Modem Scanning

1.0 Identification Data
1.1 BSP Number
00001
1.2 BSP Title/Name
Detecting Unauthorized Modem Connections at USAID Missions
1.3 Version Number
1.1
1.4 Adoption Date
January 23, 2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
In the Security Process Framework:
  • (1.6.3.2) Monitor Effectiveness and Compliance of Organizational Technical Security Program
  • (2.6.3.4.4) Review Security Posture
  • (2.8.2.2.1) Assess Vulnerability

In the SSE CMM Framework:

  • (PA-05) Assess Vulnerability

In the OMB A-130, Appendix III,

Section A:

  • (3.a.3) Review of Security Controls
1.9 Reserved
Not to be completed by the drafter
1.10 Points of Contact
Government BSP Owner:
  • James P. Craft, CISSP
    USAID Information Systems Security Officer
    Ronald Reagan Building
    1300 Pennsylvania Ave., Suite 2.12-032
    Washington DC 20523-2120
    Telephone No - 202-712-5460
    Fax No. - 202-712-3053
    E-mail – jcraft@usaid.gov
    Also: cassistance@usaid.gov

Vendor Partner:

2.0 What This BSP Does
2.1 BSP's Purpose
This BSP discusses how to detect unauthorized modem connections to an official network as part of the cyber-security assistance visits at USAID missions worldwide. The process involves the use of the 'PhoneSweep' software. The scans can be conducted at various levels of specificity, for instance, detect only, detect and identify protocols, detect and attempt to crack passwords. These levels are discussed with management prior to conducting the scans.
2.2 Requirements for this BSP
OMB A-130 Appendix III, Section A.3.a.3 states:

"Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system."

2.3 Success Stories
Modem scanning was an integral part of the cyber-security assistance visit provided to the mission in Lima, Peru in 1999 and Phnom Penh, Cambodia and Manila, Philippines during November and December 2000. The correspondence below is from a senior manager at Lima expressing the mission's appreciation for raising their information system security posture through the cyber-security assistance visit process.

Subj: COMPUTER SECURITY TEAM VISIT

Source: David Bayer, USAID Peru Executive Office

If you have the opportunity to have the Information Systems Security Officer (ISSO) Jim Craft and his Risk Assessment Program Area Manager, Rodney Murphy, visit your Mission with their team of computer security experts, then take advantage of it. They did one hell of a job during their February visit with us at USAID/Peru in getting us up to speed and raising our level of consciousness about security issues. This is not to say that our dedicated IRM staff, led by Systems Manager, Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike Reiter and Steve Bui come in and sit down to review your Computer Security Program and Computer Contingency Plan with you.

In addition, they trained some 80 employees to become aware of computer security pitfalls.

And, last but not least, they have given us some key advice and methods for closing out some computer security audit issues which are not only USAID/Peru exposures but endemic to all Missions worldwide.

Computer security is becoming an important issue in for USAID and all organizations. In this environment, new security standards and having a formal security program in each overseas Mission is very important.

USAID/Peru was selected as a Beta site to define the model/templates for the Computer Security Program to be applied in all overseas Missions.

Starting February 19 to February 25, during five workdays, a Computer Security Team belonging to the IRM/ Security Group was in Lima. The team had five members. Jim Craft acted as the team Leader.

Computer Security is a dynamic activity and demands coordination and permanent follow-up. The Computer Security Team's role in the implementation of the Computer Security Program in each Mission is critical. Computer Security activity involves the entire USAID organization, starting from Washington and reaching out worldwide to all Missions. If one Mission security system fails, it endangers the entire USAID organization.

3.0 What This BSP Is
3.1 Description of BSP
3.1.1

Inputs

  1. Scanning tool (PhoneSweep software)
  2. Laptop computer with modem
  3. Digital Converter, if needed
  4. Sample 'PhoneSweep' screens with selection choices
3.1.2

Process

Step 1. Coordinate, with the appropriate personnel, approval to conduct the modem scan. The Modem Scan activity should be completed after-hours to eliminate disturbances to working staff and also to look for unauthorized modems operating after normal working hours.

Step 2. Connect the hardware and configure the software.

    1. Connect the PhoneSweep Software dongle to the parallel port of the laptop.
    2. Connect the Digital converter to the laptop as outlined in the manual for the Digital converter.
    3. Access the PhoneSweep software: Programs, PhoneSweep, PhoneSweep.
    4. Select I agree to the license agreement.
    5. Select File, New and you will be presented with a prompt to enter a new profile name.
    6. Enter a profile name, _________________, OK.
    7. Select Phone Numbers from the PhoneSweep 1.1 – Test screen, and Add from the (next) screen.


      bsp10.1.jpg (18832 bytes)

    8. Enter the phone number or the starting number for a range of numbers (ex., 7000) in the left hand box, and enter the ending number of the range (ex., 7900) in the right hand box.


      bsp10.2.jpg (12293 bytes)

