Incident Handling

Insiden
•    Insiden merupakan bagian dari kehidupan elektronik
•    Tidak sengaja vs disengaja
•    Sering terjadi pada waktu yang kurang “pas” (misal: admin sedang tidak ada, sedang ada deadline)
Contoh
•    Wabah virus
•    Spam mail, mailbomb
•    Previlage attack, rootkit, intrusion
•    DoS attack
•    Harus dipikirkan skenario lain yang mungkin terjadi
•    Definisi dari “incident”
Apakah yang berikut ini termasuk insiden?
•    Ancaman (threat), hoax, virus
•    computer intrusion, DoS attack, insider theft information, any unathorized or unlawful network-based activity
Definisi
•    David Theunissen, “Corporate Incident Handling Guidelines”:
Incidents is “the act of violating or threatening to violate an explicit or implied security policy”
•    Kevin Mandia & Chris Prosise, “Incident Response”:
“Incidents are events that interrupt normal operating procedure and precipitate some level of crisis”
Tujuan dari “Incident Handling”
•    Memastikan bahwa insiden terjadi atau tidak terjadi
•    Melakukan pengumpulan informasi yang akurat
•    Melakukan pengambilan dan penanganan bukti-bukti
•    Menjaga agar kegiatan berada dalam kerangka hukum (misalnya masalah privacy, legal action)
•    Meminimalkan gangguan terhadap operasi bisnis dan jaringan
•    Membuat laporan yang akurat berserta rekomendasinya

Metodologi

•    From Kevin Mandia & Chris Prosise
“Incident Response”

•    Pre-incident preparation

•    Detection of incidents

•    Initial response

•    Response strategy formulation

•    Duplication (forensic backups)

•    Investigation

•    Security measure implementation

•    Network monitoring

•    Recovery

•    Follow-up

Permasalahan Incident Handling
Teknis
•    Apa saja yang harus dilaporkan?
•    Apakah ada informasi yang confidential?
(nomor IP, userid, password, data, files)
•    Perlunya packet scrubbing?
•    Terlalu sedikit/banyak data yang dilaporkan
•    Ketersediaan trouble ticketing system, help desk (24 jam?)
•    Data-data log sering tidak tersedia sehingga menyulitkan incident handling

Permasalahan Incident Handling 2

•    Non-teknis

•    Organisasi:

•    Kemana (kepada siapa) harus melapor jika terjadi insiden? Perlunya “Incident Response Team” (IRT)

•    Melapor ke organisasi yang lebih tinggi di luar institusi lokal? (misal ke ID-CERT, APSIRC, CERT)
Untuk keperluan statistik (ada wabah regional?)

•    Hubungan dengan policy & procedures, SOP yang seringkali tidak dimiliki oleh institusi

•    Ketersediaan SDM

•    Kualifikasi apa yang dibutuhkan?
budi.paume.itb.ac.id/courses/ec5010/incident-handling.ppt

Web Security

Web security
Web security merupakan bagian dari
Computer/Information security. Pertanyaan
yang muncul dalam computer security
ataupun web security yaitu: “apa yang harus
secure ?”
Electronic Assets
Electronic Assets adalah target dari serangan yang
mengancam keamanan sistem komputer atau
sistem informasi. Electronic Assets merupakan aset
yang paling berarti bagi suatu perusahaan atau
industri yang sehariharinya
bergantung pada
sistem komputer dan jaringan dalam menjalankan
transaksi bisnisnya. 'Electronic Assets adalah
data dan program'

The Difference Between Hackers
and Crackers
A hacker is a person intensely interested in the arcane
and recondite workings of any computer operating
system. Hackers are most often programmers. As such,
hackers obtain advanced knowledge of operating
systems and programming languages. They might
discover holes within systems and the reasons for such
holes. Hackers constantly seek further knowledge,
freely share what they have discovered, and never
intentionally damage data.

The Difference Between Hackers
and Crackers (cont'd)
A cracker is one who breaks into or otherwise
violates the system integrity of remote
machines with malicious intent. Having
gained unauthorized access, crackers
destroy vital data, deny legitimate users
service, or cause problems for their targets.
Crackers can easily be identified because
their actions are malicious.

Risks of Web security
Loss of customer confidence, trust and reputation with
the consequent harm to brand equity and consequent
effects on revenue and profitability;
Possible loss of the ability to accept certain payment
instruments e.g. VISA, Mastercard
Negative impact on revenues and profits arising from
any falsified transactions and from employee downtime;

Risks of Web security (cont'd)
 Website downtime which is in effect the closure of one
of the most important sales channels for an ebusiness;
 The expenditure involved in repairing the damage
done and building contingency plans for securing
compromised websites and web applications;
and,
 Legal battles and related implications from Web
application attacks and lax security measures including
fines and damages to be paid to victims.



