FY10 Tactical Plans for Computer Security - PowerPoint PPT Presentation

1
FY10 Tactical Plans for Computer Security
DocDB 3378: FY10 Tactical Plan for Computer Security

  • Ron Cudzewicz
  • October 8, 2009

2
FY10 Tactical Plan for Computer Security
  • Tactical Plan Leader: Joe Klemencic
  • Service Activity List
      • Compliance-Auditing-Oversight
      • Information Systems Security Manager
      • Information Security Officer
      • Certification Agent
      • Integrated Security Management
      • Security Researcher
  • Project Activity List
      • DOE Compliance
      • Scanning Infrastructure
      • Vulnerability Detection and Management
      • NLCIO, DOE, CSWG
      • CS Administration

3
Service Activity: Information Systems Security Manager
  • Goals Related to this Activity (Project 511)
      • Comply with the ISSM responsibilities as assigned in DOE M 205.1-5.
      • Define and communicate the strategic direction of the Fermilab Computer Security program.
      • Serve as the FNAL computer security representative to the DOE.
      • Continuously review and update all existing computer security policies and plans.
      • Formulate new policies and plans as needed.
  • Key Metrics
      • Effort Reporting
  • Service Documentation
  • Issues and Risks
      • None

4
Service Activity: Information Security Officer
  • Goals Related to this Activity (Project 511)
      • Comply with the ISO responsibilities as assigned in DOE M 205.1-5.
      • Communicate individual incident and potential incident reports to the ISSM.
      • Initiate ISSM-approved protective or corrective actions.
      • Participate in ISSM self-assessment and training programs.
      • Communicate OSE policies to the OSG and other participating organizations, and enforce those policies.
  • Key Metrics
      • Effort Reporting
  • Milestones: Continued DOE funding.
  • Service Documentation
  • Issues and Risks (specific to this activity, includes allocation impact)

5
Service Activity: Certification Agent
  • Goals Related to this Activity (Project 511)
      • Comply with the CA responsibilities as assigned in DOE M 205.1-5.
      • Conduct comprehensive assessments of the management, operational, assurance and technical security controls in an information system.
      • Provide system owners with the level of effort and resource requirements for conducting the ST&E process.
      • Provide forensics expertise during and/or after computer security incidents.
  • Key Metrics
      • Percentage of ST&E controls assessed within the past 12-month period as part of the ongoing continuous monitoring process.
      • All DOE Office of Science data calls responded to on or before their deadlines.
      • Data calls current status chart: https://cd-docdb.fnal.gov:440/cgi-bin/ShowDocument?docid=2959
      • Data calls yearly response chart rollup.
  • Milestones: Continued DOE funding.
  • Service Documentation
  • Issues and Risks

6
Service Activity: Integrated Security Management
  • Goals Related to this Activity (Project 50, not members of the computer security team)
      • Special requests related to Computer Security requirements, e.g.:
          • Effort requested by computer security for data collections
          • FCIRT incident response activity
          • Audit preparation and interviews
  • Key Metrics
      • Effort Reporting
  • Milestones
  • Service Documentation
  • Issues and Risks
      • None

7
Service Activity: Security Researcher
  • Goals Related to this Activity are still under development by security management.
  • Key Metrics
      • Effort Reporting
  • Milestones, if any applicable (may be none for some Service Activities)
  • Service Documentation: Location of a Service Definition and related documentation
  • Issues and Risks

8
Service Activity: Compliance-Auditing-Oversight
  • Goals Related to this Activity (Project 50, only members of the Computer Security Team)
      • Re-architect the business internet traffic inspection to accommodate the increase in bandwidth.
      • Expand the CST central logging facilities horizontally.
      • Implement internal sensors to alert on potentially malicious traffic.
      • Encourage use of central services.
      • Minimize the impact of DOE requirements on the scientific program.
      • Continue to refine security controls for the Open Science Enclave (OSE).
  • Key Metrics
      • Effort Reporting
  • Milestones
  • Service Documentation

9
Project Activity: DOE Compliance
  • Goals Related to this Activity
      • Maintain hardware and software on currently installed systems to support data collection, anomaly detection and policy enforcement as mandated by the DOE.
      • Implement DNS Blackhole servers to redirect users to restricted resources when they attempt to contact malicious sites or services.
      • Implement Intrusion Detection Systems and Traffic Profilers on internal networks to facilitate anomaly detection and rapid detection of compromised nodes.
      • Augment training and general security awareness among Fermilab employees through the Computer Security Awareness Day and ongoing computer security awareness training.
      • Provide resources to facilitate metrics creation, data mining and the introduction of automated utility computing.
      • Procure the equipment and services to facilitate the relocation of equipment in the FCC2 computer room.
      • Procure larger hard drives for the continuous growth of data collection and to replace failed units.
      • Procure additional equipment to support new DOE directives and initiatives on a contingency basis.
  • Key Milestones
  • Project Documentation
  • Issues and Risks
      • Developing an agile posture toward possible, unplanned-for new DOE requirements to minimize non-compliance risks.
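The DNS Blackhole goal above (and its "deny and track access attempts" framing in the summary slides) reduced to its policy core, as an added illustration that is not part of the tactical plan or of Fermilab's implementation: a blocklisted zone, or any name beneath it, is answered with a sinkhole address, and every such attempt is recorded per client so the security team can track it. The blocklist, sinkhole address and upstream answers are constructed sample data using documentation address ranges.

```python
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

class DnsBlackhole:
    """Minimal DNS blackhole policy (added illustration, not the plan's code)."""

    def __init__(self, blocked_zones: List[str], sinkhole_ip: str) -> None:
        # Normalise zones once: lower-case, no trailing dot.
        self.blocked = {z.lower().rstrip(".") for z in blocked_zones}
        self.sinkhole_ip = sinkhole_ip
        # (client_ip, queried_name, matched_zone) for every sinkholed lookup
        self.attempts: List[Tuple[str, str, str]] = []

    def matched_zone(self, qname: str) -> Optional[str]:
        """Blocklisted zone covering qname (label-wise suffix match), or None."""
        # cdn.evil.example matches an entry of evil.example; evil.example.org does not.
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def resolve(self, client_ip: str, qname: str,
                upstream: Callable[[str], Optional[str]]) -> Optional[str]:
        """Sinkhole a blocklisted name and record the attempt; else ask upstream."""
        zone = self.matched_zone(qname)
        if zone is None:
            return upstream(qname)
        self.attempts.append((client_ip, qname, zone))
        return self.sinkhole_ip

    def report(self) -> Dict[str, int]:
        """Sinkholed attempts per zone: the 'track access attempts' part."""
        return dict(Counter(zone for _, _, zone in self.attempts))

# Constructed sample data (documentation address ranges, not real hosts).
UPSTREAM_TABLE = {"docs.example.org": "198.51.100.20"}
SINKHOLE_IP = "192.0.2.1"  # restricted landing host users are redirected to

def fake_upstream(qname: str) -> Optional[str]:
    return UPSTREAM_TABLE.get(qname.lower().rstrip("."))

def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Dict[str, int]]:
    bh = DnsBlackhole(["evil.example", "c2.test"], SINKHOLE_IP)
    a = bh.resolve("10.1.2.3", "docs.example.org", fake_upstream)  # normal answer
    b = bh.resolve("10.1.2.3", "cdn.EVIL.example.", fake_upstream)  # sinkholed
    c = bh.resolve("10.1.2.4", "evil.example.org", fake_upstream)  # not blocked
    return a, b, c, bh.report()
```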

10
Project Activity: Scanning Infrastructure
  • Goals Related to this Activity
      • Install new distributed scanner hardware.
      • Maintain and expand the existing scanner infrastructure (memory, processor and storage upgrades).
  • Key Milestones
  • Metrics: More comprehensive scanner results.
  • Project Documentation: URL to Project Web Site or project definition documentation
  • Issues and Risks
      • An aging scanner infrastructure leaves the lab more vulnerable.

11
Project Activity: Vulnerability Detection and Management
  • Goals Related to this Activity
      • Installation of additional Splunk systems (hardware and software licenses). Special FY09 funding provided by DOE for this purpose: 216K.
      • Procure software maintenance and updates for the production web proxies.
  • Key Milestones
      • Procurement
      • Installation
  • Metrics: More comprehensive metrics generation by the Splunk systems.
  • Project Documentation
  • Issues and Risks
      • Potential compromise of Fermilab's ability to respond quickly to cyber attacks.
      • Increased vulnerability to data loss, data corruption and web-based services.

12
Project Activity: NLCIO, DOE, CSWG
  • Goals Related to this Activity
      • Attend Cyber Security-related workshops, conferences and training sponsored by the DOE Office of Science.
  • Key Milestones
  • Metrics
  • Project Documentation
  • Issues and Risks
      • Failure to understand and influence current regulations increases the operational burden on the Lab.

13
Project Activity: CS Administration
  • Goals Related to this Activity
      • Provide sufficient equipment, technologies, personal computers, etc. to carry out the mission of the CST Group.
  • Key Milestones
  • Metrics
  • Project Documentation
  • Issues and Risks
      • None

14
Ripple Effect on Shared IT Services (What new requirements does your service have for other services?)
  • Enhanced email log collection
  • Long term digital certificate offering
  • Multi-factor authentication
  • Electronic ID Management
  • Adoption of Centralized Authentication
  • Exemption Processing and Recording

Note: Help avoid emergency procurements, which incur added costs. At least put an X where need is expected, even if details are not yet known. Only activities with new demands on shared IT services since last FY need be listed.

Table columns: Descriptors; Agreed to?; Whose budget covers costs?; Is the driver a service or a project?
Descriptor codes:
  • A: Agreed with service provider
  • N: New need, not yet agreed to by service provider
  • M: My budget contains this
  • T: Shared service budget should contain this
  • S: Steady-state service drives this
  • P: Project activity alone drives this

Shared IT services with new demands:
  • Network Connectivity: expansion of existing service
  • Network-Attached Storage (a.k.a. BlueArc): additional storage space

15
FY10 FTE and M&S Request vs. Allocation
Level 0/1 Activity: Computer Security
Project Priorities:
  • High: Already committed to stakeholders to meet identified demands.
  • Medium: Provisioning for planned stakeholder demands, especially demand coming in the near term.
  • Low: Exploration to prepare for anticipated demand, especially demand coming in the long term.
If you wish to raise a priority beyond these definitions, please make your case in the Discussion.

16
Impact of Preliminary Allocation
  • With this preliminary allocation, we will be able
    to continue our strategic direction of becoming
    more proactive.
  • Maintain our active role in understanding and
    influencing DOE cyber security policy.

17
Summary of Past Action Items
  • None

18
Tactical Plan Summary
  • Summary
      • Failure to complete the re-architecture of the FY09-purchased hardware for the internet data inspection effort, due to external dependencies (facilities, networking, vendor bugs), will result in an even greater loss of inspected packets (currently around 60-80% packet loss) as internet bandwidth increases.
      • Failure to obtain and implement internal IDS/Profilers will result in a continued diminishing view into internal anomaly detection.
      • Delays incurred by the LAN group's DNS re-architecture project will result in a missed opportunity to implement DNS Blackhole servers to deny and track access attempts to hostile external resources.

19
Tactical Plan Summary
  • Summary (cont'd)
      • Due to the ever-increasing number of data collection sources, the current Splunk server will be operating beyond its index licensing and hardware specifications, resulting in data loss and missed log collection opportunities.
      • Scanning and data processing devices are in constant need of upgrades or replacement due to the ever-increasing data collection and data mining efforts. Failure to stay on top of performance and storage issues will result in data loss, excessive analysis time and a data retention interval shorter than that specified in the GCE Security Plans.

20
Tactical Plan Summary
  • Summary (cont'd)
      • Due to the specialized hardware and software in use, maintenance costs continue to rise as we increase licensing to match the additional data collection. Failure to renew maintenance will result in a freeze of signature and other constantly changing analyzer datasets, resulting in missed detection of new threats and an inability to repair failed hardware.
      • Business injects and out-of-scope operational issues interfere with the successful implementation of new resources, data mining efforts and support of the existing infrastructure.