(my “day job” – Chief Systems Engineer (CSE) for large deck ships & shore sites - SPAWAR HQ 5.0.2 / 5.2)
Good for public release.
What’s Wrong With This “Security”?
What level of “cyber” protection is provided here?
Capabilities that are “invisible” (IA/cyber, safety, reliability) - what you see is not the whole picture!
Gates were completely locked, properly installed, configured and validated.
I could not get through them, but it seems there are “cyber” issues!
Presentation Value Proposition
• Today’s presentation
– Independent view, accommodates commercial and government
– Technical / capability aspects versus organizational / political
– Covers a wide range of assessments and perspectives
– Presents actions based on several IA/cyber papers and efforts
• Bottom line:
– What really matters in “cyber” is essentially the same as what ails us today in effectively correlating IO/CNO and IA/CND “protections”
Warning…. This is an engineer’s perspective, so it’s overly busy and all PowerPoint rules are violated! Don’t try to absorb it, but get a “sense” of it all…;-))
Summary Preview
– Global reach
– RoE / CONOPS & impact
– Kinetic = virtual AND sensors
– “NO” boundaries everywhere
– ISR/METOC, SPACE, Networks, ETC, Etc, etc!
– Legal aspects rule
– No clear Cyber IFF!
(Source: derived from JS Cyber 101 brief)
What makes Cyber different?
Given Cyber = “virtual” warfare, somewhat different from the kinetic / physical environment we all know well
– Includes ALL Offensive and Defensive IT/IO/IA capabilities and DOTMLPF, ALL aggregated somehow
– Essentially a select critical technical combination of IO/CNO and IA/CND + more integration stuff
– A different virtual ROE than Kinetic – sometimes reversed, legally constrained (and what is “an act of War?”)
– Shared vulnerabilities mandate a proactive, dynamic defensive posture – a “mission kill” is one e-mail away
– Thus a crisis of prioritization, where everything is urgent, mandatory… and the many CoC lines are blurred
Many high-level cyber definitions and approaches abound
Yet FEW “definitive” enterprise top down action plans
DoD CND (and “Cyber”) Defense in Depth
The “smart” integration and collaboration between MANY needed IO & IA functions
[Diagram: CND capabilities (incident response / management, threat analysis, compliance scans, IAVM management, IDS, PKI, firewalls, IAP monitoring, standard IP block lists, DNS blackholes, ACLs, vulnerability scanning and remediation, in-line filtering and virus scanning, HBSS, content filtering, deep packet inspection, WIDS, DMZs, standardized configurations, insider threat, NAC, etc.) mapped across Tier III (HOST, LAN (POP/HUB)), Tier II (WAN (Enclave)) and Tier I (Navy GIG (NCDOC), DoD GIG (JTF-GNO)); the legend distinguishes “Funded and Rolling Out” from “Proposed or In Development”.]
Cyber = “mostly” Life-cycle education and proactive, dynamic defense….
(From NCDOC briefs)
Integration of Cyber Security and Defense
Threat
– New/Custom Trojans
– Stolen Credentials
– Spear Phishing
– Zero Day Exploits
– Soft Cert Searches
– Web Based Attacks
– Social Engineering
– Compromised Password Files
Where lack of “IA CM” is pervasive and undermines it all
Capabilities
• HBSS Deployment
• Content Filtering
• Joint Data Strategy
• NMIMC Integration
• SLIDR Pilot
• Insider Threat Tool Pilot
• OCRS / IAVA Spiral
• Tactical Sensor Pilot
• HBSS Pilot
• SCCVI/SCRI
Synchronized “cyber” capabilities to narrow the Threat Vectors
(From NCDOC briefs)
President's Cyber Plan
2 - Work with ALL the key players, including state and local governments and the private sector.