Web security Attack
 Passive attack
 Sniffing(capture message)
 Trapper web (web penjebak)
 Active attack
 Denial of Service (DoS)
 Buffer OverFlow
 SQL injection
 Cross Site Scripting
 Session Hijacking
 Directory Traversal attack
 Authentication Attack (Brute Force attack)

http://overflow.web.id/source/Web-Security.pdf

Blaster worm

Sebuah kode / program kecil yang membuat windows tersebut menjadimusuh dari windows yang lain. Blaster biasanya menyerang port 135 RPC(remote procedure call) salah satu komponen pada windows selain menyerangport 135 RPC, Blaster merupakan worm virus yang menyerang langsungpengguna PC (user). Penyebaran Blaster melalui pencarian port 135 RPC. 5. VirusSasser Secara definisi sama dengan blaster dan nachi hanya beda cara menyerangnyadimana sasser menyerang LSASS (Local Security Authority Subsystem Service)yaitu lisensi windows atau protokol lisensi window. Penyebarannya melalui TCPPort 445 (netbios) yang ada di PC, dimana bila ada kelemahan pada TCP port 445tersebut akan diserang, sama halnya dengan Blaster dan Nachi, Sasser jugamerupakan worm virus yang menyerang langsung pengguna PC (user).

http://www.scribd.com/doc/52688344/TUGAS-KEAMANAN-SIFO 

Code Red II

CODE RED, Memanfaatkan vulnerability pada Index Server ISAPI tersebut, pada tanggal 12 Juli 2001 muncul sebuah worm dengan nama “Code Red” yang menyerang semua IIS webserver, dengan aksi mengubah tampilan awal website pada server yang tertular. Tidak begitu lama pada tanggal 19 Juli 2001, muncul Code Red I yang merupakan versi kedua dari worm Code Red dengan penyebaran yang lebih cepat. Banyak perbaikan pada program worm sehingga mampu menginfeksi 359.000 unit komputer hanya dalam waktu 14 jam, seperti versi pertama worm ini juga membuat dirinya dalam kondisi dormant pada tanggal 20 Juli secara permanen. Di bulan Agustus 2001, kembali Code Red muncul dengan versi berbeda “Code Red II”, muncul dengan payload yang sangat berbahaya. Worm ini masih memanfaatkan vulnerability yang sama dengan versi sebelumnya, sedikit perubahan pada program, worm ini akan membuat suatu trojan “explorer.exe” dan ditempatkan pada direktori root.
http://alanisa.comyr.com/2007/11/06/perkembangan-worm-non-lokal/

w32.sircam worm

W32/Sircam-A is a network-aware worm. The worm spreads via email and by using open network shares. The worm arrives in an email with a random subject and body text. The attached filename is also randomly chosen, but it has a double extension (for instance, .doc.com or .mpg.pif).
If the attachment is opened, the worm copies itself into the Windows System directory with the filename scam32.exe. The worm also copies itself as a file called sirc32.exe to the Recycled files directory with its file attributes set to hidden. The worm changes the registry key:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\Driver32
so that it runs on Windows startup. The registry key:  
        HKLM\SOFTWARE\Classes\exefile\shell\open\command  
is also changed so that the worm runs before any other executable file is opened. If the worm finds any open network share, it will attempt to copy itself into the Windows directory on the machine with an open share, with the filename rundll32.exe. The original rundll32.exe file is renamed to run32.exe. If this is successful, the worm changes the file autoexec.bat so that it includes a command to run the worm file previously dropped to the Windows directory.
The worm contains its own SMTP routine, which is used to send email messages to email addresses found in the Windows address book and the temporary internet folder, where cached internet files are kept.
When a recipient opens this attachment, his system gets infected and then the included document is displayed. This way the worm's activity is disguised. Messages sent by the worm look like this:
Subject: Document file name (without extension)
From: [user_of_infected_machine@...]
To: [random@...]
Hi! How are you?
I send you this file in order to have your advice
See you later! Thanks
http://antivirus.about.com/library/weekly/aa071801a.htm
In Microsoft® Windows, the 'My Documents' folders is one of the most accessible, whether from the desktop, Windows Explorer, or the default save to location in many programs. As a result, many use it as a repository for all their data files - even those which contain sensitive or confidential information. This practice has never been a good idea as it gives ill-intentioned intruders a virtual roadmap to your personal and work output. The SirCam worm takes the vulnerability one step further, using the contents of the folder to package and disguise itself to others.
Sircam, (a.k.a. I-Worm.Sircam, W32.Sircam, and W32/SircCam) mass mails itself using addresses found in the Windows Address Book and in cached email addresses found on the system. The attachment it sends is a compilation of its infection routine and a file found in the My Documents folder. The original name of the file is left intact, with an executable extension appended to it. For example, .PIF, .COM, or .EXE would be added to the orginal filename, thus myphoto.jpg would become myphoto.jpg.exe. Users who did not have file extension viewing enabled would see only the original extension and in the example above, could be tricked into believing an executable file was actually a harmless image file.
The worm then mails itself in an email with following message body:  
Hi! How are you?  
I send you this file in order to have your advice  
See you later! Thanks  
The subject line of the email is the name of the orginal file. When the infected attachment is executed, whatever file was "lifted" from the sender's My Document folder is displayed, thus disguising the SirCam worm's actions. This is particularly risky, as an infected user who stores confidential data in the My Documents folder could easily find proprietary and sensitive data mass-mailed to others.
SirCam then copies itself to the Recycle Bin, C:\recycled\SirC32.exe, in an attempt to avoid detection by some antivirus scanners. The worm modifies the registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], so that the worm is run first when any .EXE on the system is run. This method makes improper removal of the worm a dangerous proposition. If the worm is deleted before the registry modification is corrected, no .EXE on the system will run.
http://groups.yahoo.com/group/asidharta/message/616

