CyberSecurity for the GIG; a historical perspective
The Security Network Track # 2, Panel #3
Presented by John C. Deal and Erik Visnyak
October 6, 2009

He who does not learn from history…
• Almon Strowger - 1889
• Cliff Stoll – 1987-1989
• Compromise of the Greek Telephone System – 2004/2005
• Cyber Attack on Estonia and the Republic of Georgia – 2007/2008
• Others

A Classic Approach to Defense-In-Depth - 1999
Defense in Depth is more than Technology; it is about Security Controls working through Operations, People, and Technologies
• 1st Perimeter - Stop Common Hackers & Vulnerabilities + “Trip-Wire”
• 2nd Perimeter – DMZ + Stop Attacks
• 3rd Perimeter - Internal Trip-Wire
• 4th Perimeter - Allow Only Verified Enclave Users & Applications; Deny All Others
• Final Defensive Perimeter - Server Trip-Wire & Other Server Security Mechanisms
[Diagram labels: Internet, Hacker, External IDS, ACL, Installation Firewall, DMZ, Public Servers, FW, Intrusion Detection System, Internal IDS, Enclave Firewall, Server Tools]

Functional Architecture for Information Assurance
Standard Implementation of IA Controls and STIGs to Protect, Detect and Harden Networked Information Systems - 2009
[Diagram labels: IA Workstation Software, IA SW Components, Wireless Security, CDS Workstation Software - Access, Firewall Agent, IPSec Gateway, Data at Rest Encryption, Security Management Software, Policy Management, Threat Management, Application Guard, IDPS Management, Vulnerability Scanner, Application Guard Hardware, Identity Management, Audit Management, Application Guard Software - Transfer, Security Patch Management, Rogue System Detection Management]
DoD Publishes STIGs: A Security Technical Implementation Guide is a methodology for standardized secure installation and maintenance of computer software and hardware. A STIG describes what needs to be done to minimize network-based attacks and to stop system access when a computer criminal is physically next to the device. Lastly, a STIG may also be used to describe the processes and lifecycles for maintenance (such as software updates and vulnerability patching).
• http://iase.disa.mil/stigs/index.html
• http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
• http://www.nsa.gov/ia/programs/h_a_p/releases/index.shtml
• http://www.ucdmo.gov/

It’s All About Trust
Trust is the Basic Security Issue
• Information Access and Info Sharing based on role, clearance and need to know
• Challenges to Cyber-trust
  • Pervasive computing – PDAs, phones
  • Social networking
  • Processing Speeds
Trust and Security Control mechanisms (establishing and maintaining trust)
• Basic Defense in Depth – passwords, ACL, bio-metrics, encryption, etc.
• IA Controls and Security Hardening
Monitoring and Maintaining Cyber-trust
• Knowing where your trust relations are vulnerable
• Deterrents to trust-violations
  • Hacking deterrents
  • Snooping
  • Cyber-attacks
• Knowing when your trust has been violated
  • IDPS and AND (Signature Based and Behavioral Based)
  • Host, Wireless and Network Sensors
System Vision of the Target GIG Version 1.0, June 2007

Any Questions?
Contact Information:
E-Mail: john.deal@baesystems.com
Phone: 619-788-5200, 858-592-5626