DSLC Rm (3E813) Layout - Mil-Only Session - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

DSLC Rm (3E813) Layout - Mil-Only Session

Description:

Cyber What is that - really? A General Overview of our Cyber Prioritization Crisis Information Assurance (IA) for Service-Oriented Architecture (SOA) – PowerPoint PPT presentation

Number of Views:16
Avg rating:3.0/5.0
Slides: 29
Provided by: JCS94
Category:

less

Transcript and Presenter's Notes

Title: DSLC Rm (3E813) Layout - Mil-Only Session


1
Cyber What is that - really? A General
Overview of our Cyber Prioritization Crisis
Information Assurance (IA) for Service-Oriented
Architecture (SOA)
May 20, 2009 Security Summit
Mike Davis The Security Networks Technical
Advisor, TSN Mike_at_sciap.org and Information
Systems Security Association, VP, ISSA, SD
IA Technical Process Owner (TPO), Warrant
Holder (TWH) - SPAWAR 5.0.2 / 5.8 HQ
Michael.H.Davis_at_navy.mil
Easy Button
Good for public release. No distribution
statement needed SPAWAR review tracking number
SR-2009-221.
2
What is Cyber?
A global domain within the information
environment consisting of the interdependent
network of information technology
infrastructures, including the Internet,
telecommunications networks, computer systems,
and embedded processors and controllers. -- DoD
Definition of Cyberspace
Cyber space operations employment of cyber
capabilities where the primary purpose is to
achieve military objectives or effects in or
through cyberspace. Such operations include
computer network operations and activities to
operate and defend the GIG
The military strategic goal is to ensure US
military strategic superiority in cyberspace.
-- National Military Strategy for Cyberspace
Operations
It could mean just about anything. But mostly
a balanced IO/CNO IA/CND portfolio
3
What makes Cyber different?
  • Given Cyber virtual warfare, somewhat
    different from the kinetic / physical environment
    we all know well
  • -- Includes ALL Offensive and Defensive IT/IO/IA
    capabilities and DOTMPLF, ALL aggregated somehow
  • -- Essentially a select critical technical
    combination of IO/CNO and IA/CND more
    integration stuff
  • -- A different virtual ROE than Kinetic
    sometimes reversed, legally constrained (and what
    is an act of War?)
  • -- Shared vulnerabilities mandate a proactive,
    dynamic defensive posture a mission kill is
    one e-mail away
  • -- Thus a crisis of prioritization, where
    everything is urgent, mandatory and the many CoC
    lines are blurred

Many high-level cyber definitions and approaches
abound No definitive enterprise top down action
plans, yet
4
Cyberspace Characteristics
  • Whats so different?
  • Man-made domain complex and insecure by design
  • Global stakeholders public, private and
    government
  • Speed of both action and change zero separation
  • Transcends physical, organizational and
    geopolitical boundaries highly sensitive to
    political/legal influence
  • Anonymity identity/intent of players not always
    clear

Global reach impact
RoE / CONOPS Kinetic virtual NO
boundaries Legal aspects rule No clear Cyber
IFF!
AND sensors everywhere, ISR/METOC, SPACE,
Networks, ETC, Etc, etc!
(Source derived from JS Cyber 101 brief)
5
Cyberspace Characteristics
In relation to other mission areas
All of the warfighting domains intersect
C2
IA
cyberspace is a blend of exclusive and
inclusive ties The Venn connections / COIs are
extensive
Cyberspace Domain is contained within and
transcends the others
Numerous dynamic COIs dominate
relationships Adding complexity and causing
cross domain data sharing effects
(Source derived from JS Cyber 101 brief)
6
Cyber must be E2E!
WE have a natural hierarchy in our enterprise
IT/network environment, where complexities arise
in the numerous interfaces and many to many
communications paths typically involved in
end-to-end (E2E) transactions
Apps
AND people processes
Enterprise
Site
Enclave
Network SoS
System / services
HW/SW/FM CCE
Each sub-aggregation is responsible for the
IA/cyber controls within their boundaries and
also inherits the controls of higher levels and
all weaknesses in any layer!
Thus, the IA/cyber controls and interfaces in
each element / boundary must be quantified /
agreed to upfront!
7
Whats a simple IA/Cyber end-state / vision
look like? What are the Requirements
An end-state stresses encapsulation using secure
messaging
8
Cyber Prioritization CrisisDraft paper in
circulation highlights are
  • -- Cyber is fundamentally enacting a prioritized
    and balanced approach between existing IO/CNO
    (aka offense) and IA/CND (aka defense)
    capabilities,
  • -- with diminishing resources, while also
    addressing dynamic and emerging threats through
    targeted RD/ST initiatives to fill gaps of the
    cyber vision.
  • -- The RoE, CONOPS, organization relationships
    required are NOT the same as kinetic processes,
  • -- Where the political / legal aspects of cyber
    will impede us all!
  • -- CoC needs an effective situational awareness
    capability for "cyber" to enhance our decision
    superiority