Morris worm

The Morris worm or Internet worm of November 2, 1988 was one of the first computer worms distributed via the Internet. It is considered the first worm and was certainly the first to gain significant mainstream media attention. It also resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act.^[1] It was written by a student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from MIT.

Contents  [hide]  1 Architecture of the worm 2 The mistake 3 Effects of the worm 4 See also 5 Notes and references 6 External links

[edit] Architecture of the worm

Disk containing the source code for the Morris Worm held at the Boston Museum of Science.

According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. However, the worm was released from MIT to disguise the fact that the worm originally came from Cornell. Additionally, the Morris worm worked by exploiting known vulnerabilities in Unix sendmail, finger, and rsh/rexec, as well as weak passwords ^[2] . Due to reliance on rsh (normally disabled on untrusted networks) it should not succeed with the recent properly configured system.
A supposedly unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable. This would have the same effect as a fork bomb and crash the computer. The main body of the worm could only infect DEC VAX machines running 4BSD, and Sun-3 systems. A portable C "grappling hook" component of the worm was used to pull over (download) the main body, and the grappling hook could run on other systems, loading them down and making them peripheral victims.

[edit] The mistake

The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times.^[3] This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Morris remarked, when he heard of the mistake, that he "should have tried it on a simulator first."

[edit] Effects of the worm

It is usually reported that around 6,000 major UNIX machines were infected by the Morris worm. Paul Graham has claimed^[4] that

"I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them."

The U.S. GAO put the cost of the damage at $10M–100M.^[5]
The Morris worm prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University to give experts a central point for coordinating responses to network emergencies.^[6] Gene Spafford also created the Phage mailing list to coordinate a response to the emergency.
Robert Morris was tried and convicted of violating United States Code: Title 18 (18 U.S.C. § 1030), the Computer Fraud and Abuse Act.^[7] in United States v. Morris. After appeals he was sentenced to three years probation, 400 hours of community service, and a fine of $10,000.^[8]
The Morris worm has sometimes been referred to as the "Great Worm", because of the devastating effect it had on the Internet at that time, both in overall system downtime and in psychological impact on the perception of security and reliability of the Internet. The name was derived from the "Great Worms" of Tolkien: Scatha and Glaurung.^[9]

[edit] See also

Computer security portal

• Notable computer viruses and worms
• Buffer overflow

[edit] Notes and references

1. ^ Dressler, J. (2007). "United States v. Morris". Cases and Materials on Criminal Law. St. Paul, MN: Thomson/West. ISBN 9780314177193.
2. ^ US vs. Morris
3. ^ Court Appeal of Morris
4. ^ The Submarine
5. ^ During the Morris appeal process, the U.S. Court of Appeals estimated the cost of removing the virus from each installation was in the range of $200 - 53,000. Possibly based on these numbers, Harvard spokesman Clifford Stoll estimated the total economic impact was between $100,000 - 10,000,000. http://www.bs2.com/cvirus.htm#anchor111400
6. ^ Security of the Internet. CERT/CC
7. ^ United States v. Morris, 928 F.2d 504, 505 (2d Cir. 1991).
8. ^ "Computer Intruder is Put on Probation and Fined" by John Markoff, New York Times. The total fine ran to $13,326, which included a $10,000 fine, $50 special assessment, and $3,276 cost of probation oversight.
9. ^ Great Worm from The Jargon File

