Cyber

What is that - really?

A General Overview of our
Cyber Prioritization Crisis

Information Assurance (IA) for Service-

October 26, 2009
Oriented Architecture (SOA)
NDIA
Mike Davis
for
Information Systems Security Association,
VP, ISSA, SD;
and
The Security Networks
Technical Advisor, TSN
Mike@sciap.org

(my “day job” – Chief Systems Engineer (CSE) for large deck ships & shore sites - SPAWAR HQ 5.0.2 / 5.2)

1
1
1 Good for public release.
 What’s Wrong With This “Security”?
What level of “cyber” protection is provided here?

Capabilities that are “invisible” (IA/cyber, safety, reliability) - what you see is not the whole picture!
Gates were completely locked, properly installed, configured and validated.
I could not get through them, but it seems there are “cyber” issues!
2
2
2
 Presentation Value Proposition
• Today’s presentation
– Independent view, accommodates commercial and government
– Technical / capability aspects versus organizational / political
– Covers a wide range of assessments and perspectives
– Presents actions based on several IA/cyber papers and efforts

• All questions addressed, initial perspectives answered

– “easy button” -> mike@sciap.org
– In IA/CND/Cyber – little is new, leverage what exists!!!

• Bottom line:
– What really matters in ‘cyber” is essentially the same as what ails
us today in effectively correlating IO/CNO and IA/CND “protections”

Warning…. This is an engineer’s perspective, so it’s overly busy and all power
point rules are violated! Don’t try to absorb it, but get a “sense” of it all…;-))
3
3
3
 Summary Preview

• There are MANY IA/cyber initiatives in the works

– Follow the CNCI trail, that approach should prevail…

• We still need cyber enterprise “R”equirements, just

as we do now for IA and IO and C&A and ….
– What is needed now, current issues, will exist in cyber
– W/o an enterprise risk management approach, any / all
paths will do… and we stay in the crisis of prioritization

• We ALL need better collaboration – DOD on down

– Users / leaders must drive cyber = KISS = commodity
– YOU - drive the train -Vendors / integrators must coalesce!

Cyber = smarter IO & IA collaboration with ALL stakeholders in COMMON ways..

4
4
4
 What is “Cyber”?
“A global domain within the information environment consisting of
the interdependent network of information technology
infrastructures, including the Internet, telecommunications
networks, computer systems, and embedded processors and
controllers.“
-- DoD Definition of Cyberspace

Cyber space operations = employment of cyber capabilities where

the primary purpose is to achieve military objectives or effects in
or through cyberspace. Such operations include computer
network operations and activities to operate and defend the GIG

“The military strategic goal is to ensure US military strategic

superiority in cyberspace.”
-- National Military Strategy for Cyberspace Operations

It could mean just about anything….

But mostly a balanced IO/CNO & IA/CND portfolio
5
5
5
 Setting the “Cyber” Stage

• Feb 2008 – Pakistan’s routing mis-configuration denies

YouTube access for 2 hours showing routing vulnerability
• Aug 2008 – Major vulnerability discovered in DNS
• Nov 2008 – Conficker botnet affects as many as 12 million
computers worldwide (and still out there)
• Symantec reports 15,000 new types of malware daily
• Gartner estimates 3.6M victims lost $3.2B in the U.S. in
2007 due to phishing attacks
• Consumer Reports estimates U.S. consumers lost $8.5B
and replaced 2.1M computers because of viruses, spyware,
etc. between 2006 and 2008
• And Many, many, many more …..
Cyber crime revenues (from YOU!)
are now roughly equal to all illegal drug trade!!!
6
From Homeland Security brief
6
6
 Cyber = A National Security Issue
Ubiquitous Presence…
• 1.5 billion people on the Internet;
much of Asia and Africa still to come
(using wireless, which is cheaper to install)
• Upwards of 200B e-mails per day
• Critical to commerce, government,
business processes, safety, etc.
• Exponential demand; 8 hours of
YouTube uploaded every minute
• Increasing connections; global
wireless and cellular usage
• Volumetric rise in data everywhere,
with no enterprise data security and
tracking approach (Internet = database)
Salient Danger…
• Cyberspace intrusions and attacks
are a real and emerging threat
• U.S. faces a dangerous mixture of
vulnerabilities and adversaries
• Cyberspace situational awareness is
not mature (and not at all levels)
• PEOPLE, Information and the
C4ISR infrastructure are targets
• Exploitation, disruption, exfiltration,
misinformation or destruction are
adversary goals (& bragging rights)
• Malicious cyberspace activity is
increasing in regularity and severity

