Navigating the Compliance, Risk and Engineering Cyber Security Challenges Impacting Navy Programs

2015 ASNE Intelligent Ship Symposium

Presented by: Cyber Operations Division

Eric Matthews, CISM, CISSP, FQNV

DELPHINUS ENGINEERING

2015 ASNE – Intelligent Ship Symposium May 21, 2015

“Some organizations will be a target regardless of what they do, but most become a target because of what they do. Your organization is a target, you should understand as much as you can about what your opponent is likely to do and how far they are willing to go.”

-Verizon 2013 Data Breach Investigation Report

“It’s the commander’s business… Cyber is part of the warfighting system. We’ve elevated it from a business discussion to a warfighting discussion.”

-Matthew Swartz, Director Navy Cyber Awakening Taskforce


Profiling threat actors

ORGANIZED CRIME

• Victim industry: Finance, Retail, Food

• Region of operation: Eastern Europe, North America

• Common actions: Tampering (Physical), Brute force (Hacking), Spyware (Malware), Capture stored data (Malware), Adminware (Malware), RAM Scraper (Malware)

• Targeted assets: ATM, POS controller, POS terminal, Database, Desktop

• Desired data: Payment cards, Credentials, Bank account info

STATE-AFFILIATED

• Victim industry: Manufacturing, Professional, Transportation

• Region of operation: East Asia (China)

• Common actions: Backdoor (Malware), Phishing (Social), Command/Control (C2) (Malware, Hacking), Export data (Malware), Password dumper (Malware), Downloader (Malware), Stolen creds (Hacking)

• Targeted assets: Laptop/desktop, File server, Mail server, Directory server

• Desired data: Credentials, Internal organization data, Trade secrets, System info

ACTIVISTS

• Victim industry: Information, Public, Other Services

• Region of operation: Western Europe, North America

• Common actions: SQLi (Hacking), Stolen creds (Hacking), Brute force (Hacking), RFI (Hacking), Backdoor (Malware)

• Targeted assets: Web application, Database, Mail server

• Desired data: Personal info, Credentials, Internal organization data


Current Environment

Origin of external actors: Top 10

• China 30%

• Romania 28%

• United States 18%

• Bulgaria 7%

• Russia 5%

• Netherlands 1%

• Armenia 1%

• Germany 1%

• Colombia 1%

• Brazil 1%

Chart legend: Financial, Espionage, Other. Chart label: 398.

• Majority of financially motivated incidents involved actors in either the U.S. or Eastern European countries (e.g., Romania, Bulgaria, and the Russian Federation).

• 96% of espionage cases were attributed to threat actors in China and the remaining 4% were unknown.

• China is the most active source of national and industrial espionage in the world today.


When 2nd place is good enough!!

In May 2014, the U.S. Justice Department charged five Chinese military officers with cyber-theft from five U.S.-based corporations.

China has compromised a range of U.S. networks, including those of DoD, defense contractors, and private enterprises.

The Washington Post has identified various reports confirming dozens of critical system designs compromised by Chinese cyber actors, including:

• The Patriot Advanced Capability-3 air defense system,

• F–35 and the F/A–18 fighter aircraft, P–8A reconnaissance aircraft,

• Global Hawk UAV, Black Hawk helicopter,

• Aegis Ballistic Missile Defense System, and the Littoral Combat Ship.

The report also revealed Chinese cyber actors have obtained information on various DoD technologies, including directed energy, the UAV video system, tactical data links, satellite communications, electronic warfare systems, and the electromagnetic aircraft launch system (EMALS).

The J–31 appears to share similarities with Lockheed Martin’s F–35 and F–22 fighters. Credible reporting indicates Chinese cyber operators stole data on the design, performance, and other characteristics of the F–35 from the Western defense firms. The aircraft is designed for export to China’s friends and allies that are unable to purchase the F–35.

The J–31 will serve as the basis for China’s next-generation carrier-based aircraft.

The actors seeking information on these weapon systems and technologies are not just stealing the designs themselves, but they also are targeting internal communications, program schedules, meeting minutes, and human resource records, among other documents.