[edit] External links

• Cornell commission findings – in the ACM Digital Library ((from the abstract: "sheds new light and dispels some myths"))
• the full text of The Cornell commission findings (.pdf) is also available via paid subscription from the ACM Digital Library
• Archive of worm material, incl. papers and code
• An analysis of the worm by Eugene Spafford
• An analysis of the worm by Mark Eichin and Jon Rochlis
• "The Morris Internet Worm" by Charles Schmidt and Tom Darby
• RFC 1135 – "Helminthiasis of the Internet" – an analysis of the worm infestation
• A Report On The Internet Worm, by Bob Page, University of Lowell
• "A Tour of the Worm" by Donn Seeley, Department of Computer Science University of Utah This paper provides a chronology for the outbreak and presents a detailed description of the internals of the worm, based on a C version produced by decompiling.
• "With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988" by Mark W. Eichin and Jon A. Rochlis, Massachusetts Institute of Technology dated February 9, 1989 We present the chronology of events as seen by our team at MIT...  http://en.wikipedia.org/wiki/Morris_worm 

Melissa-availabitity-1999

virus Melissa yang menjangkiti Microsoft E-mail outlook, virus ini meyebarkan dirinya dan melakukan pengiriman email. Kemudian pengguna tidak mengetahui bahwa itu adalah virus karena di pos email tertulis pesan bahwa program tersebut tidak berbahaya. Karean pengguna mempercayai pesan dari E-mail outlook tersebut, pengguna membuka pesan maka virus tesebut akan masuk dan mengeksekusi dirinya.

Information warfare

The term Information warfare refers to the use of information, and attacks on information, as a tool of warfare. Information warfare is comprised of giving the enemy propaganda to convince them to give up and denying them information that might lead to their resistance.

The following public domain text is written from a U.S. Armed Forces point of view -- please edit for NPOV

Cornerstones of information warfare

The competition for information is as old as human conflict. it is virtually a defining characteristic of humanity. Nations, corporations, and individuals each seek to increase and protect their own store of information while trying to limit and penetrate the adversary's. Since around 1970, there have been extraordinary improvements in the technical means of collecting, storing, analyzing, and transmitting information.

Why are we talking about information now?

Because there is a technological revolution sweeping through information systems and their integration into our daily lives leading to the term 'Information Age.' information-related technologies concentrate data, vastly increase the rate at which we process and transmit data, and intimately couple the results into virtually every aspect of our lives. The Information Age is also transforming all military operations by providing commanders with information unprecedented in quantity and quality (2). The commander with the advantage in observing the battlespace, analyzing events, and distributing information possesses a powerful, if not decisive, lever over the adversary.
We must distinguish between information age warfare and information warfare. We make this distinction because much of the literature treats information warfare and advances in information technology synonymously. Information age warfare uses information technology as a tool to impart our combat operations with unprecedented economies of time and force (3). Ultimately, information age warfare will affect all combat operations. In contrast, information warfare views information itself as a separate realm, potent weapon, and lucrative target. Information, as we will show below, is technology independent. However, information age technology is turning a theoretical possibility into fact: directly (4) manipulating the adversary's information.

What is information ?

This question is elementary, but pivotal. It is impossible to discuss information warfare meaningfully without rigorously defining the central concept: information.
Information derives from phenomena. Phenomena, observable facts or events, are everything that happens around us. Phenomena must be perceived and interpreted to become information. Information, then, is the result of two things: perceived phenomena (data) and the instructions required to interpret that data and give it meaning.
This distinction is important, and easily encompassed by a familiar paradox: If a tree falls, but no one was around to hear it, did it make a noise? The falling tree caused pressure waves in the atmosphere, a phenomenon. Noise, the information denoting a falling tree, occurs when someone's ear detects the pressure waves, creating data, and the brain's instructions manipulate that data into the sound recognizable as a falling tree. Within that person's context, there is no falling tree until the person hears (or sees) it.
Phenomena become information through observation and analysis. Therefore, information is an abstraction of phenomena. Information is the result of our perceptions and interpretations, regardless of the means. As falling trees make clear, to define information requires only two characteristics:

• Information consists of data and instructions.

Note that the definition for information is absolutely distinct from technology. However, what we can do with information, and how fast we can do it, is very dependent on technology. Technology dramatically enhances our observational means, expands and concentrates data storage, and accelerates instruction processing.

• An Information Function is any activity involving the acquisition, transmission, storage, or transformation of information.

For example, the system that tells a machine to stamp eighty hubcaps is performing an information function. The sheet metal press stamping those hubcaps is not.

What are some military information functions ?

Quality information is the counter to the fog of war. As mentioned earlier, the commander with better information holds a powerful advantage over his adversary. Military operations make special demands on information functions in seeking to give the commander an information advantage.
Surveillance and reconnaissance are our powers of observation. Intelligence and weather analysis are the bases for orienting observations. Some militaries use those bases to form an Air Tasking Order, which command and control operations execute and monitor in directing the conflict. Precision navigation enhances mission performance. Together, these are the kinds of military information functions that enhance all military operations. Collectively, some militaries use the term military information functions to describe force enhancing information functions.