“Attacks on Critical Infrastructure could significantly disrupt the

functioning of government and business alike and produce cascading
effects far beyond the targeted sector and physical location of the incident.”
-- 2007 National Infrastructure Protection Plan
7
7
7 (Source: derived from JS Cyber 101 brief)
 Cyberspace Characteristics
• What’s the big deal?
– Man-made domain… complex and insecure by design
– Global stakeholders — public, private and government
– Speed of both action and change – zero separation
– Transcends physical, organizational and geopolitical
boundaries – highly sensitive to political/legal influence
– Anonymity – identity/intent of players not always clear

Global reach
RoE / CONOPS & impact
Kinetic = virtual
AND sensors
“NO” boundaries everywhere,
ISR/METOC,
SPACE,
Legal aspects rule Networks,
ETC, Etc, etc!
No clear Cyber IFF!
8
8
8 (Source: derived from JS Cyber 101 brief)
 What makes Cyber different?
Given Cyber = “virtual” warfare, somewhat different from
the kinetic / physical environment we all know well
-- Includes ALL Offensive and Defensive IT/IO/IA
capabilities and DOTMPLF, ALL aggregated somehow
-- Essentially a select critical technical combination of
IO/CNO and IA/CND + more integration stuff
-- A different virtual ROE than Kinetic – sometimes
reversed, legally constrained (and what is “an act of War?”)
-- Shared vulnerabilities mandate a proactive, dynamic
defensive posture – a “mission kill” is one e-mail away
-- Thus a crisis of prioritization, where everything is
urgent, mandatory… and the many CoC lines are blurred
Many high-level cyber definitions and approaches abound
Yet FEW “definitive” enterprise top down action plans
9
9
9
 DoD CND (and “Cyber”) Defense in Depth
The “smart” integration and collaboration
CND SP
CND SP
- Incident Response /
between MANY needed IO & IA functions
Management
- Incident Response /
Management IDS PKI
- Prometheus IDS PKI
- Prometheus
- Threat Analysis
- Threat Analysis NUDOP Firewalls
- Compliance Scans NUDOP Firewalls IAP Monitoring
- Compliance Scans IAP Monitoring
- IAVM Management
- IAVM Management Standard IP Blocks
DNS Blackholes Operational
DNS Blackholes Standard IP Blocks Incident Handling
Incident Response Incident Handling Operational
Incident Response
PROMETHEUS ACLs NET Cool / INMS View
PROMETHEUS ACLs NET Cool / INMS View
Site Compliance Scans PKI Threat Analysis Funded and
Site Compliance Scans PKI Threat Analysis Funded and
NMCI NIPRNET IDS Feeds Rolling Out
Email AV IAVM Implementation NMCI NIPRNET IDS Feeds Rolling Out
Email AV IAVM Implementation TRICKLER /
SIPRNET Firewall PPS Policy TRICKLER
CENTAUR / Proposed or In
ly
Threat Assessment Alert Filtering SIPRNET Firewall PPS Policy CENTAUR Proposed or In
Threat Assessment Alert Filtering Vulnerability Scanning
PKI System Patching Vulnerability Scanning Metrics
ba l
CND Data Strategy
CND Data Strategy
GIAP
GIAP Development
Development
PKI System Patching
DITSCAP/DIACAP
DITSCAP/DIACAP
NET Cool View
NET Cool View
Metrics

Gl
CDSo
CDS NET Cool Data
IP Sonar
IP Sonar
ACLs
ACLs Vulnerability
Vulnerability
Remediation
e nd In-Line Filtering
In-Line Filtering
NET Cool Data Tutelage
Tutelage

ef
Standard IP Block Lists IPS Remediation Global CND UDOP
Standard IP Block Lists IPS CENTRIXS Monitoring Global CND UDOP
Firewalls
Firewalls
Email AV
Email AV
– D
In-Line Virus Scanning
In-Line Virus Scanning
CENTRIXS Monitoring
CONOPS
Multi-Layer Protocol
Multi-Layer Protocol
ly
LOCAL ENCLAVE

