
defense information systems agency disa securing computing services


Presentation Transcript


    1. Defense Information Systems Agency (DISA): Securing Computing Services. Mr. David Hughes, 14 January 2003, (717) 267-9901, hughesd@ritchie.disa.mil. This is an information briefing designed to provide an overview of the security program applied to DISA Computing Services.

    2. DISA Computing Services – Combat Support Processing

    3.

    4. Information Assurance must cover many areas in an Enterprise. Computing Services has to cover all the areas shown.

    5. Information Assurance. These are the highlights of our security program in DISA. Traditional security covers those areas normally thought of in the protection of a facility and its people. Electronic security covers the cyber side of our environment. Note that both areas are multi-layered, demonstrating our strong belief in a “defense in depth” approach.

    6. Traditional Security. Our Security Handbook was developed by Mr Gulledge and his team to provide a cookbook approach to interpreting the thousands of pages of guidance available on traditional security into a form readily available and understandable to our facility security managers. This book is intended for use by WESTHEM/Computing Services sites, but its common-sense approach makes it a popular item for our other customers as well. The handbook does not replace the policy and regulations. It merely cites essential guidance from the regulations and tells one where to look for additional information. The handbook is used as the base policy for our traditional security readiness reviews.

    7. Traditional Security Highlights
       - Data centers located on a military base or federal facility with controlled entry
       - Controlled access to data centers
       - Secondary controls at the computer room
       - Computer rooms alarmed, with 24 hour police response
       - Closed circuit TV monitoring 24x7
       - Background investigation required for all employees
       - All personnel require badges, differentiating among federal and contractor employees and personnel requiring escort
       - Access lists are maintained
       - Visitors must sign in
       - Property control, including inventory and bar codes

    8. Electronic Security
       Security Technical Implementation Guide (STIG): a guide for information security; a compendium of security regulations and best practices from many sources that apply to an operating system or a part of the Defense infrastructure.
       Goals: intrusion avoidance; intrusion detection; response and recovery; security implementation guidance.
       Checklists and evaluation scripts are provided for each technology.
       We have numerous Security Technical Implementation Guides (STIGs), a list of which will follow. This slide describes their general content and purpose. The STIGs provide precise information on how to securely configure computers, routers, applications, LANs, etc. They are used as the base security policies for our technical security readiness reviews.

    9. Working from the inside out, we start with a Host-based Intrusion Detection System that sits on top of the operating system of critical servers. The Host IDS monitors and detects intrusions at the host level by monitoring system activity and provides alerts to the local system administrator and/or security manager. Next, a Vulnerability Assessment tool is another important capability. It monitors key assets to identify configuration errors; examines the integrity of system files and password strength; and determines whether critical patches are applied. Alerts again are sent to the local SA and/or SM. All too often the logging feature of production servers is turned off in order to mitigate any degradation of processor efficiency. Not a good idea from a security perspective! However, with the Audit Server, the auditing overhead of critical systems is greatly reduced. That is because the audit data of the servers is sent to the Audit Server, where it is protected, stored in an Oracle DBMS and available for retrospective analysis. It is also stored in its native format and archived on CDs for long-term storage and for use as evidence in a court of law if required. Next, the local Network IDS monitors the traffic of the internal network, constantly on the lookout for anomalous activity initiated either inside or outside of the enclave. Real-time alerts are sent to the local SA and/or SM. Closer to the enclave perimeter we find a hybrid firewall: hybrid in the sense that it features application proxies for robust security as well as stateful inspection characteristics so as not to impede network throughput. Finally, on the outside edge of the enclave is another network IDS, the Joint Intrusion Detection System. JIDS provides near real-time reporting of suspicious network activity. JIDS data feeds are sent directly to a DISA Regional Computer Emergency Response Team, and confirmed incidents are reported to the DOD CERT for global correlation.

    10. Electronic Security Highlights
       - Robust technical security standards
       - Tools, checklists, scripts for self-assessment
       - Annual independent reviews to ensure standards enforcement
       - Vulnerability Management System (VMS): all findings tracked to resolution; registration of all assets; identification of new vulnerabilities
       - Training and certification programs
       - Two levels of intrusion detection

    11. DISA Security Readiness Review (SRR) Process. This chart demonstrates the application of the Process Guide, the handbook and the STIGs in an SRR. We use them as policy and examine each facility, each network, and each system (copy of an operating system) for deviations from the policies. (This process sounds laborious, but we have developed automated scripts which help productivity; the scripts are also available on the web site.) All deviations are recorded as findings in a database. We work with the affected site to develop resolution plans, which are entered as well. The affected site records all activity to clear findings, and we verify correction independently. We also use the database to provide monthly oversight reports to commanders. The constant attention ensures they are corrected in a timely fashion. The database allows constant monitoring of the security status of facilities, which eases documentation requirements for Certification and Accreditation. The data is also available for DOD IG and GAO inquiries. We also perform penetration testing (using Internet Security Scanner (ISS)) from outside and inside our firewalls to check security from a network perspective. Any findings are also recorded in our database. Our goal with the scans is to discover and correct problems before they are discovered and exploited by our adversaries.
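The finding lifecycle the SRR process describes (deviation recorded, resolution plan entered, site clears it, independent verification, monthly oversight report) is modelled below as an added example; it is not DISA's database or VMS, and the site names, policy items and 30-day overdue threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Finding:
    """One deviation from policy (handbook, Process Guide or STIG) found in an SRR."""
    site: str                               # affected facility, network or system
    policy: str                             # policy item the site deviated from
    opened: date
    plan: Optional[str] = None              # resolution plan agreed with the site
    site_cleared: Optional[date] = None     # site reports the finding corrected
    verified: Optional[date] = None         # independent verification of the fix
    log: list = field(default_factory=list) # activity the site records against it
    def status(self) -> str:
        if self.verified:
            return "closed"
        if self.site_cleared:
            return "awaiting verification"
        return "plan in place" if self.plan else "open"

class FindingsDatabase:
    def __init__(self):
        self.findings = []
    def record(self, site: str, policy: str, opened: date) -> Finding:
        f = Finding(site, policy, opened)
        self.findings.append(f)
        return f
    def site_clears(self, f: Finding, on: date, note: str) -> None:
        f.log.append((on, note))
        f.site_cleared = on
    def verify(self, f: Finding, on: date, verifier: str) -> None:
        # A finding closes only when someone other than the affected site confirms the fix.
        if f.site_cleared is None:
            raise ValueError("site has not reported the finding cleared")
        if verifier == f.site:
            raise ValueError("verification must be independent of the affected site")
        f.verified = on
    def monthly_report(self, as_of: date, overdue_days: int = 30) -> dict:
        # Per-site counts for the commander's oversight report (overdue threshold assumed).
        report = {}
        for f in self.findings:
            r = report.setdefault(f.site, {"open": 0, "awaiting verification": 0,
                                           "closed": 0, "overdue": 0})
            s = f.status()
            r["open" if s in ("open", "plan in place") else s] += 1
            if s != "closed" and (as_of - f.opened).days > overdue_days:
                r["overdue"] += 1
        return report
```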

    12. We take our responsibilities and mission seriously and tend to be fanatics about security. We all need to be fanatics to ensure the safety and security of our nation and its people. Thanks for your support.

    13. Are there any questions?
