Mike Davis
for the Information Systems Security Association (VP, ISSA, SD) and The Security Networks (Technical Advisor, TSN)
[email protected]
NDIA – 4 Oct
“Achieving Information Dominance: The Operational Edge”
Cyber Security – What is that - and what matters - really?
An overall perspective and general overview of our “Cyber Security – what REALLY matters” and “Cyber Security Prioritization Crisis” papers
Cyber Security EASY button!
October is the 7th Annual National Cyber Security Awareness Month
STUXNET
Yes, you are betting your livelihood and family QOL on getting cyber right.
What’s Wrong With This “Security”?
What level of “cyber” protection is provided here? Gates were completely locked, properly installed, configured and validated. I could not get through them, but it seems there are “cyber” issues!
Is it really that bad?
• “If the nation went to war today, in a cyber war we would lose.” (former Director of National Intelligence, Mike McConnell, 16 Feb 10)
• The United States would not be able to defend itself against a cyber-attack. “Prompt action is necessary.” (James A. Lewis, senior fellow, CSIS)
• Cyber Shockwave – we’re not prepared!
– Very tough to identify WHO is attacking – internet anonymity
– President has little to no overall authority to direct industry actions
– Essentially impossible to prosecute cyber crime, as international borders hinder virtual legal reciprocity and enforcement
YES… and even more so….
Summary Preview
• There are MANY IA/cyber initiatives in the works
– Follow the CNCI trail; that approach should prevail…
• We still need cyber enterprise “R”equirements, just as we do now for IA and IO and C&A and ….
– What is needed now, current issues, will exist in cyber
– W/o an enterprise risk management approach, any / all paths will do… and we stay in the crisis of prioritization
– Enterprise hygiene / CM mgmt & access control are key!
• We ALL need better collaboration – DOD & Industry
– Users / leaders must drive cyber = KISS = commodity
– YOU - drive – we ALL must coalesce, perfect the basics!
Cyber Security – the Journey (the B.L.U.F… bottom line up front)
BEST POTENTIAL IMPACT / THRUSTS: Education and training; Cyber Hygiene / DCEM; Enterprise risk management; IA / Cyber Governance; Cyber architecture = Proactive, dynamic CND / IA defense
STRATEGIC GOALS: DoN enterprise IA/cyber vision/strategy; Overall enterprise risk assessment (ERA); Align cyber resources and capabilities; Resolve lack of basic cyber hygiene (DCEM); Trusted enterprise cyber infrastructure; Integrate / leverage IO / CNO, effective education….
KEY ACTIVITIES: ERA / prioritized mitigations; Reduce IA complexity / enforce the rules; Cyber workforce capital management; Governance / collaboration; key IO/CNO attributes -> genser IA ….
FOUNDATION: Overarching vision / strategy; Common architecture / standards / profiles; enterprise trust model / access control; Integrated IA/CND as an SoS; Lifecycle education / training; Enterprise hygiene / CM (DCEM)…
SO… What / who is the issue?
- Top Cybersecurity Threat Is Customers / Users, Experts Say
- SANS: “Two risks dwarf all others, but organizations fail to mitigate them….”
• Priority One: Client-side software that remains unpatched. (but we can’t get into a patch tail chase, as threats morph quickly)
• Priority Two: Internet-facing web sites that are vulnerable. (we have much SANS / OWASP / NIST guidance – not followed / implemented)
- SANS - trends
• Rising numbers of zero-day vulnerabilities
• Application Vulnerabilities Exceed OS Vulnerabilities
• Web Application Attacks
• Windows: Conficker/Downadup
• Apple: QuickTime and Six More
A few more threat perspectives / scare tactics?
Websense’s 2010 list of security predictions and trends:
1. Web 2.0 attacks will increase in sophistication & prevalence
2. Botnet gangs will fight turf wars
3. Email gains again as a top vector for malicious attacks
4. Targeted attacks on Microsoft properties
5. Don’t trust your search results… or “LinkedIn” updates!
6. Smartphones are hackers’ next playground
7. Attacks through web advertisements
8. Macs are not immune either
• Cyber crime illegal revenues exceed all of the drug traffic
• Most attacks take place within the US, then from China
• YOUR assets will be compromised, used in other attacks, data / IP stolen,
President's Cyber Plan – Cyber requirements from the top
1 - Ensure accountability in federal agencies; cyber security will be designated as a key management priority.
2 - Work with ALL the key players, including state and local governments and the private sector.
3 - Strengthen the public-private partnerships.
4 - Continue to invest in the cutting-edge research and development necessary for the innovation and discovery.
5 - Begin a national campaign to promote cyber security awareness and digital literacy.
Cyber = A National Security Issue
• Cyberspace intrusions and attacks are a real and emerging threat
• U.S. faces a dangerous mixture of vulnerabilities and adversaries
• Cyberspace situational awareness is not mature (and not at all levels)
• PEOPLE, Information and the C4ISR infrastructure are targets
• Exploitation, disruption, exfiltration, misinformation or destruction are adversary goals (& bragging rights)
• Malicious cyberspace activity is increasing in regularity and severity
“Attacks on Critical Infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident.” -- 2007 National Infrastructure Protection Plan
Ubiquitous Presence… Salient Danger…
• 1.5 billion people on the Internet; much of Asia and Africa still to come (using wireless, which is cheaper to install)
• Upwards of 200B e-mails per day
• Critical to commerce, government, business processes, safety, etc.
• Exponential demand; 8 hours of YouTube uploaded every minute
• Increasing connections; global wireless and cellular usage
• Volumetric rise in data everywhere, with no enterprise data security and tracking approach (Internet = database)
What makes Cyber different?
Given Cyber = “virtual” warfare, somewhat different from the kinetic / physical environment we all know well
-- Includes ALL Offensive and Defensive IT/IO/IA capabilities and DOTMPLF, ALL aggregated somehow
-- Essentially a select critical technical combination of IO/CNO and IA/CND + more integration stuff
-- A different virtual ROE than Kinetic – sometimes reversed, legally constrained (and what is “an act of War?”)
-- Shared vulnerabilities mandate a proactive, dynamic defensive posture – a “mission kill” is one e-mail away
-- Thus a crisis of prioritization, where everything is urgent, mandatory… and the many CoC lines are blurred
Cyberspace Characteristics
• What’s the big deal?
– Man-made domain… complex and insecure by design
– Global stakeholders — public, private and government
– Speed of both action and change – zero separation
– Transcends physical, organizational and geopolitical boundaries – highly sensitive to political/legal influence
– Anonymity – identity/intent of players not always clear
RoE / CONOPS: Kinetic = virtual; “NO” boundaries; Legal aspects rule; No clear Cyber IFF!
Global reach & impact AND sensors everywhere, ISR/METOC, SPACE, Networks, ETC, Etc, etc!
What “cyber variables” can we affect?
Effective as-is, or have a lower added ROI:
- Prosecution / enforcement – near real-time forensics, global reciprocity?
- Offensive tools – good current capabilities, controlled use, escalation
- Try to fix all issues / problems – as many are intractable, givens, etc.
- Continue to emphasize perimeter defense – as they are already in!
Continue to finesse the first set; go full force on the last!
BEST potential impact and long term effectiveness:
- Improve education and training – cyber workforce capital management
- Enterprise risk management – using both threats & consequences
- Effective IA / Cyber Management – enforceable CM & a trust model
- Proactive, dynamic CND / IA defense – DCD, as the best offense
NSPD-54/HSPD-23: CNCI ‘12 Initiatives’
(Where are the lines / links / dependencies and CONOPS between all 12?)
Focus Area 1 – Establish a front line of defense: Trusted Internet Connections; Deploy Passive Sensors Across Federal Systems; Pursue Deployment of Intrusion Prevention Systems; Coordinate and Redirect R&D Efforts; Connect Current Centers to Enhance Situational Awareness
Focus Area 2 – Resolve to secure cyberspace / set conditions for long-term success: Develop Gov’t-wide Counterintelligence Plan for Cyberspace; Increase Security of the Classified Networks; Expand Education
Focus Area 3 – Shape future environment / secure U.S. advantage / address new threats: Define and Develop Enduring Leap-Ahead Technologies, Strategies & Programs; Define and Develop Enduring Deterrence Strategies & Programs; Manage Global Supply Chain Risk; Define Federal Role for Cybersecurity in Critical Infrastructure Domains
ALL Cyber efforts must leverage the Federal Investments
The HARD part is implementing enterprise integration, interoperability
Integrated CND & IA as a “SoS”
(all defensive “protections” must themselves act as one system)
• It’s all about TRUST – need a common enterprise trust model
– Some HAP/TSM is needed, but where to put which EAL devices?
– Need a common top-down, enforced IA / Cyber architecture / model
– Need an alternative to commercial ISP – leverage existing dark fiber?
• Effective / secure enterprise access control is everything:
– IA&A implementation focus = authorization based access control … complemented by ABAC, RBAC, even RAdAC as an end-state…
• Proactive/Dynamic Defensive I&W
– Detect abnormal patterns, characteristics, attributes, unusual requests.
– Provide auto alerts; divert questionable actions; “wrap” issues/problems
(This is the “catch all” capability, as we can’t protect everything near 99%)
• Life cycle education and training must parallel acquisition
• Integrated Computer Security Operations Centers (eg: GNOSC, etc)
– Centralized V&V / assessment collection and reporting (NCDOC / NIOC)
– Fully integrated with DNDO – dynamic network defensive operations
• Institutionalize Dynamic Cyber Enterprise Management (DCEM)
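The “Proactive/Dynamic Defensive I&W” bullet above (detect abnormal patterns and unusual requests, auto-alert, divert questionable actions) can be shown end to end in a few dozen lines. The following is an added example, not code from the deck or from any NCDOC/NIOC tool: it builds a per-user profile from a constructed training window, scores new access events on three assumed indicators (unknown destination host, unusual hour, unusual volume), and applies an assumed allow / alert / divert policy. Event names, thresholds and the policy are illustrative assumptions.

```python
"""Defensive indications & warnings (I&W) check: learn what "normal" looks
like for each user from a training window, then score new access events for
abnormal attributes (unknown destination, unusual hour, unusual volume) and
decide whether to allow, alert on, or divert each one for review.

Added example, not from the deck. Events, thresholds and the allow/alert/divert
policy are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    user: str
    host: str        # destination host
    hour: int        # hour of day, 0-23
    bytes_out: int   # bytes sent by the user to the host


# Constructed training window: known-good activity used to build profiles.
TRAINING = [
    Event("alice", "fileshare", 9, 2_000), Event("alice", "fileshare", 10, 3_000),
    Event("alice", "mail", 11, 500), Event("alice", "fileshare", 14, 2_500),
    Event("alice", "mail", 16, 700),
    Event("bob", "wiki", 8, 400), Event("bob", "wiki", 13, 600), Event("bob", "mail", 15, 300),
]

# Constructed events to score against those profiles.
NEW = [
    Event("alice", "fileshare", 10, 2_200),     # looks normal
    Event("alice", "hr-db", 3, 40_000_000),     # new host, 03:00, huge volume
    Event("bob", "wiki", 12, 500),              # looks normal
    Event("bob", "fileshare", 14, 800),         # new host only
    Event("carol", "wiki", 9, 100),             # no profile at all
]


def build_profile(events: List[Event]) -> Dict[str, dict]:
    """Per-user set of seen hosts, seen hours and the largest volume seen."""
    prof = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_bytes": 0})
    for e in events:
        p = prof[e.user]
        p["hosts"].add(e.host)
        p["hours"].add(e.hour)
        p["max_bytes"] = max(p["max_bytes"], e.bytes_out)
    return prof


def score(event: Event, profile: Dict[str, dict]) -> Tuple[int, List[str]]:
    """Count of abnormal attributes plus the reasons (assumed indicator set)."""
    p = profile.get(event.user)
    if p is None:
        return 3, ["no profile for user"]   # an unknown actor is treated as fully abnormal
    reasons = []
    if event.host not in p["hosts"]:
        reasons.append("new destination host")
    if not any(abs(event.hour - h) <= 1 for h in p["hours"]):
        reasons.append("outside usual hours")
    if event.bytes_out > 10 * p["max_bytes"]:
        reasons.append("volume more than 10x previous maximum")
    return len(reasons), reasons


def decide(event: Event, profile: Dict[str, dict]) -> Tuple[str, List[str]]:
    """Policy: 0 indicators allow, 1 alert, 2 or more divert (hold for review)."""
    s, reasons = score(event, profile)
    action = "allow" if s == 0 else "alert" if s == 1 else "divert"
    return action, reasons


def triage(events: List[Event], profile: Dict[str, dict]) -> List[Tuple[str, str, str, List[str]]]:
    """(user, host, action, reasons) for each event, in order."""
    return [(e.user, e.host, *decide(e, profile)) for e in events]


if __name__ == "__main__":
    prof = build_profile(TRAINING)
    for row in triage(NEW, prof):
        print(row)
```

The point of the “divert” outcome is the slide’s own: the questionable action is held rather than blocked outright, so a false positive costs a review instead of an outage. A production profile would use a rolling window and per-host volume rather than a single maximum, but the shape of the decision is the same.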
Dynamic Cyber Enterprise Management
1 - Institutionalize enforceable configuration management
- Established baselines, manage dynamic “settings ‘C.I.s’”
- Properly configured / CCB (servers, routers, firewalls, etc)
- Patches, updates, IAVA – “delta / increment” change mgmt
- Verification / Auditing / Certification & Accreditation (C&A)
2a - Continuous monitoring & reporting
- Automatic reports / alerts – fed to users & central repository
- Integrated with NetOps and Infocon (IPS-like actions)
2b - Intuitive situational awareness – automated dashboard
- Must have an enterprise network picture – can’t manage unknowns
3 - Life cycle best practices / SOPs – institutionalize rigor
NSA IAD – poor IA management factors (CM, monitoring, follow SOPs) = 80%
NCDOC – lack of IA accountability (poor CM, inadequate IAVA, misuse) = 90%
Verizon Data Breach Report – not implementing known fixes and capabilities = 87%
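Steps 1 and 2 of DCEM (an established baseline of configuration items, continuous monitoring with automatic alerts, and a dashboard that shows the enterprise picture) reduce to one mechanical check: compare what is approved with what is observed. The block below is an added example, not code from the deck or any DoN tool. The devices, CI names, values and the severity rules are constructed assumptions; a missing CI is deliberately rated high because, as the slide says, you cannot manage what you cannot see.

```python
"""Configuration drift check, in the spirit of the DCEM slide: compare the
recorded baseline of configuration items (CIs) against what monitoring
currently observes, classify each deviation, raise alerts for anything that
is not low severity, and roll the result up into dashboard-style numbers.

Added example, not from the deck. Devices, CI names, values and severity
rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: device -> CI name -> approved value.
BASELINE: Dict[str, Dict[str, str]] = {
    "fw-01": {"default_policy": "deny", "ssh_version": "2", "patch_level": "2010-09"},
    "web-01": {"tls_min_version": "1.2", "admin_interface": "internal-only",
               "patch_level": "2010-09"},
    "router-01": {"snmp_community": "managed", "ntp_enabled": "yes",
                  "patch_level": "2010-09"},
}

# Constructed observed state, as a monitoring job might collect it.
OBSERVED: Dict[str, Dict[str, str]] = {
    "fw-01": {"default_policy": "allow", "ssh_version": "2", "patch_level": "2010-09"},
    "web-01": {"tls_min_version": "1.2", "admin_interface": "internet-facing",
               "patch_level": "2010-07"},
    "router-01": {"snmp_community": "managed", "patch_level": "2010-09"},  # ntp_enabled not reported
}

# Assumed severity rule: drift on these CIs is always high.
HIGH_SEVERITY_CIS = {"default_policy", "admin_interface", "tls_min_version"}


@dataclass(frozen=True)
class Drift:
    device: str
    ci: str
    expected: str
    actual: Optional[str]   # None when the CI is missing from the observed state
    severity: str


def classify(ci: str, expected: str, actual: Optional[str]) -> str:
    """Severity of one deviation (assumed rules for the example)."""
    if actual is None:
        return "high"        # unknown state: you can't manage what you can't see
    if ci in HIGH_SEVERITY_CIS:
        return "high"
    if ci == "patch_level" and actual < expected:
        return "medium"      # behind the approved level (YYYY-MM strings compare lexically)
    return "low"             # any other unapproved change, including being ahead of baseline


def diff_configs(baseline: Dict[str, Dict[str, str]],
                 observed: Dict[str, Dict[str, str]]) -> List[Drift]:
    """Every CI in the baseline whose observed value differs or is missing."""
    drifts = []
    for device, expected_cis in baseline.items():
        current = observed.get(device, {})
        for ci, expected in expected_cis.items():
            actual = current.get(ci)
            if actual != expected:
                drifts.append(Drift(device, ci, expected, actual,
                                    classify(ci, expected, actual)))
    return drifts


def alerts(drifts: List[Drift]) -> List[str]:
    """Alert lines for everything above low severity (what gets fed to users)."""
    return [f"ALERT[{d.severity}] {d.device}: {d.ci} expected={d.expected!r} actual={d.actual!r}"
            for d in drifts if d.severity != "low"]


def compliance_summary(baseline: Dict[str, Dict[str, str]], drifts: List[Drift]) -> dict:
    """Dashboard roll-up: how much of the baseline is currently in compliance."""
    total = sum(len(cis) for cis in baseline.values())
    counts = {"high": 0, "medium": 0, "low": 0}
    for d in drifts:
        counts[d.severity] += 1
    compliant = total - len(drifts)
    return {"total_cis": total, "compliant": compliant,
            "compliance_pct": round(100.0 * compliant / total, 1), **counts}


if __name__ == "__main__":
    found = diff_configs(BASELINE, OBSERVED)
    for line in alerts(found):
        print(line)
    print(compliance_summary(BASELINE, found))
```

Run as-is, the constructed data yields four drifts out of nine CIs (three high, one medium), so the dashboard figure is 55.6 % compliant. The same comparison, fed from a real collector and run on a schedule, is the “automatic reports / alerts – fed to users & central repository” step; the CCB decides which drifts become approved baseline changes and which get reverted.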
2009 SD Cyber Security Summit – Technical actions for leadership
1. Develop an enterprise IA/security/cyber strategy / vision.
2. Commission an overall enterprise risk assessment (ERA).
3. Prioritize enterprise level mitigations to most effectively and affordably resolve the most damaging and impactful risks.
4. Address the pervasive lack of basic IA/security hygiene enterprise wide, especially enforceable CM.
5. Add a limited set of new high assurance components and capabilities to the existing IA/CND infrastructure. (for mapping/implementing requirements across real-world systems and applications)
6. Better integrate and leverage cyber education & IO/CNO (optimize cyber overall and ensure synchronization between offensive and defensive parts)
Key Tactical Thrusts
• Organize DoN cyber security approach / governance - RACI
• Update ERA, prioritize mitigations and resources
• Begin Dynamic Cyber Enterprise Management asap
• Top-down enforcement of IA / Cyber architecture
– Secure enterprise access control / Cyber IFF
– Overall Dynamic Cyber Defense (DCD) approach
• Proactive / dynamic defensive I&W – monitor abnormal behavior
• Virtual storefront – reacts quickly to predictive IO/IA I&W
• IA/CND treated as an integrated “SoS” with lead/lag feedback
– Common enterprise trust model
– Reduce complexity - IA Building blocks / APLs with pedigrees
– Integrate into an enterprise cyber security model / framework
• Execute lifecycle awareness, education, and training
High ROI Activities that get us all moving quickly – 95% security incident reduction
Areas of Potential “IA/Cyber” Research
• Global Scale Identity Management
• Scalable Trustworthy Systems
• Survivability of Time-Critical Systems
• Situational Understanding and Attack Attribution
• Combating Insider Threats
• Data Provenance
• Privacy-Aware Security
• Enterprise Level Metrics
• Coping with Malware and Botnets
• Usability and Security
• System Evaluation Lifecycle
• Network recovery and reconstitution
• Cyber Security economic modeling
• Finance Sector R&D Agenda
• Modeling of Internet Attacks - critical infrastructure
• Process Control System (PCS) security
• Software Quality Assurance
What can we expect to help us?
• NSA / GIAP with CNCI = better IA/Security stuff
• Support for “data/content centric security – DCS”
• Leaders get it, maybe, need to translate geek speak
• ESM / PvM / ZBAC for automated systems, SOA…
• “COTS IA” – commercial suite “B” encryption
• Going beyond boundary protection approach – Effective trust binding between data, layers and domains
• Public / private cyber vision -> enterprise architecture
Where WE can assist
• New technologies, methods, processes (CNCI!)
• Not so niche areas of general systems engineering, integration, “rapid COTS / GOTS insertion,” etc
• Collaboration with other innovative companies
• Partner with other security groups, IA/cyber entities
• Cyber “packages” needed, not un-integrated SW
• Follow current issues / concerns – they will stay
• Think tank, study, and discovery support efforts
• Top down risk management, prioritization approach!
Overall IA/Security Approach
ANY IA/security environment or capability should include these top-ten elements to ensure a well-integrated and “best value” data protection approach.
1 - Comprehensive security policy (and communication & enforcement)
2 - Distribute clear governance (who does what / when, R&R, resources, ROE)
3 - Build in defense-in-depth (maintain multiple fronts)
4 – Follow a strategy, master plan (use an enterprise architecture)
5 - Configuration management (automated reporting to enable enforcement)
6 - Develop an effective tool suite (stress automation & KISS)
7 - Guard major threat entry points (phased attacks, root kit, Phishing)
8 - Guard malware entry methods (monitor web, content filters, Block URLs)
9 - Test critical elements (COOPs, training, compliance, vulnerabilities)
10 – Risk management plan (current threats, vulnerabilities and impacts)
What is “good enough” or minimally acceptable?
Minimize what you don’t know you don’t know.
Summary
• There are MANY IA/cyber initiatives in the works
– Follow the CNCI trail; that approach should prevail…
• We still need cyber enterprise “R”equirements, just as we do now for IA and IO and C&A and ….
– What is needed now, current issues, will exist in cyber
– W/o an enterprise risk management approach, any / all paths will do… and we stay in the crisis of prioritization
– Enterprise hygiene / CM mgmt & access control are key!
• We ALL need better collaboration – DOD & Industry
– Users / leaders must drive cyber = KISS = commodity
– YOU - drive – we ALL must coalesce, perfect the basics!
Cyber = smarter collaboration with ALL stakeholders in COMMON ways..
IA/security resources
Main sites:
https://infosec.navy.mil/docs/index.jsp
https://www.portal.navy.mil/netwarcom/navycanda (Navy C&A moved here)
http://iase.disa.mil/index2.html
Other IA/Security sites:
https://www.us.army.mil/suite/portal/index.jsp
http://csrc.nist.gov/
http://www.nsa.gov/ia/index.cfm
http://www.iatf.net/
http://www.cert.org/
http://www.sse-cmm.org/lib/lib.asp
http://www.commoncriteriaportal.org/
http://www.amc.army.mil/amc/ci/matrix/policy/policy_new.htm
https://www.sans.org/about/sans.php
http://iac.dtic.mil/iatac/
http://www.cerias.purdue.edu/
http://security.sdsc.edu/
http://iase.disa.mil/stigs/index.html
Slide callouts: “Great ISSE / SSE Site”; “This site has almost everything you need”; “Great Sites too”
[email protected]
CYBER: A Non-Benign Environment – Various Issues
• National Threats
• Non-Nationals
• Criminal Elements
• Hackers
• Insiders
• INFO/EMCON
• EMI / RFI / MIJI
• Weakest Links
• Lack of “CM!”
• Anonymity
SO what are we trying to institute?
IA & CND: An integrated “Cyber” System using dynamic lead & lag feedback
Establish proactive, dynamic CND / IA Defense = dynamic cyber defense (DCD)
[Feedback-loop diagram; recoverable labels only] Lagging indicators (after-the-fact feedback): Red Teams, Defensive assessments, Forensics, Incident results, V&V / C&A; these drive Upgrades / Changes (developed & installed) through the “Virtual Storefront”, which takes days to months / years. Leading indicators (upfront / early feedback): “SA” inputs (Sensors, CNA/E inputs, OpSec, Intel, etc…), Users & CoC, Cyber “I&W” / Defensive I&W; these drive NMS / Security Management tools that change “soft” settings, which takes seconds to minutes. Threats feed both loops.
IA / Security “Best Practices”
• Best practices are not a panacea, complete or what YOU need to do
• Do you even know your business protection needs? Do you have a current asset inventory?
• Determine what is “good enough” or “minimally acceptable”?
• Quantify your environment’s threats and vulnerabilities
– your list should have 10 – 50 or so threats assessed
• Have a security policy that’s useful, complete, VIP endorsed
– yes, that’s HAVE A POLICY, choose a model, then enforce it too!
• Run self-assessment on security measures (use accepted tests, STIGs, etc) and compliance (HIPAA, PCI, CFR, SOX, etc)
• Training and awareness programs – needed, but not a black hole
• TEST your continuity, recovery plans, backup – can you restore?
• Encrypt where you can (do you need it for: IM, Chat, e-mail, file transfer, online meetings, storage, backup, etc)
• Be familiar with the “NIST” IA/Security series – they are great!
• Always use capabilities off the preferred products lists (PPLs)
• A risk management plan should roll all these into one aspect
You can somewhat control and get what you plan,
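The “quantify your threats and vulnerabilities” and “risk management plan” items above, like actions 2 and 3 of the Summit list earlier (commission an ERA, then prioritize the mitigations that most affordably resolve the most damaging risks), are a ranking problem once each risk carries a likelihood and an impact. The block below is an added example, not from the deck or any DoN paper: a constructed four-entry risk register (using the deck’s own unpatched-client and vulnerable-web-site risks), four constructed candidate mitigations with assumed costs and likelihood reductions, a value-per-dollar ranking, and a greedy selection under a budget.

```python
"""Enterprise risk assessment (ERA) and mitigation prioritisation: express each
risk as an annual loss expectancy (likelihood x impact), credit each candidate
mitigation with the expected loss it avoids, rank mitigations by loss avoided
per dollar, and pick the set that fits a budget.

Added example, not from the deck. The risk register, mitigation costs and
reduction factors are constructed numbers for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # estimated probability of occurring in a year
    impact: float       # estimated loss (dollars) if it occurs


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float                   # annualised cost (dollars)
    reduction: Dict[str, float]   # risk name -> fraction of that risk's likelihood removed


# Constructed register (two entries echo the deck's own top risks).
RISKS = [
    Risk("unpatched client software exploited", 0.6, 500_000),
    Risk("internet-facing web application compromised", 0.4, 800_000),
    Risk("lost laptop with unencrypted data", 0.3, 200_000),
    Risk("insider data exfiltration", 0.1, 1_000_000),
]

# Constructed candidate mitigations.
MITIGATIONS = [
    Mitigation("enforced patch management", 60_000,
               {"unpatched client software exploited": 0.7}),
    Mitigation("web application assessment and remediation", 90_000,
               {"internet-facing web application compromised": 0.6}),
    Mitigation("full-disk encryption on laptops", 30_000,
               {"lost laptop with unencrypted data": 0.9}),
    Mitigation("egress monitoring", 150_000,
               {"insider data exfiltration": 0.5,
                "internet-facing web application compromised": 0.1}),
]


def annual_loss_expectancy(risk: Risk) -> float:
    return risk.likelihood * risk.impact


def loss_avoided(m: Mitigation, risks: List[Risk]) -> float:
    """Expected annual loss removed by one mitigation (summed across the risks it touches)."""
    by_name = {r.name: r for r in risks}
    return sum(annual_loss_expectancy(by_name[n]) * frac for n, frac in m.reduction.items())


def rank_mitigations(mitigations: List[Mitigation], risks: List[Risk]) -> List[Tuple[str, float]]:
    """(name, loss avoided per dollar), best value first."""
    scored = [(m.name, loss_avoided(m, risks) / m.cost) for m in mitigations]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def select_under_budget(mitigations: List[Mitigation], risks: List[Risk],
                        budget: float) -> Tuple[List[str], float]:
    """Greedy pick by value-per-dollar; skips anything that no longer fits."""
    by_name = {m.name: m for m in mitigations}
    chosen, spent = [], 0.0
    for name, _ in rank_mitigations(mitigations, risks):
        cost = by_name[name].cost
        if spent + cost <= budget:
            chosen.append(name)
            spent += cost
    return chosen, spent


if __name__ == "__main__":
    for name, ratio in rank_mitigations(MITIGATIONS, RISKS):
        print(f"{ratio:5.2f} loss avoided per $ : {name}")
    print(select_under_budget(MITIGATIONS, RISKS, budget=200_000))
```

Two caveats a real ERA would address: greedy selection by ratio is not guaranteed optimal when costs are lumpy (it is a knapsack heuristic), and two mitigations acting on the same risk are credited additively here rather than multiplicatively. The value of the exercise is less the arithmetic than forcing every “urgent, mandatory” item in the prioritization crisis to carry a number that can be compared with the others.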
NSA top items to DO
Computer systems with proper security and network controls should be able to withstand about 80 percent of known cyberattacks.
There are common steps that people could take to bolster computer security and make it more difficult for would-be hackers to gain access, Richard Schaeffer Jr., the NSA’s information assurance director, told the Senate Judiciary Committee’s Terrorism and Homeland Security Subcommittee today. He identified 3 measures as especially effective. “We believe that if one institutes (1) best practices, (2) proper configurations [and] (3) good network monitoring that a system ought to be able to withstand about 80 percent of the commonly known attack mechanisms against systems today,” Schaeffer said. “You can actually harden your network environment to raise the bar such that the adversary has to resort to much, much more sophisticated means, thereby raising the risk of detection…”
http://fcw.com/articles/2009/11/17/nsa-3-steps--better-cybersecurity.aspx?s=fcwdaily_181109
Cyber Security is ALL about effective basic IA hygiene – otherwise the bad actors just stroll in due to shared vulnerabilities in net-centricity
Cyber Prioritization Crisis
Our paper in distribution – highlights are:
-- Cyber is fundamentally enacting a prioritized and balanced approach between existing IO/CNO (aka offense) and IA/CND (aka defense) capabilities,
-- with diminishing resources, while also addressing dynamic and emerging threats through targeted R&D/S&T initiatives to fill gaps of the cyber vision.
-- The RoE, CONOPS, relationships required are NOT the same as existing kinetic processes, and can be reversed!
-- Political / legal aspects of cyber will impede us all!
-- CoC needs an effective situational awareness (SA) capability
Federal Plan for Cyber Security and Information Assurance (CSIA) R&D
• Overarching categories
– Functional Cyber Security Needs
– Needs for Securing the Infrastructure
– Cyber Security Assessment and Characterization
– Foundations for Cyber Security
– Domain-Specific Security Needs
– Enabling Technologies for Cyber Security and Information Assurance R&D
– Advanced and Next-Generation Systems and Architecture for Cyber Security
– Social Dimensions of Cyber Security
From Homeland Security brief
Leadership Summary / Recap / Results
(Cyber Security Collaboration Summit – SD – Nov 2008)
• Common vision / end state / master plan
• Governance & more governance
• Specified requirements and then some
• Prescriptive implementation guidance required
• What’s “good enough” IA/Security?
• Pedigree approach – simplify V&V / C&A (build it in)
• What is the IA business basis / ROI?
• What is the future risk environment?
• Training at all levels, especially user and SW development
• Standard architectures / standards / profiles (and a Trust Model!!!)
• SOA security is vague - at best…
Issues Summary (2008)
Actions to collaborate / facilitate
• What’s our end-state / vision (“start with the end in mind!”) (then define requirements and determine gaps)
• Who’s in charge anyway? Enforcement? (aka - Governance)
• Prescriptive implementation guidance required (EA, stds, trust model, CM, etc)
• What’s “good enough” IA/Security? Outcome metrics that matter, support the business success factors, risk management.
• Complexity is rising versus falling (we can’t begin to do V&V on SoS – how do we do T&E to prove IA is effective?!)
“IA” is all encompassing; we can’t “win” if we don’t know where we are collectively going or narrow the playing field
Representative Navy User Concerns
• IA Master Plan; Architecture vision; clear IA goals
• IA Governance Structure / Consistent Policies
• Workforce Quals / Certs / Training
• “Improve Speed to Capability” - Implementing newer technologies.. HBSS, DAR, etc….
• IA Approach, Strategy consistent with SYSCOMs and DoD
• IA Policy/Architecture “implementation” guidance
• Enterprise Access Control - “Trust Model”
• Certification & Accreditation - Aggregation of systems
• Supply Chain Security / Defense in Breadth
• Sustain current IA and CND posture to ensure readiness
Calling things “cyber” will not change the current IA and IO issues
Recent IT/Cyber Leadership perspectives
A - Political / legal cyber approach
Cyber offense must be strictly monitored and controlled, due to potential escalation & state department implications & countries suing each other
B - Navy IT FLAG/SES Feb 09 meeting results / paper:
-- Greater accountability, more complete visibility, net-centric concepts need to be revisited, can’t protect all networks - ensure the C2 / enterprise
-- Need better situational awareness, discipline in development and acquisition, TTPs... And training...
-- Focus more resources on defensive posture and key critical actions (aka - have a risk management approach), closer collaboration…
-- Senior Cyber Advisor’s major conclusions: Stricter CM & SA / inspect traffic
Potential Cyber Way Forward
• Public Awareness
– Assign to the White House (The Cyber Czar)
– Make it the new “Race to the Moon”
• Federal Structure and Plans
– Establish a phased plan (start with .mil domain)
– Assign DoD, then DHS (.gov) then outreach
• Industry Participation – Development
– Subsidize development, assign IP to developers
• Industry Participation – Application
– Federal standards, liability to suppliers
Cyberspace Characteristics
All of the warfighting domains intersect… Cyberspace Domain is contained within and transcends the others
In relation to other mission areas… cyberspace is a blend of exclusive and inclusive ties
The “Venn connections / COIs” are extensive; numerous dynamic “COIs” dominate relationships, adding complexity and causing “cross domain” data sharing effects
(Source: derived from JS Cyber 101 brief)
Cyber – Spans Warfare and Business Mission Areas
Net-centric operations as well as the emerging new joint capabilities and integration development process are where the DoD is headed in the “Business of Warfighting”
Cyber must effectively integrate Business and Warfighter Mission Areas
Source: Secretary of State Hillary Clinton Statement, January 21 2009; Source: SSC Atlantic Cyber Strategy
DoD CND (and “Cyber”) Defense in Depth
[Defense-in-depth diagram; recoverable labels only] Tiers: Tier I – DoD GIG (JTF-GNO); Tier II – Navy GIG (NCDOC); Tier III – Local Enclave. Layers: WAN (Enclave), LAN (POP/HUB), HOST.
Capabilities named across the tiers: CAC/PKI; Vulnerability Remediation; Anti-virus / Email AV / In-Line Virus Scanning; IAVM Compliance / Management / Implementation; IAP Monitoring; CND SP (Incident Response / Management, Prometheus, Threat Analysis, Compliance Scans, IAVM Management); IDS / IPS; Firewalls; DNS Blackholes; Standard IP Block Lists; ACLs; NUDOP / Global CND UDOP; Incident Response / Handling; Vulnerability Scanning; Alert Filtering; System Patching; DITSCAP/DIACAP; Threat Assessment / Analysis; Site Compliance Scans; NET Cool / INMS View and Data; PROMETHEUS; PKI; CARS; In-Line Filtering; TRICKLER / CENTAUR; CONOPS; RNOSC; HBSS; SCCVI-SCRI; CENTRIXS Monitoring; NMCI SIPRNET / NIPRNET IDS Feeds; WAN SA; Standardized Configurations; Tier 3 SIM; SIPRNET Firewall PPS Policy; Wireless Mapping / WIDS; IP Sonar; Multi-Layer Protocol Defense; GIAP; DRRS-N; POR Management; Insider Threat; IWCE; Functional NIC; Navy DMZ / Enterprise DMZ / Enclave DMZ; SLIDR; IASM; TMAT; ENMS; CDS; CND POR; Honey Grid; Deep Packet Inspection; DAR; SIPR NAC; DAPE; Metrics; Content Filtering; CND Data Strategy; Tutelage.
Legend: Operational / Proposed or In Development / Funded and Rolling Out.
Cyber = “mostly” Life-cycle education and proactive, dynamic defense….
(From NCDOC briefs)
The “smart” integration and collaboration between MANY needed IO & IA functions
Integration of Cyber Security and Defense – Synchronized “cyber” capabilities to narrow the Threat Vectors (From NCDOC briefs)
[Timeline diagram, 2003 / 2004, 2005, 2006, 2007, 2008; recoverable labels only, cumulative capabilities in the order they appear on the slide] IDS Monitoring; Incident Handling; IAVM; Mobius Project; Trends Analysis; Online Surveys; CCZ; NIOSC Construct; Tactical IDS placement; DNS Blackhole; IP Block Initiative; CAC/PKI; Network Forensics; Malware Analysis; Signature Development; CARS initiative; Mobius to Prometheus; Cyber Tactical Teams; Enhanced Compliance; LE/CI integration; Threat Analysis; Process Improvements; Tactical Sensor Pilot; HBSS Pilot; SCCVI/SCRI; Enhanced Collaboration; IDS to IPS Transition; HBSS Deployment; Content Filtering; Joint Data Strategy; NMIMC Integration; SLIDR Pilot; Insider Threat Tool Pilot; OCRS / IAVA Spiral.
Threat vectors named: Insider Threat; Zero Day Exploits; Known Trojans and Malware; Indiscriminate Recon; Commonly Known Vulnerabilities; Compromised Password Files; Stolen Credentials; Social Engineering; Web Based Attacks; Soft Cert Searches; New/Custom Trojans; Spear Phishing.
Where, lack of “IA CM” is pervasive and
Cyber “Protections” Overview
[Diagram of typical IA acquisition elements; recoverable labels only] CMI/KMI; CND; Policy; Training; C&A; Enterprise Risk Mgmt.; IA Services; CA Support; Multiple players; Multiple PEs/Lines; Multiple threats; Multiple PMW/S/As; “IO” and CNO (Defend, Attack, Exploit); “CIO” (FISMA, Operations, IAMs, PKI/CAC, ID Mgmt); IA.
Requirements, Strategy AND Governance are critical to “implementation” success!
(or why “IA/IO/Cyber” is so complex / hard… because it is ALL of this and more!)
IA / Cyber must be E2E!
Thus, the IA/cyber controls and interfaces in each element / boundary must be quantified / agreed to upfront!
Hierarchy (top down): Enterprise; Site; Enclave; Network; SoS; System / services; HW/SW/FM “CCE”; Apps
Each sub-aggregation is responsible for the IA controls within their boundaries and also inherits the controls of their environment – need to formalize reciprocity therein!
WE have a “natural” hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many to many communications paths typically involved in end-to-end (E2E) transactions
AND, People and processes TOO!
Building a Trusted Cyber Infrastructure – “an adequately assured, affordable, net-centric environment” (IAW: NNE 2016 / NGEN vision)
Make IT security a commodity: Use IA building blocks = APLs/PPLs – “NIAP”
Interoperability and Compose-ability are built in upfront and help dramatically reduce complexity and ambiguity
Thus…. establishing known risks & pedigrees: Reduces attack surface, impacts & TOC
Focus on a few core capabilities & devices = PC, routers, IA suite, Servers, & SANS – all with access control
[Diagram; recoverable labels only] Network devices: WAN Router, Distribution Router, Core Router, “Assured” IOS. PC / End user devices: Secure OS, TSM, HBSS, ZBAC. IA Suite: Standard IA/CND suite (FW, A/V, IDS/IPS, CDS, etc), treat as a “SoS” with high EAL. Servers / SANS: HW / FW, Secure OS kernel, Secure Virtual Machine, Strict access / ZBAC, ALL OSes (MS, Mac, Unix), Security Monitor. Also labelled: Data centric security, Defensive I&W, Strict access / ZBAC. EAL annotations on the diagram: Various EAL, EAL 3 - 4, EAL 4, EAL 4 - 5, EAL 5 – 6, EAL 6; legend: Eval Assur Level (EAL).
Glossary
• APL/PPL – approved / preferred product list
• ACL – access control list
• CA – certification authority
• C&A – certification & accreditation
• CCB – configuration control board
• CI – configuration item
• CIP – critical infrastructure protection
• CNCI – Comprehensive National Cybersecurity Initiative
• CND/CNO – computer network defense/operations
• CSIS – Center for Strategic and International Studies
• DCD – dynamic cyber defense
• DCEM – dynamic cyber enterprise management
• EAL – evaluation assurance level
• ERA – enterprise risk assessment
• HAP – high assurance platform
• HBSS – host based security system
• IAD – Information Assurance Directorate (@ NSA)
• IAVA – information assurance vulnerability alert
• IA&A – identification, authentication and authorization (access control)
• IDS/IPS – intrusion detection/protection system
• IOS – internetwork operating system (OS for routers)
• ITMC – IT Management Council
• I&W – indications and warnings
• KM – knowledge management
• NIAP – National IA Partnership
• RAdAC – risk adaptive access control
• SANS – storage area network systems
• TSM – trusted security module
• VM – virtual machine
• V&V – verification and validation
• ZBAC – authoriZation-Based Access Control
Key Cyber Elements
• What are Requirements?
– Who sets them… Who knows, agrees?
• What is our public/private “value proposition?”
– How do we differentiate the largest impacts?
– What are the ROI and success metrics?
• Did we include all major factors – “P3”?
– Accommodate people, processes and products
– Show an integrated, coordinated cyber package
It used to be “follow the money”; cyber prioritization makes that “where to put it”
[Diagram labels: SysEngr, C3, etc….]
Presentation Value Proposition
Why did you attend this meeting versus others?
• Today’s presentation
– Independent view, accommodates commercial and government
– Technical / capability aspects versus organizational / political
– Covers a wide range of assessments and perspectives
– Presents perspectives based on many IA/cyber papers and efforts
• All questions addressed, initial perspectives answered
– “easy button” -> [email protected]
– In IA/CND/Cyber, little is new: collaborate & leverage what exists!
• Bottom line: We’ll make Cyber interesting and fun
– What really matters in “cyber” is mostly the same as what ails us today: correlating education, IO/CNO and IA/CND efforts
Warning…. This is an engineer’s perspective, so it’s overly busy and all PowerPoint rules are violated! Don’t try to absorb it, but just get a “sense” of it all…;-))
What is “Cyber”?
“A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.“
-- DoD Definition of Cyberspace
“The military strategic goal is to ensure US military strategic superiority in cyberspace.”
-- National Military Strategy for Cyberspace Operations
Cyberspace operations = employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the GIG.
It could mean just about anything….
Setting the “Cyber” Stage
• Feb 2008 – Pakistan Telecom’s routing mis-configuration (a more-specific BGP announcement of YouTube’s address space) denies YouTube access worldwide for about 2 hours, showing how vulnerable routing is
• Aug 2008 – Major vulnerability disclosed in DNS (cache poisoning)
• Nov 2008 – Conficker botnet affects as many as 12 million computers worldwide (and still out there)
• Symantec reports 15,000 new types of malware daily
• Gartner estimates 3.6M victims lost $3.2B in the U.S. in 2007 due to phishing attacks
• Consumer Reports estimates U.S. consumers lost $8.5B and replaced 2.1M computers because of viruses, spyware, etc. between 2006 and 2008
• And many, many, many more …..
[Figure: cyber crime revenues (which come from YOU!); source: http://www.symantec.com/about/news/release/article.jsp?prid=20090910_01]
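The routing vulnerability behind the Feb 2008 YouTube outage is that BGP route selection prefers the most specific prefix and asks nothing about whether the announcer is entitled to it. The following added example (Python, not part of the original slides) shows that longest-prefix-match behaviour on a constructed routing table, and then the origin-validation check that lets a router drop the bogus route before it is selected. The prefixes and AS numbers mirror what was publicly reported for the incident (YouTube AS36561 announcing a /22, Pakistan Telecom AS17557 announcing a /24 inside it); the next-hop names, the destination address and the ROA are constructed, and the RFC 6811-style origin-validation step is a mitigation that goes beyond what the slide itself says.

```python
"""Longest-prefix match vs. origin validation on a constructed routing table.

A more-specific prefix wins route selection no matter who announced it.
A Route Origin Authorization (ROA) check is what lets a router reject the
bogus announcement instead of forwarding traffic to it.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int
    next_hop: str


@dataclass(frozen=True)
class Roa:
    """origin_as may announce prefix, and sub-prefixes up to max_len bits long."""
    prefix: ipaddress.IPv4Network
    max_len: int
    origin_as: int


def route(prefix, origin_as, next_hop):
    """Small helper so routes can be built from strings."""
    return Route(ipaddress.ip_network(prefix), origin_as, next_hop)


def build_rib():
    """Constructed RIB. Prefixes and ASNs follow the public reports of the
    Feb 2008 incident; the next-hop names are invented for the example."""
    return [
        route("208.65.152.0/22", 36561, "peer-youtube"),   # legitimate /22
        route("208.65.153.0/24", 17557, "peer-upstream"),  # more-specific hijack
    ]


def select_route(rib, dst):
    """Longest-prefix match: of the prefixes covering dst, the longest wins.
    Nothing here asks whether the announcer is entitled to the prefix."""
    addr = ipaddress.ip_address(dst)
    covering = [r for r in rib if addr in r.prefix]
    if not covering:
        return None
    return max(covering, key=lambda r: r.prefix.prefixlen)


def origin_state(rt, roas):
    """RFC 6811 semantics (simplified): 'valid' if a covering ROA names this
    origin AS and the prefix is no longer than its max_len; 'invalid' if ROAs
    cover the prefix but none match; 'unknown' if no ROA covers it at all."""
    covering = [a for a in roas if rt.prefix.subnet_of(a.prefix)]
    if not covering:
        return "unknown"
    for a in covering:
        if a.origin_as == rt.origin_as and rt.prefix.prefixlen <= a.max_len:
            return "valid"
    return "invalid"


def drop_invalid(rib, roas):
    """The policy a router would apply: reject 'invalid', keep valid and unknown."""
    return [r for r in rib if origin_state(r, roas) != "invalid"]


# Constructed ROA: only AS36561 may originate 208.65.152.0/22, and no sub-prefix
# longer than /22 is authorized, so the /24 is rejected on two counts.
ROAS = [Roa(ipaddress.ip_network("208.65.152.0/22"), 22, 36561)]


if __name__ == "__main__":
    rib = build_rib()
    dst = "208.65.153.238"  # constructed address inside the hijacked /24
    print("without origin validation:", select_route(rib, dst))
    print("with origin validation:   ", select_route(drop_invalid(rib, ROAS), dst))
```

Run as-is: the first line shows traffic for the address going to the /24 from AS17557, the second shows it back on the /22 from AS36561 once invalid routes are dropped. A route with no covering ROA is left alone ("unknown"), which is why partial ROA coverage limits what the check can catch.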
Who’s in Charge? When? Where?
• POTUS … (Cyber Security Coordinator, et al)
• SECDEF / SECSTATE …
• Congress, DHS, OMB, other agencies…
• STRATCOM
• USCYBERCOM
• FLTCYBERCOM
• Navy, Army, AF, Marine Corps
• Federal, Industry, Consumers …
Re: CIP is 85% industry
– No direct federal control, so what then?
Authority and Enforcement are KEY!
“CNCI faces several challenges in meeting its objectives“ (GAO)
• Defining roles and responsibilities..
• Establishing measures of effectiveness..
• Establishing an appropriate level of transparency..
• Reaching agreement on the scope of educational efforts..
Until these challenges are adequately addressed, there is a risk that CNCI will not fully achieve its goal to reduce vulnerabilities, protect against intrusions, and anticipate future threats against federal executive branch information systems.
The federal government also faces strategic challenges beyond the scope of CNCI in securing federal information systems:
• Coordinating actions with international entities.. coalitions…
• Strategically address identity management & authentication.
Cyber prioritization & coordination are still key, as well as hygiene/CM and effective access control!
What’s a “simple” IA/Cyber end-state / vision look like?
An end-state stresses encapsulation through a virtualized fabric
Computer Network Attack / Exploit
• Provide near-real time OPSEC to IA
– Effectively leverage the black side Intel into secret (& below) protections
• Establish “Cyber War Reserve Modes”
– Isolated networks, C2 “order wire”, mil using dark fiber, etc
• Fusion of diverse data into KM we can use in all of cyber
– All sensors, CNE / CNA effects, OpSec, Intel, etc = improved CND / IA
• Can’t easily / rapidly tell WHO the bad actors are…
– Need cyber detection / forensic capabilities (Services’ responsibility)
– Offensive uses best done by STRATCOM / USCYBERCOM / C10F…
• “Cyber War” / ROE undefined; unclear if win-lose or lose-lose