
Version FINAL Unclassified//Official Use Only August 2011

Red Team Report CleanSweep: Technical Details


Prepared for:
United States Department of Labor
Mr. Ed Hugler, Deputy Assistant Secretary for Operations
United States Department of Labor
Frances Perkins Building
200 Constitution Avenue
Washington, DC

Prepared by:
Scott Maruoka, RT Project Lead
Department 5627
Sandia National Laboratories
505P O Box 5800, MS 0620
Albuquerque NM 87185-0671

Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

For additional information, contact: Han Wei Lin, Project Manager Phone: 505 Email @sandia.gov

OFFICIAL USE ONLY
May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), Exemption 5, Privileged Information. Department of Labor review required before public release.
William Atkins, Org. 05628, 29 AUG 2011

OFFICIAL USE ONLY CleanSweep Contents

Table of Contents
Executive Summary
CleanSweep: Technical Details
Introduction
Objective
Rules of Engagement
Scope
Red Team
Analysis Environment
Methodology
Threat Model
Nightmare Consequences
Adversary
Analysis
Attack Graph
Summary
Observations
Recommendations
Attachment 1: Agenda
Attachment 2: Cost Estimates

August 2011

OFFICIAL USE ONLY

Page ii

Executive Summary
Over the course of the last four years, the DOL was approached by various regulatory authorities (e.g. OIG, SEC, and FBI) concerned that key economic data were potentially subject to unauthorized, premature release. The economic data in question are subject to an embargo process whereby DOL controls the timing of its release to reporters and the general public. The objective for CleanSweep was to identify potential vulnerabilities in the DOL Press Lockup room facility and associated data embargo and release procedures, provide mitigation options for vulnerabilities identified, and assist in mitigation verification should DOL decide to implement recommended mitigation options.

CleanSweep customers included stakeholders from several organizations within DOL: Operations, the Office of Public Affairs (OPA), and the Bureau of Labor Statistics (BLS). Each of these entities had its own unique perspective regarding the nature of the perceived threat and, consequently, differing ideas on potential solutions. The common concern amongst these stakeholders revolved around the unauthorized, premature release of embargoed data.

Likely adversaries in this scenario are profit-driven, technically sophisticated individuals who may have considerable resources at their disposal. Their technical proficiency enables implementation of stealthy surveillance equipment. Though they are willing to bend and potentially violate rules and laws, violence is unlikely as an operational method.

Though DOL, BLS, and OPA personnel are doing due diligence in their efforts to monitor the press lockup facility, their efforts are complicated by the presence of non-DOL IT equipment and communications lines in this facility. The opaque nature of this equipment to DOL, BLS, and OPA stakeholders is a major impediment to ensuring that embargoed data is not released prior to authorization.

The presence of equipment owned by press organizations necessitates that access to areas housing DOL communications and data infrastructure is made available to contractors working for these press organizations to conduct maintenance. This access, though controlled by DOL personnel escorting such maintenance contractors, creates opportunities for adversaries to compromise critical DOL communications and data infrastructure.

The following actions would mitigate against risks identified during CleanSweep:
• Replace computers and other IT equipment in the Press lockup facility with DOL-owned equipment and remove the private data lines currently in use. This would eliminate the need for the Black Boxes altogether.
• Prohibit anyone other than DOL personnel (or contractors working for DOL) from entering communications closets without a technically knowledgeable escort.
• Provide/train technically knowledgeable escorts.
• Modify existing policy to require personal items be kept in lockers outside of the Press Lockup room. Divestment should be a prerequisite for room entry.

Though not directly addressed in the SNL Red Team analysis, the apparent root cause for the issues driving this assessment is the presence of algorithmic traders in the press lockup facility. Modifying DOL policy on what criteria qualify applicants to attend release events would likely be of benefit.

CleanSweep: Technical Details


This section of the report is intended for personnel interested in the details of the Sandia Red Team conclusions described in the Management Overview. Some of the information is repeated from previous sections to help establish context for those readers who have chosen to begin with this section. Where that information is repeated, additional detail is provided for the technical reader.

Introduction
Over the course of the last four years, the DOL was approached by various regulatory authorities (e.g. OIG, SEC, and FBI) concerned that key economic data were potentially subject to unauthorized, premature release. The economic data in question are subject to an embargo process whereby DOL controls the timing of its release to reporters and the general public. The focus of DOL management concern is the physical, technical, and procedural controls which constitute this embargo process.

Objective
SNL IDART was tasked to identify potential vulnerabilities in DOL press lockup room facilities and associated data embargo and release procedures, provide mitigation options for vulnerabilities identified, and assist in mitigation verification should DOL decide to implement recommended mitigation options.

Information sharing was performed via SNL external SharePoint (an SSL-enabled collaboration application).

Sandia's IDART team executed the following assessment activities:
1) Document Review: Analysis of available security processes, procedures, rules, security equipment technical specifications, floor plans, and other artifacts relating to the embargo process. Conduct open source research on pertinent subjects.
2) Kickoff meeting: Face-to-face engagement with key stakeholders in the embargo process to set common expectations for the assessment outcome, and finalize scope and the rules of engagement for assessment activities.
3) Vulnerability Assessment: IDART Team members conducted an inspection and evaluation of the physical attributes of the press lockup facility and surrounding areas within the Frances Perkins Building, the information technology equipment contained within the Lockup Facility, associated communications infrastructure, technical security equipment, and conducted interviews with DOL personnel tasked with implementing the embargo process.
4) Sandia National Laboratories technical specialists executed exterior and interior surveys of the radio frequency (RF) spectrum in the area of interest, and conducted another radio frequency spectrum analysis during an information embargo/release event. These personnel used a combination of proprietary and publicly available but controlled equipment and applications.
   a. Establish baseline RF readings for the target area.
   b. Conduct RF assessment of the target area during a press event.
   c. Compare results, identify anomalies.

Findings from these assessment activities were analyzed using the IDART methodology described throughout this document, and the results are recorded in this report.
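
The baseline/event comparison in steps a to c, sketched in Python as an added example; it is not part of the original report and is not the equipment or software Sandia used. The sweep data is constructed, and the 1 MHz bin width, 10 dB minimum rise, 4-sigma factor and -100 dBm noise floor are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Assumed parameters (not from the report): tune to the receiver in use.
BIN_MHZ = 1.0             # sweep resolution
MIN_RISE_DB = 10.0        # smallest rise over baseline worth an analyst's time
SIGMA = 4.0               # rise must also exceed SIGMA * baseline std-dev
NOISE_FLOOR_DBM = -100.0  # stand-in baseline for bins never swept before


def baseline_stats(baseline_sweeps):
    """Step a: collapse several quiet-room sweeps into per-bin (mean, std)."""
    per_bin = {}
    for sweep in baseline_sweeps:
        for freq_mhz, dbm in sweep.items():
            per_bin.setdefault(freq_mhz, []).append(dbm)
    return {f: (mean(v), pstdev(v)) for f, v in per_bin.items()}


def flag_bins(stats, event_sweep):
    """Steps b/c: return {freq_mhz: rise_db} for bins well above baseline."""
    flagged = {}
    for freq_mhz, dbm in event_sweep.items():
        mu, sd = stats.get(freq_mhz, (NOISE_FLOOR_DBM, 0.0))
        rise = dbm - mu
        if rise >= max(MIN_RISE_DB, SIGMA * sd):
            flagged[freq_mhz] = rise
    return flagged


def group_contacts(flagged):
    """Merge adjacent flagged bins so one emitter yields one contact."""
    runs, run = [], []
    for freq_mhz in sorted(flagged):
        if run and freq_mhz - run[-1] > 1.5 * BIN_MHZ:
            runs.append(run)
            run = []
        run.append(freq_mhz)
    if run:
        runs.append(run)
    return [
        {
            "start_mhz": r[0],
            "stop_mhz": r[-1],
            "peak_mhz": max(r, key=flagged.get),
            "rise_db": round(max(flagged[f] for f in r), 1),
        }
        for r in runs
    ]


def find_contacts(baseline_sweeps, event_sweep):
    """Full comparison: baseline statistics, per-bin flags, grouped contacts."""
    stats = baseline_stats(baseline_sweeps)
    return group_contacts(flag_bins(stats, event_sweep))


def make_sweep(noise_dbm, signals):
    """Constructed sweep: flat noise over 2400-2409 MHz plus named signals."""
    sweep = {f: noise_dbm for f in range(2400, 2410)}
    sweep.update(signals)
    return sweep


# Constructed baseline: a steady emitter at 2405 MHz appears in every sweep,
# so it becomes part of the expected environment rather than an anomaly.
BASELINE = [
    make_sweep(-95.0, {2405: -60.0}),
    make_sweep(-94.0, {2405: -61.0}),
    make_sweep(-96.0, {2405: -59.0}),
]
# Constructed event sweep: noise is 2 dB higher, the 2405 MHz emitter is
# unchanged, and a new signal occupies 2402-2403 MHz.
EVENT = make_sweep(-93.0, {2405: -60.0, 2402: -55.0, 2403: -58.0})

if __name__ == "__main__":
    for contact in find_contacts(BASELINE, EVENT):
        print(contact)
```

A flagged contact is only a lead for the analyst: as the report's RF monitoring shows, a contact can turn out to come from a source outside the facility.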

Rules of Engagement
SNL IDART actions were limited to observation and assessment during CleanSweep; no attempts were made to actively exploit potential vulnerabilities identified. DOL agreed to provide access and support to SNL IDART team members during assessment activities. These Rules of Engagement (ROE) were developed by SNL IDART personnel in concert with DOL officials, and were formulated to ensure that the Red Team assessment activities would not adversely impact DOL operations while concurrently providing results useful to DOL management for formulating risk-based corrective measures, if needed.

Of particular note is that IT systems (e.g. computers, monitors, I/O devices, routers, switches) within the press lockup facility are not owned by DOL, with the exception of the AirPatrol console and LAN. Each press agency with access to the lockup facility owns and maintains their own equipment, including the communications lines to the outside world. The SNL IDART Red Team was therefore limited to visual examination (no physical contact) and observation (visual and passive RF) when the systems were used by press personnel during a press release.

Notification: Sandia presented proposed assessment activities for CleanSweep to DOL officials in the Statement of Work (SOW) created prior to commencement of this project. Approval of the CleanSweep SOW signified DOL approval for the assessment activities documented therein. SNL agreed to notify DOL officials prior to the start of any assessment activity and obtain DOL approval before beginning any such activity. Sandia will notify DOL at the conclusion of the assessment and verbally provide the results. SNL IDART and DOL personnel worked jointly to develop the assessment schedule of activities, providing concurrence on assessment dates, times, and processes.

DOL officials were made aware of and consented to the requirement that federal law enforcement be notified should SNL IDART personnel discover surveillance devices during their assessment.

Information Protection: Information collected during the course of CleanSweep will be retained by Sandia in electronic work papers. A final report that includes notifications of findings, recommendations that summarize preliminary findings based on these data, and possible remediation actions for information technology security weaknesses or deficiencies will be provided to DOL officials at a results briefing. Sandia will destroy all retained copies of logs and data at the request of DOL.

Technical Details of this Sandia assessment report contains Official Use Only information describing specific vulnerabilities and attack steps for potential exploits. No classified information was generated during the course of CleanSweep activities. Sandia will protect all copies of logs and data appropriate to the level of sensitivity. All SNL IDART personnel agreed to protect and hold in confidence any DOL proprietary information discovered during the course of CleanSweep, and provided written assent of this agreement to DOL officials.

Scope
Ideally, Red Teams would prefer to identify every weakness in a target system, explore and test all vulnerabilities, and produce a report providing a complete picture of the target environment's security posture. In reality, a project's budget and schedule place a limit on the scope of assessment activities.

The IDART process adds further limits to project scope by specifying the threat model and associated adversaries and constraints. These limits are used as "reality checks" on Red Team courses of action and recommendations. For DOL, the threat model originally specified an adversarial upper limit of moderate capability, characterized by individuals or organizations seeking to profit from premature access to embargoed economic data. As explained by officials representing the Department of Labor, the Office of Public Affairs (OPA), and Bureau of Labor Statistics (BLS), the scope of this assessment was limited to how such an adversary might exfiltrate embargoed economic data from the press lockup facility during a press release event.

The Red Team concentrated on the following:
• Physical attributes of the press lockup facility and surrounding areas within the Frances Perkins Building, 200 Constitution Avenue NW, Washington, DC.
• Business processes associated with press embargo and release procedures as documented by policy, and as observed during an actual press release event
• Radio Frequency (RF) environment for the area of interest
• Computer and communications equipment in the press lockup facility
• Communications infrastructure for the press lockup facility

The Red Team specifically did not consider the following:
• Threats and vulnerabilities associated with DOL insiders
• Threats and vulnerabilities associated with DOL Information Technology (IT) systems used in the acquisition of data and production of finished economic analysis
• Surveillance vulnerabilities at other locations associated with the data embargo and release process
• Parallel embargo/release facility and process for television journalists

Red Team
Sandia/IDART created a team whose members possess skills specifically chosen to address the various issues presented by this project, with Red Team members representing several Sandia organizations. The team consisted of five (5) members with technical specialties including cyber security and threat assessment, IT system penetration and exploitation, physical security design and threat assessment, electronic surveillance, and risk management.

Analysis Environment
All CleanSweep activities occurred at the United States Department of Labor headquarters, located in the Frances Perkins Building at 200 Constitution Avenue, Washington, DC as depicted in Figure 1. The six-story steel and limestone building covers two square blocks near the base of Capitol Hill, and was completed in 1974.[1]

Figure 1. Frances Perkins Building exterior view from Constitution Avenue.

The IDART Red Team conducted preliminary analysis of information acquired during this assessment while on site, which was communicated to DOL stakeholders during an out-briefing at the conclusion of assessment activities. A copy of the CleanSweep agenda is provided as Attachment A.

Upon returning to the Sandia National Laboratories Albuquerque, NM facility, the Red Team and an IDART subject matter expert (who did not accompany the Red Team to DOL) conducted further analysis to identify and then refine potential attack scenarios and appropriate mitigation strategies.

Methodology
For this assessment, the Red Team used the IDART methodology illustrated in Figure 2. The IDART methodology follows the standard activities shown on the left of the figure by performing the work and developing the products shown on the right of the figure.

placed on the analysis or on the Red Team. The results of this phase are based on customer requirements and are usually produced by a joint Red Team/customer team, although sometimes the Red Team develops recommendations that are submitted to the customer for approval.

DOL officials and SNL management team members conducted initial discussions on the issue of a potential information leak of sensitive economic data during the embargo and release process, resulting in a preliminary site visit by SNL personnel. Subsequently, SNL IDART Project Manager, Han Lin, and Project Lead, Scott Maruoka, worked with DOL officials to create a Statement of Work (SOW) capturing and documenting project details regarding perceived threat, nightmare scenarios, associated milestones and deliverables, and project scope and constraints to IDART activities.

Data Collection
The second phase of the IDART Methodology consists of data collection. In this phase, the Red Team reviews all available applicable documentation, collects open source material relevant to the target system, and visits an operational customer site if feasible and appropriate. This phase serves to provide the Red Team with the appropriate background information to model the adversaries identified in the Threat Model. The Red Team develops a detailed description along with the mission and objectives of the target system. The Red Team also identifies its critical success factors: a list of objectives that will serve as indicators of Red Team success. The subsequent system characterization and analysis phases are very dependent on the accuracy and completeness of the system description generated in this step. As noted previously, IDART activities were limited to observation and assessment during CleanSweep, so success indicators were not applicable as no penetration and exploit tests were conducted.

CleanSweep data collection activities consisted of document review, interviews of DOL Operations, OPA, and BLS personnel, physical inspection of the press lockup facility and adjoining areas, wiring closets and telecommunications hub rooms, and observation of a live press event involving data embargo and release.

DOL provided the following data:
1) DOL Lockup Room Wireless Device Detection User Guide: combined concept of operations (CONOP) covers AirPatrol console, Mantis Handheld Bluetooth detector, and AirCheck WiFi tester equipment.
2) DOL Lockup Room Task Summary: step-by-step CONOP covering AirPatrol, AirCheck, and Mantis tools.
3) Press Room Activity logs 10 JAN 2011 - 12 APR 2011: chronologically ordered documentation of Press Lockup facility monitoring activities performed by BLS Information Assurance personnel; sample report form.
4) Black Box user's manual and technical specifications.
5) Equipment to Black Box Cabling guide.
6) Inventory of Black Boxes in use.
7) A Hall/Fillichio memo dated March 2, 2011 suggesting various changes to security policy and procedures for the Press Lockup facility.
8) Evacuation and shelter-in-place policy for the Press Lockup facility.
9) A draft copy of Lockup facility rules for press personnel and their employers.
10) A draft copy of Lockup facility responsibilities for DOL staff.
11) Numerous photographs of the Press Lockup facility workspaces.
12) Floor plans for the Frances Perkins building and the Press Lockup facility.
13) Findings from previous assessments conducted by BLS IA.
14) Timeline of security issues and associated mitigation measure implementation.
15) May 2008 letter from OPA to news organizations documenting security rules for the Press Lockup facility.
16) Meeting minutes from 2008 incident response.

Characterization
During system characterization, the Red Team combines all the inputs from the Planning and Data Collection phases with domain expertise to generate a variety of different viewpoints, such as those listed in the IDART Methodology diagram. Some viewpoints may be as simple as vendor-supplied network maps or physical diagrams. Others may show complex timing interactions between system components and external input sources.

Temporal View
Based on interviews of OPA and BLS personnel and firsthand observation, SNL IDART produced the temporal view illustrated in Figure 3, Data Embargo and Release timeline.

Figure 3. Data Embargo and Release timeline.

SNL IDART personnel noted that press attendees queued up outside the press lockup facility waiting for the room to open. Once allowed in, these press personnel dispersed to their various work areas. Sign-in and surrender of cell phones occurred after they had been allowed entry, with some individuals needing to be reminded by OPA personnel to sign in and turn in cell phones. Requiring press to sign in and surrender cell phones prior

Figure 7. Cluttered press work area, showing what appear to be networking appliances to the left of the workstation and monitor. Note the two Black Boxes atop the network gear.

The interior of the press lockup facility is somewhat crowded, and some of the work spaces used by press personnel are cluttered with IT equipment, as illustrated by Figures 7 and 8. Members of the SNL Red Team were somewhat surprised to find what appeared to be network appliances (e.g. switches and routers) capable of supporting infrastructure well beyond the workstations to which they were connected. Since these devices are not DOL-owned equipment, the Red Team was limited to visual-only inspection, and could not verify that computer and network appliance cases and chassis contained only standard equipment. As explained by OPA and BLS staff, the elaborate networking configurations are meant to give their owners an advantage over neighboring competitors in transmitting data when it is authorized for release.

During the live press release event, IDART personnel in the press lockup facility noted the ambient temperature became uncomfortably warm, likely due to the human occupants and the considerable amount of IT equipment present. Many of the work areas featured more than one Black Box, which are supplied by DOL.

Figure 8. Cluttered press work area, with Black Box under network appliance and obscured by telephone.

RF View
SNL technical personnel conducted external and in-conference inspections of the Radio Frequency (RF) environment both prior to and during a live press release, to detect the presence of clandestine surveillance devices in the area. No such devices were detected. A breakdown of these activities consisted of:
1) Search and analysis of the RF spectrum in the target area delineated as the press lockup facility. See Figure 9.
2) Technical and physical examination of fixtures, furnishings, and equipment located within the target area.
3) Technical and physical examination of electronic and electrical equipment, electrical wiring, and utility pathways.
4) Technical and physical inspection of the interior and exterior surfaces of the perimeter walls, floors, ceilings, and other structural objects within the target area.
5) Physical inspection of the exterior perimeter to include applicable spaces above and below the target area.

For RF monitoring during the press release, SNL technical personnel set up equipment in an office adjacent to the target area, with a BLS IA representative observing. An RF contact observed during the press release event was determined to have been caused by a source outside the Lockup facility, and was also identified by BLS IA personnel on their equipment.

Analysis
The Analysis phase is highly variable, depending on the project's budget and schedule, the Threat Model, and any constraints identified during the Planning phase. This phase can range from a Quick Look overview (as was conducted for CleanSweep), which identifies potential vulnerabilities and attacks without verification testing, to a detailed analysis in which the system or portions of it are subjected to a deep analysis with full attack development, validation, and countermeasure generation.

The intentionally limited scope and rules of engagement for CleanSweep dictated that no penetration testing and exploitation of identified vulnerabilities occur. Based upon information derived from document review, interviews, and direct observation on site, the Red Team conducted a tabletop attack brainstorm exercise resulting in attack graphs depicting potential attacks that team members thought had viable potential for success.

Threat Model
The IDART methodology begins by developing a threat model to be used for Red Team operations. As the scope of operations for CleanSweep was limited to observation and analysis, no attack exercises were conducted. Instead, threat and adversary modeling provided the basis for attack scenario vetting: what was realistic in terms of perceived attacker goals and capability limitations. This model defines the adversaries along with their skills, resources, and motivations. Establishing an adversary model allows analysts to postulate more accurately on what types of attack tools or weapons will likely be brought to bear against defenders, and so instruct as to the most appropriate mitigation strategies to employ.

Threats
The first step in developing a threat model is to establish which threats exist to the target system's mission and which threats the target system is intended to mitigate. Figure 11 shows general system threats as they relate to operational environments.

Adversary
Sandia has developed detailed models that identify the skill, resources, motivations and threats of various adversaries. That said, these models can rarely be simply plugged into a project. Since every system that a red team assesses has unique characteristics, the adversary models must be customized for each project. Sandia's adversary models allow for that.

The Red Team's choice of adversary models is driven by three factors:
• The threats and nightmare consequences identified by the Red Team and customer: More complex nightmare consequences often, but not always, require more sophisticated adversaries.
• The maturity of the system: More mature systems can benefit from Red Team emulation of more sophisticated adversaries, as lower-level threats have often already been addressed. Less mature systems profit more from less sophisticated adversarial attack. Since even trivial attacks are likely to succeed, there is little reason to show that high-level attacks are successful.
• Project budget and schedule and information available to the Red Team: Highly sophisticated attacks such as those at the nation-state level (Cyberterrorist organizations, Military Information Operations units, and Foreign Intelligence Services) usually require in-depth knowledge of the target system. The Red Team can acquire such information in two ways: synthesize it, limited by project budget and schedule, or obtain it from the customer or system vendor. If these options are limited or not available, the Red Team will not be able to adequately emulate the higher threat levels and will choose to hold adversary capabilities to a lower limit.

DOL Adversary Model


As noted previously in the scope section, DOL management perceived that a potential threat exists from individuals or organizations wishing to profit from premature, unauthorized access to key economic data. Advance knowledge of such data would give its possessor a head start advantage against other financial traders who transmitted the information later, during the official release.

According to DOL officials interviewed during this assessment, concern exists over which press organizations are allowed access to informational release events. At the heart of the debate is what criteria should define a press organization vs. a business primarily interested in supplying data for algorithmic trading. The line between such entities is blurred by organizations which provide both traditional journalistic content as well as algorithmic trading products to their customers. Interviews with DOL officials indicate this issue is relevant because organizations primarily concerned with algorithmic trading would have significant monetary incentive to circumvent the embargo imposed on key economic data prior to its official release. A New York Times article posted contemporaneously with the writing of this report stated that High Frequency Traders (a type of algorithmic trader) made $12.9 billion in profits in the last two years.[2]

With the assessment scope limited to the press lockup facility and associated data embargo and release processes, the SNL IDART Red Team focused only on adversaries with opportunity, motivation and willingness to subvert security controls specifically associated with this facility. This was an important limitation in that it effectively excluded common adversaries using the Internet as a preferred attack vector[3,4] while DOL Internet-connected systems where the key economic data of interest is produced and stored are not within the defined scope of CleanSweep. The full spectrum of adversaries is illustrated in Table 1, the Generic Threat Matrix.

Table 1: Generic Threat Matrix. Foregoing potentially loaded terms such as hacker or nation state actor, the Generic Threat Matrix provides a qualitative categorization of adversaries based upon attributes describing their capabilities in terms of technical and organizational capacity.

This matrix provides qualitative values to key adversary attributes, enabling the Red Team to gauge the capability level and attack tools, tactics, and processes such an adversary would bring to bear[5].

Information provided by DOL officials and personnel and gleaned by the SNL team during their assessment activities indicates the following adversary threat profile for the press lockup facility and data embargo and release process:

Intensity: Medium. The threat is moderately determined to pursue its goal and is willing to accept some negative consequences resulting from that pursuit. Acceptable consequences may include imprisonment, but usually not the death of group members or innocent bystanders.

Stealth: Medium. The threat is moderately capable of maintaining a necessary level of secrecy in pursuit of its goal, but is not able to completely obscure details about the threat organization or its internal operations.

Time: Weeks to Months. The threat is capable of dedicating several months to planning, developing, and deploying methods to reach an objective.

Technical Personnel: Tens. The threat is capable of dedicating a small, independent group of individuals to provide the technical capability of building and deploying weapons. There is full communication between the members of the group.

Cyber Knowledge: High. The threat is capable of using expert proficiency, both theoretical and practical, in pursuit of its goal. The threat is able to participate in information sharing and is capable of maintaining a training program, as well as a research and development program.

Access: Medium. The threat is able to plan and place a group member with indirect or limited access within a restricted system.

The Kinetic Knowledge category was not used in this analysis, as such capability was not judged to be necessary to compromise the target environment.

The sum of these attributes falls between levels five (5) and six (6), both within the medium range of threat actor. The team assessed that the adversary here lacked the high level of intensity because it is unlikely they would employ violent means to meet their goal of exfiltrating embargoed data prior to the official release time. This adversary has a high rating for cyber knowledge capability because of the highly technical nature of algorithmic trading.

In summary, likely adversaries in this scenario are profit-driven, technically sophisticated individuals who may have considerable resources at their disposal. Their technical proficiency enables implementation of stealthy surveillance equipment. Though they are willing to bend and potentially violate rules and laws, there are limits to what these adversaries are willing to do to achieve their goals; violence is unlikely as an operational method.

Analysis
In this section we discuss the attacks that were developed and run by Red Team personnel. Using the IDART methodology, the Red Team begins analysis of the target system and creates the various viewpoints discussed above in the Characterization section. Next, the team holds a brainstorming session, inviting Sandia employees that have expertise in the areas addressed by the target system. The Red Team lead describes the target system, presents and explains the viewpoints, and answers any questions before beginning the brainstorming.

During brainstorming, very little filtering is applied to submitted ideas. If an attack idea will obviously not work or violates the ROE, it may be filtered immediately. Otherwise, all ideas are added to the attack graphs and will be filtered later. This allows all ideas to inspire other ideas that may not be filtered.

The result of the brainstorming session is the project's attack graph: a diagram that suggests start states, end states, and attack paths connecting the two states. Many of the attack steps will be invalidated, and some will be filtered because they are beyond

Attacks are rated in severity from critical, denoting a near certain likelihood of occurrence, to low, denoting an unlikely event. Table 2, Attack Step Risk Ranking System, captures these metrics. None of the attack steps were identified as critical or important.

Rating      Definition
Critical    An attack step that has a near certain risk of occurring in the future if it has not already happened
Important   An attack step that is very likely to occur in the future and may already have taken place
Moderate    An attack step that is likely to occur in the future and could already have taken place
Low         An attack step that is unlikely to occur in the future and probably has not yet occurred

Table 2: Attack Step Risk Ranking System. For each attack step we provide a statement of what was or could be done by an attacker.

Attacks


Mitigation Options:
Modify existing policy to require personal items be kept in lockers outside of the press lockup room. Divestment should be a prerequisite for room entry. Cost: Low.
Metal detector at press lockup facility entry. Security checkpoints at building entrances are some distance away from the Lockup facility, and press personnel are not escorted between points. Cost: Medium.
Remodel press lockup facility with RF shielding. Attenuating material blocks RF communications into or out of the facility. Cost: Medium/High.
Replace computers and other IT equipment in the press lockup facility with DOL-owned equipment and remove the private data lines currently in use. Cost: High.
Retain status quo. Cost: Nil.

Attacks


Mitigation Options:
Replace computers and other IT equipment in the press lockup facility with DOL-owned equipment and remove the private data lines currently in use. Cost: High.
Prohibit anyone other than DOL personnel or contractors working for DOL from entering communications closets without a technically knowledgeable escort. Cost: Medium.
Provide/train technically knowledgeable escorts. Cost: Medium.
Retain status quo. Cost: Nil.


Mitigation Options:
Limit the number of Black Boxes each press organization may use. Cost: Nil.
Mount Black Boxes to wall or on raised shelves so that the equipment is within plain view. Use uniform, color-coded, DOL-issued cables between Black Boxes and IT equipment. Cost: Low/Medium.
Adopt tamper-evident decals for inventory tags. Cost: Low.
Replace computers and other IT equipment in the press lockup facility with DOL-owned equipment and remove the private data lines currently in use. This would eliminate the need for the Black Boxes altogether. Cost: High.
Retain status quo. Cost: Nil.


Summary
Though DOL, BLS, and OPA personnel are doing due diligence in their efforts to monitor and control the press lockup facility, SNL IDART observations indicate opportunities for security improvements, ranging from relatively low-cost changes to existing policy up to investing in new IT infrastructure for the press lockup facility. Table 2, Comparison of Mitigation Alternatives, captures the criteria such as cost, risk, and performance for each option. Also included are scheduling requirements relative to SNL follow-up activities to verify/validate effectiveness of implementation.

Policy Issues
The data embargo and release process is well established, and enjoys an advanced level of maturity. Requisite data security policies already exist, but may lack optimal implementation.

Current policy requires press personnel to surrender cell phones in the press lockup facility prior to the distribution of embargoed data. An improvement to this prudent rule would be to collect cell phones and other personal items such as purses, briefcases, tote bags, etc. prior to granting entry to the facility, and securely storing these items outside for the duration of the press release event.
1. Cost: Low. Approximately $2,200.00 for hardware and shipping plus labor to install.
2. Risk: Low. Potential pushback from press; potential liability for lost/damaged personal items.
3. Performance: Medium value.
4. Schedule priority: Medium. Follow-up would consist of observing new process in action.

Another policy requires that non-DOL personnel be escorted while accessing wiring closets and communications hubs. Ensuring that only technically knowledgeable personnel are given escorting duties would be a significant enhancement to this practice, as would be documenting process and procedures, and training assigned escorts in security concepts (e.g. maintain visual contact on charges for the duration of each visit, limiting the number of visitors per escort, who to contact and what to do should an incident occur, what constitutes an incident).
1. Cost: Medium. Personnel wages associated with assigning technical staff (vs. non-technical, who potentially have lower hourly cost) and development, documentation, and implementation of training.
2. Risk: Medium. Pushback from DOL employees regarding additional assignments; lack of qualified personnel; prioritizing current assignments vs. escorting; cost of hiring new staff.
3. Performance: High.
4. Schedule priority: High. Multi-step solution requires early start; potential delays for contract negotiation pertaining to escort duties; policy and procedure development, documentation and implementation of training.

Press organizations are currently allowed to use their own equipment in the press lockup facility, with some parties implementing complex configurations to include infrastructure-grade networking appliances and utilizing multiple, DOL-supplied Black Boxes. The resulting clutter, power consumption, heat generation, and government expense for supplying Black Boxes could be reduced by changing existing policy to limit each press work area to a standard equipment configuration (e.g. a single computer, monitor, keyboard & mouse).
1. Cost: None.
2. Risk: Medium. Pushback from press organizations.
3. Performance: Medium. Reduces clutter, making Black Box status identification easier; reduces heat generation, power consumption.
4. Schedule priority: Medium. Though minimal in implementation effort, SNL project period performance (PoP) end is March 2012.

Another policy option is to completely disallow non-DOL equipment. Cost, risk, performance and technical ramifications of this path are discussed in the next section.

Technical Issues
The presence of non-DOL IT equipment and communications lines in this facility is of concern to the Red Team. The opaque nature of this equipment to DOL, BLS, and OPA stakeholders is a major impediment to ensuring that embargoed data is not released prior to authorization, and the presence of outsider equipment opens attack vectors into the DOL environment. Because DOL may not conduct technical inspection of this equipment or monitor data traffic for unauthorized activity, there is no way to ascertain with certainty that DOL data is not being exfiltrated without DOL authorization.

Allowing press organization-owned equipment and communication lines in the press lockup facility creates a need for non-DOL maintenance personnel to access DOL communications and data infrastructure. Replacing press-owned equipment and data lines with a DOL-owned solution would remove opportunities for adversaries to compromise critical DOL communications and data infrastructure.
1. Implementing a DOL-owned IT solution for the press lockup facility would entail the purchasing, configuring, and maintaining such equipment.
2. An appropriate solution could be tailored to a bare-bones configuration to save cost and reduce attack surface. Services limited to Internet access should provide adequate functionality for traditional journalists, while redirecting the burden of enhanced capability away from DOL and onto those who desire it. Applications (e.g. MS Word, algorithmic trading applications, etc.) would reside on press organization servers, and not be the responsibility of DOL to license, maintain, and patch.
3. Such a solution would likely reduce heat generation and energy costs for the press lockup facility.
4. DOL would have complete control over press lockup facility hardware and software and the ability to monitor as well as terminate/enable data communications.
5. Such a solution would be segregated from DOL Enterprise environments.
   Cost: High. Approximately $66K for hardware and software, $3.2K annually for licenses, and between 0.5-1.0 FTE for maintenance/administration (please see Attachment 2: Cost Estimates for details).
   Risk: High. Pushback from press; future increases to licensing costs; onus of defending new environment; ensuring segregation from DOL enterprise environment.
   Performance: High. Eliminates uncertainties surrounding non-DOL equipment capabilities and access to wiring closets; reduces clutter, heat generation, power consumption; eliminates Black Box costs.
   Schedule priority: High. Complex, multi-phase option requires immediate start to facilitate completion prior to end of SNL PoP.

1. Cost: High. Approximately $40K.
2. Risk: Medium. As with any technical project, unintentional service disruptions may occur, with associated costs to productivity and equipment replacement; in the event that unauthorized surveillance devices are identified, law enforcement must be notified immediately.
3. Performance: High. Would provide DOL leadership with clean bill of health for their communications infrastructure (up to that point in time).
4. Schedule priority: Medium. Should only be done after removing press-owned IT equipment and communication lines and implementing qualified/trained escorts.

The Black Box devices currently employed to control the release of embargoed data in the press lockup facility are simple and fairly robust. However, the current concept of operations governing their use makes compromising or circumventing this control mechanism a plausible occurrence. The cluttered nature of the facility, plethora of non-DOL equipment, and multiple instances of Black Boxes for some press organizations create opportunities to mask activities designed to neutralize these control devices.


1. Seal Black Boxes with tamper-resistant/indicating inventory labels. Develop and implement policy to monitor labels for tampering.
   Cost: Low. From $9.00/250 basic seals or $1,200.00/20K for hologram seals; personnel time/wages for developing, documenting, and implementing process; auditing/checking for tamper indications.
   Risk: Low/Medium.
   Performance: Low for basic seals/Medium for hologram seals.
   Schedule priority: Low.
2. Mount Black Boxes to wall or on raised shelves so that the equipment is within plain view. Use uniform, color-coded, DOL-issued cables between Black Boxes and IT equipment.
   Cost: Low/Medium. Labor for installation; standardized cabling.
   Risk: Low.
   Performance: Medium.
   Schedule priority: Medium.

As noted previously, surreptitious use of transmitting devices was identified as a potential vulnerability. Installing RF shielding in the press lockup facility would mitigate against this vector by attenuating RF signal strength. Products such as foil-backed sheetrock are a relatively inexpensive implementation.
1. Cost: Medium. Materials + labor.
2. Risk: Low.
3. Performance: High. Correctly implemented shielding would greatly reduce the effectiveness of transmitter attacks from within the press lockup facility; this option would eliminate the need for in-room RF monitoring.
4. Schedule priority: High.


Observations
ROE Constraints of Note
The SNL IDART Red Team was limited to observation and assessment activities; no active exploitation exercises were performed during the course of CleanSweep. The scope of allowed activities was limited to the press lockup Room and associated data embargo and release processes.
1. Other areas associated with preparation of the target data were not subject to observation and assessment.
2. Operational IT systems associated with preparing/producing the target data were not subject to observation and assessment.
3. Adversary modeling specifically excluded DOL personnel insider threat.

Potential Avenues
The following activities were proposed to DOL but not sanctioned during this activity (see footnote 1).
1. Technical evaluation and assessment of BLS IT environments.
2. Technical evaluation and assessment of RF environment at BLS.

Recommendations
There are areas for improvement in policy development and implementation, and for technical mitigation strategies to better secure the Press Lockup facility.

Should DOL decide to pursue mitigation options specific to the Press Lockup facility, the Red Team suggests the following measures take priority status:
1. Disallow non-DOL-owned IT equipment and communication lines from the Press Lockup facility or anywhere else on DOL premises.
2. Require technically cognizant escorts accompany non-DOL personnel into wiring closets and communications hubs.
3. Require non-DOL personnel to surrender personal items prior to entering the Press Lockup facility. External storage lockers could secure belongings for the duration of press events.

Footnote 1: Current reporting from open and sensitive sources indicates computer targeted network exploitation (CNE) as the most prevalent method of unauthorized data exfiltration from a wide range of adversaries. It is the opinion of Red Team Cyber Security subject matter experts that the IT environments where the data are produced are more likely avenues for data loss than is the Press Lockup facility. CNE offers advantages such as anonymity to an adversary due to the difficulty of conclusively attributing malicious actions over the Internet to specific individuals vs. actions carried out in person in the Press Lockup facility. Compromise of IT systems provides an adversary long-term, unauthorized accesses to potentially valuable information with little chance of discovery.


Attachment 1: Agenda

Project CleanSweep Site Assessment


Han Lin, Project Manager; Scott Maruoka, Technical Lead; Will Atkins, Michael Freund, Lyle Hansen, Technical Team. 7-8 July, 2011
U.S. Department of Labor Frances Perkins Building 200 Constitution Ave, NW

Thursday, July 7, 2011


8:30 am  Introductions
    All
9:00 am  DOL/BLS Mission & Goals
    S-2203 Conference Room
    Ed Hugler, Deputy Assistant Secretary for Operations
    Carl Fillichio, Senior Advisor for Communications and Public Affairs
    Michael Levi, Associate Commissioner, BLS Office of Publications and Special Studies
9:30 am  SNL IDART Agenda
    S-2203 Conference Room
    Han Lin, Michael Freund, Lyle Hansen
    Manager, Networked Systems Survey & Assurance; Technical Team


10:00 am  Introduction to IDART
    S-2203 Conference Room
    Will Atkins & Scott Maruoka, IDART Team
11:00 am  Break
11:15 am  Introduction to IDART
    S-2203 Conference Room
    Will Atkins & Scott Maruoka, IDART Team
12:00 pm  Lunch
1:00 pm  Technical Team setup
    S-2203 Conference Room
    Michael Freund, Lyle Hansen
1:00 pm  Facility Wireless System Assessment
    Will Atkins
1:00 pm  Interview with Jermaine Pegues
    Han Lin, Scott Maruoka
    S-2203 Office
1:30 pm  Interview with Gary Steinberg
    Han Lin, Scott Maruoka
    S-2203 Office


2:00 pm  Interview with Rick Vaughn
    Han Lin, Scott Maruoka
    S-2203 Office
2:30 pm  Interview with Anthony Ferreira
    Han Lin, Scott Maruoka
    S-2203 Office
3:00 pm  Interviews with Carl Fillichio
    Han Lin, Scott Maruoka
    S-2203 Office
4:00 pm  SNL Team Members depart
    All

Friday, July 8, 2011


6:30 am  Briefing Preparation
    SNL Technical Team
8:00 am  Press Briefing
    SNL Technical Team
9:00 am  Interview with Jennifer Kaplan
    Han Lin, Scott Maruoka
    N-1649 Conference Room
9:30 am  SNL Team Discussion & Analysis
    SNL Technical Team
    N-1649 Conference Room
12:00 pm  Lunch
1:00 pm  Presentation of Initial Findings
    SNL Technical Team
    N-1649 Conference Room
3:00 pm  SNL Team Members depart
    All


Vanguard Metal QS Assembly: Assembled
Vanguard Metal QS Color: Grey
Cost: $1,279.92; shipping: $880.00; Total: $2,159.92

Lockers and Storage Catalog: http://lockerscatalog.com/items.asp?Cc=LLOCKQSW&iTpStatus=0
Hallowell Wall Mounted Premium Box Locker
Product ID: L236-1095
Weight: 50 LB
Dimensions: 48 W X 18 D X 12 H
Color: Grey
Unassembled
Cost: $1,440.00; shipping: $880; Total: $2,320.00

Lockers.com: http://www.lockersupply.com/
Penco Quick Ship: Vanguard Unit Packaged Lockers - Four-Wide Wall Mount - 68242
SKU #: PN1122
Dimensions: 13.625" H x 45" W x 18" D
43.0 lbs.
Unassembled
Cost: $1,463.92; shipping: 116.19; Total: $1,580.11

Tamper-evident Labels
Tamperco: http://www.tamperco.com/Tamper Void Tamper Evident Labels s/22.htm
Tampervoid labels: $9.00/250
Hologram labels: $1,200.00/20K


References
1 Eugene Register-Guard (no author attributed), Labor building named for Madame Secretary, April 11, 1980, http://news.google.com/newspapers?id=jIMRAAAAIBAJ&sjid=3eEDAAAAIBAJ&pg=5679,291081 7&dq=frances-perkins-building&hl=en
2 New York Times (no author attributed), High Frequency Trading, August 9, 2011, http://topics.nytimes.com/topics/reference/timestopics/subjects/h/high frequency algorithmic tra ding/index.html?scp=1-spot&sq=High%20Frequency%20Trading&st=cse
3 Cisco, Cisco 2010 Annual Security Report, http://www.cisco.com/en/US/prod/collateral/vpndevc/security annual report 2010.pdf
4 Alperovitch, D. Revealed: Operation Shady Rat, McAfee Blog Central, http://home.mcafee.com/AdviceCenter/ExternalContent.aspx?id=cm malb
5 Dugan et al, Sandia National Laboratories, Categorizing Threat: Building and Using a Generic Threat Matrix, September 2007.
