370 likes | 634 Views
Cyber What is that - really ? A General Overview of our Cyber Prioritization Crisis. Information Assurance (IA) for Service-Oriented Architecture (SOA). October 6, 2009 SecureSD / C4ISR Cyber. Mike Davis for Information Systems Security Association, VP, ISSA, SD; and
E N D
Cyber What is that - really? A General Overview of our Cyber Prioritization Crisis Information Assurance (IA) for Service-Oriented Architecture (SOA) October 6, 2009 SecureSD / C4ISR Cyber Mike Davis for Information Systems Security Association, VP, ISSA, SD; and The Security Networks Technical Advisor, TSN Mike@sciap.org (my “day job” – Chief Systems Engineer (CSE) for large deck ships & shore sites - SPAWAR 5.0.2 / 5.2) Good for public release. No distribution statement needed.
What’s Wrong With This Security?What level of “cyber” protection is provided here? Capabilities that are “invisible” (IA/cyber, safety, reliability) - what you see is not the whole picture! Couldn’t get through the gates because they were completely locked. They were properly installed, configured and validated. I could not get through it. But.... So there seems to be gaps…
Summary Preview • There are MANY IA/cyber initiatives in the works • Follow the CNCI trail, that should prevail… • We still need cyber enterprise “R”equirements, just as we do now for IA and IO and C&A and …. • What is needed now, current issues, will exist in cyber • W/o an enterprise risk management approach, any / all paths will do… and we stay in the crisis of prioritization • We ALL need better collaboration – DOD on down • Users / platforms must drive cyber = KISS = commodity • YOU -Vendors / integrators must coalesce, drive the train Cyber = smarter IO & IA collaboration with ALL stakeholders in COMMON ways..
Setting the “Cyber” Stage • Feb 2008 – Pakistan’s routing mis-configuration denies YouTube access for 2 hours showing routing vulnerability • Aug 2008 – Major vulnerability discovered in DNS • Nov 2008 – Conficker botnet affects as many as 12 million computers worldwide (and still out there) • Symantec reports 15,000 new types of malware daily • Gartner estimates 3.6M victims lost $3.2B in the U.S. in 2007 due to phishing attacks • Consumer Reports estimates U.S. consumers lost $8.5B and replaced 2.1M computers because of viruses, spyware, etc. between 2006 and 2008 • And Many, many, many more ….. Cyber crime revenues are now equal to all illegal drug trade From Homeland Security brief
Cyber = A National Security Issue Ubiquitous Presence… Salient Danger… • 1.5 billion people on the Internet; much of Asia and Africa still to come (using wireless, which is cheaper to install) • Upwards of 200B e-mails per day • Critical to commerce, government, business processes, safety, etc. • Exponential demand; 8 hours of YouTube uploaded every minute • Increasing connections; global wireless and cellular usage • Volumetric rise in data everywhere, with no enterprise data security and tracking approach (Internet = database) • Cyberspace intrusions and attacks are a real and emerging threat • U.S. faces a dangerous mixture of vulnerabilities and adversaries • Cyberspace situational awareness is not mature (and not at all levels) • PEOPLE, Informationand theC4ISR infrastructureare targets • Exploitation, disruption, exfiltration, misinformation or destruction are adversary goals (& bragging rights) • Maliciouscyberspaceactivityisincreasingin regularity and severity “Attacks on Critical Infrastructure could significantly disrupt the functioning of government and business alikeandproduce cascading effects far beyond the targeted sectorand physical location of the incident.” -- 2007 National Infrastructure Protection Plan (Source: derived from JS Cyber 101 brief)
What is “Cyber”? “A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.“ -- DoD Definition of Cyberspace Cyber space operations = employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the GIG “The military strategic goal is to ensure US military strategic superiority in cyberspace.” -- National Military Strategy for Cyberspace Operations It could mean just about anything…. But mostly a balanced IO/CNO & IA/CND portfolio