• A Military Information Function is any information function supporting and enhancing the employment of military forces.

This definition serves to delineate militarily important information functions from the total universe of information functions.

What is information warfare ?

At the grand strategy level, nations seek to acquire, exploit, and protect information in support of their objectives. This exploitation and protection can occur in the economic, political, or military arenas. Knowledge of the adversary's information is a means to enhance our own capabilities, degrade or counteract enemy capabilities, and protect our own assets, including our own information. This is not new. The struggle to discover and exploit information started the first time one group of people tried to gain advantage over another.
Information warfare consists of targeting the enemy's information and information functions, while protecting our own, with the intent of degrading his will or capability to fight (5). Drawing on the definitions of information and information functions, information warfare may be defined as:

• Information Warfare is any action to deny, exploit, corrupt, or destroy the enemy's information and its functions; protecting ourselves against those actions; and exploiting our own military information functions (6).

This definition is the basis for the following assertions:

• Information warfare is any attack against an information function, regardless of the means. Bombing a telephone switching facility is information warfare. So is destroying the switching facility's software.
• Information warfare is any action to protect our information functions, regardless of the means. Hardening and defending the switching facility against air attack is information warfare. So is using an anti-virus program to protect the facility's software.
• Information warfare is a means, not an end, in precisely the same manner that air warfare is a means, not an end. Information warfare may be used as a means to conduct strategic attack and interdiction, for example, just as air warfare may be used to conduct strategic attack and interdiction.

Militaries have always tried to gain or affect the information required for an adversary to effectively employ forces. Past strategies typically relied on measures such as feints and deception to influence decisions by affecting the decision maker's perceptions. Because these strategies influenced information through the perception process, they attacked the enemy's information indirectly. That is, for deception to be effective, the enemy had to do three things:

• observe the deception,
• analyze the deception as reality, and,
• act upon the deception according to the deceiver's goals.

However, modern means of performing information functions give information added vulnerability: direct access and manipulation (7). Modern technology now permits an adversary to change or create information without relying on observation and interpretation. Here is a short list of modem information system characteristics creating this vulnerability: concentrated storage, access speed, widespread information transmission, and the increased capacity for information systems to direct actions autonomously. Intelligent security measures can reduce, but not eliminate, this vulnerability; their absence makes it glaring.

What comprises information warfare ?

Recalling the definition, information warfare consists of activities that deny, exploit, corrupt, destroy, or protect information. Traditional means of conducting information warfare include psychological operations, electronic warfare, military deception, physical attack, and various security measures.

• Psychological operations use information to affect the enemy's reasoning. (aka propaganda)

• Electronic warfare denies accurate information to the enemy (8).

• Military deception misleads the enemy about our capabilities or intentions (9).

• Physical destruction can do information warfare by affecting information system elements through the conversion of stored energy to destructive power. The means of physical attack range from conventional bombs to electromagnetic pulse weapons.

• Security measures seek to keep the adversary from learning about our military capabilities and intentions (10).

The Information Age has provided new and practical means to deny, exploit, corrupt, or destroy information (11), as well as the vulnerabilities to make those attacks possible. Air Force doctrine does not yet acknowledge or define these assaults on information, which we call Information Attack.
Information Attack: directly corrupting (12) information without visibly changing the physical entity within which it resides.
Information attack, constrained by the definition of information, is limited to directly altering data or instructions. It is, therefore, just another means of conducting information warfare, one whose immediate effects do not include visible changes to the entity within which the information resides. That is to say, after being subjected to information attack, an information function is indistinguishable from its original state except through inspecting its data or instructions (13).

How is information attack different ?

As previously described, there are two ways to influence the adversary's information functions: indirectly and directly.
Indirect information warfare affects information by creating phenomena, which the adversary will perceive, interpret, and act upon. Military deception, physical attack, and OPSEC traditionally achieved their ends indirectly (14). For example, the goal of deception is to cause the adversary to make incorrect decisions; deception does this by creating an apparent reality. Generally, this entails creating phenomena for the enemy to observer Success, however, depends on several conditional events: the adversary actually observes the phenomenon, thereby turning it into data; analyzes it into the desired information; and acts upon the information in the desired manner.
Direct information warfare affects information through altering its components without relying on the adversary's powers of perception or interpretation. Information attack acts directly upon the adversary's information. Since nearly all modem information functions are themselves controlled by information, information attack may be directed against most information functions.
Direct information warfare, the point of information attack, acts on the adversary's information without relying on the adversary's collection, analysis, or decision functions. It can short circuit the OODA loop (15) through creating observations and skewing orientation, or decapitate it by imposing decisions and causing actions.
A short illustration will serve to demonstrate the difference between indirect and direct information warfare applications:
One goal, using military deception, is to make the adversary think there is a wing of combat aircraft where, in fact, there is none, and act on that information in a manner benefiting operations.
Indirect information warfare: Using military deception, we could construct fake runways and parking areas, and generate enough other activities to present a convincing image. We rely on the adversary to observe the pseudo combat operation and interpret it as real (as opposed to detecting the fake). Only then does it become the information we want the adversary to have.
Direct information warfare: Conversely, if we use information attack to create the pseudo combat wing in the adversary's store of information, the result-deception-is precisely the same. But the means to that result, never mind the resources, time, and uncertainty, are dramatically different.