DITSCAP/DIACAP DNS Blackholing CONOPS Defense

DITSCAP/DIACAP DNS Blackholing
al CARS IASM DRRS-N • RNOSC
• RNOSC
Defense

oc
CARS IASM DRRS-N
IAVM Vulnerability Remediation • HBSS In-Line Filtering
Content Filtering • HBSS In-Line Filtering
IAVM
Compliance
Compliance
e L
Vulnerability Remediation Content Filtering
ENMS •
•
SCCVI-
SCCVI-
Anti-virus
Anti-virus
c ur
PKI
PKI
CARS
CARS
Tier 3 SIM
Tier 3 SIM WIDS
ENMS SCRI
SCRI
Deep Packet Inspection
Deep Packet Inspection

Se
IAVM Compliance TMAT WIDS CND POR Honey Grid
IAVM Compliance IWCE CND POR Honey Grid
TMAT IWCE
HBSS CAC/PKI Wireless Mapping WAN SA
HBSS CAC/PKI Wireless Mapping SLIDR WAN SA Deep Packet Inspection
SLIDR Deep Packet Inspection
SCCVI-SCRI WIDS Enterprise
SCCVI-SCRI WIDS NET Cool Data Functional NIC Enterprise
NET Cool Data Navy DMZ Functional NIC DMZ
Standardized Configurations Navy DMZ DMZ DAPE
Standardized Configurations DAPE
DAR POR Management Enclave DMZ
Insider Threat DAR POR Management Enclave DMZ NMCI SIPRNET IDS Feeds
Insider Threat NMCI SIPRNET IDS Feeds
TMAT TIER III TIER II TIER I
SIPR NAC TMAT
SIPR NAC HOST LAN (POP/HUB) WAN (Enclave) Navy GIG (NCDOC) DoD GIG (JTF-GNO)
HOST LAN (POP/HUB) WAN (Enclave) Navy GIG (NCDOC) DoD GIG (JTF-GNO)

Cyber
Cyber==“mostly”
“mostly”Life-cycle
Life-cycleeducation
educationand
andproactive,
proactive,dynamic
dynamicdefense….
defense….
10
10
(From NCDOC briefs)
10
 Integration of Cyber Security and Defense
Where, lack of “IA
Threat New/Custom Trojans CM” is pervasive and
• HBSS Deployment
• Content Filtering
Stolen Credentials Spear Phishing undermines it all • Joint Data Strategy
Zero Day Exploits • NMIMC Integration
Soft Cert Searches • SLIDR Pilot
Web Based Attacks • Insider Threat Tool Pilot
Social Engineering • OCRS / IAVA Spiral
• Tactical Sensor Pilot • Tactical Sensor Pilot
Compromised Password Files • HBSS Pilot • HBSS Pilot
• SCCVI/SCRI • SCCVI/SCRI
Capabilities

Known Trojans and Malware t

r ea
Commonly Known Th
Vulnerabilities
Indiscriminant Recon
Insider Threat
• CCZ
• NIOSC Construct
• Tactical IDS placement
• DNS Blackhole
• IP Block Initiative
• CAC/PKI
• Network Forensics
• Malware Analysis
• Signature Development
• Mobius Project • Mobius Project
• Trends Analysis • Trends Analysis
• Online Surveys • Online Surveys
• IDS Monitoring • IDS Monitoring
• Incident Handling • Incident Handling
• IAVM • IAVM
• Enhanced Collaboration
• IDS to IPS Transition
• Enhanced Collaboration
• IDS to IPS Transition
• CARS initiative • CARS initiative • CARS initiative
• Mobius to Prometheus • Mobius to Prometheus • Mobius to Prometheus
• Cyber Tactical Teams • Cyber Tactical Teams • Cyber Tactical Teams
• Enhanced Compliance • Enhanced Compliance • Enhanced Compliance
• LE/CI integration • LE/CI integration • LE/CI integration
• Threat Analysis • Threat Analysis • Threat Analysis
• Process Improvements • Process Improvements • Process Improvements
• CCZ • CCZ • CCZ
• NIOSC Construct • NIOSC Construct • NIOSC Construct
• Tactical IDS placement • Tactical IDS placement • Tactical IDS placement
• DNS Blackhole • DNS Blackhole • DNS Blackhole
• IP Block Initiative • IP Block Initiative • IP Block Initiative
• CAC/PKI • CAC/PKI • CAC/PKI
• Network Forensics • Network Forensics • Network Forensics
• Malware Analysis • Malware Analysis • Malware Analysis
• Signature Development • Signature Development • Signature Development
• Mobius Project • Mobius Project • Mobius Project
• Trends Analysis • Trends Analysis • Trends Analysis
• Online Surveys • Online Surveys • Online Surveys
• IDS Monitoring • IDS Monitoring • IDS Monitoring
• Incident Handling • Incident Handling • Incident Handling
• IAVM • IAVM • IAVM

