
Cyber: What is that, really? A General Overview of our Cyber Prioritization Crisis. Information Assurance (IA) for Service-Oriented Architecture (SOA). May 20, 2009 Security Summit.

Mike Davis, The Security Networks Technical Advisor, TSN, Mike@sciap.org; Information Systems Security Association, VP


Presentation Transcript


  1. Cyber: What is that, really? A General Overview of our Cyber Prioritization Crisis. Information Assurance (IA) for Service-Oriented Architecture (SOA). May 20, 2009 Security Summit.
  Mike Davis, The Security Networks Technical Advisor, TSN, Mike@sciap.org; Information Systems Security Association, VP, ISSA, SD; IA Technical Process Owner (TPO), Warrant Holder (TWH), SPAWAR 5.0.2 / 5.8 HQ, Michael.H.Davis@navy.mil
  Good for public release. No distribution statement needed – SPAWAR review tracking number SR-2009-221.

  2. What is Cyber?
  • “A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” -- DoD Definition of Cyberspace
  • Cyberspace operations = employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the GIG.
  • “The military strategic goal is to ensure US military strategic superiority in cyberspace.” -- National Military Strategy for Cyberspace Operations
  • It could mean just about anything… but mostly a balanced IO/CNO & IA/CND portfolio.

  3. What makes Cyber different?
  Given Cyber = “virtual” warfare, somewhat different from the kinetic / physical environment we all know well:
  -- Includes ALL offensive and defensive IT/IO/IA capabilities and DOTMLPF, ALL aggregated somehow
  -- Essentially a select critical technical combination of IO/CNO and IA/CND + more integration stuff
  -- A different virtual ROE than kinetic – sometimes reversed, legally constrained (and what is “an act of war?”)
  -- Shared vulnerabilities mandate a proactive, dynamic defensive posture – a “mission kill” is one e-mail away
  -- Thus a crisis of prioritization, where everything is urgent, mandatory… and the many CoC lines are blurred
  Many high-level cyber definitions and approaches abound; no “definitive” enterprise top-down action plans, yet.

  4. Cyberspace Characteristics – What’s so different?
  • Man-made domain… complex and insecure by design
  • Global stakeholders — public, private and government
  • Speed of both action and change – zero separation
  • Transcends physical, organizational and geopolitical boundaries – highly sensitive to political/legal influence
  • Anonymity – identity/intent of players not always clear
  Call-outs: Global reach & impact; RoE / CONOPS; Kinetic = virtual; “NO” boundaries; Legal aspects rule; No clear Cyber IFF! AND sensors everywhere: ISR/METOC, space, networks, etc.
  (Source: derived from JS Cyber 101 brief)

  5. Cyberspace Characteristics – in relation to other mission areas
  • All of the warfighting domains intersect (C2, IA, …); cyberspace is a blend of exclusive and inclusive ties
  • The “Venn connections / COIs” are extensive
  • The Cyberspace Domain is contained within and transcends the others
  • Numerous dynamic “COIs” dominate relationships, adding complexity and causing “cross domain” data sharing effects
  (Source: derived from JS Cyber 101 brief)

  6. Cyber must be E2E!
  We have a “natural” hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many-to-many communications paths typically involved in end-to-end (E2E) transactions. The layers, from the top down: Apps AND people processes; System / services; HW/SW/FM “CCE”; Network; SoS; Enclave; Site; Enterprise.
  Each sub-aggregation is responsible for the IA/cyber controls within its boundaries and also inherits the controls of higher levels and all weaknesses in any layer! Thus, the IA/cyber controls and interfaces in each element / boundary must be quantified / agreed to upfront!

  7. What’s a “simple” IA/Cyber end-state / vision look like? What are the “Requirements”?
  An end-state stresses encapsulation using secure messaging.

  8. Cyber Prioritization Crisis – draft paper in circulation; highlights are:
  -- Cyber is fundamentally enacting a prioritized and balanced approach between existing IO/CNO (aka offense) and IA/CND (aka defense) capabilities,
  -- with diminishing resources, while also addressing dynamic and emerging threats through targeted R&D/S&T initiatives to fill gaps in the cyber vision.
  -- The RoE, CONOPS and organizational relationships required are NOT the same as kinetic processes,
  -- where the political / legal aspects of cyber will impede us all!
  -- CoC needs an effective situational awareness capability for "cyber" to enhance our decision superiority

  9. Cyber Prioritization Crisis – draft paper in circulation; intended for technical discussions
  Cyber technical foundations (what matters):
  1 - Enterprise risk management process needed
  2 - Fix/update/simplify what we have (“CM” too!)
  3 - NO clear IA/security/cyber vision or end-state
  4 - Supply chain security issues – are everywhere
  5 - Lack of enterprise SOA IA / security approach
  6 - Enforce a common data strategy, security built in

  10. Securing Cyberspace for the 44th Presidency
  • A renewed focus on international collaboration, with more overt / open security methods,
  • Continued emphasis on partnering government with industry, better quantifying the legal aspects of enforcement and proactive responses,
  • Taking a holistic, overarching, fully integrated / meshed approach to security for the full spectrum IA needed in “D.I.M.E.” (Diplomatic, Intelligence, Military and Economic)
  - Create a comprehensive national security strategy for cyberspace
  - Organize and lead from the White House (create a national office for cyberspace)
  - Reinvent the public – private partnership
  - Regulate cyberspace (not voluntary anymore, but not overly prescriptive either)
  - Secure the industrial control systems – ICS / SCADA
  - Manage identities – authenticate digital entities (in an enterprise IdM approach)
  - Modernize authorities / laws… (e.g. revise FISMA, merge NSS and other standards)
  - Use acquisition policy to improve security
  - Build the capabilities – research, training and education
  - Do not start over – leverage CNCI
  WE must collectively quantify & prioritize these for leadership actions

  11. Cyber security social contract to Obama from industry
  -- We all lack a common enterprise risk management approach
  -- Need new internet protocols / methods to support security
  -- "Enforceable" CM is mandatory (can reduce 80% of all attacks!)
  -- Positive incentives to encourage / enforce folks to follow best practices
  -- Lack of software quality and assurance
  -- Multi-organizational coordinated roadmap / vision is essential
  -- Map / manage the physical to cyber security (ICS / PCS / SCADA / etc.)
  -- Supply chain issues better understood, protected and tested against
  -- Use / leverage / engage DARPA, IARPA, In-Q-Tel, etc.
  -- Move from a passive, forensic-based defense to an active posture using real-time intelligence updates to dynamically adjust our protection levels
  -- Must have both privacy and security built in
  -- Focus on "insider threat" (a “determined intruder” – inside or external)
  -- Government embrace / lead the required IA standards that are effective
  -- Modern IdM / access control (where our “ZBAC” approach works cross domain)
  -- Set clear IA/security priorities – then resource, manage and control
  WE must collectively quantify & prioritize these for leadership actions

  12. Leadership Summary / Recap (Cyber Security Collaboration Summit – SD – Nov 08)
  • Common vision / end state / master plan – where are we going?
  • Governance & more governance – coordinate ALL those in charge?
  • Specified requirements and then some – top down, detailed needs
  • Prescriptive implementation guidance required – fidelity in the “what”
  • What’s “good enough” IA/Security? Must have a common threshold
  • Pedigree approach – simplify verification and compliance (build in)
  • What is the IA business basis / ROI? (AND success metrics therein?)
  • What is the future risk environment? Threats, consequences, etc.?
  • Training at all levels, especially user and SW development
  • Standard architectures / standards / profiles (and a Trust Model!!!)
  • SOA security is vague at best (no T&E / C&A plans at all!), but…
  • Application security and web security, or lack thereof, is pervasive too
  WE must collectively quantify & prioritize these for leadership actions

  13. Representative Navy Operator IA issues
  • IA Master Plan; IA vision; clear IA goals
  • IA Governance Structure / Consistent Policies
  • Workforce Quals / Certs / Training
  • "Improve Speed to Capability” – implementing newer technologies: HBSS, DAR, etc.
  • IA Approach, Strategy consistent with SYSCOMs and DoD
  • IA Policy/Architecture “implementation” guidance
  • Enterprise Access Control – "Trust Model"
  • Certification & Accreditation – aggregation of systems
  • Supply Chain Security / Defense in Breadth
  • Sustain current IA and CND posture to ensure readiness
  Calling things “cyber” will not change the current IA and IO issues. These are still the activities that are needed for protecting the GIG.

  14. Recent IT/Cyber Leadership perspectives
  A - Political / legal cyber paper: cyber offense must be strictly monitored and controlled, due to potential escalation, State Department implications and countries suing each other.
  B - Navy IT FLAG/SES meeting results / paper:
  -- Greater accountability, more complete visibility; net-centric concepts need to be revisited; can't protect all networks – ensure the C2 / enterprise are…
  -- Need better situational awareness, discipline in development and acquisition, TTPs... and training...
  -- Senior Advisor’s major conclusions: stricter CM & SA / inspect traffic
  -- FLAG / SES participants’ guidance: common governance and language, eliminate low to medium threats, focus more resources on defensive posture and key critical actions (aka have a risk management approach), closer collaboration between Services / agencies, include space and undersea cables, exercise in degraded modes, stress education, use the RED TEAM for better effectiveness, avoid issues NMCI found, high speed acquisition, and address COTS / supply chain management.
  Issues / suggestions are similar to others, but act collectively WE must!

  15. NSPD-54/HSPD-23: CNCI ‘12 Initiatives’
  Many are still being finessed, and all need to be prioritized.
  Focus Area 1 – Establish a front line of defense: Trusted Internet Connections; Deploy Passive Sensors Across Federal Systems; Pursue Deployment of Intrusion Prevention Systems; Coordinate and Redirect R&D Efforts
  Focus Area 2 – Resolve to secure cyberspace / set conditions for long-term success: Connect Current Centers to Enhance Situational Awareness; Develop Gov’t-wide Counterintelligence Plan for Cyberspace; Increase Security of the Classified Networks; Expand Education
  Focus Area 3 – Shape future environment / secure U.S. advantage / address new threats: Define and Develop Enduring Leap-Ahead Technologies, Strategies & Programs; Define and Develop Enduring Deterrence Strategies & Programs; Manage Global Supply Chain Risk; Define Federal Role for Cybersecurity in Critical Infrastructure Domains
  “THESE” are the key long-term business opportunities!
  (Source: derived from JS Cyber 101 brief)

  16. What can we expect to help us?
  • NSA / GIAP with CNCI = better IA stuff
  • Support for “data/content centric security – DCS”
  • Leaders get it, but we need to translate geek speak
  • ESM / PvM helps automated systems, reporting
  • COTS IA – commercial Suite “B” encryption
  • Going beyond the boundary protection approach
  • Effective trust binding between data, layers and domains
  • Develop an IA vision -> enterprise architecture
  • Easier to build IA in through a top-down structure / standards

  17. Where you can assist
  • New technologies, methods, processes (CNCI!)
  • Not-so-niche areas of general systems engineering, integration, “rapid COTS / GOTS insertion,” etc.
  • Collaboration with other innovative companies
  • Partner with other security groups, IA/cyber entities
  • Cyber “packages” needed, not un-integrated SW
  • Follow issues / concerns – they will not go away
  • Think tank, study, and discovery support efforts
  • Top-down risk management, prioritization approach!

  18. Summary
  • There are MANY IA/cyber initiatives in the works
  • Follow the CNCI trail; that should prevail…
  • We still need cyber enterprise “R”equirements, just as we do now for IA and IO and C&A and ….
  • What is needed now, current issues, will exist in cyber
  • W/o an enterprise risk management approach, any / all paths will do… and we stay in the crisis of prioritization
  • We ALL need better collaboration – DOD on down
  • Users / platforms must drive cyber = KISS = commodity
  • Vendors / integrators need to coalesce, drive the truck
  Remember the “P6” principle… Planning and communications only get us part way there. That’s our story – what’s yours?

  19. What is Information Assurance (IA)?
  “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.”
  • Confidentiality – assurance that information is not disclosed to unauthorized entities or processes
  • Integrity – quality of an information system reflecting the logical correctness and reliability of the operating system
  • Availability – timely, reliable access to data and information services for authorized users
  • Authentication – security measure designed to establish the validity of a transmission, message, or originator
  • Non-Repudiation – assurance that the sender of data is provided with proof of delivery and the recipient with proof of the sender’s identity
  (Diagram: INFOSEC nested within Information Assurance.) WHAT parts belong where – wrt our collective enterprise trust model?

  20. Cyber “Protections” Overview (or why “IA/IO/Cyber” is so complex / hard… because it is ALL of that and more!)
  Diagram elements: “CYBER”; PKI/CAC; ID Mgmt; “CIO”; FISMA; Operations; IAMs; “IO” and CNO – Defend, Attack, Exploit; CND; CA Support; C&A; IA; CMI/KMI; Policy; Training; IA Services; Requirements; Enterprise Risk Mgmt.; NETOPS
  Multiple players, multiple PEs/Lines, multiple threats, multiple PMW/S/As – typical IA acquisition elements.
  Strategy AND Governance critical to “implementation” success!

  21. An “Overall” Enterprise Picture (what are the minimal elements, who “owns” them, & how do they get integrated?)
  “SOA Security” needs to account for more than “just” SOA!
  Elements: Apps & COIs; SOA/ESB/Services; Business processes; CCE; Dynamic Access Control; ITIL/ITSM SLA execution; Data security strategy / ownership; Hardware / Software Assurance; Data privacy protection and auditable anonymity
  There is more to the enterprise IA/C&A picture than “just” CCE, SOA and Apps, which are hard enough to integrate. IA/Security strategy must consider the whole enterprise trust model!

  22. So what really matters in IA/Cyber E2E? A notional Quality of Protection (QoP) Hierarchy (wrt our defense in “breadth” position paper – but what REALLY matters?)
  From complex / dynamic settings (top) to known / static capabilities (bottom):
  • “DATA QoP” (C-I-A and N & A)
  • IA&A and CBE / DCS (distributed / transitive trust model… E2E data-centric security and protections)
  • Core / Security Services – standards (WS-* and other security policy / protocols / standards, including versions & extensions therein)
  • IA devices, network protection – CND – FW / IDS / VPN / etc. (in general, mature capabilities – but multiple unclear “CM” processes are persistent and problematic)
  Alongside the hierarchy: IO (CNO/E/A, “I&W”, OPSEC, etc.) … and … IA A&E / Policy (crypto, KMI, TSM/HAP, policy, etc.)
  Mainly: IA standards, IA&A, CBE/DCS and digital policy!

  23. GIG IA Protection Strategy Evolution
  Today – Static “Perimeter” Protection Model:
  • Common level of Information Protection provided by the System High Environment
  • Common User Trust Level (Clearances) across the sys-high environment
  • Privilege gained by access to environment and rudimentary roles
  • Information “authority” determines the required level of protection (QoP) for the most sensitive information in the sys-high environment – the high water mark determines IT/IA/“Comms” Standards for all information
  • Manual review to release information classified at less than sys-high; manual analysis and procedures determine allowed interconnects
  Future – Transactional “Enterprise IA” Protection Model ("Need to SHARE" and distributed / transitive trust models):
  • Required level of Information Protection “specified” for each Transaction
  • User Trust Level sufficient across Transaction/COI – varies for the enterprise
  • Privilege assigned to user/device based on operational role and can be changed
  • Information “authority” determines the required level of end-to-end protection (QoP) required to access information – translates to a set of IT/IA/“Comms” Standards that must be met for the Transaction to occur
  • Automated mechanisms allow information to be shared (“released”) when users/devices have proper privilege and the Transaction can meet QoP requirements
  We will be loosely connected, sharing information – and protected?
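  To make the two release rules on this slide concrete, here is an added Python sketch (not from the presentation or any SPAWAR/GIG program) that contrasts the high-water-mark rule with a per-transaction check of role privilege plus end-to-end QoP. All levels, items, principals and path attributes are constructed for illustration.

```python
# Notional comparison of the static "perimeter" release rule with the
# transactional QoP rule. All levels, items and principals are constructed.
from dataclasses import dataclass, fields
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class QoP:
    # C-I-A plus authentication and non-repudiation, each at a Level.
    confidentiality: Level
    integrity: Level
    availability: Level
    authentication: Level
    non_repudiation: Level

    def satisfied_by(self, provided: "QoP") -> bool:
        # Every required attribute must be met or exceeded by the path.
        return all(getattr(provided, f.name) >= getattr(self, f.name)
                   for f in fields(self))


@dataclass(frozen=True)
class Information:
    name: str
    sensitivity: Level   # minimum user privilege needed to see it
    required: QoP        # end-to-end QoP set by the information authority


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: Level       # static trust level used by the perimeter model
    role_privilege: Level  # per-role privilege used by the transactional model


def perimeter_release(info: Information, user: Principal, system_high: Level) -> str:
    # Today: the enclave is protected to its high-water mark, so even a
    # low-sensitivity item reaches a lower-cleared user only via manual review.
    return "release" if user.clearance >= system_high else "manual-review"


def transactional_release(info: Information, user: Principal, path: QoP) -> str:
    # Future: automated release when the role privilege covers this item
    # and the end-to-end path meets the item's own QoP; otherwise say why not.
    if user.role_privilege < info.sensitivity:
        return "deny: insufficient privilege"
    if not info.required.satisfied_by(path):
        return "deny: path below required QoP"
    return "release"


# Constructed sample data: one low-sensitivity item, one high-sensitivity item.
WEATHER = Information("port weather", Level.LOW,
                      QoP(Level.LOW, Level.MODERATE, Level.LOW, Level.MODERATE, Level.LOW))
OPLAN = Information("ops plan", Level.HIGH,
                    QoP(Level.HIGH, Level.HIGH, Level.MODERATE, Level.HIGH, Level.HIGH))
SYSTEM_HIGH = max(WEATHER.sensitivity, OPLAN.sensitivity)
PARTNER = Principal("coalition partner", Level.LOW, Level.MODERATE)
ANALYST = Principal("analyst", Level.HIGH, Level.HIGH)
# An encrypted, mutually authenticated path that provides no signed receipts.
ENC_PATH = QoP(Level.HIGH, Level.HIGH, Level.MODERATE, Level.HIGH, Level.LOW)


def demo() -> dict:
    return {
        "perimeter_weather": perimeter_release(WEATHER, PARTNER, SYSTEM_HIGH),
        "txn_weather": transactional_release(WEATHER, PARTNER, ENC_PATH),
        "txn_oplan_partner": transactional_release(OPLAN, PARTNER, ENC_PATH),
        "txn_oplan_analyst": transactional_release(OPLAN, ANALYST, ENC_PATH),
    }
```

  Note that the analyst is denied the ops plan not for lack of privilege but because the path offers no non-repudiation, which is exactly the per-transaction standard the slide says must be met before release.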

  24. The Big Picture: XML Family of Specifications – "LOTS" of standards and specs to coordinate

  25. IA / C&A Building blocks
  • The desired end-state is in general one of a transformed single C&A process that accommodates all C&A needs and activities (re: T&E / V&V)
  • End-state needs to integrate and accommodate several major perspectives / initiatives: (1) aggregation into some number of larger systems of systems (SoS) and enclaves / platforms, (2) platform IT (PIT), (3) the federal C&A transformation effort (bringing together DOD, IC and federal agencies), and (4) the new NNWC C&A process (for the Navy aspect).
  • Develop a "security container" of sorts emulating the "CC" process (see http://www.niap-ccevs.org/cc-scheme/ ) that IA devices go through – establishes the same format / needs
  • Natural to have a limited and controlled set of IA building blocks for a FEW main classes:
    • IA devices (crypto, EKMS, PKI/CAC, VPN, firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc.)
    • IA-enabled capabilities (OS, web browsers, messaging systems, screening routers, etc.) (and we submit the IA/WSS standards need to go here too – prescribe a limited set of IA “profiles” with defined standards / protocols!)
    • Services and applications (we think we can define a standard "security container" for each, ideally a “class” – maybe a couple are needed for SOA/Services – we postulate the earlier three C&A types would work well)
    • Critical IA capability devices (any key IT capabilities we may have missed and want to specifically consider)
    • PIT – Platform IT variants (there should be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HM&E, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc.)
    • Remainder of NIST 95 descriptions: intelligence activities; cryptologic activities; command and control; weapons and their systems; systems for "direct military / intelligence" missions; and classified systems... Any “special cases” defined
    • AND/OR consider the remainder of 8500.2 categories: AIS application; enclaves; outsourced IT; PIT interconnection (where Platform IT refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems, such as weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the R&D of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems)
  Just as “IT” must transition to a “commodity” approach, so must Cyber security!

  26. Cyber – Spans Warfare and Business Mission Areas
  Net-centric operations, as well as the emerging new joint capabilities and integration development process, are where the DoD is headed in the “Business of Warfighting”.
  Cyber must effectively integrate Business and Warfighter Mission Areas, where GOVERNANCE (or lack of it) still rules…
  Sources: Secretary of State Hillary Clinton statement, January 21 2009; SSC Atlantic Cyber Strategy; notional – partially derived from industry partner brief

  27. A National Security Issue
  Ubiquitous presence…
  • 1.5 billion people on the Internet; much of Asia and Africa still to come (using wireless, which is cheaper to install)
  • Upwards of 200B e-mails per day
  • Critical to commerce, government, business processes, safety, etc.
  • Exponential demand; 8 hours of YouTube uploaded every minute
  • Increasing connections; global wireless and cellular usage
  • Volumetric rise in data everywhere, with no enterprise data security and tracking approach (Internet = database)
  Salient danger…
  • Cyberspace intrusions and attacks are a real and emerging threat
  • U.S. faces a dangerous mixture of vulnerabilities and adversaries
  • Cyberspace situational awareness is not mature (and not at all levels)
  • PEOPLE, information and the C4ISR infrastructure are targets
  • Exploitation, disruption, exfiltration, misinformation or destruction are adversary goals (& bragging rights)
  • Malicious cyberspace activity is increasing in regularity and severity
  “Attacks on Critical Infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident.” -- 2007 National Infrastructure Protection Plan
  (Source: derived from JS Cyber 101 brief)
