OSINT data shows a rapid increase in the size, scope, and danger of cyber operations. We see an evolution from individual scammers performing inconvenient acts (part of the cost of doing business) to terrorist groups, organized criminal organizations, and nation states using cyber operations as an effective and costly mechanism to rob billions from industry and to threaten nation states and critical infrastructure. Note: in 2004, revenues for cyber crime exceeded drug trafficking. Another indicator is the use of botnets (networks of pirated computers used for scamming, terrorism, or attack, e.g. Estonia), which have grown to millions of computers unknowingly used. One of the most infamous of these is the Storm botnet, which leases out its capabilities and now has a competitor. DHS reports that there were 37,258 attacks on government and private networks last year, compared with 4,095 in 2005. The "cool hacks" of 2007 included the Facebook and MySpace accounts of presidential candidates, car navigation systems (locate and unlock), and truck freight tracking systems (track/steal cargo). Currently, more than 120 countries are establishing an IO attack capability according to OSINT, and we have classified knowledge of more. The problem: this requires technology, deep knowledge of the threat, and tradecraft. We need to understand where this threat is evolving so we are prepared for the world five years from now. [Later charts]
Information Operations (IO) encompasses all communications from sensors to networks to effectors, which include kinetic, non-kinetic and psyops along with Computer Network Operations (CNO), the focus of this discussion. CNO includes offensive and defensive elements, IO and IA. IO includes network or device access, attack, or exploitation for intelligence and operational purposes. IA assures that our own systems are not subject to access, corruption, or forced network shutdown. Examples would encompass both the protection and exploitation of flaws and malicious implants in software systems; flaws (or malicious implants) in microelectronics; as well as spoofed biometrics, forged credentials, etc.

What we are not including is the items in the grey boxes: emissions from electronic systems; directed energy attacks on electronic systems; kinetic attacks on information systems. We are also not including purely tangential services, such as physical security of facilities; personnel security of IT facilities; theft of computer storage; or psyops (i.e. disinformation campaigns).

Grow Raytheon into the most critical emerging defense market. Integrate cyber capability into all Raytheon products and services (offensive and defensive). Brand Raytheon synonymous with information security; critical to sustained mission assurance.

Our strategic objectives with regard to the IO/IA business are:
Grow Raytheon into a critical emerging defense market: build a world-class end-to-end IO/IA capability via Raytheon Information Security Solutions (ISS) [~$0.5B sales within 5 years with 33% CAGR].
Establish IA as a discriminator/component in all RTN solutions: develop and implement a "best in class" proactive solution that provides unimpeded and secure enterprise services.
Better protect and secure Raytheon's systems and information by deploying this capability for our own internal systems.
The Raytheon Garland security team has hands-on experience with this list of products. While some of these are core security products, our experience also extends to creating secure installations of non-security products.
A fundamental element of the strategy is to build capabilities that are relevant in the future, to keep ahead of adversaries and competitors, and to stay out of the commodity security product business. The projected threat evolves to highly coordinated networks operated by nation states, terrorist organizations, organized crime, industrial espionage, and hackers. Target devices change from large organizations to targeted individuals and specific devices/applications (e.g. laptops, cell phones, VoIP, etc.); this applies to both offensive targeting and the IA side. At the bottom we see the market focus and the environment priorities of corporate/government infosec groups. Bottom right shows where solution providers and internal IS groups need to focus:
Active IO: persistent agents, agent networks and bots, anonymization, device access, reverse engineering, and social network analysis.
IO collection and exploitation: "non-traditional" devices (e.g. a new Sony PlayStation), network access/collection/redirection, covert delivery or exfiltration.
Cyber counter-intelligence: implants and reverse engineering.
Active assurance: insider threat, biometric validation, real-time identification of policy violations, situational awareness of attack or penetration.
Policy and architecture: role-based access, hardware and firmware validation, vulnerability analysis.
Advanced information security capabilities: device protection, forensics, or content filtering. [Device access and protection, particularly for personal, financial, and medical information.]
Raytheon Garland has executed security engineering tasks in all phases of a system. From the proposal effort through the operations and maintenance, our security engineering staff has the experience and skills to navigate through all security requirements for the life of the program.
Now let me talk to you about three (3) markets we see for CHAIN. First, for DoD and government agencies like DARPA. We recently won a $14 million contract from DARPA. This contract calls for us to install a new "enterprise" network, which will replace a number of disparate DARPA networks. DARPA envisions a single, integrated network supporting the PMs and their programs. This single network will dramatically change the business practices at DARPA as well as the way that DARPA personnel communicate with one another. Today, they have to rely on sneaker net, manually pulling out their hard drives and sharing information. Our solution automates that and allows sharing of information based on security clearances, so that they have access only to the information they should access.
Opportunity to highlight specific CHAIN capabilities in response to what the customer said during the previous slide.
In an MSL (Multiple Single Level) architecture the systems operate at a single classification level and the users are cleared for their specific level. This MSL architecture has Top Secret, Secret, and Unclassified enclaves sharing data via controlled interfaces (i.e., trusted guards). Some users have a maximum clearance of Secret and others a maximum clearance of Top Secret. A trusted bi-directional guard is used to release information classified as Secret from the TS network to a network consisting of only Secret users and systems. Low-to-high (one-way) guards are used to pass information from the Unclassified network to both the Secret and TS networks. The single-level systems must implement mechanisms to provide assurance that the system's security policy is strictly enforced.
Here is an MLS (Multi-Level Security) architecture composed of four interconnected enclaves. The MLS enclave enforces a MAC policy and explicitly labels all data objects. Users on the MLS enclave workstations are cleared to the highest level of data classification and can open multiple "labeled" windows to access and manipulate data at the various data classification levels. Users in the TS, Secret, or Other enclaves are cleared only to those data classification levels respectively. Based on the domain security policy, these users can open "labeled" windows on data elements whose labels their access authorization dominates. Multilevel web and mail services are made available via MLS servers. To amplify the definition, an MLS system might process both Secret and Top Secret collateral data and have some users whose maximum clearance is Secret and others whose maximum clearance is Top Secret. Another MLS system might have all its users cleared at the Top Secret level, but have the ability to release information classified as Secret to a network consisting of only Secret users and systems. Still another system might process both Secret and Unclassified information and have some users with no clearance. In each of these instances, the system must implement mechanisms to provide assurance that the system's security policy is strictly enforced. In these examples, the policy allows access to the data only by those users who are appropriately cleared and authorized (e.g., having formal access approval) and who have an official need to know for the data.
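The dominance rule behind the "labeled windows" and the guard decisions in the MSL and MLS slides, as an added illustration that is not code from the Raytheon presentation. The level ordering, compartment names and the sample objects are constructed for the example; the comparison is the standard lattice check (higher or equal level, superset of compartments).

```python
# Added example, not from the slides: a minimal model of the MAC policy the
# MLS/MSL slides describe. Levels, compartments and objects are constructed.
from dataclasses import dataclass, field

# Constructed ordering of collateral levels (assumption: three levels only).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: at least as high a level AND every compartment of `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def may_read(clearance: Label, data: Label) -> bool:
    """MLS read access: the subject's clearance must dominate the object's label
    (no 'read up'). Need-to-know beyond compartments is out of scope here."""
    return clearance.dominates(data)


def labeled_windows(clearance: Label, objects: dict) -> list:
    """Names of the objects a user could open 'labeled' windows on."""
    return sorted(name for name, lbl in objects.items() if may_read(clearance, lbl))


def guard_release(dest_network_level: str, data: Label) -> bool:
    """Controlled interface between single-level enclaves (MSL): an object may cross
    to a network only if that network's level dominates the object's label. This
    yields the two guard behaviours on the slide: a TS->Secret guard passes only
    Secret-or-lower data, and a low-to-high guard passes Unclassified data upward."""
    # Constructed assumption: network-level labels carry no compartments.
    return Label(dest_network_level).dominates(data)


# Constructed sample objects held on the MLS enclave.
SAMPLE_OBJECTS = {
    "logistics.doc": Label("UNCLASSIFIED"),
    "plan.doc": Label("SECRET"),
    "sigint.doc": Label("TOP SECRET", frozenset({"ALPHA"})),
}

if __name__ == "__main__":
    ts_user = Label("TOP SECRET", frozenset({"ALPHA"}))
    print(labeled_windows(ts_user, SAMPLE_OBJECTS))
    print(guard_release("SECRET", SAMPLE_OBJECTS["sigint.doc"]))
```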
Raytheon Garland's security engineering team is comprised mostly of engineers brought on to work security engineering for the MIND program, which started in May of 1999. The MIND program was one of the first large programs to enter into development under DCID 6/3. MIND was also one of the first large programs to work architectural issues with the DICAST. Our experience in working with the DICAST has been gained over the last 2.5 years. This experience is invaluable in helping other programs navigate getting their architectures approved by the DICAST.
MIND
Integration of legacy infrastructure, at different security levels, into new architecture
Multi-level security management (Radiant Mercury)
Security Engineering led Certification & Accreditation (C&A) compliance with DCID 6/3 PL4 (working with NRO accreditors and DICAST mission partner)
Developed Audit Log Evaluation and Reduction Tool (ALERT) to provide DCID 6/3 compliant audit reports
Raytheon Information Security Presentation to TAMU Kent Stout [email_address] Shelli Richard [email_address] April 16, 2009
Information Security as a Discipline Information Security Engineering combines key engineering disciplines to span the information security spectrum.
Integration and Test
Operations & Maintenance
Installation & Configuration
Full Life-Cycle Coverage
Certified Information Security Engineers
Subject Matter Experts
Certification and Accreditation Expertise
Continuous Learning and Development
Information Security Engineering
Systems Engineering
Network/System Administration
Software Engineering
Public Key Infrastructure (PKI), Virtual Private Networks (VPN’s), Encryption
Secure Voice & Conferencing (VoIP)
Database/Data Warehouse Security
Anti-Tamper TEMPEST & HEMP Engineering
Integrated Red/Black Networking
Vulnerability Assessment/Penetration Testing
Data Forensics, Data Integrity
Operations, Sustainment, Training & Maintenance (NOC, SOC, CIRT)
Raytheon Strives to Provide Robust Solutions to the Evolving Information Assurance Challenges
Cyber Threats are on the Rise
MI5 sends letter to British companies warning systems are under attack
Data Breach Reports Up 69 Percent in 2008
Pentagon hacked
Inspectors Disclose Security Breach at Nuclear Lab
Critical infrastructure central to cyber threat
Threat Vectors for Critical Infrastructure
Cybercrime Surpasses Drug Trafficking Revenue
Cyber Terrorists
Criminal Enterprises
Nation States
Scammers
Criminals
Credit Card Number Theft
Software and Video Pirates
e.g., Tomasz Grygoruk
Supply Chain Exploitation
Trade Secret Mining
Illegitimate Front Companies
China - PLA “Net Force”
India / Pakistan
Arab Electronic Jihad Team
[Slide graphic: THREATS (individuals, criminal syndicates, national organizations) plotted against TARGETS (individuals, organizations, businesses, government, infrastructure), with example incidents and figures placed on the chart; the individual data points are restated in the bullets that follow.]
Targets are both Federal and Commercial
In 2004 revenues produced through cybercrime surpassed those produced through drug trafficking at $105 Billion/year
Between 2003 and 2007 the estimated average commercial cost related to a data breach went from $10 K to $386 K
Between 2003 and 2007 the 100 largest US utilities saw an increase of 95% in penetration attempts
Between 2002 and 2007 military installations went from an estimated 23,000 penetration attempts per year to more than 100,000 attempts per second
Attack sophistication, rewards, and motivations are all expanding
Technology Services and Support Offensive Defensive
The Problem with Software
The unintentional functionality in information systems can be leveraged in unique ways to provide creative, bold and aggressive advantage.
[Diagram: two overlapping circles, Intended Behavior and Actual Behavior. Intended-only region: missing functionality (bugs); overlap: intended functionality; actual-only region: unintended functionality (bugs?).]
Implements an Information Flow/Data Isolation Security Policy
Leverages off COTS vendor DO-178B RTOS and middleware products
MILS Program Raytheon participates in the development of MILS through AFRL/IF sponsored SIRES and HAMES CRAD programs and participation in The Open Group Real-time Embedded Systems forum.
Training Experience
Our training curriculum is world-class.
Experience bands: 0-2 years, 3-5 years, 6-9 years, 10+ years
Curriculum elements:
SANS Security Essentials (Technical)
Vendor Bootcamps, Technical Training
CISSP Certification
ISSEP Certification
SANS Level 2 Specialization Track(s)
Security Conference Attendance
Security Conference (Speaker)
Additional Certifications (Customer-driven)
Principles of Systems Engineering
Raytheon's Information Systems Security Engineering Process
The Raytheon ISSE Process supplements internal development processes and defines how Information Security Engineering achieves successful Certification and Accreditation.