2003 / 2004 2005 2006 2007 2008

Synchronized
Synchronized“cyber”
“cyber”capabilities
capabilitiesto
tonarrow
narrowthe
theThreat
ThreatVectors
Vectors
11
11
11 (From NCDOC briefs)
 President's Cyber Plan

1 - Ensure accountability in federal agencies, cyber security

will be designated as a key management priority.

2 - Work with ALL the key players, including state and local
governments and the private sector.

3 - Strengthen the public-private partnerships.

4 - Continue to invest in the cutting-edge research and

development necessary for the innovation and discovery.

5 - Begin a national campaign to promote cyber security

awareness and digital literacy.

Common theme – stresses education and proactive/dynamic defense

12
12
12
 NSPD-54/HSPD-23: CNCI ‘12 Initiatives’
Many are still being finessed, and all need prioritized
Focus Area 3 Focus Area 2 Focus Area 1

Deploy
DeployPassive
Passive Pursue
PursueDeployment
Deploymentof
of Coordinate
Coordinateand
and
Trusted
TrustedInternet
Internet Sensors
SensorsAcross
Across Intrusion Prevention
Intrusion Prevention Redirect R&D
Redirect R&D
Connections
Connections Federal Systems
Federal Systems Systems
Systems Efforts
Efforts

Establish a front line of defense

Connect
ConnectCurrent
Current Develop
DevelopGov’t-wide
Gov’t-wide Increase
IncreaseSecurity
Security Expand
Expand
Centers to Enhance
Centers to Enhance Counterintelligence
Counterintelligence of the Classified
of the Classified Education
Education
Situational
SituationalAwareness
Awareness Plan
Planfor
forCyberspace
Cyberspace Networks
Networks

Resolve to secure cyberspace / set conditions for long-term success

Define
Defineand
andDevelop
Develop Define
DefineFederal
FederalRole
Rolefor
for
Enduring Define
Defineand
andDevelop
Develop
Enduring LeadAhead
Lead Ahead Enduring Deterrence
Manage
ManageGlobal
Global Cybersecurity in
Cybersecurity in
Technologies, Enduring Deterrence Supply
Technologies, Strategies Supply ChainRisk
Chain Risk Critical
CriticalInfrastructure
Infrastructure
Strategies Strategies&&Programs
Programs
Strategies&&Programs
Programs Domains
Domains
Shape future environment / secure U.S. advantage / address new threats

“THESE” are the key long-term GIG business opportunity areas!

13
13
13 (Source: derived from JS Cyber 101 brief)
 Areas of Potential “IA/Cyber” Research

• Global Scale Identity • Usability and Security

Management
• System Evaluation Lifecycle
• Scalable Trustworthy
• Network recovery and
Systems
reconstitution
• Survivability of Time-Critical
• Cyber Security economic
Systems
modeling
• Situational Understanding
• Finance Sector R&D Agenda
and Attack Attribution
• Modeling of Internet Attacks -
• Combating Insider Threats
critical infrastructure
• Data Provenance
• Process Control System
• Privacy-Aware Security (PCS) security
• Enterprise Level Metrics • Software Quality Assurance
• Coping with Malware and
Botnets
Other areas of opportunities in Cyber…
From Homeland Security brief
14
14
14
 Federal Plan for Cyber Security and Information
Assurance (CSIA) R&D
• Overarching categories
– Functional Cyber Security Needs
– Needs for Securing the Infrastructure
– Cyber Security Assessment and
– Characterization
– Foundations for Cyber Security
– Domain-Specific Security Needs
– Enabling Technologies for Cyber Security
and Information Assurance R&D
– Advanced and Next-Generation Systems
and Architecture for Cyber Security
– Social Dimensions of Cyber Security
More areas of opportunities in Cyber…
From Homeland Security brief
15
15
15
 Cyber Prioritization Crisis
Our paper in distribution – highlights are:

-- Cyber is fundamentally enacting a prioritized and balanced

approach between existing IO/CNO (aka offense) and
IA/CND (aka defense) capabilities,

-- with diminishing resources, while also addressing dynamic

and emerging threats through targeted R&D/S&T initiatives
to fill gaps of the cyber vision.

