1. Defense Information Systems Agency (DISA) Securing Computing Services Mr. David Hughes
14 January 2003
(717) 267-9901
hughesd@ritchie.disa.mil
This is an information briefing designed to provide an overview of the security program applied to DISA Computing Services.
2. DISA Computing Services – Combat Support Processing
4. Information Assurance must cover many areas in an Enterprise. Computing Services has to cover all the areas shown.
5. Information Assurance
These are the highlights of our security program in DISA. Traditional security covers those areas normally thought of in the protection of a facility and its people.
Electronic security covers the cyber side of our environment.
Note that both areas are multi-layered, demonstrating our strong belief in a “defense in depth” approach.
6. Traditional Security
Our Security Handbook was developed by Mr Gulledge and his team to provide a cookbook approach to interpreting the thousands of pages of guidance available on traditional security into a form readily available and understandable to our facility security managers. This book is intended for use by WESTHEM/Computing Services sites, but its common-sense approach makes it a popular item for our other customers as well.
The handbook does not replace the policy and regulations. It merely cites essential guidance from the regulations and tells one where to look for additional information.
The handbook is used as the base policy for our traditional security readiness reviews.
7. Traditional Security Highlights
Data centers located on a military base or federal facility with controlled entry
Controlled access to data centers
Secondary controls at computer room
Computer rooms alarmed with 24 hour police response
Closed circuit TV monitoring 24x7
Background investigation required for all employees
All personnel require badges
Differentiate among federal and contractor employees and personnel requiring escort
Access lists are maintained
Visitors must sign in
Property control, including inventory and bar codes
8. Electronic Security
Security Technical Implementation Guide (STIG): a guide for information security
A compendium of security regulations and best practices from many sources that apply to an operating system or a part of the Defense infrastructure
Goals
Intrusion avoidance
Intrusion detection
Response and recovery
Security implementation guidance
Checklists and evaluation scripts provided for each technology
We have numerous Security Technical Implementation Guides (STIGs), a list of which will follow. This slide describes their general content and purpose.
The STIGs provide precise information on how to securely configure computers, routers, applications, LANs, etc. They are used as the base security policies for our technical security readiness reviews.
9. Working from the inside out, we start with a Host-based Intrusion Detection System that sits on top of the operating system of critical servers. The Host IDS monitors and detects intrusions at the host level by monitoring system activity and provides alerts to the local system administrator (SA) and/or security manager (SM).
Next, a Vulnerability Assessment tool is another important capability. It monitors key assets to identify configuration errors; examines the integrity of system files and password strength; and determines whether critical patches are applied. Alerts again are sent to the local SA and/or SM.
All too often the logging feature of production servers is turned off in order to avoid degrading processor efficiency. Not a good idea from a security perspective! However, with the Audit Server, the auditing overhead of critical systems is greatly reduced, because the audit data of the servers is sent to the Audit Server, where it is protected and stored in an Oracle DBMS and available for retrospective analysis. It is also stored in its native format and archived on CDs for long-term storage and for use as evidence in a court of law if required. Keeping the audit trail off the host also means an intruder who gains control of a server cannot erase the record of how they got in.
Next, the local Network IDS monitors the traffic of the internal network, constantly on the lookout for anomalous activity initiated either inside or outside of the enclave. Real-time alerts are sent to the local SA and/or SM.
Closer to the enclave perimeter we find a hybrid firewall: hybrid in the sense that it features application proxies for robust security as well as stateful inspection, so as not to impede network throughput.
Finally, on the outside edge of the enclave is another network IDS, the Joint Intrusion Detection System. JIDS provides near-real-time reporting of suspicious network activity. JIDS data feeds are sent directly to a DISA Regional Computer Emergency Response Team, and confirmed incidents are reported to the DOD CERT for global correlation.
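To make the Audit Server idea concrete, here is an added example, written for this page and not code from DISA or from the briefing, of a central, tamper-evident audit store. Each forwarded record is chained to its predecessor with an HMAC under a key that only the audit server holds, so a host that is compromised can delete its own local logs but cannot silently alter, reorder or truncate what the audit server has already received. The sample records, the key and the `AuditStore` class are assumptions constructed for the illustration; the briefing's Audit Server used an Oracle DBMS and CD archives, which this example does not model.

```python
import hashlib
import hmac
import json

# Constructed sample audit records, in the form a host might forward to a
# central audit server. Illustrative only, not data from any DISA system.
SAMPLE_RECORDS = [
    {"host": "srv01", "ts": "2003-01-14T08:00:01Z", "event": "login", "user": "alice", "result": "success"},
    {"host": "srv01", "ts": "2003-01-14T08:02:17Z", "event": "sudo", "user": "alice", "cmd": "/usr/bin/passwd bob"},
    {"host": "srv02", "ts": "2003-01-14T08:03:44Z", "event": "login", "user": "root", "result": "failure"},
    {"host": "srv02", "ts": "2003-01-14T08:03:59Z", "event": "login", "user": "root", "result": "failure"},
]

GENESIS = "0" * 64  # chain value "before" the first entry


def canonical(record):
    """Serialize a record deterministically so equal records always give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditStore:
    """Append-only store in which every entry is chained to its predecessor by an HMAC.

    The key lives only on the audit server (assumed provisioned out of band), so a
    forwarding host, even one an intruder has rooted, cannot forge, rewrite, reorder
    or truncate entries the server has already accepted without breaking the chain.
    """

    def __init__(self, key):
        self.key = key
        self.entries = []
        self.head = GENESIS  # tag of the most recent entry

    def _tag(self, prev, record):
        return hmac.new(self.key, prev.encode() + canonical(record), hashlib.sha256).hexdigest()

    def append(self, record):
        tag = self._tag(self.head, record)
        self.entries.append({"record": record, "prev": self.head, "tag": tag})
        self.head = tag
        return tag

    def verify(self):
        """Recompute the whole chain. Returns (True, length) if intact, otherwise
        (False, index) where index is the first bad entry, or the length if the
        store was truncated from the end."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._tag(prev, entry["record"])
            if entry["prev"] != prev or not hmac.compare_digest(expected, entry["tag"]):
                return False, i
            prev = entry["tag"]
        if prev != self.head:
            return False, len(self.entries)
        return True, len(self.entries)

    def query(self, **where):
        """Retrospective analysis: records whose fields all match the given values."""
        return [e["record"] for e in self.entries
                if all(e["record"].get(k) == v for k, v in where.items())]


def demo():
    store = AuditStore(key=b"audit-server-secret-key")  # assumption: never present on hosts
    for rec in SAMPLE_RECORDS:
        store.append(dict(rec))
    intact = store.verify()                                                    # (True, 4)
    root_failures = store.query(event="login", user="root", result="failure")  # 2 records

    # An intruder who reached the stored data tries to hide the sudo entry in place.
    store.entries[1]["record"]["cmd"] = "/bin/ls"
    tampered = store.verify()                                                  # (False, 1)
    return intact, len(root_failures), tampered
```

The chain detects in-place edits and deletions from the tail; it does not by itself stop an attacker who also controls the audit server, which is why the briefing keeps the server separately protected and archives the native-format data to write-once media.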
10. Electronic Security Highlights
Robust technical security standards
Tools, checklists, scripts for self-assessment
Annual independent reviews to ensure standards enforcement
Vulnerability Management System (VMS)
All findings tracked to resolution
Registrations of all assets
Identification of new vulnerabilities
Training and certification programs
Two levels of intrusion detection
11. DISA Security Readiness Review (SRR) Process
This chart demonstrates the application of the Process Guide, the handbook and the STIGs in an SRR.
We use them as policy and examine each facility, each network, and each system (each copy of an operating system) for deviations from the policies. This process sounds laborious, but we have developed automated scripts which help productivity (the scripts are also available on the web site). All deviations are recorded as findings in a database. We work with the affected site to develop resolution plans, which are entered as well. The affected site records all activity to clear findings, and we verify correction independently.
We also use the database to provide monthly oversight reports to commanders. The constant attention ensures findings are corrected in a timely fashion.
The database allows constant monitoring of the security status of facilities, which eases documentation requirements for Certification and Accreditation.
The data is also available for DOD IG and GAO inquiries.
We also perform penetration testing (using Internet Security Scanner (ISS)) from outside and inside our firewalls to check security from a network perspective. Any findings are also recorded in our database. Our goal with the scans is to discover and correct problems before they are discovered and exploited by our adversaries.
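The STIG checklists and evaluation scripts (slide 8) and the SRR findings process described above share one shape: evaluate an asset against rules, record each deviation as a finding, let the site log its fix, and close the finding only after an independent re-check. The following added example, not DISA's scripts or its findings database, shows that shape in Python on a constructed sshd_config-style fragment. The rule identifiers `EX-SSH-00n`, the configuration text and the `FindingsDB` class are assumptions made for the illustration, not real STIG rule IDs or real site data.

```python
from dataclasses import dataclass

# Constructed sshd_config-style fragment standing in for a host under review.
# Illustrative only, not taken from any DISA system.
CONFIG_BEFORE = """\
# sshd_config (constructed example)
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
Banner none
LogLevel INFO
"""

# The same host after the site reports everything fixed. Only PermitRootLogin
# actually changed; the banner claim is not borne out by the configuration.
CONFIG_AFTER = """\
# sshd_config (constructed example, after the site's fix)
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
Banner none
LogLevel INFO
"""


@dataclass(frozen=True)
class Rule:
    rule_id: str       # hypothetical identifiers, not real STIG rule IDs
    key: str           # configuration keyword the rule inspects
    allowed: tuple     # values that satisfy the rule
    severity: str      # CAT I/II/III, the scale STIG findings are rated on
    description: str


RULES = (
    Rule("EX-SSH-001", "Protocol", ("2",), "CAT I", "Only SSH protocol 2 may be enabled"),
    Rule("EX-SSH-002", "PermitRootLogin", ("no",), "CAT II", "Direct root login over SSH is prohibited"),
    Rule("EX-SSH-003", "Banner", ("/etc/issue", "/etc/issue.net"), "CAT III", "A login banner must be configured"),
    Rule("EX-SSH-004", "LogLevel", ("INFO", "VERBOSE"), "CAT II", "SSH must log at INFO level or above"),
)


def parse_config(text):
    """Return {keyword: value}; keywords are case-insensitive, comments are
    ignored and a repeated keyword keeps its last value."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def evaluate(asset, text, rules=RULES):
    """Run every rule against one asset's configuration; return only the deviations."""
    settings = parse_config(text)
    findings = []
    for rule in rules:
        observed = settings.get(rule.key.lower(), "<not set>")
        if observed.lower() not in tuple(v.lower() for v in rule.allowed):
            findings.append({"asset": asset, "rule_id": rule.rule_id, "severity": rule.severity,
                             "observed": observed, "expected": " or ".join(rule.allowed),
                             "status": "open", "history": []})
    return findings


class FindingsDB:
    """Tracks each finding from discovery to independently verified closure."""

    def __init__(self):
        self.findings = {}  # (asset, rule_id) -> finding record

    def record(self, findings):
        for f in findings:  # a re-scan never duplicates an existing finding
            self.findings.setdefault((f["asset"], f["rule_id"]), f)

    def site_reports_fixed(self, asset, rule_id, note):
        """The site logs its corrective action; the finding is not closed on its say-so."""
        f = self.findings[(asset, rule_id)]
        f["status"] = "pending verification"
        f["history"].append(note)

    def verify(self, asset, text, rules=RULES):
        """Independent re-check: re-run the rules on the current configuration, close
        only what now passes, and send anything still failing back to open."""
        current = evaluate(asset, text, rules)
        self.record(current)  # newly introduced deviations become new findings
        still_failing = {f["rule_id"] for f in current}
        for (a, rule_id), f in self.findings.items():
            if a != asset:
                continue
            if rule_id in still_failing:
                f["status"] = "open"
                f["history"].append("verification failed: deviation still present")
            else:
                f["status"] = "closed"
                f["history"].append("verified corrected")

    def summary(self):
        """Counts per status, the roll-up a monthly oversight report needs."""
        counts = {}
        for f in self.findings.values():
            counts[f["status"]] = counts.get(f["status"], 0) + 1
        return counts


def demo():
    db = FindingsDB()
    db.record(evaluate("srv01", CONFIG_BEFORE))  # two open findings: EX-SSH-002, EX-SSH-003
    db.site_reports_fixed("srv01", "EX-SSH-002", "set PermitRootLogin no and restarted sshd")
    db.site_reports_fixed("srv01", "EX-SSH-003", "banner configured")  # claimed, not done
    db.verify("srv01", CONFIG_AFTER)
    return db
```

The point of `verify` is that the site's note moves a finding to "pending verification" but only the reviewer's re-run of the rule against the live configuration can close it; in the demo the root-login finding closes and the banner finding goes back to open with the failed verification in its history.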
12. We take our responsibilities and mission seriously and tend to be fanatics about security. We all need to be fanatics to ensure the safety and security of our nation and its people.
Thanks for your support.
13. Are there any questions?