Navigating the Compliance, Risk and Engineering Cyber Security Challenges Impacting Navy Programs
2015 ASNE – Intelligent Ship Symposium, May 21, 2015
Eric Matthews, CISM, CISSP, FQNV
Delphinus Engineering
Presented by: Cyber Operations Division
“Some organizations will be a target regardless of what they do, but most become a target because of what they do. Your organization is a target, you should understand as much as you can about what your opponent is likely to do and how far they are willing to go.”
-Verizon 2013 Data Breach Investigation Report
It’s the commander’s business… Cyber is part of the warfighting system. We’ve elevated it from a business discussion to a warfighting discussion.
-Matthew Swartz, Director Navy Cyber Awakening Taskforce
Profiling threat actors

ORGANIZED CRIME
  Victim industry: Finance, Retail, Food
  Region of operation: Eastern Europe, North America
  Common actions: Tampering (Physical); Brute force (Hacking); Spyware (Malware); Capture stored data (Malware); Adminware (Malware); RAM scraper (Malware)
  Targeted assets: ATM, POS controller, POS terminal, Database, Desktop
  Desired data: Payment cards, Credentials, Bank account info

STATE-AFFILIATED
  Victim industry: Manufacturing, Professional, Transportation
  Region of operation: East Asia (China)
  Common actions: Backdoor (Malware); Phishing (Social); Command/Control (C2) (Malware, Hacking); Export data (Malware); Password dumper (Malware); Downloader (Malware); Stolen creds (Hacking)
  Targeted assets: Laptop/desktop, File server, Mail server, Directory server
  Desired data: Credentials, Internal organization data, Trade secrets, System info

ACTIVISTS
  Victim industry: Information, Public, Other services
  Region of operation: Western Europe, North America
  Common actions: SQLi (Hacking); Stolen creds (Hacking); Brute force (Hacking); RFI (Hacking); Backdoor (Malware)
  Targeted assets: Web application, Database, Mail server
  Desired data: Personal info, Credentials, Internal organization data
Current Environment

Origin of external actors: Top 10
[Chart: share of incidents by country of the external actor, broken out by motive (Financial, Espionage, Other). Countries shown: China, Romania, United States, Bulgaria, Russia, Netherlands (1%), Armenia (1%), Germany (1%), Colombia (1%), Brazil (1%); the percentages for the first five did not survive extraction.]
• The majority of financially motivated incidents involved actors in either the U.S. or Eastern European countries (e.g., Romania, Bulgaria, and the Russian Federation).
• 96% of espionage cases were attributed to threat actors in China; the remaining 4% were unknown.
• China is the most active source of national and industrial espionage in the world today.
When 2nd place is good enough!!
In May 2014, the U.S. Justice Department charged five Chinese military officers with cyber-theft from five U.S.-based corporations.
China has compromised a range of U.S. networks, including those of DoD, defense contractors, and private enterprises.
The Washington Post has identified various reports confirming dozens of critical system designs compromised by Chinese cyber actors, including:
• The Patriot Advanced Capability-3 air defense system,
• F–35 and the F/A–18 fighter aircraft, P–8A reconnaissance aircraft,
• Global Hawk UAV, Black Hawk helicopter,
• Aegis Ballistic Missile Defense System, and the Littoral Combat Ship.
The report also revealed Chinese cyber actors have obtained information on various DoD technologies, including directed energy, the UAV video system, tactical data links, satellite communications, electronic warfare systems, and the electromagnetic aircraft launch system (EMALS).
The J–31 appears to share similarities with Lockheed Martin’s F–35 and F–22 fighters. Credible reporting indicates Chinese cyber operators stole data on the design, performance, and other characteristics of the F–35 from Western defense firms. The aircraft is designed for export to China’s friends and allies that are unable to purchase the F–35.
The J–31 will serve as the basis for China’s next-generation carrier-based aircraft.
The actors seeking information on these weapon systems and technologies are not just stealing the designs themselves, but they also are targeting internal communications, program schedules, meeting minutes, and human resource records, among other documents.
Navy Cyber Security Vision
Ensure that Navy cyberspace operations provide operational advantage by:
• Assuring access to cyberspace and confident command and control,
• Preventing strategic surprise in cyberspace,
• Delivering decisive cyber effects
Navy Cyber Power 2020
The key end-state characteristics that the Navy must create, and the major strategic initiatives to achieve success:
• Integrated Operations;
• Optimized Cyber Workforce;
• Technology Innovation; and
• Planning, programming, budgeting and execution, and acquisition reform.
Regulatory Compliance
DoD and Navy policy state that a successful cyber security program identifies all security requirements, and that those requirements are included from the initial implementation onward in the design, acquisition, installation, operation, upgrade, or replacement of all DoD information systems.
It is the responsibility of senior leadership to create the mechanisms organizations use to ensure that personnel follow established processes and policies.
Understand that cyber security extends beyond the bounds of information security:
• Sound Engineering – include design features that promote stability and security
• Training and Awareness – provide the Fleet with proper training to ensure they are vigilant about cyber security threats
• Response, Recovery, and Restoration – actively respond to internal and external malicious attacks, and recover from system failures caused by inadvertent operator error or by internal and external malicious attack
Certification & Accreditation: DIACAP to RMF Transformation
Cyber security risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the mission of the system.
An organization’s principal goal should be to develop a risk management process that protects the organization and its ability to perform its mission, not just its information assets.
Risk Management
The risk management processes that are most important to cyber security are risk assessment, threat analysis, and risk mitigation.
Risk Management Process
• Prepare for Risk Mgmt.: establish a risk management strategy; define risk parameters
• Identify and Analyze Risk: determine risk sources and categories; identify and document risks; evaluate, categorize, and prioritize risks
• Mitigate Risks: develop risk mitigation plans; implement risk mitigation plans
• Continuous Monitoring
Risk Assessment
The process includes identification and evaluation of risks and risk impacts, and concludes with recommended risk-reducing measures.
Cyber Security Threat Analysis
A cyber security threat analysis results in a specific list of tools, techniques, and methodologies that can be used to attack and/or compromise the system under development.
To conduct a cyber security threat analysis, engineers should start with a defined list of threats (i.e., methods, tools, and techniques) that can be used to attack the information system or the information being processed.
Malware Threat Taxonomy
Vulnerability/Patch Management
Risk Mitigation
The process of prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended by the output of the risk assessment process.
Integrating Cyber Security with Engineering Processes
Systems Engineering Processes
– Simplified System Engineering Process
– Systems Engineering Technical Review (NAVAIR)
Systems Engineering Technical Review
Summary
Compliance is necessary to ensure that organizations’ programs support and enable the achievement of the Navy’s strategies and objectives.
Offensive cyber operations require sustained privileged access to a target system or network. Gaining such privileged access is challenging for most targets of military interest.
The threat must discover or create useful vulnerabilities to gain access and escalate privilege. Target system or network configurations are subject to unexpected changes and upgrades, so an avenue of access that worked one day might not work the next.
Our adversary can also be expected to employ highly trained system and network administrators, and this operational staff will be equipped with continuously improving network defensive tools and techniques (the same tools we advocate to improve our defenses).
Summary
Once an organization has fully implemented the risk assessment, threat analysis, and risk mitigation processes, management will be able to determine asset value, analyze potential threats by plotting likelihood against severity of harm, and then prioritize on the basis of the organizational mission and the projected resources required for effective mitigation efforts.
Navy organizations must become more diligent in protecting every aspect of their systems; integrating cyber security into existing engineering processes allows for a much more comprehensive approach to lifecycle management.
Sustainment procedures should include cyber security operational and procedural guidelines to protect the Navy by ensuring adequate protection is maintained throughout the entire system life cycle.
Every upgrade and advancement should integrate the cyber security aspect within the design and planning phase to ensure vulnerabilities have been addressed.
Configuration Management
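As an added worked example, not from the presentation, this Python script carries the risk model stated on the Risk Management slides and in the summary through one pass: each entry is scored as likelihood of a threat source exercising a vulnerability times severity of harm, plotted on a likelihood-versus-severity grid, weighted by mission importance, and prioritized within the projected mitigation resources. The three-level scale, the mission weights, the person-day cost unit and the register entries are all assumptions.

```python
"""Mission-weighted risk register: likelihood x impact, then prioritization
against projected mitigation resources. Constructed example; the three-level
scale, the weights, the cost unit and the register entries are all assumed."""
from dataclasses import dataclass

LEVEL = {"low": 1, "moderate": 2, "high": 3}  # assumed qualitative scale

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str            # technique from the threat analysis (slide taxonomy)
    likelihood: str        # chance the threat source exercises the vulnerability
    impact: str            # severity of harm to the mission if it does
    mission_weight: float  # 1.0 = mission-critical asset; lower = supporting
    mitigation_cost: int   # projected effort to mitigate (assumed: person-days)

def risk_score(r: Risk) -> float:
    """Likelihood x impact, scaled by how much the mission depends on the asset."""
    return LEVEL[r.likelihood] * LEVEL[r.impact] * r.mission_weight

def heat_map(register):
    """Plot likelihood against severity of harm: (likelihood, impact) -> assets."""
    cells = {}
    for r in register:
        cells.setdefault((r.likelihood, r.impact), []).append(r.asset)
    return cells

def prioritize(register, budget):
    """Rank by mission-weighted risk, then fund mitigations in that order until
    the projected resources run out; a skipped item stays on the ranked list."""
    ranked = sorted(register, key=risk_score, reverse=True)
    funded, remaining = [], budget
    for r in ranked:
        if r.mitigation_cost <= remaining:
            funded.append(r)
            remaining -= r.mitigation_cost
    return ranked, funded

# Constructed register: generic shipboard assets and techniques from the
# threat-actor profile; values are illustrative, not from any Navy program.
REGISTER = [
    Risk("directory server", "Stolen creds (Hacking)", "high", "high", 1.0, 12),
    Risk("mail server", "Phishing (Social)", "high", "moderate", 0.8, 5),
    Risk("web application", "SQLi (Hacking)", "moderate", "moderate", 0.5, 8),
    Risk("desktop", "Downloader (Malware)", "low", "low", 0.3, 2),
]

if __name__ == "__main__":
    print([(round(risk_score(r), 1), r.asset) for r in prioritize(REGISTER, 20)[0]])
```

With a 20 person-day budget the web application mitigation is skipped because the two higher-ranked items consume 17 days, while the cheap desktop item still fits; the ranked list keeps the unfunded entry visible for the next planning cycle.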