Raytheon Information Security Presentation to TAMU
Kent Stout, Kent_Stout@Raytheon.com
Shelli Richard, Shelli@Raytheon.com
April 16, 2009
Agenda
• Welcome and Introductions
• Information Security Overview
• Current Threat Vectors
• The IA/IO Landscape
• Question and Answer
Driving Goal of Security Engineering
Create the best architecture that:
• Meets functional requirements within cost and schedule constraints
• Provides sufficient security control to mitigate risks to an acceptable level for accreditation
This is a never-ending balancing act!
Information Security as a Discipline
Information Security Engineering: Full Life-Cycle Coverage, Certified Information Security Engineers, Subject Matter Experts, Certification and Accreditation Expertise, Continuous Learning and Development
Network/System Administration
• Network Security
• System Administration
• Operating Systems
• Process
• Installation & Configuration
• Integration and Test
• Operations & Maintenance
Software Engineering
• Requirements
• Process
• Analysis
• Design
• Development
• Implementation
• Integration and Test
• Operations & Maintenance
Systems Engineering
• Requirements
• Process
• Policy
• Analysis
• Architecture
• Integration and Test
• Training
• Operations & Maintenance
• C&A
Information Security Engineering combines key engineering disciplines to span the information security spectrum.
Raytheon InfoSec Competencies
• Systems Engineering
• Enterprise Architecture Engineering
• Security Systems Engineering
• Network Systems Engineering
• Secure Component Engineering
• Continuity of Operations Engineering
• Systems Integration / COTS Integration
• DCID-6/3 Certification & Accreditation
• DIACAP, NISCAP, FISMA, DODIIS, NIST, 8500.xx
• Risk Management / Assessment
• LAN/WAN/Internet Secure Information Sharing
• Identity and Digital Rights Management
• Public Key Infrastructure (PKI), Virtual Private Networks (VPNs), Encryption
• Secure Voice & Conferencing (VoIP)
• Database/Data Warehouse Security
• Anti-Tamper, TEMPEST & HEMP Engineering
• Integrated Red/Black Networking
• Vulnerability Assessment/Penetration Testing
• Data Forensics, Data Integrity
• Operations, Sustainment, Training & Maintenance (NOC, SOC, CIRT)
Raytheon Strives to Provide Robust Solutions to the Evolving Information Assurance Challenges
Cyber Threats are on the Rise (headlines)
• Inspectors Disclose Security Breach at Nuclear Lab
• Pentagon hacked
• Critical infrastructure central to cyber threat
• MI5 sends letter to British companies warning systems are under attack
• Data Breach Reports Up 69 Percent in 2008
Threat Vectors for Critical Infrastructure
[Chart: threat actors over 2001, 2003, 2005 and 2007, moving from individuals to criminal syndicates to national organizations, plotted against target classes: Individuals, Businesses, Organizations, Infrastructure, Military, Government]
THREATS
• Criminal Enterprises / Scammers / Criminals – Phishing, Spam, Identity Theft, Ransomware, Keyloggers, Money Mules, Credit Card Number Theft, Software and Video Pirates, Web Blackmail (e.g., Tomasz Grygoruk), Intellectual Property
• Cyber Terrorists – Jihadists, Al-Qaeda, Nationalists, Arab Electronic Jihad Team, Lashkar-e-Taiba, Hate Groups
• Nation States – Supply Chain Exploitation, Vendor spyware, Trade Secret Mining, Illegitimate Front Companies; China - PLA “Net Force”, Russia, France, Israel, Ukraine, India / Pakistan
• Targets are both Federal and Commercial
• In 2004 revenues produced through cybercrime surpassed those produced through drug trafficking at $105 Billion/year
• Between 2003 and 2007 the estimated average commercial cost related to a data breach went from $10 K to $386 K
• Between 2003 and 2007 the 100 largest US utilities saw an increase of 95% in penetration attempts
• Between 2002 and 2007 military installations went from an estimated 23,000 penetration attempts per year to more than 100,000 attempts per second
• Attack sophistication, rewards, and motivations are all expanding
TARGETS (chart labels): Cybercrime Surpasses Drug Trafficking Revenue ($105B); Email 5% vs. SPAM 95%; Cost per data breach $10K to $386K; examples shown include FaceBook, Google users, McCain & Lieberman websites, MySpace, car navigation systems, Cisco, NASDAQ, TJ Maxx, Shell Oil, Univ. of Pennsylvania, Vodaphone Cellular, Rolls Royce, Davis-Besse Nuclear Plant, TSA, Univ. of Mich., US Electric Grid, Truck Freight Tracking, London Stock Exch., 100 Largest US Utilities (95% increase in penetration attempts), Oak Ridge Labs, Pentagon, NIPRNet, DOJ, Geeks.com, NATO, 101st Airborne, 4th Infantry, US Marines (penetration attempts 23,000/year to 100,000/sec), DHS, Germany Voting Machines
Critical Need
• More devices, more connectivity and more software
• Software is becoming more complex
• This complexity provides a wealth of IO-related opportunities
• Strategic and tactical advantage go to those who can understand then control the execution of software and software systems
• Providing IO capability to the US Government is a high growth niche
• In lock step with the growth in information technology
• Raytheon is positioned at the tip of the spear
Yesterday’s Attackers, Today’s Terrorists, Weapons of the Future?
What is a Security Engineer?
• The perfect security engineer is part
  • Network Engineer – Routers, Switches, Firewalls, Intrusion Detection Systems
  • Operating Systems guru – Linux, Unix, Trusted OSes, Windows
  • Systems Engineer – Architecture, Requirements, Documentation
  • Software developer
  • Protocol expert – HTTP, SSL, SSH, FTP, SMTP, SNMP, NTP, LDAP
  • Applications guru – Web, LDAP, Database, Custom Apps, XML
  • Integration and Test Engineer – Integrate custom and COTS products
• Good team builders with excellent written and verbal communication skills
Is that too much to ask for?
Experience: Continued Education is Vital
[Chart: training by years of experience]
• 0-2 years – Vendor Bootcamps, Technical Training; SANS Security Essentials (Technical); Post-Graduate Security Education
• 3-5 years – Internal Corporate Certifications; CISSP Certification
• 6-9 years – Security Conference Attendance; SANS Level 2 Specialization Track(s); ISSEP Certification
• 10+ years – Additional Certifications (Customer-driven); Security Conference (Speaker)
Information Operations / Information Assurance (IO/IA) Defined
[Diagram: INFORMATION OPERATIONS comprises Computer Network Operations, Non-Kinetic (DEW), Kinetic, and Psyops]
Assessment Methodology
• Information Gathering
  • Interview System Owners
  • Determine high value targets
  • Study and Identify Gaps in Policies/Procedures
  • Conduct Network Mapping Scans
  • Create Network Layout Diagram
• Vulnerability Analysis (VA)
  • Conduct VA Scans
  • Analyze Patch Management Effectiveness
  • Define Secondary Targets
  • Determine risk posed
• Penetration Attack (if requested by customer)
• Results Analysis
  • Analyze all data gathered
• Final Analysis Documentation
  • Document findings, recommendations
Assessment Methodology (Cont.)
• Risk Recommendations
  • Accept Risk, Transfer or Remediate
• Remediate the Risk (Prioritized)
  • Could generate new requirements to correct findings
  • Starts the development cycle
• Remediation approaches
  • System Mechanisms
  • Security COTS Products
  • Custom Software Development
  • IDS/IPS
  • Enterprise Security Monitoring
  • Cross-Domain Solutions
  • Non-traditional approaches – Software Vulnerability Analysis, Reverse Engineering
Risk Mitigated According to Plan; Risk Reduction Effectively Realized
Remediation via System Mechanisms
• Commercial Hardware
  • Network equipment – Cisco, Summit, Juniper, Allied Telesyn
  • Operating Systems – Linux, UNIX, Windows, Trusted OSes
  • SAN switches, Console Servers, etc.
• Hardening default installation
  • Disabling unused services or features, Ingress/Egress Filtering, Logon Banner, etc.
  • Formal guidance (e.g., DISA, NSA, CERT, SANS, CIS, NIST)
• Required capabilities defined by
  • Mission purpose – Development, Production, Testing, Failover Spare
  • Enterprise Infrastructure – Time synchronization (e.g., NTP), centralized logging/monitoring (e.g., Syslog, SNMP), remote maintenance (e.g., SSH), centralized authentication (e.g., TACACS+)
  • Type of equipment – Controlled Interfaces, Core Servers, End User workstations
• Automated tools – repeatable results
  • Custom scripts
  • Solaris Security Toolkit, DISA SRR/Gold, Titan, Bastille, YASSP
Remediation begins at the Equipment level.
Remediation via COTS Product Integration
[Diagram of COTS components: Trusted Guard, Vulnerability Testing, Trusted OS, Firewalls/ACLs, Cisco Routers, LDAP Servers, Secure Shell (SSH), DNS Install & Hardening, PKI Certificate Authority, Oracle Db, Load Balancers, Web Servers]
COTS Products often offer cost-effective solutions
Remediation via COTS Product Integration
• Cisco Routers and Switches
• Load Balancers – F5 Big IP
• Web Servers – Netscape, Apache
• Directory (LDAP) Servers – Netscape
• PKI Certificate Authority – Netscape
• Intrusion Detection Systems (IDS)
  • Network IDS – SourceFire, SNORT, ISS RealSecure, NFR
  • Host IDS – ISS RealSecure, custom log alerts
  • Decoy systems – Symantec ManTrap
  • File Integrity – Tripwire
• Firewalls – Gauntlet, CyberGuard, Cisco PIX
• Oracle Databases, including Oracle Label Security (OLS)
• Cross Domain firewall
• Secure Shell (SSH) for administration and system control scripts
• Washington University FTP
• DNS installation and hardening
• CORBA – Orbix
Remediation via Developed Software
• Frequently, customer requirements for security exceed commercial product capabilities
• Information Security often requires developing custom software solutions securely
Software Development enables bridging the gaps in integrating COTS applications based on customers’ needs.
Remediation via Intrusion Detection/Prevention Systems
• Initial design and deployment decisions
  • Bandwidth – segregate network, multiple sensors
  • Encrypted traffic – limited visibility, decrypt prior to sensor
  • Outside perimeter – noise, shows growing threats
  • Inside perimeter – focuses on compromises
• Mechanism
  • Mirroring on switches – cheaper, possible load failures
  • Taps – more expensive, configuration more difficult and involved
• Customize to context of environment (i.e., tuning)
  • Minimizes false positives
• Configure appropriate notifications and/or response
• Detect violations of policy
• Devise scheme to efficiently update signatures
• Monitoring and investigation into alerts
• Escalation Procedures / Remediation Actions
IDS/IPS solutions offer significant contributions to overall situational awareness but can be very complex in nature and customization.
Remediation via Enterprise Security Monitoring
• Overarching security monitoring layer
• Consolidates information from a variety of security equipment
• Integrate existing sensors
  • Syslog
  • Log files
  • SNMP Traps
  • Smart agents
• Normalize information gathered
• Filter noise
• Aggregate/correlate events/threats/alerts
  • Policy violations
  • Heuristic Analysis
• Reports/visualization
• COTS packages
  • CA eTrust, ArcSight, e-Security, Symantec, Intellitactics, netForensics, etc.
• GOTS
  • Audit Log Evaluation and Reduction Tool (ALERT), custom scripts, etc.
Enterprise Security Monitoring combines the technical solutions for risk mitigation and risk management.
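As an added example (not from the presentation or from any Raytheon product), the normalize, filter-noise and aggregate/correlate stages above as a small Python pipeline over constructed syslog lines and SNMP-trap-style records; the event schema, the failure threshold and the sample data are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inputs (not real logs): syslog lines and SNMP-trap-style records.
SYSLOG_LINES = [
    "Apr 16 09:01:02 fw1 sshd[812]: Failed password for root from 10.0.0.5 port 5011",
    "Apr 16 09:01:05 fw1 sshd[812]: Failed password for root from 10.0.0.5 port 5012",
    "Apr 16 09:01:09 fw1 sshd[812]: Failed password for root from 10.0.0.5 port 5013",
    "Apr 16 09:01:11 fw1 sshd[812]: Accepted password for root from 10.0.0.5 port 5014",
    "Apr 16 09:02:00 web1 cron[77]: (root) CMD (/usr/bin/logrotate)",
]
SNMP_TRAPS = [  # (agent, trap name, value)
    ("sw1", "linkDown", "Gi0/3"),
    ("sw1", "linkUp", "Gi0/3"),
    ("sw2", "linkDown", "Gi0/1"),
]


@dataclass(frozen=True)
class Event:
    """Normalized event schema shared by every sensor feed (an assumption)."""
    source: str        # host or SNMP agent that emitted the event
    category: str      # normalized category: auth_failure, auth_success, link_down, noise
    detail: str
    actor: str = ""    # remote address when known


SSH_RE = re.compile(
    r"\w+ \d+ [\d:]+ (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")


def normalize_syslog(line):
    """Map a raw syslog line onto the common schema; unrecognized lines become noise."""
    m = SSH_RE.match(line)
    if m:
        host, outcome, user, src = m.groups()
        category = "auth_failure" if outcome == "Failed" else "auth_success"
        return Event(host, category, user, actor=src)
    fields = line.split()
    return Event(fields[3] if len(fields) > 3 else "?", "noise", line)


def normalize_trap(agent, name, value):
    """Map an SNMP-style trap onto the common schema; only linkDown is of interest here."""
    return Event(agent, "link_down" if name == "linkDown" else "noise", value)


def correlate(events, fail_threshold=3):
    """Aggregate per (source, actor) and apply two constructed policy rules."""
    failures = defaultdict(int)
    successes = set()
    link_downs = defaultdict(int)
    for e in events:
        if e.category == "auth_failure":
            failures[(e.source, e.actor)] += 1
        elif e.category == "auth_success":
            successes.add((e.source, e.actor))
        elif e.category == "link_down":
            link_downs[e.source] += 1
    alerts = []
    for (source, actor), n in failures.items():
        if n >= fail_threshold:
            # A burst of failures followed by a success is the higher-severity pattern.
            kind = "brute_force_then_success" if (source, actor) in successes else "repeated_auth_failure"
            alerts.append((kind, source, actor, n))
    for source, n in link_downs.items():
        alerts.append(("link_down", source, "", n))
    return alerts


def run_pipeline(lines=SYSLOG_LINES, traps=SNMP_TRAPS):
    """Normalize -> filter noise -> aggregate/correlate, returning the alert list."""
    events = [normalize_syslog(l) for l in lines] + [normalize_trap(*t) for t in traps]
    kept = [e for e in events if e.category != "noise"]
    return correlate(kept)
```

With the sample input the pipeline drops the cron line and the linkUp trap as noise and raises one authentication alert for fw1 plus one link-down alert per switch.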
Remediation via Cross Domain Solutions
• High Assurance Guard functionality that can validate data at entry/exit points in the system
  • Raytheon High-Speed Guard
  • Lockheed Martin Radiant Mercury
  • Northrop Grumman Information Support Server Environment (ISSE)
• Oracle Label Security (OLS) for row level database control
  • Oracle Data Vault cross domain product is built upon OLS
Cross-domain solutions are as unique as our customer set.
Cross-Domain Sharing Approaches
• Architectures Currently In Vogue
  • Multiple Single-Level (MSL)
  • Multi-Level Security (MLS)
  • Multiple Independent Levels of Security (MILS)
• Multiple Single-Level
  • Systems confined to multiple single-level domains
  • Systems remain relatively ‘dumb’ about security levels
  • Security controls enforced at the boundaries by Controlled Interfaces, a type of Cross Domain Solution (CDS)
• Multi-Level Security
  • The entire system inherently understands and enforces security requirements
  • Typically requires Trusted Operating Systems (e.g., SELinux, Solaris 10 Trusted Extensions, HP NetTop)
  • Very complicated, extremely limited vendor support
• Multiple Independent Levels of Security
  • Layered Architecture (Separation Kernel, middleware, applications)
  • Implements an Information Flow/Data Isolation Security Policy
MSL is still the only practical solution for most applications
Non-Traditional Approach: Technology, Services and Support
Offensive
• ACTIVE I/O – Persistent Agents, Social Network Analysis, Infrastructure Indep. Comms
• CYBER CI – Agent Networks (BOTS), Implants, Reverse Engineering
• COLLECT & EXPLOIT – Non-traditional Devices, Network Access/Redirect, Covert Delivery & Agents
• POLICY & ARCH – H/W Validation, F/W Validation, S/W Validation
Defensive
• ACTIVE ASSURANCE – Active Protection, Role-Based Access Control, Predictive Active Assurance
• INFORMATION SECURITY – Device Protection, Biometrics, Forensics
• POLICY & ARCH – Role Based Access, Vulnerability Analysis, Identity Management
• COLLECT & EXPLOIT – Virtual Networks
The Problem with Software
[Venn diagram: Actual Behavior vs. Intended Behavior]
• Intended functionality – where actual and intended behavior overlap
• Missing functionality (Bugs) – intended but not actual
• Unintended functionality (Bugs?) – actual but not intended
The unintentional functionality in information systems can be leveraged in unique ways to provide creative, bold and aggressive advantage
Vulnerability Research
• Discovering and exploiting flaws in software is the key to success in information operations
• Open source development has dramatically increased accessibility and collaboration
• A zero-day vulnerability is one that:
  • Vendor has no knowledge, so no patch exists
  • Target has no knowledge, so he can’t protect himself
  • Others in the community have no knowledge, so lifespan is prolonged
Active Vulnerability Research is key to discovery prior to adversary exploitation
Reverse Engineering
• The DoD is aggressively pursuing the development of software protection and anti-tamper technologies
  • The government requires assessment of these emergent technologies
  • Requires an ability to reverse engineer heavily armored software
• Forensic reverse engineering analysis of malicious code on a Quick Reaction Capability (QRC) turnaround is often desirable
  • Analysis to determine what the code has potentially compromised
  • Analysis to determine what the code is capable of doing
  • Determine attribution
• Reverse engineering analysis is required as the first step in any binary modification exercise
  • The government often requires covert functionality to be implemented in commercially available devices
Questions and Answers
• What questions can we answer for you?
• What have we forgotten to cover?
Full Life Cycle Coverage
Phases: Concept, Definition, Development, Integration, Operations
• Concept / Definition
  • Lead system architecture definition
  • Conduct trade studies
  • Develop SOW/SOR for security requirements and implications
  • Specify network security architecture
  • Determine appropriate security certification methods and processes
• Development
  • Define certifiable security architecture
  • Perform trade studies on security products
  • Evaluate interactions of security products with other system components
  • Develop custom tools where industry products are not available or do not meet requirements
  • Prepare security certification plans
• Integration
  • Install/configure/support security products
  • Evaluate security architecture
  • Implement security controls
  • Development of operational procedures
  • Lead Certification and Accreditation
• Operations
  • Periodic vulnerability analysis of security architecture
  • Install/config/support of security products
  • Continual research of emerging security threats and deterrents
  • Maintenance and obsolescence management of core security products
Our Information Security credentials span the entire life cycle spectrum.
IO Threat Environment
[Chart: HISTORICAL, CURRENT and PROJECTED columns]
• ACTOR – Nation States, Organized Crime, Industrial Hackers; Focused Nation States, Hackers, Industrial Espionage, Funded Terrorists; Hackers, Nation States, Coordinated Networks
• TARGET – Individuals, User Devices, Mobile & Wireless Applications (Laptops, Cell, VOIP, PDAs); Companies, Online Businesses (Switches, Routers, Firewalls); Networks
• MARKET – Physical Access Controls, Forced Password Changes, Firewalls, Encryption, Virus Scanners, Wired Communications, Identity Management, Single Sign-On, DCID 6/3 Compliance, Active Content Filtering, Session Encryption, Wired/Wireless Communications, Account Management, Pushed Updates, Remote Administration, SPAM Filtering, Open Website Access, Policy Adherence, Data at Rest Encryption, Remote Access Solutions, Situational Awareness / Monitoring, Access Points, ITAR Compliance / Architecture
• INFOSEC – the offensive (ACTIVE I/O, CYBER CI, COLLECT & EXPLOIT, POLICY & ARCH) and defensive (ACTIVE ASSURANCE, INFORMATION SECURITY, POLICY & ARCH, COLLECT & EXPLOIT) capability sets listed under the Non-Traditional Approach
DARPA contract (CHAIN deployment)
• $14 million DARPA base year contract
  • 4 option years
• Build the DARPA Secure Enterprise Network (DSEN)
  • Migrate legacy networks and data to the DSEN
  • Manage legacy assets prior to DSEN transition
  • Provide technology refresh and upgrades
  • Support business re-engineering for DSEN migration
• Address the “DARPA HARD” paradigm
  • Provide a low risk solution using an advanced technology approach
  • Integrate proven innovative solutions using “defense-in-depth” with COTS components
Proprietary Programs: Advanced DoD Technology – Protecting Critical Research
CHAIN PL3+ Network Capabilities
Key Features
• PKI authentication
• E-Mail
• File sharing
• Video transmission
• Voice conferencing
• White Boarding
• Chat (instant messaging)
• Provides secure knowledge management at all stages: creation, processing, storage, retrieval, and transmission
• COTS operating system, COTS hardware
Fully Integrated, Compartmentalized, Collaborative System
Raytheon High-Speed Guard
• Key Features
  • High data rates eliminate bottlenecks – 900Mb/sec on 1Gbit network
  • DCID 6/3 Accreditation – 140+ instances (NGA, Proprietary)
  • Flexible Data Validation Rules – allows O&M admins to maintain system
  • Supports file or message transfers
  • Supports socket or file-based transfers
• Selectable Features include
  • Digital Signature Validation
  • Virus scanning
  • Reliable Human Review Manager
• Guards are key components in securing Cross Domain solutions necessary for data sharing between security levels
Multiple Security Levels (MSL) Example
[Diagram: TS Enclave (MLS DB, TS Data, Secret Data) – Trusted Bi-directional Guard – Secret Enclave (Secret Data, “Other” Data, MLS DB, Trusted Server) – Trusted Guard – Unclass Enclave (“Unclass” Data)]
• MSL – Multiple Security Levels
• Fully segregated classification levels with specific interconnection points
• Trusted “Controlled Interface” device at interconnection points
• Implicit enforcement of Mandatory Access Control (MAC) policy
Multiple Level Security (MLS) Example
[Diagram: MLS Enclave (MLS DB, MLS Servers, Trusted Server) serving a TS Enclave (TS/SCI Data, Secret Data), an S Enclave (Secret Data) and an Other Enclave (“Other” Data)]
• MLS – Multi-Level Security
• Requires certified trusted computing base to enforce security policy and properly label all subjects and objects
• Simultaneously permits controlled limited access by users with different security clearances and needs to know
• Explicit enforcement of Mandatory Access Control (MAC) policy over all resources
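As an added example (not from the presentation or from any Raytheon product), the Mandatory Access Control dominance relation that both the MSL and MLS examples above rest on, together with a toy controlled-interface decision that applies it at an enclave boundary the way a guard's validation rules and human-review step would; the level names, the SCI compartment and the allowed-type rule are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed hierarchical levels; real systems use their own label encodings.
LEVELS = {"UNCLASS": 0, "SECRET": 1, "TS": 2}


@dataclass(frozen=True)
class Label:
    """A security label: hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # A dominates B when A's level is at least B's and A holds all of B's compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mls_can_read(subject, obj):
    """Simple security property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def mls_can_write(subject, obj):
    """*-property ("no write down"): the object must dominate the subject."""
    return obj.dominates(subject)


# Constructed guard validation rule: only these data types may cross the boundary.
ALLOWED_TYPES = {"text", "image"}


def guard_transfer(data_label, data_type, dest_label, human_reviewed=False):
    """Controlled-interface decision for moving data into the destination enclave.

    Returns (allowed, reason). An upward flow needs only dominance plus the
    validation rule; a downward flow (destination does not dominate the data) is a
    release decision, allowed here only when the human review step has approved it.
    """
    if data_type not in ALLOWED_TYPES:
        return False, "validation rule rejected type " + data_type
    if dest_label.dominates(data_label):
        return True, "dominance satisfied"
    if human_reviewed:
        return True, "release approved by human review"
    return False, "destination does not dominate data label"


def worked_cases():
    """The enclaves from the MSL/MLS diagrams, as constructed labels."""
    unclass = Label("UNCLASS")
    secret = Label("SECRET")
    ts = Label("TS")
    ts_sci = Label("TS", frozenset({"SCI"}))
    return {
        "secret_to_ts_sci": guard_transfer(secret, "text", ts_sci),
        "ts_sci_to_secret": guard_transfer(ts_sci, "text", secret),
        "ts_sci_to_secret_reviewed": guard_transfer(ts_sci, "text", secret, human_reviewed=True),
        "bad_type": guard_transfer(secret, "exe", ts_sci),
        "ts_reads_sci": mls_can_read(ts, ts_sci),                # False: missing compartment
        "secret_writes_ts": mls_can_write(secret, ts),           # True: writing up is allowed
        "secret_writes_unclass": mls_can_write(secret, unclass), # False: write down
    }
```

The same dominance check serves both architectures: in MSL it runs only inside the guard at the interconnection point, while in MLS the trusted computing base applies it to every subject/object access.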
Multiple Independent Levels of Security (MILS)
MILS is about:
• High Assurance (Evaluatable Systems Design)
• Safety (It does what it is supposed to do)
• Security (It does nothing else)
• Real Time (It meets its deadlines)
• Embedded (F/A-22, JTRS, I/O Chips…)
• Standards-based (Highly Independent)
• COTS (Multiple Vendors)
MILS Architecture
• Layered architecture (separation kernel, middleware, applications)
• Implements an Information Flow/Data Isolation Security Policy
• Leverages COTS vendor DO-178B RTOS and middleware products
MILS Program
Raytheon participates in the development of MILS through AFRL/IF sponsored SIRES and HAMES CRAD programs and participation in The Open Group Real-time Embedded Systems forum.
MILS GOAL: To create a COTS and standards-based infrastructure to enable end-to-end, secure data fusion on the GIG
Training: Our training curriculum is world-class.
[Chart: training by years of experience]
• 0-2 years – Vendor Bootcamps, Technical Training; SANS Security Essentials (Technical)
• 3-5 years – Principles of Systems Engineering; CISSP Certification
• 6-9 years – Security Conference Attendance; SANS Level 2 Specialization Track(s); ISSEP Certification
• 10+ years – Additional Certifications (Customer-driven); Security Conference (Speaker)
Raytheon’s Information Systems Security Engineering Process Raytheon ISSE Process supplements internal development processes and defines how Information Security Engineering achieves successful Certification and Accreditation.
Raytheon IA Reference Architecture Approach
• Raytheon Enterprise Architecture Process (REAP)
• DODAF 6-step Process
• Leverage existing work from NCOW-RM and GIG IA working group
Government Certification Experience
• Experienced with DCID 6/3, DITSCAP/DIACAP, and NIST 800-37 C&A methodologies
  • Team includes highly-trained specialists in DCID 6/3 concepts and requirements, including Appendix E
  • Support for DITSCAP/DIACAP and NIST 800-37 increasing
• Information Security “baked-in” from the beginning
• Security architecture design
  • MLS architecture experience on multiple programs
  • High performance, cross-security level communication components
  • Multi-level and cross-level security experience on multiple programs
• Implementation
  • Product configuration, installation, tuning, analysis, training
  • Vulnerability assessment
  • Custom software development
• Security documentation development
  • System Security Plan / System Security Accreditation Agreement
  • Security CONOPS
  • Certification and Accreditation Test Plans and Procedures
  • Security Administration Procedures and Configuration Management
Our track record for successfully certifying systems is 100%
Raytheon ISSE Past Performance
• Freedom - Proprietary
  • Within the last 24 months, 22 Certification packages received Full Authorization to Operate
  • DCID 6/3 PL2, PL3 and PL4 systems
• Mission Integration and Development
  • Integration of legacy infrastructure at different security levels into new architecture
  • DCID 6/3 PL 3 - Multi compartment SCI system
• Information Assurance Services (IAS) - NGA
  • Provide overarching Information Assurance Services for all National Geospatial Intelligence Agency operational sites
• Global Broadcast System (GBS)
  • DIACAP certification of entire system
• US Patent Trade Office
  • NIST 800-37 certification of Raytheon components
Raytheon Information Security delivers solutions for a variety of customers with success
Network Security Infrastructure
• A Successful IT Security infrastructure
  • Is championed by management
  • Is user friendly, cost effective, dependable, manageable, and flexible
  • Involves collaboration with various Lines of Business, organizations, partners, vendors, customers, and users
  • Leverages and integrates best of breed commercial products
Network Security Landscape
• Environment
  • IT systems are targeted by competitors, adversaries, crackers, and criminals, both externally and internally
  • We protect valuable assets (money and National Security Information)
  • Highly Government regulated (GLB Act, Sarbanes-Oxley Act, Computer Security Act, Computer Fraud and Abuse Act, Federal Acquisition Regulations, Electronic Communications Privacy Act, DoD regulations, Executive Orders, etc.)
  • We implement compliant security solutions (e.g., DCID 6/3, DITSCAP)
  • Heterogeneous interconnected system with various security levels
  • We implement global, WAN, LAN security solutions for diverse customers (national and foreign)
Network Security Landscape
• Environment (continued)
  • Technically complex (switches, routers, firewalls, VPNs, Anti Virus, mainframe, midrange, client-server, widely distributed networks, etc.)
  • Must integrate both legacy systems and new technologies
  • Subject to Public and Government accountability and scrutiny
  • Risk Management is a primary business function
  • Reputation is paramount
  • Secure massive amounts of data (images, documents, transactions, logs and reports)
  • 7 x 24 x 365 Operations
  • We implement redundant and high availability network devices, firewalls, and security applications to protect our assets.
  • We support foreign and domestic global, national, and regional operations centers
Network Security Landscape
• Implement secure methodologies, concepts, principles
  • Least Privilege
  • Defense in Depth
  • DMZs and Security Zones
  • Layered Security
  • Compartmentalization
  • Separation
  • Default Deny
• Use the same or similar “Best Practices”, standards, professional organizations
  • FIPS, NIST, GASSP, Common Criteria, BS/ISO 17799, SAS 70, COBIT
  • SEI, ISO, IETF, IEEE, NIST, ISC2, NIAP, SANS Institute, TruSecure, ISACA