IAnewsletter Vol 13 No 2 (document transcript)

Volume 13 Number 2 • Spring 2010
The Newsletter for Information Assurance Technology Professionals

Cloud Computing: Silver Lining or Storm Ahead?

Also inside:
• Establishing Trust in Cloud Computing
• Insider Threat Center at CERT Grows Solutions from Reality-Based Research
• Public/Private Partnership Becoming a Necessity
• Cloud Computing for the Federal Community
• Apples & Oranges: Operating and Defending the Global Information Grid
• Wikis Within the DoD
• DISA RACE: Certification and Accreditation for the Cloud
• Vulnerability Assessment Processes Within DoD
• LPS-Public: Secure Browsing and an Alternative to CAC Middleware
• Look Before You Leap
• Eight Steps to Holistic Database Security
Contents

Feature
4 Establishing Trust in Cloud Computing — We can argue that it is not a matter of whether cloud computing will become ubiquitous—because the economic forces are inescapable—but rather what we can do to improve our ability to provide cloud computing users with trust in the cloud services and infrastructure.

9 IATAC Spotlight on a University — Penn State is one of the nation’s ten largest undergraduate engineering schools.
10 Cloud Computing for the Federal Community — A community cloud is the most secure way for the federal government to realize the potential of cloud computing.
16 DISA RACE: Certification and Accreditation for the Cloud — Government organizations are taking full advantage of the potential benefits offered by cloud computing.
20 Look Before You Leap: Security Considerations in a Web 2.0 World — Embracing social media is imperative to success in a new communications environment, but doing so without adequate planning can do more harm than good.
25 Insider Threat Center at CERT Grows Solutions from Reality-Based Research — Educating organizations on how to detect and manage insider threat is critical.
26 Wikis Within the DoD — Reaping the benefits of community-driven information sharing with wikis.
29 IATAC Spotlight on a Conference — This event provided opportunities to learn about research as well as ongoing developments.
30 Vulnerability Assessment Processes Within DoD — Standardizing the vulnerability assessment processes can help avert disaster.
33 Subject Matter Expert — The SME profiled in this article is Dr. Peng Liu, at Pennsylvania State University.
34 Eight Steps to Holistic Database Security — Government organizations are finding new ways to secure their data.
37 Public/Private Partnership Becoming a Necessity — Combating advanced persistent threat (APT) in silo efforts is an unsustainable strategy.
38 Apples & Oranges: Operating and Defending the Global Information Grid — Our language and doctrine needs to evolve to view cyberspace as the contested, warfighting domain it is.
42 LPS-Public: Secure Browsing and an Alternative to CAC Middleware — The public edition LPS is a free, easy to use, install nothing, browsing alternative with built-in CAC software for almost any computer.

In every issue
3 IATAC Chat
36 Letter to the Editor
43 Products Order Form
44 Calendar

About IATAC and the IAnewsletter
The IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a Department of Defense (DoD) sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), and Director, Defense Research and Engineering (DDR&E). Contents of the IAnewsletter are not necessarily the official views of or endorsed by the US Government, DoD, DTIC, or DDR&E. The mention of commercial products does not imply endorsement by DoD or DDR&E.

Inquiries about IATAC capabilities, products, and services may be addressed to—
IATAC Director: Gene Tyler
Inquiry Services: Peggy O’Connor
If you are interested in contacting an author directly, please e-mail us at Iatac@dtic.mil.

IAnewsletter Staff
Art Director: Tammy Black
Copy Editor: Kali Wilson
Designers: Michelle Deprenger, Dustin Hurt
Editorial Board: Dr. Ronald Ritchey, Angela Orebaugh, Gene Tyler, Kristin Evans, Al Arnold

IAnewsletter Article Submissions
To submit your articles, notices, programs, or ideas for future issues, please visit http://iac.dtic.mil/iatac/IA_newsletter.html and download an “Article Instructions” packet.

IAnewsletter Address Changes/Additions/Deletions
To change, add, or delete your mailing or email address (soft-copy receipt), please contact us at—
IATAC, Attn: Peggy O’Connor
13200 Woodland Park Road, Suite 6031, Herndon, VA 20171
Phone: 703/984-0775, Fax: 703/984-0773
Email: iatac@dtic.mil
URL: http://iac.dtic.mil/iatac

Deadlines for Future Issues: Summer 2010 — May 8, 2010
Cover design: Tammy Black
Newsletter design: Donald Rowe
Distribution Statement A: Approved for public release; distribution is unlimited.

2 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
IATAC Chat
Gene Tyler, IATAC Director

In early February, I had the opportunity to attend the Information Assurance Symposium (IAS) in Nashville, TN. I always look forward to attending this event because it brings together folks who truly care about information assurance (IA). I am always excited to converse with colleagues interested in solving tough IA problems ahead, and yet again, the IAS did not fail; I enjoyed talking with people about some of the newest innovations currently changing our field.

One topic that seemed to dominate the conversations I had with various colleagues and subject matter experts at IAS was cloud computing, and as this edition of the IAnewsletter reflects, this topic is getting a lot of well-deserved attention, for a multitude of different reasons. Cloud computing is revolutionizing how organizations are constructing their networks and systems; it is changing how organizations invest in their information technology infrastructure; and it is forcing organizations to reconsider how they secure critical information—security is critical and at the forefront of cloud computing.

But what, exactly, is cloud computing; and how do you ensure information security in the cloud computing environment? Dr. Bret Michael and Dr. George Dinolt, of the Naval Postgraduate School (NPS), address some of these questions in their article, “Establishing Trust in Cloud Computing.” They argue that a lot of discovery is necessary before the IA community can fully understand cloud computing, its benefits, and more importantly, its weaknesses. I believe they say it best in their statement, “It is unclear whether the current set of [cloud computing] services is sufficiently secure and reliable for use in sensitive government environments.” They advocate a cautious approach to implementing cloud computing capabilities across the government and, in particular, the Department of Defense (DoD). However, these subject matter experts remain optimistic, which is why they are excited about the research and investigation NPS is doing to identify methods of securing cloud-based systems.

On the other hand, some organizations are beginning to successfully implement cloud computing already. Most notably, the Defense Information Systems Agency (DISA) successfully developed the Rapid Access Computing Environment (RACE), which is a cloud-based system. Not only has DISA successfully implemented RACE, but, as the authors point out, the “certification and accreditation policy has been adapted to allow organizations to use RACE cloud resources, thereby quickly connecting to the cloud while complying with DoD requirements.” Munjeet Singh and Troy Giefer remain deeply involved with DISA as it implements cloud solutions, and as a result, their article, “DISA RACE: Certification and Accreditation for the Cloud,” provides a different perspective on cloud computing and its advantages.

As these two articles suggest, there is a lot of debate over cloud computing, the advantages it offers, and the risks it presents. I hope the articles presented in this edition of the IAnewsletter also provide you with various perspectives on cloud computing so that you feel inspired to enter into the dialogue. I ask you, is cloud computing the silver lining to computing, and should we storm ahead in implementing it across various organizations? Or might it weaken our computer network defenses and result in a potential storm of malicious attacks in the future?

In addition to cloud computing, I invite you to look at the various other articles in this edition that highlight the following topics, also discussed at IAS: insider threat; Web 2.0 security; social media and its use in DoD; vulnerability assessments; defending the Global Information Grid; and our industry expert contributes a very interesting article on public/private partnerships.

As I always remind our readers, we are interested in your perspectives and welcome your contributions to this publication. We know our readers are the very subject matter experts who are analyzing and experimenting with innovative solutions like cloud computing. Feel free to contact us at iatac@dtic.mil with your perspective on the cloud debate!
FEATURE STORY
Establishing Trust in Cloud Computing
by Dr. Bret Michael and Dr. George Dinolt

In the aptly titled article, “Cloud Assurance Still Missing,” Allan Carey wrote, “The security problems that organizations face related to cloud computing are the same as those related to virtualization—but even more so.” [1] He goes on to say, “Information assurance practitioners already have most of what is needed to make an informed set of decisions about cloud computing.” [2] We would argue that the security problems go well beyond the use of virtualization in distributed systems. In this article, we discuss the need for asking critical questions about the security implications of cloud computing. Answers to our questions are not readily apparent, even though viewing computing as a utility, similar to that of providing water or electricity on a for-fee basis, dates back to at least the 1960s. [3]

As we pointed out in a recent article, [4] what has changed over time is the advancement of the underlying technology, including cheap, fast central processing units (CPUs), low-cost random access memory (RAM), inexpensive storage, and the high-bandwidth standardized communication needed to efficiently move data from one point to another. Additionally, considerations such as the economies of scale involved in building very large data centers nudged organizations to consider cloud computing as a vehicle for maintaining their competitive edge.

A recent technical report published by the University of California, Berkeley, states that there is no commonly agreed upon definition of cloud computing. [5] Instead, a definition is emerging as the various organizations that are developing cloud services evolve their offerings. In addition, there are many shades of cloud computing, each of which can be mapped into a multidimensional space with the dimensions being characteristics, service models, and deployment models. [6]

Cloud computing is a metaphor for giving Internet users a growing collection of computer system resources and associated software architectures to provide application services. [7] The applications include processing and application integration, storage, and communications services. Cloud services are typically available on demand and are charged on a usage basis. Often, what the user sees is an application instead of a particular computer. The services are commonly described as:
• PaaS (Platform as a Service)—the cloud provides hardware resources, typically virtual machines, which can be loaded with the user’s operating system and software;
• IaaS (Infrastructure as a Service)—the cloud provides an infrastructure including (virtual) platforms, networking, etc. on which applications can be placed;
• SaaS (Software as a Service)—the cloud provides software applications.

Amazon’s Elastic Compute Cloud (EC2) is an example of these services. [8] Google also provides enterprise-level integrated application services such as email, appointment calendars, text processing and spreadsheets. [9]

The claimed advantages for an enterprise are that it does not require an investment in computer resources, infrastructure, administration, etc.: the purveyor of the cloud provides these resources. The user or enterprise only pays for the resources “consumed.” In the Department of Defense (DoD), we have seen the introduction of infrastructure services on demand provided by the Defense Information Systems Agency’s Rapid Access Computing Environment (DISA RACE). [10] Where available, the cost of developing and maintaining specialized applications can be shared among the users of that application. In theory, there is an advantage in having large-scale resources shared among a large class of users. However, this has yet to be borne out. [11] There are, of course, applications that require a large number of resources. Google Search is one such example. It appears that Google, Amazon, and others are attempting to leverage their ability to construct such a system into other environments.

We can argue that it is not a matter of whether cloud computing will become ubiquitous but rather what we can do to improve our ability to provide cloud computing users with assurance that the cloud services and infrastructure provide appropriate security functionality. Cloud computing providers should supply their customers with an appropriate level of security transparency to alleviate customers’ reservations about the security and privacy afforded by the cloud. [12] How much transparency is enough? How do we provide for transparency of cloud resources (i.e., determining the cloud in which customer data resides)? Is there a tipping point at which additional levels of transparency would only serve to help malefactors compromise services and datacenters?

In addition, as users and developers find new ways of applying cloud technologies, there will be new expectations about security and privacy. For instance, Twisted Pair Solutions of Seattle proposes to provide cloud computing resources for state and local agencies to link up disparate public safety radio systems (e.g., police, fire, or ambulances)—a novel but difficult-to-predict usage of cloud computing, but also a usage that makes the cloud part of mission- and safety-critical systems. [13] The expectations for security, privacy, reliability, and quality of service and so on will be different in some respects for Voice over Internet Protocol (VoIP) radio systems than for the cloud’s social networking aspects. This raises the question: how do we manage risk when we do not fully understand what we are trying to protect or guard against?

The fluid nature of cloud computing makes it a moving target, even when trying to determine the questions we should be asking to improve the security and privacy clouds afford. However, we can ask fundamental questions like: are the current architectures adequate for building trusted clouds? If not, what types of software system architectures do we need? Consider, for instance, the possibility that an organization might opt to fully outsource its computing infrastructure and data center to the cloud, retaining only thin clients within the organization. How do we make the thin client user terminals and the communications infrastructure secure?

What is our motivation for jumping feet first into asking hard questions about cloud computing? The growing importance of cloud computing makes it increasingly imperative that security, privacy, reliability, and safety communities grapple with the meaning of trust in the cloud and how the customer, provider, and society in general gain that trust. Consider the initiative of the DoD Enterprise Services & Integration Directorate to make the DoD Storefront Project a reality. The Storefront consists of a cloud-based set of core and specialized applications that users can discover through an application marketplace and which share an identity management framework. How will DoD provide security for the Storefront? It is more than a matter of having an identity management framework. The obvious security concerns include data integrity, data availability, protection of personally identifiable information, data protection, data destruction, and communications security.

[Figure 1: Process for Integrating Security Into the Cloud. Layers shown: Security Policy (Identification & Authentication, Integrity, Compromise, Provision of Service) → Informal Map → Formal (Mathematical) Map, with Theorems about Policy (proof that the specification satisfies the model) → Top Level System Specification → Semi-Formal Map (system satisfies specification) → Top Level System Implementation; DoD Enterprise Computing and Integration & Middleware appear alongside.]

Moving beyond the Storefront concept, as the federal government migrates its data and applications to the cloud, issues regarding cross-domain resource sharing will arise within the cloud. For instance, how will DoD link its clouds to those of other agencies? Will a DoD user, authenticated to enter the DoD cloudsphere, be trusted to access services owned by the Department of Homeland Security (DHS)? Is there a need for a federal-wide cloud infrastructure and common set of security services? How will data be shared among the various different types of cloud?

Information Assurance
At the Naval Postgraduate School, a major thrust of our research on cloud computing is to investigate the security policies, models, and appropriate architectures to provide security for entities/users of cloud computing resources. Although cloud computing may appear to provide reasonably well understood operating system and application resources, cloud resources are distributed in space, time, and scale in ways that were never envisioned in the operating-system world. The current architectural approaches, especially those concerning security, may not scale to the much larger cloud computing approaches. In addition, the approaches for assuring operating system security functionality are not necessarily appropriate. It is unclear whether the current set of services is sufficiently secure and reliable for use in sensitive government environments. Current security claims are somewhat limited.

One of the fundamental problems with adopting cloud computing is providing not only security resources but also assurances that those resources are correctly implemented and maintained within the cloud. Several vendors have formed the Cloud Security Alliance (CSA). [14] In the report titled Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, CSA provides its take on some of the security issues related to cloud computing. [15] In the report, security properties are described as essentially the same set of properties that a user expects to see with a self-hosted system. These include the usual:
• Identification/Authentication
• Privacy
• Integrity
• Provision of Service.

They view assurance as an audit of the function’s implementation, that is, the cloud systems’ administrators and implementers have used ‘best practices’. Other than the notion that encryption is used to protect the data, there is little information that defines ‘best practices.’ There is, however, some form of key management included that provides potentially strong identification/authentication, as well as some form of data integrity/recovery facility. The security architecture proposed is essentially a layered operating system application. It consists of a network layer interposed between application programming interfaces (APIs) and the underlying operating system infrastructures. ‘Trusted computing’ is only mentioned at the hardware/operating system level. Additionally, the CSA paper enumerates several security issues that should be addressed by the cloud-style service provider, but does not provide any insight on security policies/models, interfaces or potential solutions.

To provide an example of some of the potential issues, Google supports “Google Apps.” [16] Google Apps applies the usual discretionary access controls to the resources it provides—files, calendars, address lists, etc. To make life easier, Google provides tools that integrate their identification and authentication systems into the enterprise, providing single sign-on; the enterprise user need only log onto their home system. Once logged on, the enterprise user can automatically access the users’ files and services on Google without an additional login. Although convenient, this functionality increases the security exposure to not only the weakness of the enterprise system, but also to the weakness of Google’s infrastructure. If, for example, Google’s infrastructure has a security flaw, then it may be possible for someone in one enterprise to access accounts from another enterprise. On the other hand, security flaws in the enterprise system may lead to weaknesses in the access controls of the information managed by Google Apps. Additionally, connected applications may provide unintended connections among users, as was demonstrated with the introduction of Google Buzz. [17]

When each enterprise maintains its own infrastructure, a failure in one enterprise may cause failures across the cloud. Unless an enterprise uses a single cloud from a single vendor, integrating the various applications, infrastructures, and policies among many different clouds and cloud vendors will be a significant challenge. In fact, it will be a challenge to ensure that the different policies do not contradict and potentially permit access that should not be allowed at the system level.

Ultimately, the proof is in the pudding. Will the cloud vendors be willing to stand behind the security of their systems? In the case of Amazon’s EC2 and Simple Storage Services (S3) services, Amazon suggests that their EC2 and S3 infrastructure not be used for systems that must satisfy the Payment Card Industry Security Standards [18], although it has published a paper on how Amazon Web Services can be used in a Health Insurance Portability and Accountability Act (HIPAA) compliant environment. [19] In the HIPAA paper, Amazon essentially places almost all the requirements on the “user/enterprise” to encrypt all the data stored and to manage its keys. Amazon provides services to log safely into its systems and provide some data recovery and integrity.

In the realm of reliability, prior to the breakup, AT&T was required to build systems that had an up-time reliability of “five nines” (about 5.2 min/yr downtime). Part of the reason for this was to ensure services in case of national emergency. Current cloud based systems are advertised as providing “three nines” (almost 9 hrs/yr downtime). [20]

Determining Where Trust Should be Placed
Clearly, there are many challenging security issues related to cloud computing. In our research, we are working on a formal, structured, possibly mathematical approach that will give users and cloud-developers deeper insight into what should be done, how it might be achieved, and where the trust should be placed. This research includes the investigation of implementation structures and assurance provisions for “security” in cloud-based systems. To do this, we will attempt to provide security architectures and models that satisfy the following:
• They are aware of the amorphous nature and scale of the cloud computing paradigm
• They include mathematical models of the security properties that can be used to help analyze those properties
• They provide the underpinnings on which applications/enterprise/user level security policies/properties can be implemented
• They provide the foundations on which the implementation assurances can be ascertained.

Our hope is that the results of the research will provide a framework that can be at least partially applied to the current cloud architectures and may lead to new architectures with better defined, more assured security.

Over the past 30-plus years in the operating system security world, a lot of work has been done to provide highly assured components with trustworthy systems. Unfortunately, the commercial world has ignored a lot of this work. Recent efforts have focused on the use of separation kernels. For example, Green Hills has recently received a National Information Assurance Partnership (NIAP) certificate for its Integrity 178B Separation Kernel. [21] Separation kernels provide a minimal set of operating system services on which other trusted services and applications could be built. These may be thought of as slightly more functional than a Virtual Machine Monitor (VMM), although Green Hills and others are looking to implement high assurance VMMs using their technology.

Our approach to the problem involves separation of ‘virtual’ resources. This approach constructs an infrastructure that establishes (or reconstructs where appropriate) resources, identifies and authenticates users, and then controls access to the resources. Our focus is to provide a security model and a security architecture that provides the infrastructure that will accomplish these goals.

An Example
For instance, consider PaaS. An enterprise might wish to run its own applications. These applications may only run on an intermittent basis and/or require a large number of resources. One way to achieve this is to use a cloud PaaS.

We use the term ‘enterprise’ to describe the organization requiring the platform and ‘provider’ for the organization providing the cloud platform resources. The PaaS provider would provide ‘platforms,’ either ‘real’ as part of a virtual environment (a means for downloading an operating system and for managing the platforms), or as a possible network interface(s) on the platform(s). The enterprise loads operating systems, applications, etc., onto the platform(s) and manages all the interfaces and resources provided. The example below assumes that multiple platforms will be used.

The security policy visible to the user includes:
• Identification—A set of platform names issued by the provider (unique to the enterprise)
• Authentication—A secure channel that can be used to load the operating system(s) onto the platforms—the provider is trusted to ensure that the only communication with the platforms is from or to the enterprise
• Integrity—The provider should guarantee that the resources are “empty” on first use and that none of the platform resources are modifiable by any party other than the enterprise. This includes any management functions; it is up to the enterprise to ensure that any network interfaces are appropriately protected
• Privacy—The provider should guarantee that there is no third party access to the platform processor, memory, and/or disk files
• Provision of Service—The provider should provide access to the resources on demand, per any service level agreements between the enterprise and the provider.

There are at least two models of this kind of service:
1. Resources are provided on an ad hoc, intermittent basis. In this version, there is no connection between consecutive uses of the resources. The enterprise uses the resources once. During subsequent uses, the enterprise assumes that all the previous data does not exist or has been erased by the provider. The only connection between the two usages is that the enterprise uses the “same identifiers” to access new instances of the resources. There is no guarantee that the same physical resources will be used for each run of the platform(s).
2. The enterprise ‘turns off’ the platform, but in subsequent use after turning it back on, finds the platform resources in the same state they were in after being turned off. As expected, the enterprise might pay more for this service. In this case, the provider must protect the information in the resources between runs from both modification and access by third parties. There is no guarantee that the same physical resources will be used in each run of the platform.

Note that in both cases, the provider provides access to platforms and associated data. The platforms are available to others when the enterprise is not using them. Any provider configuration data about the platforms must be protected from modification and, in the second case above, any enterprise information that will be reused must also be protected.

Informally, a portion of the model might then take the form of:
• VPlatform—The set of names of virtual platforms that will be provided to enterprises
• VPlatformType—Whether the VPlatform resources are persistent (type 2 above) or not
• VPlatformResource—The set of resources associated with a VPlatform
• Enterprise—The set of enterprises that use VPlatforms
• Allocation—An association of an Enterprise with a Platform, VPlatformType and VPlatformResources. The same Enterprise may have multiple VPlatforms, and VPlatformResources associated with it
• PlatformCloud—A sequence of sets of Allocations.

The security properties then become statements about the resources and platforms. For example: No pair of allocations shares any common VPlatforms or VPlatformResources.

As depicted in Figure 1, the security properties can be modeled on a collection of the statements above. Each of the statements should map back to some aspect of the system’s user-visible security property. We could use our statements about the relationships of the entities (sets) we describe to prove additional properties of the system. Following the security model’s construction, a high-level execution model should be constructed and validated mathematically to determine that it satisfies our security model. Next, it is necessary to map our high-level model to varied cloud aspect implementations as documented by the vendors.

Conclusion
Cloud security is an ill-defined, little-understood area of distributed computing. However, we believe that progress can be made to provide a level of assurance that accommodates the resources needed to support DoD and the federal government’s information processing requirements.

About the Authors
Dr. Bret Michael is a Professor of Computer Science and Electrical Engineering at the Naval Postgraduate School. He conducts research on the reliability, safety, and security of distributed systems. He is an Associate Editor-in-Chief of IEEE Security & Privacy magazine and a member of the IATAC Steering Committee.

Dr. George Dinolt is a Professor of Practice in Cyber Operations at the Naval Postgraduate School. His research interests are primarily in the high assurance portions of Computer Security. His research covers formal methods and the connections between them and security policies, secure systems architectures and secure-systems design.

References
1. IAnewsletter, vol. 13, no. 1, winter 2010, p. 34.
2. Ibid.
3. M. Campbell-Kelly. “The Rise, Fall, and Resurrection of Software as a Service: A Look at the Volatile History of Remote Computing and Online Software,” Communications of the ACM, vol. 52, no. 5, pp. 28–30, May 2009.
4. B. Michael. “In Clouds Shall We Trust,” IEEE Security & Privacy, vol. 7, no. 5, p. 3, September/October 2009.
5. M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia. “Above the Clouds: A Berkeley View of Cloud Computing,” EECS Department, University of California, Berkeley. Technical Report UCB/EECS-2009-28, 10 February 2009, http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.html.
6. P. Mell and T. Grance, “The NIST Definition of Cloud Computing,” Version 15, 7 October 2009, http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.
7. http://en.wikipedia.org/wiki/Cloud_computing.
8. http://aws.amazon.com.
9. http://docs.google.com.
10. http://www.disa.mil/race.
11. H. G. Miller and J. Veiga. “Cloud Computing: Will Commodity Services Benefit Users Long Term?” IEEE ITPro, vol. 11, no. 6, pp. 67–69, November/December 2009.
12. http://www.opencloudmanifesto.org.
13. http://www.fcw.com/Articles/2009/04/16/Cloud-computing-moving-into-public-safety-realm.aspx.
14. http://www.cloudsecurityalliance.org.
15. http://www.cloudsecurityalliance.org/csaguide.pdf.
16. http://www.google.com/apps.
17. http://www.nytimes.com/2010/02/15/technology/internet/15google.html.
18. http://www.mckeay.net/2009/08/14/cannot-achieve-pci-compliance-with-amazon-ec2s3.
19. http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf.
20. http://www.google.com/apps/intl/en/business/infrastructure_security.html.
21. http://www.niap-ccevs.org/cc-scheme/st/vid10119/maint200.
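The informal PaaS model above (VPlatform, VPlatformType, VPlatformResource, Enterprise, Allocation, PlatformCloud) can be made executable so that its stated properties are checked mechanically rather than argued informally. The block below is an added example written for this page, not the NPS authors' formal model: the entity names come from the article, while the data layout, the function names, the rules for persistent versus ephemeral platforms across epochs, and the sample cloud and disk contents are assumptions constructed here. It checks the article's isolation property (no two allocations share a VPlatform or VPlatformResource) and the integrity/privacy expectations of the two service models (type-1 resources are empty on the next use; type-2 state is returned unchanged to the same enterprise and never exposed to a different one).

```python
"""Executable sketch of the PaaS security model described in the article.

Added example, not the NPS authors' model: entity names come from the
article; the data layout, function names and sample data are assumptions
made here so the stated properties can be checked mechanically.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


class VPlatformType(Enum):
    EPHEMERAL = 1   # article's type 1: no connection between consecutive uses
    PERSISTENT = 2  # article's type 2: state survives turning the platform off


@dataclass(frozen=True)
class Allocation:
    enterprise: str
    vplatform: str               # platform name issued by the provider
    vtype: VPlatformType
    resources: FrozenSet[str]    # VPlatformResources bound to the platform


# PlatformCloud: a sequence (one entry per epoch) of sets of Allocations.
PlatformCloud = List[Set[Allocation]]
# Resource contents as found at the start of / left at the end of an epoch.
Contents = Dict[str, bytes]


def isolation_violations(epoch: Set[Allocation]) -> List[Tuple[Allocation, Allocation]]:
    """Article's property: no pair of allocations shares any common VPlatform
    or VPlatformResource.  Returns the offending pairs (empty list = OK)."""
    allocs = sorted(epoch, key=lambda a: (a.enterprise, a.vplatform))
    bad = []
    for i, a in enumerate(allocs):
        for b in allocs[i + 1:]:
            if a.vplatform == b.vplatform or a.resources & b.resources:
                bad.append((a, b))
    return bad


def _previous_owner(resource: str, epoch: Set[Allocation]) -> Optional[Allocation]:
    for a in epoch:
        if resource in a.resources:
            return a
    return None


def residual_data_violations(cloud: PlatformCloud,
                             start: List[Contents],
                             end: List[Contents]) -> List[str]:
    """Integrity/Privacy checks across consecutive epochs (assumed rules).

    start[k][r] is what the enterprise finds in resource r when epoch k
    begins; end[k][r] is what it left there.  Derived from the two models:
      * a resource last used by an EPHEMERAL platform must be empty on reuse;
      * a PERSISTENT platform re-run by the same enterprise must see exactly
        the state it left;
      * a PERSISTENT platform's resource handed to another enterprise must be
        empty (the provider must keep stored data from third parties).
    """
    problems = []
    for k in range(1, len(cloud)):
        for a in cloud[k]:
            for r in a.resources:
                prev = _previous_owner(r, cloud[k - 1])
                if prev is None:
                    continue
                seen = start[k].get(r, b"")
                if prev.vtype is VPlatformType.EPHEMERAL:
                    if seen != b"":
                        problems.append(f"epoch {k}: {r} not erased after ephemeral use by {prev.enterprise}")
                elif prev.enterprise == a.enterprise and prev.vplatform == a.vplatform:
                    if seen != end[k - 1].get(r, b""):
                        problems.append(f"epoch {k}: persistent state of {r} modified between runs")
                elif seen != b"":
                    problems.append(f"epoch {k}: persistent data of {prev.enterprise} on {r} exposed to {a.enterprise}")
    return problems


# --- Constructed sample cloud (illustrative data, not any real provider) ----
A_RUN = Allocation("ent-A", "vp-1", VPlatformType.EPHEMERAL, frozenset({"disk-7"}))
B_RUN = Allocation("ent-B", "vp-2", VPlatformType.PERSISTENT, frozenset({"disk-9"}))
C_RUN = Allocation("ent-C", "vp-3", VPlatformType.EPHEMERAL, frozenset({"disk-7"}))

GOOD_CLOUD: PlatformCloud = [{A_RUN, B_RUN}, {C_RUN, B_RUN}]   # B turns vp-2 back on
END = [{"disk-7": b"A-data", "disk-9": b"B-state"}, {}]
GOOD_START = [{}, {"disk-7": b"", "disk-9": b"B-state"}]        # provider erased disk-7
BAD_START = [{}, {"disk-7": b"A-data", "disk-9": b"B-state"}]   # provider failed to erase

# Two allocations sharing disk-9 in one epoch: violates the isolation property.
BAD_EPOCH = {B_RUN, Allocation("ent-D", "vp-4", VPlatformType.EPHEMERAL, frozenset({"disk-9"}))}


def check_good_cloud() -> Tuple[bool, List[str]]:
    isolated = all(not isolation_violations(e) for e in GOOD_CLOUD)
    return isolated, residual_data_violations(GOOD_CLOUD, GOOD_START, END)


if __name__ == "__main__":
    print(check_good_cloud())
    print(residual_data_violations(GOOD_CLOUD, BAD_START, END))
    print(len(isolation_violations(BAD_EPOCH)))
```

The checker only covers the visible policy items the article lists (Identification, Integrity, Privacy); Authentication and Provision of Service are about channels and SLAs rather than resource state, so they would need a different model. The point of the exercise is the one Figure 1 makes: each statement in the model maps to a user-visible property, and a mechanical check of the model is the first rung before proving that a specification and then an implementation satisfy it.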
IATAC Spotlight on a University
Pennsylvania State University
by Angela Orebaugh

In 1855, Pennsylvania State University (Penn State) was originally founded on 200 acres in Centre County, Pennsylvania, as an agricultural school that applied scientific principles to farming. Engineering studies were introduced in 1882, making Penn State one of the nation's ten largest undergraduate engineering schools. Today, Penn State has grown into a large, geographically dispersed, major research institution. Nineteen campuses, 15 colleges, and one online World Campus currently comprise Penn State. In Fall 2009, Penn State served over 80,000 undergraduates and over 13,000 graduate students, with half of the student population enrolled at the main campus in University Park.

The National Security Agency (NSA) and the Department of Homeland Security (DHS) have designated Penn State a National Center of Academic Excellence in Information Assurance Education (CAE/IA) since 2003 and a National Center of Academic Excellence in Information Assurance Research (CAE-R) for 2008-2013.

The College of Information Sciences and Technology (IST) offers a bachelor's degree in Security and Risk Analysis (SRA). This degree program is intended to familiarize students with the general frameworks and multidisciplinary theories that define the area of security and related risk analyses. Courses in the major engage students in the challenges and problems associated with assuring information confidentiality and integrity (e.g., social, economic, technology-related, and policy issues), as well as the strengths and weaknesses of various methods for assessing and mitigating associated risk. The major provides grounding in the analysis and modeling efforts used in information search, visualization, and creative problem solving. This knowledge is supplemented through an examination of the legal, ethical, and regulatory issues related to security, which includes analyzing privacy laws, internal control, and regulatory policies, as well as basic investigative processes and principles. Such understanding is applied to venues that include transnational terrorism, cyber crimes, financial fraud, risk mitigation, and security and crisis management. The program also includes overviews of the information technology that plays a critical role in identifying, preventing, and responding to security-related events.

IST also offers a graduate degree in Security Informatics, which seeks to improve the cyber security of individuals and organizations by creating innovative solutions for detecting and removing cyber threats, recovering from cyber attacks, protecting privacy, enhancing trust, and mitigating risks.

Penn State includes a number of research centers focused on cyber and information security:
• The Center for Information Assurance plans, coordinates, and promotes IA research, education, and outreach. The faculty coordinators for the center include Dr. Chao-Hsien Chu and Dr. Peng Liu. The center's missions are:
  • Conduct broad-based research on various aspects (theoretical and applied; technical and managerial; wired and wireless, etc.) of information and cyber security
  • Educate and train information security professionals through degree and continuing education programs, and ensure that information security awareness is instilled in all Penn State students
  • Provide assistance and technical support to industry, non-profit organizations, government, and individuals in the information and cyber security area. [1]
• The Networking and Security Research Center (NSRC) was established in 2003 to provide a research and education community for professors, students, and industry collaborators interested in networking and security. It also provides a unique avenue for interaction with industry; the (continued on page 15)
Cloud Computing for the Federal Community
by Hannah Wald

The question is not whether, but when, the U.S. federal government will embrace cloud computing. The current administration—in particular its Chief Information Officer, Vivek Kundra—is very enthusiastic about this technology's potential. Some federal agencies are already moving into the cloud: the Defense Information Systems Agency (DISA) is pilot testing a cloud; [1] the National Aeronautics and Space Administration (NASA) has announced plans to develop a cloud that can be used both internally and for collaboration with external research partners; [2] the Department of the Interior (DOI) has an Infrastructure as a Service (IaaS) offering called the National Business Center Grid (NBCGrid), with other offerings set to roll out in the near future; [3] and the General Services Administration (GSA) offers access to various externally provided cloud applications through its portal site, http://apps.gov. [4]

The federal government is not seriously considering cloud computing simply because of its hype. Agencies are finding it increasingly costly and difficult to procure, set up, maintain, and secure traditional computing architectures. This may explain why bodies such as the National Institute of Standards and Technology (NIST) and the Government Accountability Office are holding off on setting rules and standards for cloud computing while they survey the landscape and take an inventory of best practices. They are concerned about the risks inherent in cloud computing but do not want to restrict innovation. Pro-cloud civil servants believe cloud computing can make federal Information Technology (IT) and services cheaper, easier, and more secure—and it can—provided the cloud is implemented and managed properly.

For many federal agencies, a community cloud would be the best service model to use (regardless of the exact type of service being provided). The GSA, or another provider who is familiar with federal IT needs, could stand up a multi-agency cloud that facilitates and enforces compliance with government-wide security standards such as those outlined in regulations (e.g., the Federal Information Security Management Act [FISMA]) or guidance documents (e.g., the NIST 800 series). Alternatively, individual cabinet-level agencies could provide clouds for their "community" of internal divisions, which could serve agencies' individual compliance needs more easily than a generalized multi-agency cloud. [5] DISA's Rapid Access Computing Environment sets a precedent for this model: it is intended to serve the entire Department of Defense, which has its own set of security standards in addition to those mandated for civilian agencies. [6] A third possibility is a "federated" hybrid of agency-specific community clouds and a government-wide community cloud, all with certain common standards (e.g., a minimal security baseline and universal protocols) but otherwise tailored to specific purposes.

Understanding the merits of a community cloud requires understanding fundamental cloud
computing concepts, starting with the definition of "cloud computing" provided by NIST:

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." [7]

NIST also lists five essential characteristics of cloud computing:
• On-demand self-service—A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
• Broad network access—Capabilities are available over the network and accessed through standard mechanisms that promote use by client platforms (e.g., mobile phones, laptops, and PDAs).
• Resource pooling—The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. A sense of location independence exists because the customer generally has no control over or knowledge of the provided resources' exact location but may be able to specify location at a higher level of abstraction (e.g., country, state, or data center). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
• Rapid elasticity—Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear unlimited and can be purchased in any quantity at any time.
• Measured service—Cloud systems automatically control and optimize resource use by leveraging a metering capability appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). The provider and consumer can monitor, control, and report resource usage, thus providing transparency of the utilized service. [8]

Industry expert Dave Linthicum notes that cloud computing is similar to time-sharing on mainframes, but with some added features. For example, cloud clients can "mix and match" solutions, using a software offering from one provider and an infrastructure offering from another. Commoditization of bandwidth allows clients to easily leverage distantly located resources—something that was difficult only a few years ago—and pay for use of those resources as if they were gas or electricity. Finally, cloud providers are particularly innovative in the services they offer and are developing new services all the time. [9] Cloud computing allows users to leverage IT solutions with an unprecedented level of granularity.

An organization can pay an outside provider for data, applications, operating platforms, raw digital storage, and/or processing resources: Data as a Service (DaaS), Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), respectively. [10] A data-mining company providing its customers with on-demand access to its records of individual purchase histories is an example of DaaS; Google Apps are SaaS; a firm offering application development environments to startups is selling PaaS; and a company offering access to raw computing resources is selling IaaS.

The split of assurance responsibilities between the provider and client varies depending on the service. With DaaS and SaaS, the provider has control over almost everything. With PaaS, the client is responsible for application security, and
everything else is left to the provider. With IaaS, the client is responsible for everything but physical and (some aspects of) network security. Regardless of the service and its inherent allocation of responsibility, cloud clients ultimately leave the fate of their information assets in the provider's hands (see Figure 1).

Figure 1: Provider Assurance Responsibility in Different Types of Service [11]. The figure shows the cloud stack top to bottom, grouped by service type: SaaS (Presentation Modality, Presentation Platform, APIs, Applications, Data/Metadata/Content), PaaS (Integration & Middleware), and IaaS (APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities).

The service provider is responsible for maintaining, upgrading, and securing the hardware and software (where applicable) on which the service runs. Ideally, this setup allows users to stop worrying about the security of their information assets by leaving them in more competent hands. Cloud computing also has certain security advantages. For example, a desktop computer almost never complies with an organization's security policy "out of the box," but a cloud can be configured so that every new virtual machine created therein is compliant. Monitoring certain activities and rolling out updates across a cloud is relatively easy—unlike doing so across a collection of distinct physical machines.

However, cloud computing presents a variety of information assurance (IA) challenges. One salient feature of the time-sharing model was trust. The users and owners of the old mainframes were part of a community with common incentives and goals, which is not necessarily the case in cloud computing. In a public cloud, the relationship between clients and providers is largely transactional, and the clients do not know each other. The parties involved have little basis for trust and may in fact distrust one another to a certain extent.

Trust, or the lack of it, is a factor in all five of the fundamental cloud security challenges. These challenges all involve uncertainties about the provider's standard of care and how the provider will treat the client (and the client's data) in the event of a problem. [12]
• Data protection
  • Where do data physically reside, and does the data's location have legal ramifications?
  • Are data safely protected (e.g., by encryption) while at rest or in motion within and across the cloud?
  • How is availability of data assured in the cloud?
  • Does the provider take measures to ensure that deleted data is not recoverable?
• Security control
  • What security controls does the cloud provider need to implement, and how?
  • How are assurance levels effectively and efficiently managed in the cloud?
• Compliance
  • Is the cloud complying with all the necessary guidance?
  • Can the provider substantiate claims that security controls are implemented sufficiently?
• Multi-tenancy
  • Are my assets vulnerable if another client is exploited by an attack?
  • How does the cloud provider keep different clients' data separated and inaccessible from other clients?
  • If a forensic/electronic discovery procedure is conducted on one client's data, how will the
provider protect the confidentiality of other clients' data?
• Security governance
  • Who owns/accesses/deletes/replicates data in the cloud?
  • How can the client ensure policy enforcement?
  • How can the client measure and track service/network performance?

Figure 2 illustrates the layers of the cloud and the associated layers of security.

Figure 2: Layers of Cloud Computing Environment (CCE) Security [13], derived from the CSA "Security Guidance for Critical Areas of Focus in Cloud Computing." Goal: a trusted environment, well-served and satisfied users, agency success. The security layers, with the technology and tools at each, listed top to bottom against the stack of Figure 1:
• Policy & Procedures: governance, controls, stakeholder satisfaction
• Information (Data/Metadata/Content): data encryption, database security
• Applications/Service (Presentation Modality, Presentation Platform, APIs, Applications): access control, static code analysis, WAFs
• Management (Integration & Middleware): policy enforcement, rerouting and throttling of services, validated identity claims, authentication and authorization, security event monitoring, alerting and notification, contextual dashboard, independent key management
• Network (APIs, Core Connectivity & Delivery): firewalls, NIDS, zone-based segmentation, dedicated MPLS/VPN network connections
• Trusted Computing (Abstraction): secure hypervisor for segmentation, message verification, trusted APIs
• Compute & Storage (Hardware): massive scale, contractual constraints on storage locations, controlled and secured server images, encryption
• Physical (Facilities): infrastructure security, physical inventory

Exacerbating these problems is the fact that contracts with public cloud providers almost always take the form of non-negotiable service-level agreements (SLAs) that severely limit, at best, the client's ability to see, audit, or control back-end operations in the cloud. A client's ability to do so would create more difficulties than most providers are willing to deal with. The provider may not want to answer questions about its security practices. Cloud SLAs also generally absolve the provider of liability in the event of a security breach. (This is not the case with private and community clouds; more on this later.)

If the transition of federal information assets into the Cloud Computing Environment (CCE) is inevitable, then how can the federal government effectively mitigate the risks inherent in the cloud? First, government organizations must decide whether to move certain assets to the cloud at all. On the face of it, spending $10 a day for cloud infrastructure seems less costly than spending $100 on in-house infrastructure (not to mention capital expenditure; it is less costly to start up a virtual server in a cloud than to set up a physical one). However, thinking only in terms of $10 versus $100 for regular maintenance is dangerous because it ignores other kinds of costs. What will it cost an agency if moving to the cloud compromises its ability to protect sensitive data or meet mission requirements? Agencies need to consider these kinds of costs as they evaluate their information assets for "cloud readiness" on a case-by-case basis. [14]

Once an agency has decided which assets it can safely transition to the cloud, it needs to choose the service model—or relationship between cloud client and provider—that best fits its requirements. The four cloud service models—public, private, community, and hybrid (NIST calls these deployment models, to distinguish them from SaaS, PaaS, and IaaS)—have different sets of costs and benefits (see Figure 3).

The public cloud service model is probably what many people would consider the archetypal model of cloud computing. In the public cloud model, a provider sells cloud services to multiple unrelated clients, or tenants. They leave
back-end maintenance and operations to the cloud provider. This arrangement is very cost-effective and, in theory, lets clients rest easy knowing the security of their information assets is in good hands. However, the fundamental cloud security challenges mentioned earlier are most problematic in this model.

If a federal agency were to entrust its information assets to a cloud provider under the terms of a standard cloud SLA, the agency would have difficulty demonstrating compliance with IA standards mandated by regulations such as FISMA. Most public cloud providers would have to significantly retool their operations to help federal agencies meet their IA obligations. Some providers are attempting to do so (Amazon's "virtual private cloud" is an example [16]), but, for the time being, public clouds are inappropriate for anything but the least critical, lowest-risk federal information assets.

A private cloud can be operated by the same organization that uses it, or a dedicated provider can operate the cloud on the organization's behalf. A private cloud, when managed properly, is the most secure type of cloud service model because it is directly controlled by its client. Private clouds also make more efficient use of physical IT assets than traditional data centers, but lack most of the economic benefits of outsourced cloud service. For organizations with less sensitive assets, putting everything in a private cloud may create unnecessary costs, inefficiencies, and redundancy. Also, if an organization has difficulty securing its information assets in a traditional setup, it is unlikely that transitioning to a private cloud will solve its problems. Such an organization would benefit from having a trusted service provider perform these functions.

A community cloud is somewhere on the continuum between the public and private service models, and it enjoys some of the benefits of both. Like a public cloud, community clouds serve multiple tenants. The difference is that the tenants are not strangers but related entities that share common characteristics and needs. An individual client community member, multiple members working cooperatively, or a dedicated provider can operate a community cloud. Unlike public clouds, community clouds are built and operated on the clients' terms: they can be constructed to facilitate compliance with standards that all clients use. Of all the cloud models, the community cloud is most similar to time-sharing in terms of the level of trust between all stakeholders. This type of cloud also offers many of the economic advantages of the public cloud because it eliminates a considerable amount of redundant effort and cost. Members of the client community can pay the provider for only what they use, or for the utility and subscription cost. The latter would still likely total less than what the client would have paid to operate its own individual data centers.

The last type of service model is a hybrid cloud, which combines two or more of the service models described above. An organization could, for example, keep sensitive proprietary data in its own private cloud and collaborate on projects with industry partners in a community cloud. For users belonging to the organization, these two clouds would, in effect, be seamlessly integrated through a single sign-on system. The problem with hybrid clouds is that they share vulnerabilities in the system's least secure areas and present new vulnerabilities. For instance, if it is easy for a user to switch between clouds on his or her desktop computer, it is also easy for that user to make a mistake and expose sensitive data. In addition, integrated clouds mean integrated complex systems, which by definition are rife with potential security vulnerabilities.

Returning to the central point of this article, a federal community cloud can provide a guaranteed IA baseline for its clients, whether they are departments within an agency or multiple agencies. It can reduce the cost of providing effective security and eliminate significant redundancy. It can also be fully accountable to its clients and their oversight bodies (e.g., the Office of Management and Budget, Congress). The clients and their oversight bodies can have a reasonable level of visibility into, and control over, cloud operations. All primary stakeholders could work together to set policy and address problems. Last but not least, federal community clouds can be used to facilitate intra- and inter-agency cooperation within the framework of the Federal Enterprise Architecture.

Figure 3: Advantages and Disadvantages of Cloud Computing From a Federal Perspective [15]
Pros: reduced costs; more efficient resource sharing; management moves to the cloud provider; consumption-based cost; faster time to roll out new services; dynamic resource availability for crunch periods.
Inhibitors: compliance/regulatory laws that mandate on-site ownership of data; security and privacy; latency and bandwidth guarantees; absence of robust SLAs; uncertainty around interoperability, portability, and lock-in; availability and reliability.

Setting up a community cloud and governance structure that will
adequately satisfy all federal clients will be a challenging endeavor—even if the community is limited to the departments of a single agency. Architecting the technical and governance structure of a (possibly federated) community cloud for multiple agencies is an even more daunting prospect. A series of intra-agency (as opposed to inter-agency) community clouds may be the best possible outcome. Whether it serves only one agency or many, a community cloud is the most secure way for the federal government to realize the potential of cloud computing.

About the Author
Hannah Wald | is an Assurance and Resiliency consultant currently supporting the National Telecommunications and Information Administration at the Department of Commerce. Ms. Wald has contributed to the research conducted for IATAC's State of the Art Report on Supply Chain Security, which is scheduled for release this spring. This article draws heavily on research conducted and materials produced by her colleagues. Ms. Wald has a Master's degree in information science from the School of Information at the University of Michigan.

References
1. http://www.disa.mil/race
2. http://nebula.nasa.gov
3. http://cloud.nbc.gov
4. https://apps.gov/cloud/advantage/main/start_page.do. A link to a cloud service on apps.gov does not mean that the service is "safe" or that its provider has demonstrated compliance with federal security standards.
5. Some large agencies that are not at the Cabinet level, such as the Internal Revenue Service or Social Security Administration, may also benefit from having their own community cloud (admittedly, at that level the distinction between "community" and "private" cloud is not very clear).
6. On that note, some federal government entities—particularly those involved in law enforcement, defense, and intelligence—will need private clouds to protect their classified information assets.
7. Grance, Tim, and Peter Mell. "The NIST Definition of Cloud Computing." National Institute of Standards and Technology, Information Technology Laboratory, 7 October 2009. Accessed 12 January 2010. http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc. Page 1.
8. Ibid.
9. Linthicum, David S. Cloud Computing and SOA Convergence in Your Enterprise. Boston: Pearson Education, Inc., 2010. Pages 25–26. Print.
10. NIST's definition of cloud computing recognizes SaaS, PaaS and IaaS, but not DaaS. However, I have included DaaS because it is a fairly common cloud service offering.
11. Graphic from Hanna, Steve. "Cloud Computing: Finding the Silver Lining." 18 March 2009.
12. For a more in-depth discussion of security and legal issues in cloud computing, refer to guidance from the Cloud Security Alliance at http://www.cloudsecurityalliance.org
13. Graphic from Theodore Winograd, Holly Lynne Schmidt, Kristy Mosteller, and Karen Goertzel, "Public Cloud Computing Environment (CCE) Acquisition: Managing Risks to the Federal Government." Booz Allen Hamilton, 2009.
14. Linthicum 2010, pp. 192–193.
15. Graphic from Stephen T. Whitlock, "Cloud's Illusions: Jericho Forum Future Direction." 16 February 2009.
16. http://aws.amazon.com/vpc

IATAC Spotlight on a University (continued from page 9)

members of the NSRC actively consult with industry and participate as partners on funded research projects. Member companies enjoy benefits for sponsoring research and having access to the latest results and technical reports from the NSRC. Hosted in the Department of Computer Science and Engineering (CSE) at Penn State, the NSRC is comprised of nine faculty members in the College of Engineering, including eight members from CSE and one from Electrical Engineering (EE). Several faculty members also have joint appointments in EE and the College of Information Sciences and Technology. The NSRC includes approximately 50 Doctor of Philosophy (Ph.D.) and Master of Science (M.S.) students, and several undergraduate honors theses are advised through NSRC faculty as well. [2]
• The LIONS Center is the IST Center for Cyber-Security, Information Privacy, and Trust, whose mission is to:
  • Detect and remove threats of information misuse to human society: mitigate risk, reduce uncertainty, and enhance predictability and trust
  • Produce leading scholars in interdisciplinary cyber-security research
  • Become a national leader in information assurance education.
The center currently includes seven core faculty members, 20 collaborating faculty, two research associates, and 19 Ph.D. students. The center has published over 200 publications since 2002 and received over $3 million in research grants.

References
1. http://net1.ist.psu.edu/cica/cia-ist.htm
2. http://nsrc.cse.psu.edu
DISA RACE: Certification and Accreditation for the Cloud
by Munjeet Singh and Troy Giefer

Background
Since the Obama Administration announced plans to use cloud computing to cut infrastructure costs and improve the performance of government computing systems, the Department of Defense (DoD) and other federal agencies have become increasingly interested in how to take full advantage of the potential benefits offered by cloud computing. [1] Few existing cloud providers meet DoD requirements, and the available choices are primarily public clouds. Additionally, there are concerns about government use of public clouds because of the lack of control over, and visibility into, the cloud's underlying security infrastructure, and because of the challenges of complying with DoD and federal information assurance (IA) policy and procedures.

Given the high level of interest in cloud computing, the Defense Information Systems Agency (DISA) recognized the need for a government-managed cloud that could benefit the DoD community. DISA subsequently developed the Rapid Access Computing Environment (RACE), an agile and robust cloud computing environment that allows DoD organizations to provision virtual servers and storage from a Web portal. RACE is a streamlined workflow process designed for use in a virtualized development and test environment. RACE is customized to enable DoD components to rapidly and seamlessly transition from application development to testing and into a full production environment, a process known as the Path-to-Production. Current DoD certification and accreditation (C&A) policy has been adapted to allow organizations to use RACE cloud resources, thereby quickly connecting to the cloud while complying with DoD requirements.

This article describes the goals DISA sought to achieve and the approach it took as it developed the RACE Path-to-Production process. It also highlights many of the key characteristics and capabilities of the DISA RACE cloud.

Goals and Objectives
DISA's primary goals in developing the RACE Path-to-Production were to:
• Develop a streamlined C&A process that would reduce the time and effort required to transition an application from development to test, and ultimately to a production environment (the Path-to-Production process)
• Reduce the current C&A approval time from 120 days to under 40 days
• Develop an enhanced RACE portal that enables customers to purchase and manage virtualized RACE development and test environments and provisioned additional storage.

Approach
Before designing a new streamlined C&A workflow process, it was important to understand the current approval process, identify the key organizations involved in the decision making, and identify the artifacts required by each organization. The approach used in developing the Path-to-Production process was conducted in two phases.

Phase I consisted of data gathering and documentation of the current C&A workflow process. This included identifying all key organizations involved in data collection, document handling and processing, validation, certification, and accreditation of a system. Personnel from each organization involved in the approval process were interviewed to define roles and responsibilities. The responsibilities of each entity were then mapped to a process flow diagram that identified each step in the process. In addition, a complete list of artifacts required by each key organization as input and generated as output was compiled. The end result captured the comprehensive "as-is" DoD Information Assurance Certification and Accreditation Process (DIACAP), together with the DISA-supplemented process steps required to obtain certification.

Phase II consisted of a duplication analysis of the organizational roles and artifacts. The intent of the analysis was two-fold, specifically to: (1) eliminate duplication of effort across the various organizations involved in the C&A
workflow process; and (2) reduce or eliminate duplication of documentation. Eliminating duplication of effort across the organizations involved in the decision making would reduce the time required for a system to reach approval to operate (ATO). In addition, eliminating the duplicate documentation would both reduce the possibility of inconsistencies and eliminate the need for the customer to create multiple documents that contain duplicate information, which would further reduce the time to complete the C&A process.

The analysis of the current processes, responsibilities, and artifacts gave DISA the groundwork for designing a more efficient C&A workflow process (Path-to-Production).

Path-to-Production
DoD organizations use the RACE cloud for application development and testing, and to prepare for deployment into a production environment. Path-to-Production refers to the process that an organization follows to promote the application developed in a virtualized environment from development to test, and from test into a Defense Enterprise Computing Center (DECC) production environment (Figure 1). The Path-to-Production process reduces the total time required to obtain accreditation of an application from an average of 120 days to under 40 days, in part by streamlining approval workflows and leveraging inheritance of IA controls from the RACE cloud and DECC environments.

Figure 1: Path-to-Production. Zones shown: Zone A RACE Compute Cloud (DEV), Zone B RACE Compute Cloud (DEV), and the Virtualized Production Zone; transitions: Environment Promotion to Test and Environment Promotion to Production; all connected over NIPRNet / GIG.

A number of characteristics were incorporated into the RACE Path-to-Production process that were key to streamlining and customizing the current process. DISA focused on the areas that offered the greatest return:
• Define standards and entrance criteria
• Streamline the approval process
• Reduce or eliminate duplication of effort and documentation
• Incorporate inheritance of IA controls as defined by DoDI 8510.01
• Develop hardened virtual operating environments (VOE)
• Implement a RACE portal.

RACE Standards
A key aspect of designing the RACE Path-to-Production process was defining a set of standards that provide the framework of the streamlined process. These standards enable rapid provisioning and promotion within the virtual environments. Examples of RACE standards include:
• The development and test process must be completed in a virtualized environment.
• Customers must start with provisioned VOEs provided by RACE.
• The Enterprise Mission Assurance Support Service (eMASS) application must be used as the C&A automation tool and central repository.
• Customers must adhere to the RACE standard set of ports and protocols while in development, test, and production environments.
• Vulnerability Management System (VMS) must be used to track asset-level vulnerabilities.
• A minimum of an Interim Approval to Test (IATT) is required to move an application into the RACE Testing environment.
• An IATT is valid for 90 days while in the test environment.
• A minimum of an Interim Approval to Operate (IATO) is required to move an application into the DECC production environment.

Recognizing that organizations often have unique needs that may fall outside of the standards established by RACE, DISA developed an exception resolution process to facilitate discussions between a RACE representative and the RACE customer to determine a resolution.

Streamlined Approval Process

Delegation of approval responsibilities to the lowest organizational level possible was key to streamlining the RACE C&A approval process. This approach resulted in a more agile workflow adaptable to the robust environment of the RACE cloud. To facilitate this streamlined approval process, the DISA Chief Information Officer implemented an Information Assurance Manager (IAM) role created specifically to manage activities within the RACE cloud. The RACE IAM's primary role is to provide a final review and approval of the application and virtual environment before it is promoted to the test and production environments. The IAM reviews the RACE customer's documentation to validate the accreditation decision made by the customer's Designated Approval Authority (DAA). In addition, the IAM considers additional RACE application-specific data such as the ports, protocols, and services used by the system or application, and the proposed network topology. The RACE IAM also conducts joint validation activities of the IA controls with the customer early in the process, and establishes the parent/child inheritance relationship, which allows the system to inherit IA controls from the RACE cloud.

This early coordination activity between RACE customers and the RACE IAM supports users as they move through the Path-to-Production process, ensuring that potential challenges are addressed early in the process.

The RACE C&A approval process is a joint effort shared between the RACE IAM and the customer. The customer conducting application development in the RACE cloud has the primary responsibility to oversee the validation, certification, and accreditation of the system or application as it progresses through the Path-to-Production process.

Duplication Analysis

The duplication analysis of the existing C&A approach and workflow process revealed more opportunities to streamline this process. The team identified opportunities to reduce the amount of documentation required for a successful accreditation. At each approval level, organizations had developed unique checklists of requirements and artifacts. This often required the customer to duplicate data in multiple documents. Further analysis revealed that a number of documents could be eliminated because the data was available in other C&A artifacts. Elimination of such duplication significantly reduced the time and effort spent on developing and reviewing C&A artifacts.

DISA implemented a key tool—eMASS—within RACE to manage the C&A workflow and documentation. A government-owned solution, eMASS integrates several capability models to support IA program management needs. It allows an organization to enter system information and to track the progress of information assurance activities (such as validation procedures, compliance status, and attachments) and associated action plans for sharing system security information and compliance status.

Inheritance of IA Controls

Inheritance of IA controls was also key to streamlining the Path-to-Production process. RACE customers can directly inherit IA controls from the RACE cloud and DISA DECC (Figure 2). DoDI 8500.2 defines 32 controls that an automated information system (AIS) may inherit

Figure 2 IA Control Inheritance (diagram: VOE inherits RACE Inherited Controls (Enclave Boundary, Services Controls, Etc.) and DECC Inherited Controls (Physical Security, Environmental, Continuity) from DECC STL)
from the enclave in which it resides. The implementation, validation, and monitoring of these controls are the responsibility of the enclave and not the AIS. RACE customers inherit these controls, as well as the status and artifacts associated with the validation of each control.

This automated inheritance of IA controls is defined within the eMASS application. RACE serves as the parent system for a parent-child inheritance relationship used for all registered systems within eMASS. Every application that a RACE customer registers within eMASS will automatically be set as a child to the parent (i.e., RACE) enclave, establishing inheritance. A pre-determined list of DoDI 8500.2 IA controls is automatically set as inherited from the parent in every child. For example, physical security is the responsibility of the parent enclave, not the responsibility of the child.

Hardened Virtual Operating Environments

Virtual operating environments are provisioned to RACE customers for use in the development and test environments. The VOEs are delivered with a development-friendly Security Technical Implementation Guides (STIG) implementation, streamlining both the development process and the C&A process for RACE customers. RACE offers the available virtual operating environments, as listed in Table 1, which are in compliance with DoDI 8500.2 at the Mission Assurance Category (MAC) II-Sensitive level.

Table 1 RACE Virtual Operating Environments

Operating System        Architecture
Windows Server 2003     32-bit
Windows Server 2003     64-bit
Red Hat 4.6             32-bit
Red Hat 4.6             64-bit
Red Hat 5.1             32-bit
Red Hat 5.1             64-bit

DISA has configured the virtual images to be compliant with a variety of DISA STIGs, to include Windows Server 2003 operating system, UNIX, Internet Information Services (IIS), and database checklists. The DISA team reviewed the recommended security settings from these STIGs to determine which had the potential to restrict application development. The VOEs are provisioned to RACE customers with those particular security settings left in a 'non-compliant' status. This practice allows customers to begin development immediately and provisions a consistent development environment for all customers.

However, these security settings will remain in a 'non-compliant' status only in the RACE development environment. The RACE customer is responsible for properly configuring these security settings to achieve a compliant status before promoting the application to the testing and production environments.

The VOEs are also provisioned with the latest Information Assurance Vulnerability Management (IAVM) patches installed. Once the VOEs have been provisioned, the customer assumes responsibility for keeping the images patched.

RACE Portal

A key component of cloud computing is the ability to provision and maintain environments in a self-service portal. DISA Circuit Switched Data (CSD) has implemented this ability through an enhanced RACE portal that allows RACE customers to take control of their environments with respect to the following functions:
• Ordering development, test, and production virtual environments
• Ordering additional storage for an existing virtual environment
• Promoting the environment from development to test or test to production
• Archiving the environment to tape backup
• Restoring the environment from an archive.

In addition, the RACE portal provides a document library that includes all IA documentation that will be used throughout the Path-to-Production process.

On the Horizon

DISA CSD is continually seeking opportunities to improve the Path-to-Production process to make it even more agile. This includes implementing automation to further reduce the C&A burden on RACE customers, and strengthening the IA posture of VOEs via integration of Host Based Security System (HBSS) into the RACE enclave. For more information, visit http://www.disa.mil/RACE for the latest news.

About the Authors

Munjeet Singh | is an information assurance contractor consulting as the Project Manager and Lead Engineer on cloud focused initiatives in the DoD domain. He is currently involved in deploying cloud and data center optimization initiatives to clients in DISA and across the Army.

Troy Giefer, CISSP, | is an information assurance contractor consulting on cloud computing research and the development of cloud computing security solutions for the DoD marketplace. Troy is a key lead in the effort to customize DIACAP for use in the DISA RACE cloud.
Look Before You Leap: Security Considerations in a Web 2.0 World
by Sara Estes Cohen and Shala Ann Byers

Introduction

In recent years, social media, also known as Web 2.0, has emerged as a popular and powerful technology that enables individuals to collaborate, communicate, and share information from anywhere and at any time. Currently, more than 30% of the world's population visits Facebook.com on a daily basis [1], and approximately 22% use YouTube to watch online videos. [2] First established within the commercial industry, this technology made popular the economically savvy use of low-cost social media technology. The federal government has since followed suit, launching organizations and government agencies into the foray of social media as a way of connecting with the public.

On January 21, 2009, President Obama signed the Memorandum on Transparency and Open Government, encouraging agencies to "establish a system of transparency, public participation, and collaboration." [3] On December 8, 2009, the Director of the Office of Management and Budget (OMB) issued the Open Government Directive, providing guidelines and deadlines for all federal agencies on developing their own 'open government' programs fostering the principles of transparency, participation, and collaboration. [4]

Agencies like the Department of Justice, the Library of Congress, and the Department of State responded by establishing Facebook profiles to communicate with the public. Additionally, the Federal Bureau of Investigation started a Twitter account to send daily news updates to the public. The Centers for Disease Control and Prevention (CDC) posts weekly Hurricane Health and Safety Tips on its Web site and distributes them to registered users via e-mail, mobile phone text messages, and Twitter. [5]

While embracing social media is key to succeeding in a new communications environment, effective strategy, planning, and support before launching a social media program are equally important. The results of an unstructured and disorganized adoption of social media can have serious complications, including data leaks or breaches in security from which it can be difficult—if not impossible—to recover.

To avoid these complications, it is imperative for an organization to identify a 'best-fit' solution based on internal goals, requirements, and challenges, before launching a social media program. Most importantly, organizations must standardize how they implement social media and develop training to educate users. Finally, organizations must institute a mechanism to enforce security compliance to ensure the protection of the information shared within the social media platform.

Framework

There are generally three approaches for implementing social media:
• Internal
• External
• Hybrid.

Each approach differs in location and ownership of underlying infrastructure (e.g., government or privately-owned), audience (employees, the public, or both), and direction of communication (within, outside of, or across the firewall):
• Internal—Technology and infrastructure sit behind a firewall and are owned by the organization. This model consists only of internal communications, information and data exchange, storage, and management (within the organization, not across the firewall) and requires development of organization-specific solutions, tools, and technology.
• External—This approach leverages public social media for specified applications. For example, existing social media sites (e.g., Facebook and Twitter) may be used for constituent relations and outreach. This model requires extensive strategic planning to target the
appropriate user groups with the right information. Additionally, this model must include organization-wide standardization to ensure consistency with respect to messaging (content/brand), security practices, and access to public sites and tools from behind the firewall.
• Hybrid—This model uses internal solutions (behind the firewall), developed by the organization for internal communication and operations, while simultaneously leveraging external, public social media for outreach and general communications. Like the external model, the hybrid also requires standardization to ensure the security of personnel, data, and information.

This article focuses on security considerations and challenges associated with the hybrid model, as it is the most complex of the three types of approaches. Because of its reliance on both internal and external infrastructure, the hybrid model must adhere to both internal and external, organization-specific security, management, legal, and communications policies.

Strategic Planning

To begin, an organization must first identify its goals and objectives for adopting social media. Identifying budget, development time, specific features and functionalities required, and level of intended risk are all factors to consider before implementing a social media strategy; by doing so, organizations can avoid developing an ill-fitting program. The following section outlines and discusses several planning considerations to assist in establishing a 'best-fit' approach.

Audience

Who is your target audience? This question can be answered by first defining the organization's responsibilities. Are you required to communicate with your constituents? Will you need to communicate with your employees during a crisis, or on a daily basis? These answers will help the organization clearly define its purpose for using social media; identify the tools that can accomplish that purpose; and successfully engage its audience using social media. Identifying your audience can also help determine the most appropriate Web 2.0 model and the best tools and technology to use.

Technology and Applications

Organizations can leverage social media for many purposes, including daily operations, outreach and awareness, constituent communications, emergency management, and business continuity, among others. Additional applications may include training, alert and notification, employee accountability, situational awareness, information gathering, and emergency communications. As technology advances and user awareness improves, the potential for using social media will grow accordingly.

Social media is not just about the technology or the tools—it is also about what the technology can help users do. Organizations must leverage social media in a way that resonates best with the targeted community, chosen goals, and objectives.

Additionally, proactively identifying potential applications before choosing and implementing social media tools can help avoid the 'Shiny New Toy' syndrome—investing in a tool that nobody uses because it does not meet organizational needs. A strategic approach will help ensure that the program is functional—for both the audience and organization—while remaining aligned with the desired goals and objectives.

Standardization

Standardization is the most important aspect in adopting social media. Social media standards must be developed in line with both organization-specific and external information technology (IT),
security, communications, operations (management), and contractual/legal policies and requirements. Organizations must establish standards for how they implement their own social media solution; there is no one-size-fits-all solution.

Without some form of centralized guidance, departments might develop policies and processes that are inconsistent across the organization as the popularity and use of social media grows. This situation could result in varying levels of security and inconsistent security procedures. To avoid this, the organization must establish technical requirements and training standards regarding how all departments and components may use internet-based capabilities. Additionally, the organization must establish and disseminate organization-specific policies and procedures regarding technical, legal/contractual, communications, and management concerns. Each department may have additional requirements but, at a minimum, its practices should comply with the organization-wide requirements.

Security Requirements

Security requirements must take into account several factors, such as:
• The purpose the social media is intended to accomplish
• How social media will be used (application)
• What type of information will be exchanged (e.g., classified information, Sensitive But Unclassified [SBU] information, Personally Identifiable Information [PII]) and the associated handling requirements
• How and where data will be stored
• Criteria for accessing information
• How exceptions are managed
• What technical support will be required
• How the factors above will be affected by organization-wide use of social media.

Each of these factors must be taken into consideration to develop suitable and sustainable standards essential for enforcing compliance.

Social Media Guidelines and Governance

Federal policies and guidance governing the use of new and emerging communications technologies, as well as industry best practices for social media, should be carefully evaluated and followed to ensure compliance. If an organization is just beginning its foray into social media, it should consider using Guidelines for Secure Use of Social Media by Federal Departments and Agencies, released by the Federal Chief Information Officers Council in September 2009, as a starting point. [6]

Agencies need not start from scratch, however: the General Services Administration (GSA) has already contacted third-party providers Flickr, YouTube, Vimeo, and blip.tv to develop government-specific terms of service. Additionally, GSA determined that Twitter's standard terms of service are consistent with government use and thus need no additional changes. [7]

Additionally, organizations should consider drafting their own social media engagement guidelines before allowing unfettered access to social media and online communities. A great example is the Air Force's Web Posting Response Assessment Flow Chart V.2., which explains the Air Force's internal policy on blogs and how to handle both positive and negative commentary posted online. [8] Such guidelines not only protect the organization from a legal standpoint; they can also help employees understand the implications of personal use, and how to develop and maintain social media tools in a way that complies with the organization's standards and best practices.

Risk Management

It is no longer feasible to dismiss the use of social media entirely because of its potential risk. Web 2.0 users are tech-savvy and will continue to find new ways to access and use social media despite an organization's best efforts to ban the technology. Instead of banning social media outright, organizations should identify how to use social media safely and securely. As with adopting any new technology, risk assessment is an integral aspect of adopting social media and must be conducted on a regular basis, allowing for adjustments over time to accommodate changes in technology and the threat environment.

The decision to adopt social media should be based on a strong business case that considers an organization's mission, technical capabilities, threats, and the expected benefits of adopting this technology. For example, national security agencies must protect classified data, whereas agencies or organizations that handle PII must protect the privacy of individuals. Consequently, different organizations have different priorities for security and privacy, and must address those priorities accordingly.

Challenges

After identifying a 'best-fit' solution and socializing the standards, the organization must develop an implementation plan and provide the continuous, reliable support needed for maintaining a structurally sound and sustainable program. Throughout the development and implementation of a social media program—whether internal, external, or hybrid—organizations should consider and address the following challenges related to security, technology, and infrastructure.

Information Assurance and Operational Security

A social media strategy must incorporate information assurance and operational security (IA and OPSEC) policies and procedures—as well as an
organization-wide training, education, and awareness package—focusing on IA and OPSEC issues to ensure that the policies and procedures are followed. Otherwise, data leaks and OPSEC violations are more likely to promulgate across all forms of electronic communications, including e-mail, social media, and Web sites. The organization must also address policies and develop compliance measures regarding access control, authentication procedures, account and user management, encryption, content assurance, and general communications security (COMSEC).

The requirement to address IA and OPSEC is nothing new. Concerns about social media are essentially the same as those that arose with the proliferation of the Internet and e-mail. Communications policies and information security procedures that apply to social media are similar to those that have traditionally applied to other forms of communications—whether electronic communications (e.g., e-mail) or more traditional forms of communications (e.g., letter writing or meetings).

Privacy and Confidentiality

Federal departments and agencies are bound by privacy requirements based on the Fair Information Practice Principles (FIPP), which require rigorous controls and procedures to protect the privacy of individuals. PII includes any information that can be directly associated with an individual. Those organizations that collect PII must put policies and procedures in place to handle, store, and dispose of PII securely. Such measures may address terms of use, legal ownership of PII, and the consequences of using or disseminating PII inappropriately.

In addition to addressing privacy policies, organizations must also be aware of threats to privacy and must implement measures to ensure that privacy is maintained. For example, some social media protocols (e.g., certain programming languages, social media etiquette, etc.) may place PII at risk of exposure. Once exposed, PII could place individuals at risk of identity theft and fraud. An organization can reduce this risk by implementing enhanced protection measures for sharing data in interconnected systems, implementing monitoring capabilities and protocols, and educating users on proper social media etiquette ("safe-surfing").

Despite these challenges, agencies and organizations dealing primarily with private, sensitive, or classified information are not necessarily precluded from adopting social media. Rejection of social media also poses risks; organizations that choose not to leverage social media and new technologies may become obsolete over time.

Furthermore, unless an organization bans access to social media completely (which is nearly impossible to do), employees will inevitably use social media from within the organization's network. Those organizations that do not establish policies regarding the use of social media, and do not implement processes to protect their infrastructures from unauthorized use of social media, expose themselves to serious legal and security-related problems. Both their information infrastructures and their reputations can be irreparably damaged.

Technical Support

Although social media may seem to offer a quick and efficient communications solution, it comes with some technical challenges:
• Bandwidth—Social media sites may require more bandwidth than traditional sites. Therefore, organizations may require additional network infrastructure to support wide-scale use of external, resource-intensive Web sites (e.g., YouTube, Facebook, etc.). If the organization is successful in engaging its audience in using social media, user demand will increase dramatically, ultimately increasing demands on network infrastructure. Consequently, the social media functions may compete with the organization's other functions for use of the network, which could impair overall mission capabilities over time. Organizations must plan for and ensure adequate bandwidth is available for widespread Internet use. Most hosting environments can provide additional bandwidth to cover surges in Internet or network activity. Organizations should develop memorandums of understanding (MOU) with their respective hosting companies to ensure sufficient bandwidth is available during surges of activity that may occur due to emergency events, times of heightened network activity, and increasing popularity in social media.
• Malicious Attacks—To one extent or another, all networks are subject to malicious attacks. Use of social media may increase that risk because, as more external Web sites are accessed, malicious actors have more opportunities to access an organization's networks and operational data. Implementing security controls across all Web 2.0 servers and verifying that sufficiently rigorous security controls are in place can reduce the threats to internal networks and operational data. Additionally, separating Web 2.0 servers from other internal servers may further mitigate the threat of unauthorized access to information through social media tools and Web sites.
• Network Monitoring—Foreign intelligence services (FIS) have extensive resources and have repeatedly demonstrated their capability to use automated 'social engineering' techniques to mine social media sites. By their very nature, social media sites have an abundance of information, which makes them susceptible to data
mining. Our adversaries can use this data to analyze aggregated information. Without adequate network monitoring (and user education), an organization cannot ensure that users are complying with its policies regarding the release of high-value information. Additionally, programming languages used in Web 2.0 applications (e.g., Java, Ajax, and the JSON data interchange format) may create other opportunities for malicious actors to access an organization's back-end network infrastructure and do irreparable damage (e.g., access or corrupt data or applications). Consequently, an organization using social media may need to implement increased security controls for any separate sensitive information residing on the server's backend.

Compliance and Enforcement

User education and training have always been crucial in safeguarding networks and data. However, with the advent of social media, training programs must be augmented to address the additional risks posed by social media. As organizations develop and adopt social media, users must understand the severity and nature of potential threats to security associated with its use. Organizations can incorporate social media training into their annual security training programs and address social media tools and sites during existing certification and accreditation procedures, thereby helping to ensure that their security standards are upheld. Additionally, organizations can develop a social media mentoring program, leveraging the skills of those employees with more advanced social media skills to train those for whom this technology is unfamiliar.

Incident Response

Finally, despite best efforts to train users on 'safe-surfing' and develop safeguards for protecting data and information, incidents will inevitably occur. Organizations must plan and develop measures for quickly responding to and recovering from data spills, misinformation and rumors, and malicious attacks. An important aspect of handling social media is anticipating such incidents, then developing and implementing a plan for managing and responding to them. Such planning will help ensure that social media becomes an integral part in an organization's communications toolbox.

Conclusion

Trends in communications and technology are increasingly dynamic and fast-paced. To keep up, organizations in both the public and private sectors must readily adapt by developing social media capabilities of their own. Although embracing social media is imperative to succeeding in a new communications environment, doing so without adequate planning can do more harm than good.

Social media is not a one-size-fits-all solution. Each Web 2.0 tool has its own purpose, audience, and challenges that must be considered carefully. As with any tool, a Web 2.0 tool must be chosen, not based on popularity, but on how effectively it meets the organization's needs and selection criteria.

Finally, an organization's social media program must align with its goals, objectives, budget, desired features and applications, internal and external security, IT, legal, and communications policies and requirements. Once implemented, the program must be standardized across the organization through socialization, education, and consistent training. Compliance with these standards must be upheld through consistent enforcement; proactive engagement is crucial to the security of an organization's networks, infrastructure, information, audience, and reputation. With well-thought-out strategy, planning, policies, procedures, and technical support, organizations may successfully and securely leverage social media.

Thank you to DeZario Morales, Akira Ikuma, Matthew Doan, and Mark Macala for their contributions to this article.

About the Authors

Sara Estes Cohen | has ten years of experience in communications and three years specifically focused in emergency response, continuity of operations, business continuity, and critical infrastructure protection. For her masters thesis, "Using Social Networking for University Emergency Communications," Ms. Cohen worked with the University of California, Los Angeles (UCLA) to develop a model for universities to engage in social media for emergency communications. Ms. Cohen has spoken at several conferences and recently chaired the Advanced Learning Institute (ALI) Social Media for Crisis Communications in Government conference in November of 2009.

Shala Ann Byers | has worked for two and a half years as an emergency communications and all-source analyst. She has spent the past year developing a social media reverse mentoring program linking junior staff with senior leadership to facilitate technology and social media learning. Ms. Byers holds a Bachelor's degree from Dartmouth College in Government with a specialty in International Relations.

References
1. http://www.alexa.com/siteinfo/facebook.com
2. http://www.alexa.com/siteinfo/youtube.com
3. http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment
4. http://www.openthegovernment.org/otg/OGD.pdf
5. www.bt.cdc.gov/disasters/hurricanes
6. http://www.cio.gov/Documents/Guidelines_for_Secure_Use_Social_Media_v01-0.pdf
7. http://www.fcw.com/Articles/2009/03/25/web-GSA-agreement.aspx
8. http://www.wired.com/dangerroom/2009/01/usaf-blog-respo
Insider Threat Center at CERT Grows Solutions from Reality-Based Research

by Dawn Cappelli and Andrew P. Moore

Many organizations have suffered significant losses from insiders with authorized access to protected information assets. Insiders’ crimes include theft, sabotage, fraud, and espionage. The Computer Emergency Response Team (CERT), part of the Software Engineering Institute (SEI) at Carnegie Mellon University, began researching this problem in 2001. It has compiled a growing database of more than 300 criminal cases in which current or former employees, contractors, or business partners abused the trust and access associated with their positions. As part of its research, CERT interviewed many of the victim organizations and some perpetrators themselves, complementing a wealth of case data with first-hand insights into the methods and motivations behind these crimes.

This work laid the foundation for the Management and Education of the Risk of Insider Threats (MERIT) project. Under MERIT, CERT researchers collaborated with noted psychologists, the United States Secret Service, the Federal Bureau of Investigation, and the Department of Defense to uncover key technical, social, and organizational patterns of insider behavior. Building on this work, CERT researchers are constructing models of the four main classes of insider crimes: IT sabotage, theft of intellectual property, espionage, and fraud. These models, created using system dynamics techniques, suggest both the evolution of the threat over time and possible mitigation strategies.

Armed with these new insights, the Insider Threat Center at CERT has begun educating organizations on how to detect and manage the problem. It offers its Insider Threat Workshop several times throughout the year. Geared to managers and executives, the two-day workshop addresses technology, organizational culture, policy, procedure, and behavioral issues that influence insider threat. The workshops stress the need to foster cooperation among management, information security, human resources, and IT groups to effectively fight the problem.

CERT has also launched its Insider Threat Vulnerability Assessment program. Spurred by numerous requests from industry and government, these assessments enable organizations to get a better grasp on this complex problem. A CERT project team performs the three-day, on-site assessment, conducting interviews with key organizational personnel. The assessment team explores the organization’s technical controls, policies, and [technical and behavioral] practices and then produces a confidential report presenting findings and potential mitigation strategies. The goal is to create a single, actionable framework that engages all stakeholders in the fight against insider threat.

The insider threat team is very excited about the impact it has had on government and industry organizations and their ability to mitigate the risk of insider threat. The workshops and assessments completed to date have proven to be effective tools in raising awareness of the causes, potential indicators, and prevention and detection strategies. CERT now focuses on technical solutions that will enable organizations to use people and technology more effectively.

For more information, please visit http://www.cert.org/insider_threat/.

About the Authors

Dawn Cappelli | is technical manager of the Threat and Incident Management Group at CERT. She has over 25 years of experience in software engineering, programming, technical project management, information security, and research. She is technical lead of CERT’s insider threat research, including the Insider Threat Study conducted jointly by the U.S. Secret Service and CERT.

Andrew P. Moore | is a senior member of the CERT technical staff at the Software Engineering Institute. Moore explores ways to improve the security, survivability, and resiliency of enterprise systems through insider threat and defense modeling, incident processing and analysis, and architecture engineering and analysis. Before joining the SEI in 2000, he worked for the Naval Research Laboratory.
Wikis Within the DoD

by Tzeyoung Max Wu

Wikis within DoD

Web 2.0. Social media is all the hype these days. October 2008 saw the launch of DoDTechipedia, one of the Department of Defense’s (DoD) ventures into wikis. Currently, media buzz surrounds the secretive and ambitious A-Space social portal within the Intelligence community. In 2009, the Centers for Disease Control and Prevention (CDC) used social media tools to increase awareness of emerging data about the H1N1 virus. Information was disseminated across YouTube, Facebook and Twitter, where data was quickly assimilated by millions and helped promote health awareness across the public. From proprietary corporate wiki pages to open video blogging forums, we have seen an explosion of all types of social media implementation and usage across sectors both public and private.

Take the case of NASAsphere, a pilot social media study where a social media portal was implemented to test its value to NASA’s Jet Propulsion Laboratory (JPL). Within months, the study concluded that participants were sharing information in ways that would not have happened without the tool. Rather than emailing known coworkers for information, NASAsphere users were encouraged to post inquiries for information on the portal. Almost all informational responses to such queries came from users at different NASA centers. [1] By the end of the study, researchers concluded that the portal created a better sense of unity and belonging in NASA participants, despite being separated both physically and organizationally. The site allowed users to openly communicate on a level playing field, removing barriers such as job status and organizational departments. [2]

Wikis

As one popular form of social media, wikis entered mainstream vocabulary with the launch of Wikipedia in 2001. Although the concept of a community-driven encyclopedia had surfaced from time to time for decades, the advent of the Internet finally made it feasible for millions of individual users to freely add and edit content in an open repository of topical articles. By 2008, Wikipedia housed more than 10 million articles, and in 2005, this encyclopedia was pronounced as accurate as the popular Encyclopedia Britannica. [3] Attempting to reap the benefits of seamless community-driven information sharing, corporations and public agencies have since implemented their own proprietary wiki solutions. When wiki solutions work, they provide an enormous amount of value.

Intellipedia, another solution within the government, is a poster child of wiki success, with core officers earning Homeland Security Awards in 2009. [4] The Intelligence community produces 50,000 reports annually; a majority of them go unread. [5] Amidst data overload, Intellipedia was conceived to promote real-time information sharing internally across the community. It now boasts nearly one million pages and 100,000 users with over 10,000 edits daily. In 2008, following the terrorist bombing of hotels in Mumbai, intelligence analysts convened on a page, created on Intellipedia, to share emerging information and brainstorm ideas. The page received 7,000 views within three days and was integral in the community’s analysis of the attack. [6]

DoDTechipedia, itself a relatively new internal wiki solution run by the Defense Technical Information Center (DTIC), shows much potential for bridging informational silos within DoD. The wiki solution won the 2009 Government Computer News (GCN) Award for agencies. GCN, a news site serving the government market, describes DoDTechipedia as more than a wiki, but rather an entire suite of services spurring collaboration.

Focused DoD Wikis

A set of one or more targeted wiki sites, each effectively addressing the needs of the respective community, can facilitate communication and promote collaboration. Note, ‘targeted’ is a must for a wiki site. Too broad a scope risks dilution, since at a certain point there is a threshold for the amount of content that must be collected before the site appears informationally substantial to any specific target community. This is especially true within DoD, where program managers may be more secretive about their research. Thus, the more categories there are, the more content that must be generated to convince communities of its utility. The key is to focus. Of the handful of success factors mentioned by Larry Sanger, one of the founders of Wikipedia, the contribution of a small core group of good people during the early days was key. [7]

A precisely defined target market segment for any DoD wiki site allows for better and speedier marketing to defined communities. With a specified community in mind, the site can be fine-tuned, tailoring everything from look and feel, navigation, editing protocols, registration processes and site promotion to better match the community’s needs. For at its core, social media sites, including wikis, have historically been grassroots efforts growing from the bottom up in an organizational hierarchy, with roots deeply tied to their respective user groups. Grassroots efforts survive and mature because they address unmet, recognized needs that differ between organizations. As such, participation and content management must remain in the hands of the general contributors so that they are empowered to innovate and run with fresh ideas.

As a grassroots-style site, a wiki needs to become a natural part of the fabric of the community’s culture. One of the reasons that Intellipedia worked well was because the custom of social networking, information inquiry and response, and information analysis had already been deeply ingrained into the Intelligence community culture. Part of the challenge for social media sites in DoD will be overcoming a more conservative culture, where informational secrecy has generally been critical to military success and where the sheer size of the organization has necessitated a level of bureaucracy. A successful wiki implementation has to come hand-in-hand with transforming this culture.

Facing a similar challenge within the private sector, a human resources firm in Europe devised a comprehensive strategy to build momentum for its internal site. This strategy included employee training, proactive wiki gardening, appointing wiki evangelists and mandating that meetings be recorded and tracked using wiki pages. The latter helped instill into the portal the daily activities of individuals in the firm. [8]

Of course, success cannot happen as a solitary effort. Wikipedia’s own success would not have been achievable without the rising popularity of Google’s oft-storied search engine. As Google’s crawlers started indexing Wikipedia pages, general topical searches on the engine started to return Wikipedia results. Featuring easy use, open editing, and proven return for efforts, usage of the encyclopedia skyrocketed. Wiki implementations within DoD should be promoted along with complementary solutions and efforts within the organization.

In the end, any wiki implementation must be accompanied with patience and persistence. Intellipedia, itself already springing from an organizational culture deliberately conducive to information gathering, is touted as a success today, but was launched in 2005. The broader the scope of the target communities in the site, the more content that must be generated to reach maturity. Wikipedia, with incredible scope, took many years to garner support from millions of contributors throughout the world. DoD itself has a deeply ingrained conservative culture, with a population of subject matter experts many times smaller. Before the different DoD communities can fully embrace and use wiki sites to their full potential, a degree of culture change will have to occur.

One tactic for effective wiki implementation could be to forward social media pilots such as NASAsphere. Pilots can be run for short time periods to measure the site’s applicability to the respective needs in the community. Shorter pilots building towards more long-term solutions could be much more cost-effective than a series of failed large-scale efforts.

Of course, information security will remain a key concern, especially with national security at risk. Throughout 2009, DoD wrestled with a balanced social media policy that would allow it to reap benefits, but at an appropriate risk level. There were special concerns about soldiers and other interested parties leaking sensitive operational information on media sites. The US Marine Corps dealt with the security issue by prohibiting all social media use. However, such a policy entirely abdicates the real value that social media can produce. To not fully leverage innovations in technology and media risks DoD falling behind other agencies in the world. In a recent blog post, even Rob Carey, US Navy Chief Information Officer (CIO), said that social media is a resource that DoD should well use to facilitate trust and collaboration. [9] “These tools are fundamental to collaboration. They have the potential to leverage the collective wisdom of this 750,000+ member Department,” said Carey.

Security risks are real, but can be strategically mitigated to a certain degree via a smart architecture and set of policies. One interesting solution described on the Armed Forces Communications and Electronics Association (AFCEA) Web site proposes setting up dedicated Internet services for all staff. [10] Internet services centralized in this way allow administrators and automated tools to better scan information posted to the Internet and catch security data leaks more effectively. This could be a broader social computing solution for computer use on the global information grid (GIG) in general, where bare-boned computer terminals plug onto resources served and managed on the GIG, providing a set of virtual desktops to users wherever they can plug into the GIG.

Any technical solution must be coupled with DoD guiding policies as well as real culture change. In September 2009, the Federal CIO Council issued official guidelines for Secure Use of Social Media by Federal Departments and Agencies. [11] The very first risk mitigation step suggested was the need for a government-wide policy for social media that would address policy controls, acquisition controls, training controls, and host and network controls. The guidelines define four types of information traffic that must be managed: inward sharing, outward sharing, inbound sharing, and outbound sharing. Each of these four types of information flow comes with unique risks and mitigation approaches. From a cultural perspective, DoD users should be trained with a practical sense of caution when utilizing social media systems.

Wikis within DoD will require a fair amount of monitoring, both from a content perspective as well as in network security and information assurance. A cultural shift toward data sharing and collaboration should also be tempered with an appropriate culture of caution and sensibility within the user community. This is quite achievable, of course, and will be important in the ongoing evolution of DoD to accomplish its missions in the hastening change of technology. Collaboration will accelerate the pace of innovative problem resolution within DoD.

About the Author

Tzeyoung Max Wu | was a DoDTechipedia content manager, creating and editing material in IA, information warfare, and networking technology areas. His experiences in information technology security have included: administering and configuring servers and network devices within organizations; designing secure architecture for enterprise systems; and configuring access control lists, profiles, and border controls for network applications. Mr. Wu received his Bachelor’s degree in computer science from New York University, holds an MBA from the University of Chicago Booth School of Business, and earned a Master’s degree in IT from Virginia Tech.

References

1. Jackson, Joab. NASA program proves the benefits of social networking. Government Computer News. 2009. http://www.gcn.com/Articles/2009/11/30/A-Space-side-NASA-social-networking.aspx (accessed 01/02/2010).
2. Merryman, Celeste. Findings from the NASAsphere Pilot. Jet Propulsion Laboratory, California Institute of Technology Knowledge Architecture and Technology Task. (Pilot team: Merryman, Celeste; Hughes, Douglas). California Institute of Technology. 2008. http://www.scribd.com/doc/12759868/NASAsphere-Pilot-Report-2008-Public (accessed 01/02/2010).
3. Terdiman, Daniel. Wikipedia hits 10 million total articles. CNET. 2008. http://news.cnet.com/8301-13772_3-9905726-52.html (accessed 01/02/2010).
4. Intellipedia Gurus Win 2009 Homeland Security Medal. CIA website. https://www.cia.gov/news-information/featured-story-archive/intellipedia-homeland-security-medal.html (accessed 01/02/2010).
5. Thompson, Clive. Open-Source Spying. The New York Times. 2006. http://www.nytimes.com/2006/12/03/magazine/03intelligence.html (accessed 01/02/2010).
6. Intellipedia Gurus Win 2009 Homeland Security Medal. CIA website. https://www.cia.gov/news-information/featured-story-archive/intellipedia-homeland-security-medal.html (accessed 01/02/2010).
7. The Early History of Nupedia and Wikipedia, Part II. Slashdot. http://features.slashdot.org/article.pl?sid=05/04/19/1746205 (accessed 01/02/2010).
8. Roberts, Bill. How to Marshal wikis: some human resource professionals are using wikis to communicate, collaborate. HR Magazine. 2008. http://findarticles.com/p/articles/mi_m3495/is_12_53/ai_n31159337/pg_2/?tag=content;col1 (accessed 01/02/2010).
9. Carey, Rob. Embracing Social Networking Tools. Department of the Navy CIO. 2010. http://www.doncio.navy.mil/Blog.aspx?ID=891 (accessed 2/3/2010).
10. Strassman, Paul A. Social (Network) Security. Signal Online. 2010. http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=2163&zoneid=284 (accessed 2/1/2010).
11. Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0. http://www.doncio.navy.mil/Download.aspx?AttachID=1105 (accessed 2/3/2010).
IATAC Spotlight on a Conference

Penn State Industry Day Conference

by Rich Coulter

The Networking and Security Research Center (NSRC) at the Pennsylvania State University held its annual Industry Day from 13 to 14 October 2009 at the University Park campus in State College, Pennsylvania. The NSRC provides a research and education community at Penn State for professors, students, and industry collaborators interested in networking and security. Industry Day is an opportunity for partners and other interested industry members to learn about research over the past year and ongoing developments.

Dr. Frank Siebenlist and Robin Burk delivered keynote addresses. Dr. Siebenlist is a senior security architect at the Mathematics and Computer Science Division at the Department of Energy Argonne National Laboratory and a Fellow at the Computation Institute of the University of Chicago. Ms. Burk currently manages the basic research thrust in cognitive, information, and network science for the Defense Threat Reduction Agency.

Dr. Tom La Porta, NSRC Director, noted that two NSRC faculty members received National Science Foundation (NSF) Presidential Early Career Awards for Scientists and Engineers in 2009. Only 25 of these prestigious awards are presented each year, so it was a truly unique event for two faculty from the same university to receive them. Dr. Adam Smith was recognized for his work in data access and privacy, and Dr. Sean Hallgren was awarded for developments in quantum computation.

Dr. Patrick McDaniel, co-director of the Systems and Internet Infrastructure Security (SIIS) laboratory, presented analysis of several networked devices intended to monitor and control electrical power usage for a “smart grid.” The SIIS lab discovered vulnerabilities that could be exploited to overload generation plants, deny power to critical customers, or obfuscate power usage. Dr. McDaniel is also exploring attack causality in Internet-connected cellular networks with the goal to understand and protect against evolving threats in cellular phone systems. Other ongoing projects in the SIIS lab include Telecommunications Security; Voting Systems Integrity; and security of systems, virtual machines (VM), and storage.

Each graduate student in the NSRC also presented posters summarizing their research. Their research focused on networking (security, fault isolation, coding, efficiency, encryption), mobile devices (device security, network threats), and systems (VM security policy, software theft detection).

Other affiliated Penn State resources for industry were highlighted. The Applied Research Laboratory (ARL) is a DoD-designated U.S. Navy University Affiliated Research Center that maintains a long-term strategic relationship with the Navy and supports the other services as well as industry. ARL also provides facilities for conducting classified work in conjunction with the NSRC. The Industrial Research Office (IRO) focuses on uncovering researchers in all Penn State colleges and departments to meet industry needs. IRO facilitates industry partnerships with the NSRC and other research centers at Penn State.

Briefings can be found at http://nsrc.cse.psu.edu/id09.html. More information on ARL and the IRO can be found at http://www.arl.psu.edu/ and http://www.research.psu.edu/iro/index.asp, respectively.

About the Author

Richard Coulter | currently provides remote systems engineering and project management support on various projects, and works to establish relationships between IATAC and Penn State, especially in support of the Administration’s Cybersecurity Initiative. Previously, Mr. Coulter performed hardware and embedded design, reverse engineering, and data analysis in support of law enforcement forensic and operational missions, where he served as deputy program manager. Mr. Coulter received a Bachelor’s degree in electrical engineering from the Pennsylvania State University.
    • Vulnerability AssessmentProcesses Within DoDThe Problem vulnerabilities within established efforts to meet compliance goals andP rotecting critical infrastructure and the Global Information Gridcontinues to be a valuable, yet time- configurations, is accomplished by performing vulnerability assessments. Vulnerability assessment processes secure the infrastructure exceptionally difficult, because no standardization exists across the entire enterprise. Thisconsuming and expensive effort within in many organizations are ad-hoc, problem is compounded by employee orthe Department of Defense (DoD). non-standardized, and incomplete. contractor turnover, the volatility inInitiatives and compliance They rely on commercially developed technical or mobile environments, andrequirements including Federal tools as well as DoD-provided tools and the various skill levels of personnelInformation Security Management Act, in-house solutions to determine patch working to manage the infrastructure. Itthe Federal Desktop Core Configuration, levels, user settings, open ports, is also exaggerated by the fact thatComputer Network Defense Service operating system configurations, and vulnerability assessments andProvider compliance efforts, mandates other system (mis)configurations. compliance scans play such a big role infrom the Joint Task Force – Global Unfortunately, no one vulnerability major DoD programs and mandates thatNetwork Operations (JTF-GNO) and the assessment solution is comprehensive include the information assuranceDefense Information Systems Agency enough to cover all niches and corners vulnerability management process,(DISA), and general due diligence to of the DoD infrastructure. Because of certification and accreditation,protect the technology and data that this problem, technologists and computer network defense,keeps the U.S. 
military operational are oversight organizations are required to information operations condition,iterative, redundant, and in many cases, use multiple vulnerability assessment and JTF-GNO mandates.based on manual processes. tools to help ensure that all bases are Configuration management, patch covered. Some assessment tools are Recommended Solutionsmanagement, and vulnerability and risk proficient at scanning Microsoft The first place to begin addressingmanagement are all predicated upon Windows; some are good for UNIX- compliance and configurationprocesses that are cyclical and typically based operating systems; some excel in management issues is to have aninvolve hands-on efforts by system or evaluating Web applications; and others overarching configuration managementnetwork administrators. They may also do device discovery very well. The shape plan. It is crucial to have a healthy cross-require compliance reviews from and composition of the environment section of the technologists within theinformation assurance divisions, testing often dictates what tools need to be used organization designated as members offrom vendors and system managers, to manage compliance and ensure a configuration control board (CCB) thatapproval from configuration control secure configuration whenever possible. is strictly governed by documentedboards, and ultimate acceptance from Having to rely on multiple configuration management processesthe Designated Accrediting Authority for vulnerability assessment solutions and procedures. As part of thatthe organization, system, or enclave. In means that technologists and oversight configuration management plan,many cases, the process of assessing personnel are reduced to seeing however, there also need to be specificcompliance and validating appropriate vulnerability and configuration data in guidelines and instructions on how toconfiguration, and more importantly, many disparate, non-standard views. 
perform vulnerability assessmentsidentifying weaknesses and This can make managing and tracking within the organization to ensure30 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
    • appropriate configuration and validate impact operations of the network or assessment—the system manager,the mandates of the DoD as interpreted enclave and ultimately thwart the program manager, networkand implemented by the CCB. This mission of the organization. monitors, and even users.vulnerability assessment process should ff Specific attributes and definition ff Process for consolidating,be created and maintained by the of each tool—Each approved tool distributing, and storingpersonnel responsible for has information that needs to be assessment results—The point of aimplementation of the technology as maintained and remains relevant vulnerability assessment manual iswell as those areas of the organization for the life of the tool. Support to standardize processes and makethat are responsible for oversight and information, update processes, them repeatable. As such, this iscompliance reporting. The primary goal training materials, known issues also a very important part of theof the plan should be to standardize the with the tool, the types of targets process. The plan should outlineprocess, make it repeatable, and the tool is capable of assessing— acceptable formats for vulnerabilityenforce it for all vulnerability these are the kinds of things that assessment results. If results fromassessment activities. need to be recorded and kept up to disparate tools are aggregated or A vulnerability assessment manual date to ensure that anyone required consolidated in any way, thefor an organization should address and to perform a vulnerability process used to do that should bedefine procedures for several key assessment has the appropriate outlined. Where and how thecomponents of the vulnerability information to do so effectively. vulnerability and configurationassessment process. These areas include: ff Process for coordinating and information is stored should alsoff Approved vulnerability assessment approving vulnerability be specifically outlined. 
Emerging tools list—It is important to ensure assessments—Sufficiently defining technology has been developed to that senior management (the chief this step is one of the most facilitate this process and help information officer [CIO] or chief important goals of any bridge the reporting gap information security officer [CISO]) vulnerability assessment manual. A between separate vulnerability acknowledges what tools are standardized test matrix should be assessment tools. permitted to be used within the developed and used to define and ff Troubleshooting vulnerability network or enclave. To this end, a coordinate any vulnerability assessments and the correlation to formal memo drafted by the CIO/ assessment activities. The test incident response— CISO should specifically designate matrix should include information Troubleshooting vulnerability vulnerability assessment tools that such as the targets, tools to be used, assessment tools are also are approved for use and prohibit ports to be scanned, scan policy to paramount to standardization. If the use of any tools not explicitly be used, scan throttling tools are not used or are not allowed. This will help ensure that information, points of contact, and functioning correctly, results can untested, unknown vulnerability date and time of the scan. The test be skewed and the configuration assessment tools do not adversely matrix should be used to and security posture of the targets coordinate with components that scanned may not be accurate. It is may be impacted by the also important to remember IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 31
(especially for legacy systems), that there is potential to bring down production systems if they are targeted intentionally or unintentionally. The vulnerability assessment process should identify incident response procedures in the event that an assessment causes an outage or adverse reactions by the targets being scanned.

Incorporating these types of guidelines and parameters into a vulnerability assessment plan is vital. Without standardization and appropriate training to perform vulnerability assessments, it is easy to have vulnerabilities or misconfiguration missed—ultimately resulting in a false sense of security for the organization and greater risk to the mission and the DoD.

Also, don’t be afraid to leverage virtualization. Virtualization can be a great tool in the vulnerability assessment space—especially in environments with legacy systems and antiquated technology. Using virtualization to take an exact copy of a production server or application allows for extensive vulnerability assessment that may otherwise not be possible.

Options

Establishing (and following) a vulnerability assessment manual as part of a bigger configuration management plan is not difficult, and it is not exceptionally time consuming. In fact, implementing a standard approach to vulnerability assessment activities can ultimately save a lot of time and effort by streamlining the process and making sure that all relevant vulnerability assessment information can be found in one easy-to-use location.

However, if vulnerability assessments are conducted at recommended (not just required) intervals, agencies within the DoD may find that adhering to rigorous vulnerability assessment processes can be expensive and time consuming—especially in larger, more distributed environments. It is for this reason that many organizations merely do what is specifically required by JTF-GNO or DISA or any other oversight organization with the ability to push down DoD requirements.

Performing the scans is not generally the difficult or time-consuming part of the process; it is interpreting, processing, and putting to work the volumes of information that the vulnerability assessment tools return—especially given the points discussed above. Using only one or two vulnerability assessment solutions for most organizations is insufficient, especially within the DoD. So consolidating, aggregating, and presenting the results of disparate vulnerability assessment scans is generally the most resource-intensive part of the process.

Organizations have two options. The first is to rely on the native outputs of the various vulnerability tools themselves. This could be flat text files, XML files, HTML files, PDFs, or Microsoft Word documents. For some tools, it could even mean having to rely on the console of the vulnerability assessment tool itself instead of a report. In this scenario, presenting findings in terms of high, medium, and low risk is disjointed and subject to error. It also makes remediation efforts difficult for system and network administrators because they have to rely on so many different forms of information from the various assessment tools that do not look similar and do not always present the most useful information.

The second option includes processes of trying to manually consolidate the data to put it into a more meaningful/useful format that facilitates the efforts of administrators and makes tracking progress a bit easier. The problem with this scenario is that it is full of manual copying and pasting, parsing, or scripting that is not vetted or standardized, and it remains exceptionally time consuming.

Great strides have been made to facilitate resolution to this problem. New, emerging technologies attack this problem head-on by providing the capability to consolidate, aggregate, and re-present vulnerability information in a truly meaningful fashion. The process of consolidating vulnerability data for system administrators no longer takes days and hours; with the right solution, it can take only minutes.

Conclusion

One of the most important pieces of the configuration management process is inspection and validation through vulnerability and configuration assessments. These processes can be time consuming; however, their value is obvious, and they also play fundamental roles in other major programs and initiatives implemented by the DoD. It is critical to have standardized processes when it comes to vulnerability assessments because when ad-hoc processes fail, and they do too often, it is difficult to trust the outcome of those assessments, and making decisions based upon misinformation can be devastating.

Armed with a thorough and well-implemented vulnerability assessment plan and with new technology that allows system and network administrators to focus more on resolving vulnerabilities and misconfiguration and less on combing through volumes of data for useful information, maintaining compliance with fewer resources becomes reality.

About the Author

Chris Merritt | is the president and CEO of Prolific Solutions, LLC (www.prolific-solutions.net) and has been consulting for the DoD for over seven years. He is the author of proVM Auditor (www.provmauditor.com), a vulnerability assessment aggregation and compilation tool, and holds a number of information security certifications, including CISSP and CISA. He earned his Master’s degree in information assurance from Norwich University in 2007.

32 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
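One way to do the consolidation the article describes, as an added example that is not the article's own code or the proVM Auditor tool: two constructed scanner reports in different formats (an XML file and a flat CSV, both invented here, as are the scanner names, hosts and check identifiers) are normalized to one high/medium/low scale and merged so that the same weakness reported by two tools becomes a single work item for the administrator.

```python
"""Consolidate findings from two differently formatted scanner reports.

Added example; it is not code from the article or from proVM Auditor.
The two report formats, the scanner names, hosts and check identifiers
below are constructed for illustration only.
"""
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: scanner A emits XML with numeric severities 0-4.
SCANNER_A_XML = """<?xml version="1.0"?>
<report scanner="scanner-a">
  <host ip="10.0.0.5">
    <finding id="A-1001" severity="4" title="Outdated database listener"/>
    <finding id="A-2002" severity="2" title="Weak file permissions on config"/>
  </host>
  <host ip="10.0.0.6">
    <finding id="A-1001" severity="4" title="Outdated database listener"/>
  </host>
</report>
"""

# Constructed sample: scanner B emits a flat CSV with word severities.
SCANNER_B_CSV = """host,check,risk,summary
10.0.0.5,B-77,Critical,Outdated database listener
10.0.0.5,B-78,Info,Banner disclosure
10.0.0.7,B-79,Medium,Default account enabled
"""

# Each tool's own scale mapped onto a single high/medium/low scale.
SEVERITY_A = {"4": "high", "3": "high", "2": "medium", "1": "low", "0": "low"}
SEVERITY_B = {"critical": "high", "high": "high", "medium": "medium",
              "low": "low", "info": "low"}
RANK = {"high": 3, "medium": 2, "low": 1}


def parse_scanner_a(xml_text):
    """Normalize scanner A's XML report into plain finding dicts."""
    root = ET.fromstring(xml_text)
    scanner = root.get("scanner")
    for host in root.findall("host"):
        for f in host.findall("finding"):
            yield {"host": host.get("ip"), "scanner": scanner,
                   "id": f.get("id"), "severity": SEVERITY_A[f.get("severity")],
                   "title": f.get("title")}


def parse_scanner_b(csv_text):
    """Normalize scanner B's CSV report into the same finding dicts."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield {"host": row["host"], "scanner": "scanner-b", "id": row["check"],
               "severity": SEVERITY_B[row["risk"].lower()],
               "title": row["summary"]}


def consolidate(findings):
    """Merge findings that describe the same issue on the same host.

    Two tools reporting one weakness collapse into a single entry that keeps
    the higher of the two ratings and records both source identifiers, so an
    administrator sees one work item instead of two differently worded ones.
    """
    merged = {}
    for f in findings:
        key = (f["host"], f["title"].strip().lower())
        entry = merged.setdefault(key, {"host": f["host"], "title": f["title"],
                                        "severity": f["severity"], "sources": []})
        entry["sources"].append(f"{f['scanner']}:{f['id']}")
        if RANK[f["severity"]] > RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    return sorted(merged.values(),
                  key=lambda e: (-RANK[e["severity"]], e["host"], e["title"]))


def summarize_by_host(consolidated):
    """Per-host counts of high/medium/low findings for a triage overview."""
    counts = {}
    for e in consolidated:
        counts.setdefault(e["host"], Counter())[e["severity"]] += 1
    return {host: dict(c) for host, c in counts.items()}


def build_report():
    """Parse both constructed reports and return (entries, per-host summary)."""
    findings = list(parse_scanner_a(SCANNER_A_XML))
    findings += list(parse_scanner_b(SCANNER_B_CSV))
    consolidated = consolidate(findings)
    return consolidated, summarize_by_host(consolidated)


if __name__ == "__main__":
    entries, summary = build_report()
    for e in entries:
        print(f"{e['severity']:<6} {e['host']:<10} {e['title']}"
              f" <- {', '.join(e['sources'])}")
    print(summary)
```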
SUBJECT MATTER EXPERT
Dr. Peng Liu
by Angela Orebaugh

This article continues our profile series of members of the Information Assurance Technology Analysis Center (IATAC) Subject Matter Expert (SME) program. The SME profiled in this article is Dr. Peng Liu from Pennsylvania State University.

Dr. Peng Liu is an Associate Professor in the College of Information Sciences and Technology (IST). He is also a member of the graduate faculty for the Department of Computer Science and Engineering and affiliate associate professor for the Department of Supply Chain and Information Systems (SC&IS) in the Smeal College of Business. In addition, Dr. Liu is the Director of the Cyber Security Lab and Director of the LIONS Center. His research interests include survivable systems, systems security, information security, network security, privacy, identity theft, cyber infrastructures, and electronic health. [1]

Dr. Liu won a $6.25M grant from the Army Research Office in July 2009 to study cyber situation awareness (CSA). He and his team received a Multidisciplinary University Research Initiative Award (MURI) for his project, “Computer-aided Human‑centric Cyber Situation Awareness.” They plan to use the grant funding to further the research on cyber awareness and how it can be used to improve cyber defense. Research goals include developing tools that will help bridge the gap between analysts’ capabilities and existing CSA software and hardware. The objective of this effort is to develop an integrated end-to-end (spanning the whole ‘life cycle’) CSA solution to fill the gap between machine information processing and analysts’ mental processes. The scope of this effort is to develop new capabilities for computer-aided human-centric CSA. The solution adds the new algorithms and techniques that are needed for the machine situational awareness (SA) system to work in concert with the human SA system. It integrates the human cognition aspects and the computer algorithm aspects of cyber SA. The solution also integrates situation recognition, impact assessment, causality analysis, trend analysis, and assessment of system assurance. The team will develop prototype capabilities in each year of the project that build on prior years’ capabilities, with the goal of having a testable, executable prototype at each stage of the project.

Dr. Liu was also one of three researchers who received more than $1M funded by the American Recovery and Reinvestment Act of 2009. His project—Collaborative Research: Towards Self-Protecting Data Centers: A Systematic Approach—is aimed at safeguarding business applications and infrastructure from cyber threats. The research team seeks to improve security consolidation to meet the top two requirements for modern data centers—business continuity and information security. The team will take a systematic approach that leverages the emerging virtual machine technologies to consolidate four areas of systems security research: microscopic intrusion analysis and detection; redundancy; automatic response; and diversity-driven protection. Broader impacts for this research include a significant advancement in reducing risks to business applications and information systems, increasing business continuity, and delivering data assurance in the presence of severe cyber attacks. Liu will co-lead this project, which will further the team’s previous research on cyber awareness and how it can be used to improve cyber defense.

Dr. Liu organizes and presents at several conferences in information security. A few examples include: Securecomm 2009 (general chair); Inscrypt 2008 (both Program Co‑Chair and keynote speaker); and AsiaCSS 2010 (Program Co‑Chair).

References
1. http://ist.psu.edu/s2/pliu
Eight Steps to Holistic Database Security
by Dr. Ron Ben Natan

Financially motivated attacks, malfeasance by insiders, and regulatory requirements such as the Federal Information Security Management Act-mandated National Institute of Standards and Technology (NIST) 800-53 standard are driving government organizations to find new ways to secure their data.

Most of the world’s sensitive data is stored in commercial database systems such as Oracle, Microsoft SQL Server, IBM DB2, and Sybase—making databases an increasingly favorite target for criminals. This may explain why external attacks such as SQL injection jumped 134% in 2008, increasing from an average of a few thousand per day to several hundred thousand per day, according to a report recently published by IBM. [1]

To make matters worse, according to a study published in February 2009 by the Independent Oracle Users Group (IOUG), nearly half of all Oracle users are at least two or more patch cycles behind in their database patching. [2] In addition, 74% of all Web application vulnerabilities disclosed in 2008 did not even have an available patch by the end of 2008, according to IBM. [3]

Whereas most attention has previously been focused on securing network perimeters and client systems (e.g., firewalls, IDS/IPS, and anti-virus), we are now entering a new phase where information security professionals are now being tasked with ensuring that critical databases are secure from breaches and unauthorized changes.

Here are eight essential best practices that provide a holistic approach to both safeguarding databases and achieving compliance with key regulations and standards such as NIST 800-53 and Defense Information System Agency Security Technical Implementation Guides as well as the Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI-DSS), and data protection laws:

• Discovery—You cannot secure what you do not know. You need to have a good mapping of your sensitive assets—both of your database instances and your sensitive data inside the databases. Plus, you should automate the discovery process because the location of sensitive data is constantly changing due to changes such as new or modified applications and mergers and acquisitions. In an interesting twist, some discovery tools can also find malware placed in your database as a result of SQL injection attacks. In addition to exposing confidential information, SQL injection vulnerabilities allow attackers to embed other attacks inside the database that can then be used against visitors to the Web site.

• Vulnerability and Configuration Assessment—You need to assess the configuration of your databases to ensure they do not have security holes. This includes verifying both the way the database is installed on the operating system (e.g., checking file privileges for database configuration files and executables) and configuration options within the database itself (such as how many failed logins will result in a locked account, or which privileges have been assigned to critical tables). Plus, you need to verify that you are not running database versions with known vulnerabilities. Traditional network vulnerability scanners were not designed for this because they do not have embedded knowledge about database structures and expected behavior, nor can they issue SQL queries (via credentialed access to the database) in order to reveal database configuration information.

• Hardening—The result of a vulnerability assessment is often a set of specific recommendations. This is the first step in hardening the database. Other elements of hardening involve removing all functions and options that you do not use.

• Change Auditing—Once you have created a hardened configuration, you must continually track it to ensure that you do not digress from your “gold” (secure) configuration. You can do this with change auditing tools that compare snapshots of the configurations (at both the operating system level and at the database level) and immediately alert you whenever a change is made that could affect the security of the database.

• Database Activity Monitoring (DAM)—Real-time monitoring of database activity is key to limiting your exposure by immediately detecting intrusions and misuse. For example, DAM can alert on unusual access patterns indicating a SQL injection attack, unauthorized changes to financial data, elevation of account privileges, and configuration changes executed via SQL commands. Monitoring privileged users is also a requirement for data governance regulations such as SOX and data privacy regulations such as PCI-DSS. It is also important for detecting intrusions because attacks will frequently result in the attacker gaining privileged user access (such as via credentials owned by your business applications). DAM is also an essential element of vulnerability assessment because it allows you to go beyond traditional static assessments to include dynamic assessments of “behavioral vulnerabilities” such as multiple users sharing privileged credentials or an excessive number of failed database logins. Finally, some DAM technologies offer application-layer monitoring, allowing you to detect fraud conducted through multi-tier applications such as PeopleSoft, SAP, and Oracle e-Business Suite, rather than through direct connections to the database.

• Auditing—Secure, non-repudiable audit trails must be generated and maintained for any database activities that impact security posture, data integrity, or viewing sensitive data. In addition to being a key compliance requirement, having granular audit trails is also important for forensic investigations. Most organizations currently employ some form of manual auditing, utilizing traditional native database logging capabilities. However, these approaches are often found to be lacking because of their complexity and high operational costs due to manual efforts. Other disadvantages include high performance overhead, lack of separation of duties (because database administrators can easily tamper with the contents of database logs, thereby affecting non-repudiation) and the need to purchase and manage large amounts of storage capacity to handle massive amounts of unfiltered transaction information. Fortunately, a new class of DAM solutions are now available that provide granular, database management system (DBMS)-independent auditing with minimal impact on performance, while reducing operational costs through automation, centralized cross DBMS policies and audit repositories, filtering, and compression.

• Authentication, Access Control, and Entitlement Management—Not all data and not all users are created equally. You must authenticate users, ensure full accountability per user, and manage privileges to limit access to data. And you should enforce these privileges—even for the most privileged database users. You also need to periodically review entitlement reports (also called User Right Attestation reports) as part of a formal audit process.

• Encryption—Use encryption to render sensitive data unreadable, so that an attacker cannot gain unauthorized access to data from outside the database. This includes both encryption of data-in-transit, so that an attacker cannot eavesdrop at the networking layer and gain access to the data when it is sent to the database client, as well as encryption of data-at-rest, so that an attacker cannot extract the data even with access to the media files.

A holistic database security approach is needed to protect against cyberattacks, breaches, fraud, and insider threats. Additionally, such a strategy helps federal agencies and contractors meet NIST 800-53 and comply with the OMB M-06-16 directive, Protection of Sensitive Agency Information, in order to secure personally identifiable information and other sensitive data such as financial data and classified information.

References
1. IBM Global Technology Services, “IBM Internet Security Systems X-Force® 2008 Trend & Risk Report,” January 2009.
2. IOUG, “Security Patching Practices by Oracle Users,” February 2009.
3. Ibid.

About the Author

Dr. Ron Ben Natan | chief technology officer for Guardium, the database security company, has more than 20 years of experience developing enterprise applications and security technology. Guardium, an IBM Company, delivers a scalable platform that prevents information leaks from the data center and ensures the integrity of enterprise data. The company’s enterprise security platform is now installed in more than 450 data centers worldwide, including top government agencies. Dr. Natan has authored 12 technical books, including HOWTO Secure and Audit Oracle 10g and 11g (© 2009 by Taylor and Francis Group, LLC) and Implementing Database Security and Auditing (© 2005, Elsevier, Inc.), the standard texts in the field.
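The behavioral DAM checks the article lists (an excessive number of failed logins, a privileged credential used from more than one client, privilege elevation, and configuration changes issued as SQL) can be expressed as rules replayed over an audit stream. This is an added example, not the article's code or any vendor's product; the audit record layout, account names, client addresses, statements and thresholds are all constructed for illustration.

```python
"""Rule-based database activity monitoring over a stream of audit records.

Added example; not code from the article or from any DAM product. The
audit record layout, account names, client addresses, statements and
thresholds are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # failed logins per account ...
FAIL_WINDOW = timedelta(minutes=5)   # ... within this sliding window
PRIVILEGED = {"sa", "dba1", "app_svc"}  # accounts whose credentials matter most
ELEVATION_RE = re.compile(r"^\s*GRANT\b", re.IGNORECASE)
CONFIG_RE = re.compile(
    r"^\s*(ALTER\s+SYSTEM|ALTER\s+DATABASE|EXEC\s+sp_configure)\b", re.IGNORECASE)

# Constructed sample audit stream: (timestamp, account, client host, event, statement).
AUDIT = [
    ("2010-03-01T09:00:01", "app_svc", "10.1.1.20", "LOGIN_OK", ""),
    ("2010-03-01T09:00:05", "app_svc", "10.1.1.20", "SQL",
     "SELECT name FROM customers WHERE id = 42"),
    # the application's service credential appears from a second, unexpected host
    ("2010-03-01T09:01:00", "app_svc", "10.9.9.9", "LOGIN_OK", ""),
    # and is then used to elevate its own privileges
    ("2010-03-01T09:01:10", "app_svc", "10.9.9.9", "SQL", "GRANT DBA TO app_svc"),
    # a DBA turns auditing off through SQL rather than through change control
    ("2010-03-01T09:02:00", "dba1", "10.1.1.30", "SQL",
     "ALTER SYSTEM SET audit_trail = NONE"),
    # a burst of failed logins against a privileged account
    ("2010-03-01T09:03:00", "sa", "10.1.1.40", "LOGIN_FAIL", ""),
    ("2010-03-01T09:03:20", "sa", "10.1.1.40", "LOGIN_FAIL", ""),
    ("2010-03-01T09:03:40", "sa", "10.1.1.40", "LOGIN_FAIL", ""),
    ("2010-03-01T09:04:00", "sa", "10.1.1.40", "LOGIN_FAIL", ""),
    ("2010-03-01T09:04:20", "sa", "10.1.1.40", "LOGIN_FAIL", ""),
    # one more failure half an hour later falls outside the window: no new alert
    ("2010-03-01T09:30:00", "sa", "10.1.1.40", "LOGIN_FAIL", ""),
]


def monitor(records):
    """Replay records in order and return the alerts the rules raise."""
    alerts = []
    failures = defaultdict(list)    # account -> failed-login timestamps in window
    login_hosts = defaultdict(set)  # account -> client hosts seen logging in
    for ts_text, account, client, event, statement in records:
        ts = datetime.fromisoformat(ts_text)
        if event == "LOGIN_FAIL":
            recent = [t for t in failures[account] if ts - t <= FAIL_WINDOW]
            recent.append(ts)
            failures[account] = recent
            # alert once, at the moment the threshold is crossed
            if len(recent) == FAIL_THRESHOLD:
                alerts.append({"rule": "excessive_failed_logins", "account": account,
                               "client": client, "at": ts_text})
        elif event == "LOGIN_OK":
            seen = login_hosts[account]
            # the same privileged credential in use from a host not seen before
            if account in PRIVILEGED and seen and client not in seen:
                alerts.append({"rule": "shared_privileged_credential",
                               "account": account, "client": client, "at": ts_text})
            seen.add(client)
        elif event == "SQL":
            if ELEVATION_RE.match(statement):
                alerts.append({"rule": "privilege_elevation", "account": account,
                               "client": client, "at": ts_text,
                               "statement": statement})
            if CONFIG_RE.match(statement):
                alerts.append({"rule": "config_change_via_sql", "account": account,
                               "client": client, "at": ts_text,
                               "statement": statement})
    return alerts


if __name__ == "__main__":
    for alert in monitor(AUDIT):
        print(alert)
```

In a real deployment the records would come from a network tap or agent rather than the native log, which is the separation-of-duties point the article makes about DBAs being able to alter log contents.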
Letter to the Editor

Q: There are a lot of information assurance conferences, forums, and seminars available to the IA community, and the IAnewsletter focuses on several each year. What is the most important IA conference IATAC takes part in annually?

A: A critical aspect of sharing information assurance (IA) related information is attending events where solutions for pressing IA problems can be discussed. These events also help the IA community learn about the resources available to them and some of the cutting-edge developments in the IA field. IATAC attends, exhibits, and presents at several conferences a year to take part in critical IA discussions, and to promote outreach and awareness for the free products and services we offer. The biggest conference we attend each year is the Information Assurance Symposium (IAS), hosted by the National Security Agency, Defense Information Systems Agency, and US Strategic Command.

This year’s conference took place in Nashville, TN, February 2-4, bringing together over 2,000 attendees from all three of IATAC’s target communities: government, industry, and academia. Attendees had the opportunity to participate in one of four tracks. The Protect track focused on discovering ways to improve information security and harden networks. The Defend track looked at how cyber warriors can detect, diagnose, and respond to security threats effectively. The Survive track featured sessions on sustaining mission essential functionalities during network attacks. Finally, the Making it all Happen track analyzed how to staff, equip, train, and certify the cyber warrior.

IAS stressed the importance of true collaboration and the need to achieve information superiority, and it provided the IA community with networking opportunities essential to achieving these goals. IATAC was glad to take part in IAS this year, and we look forward to participating again next year.
ASK THE EXPERT
Public/Private Partnership Becoming a Necessity
by Allan Carey

Governments have long dealt with espionage and attempts to exfiltrate state secrets and intellectual property. The interconnected world of computing systems has split our efforts to detect and thwart such attempts between the physical and logical worlds. The term advanced persistent threat (APT) has had relevancy in the information assurance world, which started in the US Air Force around 2006. However, beyond government and the defense industrial base, no one in the private sector had really heard or cared about APT.

Until now…Why? Google vs. China catapulted APT into the mass media spotlight for better or worse. [1] Back in July 2009, Richard Bejtlich ran a Google search on “advanced persistent threat” prior to an Institute for Applied Network Security briefing which yielded 34 unique hits. [2] As of 16 January 2010, the same search returned 169 hits. During the week of 25 January 2010, The Christian Science Monitor reported about stolen bid data from three major energy companies with traces back to China. [3] And Mandiant, a specialized consulting firm, released its first M-Trends Report which highlighted the types of attacks they have investigated including ones perpetrated by the APT. [4]

Let’s start with the negative part of this attention. APT has just made the buzzword bingo chart of marketing professionals targeting our industry. The term will be misrepresented, misused and basically abused to promote/sell products and services with the promise of solving this problem. For the misguided, their attention and resources will be directed away from solving their real information assurance problems. For the well informed, they should see right through the APT elixir.

On the positive side, senior security leaders are now more aware of this threat vector, even though they may not have the budget or resources to do something about it. As a result, organizations are getting engaged in the conversation and looking for ways to collaborate and share information. Changing the way in which we interact and exchange best practices must occur, particularly around this topic, because our advanced persistent adversaries are incredibly organized and well funded. They are sharing best practices and techniques; as a profession, we must do the same because continuing to fight the battle in silo efforts is not a sustainable strategy.

One promising example of public/private partnership is the impending Google and the National Security Agency relationship. This action is a step in the right direction for sharing defensive techniques and enabling another organization to better defend itself. Another example is the National Security Telecommunications Advisory Committee Network Security Information Exchanges, which I believe will see increased participation from industry in light of the recent developments. Other groups/relationships are forming behind closed doors, but the motivation and business drivers are strong enough to hopefully change the paradigm between public/private partnership and information sharing overall.

References
1. http://googleblog.blogspot.com/2010/01/new-approach-to-china.html.
2. www.taosecurity.com.
3. http://www.csmonitor.com/Commentary/editors-blog/2010/0126/Why-the-China-virus-hack-at-US-energy-companies-is-worrisome.
4. http://www.mandiant.com/news_events/article/mandiant_releases_first_annual_m-trends_report_at_u.s._department_of_d
    • Apples & Oranges:Operating and Defendingthe Global Information Gridby Dr. Robert F. Mills, Major Michael B. Birdwell, and Major Kevin R. BeekerC yberspace is a contested, warfighting domain, but we’re notreally treating it as such, partly because and described a shift in culture that must occur for the United States to be effective in this domain: “We must commander involvement and responsibility for cyberspace operations. Our leaders are making some veryour language and doctrine have not think about this domain and the tools in interesting points here. We are all on thematured to the point that allows us to do this domain and the readiness of this front line of defense and are involved inso. One reflection of our immature domain as commanders, as essential to cyber operations every day. Generallanguage is our inability to clearly successful operations.” General Chilton Chilton’s analogy of the gate guard whodifferentiate the concepts of network calls every Soldier, Sailor, Airman, “keeps the wrong people out” isoperations (NETOPS) and computer Marine, DoD civilian, and contractor to noteworthy, but his use of the wordnetwork defense (CND). This creates arms, saying, “They are part of the front ‘defense’ is misleading—he’s reallyconfusion about the roles and line of defense and in fact they’re talking about ‘security and forceresponsibilities for provisioning, engaged in cyber operations that matter protection.’ But he’s not the only onesustaining, and defending the network— every day, whether they know it or not.” who falls into this trap—our doctrine ismuch less actually using it. In this He compares operations in the domain just as confusing.article, we resolve this confusion by to “the guards who guard your bases,highlighting the differences among who stand there at the gate and make NETOPS and Network Defensemaintenance, defense, and mission sure only the right people come in and This is how the DoD Dictionary definesassurance activities. 
Only by separating keep the wrong people out—that’s NETOPS and CND:these activities can we more effectively everybody who has a computer on their ff NETOPS—“activities conducted toorganize, train, and equip people to desk in these domains today.” [1] operate and defend the Globalperform those tasks. We also describe Similarly, Air Force Chief of Staff Information Grid.”how the mission assurance aspect of General Norton A. Schwartz sent an ff CND—“actions taken to protect,NETOPS can better be viewed as a force e-mail to every member of the Air Force monitor, analyze, detect, andprotection issue, thereby highlighting entitled Cyberspace Operations Culture respond to unauthorized activitythe importance of the unit commander Change on May 27th, 2009. In this e-mail within DoD information systemsin the cyberspace puzzle. he wrote, “Compliance with time critical and computer networks.” [3] software updates will gain newCulture Change emphasis and commanders will be held Figure 1 illustrates the NETOPSThere has been much talk about accountable…. Our Air Force must move continuum, and demonstrates thechanging our cyber culture—specifically to a system of tight network control, difficulty in distinguishing between thewith respect to how we use cyberspace. personal responsibility, and two disparate functions of maintenanceGeneral Kevin J. Chilton, the accountability as we execute our global and defense.Commander of US Strategic Command mission on behalf of our Nation.” [2] Effective CND uses a defense-in-(USSTRATCOM), hosted a Cyberspace General Schwartz made it clear that all depth strategy and employs intelligence,Symposium in April 2009. In his opening Air Force members operate in counterintelligence, law enforcement,remarks, he labeled cyberspace cyberspace and echoed General and other military capabilities asoperations as commanders’ business Chilton’s comments emphasizing required. 
However, the CND culture is38 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
    • Our intent is not to diminish the NETOPS importance of NETOPS activities—these activities are critical to our ability to Operate the Network Defend the Network operate in and through cyberspace. But they are not defensive activities—at least not in the classical understanding of theFigure 1 NETOPS and CND Continuum concept. Turning to Carl von Clausewitz, we see a much different concept oflargely one of information assurance achieve that, this is a maintenance defense than is currently applied to(e.g., confidentiality, integrity, and activity. (Indeed, do we even really know cyberspace:availability), system interoperability, how many computers we have, let aloneand operations and maintenance how many are compliant?) This is no What is the concept of defense? The(O&M). Many of the things that we more a defensive activity than counting parrying of a blow. What is itsroutinely call ‘cyberspace defense’ in all the rifles in an infantry company and characteristic feature? Awaiting the blow.cyberspace are really just O&M inspecting them to ensure that they are It is this feature which turns any actionactivities—such as setting firewall rules, properly cleaned and in working order. into a defensive one; it is the only test bypatching servers and workstations, Our current NETOPS/CND mindset which defense can be distinguished frommonitoring audit logs, and is intentionally focused inward, with attack in war. Pure defense, however,troubleshooting circuit problems. emphasis on ensuring that friendly would be completely contrary to the idea We talk about vulnerabilities and forces have freedom of action within of war, since it would mean that only onethe thousands of ‘cyber attacks’ against and through cyberspace. Contrast this side was waging it…. 
But if we are reallyour networks every day, but we do not with a traditional warfighting mentality waging war, we must return the enemy’streat cyberspace operations like those in which we study an adversary’s blows; and these offensive acts in aconducted in other domains. Server potential courses of action, develop and defensive war come under the heading ofavailability and communications circuit refine operational plans to meet national ‘defense’ –in other words, our offensivestatus are represented as green, yellow, and military objectives, parry thrusts, takes place within our own positions orand red lights on a stop-light chart, with and launch counter attacks. While we do theater of operations. Thus, a defensivean objective being ‘all green.’ And yet, worry about internal issues such as campaign can be fought with offensivewhen a system or circuit is reported as security, force protection, logistics, and battles, and in a defensive battle, we canyellow or red, we rarely understand what sustainment, our focus remains outward employ our divisions offensively. Even in athe true operational impact is in a timely on the adversary. Granted, terms such as defensive position awaiting the enemymanner. Furthermore, thousands of ‘inward’ and ‘outward’ mean different assault, our bullets take the offensive. Sosystems administrators routinely count things when discussing cyberspace the defensive form of war is not a simpleand scan computers to ensure that their (because geographic boundaries are shield, but a shield made up of well-software and operating system patches somewhat irrelevant), but we generally directed blows. [4]are current. The objective is 100% use these terms to refer to friendly forcescompliance, but even if we could and adversaries, respectively. IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 39
    • Similarly, Army Field Manual 3-0, accomplish assigned missions. This ff Determine the threat via a tailoredOperations, states the following: includes areas such as force protection, threat assessment antiterrorism, information assurance, ff Determine critical infrastructure Defensive operations defeat an and continuity of operations. [7] The via a criticality assessmentenemy attack, buy time, economize forces, security portion of NETOPS then can ff Determine vulnerability via aor develop conditions favorable for be viewed as a form of force vulnerability assessmentoffensive operations. Defensive operations protection, where force protection ff Determine acceptable risk via aalone normally cannot achieve a decision. is defined as follows: risk assessmentTheir purpose is to create conditions for a ff Develop a comprehensive forcecounteroffensive that allows Army forces Preventive measures taken to protection planto regain the initiative. [5] mitigate hostile actions against DoD ff Exercise the plan to determine personnel (to include family members), limiting factors and gain These definitions of defense do not resources, facilities, and critical process familiarity.sound like our current approach to information. Force protection does notNETOPS and CND. Clausewitz might say include actions to defeat the enemy A second reason to look at forcewe have a shield mentality about cyber or protect against accidents, weather, protection is that force protection is andefense. The O&M activities that we or disease. [8] inherent responsibility of command. Airroutinely refer to as ‘network defense’ Force Doctrine Document 2-4.1, Forceare passive and do not try to gain or This definition does not say Protection, clearly states, “Commandersmaintain the initiative. 
An active anything about defense in terms of at all levels must make force protectiondefense—one that employs limited maneuver and fires, but it does highlight an imperative.” [10] A fundamentaloffensive action and counterattacks to that everyone in the DoD has a role in premise within JP 6-0 is that many of thedeny the adversary—will be required ‘mitigating hostile activities’ that can responsibilities for NETOPS activitiesto have a genuinely defensive capability certainly be extended to cyberspace. remain within the purview of thein cyberspace. There are a several reasons we should communications community. With a look at force protection doctrine as it force protection mindset, responsibilityA Force Protection Model relates to the NETOPS/security problem. shifts to the person who is accountableSo if NETOPS isn’t CND, then what is it? Get in The first is that force protection for mission accomplishment—theJoint Publication (JP) 6-0, Joint activities and doctrine are well-defined, commander. At all levels of warfare, theCommunications System, is the DoD’s and force protection experts have commander should have the bestcapstone document for communications developed a rigorous methodology to understanding of both the mission andand network support to joint define the force protection process, as the requirements to accomplish it. Theoperations. Chapter IV discusses illustrated in Figure 2. unit commander is therefore integral toNETOPS in depth, stating: The following force protection core cyberspace force protection actions andff The effectiveness of NETOPS is principles apply to cyberspace: is not merely a customer. This measured in terms of availability conceptual shift integrates cyberspace and reliability of network enabled force protection at the lowest possible services, across all areas of interest, level, thereby making it a unit Threat in adherence to agreed-upon service. 
Assessment commander’s responsibility—which isff The purpose of NETOPS is assured where General Chilton said it should be! system and network availability, Finally, the concept of force Exercise Criticality assured information protection, Plan Assessment protection brings with it responsibility and assured information delivery. [6] to every member of the force. The gate Force The overarching theme in these guards may “let the right people come instatements is the ability for users Protection and keep the wrong people out,” but we(customers) to accomplish their Planning must be on the lookout for those who FP Vulnerabilitymissions, which leads us to the concept Assessment have gotten past the perimeter fence and Planof ‘mission assurance.’ Mission those insiders who engage in maliciousassurance includes a number of acts. Using a force protection paradigm, Riskactivities and measures taken to ensure Assessment information assurance would equatethe availability of required capabilities closely to the Air Force (AF) Office ofand supporting infrastructures to Special Investigations (OSI) ‘Eagle Eyes’support military operations and Figure 2 Force Protection Planning Process [9]40 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
construct. The AF OSI Eagle Eyes website states:

The Eagle Eyes program is an Air Force anti-terrorism initiative that enlists the eyes and ears of Air Force members and citizens in the war on terror. Eagle Eyes teaches people about the typical activities terrorists engage in to plan their attacks. Armed with this information, anyone can recognize elements of potential terror planning when they see it. [12]

Conclusions

Semantics matter. One of the fundamental purposes of joint doctrine is to provide a common language that describes how we organize, train, equip, and employ our military capabilities. Inadequate semantics creates confusion and degrades our warfighting capability. Our current language confuses the use, operations and maintenance, and the defense of the cyberspace domain, which makes roles and responsibilities unclear. Our recommendations to remedy this situation are as follows:

1. Redefine NETOPS as “actions taken to provision and maintain the cyberspace domain.” This would capture the current concepts of operations and maintenance while removing the ambiguity caused by including defense within the NETOPS construct.
2. Leverage concepts such as ‘mission assurance’ and ‘force protection’ to help change the culture and engage all personnel—users, maintainers, and cyber operators. Everyone has a role in security and force protection, but we are not all cyber defenders. Force protection and mission assurance are focused inward on our mission.
3. Redefine our CND construct to be more consistent with our approach to the concept of ‘defense’ in the other domains of warfare, to include the concept of active defense. This would shift the concept from maintenance to operations, from inward to outward (to our adversaries). CND is about delivering warfighting effects (e.g., denying, degrading, disrupting, and destroying the cyber capabilities of our adversaries).

Taken together, these concepts provide a framework to develop cyberspace capabilities and personnel to meet joint mission requirements and to more effectively engage in operations in cyberspace.

References

1. General Kevin Chilton, Opening Remarks to the April, 2009, USSTRATCOM Cyberspace Symposium, http://www.stratcom.mil/speeches/23
2. General Norton A. Schwartz, Letter to All Airmen, dated 27 May, 2009.
3. DoD Dictionary of Military Terms, http://www.dtic.mil/doctrine/dod_dictionary
4. Taken from Peter G. Tsouras. Warriors Words: A Quotation Book. 1992. Arms and Armour Press, London. Page 128.
5. US Army Field Manual (FM) 3-0, Operations, 14 Jun 2001, p. 1-15, http://www.dtic.mil/doctrine/jel/service_pubs/fm3_0a.pdf.
6. Joint Publication (JP) 6-0, Joint Communications System, 20 Mar, 2006, p IV-1, http://www.dtic.mil/doctrine/new_pubs/jp6_0.pdf.
7. DoD Directive 3020.40, Defense Critical Infrastructure Program, 19 Aug, 2005, p. 13, http://www.dtic.mil/whs/directives/corres/pdf/302040p.pdf.
8. DoD Dictionary of Military Terms.
9. DODI 2000.16, DoD Antiterrorism (AT) Standards, provides clear guidance on the tools necessary to define the threat, determine what is critical, determine what is vulnerable, determine acceptable risk, develop a plan, exercise the plan, and then start over. The AT Risk Management process is outlined in enclosure 3 (pages 13—22). Available at http://www.dtic.mil/whs/directives/corres/pdf/200016p.pdf.
10. Air Force Doctrine Document 2-4.1, 9 Nov 2004, p. 11.
11. http://www.e-publishing.af.mil/shared/media/epubs/AFDD2-4.1.pdf.
12. The USAF OSI Eagle Eyes website is http://www.osi.andrews.af.mil/eagleeyes/index.asp.

The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government.

About the Authors

Dr. Robert F. Mills | is an Associate Professor of electrical engineering at the Air Force Institute of Technology (AFIT), Wright-Patterson AFB, OH. He teaches graduate courses and leads sponsored research in support of AFIT’s cyber operations and warfare program. His research interests include network management and security, communications systems, cyber warfare, and systems engineering. He retired from active duty in the US Air Force after serving 21 years as a communications officer.

Major Michael B. “Bo” Birdwell | is a career intelligence officer. He is the Director of Operations at the Air Mobility Command Air Intelligence Squadron at Scott Air Force Base, IL. Major Birdwell is a graduate of the Air Force Academy (1996), the USAF Weapons School Intelligence Division (2001), and the AFIT’s Cyber Warfare Intermediate Developmental Education Program (2009).

Major Kevin Keller Beeker | is now the J2 Targeting Chief for the Joint Functional Component Command for Network Warfare (JFCC-NW) at Ft Meade, MD. He is a senior A/OA-10 combat pilot, who also completed an exchange tour flying F/A-18s with the United States Navy. He is a 1996 graduate of the United States Air Force Academy, with a Bachelor of Science in computer science. He is also a 2009 graduate of AFIT’s Cyber Warfare Intermediate Developmental Education Program.
LPS-Public: Secure Browsing and an Alternative to CAC Middleware

by Lt Col Ken Edge and Kevin Sweere

On January 15, 2010, the Air Force Portal started granting access only to those users who have a Common Access Card (CAC) or public key infrastructure certificate, blocking login via user/password. Other Department of Defense (DoD) sites require CACs for some activities and it is likely many other federal agencies will also soon require two‑factor authentication for sensitive Web services.

The DoD’s solution for users of Windows XP Pro and Vista (a Windows 7 solution is coming soon) is to download licensed ActivClient middleware from an internal website. Users must install smartcard drivers, the middleware, and DoD root certificates on their Windows Personal Computers (PC). But that leaves out those running Mac or Linux systems, those using another’s computer (e.g., friend’s, corporate or public computer), those lacking administrator privileges, and those who just do not want to make the requisite changes to update their computers. Lightweight Portable Security, Public edition (LPS-Public) alleviates all these problems. And it’s free from http://spi.dod.mil/.

LPS-Public offers other benefits; computers that are old, slow, infected, or crashed, or those that are missing a hard drive can now browse the Internet again. Because LPS-Public operates only in Random Access Memory (RAM), users may visit risky, malware-infected sites with very little permanent risk. Likewise, users’ private sessions and sensitive transactions occur within a leave‑no‑local‑trace browsing environment.

LPS-Public provides a thin, secure end-node for cloud computing. Created by the Software Protection Initiative at the Air Force Research Laboratory (AFRL), LPS-Public boots from a CD, runs only in RAM, installs nothing to the hard drive, and does not require administrative rights. LPS-Public provides a Firefox browser with plug-ins, CAC middleware, certificates, and a PDF viewer within a very thin Linux operating system. It’s a great solution for users with Mac, Linux, or Windows 7 systems, or those using others’ computers.

A derived and accredited version, LPS-Remote Access, offers teleworkers remote desktop virtualization of their company’s or agency’s network. This means far fewer government laptops. Now one only needs to carry a CAC reader and a custom CD and then use almost any personal, public, or corporate computer to use a NIPRNet computer remotely.

The Software Protection Initiative (SPI) protects critical DoD intellectual property against nation-state class threats by taking an alternative approach to security based on 3 Tenets: 1) Focus on What’s Critical, 2) Move it Out-of-Band, and 3) Detect, React, Adapt. SPI solves your toughest cyber-defense challenges. The AFRL’s ATSPI Technology Office manages SPI for the DDR&E via the High Performance Computing and Modernization Program.

Download the free LPS-Public ISO image from http://spi.dod.mil/lipose.htm.

Those wishing to get more details or interview a subject matter expert please contact Josh Aycock, 88 ABW/PA, at Joshua.aycock@wpafb.af.mil or 937-522-3514.

About the Authors

Lt Col Kenneth Edge | graduated from the US Air Force Academy with a degree in electrical engineering. His previous assignments in the Air Force have included flying C-141 and C-21 airplanes. Lt Col Edge completed his Master’s degree in electrical engineering at Wright State University, and then earned his PhD in computer security from the Air Force Institute of Technology. He serves at the AFRL as the Office of the Director, Defense Research and Engineering’s SPI Program Manager.

Kevin Sweere | serves the SPI as an Advisory and Assistance Services contractor from the not-for-profit Riverside Research Institute. He holds a Master’s degree in Mechanical Engineering from Michigan Technological University and an MBA from University of Cincinnati. He was a search and rescue dog trainer, snowplow researcher, Army Ranger, Armor Battalion S4, satellite operator, and designer/builder of two bleeding-edge intelligence production centers. He now teaches his Tiger Scout den land navigation and fire building.
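The article's "runs only in RAM, installs nothing to the hard drive" property is what makes the leave-no-local-trace claim hold, and it is worth checking from inside a live session rather than taking on faith. The script below is an added example, not code from the article or from the SPI/LPS project: a POSIX shell function that scans a mount table in the format of /proc/mounts and reports every mount backed by a local block device that is mounted read-write, which is exactly what a RAM-only live environment should not have. The sample mount table is constructed for the example, and the list of device-name prefixes treated as local disks is an assumption.

```shell
#!/bin/sh
# Added example (not from the article or the LPS project): audit a mount
# table for writable mounts backed by a local disk. A live environment that
# "runs only in RAM" should report none; any hit is a place where a browsing
# session could leave a local trace.
#
# Input format is that of /proc/mounts:
#   source target fstype options dump pass

# Constructed sample resembling a live-CD session that has, in addition,
# mounted the host's disk read-write (the case the audit should flag).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sr0 /cdrom iso9660 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /mnt/disk ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# Print "<device> <mountpoint>" for each mount whose source looks like a
# local block device (prefix list is an assumption) and whose option list
# contains the exact token "rw". Optical drives (/dev/sr*) are not listed,
# since a read-only boot medium is expected.
writable_disk_mounts() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\/dev\/(sd|hd|vd|nvme|mmcblk)/ {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "rw") print $1, $2
        }'
}

# Exit status 0 when the table has no writable disk-backed mounts, 1 otherwise.
no_local_trace() {
    [ -z "$(writable_disk_mounts "$1")" ]
}

# When run directly, audit the live system; fall back to the constructed
# sample on hosts without /proc/mounts so the script still demonstrates itself.
if [ -r /proc/mounts ]; then
    table=$(cat /proc/mounts)
else
    table=$SAMPLE_MOUNTS
fi
writable_disk_mounts "$table"
```

On a genuine RAM-only session the script prints nothing; in the constructed sample it prints `/dev/sda1 /mnt/disk`, the one mount that would let data persist. The check only covers block devices under /dev; network or FUSE-backed mounts would need their own rule.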
FREE Products Order Form

Instructions: All IATAC LIMITED DISTRIBUTION reports are distributed through DTIC. If you are not a registered DTIC user, you must do so prior to ordering any IATAC products (unless you are DoD or Government personnel). To register online: http://www.dtic.mil/dtic/registration. The IAnewsletter is UNLIMITED DISTRIBUTION and may be requested directly from IATAC.

Name / DTIC User Code / Organization / Ofc. Symbol / Address / Phone / Email / Fax

Please check one: [ ] USA [ ] USMC [ ] USN [ ] USAF [ ] DoD [ ] Industry [ ] Academia [ ] Government [ ] Other

Please list the Government Program(s)/Project(s) that the product(s) will be used to support:

LIMITED DISTRIBUTION

IA Tools Reports: [ ] Firewalls [ ] Intrusion Detection [ ] Vulnerability Analysis [ ] Malware

Critical Review and Technology Assessment (CR/TA) Reports: [ ] Biometrics (soft copy only) [ ] Configuration Management (soft copy only) [ ] Defense in Depth (soft copy only) [ ] Data Mining (soft copy only) [ ] IA Metrics (soft copy only) [ ] Network Centric Warfare (soft copy only) [ ] Wireless Wide Area Network (WWAN) Security [ ] Exploring Biotechnology (soft copy only) [ ] Computer Forensics (soft copy only. DTIC user code MUST be supplied before these reports will be shipped)

State-of-the-Art Reports (SOARs): [ ] Measuring Cyber Security and Information Assurance [ ] IO/IA Visualization Technologies (soft copy only) [ ] The Insider Threat to Information Systems (soft copy only. DTIC user code MUST be supplied before these reports will be shipped) [ ] Modeling & Simulation for IA (soft copy only) [ ] Malicious Code (soft copy only) [ ] Software Security Assurance [ ] Data Embedding for IA (soft copy only) [ ] A Comprehensive Review of Common Needs and Capability Gaps

UNLIMITED DISTRIBUTION

IAnewsletter hardcopies are available to order. Softcopy back issues are available for download at http://iac.dtic.mil/iatac/IA_newsletter.html

Volume 11: [ ] No. 1 [ ] No. 2 [ ] No. 3 [ ] No. 4
Volume 12: [ ] No. 1 [ ] No. 2 [ ] No. 3 [ ] No. 4
Volume 13: [ ] No. 1

SOFTCOPY DISTRIBUTION

The following are available by email distribution: [ ] IADigest [ ] IA/IO Scheduler [ ] Research Update [ ] Technical Inquiries Production Report (TIPR)

Fax completed form to IATAC at 703/984-0773
Calendar

May
DISA Customer Partnership Conference, 3–7 May 2010, Nashville, TN, http://www.disa.mil/conferences/
New York Metro Information Security Forum, 4–5 May 2010, New York, NY, http://www.ianetsec.com/forums/calendar.html
Joint Warfighting 2010, 11–13 May 2010, Virginia Beach, VA, http://www.afcea.org/events/jwc/10/intro.asp
IEEE Symposium on Security and Privacy, 16–19 May 2010, Oakland, CA, http://oakland31.cs.virginia.edu/index.html

June
Forum of Incident Response and Security Teams (FIRST) Annual Conference, 13–18 June 2010, Miami, FL, http://conference.first.org/
Lone Star Information Security Forum, 23–24 June 2010, Dallas, TX, http://www.ianetsec.com/forums/calendar.html

July
2010 Software Protection, IA and Anti-Tamper SBIR Workshop, 20–22 July 2010, WPAFB, OH, http://www.spi.dod.mil/workshop.htm
Black Hat USA 2010, 24–29 July 2010, Las Vegas, NV, http://www.blackhat.com/html/events.html
DEF CON 18, 30 July–1 August 2010, Las Vegas, NV, https://www.defcon.org/

August
LandWarNet 2010, 3–5 August 2010, Tampa, FL, http://events.jspargo.com/lwn10/Public/MainHall.aspx
Air Force Information Technology Conference (AFITC 2010), 30 August–1 September 2010, Montgomery, AL, http://www.mc2-afitc.com/

To change, add, or delete your mailing or email address (soft copy receipt), please contact us at the address below or call us at: 703/984-0775, fax us at: 703/984-0773, or send us a message at: iatac@dtic.mil

Information Assurance Technology Analysis Center
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171