Operational Assessments of Information Assurance (IA) and Interoperability (IOP) during Combatant Command Exercises
Brief for the 2006 DoD Enterprise Architecture Conference, Williamsburg, VA, October 19, 2006
Mr Dave Aland, Supporting OSD DOT&E Deputy Director of Naval and C4ISR Systems
Operational IA&I Assessments
• Congressional mandate
• Independent Assessments
• Annual, both IA & IOP
• COCOM and Service exercises
• With NSA, IWCs, OTAs
• Integrated into Joint Exercise planning cycle
• Blue Team assessments
• Red Team opposition
• Green Team assistance
• Partnered with JCS / DIAP
• Annual report to Congress
Diagram (assessment cycle mapped onto the exercise planning cycle; recovered labels): Initial Planning; Preparation: Baseline Surveys; Remediation: Training, Tech Support, Focus; Exercise Planning; Final Planning; Exercise Assessment: Realistic Opposition; Resolution: Address Issues; DoD Stakeholders; scale from Small to Large.
• Identify and assist the resolution of basic problems, prepare for and train against threat-representative foes, sort out responsibility for resolving complex issues.
Diagram (exercises assessed, grouped by COCOM and Service; the exercise-to-command mapping is not recoverable from the extracted text): Flexible Leader, Agile Response, Austere Challenge, Lion Challenge, Digital Storm, Sharp Focus, CWID, Talisman Sabre, Bright Star, Unified Endeavor (OEF/OIF), Internal Look, Terminal Fury, Ulchi Focus Lens, RSOI, Salt Lake Shake, Unified Defense, JWID, Determined Promise, Ardent Sentry, Northern Edge, Vigilant Shield, Alaskan Shield, Fuertas Defensas, Blue Advance, Global Guardian, Global Lightning, Global Shield, Bulwark Defender, Turbo Challenge, Turbo Distribution, JNTC, CJTFEx, Warfighter, ABCS, Cobra Gold, USA-Ex, Roving Sands, JTFEx, FleetEx, AWI, Black Demon, MEFEx, FEDOS. Commands and Services shown: NORTHCOM, EUCOM, SOUTHCOM, CENTCOM, PACOM, JFCOM, TRANSCOM, STRATCOM, USA, USN, USAF, USMC.
IA&I Assessment Status
• 50+ Assessments
• “Raise the Bar”, trending
• Stabilized Metrics
  • 8500.2M IA Standards
  • Expanded Core Metrics
  • Build IOP metrics
• IA & Interoperability
  • Assess risks and trade-offs
  • Impact to Mission Thread
• Facilitate Solutions
  • Track and re-test issues
  • Provide input to solution sources
  • Improve new acquisitions
Observations
• Overall trend is up: assessments raise the IA bar
• Findings relevant to both IA & IOP:
  • “Blocking and Tackling” issues - passwords, poor configuration management, slow response to upgrades/patches, lack of licenses and authorized integrations
  • Personnel shortfalls - no standard manning templates, lack of training
  • Common network shortfalls - unpatched vulnerabilities, slow POR response to patches/changes, functionality trumps security
  • Physical Security - network components unprotected
  • IDS/IPS - few can optimally operate IDS/IPS
  • Lack of situation awareness - lack of anomaly correlation, lack of internal monitors, integrations defeating security, lack of network sensors
  • New Technologies - wireless, Bluetooth, portable storage media accountability, web-configured peripherals
  • Continuity of Operations not planned - no COOP standards, few COOPs prepared, not often exercised
  • No data recovery plans - off-site storage, “safe baselines”, back-ups
Recent Exercise Observation
• Combined use of CAC, NTLMv2, and selected 15-character passwords, added to strong vulnerability/patch management, is a very effective deterrent to intrusion.
  • CAC logon for all users; SysAds use 15-character passwords
  • Disable LANMAN hashes, enable NTLMv2 hashes
• Initial Observation: Red Team was contained and stopped.
  • Red Team probed for unpatched servers/workstations one by one
Diagram (two network scenarios compared; recovered text):
• LANMAN + user/password: Intruder compromises one machine, via an unpatched vulnerability or by cracking the logon and password, then transits to other machines in the domain by exploiting network trust relationships.
• CAC + NTLMv2 + 15-char passwords: Intruder must individually probe for unpatched vulnerabilities on each machine, cannot transit to additional machines or compromise logons. CAC/NTLM/15cpw blocks transit within the network and prevents logon compromises. If patches are up to date, and shares are OFF, the intruder has few options for entry or compromise.
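The hardening the slide credits with containing the Red Team (no LM hashes, NTLMv2 only, 15-character passwords) maps to a few checkable host settings. The following audit script is an added example, not part of the briefing; the LSA registry value names are the standard Windows ones, while the pass thresholds (LmCompatibilityLevel 5, minimum length 15) and the function name are assumptions taken from the slide's recommendation. CAC enforcement is a per-account directory setting and is not checked here.

```powershell
# Added example (not from the briefing): audit a Windows host against the
# logon-hardening settings the slide describes. Thresholds are assumptions
# based on the slide: NTLMv2 only, LM hashes off, 15-character passwords.
function Test-LogonHardening {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength = 15   # 15+ chars: Windows cannot store an LM hash (LM covers 14)
    )

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # NoLMHash = 1 stops Windows from storing the weak LM hash at the next password change.
    $noLmHash = (Get-ItemProperty -Path $lsa -Name NoLMHash `
                   -ErrorAction SilentlyContinue).NoLMHash

    # LmCompatibilityLevel 5 = send NTLMv2 responses only, refuse LM and NTLM.
    # An absent value means the OS default applies, which this audit treats as not enforced.
    $lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
                  -ErrorAction SilentlyContinue).LmCompatibilityLevel

    # 'net accounts' prints the effective minimum password length for this host/domain.
    $minLen = 0
    $match = net accounts 2>$null | Select-String -Pattern 'Minimum password length:\s+(\d+)'
    if ($match) { $minLen = [int]$match.Matches[0].Groups[1].Value }

    [PSCustomObject]@{
        NoLMHash               = $noLmHash
        LmCompatibilityLevel   = $lmLevel
        MinPasswordLength      = $minLen
        LmHashDisabled         = ($noLmHash -eq 1)
        NtlmV2Only             = ($null -ne $lmLevel -and $lmLevel -ge 5)
        PasswordsExceedLmLimit = ($minLen -ge $MinPasswordLength)
    }
}

$audit = Test-LogonHardening
$audit | Format-List
if ($audit.LmHashDisabled -and $audit.NtlmV2Only -and $audit.PasswordsExceedLmLimit) {
    Write-Output 'PASS: LM hashes off, NTLMv2 enforced, minimum password length beyond LM limit'
} else {
    Write-Output 'FAIL: one or more settings differ from the briefing recommendation'
}
```

Run it in an elevated PowerShell session on the host being assessed; the three boolean fields give a quick per-machine view of the slide's "CAC + NTLMv2 + 15-char passwords" posture before a Red Team event.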
Synchronized IA & IOP Assessment
• IA and IOP are a question of “plumbing”: balance the flow of information across the network, and limit the flow of information beyond the network.
• To assess the balance, evaluate both IA & IOP, the mission impact, the appropriateness of the risks accepted, and whether or not the balance is successful.
Diagram (“The Information Pipe”; recovered labels): Data and IA layers of the pipe; Interoperability; IA Assessment and IOP Assessment combined into a Combined Assessment of Network Health; inputs: exercise threats, objectives, scenario.
Interoperability Assessments
• Mission: Assess end-to-end operational effectiveness of exchanged information as required for mission accomplishment
• Perspective: Interoperability is more than just information exchange - it includes systems, process, procedures, organizations and missions; and it must be balanced with Information Assurance
• Focus:
  • Assess Interoperability within context of mission effectiveness
  • Address both positive and negative mission outcomes
  • Discover & characterize interoperability problems (e.g. DOTMLPF)
  • Assess operational impact
  • Recommend viable solutions & track implementation
Joint Mission Thread (JMT)
• Identify high-impact C2 training objectives aligned to COCOM needs and C2 architecture shortfalls
• Joint Task Force Command & Control selected as primary JMT
• Address COCOM specific interoperability issues
• Common Thread across all COCOMs
• Highlight trends of interoperability
• Expand from Core to a wider base of mission threads
IOP Assessment Process
Diagram (process flow; recovered text). Phases: Identify Focus & Mission Threads / Strands; Identify Venue, Build Assessment Plan, & Data Collection Procedures; Conduct Assessment & Report Findings; Recommend, Validate & Implement Solutions.
Steps shown: Assess past events; Select appropriate exercise; Map Threads to architecture; Develop Plan & Procedures; Observe and collect data; Develop event specific analysis; Populate DOT&E DEKMS database; Quick Look & Final Report; Recommend viable solutions; DOTMLPF Change Request; Integrate & validate solutions; Implement solutions.
Inputs shown: Selected C2 threads; COCOM interest areas; JSTEM; Joint Task Articles (JTAs); Mission Threads / Strands.
Participants shown: DOT&E, JFCOM, ATEC, COTF*, JS, MCOTEA, AFOTEC, JITC.
Interoperability Reporting
• Quarterly Analysis
  • Characterize interoperability trends and identify key issues
  • Track progress on key issues and recommended solutions
  • Nominate programs to the interoperability watch list based upon mission impact and associated risk
  • Provide quarterly input to the JS, Services and others for action
• Annual Report to Congress
  • Report key issues / programs and Joint Mission Thread (JMT)
  • Address mission thread accomplishment and operational impacts of issues found
  • Highlight recommended solutions and progress made on implementation
IA&IOP Assessment Road Show
• Brief COCOM leadership
• Reinforce IA efforts
• Awareness of IOP efforts
• Develop relationships
• Gain COCOM support
• Identify COCOM IOP issues for assessment focus areas
• Identify a COCOM IOP POC to begin the coordination process, exercise planning, JMT identification
IA Solution Sources
• Local
  • COCOM / Component CERTs, Network Support and Operations Ctrs
  • “Triage” assistance for training / technical support
• Service
  • CIO / NetOps
  • Program Managers
• Enterprise
  • USSTRATCOM Enterprise Solutions Steering Group
  • IA Senior Leadership / IA-CND Working Group
  • GIAP (GIG IA Portfolio) / DIAP
  • DISA[FSO]
• Long-Range
  • GIG IA Component design and procurement
IOP Solution Sources (?)
• Local
  • COCOM / Component CIPOs, Network Support and Operations Ctrs
  • JITC (Technical) / JCSJ7 (Training) / JSTEMs
• Service
  • CIO / NetOps
  • Program Managers
• Enterprise
  • MCEB / MCEB Interoperability Panel (JCSJ6I)
  • C2 Portfolio Manager (USJFCOM)
  • DISA[FSO] and JSIC trying to keep up with demand
• Long-Range
  • Needed: an ESSG-like entity