9
Cyber Prioritization CrisisDraft paper in
circulation intended for technical discussions
  • Cyber technical foundations (what matters)
  • 1 - Enterprise risk management process needed
  • 2 - Fix/update/simplify what we have (CM too!)
  • 3 - NO clear IA/security/cyber vision or
    end-state
  • 4 - Supply chain security issues are everywhere
  • 5 - Lack of enterprise SOA IA / security approach
  • 6 - Enforce a common data strategy, security
    built in

10
Securing Cyberspace for the 44th Presidency
  • A renewed focus on international collaboration,
    with more overt / open security methods,
  • Continued emphasis on partnering government with
    industry, better quantifying the legal aspects of
    enforcement and proactive responses,
  • Taking a holistic, overarching, fully integrated
    / meshed approach to security for the full
    spectrum IA needed in D.I.M.E. (Diplomatic,
    Intelligence, Military and Economic)

- Create a comprehensive national security
strategy for cyberspace - Organize and lead from
the white house (create a national office for
cyberspace) - Reinvent the public private
partnership - Regulate cyberspace (not voluntary
anymore, but not overly prescriptive either) -
Secure the industrial control systems ICS /
SCADA - Manage Identities - Authenticate digital
entities (in an enterprise IDM approach) -
Modernize authorities / laws (e,g, revise
FISMA.. merge NSS and other standards) - Use
acquisitions policy to improve security - Build
the capabilities research, training and
education - Do not start over leverage CNCI
WE must collectively quantify prioritize these
for leadership actions
11
cyber security social contractto Obama from
industry
-- We all lack a common enterprise risk
management approach -- Need new internet
protocols / methods to support security --
"Enforceable" CM is mandatory (can reduce 80 of
all attacks!) -- Positive incentives to encourage
/ enforce folks to follow best practices -- Lack
of software quality and assurance --
Multi-organizational coordinated roadmap / vision
is essential -- Map / manage the physical to
cyber security (ICS / PCS / SCADA / etc) --
Supply chain issues better understood, protected
and testing against -- Use / leverage / engage
DARPA, IARPA, In-Q-Tel, etc. -- Move from a
passive, forensic-based defense to an active
posture using real-time intelligence updates to
dynamically adjust our protection levels -- Must
have both privacy and security built in --
Focus on "insider threat (a determined
intruder inside or external) -- Government
embrace / lead the required IA standards that are
effective -- Modern IdM / access control ( where
our ZBAC approach works cross domain) -- Set
clear IA/security priorities then resource,
manage and control
WE must collectively quantify prioritize these
for leadership actions
12
Leadership Summary / Recap(Cyber Security
Collaboration Summit SD Nov 08)
  • Common vision / end state / master plan where
    are we going?
  • Governance more governance coordinate ALL
    those in charge?
  • Specified requirements and then some top down,
    detailed needs
  • Prescriptive implementation guidance required
    fidelity in the what
  • Whats good enough IA/Security? Must have a
    common threshold
  • Pedigree approach simplify verification and
    compliance (build in)
  • What is the IA business basis / ROI? (AND
    success metrics therein?)
  • What is the future risk environment? Threats,
    consequences, etc?
  • Training at all levels, especially user and SW
    development
  • Standard architectures / standards / profiles
    (and a Trust Model!!!)

WE must collectively quantify prioritize these
for leadership actions
13
Representative Navy Operator IA issues
  • IA Master Plan IA vision clear IA goals
  • IA Governance Structure / Consistent Policies
  • Workforce Quals / Certs / Training
  • "Improve Speed to Capability - Implementing
    newer technologies.. HBSS, DAR, etc.
  • IA Approach, Strategy consistent with SYSCOMs and
    DoD
  • IA Policy/Architecture implementation guidance
  • Enterprise Access Control - "Trust Model"
  • Certification Accreditation - Aggregation of
    systems
  • Supply Chain Security / Defense in Breadth
  • Sustain current IA and CND posture to ensure
    readiness

Calling things cyber will not change the
current IA and IO issues These are still the
activities that are needed for protecting the GIG
14
Recent IT/Cyber Leadership perspectives
  • A - Political / legal cyber paper
  • Cyber offense must be strictly monitored
    controlled, due to potential escalation state
    department implications countries suing each
    other
  • B - Navy IT FLAG/SES meeting results / paper
  • -- Greater accountability, completer visibility,
    net-centric concepts need to be revisited, can't
    protect all networks - ensure the C2 / enterprise
    are
  • -- Need better situational awareness, discipline
    in development and acquisition, TTPs... And
    training...
  • -- Senior Advisors major conclusions
    Stricter CM SA / inspect traffic
  • -- FLAG / SES participants guidance
  • Common governance and language, eliminate low
    to medium threats, focus more resources on
    defensive posture and key critical actions (aka -
    have a risk management approach), closer
    collaboration between Service / agencies,
    include space and undersea cables, exercise In
    degraded modes, stress education, use the RED
    TEAM to better effectiveness, avoid issues NMCI
    found, high speed acquisition and address COTS /
    supply chain management..

Issues / suggestions are similar to others , but
act collectively WE must!
15
NSPD-54/HSPD-23 CNCI 12 Initiatives
Many are still being finessed, and all need
prioritized
Establish a front line of defense
Trusted Internet Connections
Deploy Passive Sensors Across Federal Systems
Pursue Deployment of Intrusion Prevention Systems
Coordinate and Redirect RD Efforts
Focus Area 1
Resolve to secure cyberspace / set
conditions for long-term success
Connect Current Centers to Enhance Situational
Awareness
Develop Govt-wide Counterintelligence Plan for
Cyberspace
Increase Security of the Classified Networks
ExpandEducation
Focus Area 2
Shape future environment / secure U.S.
advantage / address new threats
Define and Develop Enduring Lead Ahead
Technologies, Strategies Programs
Define and Develop Enduring Deterrence Strategies
Programs
Manage Global Supply Chain Risk
Define Federal Role for Cybersecurity in Critical
Infrastructure Domains
Focus Area 3
THESE are the key long-term business
opportunities!
(Source derived from JS Cyber 101 brief)
16
What can we expect to help us?
  • NSA / GIAP with CNCI better IA stuff
  • Support for data/content centric security DCS
  • Leaders get it, but we need translate geek speak
  • ESM / PvM helps automated systems, reporting
  • COTS IA commercial suite B encryption
  • Going beyond boundary protection approach
  • Effective trust binding between data, layers and
    domains
  • Develop an IA vision -gt enterprise architecture
  • Easier to build IA in through a top-down
    structure / standards

17
Where you can assist
  • New technologies, methods, processes (CNCI!)
  • Not so niche areas of general systems
    engineering, integration, rapid COTS / GOTS
    insertion, etc
  • Collaboration with other innovative companies
  • Partner with other security groups, IA/cyber
    entities
  • Cyber packages needed, not un-integrated SW
  • Follow issues / concerns they will not go away
  • Think tank, study, and discovery support efforts
  • Top down risk management, prioritization approach!