Navy Cyber Security Vision

Ensure that Navy cyberspace activity operations provide operational advantage by:

• Assuring access to cyberspace and confident command and control,

• Preventing strategic surprise in cyberspace,

• Delivering decisive cyber effects.

Navy Cyber Power 2020

The key end-state characteristics that the Navy must create and the major strategic initiatives to achieve success:

• Integrated Operations;

• Optimized Cyber Workforce;

• Technology Innovation; and

• Planning, programming, budgeting and execution, and acquisition reform.


Regulatory Compliance

DoD and Navy policy states that a successful cyber security program will identify all security requirements, which should be included in the initial implementation and in the design, acquisition, installation, operation, upgrade, or replacement of all DoD information systems.

It is the responsibility of senior leadership to focus on creating the mechanisms organizations use to ensure that personnel follow established processes and policies.

Understand that cyber security extends beyond the bounds of information security:

• Sound Engineering – include design features that promote stability and security

• Training and Awareness – provide the Fleet with proper training to ensure they are vigilant of cyber security threats

• Response, Recovery, and Restoration – actively respond to internal and external malicious attacks, as well as recover from system failures caused by inadvertent operator error or internal and external malicious attack


Certification & Accreditation DIACAP to RMF Transformation


Cyber security risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the mission of the system.

Developing a risk management process to protect the organization and its ability to perform its mission, not just its information assets, should be an organization’s principal goal.


Risk Management

The risk management processes that are most important to cyber security are risk assessment, threat analysis, and risk mitigation.

Risk Management Process

• Prepare for Risk Mgmt.

– Establish a Risk Mgmt. Strategy

– Define Risk Parameters

• Identify and Analyze Risk

– Determine Risk Sources and Categories

– Identify and document risks

– Evaluate, categorize, and prioritize risks

• Mitigate Risks

– Develop risk mitigation plans

– Implement risk mitigation plans

• Continuous Monitoring


Risk Assessment

The process includes identification and evaluation of risks and risk impacts, and concludes with recommended risk-reducing measures.


Cyber Security Threat Analysis

A cyber security threat analysis results in a specific list of tools, techniques, and methodologies that can be used to attack and/or compromise the system under development.

In order to conduct a cyber security threat analysis, engineers should start with a defined list of threats (i.e., methods, tools, and techniques) that can be used to attack the information system or the information being processed.


Malware Threat Taxonomy


Vulnerability/Patch Management


Risk Mitigation

The process of prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the output of the risk assessment process.


Integrating Cyber Security with Engineering Processes

Systems Engineering Processes

– Simplified System Engineering Process

– Systems Engineering Technical Review (NAVAIR)


Systems Engineering Technical Review


Summary

Compliance is necessary to ensure that organizations’ programs support and enable the achievement of the Navy’s strategies and objectives.

Offensive cyber operations require sustained privileged access to a target system or network. Gaining such privileged access is challenging for most targets of military interest.

The threat must discover or create useful vulnerabilities to gain access and escalate privilege. Target system or network configurations are subject to unexpected changes and upgrades, so an avenue of access that worked one day might not work the next.

Our adversary can also be expected to employ highly trained system and network administrators, and this operational staff will be equipped with continuously improving network defensive tools and techniques (the same tools we advocate to improve our defenses).


Summary (continued)

Once an organization has fully implemented the risk assessment, threat analysis and risk mitigation processes, management will be able to determine asset value, analyze potential threats by plotting likelihood against severity of harm, and then prioritize on the basis of the organizational mission and the projected resources required for effective mitigation efforts.

Navy organizations must become more diligent with protecting every aspect of their systems; integrating cyber security into existing engineering processes allows for a much more comprehensive approach to lifecycle management.

Sustainment procedures should include cyber security operational and procedural guidelines to protect the Navy, ensuring adequate protection is maintained throughout the entire system life cycle.

Every upgrade and advancement should integrate the cyber security aspect within the design and planning phase to ensure vulnerabilities have been addressed. Configuration Management.


Questions