-- The RoE, CONOPS, relationships required are NOT the

same as existing kinetic processes, and can be reversed!

-- Political / legal aspects of cyber will impede us all!

-- CoC needs an effective situational awareness (SA) capability

for "cyber" to enhance our decision superiority
16
16
16
 Cyber Prioritization Crisis
Paper in distribution – intended for technical discussions

Cyber technical foundations (what matters):

1 - Enterprise risk management process

2 - Fix/update/simplify what we have (and IA CM too!)

3 - NO clear IA/security/cyber vision

4 - Supply chain security issues – intractable?

5 - No enterprise SOA / automated IA approach

6 - Enforce a common data strategy, security aspect

17
17
17
 Leadership Summary / Recap / Results
(Cyber Security Collaboration Summit – SD – Nov 08)

•Common vision / end state / master plan

•Governance & more governance
•Specified requirements and then some
•Prescriptive implementation guidance required
•What’s “good enough” IA/Security?
•Pedigree approach – simplify V&V / C&A (build it in in)
•What is the IA business basis / ROI?
•What is the future risk environment?
•Training at all levels, especially user and SW development
•Standard architectures / standards / profiles (and a Trust Model!!!)
• SOA security is vague - at best…

WE must collectively quantify & prioritize these for leadership actions

18
18
18
 Representative Navy Operator IA issues
• IA Master Plan; Architecture vision; clear IA goals
• IA Governance Structure / Consistent Policies
• Workforce Quals / Certs / Training
• "Improve Speed to Capability” - Implementing newer
technologies.. HBSS, DAR, etc….
• IA Approach, Strategy consistent with SYSCOMs and DoD
• IA Policy/Architecture “implementation” guidance
• Enterprise Access Control - "Trust Model"
• Certification & Accreditation - Aggregation of systems
• Supply Chain Security / Defense in Breadth
• Sustain current IA and CND posture to ensure readiness

Calling things “cyber” will not change the current IA and IO issues
These are still the activities that are needed for protecting the GIG
19
19
19
 Recent IT/Cyber Leadership perspectives
A - Political / legal cyber approach
Cyber offense must be strictly monitored controlled, due to potential
escalation & state department implications & countries suing each
other

B - Navy IT FLAG/SES Feb 09 meeting results / paper:

-- Greater accountability, completer visibility, net-centric concepts need
to be revisited, can't protect all networks - ensure the C2 / enterprise

-- Need better situational awareness, discipline in development and

acquisition, TTPs... And training...

-- focus more resources on defensive posture and key critical actions

(aka - have a risk management approach), closer collaboration…

-- Senior Cyber Advisor’s major conclusions : Stricter CM & SA /

inspect traffic

Issues / suggestions are similar to others , but collectively act WE must!

20
20
20
 What can we expect to help us?
• NSA / GIAP with CNCI = better IA stuff

• Support for “data/content centric security – DCS”

• Leaders get it, but we need translate geek speak

• ESM / PvM helps automated systems, reporting

• COTS IA – commercial suite “B” encryption

• Going beyond boundary protection approach

– Effective trust binding between data, layers and domains

• Eventually an IA vision -> enterprise architecture

– Easier to build IA in through a top-down structure / standards
21
21
21
 Overall IA/Security Approach

ANY IA/security environment or capability should include these top-ten elements to

ensure a well-integrated and “best value” data protection approach.