What is the other edge of the information warfare sword?

The defensive side of information warfaresecurity measures aimed at protecting information-prevents an adversary from conducting successful information warfare against our information functions. Current security measures such as OPSEC and COMSEC are typical means of preventing, detecting, and subverting an adversary's indirect actions on our military information functions. In contrast, security measures such as COMPUSEC encompass preventing, detecting, and subverting direct information actions on our information functions. Future security measures must evolve as information technology advances. Consequently, new-measures will likely take forms entirely different from today's security measures, rooted as they are in previous security requirements. As the simple examples in this paper illustrate, we must avoid falling victim to profound, debilitating effects of direct information warfare.

Why is information warfare important to the USAF?

Two reasons. First, because information warfare offers important means to accomplish Air Force missions. Second, because the widespread integration of information systems into Air Force operations makes our military information functions a valuable target set.
A hypothetical example using information attack shows how information warfare might accomplish a typical Air Force mission:
Interdiction prevents or delays essential resources from reaching combat units. One approach to interdiction is wrecking bridge spans using laser-guided bombs. Alternatively, we might be able to alter the adversary planners' information, falsely categorizing the bridges as destroyed, causing the planners to reroute forces and supplies. Each means performs interdiction; information attack offers the possibility of achieving our goal while consuming fewer resources or without exposing our assets to attack.
As an example emphasizing the need for robust defenses against information warfare, imagine the chaos that would ensue should an adversary manage to penetrate our time-phased force deployment database. Subtle changes in it could be sufficient to bring our power projection capabilities to a near standstill.

How should we change Air Force doctrine to accommodate information warfare?

Presently, Air Force doctrine recognizes air warfare and space warfare. However, the doctrine doesn't identify separate missions for air warfare or space warfare. Instead, both cut across all roles and missions. Similarly, information warfare cannot be pigeonholed as a single mission. To do so would fail to completely integrate information warfare into Air Force doctrine.
Recall that missions are operational tasks performed to achieve military objectives. Air warfare is a means, defined by the environment, to execute those missions. There are three objectives of air warfare:

• control the air while protecting our forces from enemy action,
• exploit control of the air to employ forces against the enemy, and,
• enhance our overall force effectiveness.

In our doctrine, the objectives of control, exploit, and enhance translate into the roles of aerospace control, force application, and force enhancement.
In many respects, one can consider information as a realm, just as land, sea, air, and space are realms (16) information has its own characteristics of motion, mass, and topography, just as air, space, sea, and land have their own distinct characteristics (17). There are strong conceptual parallels between conceiving of air and information as realms. Before the Wright brothers, air, while it obviously existed, was not a realm suitable for practical, widespread military operations. Similarly, information existed before the Information Age. But the Information Age changed the information realm's characteristics so that widespread military operations within it became practical.
Information warfare, like air warfare, is the means defined by the environment to execute military missions. There are three objectives of information warfare:

• control the information realm so we can exploit it while protecting our own military information functions from enemy action,
• exploit control of information to employ information warfare against the enemy, and,
• enhance overall force effectiveness by fully developing military information functions.