NSPD-54/HSPD-23: CNCI ‘12 Initiatives’
Many are still being finessed, and all need to be prioritized
Focus Area 1
– Trusted Internet Connections
– Deploy Passive Sensors Across Federal Systems
– Pursue Deployment of Intrusion Prevention Systems
– Coordinate and Redirect R&D Efforts
– Connect Current Centers to Enhance Situational Awareness
Focus Area 2
– Develop Gov’t-wide Counterintelligence Plan for Cyberspace
– Increase Security of the Classified Networks
– Expand Education
Focus Area 3
– Define and Develop Enduring Leap-Ahead Technologies, Strategies & Programs
– Define and Develop Enduring Deterrence Strategies & Programs
– Manage Global Supply Chain Risk
– Define Federal Role for Cybersecurity in Critical Infrastructure Domains
Shape future environment / secure U.S. advantage / address new threats
Leadership Summary / Recap / Results
(Cyber Security Collaboration Summit – SD – Nov 08)
Calling things “cyber” will not change the current IA and IO issues
These are still the activities that are needed for protecting the GIG
Recent IT/Cyber Leadership perspectives
A - Political / legal cyber approach
Cyber offense must be strictly monitored and controlled, due to potential escalation & State Department implications & countries suing each other
IA/Security is more leadership, strategic direction, than technical!
IA / Security “Best Practices”
• Best practices are not a panacea, complete, or what YOU need to do
• Do you even know your business protection needs? Do you have a current asset inventory?
• Determine what is “good enough” or “minimally acceptable”
• Quantify your environment’s threats and vulnerabilities
– your list should have 10 – 50 or so threats assessed
• Have a security policy that’s useful, complete, VIP endorsed
– yes, that’s HAVE A POLICY, choose a model, then enforce it too!
• Run self-assessment on security measures (use accepted tests, STIGs, etc.) and compliance (HIPAA, PCI, CFR, SOX, etc.)
• Training and awareness programs – needed, but not a black hole
• TEST your continuity, recovery plans, backup – can you restore?
• Encrypt where you can (do you need it for: IM, Chat, e-mail, file transfer, online meetings, storage, backup, etc.)
• Be familiar with the “NIST” IA/Security series – they are great!
• Always use capabilities off the preferred products lists (PPLs)
• A risk management plan should roll all these into one aspect
You can somewhat control and get what you plan, but will only get what you ENFORCE…
Where you can assist
Summary
• There are MANY IA/cyber initiatives in the works
– Follow the CNCI trail, that approach should prevail…
– Navy C&A: https://www.portal.navy.mil/netwarcom/navycanda
– http://www.commoncriteriaportal.org/
– http://www.amc.army.mil/amc/ci/matrix
– http://iase.disa.mil/index2.html (moved here: /policy/policy_new.htm)
– https://www.us.army.mil/suite/portal/index.jsp
– http://iac.dtic.mil/iatac/
Great sites too:
– http://www.cerias.purdue.edu/
– http://csrc.nist.gov/
– http://security.sdsc.edu/
– http://www.nsa.gov/ia/index.cfm
– http://iase.disa.mil/stigs/index.html
– http://www.iatf.net/
CYBER: A Non-Benign Environment
Various Issues
• National Threats
• Non-Nationals
• Criminal Elements
• Hackers
• Insiders
• INFO/EMCON
• EMI / RFI / MIJI
• Weakest Links
• Lack of “CM!”
It’s what you can’t “see” or the unknowns that WILL GET YOU / US!!!
What does a “simple” IA/Cyber end-state / vision look like?
What are the “Requirements”
Information Assurance (the diagram brackets Confidentiality, Integrity and Availability as INFOSEC):
• Confidentiality – Assurance that Information is Not Disclosed to Unauthorized Entities or Processes
• Integrity – Quality of Information System Reflecting Logical Correctness and Reliability of Operating System
• Availability – Timely, Reliable Access to Data and Information Services for Authorized Users
• Authentication – Security Measure Designed to Establish Validity of Transmission, Message, or Originator
• Non-Repudiation – Assurance Sender of Data is Provided with Proof of Delivery and Recipient with Proof of Sender’s Identity
WHAT parts belong where – wrt our collective enterprise cyber model?