1 - Comprehensive security policy (and communication & enforcement)

2 - Distribute clear governance (who does what / when, R&R, resources, ROE)

3 - Build in defense-in-depth (maintain multiple fronts)

4 – Follow a strategy, master plan (use an enterprise architecture)

5 - Configuration management (automated reporting to enable enforcement)
6 - Develop an effective tool suite (stress automation & KISS)
7 - Guard major threat entry points (phased attacks, root kit, Phishing)
8 - Guard malware entry methods (monitor web, content filters, Block URLs)
9 - Test critical elements (COOPs, training, compliance, vulnerabilities)

10 – Risk management plan (current threats, vulnerabilities and impacts)

what is “good enough” or minimally acceptable

minimize what you don’t know you don’t know

22
22
22
IA/Security is more leadership, strategic direction, than technical!
 IA / Security “Best Practices”
• Best practices are not a panacea, complete or what YOU need to do
• Do you even know your business protection needs? Do you have a
current asset inventory?
• Determine what is “good enough” or “minimally acceptable?
• Quantify your environment’s threats and vulnerabilities
– your list should have 10 – 50 or so threats assessed
• Have a security policy that’s useful, complete, VIP endorsed
– yes, that’s HAVE A POLICY, choose a model, then enforce it too!
• Run self-assessment on security measures (use accepted tests,
STIGs, etc) and compliance (HIPAA, PCI, CFR, SOX, etc)
• Training and awareness programs – needed, but not a black hole
• TEST your continuity, recovery plans, backup – can you restore?
• Encrypt where you can (do you need it for: IM, Chat, e-mail, file
transfer, online meetings, storage, backup, etc)
• Be familiar with the “NIST” IA/Security series – they are great!
• Always use capabilities off the preferred products lists (PPLs)
• A risk management plan should roll all these into one aspect
You can somewhat control and get what you plan,
but will only get what you ENFORCE…
23
23
23
 Where you can assist

• New technologies, methods, processes (CNCI!)

• Not so niche areas of general systems engineering,
integration, “rapid COTS / GOTS insertion,” etc
• Collaboration with other innovative companies
• Partner with other security groups, IA/cyber entities
• Cyber “packages” needed, not un-integrated SW

• Follow issues / concerns – they will not go away

• Think tank, study, and discovery support efforts
• Top down risk management, prioritization approach!

24
24
24
 Summary
• There are MANY IA/cyber initiatives in the works
– Follow the CNCI trail, that approach should prevail…

• We still need cyber enterprise “R”equirements, just

as we do now for IA and IO and C&A and ….
– What is needed now, current issues, will exist in cyber
– W/o an enterprise risk management approach, any / all
paths will do… and we stay in the crisis of prioritization

• We ALL need better collaboration – DOD on down

– Users / leaders must drive cyber = KISS = commodity
– YOU - drive the train -Vendors / integrators must coalesce!
Remember the “P6” principle…
That’s our story – what’s yours?
25
“easy” button Mike@sciap.org “easy” button
25
25
 IA/security resources
This site has almost other IA/Security sites (cont):
Main sites everything you need
http://www.cert.org/ Great ISSE /
https://infosec.navy.mil/docs/index. SSE Site
jsp http://www.sse-cmm.org/lib/lib.asp

https://www.portal.navy.mil/netwar http://www.commoncriteriaportal.org/
com/navycanda
Navy C&A http://www.amc.army.mil/amc/ci/matrix
http://iase.disa.mil/index2.html moved here /policy/policy_new.htm

other IA/Security sites: https://www.sans.org/about/sans.php

https://www.us.army.mil/suite/porta http://iac.dtic.mil/iatac/
l/index.jsp
Great http://www.cerias.purdue.edu/
http://csrc.nist.gov/ Sites
too http://security.sdsc.edu/
http://www.nsa.gov/ia/index.cfm
http://iase.disa.mil/stigs/index.html
http://www.iatf.net/

26
26
26
 CYBER: A Non-Benign Environment

Various Issues
• National Threats
• Non-Nationals
• Criminal Elements
• Hackers
• Insiders
• INFO/EMCON
• EMI / RFI / MIJI
• Weakest Links
• Lack of “CM!”

It’s what you can’t “see” or the unknowns that WILL GET YOU / US!!!
27
27
27
28
28
28
 What’s a “simple” IA/Cyber
end-state / vision look like?
What are the “Requirements”

An end-state stresses encapsulation through a virtualized fabric

29
29
29
 What is Information Assurance (IA)?
“Measures that Protect and Defend Information and Information Systems by
Ensuring Their Availability, Integrity, Authentication, Confidentiality, and
Non-Repudiation. This Includes Providing for Restoration of Information
Systems by Incorporating Protection, Detection, and Reaction Capabilities.”