The first objective of information warfare, to control the realm so we can exploit it while protecting our own military information functions from enemy action, contributes significantly to controlling the combat environment. Presently, Air Force doctrine recognizes two missions to control the combat environment: counterair and counterspace. Counterair comprises missions whose objectives are control of the air; counterspace comprises those missions whose objectives are control of space. Clarity and consistency require we term those activities dedicated to controlling information as counterinformation.
Counterinformation: actions dedicated to controlling the information realm.
Further, counterinformation, like counterair and counterspace, has both offensive and defensive aspects. Offensive counterinformation enables us to use the information realm and impedes the adversary's use of the realm. Typical means include physical attack, military deception, psychological operations, electronic warfare, and information attack. Defensive counterinformation includes both active and passive actions to protect ourselves from the adversary's information warfare actions. Defensive counterinformation is accomplished, for instance, through physical defense, physical security, hardening, OPSEC, COMSEC, COMPUSEC, and counterintelligence.
Successful aerospace control enables us to use the air and space realms without suffering substantial losses, and inflict substantial losses on the enemy's use of those realms. Counterinformation, working with counterair and counterspace, seeks to create such an environment.
The second objective of information warfare is to exploit our control of information. In air warfare's force application role, the missions of strategic attack, interdiction, and close air support exploit air control. Similarly, information warfare might also be used to achieve the same ends. We have already cited an example of how information warfare can perform interdiction. It can also perform strategic attack:
Suppose we want to limit the enemy's long-term mobility by restricting his POL resupply. We first identify his refineries as the most suitable target to achieve this goal. Through research we further identify the specific refineries comprising most of his production capacity. For each refinery, we find there is one critical cracking tower. We mount a strike and, with admirable economy of force, put the refineries out of operation by destroying just those towers, while leaving everything else untouched. This is a classic example of strategic attack.
Same situation. Like all modern refineries, these have extensive automated control systems. These extensive information functions offer a potential target for information warfare. Early in the conflict we performed an offensive counterinformation mission by penetrating and characterizing the refinery's automated control system. In the process, we uncovered several vulnerable information dependencies, giving us the means of affecting the refineries' operations at a time of our choosing. Later in the conflict, combined with interdiction and ground maneuvers, we choose to exploit one of the vulnerabilities. We have just disabled their refineries. This, too, is a classic example of strategic attack.
Information technology is already tightly woven with our military operations, providing heretofore unimaginable amounts of information. Exploiting this information has provided us striking capabilities; relying on it inevitably creates potentially crippling vulnerabilities. This, coupled with advances in the ability -to both locate and destroy command and control (C2) nodes makes C2, more than ever, a lucrative target set. History has shown successful militaries can achieve striking success through paralyzing the enemy's ability to exercise command and control. Airmen have always considered this an important objective and expended much effort against C2 (18). For these reasons, the efforts to disrupt and destroy the adversary's command and control elements have prompted us to identify a separate mission under force application.
C2 Attack: any action against any element of the enemy's command and control system.
The third objective of information warfare is to develop information functions to enhance total force effectiveness. Previously we described military information functions as supporting the employment of military forces. Our current doctrine does not include such a mission. To fill that void, we will include information operations under force enhancement. Some examples of information operations are: surveillance, reconnaissance, command and control, communications, combat identification, intelligence, precision navigation, and weather. The distinguishing characteristic of the information operations mission is that it deals primarily with information as both its resource and product.

Roles And Missons of Aerospace Power

Information Operations: any action involving the acquisition, transmission, storage, or transformation of information that enhances the employment of military forces.
Since we require relevant, accurate, and timely information for everything we do, information operations support the conduct of missions across all four roles', from aerospace control to force support. Information operations provide commanders the ability to observe the battlespace, analyze events, and direct forces. information operations provide logisticians the ability to know what is in inventory, and where it is needed. Information operations provide the flight lead the ability to know where the target is, its defenses, and select the most appropriate weapon.
In sum, information warfare cuts across all Air Force roles and missions. It is another means to conduct our traditional missions. However, there are three additional operational tasks that information warfare enables us to execute which are not suitably addressed by our current doctrine: counterinformation, C2 Attack, and information operations. Similarly, we elected to delete two missions no longer relevant under regrouped missions: electronic combat, previously under force enhancement, is now subsumed by information warfare; surveillance and reconnaissance are now considered instances of information operations. However, this list is by no means exhaustive. As this paper's title conveys, the ideas contained herein provide the cornerstones, not the entire building. Invariably, as the Air Force fully accommodates the information technology revolution, additional operational tasks may arise which will in turn warrant adding or removing missions. To the extent these cornerstones continue to provide a valid litmus test for information warfare, all new missions need to meet and pass it.

What is the relationship between information warfare and command & control warfare?

The focus of information warfare is any information function, whether it is C2, a refinery's control system, or a telephone switching station. C2 represents only part of the universe of military information functions. The Joint Staff defines command and control:
Command and Control: the exercise of authority and direction by a properly designated commander over assigned forces in the accomplishment of the mission. [joint Pub 1-021
Command and control warfare (C2W) only addresses activities directed against the adversary's ability to direct the disposition and employment of forces, or those which protect the friendly commander's ability to do so. As we have illustrated, information warfare not only attacks the C2 process, but it also attacks the enemy's combat power itself. Conversely, by definition, C2W is not associated with reducing or nullifying the ability or desire of combat units to execute their orders. Tactical psychological operations and electronic countermeasures self-protection hinder the ability of units to execute orders. But they in no way affect commanders' ability to issue orders to those units, nor their ability to receive those orders.
Although extraordinarily important, the JCS's policy of Command and Control Warfare is only a particular application of information warfare. For the military to concentrate only on C2W would be ignoring other legitimate target sets. Therefore, information warfare, and its attendant organizing, training, and equipping issues, is essential to fully effective C2W.