DoD GIG (JTF-GNO) Navy GIG (NCDOC) WAN (Enclave) LAN (POP/HUB) Secure Locally – Defend Globally HOST DoD CND (and “Cyber”) Defense in Depth The “smart” integration and collaboration between MANY needed IO & IA functions CND SP - Incident Response / Management - Prometheus - Threat Analysis - Compliance Scans - IAVM Management IDS PKI Firewalls NUDOP IAP Monitoring Standard IP Blocks DNS Blackholes Incident Handling Incident Response PROMETHEUS ACLs NET Cool / INMS View Threat Analysis PKI Site Compliance Scans NMCI NIPRNET IDS Feeds Email AV IAVM Implementation TRICKLER / CENTAUR SIPRNET Firewall PPS Policy Threat Assessment Alert Filtering GIAP Vulnerability Scanning CND Data Strategy Metrics PKI System Patching NET Cool View CDS IP Sonar DITSCAP/DIACAP NET Cool Data ACLs Tutelage Vulnerability Remediation In-Line Filtering Standard IP Block Lists Global CND UDOP IPS CENTRIXS Monitoring Firewalls Email AV In-Line Virus Scanning Multi-Layer Protocol Defense • CONOPS • RNOSC • HBSS • SCCVI-SCRI LOCAL ENCLAVE DITSCAP/DIACAP DNS Blackholing DRRS-N CARS IASM In-Line Filtering Vulnerability Remediation IAVM Compliance Content Filtering ENMS Deep Packet Inspection Anti-virus Tier 3 SIM PKI CARS WIDS IAVM Compliance CND POR Honey Grid TMAT IWCE Wireless Mapping WAN SA HBSS CAC/PKI Deep Packet Inspection SLIDR SCCVI-SCRI Enterprise DMZ WIDS Functional NIC NET Cool Data Navy DMZ DAPE Standardized Configurations DAR POR Management Enclave DMZ TIER III TIER II TIER I Insider Threat NMCI SIPRNET IDS Feeds TMAT SIPR NAC Cyber = “mostly” Life-cycle education and proactive, dynamic defense…. (From NCDOC briefs)
HBSS Deployment • Content Filtering • Joint Data Strategy • NMIMC Integration • SLIDR Pilot • Insider Threat Tool Pilot • OCRS / IAVA Spiral Threat New/Custom Trojans Spear Phishing Stolen Credentials Zero Day Exploits Soft Cert Searches Web Based Attacks Social Engineering • Tactical Sensor Pilot • HBSS Pilot • SCCVI/SCRI • Enhanced Collaboration • IDS to IPS Transition • Tactical Sensor Pilot • HBSS Pilot • SCCVI/SCRI • Enhanced Collaboration • IDS to IPS Transition Compromised Password Files Threat Known Trojans and Malware • CARS initiative • Mobius to Prometheus • Cyber Tactical Teams • Enhanced Compliance • LE/CI integration • Threat Analysis • Process Improvements • CARS initiative • Mobius to Prometheus • Cyber Tactical Teams • Enhanced Compliance • LE/CI integration • Threat Analysis • Process Improvements • CARS initiative • Mobius to Prometheus • Cyber Tactical Teams • Enhanced Compliance • LE/CI integration • Threat Analysis • Process Improvements Commonly Known Vulnerabilities Indiscriminant Recon Insider Threat • CCZ • NIOSC Construct • Tactical IDS placement • DNS Blackhole • IP Block Initiative • CAC/PKI • Network Forensics • Malware Analysis • Signature Development • CCZ • NIOSC Construct • Tactical IDS placement • DNS Blackhole • IP Block Initiative • CAC/PKI • Network Forensics • Malware Analysis • Signature Development • CCZ • NIOSC Construct • Tactical IDS placement • DNS Blackhole • IP Block Initiative • CAC/PKI • Network Forensics • Malware Analysis • Signature Development • CCZ • NIOSC Construct • Tactical IDS placement • DNS Blackhole • IP Block Initiative • CAC/PKI • Network Forensics • Malware Analysis • Signature Development • Mobius Project • Trends Analysis • Online Surveys • Mobius Project • Trends Analysis • Online Surveys • Mobius Project • Trends Analysis • Online Surveys • Mobius Project • Trends Analysis • Online Surveys • Mobius Project • Trends Analysis • Online Surveys • IDS Monitoring • Incident Handling • IAVM • IDS Monitoring • Incident Handling • IAVM • IDS Monitoring • Incident Handling • IAVM • IDS Monitoring • Incident Handling • IAVM • IDS Monitoring • Incident Handling • IAVM Integration of Cyber Security and Defense Where, lack of “IA CM” is pervasive and undermines it all Capabilities 2003 / 2004 2005 2006 2007 2008 Synchronized “cyber” capabilities to narrow the Threat Vectors (From NCDOC briefs)
President's Cyber Plan 1 - Ensure accountability in federal agencies, cyber security will be designated as a key management priority. 2 - Work with ALL the key players, including state and local governments and the private sector. 3 - Strengthen the public-private partnerships. 4 - Continue to invest in the cutting-edge research and development necessary for the innovation and discovery. 5 - Begin a national campaign to promote cyber security awareness and digital literacy. Common themes – stresses education and proactive/dynamic defense