Cyberspace Characteristics
All of the warfighting mission areas… in relation to other domains intersect…
[Diagram: overlapping “CIO”, “IO” and IA areas with C2, PKI/CAC, ID Mgmt, CND, CNO (Defend / Attack / Exploit), FISMA and C&A Support, IAMs, Policy, CMI/KMI, IA Services, Training, NETOPS, Apps; typical IA acquisition elements: multiple players, multiple PEs/Lines, multiple threats, multiple PMW/S/As, Enterprise Risk Mgmt., Requirements.]
Each sub-aggregation is responsible for the IA controls within their boundaries and also inherits the controls of their environment – need to formalize reciprocity therein!
Net-centric operations as well as the emerging new joint capabilities and integration development process are where the DoD is headed in the “Business of Warfighting”
Cyberspace “DATA QoP” (C-I-A and N & A)
– Complex… Dynamic… : IA&A and CBE / DCS settings (distributed / transitive trust model … E2E data-centric security and protections)
– Known… Static… : IA devices, network protection – CND – FW / IDS / VPN / etc. (in general, mature capabilities – but multiple unclear “CM” processes are persistent and problematic)
– IO … and ... IA A&E / Policy
Sys-high environment:
• Common User Trust Level (Clearances) across sys-high environment
• Privilege gained by access to environment and rudimentary roles
• Information “authority” determines required level of protection (QoP) for the most sensitive information in the sys-high environment – high water mark determines IT/IA/“Comms” Standards for all information
Transaction / COI environment:
• User Trust Level sufficient across Transaction/COI – varies for enterprise
• Privilege assigned to user/device based on operational role and can be changed
• Information “authority” determines required level of end-to-end protection (QoP) required to access information – translates to a set of IT/IA/“Comms” Standards that must be met for the Transaction to occur
We will be loosely connected, sharing information – and protected?
The Big Picture: XML Family of Specifications
Hard “IA/Cyber” Problems List (HPL)
• Original Version
– Composed in 1997-98 based on several government sponsored
workshops; Published in 1999
• Topics
– 1. Intrusion and Misuse Detection
– 2. Intrusion and Misuse Response
– 3. Security of Foreign and Mobile Code
– 4. Controlled Sharing of Sensitive Information
– 5. Application Security
– 6. Denial of Service
– 7. Communications Security
– 8. Security Management Infrastructure
– 9. Information Security for Mobile Warfare
– A. Secure System Composition
– B. High Assurance Development
– C. Metrics for Security
Areas of opportunities in Cyber…
From Homeland Security brief
IA / C&A Building blocks
• …. The desired end-state is in general one of a transformed single C&A process that accommodates all C&A needs and activities (re: T&E / V&V)
• End-state needs to integrate and accommodate several major perspectives / initiatives:
– (1) aggregation into some number of larger systems of systems (SoS) and enclaves / platforms,
– (2) platform IT (PIT),
– (3) the federal C&A transformation effort (bringing together DOD, IC and federal agencies), and
– (4) the new NNWC C&A process (for the Navy aspect).
• Develop a "security container" of sorts emulating the "CC" process (see http://www.niap-ccevs.org/cc-scheme/ ) that IA devices go through – establishes the same format / needs
• Natural to have a limited and controlled set of IA building blocks for a FEW main classes:
– IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc.)
– IA enabled capabilities (OS, web browsers, messaging systems, screening routers, etc.) (and we submit the IA/WSS standards need to go here too… prescribe a limited set of IA “profiles” with defined standards / protocols!)
– Services and Applications (we think we can define a standard "security container" for each, ideally a “class” – maybe a couple are needed for SOA/Services – we postulate the earlier three C&A types would work well)
– Critical IA capability devices (any key IT capabilities we may have missed and want to specifically consider)
– PIT Platform IT variants (there should be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HM&E, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc.)
– Remainder of NIST 95 descriptions: Intelligence activities; Cryptologic activities; command and control; weapons and their systems; systems for "direct military / intelligence" missions; and classified systems... Any “special cases” defined
– AND/OR consider the remainder of 8500.2 categories: AIS application; enclaves; outsourced IT; PIT interconnection (where Platform IT refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems, such as weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the R&D of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems)