Slide 1: Information Assurance Efforts at the Defense Information Systems Agency & in the DoD
Richard Hale, Information Assurance Engineering, Defense Information Systems Agency, hale1r@ncr.disa.mil
Critical Infrastructure Protection Day, March 14, 2000
Slide 2: Success in Combat Depends on Protecting Information & Information Systems
DoD Information Assurance efforts are aimed at providing assurance that war fighters and those who support them can safely rely on the information and information infrastructures required to fulfill their missions.
Slide 3: National Plan for Information Systems Protection
–Prepare and Prevent
–Detect and Respond
–Build Strong Foundations
Slide 4: DoD TCP/IP Networks
(Diagram: the Internet beside the DoD networks NIPRNET, SIPRNET and JWICS.)
Classified networks are physically and cryptographically separated from the unclassified nets.
Slide 5: Some of DISA's Missions
Designing, building, & operating DoD intranets
–The NIPRNET (an unclassified network)
–The SIPRNET (a classified intranet)
Designing and building core DoD command and control systems and software processes
–Global Command and Control System (GCCS)
–Global Combat Support System (GCSS)
–Common Operating Environment (COE)
Designing and operating the DoD's large processing facilities
Slide 6: One More DISA Mission
Designing and operating the DoD Computer Emergency Response Team (DoD CERT)
–As well as regional CERTs
–Integrated with the management of the networks and information systems
–Primary technical support to the DoD Computer Network Defense Joint Task Force
Slide 7: Prepare and Prevent
Slide 8: DoD Global Information Grid Draft Information Assurance Policy
"The DoD shall follow an enterprise-wide IA architecture that implements a defense-in-depth strategy which incorporates both technical and non-technical means…"
Slide 9: Defense-In-Depth Layered Security Strategy
Counter the full range of attacks
–Defense in multiple places
–Defenses & detection against insiders and outsiders
Multiple complementary roadblocks to certain attacks
–Increases resistance
–Allows increased use of COTS solutions
–Contains some insiders
–May buy time to detect, analyze, and react
Protect, Detect, React/Respond paradigm
–Detect is critical owing to the imperfection of protections
Quality control via Certification and Accreditation
Slide 10: Defense-in-Depth: Defend the Computing Environment (End System Security)
(Diagram: the End System layer.)
Properly configured operating systems
–DISA provides guidance documents for Microsoft and various UNIX operating systems
Properly designed and configured application software
–Common Operating Environment, Command and Control Software, Combat Support Software
Security services at the workstation
–Anti-virus software, etc.
System administrator training/certification
Host incident monitoring/intrusion detection
Physical security and clearances
Slide 11: Defense-in-Depth: Defend the Enclave Boundary
(Diagram: Enclave (Building, Base, Processing Center) surrounding the End System.)
Inventory/mapping of the enclave
–Including all paths in and out
Proper defenses on each path
–Firewalls, dial-in security
–Placement of externally visible servers (e.g., web servers)
Enclave-level incident monitoring, correlation, situation awareness
Hardening of infrastructure components
–Routers, Domain Name System, etc.
DoD policy on allowed & disallowed protocols in draft
Slide 12: Defense-in-Depth: Defend the Networks & Infrastructure
(Diagram: DoD Networks, Internet, Enclave, End System.)
Encrypted circuits for classified nets
Hardened infrastructure
–Routers, switches, Domain Name System (DNS) servers
–Including intra-component signaling
Infrastructure security services
–Public Key Infrastructure, Directories
Firewalls for network control centers
Incident monitoring, correlation, response
–Joint Task Force-Computer Network Defense (JTF-CND)
–Regional and Global Operations & Security Centers
Connection approval processes
NIPRNET redesign
Control of DoD connection to the Internet
–Including stopping certain protocols
Slide 13: DoD Defense-in-Depth Summary
(Diagram: Internet, DoD Networks, Enclave (Building, Base, Processing Center), End System.)
There is no magic bullet.
Slide 14: Public Key Infrastructure (PKI) in DoD
Enabling (some) trust in the digital world
Currently two pieces to the DoD PKI:
1. "Medium Assurance" or Class 3
–Essentially best commercial practice
–Based on commercial technology
–Many organizations issuing or preparing to issue certificates from this infrastructure
2. Fortezza
–Being fielded as part of Defense Message System
Slide 15: What's a Public Key Infrastructure?
All the components, processes, and procedures required to issue and manage digital certificates.
(Diagram of the parties: Certificate Authority; Registration Authority; Directory (Public Keys and Revocation Lists); Subscriber (Key Owner, e.g. Alice); Relying Party (Bob); Alice sends "$$ to Bob".)
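The issue-and-verify cycle sketched on this slide, as an added Go example that is not part of the original presentation: a toy Certificate Authority signs the tie between a subscriber name and public key, publishes a revocation list to the directory, and the relying party (Bob) checks the CA signature and the revocation list before trusting Alice's signature on a message. Ed25519 and a serial-keyed revocation set are assumptions of this example, not the DoD PKI's technology.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is the CA-signed tie between a subscriber's name and public key.
type Certificate struct {
	Serial  uint64
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}
// certBody is the exact byte string the CA signs and a relying party re-derives.
func certBody(c Certificate) []byte {
	return []byte(fmt.Sprintf("%d|%s|%x", c.Serial, c.Subject, c.PubKey))
}
// CA holds the signing key and the revocation list it publishes (set of revoked serials).
type CA struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	next    uint64
	Revoked map[uint64]bool
}
func NewCA() *CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail
	return &CA{priv: priv, Pub: pub, next: 1, Revoked: map[uint64]bool{}}
}
// Issue: after the Registration Authority vets the subscriber, the CA signs name and key.
func (ca *CA) Issue(subject string, pub ed25519.PublicKey) Certificate {
	c := Certificate{Serial: ca.next, Subject: subject, PubKey: pub}
	c.CASig = ed25519.Sign(ca.priv, certBody(c))
	ca.next++
	return c
}
// Verify is Bob's (relying party) check: CA signature on the certificate, not revoked, then Alice's signature.
func Verify(caPub ed25519.PublicKey, revoked map[uint64]bool, c Certificate, msg, sig []byte) error {
	if !ed25519.Verify(caPub, certBody(c), c.CASig) {
		return fmt.Errorf("certificate not signed by the trusted CA")
	}
	if revoked[c.Serial] {
		return fmt.Errorf("certificate %d is on the revocation list", c.Serial)
	}
	if !ed25519.Verify(c.PubKey, msg, sig) {
		return fmt.Errorf("message signature invalid")
	}
	return nil
}
```

Bob needs only the CA's public key and a fresh copy of the revocation list from the directory; he never needs Alice's key out of band, which is the point of the certificate.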
Slide 16: DoD Class 3 PKI Components
(Diagram: Root Server, Certificate Server, Directory, Registration Authority, Local Registration Authority, Users, NSA; hosted at two Defense Processing Centers.)
The system is operational and issuing identity certificates.
Initial customers:
–Defense Travel System
–Defense Security Service
–DFAS
–Army Chief of Staff
–JEDMICS
–Navy San Diego Region
–DISA
Slide 17: How Good Are the Certificates? (or, how tight is the tie between the key and the name?)
A variety of dimensions of assurance:
–Strength of cryptography at end user & at Certificate Authority
–Form and protection of private keys at end user & CA
–Processes & controls employed in operation of the PKI: user registration, certificate issuance, auditing of various things, etc.
One selects a particular level of assurance by:
–Considering overall security requirements for the information being protected
Slide 18: PKI Assurance May Get Better in COTS Without Much Action on Our Part
E.g., if smart cards become standard and interoperable, we may be able to move to hardware storage of the private key with relatively little pain.
Assurance supported by COTS:
–Now: private key protected in software
–Then: private key protected in a hardware token (e.g., smart card)
Slide 19: Detect and Respond
Slide 20: DISA Maintains Global Operational Situational Awareness...
(Diagram: Physical Attack, Component Failure, Accidental Outage, Cyber Attack.)
...to determine if an operational capability is degraded by attack, outage, or both
–Monitor current and planned military operations and contingencies
–Information warfare events
–Intelligence reports
–Weather/natural disasters
–Scheduled outages
–Facility and equipment failures
–System and application failures
–IA sensor grid
Slide 21: Global Network Operations & the DoD CERT are an Integrated Team
(Diagram: the two organizations and their shared functions.)
GNOSC (Global Network Operations & Security Center)
–Systems Management
–Global Management of the DII
–Global Situational Awareness
–Event Correlation
–Intrusion Detection
DOD CERT (Computer Emergency Response Team)
–Strategic Intrusion Analysis
–Incident Handling and Response
–Information Assurance Vulnerability Alerts (IAVA)
–Sensor Grid
–Reporting
–Analysis
Together: Defense and Protection of the Global Information Grid, supporting the Joint Task Force - Computer Network Defense
Slide 22: Getting the Word Out: Information Assurance Vulnerability Alert (IAVA)
DOD CERT response to critical vulnerabilities:
–Alert (IAVA)
–Bulletin (IAVB)
–Technical Advisory
(Diagram of the compliance flow: IAVA DB → Acknowledge Receipt → Apply Fixes → Acknowledge Compliance → Vulnerability Compliance Tracking System.)
Global distribution to DoD System Administrators & Program Managers
Organizational accountability
http://www.cert.mil/
Slide 23: Build Strong Foundations
Slide 24: How Do We Know Security is Improving? DISA IA Metrics Program
1. What to measure?
–Objective, not subjective
–What is our current baseline, and how do we know if we've improved?
2. Analysis of the data
–"For example, is there a relationship between the number of events and the number of sensors?"
(Chart: # of Sensors plotted against # of Events.)
3. Aimed at answering questions like...
–Are we spending our money wisely?
–Where is more effort/resources required?
–Are we more or less secure than N months ago?
4. Institutionalizing the metrics process
–Collect the measurements
–Analyze the measurements
–Report the measurements and observations
–Review metrics and modify process
Slide 25: One More Thing…Training
DISA develops IA training materials and classes for the DoD
–Over 100 security classes provided annually
–c. 100,000 IA training CDs and videos sent out government-wide
http://its4dod.iiie.disa.mil