IAnewsletter
The Newsletter for Information Assurance Technology Professionals
Volume 15 Number 3 • Summer 2012

IA on a Tight Budget

Also inside: The Keys to Better Security on a Tight Budget; Subject Matter Expert: COL Gregory Conti; The Biometrics Capability Maturity Model; Responsible Information Sharing Part II: Sharing Responsibly; United States Service Academies; Searching For the Best—U.S. Cyber Challenge; USENIX Federated Conferences Week
2 IAnewsletter Vol 15 No 3 Summer 2012 • http://iac.dtic.mil/iatac
contents

4 Balancing an Agency’s Information Security Spending
This article presents a simple way of thinking about the overall information technology (IT) security ecosystem that can aid in answering questions related to where the next security dollar should go. This article suggests that many organizations may need to rebalance their investments.

8 The Keys to Better Security on a Tight Budget
Information security managers in government today are facing the most challenging fiscal environment in decades. While the phrase “doing more with less” sounds like a reasonable and practical approach, how is it really possible to secure systems on decreasing budgets?

11 Subject Matter Expert: COL Gregory Conti
The subject matter expert profiled in this article is Colonel Gregory Conti at the United States Military Academy (USMA), a Military Intelligence Officer and Academy Professor at the Department of Electrical Engineering and Computer Science.

12 The Biometrics Capability Maturity Model
Organizations today are developing enhanced security policies and regulations due to increased awareness of potential security risks. Those who integrate biometrics technologies into existing physical and IT processes are significantly increasing information assurance (IA) and provide a more secure operating environment.

16 Responsible Information Sharing Part II: Sharing Responsibly
The need to share information should be better balanced with the need to protect information. This article highlights challenges and emerging solutions for achieving responsible information sharing.

24 United States Service Academies
The United States Service academies are federal undergraduate academies that offer education and training in a military environment. This article showcases their IA and cybersecurity academic programs.

26 Searching For the Best—U.S. Cyber Challenge
The U.S. Cyber Challenge provides a range of opportunities to identify and nurture talented young Americans by casting a wide net to enable them to demonstrate their skills, and then make them aware of other opportunities, help develop their skills, and improve their knowledge in making our nation’s cyber environment safe.

28 USENIX Federated Conferences Week
This event combined a variety of conferences and workshops into a week-long affair that allowed participants to get an intensive look at various IA developments.
About IATAC and the IAnewsletter
The IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a Department of Defense (DoD) sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC) and the Assistant Secretary of Defense for Research & Engineering, ASD(R&E).

Contents of the IAnewsletter are not necessarily the official views of or endorsed by the US Government, DoD, DTIC, or ASD(R&E). The mention of commercial products does not imply endorsement by DoD or ASD(R&E).

Inquiries about IATAC capabilities, products, and services may be addressed to—
IATAC Director: Gene Tyler
Inquiry Services: Karen Goertzel

If you are interested in contacting an author directly, please e-mail us at [email protected].

IAnewsletter Staff
Chief Editor: Gene Tyler
Assistant Editor: Kristin Evans
Art Director: Tammy Black
Copy Editor: Alexandra Sveum
Editorial Board: Al Arnold, Angela Orebaugh
Designers: Tammy Black, Michelle Deprenger, Lacey Olivares

IAnewsletter Article Submissions
To submit your articles, notices, programs, or ideas for future issues, please visit http://iac.dtic.mil/iatac/IA_newsletter.jsp and download an “Article Instructions” packet.

IAnewsletter Address Changes/Additions/Deletions
To change, add, or delete your mailing or e-mail address (soft-copy receipt), please contact us at—
IATAC, Attn: Peggy O’Connor, 13200 Woodland Park Road, Suite 6031, Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
E-mail: [email protected]
URL: http://iac.dtic.mil/iatac

Cover design: Tammy Black
Newsletter design: Donald Rowe

Distribution Statement A: Approved for public release; distribution is unlimited.
in every issue
3 IATAC Chat
25 Letter to the Editor
29 Products Order Form
30 Calendar
Directors’ Chat
Cyber Security & Information Systems

In our winter 2012 edition of the IAnewsletter, Christopher Zember, Deputy Director of the Defense Technical Information Center (DTIC) Information Analysis Center (IAC) Program, contributed an article detailing the inception of the Department of Defense’s (DoD) Cybersecurity IAC (CSIAC). This IAC is poised to become DoD’s cybersecurity resource center.

In June 2012, DTIC announced that Quanterion Solutions Incorporated, a small business located in Utica, New York, with long-standing ties to the IAC Program, was awarded the contract to operate CSIAC for DoD. On 16 July, Quanterion began working with the Information Assurance Technology Analysis Center (IATAC) on the transition, and since the signing of its contract in June, Quanterion has already begun the stand-up of CSIAC, fully integrating the best practices and resources that IATAC has developed into CSIAC so that it can provide DoD with critical cybersecurity information and resources. With this transition, IATAC will no longer be publishing the IAnewsletter; however, readers should look forward to receiving CSIAC’s Cyber Security and Information Systems IAC Journal in the coming months, which will continue the long-standing tradition of publishing cutting-edge IA/cybersecurity articles from experts across various organizations.

The IATAC/CSIAC transition will be complete by 13 October 2012, at which point IATAC will end its tenure and Quanterion will be well on its way, engaging the DoD, federal government, academia, and industry communities to ensure they are receiving accurate and up-to-date information about cybersecurity initiatives. As the Director of IATAC, and from working closely with Quanterion in support of the IAC Program, I am confident that CSIAC will promote continued success across the IA/cybersecurity community as it provides organizations with information products and services essential to addressing their cyber needs.

Booz Allen Hamilton has taken much pride in hosting IATAC for you and the government. It now gives me great pleasure to introduce our readership to Tom McGibbon, Quanterion’s CSIAC Director. See you on the high ground!

CSIAC will serve as a Center of Excellence for the DoD in Cyber Security, Modeling & Simulation, Knowledge Management and Software Engineering. The Center will be focused on leveraging knowledge bases, best practices and expertise from industry, government and academia in each of the technology domain areas. It is a consolidation of three legacy IACs: IATAC, the Data & Analysis Center for Software (DACS), and the Modeling and Simulation Information Analysis Center (MSIAC). Support for the mission of these legacy IACs will now be provided through this new Center.

Quanterion and its personnel have had a long history of IAC operation, including operation of the DACS basic center operations and operation of the Reliability Information Analysis Center core operations as a subcontractor. As CSIAC’s Director, I bring 17 years of experience as the DACS Director. Quanterion’s President, Preston MacDiarmid, and other senior Quanterion personnel also have had many years of IAC management experience.

This new Center, while continuing much of the legacy IAC work, will also be focusing on two major new initiatives: (1) through collaboration with our subject matter experts and partners, we will be implementing and facilitating a collaborative community of practice website, and (2) we will be focusing our products on and emphasizing the Better Buying Power (BBP) Initiative.

More information about these new initiatives will be covered in our first Cyber Security and Information Systems IAC Journal. Look for our first Journal in October 2012. Also, please check out our website at http://www.thecsiac.com/!
Balancing an Agency’s Information Security Spending
by Keren W. Cummins

A Growing Role for Proactive Security Solutions

Federal information security officers (ISOs) have a wide array of programs and solutions to track: vulnerability management, configuration auditing, anti-virus and endpoint protection, identity/access management, and data loss prevention. Every year adds new classes of threats to defend against, new categories of solutions to help secure the enterprise, and new products and vendors that claim to solve the current “most critical issue.” Just assessing the value or the performance of a single program is a challenge in itself. Evaluating these variables together generates a new, more difficult set of questions. What is the right balance of resources? How should we invest the incremental security dollar across the broad range of existing and prospective security solutions and programs that make up the comprehensive information security program?

While the correct answers depend on the particulars of an organization’s mission, programs, data, environment, and threat context, there are some helpful ways to think about this balance. This article presents a simple way of thinking about the overall information technology (IT) security ecosystem that can aid in answering questions related to where the next security dollar should go. Note that this methodology suggests that many organizations may need to rebalance their investments.

Where Do Solutions Engage?

With respect to an attack—one that has taken place, or one that you are working to prevent—security solutions fall somewhere on a spectrum spanning three categories: proactive, active, and reactive. For this framing, these are not normative terms that impute any special value to one end of the spectrum or the other (e.g., proactive = good; reactive = bad). These categories simply describe where each security solution adds value with respect to an attack or an undesired event (before, during, or after).

In the context of an attack, active security technologies are those that attempt to “stop the bullets in flight.” They create barriers to an attack, or they recognize an attack as it is occurring and take steps to stop it. Once the figurative bullet has penetrated, reactive technologies are then used to understand what damage it caused: what happened in the attack, what credentials were compromised, what personally identifiable information or other sensitive information was stolen, and so on.

[Figure 1: Security spectrum categories. A three-column diagram, Reactive (Forensics/Reporting), Active (Monitoring/Alerting/Blocking) and Proactive (Auditing/Risk Assessment), placing the following technologies along the spectrum: Security Information Management, Security Event Management, Log Management, Firewalls, Intrusion Detection System/Intrusion Prevention System, Anti-Virus/Spyware, Data Leakage Prevention (DLP), Network Activity Monitoring, Identity Access Management, Network Access Control (NAC), E-mail/SPAM/Gateway, Data Encryption, Data Monitoring/Auditing, Network/Data Behavior Analysis, Vulnerability Assessment, Configuration Compliance, Web App Scanning, File Integrity Monitoring, Information Technology Governance, Risk Management, and Compliance, Network/Asset Discovery, Data Discovery, Network Topology Assessment, and Identity Access Auditing.]
Proactive technologies function independent of any single attack and operate under the assumption that attacks will occur and some bullets will inevitably get past the active defenses. Their purpose is to constantly “shrink the targets” prior to any attack, so that attacks that do penetrate the active defenses do not necessarily find the weaknesses and vulnerabilities they need to perpetrate the intended damage. Naturally, some solutions fall across more than one part of the spectrum.
As shown in Figure 1, active technologies include solutions like firewalls and identity/access management designed to block inappropriate access. Other solutions are used to detect and counter attacks as they occur. Active solutions are often the first solutions purchased immediately after an attack. They are, in a way, self-justifying because in many cases they can provide detailed statistics on the number of attacks/viruses/spyware detected and deflected. For ISOs who are unsure how to demonstrate the value of their security program to non-security professionals, active technologies can often produce fear-instilling statistics such as the “number of viruses blocked” or “number of spam e-mails intercepted.” While these measures are not always actionable or useful from a security perspective, they can sometimes be used to gain attention and resources.
Reactive technologies include solutions such as log management and security information or event management. While these may also function in an active sense and provide some support during an attack, they are uniquely useful in the aftermath. These tools produce information that analysts pore over to painstakingly recreate the movements of an attacker through the organization. Analysts also use them in day-to-day operations to monitor internal and external network traffic. Retaining and reviewing this information makes it possible to discover problems, to understand what transpired, to ensure that an attack has truly been shut down, and to devise ways to prevent similar attacks in the future. Reactive technologies are most effective when supported by the data collected by proactive technologies during their standard assessments, given that events typically involve a target on the network. Having as much information as possible about the composition and posture of that target makes a world of difference in accurately diagnosing the suspicious network activity that reactive technologies log.
Proactive technologies comprise solutions that support an ongoing, continuous effort to assess and/or harden the security posture of one or more aspects of the network environment. Solutions in this category span asset discovery, data discovery, vulnerability management, configuration auditing, access auditing, and file integrity monitoring. These solutions serve as a foundation for day-to-day continuous risk remediation, supporting the removal of unapproved assets, the identification of sensitive data, the remediation of vulnerabilities, etc. The general impression is that proactive technologies generate work for the security and operations teams.

Unlike active technologies, which can report on the attacks they stopped, proactive technologies are harder to measure: it is impossible to count the attacks that did not occur because of vulnerability remediation and patching. Much like an effective ISO, proactive technologies are successful when they stay off the front page of the newspaper. Utilizing proactive security solutions is considered a best practice because the consequences of not having them can be much greater than the modest investment required to purchase them.
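File integrity monitoring is the most concrete of the proactive solutions named above, and its output illustrates the point that such tools produce a work queue rather than a count of blocked attacks. What follows is an added example written for this edition, not code from the article or from any vendor it mentions: it baselines a directory tree as SHA-256 digests plus permission bits, then reports what drifted. The directory contents, file names and "drift" events in demo() are constructed for the demonstration.

```python
"""Minimal file integrity monitoring: baseline a tree, then report drift.

Added example; the directory, file names and drift events in demo() are
constructed for illustration, not taken from any real system.
"""
import hashlib
import os
import stat
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Record digest and permission bits for every regular file under root.

    Keys are root-relative POSIX-style paths so a baseline taken on one host
    can be compared against the same tree elsewhere. lstat() is used so a
    symlink is never followed; symlinks, sockets and device nodes are skipped.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full), "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def diff_baselines(old, new):
    """Compare two baselines; every entry in the result is an action item."""
    old_paths, new_paths = set(old), set(new)
    common = old_paths & new_paths
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"]),
        "mode_changed": sorted(p for p in common if old[p]["mode"] != new[p]["mode"]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, simulate drift, report it."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text, mode=0o644):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
            return path

        write("etc/sshd_config", "PermitRootLogin no\n")
        hosts = write("etc/hosts", "127.0.0.1 localhost\n")
        ls = write("bin/ls", "#!/bin/sh\nexec /usr/bin/ls \"$@\"\n", 0o755)
        baseline = build_baseline(root)

        # Simulated drift: a weakened config, a new preload library,
        # a deleted file, and a binary made world-writable.
        write("etc/sshd_config", "PermitRootLogin yes\n")
        write("etc/ld.so.preload", "/tmp/libhook.so\n")
        os.remove(hosts)
        os.chmod(ls, 0o777)
        return diff_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:13s} {p}")
```

Two operational caveats the code does not solve: the baseline must be stored where the monitored host cannot rewrite it (off-box, or signed), otherwise an intruder who can change a file can also change its recorded hash; and each reported item only has value if someone is assigned to review it, which is exactly the "generates work" property the article describes.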
Where is the Balance Today?

A good portion of the $60 billion global IT security market goes to active security technologies. [1] According to Gartner, firewalls alone represent a $6.5 billion market. [2] Corporations will spend $3.4 billion on corporate desktop security software, and consumers will spend even more than that on anti-virus protection. Identity/access management, data loss prevention, and intrusion prevention—all active technologies—are designed to block or stop attacks as they are occurring, and have been high priorities in the security arena.

At the same time that active technologies are hardening our outer defenses to block attacks, however, the explosion of social media and the popularity of mobile devices are making our boundaries porous in new ways. The sophistication of attacks continues to increase, and commercial build-it-yourself malware kits make it very difficult for anti-virus and anti-spyware solutions to keep up with new malware threats and prevent infection. Despite advances in security technology, there will always be malware that can get through our defenses.
Institutions Driving Change

A shift in the balance from active towards proactive technologies dates back to the 2004-2005 timeframe, when the then-Chief Information Officer of the United States Air Force, John Gilligan, leveraged Air Force procurement clout to require that Microsoft and its original equipment manufacturers deliver Windows systems configured in accordance with the Center for Internet Security benchmarks. [3, 4] According to estimates from the National Security Agency, this action eliminated close to 90% of the vulnerability and configuration risk on these devices, compared with the previous configurations. This unprecedented action by the Air Force set the stage for the Office of Management and Budget (OMB) to impose a Microsoft workstation configuration standard, the Federal Desktop Core Configuration (FDCC), on all civilian agencies. [5] At the same time, OMB required the vendor community to step up and deliver scanning technologies that could demonstrate compliance with the FDCC standard, using a set of shared standards for communicating information about assets, vulnerabilities, and configurations.

Over the last several years, OMB, the National Institute of Standards and Technology (NIST), and the Department of Homeland Security (DHS) have been working together to grow the Microsoft workstation configuration program from its modest beginning into a far broader strategy of continuous monitoring. In this context, even the word “monitoring” has shifted in meaning. Previously, the term was associated with, literally, the continuous observation and response carried out by a security operations center. Today, as used by Congress and OMB, it refers (in a proactive context) to continuously discovering assets and assessing their risk posture in support of a systematic program of risk reduction. Continuous monitoring is now one of the Administration’s three primary IT security initiatives, along with Trusted Internet Connection and Homeland Security Presidential Directive-12 implementation. [6, 7, 8] The most recent Federal Information Security Management Act (FISMA) report details the increase in civilian agencies’ continuous monitoring efforts, [9] and the amendments to FISMA that recently passed the House also place critical emphasis on this area. [10]
New Capabilities

Effective continuous monitoring is not rocket science. Former Centers for Medicare and Medicaid Services (CMS) Chief ISO and federal security thought leader Ryan Brewer has frequently stated that it is simply about getting the basics right—knowing what you have and knowing that each element of your network has been hardened to the greatest degree possible. [11] According to Verizon’s Data Breach Investigations Report, the vast majority of attacks reported in 2011 leveraged vulnerabilities or misconfigurations that were well known and understood, but unaddressed. [12] These attacks were not stopped by the active defenses of anti-virus, firewalls, or intrusion prevention systems, but they could readily have been stopped or reduced in impact through the application of the appropriate patches or the correct configuration settings.

That said, there are some technological and programmatic innovations that are improving the efficacy of proactive security solutions. First, an increasing number of solutions are able to assess security risk and configurations “agentlessly,” i.e., without requiring the installation of software on each asset to be measured, which reduces costs. [13]

Second, a number of best practices have emerged around the use of scorecards, report cards, and other data presentation tools that have been shown to dramatically affect how people—especially executives and other non-security professionals—respond to security information. The Department of State (DoS), CMS, and others have demonstrated overall risk reductions of 90% and higher in a short timeframe in this manner. These tools are effective because they prioritize the volumes of information collected by continuous monitoring solutions and make it extremely actionable. They also use corporate visibility and peer pressure as incentives to drive accountability and improvement. In the private sector, new tools are emerging that further increase the visibility of security performance and offer the ability to benchmark the performance of a security solution in one organization against the average performance of similar solutions in a comparable group. [14]
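The scorecards described above work by turning a long list of scan findings into a short ranked list with one number per organization. The following is an added example written for this edition; it is not the State Department’s or CMS’s actual scoring model and not code from the article’s author. It applies an aging multiplier to CVSS scores so that a finding left open past a grace period costs more each month, normalises the total per host so units of different sizes can be compared on one card, and flags who sits above the peer mean. The findings, bureau names, host counts, grace period and multiplier cap are all constructed assumptions.

```python
"""Aging-weighted risk scorecard over constructed continuous-monitoring findings.

Added example. Bureau names, hosts, CVSS values, ages, the 30-day grace period
and the multiplier cap are constructed assumptions, not any agency's model.
"""
from collections import defaultdict

# Constructed sample: one row per open finding from a vulnerability/configuration scan.
FINDINGS = [
    {"org": "Bureau A", "host": "a-web-01", "cvss": 9.8, "age_days": 45,  "title": "Unpatched OpenSSL"},
    {"org": "Bureau A", "host": "a-db-02",  "cvss": 5.3, "age_days": 3,   "title": "Weak TLS cipher suites"},
    {"org": "Bureau B", "host": "b-ws-117", "cvss": 7.5, "age_days": 120, "title": "FDCC: AutoRun enabled"},
    {"org": "Bureau B", "host": "b-ws-118", "cvss": 7.5, "age_days": 2,   "title": "FDCC: AutoRun enabled"},
    {"org": "Bureau C", "host": "c-fw-01",  "cvss": 4.0, "age_days": 400, "title": "Default SNMP community"},
]

# Constructed asset inventory: the "know what you have" step that comes first.
HOSTS_PER_ORG = {"Bureau A": 2, "Bureau B": 50, "Bureau C": 5}


def score_finding(finding, grace_days=30, step_days=30, max_multiplier=4.0):
    """Risk points for one finding.

    The CVSS base score is multiplied by 1 + (full step periods open beyond
    the grace period), capped. Aging is what separates a remediation
    programme from a static count: the same finding costs more the longer
    it is ignored.
    """
    overdue = max(0, finding["age_days"] - grace_days)
    multiplier = min(max_multiplier, 1.0 + overdue // step_days)
    return finding["cvss"] * multiplier


def scorecard(findings, hosts_per_org):
    """Per-organisation totals, normalised per host and ranked worst first."""
    totals, counts = defaultdict(float), defaultdict(int)
    for f in findings:
        totals[f["org"]] += score_finding(f)
        counts[f["org"]] += 1
    rows = []
    for org, hosts in hosts_per_org.items():
        rows.append({
            "org": org,
            "open": counts[org],
            "risk": round(totals[org], 1),
            "risk_per_host": round(totals[org] / hosts, 2),
        })
    rows.sort(key=lambda r: r["risk_per_host"], reverse=True)
    return rows


def peer_benchmark(rows):
    """Flag each organisation against the peer mean of risk per host."""
    mean = sum(r["risk_per_host"] for r in rows) / len(rows)
    return [dict(r, vs_peers="above" if r["risk_per_host"] > mean else "at or below")
            for r in rows]


def work_queue(findings, limit=3):
    """The action list: the highest-scoring open findings, not the newest."""
    return sorted(findings, key=score_finding, reverse=True)[:limit]


if __name__ == "__main__":
    for row in peer_benchmark(scorecard(FINDINGS, HOSTS_PER_ORG)):
        print(f"{row['org']:9s} open={row['open']} risk={row['risk']:5.1f} "
              f"per_host={row['risk_per_host']:5.2f} {row['vs_peers']}")
    for f in work_queue(FINDINGS):
        print(f"{score_finding(f):5.1f} {f['org']} {f['host']} {f['title']}")
```

With these inputs the ranking flips once totals are normalised: Bureau B carries the largest raw score but the smallest per-host figure, the kind of distinction a raw finding count hides. The aging multiplier is the lever that makes the card drive behaviour: a 120-day-old high finding outranks a 45-day-old critical one in the work queue.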
Considerations for the Information Assurance (IA) Community

Proactive security solutions have tended to be under-represented in IT security solution portfolios. They are, frankly, not as appealing as the latest detection and intervention solutions, as they do not offer the instant gratification of tools that showcase events happening as traffic moves through the network. When proactive solutions are working effectively, they generate action items for the security and operations teams—not always a popular thing—and unlike active solutions, they do not produce fear-inducing statistics that prove their value by listing all the attacks they turned away.

Notwithstanding these past trends, the importance of proactive solutions is gaining recognition as a key part of the foundation of a healthy security ecosystem. This recognition is being driven in part by Administration initiatives and OMB, DHS, NIST, and Department of Defense (DoD) actions to expand the use of proactive solutions, specifically those represented by continuous monitoring. The industry is responding by delivering more powerful and more cost-effective solutions that are compliant with the requisite standards.

The challenge for the IA community is two-fold: to recognize the growing importance of proactive solutions in the technology portfolio, and to sustain focus on the fact that the value of proactive solutions emerges entirely from the degree to which the information they generate is actionable—and is acted upon—as part of an ongoing risk reduction effort. To realize the full value of a proactive solution investment, it must be accompanied by changes in business processes and workflows that support effective and prioritized responses to the risk elements it identifies.

Additionally, as is always the case when any security approach becomes a mandate, there is a danger that some will implement a solution merely to demonstrate compliance with the mandate for continuous monitoring, [15] failing to understand that the value of continuous monitoring (and other proactive solutions) is achieved through the associated programs and processes that act on the collected information. If there is no will to use the information as the foundation for a program of reducing risk, then measuring risk on a daily basis is no better than not measuring at all. [16]

Evolving FISMA and DoD directives provide organizations with a rare opportunity to take a fresh look at their security investment ‘portfolio,’ and to rethink how security investments are distributed and prioritized. From this new vantage point, prioritizing and integrating proactive security technologies that reduce attack surface and harden each network element to the greatest possible degree can make the allocation of scarce resources more efficient and, what really matters, more effective. For those interested in models of comprehensive and effective risk monitoring and remediation programs, DoS [17], CMS, and private organizations such as Pacific Gas and Electric [18] and St. Luke’s Health System [19] demonstrate a variety of best practices in this area.
About the Author

Keren W. Cummins is Director of Federal Markets for nCircle, where she works with government agencies to provide tools for large-scale enterprises in the arenas of agentless asset discovery and profiling, configuration compliance management, change auditing, and file integrity monitoring. Previously, Ms. Cummins was Vice President (VP) of the Public Sector for Phoenix Technologies, where she worked with federal agencies and partners on device authentication and other basic input/output system-level services. Ms. Cummins also held the position of VP Government Services for Digital Signature Trust. Before joining the commercial sector, Ms. Cummins worked for the Commerce Department and served on the Federal Public Key Infrastructure Steering Committee. She can be contacted at [email protected].
References
1. http://www.eweek.com/c/a/Security/Cyber-Security-Spending-to-Hit-60-Billion-in-2011-121173/
2. http://www.wired.com/wiredenterprise/2012/03/antivirus/
3. http://www.cert.org/podcast/notes/25kreitner.html
4. http://benchmarks.cisecurity.org/en-us/?route=default
5. http://nvd.nist.gov/fdcc/index.cfm
6. http://csrc.nist.gov/groups/SMA/fisma/documents/faq-continuous-monitoring.pdf
7. http://www.dhs.gov/files/programs/gc_1268754123028.shtm
8. http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf
9. http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy11_fisma.pdf
10. http://www.executivegov.com/2012/04/cbo-fisma-update-would-cost-710m/
11. http://scap.nist.gov/events/2009/itsac/presentations/day2/Day2_HealthIT_Brewer.pdf
12. http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
13. http://www.defensenews.com/apps/pbcs.dll/article?AID=2012306130003
14. http://www.ncircle.com/pdf/papers/nCircle-WP-SecurityBenchmarking-GoingBeyondMetrics-1114-01.pdf
15. http://connect.ncircle.com/t5/Federal-Outlook/Lowest-Common-Denominator-Security-When-does-measuring-something/ba-p/1998
16. http://connect.ncircle.com/t5/Federal-Outlook/Measuring-the-test-not-the-result/ba-p/1962
17. https://www.sans.org/press/department-statewins-ncia.php
18. http://www.ncircle.com/pdf/studies/nCircle-CS-PGE-1019-06.pdf
19. http://www.ncircle.com/pdf/studies/nCircle-CS-SLHS-1120-02.pdf
The Keys to Better Security on a Tight Budget
by W. Hord Tipton

Information security managers in government today are facing the most challenging fiscal environment in decades. Despite the vital role that cybersecurity personnel, departments, and initiatives play in protecting assets and infrastructure, federal Chief Information Security Officers (CISOs) are not getting the resources they need to pay for the full range of products, services, and staff needed to mature agency-level cybersecurity programs; they now face an unprecedented trifecta of challenges: increased budget cuts, hiring freezes, and the inability to fill key positions. Adding to the complexity of operating in this limited environment is the reality that unless there is an actual security incident, provisions for information security improvements are few and far between. While financial complexities also exist in the private sector, it is safe to say that those leading cybersecurity efforts in government are being impacted to a greater degree.

While the phrase “doing more with less” sounds like a reasonable and practical approach, how is it really possible to secure systems on decreasing budgets?

In 2005, the Office of Management and Budget (OMB) attempted to address this challenge by chartering a program called the Information Systems Security Line of Business (ISS LoB) that was intended to provide agencies with shared information security services and subsequent cost efficiencies. [1] The hope was this: “The ISS LoB investment will improve the level of cybersecurity across all government agencies, reduce costs by consolidating certain security products and services into centralized Shared Service Centers, and improve security decision-making through an agency-neutral governance structure.” [2] While this and other government initiatives over the years have held promise, the success of ISS LoB has depended upon the government’s ability to provide ongoing support. A recent evaluation by Department of Homeland Security leadership revealed that “funding risk exists for ISS LoB, given the large scope of the program.” [3] Sadly, the very program that was intended to help create efficiencies is not immune to its own funding challenges.

As an organization that is vested in the success of its members and of government information security programs as a whole, the International Information Systems Security Certification Consortium, (ISC)2, has been monitoring this environment, conducting research and facilitating discussions surrounding the practical steps that government information security personnel can take to keep information assets secure when times are lean. The bad news is that our research shows little hope for budgetary change in the near future.

The (ISC)2 2012 Career Impact Survey was conducted between December 2011 and January 2012 to track the impact of the economic climate on cybersecurity salaries, hiring outlook, budgets, threats, and more. [4] Of the 2,256 global respondents, 545 from U.S. federal government agencies reported on their agency’s current fiscal conditions and what they anticipated the fiscal climate to be in 2012. When asked how their agency’s information security budget had changed in the last 12 months, approximately 80% of federal respondents said there was either no change or a decrease. When asked how they anticipated that changing in 2012, 84% said there would be no change or an actual decrease in budget. Given these statistics, and now that the first half of 2012 has passed, respondents seem to have painted a realistic picture that offers little promise for change.

So what is the good news? From our community of federal CISOs, Chief Information Officers (CIOs), and other front-line information security managers, we have discovered that despite the challenges, agencies can and are recognizing opportunities and finding new ways to secure assets and infrastructure efficiently and effectively on a limited budget; [5] however, that does not mean that the security needs of government information systems are being met. There are some positive approaches that agencies are using to cope with limited budgets.
Agencies are applying an austere
approach across all three areas of
“holistic” information security practice:
people, processes/policy, and
technology; however, it appears that the
“people” component—specifically the
ability to hire and keep qualified
personnel—has become the primary
stumbling block, especially given the
broader personnel shortage otherwise
referred to as the current “information
security human capital crisis.” Since
2009, a number of reports show that
there is a radical shortage of qualified
information security professionals
worldwide, driven in large part by the
absence of an effective system that
provides a path for students at every age
to progress in cybersecurity education
and ultimately join the workforce.
Government information security
managers are not only at risk of losing
good people due to budget cuts, but their
challenge is compounded by a pervasive
human capital problem. Much broader
in scale and size, the increased demand
for and decreased supply of qualified
information security professionals
makes it extremely difficult to identify
practical steps toward both short- and
long-term solutions.
In response to this crisis, the U.S.
federal government has implemented
several programs/initiatives with the
immediate goals of expanding
cybersecurity education, identifying
future cybersecurity professionals at the
high school level (and younger), and
fostering educational and professional
development. Such initiatives include
the Comprehensive National
Cybersecurity Initiative [7], the NICE
Initiative [8], the U.S. Cyber Command
[9], and the U.S. Cyber Challenge [10];
however, there still remains a long-term
need to cultivate the pipeline of
qualified, ethical professionals to ensure
the security of our data and critical
infrastructures that must be addressed
on a broader scale by industry,
government, and academia.
Government security managers must find ways to create an appealing work environment to recruit and retain skilled personnel, without having the funds to compensate and create incentives. They must ensure that their agency is able to retain its most talented cybersecurity personnel despite the numerous opportunities enticing employees to seek employment elsewhere, and must find ways to fill personnel voids when new hiring has been restricted. In the rare event that a security manager has sufficient funding to hire a key position, they must come up with ways of actually finding someone whose skills match the requirements of the position given the current shortage.
(ISC)2’s Global Information Security Workforce Study projects that there will be 4.2 million information security professionals by 2015. [11]
Top priorities to consider from a technology perspective:
• Evaluate and invest in technologies that are going to save money in the long run, such as building a robust security architecture up-front;
• While most agencies have developed sound IT architectures over the past 5 to 10 years, and in some cases have achieved modernization of critical systems, recognize that there are still countless opportunities for improving IT efficiency;
• Cut the number of redundant technologies that, once reduced, will help improve an agency’s ability to defend its systems at less cost, including the number of portals, disk images, and network gateways;
• Consolidate systems and data centers to obtain major cost efficiencies;
• Consider building a private cloud that will consolidate and manage information and free up personnel and the budget for re-allocation toward an important technology purchase; and
• Consider moving non-critical systems to a public cloud. Although more complex in terms of migration, public clouds afford the same benefit as private clouds, but on a larger scale. With the newly issued guidance on cloud security, FedRAMP, our reliance on cloud technology can and should be given greater consideration. [6]
A few things to consider as personnel, plans, and budgets shift—
• Gaining access to more candidates is essential to cutting costs so that you do not end up paying a high price for moderate-level skills. Security managers should create alliances with organizations/initiatives that are committed to increasing the pool of skilled security personnel. Look to professional communities, such as local association chapters or forums, for help.
• Become more “human resource” savvy—think creatively about strategies to retain your best people, such as allowing them to telework or even work remotely from a less-expensive city. These options can also save money on space and administrative costs.
• Consider offering your staff a flexible work week. A 4-day, 10-hour schedule allows people to commute and avoid rush hours and provides opportunity for 3-day weekends. After all, most information technology security employees already work 10-hour days.
• Prioritize and seek soft skills when recruiting. Hire people who have the communications skills necessary to present a business case and convey the immediate value of a security investment.
• If under a hiring freeze, consider the use of contractor personnel to maintain critical capabilities. It is easier to get money for special tasks than to add to the current headcount.
Depending upon the source, categories of advice for how to “do more with less” range from the general to the tactical, from issues “technical” to “people” in nature, but there are several recommendations that apply to all who oversee or manage a government information security budget—
• Make sure you can defend everything you ask for—tie your dollars to your mission;
• Focus on the critical work and that which will be crucial to your success;
• Establish a working relationship with the chief financial officer, chief budget officer, and CIO to ensure that cybersecurity funding requirements and priorities are both articulated and understood;
• Look toward the private sector for ideas and support, since the private sector is facing similar funding limitations;
• Evaluate the resources you have and eliminate what is not critical;
• Further develop alliances and business relationships; and
• Think “enterprise” and aim to maximize efficiencies across the enterprise.
For years, government budgets have been tight, and security managers have never received the full budgets they have requested; however, there is a positive side to operating from a position of being lean and hungry—you are always looking for better efficiencies, and more often than not, better efficiencies lead to improved security.
For additional information on security on a tight budget, refer to the following Web sites—
• http://gcn.com/articles/2012/02/29/rsa-7-cybersecurity-manpower-cisos.aspx?sc_lang=en
• http://www.nextgov.com/nextgov/ng_20120229_6909.php
• http://gcn.com/articles/2011/07/18/8-tips-security-tight-budget.aspx
About the Author
W. Hord Tipton | has over 30 years of business experience, including CIO for the U.S. Department of the Interior for over 5 years, director for international programs for the Minerals Management Service, engineer for Union Carbide Nuclear Corporation for 13 years, and various other high-level positions. He has been a member of the Board of Directors since 2005 and a member of the (ISC)² U.S. Government Advisory Board since 2004, where he is also the Executive Director. Mr. Tipton holds a B.S. from the University of Morehead and an M.S. from the University of Tennessee. He received the Distinguished Rank Award for government service from the President of the United States. He can be contacted at [email protected].
References
1. http://www.whitehouse.gov/omb
2. http://www.itdashboard.gov/investment?buscid=420
3. http://www.dhs.gov/xlibrary/assets/mgmt/itpa-nppd-lob2011.pdf
4. https://www.isc2.org/uploadedFiles/Industry_Resources/2012%20Career%20Impact%20Survey%20Results_US%20Gov%20Federal_011112.pdf
5. http://www.federalnewsradio.com/?nid=498&sid=2765954
6. http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf
7. http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative
8. http://csrc.nist.gov/nice/
9. http://www.defense.gov/home/features/2010/0410_cybersec/
10. http://www.uscyberchallenge.org/
11. https://www.isc2.org/uploadedFiles/Industry_Resources/FS_WP_ISC%20Study_020811_MLW_Web.pdf
Top priorities to consider from a process/policy perspective:
• Validate each new initiative according to cybersecurity program priorities;
• Mature and document processes;
• Integrate security-related processes into the system development life cycle;
• Maximize the use of common controls and utilize process automation in your compliance efforts; and
• Regardless of bureaucracy or resistance from system owners, shut down systems that are no longer critical to agency operations.
This article continues our profile
series of members of the
Information Assurance Technology
Analysis Center (IATAC) Subject Matter
Expert (SME) program. The SME
profiled in this article is Colonel Gregory
Conti at the United States Military
Academy (USMA). COL Conti is a
Military Intelligence Officer and
Academy Professor at the Department
of Electrical Engineering and
Computer Science.
COL Conti graduated from USMA in
1989 with a B.S. in Computer Science.
During his first tour, he served in the
24th Infantry Division (ID) and deployed
to the Persian Gulf War in support of
Operation Desert Shield and Operation
Desert Storm. During his time in the
24th ID, his assignments included
Collection Manager, Electronic Warfare
Platoon Leader, and Cavalry Squadron
Intelligence Officer. After completing
the Military Intelligence Officer’s
Advanced Course, he was selected for
the United States Army Intelligence &
Security Command’s National Systems
Development Program at the National
Security Agency (NSA), a program
designed to create Army Officers skilled
in strategic intelligence systems. While
at NSA, he served as Battalion S3 of the
743rd Military Intelligence Battalion and
was selected for company command at
Menwith Hill Station, UK. While at
Menwith Hill, he served as the Deputy
Chief of Current Operations and as
Commander of Headquarters and
Headquarters Company, 713th MI
Group, and became certified as an NSA
Signals Collection Officer. Upon his
departure from Menwith Hill, COL Conti
completed his M.S. in Computer Science
at Johns Hopkins University.
After completing his M.S. in 2000,
COL Conti joined USMA’s Department of
Electrical Engineering and Computer
Science faculty, where he served as a
faculty recruiting officer and taught
networking and information technology
courses. COL Conti founded the
Academy’s cybersecurity club, which is
now in its 10th year and boasts members
from every academic department in
the USMA.
COL Conti completed his Ph.D. in
Computer Science at the Georgia
Institute of Technology in 2006, after
which he was selected as an Academy
Professor and became part of USMA’s
long-term faculty. COL Conti now serves
as the Director of the Cyber Research
Center [1], formerly known as the
Information Technology Operations
Center in the Department of Electrical
Engineering and Computer Science,
where he focuses on developing cadets,
faculty, and staff in cybersecurity;
performs outreach; and helps leverage
the USMA’s intellectual capital to solve
pressing Army and Department of
Defense problems. He also deployed to
Operation Iraqi Freedom, serving as
Officer in Charge of the U.S. Cyber
Command’s Expeditionary Support
Element. He was also invited to return to
U.S. Cyber Command and help create,
develop, and teach the Joint Advanced
Cyber Warfare Course.
COL Conti is the author of Googling Security [2] and Security Data Visualization [3]. He has authored more than 40 research publications, and spoken at more than 50 industry, government, hacker community, and academic events. [4] He is regarded as an expert in security visualization, online privacy, usable security, and cyberwarfare. COL Conti is also an Associate Professor and a Senior Member of the Association for Computing Machinery.
References
1. http://www.itoc.usma.edu/
2. Conti, Greg. Googling Security: How Much Does Google Know about You? Addison-Wesley Professional, 2008.
3. Conti, Greg. Security Data Visualization: Graphical Techniques for Network Analysis. No Starch Press, 2007.
4. http://www.gregconti.com/
Subject Matter Expert: COL Gregory Conti, by Angela Orebaugh
The Biometrics Capability Maturity Model, by Ryan Triplett, Gregory Zektser, Abel Sussman, and Brian Harrig
Organizations today are developing
enhanced security policies and
regulations due to increased awareness
of potential security risks. Biometrics
technologies are becoming increasingly
significant to security for information
assurance (IA) purposes by enabling
three-factor authentication.
Organizations that integrate biometrics
technologies into existing physical and
information technology (IT) processes
are significantly increasing IA and
providing a more secure operating
environment. Effective processes
provide a foundation for organizations
to adopt and utilize the ever-changing
biometric technologies, and maximize
organizations’ resources to provide the
best rate of success. Today’s marketplace
offers many standards, methodologies,
and best practices that organizations
can deploy to enhance their biometric
capabilities, objectives, and goals, but
taken individually, they do not provide a
disciplined approach to solving
organizations’ biometric challenges in a
holistic, enterprise-wide manner.
Unfortunately, these individual
enhancements have contributed to a
wide implementation of a number of
proprietary, stovepiped biometric
solutions, immature system
capabilities, and inefficient processes
that many biometric organizations are
faced with today.
The Biometrics Capability Maturity
Model (BCMM) methodology and a
framework were developed using
principles of the well-respected
Capability Maturity Model Integration
(CMMI). The BCMM takes a holistic
approach to establishing biometric
organizational profiles, and provides
guidance for efficient, effective
improvements across multiple
capabilities within a biometric-focused
organization or enterprise. The BCMM
Framework defines measurable
characteristics, qualitative and
quantitative, to establish maturity levels
for biometric organizational core
capabilities. The BCMM is designed to
provide enterprise-wide solutions that
require an integrated approach. In
essence, organizations are able to utilize
the BCMM to manage and evolve their
capabilities as part of achieving their
business objectives.
The BCMM Domains
The BCMM Framework describes three
biometric organizational domains and
their corresponding core component
capabilities. Domains are groups of
related biometric capabilities and
measurable characteristics, which the
BCMM uses to establish maturity
progression. Note that some of the
capabilities listed within a domain may
overlap into other domains; in these
cases, the capability has been placed
within the domain that its
characteristics most closely resemble.
Figure 1 presents the domains and
their components.
The Operational domain
establishes the biometric capabilities
and characteristics that incorporate the
concepts and procedures that involve
biometric data exploitation, application,
and acquisition. The capabilities
described in the Operational domain are
associated with the procedures for
identifying an individual or individuals.
The capabilities within this domain are
an organized set of specialized activities
that have unique processes. Biometric
data exploitation utilizes data to enable
operational applications, which can
then be applied to real-world scenarios
to achieve operational objectives.
Biometric capabilities—Human Factors
and System Usability—that are
associated with ergonomics should be
considered when acquiring biometric
systems and data for operational use.
The Programmatic domain
establishes the biometric capabilities
that incorporate the concepts and
procedures involving communication,
integration, and strategic
implementation. The Programmatic
domain defines a usable set of program
capabilities that support efficiencies,
enable enforcement, and provide
consistency across biometric
organizations. The Programmatic
domain lists key capabilities for
providing a higher probability for
interoperability with entities and
operational systems outside of the
organization. Communication
capabilities promote awareness and
education, both internal and external to
the organization. Integration
capabilities establish criteria, identify
relationships, and establish functional
needs. Strategic capabilities enable the
enforcement of regulations through the
development and adherence to policy-
driven doctrine. Programmatic
capabilities also include the discipline
of planning and managing resources
and data to strategically align
organizational objectives.
The Technology domain establishes the biometric capabilities and characteristics that incorporate the concepts and procedures involving function, measurement, analysis, and study. The Technology domain lists the capabilities for providing tools, systems, and research. The Technology domain includes key capabilities to support enhanced technologies and services to perform analysis and cutting-edge development. The Functional capabilities promote the use of multimodal biometrics from an array of inputs and sources. The Measurement capabilities enable the use of data to develop metrics for evaluation, and to establish baselines for developing objectives. The Analysis & Study capabilities enable advancements in technologies.
Figure 1 BCMM domain components: Storage/Match/Analysis; Biometric Enabled Intelligence; Interoperability; Modalities; Mobile Biometrics; Access Control; Forensics; Capture; Human Factors; System Usability; Training and Education; Public Outreach and Awareness; Standardization; Architecture; Requirements; Doctrine; Project Management; Identity Management; Data Integrity; Data Quality; Biometric Fusion; Test and Evaluation; Research and Development
The BCMM Maturity Levels
Figure 2 depicts how BCMM defines
levels of maturity, which range from Ad
Hoc (Level 1) to Advanced (Level 5).
Each level has distinguishable
differences that are defined by the
characteristics of an organization’s
capabilities and progress towards
achieving business objectives. Each level
of maturity builds upon the previous;
therefore, organizations cannot reach
the next level of maturity without
exhibiting the established goals of the
current level.
The following list contains additional details on the five levels of the BCMM—
• Level 1 capabilities may produce products and services that work; however, they frequently exceed the budget and schedule of their projects, and are often unpredictable. Processes at this level are either not performed or performed partially. Organizations with capabilities at this level have a tendency to overcommit, abandon processes in the time of crisis, and are not able to repeat their past successes.
• Level 2 capabilities help to ensure existing practices are retained during times of stress. When these practices are in place, projects are performed and managed according to their documented plans. The status of the work products and the delivery of services are visible to management at defined points. Work products are reviewed with stakeholders and are controlled; services satisfy basic requirements, standards, and objectives.
• Level 3 capabilities have formalized processes and are described in standards, procedures, tools, and methodologies. The capabilities have well-defined processes tailored to the organization’s set of procedures and established guidelines. Management establishes objectives based on the organization’s set of standard processes, and ensures that these objectives are appropriately addressed. The capabilities are managed more proactively using an understanding of the interrelationships.
Figure 2 High-level biometrics capability maturity model. The figure arranges the Operational, Technology, and Programming domains against five maturity levels (Level 1: Ad Hoc; Level 2: Foundational; Level 3: Progressive; Level 4: Enhanced; Level 5: Advanced), with representative characteristics at each level:
Level 1: Internal/external policies are uncoordinated; informal testing and no developed metrics; SOPs are nonexistent, no Human Factors considered, system is difficult to use.
Level 2: External privacy and legal policies are identified; applies security techniques and testing methodology, and understands program gaps; processes and procedures are established, able to share basic data exchange.
Level 3: All internal and external policies are identified and linked; multiple sources of information, data quality is measured, comprehensive test and evaluations; system-wide standards are developed and implemented.
Level 4: Fully integrated external regulations and policies; multimodal biometric systems with fusion, formally tested security techniques; standards and processes are implemented enterprise-wide and across agencies.
Level 5: Program and agency doctrine is referenced by external organizations; sharing, analysis, and testing are enriched by cloud computing; standardized, quality-driven data with actions processed in real time using cloud.
• Level 4 capabilities have been formally institutionalized, and proven metrics have been established for statistical analysis. The processes are continually improved based on a qualitative and quantitative understanding of the enhanced processes. Strategic business decisions are based on the analysis of enhanced capabilities.
• Level 5 capabilities focus on continuous improvement with no significant changes. The processes at this level are automated in nature and referenced by the enterprise as the status quo.
Establishing the BCMM Organizational Profile
To establish a baseline organizational
biometric capability profile,
organizations are rated in each domain
based on interviews, onsite visits, and
answers provided through a compass
survey. The interviews consist of a
two-way exchange of information to
gather relevant data, build trust, and
establish a relationship between the
organization and assessment team. The
onsite visits are designed to observe the
facilities, access documentation, and
achieve a better understanding of
day-to-day activities. The compass
survey contains specific questions for
each of the capabilities to determine if
the organization possesses the
characteristics of the maturity levels
being assessed. An organization is not
expected to completely exhibit all
characteristics within a maturity level to
achieve the specified level of maturity;
however, the organization should be
prepared to provide enough substantial
evidence for an accurate assessment.
A higher rating for each domain
correlates with the rate of maturity for
each capability. An organization’s rating
is intended to establish an
organizational biometric capability
profile, and will be used to assess
organizational growth over a period of
time. The results may also be used for
benchmarking and developing goals
specific to the organization. As with any
scoring assessment, organizations may
be tempted to compare scores to
determine rankings; however, this is not
advised nor is it a valid use of the model.
Organizations possess various
combinations of capabilities and have
different business and strategic goals;
therefore, each biometric capability
profile is unique. n
About the Authors
Ryan Triplett | is an Institute of Electrical and Electronics Engineers (IEEE) Certified Biometrics Professional (CBP) with 15 years of engineering experience, including 8 years in the field of Biometrics. He supports the vital biometrics standardization process on both national and international fronts by participating, contributing, and leading efforts to implement, develop, and perform conformance testing as well as formally adopt biometrics- and identity management-related standards. Mr. Triplett holds dual B.S. Engineering degrees from West Virginia University in Electrical Engineering and Biometrics Systems, as well as an M.B.A. from West Virginia University. He can be contacted at [email protected].
Gregory Zektser | has over 30 years of engineering and management experience, including 10 years in the field of Biometrics. He is an internationally recognized expert in Biometrics standardization, conformance and performance testing, and data quality measurement. Representing his clients in national and international standards bodies on Biometrics, he serves as an editor of Biometric testing standards, and leads Booz Allen Hamilton’s participation in industry forums, conferences, and events. Mr. Zektser holds an M.S. in Engineering with an emphasis on computer-aided design and technological processes automation. He can be contacted at [email protected].
Abel Sussman | is part of Booz Allen Hamilton’s Cyber Technology Team, and is responsible for delivering IA and identity management solutions, especially through biometric development strategies, privacy protection, and associated policy development. He serves as a subject matter expert (SME) to the Department of Homeland
Security Transportation Security Administration. Additionally, Mr. Sussman has developed processes for the Department of Defense (DoD) to assure compliance with federal Homeland Security Presidential Directive – 12 and Federal Information Processing Standards 201 guidelines. He can be contacted at [email protected].
Brian Harrig | is part of Booz Allen Hamilton’s Cyber Technology Team, and is responsible for activities involving the integration of identity management solutions and biometric technology capabilities. He serves as a SME to the DoD Biometrics Identity Management Agency (BIMA). In this role, Mr. Harrig is the lead developer of the DoD Electronic Biometric Transmission Specification, which allows for the sharing of biometric data. Additionally, Mr. Harrig coordinates DoD BIMA interests across the government to promote interoperability. Mr. Harrig holds a B.S. in Computer Engineering and is an IEEE CBP. He can be contacted at [email protected].
This is the second article in a
two-part series that highlights the need
to share information on one hand, and
the need to protect it on the other.
The hyperlinks throughout this
article provide quick access to
additional information.
On March 10, 2011, the U.S. Senate
Homeland Security and
Governmental Affairs Committee
hearing “Information Sharing in the Era
of WikiLeaks: Balancing Security and
Collaboration” included testimony from
several information sharing
stakeholders, including the Information
Sharing Environment (ISE) director, on
how the need to share information could
be better balanced with the need to
protect information. [1] How this
balance is struck gets to the heart of a
shift away from the imperative for
assured information sharing and
towards the imperative for responsible
information sharing. This article—
second in our series—highlights
challenges and emerging solutions
for achieving responsible
information sharing.
As we discussed in our previous
article, before 2002, the decision of
whether and what information to share
with certain consumers was entirely at
the information owners’ discretion, with
the owners’ interest in retaining control
over that information often outweighing
consumers’ needs. Prospective
consumers were at the mercy of
information owners. It was the owners
who decided what information they
were willing to share, and the owners
who required the consumers to prove
that they had the “need-to-know” to
whatever information that happened
to be.
This owner-controlled, highly-
restrictive information sharing
paradigm was found to be a key
contributor to the failure in intelligence
that resulted in the government’s failure
to prevent the catastrophic events of
September 11, 2001. As a result of the
findings of the 9/11 Commission, a new
assured information sharing culture was
mandated, as illustrated in our previous
article. Under the Assured Information
Sharing model, information owners
were required to make all of their
information available to any prospective
consumer who was not explicitly
prohibited from accessing it.
Clearly a new approach was
needed, one that would strike a balance
between excessive restrictiveness and
excessive laxity. Responsible
information sharing seeks to recover the
security awareness and re-impose some
of the information owner’s rights to
place justifiable limits on what
information they share and with
whom—security constraints that
characterized pre-9/11 information
sharing culture—while also preserving
the “imperative to share” that, it is
hoped, will continue to ensure that none
of the information needed by consumers
is unjustifiably withheld from them.
Responsible information sharing
operates under the following
principles—
• Information sharing—defined in Department of Defense’s (DoD) Information Sharing Strategy as “making information available to participants (people, processes, or systems)”—is not an end in itself. Which information will be shared, and the protocols for sharing it, should be determined based on mission need.
• Classification levels alone should not determine whether information is “shareable.” The information sharing activity or transaction must be of mutual value to both the information consumer and the information provider. [2] Ideally, the only information a prospective information consumer would seek or request would be that which the provider would benefit in some way from sharing.
• Sources and methods must always be protected. No exceptions.
• Other constraints on whether or not information can be shared include whether the desired sharing would violate any laws, regulations, policies, ethics, fairness, or someone’s civil liberties, and whether it would be consistent with imperatives for privacy or proprietary protection of the information.
• Sharing participants need to define rules of engagement (ROE) before sharing. These rules need to delineate information sensitivity, including confidentiality, privacy, and “proprietariness” requirements. The information consumer should ensure that the information can be protected to the degree required by the provider. The ROE should also state the desired outcome of the sharing/collaboration; this desired outcome should help determine which information needs to be shared. The ROE should also stipulate mitigations for information leakage/spillage, misappropriation, and misuse/abuse.
• The objective is for the information provider to grant the consumer access to information, not just to a network or system in which information resides. The information provider should not expect the consumer to be able to track down the information in the provider’s environment unassisted.
• Trust, but verify; the trustworthiness and accountability of consumers and the integrity of information sharing instances/transactions should be assured through auditing and monitoring of all information accesses.
Responsible Information Sharing Part II: Sharing Responsibly, by Karen Mercedes Goertzel, CISSP
Security and Privacy Imperatives for Responsible Information Sharing
Responsible information sharing
requires the cooperative sharing of
authority and responsibility, and
presumes an information partnership in
which there is reasonable assurance
that, in the course of sharing
information, the partners will not
interfere with one another’s ability to
accomplish their mission. For
responsible information sharing to be
possible, all partners need to—
f Support single-authorization-per-
user access privileges across all
partner organizations’ information
sources;
f Extend the reach of enforcement of
information access control policy
across traditional domain,
organization, network, and system
boundaries;
f Assure the ability to trust
information sharing by ensuring
that the right information provider
supply the right information to the
right consumer at the right time;
f Define a set of enterprise
architecture profiles that will
enable all information sharing
partners to develop and deploy
consistent interoperable
information sharing capabilities,
including information protection
and information assurance
capabilities, across all
organizations and at all levels of
information; and
f Ensure a common understanding
and respect by all information
sharing partners of the imperatives
for appropriate protection of the
confidentiality, integrity, and
privacy of shared information at its
source, its destination, and in
transit between the two. [3]
Security Challenges in Responsible Information Sharing
Representative Mike Rogers
(R-Michigan) made the following
observation about our current
information environment: “When you
look at information sharing, I think we
have almost overdone it. We have gotten
into an era of need-to-share versus
need-to-know. Need-to-know is an
important provision when you are trying
to do some operation to keep us safer.
But need-to-share got us in trouble with
WikiLeaks and with other leaks.” [4]
A wide range of security challenges
needs to be addressed for responsible
information sharing to be possible.
These include operational, architectural,
cultural, and technical challenges, as
well as challenges emerging from the
information sharing model employed,
and challenges related to the standards
and policies governing the information
sharing activity. [5] Table 1 lists several
information sharing challenges and
some of the solutions that have emerged
in response.
Responsible Cross-Domain Information Sharing
Despite the fact that most information
systems need to store and process
information of multiple hierarchical
classification levels, most information
systems in the defense, intelligence,
diplomatic, and other communities
operate in “system high mode.” This is
due to a perception that it is less
expensive and less difficult to operate in
system high mode. Such a perception is
true, however, only in organizations
that do not need to share
information beyond their own system
high environment.
The governing assumption in
system high mode of operation is that
instead of labeling, segregating, and
granting access to information based on
its true content-determined
classification level, all information in a
system high system is treated as if it
were the same classification level as the
most highly-classified information in
that system. In essence, all information
that is, in reality, not that highly
classified is automatically and
arbitrarily “upgraded” to that higher
level when it enters the system high
system, despite the fact that the true
sensitivity of that information content
has not changed at all.
The problem in system high
environments comes when the lower-
classified information needs to be
shared with someone whose clearance is
sufficient to access that information
before it entered the system high system,
but is not sufficient to access the more
highly classified information in that
system. Because the system itself usually
has a general purpose file system with
only discretionary access controls, it
cannot be trusted, and indeed does not
have the mechanisms necessary to
prevent access to or disclosure of its
higher-classified information to the
insufficiently cleared user who is
authorized only to access its lower-
classified information. The only way the
lower-classified information is allowed,
by policy, to be released to the lower-
cleared user (or, more accurately, to the
lower-classified domain in which they
reside) is for the information to undergo
a reliable human review and manual
downgrade—the information is
relabeled from its system high imposed
classification back down to its actual,
original classification, and released,
while also ensuring that no higher-
classified information is inadvertently
commingled and disclosed
(inadvertently or intentionally) along
with it.
Cross-Domain Solutions (CDSs)
have long been the most prevalent
attempt to partially, or fully, automate
that manual review and re-grading
process, not only for “high-to-low”
information flows, but in cases where
there is lack of trust of a lower-classified
information source, for “low-to-high”
flows. In the latter case, the CDS is most
often used to validate the authenticity of
the information source, and to verify
that the lower-level content does not
include malicious code (i.e., is
appropriately encrypted and digitally
signed, etc.) before upgrading and
allowing it to enter the higher-classified
domain. Because the more rigorous
approaches required for true multi-level
secure information handling are
generally too costly and difficult to
implement, CDSs are relied on to enable
information transfers that would
otherwise be precluded by mandatory
access control/information flow policies,
such as Bell-LaPadula and Clark-Wilson.
Because the rule sets they use to
verify the releasability or admissibility
of information are unavoidably limited,
CDSs have been criticized for exposing
information sharers to significant risk of
unintentional disclosure of secrets.
Additionally, while system high mode is
generally favored because it is perceived
as less expensive and less difficult to
implement than Multi-Level Security
(MLS), in reality, CDSs do not enable an
organization to avoid the need for, or
costs associated with, MLS because a
CDS is an MLS system. All a CDS does is
transfer the cost of the MLS from the
upstream (sharing) system to an
intermediate or downstream special-
purpose, review-and-release automation
system. As with any other model that
proxies security, a CDS cannot possibly
provide the same degree of security that
maintaining the original, content-
appropriate labeling and separation of
information at the upstream
information source could. CDSs can also
cost more to implement than
appropriate upstream information
labeling and handling would in current
information sharing environments.
These current environments involve
large numbers of information formats
(e.g., streaming audio, video, and other
multimedia) and dynamically changing
release and admittance policy rules that
must be accommodated, as well as
information that must be shared among
a growing multiplicity of different
domains with different authorization
and trust profiles. [6]
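As an added illustration (not code from the article or any real CDS product), the Python model below reproduces the labeling behavior this section describes: a system-high enclave relabels everything it ingests to its own label, a SECRET-cleared reader then cannot read even CONFIDENTIAL content held there, and a review-and-release step re-grades a document back to its content-determined label while refusing any document with commingled higher-classified parts. The low-to-high path checks an HMAC from a known source as a stand-in for the digital-signature verification the text mentions; the class and function names, the labels, the documents and the key are all constructed for the example.

```python
"""Toy model of classification labels, Bell-LaPadula dominance, system-high
relabeling and review-and-release. Added example, not code from the article;
every label, document and key below is a constructed sample value."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Bell-LaPadula dominance: level at least as high, compartments a superset."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.compartments >= other.compartments


@dataclass
class Document:
    name: str
    parts: Dict[str, Label]  # part name -> classification determined by its content
    current_label: Label     # label imposed by whichever system currently holds it

    def true_label(self) -> Label:
        """Content-determined label: least upper bound (highest level, union of compartments)."""
        level = max((lbl.level for lbl in self.parts.values()),
                    key=LEVELS.__getitem__, default="UNCLASSIFIED")
        return Label(level, frozenset().union(*(lbl.compartments for lbl in self.parts.values())))


class ReleaseRefused(Exception):
    """Raised when a review or admission check blocks a cross-domain flow."""


class SystemHigh:
    """A system-high enclave: everything inside carries the system's label."""

    def __init__(self, label: Label) -> None:
        self.label = label

    def ingest(self, doc: Document) -> Document:
        if not self.label.dominates(doc.true_label()):
            raise ValueError(f"{doc.name} exceeds the system-high label {self.label}")
        # The arbitrary "upgrade" the text describes: content unchanged, label replaced.
        return Document(doc.name, doc.parts, self.label)

    def admit_low_to_high(self, doc: Document, payload: bytes, source: str,
                          signature: bytes, keys: Dict[str, bytes]) -> Document:
        """Low-to-high flow: upgrade only after the source's HMAC over the payload
        verifies (a stand-in for the digital-signature check the text mentions)."""
        key = keys.get(source)
        if key is None:
            raise ReleaseRefused(f"unknown source {source!r}")
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ReleaseRefused(f"{doc.name}: signature from {source!r} does not verify")
        return self.ingest(doc)


def review_and_release(doc: Document, target: Label) -> Document:
    """High-to-low flow: re-grade back to the true label, refusing when any part
    is higher than the target domain may receive (commingled content)."""
    offending = [name for name, lbl in doc.parts.items() if not target.dominates(lbl)]
    if offending:
        raise ReleaseRefused(f"{doc.name}: not releasable to {target}: {offending}")
    return Document(doc.name, doc.parts, doc.true_label())


def refused(action: Callable[[], object]) -> bool:
    try:
        action()
        return False
    except ReleaseRefused:
        return True


# Constructed scenario: a TOP SECRET/SI system-high enclave and a SECRET-cleared reader.
TS_SI = Label("TOP SECRET", frozenset({"SI"}))
SYSTEM = SystemHigh(TS_SI)
ANALYST = Label("SECRET")
WEATHER = Document("weather-report", {"body": Label("CONFIDENTIAL")}, Label("CONFIDENTIAL"))
MIXED = Document("ops-summary", {"body": Label("CONFIDENTIAL"), "annex": TS_SI}, Label("CONFIDENTIAL"))
SOURCE_KEYS = {"field-sensor-7": b"constructed-demo-key"}  # constructed, not a real key
PAYLOAD = b"temp=21C"


def demo() -> dict:
    """Run the flows described in the text and return each outcome."""
    stored = SYSTEM.ingest(WEATHER)
    released = review_and_release(stored, ANALYST)
    good_sig = hmac.new(SOURCE_KEYS["field-sensor-7"], PAYLOAD, hashlib.sha256).digest()
    admitted = SYSTEM.admit_low_to_high(WEATHER, PAYLOAD, "field-sensor-7", good_sig, SOURCE_KEYS)
    return {
        "stored_label": stored.current_label,                                 # TS_SI
        "readable_in_system_high": ANALYST.dominates(stored.current_label),   # False
        "released_label": released.current_label,                             # CONFIDENTIAL
        "readable_after_release": ANALYST.dominates(released.current_label),  # True
        "mixed_refused": refused(lambda: review_and_release(SYSTEM.ingest(MIXED), ANALYST)),
        "admitted_label": admitted.current_label,                             # TS_SI
        "forged_refused": refused(lambda: SYSTEM.admit_low_to_high(
            WEATHER, PAYLOAD, "field-sensor-7", b"\x00" * 32, SOURCE_KEYS)),  # True
    }
```

The "mixed_refused" case is the commingling risk the text warns about: the CONFIDENTIAL body alone is releasable, but the document is not, because the reviewer's rule set must consider every part.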
Insider Threats to Responsible Information Sharing
The following paragraphs detail
examples of three very different
compromises that resulted from insider
threats in the context of information
sharing. Each example emphasizes how
wide and complex the insider threat
challenge is, and why it is so difficult to
fully address. These compromises must
be addressed by the various government
and public-private sector information
sharing security and privacy initiatives
to have responsible information sharing
truly become a reality.
Insider Threat 1 – The Human Error Threat—Southern California
Medical-Legal Consultants posted
records containing insurance forms,
physician notes, and social security
numbers of 30,000 medical patients who
had applied for workers’ compensation
on a Web site that the President of the
consulting firm believed only employees
could access. A researcher employed by
Identity Finder (a data loss prevention
[DLP] vendor) easily discovered the
personal medical records using Google.
The search engine found the
information because Southern
California Medical-Legal Consultants [7]
had neither implemented password
protection for the site, nor instructed
search engines not to index the Web
pages containing the electronic records.
Insider Threat 2 – The Social Engineering Threat—Even if insider
threat detection/anomaly detection
software had been installed on
Department of Justice and Defense
Intelligence Agency (DIA) systems at the
time, Intelligence Analyst Ana Belen
Montes’ activities defied electronic
means of anomalous usage and other
insider threat detection mechanisms
because she violated no computer
security policies or classification
restrictions. [8] Montes’ excessive file
downloading activity over nearly two
decades from the 1980s to 2000/2001
(when she was finally arrested) should
have triggered alerts, except that she had
used clever social engineering over
many months (even years) to get her
managers and co-workers accustomed
to her being a “hyperproductive
workaholic,” making the time she spent
working in the office outside normal
working hours look like normal
behavior. Because her behavior, which
would have been flagged as abnormal
for any other employee, was accepted as
normal for her, she was able to
download hundreds of documents from
the DIA’s CIRS, which stored
information provided by the Central
Intelligence Agency, the Department of
State (DoS) Bureau of Intelligence and
Research, the National Security Agency,
the Federal Bureau of Investigation, and
other DIA information sharing partners.
Ideologically driven, Montes supplied
the misappropriated data, first to the
government of Nicaragua, and later to
the Cuban Intelligence Service, via an
encrypted transmission from her own
personal shortwave radio transmitter at
home. Montes did not exceed her
clearance in accessing the information,
and deficiencies in DIA’s restriction of
access to information compartments
(criticized after the investigation of
Montes’ activities) had left her need-to-
know violations undetected.
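The detection gap described above can be shown on a constructed audit log (added example, not from the article; user names and weekly counts are sample values). A per-user baseline compares each week against that user's own history, so a user whose volume has always been ten times the norm never deviates from it; comparing each user's average against the peer group catches that case, while the per-user check is what catches a sudden spike.

```python
"""Per-user versus peer-group baselining over a constructed download audit log.
Added example, not code from the article: user names and counts are sample values."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed audit log entries: (week, user, documents downloaded that week).
AUDIT_LOG: List[Tuple[int, str, int]] = (
    [(w, "alice", n) for w, n in enumerate([12, 15, 11, 14, 13, 16, 12, 14], 1)]
    + [(w, "bob", n) for w, n in enumerate([9, 11, 10, 8, 12, 10, 9, 11], 1)]
    + [(w, "carol", n) for w, n in enumerate([14, 12, 13, 15, 11, 14, 13, 12], 1)]
    # "dave" is the hyperproductive case: roughly ten times the peer volume, every week
    + [(w, "dave", n) for w, n in enumerate([120, 135, 128, 140, 131, 138, 126, 133], 1)]
    # "erin" is the conventional case: a normal history, then a sudden spike
    + [(w, "erin", n) for w, n in enumerate([10, 11, 9, 12, 10, 11, 10, 58], 1)]
)


def weekly_counts(log: List[Tuple[int, str, int]]) -> Dict[str, List[int]]:
    """Group the log into a per-user list of weekly counts, oldest week first."""
    counts: Dict[str, List[int]] = defaultdict(list)
    for _, user, n in sorted(log):
        counts[user].append(n)
    return dict(counts)


def per_user_zscore(history: List[int], latest: int) -> float:
    """Distance of the latest week from the user's own past (per-user baseline)."""
    sd = pstdev(history) or 1.0  # avoid division by zero for a perfectly flat history
    return (latest - mean(history)) / sd


def peer_group_zscore(counts: Dict[str, List[int]], user: str) -> float:
    """Distance of the user's average from the average of everyone else."""
    own = mean(counts[user])
    peers = [mean(v) for u, v in counts.items() if u != user]
    sd = pstdev(peers) or 1.0
    return (own - mean(peers)) / sd


def flag(counts: Dict[str, List[int]], user: str, threshold: float = 3.0) -> Dict[str, bool]:
    """Apply both checks; an analyst would alert when either one fires."""
    history, latest = counts[user][:-1], counts[user][-1]
    return {
        "per_user": abs(per_user_zscore(history, latest)) > threshold,
        "peer_group": abs(peer_group_zscore(counts, user)) > threshold,
    }


def flagged_users(log: List[Tuple[int, str, int]] = AUDIT_LOG) -> Dict[str, Dict[str, bool]]:
    """Run both checks for every user in the log."""
    counts = weekly_counts(log)
    return {user: flag(counts, user) for user in sorted(counts)}
```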
Insider Threat 3 – The Ideology Threat—According to press reports,
WikiLeaks obtained more than 91,000
secret U.S. military reports and DoS
diplomatic cables (accessible on Secret
Internet Protocol Router Network
[SIPRNet]) and posted most of them,
unredacted, on its Web site in late July
2010, after it had alerted The New York
Times, The Guardian (UK), and Der
Spiegel (Germany) of the pending
disclosures. Private Bradley Manning,
U.S. Army, was arrested and indicted on
22 counts of leaking classified
documents and video footage. According
to Kshemendra Paul, Program Manager
for the Information Sharing
Environment, “[t]he unauthorized
disclosure of classified information as a
result of the WikiLeaks breach illustrates
some fundamental failures to protect
sensitive information properly.”
In his prepared opening statement
to the House Permanent Select
Committee on Intelligence Worldwide
Threat Hearing on February 10, 2011,
Committee Chairman Mike Rogers said,
“We need to make sure we learn the
right lessons from WikiLeaks.” [9]
Among the “right lessons” he
suggested were—
f The need for redoubled efforts to
promote information sharing while
protecting security through a
“smart access” identity-based
information security management
system that improves the ability to
detect and deter bad actors while at
the same time not unnecessarily
constraining or punishing
responsible actors through denial of
access to sensitive information that
they need to get their jobs done.
f The need for the intelligence
community and DoD to follow
through with their plan to
implement smart access tools, such
as auditing controls to detect the
misuse of sensitive data. These
tools could be similar in scope and
accuracy to the fraud detection
systems used by credit card
companies and banks.
According to Richard Best of the
Congressional Research Service in his
report Intelligence Information: Need-to-
Know vs. Need-to-Share [10], there are
additional lessons to be learned from
WikiLeaks—
f Communications personnel and
message handlers are in a position
to do serious damage.
f The wide spread use of computer
databases increases the number
of individuals with access, as well
as the number of documents that
are accessible.
f Once information is made available
to bloggers or journalists, there are
few legal restraints on their ability
to make it public on the Internet or
in the media.
Since WikiLeaks, the DoS ended its
practice of making diplomatic cables
available on the SIPRNet. [11, 12] As
these changes indicate, WikiLeaks is one
of the worst data breaches the public
sector has experienced. To learn more
about how data breaches are detected in
the private sector in contrast, see page 23.
Conclusion
The failure of assured information
sharing lay in its single-minded
emphasis on breaking down the barriers
to intelligence sharing that had proved
so disastrous in 2001. Unfortunately, by
increasing information access, assured
information sharing also increased the
exposure of information and the
vulnerabilities inherent in information
sharing mechanisms. At the same time,
by placing the criticality to share
information above all other concerns,
assured information sharing guaranteed
that those increased exposures were not
adequately addressed, leading to
information compromises on a grand
scale (i.e., WikiLeaks) that would have
been far less likely under the pre-2001
approach to information sharing.
Just as 9/11 so dramatically
demonstrated government failures in
information sharing, WikiLeaks
demonstrated government failures in
information protection. Additionally,
just as the numerous information
sharing mandates and initiatives that
arose in the wake of 9/11 succeeded in
overcoming the barriers to information
sharing, the responsible information
sharing initiative following WikiLeaks
hopes to overcome the understatement
of risks that come with increased
information sharing. The security
challenges are certainly many, but they
are not insurmountable. What
responsible information sharing seeks to
do is impose enough constraints
through information sharing policies
and the mechanisms that enforce them
to protect shared information against
inappropriate disclosure, tampering,
and misappropriation, while not unduly
hampering its flow to and access by
demonstrably trustworthy information
consumers.
About the Author
Karen Mercedes Goertzel is a Certified Information Systems Security Professional and leads Booz Allen’s Information Security Research and Technology Intelligence Service. An expert in software assurance, information and communications technology (ICT) supply chain risk management, assured information sharing, and the insider threat to information systems, she has performed in-depth research and analysis for customers in the DoD, the intelligence community, civilian agencies, North Atlantic Treaty Organization, and defense establishments in the U.K., Australia, and Canada. She was the lead author/editor of Information Assurance Technology Analysis Center’s (IATAC) State-of-the-Art Reports on Security Risk Management for the Off-the-Shelf ICT Supply Chain, The Insider Threat to Information Systems, and Software Security Assurance as well as a number of other IATAC information products and peer-reviewed journal articles and conference papers on these and other information assurance/cybersecurity topics. She can be contacted at [email protected].
References
1. http://www.hsgac.senate.gov/hearings/information-
sharing-in-the-era-of-wikileaks-balancing-security-
and-collaboration
2. This concept is discussed at length in Van den
Heuvel, Gijs, Netherlands Defence Academy, “Share
to Win: Unraveling Information Sharing in Dynamic
Coalitions.” In Proceedings of the 18th European
Conference on Information Systems (ECIS 2010),
Pretoria, South Africa, 7–9 June 2010.
3. http://www.hsdl.org/?view&did=456645
4. Rogers, Mike, (R-Michigan), Chairman of the House
Permanent Select Committee on Intelligence, in an
interview with WTOP News, 19 January 2011.
5. European Network and Information Security Agency
(ENISA), Incentives and Challenges for Information
Sharing in the Context of Network and Information
Security, September 2010.
6. Chandersekaran, Coimbatore, William R.
Simpson, and Andrew Trice, “Cross-Domain
Solutions in an Era of Information Sharing.” In
Proceedings of the 5th International Conference on
Cybernetics and Information Technologies, Systems
and Applications, Orlando, FL, 29 June–2 July 2008.
7. Robertson, Jordan, “New data spill shows risk
of online health records.” Reported by Forbes/
Associated Press, 21 August 2011.
8. McCoy, Stephen A., Affidavit in Support of Criminal
Complaint, Arrest Warrant, and Search Warrants
(September 2001).
9. http://intelligence.house.gov/sites/intelligence.
house.gov/files/documents/021011RogersOpeningS
tatementWWTHearing.pdf
10. https://opencrs.com/document/R40602/
11. Elsea, Jennifer K., Congressional Research
Service, Criminal Prohibitions on the Publication of
Classified Defense Information (CRS Report R41404,
18 October 2010).
12. Op. cit. 2011 Information Sharing Environment
Annual Report to Congress (30 June 2011), in the
Foreword.
13. http://www.secretservice.gov/Verizon_Data_
Breach_2011.pdf
Table 1 Information sharing challenges and solutions

Columns: Security Challenge | Examples of Current Mitigations | Examples of Emerging Solutions

Data Protection Issues

Challenge: Incorrect data label, metadata tag, or marking, usually caused by—
f Incorrect classification or caveating of the data itself
f Conflict between original data label and current classification/Failure to change or remove label when downgrading and releasing from “system high”
Current mitigations: “Removing Information Sharing Barriers Created by Improper Classification” (Focus Area 5 of the DoD Information Sharing Plan); DoD and Intelligence Community Directives and Manuals on information classification and control markings
Emerging solutions: Defense Research and Development Canada Security Classification using Automated Learning research into automated data classification

Challenge: Inability to read or understand data label, metadata tag, or marking, usually caused by—
f Lack of common cross-application standard for structuring and/or applying labels to data (especially data shared outside a single community)
f Inability of applications to parse data labels
Current mitigations: DoD Discovery Metadata Specification; DoD 8320.02-G “Guidance for Implementing Net-Centric Data Strategy” (12 April 2006) Chapter 4, C4.5; Intelligence Community and Information Security Marking; Common Information Sharing Standard for Information Security Marking; FIPS PUB 188, IETF RFC 1457 (early labeling standards)

Challenge: Data label/metadata binding that cannot be reversed by unauthorized parties
Current mitigations: Cryptographic binding of metadata; Commercial labeling tools (e.g., InfoAssure Need2Know, Architecture Technology Corp. MetaSAFE and Security Labeling Assurance and Pedigree)
Emerging solutions: Transglobal Secure Collaboration Program Information Labeling and Handling

Challenge: Failure of information sharing mechanisms to enforce sharing restrictions indicated by labels, or use of products whose labels are understood by only one application or application suite (e.g., janusNET classification labeling for Microsoft Office)
Current mitigations: DLP tools configured to filter based on data labels; Label-based access or transmission restrictions enforced by XACML Policy Decision/Enforcement Points, CDSs, etc.
Emerging solutions: Karlsruhe Institute of Technology and Technical University of Munich Distributed Data Usage Control

Challenge: Persistent protection of security and privacy of information after it leaves its owner’s control
Current mitigations: Digital rights management (DRM)/DRM 2.0; Information Rights Management and Enterprise Content Management (e.g., WatchDox, EMC2 Documentum, Seclore Infosource and Filesecure); Digital signature, digital watermarking, cryptographic hashing, encryption, and obfuscation
Emerging solutions: Jericho Forum Enterprise Information Protection and Control; IBM Research Trusted Virtual Domains; JISC Self Protecting Information for Deperimeterised Electronic Relationships; Cardiff University Self-Protecting Data for Deperimeterised Information Sharing

Leaks and Spills

Challenge: Inability to detect or prevent data leaks/spills
Current mitigations: Policies and procedures for data leak/spill response; DLP tools [1] [2] [3]; Exfiltration and extrusion detection systems [4]; DRM and encryption at the data object level to prevent access after leak/spill
Emerging solutions: Digital forensics to trace/find and sometimes remove leaked data from unauthorized platforms within a network

Challenge: Detection of/response to insider data exfiltration, theft, tampering, deletion, destruction, relabeling, label removal, etc., that are inappropriate but not unauthorized [5] [6] [7]
Current mitigations: Anomaly-based detection of inappropriate data handling (as in DoD Host-Based Security System); H.R. 754, FY2011 Intelligence Authorization Act Section 402 mandates Intelligence Community automated insider threat detection program
Emerging solutions: University of Arkansas-Fayetteville Detection of Insider Threats at Application Levels

Challenge: Methods for detecting and removing spyware, keyloggers, other exfiltrating malware, and tracing data leaks to malware
Current mitigations: Anti-spyware, keylogger detectors

Challenge: Using steganography for undetectable exfiltration
Current mitigations: Steganalysis

Architectural Issues

Challenge: Boundary/perimeter protections (firewalls, intrusion prevention, DLP, CDS, etc.) impede information sharing by preventing transfer beyond network/enclave/domain boundary
Emerging solutions: NATO Research and Technology Organization Domain-Based Approach for Coalition-Wide Information Exchange; MITRE Corp. Security Guards for the Future Web

Challenge: Memory leaks, covert channels, side channel leaks, data remanence, persistent temp files and caches, recoverable “trash,” etc., in systems used for information protection/sharing
Current mitigations: Memory leak detection, covert channel analysis, side channel analysis attack mitigations; Object reuse, secure “trash” deletion; Frequent purging of temp files, caches, etc.

Challenge: Hidden data and metadata in shared or published documents, Web page HTML or XML code, etc.
Current mitigations: Sanitizing documents, data, Web code before release/publication [8]

Challenge: Limitations of public key infrastructure for supporting large-scale, multi-domain information sharing
Emerging solutions: TecSec—Constructive Key Management

Challenge: Intellectual property protection against unauthorized/inappropriate handling (e.g., reverse engineering, theft, piracy, plagiarism, forgery, counterfeiting, exfiltration, sale, publication)
Current mitigations: Digital watermarking; DRM; Obfuscation (deters reverse engineering)

Information Sharing Paradigm Issues

Challenge: Information sharing security challenges of Web 2.0/social media
Current mitigations: Acceptable Use Policies for social media by DoD/IC personnel (e.g., DTM 09-026)
Emerging solutions: Naval Postgraduate School (NPS) TWiki

Challenge: Control and attribution of information discovery and sharing actions by autonomous software entities (e.g., Web services, software agents)
Current mitigations: Web Services Security standards (XACML, SAML, WS-Trust, etc.)
Emerging solutions: Galois Multi-level Web Services Components; Naval Research Lab MLS-SOA

Trust Establishment Issues

Challenge: Establishing meaningful basis for trust among information sharing partners
Current mitigations: “Federally compliant strong identity and access control” (DoD Information Sharing Strategy); “Extending Identity and Access Management” (DoD Information Sharing Plan Focus Area 8); Federal Identity, Credential and Access Management
Emerging solutions: NPS Transient Trust Architecture

Challenge: Detecting and authenticating data pedigree and provenance without disclosing “sources and methods”
Current mitigations: RAE Software—Pedigree Management and Assessment Framework
Emerging solutions: University of Virginia Data Pedigree

Challenge: Context-aware metrics for information quality and authority of data sources
Current mitigations: Semantic Web and Web 2.0 trust/reputation inference models and algorithms (e.g., EigenTrust) and semantic ranking mechanisms (e.g., Google PageRank) rank data by popularity or frequency of repetition (e.g., number of Web page “hits” or RSS feeds) with no guarantee of data quality [9]; Informal reader ratings (e.g., 1-5 stars) as crude, subjective “rankings” with no consideration of contextual factors, such as raters’ expertise or purpose in accessing the data (e.g., entertainment versus serious use)
Emerging solutions: University of California at Davis T-Net; Corp. for National Research Initiatives Digital Object Architecture

End User Issues

Challenge: Failure of users to recognize phishing, spear phishing, and other social engineering and identity theft attempts to obtain their private information, or sensitive information in their custody
Current mitigations: Defense Information Systems Agency anti-phishing training
Emerging solutions: Drexel University PhishZoo; Virginia Tech Enhanced phishing detection

The Threat Landscape

Challenge: “Information black market” (a.k.a. shadow or underground information economy) of criminals, hackers, terrorists, etc., buying and selling data captured through extrusions, spyware/spybots, phishing, identity theft, insider exfiltration. Data “products” include—
f Details of software, system, and network vulnerabilities
f Details of financial system operations
f Personally identifying information
f Techniques for circumventing security controls and anti-fraud mechanisms
f Stolen credentials and cryptokeys
f Pirated software, music, videos, games
Current mitigations: Deterrence via privacy, computer crime, cybercrime, and anti-identity theft laws, arrests, prosecutions, convictions
Emerging solutions: High-value data protected against insider and outsider exfiltration and theft
References for Table 1
1. Gerber, Cheryl, “Plugs for Data Leaks.” In Military
Information Technology, Volume 12 Issue 1,
January/February
2. Thuermer, Karen E., “Stop that Leak.” In Military
Information Technology, Volume 15 Issue 2, March
2011.
3. Selby, Nick, and Aaron Turner, “Using Technology
to Combat Data Loss—What It Can Do, What It
Can’t.” In IAnewsletter, Volume 12 No. 2, Summer
2009, pages 18-21.
4. Gabrielson, Bruce, Karen Mercedes Goertzel, et
al., The Insider Threat to Information Systems [U//
FOUO] (IATAC, 2008)—Section 4.4.1.1, “Prevention
of Data Exfiltration, Extrusion, and Leakage” (state-
of-the-art) and 4.4.2.1, “Extrusion, Exfiltration, and
Leakage Prevention” (research)
5. Op. cit., Gabrielson, et al., Section 2.3.2.1,
“Undetected Data Exfiltration—The Number One
Insider Threat?”
6. McCormick, Michael, “Data Theft—A Prototypical
Insider Threat.” In Salvatore J. Stolfo, et al., editors,
Insider Attack and Cyber Security—Beyond the
Hacker (Springer, 2008).
7. An excellent example of very hard to detect
inappropriate activities is the case of Ana
Belen Montes, a DIA analyst who never attempted
to exceed her authorized privileges. She did,
however, use social engineering techniques
to get DIA management used to her excessive
productivity—they came to believe that she
accessed, downloaded, and printed vastly greater
quantities of data than her coworkers because
she produced about 10 times as many information
products than they did—and moreover, that such
hyperproductivity was normal for her. She was, in
fact, an agent of the Communist governments in
Nicaragua and Cuba, and was accessing much of
that data for later transmission to her handlers;
however, because she had so successfully social-
engineered her managers, her activities continued
without suspicion for 15 years.
8. Manuals and Guides are available to assist (e.g.,
NSA—Redacting with Confidence).
9. “Information is now more than ever subject to
amplification, modification, and distortion as the
number of possible sources takes off.” In Nel,
François, Marie-Jeanne Lesot, Philippe Capet,
and Thomas Delavallade, “Rumour Detection in
Information Warfare—Understanding Publishing
Behaviours as a Prerequisite” (RTO-MP-IST-091).
Presented at NATO IST-091 Symposium on
Information Assurance and Cyber Defence, Tallinn,
Estonia, 22 November 2010.
How Data Breaches are Detected in the Private Sector
According to the 2011 Verizon/U.S. Secret Service Data Breach Investigations Report [13]—
f Three sectors experienced the vast majority of reported data breach incidents in 2010: Hospitality (40% of all breaches), Retail (25% of all breaches), and Financial Services (22% of all breaches). The next highest number, which was reported in the government sector, represented only 4% of all reported breaches. These proportions remained much the same as in previous years; however, there was nearly a 600% increase in the total number of breaches across the board between 2009 and 2010.
f The most frequent threat mechanisms in 2010 data breaches were hacking and malware, followed by physical compromises, social media, and insider misuse. The numbers of breaches resulting from errors (e.g., unintentional leaks, incorrect security configuration settings) and environmental factors (e.g., acts of God, power failures, electrical interference) were statistically insignificant. The most frequent targets were servers (malware, hacking, misuse), user devices (malware, hacking, physical breaches—mainly tampering with some surveillance), and offline data (misuse). Social engineering, by definition, exclusively targeted people. In 81% of breaches involving malware, the installation mechanism was a remote attacker’s direct installation or injection of the malware on the target, and the most prevalent malware types were data exfiltration Trojans, backdoors, keyloggers, form-grabbers, and spyware that tampered with system security controls, general system/network utilities, and RAM scrapers. The 2011 Report’s findings were consistent with reports from 2009 and earlier, where hacking and malware had been the leading threat mechanisms, demonstrating that the 2010 Data Breach Report’s finding that misuse was the number one threat mechanism in 2009 was an anomaly. Of the misuse incidents that were reported, the highest percentage remained embezzlement, skimming, and other financial fraud. Abuse of system/access privileges and the use of unapproved hardware/devices were the next most prevalent. All other abuses trailed far behind these in frequency.
f Most compromises, in terms of both incidents and records exposed, continued to be caused exclusively by outsider threats, while the numbers of records exposed by insiders, business partners, or insider/outsider collusion continued to drop. Organized crime groups were the number one source of externally originated breaches (58%, with 65% of those located in Eastern Europe, including Russia and Turkey; 19% in North America; 12% of unknown location; and the rest distributed across other continents and regions), followed by unaffiliated persons (40%), and unknown sources (14%).
f The most frequently compromised data were numbers and other data associated with payment cards (78% of incidents, 96% of records leaked), followed by authentication credentials (45% of incidents, 3% of records), and personal information (15% of incidents, 1% of records). Other types of data that were targeted included organizational proprietary data, bank account information, intellectual property, system information, classified information (3% of all reported incidents with a percentage of total records leaked unknown), medical records, and unknown information types (the last two were statistically insignificant).
f The trends in breach discovery methods shifted significantly. From 2005 (first data breach report) to 2009, the percentage of breaches detected by external third-party mechanisms (third-party fraud detection/Common Point of Purchase analyses; law enforcement, customer, or business partner notifications; third-party event monitoring/alert services; third-party financial audits; third-party security audits/scans; external reports of threat activity; and happenstance discovery by third-party media or third-party press-release reports) had steadily dropped; however, in 2010, it increased by 25% to 86% of all incident reports. Internal detections had previously been mainly “passive” (coincidental or happenstance; e.g., the result of employees witnessing and reporting incidents or overhearing bragging/blackmail by perpetrators, or discovery when investigating unusual system behavior or performance issues), rather than through intentional internal data loss prevention and intrusion detection system detection, internal security audits/scans, or discovery through log/audit trail monitoring and analysis. In 2010, however, the proportion of coincidental to “active” (intentional, focused) discoveries was almost 1:1.
IATAC Spotlight on a University

United States Service Academies
by Angela Orebaugh
The United States Service academies are federal undergraduate academies that offer education and training in a military environment. Admission is very competitive for the service academies, which offer full 4-year scholarships that include tuition, books, board, medical, and dental care in return for a minimum 5-year service obligation. Graduates receive a B.S. and are commissioned as Officers in their respective service branch. [1]

There are five U.S. Service academies:
• The United States Military Academy (USMA)—Founded in 1802 in West Point, NY, the USMA offers 45 academic majors across 13 departments. The Department of Electrical Engineering and Computer Science offers majors in Electrical Engineering, Computer Science, and Information Technology with elective courses in Cybersecurity. [2] The Cyber Research Center, formerly known as the Information Technology and Operations Center, in the Department of Electrical Engineering and Computer Science offers research, education, and outreach in information assurance (IA), computer, and network security. [3] The center also helps prepare teams for the National Security Agency’s (NSA) annual Cyber Defense Competition (CDX) between service academies like the USMA, which is a designated NSA Center of Academic Excellence in Information Assurance (CAE/IA). Courses include topics such as forensics, cryptography, and cyberwarfare. The USMA also offers the Special Interest Group in Security, Audit, and Control to provide students a forum for learning about IA, information warfare, and computer security.
• The United States Naval Academy (USNA)—Founded in 1845 in Annapolis, MD, the USNA offers 22 academic majors across five divisions. The Division of Mathematics and Science offers majors in Computer Science and Information Technology with courses in computer and network security and IA. [4] It is a designated NSA CAE/IA. The USNA also recently established the Center for Cyber Security Studies and mandated a cyber course for all students.
• The United States Coast Guard Academy (USCGA)—Founded in 1876 and now located in New London, CT, the USCGA offers eight academic majors across five departments. Majors include Civil Engineering, Mechanical Engineering, Electrical Engineering, Naval Architecture and Marine Engineering, Operations Research and Computer Analysis, Marine and Environmental Sciences, Government, and Management. [5] The USCGA is the only institution of higher education in the Department of Homeland Security, and offers focused courses, research, and information dissemination regarding strategic intelligence and homeland security. [6]
• The United States Merchant Marine Academy (USMMA)—Founded in 1943 in Kings Point, NY, the USMMA offers six academic majors across six departments. Majors include Marine Transportation, Maritime Operations and Technology, Logistics and Intermodal Transportation, Marine Engineering, Marine Engineering Systems, and Marine Engineering and Shipyard Management. [7]
• The United States Air Force Academy (USAFA)—Founded in 1954 in Colorado Springs, CO, the USAFA offers 32 academic majors across four divisions. The Basic Sciences Division offers a Computer Science major with courses in cryptography, computer security and information warfare, and network security. [8] It is a designated NSA CAE/IA. The Computer Science Department is also home to the Academy Center for Cyberspace Research (ACCR), which conducts research in cyberwarfare, IA, unmanned aerial systems, and cyberspace education. [9] The ACCR assists with IA curriculum development and provides student research opportunities such as cyber competitions (e.g., CANVAS and the CDX). It also includes the Cyberwarfare Club, which provides a sandbox network where students can practice network attack, exploitation, and defense techniques.
References
1. http://www.todaysmilitary.com/before-serving-in-the-military/service-academies-and-military-colleges
2. http://www.eecs.usma.edu/outreach/
3. http://www.itoc.usma.edu/
4. http://www.usna.edu/CS/
5. http://www.cga.edu/academics2.aspx?id=129
6. http://www.cga.edu/academics2.aspx?id=299
7. http://www.usmma.edu/academics/curriculum/default.shtml
8. http://www.usafa.edu/df/dfcs/
9. http://www.usafa.edu/df/dfe/dfer/centers/accr/
Letter to the Editor

Q: What is the general purpose of an “Acquisition Information Assurance Strategy?”

A: The Assistant Secretary of Defense for Networks and Information Integration/Department of Defense (DoD) Information Officer released DoD Instruction (DoDI) 8580.1, “Information Assurance (IA) in the Defense Acquisition System,” in July 2004. This instruction emphasizes the importance of fully integrating IA across DoD acquisitions related to information technology (IT) systems and weapons systems interfacing with the Global Information Grid. [1]

DoDI 8580.1 states: “all acquisitions of mission critical or mission essential IT systems…shall have an adequate and appropriate Acquisition IA Strategy that shall be reviewed prior to all acquisition milestone decisions, program decision reviews, and acquisition contract awards.” [2] Overall, the primary purpose of an Acquisition IA Strategy is to enable the DoD to continue to strengthen IA as it acquires the services and capabilities that allow its IT and weapons systems to advance.

By requiring organizations to develop suitable Acquisition IA Strategies, and by reviewing the strategies frequently and at pivotal decision points, this requirement provides a procedural mechanism by which the DoD can assess its IA weaknesses at a high level. Perhaps more importantly, as a result of this requirement the DoD is able to maintain a strong, more centralized focus on IA while developing new capabilities.

References
1. http://www.dtic.mil/whs/directives/corres/pdf/858001p.pdf
2. Ibid.
Searching For the Best—U.S. Cyber Challenge
by Rudy Pamintuan

In 2009, Karen Evans, former Administrator of E-Government and Information Technology at the White House, began research to co-author the publication “A Human Capital Crisis in Cybersecurity” in conjunction with the Center for Strategic and International Studies (CSIS). The detailed report reflects the country’s vulnerabilities in meeting emerging threats. Shortages of qualified personnel extend from the federal government to the U.S. defense industrial base, federal information systems contractors, utilities, telecommunications companies, and most other segments of the critical national infrastructure.

Jim Gosler, the founding Director of the Central Intelligence Agency’s (CIA) Clandestine Information Technology Office, summed it up best in “Cyberwarrior Shortage Threatens U.S. Security,” where he stated, “There are about 1,000 security people in the U.S. who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000.” [1]

Ms. Evans’s research led to the initial launch of the U.S. Cyber Challenge by the CSIS. [2] The U.S. Cyber Challenge transitioned to the Center for Internet Security and was developed as a public-private partnership to recruit the next generation of cybersecurity professionals. This partnership has since moved to the National Board of Information Security Examiners (NBISE), where it presently maintains its mission.

The U.S. Cyber Challenge is a national talent search and skills development program. The program’s objective is to find 10,000 Americans, principally young Americans, with the interests and skills to fill the ranks of cybersecurity practitioners, researchers, and warriors. The program nurtures and develops their skills, enables them to gain access to advanced education and exercises, and, where appropriate, enables them to be recognized by academia, industry, and governments, where their skills can be of the greatest value to the nation.

The U.S. Cyber Challenge provides a range of opportunities to identify and nurture talented young Americans by casting a wide net to enable them to demonstrate their skills, and then making them aware of other opportunities, helping develop their skills, and improving their knowledge in making our nation’s cyber environment safe. Through the U.S. Cyber Challenge’s efforts, America’s best are identified and connected with employers.

Recently, the U.S. Cyber Challenge completed its Spring 2012 Cyber Quest Competition, in which over 1,000 young adults and college students participated. Participants learned of the competition through NBISE’s use of social media and aggressive online activities. The competition featured a series of quiz questions based on the analysis of a packet capture file, which participants analyzed on their own machines, searching for signs of an attack and assessing other activity. Participants had 24 hours from the time they began the quiz to complete the task. Winners were determined based on the highest scores in the shortest amount of time.

“We encouraged students from across the country to register for the Cyber Quest competition and take the challenge to vie for an invitation to one of the Cyber Camps. The response has been overwhelming, and it’s an exciting time for students to participate—especially with the explosive growth in the cybersecurity industry,” said Karen Evans, National Director of the U.S. Cyber Challenge. “The tremendous knowledge sharing, expert training, and career opportunities presented at the camps are invaluable to helping develop our youth into the next generation cybersecurity workforce.”
Top performers of the online competition are now eligible for invitations to one of four week-long Cyber Camps being offered from June through August of this year. State-specific camps are being offered in Southern California and Delaware, while regional camps will take place in Northern Virginia and California (Bay Area).

“The Cyber Quest competition and Cyber Camps are critical as our nation continually undergoes fast-paced competitive changes in technology. Our growing reliance on digital technology requires concentrated efforts, like these, to identify the best and develop the next generation of highly skilled cybersecurity professionals,” said Michael Assante, President & Chief Executive Officer of NBISE.

The camps will feature 1 week of specialized sessions by college faculty; System Administration, Networking, and Security Institute senior instructors; and cybersecurity experts, capped off by a live competition and awards ceremony on the last day. In addition to providing expert training for participants to improve their skills and marketability, the Cyber Camps will also provide students the opportunity to engage with major technology companies and government agencies at onsite job fairs for scholarship, internship, and employment opportunities. Many former competitors were offered employment within the public and private sectors shortly after attending previous Cyber Camps. For several, it was their first step to an exciting career.

“The U.S. Cyber Challenge is a program that works with academic and private sector partners to identify and develop cybersecurity talent to meet our growing needs. One part of the Cyber Challenge involves intensive summer camp experiences for the best and brightest cyber talent,” Department of Homeland Security Secretary Janet Napolitano stated recently.

The U.S. Cyber Challenge also recently completed the Cyber Foundations competition, in which more than 500 high school students participated in demonstrating their aptitude in the foundational skills of cybersecurity. The competitors who rise to the top will be invited to continue to participate in the developing U.S. Cyber Challenge community. Members of the community will have access to additional educational and employment opportunities, such as internships with government entities and/or private industry, grants, or scholarships to study advanced cybersecurity programs.

“Our country’s digital infrastructure must be defended from emerging threats. The U.S. Cyber Challenge offers a unique and exciting platform to identify the talent we need to defend our nation,” stated Hon. Mike McConnell, former Director of National Security and Partner at Booz Allen Hamilton.

With new and emerging threats affecting the United States on a daily basis, the U.S. Cyber Challenge serves as a necessary pipeline of talent to meet the growing demands of the cybersecurity industry. By identifying the best of the best, the U.S. Cyber Challenge ensures that the workforce maintains a constant flow of America’s brightest and best.
About the Author
Rudy Pamintuan is the President of Sherman Consulting and the Managing Partner of Heartland Technology Group. Mr. Pamintuan spends much of his time advising and developing national programs and policies that protect America’s digital infrastructure. He can be contacted at [email protected].
References
1. “Cyberwarrior Shortage Threatens U.S. Security,” NPR Morning Edition, 19 July 2010, http://www.npr.org/templates/story/story.php?storyId=128574055.
2. http://www.USCyberChallenge.org
USENIX Federated Conferences Week

USENIX, the Advanced Computing Systems Association, hosted its Federated Conferences Week from 12–15 June 2012 in Boston, MA. This event combined a variety of conferences and workshops into a week-long affair that allowed participants to get an intensive look at various information assurance developments and topics of interest. [1]

The event combined the following workshops: HotCloud ’12, Theory and Practice of Provenance ’12, Women in Advanced Computing Summit ’12, Annual Technical Conference ’12, Configuration Management Summit ’12, HotStorage ’12, Networked Systems for Developing Regions ’12, Cyberlaw ’12, and Web Application Development ’12. Registrants had the opportunity to attend all of the events across these workshops and customize their learning and collaboration experience.

Perhaps the most distinctive aspect of this event was its Birds-of-a-Feather sessions, which were designed to be informal gatherings where participants could either lead or attend discussions about topics of their own personal interest. These sessions maximized participants’ opportunities to collaborate with like-minded peers and colleagues. [2]

For more information about this event, please visit https://www.usenix.org/conference/atc12. For more information about USENIX, please visit https://www.usenix.org/.

References
1. https://www.usenix.org/
2. https://www.usenix.org/conference/atc12
DoD IA Symposium
28–30 August 2012 | Nashville, TN

The Department of Defense (DoD) Information Assurance (IA) Symposium will take place 28–30 August 2012 at the Gaylord Opryland Resort and Convention Center in Nashville, TN. It will bring together leaders and IA practitioners from across government, industry, and academia to network and explore ways to improve IA.

• To attend, visit www.iad.gov/events for more information.
• To participate in the IA Exposition, which will take place in conjunction with the IA Symposium, visit www.informationassuranceexpo.com/.
Order Form: FREE Products

Instructions: All IATAC LIMITED DISTRIBUTION reports are distributed through DTIC. If you are not a registered DTIC user, you must register prior to ordering any IATAC products (unless you are DoD or Government personnel). To register online: http://www.dtic.mil/dtic/registration. The IAnewsletter is UNLIMITED DISTRIBUTION and may be requested directly from IATAC.

Information requested on the form: Name, DTIC User Code, Organization, Office Symbol, Address, Phone, E-mail, Fax; affiliation (USA, USMC, USN, USAF, DoD, Industry, Academia, Government, or Other); and the Government program(s)/project(s) that the product(s) will be used to support.

LIMITED DISTRIBUTION

IA Tools Reports: Firewalls; Intrusion Detection; Vulnerability Analysis; Malware.

Critical Review and Technology Assessment (CR/TA) Reports: Biometrics (soft copy only); Configuration Management (soft copy only); Defense in Depth (soft copy only); Data Mining (soft copy only); IA Metrics (soft copy only); Network Centric Warfare (soft copy only); Wireless Wide Area Network (WWAN) Security; Exploring Biotechnology (soft copy only); Computer Forensics (soft copy only; DTIC user code MUST be supplied before this report is shipped).

State-of-the-Art Reports (SOARs): Security Risk Management for the Off-the-Shelf Information and Communications Technology Supply Chain (DTIC user code must be supplied before this report is shipped); Measuring Cybersecurity and Information Assurance; Software Security Assurance; The Insider Threat to Information Systems (DTIC user code must be supplied before this report will be shipped); IO/IA Visualization Technologies (soft copy only); Modeling & Simulation for IA (soft copy only); A Comprehensive Review of Common Needs and Capability Gaps; Malicious Code (soft copy only); Data Embedding for IA (soft copy only).

UNLIMITED DISTRIBUTION

IAnewsletter hardcopies are available to order. Softcopy back issues are available for download at http://iac.dtic.mil/iatac/IA_newsletter.html

Hardcopy issues available: Volume 12, Nos. 1–4; Volume 13, Nos. 1–4; Volume 14, Nos. 1–4; Volume 15, Nos. 1–2.

SOFTCOPY DISTRIBUTION

The following are available by e-mail distribution: IADigest; Technical Inquiries Production Report (TIPR); Research Update; IA Policy Chart Update; Cyber Events Calendar; IAnewsletter (beginning in Spring 2012).

Fax the completed form to IATAC at 703/984-0773 or order online at: http://iac.dtic.mil/iatac/form.html
Calendar

September
• Midwest Information Security Forum 2012, 10–11 September 2012, Chicago, IL, http://www.iansresearch.com/ians-events
• Biometric Consortium Conference, 18–20 September 2012, Tampa, FL, http://www.afcea.org/events/

October
• AUSA Annual Meeting & Exposition, 22–24 October 2012, Washington, DC, http://www.ausa.org/meetings/Pages/NationalMeetings.aspx
• 2012 Naval Science and Technology Partnership Conference, 22–24 October 2012, Arlington, VA, http://www.onr.navy.mil/Conference-Event-ONR/science-technology-partnership.aspx
• TechNet International 2012, 23–25 October 2012, Rome, Italy, http://www.afcea.org/europe/html/TNI12Home.htm
• AFCEA Fall Intelligence Symposium, 24–25 October 2012, Springfield, VA, http://www.afcea.org/events/
• MILCOM ’12, 29 October–1 November 2012, Orlando, FL, http://www.milcom.org/
• 20th IEEE International Conference on Network Protocols (ICNP), 30 October–2 November 2012, Austin, TX, http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=20200

November
• Southeast Information Security Forum 2012, 6–7 November 2012, Atlanta, GA, http://www.iansresearch.com/ians-events
• TechNet Asia-Pacific 2012, 13–15 November 2012, Honolulu, HI, http://www.afcea.org/events/

December
• 2012 Annual Computer Security Applications Conference, 3–7 December 2012, Orlando, FL, http://www.acsac.org/

Information Assurance Technology Analysis Center
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171

To change, add, or delete your mailing or e-mail address (soft copy receipt), please contact us at the address above or call us at 703/984-0775, fax us at 703/984-0773, or send us a message at [email protected]