Cyber warriors protect Air Force computer network
by Staff Sgt. C. Todd Lopez
Air Force Print News
10/10/02 - WASHINGTON -- Air Force computer systems around the globe are
kept safe from viruses and unauthorized users by a dedicated group of
computer network defenders.
Because the Air Force computer network is a weapons system and is under
constant attack by viruses and illegal entry attempts by adversaries,
defending that weapons system has become an ongoing war, said the
director of operations for the 33rd Information Operations Squadron,
home of the Air Force Computer Emergency Response Team at Lackland Air
Force Base, Texas.
"We believe we are on the front lines of the cyber war every day," said
Lt. Col. Rob Kaufman. "Our crews are well-trained, motivated and
committed to stopping network intrusions and viruses."
AFCERT has strong allies in its fight to protect the global Air Force
computer network, he said.
"In this fight, we are not alone," Kaufman said. "Fellow computer
network defenders at major command network operations and security
centers and base-level network control centers are in the fight with us.
Together we are able to fight off malicious hackers that range from the
nuisance 'script kiddies' to the professional hackers."
Kaufman and other cyber warriors use an arsenal of software and hardware
to defend the Air Force computer network.
"We have a sensor out there at every single one of our bases and even
some non-Air Force bases," Kaufman said. "That is our primary defensive
Computer experts at Lackland's Air Force Information Warfare Center
developed the current sensor platform, which has been acknowledged as a
"one-of-a-kind" capability second to none. The sensors scan network
traffic for virus signatures -- telltale strings of ones and zeros that
indicate the presence of malicious logic. When they find such a string,
AFCERT moves quickly to let everybody know about it.
"What we will do is put out advisories to the field so they will
understand what an exploit or vulnerability can do to a computer and
what mitigating steps they can take to protect themselves," Kaufman
said. "If the threat is very bad and we think it is a system-wide type
of threat, we will release a time compliance network order, which
directs field units on what steps to take to protect themselves."
AFCERT monitors the network traffic for some 500,000 Air Force
computers, he said. Those machines generate around 10 billion network
events each year, including e-mail messages, Web page views, telnet
sessions and other network traffic. That opportunity allows AFCERT to be
the first to come in contact with a lot of potential viruses.
"We can actually get viruses 'in the wild,' tear them down and see what
they do," Kaufman said. "We reverse engineer the viruses and, based on
what we see in those viruses, we are able to build alert strings for our
sensor so we can get an indication or warning when a new virus comes
out. It also allows us to develop countermeasures for those viruses."
In addition, countermeasure engineers at the Air Force Information
Warfare Center help develop more robust and long-term solutions against
the emerging threats, he said.
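As an added illustration of the sensor alert strings and the byte-string matching the article describes (this is example code, not AFCERT's or the Information Warfare Center's), the following Python scanner checks constructed traffic chunks against constructed signature strings and carries a tail buffer forward so a signature split across two chunks is still caught; every signature, event record and name in it is invented for the example.

```python
from dataclasses import dataclass, field

# Constructed alert strings for the example: name -> telltale byte sequence.
SIGNATURES = {
    "sample-macro-worm": b"Macro Sub Document_Open",
    "sample-shell-probe": b"/bin/sh -c",
}

# Constructed traffic: (event id, payload split into the chunks a sensor
# might see). evt-2 carries a signature straddling the chunk boundary.
SAMPLE_EVENTS = [
    ("evt-1", [b"GET /index.html HTTP/1.0\r\n\r\n<html>hello</html>"]),
    ("evt-2", [b"Attachment: doc.doc\r\nMacro Sub Docu", b"ment_Open\r\n..."]),
    ("evt-3", [b"POST /cgi-bin/x HTTP/1.0\r\n\r\ncmd=/bin/sh -c id"]),
]

@dataclass
class StreamScanner:
    """Matches signatures chunk by chunk, carrying the last (longest
    signature - 1) bytes forward so a split signature is not missed."""
    signatures: dict = field(default_factory=lambda: dict(SIGNATURES))
    _carry: bytes = b""
    _seen: set = field(default_factory=set)

    def feed(self, chunk: bytes) -> list:
        data = self._carry + chunk
        hits = [name for name, sig in self.signatures.items()
                if sig in data and name not in self._seen]
        self._seen.update(hits)  # report each signature once per stream
        keep = max(len(sig) for sig in self.signatures.values()) - 1
        self._carry = data[-keep:] if keep > 0 else b""
        return hits

def scan_events(events, stateful=True):
    """Return {event_id: [signature names]} for events that match.
    stateful=False scans each chunk in isolation, the naive approach that
    misses a signature split across chunks."""
    findings = {}
    for event_id, chunks in events:
        scanner = StreamScanner()
        hits = []
        for chunk in chunks:
            if not stateful:
                scanner = StreamScanner()  # forget the previous chunk
            hits.extend(scanner.feed(chunk))
        if hits:
            findings[event_id] = hits
    return findings
```

Running `scan_events(SAMPLE_EVENTS)` flags evt-2 and evt-3, while the chunk-by-chunk variant flags only evt-3, which is why a real sensor reassembles streams before matching.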
Those countermeasures and alert strings are not just sent to local
bases. Sometimes they are sent to commercial anti-virus software
developers so they can be added to the global database of computer
viruses. In this way, Kaufman said, results of AFCERT's work reach
beyond the Air Force. "There is a community of interest out there that
will feed information to commercial vendors, and we have specifically
fed them information that they have not seen elsewhere," he said. "We
have identified technical threats and have passed them off to commercial
vendors so they can protect the nation."
Although more than 100 individuals at AFCERT work in conjunction with
major command NOSCs, base-level NCC personnel, the Air Force Information
Warfare Center, and the Air Force Office of Special Investigations to
secure Air Force computer systems worldwide, Kaufman said the computer
user is still the key to network defense.
"Air Force computer users can help by using strong passwords and by
ensuring their anti-virus software is current on both their work
machines and home machines," Kaufman said. "They should only open
attachments they are expecting and ensure new systems are properly
configured and patched to the latest revision levels."
AFCERT's efforts to defend the Air Force network are proving successful,
"Three years ago, we had close to 10,000 Air Force computers that were
compromised with viruses. That was about the time the Melissa virus came
out. It was a very bad situation," Kaufman said. "In 2001, we had fewer
than 700 Air Force computers compromised by viruses and the number is
down even more in 2002."
Kaufman said he believes AFCERT is ready to handle future threats as
"Like fighting an air war, the cyber environment is extremely dynamic,"
he said. "It is changing constantly as technology improves and new
vulnerabilities and tactics are discovered."
Air Force communications, intelligence and engineering professionals
understand the dynamic nature of the network, and Kaufman said he
believes they are equipped to deal with whatever comes along.
"We are trained to do the in-depth analysis, event correlation, incident
response, and countermeasure development necessary to secure our
networks," he said. "Every hour of every day, we Air Force network
defenders are standing watch."
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site