What makes Cyber different? Given Cyber = “virtual” warfare, somewhat different from the kinetic / physical environment we all know well -- Includes ALL Offensive and Defensive IT/IO/IA capabilities and DOTMPLF, ALL aggregated somehow -- Essentially a select critical technical combination of IO/CNO and IA/CND + more integration stuff -- A different virtual ROE than Kinetic – sometimes reversed, legally constrained (and what is “an act of War?”) -- Shared vulnerabilities mandate a proactive, dynamic defensive posture – a “mission kill” is one e-mail away -- Thus a crisis of prioritization, where everything is urgent, mandatory… and the many CoC lines are blurred Many high-level cyber definitions and approaches abound FEW “definitive” enterprise top down action plans, yet
Cyberspace Characteristics • What’s different? • Man-made domain… complex and insecure by design • Global stakeholders — public, private and government • Speed of both action and change – zero separation • Transcends physical, organizational and geopolitical boundaries – highly sensitive to political/legal influence • Anonymity – identity/intent of players not always clear Global reach & impact RoE / CONOPS Kinetic = virtual “NO” boundaries Legal aspects rule No clear Cyber IFF! AND sensors everywhere, ISR/METOC, SPACE, Networks, ETC, Etc, etc! (Source: derived from JS Cyber 101 brief)
Cyberspace Characteristics In relation to other mission areas… All of the warfighting domains intersect… C2 IA … cyberspace is a blend of exclusive and inclusive ties The “Venn connections / COIs” are extensive Cyberspace Domain is contained within and transcends the others Numerous dynamic “COIs” dominate relationships Adding complexity and causing “cross domain” data sharing effects (Source: derived from JS Cyber 101 brief)
NSPD-54/HSPD-23: CNCI ‘12 Initiatives’ Many are still being finessed, and all need prioritized Establish a front line of defense Trusted Internet Connections Deploy Passive Sensors Across Federal Systems Pursue Deployment of IntrusionPrevention Systems Coordinate and Redirect R&D Efforts Focus Area 1 Resolve to secure cyberspace / set conditions for long-term success Connect Current Centers to Enhance Situational Awareness Develop Gov’t-wide Counterintelligence Plan for Cyberspace Increase Security of the Classified Networks ExpandEducation Focus Area 2 Shape future environment / secure U.S. advantage / address new threats Define and Develop Enduring Lead Ahead Technologies, Strategies & Programs Define and Develop Enduring Deterrence Strategies & Programs Manage Global Supply Chain Risk Define Federal Role for Cybersecurity in Critical Infrastructure Domains Focus Area 3 “THESE” are the key long-term GIG business opportunity areas! (Source: derived from JS Cyber 101 brief)
Cyber Prioritization CrisisOur paper in socialization– highlights are: -- Cyber is fundamentally enacting a prioritized and balanced approach between existing IO/CNO (aka offense) and IA/CND (aka defense) capabilities, -- with diminishing resources, while also addressing dynamic and emerging threats through targeted R&D/S&T initiatives to fill gaps of the cyber vision. -- The RoE, CONOPS, relationships required are NOT the same as existing kinetic processes, and can be reversed! -- Political / legal aspects of cyber will impede us all! -- CoC needs an effective situational awareness (SA) capability for "cyber" to enhance our decision superiority
Cyber Prioritization CrisisPaper in socialization– intended for technical discussions Cyber technical foundations (what matters): 1 - Enterprise risk management process 2 - Fix/update/simplify what we have (and IA CM too!) 3 - NO clear IA/security/cyber vision 4 - Supply chain security issues – intractable? 5 - No enterprise SOA / automated IA approach 6 - Enforce a common data strategy, security aspect
Leadership Summary / Recap / Results(Cyber Security Collaboration Summit – SD – Nov 08) • Common vision / end state / master plan • Governance & more governance • Specified requirements and then some • Prescriptive implementation guidance required • What’s “good enough” IA/Security? • Pedigree approach– simplify V&V / C&A (build it in in) • What is the IA business basis / ROI? • What is the future risk environment? • Training at all levels, especially user and SW development • Standard architectures / standards / profiles (and a Trust Model!!!) • SOA security is vague - at best… WE must collectively quantify & prioritize these for leadership actions