• • Assurance
Assurancethat
thatInformation
InformationisisNot
NotDisclosed
Disclosedto
to
Information Assurance

Confidentiality
Confidentiality Unauthorized Entities or Processes
Unauthorized Entities or Processes
INFOSEC

• • Quality
Qualityof
ofInformation
InformationSystem
SystemReflecting
ReflectingLogical
Logical
Integrity
Integrity Correctness and Reliability of Operating System
Correctness and Reliability of Operating System
• • Timely,
Timely,Reliable
ReliableAccess
Accessto
toData
Dataand
andInformation
InformationServices
Services
Availability
Availability for Authorized Users
for Authorized Users
• • Security
SecurityMeasure
MeasureDesigned
Designedto
toEstablish
EstablishValidity
Validityof
of
Authentication
Authentication Transmission, Message, or Originator
Transmission, Message, or Originator

Non-Repudiation • • Assurance
AssuranceSender
Senderof
ofData
DataisisProvided
Providedwith
withProof
Proofof
of
Non-Repudiation Delivery and Recipient with Proof of Sender’s Identity
Delivery and Recipient with Proof of Sender’s Identity

WHAT parts belong where – wrt our collective enterprise cyber model?
30
30
30
30
 Cyberspace Characteristics
In relation to other
All of the warfighting mission areas…
domains intersect…

C2

IA

… cyberspace is a blend of exclusive and

Cyberspace Domain is contained inclusive ties
within and transcends the others
The “Venn connections / COIs” are extensive

Numerous dynamic “COIs” dominate relationships

Adding complexity and causing “cross domain” data sharing effects
31
31
31 (Source: derived from JS Cyber 101 brief)
 Cyber “Protections” Overview
(or why “IA/IO/Cyber” is so complex / hard… because it is ALL of this and more!)

“CIO ” PKI/CAC
ID Mgmt
CND “IO”
FISMA and
Operations CNO
CA Support C&A
IAMs Defend
Attack

Policy
CMI/KMI
IA IA Services
Exploit

Training

Multiple players
Multiple PEs/Lines
Typical IA Acquisition elements Multiple threats
Multiple PMW/S/As
Enterprise Risk Mgmt. Requirements
NETOPS

Strategy AND Governance critical to “implementation” success!

32
32
32
 IA / Cyber must be E2E!
WE have a “natural” hierarchy in our enterprise IT/network environment,
where complexities arise in the numerous interfaces and many to many
communications paths typically involved in end-to-end (E2E) transactions
AND, People and
processes TOO!

Apps

System / HW/SW/FM Network Enclave Site Enterprise

services “CCE” SoS

Each sub-aggregation is responsible for the IA controls within their boundaries and
also inherit the controls of their environment – need to formalize reciprocity therein!

Thus, the IA/cyber controls and interfaces in each element /

boundary must be quantified / agreed to upfront!
33
33
33
 An “Overall” Enterprise Picture
(what are the minimal elements, who “owns”
owns” them, & how do they get integrated?)

“SOA Security” needs to account for more than “just” SOA!

Apps & COIs

SOA/ESB/Services Business processes

There is more to the enterprise IA/C&A picture than “just”
CCE, SOA and Apps, which are hard enough to integrate

ITIL/ITSM SLA execution CCE Dynamic Access Control

Data security strategy / ownership Hardware / Software Assurance

Data privacy protection and Auditable anonymity

IA/Security strategy must consider the whole enterprise trust model!

34
34
34
34
 Cyber – Spans Warfare and Business Mission Areas

Net-centric operations as well as the emerging new joint capabilities and integration development process is
where the DoD is headed in the “Business of Warfighting”

Cyberspace

Cyber must effectively integrate Business and Warfighter Mission Areas

Where GOVERANCE (or lack of it), still rules…
Source:  Secretary of State Hillary Clinton Statement, January 21 2009
Source:  SSC Atlantic Cyber Strategy
35
35
35 (Source: notional – partially derived from industry partner brief)
 So what really matters in IA/Cyber E2E?
A notional Quality of Protection (QoP
(QoP)) Hierarchy
(Wrt our defense in “breadth”
breadth” position paper – but what REALLY matters?)
matters?)