18
Summary
  • There are MANY IA/cyber initiatives in the works
  • Follow the CNCI trail, that should prevail
  • We still need cyber enterprise Requirements,
    just as we do now for IA and IO and CA and .
  • What is needed now, current issues, will exist in
    cyber
  • W/o an enterprise risk management approach, any /
    all paths will do and we stay in the crisis of
    prioritization
  • We ALL need better collaboration DOD on down
  • Users / platforms must drive cyber KISS
    commodity
  • Vendors / integrators need to coalesce, drive
    the truck

Remember the P6 principle Planning and
communications only gets us part way there Thats
our story whats yours?
19
(No Transcript)
20
What is Information Assurance (IA)?
Measures that Protect and Defend Information and
Information Systems by Ensuring Their
Availability, Integrity, Authentication,
Confidentiality, and Non-Repudiation. This
Includes Providing for Restoration of Information
Systems by Incorporating Protection, Detection,
and Reaction Capabilities.
Confidentiality
  • Assurance that Information is Not Disclosed to
    Unauthorized Entities or Processes

Integrity
  • Quality of Information System Reflecting Logical
    Correctness and Reliability of Operating System

INFOSEC
Availability
  • Timely, Reliable Access to Data and Information
    Services for Authorized Users

Information Assurance
Authentication
  • Security Measure Designed to Establish Validity
    of Transmission, Message, or Originator

Non-Repudiation
  • Assurance Sender of Data is Provided with Proof
    of Delivery and Recipient with Proof of Senders
    Identity

20
WHAT parts belong where wrt our collective
enterprise trust model?
21
Cyber Protections Overview
(or why IA/IO/Cyber is so complex / hard
because it is ALL of that and more!)
" CYBER"
PKI/CAC ID Mgmt
CIO FISMA Operations IAMs
IO and CNO Defend Attack Exploit
CND
CA
CA Support
IA
CMI/KMI
Policy
Training
IA Services
Multiple players Multiple PEs/Lines Multiple
threats Multiple PMW/S/As
Typical IA Acquisition elements
Requirements
Enterprise Risk Mgmt.
NETOPS
Strategy AND Governance critical to
implementation success!
22
An Overall Enterprise Picture(what are the
minimal elements, who owns them, how do they
get integrated?)
SOA Security needs to account for more than
just SOA!
Apps COIs
SOA/ESB/Services
Business processes
There is more to the enterprise IA/CA picture
than just CCE, SOA and Apps, which are hard
enough to integrate
CCE
Dynamic Access Control
ITIL/ITSM SLA execution
Data security strategy / ownership
Hardware / Software Assurance
Data privacy protection and Auditable anonymity
IA/Security strategy must consider the whole
enterprise trust model!
22
23
So what really matters in IA/Cyber E2E? A
notional Quality of Protection (QoP)
Hierarchy(Wrt our defense in breadth position
paper but what REALLY matters?)
DATA QoP (C-I-A and N A)
Complex Dynamic
Settings
IAA and CBE / DCS (distributed / transitive
trust model E2E data-centric security and
protections)
Core / Security Services ( WS and other security
policy / protocols / standards (including
versions extensions therein)
Standards
IA devices
network protection CND FW / IDS / VPN / etc
(in general, mature capabilities but multiple
unclear CM processes are persistent and
problematic)
Known Static
IO and ... IA
AE / Policy
CNO/E/A, IW, OPSEC, etc
Crypto, KMI, TSM/HAP, policy, etc
Mainly IA standards, IAA, CBE/DCS and digital
policy!
24
GIG IA Protection Strategy Evolution
Transactional Enterprise IA Protection
Model Required level of Information Protection
Specified for each Transaction
Static Perimeter Protection Model Common level
of Information Protection provided by System
High Environment
"Need to SHARE" and Distributed / transitive
trust models
  • Common User Trust Level (Clearances) across
    sys-high environment
  • User Trust Level sufficient across
    Transaction/COI varies for enterprise
  • Privilege assigned to user/device based on
    operational role and can be changed
  • Privilege gained by access to environment and
    rudimentary roles

Future
Today
  • Information authority determines required level
    of protection (QoP) for the most sensitive
    information in the sys-high environment high
    water mark determines IT/IA/Comms Standards for
    all information
  • Information authority determines required level
    of end-to-end protection (QoP) required to access
    information translates to a set of
    IT/IA/Comms Standard that must be met for the
    Transaction to occur
  • Manual Review to Release Information Classified
    at Less than Sys-high
  • Manual Analysis and Procedures determine allowed
    interconnects
  • Automated mechanisms allow information to be
    Shared (Released) when users/devices have
    proper privilege and Transaction can meet QoP
    requirements

