Mike Davis, The Security Networks, Technical Advisor, TSN
Information Systems Security Association, VP, ISSA, SD;
IA Technical Process Owner (TPO), Warrant Holder (TWH) - SPAWAR 5.0.2 / 5.8 HQ [email protected]
Information Assurance (IA) for Service-Oriented Architecture (SOA)
May 20, 2009
Security Summit
Cyber: What is that - really?
A General Overview of our Cyber Prioritization Crisis
Good for public release. No distribution statement needed – SPAWAR review tracking number SR-2009-221.
What is Cyber?
“A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.“
-- DoD Definition of Cyberspace
“The military strategic goal is to ensure US military strategic superiority in cyberspace.”
-- National Military Strategy for Cyberspace Operations
Cyber space operations = employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the GIG
It could mean just about anything….
But mostly a balanced IO/CNO & IA/CND portfolio
What makes Cyber different?
Given Cyber = “virtual” warfare, somewhat different from the kinetic / physical environment we all know well
-- Includes ALL Offensive and Defensive IT/IO/IA capabilities and DOTMPLF, ALL aggregated somehow
-- Essentially a select critical technical combination of IO/CNO and IA/CND + more integration stuff
-- A different virtual ROE than Kinetic – sometimes reversed, legally constrained (and what is “an act of War?”)
-- Shared vulnerabilities mandate a proactive, dynamic defensive posture – a “mission kill” is one e-mail away
-- Thus a crisis of prioritization, where everything is urgent, mandatory… and the many CoC lines are blurred
Many high-level cyber definitions and approaches abound
No “definitive” enterprise top down action plans, yet
Cyberspace Characteristics
• What’s so different?
– Man-made domain… complex and insecure by design
– Global stakeholders — public, private and government
– Speed of both action and change – zero separation
– Transcends physical, organizational and geopolitical boundaries – highly sensitive to political/legal influence
– Anonymity – identity/intent of players not always clear
RoE / CONOPS:
– Kinetic = virtual
– “NO” boundaries
– Legal aspects rule
– No clear Cyber IFF!
– Global reach & impact
– AND sensors everywhere, ISR/METOC, SPACE, Networks, ETC, Etc, etc!
(Source: derived from JS Cyber 101 brief)
Cyberspace Characteristics
All of the warfighting domains intersect…
Cyberspace Domain is contained within and transcends the others
In relation to other mission areas…
… cyberspace is a blend of exclusive and inclusive ties
The “Venn connections / COIs” are extensive
Numerous dynamic “COIs” dominate relationships
Adding complexity and causing “cross domain” data sharing effects
(Diagram labels: IA, C2)
(Source: derived from JS Cyber 101 brief)
Cyber must be E2E!
WE have a “natural” hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many-to-many communications paths typically involved in end-to-end (E2E) transactions:
Enterprise -> Site -> Enclave -> Network SoS -> System / services -> HW/SW/FM “CCE”
(plus Apps, AND people, processes)
Each sub-aggregation is responsible for the IA/cyber controls within their boundaries and also inherits the controls of higher levels and all weaknesses in any layer!
Thus, the IA/cyber controls and interfaces in each element / boundary must be quantified / agreed to upfront!
An end-state stresses encapsulation using secure messaging
What’s a “simple” IA/Cyber end-state / vision look like? What are the “Requirements”?
Cyber Prioritization Crisis
Draft paper in circulation – highlights are:
-- Cyber is fundamentally enacting a prioritized and balanced approach between existing IO/CNO (aka offense) and IA/CND (aka defense) capabilities,
-- with diminishing resources, while also addressing dynamic and emerging threats through targeted R&D/S&T initiatives to fill gaps of the cyber vision.
-- The RoE, CONOPS, organization relationships required are NOT the same as kinetic processes,
-- Where the political / legal aspects of cyber will impede us all!
-- CoC needs an effective situational awareness capability for "cyber" to enhance our decision superiority
Cyber Prioritization Crisis
Draft paper in circulation – intended for technical discussions
Cyber technical foundations (what matters):
1 - Enterprise risk management process needed
2 - Fix/update/simplify what we have (”CM” too!)
3 - NO clear IA/security/cyber vision or end-state
4 - Supply chain security issues – are everywhere
5 - Lack of enterprise SOA IA / security approach
6 - Enforce a common data strategy, security built in
Securing Cyberspace for the 44th Presidency
WE must collectively quantify & prioritize these for leadership actions
• A renewed focus on international collaboration, with more overt / open security methods,
• Continued emphasis on partnering government with industry, better quantifying the legal aspects of enforcement and proactive responses,
• Taking a holistic, overarching, fully integrated / meshed approach to security for the full spectrum IA needed in “D.I.M.E.” (Diplomatic, Intelligence, Military and Economic)
- Create a comprehensive national security strategy for cyberspace
- Organize and lead from the White House (create a national office for cyberspace)
- Reinvent the public – private partnership
- Regulate cyberspace (not voluntary anymore, but not overly prescriptive either)
- Secure the industrial control systems – ICS / SCADA
- Manage Identities - Authenticate digital entities (in an enterprise IDM approach)
- Modernize authorities / laws… (e.g., revise FISMA… merge NSS and other standards)
- Use acquisitions policy to improve security
- Build the capabilities – research, training and education
- Do not start over – leverage CNCI
Cyber security social contract to Obama from industry
WE must collectively quantify & prioritize these for leadership actions
-- We all lack a common enterprise risk management approach
-- Need new internet protocols / methods to support security
-- "Enforceable" CM is mandatory (can reduce 80% of all attacks!)
-- Positive incentives to encourage / enforce folks to follow best practices
-- Lack of software quality and assurance
-- Multi-organizational coordinated roadmap / vision is essential
-- Map / manage the physical to cyber security (ICS / PCS / SCADA / etc)
-- Supply chain issues better understood, protected and tested against
-- Use / leverage / engage DARPA, IARPA, In-Q-Tel, etc.
-- Move from a passive, forensic-based defense to an active posture using real-time intelligence updates to dynamically adjust our protection levels
-- Must have both privacy and security built in
-- Focus on "insider threat" (a “determined intruder” – inside or external)
-- Government embrace / lead the required IA standards that are effective
-- Modern IdM / access control (where our “ZBAC” approach works cross domain)
-- Set clear IA/security priorities – then resource, manage and control
Leadership Summary / Recap (Cyber Security Collaboration Summit – SD – Nov 08)
•Common vision / end state / master plan – where are we going?
•Governance & more governance – coordinate ALL those in charge?
•Specified requirements and then some – top down, detailed needs
•Prescriptive implementation guidance required – fidelity in the “what”
•What’s “good enough” IA/Security? Must have a common threshold
•Pedigree approach – simplify verification and compliance (build in)
•What is the IA business basis / ROI? (AND success metrics therein?)
•What is the future risk environment? Threats, consequences, etc?
•Training at all levels, especially user and SW development
•Standard architectures / standards / profiles (and a Trust Model!!!)
• SOA security is vague - at best (No T&E / C&A Plans at all!), but…
• Application security and web security, or lack thereof, is pervasive too
WE must collectively quantify & prioritize these for leadership actions
Representative Navy Operator IA issues
• IA Master Plan; IA vision; clear IA goals
• IA Governance Structure / Consistent Policies
• Workforce Quals / Certs / Training
• "Improve Speed to Capability” - Implementing newer technologies… HBSS, DAR, etc.…
• IA Approach, Strategy consistent with SYSCOMs and DoD
• IA Policy/Architecture “implementation” guidance
• Enterprise Access Control - "Trust Model"
• Certification & Accreditation - Aggregation of systems
• Supply Chain Security / Defense in Breadth
• Sustain current IA and CND posture to ensure readiness
Calling things “cyber” will not change the current IA and IO issues
These are still the activities that are needed for protecting the GIG
Recent IT/Cyber Leadership perspectives
A - Political / legal cyber paper: Cyber offense must be strictly monitored and controlled, due to potential escalation & State Department implications & countries suing each other
B - Navy IT FLAG/SES meeting results / paper:
-- Greater accountability, complete visibility, net-centric concepts need to be revisited, can't protect all networks - ensure the C2 / enterprise are…
-- Need better situational awareness, discipline in development and acquisition, TTPs... And training...
-- Senior Advisor’s major conclusions: Stricter CM & SA / inspect traffic
-- FLAG / SES participants guidance: Common governance and language, eliminate low to medium threats, focus more resources on defensive posture and key critical actions (aka - have a risk management approach), closer collaboration between Services / agencies, include space and undersea cables, exercise in degraded modes, stress education, use the RED TEAM to better effectiveness, avoid issues NMCI found, high speed acquisition and address COTS / supply chain management…
Issues / suggestions are similar to others, but act collectively WE must!
NSPD-54/HSPD-23: CNCI ‘12 Initiatives’
Focus Area 1 – Establish a front line of defense
– Trusted Internet Connections
– Deploy Passive Sensors Across Federal Systems
– Pursue Deployment of Intrusion Prevention Systems
– Coordinate and Redirect R&D Efforts
– Connect Current Centers to Enhance Situational Awareness
Focus Area 2 – Resolve to secure cyberspace / set conditions for long-term success
– Develop Gov’t-wide Counterintelligence Plan for Cyberspace
– Increase Security of the Classified Networks
– Expand Education
– Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
– Define and Develop Enduring Deterrence Strategies & Programs
Focus Area 3 – Shape future environment / secure U.S. advantage / address new threats
– Manage Global Supply Chain Risk
– Define Federal Role for Cybersecurity in Critical Infrastructure Domains
“THESE” are the key long-term business opportunities!
Many are still being finessed, and all need prioritizing
(Source: derived from JS Cyber 101 brief)
What can we expect to help us?
• NSA / GIAP with CNCI = better IA stuff
• Support for “data/content centric security – DCS”
• Leaders get it, but we need to translate geek speak
• ESM / PvM helps automated systems, reporting
• COTS IA – commercial suite “B” encryption
• Going beyond boundary protection approach – Effective trust binding between data, layers and domains
• Develop an IA vision -> enterprise architecture
– Easier to build IA in through a top-down structure / standards
Where you can assist
• New technologies, methods, processes (CNCI!)
• Not so niche areas of general systems engineering, integration, “rapid COTS / GOTS insertion,” etc
• Collaboration with other innovative companies
• Partner with other security groups, IA/cyber entities
• Cyber “packages” needed, not un-integrated SW
• Follow issues / concerns – they will not go away
• Think tank, study, and discovery support efforts
• Top down risk management, prioritization approach!
Summary
• There are MANY IA/cyber initiatives in the works
– Follow the CNCI trail, that should prevail…
• We still need cyber enterprise “R”equirements, just as we do now for IA and IO and C&A and ….
– What is needed now, current issues, will exist in cyber
– W/o an enterprise risk management approach, any / all paths will do… and we stay in the crisis of prioritization
• We ALL need better collaboration – DOD on down
– Users / platforms must drive cyber = KISS = commodity
– Vendors / integrators need to coalesce, drive the truck
Remember the “P6” principle… Planning and communications only get us part way there
That’s our story – what’s yours?
What is Information Assurance (IA)?
“Measures that Protect and Defend Information and Information Systems by Ensuring Their Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. This Includes Providing for Restoration of Information Systems by Incorporating Protection, Detection, and Reaction Capabilities.”
• Availability – Timely, Reliable Access to Data and Information Services for Authorized Users
• Integrity – Quality of Information System Reflecting Logical Correctness and Reliability of Operating System
• Authentication – Security Measure Designed to Establish Validity of Transmission, Message, or Originator
• Confidentiality – Assurance that Information is Not Disclosed to Unauthorized Entities or Processes
• Non-Repudiation – Assurance Sender of Data is Provided with Proof of Delivery and Recipient with Proof of Sender’s Identity
(Diagram labels: INFOSEC, Information Assurance)
WHAT parts belong where – wrt our collective enterprise trust model?
Cyber “Protections” Overview
(or why “IA/IO/Cyber” is so complex / hard… because it is ALL of that and more!)
Typical IA Acquisition elements: CMI/KMI, CND, Policy, Training, C&A, Enterprise Risk Mgmt., IA Services, CA Support, Requirements, PKI/CAC, ID Mgmt, Operations, IAMs, NETOPS, IA
“IO” and CNO: Defend / Attack / Exploit
“CIO” / FISMA
Multiple players, multiple PEs/Lines, multiple threats, multiple PMW/S/As
Strategy AND Governance critical to “implementation” success!
An “Overall” Enterprise Picture
(what are the minimal elements, who “owns” them, & how do they get integrated?)
IA/Security strategy must consider the whole enterprise trust model!
There is more to the enterprise IA/C&A picture than “just” CCE, SOA and Apps, which are hard enough to integrate:
– CCE
– SOA/ESB/Services
– Dynamic Access Control
– Data privacy protection and Auditable anonymity
– Data security strategy / ownership
– Hardware / Software Assurance
– Business processes
– ITIL/ITSM SLA execution
– Apps & COIs
“SOA Security” needs to account for more than “just” SOA!
So what really matters in IA/Cyber E2E? A notional Quality of Protection (QoP) Hierarchy
(Wrt our defense in “breadth” position paper – but what REALLY matters?)
– “DATA QoP” (C-I-A and N & A)
– IA&A and CBE / DCS (distributed / transitive trust model … E2E data-centric security and protections)
– Core / Security Services (WS* and other security policy / protocols / standards, including versions & extensions therein)
– Network protection – CND – FW / IDS / VPN / etc (in general, mature capabilities – but multiple unclear “CM” processes are persistent and problematic)
– IO … and ... IA: CNO/E/A, “I&W”, OPSEC, etc; Crypto, KMI, TSM/HAP, policy, etc
(Diagram labels: Complex… Dynamic… / Known… Static…; Settings, A&E / Policy, Standards, IA devices)
Mainly: IA standards, IA&A, CBE/DCS and digital policy!
GIG IA Protection Strategy Evolution
Static “Perimeter” Protection Model (common level of information protection provided by the system-high environment):
• Manual Review to Release Information Classified at Less than Sys-high
• Manual Analysis and Procedures determine allowed interconnects
• Information “authority” determines required level of protection (QoP) for the most sensitive information in the sys-high environment – high water mark determines IT/IA/“Comms” Standards for all information
• Privilege gained by access to environment and rudimentary roles
• Common User Trust Level (Clearances) across sys-high environment
Transactional “Enterprise IA” Protection Model (required level of information protection “specified” for each transaction):
• Automated mechanisms allow information to be Shared (“Released”) when users/devices have proper privilege and Transaction can meet QoP requirements
• Information “authority” determines required level of end-to-end protection (QoP) required to access information – translates to a set of IT/IA/“Comms” Standards that must be met for the Transaction to occur
• Privilege assigned to user/device based on operational role and can be changed
• User Trust Level sufficient across Transaction/COI – varies for enterprise
We will be loosely connected, sharing information – and protected?
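The two protection models on this slide can be sketched as a per-transaction policy check set against a high-water-mark check. This is an added example, not from the brief or SPAWAR; the QoP level names, the standards each level maps to, the COIs and the sample principals are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Ordered QoP levels an information "authority" can assign, and the set of
# IT/IA/"Comms" standards each level translates into. Level names and standard
# names are constructed for this example, not a real DoD standards mapping.
QOP_RANK = {"basic": 1, "enhanced": 2, "high": 3}
QOP_STANDARDS = {
    "basic": frozenset({"tls"}),
    "enhanced": frozenset({"tls", "pki-auth"}),
    "high": frozenset({"tls", "pki-auth", "type1-crypto", "audit"}),
}


@dataclass(frozen=True)
class Info:
    name: str
    required_qop: str   # protection level set by the information authority
    coi: str            # community of interest the data belongs to


@dataclass(frozen=True)
class Principal:
    user: str
    trust_level: int                # clearance / user trust level (1..3)
    role_cois: frozenset[str]       # COIs the operational role is privileged for
    path_standards: frozenset[str]  # standards the device + comms path can meet


def perimeter_model(p: Principal, catalogue: list[Info]) -> bool:
    """Static sys-high model: the most sensitive object in the environment sets the
    high-water mark, every transaction must meet that mark whatever is accessed,
    and privilege comes from being 'inside' at that level (roles are rudimentary,
    so an insider is granted everything)."""
    high_water = max(catalogue, key=lambda i: QOP_RANK[i.required_qop]).required_qop
    inside = p.trust_level >= QOP_RANK[high_water]
    return inside and QOP_STANDARDS[high_water] <= p.path_standards


def transactional_model(p: Principal, info: Info) -> bool:
    """Transactional 'Enterprise IA' model: required QoP is specified per object,
    privilege is assigned by role, and the transaction occurs only when the path
    meets that object's standards and the user's trust level is sufficient."""
    return (
        info.coi in p.role_cois
        and p.trust_level >= QOP_RANK[info.required_qop]
        and QOP_STANDARDS[info.required_qop] <= p.path_standards
    )


# Constructed sample catalogue and principals.
CATALOGUE = [
    Info("weather-feed", "basic", "metoc"),
    Info("logistics-status", "enhanced", "logistics"),
    Info("targeting-data", "high", "fires"),
]
ANALYST = Principal("analyst", 2, frozenset({"metoc", "logistics"}),
                    frozenset({"tls", "pki-auth"}))
INSIDER = Principal("insider", 3, frozenset({"logistics"}),
                    frozenset({"tls", "pki-auth", "type1-crypto", "audit"}))
TACTICAL = Principal("tactical", 3, frozenset({"fires"}),
                     frozenset({"tls"}))   # disadvantaged comms path


def compare(p: Principal) -> dict[str, tuple[bool, bool]]:
    """Return {object name: (perimeter decision, transactional decision)}."""
    return {i.name: (perimeter_model(p, CATALOGUE), transactional_model(p, i))
            for i in CATALOGUE}


if __name__ == "__main__":
    for who in (ANALYST, INSIDER, TACTICAL):
        for name, (perim, trans) in compare(who).items():
            print(f"{who.user:9s} {name:17s} perimeter={perim!s:5s} transactional={trans}")
```

The insider row shows the perimeter model's over-grant (access follows the environment, not the role), while the tactical row shows a high-QoP object withheld because the path cannot meet the required standards, which is the "Transaction can meet QoP requirements" check.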
IA / C&A Building blocks
• …. The desired end-state is in general one of a transformed single C&A process that accommodates all C&A needs and activities (re: T&E / V&V)
• End-state needs to integrate and accommodate several major perspectives / initiatives:
– (1) aggregation into some number of larger systems of systems (SoS) and enclaves / platforms,
– (2) platform IT (PIT),
– (3) the federal C&A transformation effort (bringing together DOD, IC and federal agencies), and
– (4) the new NNWC C&A process (for the Navy aspect).
• Develop a "security container" of sorts emulating the "CC" process (see http://www.niap-ccevs.org/cc-scheme/ ) that IA devices go through – establishes the same format / needs
• Natural to have a limited and controlled set of IA building blocks for a FEW main classes:
– IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc)
– IA enabled capabilities (OS, web browsers, messaging systems, screening routers, etc) (and we submit the IA/WSS standards need to go here too… prescribe a limited set of IA “profiles” with defined standards / protocols!)
– Services and Applications (we think we can define a standard "security container" for each, ideally a “class” - maybe a couple are needed for SOA/Services – we postulate the earlier three C&A types would work well)
– Critical IA capability devices (any key IT capabilities we may have missed and want to specifically consider)
– PIT Platform IT variants (there should be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HM&E, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc)
– Remainder of NIST 95 descriptions: Intelligence activities; Cryptologic activities; command and control; weapons and their systems; systems for "direct military / intelligence" missions; and classified systems... Any “special cases” defined
– AND/OR consider the remainder of 8500.2 categories: AIS application; enclaves; outsourced IT; PIT interconnection (where Platform IT refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems, such as weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the R&D of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems)
Just as “IT” must transition to a “commodity” approach, so must Cyber security!
Cyber – Spans Warfare and Business Mission Areas
Net-centric operations as well as the emerging new joint capabilities and integration development process are where the DoD is headed in the “Business of Warfighting”
Cyber must effectively integrate Business and Warfighter Mission Areas
Where GOVERNANCE (or lack of it), still rules…
(Diagram label: Cyberspace)
Source: Secretary of State Hillary Clinton Statement, January 21 2009
Source: SSC Atlantic Cyber Strategy
(Source: notional – partially derived from industry partner brief)
A National Security Issue
• Cyberspace intrusions and attacks are a real and emerging threat
• U.S. faces a dangerous mixture of vulnerabilities and adversaries
• Cyberspace situational awareness is not mature (and not at all levels)
• PEOPLE, Information and the C4ISR infrastructure are targets
• Exploitation, disruption, exfiltration, misinformation or destruction are adversary goals (& bragging rights)
• Malicious cyberspace activity is increasing in regularity and severity
“Attacks on Critical Infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident.” -- 2007 National Infrastructure Protection Plan
Ubiquitous Presence… Salient Danger…
• 1.5 billion people on the Internet; much of Asia and Africa still to come (using wireless, which is cheaper to install)
• Upwards of 200B e-mails per day
• Critical to commerce, government, business processes, safety, etc.
• Exponential demand; 8 hours of YouTube uploaded every minute
• Increasing connections; global wireless and cellular usage
• Volumetric rise in data everywhere, with no enterprise data security and tracking approach (Internet = database)
(Source: derived from JS Cyber 101 brief)