Is information warfare important only to the Air Force?

We have established that information warfare is important to the Air Force for two reasons. First, since our military information functions present a valuable target set, we must make commensurate defensive efforts. Second, as the examples in this paper show, information warfare is a potential means to achieve typical Air Force ends: strategic attack, interdiction, etc. More fundamentally, the Air Force already does information warfare through such systems as the EF-111 and Compass Call.
But in a broader sense, information warfare might be a means to conduct any mission the services already conduct - and the services are best positioned to choose the best means for their ends. Each service has its own unique operational demands. After all, the Army is best qualified to decide which means are best suited for pursuing the goals the joint Force Commander apportions to the Army.
As a result of its service-unique expertise, its own OODA loop requirements, logistics, etc., each service has information warfare concerns. In developing the doctrinal constructs in this paper, we used airpower terminology and examples. That is our background, those are the terms and the environment with which we are familiar. But the argument we present is not dependent on terminology. Replacing Air Force terms with Army or Navy terms would leave the conclusions unchanged.

Conclusion

The information revolution, startlingly fast as it is, shows no signs of slowing. As armed forces more technologically sophisticated, they becomes more technologically dependent. We need to use that technological sophistication to avail ourselves of all the opportunities that information, as a target, presents. We also need to be aware that our technical dependencies represent potentially crippling vulnerabilities. Sophisticated, robust, multi-layered defenses for our military information functions may well be what separates us from joining the sorry league of military failures.
Information, combined with modern information functions, has distinct characteristics that warrant it being considered a realm, just as land, sea, air, .and space are realms. Information warfare does not fill a discrete place in Air Force doctrine. just like air warfare, information warfare can be part of many AFM 1 -1 missions. just as when space warfare was integrated into Air Force doctrine, viewing information as a realm now leads us to add several missions:
Counterinformation: controlling the information realm.
C2 Attack: any action against the enemy's command and control system.
Information Operations: any action involving the acquisition, transmission, storage, or transformation of information that enhances the employment of military forces.
Since World War 1, airmen have had to control the air environment effectively to employ airpower. What is more, air and space superiority are virtually a sine qua non for employing ground and naval forces. Information is the next realm we must control to operate effectively and with the greatest economy of force.
At the outset we stated the competition for information is as old as man's first conflict. It involves increasing and protecting our own store of information while limiting and penetrating the adversary's. The recent explosion in information technologies is prompting the current discussion in and outside government on the topic of information warfare - targeting the enemy's information functions, while protecting ours, with the intent of degrading his will or capability to fight.
For airmen, controlling the combat environment is job One. With the advances in information technology, airmen must pursue information superiority just as they do air and space superiority. Only with these realms under our control can we effectively employ all our combat assets. Military information functions are essential to our combat operations-they are a tool for achieving the Joint Force Commander's campaign objectives. Targeting the enemy's information functions keeps him from achieving his.
In this paper we have laid out information warfare's doctrinal foundation. Our goal is to provide a sound and widely accepted basis from which we can adapt Air Force doctrine to the Information Age. The ultimate aim? Incorporating information warfare into the way the Air Force organizes, trains, equips, and employs.

Definitions

• C2 Attack: Any action against any element of the enemy's command and control system.
• Command and Control: The exercise of authority and direction by a properly designated commander over assigned forces in the accomplishment of the mission.
• Counterinformation: Actions dedicated to controlling the information realm.
• Defensive counterinformation: Actions protecting our military information functions from the adversary.
• Direct Information Warfare: Changing the adversary's information without involving the intervening perceptive and analytical functions.
• Indirect Information Warfare: Changing the adversary's information by creating phenomena that the adversary must then observe and analyze.
• Information: Data and instructions.
• Information Attack: Directly corrupting information without visibly changing the physical entity within which it resides.
• Information Function: Any activity involving the acquisition, transmission, storage, or transformation of information.
• Information Operations: Any action involving the acquisition, transmission, storage, or transformation of information that enhances the employment of military forces.
• Information Warfare: Any action to deny, exploit, corrupt, or destroy the enemy's information and its functions; protecting ourselves against those actions; and exploiting our own military information functions.
  
  It was last modified 12:52 Apr 11, 2003. All text is available under the terms of the GNU Free Documentation License. 

 http://www.iwar.org.uk/iwar/resources/wikipedia/information-warfare.htm 
http://en.wikipedia.org/wiki/Information_warfare