We will be loosely connected, sharing information
and protected?
25
The Big Picture XML Family of Specifications
"LOTS" of standards and Specs to coordinate
26
IA / CA Building blocks
  • . The desired end-state is in general one of a
    transformed single CA process that accommodates
    all CA needs and activities (re TE / VV)
  • End-state needs to integrate and accommodate
    several major perspectives / initiatives
  • (1) aggregation into some number of larger
    systems of systems (SoS) and enclaves /
    platforms,
  • (2) platform IT (PIT),
  • (3) the federal CA transformation effort
    (bringing together DOD, IC and federal agencies),
    and
  • (4) the new NNWC CA process (for the Navy
    aspect).
  • Develop a "security container" of sorts emulating
    the "CC" process (see http//www.niap-ccevs.org/cc
    -scheme/ ) that IA devices go through
    establishes the same format / needs
  • Natural to have a limited and controlled set of
    IA building blocks for a FEW main classes
  • IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall,
    IDS/IPS, HBSS, HAP/TPM devices, reference
    monitor, etc)
  • IA enabled capabilities (OS, web browsers,
    messaging systems, screening routers, etc
    )(and we submit the IA/WSS standards need to go
    here too prescribe a limited set of IA
    profiles with defined standards / protocols!)
  • Services and Applications ( we think we can
    define a standard "security container" for each,
    ideally a class - maybe a couple are needed for
    SOA/Services we postulate the earlier three CA
    types would work well) )
  • Critical IA capability devices (any key IT
    capabilities, we may have missed and want to
    specifically consider)
  • PIT Platform IT variants (there should be ONE
    general PIT super set, then each SYSCOM takes
    that and tailors it a little more for HME,
    WPNs/CBS, Avionics/Controls, SATCOM/LOS radios,
    etc)
  • Remainder of NIST 95 descriptions Intelligence
    activities Cyrptologic activities command and
    control weapons and their systems systems for
    "direct military / intelligence" missions and
    classified systems... Any special cases
    defined
  • AND/OR consider the remainder of 8500.2
    categories AIS application enclaves
    outsourced IT PIT interconnection (where
    Platform IT refers to computer resources, both
    hardware and software, that are physically part
    of, dedicated to, or essential in real time to
    the mission performance of special purpose
    systems, such as weapons, training simulators,
    diagnostic test and maintenance equipment,
    calibration equipment, equipment used in the RD
    of weapons systems, medical technologies,
    transport vehicles, buildings, and utility
    distribution systems)

Just as IT must transition to a commodity
approach, so must Cyber security!
27
Cyber Spans Warfare and Business Mission Areas
Net-centric operations as well as the emerging
new joint capabilities and integration
development process is where the DoD is headed in
the Business of Warfighting
Cyberspace
Cyber must effectively integrate Business and
Warfighter Mission Areas
Where GOVERANCE (or lack of it), still rules
Source Secretary of State Hillary Clinton
Statement, January 21 2009 Source SSC Atlantic
Cyber Strategy
(Source notional partially derived from
industry partner brief)
28
A National Security Issue
Ubiquitous Presence
Salient Danger
  • Cyberspace intrusions and attacks are a real and
    emerging threat
  • U.S. faces a dangerous mixture of vulnerabilities
    and adversaries
  • Cyberspace situational awareness is not mature
    (and not at all levels)
  • PEOPLE, Information and the C4ISR infrastructure
    are targets
  • Exploitation, disruption, exfiltration,
    misinformation or destruction are adversary goals
    ( bragging rights)
  • Malicious cyberspace activity is increasing in
    regularity and severity
  • 1.5 billion people on the Internet much of Asia
    and Africa still to come
  • (using wireless, which is cheaper to install)
  • Upwards of 200B e-mails per day
  • Critical to commerce, government, business
    processes, safety, etc.
  • Exponential demand 8 hours of YouTube uploaded
    every minute
  • Increasing connections global wireless and
    cellular usage
  • Volumetric rise in data everywhere, with no
    enterprise data security and tracking approach
    (Internet database)

Attacks on Critical Infrastructure could
significantly disrupt the functioning of
government and business alike and produce
cascading effects far beyond the targeted sector
and physical location of the incident. --
2007 National Infrastructure Protection Plan
(Source derived from JS Cyber 101 brief)
Write a Comment
User Comments (0)
About PowerShow.com