Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations for 1991

EXECUTIVE SUMMARY

1. This report replaces the Information Security Assessment of the Drug Enforcement Administration, Automated Data Processing Systems, published in June 1989. Following publication of the original report, it was determined that many of the findings and recommendations concerning the Department of Justice, which supports the Drug Enforcement Administration (DEA), were outdated and no longer applicable.

2. Most of the DEA's computer support is handled by the Justice Data Center-Washington (JDC-W) facility. The majority of this report is based on a recently concluded review of those portions of the newly activated JDC-W facility, located in Rockville, MD, that support the DEA. The team was not able to give specific attention to those systems that are operated by the DEA outside of the JDC-W. This assessment was undertaken at the request of the JDC-W personnel.

3. The assessment team found the new facility to be state of the art and believes that it provides DEA users with a reliable, protected processing capability which can meet user requirements for automated information systems support. Once available security procedures and automated features are fully implemented, certification and recertification becomes a routine task, allowing new and future security requirements to fit into the system with little effort. A complete listing of the findings and associated recommendations compiled by the assessment team are found in this report. The assessment team commends the JDC personnel for an excellent job in designing and setting up this new facility.

SECTION I-INTRODUCTION

PARTI-DEPARTMENT OF JUSTICE

1. In September 1989, the Justice Data Center--Washington (JDC-W) began operations at their new computer facility in Rockville, MD. This facility now houses four mainframe computer systems owned by the Department of Justice (DOJ), one of which is operated solely in support of the Drug Enforcement Administration's (DEA) automated information systems. On 19-22 December 1989, representatives from the Information Systems Security Organization (ISSO) at the National Security Agency (NSA) performed a computer security assessment of portions of the DoJ/DEÁ computer system.

2. The computer security assessment was not an inspection, accreditation, certification, or risk analysis but a technical analysis of the computer security posture of the DoJ/DEA system at JDC-W. The information analyzed was derived from discussions with the automated data processing (ADP) Facility Security Officer, operations personnel, user help desk personnel, systems programmers, and other ADP facility security staff. During this assessment, there were no hands-on testing of the system or discussions with DEA ADP users of the system.

3. The assessment examines various areas of computer security. These areas are designed to determine whether the goals of computer security are being met. It is recognized that the goals of computer security include:

a. Protection from compromise of information;

Protection from accidental or malicious modification, insertion, or destruction of information;

C. Protection from denial of service threats to information and

computing resources; and,

d. Accountability of users on computer systems.

4 The assessment also recognized the similar goals or fundamental characteristics of the DoJ/DEA system as defined in the U.S. DOJ Order 2640.2B, dated November 16, 1988, Subject: Automated Information Systems Security.

5. The computer security goals and the DoJ fundamental characteristics are achievable by implementation of the DoJ 2640.2B requirements. These requirements specify the protection mechanisms necessary to ensure the effectiveness of the DOJ/DEA system in a secure operating environment and, more importantly, define who in the organization is responsible for implementating this policy. The responsibilities are a joint effort of the ADP Facility Security Officer and the Dol user organizations.

PART II - DRUG ENFORCEMENT ADMINISTRATION

1. The DEA has one of the most straightforward missions within the Federal Government and includes:

a. The enforcement of controlled substance laws;

The investigation and prosecution of persons involved in the illicit production and trafficking of controlled substances; and

The promulgation of programs to reduce availability of illicit controlled substances.

2. The DEA's primary responsibilities include:

a. Coordination and cooperation with other Federal Government law enforcement agencies and state and local law enforcement officials on mutual drug enforcement efforts;

b. Investigation and prosecution of major violators of controlled substance laws operating at all levels;

C. Regulation and enforcement of/with compliance with the laws governing the legal manufacture and distribution of controlled substances;

d. Management of a national narcotics intelligence system in cooperation with federal, state, local, and foreign officials to collect, analyze, and disseminate data as appropriate;

e. Operation of all DEA programs associated with drug law enforcement officials of foreign countries;

f. Provide scientific and technical training and research and other support services that enhance the DEA's overall mission;

9. Liaison with the United Nations, Interpol, and other organizations on matters relating to international narcotic control programs; and

h. Coordination and cooperation with other federal, state, and local agencies, as well as foreign governments, in programs designed to reduce the illicit availability of abused drugs on the U.S. market through noninterdiction methods, such as crop eradication, crop substitution, and training of foreign officials against drug abuse.

SECTION II-THREAT

1. The spectrum of threat to the DEA's ADP environment is as diverse as the threat to the DEA's other operations. The criminal element (including drug traffickers and those involved in criminal activities peripheral to drug-related matters) has a deep and abiding interest in both obtaining the DEA's sensitive information and denying the DEA access to that information. Casual hackers and others with questionable intentions may also attempt to enter ADP systems, electronically, out of curiosity or malice. Such entries often result in the alteration, destruction, or compromise of data resident in these systems and the possible denial of the use of the systems to legitimate users.

2. There have been cases of disgruntled federal employees, with legitimate access to computer files, who have caused serious harm before the damage is noticed Also, cleaning crews in many commercial buildings routinely have access to office spaces during and after duty hours. In this case, when computer terminals are left activated or unattended and when sensitive hard copy material is not properly destroyed, an opportunity exists for an unauthorized person to access the system.

3. Moreover, phone tapping and/or bugging of offices and homes of persons involved in law enforcement activities have been reported. In many commercial buildings, the telephone closet and conduit systems are accessible to unauthorized persons because of their central location in maintenance corridors or basements. As most ADP communications use the commercial telephone system, this vulnerability may allow the adversary considerable insight into the activities, involvements, and concerns of DEA personnel.

4. The telephone threat becomes all-pervasive in the DEA's overseas operations, where the host nation's government controls all telephone service into and within the country. In many countries where drug kingpins wield a great deal of power and influence, there are officials at all levels who are influenced directly or indirectly by the politics of contraband.

5. Additional modes of communication may also be compromised in overseas facilities because of the presence of local nationals in many U.S. buildings, including embassies and consulates. In drug-exporting countries, many local national employees may have family or other ties with narcotics traffickers that would give them the incentive to use their positions to acquire information that could be used to damage operations and persons involved in interdiction and eradication.

6. Additionally, all computer systems that are connected in any way to the outside world are susceptible to malicious codes (e.g., computer viruses). Any system with a dial-in/dial-out capability is vulnerable, especially those computers that are linked to commercial networks and electronic mail systems or that communicate with on-line bulletin boards. Other vulnerable systems include those which use software that is loaned, borrowed, or acquired outside of the normal government procurement channels (including public domain software, freeware, and software downloaded from bulletin boards). Disks brought in from outside official channels can convey all sorts of malicious code embedded into the software. Past instances of malicious codes have ranged from the benign (sending a Christmas greeting) to the malevolent (destroying data) and can be unwittingly transmitted by users from one system or stand-alone unit to another via ordinary but "infected" software.

« Înapoi Continuă »

Cărți

Departments of Commerce, Justice, and State, the Judiciary, and ..., Partea 2