    9. Check the box for the appropriate dialing period – Outside Hours.
    10. Check the button entitled Dial During Each Time Period.
    11. Select Add. Then, select Close to add the phone numbers to the new profile.
    12. Select Options from the list of Tabs on the next screen (PhoneSweep 1.1– Test), and then select the Modem Tab and choose the appropriate Com Port. (The Com Port selection can be confirmed by selecting Modem Diagnostics in the Settings/Control Panel from Windows 95).


      bsp10.3.jpg (23039 bytes)

    13. Select the Time Tab and set the time period associated with the Business Hours at the location of the scan. Most scans should be conducted during times outside Business Hours. Change Outside Rings to 4 (in the ‘Timeout in Rings or Seconds’ section).
    14. Select the Effort Tab and choose the degree of effort desired for the scan. Most scans will only require the Connect Level of Effort. Also ensure that you select ‘scan for’ Both Modems and Fax Machines. Other settings are OK.
    15. Select the Dial Tab and program any Dialing Prefix required to initiate calls from your location. NOTE: You should verify these settings by dialing the prefix and one assigned number to ensure proper configuration and operation. In addition, set the Modem Baud Rate to 57600.


      bsp10.4.jpg (25144 bytes)

    16. Select the Report Tab and ensure all selections are chosen.


      bsp10.5.jpg (21153 bytes)


    17. Select the Status Tab, and Save your current configuration.

Step 3. Run the Scan, produce the Scan results Report, and Analyze the report data

    1. After selecting the Status Tab, and Saving your current configuration, select Start to initiate the scanning process.


      bsp10.6.jpg (27764 bytes)

    2. When the Scan is complete, select the Report Tab and save the results of the scan to a chosen file name. After saving the file, you must use MS Word to retrieve, edit, and print the report.


      bsp10.7.jpg (31075 bytes)

    3. Analyze the data and confirm the findings in the Report. Then, issue the Report to all applicable personnel.
3.1.3

Outputs

Modem Scan Results’ report.

3.2 Relationship to Other BSPs
The cyber-security assistance visit process comprises several subprocesses, one of which is the Modem Scan. Additional relationships will be added as additional BSPs are submitted
4.0 How To Use This BSP
4.1 Implementation Guidance
  • The Phone Sweep software operates at the optimal level using a Gold Modem card installed in the laptop. Note: Other modem cards will work but do not always provide complete information for reports.
  • Having the Administrator of the system being reviewed work closely with the individual conducting the after-hours Modem Scan can enhance the efficiency of this process.
4.2 Implementation Resource Estimates
Personnel: Operating System Administrator or trained security professional.

Time per System/Scan:

Preparation Time up-front: 2 - 4 hours identifying the current system environment and obtaining proper approvals.

On-Site Time: 4 - 6 hours to connect hardware, configure software, and tear down when finished. 12 hours to run After-hours Scan. (This is dependent upon the number of phone numbers being scanned.)

Final Report Preparation Time: 4 hours; this includes the review of data and documentation of activities by the reviewer, and also the transfer of the documentation by the report writer into the final report.

4.3 Performance Goals and Indicators (Metrics)
General Goal: To eliminate those security vulnerabilities associated with unauthorized access to system resources caused by the existence/use of non-approved and unauthorized modems connected to the network.

Performance Goal: To perform the modem scan on an organization's networks, often and routinely, in order to ensure detection of unauthorized modems connected to the network.

Outcome Goal: To search for the existence of modems connected to the network and identify their specific location.

Output goal: To document the identification and location of modems connected to the network.

General Objective: To identify the risk involved with the security vulnerability associated with the presence of unauthorized modems connected to the network. The organization's Senior Management can then use this information to make proper information systems security decisions.

Performance Indicator: Assess the effectiveness of the modem scan by routine analysis of the process. By keeping detailed records on the number of scans run, the frequency and time of day of the scans, and scan results, an assessment can be made to determine whether or not the process is keeping unauthorized modems off the network. Modify the process, if necessary.

4.4 Tools
The tools used to perform the Risk Assessment After-hours Modem Scan are:
  • PhoneSweep software,
  • Laptop with modem
  • Digital Converter, if needed
4.5 Training Materials
PhoneSweep v1.03 User's Manual, Sandstorm Enterprises, 1999
Appendices
A Executive Overview and Briefing
Editor's Note: See App A *.ppt briefing
B Reference List
None applicable
C Procurement Information
The United States Agency for International Development (USAID) has contracted for general IRM support with Computer Sciences Corporation (CSC) under the Agency's Principle Resource for Information Management Enterprisewide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at Appendix C *.doc.
D Evaluation Information
Not yet evaluated
E Recommended Changes
Version 1.0 of the BSP was reviewed after conducting cyber-assistance visits to Phnom Penh, Cambodia and Manila, Philippines during November and December 2000. The review has determined the original BSP remains valid and has incorporated minor editorial revisions.
F Glossary
None applicable