“DATA QoP”
(C-I-A and N & A)
Complex… Settings
Dynamic… IA&A and CBE / DCS
(distributed / transitive trust model … E2E data-centric security and protections)

Core / Security Services Standards

( WS* and other security policy / protocols / standards (including versions & extensions therein)

IA devices
network protection – CND – FW / IDS / VPN / etc
Known… (in general, mature capabilities – but multiple unclear “CM” processes are persistent and problematic)
Static…
IO … and ... IA A&E /
Policy

CNO/E/A, “I&W”, OPSEC, etc Crypto, KMI, TSM/HAP, policy, etc

Mainly: IA standards, IA&A, CBE/DCS and digital policy!

36
36
36
 GIG IA Protection Strategy Evolution

Static “Perimeter” Transactional

Protection Model “Enterprise IA”
Protection Model
Common level of
Required level of
Information Protection Information Protection
provided by System “Specified” for each
High Environment Transaction

• Common User Trust Level (Clearances) across sys-high • User Trust Level sufficient across Transaction/COI – varies for
environment enterprise

• Privilege gained by access to environment and rudimentary • Privilege assigned to user/device based on operational role and
roles can be changed

• Information “authority” determines required level of protection • Information “authority” determines required level of end-to-end
(QoP) for the most sensitive information in the sys-high protection (QoP) required to access information – translates to a
environment – high water mark determines IT/IA/“Comms” set of IT/IA/“Comms” Standard that must be met for the
Standards for all information Transaction to occur

• Manual Review to Release Information Classified at Less

than Sys-high • Automated mechanisms allow information to be Shared
(“Released”) when users/devices have proper privilege and
• Manual Analysis and Procedures determine allowed Transaction can meet QoP requirements
interconnects

37
37
37
We will be loosely connected, sharing information – and protected?
 The Big Picture: XML Family of Specifications

38
38
38
 Hard “IA/Cyber” Problems List (HPL)

• Original Version
– Composed in 1997-98 based on several government sponsored
workshops; Published in 1999
• Topics
– 1. Intrusion and Misuse Detection
– 2. Intrusion and Misuse Response
– 3. Security of Foreign and Mobile Code
– 4. Controlled Sharing of Sensitive Information
– 5. Application Security
– 6. Denial of Service
– 7. Communications Security
– 8. Security Management Infrastructure
– 9. Information Security for Mobile Warfare
– A. Secure System Composition
– B. High Assurance Development
– C. Metrics for Security
Areas of opportunities in Cyber…
From Homeland Security brief
39
39
39
 IA / C&A Building blocks
• …. The desired end-state is in general one of a transformed single C&A process that
accommodates all C&A needs and activities (re: T&E / V&V)
• End-state needs to integrate and accommodate several major perspectives / initiatives:
– (1) aggregation into some number of larger systems of systems (SoS) and enclaves / platforms,
– (2) platform IT (PIT),
– (3) the federal C&A transformation effort (bringing together DOD, IC and federal agencies), and
– (4) the new NNWC C&A process (for the Navy aspect).
• Develop a "security container" of sorts emulating the "CC" process (see http://www.niap-
ccevs.org/cc-scheme/ ) that IA devices go through –establishes the same format / needs
• Natural to have a limited and controlled set of IA building blocks for a FEW main classes:
– IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc)
– IA enabled capabilities (OS, web browsers, messaging systems, screening routers, etc )(and we submit the
IA/WSS standards need to go here too… prescribe a limited set of IA “profiles” with defined standards / protocols!)
– Services and Applications ( we think we can define a standard "security container" for each, ideally a “class” -
maybe a couple are needed for SOA/Services – we postulate the earlier three C&A types would work well) )
– Critical IA capability devices (any key IT capabilities, we may have missed and want to specifically consider)
– PIT Platform IT variants (there should be ONE general PIT super set, then each SYSCOM takes that and tailors it
a little more for HM&E, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc)
– Remainder of NIST 95 descriptions: Intelligence activities; Cyrptologic activities; command and control; weapons
and their systems; systems for "direct military / intelligence" missions; and classified systems... Any “special cases”
defined
– AND/OR consider the remainder of 8500.2 categories: AIS application; enclaves; outsourced IT; PIT
interconnection (where Platform IT refers to computer resources, both hardware and software, that are physically
part of, dedicated to, or essential in real time to the mission performance of special purpose systems, such as
weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in
the R&D of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems)

Just as “IT” must transition to a “commodity” approach, so must Cyber security!

40
40
40