Representative Navy Operator IA issues • IA Master Plan; Architecture vision; clear IA goals • IA Governance Structure / Consistent Policies • Workforce Quals / Certs / Training • "Improve Speed to Capability” - Implementing newer technologies.. HBSS, DAR, etc…. • IA Approach, Strategy consistent with SYSCOMs and DoD • IA Policy/Architecture “implementation” guidance • Enterprise Access Control - "Trust Model" • Certification & Accreditation - Aggregation of systems • Supply Chain Security / Defense in Breadth • Sustain current IA and CND posture to ensure readiness Calling things “cyber” will not change the current IA and IO issues These are still the activities that are needed for protecting the GIG
Recent IT/Cyber Leadership perspectives A - Political / legal cyber approach Cyber offense must be strictly monitored controlled, due to potential escalation & state department implications & countries suing each other B - Navy IT FLAG/SES Feb 09 meeting results / paper: -- Greater accountability, completer visibility, net-centric concepts need to be revisited, can't protect all networks - ensure the C2 / enterprise -- Need better situational awareness, discipline in development and acquisition, TTPs... And training... -- focus more resources on defensive posture and key critical actions (aka - have a risk management approach), closer collaboration… -- Senior Cyber Advisor’s major conclusions :Stricter CM & SA / inspect traffic Issues / suggestions are similar to others , but collectivelyact WE must!
Hard “IA/Cyber” Problems List (HPL) • Original Version • Composed in 1997-98 based on several government sponsored workshops; Published in 1999 • Topics • 1. Intrusion and Misuse Detection • 2. Intrusion and Misuse Response • 3. Security of Foreign and Mobile Code • 4. Controlled Sharing of Sensitive Information • 5. Application Security • 6. Denial of Service • 7. Communications Security • 8. Security Management Infrastructure • 9. Information Security for Mobile Warfare • A. Secure System Composition • B. High Assurance Development • C. Metrics for Security Areas of opportunities in Cyber… From Homeland Security brief
Global Scale Identity Management Scalable Trustworthy Systems Survivability of Time-Critical Systems Situational Understanding and Attack Attribution Combating Insider Threats Data Provenance Privacy-Aware Security Enterprise Level Metrics Coping with Malware and Botnets Usability and Security System Evaluation Lifecycle Network recovery and reconstitution Cyber Security economic modeling Finance Sector R&D Agenda Modeling of Internet Attacks - critical infrastructure Process Control System (PCS) security Software Quality Assurance Areas of Potential “IA/Cyber” Research Other areas of opportunities in Cyber… From Homeland Security brief
Federal Plan for Cyber Security and Information Assurance (CSIA) R&D • Overarching categories • Functional Cyber Security Needs • Needs for Securing the Infrastructure • Cyber Security Assessment and • Characterization • Foundations for Cyber Security • Domain-Specific Security Needs • Enabling Technologies for Cyber Security and Information Assurance R&D • Advanced and Next-Generation Systems and Architecture for Cyber Security • Social Dimensions of Cyber Security More areas of opportunities in Cyber… From Homeland Security brief
What can we expect to help us? • NSA / GIAP with CNCI = better IA stuff • Support for “data/content centric security – DCS” • Leaders get it, but we need translate geek speak • ESM / PvM helps automated systems, reporting • COTS IA – commercial suite “B” encryption • Going beyond boundary protection approach • Effective trust binding between data, layers and domains • Eventually an IA vision -> enterprise architecture • Easier to build IA in through a top-down structure / standards
Where you can assist • New technologies, methods, processes (CNCI!) • Not so niche areas of general systems engineering, integration, “rapid COTS / GOTS insertion,” etc • Collaboration with other innovative companies • Partner with other security groups, IA/cyber entities • Cyber “packages” needed, not un-integrated SW • Follow issues / concerns – they will not go away • Think tank, study, and discovery support efforts • Top down risk management, prioritization approach!
