Information Assurance Efforts at the Defense Information Systems Agency & in the DoD
Richard Hale, Information Assurance Engineering
Defense Information Systems Agency
Critical Infrastructure Protection Day March 14, 2000
Success in Combat Depends on Protecting Information & Information Systems
DoD Information Assurance efforts are aimed at providing assurance that war fighters and those who support them can safely rely on the information and information infrastructures required to fulfill their missions.
National Plan for Information Systems Protection
• Prepare and Prevent
• Detect and Respond
• Build Strong Foundations
DoD TCP/IP Networks
Classified networks are physically and cryptographically separated from the unclassified nets.
[Diagram: the Internet alongside the DoD TCP/IP networks NIPRNET, SIPRNET and JWICS]
Some of DISA’s Missions
• Designing, building, & operating DoD intranets
  – The NIPRNET (an unclassified network)
  – The SIPRNET (a classified intranet)
• Designing and building core DoD command and control systems and software processes
  – Global Command and Control System (GCCS)
  – Global Combat Support System (GCSS)
  – Common Operating Environment (COE)
• Designing and operating the DoD’s large processing facilities
One More DISA Mission
• Designing and operating the DoD Computer Emergency Response Team (DoD CERT)
  – As well as regional CERTs
  – Integrated with the management of the networks and information systems
  – Primary technical support to the DoD Computer Network Defense Joint Task Force
Prepare and Prevent
DoD Global Information Grid: Draft Information Assurance Policy
“The DoD shall follow an enterprise-wide IA architecture that implements a defense-in-depth strategy which incorporates both technical and non-technical means…”
Defense-In-Depth: Layered Security Strategy
• Counter full range of attacks
  – Defense in multiple places
  – Defenses & detection against insiders and outsiders
• Multiple complementary roadblocks to certain attacks
  – Increases resistance
  – Allows increased use of COTS solutions
  – Contains some insiders
  – May buy time to detect, analyze, and react
• Protect, Detect, React/Respond paradigm
  – Detection is critical owing to the imperfection of protections
• Quality control via Certification and Accreditation
Defense-in-Depth: Defend the Computing Environment (End System Security)
• Properly configured operating systems
  – DISA provides guidance documents for Microsoft and various UNIX operating systems
• Properly designed and configured application software
  – Common Operating Environment, Command and Control Software, Combat Support Software
• Security services at the workstation
  – Anti-virus software, etc.
• System administrator training/certification
• Host incident monitoring/intrusion detection
• Physical security and clearances
Defense-in-Depth: Defend the Enclave Boundary
• Inventory/mapping of the enclave
  – Including all paths in and out
• Proper defenses on each path
  – Firewalls, dial-in security
  – Placement of externally visible servers (e.g., web servers)
• Enclave-level incident monitoring, correlation, situation awareness
• Hardening of infrastructure components
  – Routers, Domain Name System, etc.
  – DoD policy on allowed & disallowed protocols in draft
[Diagram: an enclave (building, base, processing center) containing end systems]
Defense-in-Depth: Defend the Networks & Infrastructure
• Encrypted circuits for classified nets
• Hardened infrastructure
  – Routers, switches, Domain Name System (DNS) servers
  – Including intra-component signaling
• Infrastructure security services
  – Public Key Infrastructure, directories
• Firewalls for network control centers
• Incident monitoring, correlation, response
  – Joint Task Force-Computer Network Defense (JTF-CND)
  – Regional and Global Operations & Security Centers
• Connection approval processes
• NIPRNET redesign
• Control of DoD connection to the Internet
  – Including stopping certain protocols
[Diagram: DoD networks linking enclaves (building, base, processing center) and end systems, with a controlled connection to the Internet]
DoD Defense-in-Depth Summary
[Diagram: the layers together: end system, enclave, DoD networks, Internet]
There is no magic bullet
Public Key Infrastructure (PKI) in DoD
Enabling (some) Trust in the Digital World
Currently two pieces to the DoD PKI:
1. “Medium Assurance” or Class 3
  • Essentially best commercial practice
  • Based on commercial technology
  • Many organizations issuing or preparing to issue certificates from this infrastructure
2. Fortezza
  • Being fielded as part of Defense Message System
What’s A Public Key Infrastructure?
All the components, processes, and procedures required to issue and manage digital certificates
[Diagram: Certificate Authority, Registration Authority, Directory (public keys and revocation lists), Subscriber (key owner, e.g. Alice) sending “$$ to Bob”, Relying Party (Bob)]
DoD Class 3 PKI Components
• The system is operational and issuing identity certificates
• Initial customers
  – Defense Travel System
  – Defense Security Service
  – DFAS
  – Army Chief of Staff
  – JEDMICS
  – Navy San Diego Region
  – DISA
[Diagram: Root, Certificate Server, Directory, Registration Authority, Local Registration Authority, Users, NSA; at two Defense Processing Centers]
How Good Are the Certificates? (or, how tight is the tie between the key and the name?)
• A variety of dimensions of assurance
  – Strength of cryptography at end user & at Certificate Authority
  – Form and protection of private keys at end user & CA
  – Processes & controls employed in operation of the PKI
    • User registration, certificate issuance, auditing of various things, etc.
• One selects a particular level of assurance by:
  – Considering overall security requirements for information being protected
PKI Assurance May Get Better in COTS Without Much Action on Our Part
E.g., if smart cards become standard and interoperable, we may be able to move to hardware storage of the private key with relatively little pain.
[Chart: assurance supported by COTS, now vs. then: private key protected in software (now) → private key protected in hardware token, e.g., smart card (then)]
Detect and Respond
DISA Maintains Global Operational Situational Awareness... to determine if an operational capability is degraded by attack, outage, or both
[Diagram: physical attack, component failure, accidental outage, cyber attack]
– Monitor current and planned military operations and contingencies
– Information warfare events
– Intelligence reports
– Weather/natural disasters
– Scheduled outages
– Facility and equipment failures
– System and application failures
– IA sensor grid
Global Network Operations & the DoD CERT are an Integrated Team
Defense and Protection of the Global Information Grid
GNOSC (Global Network Operations & Security Center)
• Intrusion Detection Systems Management
• Global Management of the DII
• Global Situational Awareness
DoD CERT (Computer Emergency Response Team)
• Strategic Intrusion Analysis
• Incident Handling and Response
• Information Assurance Vulnerability Alerts (IAVA)
[Diagram: GNOSC and the DoD CERT share event correlation and sensor grid reporting and analysis, supporting the Joint Task Force - Computer Network Defense]
Getting the Word Out: Information Assurance Vulnerability Alert (IAVA)
• DoD CERT response to critical vulnerabilities: Alert (IAVA), Bulletin (IAVB), Technical Advisory
• Recipient actions, tracked in the IAVA database / Vulnerability Compliance Tracking System:
  – Acknowledge receipt
  – Apply fixes
  – Acknowledge compliance
• Global distribution to DoD system administrators & program managers
• Organizational accountability
http://www.cert.mil/
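As an added illustration (not DISA's Vulnerability Compliance Tracking System or any DoD code), a small Python model of the receipt / fix / compliance workflow above with suspense dates, so the tracker can name the organizations that are overdue; the organization names, alert id and dates are constructed.

```python
from datetime import date, timedelta

# Constructed model (not DISA's system) of the IAVA workflow on the slide: the
# DoD CERT issues an alert, each organization must acknowledge receipt, apply
# the fix and acknowledge compliance, and the tracking system reports who is
# overdue. Organization names, alert ids and dates below are made up.

class ComplianceTracker:
    def __init__(self, organizations):
        self.organizations = list(organizations)
        self.alerts = {}  # alert_id -> {"ack_due", "fix_due", "orgs": {org: [ack_date, compliance_date]}}

    def issue(self, alert_id, issued, ack_days, fix_days):
        """Distribute an alert to every organization with two suspense dates."""
        self.alerts[alert_id] = {
            "ack_due": issued + timedelta(days=ack_days),
            "fix_due": issued + timedelta(days=fix_days),
            "orgs": {org: [None, None] for org in self.organizations},
        }

    def acknowledge_receipt(self, alert_id, org, on):
        self.alerts[alert_id]["orgs"][org][0] = on

    def acknowledge_compliance(self, alert_id, org, on):
        record = self.alerts[alert_id]["orgs"][org]
        if record[0] is None:  # compliance without receipt is a reporting error
            raise ValueError(f"{org} reported compliance without acknowledging receipt")
        record[1] = on

    def status(self, alert_id, today):
        """Per-organization state, flagging missed suspense dates for accountability."""
        alert = self.alerts[alert_id]
        report = {}
        for org, (acked, complied) in alert["orgs"].items():
            if complied is not None:
                report[org] = "compliant"
            elif acked is None:
                report[org] = "receipt overdue" if today > alert["ack_due"] else "awaiting receipt"
            else:
                report[org] = "fix overdue" if today > alert["fix_due"] else "fix in progress"
        return report

def demo():
    """Constructed sample: one alert, three organizations, status after 35 days."""
    t = ComplianceTracker(["Army", "Navy", "DISA"])
    t.issue("IAVA-EXAMPLE-001", date(2000, 3, 1), ack_days=5, fix_days=30)
    t.acknowledge_receipt("IAVA-EXAMPLE-001", "Army", date(2000, 3, 2))
    t.acknowledge_receipt("IAVA-EXAMPLE-001", "DISA", date(2000, 3, 3))
    t.acknowledge_compliance("IAVA-EXAMPLE-001", "DISA", date(2000, 3, 20))
    return t.status("IAVA-EXAMPLE-001", date(2000, 4, 5))
```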
Build Strong Foundations
How Do We Know Security Is Improving? DISA IA Metrics Program
1. What to measure?
  • Objective not subjective
  • What is our current baseline, and how do we know if we’ve improved?
2. Analysis of the data
  [Chart: # of events vs. # of sensors]
  “For example, is there a relationship between the number of events and the number of sensors?”
3. Aimed at answering questions like...
  • Are we spending our money wisely?
  • Where is more effort/resources required?
  • Are we more or less secure than N months ago?
4. Institutionalizing the metrics process
  • Collect the measurements
  • Analyze the measurements
  • Report the measurements and observations
  • Review metrics and modify process
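An added worked example, not part of the original briefing, of the sensors-versus-events question above: with constructed monthly figures, raw event counts rise in step with sensor deployments, while the per-sensor rate gives the fairer answer to “are we more or less secure than N months ago?”.

```python
from math import sqrt

# Constructed monthly figures (made up for this example, not DISA data):
# (month, sensors deployed on the IA sensor grid, events those sensors reported).
MONTHLY = [("Jan", 20, 400), ("Feb", 24, 470), ("Mar", 30, 610), ("Apr", 36, 700), ("May", 40, 820)]


def pearson(xs, ys):
    """Correlation coefficient between two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))


def sensor_event_correlation(rows=MONTHLY):
    """Does the raw event count simply track how many sensors were deployed?"""
    return pearson([s for _, s, _ in rows], [e for _, _, e in rows])


def events_per_sensor(rows=MONTHLY):
    """Normalize so growth of the sensor grid is not mistaken for growth in attacks."""
    return {month: events / sensors for month, sensors, events in rows}


def change_since(n_months, rows=MONTHLY):
    """Fractional change, raw and per sensor, between the latest month and N months earlier."""
    _, s0, e0 = rows[-1 - n_months]
    _, s1, e1 = rows[-1]
    return {"raw": e1 / e0 - 1, "per_sensor": (e1 / s1) / (e0 / s0) - 1}
```

With these figures the raw count roughly doubles over four months while the per-sensor rate moves by about 2.5%, which is the difference between “attacks doubled” and “we deployed twice as many sensors”.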
One More Thing… Training
• DISA develops IA training materials and classes for the DoD
• Over 100 security classes provided annually
• ~100,000 IA training CDs and videos sent out government-wide
http://its4dod.iiie.disa.mil