
Information Assurance Efforts at the Defense Information Systems Agency & in the DoD

Richard Hale, Information Assurance Engineering

Defense Information Systems Agency
[email protected]

Critical Infrastructure Protection Day, March 14, 2000

2

Success in Combat Depends on Protecting Information & Information Systems

DoD Information Assurance efforts are aimed at providing assurance that war fighters and those who support them can safely rely on the information and information infrastructures required to fulfill their missions.

3

National Plan for Information Systems Protection

• Prepare and Prevent

• Detect and Respond

• Build Strong Foundations

4

DoD TCP/IP Networks

Classified networks are physically and cryptographically separated from the unclassified nets.

Networks shown in the diagram: Internet, NIPRNET, SIPRNET, JWICS

5

Some of DISA’s Missions

• Designing, building, & operating DoD intranets
  – The NIPRNET (an unclassified network)
  – The SIPRNET (a classified intranet)

• Designing and building core DoD command and control systems and software processes
  – Global Command and Control System (GCCS)
  – Global Combat Support System (GCSS)
  – Common Operating Environment (COE)

• Designing and operating the DoD’s large processing facilities

6

One More DISA Mission

• Designing and operating the DoD Computer Emergency Response Team (DoD CERT)
  – As well as regional CERTs
  – Integrated with the management of the networks and information systems
  – Primary technical support to the DoD Computer Network Defense Joint Task Force

7

Prepare and Prevent

8

DoD Global Information Grid: Draft Information Assurance Policy

“The DoD shall follow an enterprise-wide IA architecture that implements a defense-in-depth strategy which incorporates both technical and non-technical means…”


9

Defense-In-Depth: Layered Security Strategy

• Counter the full range of attacks
  – Defense in multiple places
  – Defenses & detection against insiders and outsiders

• Multiple complementary roadblocks to certain attacks
  – Increases resistance
  – Allows increased use of COTS solutions
  – Contains some insiders
  – May buy time to detect, analyze, and react

• Protect, Detect, React/Respond paradigm
  – Detect is critical owing to the imperfection of protections

• Quality control via Certification and Accreditation

Defense-in-Depth: Defend the Computing Environment (End System Security)

10

End System

• Properly configured operating systems
  – DISA provides guidance documents for Microsoft and various UNIX operating systems

• Properly designed and configured application software
  – Common Operating Environment, Command and Control Software, Combat Support Software

• Security services at the workstation
  – Anti-virus software, etc.

• System administrator training/certification

• Host incident monitoring/intrusion detection

• Physical security and clearances

Defense-in-Depth: Defend the Enclave Boundary

11

• Inventory/mapping of the enclave
  – Including all paths in and out

• Proper defenses on each path
  – Firewalls, dial-in security
  – Placement of externally visible servers (e.g., web servers)

• Enclave-level incident monitoring, correlation, situation awareness

• Hardening of infrastructure components
  – Routers, Domain Name System, etc.
  – DoD policy on allowed & disallowed protocols in draft

Diagram: Enclave (Building, Base, Processing Center) containing the End System
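The enclave-boundary slide above amounts to a checklist: every path in and out is inventoried, every path has a filtering device, externally visible servers sit where inbound traffic is supposed to land, and the boundary honours an allowed/disallowed protocol policy. As an added example (not DISA's code or DoD policy), the following script runs that checklist over a constructed inventory. The zone names, the three sample paths and the protocol lists in `POLICY` are assumptions chosen for illustration; the draft DoD protocol policy the slide refers to is not reproduced here.

```python
"""Audit an enclave's boundary paths against a protocol policy.

Added example, not from the DISA briefing. The inventory, zone names and the
allowed/disallowed protocol lists below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    direction: str   # "in" (toward the enclave) or "out"
    protocol: str    # e.g. "https"
    src_zone: str
    dst_zone: str


@dataclass
class BoundaryPath:
    name: str
    filtered: bool   # True if a firewall or dial-in guard sits on this path
    rules: list = field(default_factory=list)


# Constructed policy: default deny, explicit allow lists, a blocklist that wins over everything.
POLICY = {
    "disallowed": {"telnet", "netbios", "x11"},      # never permitted across the boundary
    "inbound_ok": {"http", "https", "smtp", "dns"},   # inbound only to the DMZ
    "outbound_ok": {"http", "https", "smtp", "dns", "ssh"},
    "dmz": "dmz",
}


def audit_enclave(paths, policy=POLICY):
    """Return (path name, finding) tuples; an empty list means the boundary matches policy."""
    findings = []
    for p in paths:
        if not p.filtered:
            findings.append((p.name, "unfiltered path: no firewall or dial-in control"))
        for r in p.rules:
            proto = r.protocol.lower()
            if proto in policy["disallowed"]:
                findings.append((p.name, f"disallowed protocol {proto} permitted {r.direction}bound"))
            elif r.direction == "in":
                if proto not in policy["inbound_ok"]:
                    findings.append((p.name, f"inbound {proto} not on the allowed list"))
                elif r.dst_zone != policy["dmz"]:
                    # externally visible server placed inside the enclave rather than the DMZ
                    findings.append((p.name, f"inbound {proto} terminates in {r.dst_zone!r}, not the DMZ"))
            elif r.direction == "out":
                if proto not in policy["outbound_ok"]:
                    findings.append((p.name, f"outbound {proto} not on the allowed list"))
            else:
                findings.append((p.name, f"rule with unknown direction {r.direction!r}"))
    return findings


# Constructed inventory: three paths in and out of one enclave.
SAMPLE_PATHS = [
    BoundaryPath("internet-gateway", True, [
        Rule("in", "https", "internet", "dmz"),
        Rule("in", "http", "internet", "internal"),   # web server on the wrong side
        Rule("out", "https", "internal", "internet"),
        Rule("in", "telnet", "internet", "dmz"),      # disallowed protocol
    ]),
    BoundaryPath("dial-in-pool", False, [              # nobody put a guard on the modems
        Rule("in", "ppp", "pstn", "internal"),
    ]),
    BoundaryPath("partner-link", True, [
        Rule("out", "ssh", "internal", "partner"),
    ]),
]

if __name__ == "__main__":
    for path, finding in audit_enclave(SAMPLE_PATHS):
        print(f"{path}: {finding}")
```

The inventory is the part that matters: a rule checker can only judge paths it knows about, which is why the slide puts mapping of all paths in and out ahead of the defenses themselves.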

12

Defense-in-Depth: Defend the Networks & Infrastructure

• Encrypted circuits for classified nets

• Hardened infrastructure
  – Routers, switches, Domain Name System (DNS) servers
  – Including intra-component signaling

• Infrastructure security services
  – Public Key Infrastructure, Directories

• Firewalls for network control centers

• Incident monitoring, correlation, response
  – Joint Task Force-Computer Network Defense (JTF-CND)
  – Regional and Global Operations & Security Centers

• Connection approval processes

• NIPRNET redesign

• Control of DoD connection to the Internet
  – Including stopping certain protocols

Diagram layers: Internet, DoD Networks, Enclave (Building, Base, Processing Center), End System

DoD Defense-in-Depth Summary

13

Diagram layers: Internet, DoD Networks, Enclave, End System

There is no magic bullet

14

Public Key Infrastructure (PKI) in DoD

Enabling (some) Trust in the Digital World

Currently two pieces to the DoD PKI:

1. “Medium Assurance” or Class 3
   • Essentially best commercial practice
   • Based on commercial technology
   • Many organizations issuing or preparing to issue certificates from this infrastructure

2. Fortezza
   • Being fielded as part of the Defense Message System

15

What’s A Public Key Infrastructure?

All the components, processes, and procedures required to issue and manage digital certificates.

Components in the diagram:
• Certificate Authority
• Registration Authority
• Directory (Public Keys and Revocation Lists)
• Subscriber (Key Owner, e.g. Alice)
• Relying Party (Bob)

The diagram's example transaction is Alice sending “$$ to Bob”.
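To make the roles on the slide concrete, here is an added example (mine, not the DoD PKI and not code from the briefing) that wires the five components together end to end: a registration authority vets Alice, a certificate authority signs a certificate binding her name to her public key, a directory holds certificates and the certificate revocation list, and relying party Bob validates her certificate (CA signature, validity period, revocation status) before trusting her signed “$$ to Bob”. Textbook RSA with 256-bit primes and no padding is an assumption made to keep the block self-contained; it shows the mechanics and is unsafe for real use. The roster used for identity proofing and the integer timestamps are constructed.

```python
"""Toy PKI: certificate authority (CA), registration authority (RA), directory with a
revocation list (CRL), subscriber Alice and relying party Bob. Added example, not the DoD
PKI. Textbook RSA with 256-bit primes and no padding: fine for showing how the pieces fit
together, unsafe for anything else."""
import hashlib, json, random

def _is_probable_prime(n, rounds=16):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=256):
    """Return ((n, e), (n, d)); n is 512 bits, larger than the SHA-256 digest we sign."""
    def prime():
        while True:
            p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(p):
                return p
    while True:
        p, q = prime(), prime()
        try:  # retry if e is not invertible mod phi(n)
            return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))
        except ValueError:
            continue

def _digest(obj):  # SHA-256 over canonical JSON, as an integer
    return int.from_bytes(hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest(), "big")

def sign(private, obj):
    return pow(_digest(obj), private[1], private[0])

def verify(public, obj, signature):
    return pow(signature, public[1], public[0]) == _digest(obj)

class CertificateAuthority:
    """Signs the to-be-signed (tbs) fields binding a name to a public key; publishes the CRL."""
    def __init__(self):
        self.public, self._private = keygen()
        self._serial, self.revoked = 0, set()

    def issue(self, subject, subject_public, not_before, not_after):
        self._serial += 1
        tbs = {"serial": self._serial, "subject": subject, "public": list(subject_public),
               "not_before": not_before, "not_after": not_after}
        return {"tbs": tbs, "signature": sign(self._private, tbs)}

    def crl(self, issued_at):
        body = {"issued_at": issued_at, "revoked": sorted(self.revoked)}
        return {"body": body, "signature": sign(self._private, body)}

def ra_enroll(roster, ca, subject, subject_public, not_before, not_after):
    """Registration authority: identity proofing before the CA signs (the roster stands in for vetting)."""
    if subject not in roster:
        raise PermissionError(f"{subject}: identity not proven, no certificate issued")
    return ca.issue(subject, subject_public, not_before, not_after)

def validate_certificate(ca_public, cert, crl, now):
    """Relying-party checks: CA signature, validity window, and status on a CA-signed CRL."""
    tbs = cert["tbs"]
    if not verify(ca_public, tbs, cert["signature"]):
        return False, "bad CA signature"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return False, "outside validity period"
    if crl is None or not verify(ca_public, crl["body"], crl["signature"]):
        return False, "no trustworthy CRL"
    if tbs["serial"] in crl["body"]["revoked"]:
        return False, "certificate revoked"
    return True, "ok"

def verify_signed_message(ca_public, directory, sender, message, signature, now):
    """Bob: fetch the sender's certificate from the directory, validate it, then check the signature."""
    cert = directory["certs"].get(sender)
    if cert is None:
        return False, "no certificate for sender"
    ok, reason = validate_certificate(ca_public, cert, directory["crl"], now)
    if not ok:
        return False, reason
    if not verify(tuple(cert["tbs"]["public"]), {"from": sender, "msg": message}, signature):
        return False, "bad message signature"
    return True, "ok"

def demo():
    """Alice signs '$$ to Bob'; Bob checks it before and after her certificate is revoked."""
    ca = CertificateAuthority()
    directory = {"certs": {}, "crl": ca.crl(issued_at=100)}   # directory: certs + revocation list
    alice_public, alice_private = keygen()
    cert = ra_enroll({"alice"}, ca, "alice", alice_public, not_before=100, not_after=200)
    directory["certs"]["alice"] = cert
    sig = sign(alice_private, {"from": "alice", "msg": "$$ to Bob"})
    before = verify_signed_message(ca.public, directory, "alice", "$$ to Bob", sig, now=150)
    ca.revoked.add(cert["tbs"]["serial"])
    directory["crl"] = ca.crl(issued_at=151)  # Bob only notices if he fetches the fresh CRL
    after = verify_signed_message(ca.public, directory, "alice", "$$ to Bob", sig, now=152)
    return before, after
```

`demo()` returns `((True, "ok"), (False, "certificate revoked"))`. Two points the next slide's assurance dimensions turn on are visible here: the private keys live in plain Python integers (software-protected keys), and the strength of the name-to-key binding is only as good as the vetting `ra_enroll` performs before the CA signs.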

16

DoD Class 3 PKI Components

• The system is operational and issuing identity certificates

• Initial customers
  – Defense Travel System
  – Defense Security Service
  – DFAS
  – Army Chief of Staff
  – JEDMICS
  – Navy San Diego Region
  – DISA

Components in the diagram: Root Certificate Server, Certificate Server, Directory, Registration Authority, Local Registration Authority, Users, NSA. Certificate servers are at two Defense Processing Centers.

17

How Good Are the Certificates? (or, how tight is the tie between the key and the name?)

• A variety of dimensions of assurance
  – Strength of cryptography at end user & at Certificate Authority
  – Form and protection of private keys at end user & CA
  – Processes & controls employed in operation of the PKI
    • User registration, certificate issuance, auditing of various things, etc.

• One selects a particular level of assurance by:
  – Considering overall security requirements for the information being protected

18

PKI Assurance May Get Better in COTS Without Much Action on Our Part

E.g., if smart cards become standard and interoperable, we may be able to move to hardware storage of the private key with relatively little pain.

Chart: “Assurance Supported by COTS” rising from Now (private key protected in software) to Then (private key protected in a hardware token, e.g., a smart card)

19

Detect and Respond

20

DISA Maintains Global Operational Situational Awareness...

. . . to determine if an operational capability is degraded by attack, outage, or both (physical attack, component failure, accidental outage, cyber attack)

– Monitor current and planned military operations and contingencies
– Information warfare events
– Intelligence reports
– Weather/natural disasters
– Scheduled outages
– Facility and equipment failures
– System and application failures
– IA sensor grid

21

Global Network Operations & the DoD CERT are an Integrated Team

Defense and Protection of the Global Information Grid

GNOSC (Global Network Operations & Security Center)
• Intrusion Detection Systems Management
• Global Management of the DII
• Global Situational Awareness

DoD CERT (Computer Emergency Response Team)
• Strategic Intrusion Analysis
• Incident Handling and Response
• Information Assurance Vulnerability Alerts (IAVA)

Also in the diagram: Event Correlation; Sensor Grid Reporting Analysis

Supporting the Joint Task Force - Computer Network Defense

22

Getting the Word Out: Information Assurance Vulnerability Alert (IAVA)

DoD CERT response to critical vulnerabilities, issued in three forms:
• IAVA (Alert)
• IAVB (Bulletin)
• Technical Advisory

Organizations across DoD must:
• Acknowledge receipt
• Apply fixes
• Acknowledge compliance

Tracked in the Vulnerability Compliance Tracking System (IAVA DB)

• Global distribution to DoD System Administrators & Program Managers
• Organizational accountability

http://www.cert.mil/

23

Build Strong Foundations

24

How do we know Security is Improving?

DISA IA Metrics Program

Metrics process cycle:
• Collect the measurements
• Analyze the measurements
• Report the measurements and observations
• Review metrics and modify process

1. What to measure?
   • Objective not subjective
   • What is our current baseline, and how do we know if we’ve improved?

2. Analysis of the data
   “For example, is there a relationship between the number of events and the number of sensors?”
   (Chart: # of Events plotted against # of Sensors)

3. Aimed at answering questions like...
   • Are we spending our money wisely?
   • Where is more effort/resources required?
   • Are we more or less secure than N months ago?

4. Institutionalizing the Metrics Process
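The slide's example question (is the event count tracking the sensor count?) is the classic trap in security metrics: the sensor grid grows, raw event counts grow with it, and the chart looks like an attack surge. As an added example (not DISA's metrics program), the block below takes a constructed month-by-month series of sensor and event counts, computes the correlation between the two, and compares the raw trend with the events-per-sensor trend against the first month as the baseline. The monthly figures and the 0.9 correlation threshold are assumptions for illustration.

```python
"""Normalize sensor-grid event counts by sensor count so growth of the grid is not
mistaken for growth in attacks. Added example, not DISA's metrics program; all figures
below are constructed."""
from math import sqrt

# Constructed sample: (month, sensors deployed, events reported by the grid)
SAMPLE = [
    ("2000-01", 20, 400),
    ("2000-02", 25, 480),
    ("2000-03", 32, 600),
    ("2000-04", 40, 720),
    ("2000-05", 50, 850),
    ("2000-06", 64, 1000),
]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length numeric sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def events_per_sensor(rows):
    """The normalized series: (month, events / sensors)."""
    return [(month, events / sensors) for month, sensors, events in rows]


def assess(rows, correlation_threshold=0.9):
    """Compare the raw event trend with the per-sensor trend, using the first month as baseline.

    Returns the sensor/event correlation, the relative change in raw events, the relative
    change in events per sensor, and a one-line verdict.
    """
    sensors = [s for _, s, _ in rows]
    events = [e for _, _, e in rows]
    per = [rate for _, rate in events_per_sensor(rows)]
    r = pearson(sensors, events)
    grid_explains_it = r > correlation_threshold and per[-1] <= per[0]
    return {
        "sensor_event_correlation": round(r, 3),
        "raw_events_change": events[-1] / events[0] - 1,
        "per_sensor_change": per[-1] / per[0] - 1,
        "verdict": ("more sensors, not more attacks" if grid_explains_it
                    else "events outpacing sensor growth"),
    }


if __name__ == "__main__":
    for month, rate in events_per_sensor(SAMPLE):
        print(f"{month}: {rate:.1f} events per sensor")
    print(assess(SAMPLE))
```

On the constructed sample the raw count rises 150% while events per sensor fall about 22%, so the honest answer to "are we more or less secure than N months ago?" is at least not "worse", even though the raw chart says otherwise. The per-sensor figure is the objective baseline the slide asks for; whether to trust it still depends on the sensors being comparable, which this arithmetic cannot check.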

25

One More Thing… Training

• DISA develops IA training materials and classes for the DoD

• Over 100 security classes provided annually

• About 100,000 IA training CDs and videos sent out government-wide

http://its4dod.iiie.disa.mil