What REALLY matters in Cyber? RE: Internet of things, privacy security and beyond




Transcription:

ISC2 with IEEE Cyber
What REALLY matters in Cyber? RE: Internet of things, privacy, security and beyond
Not sure HOW it can affect you (as it HAS already)? AND what is a "thing" - is that MORE we have to do??? COMPLEXITY
Circa 2015
Mike Davis, Mike.Davis.SD@gmail.com - ElectEngr/MSEE, CISSP & CISO SysEngr
ISSA / ISC2 / SOeC, AFCEA / NDIA, IEEE / INCOSE / et al
Bottom line - As in ALL things, it is mostly about the value proposition!

What's Wrong With This Security?
The issues / gaps therein are where the cyber opportunities are!!!
Mike.davis.sd@gmail.com
When a capability is invisible, like IA, safety, reliability, etc, what you see is not the whole picture!
"The gates were fully locked, properly configured and validated. I could not get through them. But..."
Thus Cyber can be an illusion.

Cutting through the CyberSecurity Fog!
B.L.U.F. - Bottom Line Up Front
- The threats are very real, and the news shows only a small percentage. It does not just happen to the other guy: YOU WILL be / ARE affected.
- You can not buy cyber security; you must manage cyber - many parts.
- The standard IA/Security suite is pretty good IF maintained well in operation.
- Focus on business risk reduction and minimizing legal liabilities. Adequate cyber protections are but one part - so is cyber insurance.
- The P6 principles still apply (being prepared), with strategic partnerships. Few can afford to go it alone: TEAM up & use a managed security service.
- Don't fix cracks in the cyber walls while the barn door is open! Keeping your cyber suite well maintained cuts incidents by 95%.

OK, so what does matter in Cyber?
- CYBER is fundamentally all about TRUST and DATA (identity, authentication, secure comms; provenance, quality, pedigree, assured).
- It's NOT about expensive new cyber capabilities / toys, but more about the interoperability glue (distributed trust, resiliency, automation, profiles).
- 90+% of security incidents are from lack of doing the basics!
- USE effective Security Continuous Monitoring (SCM / SIEM) - a MUST DO! With enforced cyber hygiene, enterprise access control, & reduced complexity (APLs).
- Shift from only protecting the network to the DATA security itself - an information centric view.
- Embrace your Risk Management Plan (RMP) - LIVE IT! Have an enforceable security policy (what is allowed / not) and train to it.
- KNOW your baseline - protect the business from the unknown risks as well.
- Employ a due diligence level of security, then transfer residual risks!
You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% reduction in security incidents - stabilize the environment!

So then, what MUST we DO? (MY TOP TEN - well, to at least the first / second order effect, 95% level!)
Follow the SANS top 20 and NSA top 10 mitigations AND map your security mitigations into the NIST SMB Security guide (TR 7621).
1 - KNOW your baseline from several views / aspects:
- Keep track of your HW / SW assets and their versions / status, as you can't manage what you don't know. Document what your secure baseline is, then monitor it.
- Maintain the cyber suite (hygiene, settings, patches, etc; automate where possible) and enforce strict access control (implement least privilege; use two factor authentication on key data / equipment, especially on sensitive data / critical cyber capabilities; two-person control on key assets; limit PC to PC / peer to peer comms; minimize privileged accounts; etc).
- Make it hard for hackers to get in and get around - this is JOB ONE: effective firewall rules (deny all with exceptions; monitor traffic going in and out), segment the networks, tighten / lock down the browser (where around 80% of all malware comes in, and using SSL it bypasses your cyber suite too), and don't allow users / non-admins to install anything on any end user device!
2 - Encrypt, encrypt, encrypt (and have a really good key management program too, as that's the real "key").
You can NOT buy cyber, so DO the cyber BASICS well! An achievable 90-95% reduction in security incidents - stabilize the environment!

So then, what MUST we DO?
3 - Use approved IA / cyber products
- Only buy off the NIAP/NSA/DISA lists of Approved / Preferred items (APLs).
- Minimizes your product complexity... and they come with C&A / A&A / V&V security pedigrees too!
4 - Effective SCM / SIEM / monitoring capability
- Watch for unusual behavior and keep track of key cyber settings, DNS, etc.
- And user actions too (humans, when monitored, always behave better).
5 - IDS/IPS (signatures) AND anomaly detection capability
- Watch for insider threats while monitoring both incoming AND outgoing traffic.
- Whitelisting works and is not hard to do; put developers in an isolated sandbox.
6 - DLP / DRM / data tracking capability
- Follow the data, complement SCM, support a continuous audit (risk) approach.
You can NOT buy cyber, so DO the cyber BASICS well! An achievable 90-95% reduction in security incidents - stabilize the environment!

So then, what MUST we DO?
All these capabilities exist, are sold by many vendors, and are not hard to buy, use, and monitor. To build your own effective defense-in-depth / breadth cyber ecosphere, see our plan too: http://www.sciap.org/blog1/wp-content/uploads/executing-an-effective-security-plan.pdf
7 - User awareness and education / training
- Make it personal, targeted (JIT) info to user types, even fun / make a game of it.
8 - Add in a little "OSI" too (open systems intelligence)
- Know who might be targeting you and the methods they would use against you.
- Join your sector ISACs, etc, to be aware of the threats and common mitigations.
9 - Risk Management Plan is essential
- The RMP must integrate with and support the business success factors / line managers!
- RM has many moving parts to account for, so write them down (see following slide).
10 - Get Cyber Insurance
- Part of risk management: transfer risks, but know what IS (and is not) included.
You can NOT buy cyber, so DO the cyber BASICS well! An achievable 90-95% reduction in security incidents - stabilize the environment!

Security Main Factors
Given ALL the NIST / NSA / DISA guidance (see back-ups) - What MUST WE DO?
- Implement the NIST "absolutely necessary" elements first and foremost to protect your data (encryption and back-ups).
- Effective passwords - still the bane of basic security, and policy is still poor! (Tokens / two-factor authentication should be used for critical data / processes.)
- Securing the client, fortifying the browser, buying trusted business apps / services - where the browser / client is THE largest malware entry point!
- Minimal security suite: antivirus, firewall, IDS, VPN, ISP / wireless security.
- Monitoring tools need to manage CM / hygiene, track users / data, provide alerts (SCM/SIEM) - supports preplanned SoPs / IRP / BCP / COOPs, etc.
- Enforce a living security policy: quantify actual risks, strict need to know, DATA protection - encryption, keys, and access control - minimize IP loss, DLP.
- A robust and adaptive security strategy = risk management plan (RMP), to keep pace with the fast-evolving nature of IT security, including cloud services / SLAs, etc.
Our Cyber Security operator course collates all these guides and maps.

The Integrated Business RM Approach + Making the Risk Management Plan (RMP) work!
Elements surrounding the RMP:
- Company Vision (business success factors)
- Security Policy (mobile, social media, etc)
- C&A / V&V (effective / automated)
- Known Baseline (security architecture)
- CMMI / Sustainment (SoPs / processes)
- Insider Threat
- Company Intel (open source, FB, etc)
- SCM / SIEM (monitor / track / mitigate)
- Privacy by Design (manage PII, HIPAA, compliance)
- MSS / CISO (3rd party IV&V support)
- Data Centric Security (DLP, reputation based methods)
- Cyber insurance (broker & legal counsel)
- Education / Training (targeted, JIT, needs based)
Common Business RMP model (re: RMF / COBIT & Risk IT) AND using the NIST Cybersecurity Framework (re: CAR / ESA)

Complexity of Enterprise IT Systems is Increasing - AND so is the associated Cyber Security, from sensor to cloud!
So - what is good enough security?
Follow the DATA: where is it, who has it, how sure are you?

What's new in cyber, and what matters?
- Sensor + WiFi = device --- Things -> systems, machines, equipment, and devices all connected to each other
- RFID, Apps, MEMS, WSN, sensors, SCADA, PLC, ASIC, API, etc, etc
- Is all this stuff secure? How much is needed?
- COMPLEXITY is everywhere! Where sensors dominate
- Where / How does privacy fit in IoT?
- The Internet of things (IoT) is not really new
- IoT requires ALL the cyber protections we already know - and still need to implement!

Gartner's 2013 Hype Cycle for Emerging Technologies
- How do we prove end-2-end security?
- Everything connected to everything? Comms secure?
- What is an adequate / due diligence level of security???
- Automation = machines in control? M2M secure?
- Pervasive new technologies? Built secure?
CYBER is all about SECURE technologies, DATA and communications! ALL the technologies need built in security = secure data, comms & privacy!

Cyberspace Characteristics
- All of the warfighting - and related business - domains intersect, in relation to other mission areas run by different Communities Of Interest (COI): C2, Banking / retail, CIP / infrastructure, IA Security, Manufacturing, Communications
- The Cyberspace Domain is contained within and transcends the others - cyberspace is a blend of exclusive and inclusive ties
- Frequently the COI boundaries / MOAs are implicit
- These Venn connections / COIs are pervasive
- Numerous, dynamic COIs dominate relationships - adding Complexity, Comms & Control overhead - causing cross domain / COI DATA sharing effects
Do NOT underestimate this aspect - it affects the CONTROLS needed for Privacy!

What are KEY cyber elements? (and what can we reasonably expect to influence / affect?)
Fundamental issues (givens?)
- Threats are elusive / morph, so plan / mitigate around consequences (aka, a fault tree)
- KISS, as complexity is our enemy - do the basics well (hygiene, anonymity, etc)
- In a connected world, it's the shared vulnerabilities that will get you / ALL of us
- They have an asymmetrical advantage; plan with it (and they don't follow the rules / laws)
- WE ALL need common homogenous security protection in a heterogeneous world
Essential gaps / needs (tenets?)
- Invest in the OSD / NSA R&D / S&T gap capabilities, as authoritative sources
- Apply trade-offs / assessments using a common end-state (an open / ubiquitous world)
- Use an enterprise risk management plan (RMP), and FOCUS on proactive SCM!
- If you can't integrate it into your IT / network environment, then it is useless
- Minimize what you don't know you don't know & get cyber insurance
If you don't know where you're headed, any blind alley will do - where the bad actors continue to count on US ALL not being in sync.

Cyber requires enterprise integration
- "Things" are only the stuff we need to accommodate - all IT/IA aspects!
- Systems / capabilities are characterized by their boundaries, where interfaces / controlling parameters / PPSM are key
- IoE = IoT + people, process, policy and DATA

Things must communicate
- No. of paths = n(n-1) = exponential - 10s of thousands of trillions of communication paths!
- Are ALL using secure channels? Data protected? Adequate authentication? No covert paths established?
- Securing low BW channels requires optimal cryptography algorithms, adequate key management systems, and security protocols that connect all these devices.

Threat Vectors of Interest (examples)
- Mobile devices and wireless - always predicted, yet proliferates in 2014. Increasing Android Trojans, digital wallets, USER provided network services / access points!
- Wireless security issues expand (besides 802.11 & WiMAX, to Zigbee, Z-Wave, ARM, etc.)
- BYOD - many more hidden costs, legalities and risks than it appears at first
- Cyber crime: easy money, minimal downside and growing (ransomware, etc). Illicit cyber revenues have essentially equaled all illegal drug trafficking dollars.
- The insider threat is much more impactful than given credit for. Consider compromised services and computing devices of all kinds (aka, supply chain security), with improved social engineering attacks and stealth exfiltration techniques, etc.
- Verizon Data Breach Report (2012) - MOST breaches avoidable! 96% of attacks not difficult; 85% took weeks to discover (average is 416 days); 92% discovered by a third party; 85-97% of data breaches / security incidents avoidable through simple or intermediate controls.
- Forbes - The Biggest Cybersecurity Threats of 2013+: Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware - AND Cloud security - pretty good, SLAs not enough, but ISPs / data centers better than most.
Mobile devices and cloud infrastructure hacking are two of the biggest attack vectors in crime / terrorism in 2014 and beyond.

Threat Vectors of Interest (Cont.)
- SSL / XML / web (HTML5) / browser vulnerabilities will proliferate. Browsers remain a major threat vector (80% - bypasses the IA suite) & watering holes. JAVA / VM / active code MUST be strictly managed / controlled / under CM.
- Convergence of data security and privacy regulation worldwide... Compliance gets pervasive (PCI DSS, HIPAA, etc)... Shift focus to privacy by design!
- Data security goes to the cloud - where security due diligence is more than SLAs!
- IPv6 transition will provide threat opportunities
- Data Loss Prevention (DLP) is still needed
- Containment is the new prevention (folks now get the "resilience" aspect...)
- Nation-sponsored hacking: when APT meets industrialization. More targeted custom malware (Stuxnet -> Duqu / and FLAME are only the beginning)
- Misanthropes and anti-socials / hacktivism morphs - ANYONE can do it now!
- Full time incident response needed: COOP, forensics, reporting, etc, etc
- Monitoring and analysis capability increase, but not enough (re: near real-time forensics & chain of custody evidence). Continuous monitoring is KEY (re: SCM / SIEM)
MUCH to consider in the threat equation, and it's always changing - hence why you must ALSO practice consequence risk management.

Verizon Data Breach Investigations Report - DBIR (2014)
10 year series, 63,437 incidents, 1367 breaches, 95 countries - a huge sample size! This includes YOUR business category too!!!
WHAT - 92% of incidents described by just nine patterns; shift from geopolitical attacks to large-scale attacks on payment card systems
Sectors - Public (47,479), Information (1132) and Finance (856)
Threats (%):
- POS intrusions - 31
- Web App Attacks - 21
- Cyber espionage - 15
- Card Skimmers - 14
- Insider misuse - 8
- Crimeware - 4
Mitigations - HYGIENE factors:
- Restrict remote access
- Enforce password policies
- Minimize non-POS activity on those terminals
- Deploy A/V (everywhere, POS too)
- Evaluate threats to prioritize treatments
- Look for suspicious network activity
- Use two-factor authentication
See also - Ponemon Institute's cyber report: key threats from cost based activities are malware, malicious insiders and web-based attacks. Forbes lists these: Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware.
We have met the cyber enemy, and they are US(ers).

Yes, It really is ALL about the DATA*
2020 Data Vision (Courtesy of Dan Green / SPAWAR): Themes and Memes (Technology vs Technology Adoption)
- Convergence = Genomics, Robotics, Informatics, Nanotech (each a $B+ market)
- CBAD = Cloud, Big Data, Analytics, Data Science (are you all-in?)
- Telematics = Sensing robotics, Cyber Physical Systems (will kids need to learn to drive?)
- Interactive 3D = Augmented Reality, HTML 5, Three.js (3D graphics for WebGL)
- Embedded Computing = ehpc, Tessel (mcpu / Java), Programmable hardware
- LBS = Location Based Services, IPS, Beaconing, NFC
- IoT = Internet of Things, M2M, Quantified Self
- Mobilization = Preparation for Conflict/Competition, Autonomy, The Draft
- STEM = Science Technology Engineering Math, Generation NOW, Old Dogs (YOU)
It's a data-centric world; thus we need Privacy by Design (PbD).
Meme: an idea, behavior, or style that spreads from person to person within a culture.
* and TRUST!

What's a simple IA/Cyber vision / end-state look like? AND what are the requirements?
- Cyber is ALL about TRUST, Rules/MOAs & State
- KEY C-I-A entities / touch points: things, comms, the cloud
- IoT = things + comms AND DATA - assured / pedigree / provenance? Privacy satisfied?
- A cyber end-state stresses encapsulation using secure communications (e.g., object oriented programming)

NSPD-54/HSPD-23: CNCI-1 - 12 Initiatives (http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative)
Three focus areas:
- Focus Area 1 - Establish a front line of defense
- Focus Area 2 - Resolve to secure cyberspace / set conditions for long-term success
- Focus Area 3 - Shape future environment / secure U.S. advantage / address new threats
The 12 initiatives:
- Trusted Internet Connections
- Deploy Passive Sensors Across Federal Systems
- Pursue Deployment of Intrusion Prevention Systems
- Coordinate and Redirect R&D Efforts
- Connect Current Centers to Enhance Situational Awareness
- Develop Gov't-wide Counterintelligence Plan for Cyberspace
- Increase Security of the Classified Networks
- Expand Education
- Define and Develop Enduring Leap-Ahead Technologies, Strategies & Programs
- Define and Develop Enduring Deterrence Strategies & Programs
- Manage Global Supply Chain Risk
- Define Federal Role for Cybersecurity in Critical Infrastructure Domains
Cyber efforts must synchronize with Federal Investments.
The HARD part is implementing enterprise integration, interoperability and controlling emergent behavior - that can affect most focus areas.

DoD Cyber Priority Steering Council (PSC) S&T / R&D Roadmap - What matters?
Key Capability Gaps / Areas (4+1):
- Support essential business success functions
- Autonomous responses and C3 Tools
- Environment is robust and self-healing
- Mixed trust levels in heterogeneous space
- Cyber M&S and Experimentation (Cross Cutter)
(Source: Cyber PSC PA-Releasable Briefing, November 2012, page 23)
Gaps are not things / capabilities but integration and interoperability!

KEY Enabling Technology Areas (by value / need)
High:
- Distributed Trust
- Resilient Architectures
- Response and Cyber Maneuver
- Visualization and Decision Support
Medium:
- Component Trust
- Detection and Autonomic Response
- Recovery and Reconstitution
Low:
- Advanced Cross-Domain Solutions
- Advanced Cryptography
- Quantum Computing, Comms, and Crypto
- Biometrics
- Code Verification and Compliance
- Correct (Assured) by Construction Software
- Deception and Information Hiding
- Human Factors and Training
- Malware/Forensics Analysis and Reverse Engineering
- Resilient Infrastructure and Comms
- Scientific Theory and Measures
- Sensing and Data Fusion
- Software Pedigree and Provenance
CYBER is fundamentally about distributed trust / assured DATA / secure messaging!
Additional specificity / details and needs / gaps in back-up.

Strategic Cyber Elements
(1) Collaborate on a common enterprise IA / cyber strategy and vision - policy mapped to prioritized capabilities with assigned resources = good enough / cyber sufficiency!
(2) Develop a common overall enterprise risk assessment (ERA) approach - accounts for both significant threat vectors AND vulnerability consequences -> key mitigations; use the NIST RMF (Risk Management Framework, 800-37) weighted in the CNCI-2 12 focus areas.
(3) Align and synchronize resources and cyber gaps / initiatives across federal & commercial organizations and tier 1 - tier 3 architecture perspectives (IT & cyber are ONE).
(4) Address the pervasive lack of basic cyber hygiene enterprise wide, within the complete life-cycle aspects of an organization's people, processes and products (technology) - enforce a scalable, global access control model that preserves least privilege and attenuated delegation (ZBAC).
(5) Reduce complexity - build a trusted cyber infrastructure: use APLs along with the existing IA/CND infrastructure, as an integrated SoS with enforced CM - thus optimize our overall cyber package and ensure synchronization and RESILIENCY!
(6) Better integrate / leverage education and proactive defense (and IO) - stealth offense is best left to law enforcement and qualified federal entities (or escalation / retaliation will occur).
Top down approach to a balanced, prioritized cyber execution plan.

SO just what are we trying to orchestrate?
An integrated Cyber Defense in Depth / Breadth (DiD) EcoSphere - using dynamic lag and lead feedback, establish proactive, dynamic CND / IA Defense.
Diagram elements (sensors and inputs): Cyber I&W, Virtual Storefront, NMS / Security Management tools, insider threats, Defensive assessments, Incident results, SA (Sensors, CNA/E inputs, OpSec, Intel, etc), Users & CoC threats, IA & CND, IDS / IPS, DLP / etc, V&V / C&A, I&W / SCM, CERT / FBI, Red Teams
- Predictive feedback (leading indicators): change soft settings (takes secs - mins) through to upgrades (developed & installed), with big data / predictive analytics / SIEM (near real-time!)
- Forensic feedback (lagging indicators): takes days to months
All PbD capabilities (including IoT) must be well integrated into the cyber system.

Building a Trusted Cyber Infrastructure = an adequately assured, affordable, net-centric environment (built from disparate heterogeneous capabilities that we must integrate into a homogenous cyber ecosphere!)
- Focus on a few core capabilities & devices = PC, routers, IA suite, Servers, & SANS - all with access control
- Standard IA/CND suite: FW, A/V, IDS/IPS, CDS, VPN, Crypto, Key Mgmt, Security Policy
- All connections / communication paths need Assured Identity, Authentication & Authorization
- Diagram elements, annotated with Evaluation Assurance Levels (EAL 2-7; EAL 6, EAL 4-5, EAL 4 and EAL 3-4 appear on the tiers): Security Monitor; WAN Router; Core Router (Assured IOS, various EAL); IA Suite; Distribution Router; Servers (HW / FW, Secure OS kernel, Secure Virtual Machine, strict access / ZBAC, ALL OSes - MS, Mac, Unix); SANS (EAL 5-6; data centric security, defensive I&W, strict access / ZBAC); Network Devices; PC / End user devices (Secure OS, TSM, HBSS, ZBAC); RFID, MEMS, WSN, sensors, ICS / SCADA, etc
- Make IA / CND / Security a commodity: use & enforce IA building blocks = APLs/PPLs -> NIAP
- Interoperability and composability are built in upfront and help dramatically reduce complexity and ambiguity
- Thus, establishing known risks & pedigrees reduces attack surface, risks & TOC = baseline for PbD & IoT!

IA / Cyber and DATA must be built E2E!
WE have a natural hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many-to-many communication paths typically involved in end-to-end (E2E) transactions - AND people and processes TOO!
How does the DATA move, and what are the privacy protections / controls at each layer?
Layers: DATA -> Apps / services -> HW/SW/FM -> CCE -> Network -> SoS -> Enclave -> Site -> Enterprise
Each sub-aggregation is responsible for the data / controls within its boundaries and also inherits the controls of its environment, where we need to formalize the reciprocity therein!
Thus, the DATA, IA/cyber controls, interfaces and profiles in each element / boundary must be quantified / agreed to upfront!

Notional Data Centric Architecture (DCA) iso the required privacy needs
- IA / Security / cyber (e.g., defense in depth (DiD)) supports quality / assured data (with a pedigree / provenance)
- Cyber must be preserved in the full data AND capabilities life-cycle
- Must accommodate BOTH in-house and cloud IA controls / inheritance
- What IA/security capabilities are needed for the DATA itself? How does the DATA move about?
- Diagram elements: OMG / DDS, Reputation-based Security, DATA, Storage, Services, Apps, Host / device, Behavior monitoring, Business logic, Middleware, transport, FW / IDS / IPS, SCM - Continuous monitoring
- Must account for the four Vs: Volume, Variety, Velocity and Veracity
- Data is either at rest, being processed OR in transit
A PbD Cyber Model translates the data 4 V's into privacy attributes and controls.

DCA major elements
- Data-centric architecture (DCA) decouples designs and simplifies communication while increasing capability and easing system evolution
- DCA can link systems of systems into a coherent whole, using an open standard - OMG DDS
- Transports, operating systems, and other location details do not need to be known, allowing adaptation to performance, scalability, and fault-tolerance requirements
- Define and modularize DCA components = create specifications (capabilities and profiles): DCPS, DDSI, DataReader, DataWriter, Pub / Sub
- Java, mobile code, widgets, storage SW, middleware, services, ESB, etc - these all also have cyber security aspects built in
- Use OMG / DDS as a reference AND the data schema / tagging authoritative sources
SECURE DCA services = Data Centric Security (DCS)

DCA / DCS Overall Construct (need to V&V that security is built in / adequate in services)
- Services: Web Services, Event processing, Database, Legacy Bridge, Workflow engine, ESB, and other services / capabilities
- DATA bus (DDS middleware infrastructure & DCS services)
- DCS services: data to user authentication; signed / secure applications; protected communications; authoritative / assured DBs; virtual private data-stores (e.g., VPNs); cryptographic boundaries for isolation; target Java and .NET for enterprise stacks
- + Standard IA / CND / security suite = IA devices = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN
- + Network infrastructure = CCE = common core computing / network environment - with IA enabled devices
A PbD cyber model must map the data methods, controls, & services into privacy aspects.

Data centric services and cloud evolution - ownership and security
PaaS objective for combined / hybrid environments (with premise and cloud)

Layer           On-premises     IaaS            PaaS            SaaS
                (Pre-cloud)     (Cloud v1)      (Cloud v2)
Application     You manage      You manage      You manage      Vendor managed
Data            You manage      You manage      You manage      Vendor managed
Middleware      You manage      You manage      Vendor managed  Vendor managed
OS              You manage      You manage      Vendor managed  Vendor managed
Virtualization  You manage      Vendor managed  Vendor managed  Vendor managed
CPU/Storage     You manage      Vendor managed  Vendor managed  Vendor managed
Networking      You manage      Vendor managed  Vendor managed  Vendor managed

Securing the data & application layers can inoculate them from lower layer risks.

Cyber Security is Complex from a Technical Perspective
What factors must be addressed in PbD? Which ones are inherent in the IA/CND/Cyber suite?
(Term cloud from an IBM security brief): DAC, Token, Kerberos, HIPAA, VPN, Trusted OS, Wireless, Thin Clients, SSL, FIPS 140-2, XML Gateways, Compliance, SOX, IPsec, Biometrics, SaaS, PKI, H/W Crypto, Digital Certificate, Guards, Hardening, Secure Blades, Secure Collaboration, Cloud, RSBAC

+++ Cyber Model for PbD +++
Data Centric Security (DCS) enabling PbD:
+ Data encryption end2end, focused on services / applications (PaaS model)
+ Multi-factor authentication - add time, location, etc. (re: RAdAC end-state)
+ Security policy management - automated, serving multiple avatar levels in PbD
+ Application engineering - common model for services, apps, phones, APIs, etc.
+ These are added on top of the IA/CND/Security cyber suite
Monitoring, tracking, assessment = SCM / SIEM, DLP / RBS, R-T C&A / V&V, etc. (AND an integrated AI / smart correlation / POA&M tool mapped to NIST cybersecurity framework functions / tiers)
Standard IA / CND suite = IA devices = firewall, A/V, IDS/IPS, crypto / key management & VPN
Typical network infrastructure = CCE = common core computing environment (with IA-enabled devices properly set up: operating systems, database management systems, network management systems and web browsers)
Use existing products in each capability - we have several favorites ;-))
http://www.sciap.org/blog1/wp-content/uploads/privacy-pays-4-cyber.pdf

Key Tactical Thrusts to DO Now (YES! 95+% - high impact activities get us all moving quickly)
- COMMON national cyber security approach / end-state
- Consequence-based enterprise risk assessment (don't chase threats)
- Dynamic cyber enterprise management (enforced hygiene)
- KEY capability: security continuous monitoring (SCM) (can't manage what you can't measure)
- Top-down enforcement of IA / cyber architecture
- Secure enterprise access control / ENFORCE least privilege (re: ZBAC) / cyber IFF
- Common enterprise trust model (and implement TPMs, etc.)
- Reduce complexity - use APLs / VPLs / IA building blocks with pedigrees
- USE SCM to manage your IA / cyber suite quasi real-time, with SME help!
- Effective lifecycle education and training: targeted training, user awareness and IA / cyber SMEs (who manage it all)
Goal: 95% security incident reduction.

What is Cyber Hygiene? (and the HUGE percentage of security incidents caused by lack of it)
- National Security Agency (NSA), IAD director (80-85%): just improving the IA management aspects of security (aka hygiene factors) will reduce security incidents by over 80%. IA management = CM, monitoring the environment, following SOPs.
  http://www.nsa.gov/ia/_files/vtechrep/manageablenetworkplan.pdf
  http://www.sans.org/critical-security-controls/guidelines.php
- Verizon 2012 Data Breach Investigations Report (up to 97%): the report covered 855 incidents and 174 million compromised records; breaches were almost entirely avoidable through simple or intermediate controls. Threats: 98% from external agents, 81% used hacking, 69% used malware.
  http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
- Navy (our red team / NCDOC) (over 90%): poor accountability factors = willful misuse, lack of CM (& IAVA / patches), not having / following procedures, weak enforcement of policy, etc. They must spend all their time / resources fixing the easy vulnerabilities.
HYGIENE = maintaining / monitoring your IA / security / cyber equipment settings, as any incorrectly set cyber capability makes it much less effective!

Cyber Hygiene - the many faces of neglect
Our IA/CND/Security cyber suite is quite good IF maintained!
- Equipment settings (FW, A/V, IDS, etc.): monitor / enforce
- Social media content & settings: restrict sharing / privileges
- Incident reporting: no incident too small; notify US-CERT / FBI
- Controlled access: enforce least privilege; separate / rotate duties
- Security awareness: reinforce at ALL levels; incentivize good vs. bad
- Maintain the cyber suite: patches, upgrades, etc. (compliance == security)
- Standard operating procedures (SOPs): USE / enforce them
- Know your security baseline AND employ SCM / SIEM
- Privacy and PII: enforce policy (note - the EU is stricter)
Will lack of cyber hygiene continue to put you at MUCH greater risk?
You cannot buy cyber security (assuming you have an adequate IA/CND/Security/Cyber suite): YOU must manage cyber - actually DO and verify it!

Security Continuous Monitoring (SCM)
- What is SCM anyway? SCM is ongoing observance with intent to provide warning. An SCM capability is the ongoing observance and analysis of the operational states of systems to provide decision support regarding situational awareness and deviations from expectations. SCM is a risk management approach to cybersecurity that maintains a picture of an organization's security posture, provides visibility into assets, leverages automated data feeds, monitors effectiveness of security controls, and enables prioritization of remedies.
  http://scap.nist.gov/events/2011/cm_workshop/presentations/pdf/dulany%20-%20cm%20brief16%20mar.pdf
  An enterprise SCM technical reference model (based on the Continuous Asset Evaluation, Situational Awareness and Risk Scoring Reference Architecture Report): http://csrc.nist.gov/publications/drafts/nistir-7756/draft-nistir-7756_second-public-draft.pdf
- What good is it? MANY ROI benefits: real-time awareness of security posture, cyber benchmarking, complements audit / compliance efforts, improves cyber performance, reduces risk exposure and simplifies risk management overall. Third-party IV&V monitors hygiene AND potential new threats!
  http://raw.rutgers.edu/docs/wcars/23wcars/presentations/mike%20cangemi-the_benefits_of_continuous_monitoring_edited_final_8-11[1].pdf
- WHO does this now, where do I go for help? DISA and DHS have efforts in play already (DHS is funding continuous monitoring as a service (CMaaS)). The State Department DID early SCM several years ago and reduced C&A costs over 90%.
  http://www.disa.mil/scm
  http://www.gao.gov/new.items/d11149.pdf
  http://www.nextgov.com/cybersecurity/2013/01/dhs-pick-6-billion-tab-cyber-surveillance-systems-every-department/60445/
- SCM is mandated for government entities (FISMA / DOD CIO / DHS / others).
SCM is a cyber / risk management tool and provides added due diligence: stopping short of "get out of jail free", it keeps you from being the low-hanging fruit!
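The two slides above define hygiene as keeping the security suite's settings at their baseline, and SCM as flagging "deviations from expectations" and prioritizing remedies. The following is an added example (written for this brief, not taken from NIST or from any SCM product) of the core of that loop: a configuration baseline is compared with what host agents report, every drift becomes a finding with a severity, and hosts are ranked by a risk score for the POA&M. The baseline, the per-host observations and the severity weights are constructed for illustration.

```python
"""Configuration-baseline drift check, the core of an SCM feed.

Added example for this brief, not from NIST or any SCM product. The
baseline, the severity weights and the per-host observations below are
constructed for illustration; in practice they come from the CM database
and from host agents / scanners.
"""
from dataclasses import dataclass

# Assumed weights: how much a drifted setting contributes to a host's risk score
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    observed: object
    severity: str
    kind: str  # "changed", "missing" or "unexpected"


# Constructed baseline: setting -> (expected value or threshold, severity)
BASELINE = {
    "firewall.default_policy": ("deny", "high"),
    "av.signature_age_days_max": (1, "medium"),     # threshold: observed must be <= 1
    "patch.missing_critical": (0, "high"),          # threshold: observed must be 0
    "admin.local_accounts_enabled": (False, "high"),
    "browser.java_plugin": ("disabled", "medium"),
    "logging.forward_to_siem": (True, "medium"),
    "ssh.password_auth": ("no", "low"),
}

# Constructed observations, as reported by a host agent
OBSERVED = {
    "web01": {
        "firewall.default_policy": "deny",
        "av.signature_age_days_max": 9,        # stale signatures
        "patch.missing_critical": 3,           # critical patches outstanding
        "admin.local_accounts_enabled": False,
        "browser.java_plugin": "disabled",
        "logging.forward_to_siem": True,
        "ssh.password_auth": "no",
    },
    "ws17": {
        "firewall.default_policy": "allow",    # someone flipped the default
        "av.signature_age_days_max": 0,
        "patch.missing_critical": 0,
        "admin.local_accounts_enabled": True,  # local admin back on
        "browser.java_plugin": "enabled",
        # "logging.forward_to_siem" absent: the agent could not read it
        "ssh.password_auth": "no",
        "telnet.enabled": True,                # not in the baseline at all
    },
}


def _drifted(expected, observed):
    """Numeric expectations are upper bounds; everything else is an exact match."""
    if isinstance(expected, bool) or not isinstance(expected, (int, float)):
        return observed != expected
    return observed > expected


def check_host(host, baseline, observed):
    """One finding per baseline setting that is missing or out of spec,
    plus one low finding per setting the baseline never defined."""
    findings = []
    for setting, (expected, severity) in baseline.items():
        if setting not in observed:
            findings.append(Finding(host, setting, expected, None, severity, "missing"))
        elif _drifted(expected, observed[setting]):
            findings.append(Finding(host, setting, expected, observed[setting], severity, "changed"))
    for setting in sorted(observed.keys() - baseline.keys()):
        findings.append(Finding(host, setting, None, observed[setting], "low", "unexpected"))
    return findings


def risk_score(findings):
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def assess(baseline, observed_by_host):
    """host -> findings, worst host first, i.e. the order for the POA&M."""
    report = {h: check_host(h, baseline, o) for h, o in observed_by_host.items()}
    return dict(sorted(report.items(), key=lambda kv: -risk_score(kv[1])))


if __name__ == "__main__":
    for host, findings in assess(BASELINE, OBSERVED).items():
        print(f"{host}: risk score {risk_score(findings)}")
        for f in findings:
            print(f"  [{f.severity:6}] {f.kind:10} {f.setting}: "
                  f"expected {f.expected!r}, observed {f.observed!r}")
```

The point of the "missing" and "unexpected" kinds is that an SCM feed must treat an unreadable setting and a service the baseline never mentioned as drift too; a check that only compares settings it expects will report a host with telnet turned on as clean.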

Mobile Security perspective
Check Point's global survey of 768 IT professionals, conducted in the United States, Canada, United Kingdom, Germany, and Japan, gathered data about current mobile computing trends. Key issue / risk findings:
- Extensive use of mobile devices connecting to corporate networks: 89% have mobile devices such as smartphones or tablets connecting to corporate networks; Apple iOS is the most common mobile platform used to connect in corporate environments.
- Personal mobile devices that connect to corporate networks are extensive and growing: 65% allow personal devices to connect to corporate networks; 78% have more than twice as many personal devices on corporate networks vs. 2 years ago.
- Security risks are on the rise because of mobile devices: 71% say mobile devices have contributed to increased security incidents; the Android mobile platform is considered to introduce the greatest security risks.
- Employee behavior impacts security of mobile data (--- BYOD is NOT cheap ---): 47% report customer data is stored on mobile devices; lack of employee awareness about security policies ranked as the greatest impact on data security; 72% say careless employees are a greater security threat than hackers.
Contrast that 75%+ of users with personal devices with the percentage of employers who have a coordinated and comprehensive mobile security strategy in place (10%), and you see the problem.
*** NSA/CSS Mobility Capability Package = architecture / certification - a MUST DO *** http://www.nsa.gov/ia/_files/mobility_capability_pkg_vers_2_3.pdf
Mobile / wireless are HUGE threat entry points! http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf

GAO report on mobile vulnerabilities
KEY risks / concerns:
- Mobile devices often do not have passwords enabled.
- Two-factor authentication is not always used when conducting sensitive transactions.
- Wireless transmissions are not always encrypted.
- Mobile devices may contain malware.
- Mobile devices often do not use security software.
- Operating systems may be out of date.
- Software / patches on mobile devices may be out of date.
- Mobile devices often do not limit Internet connections.
- Many mobile devices do not have firewalls to limit connections.
- Mobile devices may have unauthorized modifications (known as "jailbreaking" or "rooting").
- Communication channels / Bluetooth may be poorly secured.
--- BYOD is NOT cheap ---
Major protection methods: enable user authentication; enable two-factor authentication for sensitive transactions; verify the authenticity of downloaded applications; install antimalware and a firewall; install security updates; remotely disable lost or stolen devices; enable encryption for data on any device or memory card; enable whitelisting (on phones too!); establish a mobile device security policy; provide mobile device security training; establish a deployment plan; perform risk assessments; manage hygiene = configuration control and management.
http://www.networkworld.com/news/2012/091912-mobile-security-262581.html

Cloud Security Factoids
The cloud security challenges are principally based on:
a. Trusting the vendor's security model
b. Customer inability to respond to audit findings
c. Obtaining support for investigations
d. Indirect administrator accountability
e. Proprietary implementations can't be examined
f. Loss of physical control
Shift from only protecting the network to protecting the DATA itself! (e.g., data centric security)
Areas that will mature soon, enhancing enterprise risk management (re: Gartner): consensus on what constitutes the most significant risks; cloud services certification standards; virtual machine governance and control (orchestration); enterprise control over logging and investigation; content-based control within SaaS and PaaS; and cloud security gateways, security "add-ons" based in proxy services.
Cloud Security Alliance (CSA) nine critical threats: 1. Data Breaches 2. Data Loss 3. Account Hijacking 4. Insecure APIs 5. Denial of Service 6. Malicious Insiders 7. Abuse of Cloud Services 8. Insufficient Due Diligence 9. Shared Technology Issues
We recommend following both the NIST and CSA cloud guidance:
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
http://csrc.nist.gov/publications/pubssps.html
AND an overall, enterprise, e2e risk management approach (e.g., RMF & FedRAMP)

Cloud Security Summary
Security in the cloud is likely better than you have in-house.
* Security is the SAME everywhere - WHO does which IA controls changes
* Don't sell cloud - offer security capabilities instead: end2end services
* Few are all in the cloud @ 100%, hence TWO environments to manage
* ALL must use the same cloud security standards (and QA in the SLA) http://www.sciap.org/blog1/wp-content/uploads/cloud-security-standards-sep-20131.xlsx
* Implement SCM / SIEM - integrate cloud metrics / status (& QA the SLAs)
* Service Level Agreements (SLAs) are not sufficient - trust but verify (orchestration SW?)
* Encrypt everywhere - yes, more key management, but risks greatly reduced
* Data owners are always accountable for PII / privacy / compliance (& location)
* Update the Risk Management Plan (RMP) = comms, COOP, with cloud R&R http://media.amazonwebservices.com/aws_risk_and_compliance_whitepaper.pdf
For more details see the paper "Cloud Security - What really matters?" at http://www.sciap.org/blog1/ (under "Cyber Body of Knowledge")

Integration, execution is everything, as if you can't implement well, it costs you everywhere!!!
The quantitative benefits of systems integration and interoperability (I&I) are:
1. Shorter / reduced steps in business processes
2. Time taken to process one application / record
3. Fewer complaints from members of the public
4. No. of applications / records processed over a period
5. Fewer complaints from end users
6. Reduced number of errors
7. Reduced software development time / effort
8. Reduced maintenance
9. Reduced no. of IT personnel
The qualitative benefits of I&I are:
1. Improved working procedures
2. Better communication with other related organizations
3. Job satisfaction
4. Redefined job specifications
5. Improved data accessibility
6. One-stop service
7. More friendly public service
Until the user is happy using & benefitting from the new capability, it has no value. Buying stuff is easy; getting it to work in your environment is hard. Plan for I&I - then double it. The best capability means little if it stays in the box.

SO what MUST WE ALL DO??? NIST's absolutely necessary security protections
NIST - National Institute of Standards and Technology - NISTIR 7621:
- Protect information / systems / networks from damage by viruses, spyware, and other malicious code (IA suite, A/V, encryption, etc.)
- Provide security for your Internet connection / ISP
- Install and activate software firewalls on all your business systems
- Patch your operating systems & applications (and now things too!)
- Make backup copies of important business data / information
- Control physical access to your computers and network components
- Secure your wireless access point and networks
- Train your employees in basic security principles
- Require individual user accounts for each employee on business computers and for business applications
- Limit employee access to data and information, and limit authority to install software
MUST DO tasks - consider this your due diligence list, where ALL have CM / hygiene aspects.
http://csrc.nist.gov/publications/drafts/nistir7621-r1/nistir_7621_r1_draft.pdf

Cyber Security Best Practices Overview (best practices are not a panacea, just a guide = to DO the basics)
- Quantify your business protection needs - do you have an asset inventory?
- Determine what is good enough or minimally acceptable for your business
- Quantify your environment's threats and vulnerabilities
- Have a security policy that's useful, complete, CEO / leadership endorsed
- Run self-assessments on security measures (use accepted tests, STIGs, PenTests, etc.) and compliance (HIPAA, PCI, CFR, SOX, etc.)
- Training and awareness programs - much needed, but not a guarantee
- TEST your BCP, COOP, recovery plans, backup - have you ever restored?
- Encrypt where you can - assess where / how you need it: IM, e-mail, file transfer, storage, backup, etc.
- Be familiar with / USE the NIST IA / security series - they are very good!
- DO / check / enforce the cyber basics (re: hygiene, access control, simplify & SCM)
- Reduce complexity - use only approved / preferred products lists (A/PPLs)
- A risk management plan (RMP) - using both threats AND consequences
As you can somewhat control what you plan, but you usually ONLY get what you enforce!

What can you DO right now? Ready for immediate implementation = 95+% incident reduction
1 - Install tools / scripts to catch USERS' mistakes: lock down the end devices (only allow root / admin to install anything). Use effective access control (enforce least privilege!)
2 - Manage the browser as THE threat vector (80% of malware comes through here). Have ONE secure browser version (IE9), use the guest account (force downloads to one folder), and manage a specific settings profile (to manage active code / Java, etc.). Implement a deny-all access approach, allowing URLs using only a controlled white list (no, this is NOT hard to do!)
3 - Run tools / application firewalls to minimize zero-day problems, and enforce CM / hygiene, along with "defensive I&W" monitoring tools (re: SCM / SIEM - #5)
4 - KISS / reduce IA complexity: only buy cyber products off APLs / PPLs (they have pedigrees / C&A already!) And USE their security features like TPM!!
5 - USE a security continuous monitoring (SCM) firm for real-time scans for both current vulnerabilities (SQL injection, et al.) and new threats (where the firm has feeds / data from US-CERT, etc., so they are always current on new threats / zero-day problems)
6 - If you make IT stuff, build IA / security in; there are lots of simple guides:
http://www.sans.org/critical-security-controls/guidelines.php
http://www.sans.org/top25-software-errors/
We're STILL lax: Google the DarkReading article "Real-World Developers Still Not Coding Securely". Cyber continues to be about US ALL doing the basics.
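Item 2 above says to deny everything and allow URLs only from a controlled white list. The following is an added example (written for this brief, not taken from it or from any proxy product) of the decision a URL filter or proxy has to make, including the cases a naive check gets wrong: a host name that merely ends in an allowed domain, credentials placed before an "@" to disguise the real host, non-web schemes, and malformed URLs, all of which must fail closed. The allowlist entries and the log lines are constructed for illustration.

```python
"""Deny-all URL policy: only allowlisted hosts pass.

Added example for item 2 above, not from the brief or any product. It is
the decision function a proxy or browser URL filter would run. The
allowlist entries and the log lines are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist. A bare host is an exact match; an entry with a
# leading "." admits that domain and every subdomain of it.
ALLOWLIST = {
    "intranet.example.com",
    ".microsoft.com",
    "www.sans.org",
}
ALLOWED_SCHEMES = {"http", "https"}


def _host_allowed(host):
    if host in ALLOWLIST:
        return True
    labels = host.split(".")
    # Match on label boundaries (".microsoft.com", ".com", ...) so that
    # "evil-microsoft.com" or "notmicrosoft.com" can never match: a naive
    # host.endswith("microsoft.com") would let both through.
    return any("." + ".".join(labels[i:]) in ALLOWLIST for i in range(len(labels)))


def url_allowed(url):
    """True only if scheme and host are both on policy; anything else is denied."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased; userinfo and port already split off
        _ = parts.port         # raises ValueError on a non-numeric / out-of-range port
    except ValueError:
        return False           # malformed URL -> deny, never fail open
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False           # ftp:, javascript:, data:, file: and so on are all denied
    return _host_allowed(host.rstrip("."))


def filter_log(lines):
    """Apply the policy to constructed access-log lines of the form '<user> <url>'."""
    decisions = []
    for line in lines:
        user, url = line.split(None, 1)
        decisions.append((user, url, url_allowed(url)))
    return decisions


if __name__ == "__main__":
    SAMPLE_LOG = [  # constructed
        "alice https://update.microsoft.com/download",
        "bob   https://intranet.example.com@evil.example.net/login",  # userinfo trick
        "carol https://evil-microsoft.com/",
        "dave  HTTPS://WWW.SANS.ORG/security-resources/",
        "erin  ftp://www.sans.org/pub",
    ]
    for user, url, ok in filter_log(SAMPLE_LOG):
        print(f"{'ALLOW' if ok else 'DENY':5} {user:6} {url}")
```

Note that the check deliberately ignores the path and query: the policy is about where the browser is allowed to connect, and a path-level allowlist is both easy to bypass (case, encoding, redirects) and impossible to maintain.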

Overall Way Forward (given all the unknowns and variables, this is one approximately correct path ;-))
- Company vision embedded in cyber plans / RMP: know where you are going, where the passion is / what the USER values. Hope is not a strategy (re: 2012 Annual DDoS Attack and Impact Survey!)
- Risk Management Plan (RMP): use NIST's RMF (or COBIT)! Have a dynamic, realistic RMP supporting your business success metrics, as you ARE betting your livelihood on cyber!
- Effective, enforced policy: embedded in core business success factors; rules to enforce statutory / legal mandates and key processes; to enforce behavior (positive & negative incentives)
- The basics, basics, basics: new toys matter little if your environment(s) are not managed (SCM / SIEM!). Poor hygiene / CM causes almost ALL security incidents (80-97%).
SO quit admiring the cyber problem / threat and start DOING something!

Cyber Security opportunities (Cyber can both protect your business AND enhance the bottom line!)
- World-wide B2B: trust / cloud / sharing
- TRUST: distributed / MLS
- CM / hygiene: patching / settings
- SIEM / SCM: QA hygiene / sensors; ESA / simple tools!
- IT / cyber global factors (user pull): IoT / M2M, automation / sensors, consumerization of IT, phones / wireless / apps
- GAPS / needs (from the Federal cyber priority council S&T gaps): resiliency; SW / apps / APIs / services; agile operations; BE the vanguard / integration
- Vulnerabilities / threats (Verizon DBIR, Forbes, etc. threat reports - what ails us most): access control; authentication is key; top security mitigations = whitelist, patch, limit access, etc.
- Future opportunities:
  - Mobile security: poor apps / iOS weak; billions of users = volume
  - Mitigate obsolescence: minimize patching, legacy vulnerabilities; OA / modularity / APIs & SCRM
  - Privacy / data: IP / PII / compliance
  - Effective missions: business success factors
  - Risk mgmt: ad hoc / not global today; effective Business Risk Management (BRM) = cybersecurity framework (CMMI / FAR), focus on reducing business risk
  - Managed security services (MSS) & cyber insurance
  - Data security, predictive analytics, privacy by design

SUMMARY - SO, what really matters in Cyber?
OSD / federal S&T activities: distributed trust; resilient architectures; response and cyber maneuver; visualization and decision support; dynamic policy management (RAdAC); detection and autonomic response; recovery and reconstitution
NSA / agency S&T activities: mobility, wireless & secure mobile services; platform integrity / compliance assurance; end client security; cyber indications and warning (I&W); mitigation engineering (affordability); massive data (data centric security); advanced technology (targeted); virtualization secure capabilities
It's all about TRUST and DATA. It's NOT all about expensive new cyber capabilities, but more about the SoS / I&I glue.
Doing the BASICS: (1) enforced cyber hygiene, (2) effective access control, (3) reduced complexity in IA / cyber (APLs / NIAP / approved products), *** (4) IA / cyber SCM / CDM / SIEM *** (ongoing diagnostics AND mitigations = CDM)
DO the cyber BASICS well, for things, people AND processes; invest in select new capabilities, protect privacy and follow your RMP!!!
Take ACTION NOW: (1) security assessment, (2) SCM / SIEM, & (3) cyber insurance!
Mike.davis.sd@gmail.com


Cyber security URLs / links of interest
Major cyber / IA sites:
https://infosec.navy.mil
http://www.doncio.navy.mil/tagresults.aspx?id=28
http://iase.disa.mil/pages/index.aspx
http://csrc.nist.gov/publications/pubssps.html
http://www.nsa.gov/ia/index.shtml
https://cve.mitre.org/
http://www.cisecurity.org/
http://www.cert.org/
http://www.commoncriteriaportal.org/
https://www.thecsiac.com/resources/all
http://www.dhs.gov/topic/cybersecurity
http://iase.disa.mil/stigs/pages/index.aspx
http://niccs.us-cert.gov/
https://www.sans.org/programs/
http://www.cerias.purdue.edu/
https://www.cccure.org/
http://www.rmf.org/
http://nvd.nist.gov/
Others of interest:
https://www.cool.navy.mil
http://www.threatstop.com/
http://www.darkreading.com/
http://www-03.ibm.com/security/xforce/
http://www.iso27001security.com/
http://iac.dtic.mil/csiac/ia_policychart.html
http://www.nascio.org/
Some training sites:
http://doc.opensuse.org/products/draft/sles/sles-security_sd_draft/cha.aide.html
http://iase.disa.mil/eta/online-catalog.html#fsotools
http://iase.disa.mil/eta/cyberchallenge/launchpage.htm
http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html
http://www.microsoft.com/security/sdl/default.aspx

IA/Security Axioms to consider / accommodate / educate
- Security and complexity are often inversely proportional.
- Security and usability are often inversely proportional.
- Good security now is better than perfect security never.
- A false sense of security is worse than a true sense of insecurity.
- Your security is only as strong as your weakest link.
- It is best to concentrate on known, probable threats first.
- Security is an investment (insurance), not an expense, with an RoI.
- Security is directly related to the education and ethics of your users.
- Security is a people problem: users stimulate problems, at all levels.
- Security through obscurity is weak, & we can NOT always add security later.
http://www.avolio.com/papers/axioms.html
Who says what we MUST DO? From a business DUE CARE / due diligence level, work through all these in your Risk Management Plan! Collectively: NIST, NSA, SANS, etc. - the following slides provide details.

NIST's Highly Recommended Practices
http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
- Policy / practice for email attachments and requests for sensitive information
- Policy / practice for web links in email, instant messages, social media, or other means
- Policy / practice for popup windows and other hacker tricks
- Doing online business and secure banking
- Recommended personnel practices in hiring employees
- Security considerations for web surfing, prohibited sites
- Policy / practice for downloading software from the Internet
- How to get help with information security when you need it
- How to dispose of old computers, media and fax machines
- How to protect against social engineering; data loss prevention
WHAT, more to do? YES, but most are related to standard IA/CND mitigations.

NSA IAD top ten controls
1 - Application whitelisting: only run approved apps (that the SysAdmin reviews)
2 - Control administrative privileges: minimize escalation, enforce least privilege
3 - Limit workstation-to-workstation communications: thwart pass-the-hash
4 - Use anti-virus file reputation services: leverage cloud-based threat databases
5 - Enable anti-exploitation features: for example, MS Windows EMET
6 - Implement Host Intrusion Prevention System rules: focus on threat behaviors
7 - Set a secure baseline configuration: layered security, standard images, etc.
8 - Use web Domain Name Service (DNS) reputation: screen URLs, intrusion alerts
9 - Use / leverage software improvements: software / OS upgrade and patch policy
10 - Segregate networks and functions based on role / functionality: monitor sections, then isolate when attacked
http://www.sans.org/security-resources/iad_top_10_info_assurance_mitigations.pdf

SANS top 20 controls (ver 3)
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and Remediation
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate Training to Fill Gaps
http://www.sans.org/critical-security-controls/

Top 35 Mitigations
At least 85% of the targeted cyber intrusions the Australian Signals Directorate responds to could be prevented by following the Top 4 mitigation strategies:
- use application whitelisting to help prevent malicious software and other unapproved programs from running
- patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
- patch operating system vulnerabilities
- minimize the number of users with administrative privileges
Examples of targeted cyber intrusion mitigation strategies: disable local administrator accounts; multi-factor authentication; network segmentation and segregation; application-based workstation firewall; host-based intrusion detection / prevention system; centralized and time-synchronized logging; whitelisted email content filtering; web domain whitelisting for all domains; workstation application security configuration hardening; user education; computer configuration management; server application security configuration hardening; antivirus software with up-to-date signatures; enforce a strong passphrase policy; etc.
http://www.asd.gov.au/infosec/top35mitigationstrategies.htm
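Application whitelisting heads both the NSA IAD list (control 1) and the ASD Top 4 above. The following is an added example (written for this brief, not taken from NSA, ASD or any whitelisting product) showing what makes a whitelist actually prevent "unapproved programs from running": approval keyed on file content (a SHA-256 digest) rather than on path or file name. The scenario is constructed: the "binaries" are temporary files with made-up contents, and the three attacks tried against the list (tamper in place, drop a new file into a trusted directory, copy the approved file elsewhere) are worked in code.

```python
"""Hash-based application allowlisting check.

Added example for this brief, not from NSA, ASD or any product. Shows why
an allowlist keyed on file content (SHA-256) rather than on path or name
is the form that prevents unapproved programs from running. The
"binaries" are constructed temp files, not real executables.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class HashAllowlist:
    """Approved executables keyed by content hash: the SysAdmin-reviewed set."""

    def __init__(self):
        self._approved = {}  # sha256 hex digest -> descriptive name

    def approve(self, path, name):
        self._approved[sha256_file(path)] = name

    def decide(self, path):
        """Return (allowed, reason). Anything not explicitly approved is denied."""
        if not os.path.isfile(path):
            return False, "not a regular file"
        digest = sha256_file(path)
        name = self._approved.get(digest)
        if name is None:
            return False, f"hash {digest[:12]}... not approved"
        return True, f"approved as {name}"


def demo():
    """Constructed scenario: approve one tool, then try the usual bypasses.
    Returns {case: allowed?} for a hash-keyed list and, for contrast,
    for a path-keyed one."""
    with tempfile.TemporaryDirectory() as d:
        approved_bytes = b"MZ...original approved tool..."  # constructed
        good = os.path.join(d, "tool.exe")
        with open(good, "wb") as f:
            f.write(approved_bytes)

        by_hash = HashAllowlist()
        by_hash.approve(good, "tool 1.0")
        by_path = {good}  # the weak alternative: trust the location

        results = {"original": by_hash.decide(good)[0]}

        # 1. Attacker appends a payload to the approved file (same path, same name)
        with open(good, "ab") as f:
            f.write(b"\x90\x90 trojan payload")
        results["tampered_in_place"] = by_hash.decide(good)[0]
        results["tampered_in_place_path_list"] = good in by_path  # still "allowed"

        # 2. Attacker drops a new program into the same trusted directory
        dropped = os.path.join(d, "update.exe")
        with open(dropped, "wb") as f:
            f.write(b"MZ...unapproved...")
        results["dropped_in_trusted_dir"] = by_hash.decide(dropped)[0]

        # 3. An identical copy of the approved tool elsewhere is still allowed:
        #    approval follows content, not location
        copy = os.path.join(d, "sub", "renamed.exe")
        os.makedirs(os.path.dirname(copy))
        with open(copy, "wb") as f:
            f.write(approved_bytes)
        results["approved_copy_elsewhere"] = by_hash.decide(copy)[0]
        return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:32} {'ALLOW' if allowed else 'DENY'}")
```

In production the hash set is what the SysAdmin review produces, and the decision runs in the OS execution path (AppLocker or WDAC publisher / hash rules on Windows, for instance) rather than in a script; the logic, though, is exactly this: unknown content is denied, regardless of where it sits or what it is called.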

Top 25 SW development errors
[1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] Missing Authentication for Critical Function
[6] Missing Authorization
[7] Use of Hard-coded Credentials
[8] Missing Encryption of Sensitive Data
[9] Unrestricted Upload of File with Dangerous Type
[10] Reliance on Untrusted Inputs in a Security Decision
[11] Execution with Unnecessary Privileges
[12] Cross-Site Request Forgery (CSRF)
[13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14] Download of Code Without Integrity Check
[15] Incorrect Authorization
[16] Inclusion of Functionality from Untrusted Control Sphere
[17] Incorrect Permission Assignment for Critical Resource
[18] Use of Potentially Dangerous Function
[19] Use of a Broken or Risky Cryptographic Algorithm
[20] Incorrect Calculation of Buffer Size
[21] Improper Restriction of Excessive Authentication Attempts
[22] URL Redirection to Untrusted Site ('Open Redirect')
[23] Uncontrolled Format String
[24] Integer Overflow or Wraparound
[25] Use of a One-Way Hash without a Salt
http://cwe.mitre.org/top25/
Must BUILD IA IN - this starts with SW, AND applies to apps / services.
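For two entries on the list above, [1] SQL injection (CWE-89) and [13] path traversal (CWE-22), the following added example (written for this brief, not from MITRE or the CWE pages) puts the vulnerable form next to the hardened form so the difference can be run rather than described. The users table, the credentials, the document root and the attack strings are constructed for illustration; the functions named `*_vulnerable` keep the bug on purpose.

```python
"""CWE-89 (SQL injection) and CWE-22 (path traversal): vulnerable form
beside the hardened form.

Added example for this brief, not from MITRE or any project. The users
table, the credentials, the document root and the attack strings are
constructed for illustration.
"""
import os
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")  # constructed
    return con


# --- [1] SQL injection ------------------------------------------------------

def login_vulnerable(con, user, pw):
    # Building the statement from the input: the input becomes SQL syntax (CWE-89)
    q = f"SELECT 1 FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return con.execute(q).fetchone() is not None


def login_hardened(con, user, pw):
    # Parameterized query: the driver binds the values separately from the
    # statement text, so quotes in the input are data, never syntax
    q = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return con.execute(q, (user, pw)).fetchone() is not None


# --- [13] Path traversal ----------------------------------------------------

def doc_path_vulnerable(docroot, requested):
    # Joining an attacker-controlled relative path as-is (CWE-22)
    return os.path.join(docroot, requested)


def doc_path_hardened(docroot, requested):
    """Absolute path if it stays inside docroot, else None."""
    root = os.path.abspath(docroot)
    target = os.path.abspath(os.path.join(root, requested))
    # commonpath, not startswith: '/srv/docs' must not admit '/srv/docs2/x'
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def demo():
    """Run both pairs against constructed inputs; returns {case: result}."""
    con = make_db()
    payload = "' OR '1'='1"  # classic tautology: the password check disappears
    results = {
        "vuln_bad_password": login_vulnerable(con, "alice", "wrong"),
        "vuln_injected": login_vulnerable(con, "alice", payload),
        "hard_bad_password": login_hardened(con, "alice", "wrong"),
        "hard_injected": login_hardened(con, "alice", payload),
        "hard_good_password": login_hardened(con, "alice", "correct horse"),
    }
    docroot = os.path.join(os.sep, "srv", "docs")  # constructed
    escape = os.path.join("..", "..", "etc", "passwd")
    results["traversal_vuln"] = doc_path_vulnerable(docroot, escape)
    results["traversal_hard"] = doc_path_hardened(docroot, escape)
    results["inside_hard"] = doc_path_hardened(docroot, os.path.join("manual", "a.txt"))
    results["sibling_dir_hard"] = doc_path_hardened(docroot, os.path.join("..", "docs2", "x"))
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:20} {value!r}")
```

The same two ideas cover most of the injection family on the list: keep data out of the syntax channel (bind parameters, argument vectors instead of shell strings, output encoding for [4]), and canonicalize before you compare ([13], [22]).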

What small businesses need to know about cyber security before they can offer services to the government
In general, companies must provide a security level commensurate with the government site they are going to do business with (see the NIST, GSA & FISMA web sites below).
- This NIST document provides a good overview of the government requirements, which in general need to be met by companies connecting to government sites in support of services provided: http://csrc.nist.gov/publications/fips/fips200/fips-200-final-march.pdf
- Information security rules by GSA: http://www.gsa.gov/portal/content/104257
- FISMA rules / regulations are also representative of items to be assessed: http://csrc.nist.gov/groups/sma/fisma/index.html
- VA has a contract clause that's fairly standard: http://www.iprm.oit.va.gov/docs/appendix_c.pdf
- The Education Department has a good overview of requirements: http://www2.ed.gov/fund/contract/about/bsp.html
- New LAWs - "Government Contractors Subject to Cybersecurity Regulations - More are on the Way": http://www.scribd.com/doc/89226369/government-contractors-now-subject-to-cybersecurity-regulations-%e2%80%93-And-More-are-on-the-Way
- Small business security overview (and a detailed brief on the major security product details too): http://www.sciap.org/blog1/wp-content/uploads/small-business-security-adt-cluster-v4_mike_davis_july_26_2011.pdf

How to find / bid on government contracts
MUST have a DUNS number or CAGE code (and capability statement / documents)
- Central source for SBA: http://www.sba.gov/content/federal-contracting-resources-small-businesses
- +++ System for Award Management (SAM) - register here first / asap, it drives many other processes: https://www.sam.gov/index.html
- FedBizOpps: https://www.fbo.gov/
- SPAWAR small business opportunities: http://www.public.navy.mil/spawar/documents/small_business/spawar_3_year_acquisition_forecast_22_may_2013.pdf
- Federal Procurement Data System: https://www.fpds.gov/fpdsng_cms/
- Dynamic Small Business Search: http://dsbs.sba.gov/dsbs/search/dsp_dsbs.cfm
- Interested in the SBIR / STTR programs? See the overview at http://www.navysbir.com/overview.htm
You REALLY need an effective business plan to show clients and investors the big picture: http://100startup.com/resources/business-plan.pdf

Computer Network Attack / Exploit (CNA/E)
- Provide near-real-time OPSEC to IA
- Effectively leverage the black-side intel into unclass protections
- Establish a War Reserve Mode? We have WARM elsewhere; what's that in cyber?
- Fusion of diverse data into KM we can use: all sensors, CNA/E effects, OpSec, intel, etc. = improved IA/CND
- Can't easily / rapidly tell WHO the bad actors are
- Offensive activities are best done by NCA / Cybercom, COCOMs
- Cyber war / ROE undefined; asymmetric nature = lose-lose
- Offensive cyber methods / tools / activities are best used covertly by a skilled few

Key cyber capabilities to develop (think secure comms / messaging - here proposed wrt top tier ETAs)
- Distributed Trust: enable secure distributed interactions by establishing appropriate levels of trust among remote devices, systems, or users. Supports: models and protocols for trust establishment; infrastructure; dynamic evaluation; out-of-band and physical trust maintenance.
- Resilient Architectures: enable functional capabilities to continue despite successful disruption or compromise by the adversary. Supports: morphing engines generating unpredictability; secured network storage; system decomposition for mission-tailored tools; response and cyber maneuver.
- Visualization and Decision Support: enable human decision-makers to quickly understand the security and operational implications of the current situation and to rapidly ascertain the best course of action to pursue. Supports: real-time analysis engines; common operational framework; holistic cognitive environment.
- Response and Cyber Maneuver: enable defenders to perform shaping operations that minimize the attack space and frustrate adversary planning, and to take action during attacks to block, disrupt, remove, or counter adversary actions. Supports: polymorphic technologies; cyber obfuscation; network agility.
Net-centric cyber security = SoS and I&I aspects

OTHER cyber capabilities (2nd tier)
- Detection and Autonomic Response: technologies that analyze data collected about the ongoing state of networks, hosts, applications, data, or user actions, and evaluate whether it represents known or probable malicious activity; technologies that select and invoke immediate defensive actuators in real time in response to a stream of detected events, without the need for human input. (Complex attack pattern recognition; trustworthy, intelligent agents; game-theoretic methods)
- Recovery and Reconstitution: technologies that restore system trust, capabilities, and reserves to fully functional and normal levels after disruption, damage, or depletion due to cyber attack or the effects of a defensive response; technologies that restore or reconstruct lost or tainted information as closely as possible to its previous undamaged state or to what is current and accurate; technologies that trace functions, results, or decisions that may have been affected by damaged information and restore or compensate as appropriate. (Bio-inspired self-inoculation; synchronizing repair activities without interrupting ongoing mission progression or priorities; asymmetric redundancy using distributed trust as a recovery metric / mechanism)
- Component Trust: technologies and methodologies that establish a basis for determining and quantifying the likely trustworthiness of acquired hardware or software products that have been constructed outside an organization's control, by methods such as external and internal physical examination, execution monitors, and supply chain risk countermeasures. (Hardware / software DNA that vouches for a component's authenticity (re: enhanced TPM); white-listing of trusted hardware / software components; root of trust; etc.)
Integration and Interoperability aspects are HUGE

Trust (U)

(U) Objective: Develop measures of trustworthiness for components within the cyber infrastructure and for large systems whose components and participants have varying degrees of trustworthiness

* Scalable reverse engineering and analysis
  - Develop tools that validate and verify hardware chip, firmware and software functionality
  - Develop tools for interoperable and scalable forensic analysis
* Trust establishment, propagation, and maintenance techniques
  - Develop techniques to establish trust anchors within components
  - Develop algorithms to describe, establish, propagate, and revoke trust with distributed reputation management
  - Develop algorithms and mechanisms to manage dynamic and transitive trust relations with coalition partners
* Measurement of trustworthiness
  - Develop quantitative techniques to enable context-aware dynamic trust scoring of components and systems
  - Develop composite measures of trust
* Development of trustworthy architectures and trust composition tools
  - Develop trust architectures that can self-attest to their required trust properties
  - Create techniques to build trustworthy systems from untrustworthy components

Cyber PSC PA-Releasable Briefing November 2012

Resilient Infrastructures (U)

(U) Objective: Develop integrated architectures that are optimized for the ability to absorb shock and the speed of recovery to a known secure state

* Resiliency for operational systems
  - Develop efficiency-, risk-, and cost-based approaches to manage real-time tradeoffs among redundancy, randomization, diversity, and other resiliency mechanisms
* Mechanisms to compose resilient systems from brittle components
  - Develop architectural foundations to compose and manage services in massive environments
  - Develop resiliency-aware abstraction layers that provide dynamic, threat-based component integration
* Integration of sensing, detection, response, and recovery mechanisms
  - Develop automated response tools using information correlated across the infrastructure
  - Develop algorithms for management and outcome analysis of resiliency properties of systems
* Secure modularization and virtualization of nodes and networks
  - Enable heterogeneity at the hardware, hypervisor, operating system, and application layers
  - Develop robust cloud architectures to resist intrusions of potentially hostile elements
  - Develop algorithms for real-time reconstitution based on dynamic feedback of macro-level resilience and health
* Resiliency-specific modeling and simulation techniques
  - Enable the measurement and analysis of systems' quantifiable resiliency properties

Agile Operations (U)

(U) Objective: Speed the ability to reconfigure, heal, optimize, and protect cyber mechanisms via automated sensing and control processes

* Techniques for autonomous reprogramming, reconfiguration, and control of cyber components
  - Develop approaches for autonomous policy-driven reconfiguration using ontologies and control loops
* Machine intelligence and automated reasoning techniques for executing courses of action
  - Develop time-constrained automated control loops that select and execute actions within a goal-seeking framework
* Techniques for mapping assets and describing dependencies between mission elements and cyber infrastructure
  - Develop sensors, specification languages, and machine learning for near real-time cyber situational awareness
  - Design static and dynamic models and supporting languages that relate cyber and kinetic domains
  - Develop near real-time mission analysis tools to support combined cyber/kinetic operations
* Techniques for course-of-action analysis and development
  - Develop modeling and simulation techniques for assessment of asset criticality and effects
  - Design game-theoretic approaches to predict adversarial behavior
  - Develop tools for mission simulation, rehearsal, and execution support
* Cyber effects assessment
  - Develop probing, detection, correlation, and visualization techniques

Resilient Infrastructures (U)

(U) Objective: Develop novel protocols and algorithms to increase the repertoire of resiliency mechanisms available to the architecture

* Code-level software resiliency
  - Develop novel language features, randomizing compilation techniques, and enhanced execution environments
* Network overlays and virtualization
  - Expedite resilient protocol development using overlays, from specification to deployment
  - Develop network reconstitution techniques based on modular design and component virtualization
* Network management algorithms
  - Develop autonomous network management algorithms for scalable reconfiguration and self-healing, modeled after biological systems
* Mobile computing security
  - Develop protection models, mechanisms, and algorithms for mobile devices to ensure higher levels of trust
* Distributed systems architectures and service application polymorphism
  - Develop methods for dynamic provisioning, reallocation, reconfiguration, and relocation of cyber assets at both the system and application layers
* Network composition based on graph theory
  - Develop network technologies at the architectural level to enable near real-time reconfiguration
  - Develop algorithms to enable sequenced network reconfiguration actions orchestrated across time and space
* Distributed collaboration and social network theory
  - Develop collaborative tools to support near real-time distributed maneuver
  - Realize social networks that incorporate coalition partners' offensive and defensive capabilities

Cyber Problem statement = Poor State of IA & CND (where all IA/CND capabilities must also act as a SoS)

- It's all about TRUST: we need a common enterprise trust model. Some HAP/TSM is needed, but where to put which EAL devices?
- Need a common top-down, enforced IA/Cyber-capable architecture
- Need an alternative to commercial ISPs: leverage existing dark fiber
- Effective / secure enterprise access control is foundational: the IA&A implementation focus = authorization-based access control complemented by ABAC, RBAC, even RAdAC as an end-state. If you don't control entry and exit, you control nothing; this applies to people, NPEs, software and data - the foundation for mission assurance (MA)!
- Proactive/Dynamic Defensive I&W: detect unusual patterns, characteristics, attributes, irregular requests. Provide auto alerts; divert questionable actions; "wrap" issues/problems. This is the catch-all capability, as we can't protect everything at 99%
- Institutionalize Dynamic Cyber Enterprise Management

Reasons the Cyber Problem Exists (re: one perspective - SOA / automation security issues)

1. No top-down common implementation IA guidance, with any useable level of detail
2. SOA (and overall OA in general) approaches add governance and communications complexities within DOD / Federal spaces
3. Numerous SOA methods, approaches, schemas: everyone has one; we need just ONE
4. No unified set of security requirements exists that is traceable to a higher-level, common IA core set (like IATF, GIG ICD, etc)
5. No Federal consensus on key security issues and barriers and gaps
6. Unclear (too many) authoritative sources, references, standards.

Reasons the Cyber Problem Exists (cont) (as one perspective - SOA / automation security issues)

7. IA covers virtually everything, so what should SOA prioritize?
8. In accordance with systems engineering principles, SOA must follow an EA & standards
9. No enterprise trust model supporting distributed transitive trust, or an effective model for secure enterprise cross-domain access control
10. Few T&E / V&V, and thus C&A, plans exist (this MUST be our DOD end-state)
11. Institutional blinders to the fact that networked/internet computers cannot secure data; no electronic means to assess data leakage and data aggregation.
12. Policy immaturity pre-dates SOA; hence the electronic security foundation is missing. Technology still forges ahead - tools are generations behind and built for other threats.

Common Architectural Flaws exacerbate Cyber Security

- Fragile Chain of Services
- Large Real-time Overhead
- Central Administration
- Mis-alignment with Practical Administrative Boundaries
- Lack of Support for Multiple Access Control Models
- No Concept of Risk or Domain Asymmetry, or Support for Multiple Mission Vectors
- Rigid Inheritance Model
- Use of Hard-coded, Rigid, Monolithic Access Control Frameworks and Products
- No Enterprise Concept of Domain Delegation or RAdAC
- Lack of Appropriate Layering and Abstraction

Common Architectural Flaws (cont)

- Inability to Support Multiple and Legacy Models:
  - Schema and Ontology often Incompatible
  - Attributes do not Align
  - Methods and Protocols Differ
  - Technology and the Embedded Dependencies Differ
- Use of Hard-coded, Rigid, Monolithic Access Control Frameworks and Products
- Difficult or Inflexible Integration Paths
- Lack of Trustworthiness
- No Support for Unanticipated Users
- Transformations Limited
- Lack of Flexible Rapid Application Development and Modeling Tools with IA Built in to the Framework
- Lack of Fidelity or Even Use of Modeling to Test Performance at Scale

Cyber - Begin with the end in mind

It's clearly important to understand the desired end result, the instantiation of your vision - having the image of the vision as your frame of reference to evaluate everything else. It is also impossible to integrate capability without having a plan and the correct systems in place to run the business.

Vision execution has to do with the "purposes" of capabilities, which have to do with visualization and complete planning! Bundled within personal and business: (a) leadership (what), (b) management (how), and (c) productivity (doing it well).

You can take the concept further by questioning the vision itself! Challenge assumptions, barriers, limitations, and obstacles (the five whys). Always apply critical thinking (reflective skepticism) to the vision, as that brings new ideas, fosters teamwork, promotes options, uncovers spinoffs, stimulates a clear head, and fresh perspectives emerge.

If you don't know where you are headed, seemingly blind alleys won't cut it either / waste $$$

Cyber - Drive out complexity - KISS

Complexity leads to variation in practice, opportunities for data / operational errors, and increased risk of mission failure. Reducing complexity is key to improving both risk posture and productivity. Human engineering and complexity theory teach that WE ALL need to smartly, collaboratively:
- Simplify
- Standardize
- Automate
- Integrate

Reducing complexity is a major competitive factor for ensuring supply chain performance and exceeding customer expectations. Given that an increasing share of work is outsourced, the challenge of handling complexity has become all the more demanding. Companies that do not master complexity risk experiencing supply chain inefficiencies, resulting in non-competitive working capital structures, lower transparency of cost drivers and difficulties in achieving service levels.

Address complexity in product, processes and organization... and DATA. Use existing initiatives to simplify both objectives and processes: Just-In-Time; Standardization; Strategic Outsourcing; Supply chain management; Target costing; Performance Measures... Take the "zero-baseline" approach to complexity.

Cyber - Maximize investments / ROI

With a strategic approach to maintenance and effective use of key performance indicators, organizations can better maximize resources, reduce capital and operating costs, and increase their return on investment (ROI). It's all about managing risk, from a high performance organization (HPO) operating perspective.

The critical elements of successful project value ROI analysis:
- Always start with business goals and challenges versus technology.
- ROI analysis should be completed both for the past and the future.
- Business goals cannot be achieved through technology alone.
- Project benefits cannot always be completely or accurately quantified; intangible elements have value too.
- There are many kinds of project costs in evaluations.
- Analyze your entire technology project portfolio.
- Monitor critical business success metrics and re-evaluate your project alignment process.

Four ROI pillars: (1) strong foundation / operating plan, (2) defined enterprise effectiveness, (3) business enablement and (4) optimization / differentiation.

Cyber ROI is misleading - as it's more insurance than investment

COTS / buy versus build (ALWAYS try to drive everything to a commodity state!)

MUST balance the business needs, short-term and long-term goals, key requirements and available technologies and solutions on the market. The company and key stakeholders must always consider and analyze all the options for each project and solution:
- Speed of implementation for a COTS vs. custom solution
- Cost of implementation of a COTS vs. custom build
- Functionality, flexibility and scalability in a COTS vs. custom build
- Support for COTS vs. custom build
- Organizational best practices, current technology and skill sets of employees
- Potential for upgrading, modification and replacement of COTS vs. build

Key elements in the process:
1. Properly analyze any COTS systems for suitability against the capability requirements and from a technical perspective; concurrent engineering applies even more here
2. Beware the COTS sales pitch / trap to fall into: being promised functionality that isn't in the COTS at present but that they will add for you.
3. Check for unit tests in the COTS and also what development practices they use; be wary if the vendor isn't giving much info about technical aspects. Is the source code available and have your programmers assessed it?

Ultimately, if it's a critical business function then do it yourself, no matter what. BUT, with IA/Security/Cyber capabilities only use APLs/VPLs

CNCI

Comprehensive National Cybersecurity Initiative (CNCI). This initiative was launched by the second President Bush in National Security Presidential Directive 54 and Homeland Security Presidential Directive 23 back in January 2008. There are 12 mutually-reinforcing initiatives that are intended to establish a front line of defense against today's immediate threats, to defend against the full spectrum of threats, and to strengthen the future cybersecurity environment.

INITIATIVE #1 -- Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. This is about consolidating our external access points and creating common security solutions across agencies.

INITIATIVE #2 -- Deploy an intrusion detection system of sensors across the Federal enterprise. This is a passive system that watches traffic and helps notify us about unauthorized network intrusions. DHS is deploying signature-based sensors as part of the EINSTEIN-2 (PDF) capability, with notification going to US-CERT.

INITIATIVE #3 -- Pursue deployment of intrusion prevention systems across the Federal enterprise. This takes it up a notch with EINSTEIN-3 (PDF) and not only detects intrusions, but actively prevents intrusions into federal systems. This will have serious zero-day and real-time counter-threat capabilities.

INITIATIVE #4 -- Coordinate and redirect research and development (R&D) efforts. This initiative serves to help us get all of our R&D efforts working together, with a better communications and tasking infrastructure. It's an important part of utilizing our resources and our smartest people to the best of their abilities.

INITIATIVE #5 -- Connect current cyber ops centers to enhance situational awareness. This is our key threat-data sharing initiative. The National Cybersecurity Center (NCSC) within Homeland Security is helping secure U.S. Government networks and systems under this initiative by coordinating and integrating information from the various centers to provide cross-domain situational awareness, analysis, and reporting on the status of our networks. As a side-effect, it's also designed to help our various agencies play better with each other.

INITIATIVE #6 -- Develop and implement a government-wide cyber counterintelligence (CI) plan. We're now coordinating activities across all Federal Agencies so we can detect, deter, and mitigate foreign-sponsored cyber intelligence threats to government and private-sector IT.

CNCI (cont)

INITIATIVE #7 -- Increase the security of our classified networks. Our classified networks contain our most valuable and most secret defense and warfighting information. We're continuing to work hard in securing these networks against the changing threat model.

INITIATIVE #8 -- Expand cyber education. This is where the Comprehensive National Cybersecurity Initiative begins to break down, because it's where all modern cyberdefense breaks down -- the people. We're training more and more cyberdefense experts, but we also need to expand that education up and down government, to corporations, and to individuals. We can have the very best-trained cyberdefense expert in a corporation, say, and it'll all break down if the CEO won't allocate the time or funds to conduct that defense. It's all about making everyone know just how real these threats are.

INITIATIVE #9 -- Define and develop enduring "leap-ahead" technology, strategies, and programs. We'll talk more about future directions later, but the idea of leap-ahead is to get 5 to 10 years ahead of the bad guys and explore out-of-the-box thinking in building a better cyberdefense. This is good stuff, and it's the first CNCI initiative that, essentially, opens the door to concepts like Stuxnet (or what The Times claimed the White House called "Olympic Games").

INITIATIVE #10 -- Define and develop enduring deterrence strategies and programs. Put simply, because of the wildly asymmetric nature of the threat, we can't have a mutually-assured destruction option with cyberattack, the way we do with nuclear attack. We're working on developing deterrence strategies, but we're not there yet, a fact which is sadly all too evidenced by the constant level of cyberattack, breach, and threat we find ourselves experiencing.

INITIATIVE #11 -- Develop a multi-pronged approach for global supply chain risk management. This area should be one of our biggest concerns. Most Americans get their computers from suppliers who use processors, motherboards, and components made outside the United States -- and often in China. China, as we've seen repeatedly, is one of our most challenging "frenemies". They're clearly important to us financially, but they're also one of the leading sources of cyberattack (and, quite frankly, could be behind the one we're dealing with now). This initiative, though, isn't just about China. Our components and our supplies must be insulated from foreign influence and unapproved modification.

INITIATIVE #12 -- Define the Federal role for extending cybersecurity into critical infrastructure domains. The federal government is relying more and more on private sector services. For example, the Department of Interior is about to start using Google for its email infrastructure. This initiative encourages public/private-sector cooperation to extend Federal systems cybersecurity into the wider cyber-infrastructure.

Cyber Security Overall Status (Senior IA/Cyber VIP perspective - same issues as 40-50 years ago, but better in the last 10)

Area                     Status        Comment
Technology               G (trending)  We have what we NEED NOW
Business                 Y             Some LSIs resist change
Policy                   Y             Legislation poor; can't be voluntary
Procedures / standards   G             NIST done well; need uniform implementation
Education                Y             NICE, 170+ CAEs (schools), 10,000+ / year
Leadership               R             Complexity vs CISO; C-suite complacency and ability to absorb
Awareness                Y             Education starting earlier, STEM, NICE
(G = green, Y = yellow, R = red)

We must provide an integrated, interoperable cyber package that is affordable

Is there a cyber equation / model? (something for us all to balance our risks / $$$)

Need to address: WHAT, WHO, WHEN, HOW (diagram elements):
- Governance: swim lanes, interfaces, overlap, etc
- Technical processes: CA, Fn, TA, NESI/NEADS, etc
- Operations: ILC/LCS/3M, CM, SOPs, training, O&S (supports DOTMLPF too)
- Requirements
- Policy / Regulations: DoD, DoN CIO, ASN RDA, DISA, NSA/GIAP, ASD NII, NNFE
- Acquisition: products, services, CM, etc; PEOs, SYSCOMs, Fleet
- Support (DOTMLPF too)

NO common, vetted model exists, SO develop your own!

Enterprise risk assessment (best value) = IA/SECURITY/CND (defense) (a1) + IO/CNE/CNA (offense) (a2) + SPECTRUM / TEMPEST (a3) + GOVERNANCE (a4) + REQUIREMENTS (a5) + THREAT / VULNERABILITIES (a6) + C&A / PEDIGREE (a7) + POLICY (a8) + TRAINING / EDUCATION (a9) + OTHER (a10). AND???

OUR risk management plan should address all variables. The sensitivity of the coefficients will vary by company.

Cyber Security ROI or insurance?

ROI is a big deal in business, but it's a misnomer in security: it's an EXPENSE! Security ROI is difficult to compute, simply because it is hard to predict the probability of a true security event and the costs associated with the loss and mitigation of it.

A major issue in cyber security right now is that we've never been able to construct an intelligent return on investment (ROI) for cyber security, as we've never been truly able to gauge how big the risk really is. But you need to be able to gauge the magnitude of the risk - what exactly the exposure is, or whether the actual event took place - because there just isn't enough good data...

The classic gauge methodology is called annualized loss expectancy (ALE). Cybersecurity ROI is considerably harder, as the threat morphs quickly, so we can't create ALE models. But there's another problem -- the math quickly falls apart when it comes to rare and expensive events; especially if the impact is huge, even low occurrence is costly.

Cyber ROI is misleading - as it is insurance, a cost of doing business. AND you have insurance for every KEY aspect of business, RIGHT??? Cyber is NO DIFFERENT. In fact the downside can be loss of your business. Just as you have an umbrella policy for personal liability, so should you in cyber. Even IF you can prove digitally that you are right, court preparations = $10-25K / case. Cyber Insurance: don't get caught in the cyber legal quagmire without it!
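To make the ALE argument above concrete, here is an added Python example (written for this page, not taken from the briefing): two constructed scenarios with the same ALE of 100,000 per year, one frequent and cheap, one rare and expensive, simulated over 20,000 years with a Poisson occurrence model. The SLE and ARO values, the simulation length and the seed are assumptions chosen for illustration.

```python
"""ALE versus the tail: why the classic formula misleads for rare, expensive events.

Added example for this page; not from the briefing. The two scenarios, their
SLE/ARO values and the simulation length are constructed for illustration.
"""
import math
import random
from statistics import mean


def ale(sle, aro):
    """Annualized loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def _poisson(rng, lam):
    """Number of events in one year for a Poisson process with rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sle, aro, years=20000, seed=1):
    """Loss for each simulated year: every occurrence costs the full SLE."""
    rng = random.Random(seed)
    return [sle * _poisson(rng, aro) for _ in range(years)]


def percentile(values, pct):
    """Nearest-rank percentile of a list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(sle, aro, years=20000, seed=1):
    """Compare the textbook ALE with the distribution of simulated annual losses."""
    losses = simulate_annual_losses(sle, aro, years, seed)
    return {
        "ale": ale(sle, aro),
        "sim_mean": mean(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
        "p99": percentile(losses, 99),
        "worst": max(losses),
    }


if __name__ == "__main__":
    # Constructed scenarios with identical ALE (100,000 per year):
    frequent = summarize(sle=10_000, aro=10)       # e.g. routine malware clean-ups
    rare = summarize(sle=5_000_000, aro=0.02)      # e.g. a once-in-50-years breach
    for name, s in (("frequent/small", frequent), ("rare/expensive", rare)):
        print(f"{name:15} ALE={s['ale']:>12,.0f} sim_mean={s['sim_mean']:>12,.0f} "
              f"P(loss>0)={s['p_any_loss']:.3f} p99={s['p99']:>12,.0f} "
              f"worst={s['worst']:>12,.0f}")
```

Both scenarios report the same ALE, and the simulated mean agrees with it, yet the 99th-percentile annual loss is about 180,000 for the frequent case and the full 5,000,000 for the rare case. A budget sized on ALE alone is exactly the figure the slide warns falls apart for rare, expensive events; that residual tail is what an insurance policy is meant to absorb.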

SRA -> SCM -> Insurance (et al) (There is a simple method to manage cyber complexity IAW your RMP!)

The below illustration is a general guide to how cyber risks can be quantified, using authoritative sources and methods, into quantifiable risk levels to ACT on, and then insure.

1. Security Risk Assessment (SRA) (several levels: remote, onsite, etc) (check only key points, or compliance levels, or business tailored, etc)
   - Environment is scanned
   - Key IA/CND settings assessed
   - Level of security assessed (using standard CVE, etc)
   - ADD in big data analytics to assess cyber risks in parallel

2. Security Continuous Monitoring (SCM) (monitor hygiene, access, unusual behavior - cyber mgmt informed) (status files sent to central Sec OpsCtr)
   - Security OpsCtr assesses data: changes in key IA/CND settings; abnormal patterns (SIEM)
   - Adjusts security level based on changes and thresholds
   - Feeds security actuarial tables
   - Alerts sent to multiple entities
   - Validates compliance aspects too

3. Assess property value (IP & real) (quantify and value data / IP) (identify other IT / property / assets)
   - User does inventory (data & IT), puts dollar value on key items
   - Matches mitigations to RMP
   - Quantifies the known and bounds the unknown aspects

4. Cyber Insurance (contact cyber insurance broker) (team with legal firm)
   - Broker uses cyber actuarial tables
   - Maps security levels and values
   - Premiums based on both

All processes are linked with feedback between analytics (aka user-based behavior insurance, as risk takers = higher premiums). SRA / SCM + insurance = major risk / cost reduction = due diligence / profit
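As an added example of the SCM step in the flow above (code written for this page, not the briefing's or any vendor's): a host ships a status file of key IA/CND settings to the central Sec OpsCtr, which scores it against a baseline, bands the score into a security level by thresholds, and raises alerts for high-weight drift. The controls, weights, level thresholds and the sample status file are constructed assumptions.

```python
"""Security Continuous Monitoring (SCM): scoring a host status file against a baseline.

Added example for this page; not from the briefing. The baseline rules, the
weights, the level thresholds and the status file are constructed.
"""
import json

# Baseline of key IA/CND settings: (control, rule kind, expected, weight). Constructed.
RULES = [
    ("host_firewall_enabled", "equals", True, 3),
    ("audit_logging_enabled", "equals", True, 2),
    ("av_signature_age_days", "max", 3, 2),
    ("patch_age_days", "max", 30, 3),
    ("admin_accounts", "max", 2, 2),
    ("remote_admin_ports", "subset_of", {22}, 3),
]
ALERT_WEIGHT = 3                                     # drift at this weight or above alerts at once
LEVELS = [(90, "HIGH"), (70, "MEDIUM"), (0, "LOW")]  # score thresholds -> security level

# Constructed status file, as a host would ship it to the central Sec OpsCtr.
STATUS_FILE = json.dumps({
    "host": "ws-017",
    "host_firewall_enabled": False,
    "audit_logging_enabled": True,
    "av_signature_age_days": 1,
    "patch_age_days": 45,
    "admin_accounts": 4,
    "remote_admin_ports": [22, 3389],
})


def _violates(kind, expected, observed):
    """True when the observed setting is outside the baseline rule."""
    if kind == "equals":
        return observed != expected
    if kind == "max":
        return observed > expected
    if kind == "subset_of":
        return not set(observed) <= expected
    raise ValueError(f"unknown rule kind {kind}")


def security_level(score):
    """Band a 0-100 hygiene score into the level the actuarial side consumes."""
    for threshold, name in LEVELS:
        if score >= threshold:
            return name
    return "LOW"


def assess(status_json, rules=RULES):
    """Compare one status file with the baseline; return score, level, findings and alerts."""
    status = json.loads(status_json)
    findings, penalty = [], 0
    for control, kind, expected, weight in rules:
        observed = status.get(control)
        if observed is None or _violates(kind, expected, observed):   # missing data counts as drift
            findings.append({"control": control, "observed": observed,
                             "expected": expected, "weight": weight})
            penalty += weight
    score = round(100 * (1 - penalty / sum(w for *_, w in rules)))
    level = security_level(score)
    alerts = [f"{status['host']}: {f['control']} out of baseline (observed {f['observed']!r})"
              for f in findings if f["weight"] >= ALERT_WEIGHT]
    if level == "LOW":
        alerts.append(f"{status['host']}: security level dropped to LOW (score {score})")
    return {"host": status["host"], "score": score, "level": level,
            "findings": findings, "alerts": alerts}


if __name__ == "__main__":
    result = assess(STATUS_FILE)
    print(json.dumps({k: v for k, v in result.items() if k != "findings"}, indent=2))
```

The returned score and level are the inputs the slide says feed the actuarial side: a host whose level falls from HIGH to LOW changes the premium basis as well as triggering an operations alert, and the per-control findings are what the compliance validation step reports.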

Proposed Information Dominance (ID) end-state vision

Diagram nodes: Other SatCom Users / sites; STEP; the GIG; DISN; Other national sources; Other Agencies; Intel / Sensors; Data Centers - DISA / IC Tier 1 & 2 (and DECCs / Services too); SIPR; Shore sites; NIPR; NOCs; DIL / austere environments; Afloat Systems / Wireless; Mobile / Disconnected / Organic; Internet; Mobile / RAS; Teleport; SatCom; LOS; Partners

Major ID Precepts:
- IT & IA are driven to commodity states
- One enterprise architecture (stds / specs) (DIEA / JIE based)
- Integrated views (user, system, data, etc)
- Information-centric environment (quality / assured data)

Where ID = decision superiority = quality / assured DATA --- How does all that DATA move about? --- (Note: most terrestrial connections are also by DISA / DISN, thus technically the GIG too)

Capabilities Needed for Information Dominance

- Schema of maneuver (positioning for effect)
- Assured C2 (OPCON / INFOCON)
- Cyber (IA/CND protections & CNE/CNA (covert))
- Kill / Effect Chains (maximize left side - ISR / I&W)

Layers (diagram): Knowledge; IT / network; Information environment; WAN/transport, network, cloud

ID = Decision superiority
Quality / assured data = value, pedigree, provenance
Infrastructure / services / apps (right data, to the right folks, at the right time): data centers, cyber, governance = trusted information systems

Battlefield victory requires dominant position and maneuver, which require the best possible information, before the opposition can: (1) get his own information; (2) react to your movements; or (3) infiltrate your environment. The best possible info is ID: a DiD with trusted information systems providing assured / quality data, facilitating all levels of command decision superiority.

N2 / N6 Roadmaps

Information Dominance: Comprehensive Data Strategy OV-1 (Right Info, Right Time, Right Place) - a critical USER view!

Data flow: RAW ------------------- REFINED ------------------- RIGHT (TCPED / OODA)

Lifecycle stages: Task; Collect; Produce; Store; Process; Exploit; Disseminate; Archive; Dispose

Nodes and transport: Traditional Nodes (Data, Apps, Systems); Cloud Nodes (Data, Services, Rules); Networks and Transport; Information Environment

Data Governance: Policies; Standards; Ownership; COIs; Stewardship
Data Quality: Quality Rules and Policy; Data Cleansing Rules; Compliance Rules; Data Admin; Data Profiling
Master Data and Metadata: Data Definitions; Auth Data Source; Reference Data; Data Valuation / Tagging; Indexing; Metadata Repositories; Registration
Data Structure: Taxonomy; Data Models; Process Workflows; Data Lifecycle
Data Architecture: Sizing; Storage; Processing; Movement; Retention and Deletion
Data Security: IA Compliance; Cross Domain; PII; Access Controls; Releasability

Supported by a DATA-centric architecture

DoD CND (and Cyber) Defense in Depth (from NCDOC briefs)

Tiers shown in the diagram:
- TIER I: DoD GIG (JTF-GNO)
- TIER II: Navy GIG (NCDOC)
- TIER III: WAN (Enclave), Enclave DMZ, LAN (POP/HUB), LOCAL ENCLAVE, HOST

Status legend: Operational; Funded and Rolling Out; Proposed or In

Capabilities shown (listed here without the tier and status placement the diagram gave them): CND SP; Incident Response / Management; Incident Handling; IDS; IPS; Prometheus; PKI; CAC/PKI; Threat Analysis; Threat Assessment; Compliance Scans; Site Compliance Scans; NUDOP; Global CND UDOP; Firewalls; SIPRNET Firewall; IAP Monitoring; IAVM Management; IAVM Implementation; IAVM Compliance; IAVM Vulnerability Remediation; DNS Blackholes / DNS Blackholing; Standard IP Blocks / Standard IP Block Lists; ACLs; NET Cool / INMS View; NET Cool View; NET Cool Data; Enterprise NET Cool Data; NMCI NIPRNET IDS Feeds; NMCI SIPRNET IDS Feeds; Email AV; In-Line Virus Scanning; Anti-virus; TRICKLER; PPS Policy; Alert Filtering; CENTAUR; Vulnerability Scanning; Vulnerability Remediation; GIAP; CND Data Strategy Development; System Patching; Metrics Development; CDS; IP Sonar; DITSCAP/DIACAP; In-Line Filtering; Content Filtering; Tutelage; CENTRIXS Monitoring; Multi-Layer Protocol Defense; CONOPS; CARS; IASM; DRRS-N; RNOSC; HBSS; Compliance ENMS; SCCVI-SCRI; Deep Packet Inspection; Tier 3 SIM; WIDS; TMAT; IWCE; CND POR; Honey Grid; Wireless Mapping; WAN SA; SLIDR; Functional NIC; Standardized Configurations; Navy DMZ; DMZ; DAPE; Insider Threat; SIPR NAC; DAR; HOST POR Management

Cyber = mostly life-cycle education and proactive, dynamic defense: the smart integration and collaboration between MANY needed IO & IA functions

Notional DiD Enterprise Architecture (EA)

DiD has three main elements: people (train and enforce good behavior), operations (policy, management, C&A, COOP) and technology (IA criteria, evaluated products, risk assessment, use of layers); we discuss the latter here.

Provide layered protections: (1) networks and infrastructure, (2) enclave boundaries, (3) quantify security robustness for all components (aka use NIAP), (4) use robust key management and PKI (IA&A), and use IDS/IPS (detection capabilities) --- using common cyber capabilities, with known pedigrees / C&A (APLs/VPLs -> NIAP)

OSI stack protections: (1) restrict access, port security; (2) VLANs, static ARP; (3) VPNs, NIDS, content filtering; (4) firewalls, ACLs; (5) IAVA, crypto, authentication; (6) IDS, audits; (7) anti-virus, secure software (SDLC), patches - AND effective IA&A / access control methods. Manage / enforce IA controls at each layer / capability!

Use existing IA controls management tools, like the previous AFG / the DISA link below:
http://www.disa.mil/services/network-services/video/dvs-g/becoming-a-customer/vtf-diacap/assigning-ia-controls
AND the SANS top 20 security controls:
http://www.sans.org/critical-security-controls/guidelines.php
(note: AFG is now the Community Gold Standard. Find it on Intelink, DKO. It's now at an enterprise architectural level versus a program level)

NOTE - This is a general requirements depiction of a DiD, using the general NIST and GIAC notional references:
http://www.giac.org/paper/gsec/2868/osi-defense-in-depth-increase-application-security/104841
http://www.nsa.gov/ia/_files/support/defenseindepth.pdf
Also for ICS: http://www.us-cert.gov/control_systems/practices/documents/defense_in_depth_oct09.pdf

Essential DiD EA elements

Reduce complexity and unknowns:
- Limit numbers, types and versions of IA capabilities (drive to commodity state)
- Only use common cyber capabilities with known limitations (enforce APL/VPL = NIAP)
- Provide a DiD enterprise architecture based on layers / IA controls therein
- Define specifications for and modularize the below cyber building blocks; include inheritance, interface-controlling parameters, and required standards AND profiles
- Map the DiD EA back to a Navy risk management plan and the key issues / risks therein
- Provide CONOPS for the notional DiD EA, including CM, governance, exceptions. Need to take a mission assurance perspective, with affordability / RoI
- Integrate and implement DoD / NSA common practices (SCAP, AFG, etc)
- Manage and enforce an effective, enforced Cyber CM/Hygiene posture and IA&A/IDAM!

The basic cyber building blocks of security: a limited and controlled set of IA building blocks for a FEW main classes:
- IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc)
- IA-enabled capabilities (OS, web browsers, messaging systems, screening routers, etc) (and the IA/WSS standards need to go here!)
- Services and Applications (define a standard "security container" for each service, ideally a class - likely a couple can cover all services) (see NSSI IA controls) (and DATA capabilities: DCPS, DDSI, Pub/Sub, Java, mobile code, widgets, storage SW, middleware, services, ESB, etc!)
- Critical HW/SW devices (catch-all for any key IT/IA capabilities we may have missed and want to consider) (see the CSRR list of IT classes for examples at the end of this paper - while these are generally already low-level aggregated capabilities, they show a class of IT to standardize to) AND actually using the TPM!
- PIT (there could be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HM&E, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc)

So what REALLY matters in IA/Cyber? A notional Quality of Protection (QoP) Hierarchy / Defense in Breadth

(Top of the hierarchy: complex, dynamic; bottom: static, known)

- DATA QoP (C-I-A and N & A)
- IA&A and DCS / CBE (distributed / transitive trust -- E2E Data-Centric Security -- Content Based Encryption) [Settings]
- Core / Security Services (WS* and other security policy / protocols / standards, including versions & extensions therein) [Standards]
- Network protection: CND, FW / IDS / VPN / etc (in general, mature capabilities, but multiple unclear CM processes are persistent and problematic)
- IO and IA: IA devices; A&E / Policy; CNO/E/A, I&W, OPSEC, etc; Crypto, KMI, TSM/HAP, policy, etc

IA profiles (standards), IA&A, CBE/DCS and digital policy!