Summary • There are MANY IA/cyber initiatives in the works • Follow the CNCI trail, that should prevail… • We still need cyber enterprise “R”equirements, just as we do now for IA and IO and C&A and …. • What is needed now, current issues, will exist in cyber • W/o an enterprise risk management approach, any / all paths will do… and we stay in the crisis of prioritization • We ALL need better collaboration – DOD on down • Users / platforms must drive cyber = KISS = commodity • YOU -Vendors / integrators must coalesce, drive the train Remember the “P6” principle… That’s our story – what’s yours? “easy” button Mike@sciap.org “easy” button
What isInformation Assurance (IA)? “Measures that Protect and Defend Information and Information Systems by Ensuring TheirAvailability, Integrity, Authentication, Confidentiality, and Non-Repudiation. This Includes Providing for Restoration of Information Systems by IncorporatingProtection, Detection, and ReactionCapabilities.” Confidentiality • Assurance that Information is Not Disclosed to Unauthorized Entities or Processes Integrity • Quality of Information System Reflecting Logical Correctness and Reliability of Operating System INFOSEC Availability • Timely, Reliable Access to Data and Information Services for Authorized Users Information Assurance Authentication • Security Measure Designed to Establish Validity of Transmission, Message, or Originator Non-Repudiation • Assurance Sender of Data is Provided with Proof of Delivery and Recipient with Proof of Sender’s Identity WHAT parts belong where – wrt our collective enterprise cyber model? 26
Cyber “Protections” Overview (or why “IA/IO/Cyber” is so complex / hard… because it is ALL of this and more!) " CYBER" PKI/CAC ID Mgmt “CIO” FISMA Operations IAMs “IO” and CNO Defend Attack Exploit CND CA Support C&A IA CMI/KMI Policy Training IA Services Multiple players Multiple PEs/Lines Multiple threats Multiple PMW/S/As Typical IA Acquisition elements Enterprise Risk Mgmt. Requirements NETOPS Strategy AND Governance critical to “implementation” success!
Cyber – Spans Warfare and Business Mission Areas Net-centric operations as well as the emerging new joint capabilities and integration development process is where the DoD is headed in the “Business of Warfighting” Cyberspace Cyber must effectively integrate Business and Warfighter Mission Areas Where GOVERANCE (or lack of it), still rules… Source: Secretary of State Hillary Clinton Statement, January 21 2009 Source: SSC Atlantic Cyber Strategy (Source: notional – partially derived from industry partner brief)
IA / Cyber must be E2E! WE have a “natural” hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many to many communications paths typically involved in end-to-end (E2E) transactions AND, People and processes TOO! Apps System / services HW/SW/FM “CCE” Network SoS Enclave Site Enterprise Each sub-aggregation is responsible for the IA controls within their boundaries and also inherit the controls of their environment – need to formalize reciprocity therein! Thus, the IA/cyber controls and interfaces in each element / boundary must be quantified / agreed to upfront!
An “Overall” Enterprise Picture(what are the minimal elements, who “owns” them, & how do they get integrated?) “SOA Security” needs to account for more than “just” SOA! Apps & COIs SOA/ESB/Services Business processes There is more to the enterprise IA/C&A picture than “just” CCE, SOA and Apps, which are hard enough to integrate CCE Dynamic Access Control ITIL/ITSM SLA execution Data security strategy / ownership Hardware / Software Assurance Data privacy protection and Auditable anonymity IA/Security strategy must consider the whole enterprise trust model! 30
What’s a “simple” IA/Cyber end-state / vision look like? What are the “Requirements” An end-state stresses encapsulation through a virtualized fabric
So what really matters in IA/Cyber E2E?A notional Quality of Protection (QoP) Hierarchy(Wrt our defense in “breadth” position paper – but what REALLY matters?) “DATAQoP” (C-I-A and N & A) Complex… Dynamic… Settings IA&A and CBE / DCS (distributed / transitive trust model … E2E data-centric security and protections) Core / Security Services ( WS* and other security policy / protocols / standards (including versions & extensions therein) Standards IA devices network protection – CND – FW / IDS / VPN / etc (in general, mature capabilities – but multiple unclear “CM” processes are persistent and problematic) Known… Static… IO … and ... IA A&E / Policy CNO/E/A, “I&W”, OPSEC, etc Crypto, KMI, TSM/HAP, policy, etc Mainly: IA standards, IA&A, CBE/DCS and digital policy!
GIG IA Protection Strategy Evolution Transactional “Enterprise IA” Protection Model Required level of Information Protection “Specified” for each Transaction Static “Perimeter” Protection Model Common level of Information Protection provided by System High Environment "Need to SHARE" and Distributed / transitive trust models • Common User Trust Level (Clearances) across sys-high environment • User Trust Level sufficient across Transaction/COI – varies for enterprise • Privilege assigned to user/device based on operational role and can be changed • Privilege gained by access to environment and rudimentary roles Today Future • Information “authority” determines required level of end-to-end protection (QoP) required to access information – translates to a set of IT/IA/“Comms” Standard that must be met for the Transaction to occur • Information “authority” determines required level of protection (QoP) for the most sensitive information in the sys-high environment – high water mark determines IT/IA/“Comms” Standards for all information • Manual Review to Release Information Classified at Less than Sys-high • Manual Analysis and Procedures determine allowed interconnects • Automated mechanisms allow information to be Shared (“Released”) when users/devices have proper privilege and Transaction can meet QoP requirements We will be loosely connected, sharing information – and protected?
The Big Picture: XML Family of Specifications "LOTS" of standards and Specs to coordinate
IA / C&A Building blocks • …. The desired end-state is in general one of a transformed single C&A process that accommodates all C&A needs and activities (re: T&E / V&V) • End-state needs to integrate and accommodate several major perspectives / initiatives: • (1) aggregation into some number of larger systems of systems (SoS) and enclaves / platforms, • (2) platform IT (PIT), • (3) the federal C&A transformation effort (bringing together DOD, IC and federal agencies), and • (4) the new NNWC C&A process (for the Navy aspect). • Develop a "security container" of sorts emulating the "CC" process (see http://www.niap-ccevs.org/cc-scheme/ ) that IA devices go through –establishes the same format / needs • Natural to have a limited and controlled set of IA building blocks for a FEW main classes: • IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc) • IA enabled capabilities (OS, web browsers, messaging systems, screening routers, etc )(and we submit the IA/WSS standards need to go here too… prescribe a limited set of IA “profiles” with defined standards / protocols!) • Services and Applications ( we think we can define a standard "security container" for each, ideally a “class” - maybe a couple are needed for SOA/Services – we postulate the earlier three C&A types would work well) ) • Critical IA capability devices (any key IT capabilities, we may have missed and want to specifically consider) • PIT Platform IT variants (there should be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HM&E, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc) • Remainder of NIST 95 descriptions: Intelligence activities; Cyrptologic activities; command and control; weapons and their systems; systems for "direct military / intelligence" missions; and classified systems... Any “special cases” defined • AND/OR consider the remainder of 8500.2 categories: AIS application; enclaves; outsourced IT; PIT interconnection (where Platform IT refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems, such as weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the R&D of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems) Just as “IT” must transition to a “commodity” approach, so must Cyber security!