Volume 13 Number 2 • Spring 2010

13/2
The Newsletter for Information Assurance Technology Professionals

Cloud Computing: Silver Lining or Storm Ahead?

also inside
Establishing Trust in Cloud Computing
Cloud Computing for the Federal Community
DISA RACE: Certification and Accreditation for the Cloud
Look Before You Leap
Insider Threat Center at CERT Grows Solutions from Reality-Based Research
Wikis Within the DoD
Vulnerability Assessment Processes Within DoD
Eight Steps to Holistic Database Security
Public/Private Partnership Becoming a Necessity
Apples & Oranges: Operating and Defending the Global Information Grid
LPS-Public: Secure Browsing and an Alternative to CAC Middleware
contents

About IATAC and the IAnewsletter
The IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a Department of Defense (DoD) sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), and Director, Defense Research and Engineering (DDR&E).

Contents of the IAnewsletter are not necessarily the official views of or endorsed by the US Government, DoD, DTIC, or DDR&E. The mention of commercial products does not imply endorsement by DoD or DDR&E.

Inquiries about IATAC capabilities, products, and services may be addressed to—
IATAC Director: Gene Tyler
Inquiry Services: Peggy O’Connor

If you are interested in contacting an author directly, please e-mail us at Iatac@dtic.mil.

IAnewsletter Staff
Art Director: Tammy Black
Copy Editor: Kali Wilson
Designers: Michelle Deprenger, Dustin Hurt
Editorial Board: Dr. Ronald Ritchey, Angela Orebaugh, Gene Tyler, Kristin Evans, Al Arnold

IAnewsletter Article Submissions
To submit your articles, notices, programs, or ideas for future issues, please visit http://iac.dtic.mil/iatac/IA_newsletter.html and download an “Article Instructions” packet.

IAnewsletter Address Changes/Additions/Deletions
To change, add, or delete your mailing or email address (soft-copy receipt), please contact us at—
IATAC
Attn: Peggy O’Connor
13200 Woodland Park Road
Suite 6031
Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
Email: iatac@dtic.mil
URL: http://iac.dtic.mil/iatac

Deadlines for Future Issues
Summer 2010: May 8, 2010

Cover design: Tammy Black
Newsletter design: Donald Rowe

Distribution Statement A: Approved for public release; distribution is unlimited.

feature

4   Establishing Trust in Cloud Computing
    We can argue that it is not a matter of whether cloud computing will become ubiquitous—because the economic forces are inescapable—but rather what we can do to improve our ability to provide cloud computing users with trust in the cloud services and infrastructure.

9   IATAC Spotlight on a University
    Penn State is one of the nation’s ten largest undergraduate engineering schools.

10  Cloud Computing for the Federal Community
    A community cloud is the most secure way for the federal government to realize the potential of cloud computing.

16  DISA RACE: Certification and Accreditation for the Cloud
    Government organizations are taking full advantage of the potential benefits offered by cloud computing.

20  Look Before You Leap: Security Considerations in a Web 2.0 World
    Embracing social media is imperative to success in a new communications environment, but doing so without adequate planning can do more harm than good.

25  Insider Threat Center at CERT Grows Solutions from Reality-Based Research
    Educating organizations on how to detect and manage insider threat is critical.

26  Wikis Within the DoD
    Reaping the benefits of community-driven information sharing with wikis.

29  IATAC Spotlight on a Conference
    This event provided opportunities to learn about research as well as ongoing developments.

30  Vulnerability Assessment Processes Within DoD
    Standardizing the vulnerability assessment processes can help avert disaster.

33  Subject Matter Expert
    The SME profiled in this article is Dr. Peng Liu, at Pennsylvania State University.

34  Eight Steps to Holistic Database Security
    Government organizations are finding new ways to secure their data.

37  Public/Private Partnership Becoming a Necessity
    Combating advanced persistent threat (APT) in silo efforts is an unsustainable strategy.

38  Apples & Oranges: Operating and Defending the Global Information Grid
    Our language and doctrine needs to evolve to view cyberspace as the contested, warfighting domain it is.

42  LPS-Public: Secure Browsing and an Alternative to CAC Middleware
    The public edition LPS is a free, easy to use, install nothing, browsing alternative with built-in CAC software for almost any computer.

in every issue
3   IATAC Chat
36  Letter to the Editor
43  Products Order Form
44  Calendar

 2        IAnewsletter Vol 13 No 2 Spring 2010             •   http://iac.dtic.mil/iatac
IATAC Chat
Gene Tyler, IATAC Director

In early February, I had the opportunity to attend the Information Assurance Symposium (IAS) in Nashville, TN. I always look forward to attending this event because it brings together folks who truly care about information assurance (IA). I am always excited to converse with colleagues interested in solving tough IA problems ahead, and yet again, the IAS did not fail; I enjoyed talking with people about some of the newest innovations currently changing our field.

One topic that seemed to dominate the conversations I had with various colleagues and subject matter experts at IAS was cloud computing, and as this edition of the IAnewsletter reflects, this topic is getting a lot of well-deserved attention, for a multitude of different reasons. Cloud computing is revolutionizing how organizations are constructing their networks and systems; it is changing how organizations invest in their information technology infrastructure; and it is forcing organizations to reconsider how they secure critical information—security is critical and at the forefront of cloud computing.

But what, exactly, is cloud computing; and how do you ensure information security in the cloud computing environment? Dr. Bret Michael and Dr. George Dinolt, of the Naval Postgraduate School (NPS), address some of these questions in their article, “Establishing Trust in Cloud Computing.” They argue that a lot of discovery is necessary before the IA community can fully understand cloud computing, its benefits, and more importantly, its weaknesses. I believe they say it best in their statement, “It is unclear whether the current set of [cloud computing] services is sufficiently secure and reliable for use in sensitive government environments.” They advocate a cautious approach to implementing cloud computing capabilities across the government and, in particular, the Department of Defense (DoD). However, these subject matter experts remain optimistic, which is why they are excited about the research and investigation NPS is doing to identify methods of securing cloud-based systems.

On the other hand, some organizations are beginning to successfully implement cloud computing already. Most notably, the Defense Information Systems Agency (DISA) successfully developed the Rapid Access Computing Environment (RACE), which is a cloud-based system. Not only has DISA successfully implemented RACE, but, as the authors point out, “certification and accreditation policy has been adapted to allow organizations to use RACE cloud resources, thereby quickly connecting to the cloud while complying with DoD requirements.” Munjeet Singh and Troy Giefer remain deeply involved with DISA as it implements cloud solutions, and as a result, their article, “DISA RACE: Certification and Accreditation for the Cloud,” provides a different perspective on cloud computing and its advantages.

As these two articles suggest, there is a lot of debate over cloud computing, the advantages it offers, and the risks it presents. I hope the articles presented in this edition of the IAnewsletter also provide you with various perspectives on cloud computing so that you feel inspired to enter into the dialogue. I ask you, is cloud computing the silver lining to computing, and should we storm ahead in implementing it across various organizations? Or might it weaken our computer network defenses and result in a potential storm of malicious attacks in the future?

In addition to cloud computing, I invite you to look at the various other articles in this edition that highlight the following topics, also discussed at IAS: insider threat; Web 2.0 Security; social media and its use in DoD; vulnerability assessments; defending the Global Information Grid; and our industry expert contributes a very interesting article on public/private partnerships. As I always remind our readers, we are interested in your perspectives and welcome your contributions to this publication. We know our readers are the very subject matter experts who are analyzing and experimenting with innovative solutions like cloud computing. Feel free to contact us at iatac@dtic.mil with your perspective on the cloud debate!

FEATURE STORY




Establishing Trust in
Cloud Computing
by Dr. Bret Michael and Dr. George Dinolt




In the aptly titled article, “Cloud Assurance Still Missing,” Allan Carey wrote, “The security problems that organizations face related to cloud computing are the same as those related to virtualization—but even more so.” [1] He goes on to say, “Information assurance practitioners already have most of what is needed to make an informed set of decisions about cloud computing.” [2] We would argue that the security problems go well beyond the use of virtualization in distributed systems. In this article, we discuss the need for asking critical questions about the security implications of cloud computing. Answers to our questions are not readily apparent, even though viewing computing as a utility, similar to that of providing water or electricity on a for-fee basis, dates back to at least the 1960s. [3]

As we pointed out in a recent article, [4] what has changed over time is the advancement of the underlying technology, including cheap, fast central processing units (CPUs), low-cost random access memory (RAM), inexpensive storage, and the high-bandwidth standardized communication needed to efficiently move data from one point to another. Additionally, considerations such as the economies of scale involved in building very large data centers nudged organizations to consider cloud computing as a vehicle for maintaining their competitive edge.

A recent technical report published by the University of California, Berkeley, states that there is no commonly agreed upon definition of cloud computing. [5] Instead, a definition is emerging as the various organizations that are developing cloud services evolve their offerings. In addition, there are many shades of cloud computing, each of which can be mapped into a multidimensional space with the dimensions being characteristics, service models, and deployment models. [6]

Cloud computing is a metaphor for giving Internet users a growing collection of computer system resources and associated software architectures to provide application services. [7] The applications include processing and application integration, storage, and communications services. Cloud services are typically available on demand and are charged on a usage basis. Often, what the user sees is an application instead of a particular computer. The services are commonly described as:
• IaaS (Infrastructure as a Service)—the cloud provides hardware resources, typically virtual machines, which can be loaded with the user’s operating system and software;
• PaaS (Platform as a Service)—the cloud provides a managed platform, including (virtual) runtime environments, networking, etc., on which applications can be placed;
• SaaS (Software as a Service)—the cloud provides software applications.

Amazon’s Elastic Compute Cloud (EC2) is an example of IaaS. [8] Google also provides enterprise-level integrated application services (SaaS) such as email, appointment calendars, text processing and spreadsheets. [9]

The claimed advantages for an enterprise are that it does not require an investment in computer resources, infrastructure, administration, etc.: the purveyor of the cloud provides these resources. The user or enterprise only pays for the resources “consumed.” In the Department of Defense (DoD), we have seen the introduction of infrastructure services on demand provided by the Defense Information Systems Agency’s Rapid Access Computing Environment (DISA RACE). [10] Where available, the cost of developing and maintaining specialized applications can be shared among the users of that application. In theory, there is an advantage in having large-scale resources shared among a large class of users. However, this has yet to be borne out. [11] There are, of course, applications that require a large number of resources. Google Search is one such
example. It appears that Google, Amazon, and others are attempting to leverage their ability to construct such a system into other environments.

We can argue that it is not a matter of whether cloud computing will become ubiquitous but rather what we can do to improve our ability to provide cloud computing users with assurance that the cloud services and infrastructure provide appropriate security functionality. Cloud computing providers should supply their customers with an appropriate level of security transparency to alleviate customers’ reservations about the security and privacy afforded by the cloud. [12] How much transparency is enough? How do we provide for transparency of cloud resources (i.e., determining the cloud in which customer data resides)? Is there a tipping point at which additional levels of transparency would only serve to help malefactors compromise services and datacenters?

In addition, as users and developers find new ways of applying cloud technologies, there will be new expectations about security and privacy. For instance, Twisted Pair Solutions of Seattle proposes to provide cloud computing resources for state and local agencies to link up disparate public safety radio systems (e.g., police, fire, or ambulances)—a novel but difficult-to-predict usage of cloud computing, but also a usage that makes the cloud part of mission- and safety-critical systems. [13] The expectations for security, privacy, reliability, quality of service and so on will be different in some respects for Voice over Internet Protocol (VoIP) radio systems than for the cloud’s social networking aspects. This raises the question: how do we manage risk when we do not fully understand what we are trying to protect or guard against?

The fluid nature of cloud computing makes it a moving target, even when trying to determine the questions we should be asking to improve the security and privacy clouds afford. However, we can ask fundamental questions like: are the current architectures adequate for building trusted clouds? If not, what types of software system architectures do we need? Consider, for instance, the possibility that an organization might opt to fully outsource its computing infrastructure and data center to the cloud, retaining only thin clients within the organization. How do we make the thin client user terminals and the communications infrastructure secure?

Figure 1 Process for Integrating Security Into the Cloud
[Figure: a layered diagram, top to bottom: Security Policy (I&A, Compromise, Integrity, Provision of Service); Informal Map; Integration & Middleware; Formal (Mathematical) Map, with Theorems about Policy (Proof that Spec Satisfies Model); Top Level System Specification; Semi Formal Map (System Satisfies Spec); Top Level System Implementation.]

DoD Enterprise Computing
What is our motivation for jumping feet first into asking hard questions about cloud computing? The growing importance of cloud computing makes it increasingly imperative that security, privacy, reliability, and safety communities grapple with the meaning of trust in the cloud and how the customer, provider, and society in general gain that trust. Consider the initiative of the DoD Enterprise Services & Integration Directorate to make the DoD Storefront Project a reality. The Storefront consists of a cloud-based set of core and specialized applications that users can discover through an application marketplace and which share an identity management framework. How will DoD provide security for the Storefront? It is more than a matter of having an identity
management framework. The obvious security concerns include data integrity, data availability, protection of personally identifiable information, data protection, data destruction, and communications security.

Moving beyond the Storefront concept, as the federal government migrates its data and applications to the cloud, issues regarding cross-domain resource sharing will arise within the cloud. For instance, how will DoD link its clouds to those of other agencies? Will a DoD user, authenticated to enter the DoD cloudsphere, be trusted to access services owned by the Department of Homeland Security (DHS)? Is there a need for a federal-wide cloud infrastructure and common set of security services? How will data be shared among the various different types of cloud?

Information Assurance
At the Naval Postgraduate School, a major thrust of our research on cloud computing is to investigate the security policies, models, and appropriate architectures to provide security for entities/users of cloud computing resources. Although cloud computing may appear to provide reasonably well understood operating system and application resources, cloud resources are distributed in space, time, and scale in ways that were never envisioned in the operating-system world. The current architectural approaches, especially those concerning security, may not scale to the much larger cloud computing approaches. In addition, the approaches for assuring operating system security functionality are not necessarily appropriate. It is unclear whether the

enterprise providing single sign-on; the enterprise user need only log onto their home system. Once logged on, the enterprise user can automatically access their files and services on Google without an additional login. Although convenient, this functionality increases the security exposure not only to the weakness of the enterprise system, but also to the weakness of Google’s infrastructure. If, for example, Google’s infrastructure has a security flaw, then it may be possible for someone in one enterprise to access accounts from another enterprise. On the other hand, security flaws in the enterprise system may lead to weaknesses in the access controls of the information managed by Google Apps. Additionally, connected applications may provide unintended connections among users, as was demonstrated with the introduction of Google Buzz. [17]

When each enterprise maintains its own infrastructure, a failure in one enterprise may cause failures across the cloud. Unless an enterprise uses a single cloud from a single vendor, integrating the various applications, infrastructures, and policies among many different clouds and cloud vendors will be a significant challenge. In fact, it will be a challenge to ensure that the different policies do not contradict and potentially permit access that should not be allowed at the system level.

Ultimately, the proof is in the pudding. Will the cloud vendors be willing to stand behind the security of their systems? In the case of Amazon’s EC2 and Simple Storage Service (S3), Amazon suggests that their EC2 and S3 infrastructure not be used for systems that must satisfy the

maintained within the cloud. Several vendors have formed the Cloud Security Alliance (CSA). [14] In the report titled Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, CSA provides its take on some of the security issues related to cloud computing. [15]

In the report, security properties are described as essentially the same set of properties that a user expects to see with a self-hosted system. These include the usual:
• Identification/Authentication
• Privacy
• Integrity
• Provision of Service.

They view assurance as an audit of the function’s implementation, that is, that the cloud systems’ administrators and implementers have used ‘best practices’. Other than the notion that encryption is used to protect the data, there is little information that defines ‘best practices.’ There is, however, some form of key management included that provides potentially strong identification/authentication, as well as some form of data integrity/recovery facility. The security architecture proposed is essentially a layered operating system application. It consists of a network layer interposed between application programming interfaces (APIs) and the underlying operating system infrastructures. ‘Trusted computing’ is only mentioned at the hardware/operating system level. Additionally, the CSA paper enumerates several security issues that should be addressed by the cloud-style service provider, but does not provide any insight on security policies/models, interfaces or potential solutions.
current set of services is sufficiently                     To provide an example of some of         Payment Card Industry Security
secure and reliable for use in sensitive               the potential issues, Google supports         Standards [18], although it has
government environments. Current                       “Google Apps.” [16] Google Apps applies       published a paper on how Amazon Web
security claims are somewhat limited.                  the usual discretionary access controls       Services can be used in a Health
     One of the fundamental problems                   to the resources it provides – files,         Insurance Portability and Accountability
with adopting cloud computing is                       calendars, address lists, etc. To make life   Act (HIPAA) compliant environment. [19]
providing not only security resources                  easier, Google provides tools that                 In the HIPAA paper, Amazon
but also assurances that those resources               integrate their identification and            essentially places almost all the
are correctly implemented and                          authentication systems into the               requirements on the “user/enterprise”


6   IAnewsletter Vol 13 No 2 Spring 2010   •   http://iac.dtic.mil/iatac
to encrypt all the data stored and to manage its keys. Amazon provides services to log safely into its systems and provides some data recovery and integrity facilities.

In the realm of reliability, prior to the breakup, AT&T was required to build systems that had an up-time reliability of "five nines" (99.999 percent, about 5.2 min/yr of downtime). Part of the reason for this was to ensure services in case of national emergency. Current cloud-based systems are advertised as providing "three nines" (99.9 percent, almost 9 hrs/yr of downtime). [20]

Determining Where Trust Should be Placed
Clearly, there are many challenging security issues related to cloud computing. In our research, we are working on a formal, structured, possibly mathematical approach that will give users and cloud developers deeper insight into what should be done, how it might be achieved, and where the trust should be placed. This research includes the investigation of implementation structures and assurance provisions for "security" in cloud-based systems. To do this, we will attempt to provide security architectures and models that satisfy the following:
• They are aware of the amorphous nature and scale of the cloud computing paradigm
• They include mathematical models of the security properties that can be used to help analyze those properties
• They provide the underpinnings on which application/enterprise/user level security policies/properties can be implemented
• They provide the foundations on which the implementation assurances can be ascertained.

Our hope is that the results of the research will provide a framework that can be at least partially applied to the current cloud architectures and may lead to new architectures with better defined, more assured security.

Over the past 30-plus years in the operating system security world, a lot of work has been done to provide highly assured components with trustworthy systems. Unfortunately, the commercial world has ignored a lot of this work. Recent efforts have focused on the use of separation kernels. For example, Green Hills has recently received a National Information Assurance Partnership (NIAP) certificate for its INTEGRITY-178B Separation Kernel. [21] Separation kernels provide a minimal set of operating system services on which other trusted services and applications can be built. They may be thought of as slightly more functional than a Virtual Machine Monitor (VMM), although Green Hills and others are looking to implement high-assurance VMMs using their technology.

Our approach to the problem involves separation of 'virtual' resources. This approach constructs an infrastructure that establishes (or reconstructs where appropriate) resources, identifies and authenticates users, and then controls access to the resources. Our focus is to provide a model and a security architecture that provides the infrastructure that will accomplish these goals.

An Example
For instance, consider PaaS. An enterprise might wish to run its own applications. These applications may only run on an intermittent basis and/or require a large number of resources. One way to achieve this is to use a cloud PaaS.

We use the term 'enterprise' to describe the organization requiring the platform and 'provider' for the organization providing the cloud platform resources. The PaaS provider would provide 'platforms,' either 'real' as part of a virtual environment (a means for downloading an operating system and for managing the platforms), or as possible network interface(s) on the platform(s). The enterprise loads operating systems, applications, etc., onto the platform(s) and manages all the interfaces and resources provided. The example below assumes that multiple platforms will be used.

The security policy visible to the user includes:
• Identification—A set of platform names issued by the provider (unique to the enterprise)
• Authentication—A secure channel that can be used to load the operating system(s) onto the platforms; the provider is trusted to ensure that the only communication with the platforms is from or to the enterprise
• Integrity—The provider should guarantee that the resources are "empty" on first use and that none of the platform resources are modifiable by any party other than the enterprise. This includes any management functions; it is up to the enterprise to ensure that any network interfaces are appropriately protected
• Privacy—The provider should guarantee that there is no third-party access to the platform processor, memory, and/or disk files
• Provision of Service—The provider should provide access to the resources on demand, per any service level agreements between the enterprise and the provider.

There are at least two models of this kind of service:
1. Resources are provided on an ad hoc, intermittent basis. In this version, there is no connection between consecutive uses of the resources. The enterprise uses the resources once. During subsequent uses, the enterprise assumes that all the previous data does not exist or has been erased by the provider. The only connection between the two usages is that the enterprise uses the "same identifiers" to access new instances of the resources.
   There is no guarantee that the same physical resources will be used for each run of the platform(s).
2. The enterprise 'turns off' the platform but, in subsequent use after turning it back on, finds the platform resources in the same state they were in after being turned off. As expected, the enterprise might pay more for this service. In this case, the provider must protect the information in the resources between runs from both modification and access by third parties. There is no guarantee that the same physical resources will be used in each run of the platform.

Note that in both cases, the provider provides access to platforms and associated data. The platforms are available to others when the enterprise is not using them. Any provider configuration data about the platforms must be protected from modification and, in the second case above, any enterprise information that will be reused must also be protected.

Informally, a portion of the model might then take the form of:
• VPlatform—The set of names of virtual platforms that will be provided to enterprises
• VPlatformType—Whether the VPlatform resources are persistent (type 2 above) or not
• VPlatformResource—The set of resources associated with a VPlatform
• Enterprise—The set of enterprises that use VPlatforms
• Allocation—An association of an Enterprise with a VPlatform, a VPlatformType and VPlatformResources. The same Enterprise may have multiple VPlatforms and VPlatformResources associated with it
• PlatformCloud—A sequence of sets of Allocations.

The security properties then become statements about the resources and platforms. For example: no pair of allocations shares any common VPlatforms or VPlatformResources.

As depicted in Figure 1, the security properties can be modeled on a collection of statements of this kind. Each of the statements should map back to some aspect of the system's user-visible security policy. We could use our statements about the relationships of the entities (sets) we describe to prove additional properties of the system.

Following the security model's construction, a high-level execution model should be constructed and validated mathematically to determine that it satisfies our security model. Next, it is necessary to map our high-level model to the varied cloud implementations as documented by the vendors.

Conclusion
Cloud security is an ill-defined, little-understood area of distributed computing. However, we believe that progress can be made to provide a level of assurance that accommodates the resources needed to support DoD and the federal government's information processing requirements.

About the Authors
Dr. Bret Michael is a Professor of Computer Science and Electrical Engineering at the Naval Postgraduate School. He conducts research on the reliability, safety, and security of distributed systems. He is an Associate Editor-in-Chief of IEEE Security & Privacy magazine and a member of the IATAC Steering Committee.

Dr. George Dinolt is a Professor of Practice in Cyber Operations at the Naval Postgraduate School. His research interests are primarily in the high assurance portions of Computer Security. His research covers formal methods and the connections between them and security policies, secure systems architectures and secure-systems design.

References
1. IAnewsletter, vol. 13, no. 1, winter 2010, p. 34.
2. Ibid.
3. M. Campbell-Kelly, "The Rise, Fall, and Resurrection of Software as a Service: A Look at the Volatile History of Remote Computing and Online Software," Communications of the ACM, vol. 52, no. 5, pp. 28–30, May 2009.
4. B. Michael, "In Clouds Shall We Trust," IEEE Security & Privacy, vol. 7, no. 5, p. 3, September/October 2009.
5. M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, "Above the Clouds: A Berkeley View of Cloud Computing," EECS Department, University of California, Berkeley, Technical Report UCB/EECS-2009-28, 10 February 2009, http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.html.
6. P. Mell and T. Grance, "The NIST Definition of Cloud Computing," Version 15, 7 October 2009, http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.
7. http://en.wikipedia.org/wiki/Cloud_computing.
8. http://aws.amazon.com.
9. http://docs.google.com.
10. http://www.disa.mil/race.
11. H. G. Miller and J. Veiga, "Cloud Computing: Will Commodity Services Benefit Users Long Term?" IEEE IT Professional, vol. 11, no. 6, pp. 67–69, November/December 2009.
12. http://www.opencloudmanifesto.org.
13. http://www.fcw.com/Articles/2009/04/16/Cloud-computing-moving-into-public-safety-realm.aspx.
14. http://www.cloudsecurityalliance.org.
15. http://www.cloudsecurityalliance.org/csaguide.pdf.
16. http://www.google.com/apps.
17. http://www.nytimes.com/2010/02/15/technology/internet/15google.html.
18. http://www.mckeay.net/2009/08/14/cannot-achieve-pci-compliance-with-amazon-ec2s3.
19. http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf.
20. http://www.google.com/apps/intl/en/business/infrastructure_security.html.
21. http://www.niap-ccevs.org/cc-scheme/st/vid10119/maint200




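The allocation model in the article above (VPlatform, VPlatformType, VPlatformResource, Enterprise, Allocation, PlatformCloud), the separation property it states ("no pair of allocations shares any common VPlatforms or VPlatformResources"), and the two service models from its PaaS example (ephemeral and persistent platforms) can be exercised directly as sets. The Python checker below is an added example written for this edit; it is not code from the article or from the authors' research. The type and field names follow the article's model; the `persistent_leaks` rule, the three-round sample cloud, and all enterprise, platform and resource names are my own assumptions chosen for illustration.

```python
"""Checker for a set-based PaaS allocation model (added example, not the article's code)."""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple


class VPlatformType(Enum):
    EPHEMERAL = 1   # service model 1 in the text: nothing survives between uses
    PERSISTENT = 2  # service model 2 in the text: state is kept between runs


@dataclass(frozen=True)
class Allocation:
    """Association of an Enterprise with a VPlatform, its type and its resources."""
    enterprise: str
    vplatform: str
    vtype: VPlatformType
    resources: FrozenSet[str]   # the VPlatformResources backing this allocation


# A PlatformCloud is a sequence of sets of Allocations; the list index is the round.
PlatformCloud = List[Set[Allocation]]


def shared_in_round(allocs: Set[Allocation]) -> List[Tuple[str, str]]:
    """The article's stated property: within one round, no pair of allocations
    shares a VPlatform or a VPlatformResource. Returns (shared item, "a/b")
    pairs naming the offending enterprises; an empty list means the round is clean."""
    bad = []
    ordered = sorted(allocs, key=lambda x: (x.enterprise, x.vplatform))
    for a, b in combinations(ordered, 2):
        if a.vplatform == b.vplatform:
            bad.append((a.vplatform, f"{a.enterprise}/{b.enterprise}"))
        for r in sorted(a.resources & b.resources):
            bad.append((r, f"{a.enterprise}/{b.enterprise}"))
    return bad


def persistent_leaks(cloud: PlatformCloud) -> List[Tuple[int, str, str, str]]:
    """Assumed stricter reading of service model 2 (my assumption, not stated in
    the article): once a resource backs a PERSISTENT allocation of enterprise E,
    it stays E's for the rest of the sequence (the set model has no release event),
    so handing it to a different enterprise later would expose E's retained data.
    Returns (round, resource, holder, other enterprise) for each such hand-off."""
    held: Dict[str, str] = {}   # resource -> enterprise holding it persistently
    leaks = []
    for i, allocs in enumerate(cloud):
        for a in sorted(allocs, key=lambda x: (x.enterprise, x.vplatform)):
            for r in sorted(a.resources):
                holder = held.get(r)
                if holder is not None and holder != a.enterprise:
                    leaks.append((i, r, holder, a.enterprise))
        for a in allocs:   # record holdings after checking the round
            if a.vtype is VPlatformType.PERSISTENT:
                for r in a.resources:
                    held[r] = a.enterprise
    return leaks


def check(cloud: PlatformCloud) -> Dict[str, list]:
    """Run both properties over every round of a PlatformCloud."""
    return {
        "shared": [(i, v) for i, rnd in enumerate(cloud) for v in shared_in_round(rnd)],
        "persistent_leaks": persistent_leaks(cloud),
    }


def sample_cloud() -> PlatformCloud:
    """Constructed sample (not from the article): three rounds of allocations."""
    E, P = VPlatformType.EPHEMERAL, VPlatformType.PERSISTENT
    r0 = {Allocation("acme", "vp1", E, frozenset({"disk1", "net1"})),
          Allocation("bank", "vp2", P, frozenset({"disk7"}))}
    r1 = {Allocation("acme", "vp3", E, frozenset({"disk1"})),   # fine: ephemeral reuse
          Allocation("cafe", "vp4", E, frozenset({"disk7"}))}   # leak: bank's persistent disk
    r2 = {Allocation("acme", "vp1", E, frozenset({"net1"})),
          Allocation("dune", "vp1", E, frozenset({"disk9"}))}   # same VPlatform twice
    return [r0, r1, r2]


if __name__ == "__main__":
    for name, violations in check(sample_cloud()).items():
        print(name, violations)
```

Running the module reports one separation violation (round 2, two allocations on vp1) and one persistent hand-off (bank's disk7 given to cafe in round 1). The second rule is deliberately stricter than the article's wording, which only requires the provider to protect retained data between runs; adding a release event that ends a holding is the kind of additional property the authors propose proving from the set relationships.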
IATAC SPOTLIGHT ON A UNIVERSITY

Pennsylvania State University
by Angela Orebaugh

In 1855, Pennsylvania State University (Penn State) was originally founded on 200 acres in Centre County, Pennsylvania, as an agricultural school that applied scientific principles to farming. Engineering studies were introduced in 1882, making Penn State one of the nation's ten largest undergraduate engineering schools. Today, Penn State has grown into a large, geographically dispersed, major research institution. Nineteen campuses, 15 colleges, and one online World Campus currently comprise Penn State. In Fall 2009, Penn State served over 80,000 undergraduates and over 13,000 graduate students, with half of the student population enrolled at the main campus in University Park.

The National Security Agency (NSA) and the Department of Homeland Security (DHS) have designated Penn State a National Center of Academic Excellence in Information Assurance Education (CAE/IA) since 2003 and a National Center of Academic Excellence in Information Assurance Research (CAE-R) for 2008-2013.

The College of Information Sciences and Technology (IST) offers a bachelor's degree in Security and Risk Analysis (SRA). This degree program is intended to familiarize students with the general frameworks and multidisciplinary theories that define the area of security and related risk analyses. Courses in the major engage students in the challenges and problems associated with assuring information confidentiality, integrity (e.g., social, economic, technology-related, and policy issues), as well as the strengths and weaknesses of various methods for assessing and mitigating associated risk. The major provides grounding in the analysis and modeling efforts used in information search, visualization, and creative problem solving. This knowledge is supplemented through an examination of the legal, ethical, and regulatory issues related to security, which includes analyzing privacy laws, internal control, and regulatory policies, as well as basic investigative processes and principles. Such understanding is applied to venues that include transnational terrorism, cyber crimes, financial fraud, risk mitigation, and security and crisis management. It also includes overviews of the information technology that plays a critical role in identifying, preventing, and responding to security-related events.

IST also offers a graduate degree in Security Informatics, which seeks to improve the cyber security of individuals and organizations by creating innovative solutions for detecting and removing cyber threats, recovering from cyber attacks, protecting privacy, enhancing trust, and mitigating risks.

Penn State includes a number of research centers focused on cyber and information security:
• The Center for Information Assurance plans, coordinates, and promotes IA research, education, and outreach. The faculty coordinators for the center include Dr. Chao-Hsien Chu and Dr. Peng Liu. The center's missions are:
  – Conduct broad-based research on various aspects (theoretical and applied; technical and managerial; wired and wireless, etc.) of information and cyber security
  – Educate and train information security professionals through degree and continuing education programs, and ensure that information security awareness is instilled in all Penn State students
  – Provide assistance and technical support to industry, non-profit organizations, government, and individuals in the information and cyber security area. [1]
• The Networking and Security Research Center (NSRC) was established in 2003 to provide a research and education community for professors, students, and industry collaborators interested in networking and security. It also provides a unique avenue for interaction with industry; the

(continued on page 15)


Cloud Computing for the
Federal Community
by Hannah Wald




The question is not whether, but when, the U.S. federal government will embrace cloud computing. The current administration—in particular its Chief Information Officer, Vivek Kundra—is very enthusiastic about this technology's potential. Some federal agencies are already moving into the cloud: the Defense Information Systems Agency (DISA) is pilot testing a cloud; [1] the National Aeronautics and Space Administration (NASA) has announced plans to develop a cloud that can be used both internally and for collaboration with external research partners; [2] the Department of the Interior (DOI) has an Infrastructure as a Service (IaaS) offering called the National Business Center Grid (NBCGrid), with other offerings set to roll out in the near future; [3] and the General Services Administration (GSA) offers access to various externally provided cloud applications through its portal site, http://apps.gov. [4]

The federal government is not seriously considering cloud computing simply because of its hype. Agencies are finding it increasingly costly and difficult to procure, set up, maintain, and secure traditional computing architectures. This may explain why bodies such as the National Institute of Standards and Technology (NIST) and the Government Accountability Office are holding off on setting rules and standards for cloud computing while they survey the landscape and take an inventory of best practices. They are concerned about the risks inherent in cloud computing but do not want to restrict innovation. Pro-cloud civil servants believe cloud computing can make federal Information Technology (IT) and services cheaper, easier, and more secure—and it can—provided the cloud is implemented and managed properly.

For many federal agencies, a community cloud would be the best deployment model to use (regardless of the exact type of service being provided). The GSA, or another provider who is familiar with federal IT needs, could stand up a multi-agency cloud that facilitates and enforces compliance with government-wide security standards such as those outlined in regulations (e.g., the Federal Information Security Management Act [FISMA]) or guidance documents (e.g., the NIST 800 series). Alternatively, individual cabinet-level agencies could provide clouds for their "community" of internal divisions, which could serve agencies' individual compliance needs more easily than a generalized multi-agency cloud. [5] DISA's Rapid Access Computing Environment (RACE) sets a precedent for this model: it is intended to serve the entire Department of Defense, which has its own set of security standards in addition to those mandated for civilian agencies. [6] A third possibility is a "federated" hybrid of agency-specific community clouds and a government-wide community cloud, all with certain common standards (e.g., a minimal security baseline, universal protocols) but otherwise tailored to specific purposes.

Understanding the merits of a community cloud requires understanding fundamental cloud


computing concepts, starting with the definition of "cloud computing" provided by NIST:

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." [7]

NIST also lists five essential characteristics of cloud computing:
• On-demand self-service—A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
• Broad network access—Capabilities are available over the network and accessed through standard mechanisms that promote use by client platforms (e.g., mobile phones, laptops, and PDAs).
• Resource pooling—The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources
  customer generally has no control over or knowledge of the provided resources' exact location but may be able to specify location at a higher level of abstraction (e.g., country, state, or data center). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
• Rapid elasticity—Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear unlimited and can be purchased in any quantity at any time.
• Measured service—Cloud systems automatically control and optimize resource use by leveraging a metering capability appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). The provider and consumer can monitor, control, and report resource usage, thus providing transparency of the utilized service. [8]

Industry expert Dave Linthicum,

using a software offering from one provider and an infrastructure offering from another. Commoditization of bandwidth allows clients to easily leverage distantly located resources—something that was difficult only a few years ago—and pay for use of those resources as if they were gas or electricity. Finally, cloud providers are particularly innovative in the services they offer and are developing new services all the time. [9] Cloud allows users to leverage IT solutions with an unprecedented level of granularity.

An organization can pay an outside cloud provider for data, applications, operating platforms, raw digital storage, and/or processing resources: Data as a Service (DaaS), Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), respectively. [10] A data-mining company providing its customers with on-demand access to its records of individual purchase histories is an example of DaaS; Google Apps are SaaS; a firm offering application development environments to startups is selling PaaS; and a company offering access to raw computing resources is selling IaaS.

The split of assurance responsibilities between the provider and client varies depending on the
      dynamically assigned and                 notes that cloud computing is similar to       service. With DaaS and SaaS, the
       reassigned according to consumer        time-sharing on mainframes, but with           provider has control over almost
      demand. A sense of location              some added features. For example, cloud        everything. With PaaS, the client is
       independence exists because the         clients can “mix and match” solutions          responsible for application security, and


                                                                             IAnewsletter Vol 13 No 2 Spring 2010   •   http://iac.dtic.mil/iatac   11
everything else is left to the provider. With IaaS, the client is responsible for everything but physical and (some aspects of) network security. Regardless of the service and inherent allocation of responsibility, cloud clients ultimately leave the fate of their information assets in the provider’s hands (see Figure 1).

Figure 1 Provider Assurance Responsibility in Different Types of Service [11]
(Layer stack, top to bottom. Software as a Service (SaaS): Presentation Modality, Presentation Platform, APIs, Applications, Data, Metadata, Content. Platform as a Service (PaaS): Integration & Middleware. Infrastructure as a Service (IaaS): APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities.)

The service provider is responsible for maintaining, upgrading, and securing the hardware and software (where applicable) on which the service runs. Ideally, this setup allows users to stop worrying about the security of their information assets by leaving them in more competent hands. Cloud computing also has certain security advantages. For example, a desktop computer almost never complies with an organization’s security policy “out of the box,” but a cloud can be configured so every new virtual machine created therein is compliant. Monitoring certain activities and rolling out updates across a cloud is relatively easy—unlike doing so across a collection of distinct physical machines.

However, cloud computing presents a variety of information assurance (IA) challenges. One salient feature of the time-sharing model was trust. The users and owners of the old mainframes were part of a community with common incentives and goals, which is not necessarily the case in cloud computing. In a public cloud, the relationship between clients and providers is largely transactional, and the clients do not know each other. The parties involved have little basis for trust and may in fact distrust one another to a certain extent.

Trust, or lack thereof, is a factor in all five of the fundamental cloud security challenges. These challenges all involve uncertainties about the provider’s standard of care and how the provider will treat the client (and the client’s data) in the event of a problem. [12]

• Data protection
  – Where do data physically reside, and does the data’s location have legal ramifications?
  – Are data safely protected (i.e., by encryption) while stationary or in motion within and across the cloud?
  – How is availability of data assured in the cloud?
  – Does the provider take measures to ensure that deleted data is not recoverable?
• Security control
  – What security controls does the cloud provider need to implement, and how?
  – How are assurance levels effectively and efficiently managed in the cloud?
• Compliance
  – Is the cloud complying with all the necessary guidance?
  – Can the provider substantiate claims that security controls are implemented sufficiently?
• Multi-tenancy
  – Are my assets vulnerable if another client is exploited by an attack?
  – How does the cloud provider keep different clients’ data separated and inaccessible from other clients?
  – If a forensic/electronic discovery procedure is conducted on one client’s data, how will the
    provider protect the confidentiality of other clients’ data?
• Security governance
  – Who owns/accesses/deletes/replicates data in the cloud?
  – How can the client ensure policy enforcement?
  – How can the client measure and track service/network performance?

Figure 2 illustrates the layers of the cloud and associated layers of security.

Figure 2 Layers of Cloud Computing Environment (CCE) Security [13]
(Framed by Policy & Procedures above and Technology & Tools below; left axis: Governance, Controls, Stakeholder Satisfaction…; goal: Trusted Environment, Well-Served & Satisfied Users, Agency Success. Cloud layers, top to bottom: Presentation Modality, Presentation Platform, APIs, Applications, Data, Metadata, Content, Integration & Middleware, APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities. Corresponding security layers and controls:)
  – Information: data encryption, database security
  – Applications: applications/service access control, static code analysis, WAFs
  – Management: policy enforcement, rerouting and throttling of services, validated identity claims, authentication and authorization, security event monitoring, alerting and notification, contextual dashboard, independent key management
  – Network: firewalls, NIDS, zone-based segmentation, dedicated MPLS/VPN network connections
  – Trusted Computing: secure hypervisor for segmentation, message verification, trusted APIs
  – Compute & Storage: massive scale, contractual constraints on storage locations, controlled and secured server images, encryption
  – Physical: infrastructure security, physical inventory
*Derived from CSA “Security Guidance for Critical Areas of Focus in Cloud Computing”

Exacerbating these problems is the fact that contracts with public cloud providers almost always take the form of non-negotiable service-level agreements (SLAs) that severely limit, at best, the client’s ability to see, audit, or control back-end operations in the cloud. A client’s ability to do so would create more difficulties than most providers are willing to deal with. The provider may not want to answer questions about its security practices. Cloud SLAs also generally absolve the provider of liability in the event of a security breach. (This is not the case with private and community clouds: more on this later.)

If the transition of federal information assets into the Cloud Computing Environment (CCE) is inevitable, then how can the federal government effectively mitigate the risks inherent in the cloud? First, government organizations must decide whether to move certain assets to the cloud at all. On the face of it, spending $10 a day for cloud infrastructure seems less costly than spending $100 on in-house infrastructure (not to mention capital expenditure; it is less costly to start up a virtual server in a cloud than to set up a physical one). However, thinking only in terms of $10 versus $100 for regular maintenance is dangerous because it ignores other kinds of costs. What will it cost an agency if moving to the cloud compromises its ability to protect sensitive data or meet mission requirements? Agencies need to consider these kinds of costs as they evaluate their information assets for “cloud readiness” on a case-by-case basis. [14] Once an agency has decided which assets it can safely transition to the cloud, it needs to choose the service model—or relationship between cloud client and provider—that best fits its requirements. The four cloud service models—public, private, community, and hybrid—have different sets of costs and benefits (see Figure 3).

The public cloud service model is probably what many people would consider the archetypal model of cloud computing. In the public cloud model, a provider sells cloud services to multiple unrelated clients, or tenants. They leave
back-end maintenance and operations to the cloud provider. This arrangement is very cost-effective and, in theory, lets clients rest easy knowing the security of their information assets is in good hands. However, the fundamental cloud security challenges mentioned earlier are most problematic in this model.

If a federal agency were to entrust its information assets to a cloud provider under the terms of a standard cloud SLA, the agency would have difficulty demonstrating compliance with IA standards mandated by regulations, such as FISMA. Most public cloud providers would have to significantly retool their operations to help federal agencies meet their IA obligations. Some providers are attempting to do so (Amazon’s “virtual private cloud” is an example [16]), but, for the time being, public clouds are inappropriate for anything but the least critical, most low-risk federal information assets.

A private cloud can be operated by the same organization that uses it, or a dedicated provider can operate the cloud on the organization’s behalf. A private cloud, when managed properly, is the most secure type of cloud service model because it is directly controlled by its client. Private clouds also make more efficient use of physical IT assets than traditional data centers, but lack most of the economic benefits of outsourced cloud service. For organizations with less sensitive assets, putting everything in a private cloud may create unnecessary costs, inefficiencies, and redundancy. Also, if an organization has difficulty securing its information assets in a traditional setup, it is unlikely that transitioning to a private cloud will solve its problems. Such an organization would benefit from having a trusted service provider perform these functions.

A community cloud is somewhere on the continuum between the public and private service models, and it enjoys some of the benefits of both. Like a public cloud, community clouds serve multiple tenants. The difference is that the tenants are not strangers but related entities that share common characteristics and needs. An individual client community member, multiple members working cooperatively, or a dedicated provider can operate community clouds. Unlike public clouds, community clouds are built and operated on the clients’ terms: they can be constructed to facilitate compliance with standards that all clients use. Of all the cloud models, the community cloud is most similar to time-sharing in terms of the level of trust between all stakeholders. This type of cloud also offers many of the economic advantages of the public cloud because it eliminates a considerable amount of redundant effort and cost. Members of the client community can pay the provider for only what they use, or for the utility and subscription cost. The latter would still likely total less than what the client would have paid to operate its own individual data centers.

The last type of service model is a hybrid cloud, which combines two or more of the service models described above. An organization could, for example, keep sensitive proprietary data in its own private cloud and collaborate on projects with industry partners in a community cloud. For users belonging to the organization, these two clouds would, in effect, be seamlessly integrated through a single sign-on system. The problem with hybrid clouds is that they share vulnerabilities in the system’s least secure areas and present new vulnerabilities. For instance, if it is easy for a user to switch between clouds on his or her desktop computer, it is also easy for that user to make a mistake and expose sensitive data. In addition, integrated clouds mean integrated complex systems, which by definition are rife with potential security vulnerabilities.

Figure 3 Advantages and Disadvantages of Cloud Computing From a Federal Perspective [15]
  Pros: reduce costs; resource sharing is more efficient; management moves to cloud provider; consumption based on cost; faster time to roll out new services; dynamic resource availability for crunch periods.
  Inhibitors: compliance/regulatory laws mandate on-site ownership of data; security and privacy; latency & bandwidth guarantees; absence of robust SLAs; uncertainty around interoperability, portability & lock-in; availability & reliability.

Returning to the central point of this article, a federal community cloud can provide a guaranteed IA baseline for its clients, whether they are departments within an agency or multiple agencies. It can reduce the cost of providing effective security and eliminate significant redundancy. It can also be fully accountable to its clients and their oversight bodies (i.e., Office of Management and Budget, Congress). The clients and their oversight bodies can have a reasonable level of visibility into, and control over, cloud operations. All primary stakeholders could work together to set policy and address problems. Last but not least, federal community clouds can be used to facilitate intra- and inter-agency cooperation within the framework of the Federal Enterprise Architecture.

Setting up a community cloud and governance structure that will
adequately satisfy all federal clients will be a challenging endeavor—even if the community is limited to the departments of a single agency. Architecting the technical and governance structure of a (possibly federated) community cloud for multiple agencies is an even more daunting prospect. A series of intra-agency (as opposed to inter-agency) community clouds may be the best possible outcome. Whether it serves only one agency or many, a community cloud is the most secure way for the federal government to realize the potential of cloud computing.

About the Author

Hannah Wald | is an Assurance and Resiliency consultant currently supporting the National Telecommunications and Information
information science from the School of Information at the University of Michigan.

References

1. http://www.disa.mil/race
2. http://nebula.nasa.gov
3. http://cloud.nbc.gov
4. https://apps.gov/cloud/advantage/main/start_page.do. A link to a cloud service on apps.gov does not mean that the service is “safe” or that its provider has demonstrated compliance with federal security standards.
5. Some large agencies that are not at the Cabinet level, such as the Internal Revenue Service or Social Security Administration, may also benefit from having their own community cloud (admittedly, at that level the distinction between “community” and “private” cloud is not very clear).
6. On that note, some federal government entities—particularly those involved in law enforcement, defense, and intelligence—will need private clouds to protect their classified information assets.
8. Ibid.
9. Linthicum, David S. Cloud Computing and SOA Convergence in Your Enterprise. Boston: Pearson Education, Inc., 2010. Pages 25–26. Print.
10. NIST’s definition of cloud computing recognizes SaaS, PaaS and IaaS, but not DaaS. However, I have included DaaS because it is a fairly common cloud service offering.
11. Graphic from Hanna, Steve. “Cloud Computing: Finding the Silver Lining.” 18 March 2009.
12. For a more in-depth discussion of security and legal issues in Cloud Computing, refer to guidance from the Cloud Security Alliance at http://www.cloudsecurityalliance.org
13. Graphic from Theodore Winograd, Holly Lynne Schmidt, Kristy Mosteller, and Karen Goertzel, “Public Cloud Computing Environment (CCE) Acquisition: Managing Risks to the Federal Government.” Booz Allen Hamilton, 2009.
14. Linthicum 2010, pp. 192–193.
15. Graphic from Stephen T. Whitlock, “Cloud’s Illusions: Jericho Forum Future Direction.” 16 February 2009.
                                                     7.	   Grance, Tim, and Peter Mell. “The NIST Definition
Administration at the Department of Commerce.                                                                     16.	    http://aws.amazon.com/vpc
                                                           of Cloud Computing.” National Institute of
Ms. Wald has contributed to the research
                                                           Standards and Technology: Information Technology
conducted for IATAC’s State of the Art Report on
                                                           Laboratory Website. 7 October 2009. National
Supply Chain Security, which is scheduled for
                                                           Institute of Standards and Technology, Information
release this spring. This article draws heavily on
                                                           Technology Laboratory, Web. Accessed 12 January
research conducted and materials produced by her
                                                           2010. http://csrc.nist.gov/groups/SNS/cloud-
colleagues. Ms. Wald has a Master’s degree in
                                                           computing/cloud-def-v15.doc. Page 1.




(continued from page 9)
IATAC Spotlight on a University

members of the NSRC actively consult with industry and participate as partners on funded projects. Member companies enjoy benefits for sponsoring research and having access to the latest results and technical reports from the NSRC. Hosted in the Department of Computer Science and Engineering (CSE) at Penn State, the NSRC is comprised of nine faculty members in the College of Engineering, including eight members from CSE and one from Electrical Engineering (EE). Several faculty members also have joint appointments in EE and the College of Information Sciences and Technology. The NSRC includes approximately 50 Doctor of Philosophy (Ph.D.) and Master of Science (M.S.) students, and several undergraduate honors theses are advised through NSRC faculty as well. [2]

• The LIONS Center is the IST Center for Cyber-Security, Information Privacy, and Trust, whose mission is to:
  – Detect and remove threats of information misuse to the human society: mitigate risk, reduce uncertainty, and enhance predictability and trust
  – Produce leading scholars in interdisciplinary cyber-security research
  – Become a national leader in information assurance education.

The center currently includes seven core faculty members, 20 collaborating faculty, two research associates, and 19 Ph.D. students. The center has published over 200 publications since 2002 and received over $3 million in research grants.

References
1. http://net1.ist.psu.edu/cica/cia-ist.htm
2. http://nsrc.cse.psu.edu

IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 15
DISA RACE: Certification and Accreditation for the Cloud
by Munjeet Singh and Troy Giefer

Background

Since the Obama Administration announced plans to use cloud computing to cut costs on infrastructure and improve performance of government computing systems, the Department of Defense (DoD) and other federal agencies have become increasingly interested in how to take full advantage of the potential benefits offered by cloud computing. [1] Few existing cloud providers meet DoD requirements, and choices are primarily limited to the public domain. Additionally, there are concerns about government use of public clouds because of the lack of control and visibility into the cloud’s underlying security infrastructure and the challenges of complying with DoD and federal information assurance (IA) policy and procedures.

Given the high level of interest in cloud computing, the Defense Information Systems Agency (DISA) recognized the need for a government-managed cloud that could benefit the DoD community. DISA subsequently developed the Rapid Access Computing Environment (RACE), which is an agile and robust cloud computing environment that allows DoD organizations to provision virtual servers and storage from a Web portal. RACE is a streamlined workflow process designed for use in a virtualized development and test environment. RACE is customized to enable DoD components to rapidly and seamlessly transition from application development to testing and into a full production environment, a process known as the Path-to-Production. Current DoD certification and accreditation (C&A) policy has been adapted to allow organizations to use RACE cloud resources, thereby quickly connecting to the cloud while complying with DoD requirements.

This article describes the goals DISA sought to achieve and the approach it took as it developed the RACE Path-to-Production process. It will also highlight many of the key characteristics and capabilities of the DISA RACE cloud.

Goals and Objectives

DISA’s primary goals in developing the RACE Path-to-Production were to:
• Develop a streamlined C&A process that would reduce the time and effort required to transition an application from development to test, and ultimately to a production environment (Path-to-Production process)
• Reduce the current C&A approval time from 120 days to under 40 days
• Develop an enhanced RACE portal that enables customers to purchase and manage virtualized RACE development and test environments and provide additional storage.

Approach

Before designing a new streamlined C&A workflow process, it was important to understand the current approval process, identify key organizations involved in the decision making, and identify the artifacts required by each organization. The approach used in developing the Path-to-Production process was conducted in two phases.

Phase I consisted of data gathering and documentation of the current C&A workflow process. This included identifying all key organizations involved in data collection, document handling and processing, validation, certification, and accreditation of a system. Personnel from each organization involved in the approval process were interviewed to define roles and responsibilities. The responsibilities of each entity were then mapped to a process flow diagram that identified each step in the process. In addition, a complete list of artifacts required by each key organization as input and generated as output was compiled. The end result captured the comprehensive ‘as-is’ DoD Information Assurance Certification and Accreditation Process (DIACAP). DISA supplemented process steps required to obtain certification.

Phase II consisted of a duplication analysis of the organizational roles and artifacts. The intent of the analysis was two-fold, specifically to: (1) eliminate duplication of effort across the various organizations involved in the C&A workflow process; and (2) reduce or eliminate duplication of documentation. Eliminating duplication of effort across the organizations involved in the decision making would reduce the time required for a system to reach approval to operate (ATO). In addition, eliminating the duplicate documentation would both reduce the possibility of inconsistencies and eliminate the need for the customer to create multiple documents that contain duplicate information, which would further reduce the time to complete the C&A process.

The analysis of the current processes, responsibilities, and artifacts gave DISA the groundwork for designing a more efficient C&A workflow process (Path-to-Production).

Path-to-Production

DoD organizations use the RACE cloud for application development and testing, and to prepare for deployment into a production environment. Path-to-Production refers to the process that an organization follows to promote the application developed in a virtualized environment from development to test, and from test into a Defense Enterprise Computing Center (DECC) production environment (Figure 1). The Path-to-Production process reduces the total time required to obtain accreditation of an application from an average of 120 days to under 40 days, in part, by streamlining approval workflows and leveraging inheritance of IA controls from the RACE cloud and DECC environments.

[Figure 1 Path-To-Production: RACE Zone A Compute (DEV Cloud), RACE Zone B Compute (DEV Cloud), Environment Promotion to Test, Environment Promotion to Production, Virtualized Production Zone, NIPRNet / GIG]

A number of characteristics were incorporated into the RACE Path-to-Production process that were key to streamlining and customizing the current process. DISA focused on the areas that offered the greatest return:
• Define standards and entrance criteria
• Streamline the approval process
• Reduce or eliminate duplication of effort and documentation
• Incorporate inheritance of IA controls as defined by DoDI 8510.01
• Develop hardened virtual operating environments (VOE)
• Implement a RACE portal.

RACE Standards

A key aspect of designing the RACE Path-to-Production process was defining a set of standards that provide the framework of the streamlined process. These standards enable rapid provisioning and promotion within the virtual environments. Examples of RACE standards include:
• The development and test process must be completed in a virtualized environment.
• Customers must start with provisioned VOEs provided by RACE.
• The Enterprise Mission Assurance Support Service (eMASS) application must be used as the C&A automation tool and central repository.
• Customers must adhere to the RACE standard set of ports and protocols while in development, test, and production environments.
• Vulnerability Management System (VMS) must be used to track asset-level vulnerabilities.
• A minimum of an Interim Approval to Test (IATT) is required to move an application into the RACE Testing environment.
• An IATT is valid for 90 days while in the test environment.
• A minimum of an Interim Approval to Operate (IATO) is required to move an application into the DECC production environment.

Recognizing that organizations often have unique needs that may fall outside of the standards established by RACE, DISA developed an exception resolution process to facilitate discussions between a RACE representative and the RACE customer to determine a resolution.

Streamlined Approval Process

Delegation of approval responsibilities to the lowest organizational level possible was key to streamlining the RACE C&A approval process. This approach resulted in a more agile workflow adaptable to the robust environment of the RACE cloud. To facilitate this streamlined approval process, the DISA Chief Information Officer implemented an Information Assurance Manager (IAM) role created specifically to manage activities within the RACE cloud. The RACE IAM’s primary role is to provide a final review and approval of the application and virtual environment before it is promoted to the test and production environments. The IAM reviews the RACE customer’s documentation to validate the accreditation decision made by the customer’s Designated Approval Authority (DAA). In addition, the IAM considers additional application-specific data such as the ports, protocols, and services used by the system or application, and the proposed network topology. The RACE IAM also conducts joint validation activities of the IA controls with the customer early in the process, and establishes the parent/child inheritance relationship, which allows the system to inherit IA controls from the RACE cloud. This early coordination activity between RACE customers and the RACE IAM supports users as they move through the Path-to-Production process, ensuring that potential challenges are addressed early in the process.

The RACE C&A approval process is a joint effort shared between the RACE IAM and the customer. The customer conducting application development in the RACE cloud has the primary responsibility to oversee the validation, certification, and accreditation of the system or application as it progresses through the Path-to-Production process.

Duplication Analysis

The duplication analysis of the existing C&A approach and workflow process revealed more opportunities to streamline this process. The team identified opportunities to reduce the amount of documentation required for a successful accreditation. At each approval level, organizations had developed unique checklists of requirements and artifacts. This often required the customer to duplicate data in multiple documents. Further analysis revealed that a number of documents could be eliminated because the data was available in other C&A artifacts. Elimination of such duplication significantly reduced the time and effort spent on developing and reviewing C&A artifacts.

DISA implemented a key tool—eMASS—within RACE to manage the C&A workflow and documentation. A government-owned solution, eMASS integrates several capability models to support IA program management needs. It allows an organization to enter system information and to track the progress of information assurance activities (such as validation procedures, compliance status, and attachments) and associated action plans for sharing system security information and compliance status.

[Figure 2 IA Control Inheritance: VOE; RACE Inherited Controls (Enclave Boundary, Services Controls, Etc.); DECC Inherited Controls (Physical Security, Environmental, Continuity); RACE; DECC STL]

Inheritance of IA Controls

Inheritance of IA controls was also key to streamlining the Path-to-Production process. RACE customers can directly inherit IA controls from the RACE cloud and DISA DECC (Figure 2). DoDI 8500.2 defines 32 controls that an automated information system (AIS) may inherit
from the enclave in which it resides. The implementation, validation, and monitoring of these controls are the responsibility of the enclave and not the AIS. RACE customers inherit these controls, as well as the status and artifacts associated with the validation of each control.

This automated inheritance of IA controls is defined within the eMASS application. RACE serves as the parent system for a parent-child inheritance relationship used for all registered systems within eMASS. Every application that a RACE customer registers within eMASS will automatically be set as a child to the parent (i.e., RACE) enclave, establishing inheritance. A pre-determined list of DoDI 8500.2 IA controls is automatically set as inherited from the parent in every child. For example, physical security is the responsibility of the parent enclave, not the responsibility of the child.

Hardened Virtual Operating Environments

Virtual operating environments are provisioned to RACE customers for use in the development and test environments. The VOEs are delivered with a development-friendly Security Technical Implementation Guide (STIG) implementation, streamlining both the development process and the C&A process for RACE customers. RACE offers the available virtual operating environments, as listed in Table 1, which are in compliance with DoDI 8500.2 at the Mission Assurance Category (MAC) II-Sensitive level.

Table 1 RACE Virtual Operating Environments

Operating System       Architecture
Windows Server 2003    32-bit
Windows Server 2003    64-bit
Red Hat 4.6            32-bit
Red Hat 4.6            64-bit
Red Hat 5.1            32-bit
Red Hat 5.1            64-bit

DISA has configured the virtual images to be compliant with a variety of DISA STIGs, to include Windows Server 2003 operating system, UNIX, Internet Information Services (IIS), and database checklists. The DISA team reviewed the recommended security settings from these STIGs to determine which had the potential to restrict application development. The VOEs are provisioned to RACE customers with those particular security settings left in a ‘non-compliant’ status. This practice allows customers to begin development immediately and provisions a consistent development environment for all customers.

However, these security settings will remain in a ‘non-compliant’ status only in the RACE development environment. The RACE customer is responsible for properly configuring these security settings to achieve a compliant status before promoting the application to the testing and production environments.

The VOEs are also provisioned with the latest Information Assurance Vulnerability Management (IAVM) patches installed. Once the VOEs have been provisioned, the customer assumes responsibility for keeping the images patched.

RACE Portal

A key component of cloud computing is the ability to provision and maintain environments in a self-service portal. DISA Circuit Switched Data (CSD) has implemented this ability through an enhanced RACE portal that allows RACE customers to take control of their environments with respect to the following functions:
• Ordering development, test, and production virtual environments
• Ordering additional storage for an existing virtual environment
• Promoting the environment from development to test or test to production
• Restoring the environment from an archive.

In addition, the RACE portal provides a document library that includes all IA documentation that will be used throughout the Path-to-Production process.

On the Horizon

DISA CSD is continually seeking opportunities to improve the Path-to-Production process to make it even more agile. This includes implementing automation to further reduce the C&A burden on RACE customers, and strengthening the IA posture of VOEs via integration of Host Based Security System (HBSS) into the RACE enclave. For more information, visit http://www.disa.mil/RACE for the latest news.

About the Authors

Munjeet Singh | is an information assurance contractor consulting as the Project Manager and Lead Engineer on cloud-focused initiatives in the DoD domain. He is currently involved in deploying cloud and data center optimization initiatives to clients in DISA and across the Army.

Troy Giefer, CISSP, | is an information assurance contractor consulting on cloud computing research and the development of cloud computing security solutions for the DoD marketplace. Troy is a key lead in the effort to customize DIACAP for use in the DISA RACE cloud.

References
1. http://www.whitehouse.gov/omb/budget/fy2010/assets/crosscutting.pdf.
                                              ff Archiving the environment to
                                                   tape backup


                                                                          IAnewsletter Vol 13 No 2 Spring 2010    •   http://iac.dtic.mil/iatac   19
Look Before You Leap:
Security Considerations in a Web 2.0 World
by Sara Estes Cohen and Shala Ann Byers

Introduction

In recent years, social media, also known as Web 2.0, has emerged as a popular and powerful technology that enables individuals to collaborate, communicate, and share information from anywhere and at any time. Currently, more than 30% of the world's population visits Facebook.com on a daily basis [1], and approximately 22% use YouTube to watch online videos. [2] First established in the commercial sector, this technology popularized the economical use of low-cost social media tools. The federal government has since followed suit, launching departments and agencies into social media as a way of connecting with the public.

On January 21, 2009, President Obama signed the Memorandum on Transparency and Open Government, encouraging agencies to "establish a system of transparency, public participation, and collaboration." [3] On December 8, 2009, the Director of the Office of Management and Budget (OMB) issued the Open Government Directive, providing guidelines and deadlines for all federal agencies on developing their own 'open government' programs fostering the principles of transparency, participation, and collaboration. [4]

Agencies like the Department of Justice, the Library of Congress, and the Department of State responded by establishing Facebook profiles to communicate with the public. Additionally, the Federal Bureau of Investigation started a Twitter account to send daily news updates to the public. The Centers for Disease Control and Prevention (CDC) posts weekly Hurricane Health and Safety Tips on its Web site and distributes them to registered users via e-mail, mobile phone text messages, and Twitter. [5]

While embracing social media is key to succeeding in a new communications environment, effective strategy, planning, and support before launching a social media program are equally important. An unstructured and disorganized adoption of social media can have serious consequences, including data leaks or security breaches from which it can be difficult—if not impossible—to recover.

To avoid these complications, it is imperative for an organization to identify a 'best-fit' solution based on internal goals, requirements, and challenges before launching a social media program. Most importantly, organizations must standardize how they implement social media and develop training to educate users. Finally, organizations must institute a mechanism to enforce security compliance to ensure the protection of the information shared within the social media platform.

Framework

There are generally three approaches for implementing social media:
• Internal
• External
• Hybrid

Each approach differs in the location and ownership of the underlying infrastructure (e.g., government- or privately-owned), the audience (employees, the public, or both), and the direction of communication (within, outside of, or across the firewall):

• Internal—Technology and infrastructure sit behind a firewall and are owned by the organization. This model consists only of internal communications, information and data exchange, storage, and management (within the organization, not across the firewall) and requires development of organization-specific solutions, tools, and technology.
• External—This approach leverages public social media for specified applications. For example, existing social media sites (e.g., Facebook and Twitter) may be used for constituent relations and outreach. This model requires extensive strategic planning to target the
appropriate user groups with the right information. Additionally, this model must include organization-wide standardization to ensure consistency with respect to messaging (content/brand), security practices, and access to public sites and tools from behind the firewall.
• Hybrid—This model uses internal solutions (behind the firewall), developed by the organization for internal communication and operations, while simultaneously leveraging external, public social media for outreach and general communications. Like the external model, the hybrid model also requires standardization to ensure the security of personnel, data, and information.

This article focuses on security considerations and challenges associated with the hybrid model, as it is the most complex of the three approaches. Because of its reliance on both internal and external infrastructure, the hybrid model must adhere to both internal and external, organization-specific security, management, legal, and communications policies.

Strategic Planning

To begin, an organization must first identify its goals and objectives for adopting social media. Identifying the appropriate budget, development time, specific features and functionality required, and level of acceptable risk are all factors to consider before implementing a social media strategy; by doing so, organizations can avoid developing an ill-fitting program. The following sections outline and discuss several planning considerations to assist in establishing a 'best-fit' approach.

Audience

Who is your target audience? This question can be answered by first defining the organization's responsibilities. Are you required to communicate with your constituents? Will you need to communicate with your employees during a crisis, or on a daily basis? These answers will help the organization clearly define its purpose for using social media, identify the tools that can accomplish that purpose, and successfully engage its audience using social media. Identifying your audience can also help determine the most appropriate Web 2.0 model and the best tools and technology to use.

Technology and Applications

Organizations can leverage social media for many purposes, including daily operations, outreach and awareness, constituent communications, emergency management, and business continuity, among others. Additional applications may include training, alert and notification, employee accountability, situational awareness, information gathering, and emergency communications. As technology advances and user awareness improves, the potential for using social media will grow accordingly.

Social media is not just about the technology or the tools—it is also about what the technology can help users do. Organizations must leverage social media in a way that resonates best with the targeted community, chosen goals, and objectives.

Additionally, proactively identifying potential applications before choosing and implementing social media tools can help avoid the 'Shiny New Toy' syndrome—investing in a tool that nobody uses because it does not meet organizational needs. A strategic approach will help ensure that the program is functional—for both the audience and the organization—while remaining aligned with the desired goals and objectives.

Standardization

Standardization is the most important aspect of adopting social media. Social media standards must be developed in line with both organization-specific and external information technology (IT),
security, communications, operations (management), and contractual/legal policies and requirements. Organizations must establish standards for how they implement their own social media solution; there is no one-size-fits-all solution.

Without some form of centralized guidance, departments might develop policies and processes that are inconsistent across the organization as the popularity and use of social media grow. This situation could result in varying levels of security and inconsistent security procedures. To avoid this, the organization must establish technical requirements and training standards regarding how all departments and components may use Internet-based capabilities. Additionally, the organization must establish and disseminate organization-specific policies and procedures regarding technical, legal/contractual, communications, and management concerns. Each department may have additional requirements but, at a minimum, its practices should comply with the organization-wide requirements.

Security Requirements

Security requirements must take into account several factors, such as:
• The purpose the social media is intended to accomplish
• How social media will be used (application)
• What type of information will be exchanged (e.g., classified information, Sensitive But Unclassified [SBU] information, Personally Identifiable Information [PII]) and the associated handling requirements
• How and where data will be stored
• Criteria for accessing the information
• How exceptions are managed
• What technical support will be required
• How the factors above will be affected by organization-wide use of social media

Each of these factors must be taken into consideration to develop suitable and sustainable standards, which are essential for enforcing compliance.

Social Media Guidelines and Governance

Federal policies and guidance governing the use of new and emerging communications technologies, as well as industry best practices for social media, should be carefully evaluated and followed to ensure compliance. If an organization is just beginning its foray into social media, it should consider using Guidelines for Secure Use of Social Media by Federal Departments and Agencies, released by the Federal Chief Information Officers Council in September 2009, as a starting point. [6]

Agencies need not start from scratch, however: the General Services Administration (GSA) has already contacted the third-party providers Flickr, YouTube, Vimeo, and blip.tv to develop government-specific terms of service. Additionally, GSA determined that Twitter's standard terms of service are consistent with government use and thus need no additional changes. [7]

Organizations should also consider drafting their own social media engagement guidelines before allowing unfettered access to social media and online communities. A good example is the Air Force's Web Posting Response Assessment Flow Chart V.2, which explains the Air Force's internal policy on blogs and how to handle both positive and negative commentary posted online. [8] Such guidelines not only protect the organization from a legal standpoint; they can also help employees understand the implications of personal use and how to develop and maintain social media tools in a way that complies with the organization's standards and best practices.

Risk Management

It is no longer feasible to dismiss the use of social media entirely because of its potential risk. Web 2.0 users are tech-savvy and will continue to find new ways to access and use social media despite an organization's best efforts to ban the technology. Instead of banning social media outright, organizations should identify how to use social media safely and securely. As with adopting any new technology, risk assessment is an integral aspect of adopting social media and must be conducted on a regular basis, allowing for adjustments over time to accommodate changes in technology and the threat environment.

The decision to adopt social media should be based on a strong business case that considers an organization's mission, technical capabilities, threats, and the expected benefits of adopting this technology. For example, national security agencies must protect classified data, whereas agencies or organizations that handle PII must protect the privacy of individuals. Consequently, different organizations have different priorities for security and privacy, and must address those priorities accordingly.

Challenges

After identifying a 'best-fit' solution and socializing the standards, the organization must develop an implementation plan and provide the continuous, reliable support needed to maintain a structurally sound and sustainable program. Throughout the development and implementation of a social media program—whether internal, external, or hybrid—organizations should consider and address the following challenges related to security, technology, and infrastructure.

Information Assurance and Operational Security

A social media strategy must incorporate information assurance and operational security (IA and OPSEC) policies and procedures—as well as an
organization-wide training, education, and awareness package—focusing on IA and OPSEC issues to ensure that the policies and procedures are followed. Otherwise, data leaks and OPSEC violations are more likely to propagate across all forms of electronic communications, including e-mail, social media, and Web sites. The organization must also address policies and develop compliance measures regarding access control, authentication procedures, account and user management, encryption, content assurance, and general communications security (COMSEC).

The requirement to address IA and OPSEC is nothing new. Concerns about social media are essentially the same as those that arose with the proliferation of the Internet and e-mail. Communications policies and information security procedures that apply to social media are similar to those that have traditionally applied to other forms of communications—whether electronic communications (e.g., e-mail) or more traditional forms of communications (e.g., letter writing or meetings).

Privacy and Confidentiality

Federal departments and agencies are bound by privacy requirements based on the Fair Information Practice Principles (FIPP), which require rigorous controls and procedures to protect the privacy of individuals. PII includes any information that can be directly associated with an individual. Organizations that collect PII must put policies and procedures in place to handle, store, and dispose of PII securely. Such measures may address terms of use, legal ownership of PII, and the consequences of using or disseminating PII inappropriately.

In addition to addressing privacy policies, organizations must also be aware of threats to privacy and must implement measures to ensure that privacy is maintained. For example, some social media practices and technologies (e.g., certain programming languages, lax social media etiquette) may place PII at risk of exposure. Once exposed, PII could place individuals at risk of identity theft and fraud. An organization can reduce this risk by implementing enhanced protection measures for sharing data in interconnected systems, implementing monitoring capabilities and protocols, and educating users on proper social media etiquette ("safe surfing").

Despite these challenges, agencies and organizations dealing primarily with private, sensitive, or classified information are not necessarily precluded from adopting social media. Rejecting social media also poses risks; organizations that choose not to leverage social media and new technologies may become obsolete over time.

Furthermore, unless an organization bans access to social media completely (which is nearly impossible to do), employees will inevitably use social media from within the organization's network. Organizations that do not establish policies regarding the use of social media, and do not implement processes to protect their infrastructures from unauthorized use of social media, expose themselves to serious legal and security-related problems. Both their information infrastructures and their reputations can be irreparably damaged.

Technical Support

Although social media may seem to offer a quick and efficient communications solution, it comes with some technical challenges:
• Bandwidth—Social media sites may require more bandwidth than traditional sites. Therefore, organizations may require additional network infrastructure to support wide-scale use of external, resource-intensive Web sites (e.g., YouTube and Facebook). If the organization is successful in engaging its audience in using social media, user demand will increase dramatically, ultimately increasing demands on network infrastructure. Consequently, the social media functions may compete with the organization's other functions for use of the network, which could impair overall mission capabilities over time. Organizations must plan for and ensure adequate bandwidth is available for widespread Internet use. Most hosting environments can provide additional bandwidth to cover surges in Internet or network activity. Organizations should develop memoranda of understanding (MOUs) with their respective hosting companies to ensure sufficient bandwidth is available during surges of activity that may occur due to emergency events, times of heightened network activity, and the increasing popularity of social media.
• Malicious Attacks—To one extent or another, all networks are subject to malicious attacks. Use of social media may increase that risk because, as more external Web sites are accessed, malicious actors have more opportunities to access an organization's networks and operational data. Implementing security controls across all Web 2.0 servers and verifying that sufficiently rigorous security controls are in place can reduce the threats to internal networks and operational data. Additionally, separating Web 2.0 servers from other internal servers may further mitigate the threat of unauthorized access to information through social media tools and Web sites.
• Network Monitoring—Foreign intelligence services (FIS) have extensive resources and have repeatedly demonstrated their capability to use automated 'social engineering' techniques to mine social media sites. By their very nature, social media sites have an abundance of information, which makes them susceptible to data
mining. Adversaries can aggregate and analyze this data. Without adequate network monitoring (and user education), an organization cannot ensure that users are complying with its policies regarding the release of high-value information. Additionally, technologies used in Web 2.0 applications (e.g., Java, Ajax, and the JSON data interchange format) may create other opportunities for malicious actors to access an organization's back-end network infrastructure and do irreparable damage (e.g., access or corrupt data or applications). Consequently, an organization using social media may need to implement increased security controls for any separate sensitive information residing on the server's back end.

Compliance and Enforcement

User education and training have always been crucial in safeguarding networks and data. However, with the advent of social media, training programs must be augmented to address the additional risks posed by social media. As organizations develop and adopt social media, users must understand the severity and nature of

Incident Response

Finally, despite best efforts to train users on 'safe surfing' and to develop safeguards for protecting data and information, incidents will inevitably occur. Organizations must plan and develop measures for quickly responding to and recovering from data spills, misinformation and rumors, and malicious attacks. An important aspect of handling social media is anticipating such incidents, then developing and implementing a plan for managing and responding to them. Such planning will help ensure that social media becomes an integral part of an organization's communications toolbox.

Conclusion

Trends in communications and technology are increasingly dynamic and fast-paced. To keep up, organizations in both the public and private sectors must readily adapt by developing social media capabilities of their own. Although embracing social media is imperative to succeeding in a new communications environment, doing so without adequate planning can do more harm than good.

Social media is not a one-size-fits-all solution. Each Web 2.0 tool has its own purpose, audience, and challenges that must be considered

infrastructure, information, audience, and reputation. With well-thought-out strategy, planning, policies, procedures, and technical support, organizations may successfully and securely leverage social media.

Thank you to DeZario Morales, Akira Ikuma, Matthew Doan, and Mark Macala for their contributions to this article.

About the Authors

Sara Estes Cohen | has ten years of experience in communications and three years specifically focused on emergency response, continuity of operations, business continuity, and critical infrastructure protection. For her master's thesis, "Using Social Networking for University Emergency Communications," Ms. Cohen worked with the University of California, Los Angeles (UCLA) to develop a model for universities to engage in social media for emergency communications. Ms. Cohen has spoken at several conferences and recently chaired the Advanced Learning Institute (ALI) Social Media for Crisis Communications in Government conference in November 2009.

Shala Ann Byers | has worked for two and a half years as an emergency communications and all-source analyst. She has spent the past year developing a social media reverse mentoring
                                                                                                   program linking junior staff with senior leadership
potential threats to security associated                carefully. As with any tool, a Web 2.0
                                                                                                   to facilitate technology and social media learning.
with its use. Organizations can                         tool must be chosen, not based on
                                                                                                   Ms. Byers holds a Bachelor’s degree from
incorporate social media training into                  popularity, but on how effectively it
                                                                                                   Dartmouth College in Government with a specialty
their annual security training programs                 meets the organization’s needs and
                                                                                                   in International Relations.
and address social media tools and sites                selection criteria.
during existing certification and                             Finally, an organization’s social
                                                                                                   References
accreditation procedures, thereby                       media program must align with its goals,
                                                                                                   1.	   http://www.alexa.com/siteinfo/facebook.com.
helping to ensure that their security                   objectives, budget, desired features and
                                                                                                   2.	   http://www.alexa.com/siteinfo/youtube.com.
standards are upheld. Additionally,                     applications, internal and external
                                                                                                   3.	   http://www.whitehouse.gov/the_press_office/
organizations can develop a social                      security, IT, legal, and communications
                                                                                                         TransparencyandOpenGovernment
media mentoring program, leveraging                     policies and requirements. Once
                                                                                                   4.	   http://www.openthegovernment.org/otg/OGD.pdf.
the skills of those employees with                      implemented, the program must be
                                                                                                   5.	   www.bt.cdc.gov/disasters/hurricanes.
more advanced social media skills to                    standardized across the organization
                                                                                                   6.	   http://www.cio.gov/Documents/Guidelines_for_
train those for whom this technology                    through socialization, education, and
                                                                                                         Secure_Use_Social_Media_v01-0.pdf.
is unfamiliar.                                          consistent training. Compliance with
                                                                                                   7.	   http://www.fcw.com/Articles/2009/03/25/web-
                                                        these standards must be upheld through
                                                                                                         GSA-agreement.aspx.
                                                        consistent enforcement; proactive
                                                                                                   8.	   http://www.wired.com/dangerroom/2009/01/usaf-
                                                        engagement is crucial to the security of
                                                                                                         blog-respo
                                                        an organization’s networks,


24   IAnewsletter Vol 13 No 2 Spring 2010   •   http://iac.dtic.mil/iatac
Insider Threat Center at
CERT Grows Solutions from
Reality-Based Research
by Dawn Cappelli and Andrew P. Moore




Many organizations have suffered significant losses from insiders with authorized access to protected information assets. Insiders’ crimes include theft, sabotage, fraud, and espionage. The Computer Emergency Response Team (CERT), part of the Software Engineering Institute (SEI) at Carnegie Mellon University, began researching this problem in 2001. It has compiled a growing database of more than 300 criminal cases in which current or former employees, contractors, or business partners abused the trust and access associated with their positions. As part of its research, CERT interviewed many of the victim organizations and some perpetrators themselves, complementing a wealth of case data with first-hand insights into the methods and motivations behind these crimes.

This work laid the foundation for the Management and Education of the Risk of Insider Threats (MERIT) project. Under MERIT, CERT researchers collaborated with noted psychologists, the United States Secret Service, the Federal Bureau of Investigation, and the Department of Defense to uncover key technical, social, and organizational patterns of insider behavior. Building on this work, CERT researchers are constructing models of the four main classes of insider crimes: IT sabotage, theft of intellectual property, espionage, and fraud. These models, created using system dynamics techniques, suggest both the evolution of the threat over time and possible mitigation strategies.

Armed with these new insights, the Insider Threat Center at CERT has begun educating organizations on how to detect and manage the problem. It offers its Insider Threat Workshop several times throughout the year. Geared to managers and executives, the two-day workshop addresses technology, organizational culture, policy, procedure, and behavioral issues that influence insider threat. The workshops stress the need to foster cooperation among management, information security, human resources, and IT groups to effectively fight the problem.

CERT has also launched its Insider Threat Vulnerability Assessment program. Spurred by numerous requests from industry and government, these assessments enable organizations to get a better grasp on this complex problem. A CERT project team performs the three-day, on-site assessment, conducting interviews with key organizational personnel. The assessment team explores the organization’s technical controls, policies, and [technical and behavioral] practices and then produces a confidential report presenting findings and potential mitigation strategies. The goal is to create a single, actionable framework that engages all stakeholders in the fight against insider threat.

“The insider threat team is very excited about the impact it has had on government and industry organizations and their ability to mitigate the risk of insider threat. The workshops and assessments completed to date have proven to be effective tools in raising awareness of the causes, potential indicators, and prevention and detection strategies. CERT now focuses on technical solutions that will enable organizations to use people and technology more effectively.”

For more information, please visit http://www.cert.org/insider_threat/.

About the Authors

Dawn Cappelli | is technical manager of the Threat and Incident Management Group at CERT. She has over 25 years of experience in software engineering, programming, technical project management, information security, and research. She is technical lead of CERT’s insider threat research, including the Insider Threat Study conducted jointly by the U.S. Secret Service and CERT.

Andrew P. Moore | is a senior member of the CERT technical staff at the Software Engineering Institute. Moore explores ways to improve the security, survivability, and resiliency of enterprise systems through insider threat and defense modeling, incident processing and analysis, and architecture engineering and analysis. Before joining the SEI in 2000, he worked for the Naval Research Laboratory.


Wikis Within the DoD
by Tzeyoung Max Wu




Wikis within DoD

Web 2.0. Social media is all the hype these days. October 2008 saw the launch of DoDTechipedia, one of the Department of Defense’s (DoD) ventures into wikis. Currently, media buzz surrounds the secretive and ambitious A-Space social portal within the Intelligence community. In 2009, the Centers for Disease Control and Prevention (CDC) used social media tools to increase awareness of emerging data about the H1N1 virus. Information was disseminated across YouTube, Facebook and Twitter, where data was quickly assimilated by millions and helped promote health awareness across the public. From proprietary corporate wiki pages to open video blogging forums, we have seen an explosion of all types of social media implementation and usage across sectors both public and private.

Take the case of NASAsphere, a pilot social media study where a social media portal was implemented to test its value to NASA’s Jet Propulsion Laboratory (JPL). Within months, the study concluded that participants were sharing information in ways that would not have happened without the tool. Rather than emailing known coworkers for information, NASAsphere users were encouraged to post inquiries for information on the portal. Almost all informational responses to such queries came from users at different NASA centers. [1] By the end of the study, researchers concluded that the portal created a better sense of unity and belonging in NASA participants, despite being separated both physically and organizationally. The site allowed users to openly communicate on a level playing field, removing barriers such as job status and organizational departments. [2]

Wikis

As one popular form of social media, wikis entered mainstream vocabulary with the launch of Wikipedia in 2001. Although the concept of a community-driven encyclopedia had surfaced from time to time for decades, the advent of the Internet finally made it feasible for millions of individual users to freely add and edit content in an open repository of topical articles. By 2008, Wikipedia housed more than 10 million articles, and in 2005, this encyclopedia was pronounced as accurate as the popular Encyclopedia Britannica. [3] Attempting to reap the benefits of seamless community-driven information sharing, corporations and public agencies have since implemented their own proprietary wiki solutions. When wiki solutions work, they provide an enormous amount of value.

Intellipedia, another solution within the government, is a poster child of wiki success, with core officers earning Homeland Security Awards in 2009. [4] The Intelligence community produces 50,000 reports annually; a majority of them go unread. [5] Amidst data overload, Intellipedia was conceived to promote real-time information sharing internally across the community. It now boasts nearly one million pages and 100,000 users with over 10,000 edits daily. In 2008, following the terrorist bombing of hotels in Mumbai, intelligence analysts convened on a page, created on Intellipedia, to share emerging information and brainstorm ideas. The page received 7,000 views within three days and was integral in the community’s analysis of the attack. [6]

DoDTechipedia, itself a relatively new internal wiki solution, run by the Defense Technical Information Center (DTIC), shows much potential for bridging informational silos within DoD. The wiki solution won the 2009 Government Computer News (GCN) Award for agencies. GCN, a news site serving the government market, describes DoDTechipedia as more than a wiki: rather, an entire suite of services spurring collaboration.

Focused DoD Wikis

A set of one or more targeted wiki sites, each effectively addressing the needs of the respective community, can facilitate communication and promote collaboration. Note, ‘targeted’ is a must for a wiki site. Too broad a scope risks dilution, since at a certain point there is a threshold for the amount of content that must be collected before the site

appears informationally substantial to any specific target community. This is especially true within DoD, where program managers may be more secretive about their research. Thus, the more categories there are, the more content that must be generated to convince communities of its utility. The key is to focus. Of the handful of success factors mentioned by Larry Sanger, one of the founders of Wikipedia, the contribution of a small core group of good people during the early days was key. [7]

A precisely defined target market segment for any DoD wiki site allows for better and speedier marketing to defined communities. With a specified community in mind, the site can be fine-tuned, tailoring everything from look and feel, navigation, editing protocols, registration processes and site promotion to better match the community’s needs. For at its core, social media sites, including wikis, have historically been grassroots efforts growing from the bottom up in an organizational hierarchy, with roots deeply tied to their respective user groups. Grassroots efforts survive and mature because they address unmet recognized needs that differ between organizations. As such, participation and content management must remain in the hands of the general contributors so that they are empowered to innovate and run with fresh ideas.

As a grassroots-styled site, a wiki needs to become a natural fabric of the community’s culture. One of the reasons that Intellipedia worked well was because the custom of social networking, information inquiry and response, and information analysis had already been deeply ingrained into the Intelligence community culture. Part of the challenge for social media sites in DoD will be overcoming a more conservative culture, where informational secrecy has generally been critical to military success and where the sheer size of the organization has necessitated a level of bureaucracy. A successful wiki implementation has to come hand-in-hand with transforming this culture. Facing a similar challenge within the private sector, a human resources firm in Europe devised a comprehensive strategy to build momentum for their internal site. This strategy included employee training, proactive wiki gardening, appointing wiki evangelists and mandating that meetings be recorded and tracked using wiki pages. The latter helped instill into the portal the daily activities of individuals in the firm. [8]

Of course, success cannot happen as a solitary effort. Wikipedia’s own success would not have been achievable without the rising popularity of Google’s oft-storied search engine. As Google’s crawlers started indexing Wikipedia pages, general topical searches on the engine started to return Wikipedia within results. Featuring easy use, open editing, and proven return for efforts, usage of the encyclopedia skyrocketed. Wiki implementations within DoD should be promoted along with complementary solutions and efforts within the organization.

In the end, any wiki implementation must be accompanied with patience and persistence. Intellipedia, itself already springing from an organizational culture deliberately conducive to information gathering, is touted as a success today, but was launched in 2005. The broader the scope of the target communities in the site, the more content that must be generated to reach maturity. Wikipedia, with incredible scope, took many years to garner support from millions of contributors throughout the world. DoD itself has a deeply ingrained conservative culture, with a population of subject matter experts many times smaller. Before the different DoD communities can fully embrace and use wiki sites to their full potential, a degree of culture change will have to occur. One tactic for effective wiki implementation could be to forward social media pilots such as NASAsphere. Pilots can be run for short time periods to measure the site’s applicability to the respective needs in the community. Shorter pilots building towards more long-term solutions could be much more cost-effective than a series of failed large-scale efforts.

Security

Of course, information security will remain a key concern, especially with national security at risk. Throughout 2009, DoD wrestled with a balanced social media policy that would allow it to reap benefits, but at an appropriate risk level. There were special concerns about soldiers and other interested parties leaking sensitive operational information on media sites. The US Marine Corps dealt with the security issue by prohibiting all social media use. However, such a policy entirely abdicates the real value that social media can produce. To not fully leverage innovations in technology and media risks DoD falling behind other agencies in the world. In a recent blog post, even Rob Carey, US Navy Chief Information Officer (CIO), said that social media is a resource that DoD should well use to facilitate trust and collaboration. [9] “These tools are fundamental to collaboration. They have the potential to leverage the collective wisdom of this 750,000+ member Department,” said Carey.

Security risks are real, but can be strategically mitigated to a certain degree via a smart architecture and set of policies. One interesting solution described on the Armed Forces Communications and Electronics Association (AFCEA) Web site proposes setting up dedicated Internet services for all staff. [10] Internet services centralized in this way allow administrators and automated tools to better scan information posted to the Internet and catch security data leaks more effectively. This could be a broader social computing solution for computer use on the global information grid (GIG) in general, where bare-boned computer terminals plug onto resources served and managed on the GIG, providing a set of virtual desktops to users wherever they can plug into the GIG.

Any technical solution must be coupled with DoD guiding policies as well as real culture change. In September 2009, the Federal CIO Council issued official guidelines for Secure Use of Social Media by Federal Departments and Agencies. [11] The very first risk mitigation step suggested was the need for a government-wide policy for social media that would address policy controls, acquisition controls, training controls, and host and network controls. The guidelines define four types of information traffic that must be managed: inward sharing, outward sharing, inbound sharing, and outbound sharing. Each of these four types of information flow comes with unique risks and mitigation approaches. From a cultural perspective, DoD users should be trained with a practical sense of caution when utilizing social media systems.

Wikis within DoD will require a fair amount of monitoring, both from a content perspective as well as in network security and information assurance. A cultural shift toward data sharing and collaboration should also be tempered with an appropriate culture of caution and sensibility within the user community. This is quite achievable, of course, and will be important in the ongoing evolution of DoD to accomplish its missions in the hastening change of technology. Collaboration will accelerate the pace of innovative problem resolution within DoD.

About the Author

Tzeyoung Max Wu | was a DoDTechipedia content manager, creating and editing material in IA, information warfare, and networking technology areas. His experiences in information technology security have included: administering and configuring servers and network devices within organizations; designing secure architecture for enterprise systems; and configuring access control lists, profiles, and border controls for network applications.

Mr. Wu received his Bachelor’s degree in computer science from New York University, holds an MBA at the University of Chicago Booth School of Business, and earned a Master’s degree in IT from Virginia Tech.

References
1. Jackson, Joab. NASA program proves the benefits of social networking. Government Computer News. 2009. http://www.gcn.com/Articles/2009/11/30/A-Space-side-NASA-social-networking.aspx (accessed 01/02/2010).
2. Merryman, Celeste. Findings from the NASAsphere Pilot. Jet Propulsion Laboratory, California Institute of Technology Knowledge Architecture and Technology Task. (Pilot team: Merryman, Celeste; Hughes, Douglas). California Institute of Technology. 2008. http://www.scribd.com/doc/12759868/NASAsphere-Pilot-Report-2008-Public (accessed 01/02/2010).
3. Terdiman, Daniel. Wikipedia hits 10 million total articles. CNET. 2008. http://news.cnet.com/8301-13772_3-9905726-52.html (accessed 01/02/2010).
4. Intellipedia Gurus Win 2009 Homeland Security Medal. CIA website. https://www.cia.gov/news-information/featured-story-archive/intellipedia-homeland-security-medal.html (accessed 01/02/2010).
5. Thompson, Clive. Open-Source Spying. The New York Times. 2006. http://www.nytimes.com/2006/12/03/magazine/03intelligence.html (accessed 01/02/2010).
6. Intellipedia Gurus Win 2009 Homeland Security Medal. CIA website. https://www.cia.gov/news-information/featured-story-archive/intellipedia-homeland-security-medal.html (accessed 01/02/2010).
7. The Early History of Nupedia and Wikipedia, Part II. Slashdot. http://features.slashdot.org/article.pl?sid=05/04/19/1746205 (accessed 01/02/2010).
8. Roberts, Bill. How to Marshal wikis: some human resource professionals are using wikis to communicate, collaborate. HR Magazine. 2008. http://findarticles.com/p/articles/mi_m3495/is_12_53/ai_n31159337/pg_2/?tag=content;col1 (accessed 01/02/2010).
9. Carey, Rob. Embracing Social Networking Tools. Department of the Navy CIO. 2010. http://www.doncio.navy.mil/Blog.aspx?ID=891 (accessed 2/3/2010).
10. Strassman, Paul A. Social Network Security. Signal Online. 2010. http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=2163&zoneid=284 (accessed 2/1/2010).
11. Guidelines for Secure use of Social Media by Federal Departments and Agencies, v1.0. http://www.doncio.navy.mil/Download.aspx?AttachID=1105 (accessed 2/3/2010).


28   IAnewsletter Vol 13 No 2 Spring 2010   •   http://iac.dtic.mil/iatac
IATAC SPOTLIGHT ON A CONFERENCE




Penn State Industry Day
Conference
by Rich Coulter




The Networking and Security Research Center (NSRC) at the Pennsylvania State University held its annual Industry Day from 13 to 14 October 2009 at the University Park campus in State College, Pennsylvania. The NSRC provides a research and education community at Penn State for professors, students, and industry collaborators interested in networking and security. Industry Day is an opportunity for partners and other interested industry members to learn about research over the past year and ongoing developments.

Dr. Frank Siebenlist and Robin Burk delivered keynote addresses. Dr. Siebenlist is a senior security architect at the Mathematics and Computer Science Division at the Department of Energy Argonne National Laboratory and a Fellow at the Computation Institute of the University of Chicago. Ms. Burk currently manages the basic research thrust in cognitive, information, and network science for the Defense Threat Reduction Agency.

Dr. Tom La Porta, NSRC Director, noted that two NSRC faculty members received National Science Foundation (NSF) Presidential Early Career Awards for Scientists and Engineers in 2009. Only 25 of these prestigious awards are presented each year, so it was a truly unique event for two faculty from the same university to receive them. Dr. Adam Smith was recognized for his work in data access and privacy, and Dr. Sean Hallgren was awarded for developments in quantum computation.

Dr. Patrick McDaniel, co-director of the Systems and Internet Infrastructure Security (SIIS) laboratory, presented analysis of several networked devices intended to monitor and control electrical power usage for a “smart grid.” The SIIS lab discovered vulnerabilities that could be exploited to overload generation plants, deny power to critical customers, or obfuscate power usage. Dr. McDaniel is also exploring attack causality in Internet-connected cellular networks with the goal to understand and protect against evolving threats in cellular phone systems. Other ongoing projects in the SIIS lab include Telecommunications Security; Voting Systems Integrity; and security of systems, virtual machines (VM), and storage.

Each graduate student in the NSRC also presented posters summarizing their research. Their research focused on networking (security, fault isolation, coding, efficiency, encryption), mobile devices (device security, network threats), and systems (VM security policy, software theft detection).

Other affiliated Penn State resources for industry were highlighted. The Applied Research Laboratory (ARL) is a DoD-designated U.S. Navy University Affiliated Research Center that maintains a long-term strategic relationship with the Navy and supports the other services as well as industry. ARL also provides facilities for conducting classified work in conjunction with the NSRC. The Industrial Research Office (IRO) focuses on uncovering researchers in all Penn State colleges and departments to meet industry needs. IRO facilitates industry partnerships with the NSRC and other research centers at Penn State.

Briefings can be found at http://nsrc.cse.psu.edu/id09.html. More information on ARL and the IRO can be found at http://www.arl.psu.edu/ and http://www.research.psu.edu/iro/index.asp, respectively.

About the Author

Richard Coulter | currently provides remote systems engineering and project management support on various projects, and works to establish relationships between IATAC and Penn State, especially in support of the Administration’s Cybersecurity Initiative. Previously, Mr. Coulter performed hardware and embedded design, reverse engineering, and data analysis in support of law enforcement forensic and operational missions, where he served as deputy program manager. Mr. Coulter received a Bachelor’s degree in electrical engineering from the Pennsylvania State University.


Vulnerability Assessment
Processes Within DoD
by Chris Merritt

The Problem

Protecting critical infrastructure and the Global Information Grid continues to be a valuable, yet time-consuming and expensive effort within the Department of Defense (DoD). Initiatives and compliance requirements including the Federal Information Security Management Act, the Federal Desktop Core Configuration, Computer Network Defense Service Provider compliance efforts, mandates from the Joint Task Force – Global Network Operations (JTF-GNO) and the Defense Information Systems Agency (DISA), and general due diligence to protect the technology and data that keep the U.S. military operational are iterative, redundant, and in many cases based on manual processes.

Configuration management, patch management, and vulnerability and risk management are all predicated upon processes that are cyclical and typically involve hands-on efforts by system or network administrators. They may also require compliance reviews from information assurance divisions, testing from vendors and system managers, approval from configuration control boards, and ultimate acceptance from the Designated Accrediting Authority for the organization, system, or enclave. In many cases, the process of assessing compliance and validating appropriate configuration, and more importantly, identifying weaknesses and vulnerabilities within established configurations, is accomplished by performing vulnerability assessments.

Vulnerability assessment processes in many organizations are ad-hoc, non-standardized, and incomplete. They rely on commercially developed tools as well as DoD-provided tools and in-house solutions to determine patch levels, user settings, open ports, operating system configurations, and other system (mis)configurations. Unfortunately, no one vulnerability assessment solution is comprehensive enough to cover all niches and corners of the DoD infrastructure. Because of this problem, technologists and oversight organizations are required to use multiple vulnerability assessment tools to help ensure that all bases are covered. Some assessment tools are proficient at scanning Microsoft Windows; some are good for UNIX-based operating systems; some excel in evaluating Web applications; and others do device discovery very well. The shape and composition of the environment often dictates what tools need to be used to manage compliance and ensure secure configuration whenever possible.

Having to rely on multiple vulnerability assessment solutions means that technologists and oversight personnel are reduced to seeing vulnerability and configuration data in many disparate, non-standard views. This can make managing and tracking efforts to meet compliance goals and secure the infrastructure exceptionally difficult, because no standardization exists across the entire enterprise. This problem is compounded by employee or contractor turnover, the volatility in technical or mobile environments, and the various skill levels of personnel working to manage the infrastructure. It is also exacerbated by the fact that vulnerability assessments and compliance scans play such a big role in major DoD programs and mandates that include the information assurance vulnerability management process, certification and accreditation, computer network defense, information operations condition, and JTF-GNO mandates.

Recommended Solutions

The first place to begin addressing compliance and configuration management issues is to have an overarching configuration management plan. It is crucial to have a healthy cross-section of the technologists within the organization designated as members of a configuration control board (CCB) that is strictly governed by documented configuration management processes and procedures. As part of that configuration management plan, however, there also need to be specific guidelines and instructions on how to perform vulnerability assessments within the organization to ensure


appropriate configuration and validate the mandates of the DoD as interpreted and implemented by the CCB. This vulnerability assessment process should be created and maintained by the personnel responsible for implementation of the technology as well as those areas of the organization that are responsible for oversight and compliance reporting. The primary goal of the plan should be to standardize the process, make it repeatable, and enforce it for all vulnerability assessment activities.

A vulnerability assessment manual for an organization should address and define procedures for several key components of the vulnerability assessment process. These areas include:

• Approved vulnerability assessment tools list—It is important to ensure that senior management (the chief information officer [CIO] or chief information security officer [CISO]) acknowledges what tools are permitted to be used within the network or enclave. To this end, a formal memo drafted by the CIO/CISO should specifically designate vulnerability assessment tools that are approved for use and prohibit the use of any tools not explicitly allowed. This will help ensure that untested, unknown vulnerability assessment tools do not adversely impact operations of the network or enclave and ultimately thwart the mission of the organization.

• Specific attributes and definition of each tool—Each approved tool has information that needs to be maintained and remains relevant for the life of the tool. Support information, update processes, training materials, known issues with the tool, the types of targets the tool is capable of assessing—these are the kinds of things that need to be recorded and kept up to date to ensure that anyone required to perform a vulnerability assessment has the appropriate information to do so effectively.

• Process for coordinating and approving vulnerability assessments—Sufficiently defining this step is one of the most important goals of any vulnerability assessment manual. A standardized test matrix should be developed and used to define and coordinate any vulnerability assessment activities. The test matrix should include information such as the targets, tools to be used, ports to be scanned, scan policy to be used, scan throttling information, points of contact, and date and time of the scan. The test matrix should be used to coordinate with components that may be impacted by the assessment—the system manager, program manager, network monitors, and even users.

• Process for consolidating, distributing, and storing assessment results—The point of a vulnerability assessment manual is to standardize processes and make them repeatable. As such, this is also a very important part of the process. The plan should outline acceptable formats for vulnerability assessment results. If results from disparate tools are aggregated or consolidated in any way, the process used to do that should be outlined. Where and how the vulnerability and configuration information is stored should also be specifically outlined. Emerging technology has been developed to facilitate this process and help bridge the reporting gap between separate vulnerability assessment tools.

• Troubleshooting vulnerability assessments and the correlation to incident response—Troubleshooting vulnerability assessment tools is also paramount to standardization. If tools are not used or are not functioning correctly, results can be skewed and the configuration and security posture of the targets scanned may not be accurate. It is also important to remember


(especially for legacy systems) that there is potential to bring down production systems if they are targeted intentionally or unintentionally. The vulnerability assessment process should identify incident response procedures in the event that an assessment causes an outage or adverse reactions by the targets being scanned.

Incorporating these types of guidelines and parameters into a vulnerability assessment plan is vital. Without standardization and appropriate training to perform vulnerability assessments, it is easy to have vulnerabilities or misconfiguration missed—ultimately resulting in a false sense of security for the organization and greater risk to the mission and the DoD.

Also, don’t be afraid to leverage virtualization. Virtualization can be a great tool in the vulnerability assessment space—especially in environments with legacy systems and antiquated technology. Using virtualization to take an exact copy of a production server or application allows for extensive vulnerability assessment that may otherwise not be possible.

Options

Establishing (and following) a vulnerability assessment manual as part of a bigger configuration management plan is not difficult, and it is not exceptionally time consuming. In fact, implementing a standard approach to vulnerability assessment activities can ultimately save a lot of time and effort by streamlining the process and making sure that all relevant vulnerability assessment information can be found in one easy-to-use location.

However, if vulnerability assessments are conducted at recommended (not just required) intervals, agencies within the DoD may find that adhering to rigorous vulnerability assessment processes can be expensive and time consuming—especially in larger, more distributed environments. It is for this reason that many organizations merely do what is specifically required by JTF-GNO or DISA or any other oversight organization with the ability to push down DoD requirements.

Performing the scans is not generally the difficult or time-consuming part of the process; it is interpreting, processing, and putting to work the volumes of information that the vulnerability assessment tools return—especially given the points discussed above. Using only one or two vulnerability assessment solutions is insufficient for most organizations, especially within the DoD. So consolidating, aggregating, and presenting the results of disparate vulnerability assessment scans is generally the most resource-intensive part of the process.

Organizations have two options. The first is to rely on the native outputs of the various vulnerability tools themselves. This could be flat text files, XML files, HTML files, PDFs, or Microsoft Word documents. For some tools, it could even mean having to rely on the console of the vulnerability assessment tool itself instead of a report. In this scenario, presenting findings in terms of high, medium, and low risk is disjointed and subject to error. It also makes remediation efforts difficult for system and network administrators because they have to rely on so many different forms of information from the various assessment tools that do not look similar and do not always present the most useful information.

The second option includes processes of trying to manually consolidate the data to put it into a more meaningful and useful format that facilitates the efforts of administrators and makes tracking progress a bit easier. The problem with this scenario is that it is full of manual copying and pasting, parsing, or scripting that is not vetted or standardized, and it remains exceptionally time consuming.

Great strides have been made toward resolving this problem. New, emerging technologies attack this problem head-on by providing the capability to consolidate, aggregate, and re-present vulnerability information in a truly meaningful fashion. The process of consolidating vulnerability data for system administrators no longer takes days or hours; with the right solution, it can take only minutes.

Conclusion

One of the most important pieces of the configuration management process is inspection and validation through vulnerability and configuration assessments. These processes can be time consuming; however, their value is obvious, and they also play fundamental roles in other major programs and initiatives implemented by the DoD. It is critical to have standardized processes when it comes to vulnerability assessments because when ad-hoc processes fail, and they do too often, it is difficult to trust the outcome of those assessments, and making decisions based upon misinformation can be devastating.

Armed with a thorough and well-implemented vulnerability assessment plan and with new technology that allows system and network administrators to focus more on resolving vulnerabilities and misconfiguration and less on combing through volumes of data for useful information, maintaining compliance with fewer resources becomes reality.

About the Author

Chris Merritt | is the president and CEO of Prolific Solutions, LLC (www.prolific-solutions.net) and has been consulting for the DoD for over seven years. He is the author of proVM Auditor (www.provmauditor.com), a vulnerability assessment aggregation and compilation tool, and holds a number of information security certifications, including CISSP and CISA. He earned his Master’s degree in information assurance from Norwich University in 2007.
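The approved-tools memo, the test matrix and the throttling and point-of-contact requirements that the article asks a vulnerability assessment manual to define can be enforced by a pre-flight script rather than a paper checklist. The following is an added example written for this page; it is not code from the article, from Prolific Solutions or from proVM Auditor. The tool names, the authorized address ranges, the field names, the target-type vocabulary and the 500 packets-per-second ceiling are assumptions chosen for illustration, and the two sample records are constructed.

```python
"""Pre-flight check for a vulnerability assessment test matrix.

Added example, not from the article: the CIO/CISO approved-tools memo and the
test-matrix fields listed in the manual are encoded as data, and a scan request
that violates them is refused before anything touches the network. Tool names,
address ranges, field names and the throttle ceiling are assumptions.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime

# The approved-tools memo as data: a tool not listed here is prohibited.
# Each entry records the target types the tool is cleared to assess (assumed).
APPROVED_TOOLS = {
    "retina": {"windows", "unix"},
    "nessus": {"windows", "unix", "network"},
    "appdetective": {"database"},
}

# Ranges the CCB has authorized for assessment (assumed, documentation space).
AUTHORIZED_SCOPE = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("192.0.2.0/24")]

REQUIRED_FIELDS = ("targets", "target_type", "tool", "ports", "scan_policy",
                   "throttle_pps", "points_of_contact", "scan_start")
MAX_THROTTLE_PPS = 500  # assumed site ceiling, set with legacy systems in mind


def validate_test_matrix(entry: dict) -> list[str]:
    """Return the list of violations; an empty list means the scan may be released."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in entry]
    if problems:
        return problems  # values cannot be checked until the record is complete

    tool = entry["tool"].lower()
    if tool not in APPROVED_TOOLS:
        problems.append(f"tool not on approved list: {entry['tool']}")
    elif entry["target_type"] not in APPROVED_TOOLS[tool]:
        problems.append(f"{entry['tool']} is not cleared for {entry['target_type']} targets")

    for target in entry["targets"]:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            problems.append(f"unparseable target: {target}")
            continue
        in_scope = any(net.version == scope.version and net.subnet_of(scope)
                       for scope in AUTHORIZED_SCOPE)
        if not in_scope:
            problems.append(f"target outside authorized scope: {target}")

    for port in entry["ports"]:
        if not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(f"invalid port: {port!r}")

    if not (1 <= entry["throttle_pps"] <= MAX_THROTTLE_PPS):
        problems.append(f"throttle {entry['throttle_pps']} pps exceeds site ceiling {MAX_THROTTLE_PPS}")

    pocs = entry["points_of_contact"]
    if not all(role in pocs for role in ("system_manager", "incident_response")):
        problems.append("points_of_contact must name system_manager and incident_response")

    try:
        if datetime.fromisoformat(entry["scan_start"]).tzinfo is None:
            problems.append("scan_start must carry a UTC offset")
    except ValueError:
        problems.append(f"scan_start is not ISO 8601: {entry['scan_start']}")

    return problems


# Constructed sample records (not real scan requests).
GOOD_ENTRY = {
    "targets": ["10.20.5.0/24", "192.0.2.17"],
    "target_type": "unix",
    "tool": "Nessus",
    "ports": [22, 80, 443],
    "scan_policy": "site-baseline-v3",
    "throttle_pps": 200,
    "points_of_contact": {"system_manager": "sysmgr@example.mil",
                          "incident_response": "ir-duty@example.mil"},
    "scan_start": "2010-03-15T02:00:00+00:00",
}

BAD_ENTRY = dict(GOOD_ENTRY, tool="sqlmap", targets=["10.20.5.9", "172.16.9.4"],
                 throttle_pps=5000, points_of_contact={"system_manager": "sysmgr@example.mil"})

if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(name, validate_test_matrix(entry) or "approved for release")
```

The check is deliberately all-or-nothing: a record with a tool outside the memo, a target outside the enclave the CCB authorized, or no incident response contact is never released, which is the point the article makes about legacy systems and outages. Wiring the same function into whatever launches the scanner is what turns the manual's "enforce it for all vulnerability assessment activities" into something that actually happens.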

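The consolidation problem the Options section describes, native outputs in different formats and severity vocabularies, stitched together by copy-and-paste or by scripts nobody has vetted, is what a small, reviewed normalization layer addresses. The following is an added example written for this page and is not code from the article or from the author's proVM Auditor product. The two input formats, the severity words, the plugin identifiers and the hosts are all constructed to stand in for two tools' native reports; a real deployment would swap in parsers for the actual exports the organization's approved tools produce.

```python
"""One view over the native outputs of two assessment tools.

Added example, not from the article and not the aggregation product the author
describes: a pipe-delimited flat export and an XML report, both constructed here
to stand in for two tools' native formats, are parsed into one record shape,
their severity vocabularies are mapped onto a single high/medium/low scale, and
findings that both tools raise for the same host and CVE are merged so that a
system administrator sees each exposure once. Field names, severity words and
sample hosts are assumptions.
"""
from __future__ import annotations

import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

# Constructed sample export of "tool A": one finding per line, pipe-delimited.
TOOL_A_FLAT = """\
host|plugin|cve|risk|title
10.20.5.12|10863|CVE-2008-4250|Critical|MS08-067 Server Service RPC handling
10.20.5.12|20007|CVE-2008-4250|Critical|Server Service RPC handling (remote check)
10.20.5.40|11219|-|Info|SYN port scan summary
10.20.5.40|34477|CVE-2009-0233|Medium|Windows print spooler
"""

# Constructed sample report of "tool B": XML, numeric severity levels.
TOOL_B_XML = """\
<report>
  <host ip="10.20.5.12">
    <finding id="cve-2008-4250" level="3">Remote code execution in Server service</finding>
    <finding id="cve-2008-3007" level="2">Missing cumulative browser update</finding>
  </host>
  <host ip="10.20.5.77">
    <finding id="cve-2008-1447" level="1">DNS cache poisoning</finding>
  </host>
</report>
"""

# Each tool's vocabulary mapped onto one scale; anything unknown drops to "low".
SEVERITY_A = {"critical": "high", "high": "high", "medium": "medium", "low": "low", "info": "low"}
SEVERITY_B = {"3": "high", "2": "medium", "1": "low"}
RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str       # upper-cased CVE id, or "" when the tool gave none
    severity: str  # "high" | "medium" | "low"
    title: str
    source: str    # which tool(s) reported it, e.g. "A+B"


def parse_tool_a(text: str) -> list[Finding]:
    out = []
    for row in csv.DictReader(io.StringIO(text), delimiter="|"):
        cve = "" if row["cve"] in ("", "-") else row["cve"].upper()
        out.append(Finding(row["host"], cve, SEVERITY_A.get(row["risk"].lower(), "low"),
                           row["title"], "A"))
    return out


def parse_tool_b(text: str) -> list[Finding]:
    out = []
    for host in ET.fromstring(text).iter("host"):
        for f in host.iter("finding"):
            out.append(Finding(host.get("ip", ""), f.get("id", "").upper(),
                               SEVERITY_B.get(f.get("level", ""), "low"),
                               (f.text or "").strip(), "B"))
    return out


def consolidate(*sources: list[Finding]) -> list[Finding]:
    """Merge by (host, CVE), keeping the highest severity and noting every reporting tool.
    Findings without a CVE cannot be matched across tools and are appended as-is."""
    best: dict[tuple[str, str], Finding] = {}
    seen: dict[tuple[str, str], set[str]] = {}
    loose = []
    for findings in sources:
        for f in findings:
            if not f.cve:
                loose.append(f)
                continue
            key = (f.host, f.cve)
            seen.setdefault(key, set()).add(f.source)
            if key not in best or RANK[f.severity] > RANK[best[key].severity]:
                best[key] = f
    merged = [Finding(f.host, f.cve, f.severity, f.title, "+".join(sorted(seen[k])))
              for k, f in best.items()]
    return sorted(merged, key=lambda f: (f.host, -RANK[f.severity], f.cve)) + loose


def severity_by_host(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Per-host counts on the common scale, the figure a CCB actually tracks."""
    counts: dict[str, Counter] = {}
    for f in findings:
        counts.setdefault(f.host, Counter())[f.severity] += 1
    return {host: dict(c) for host, c in sorted(counts.items())}


if __name__ == "__main__":
    view = consolidate(parse_tool_a(TOOL_A_FLAT), parse_tool_b(TOOL_B_XML))
    for f in view:
        print(f"{f.host:<12} {f.severity:<7} {f.cve or '-':<14} {f.source:<4} {f.title}")
    print(severity_by_host(view))
```

Two design points matter more than the parsing. The severity maps are explicit tables rather than string comparisons, so a new tool or a renamed level is a one-line, reviewable change instead of a quiet mismatch; and findings without a cross-tool identifier are kept but never merged, because silently collapsing them is exactly the "subject to error" risk the article warns about. Putting this module under the same change control as the approved-tools list is what makes it vetted scripting rather than the ad-hoc kind.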
SUBJECT MATTER EXPERT




Dr. Peng Liu
by Angela Orebaugh




This article continues our profile series of members of the Information Assurance Technology Analysis Center (IATAC) Subject Matter Expert (SME) program. The SME profiled in this article is Dr. Peng Liu from Pennsylvania State University.

Dr. Peng Liu is an Associate Professor in the College of Information Sciences and Technology (IST). He is also a member of the graduate faculty for the Department of Computer Science and Engineering and affiliate associate professor for the Department of Supply Chain and Information Systems (SC&IS) in the Smeal College of Business. In addition, Dr. Liu is the Director of the Cyber Security Lab and Director of the LIONS Center. His research interests include survivable systems, systems security, information security, network security, privacy, identity theft, cyber infrastructures, and electronic health. [1]

Dr. Liu won a $6.25M grant from the Army Research Office in July 2009 to study cyber situation awareness (CSA). He and his team received a Multidisciplinary University Research Initiative (MURI) award for his project, “Computer-aided Human-centric Cyber Situation Awareness.” They plan to use the grant funding to further the research on cyber awareness and how it can be used to improve cyber defense. Research goals include developing tools that will help bridge the gap between analysts’ capabilities and existing CSA software and hardware. The objective of this effort is to develop an integrated end-to-end (spanning the whole ‘life cycle’) CSA solution to fill the gap between machine information processing and analysts’ mental processes. The scope of this effort is to develop new capabilities for computer-aided human-centric CSA. The solution adds the new algorithms and techniques that are needed for the machine situational awareness (SA) system to work in concert with the human SA system. It integrates the human cognition aspects and the computer algorithm aspects of cyber SA. The solution also integrates situation recognition, impact assessment, causality analysis, trend analysis, and assessment of system assurance. The team will develop prototype capabilities in each year of the project that build on prior years’ capabilities, with the goal of having a testable, executable prototype at each stage of the project.

Dr. Liu was also one of three researchers who received more than $1M funded by the American Recovery and Reinvestment Act of 2009. His project—Collaborative Research: Towards Self-Protecting Data Centers: A Systematic Approach—is aimed at safeguarding business applications and infrastructure from cyber threats. The research team seeks to improve security consolidation to meet the top two requirements for modern data centers—business continuity and information security. The team will take a systematic approach that leverages the emerging virtual machine technologies to consolidate four areas of systems security research: microscopic intrusion analysis and detection; redundancy; automatic response; and diversity-driven protection. Broader impacts for this research include a significant advancement in reducing risks to business applications and information systems, increasing business continuity, and delivering data assurance in the presence of severe cyber attacks. Liu will co-lead this project, which will further the team’s previous research on cyber awareness and how it can be used to improve cyber defense.

Dr. Liu organizes and presents at several conferences in information security. A few examples include: Securecomm 2009 (general chair); Inscrypt 2008 (both Program Co‑Chair and keynote speaker); and ASIACCS 2010 (Program Co‑Chair).

References

1. http://ist.psu.edu/s2/pliu

Eight Steps to Holistic
Database Security
by Dr. Ron Ben Natan

Financially motivated attacks, malfeasance by insiders, and regulatory requirements such as the Federal Information Security Management Act-mandated National Institute of Standards and Technology (NIST) 800-53 standard are driving government organizations to find new ways to secure their data.

Most of the world’s sensitive data is stored in commercial database systems such as Oracle, Microsoft SQL Server, IBM DB2, and Sybase—making databases an increasingly favorite target for criminals. This may explain why external attacks such as SQL injection jumped 134% in 2008, increasing from an average of a few thousand per day to several hundred thousand per day, according to a report recently published by IBM. [1]

To make matters worse, according to a study published in February 2009 by the Independent Oracle Users Group (IOUG), nearly half of all Oracle users are at least two or more patch cycles behind in their database patching. [2] In addition, 74% of all Web application vulnerabilities disclosed in 2008 did not even have an available patch by the end of 2008, according to IBM. [3]

Whereas most attention has previously been focused on securing network perimeters and client systems (e.g., firewalls, IDS/IPS, and anti-virus), we are now entering a new phase where information security professionals are being tasked with ensuring that critical databases are secure from breaches and unauthorized changes.

Here are eight essential best practices that provide a holistic approach to both safeguarding databases and achieving compliance with key regulations and standards such as NIST 800-53 and Defense Information Systems Agency Security Technical Implementation Guides as well as the Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI-DSS), and data protection laws:

• Discovery—You cannot secure what you do not know. You need to have a good mapping of your sensitive assets—both of your database instances and your sensitive data inside the databases. Plus, you should automate the discovery process because the location of sensitive data is constantly changing due to changes such as new or modified applications and mergers and acquisitions. In an interesting twist, some discovery tools can also find malware placed in your database as a result of SQL injection attacks. In addition to exposing confidential information, SQL injection vulnerabilities allow attackers to embed other attacks inside the database that can then be used against visitors to the Web site.

• Vulnerability and Configuration Assessment—You need to assess the configuration of your databases to ensure they do not have security holes. This includes verifying both the way the database is installed on the operating system (e.g., checking file privileges for database configuration files and executables) and configuration options within the database itself (such as how many failed logins will result in a locked account, or which privileges have been assigned to critical tables). Plus, you need to verify that you are not running database versions with known vulnerabilities. Traditional network vulnerability scanners were not designed for this because they do not have embedded knowledge about database structures and expected behavior, nor can they issue SQL queries (via credentialed access to the database) in order to reveal database configuration information.

• Hardening—The result of a vulnerability assessment is often a set of specific recommendations. This is the first step in hardening the database. Other elements of hardening involve removing all functions and options that you do not use.

• Change Auditing—Once you have created a hardened configuration, you must continually track it to ensure that you do not digress from your “gold” (secure) configuration. You can do this with change auditing tools that compare snapshots of the configurations (at both the operating system level and at the database level) and immediately alert you whenever a change is made that could affect the security of the database.

• Database Activity Monitoring (DAM)—Real-time monitoring of database activity is key to limiting your exposure by immediately detecting intrusions and misuse. For example, DAM can alert on unusual access patterns indicating a SQL injection attack, unauthorized changes to financial data, elevation of account privileges, and configuration changes executed via SQL commands. Monitoring privileged users is also a requirement for data governance regulations such as SOX and data privacy regulations such as PCI-DSS. It is also important for detecting intrusions because attacks will frequently result in the attacker gaining privileged user access (such as via credentials owned by your business applications). DAM is also an essential element of vulnerability assessment because it allows you to go beyond traditional static assessments to include dynamic assessments of “behavioral vulnerabilities” such as multiple users sharing privileged credentials or an excessive number of failed database logins. Finally, some DAM technologies offer application-layer monitoring, allowing you to detect fraud conducted through multi-tier applications such as PeopleSoft, SAP, and Oracle e-Business Suite, rather than through direct connections to the database.

• Auditing—Secure, non-repudiable audit trails must be generated and maintained for any database activities that impact security posture, data integrity, or viewing sensitive data. In addition to being a key compliance requirement, having granular audit trails is also important for forensic investigations. Most organizations currently employ some form of manual auditing, utilizing traditional native database logging capabilities. However, these approaches are often found to be lacking because of their complexity and high operational costs due to manual efforts. Other disadvantages include high performance overhead, lack of separation of duties (because database administrators can easily tamper with the contents of database logs, thereby affecting non-repudiation) and the need to purchase and manage large amounts of storage capacity to handle massive amounts of unfiltered transaction information. Fortunately, a new class of DAM solutions is now available that provides granular, database management system (DBMS)-independent auditing with minimal impact on performance, while reducing operational costs through automation, centralized cross-DBMS policies and audit repositories, filtering, and compression.

• Authentication, Access Control, and Entitlement Management—Not all data and not all users are created equally. You must authenticate users, ensure full accountability per user, and manage privileges to limit access to data. And you should enforce these privileges—even for the most privileged database users. You also need to periodically review entitlement reports (also called User Right Attestation reports) as part of a formal audit process.

• Encryption—Use encryption to render sensitive data unreadable, so that an attacker cannot gain unauthorized access to data from outside the database. This includes both encryption of data-in-transit, so that an attacker cannot eavesdrop at the networking layer and gain access to the data when it is sent to the database client, as well as encryption of data-at-rest, so that an attacker cannot extract the data even with access to the media files.

A holistic database security approach is needed to protect against cyberattacks, breaches, fraud, and insider threats. Additionally, such a strategy helps federal agencies and contractors meet NIST 800-53 and comply with the OMB M-06-16 directive, Protection of Sensitive Agency Information, in order to secure personally identifiable information and other sensitive data such as financial data and classified information.

References
1. IBM Global Technology Services, “IBM Internet Security Systems X-Force® 2008 Trend & Risk Report,” January 2009.
2. IOUG, “Security Patching Practices by Oracle Users,” February 2009.
3. Ibid.

About the Author
Dr. Ron Ben Natan, chief technology officer for Guardium, the database security company, has more than 20 years of experience developing enterprise applications and security technology. Guardium, an IBM Company, delivers a scalable platform that prevents information leaks from the data center and ensures the integrity of enterprise data. The company’s enterprise security platform is now installed in more than 450 data centers worldwide, including top government agencies. Dr. Natan has authored 12 technical books, including HOWTO Secure and Audit Oracle 10g and 11g (© 2009 by Taylor and Francis Group, LLC) and Implementing Database Security and Auditing (© 2005, Elsevier, Inc.), the standard texts in the field.
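Returning to the Vulnerability and Configuration Assessment and Change Auditing steps of the eight-steps article above: the Python below is an added example written for this page, not code from the article or from Guardium. It checks a configuration snapshot against assessment rules and diffs it against a gold baseline; the snapshot layout, file paths, parameter names, thresholds and version strings are all constructed for the example.

```python
"""Configuration assessment and change auditing for a database host.

assess() checks a configuration snapshot against security rules (file
privileges on configuration files and executables, the failed-login
lockout threshold, privileges granted on critical tables, known-bad
versions); diff_against_gold() reports every deviation from the "gold"
snapshot. Snapshot layout, paths, parameter names, thresholds and
version strings are constructed for this example.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """Point-in-time view of OS-level and DB-level configuration."""
    version: str
    file_modes: dict    # path -> POSIX permission bits, e.g. 0o640
    parameters: dict    # DBMS parameter name -> value as reported by the DBMS
    grants: dict        # critical table -> {(grantee, privilege), ...}


# Constructed placeholder; a real assessment would consult vendor advisories.
KNOWN_VULNERABLE_VERSIONS = {"1.0.0-example"}
MAX_FAILED_LOGINS = 5
CONFIG_SUFFIXES = (".ora", ".conf", ".ini")


def assess(snap):
    """Return [(severity, finding), ...] for every rule the snapshot violates."""
    findings = []
    if snap.version in KNOWN_VULNERABLE_VERSIONS:
        findings.append(("HIGH", f"version {snap.version} has known vulnerabilities"))
    for path, mode in sorted(snap.file_modes.items()):
        # Neither config files nor executables may be writable by group/other;
        # config files (which may hold credentials) must not be world-readable.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("HIGH", f"{path} is group/world writable (mode {oct(mode)})"))
        elif mode & stat.S_IROTH and path.endswith(CONFIG_SUFFIXES):
            findings.append(("MEDIUM", f"{path} is world readable (mode {oct(mode)})"))
    lockout = snap.parameters.get("failed_login_attempts")
    if not str(lockout).isdigit() or int(lockout) > MAX_FAILED_LOGINS:
        findings.append(("MEDIUM", f"lockout threshold is {lockout!r}; expected <= {MAX_FAILED_LOGINS}"))
    if str(snap.parameters.get("remote_os_authent", "FALSE")).upper() == "TRUE":
        findings.append(("HIGH", "remote_os_authent is enabled"))
    for table, grants in sorted(snap.grants.items()):
        for grantee, priv in sorted(grants):
            if grantee.upper() == "PUBLIC":
                findings.append(("HIGH", f"PUBLIC has {priv} on critical table {table}"))
    return findings


def _mode(m):
    return oct(m) if m is not None else "missing"


def diff_against_gold(gold, current):
    """Change auditing: list every deviation of `current` from the gold snapshot."""
    changes = []
    if gold.version != current.version:
        changes.append(f"version: {gold.version} -> {current.version}")
    for path in sorted(set(gold.file_modes) | set(current.file_modes)):
        g, c = gold.file_modes.get(path), current.file_modes.get(path)
        if g != c:
            changes.append(f"file mode {path}: {_mode(g)} -> {_mode(c)}")
    for key in sorted(set(gold.parameters) | set(current.parameters)):
        g, c = gold.parameters.get(key), current.parameters.get(key)
        if g != c:
            changes.append(f"parameter {key}: {g!r} -> {c!r}")
    for table in sorted(set(gold.grants) | set(current.grants)):
        g, c = gold.grants.get(table, set()), current.grants.get(table, set())
        for grantee, priv in sorted(c - g):
            changes.append(f"grant added on {table}: {priv} to {grantee}")
        for grantee, priv in sorted(g - c):
            changes.append(f"grant revoked on {table}: {priv} from {grantee}")
    return changes


# Constructed snapshots: the approved baseline and a later, loosened state.
GOLD = Snapshot(
    version="2.0.0-example",
    file_modes={"/opt/db/cfg/init.ora": 0o640, "/opt/db/bin/dbserver": 0o750},
    parameters={"failed_login_attempts": "5", "remote_os_authent": "FALSE"},
    grants={"PAYROLL": {("HR_APP", "SELECT"), ("HR_APP", "UPDATE")}},
)
DRIFTED = Snapshot(
    version="2.0.0-example",
    file_modes={"/opt/db/cfg/init.ora": 0o644, "/opt/db/bin/dbserver": 0o750},
    parameters={"failed_login_attempts": "UNLIMITED", "remote_os_authent": "FALSE"},
    grants={"PAYROLL": {("HR_APP", "SELECT"), ("HR_APP", "UPDATE"), ("PUBLIC", "SELECT")}},
)

if __name__ == "__main__":
    for sev, msg in assess(DRIFTED):
        print(f"[{sev}] {msg}")
    for change in diff_against_gold(GOLD, DRIFTED):
        print(f"[CHANGE] {change}")
```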

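The Database Activity Monitoring step above lists the behaviors a DAM tool should alert on. This added example (not the article's or any vendor's code) runs a small rule set over constructed activity records; the record layout, account names, tables, thresholds and sample statements are assumptions made for the example.

```python
"""Database activity monitoring (DAM) rules run over a sample activity stream.

evaluate() flags the behaviors the DAM step names: injection-like access
patterns arriving from the web tier, unauthorized changes to financial
data, privilege elevation and configuration changes issued as SQL, bursts
of failed logins, and a privileged credential in use from several hosts at
once (the "behavioral vulnerability" of shared accounts). Record layout,
account names, tables, thresholds and the sample records are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: accounts permitted to change each critical table.
CRITICAL_TABLES = {"PAYROLL": {"HR_APP"}, "GL_JOURNAL": {"FIN_APP"}}
PRIVILEGED_ACCOUNTS = {"SYS", "DBA_ADMIN", "HR_APP"}
FAILED_LOGIN_LIMIT = 5                 # failures per account inside WINDOW
WINDOW = timedelta(minutes=5)

PRIV_ELEVATION = re.compile(r"\bGRANT\b.*\b(?:DBA|SYSDBA|ALL PRIVILEGES)\b|\bALTER USER\b", re.I)
CONFIG_CHANGE = re.compile(r"\bALTER (?:SYSTEM|DATABASE)\b", re.I)
# Tautology with identical operands (OR 1=1, OR 'a'='a'), UNION-based reads,
# or comment sequences: none of these belong in the web tier's prepared SQL.
INJECTION = re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1|\bUNION\s+(?:ALL\s+)?SELECT\b|--|/\*", re.I)
DML = re.compile(r"^\s*(?:UPDATE|DELETE|INSERT)\s+(?:(?:INTO|FROM)\s+)?(\w+)", re.I)


def evaluate(records):
    """Return alerts as (rule, account, detail) for time-ordered activity records.

    Each record is a dict with keys ts, user, host, app, sql, status.
    """
    alerts = []
    failures = defaultdict(list)    # account -> recent failed-login timestamps
    hosts_seen = defaultdict(dict)  # privileged account -> host -> last seen
    for r in records:
        ts = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
        acct = r["user"].upper()
        if r["status"] == "FAILED_LOGIN":
            recent = [t for t in failures[acct] if ts - t <= WINDOW] + [ts]
            failures[acct] = recent
            if len(recent) == FAILED_LOGIN_LIMIT:   # alert once per burst
                alerts.append(("failed_login_burst", acct, f"{len(recent)} failures within {WINDOW}"))
            continue
        if acct in PRIVILEGED_ACCOUNTS:
            hosts_seen[acct][r["host"]] = ts
            active = sorted(h for h, t in hosts_seen[acct].items() if ts - t <= WINDOW)
            if len(active) > 1:
                alerts.append(("shared_privileged_credential", acct, "hosts " + ", ".join(active)))
        sql = r["sql"]
        if PRIV_ELEVATION.search(sql):
            alerts.append(("privilege_elevation", acct, sql))
        if CONFIG_CHANGE.search(sql):
            alerts.append(("config_change_via_sql", acct, sql))
        if r["app"] == "web" and INJECTION.search(sql):
            alerts.append(("injection_pattern", acct, sql))
        m = DML.match(sql)
        if m:
            table = m.group(1).upper()
            if table in CRITICAL_TABLES and acct not in CRITICAL_TABLES[table]:
                alerts.append(("unauthorized_critical_change", acct, sql))
    return alerts


def _rec(ts, user, host, app, sql, status="OK"):
    return {"ts": ts, "user": user, "host": host, "app": app, "sql": sql, "status": status}


# Constructed activity records, in time order.
SAMPLE = [
    _rec("2010-03-01 09:00:00", "web_app", "web01", "web",
         "SELECT name FROM customers WHERE id = 42"),
    _rec("2010-03-01 09:00:05", "web_app", "web01", "web",
         "SELECT name FROM customers WHERE id = '' OR '1'='1'"),
    _rec("2010-03-01 09:01:00", "jsmith", "ws17", "sqlplus",
         "UPDATE PAYROLL SET salary = salary * 2 WHERE emp_id = 1007"),
    _rec("2010-03-01 09:02:00", "dba_admin", "ws17", "sqlplus", "GRANT DBA TO jsmith"),
    _rec("2010-03-01 09:02:30", "dba_admin", "ws17", "sqlplus",
         "ALTER SYSTEM SET sec_max_failed_login_attempts = 1000"),
    _rec("2010-03-01 09:03:00", "hr_app", "app01", "peoplesoft",
         "SELECT * FROM PAYROLL WHERE emp_id = 1007"),
    _rec("2010-03-01 09:03:10", "hr_app", "ws22", "sqlplus", "SELECT * FROM PAYROLL"),
] + [_rec(f"2010-03-01 09:04:{i:02d}", "sys", "ws22", "sqlplus", "", "FAILED_LOGIN")
     for i in range(6)]

if __name__ == "__main__":
    for rule, acct, detail in evaluate(SAMPLE):
        print(f"{rule:30} {acct:10} {detail}")
```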

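The Auditing step notes that native database logs offer no separation of duties because the database administrator can rewrite them, defeating non-repudiation. This added example (not the article's or any product's code) illustrates how an audit repository kept outside the DBMS can make such tampering detectable with an HMAC chain; the record fields, key handling and sample events are constructed.

```python
"""Tamper-evident audit trail (illustration for the Auditing step).

Each audit record is chained to its predecessor with an HMAC under a key
held by the audit system, not by the DBMS host or its administrators.
Editing, deleting or reordering a record then breaks the chain. Truncating
the tail does not, which is why the latest MAC is periodically checkpointed
elsewhere and handed to verify(). Record fields and key handling are
constructed for this example.
"""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32   # "previous MAC" for the first record


class AuditTrail:
    def __init__(self, key):
        self._key = key      # held by the audit system, never by the DBMS host
        self.records = []    # each record is a dict; "mac" is the chain link

    def _mac(self, prev_mac, body):
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_mac + canon, hashlib.sha256).digest()

    def _tail(self):
        return bytes.fromhex(self.records[-1]["mac"]) if self.records else GENESIS

    def append(self, **fields):
        """Record one audited event; seq makes deletions and reordering visible."""
        body = dict(fields, seq=len(self.records))
        rec = dict(body, mac=self._mac(self._tail(), body).hex())
        self.records.append(rec)
        return rec

    def checkpoint(self):
        """Latest MAC, to be stored outside the repository (e.g. a WORM store)."""
        return self._tail()

    def verify(self, checkpoint=None):
        """Return the index of the first bad record, len(records) if the trail
        was truncated after `checkpoint`, or None if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("seq") != i:
                return i
            expected = self._mac(prev, body)
            if not hmac.compare_digest(expected, bytes.fromhex(rec["mac"])):
                return i
            prev = expected
        if checkpoint is not None and not hmac.compare_digest(prev, checkpoint):
            return len(self.records)
        return None


def build_sample():
    """Constructed trail of three privileged-activity events."""
    trail = AuditTrail(key=b"constructed-demo-key-not-for-production")
    trail.append(user="dba_admin", client="ws17", action="GRANT DBA TO jsmith")
    trail.append(user="jsmith", client="ws17",
                 action="UPDATE PAYROLL SET salary = salary * 2 WHERE emp_id = 1007")
    trail.append(user="dba_admin", client="ws17", action="REVOKE DBA FROM jsmith")
    return trail


if __name__ == "__main__":
    trail = build_sample()
    saved = trail.checkpoint()
    print("intact:", trail.verify(saved))           # None
    trail.records[1]["user"] = "nobody"             # a DBA "correcting" history
    print("edited record:", trail.verify(saved))    # 1
```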


Letter to the Editor

Q: There are a lot of information assurance conferences, forums, and seminars available to the IA community, and the IAnewsletter focuses on several each year. What is the most important IA conference IATAC takes part in annually?

A: A critical aspect of sharing information assurance (IA) related information is attending events where solutions for pressing IA problems can be discussed. These events also help the IA community learn about the resources available to them and some of the cutting-edge developments in the IA field. IATAC attends, exhibits, and presents at several conferences a year to take part in critical IA discussions, and to promote outreach and awareness for the free products and services we offer. The biggest conference we attend each year is the Information Assurance Symposium (IAS), hosted by the National Security Agency, Defense Information Systems Agency, and US Strategic Command.

This year’s conference took place in Nashville, TN, February 2-4, bringing together over 2,000 attendees from all three of IATAC’s target communities: government, industry, and academia. Attendees had the opportunity to participate in one of four tracks. The Protect track focused on discovering ways to improve information security and harden networks. The Defend track looked at how cyber warriors can detect, diagnose, and respond to security threats effectively. The Survive track featured sessions on sustaining mission essential functionalities during network attacks. Finally, the Making it all Happen track analyzed how to staff, equip, train, and certify the cyber warrior.

IAS stressed the importance of true collaboration and the need to achieve information superiority, and it provided the IA community with networking opportunities essential to achieving these goals. IATAC was glad to take part in IAS this year, and we look forward to participating again next year.

ASK THE EXPERT




Public/Private Partnership
Becoming a Necessity
by Allan Carey




Governments have long dealt with espionage and attempts to exfiltrate state secrets and intellectual property. The interconnected world of computing systems has split our efforts to detect and thwart such attempts between the physical and logical worlds. The term advanced persistent threat (APT), which originated in the US Air Force around 2006, has had relevancy in the information assurance world. However, beyond government and the defense industrial base, no one in the private sector had really heard of or cared about APT.

Until now… Why? Google vs. China catapulted APT into the mass media spotlight for better or worse. [1] Back in July 2009, Richard Bejtlich ran a Google search on “advanced persistent threat” prior to an Institute for Applied Network Security briefing, which yielded 34 unique hits. [2] As of 16 January 2010, the same search returned 169 hits. During the week of 25 January 2010, The Christian Science Monitor reported on stolen bid data from three major energy companies with traces back to China. [3] And Mandiant, a specialized consulting firm, released its first M-Trends Report, which highlighted the types of attacks they have investigated, including ones perpetrated by the APT. [4]

Let’s start with the negative part of this attention. APT has just made the buzzword bingo chart of marketing professionals targeting our industry. The term will be misrepresented, misused, and basically abused to promote and sell products and services with the promise of solving this problem. For the misguided, their attention and resources will be directed away from solving their real information assurance problems. The well informed should see right through the APT elixir.

On the positive side, senior security leaders are now more aware of this threat vector, even though they may not have the budget or resources to do something about it. As a result, organizations are getting engaged in the conversation and looking for ways to collaborate and share information. Changing the way in which we interact and exchange best practices must occur, particularly around this topic, because our advanced persistent adversaries are incredibly organized and well funded. They are sharing best practices and techniques; as a profession, we must do the same, because continuing to fight the battle in siloed efforts is not a sustainable strategy.

One promising example of public/private partnership is the impending relationship between Google and the National Security Agency. This action is a step in the right direction for sharing defensive techniques and enabling another organization to better defend itself. Another example is the National Security Telecommunications Advisory Committee Network Security Information Exchanges, which I believe will see increased participation from industry in light of the recent developments. Other groups and relationships are forming behind closed doors, but the motivation and business drivers are strong enough to hopefully change the paradigm between public/private partnership and information sharing overall.

References
1. http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
2. www.taosecurity.com
3. http://www.csmonitor.com/Commentary/editors-blog/2010/0126/Why-the-China-virus-hack-at-US-energy-companies-is-worrisome
4. http://www.mandiant.com/news_events/article/mandiant_releases_first_annual_m-trends_report_at_u.s._department_of_d

Apples & Oranges:
Operating and Defending
the Global Information Grid
by Dr. Robert F. Mills, Major Michael B. Birdwell, and Major Kevin R. Beeker




C    yberspace is a contested,
     warfighting domain, but we’re not
really treating it as such, partly because
                                                        and described a shift in culture that
                                                        must occur for the United States to be
                                                        effective in this domain: “We must
                                                                                                    commander involvement and
                                                                                                    responsibility for cyberspace operations.
                                                                                                         Our leaders are making some very
our language and doctrine have not                      think about this domain and the tools in    interesting points here. We are all on the
matured to the point that allows us to do               this domain and the readiness of this       front line of defense and are involved in
so. One reflection of our immature                      domain as commanders, as essential to       cyber operations every day. General
language is our inability to clearly                    successful operations.” General Chilton     Chilton’s analogy of the gate guard who
differentiate the concepts of network                   calls every Soldier, Sailor, Airman,        “keeps the wrong people out” is
operations (NETOPS) and computer                        Marine, DoD civilian, and contractor to     noteworthy, but his use of the word
network defense (CND). This creates                     arms, saying, “They are part of the front   ‘defense’ is misleading—he’s really
confusion about the roles and                           line of defense and in fact they’re         talking about ‘security and force
responsibilities for provisioning,                      engaged in cyber operations that matter     protection.’ But he’s not the only one
sustaining, and defending the network—                  every day, whether they know it or not.”    who falls into this trap—our doctrine is
much less actually using it. In this                    He compares operations in the domain        just as confusing.
article, we resolve this confusion by                   to “the guards who guard your bases,
highlighting the differences among                      who stand there at the gate and make        NETOPS and Network Defense
maintenance, defense, and mission                       sure only the right people come in and      This is how the DoD Dictionary defines
assurance activities. Only by separating                keep the wrong people out—that’s            NETOPS and CND:
these activities can we more effectively                everybody who has a computer on their       ff NETOPS—“activities conducted to
organize, train, and equip people to                    desk in these domains today.” [1]               operate and defend the Global
perform those tasks. We also describe                        Similarly, Air Force Chief of Staff        Information Grid.”
how the mission assurance aspect of                     General Norton A. Schwartz sent an          ff CND—“actions taken to protect,
NETOPS can better be viewed as a force                  e-mail to every member of the Air Force         monitor, analyze, detect, and
protection issue, thereby highlighting                  entitled Cyberspace Operations Culture          respond to unauthorized activity
the importance of the unit commander                    Change on May 27th, 2009. In this e-mail        within DoD information systems
in the cyberspace puzzle.                               he wrote, “Compliance with time critical        and computer networks.” [3]
                                                        software updates will gain new
Culture Change                                          emphasis and commanders will be held             Figure 1 illustrates the NETOPS
There has been much talk about                          accountable…. Our Air Force must move       continuum, and demonstrates the
changing our cyber culture—specifically                 to a system of tight network control,       difficulty in distinguishing between the
with respect to how we use cyberspace.                  personal responsibility, and                two disparate functions of maintenance
General Kevin J. Chilton, the                           accountability as we execute our global     and defense.
Commander of US Strategic Command                       mission on behalf of our Nation.” [2]            Effective CND uses a defense-in-
(USSTRATCOM), hosted a Cyberspace                       General Schwartz made it clear that all     depth strategy and employs intelligence,
Symposium in April 2009. In his opening                 Air Force members operate in                counterintelligence, law enforcement,
remarks, he labeled cyberspace                          cyberspace and echoed General               and other military capabilities as
operations as commanders’ business                      Chilton’s comments emphasizing              required. However, the CND culture is


38   IAnewsletter Vol 13 No 2 Spring 2010   •   http://iac.dtic.mil/iatac
Our intent is not to diminish the
                                     NETOPS                                                importance of NETOPS activities—these
                                                                                           activities are critical to our ability to
        Operate the Network                             Defend the Network                 operate in and through cyberspace. But
                                                                                           they are not defensive activities—at least
                                                                                           not in the classical understanding of the
Figure 1 NETOPS and CND Continuum
                                                                                           concept. Turning to Carl von Clausewitz,
                                                                                           we see a much different concept of
largely one of information assurance         achieve that, this is a maintenance
                                                                                           defense than is currently applied to
(e.g., confidentiality, integrity, and       activity. (Indeed, do we even really know
                                                                                           cyberspace:
availability), system interoperability,      how many computers we have, let alone
and operations and maintenance               how many are compliant?) This is no
                                                                                                  What is the concept of defense? The
(O&M). Many of the things that we            more a defensive activity than counting
                                                                                           parrying of a blow. What is its
routinely call ‘cyberspace defense’ in       all the rifles in an infantry company and
                                                                                           characteristic feature? Awaiting the blow.
cyberspace are really just O&M               inspecting them to ensure that they are
                                                                                           It is this feature which turns any action
activities—such as setting firewall rules,   properly cleaned and in working order.
                                                                                           into a defensive one; it is the only test by
patching servers and workstations,                 Our current NETOPS/CND mindset
                                                                                           which defense can be distinguished from
monitoring audit logs, and                   is intentionally focused inward, with
                                                                                           attack in war. Pure defense, however,
troubleshooting circuit problems.            emphasis on ensuring that friendly
                                                                                           would be completely contrary to the idea
      We talk about vulnerabilities and      forces have freedom of action within
                                                                                           of war, since it would mean that only one
the thousands of ‘cyber attacks’ against     and through cyberspace. Contrast this
                                                                                           side was waging it…. But if we are really
our networks every day, but we do not        with a traditional warfighting mentality
                                                                                           waging war, we must return the enemy’s
treat cyberspace operations like those       in which we study an adversary’s
                                                                                           blows; and these offensive acts in a
conducted in other domains. Server           potential courses of action, develop and
                                                                                           defensive war come under the heading of
availability and communications circuit      refine operational plans to meet national
                                                                                           ‘defense’ –in other words, our offensive
status are represented as green, yellow,     and military objectives, parry thrusts,
                                                                                           takes place within our own positions or
and red lights on a stop-light chart, with an objective being 'all green.' And yet, when a system or circuit is reported as yellow or red, we rarely understand what the true operational impact is in a timely manner. Furthermore, thousands of systems administrators routinely count and scan computers to ensure that their software and operating system patches are current. The objective is 100% compliance, but even if we could

and launch counterattacks. While we do worry about internal issues such as security, force protection, logistics, and sustainment, our focus remains outward on the adversary. Granted, terms such as 'inward' and 'outward' mean different things when discussing cyberspace (because geographic boundaries are somewhat irrelevant), but we generally use these terms to refer to friendly forces and adversaries, respectively.

theater of operations. Thus, a defensive campaign can be fought with offensive battles, and in a defensive battle, we can employ our divisions offensively. Even in a defensive position awaiting the enemy assault, our bullets take the offensive. So the defensive form of war is not a simple shield, but a shield made up of well-directed blows. [4]



                                                                          IAnewsletter Vol 13 No 2 Spring 2010   •   http://iac.dtic.mil/iatac   39
Similarly, Army Field Manual 3-0, Operations, states the following:

Defensive operations defeat an enemy attack, buy time, economize forces, or develop conditions favorable for offensive operations. Defensive operations alone normally cannot achieve a decision. Their purpose is to create conditions for a counteroffensive that allows Army forces to regain the initiative. [5]

These definitions of defense do not sound like our current approach to NETOPS and CND. Clausewitz might say we have a shield mentality about cyber defense. The O&M activities that we routinely refer to as 'network defense' are passive and do not try to gain or maintain the initiative. An active defense—one that employs limited offensive action and counterattacks to deny the adversary—will be required to have a genuinely defensive capability in cyberspace.

A Force Protection Model
So if NETOPS isn't CND, then what is it? Joint Publication (JP) 6-0, Joint Communications System, is the DoD's capstone document for communications and network support to joint operations. Chapter IV discusses NETOPS in depth, stating:
• The effectiveness of NETOPS is measured in terms of availability and reliability of network enabled services, across all areas of interest, in adherence to agreed-upon service.
• The purpose of NETOPS is assured system and network availability, assured information protection, and assured information delivery. [6]

The overarching theme in these statements is the ability for users (customers) to accomplish their missions, which leads us to the concept of 'mission assurance.' Mission assurance includes a number of activities and measures taken to ensure the availability of required capabilities and supporting infrastructures to support military operations and accomplish assigned missions. This includes areas such as force protection, antiterrorism, information assurance, and continuity of operations. [7] The security portion of NETOPS then can be viewed as a form of force protection, where force protection is defined as follows:

Preventive measures taken to mitigate hostile actions against DoD personnel (to include family members), resources, facilities, and critical information. Force protection does not include actions to defeat the enemy or protect against accidents, weather, or disease. [8]

This definition does not say anything about defense in terms of maneuver and fires, but it does highlight that everyone in the DoD has a role in 'mitigating hostile activities' that can certainly be extended to cyberspace. There are several reasons we should look at force protection doctrine as it relates to the NETOPS/security problem. The first is that force protection activities and doctrine are well-defined, and force protection experts have developed a rigorous methodology to define the force protection process, as illustrated in Figure 2. The following force protection core principles apply to cyberspace:
• Determine the threat via a tailored threat assessment
• Determine critical infrastructure via a criticality assessment
• Determine vulnerability via a vulnerability assessment
• Determine acceptable risk via a risk assessment
• Develop a comprehensive force protection plan
• Exercise the plan to determine limiting factors and gain process familiarity.

Figure 2 Force Protection Planning Process [9]: a cycle of Threat Assessment, Criticality Assessment, Vulnerability Assessment, Risk Assessment, Force Protection Planning, FP Plan, and Exercise Plan, which then starts over with the next threat assessment.

A second reason to look at force protection is that force protection is an inherent responsibility of command. Air Force Doctrine Document 2-4.1, Force Protection, clearly states, "Commanders at all levels must make force protection an imperative." [10] A fundamental premise within JP 6-0 is that many of the responsibilities for NETOPS activities remain within the purview of the communications community. With a force protection mindset, responsibility shifts to the person who is accountable for mission accomplishment—the commander. At all levels of warfare, the commander should have the best understanding of both the mission and the requirements to accomplish it. The unit commander is therefore integral to cyberspace force protection actions and is not merely a customer. This conceptual shift integrates cyberspace force protection at the lowest possible level, thereby making it a unit commander's responsibility—which is where General Chilton said it should be!

Finally, the concept of force protection brings with it responsibility to every member of the force. The gate guards may "let the right people come in and keep the wrong people out," but we must be on the lookout for those who have gotten past the perimeter fence and those insiders who engage in malicious acts. Using a force protection paradigm, information assurance would equate closely to the Air Force (AF) Office of Special Investigations (OSI) 'Eagle Eyes'



construct. The AF OSI Eagle Eyes website states:

The Eagle Eyes program is an Air Force anti-terrorism initiative that enlists the eyes and ears of Air Force members and citizens in the war on terror. Eagle Eyes teaches people about the typical activities terrorists engage in to plan their attacks. Armed with this information, anyone can recognize elements of potential terror planning when they see it. [12]

Conclusions
Semantics matter. One of the fundamental purposes of joint doctrine is to provide a common language that describes how we organize, train, equip, and employ our military capabilities. Inadequate semantics creates confusion and degrades our warfighting capability. Our current language confuses the use, operations and maintenance, and the defense of the cyberspace domain, which makes roles and responsibilities unclear. Our recommendations to remedy this situation are as follows:
1. Redefine NETOPS as "actions taken to provision and maintain the cyberspace domain." This would capture the current concepts of operations and maintenance while removing the ambiguity caused by including defense within the NETOPS construct.
2. Leverage concepts such as 'mission assurance' and 'force protection' to help change the culture and engage all personnel—users, maintainers, and cyber operators. Everyone has a role in security and force protection, but we are not all cyber defenders. Force protection and mission assurance are focused inward on our mission.
3. Redefine our CND construct to be more consistent with our approach to the concept of 'defense' in the other domains of warfare, to include the concept of active defense. This would shift the concept from maintenance to operations, from inward to outward (to our adversaries). CND is about delivering warfighting effects (e.g., denying, degrading, disrupting, and destroying the cyber capabilities of our adversaries).

Taken together, these concepts provide a framework to develop cyberspace capabilities and personnel to meet joint mission requirements and to more effectively engage in operations in cyberspace.

About the Authors
Dr. Robert F. Mills is an Associate Professor of electrical engineering at the Air Force Institute of Technology (AFIT), Wright-Patterson AFB, OH. He teaches graduate courses and leads sponsored research in support of AFIT's cyber operations and warfare program. His research interests include network management and security, communications systems, cyber warfare, and systems engineering. He retired from active duty in the US Air Force after serving 21 years as a communications officer.

Major Michael B. "Bo" Birdwell is a career intelligence officer. He is the Director of Operations at the Air Mobility Command Air Intelligence Squadron at Scott Air Force Base, IL. Major Birdwell is a graduate of the Air Force Academy (1996), the USAF Weapons School Intelligence Division (2001), and AFIT's Cyber Warfare Intermediate Developmental Education Program (2009).

Major Kevin Keller Beeker is now the J2 Targeting Chief for the Joint Functional Component Command for Network Warfare (JFCC-NW) at Ft Meade, MD. He is a senior A/OA-10 combat pilot, who also completed an exchange tour flying F/A-18s with the United States Navy. He is a 1996 graduate of the United States Air Force Academy, with a Bachelor of Science in computer science. He is also a 2009 graduate of AFIT's Cyber Warfare Intermediate Developmental Education Program.

References
1. General Kevin Chilton, Opening Remarks to the April 2009 USSTRATCOM Cyberspace Symposium, http://www.stratcom.mil/speeches/23
2. General Norton A. Schwartz, Letter to All Airmen, dated 27 May 2009.
3. DoD Dictionary of Military Terms, http://www.dtic.mil/doctrine/dod_dictionary
4. Taken from Peter G. Tsouras, Warriors Words: A Quotation Book, Arms and Armour Press, London, 1992, p. 128.
5. US Army Field Manual (FM) 3-0, Operations, 14 Jun 2001, p. 1-15, http://www.dtic.mil/doctrine/jel/service_pubs/fm3_0a.pdf
6. Joint Publication (JP) 6-0, Joint Communications System, 20 Mar 2006, p. IV-1, http://www.dtic.mil/doctrine/new_pubs/jp6_0.pdf
7. DoD Directive 3020.40, Defense Critical Infrastructure Program, 19 Aug 2005, p. 13, http://www.dtic.mil/whs/directives/corres/pdf/302040p.pdf
8. DoD Dictionary of Military Terms.
9. DODI 2000.16, DoD Antiterrorism (AT) Standards, provides clear guidance on the tools necessary to define the threat, determine what is critical, determine what is vulnerable, determine acceptable risk, develop a plan, exercise the plan, and then start over. The AT Risk Management process is outlined in enclosure 3 (pages 13-22). Available at http://www.dtic.mil/whs/directives/corres/pdf/200016p.pdf
10. Air Force Doctrine Document 2-4.1, 9 Nov 2004, p. 11.
11. http://www.e-publishing.af.mil/shared/media/epubs/AFDD2-4.1.pdf
12. The USAF OSI Eagle Eyes website is http://www.osi.andrews.af.mil/eagleeyes/index.asp

The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government.


LPS-Public: Secure Browsing and an Alternative to CAC Middleware
by Lt Col Ken Edge and Kevin Sweere

On January 15, 2010, the Air Force Portal started granting access only to those users who have a Common Access Card (CAC) or public key infrastructure certificate, blocking login via user/password. Other Department of Defense (DoD) sites require CACs for some activities, and it is likely many other federal agencies will also soon require two-factor authentication for sensitive Web services.

The DoD's solution for users of Windows XP Pro and Vista (a Windows 7 solution is coming soon) is to download licensed ActivClient middleware from an internal website. Users must install smartcard drivers, the middleware, and DoD root certificates on their Windows Personal Computers (PC). But that leaves out those running Mac or Linux systems, those using another's computer (e.g., a friend's, corporate, or public computer), those lacking administrator privileges, and those who just do not want to make the requisite changes to update their computers. Lightweight Portable Security, Public edition (LPS-Public) alleviates all these problems. And it's free from http://spi.dod.mil/.

LPS-Public offers other benefits: computers that are old, slow, infected, or crashed, or those that are missing a hard drive, can now browse the Internet again. Because LPS-Public operates only in Random Access Memory (RAM), users may visit risky, malware-infected sites with very little permanent risk. Likewise, users' private sessions and sensitive transactions occur within a leave-no-local-trace browsing environment. One caveat applies: a read-only boot medium isolates the session from whatever is on the host's disk, but it cannot protect the session on a host whose firmware or hardware has already been tampered with, for example by a hardware keylogger.

LPS-Public provides a thin, secure end-node for cloud computing. Created by the Software Protection Initiative at the Air Force Research Laboratory (AFRL), LPS-Public boots from a CD, runs only in RAM, installs nothing to the hard drive, and does not require administrative rights. LPS-Public provides a Firefox browser with plug-ins, CAC middleware, certificates, and a PDF viewer within a very thin Linux operating system. It's a great solution for users with Mac, Linux, or Windows 7 systems, or those using others' computers.

A derived and accredited version, LPS-Remote Access, offers teleworkers remote desktop virtualization of their company's or agency's network. This means far fewer government laptops. Now one only needs to carry a CAC reader and a custom CD and then use almost any personal, public, or corporate computer to use a NIPRNet computer remotely.

The Software Protection Initiative (SPI) protects critical DoD intellectual property against nation-state class threats by taking an alternative approach to security based on three tenets: 1) Focus on What's Critical, 2) Move it Out-of-Band, and 3) Detect, React, Adapt. SPI solves your toughest cyber-defense challenges. The AFRL's ATSPI Technology Office manages SPI for the DDR&E via the High Performance Computing and Modernization Program.

Download the free LPS-Public ISO image from http://spi.dod.mil/lipose.htm.

Those wishing to get more details or interview a subject matter expert should contact Josh Aycock, 88 ABW/PA, at Joshua.aycock@wpafb.af.mil or 937-522-3514.

About the Authors
Lt Col Kenneth Edge graduated from the US Air Force Academy with a degree in electrical engineering. His previous assignments in the Air Force have included flying C-141 and C-21 airplanes. Lt Col Edge completed his Master's degree in electrical engineering at Wright State University, and then earned his PhD in computer security from the Air Force Institute of Technology. He serves at the AFRL as the Office of the Director, Defense Research and Engineering's SPI Program Manager.

Kevin Sweere serves the SPI as an Advisory and Assistance Services contractor from the not-for-profit Riverside Research Institute. He holds a Master's degree in Mechanical Engineering from Michigan Technological University and an MBA from the University of Cincinnati. He was a search and rescue dog trainer, snowplow researcher, Army Ranger, Armor Battalion S4, satellite operator, and designer/builder of two bleeding-edge intelligence production centers. He now teaches his Tiger Scout den land navigation and fire building.

FREE Products Order Form
Instructions: All IATAC LIMITED DISTRIBUTION reports are distributed through DTIC. If you are not a registered DTIC user, you must do so prior to ordering any IATAC products (unless you are DoD or Government personnel). To register online: http://www.dtic.mil/dtic/registration. The IAnewsletter is UNLIMITED DISTRIBUTION and may be requested directly from IATAC.

Name, DTIC User Code, Organization, Ofc. Symbol, Address, Phone, Email, Fax
Please check one: USA, USMC, USN, USAF, DoD, Industry, Academia, Government, Other
Please list the Government Program(s)/Project(s) that the product(s) will be used to support.

LIMITED DISTRIBUTION
IA Tools Reports: Firewalls; Intrusion Detection; Vulnerability Analysis; Malware
Critical Review and Technology Assessment (CR/TA) Reports: Biometrics (soft copy only); Configuration Management (soft copy only); Defense in Depth (soft copy only); Data Mining (soft copy only); IA Metrics (soft copy only); Network Centric Warfare (soft copy only); Wireless Wide Area Network (WWAN) Security; Exploring Biotechnology (soft copy only); Computer Forensics (soft copy only; DTIC user code MUST be supplied before these reports will be shipped)
State-of-the-Art Reports (SOARs): Measuring Cyber Security and Information Assurance; IO/IA Visualization Technologies (soft copy only); The Insider Threat to Information Systems (soft copy only; DTIC user code MUST be supplied before these reports will be shipped); Modeling & Simulation for IA (soft copy only); Malicious Code (soft copy only); Software Security Assurance; Data Embedding for IA (soft copy only); A Comprehensive Review of Common Needs and Capability Gaps

UNLIMITED DISTRIBUTION
IAnewsletter hardcopies are available to order. Softcopy back issues are available for download at http://iac.dtic.mil/iatac/IA_newsletter.html
Volume 11: No. 1, No. 2, No. 3, No. 4
Volume 12: No. 1, No. 2, No. 3, No. 4
Volume 13: No. 1

SOFTCOPY DISTRIBUTION
The following are available by email distribution: IADigest; IA/IO Scheduler; Research Update; Technical Inquiries Production Report (TIPR)

Fax completed form to IATAC at 703/984-0773

Calendar

May
DISA Customer Partnership Conference
3–7 May 2010, Nashville, TN
http://www.disa.mil/conferences/

New York Metro Information Security Forum
4–5 May 2010, New York, NY
http://www.ianetsec.com/forums/calendar.html

Joint Warfighting 2010
11–13 May 2010, Virginia Beach, VA
http://www.afcea.org/events/jwc/10/intro.asp

IEEE Symposium on Security and Privacy
16–19 May 2010, Oakland, CA
http://oakland31.cs.virginia.edu/index.html

June
Forum of Incident Response and Security Teams (FIRST) Annual Conference
13–18 June 2010, Miami, FL
http://conference.first.org/

Lone Star Information Security Forum
23–24 June 2010, Dallas, TX
http://www.ianetsec.com/forums/calendar.html

July
2010 Software Protection, IA and Anti-Tamper SBIR Workshop
20–22 July 2010, WPAFB, OH
http://www.spi.dod.mil/workshop.htm

Black Hat USA 2010
24–29 July 2010, Las Vegas, NV
http://www.blackhat.com/html/events.html

DEF CON 18
30 July–1 August 2010, Las Vegas, NV
https://www.defcon.org/

August
LandWarNet 2010
3–5 August 2010, Tampa, FL
http://events.jspargo.com/lwn10/Public/MainHall.aspx

Air Force Information Technology Conference (AFITC 2010)
30 August–1 September 2010, Montgomery, AL
http://www.mc2-afitc.com/



To change, add, or delete your mailing or email address (soft copy receipt), please contact us at the address below, call us at 703/984-0775, fax us at 703/984-0773, or send us a message at iatac@dtic.mil.




Information Assurance Technology Analysis Center
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171

Vol13 no2

  • 1.
    Volume 13 Number2 • Spring 2010 13/2 The Newsletter for Information Assurance Technology Professionals Cloud Computing: Silver Lining or Storm Ahead? also inside Establishing Trust in Insider Threat Center at Public/Private Partnership Cloud Computing CERT Grows Solutions from Becoming a Necessity Reality-Based Research Cloud Computing for the Apples & Oranges: Operating Federal Community Wikis Within the DoD and Defending the Global Information Grid DISA RACE: Certification and Vulnerability Assessment EX Accreditation for the Cloud Processes Within DoD LPS-Public: Secure C E L L E NC E SE R V CE N Browsing and an Alternative N I NF IO O R MA T Look Before You Leap Eight Steps to Holistic to CAC Middleware Database Security
  • 2.
    contents feature About IATAC and the IAnewsletter The IAnewsletter is published quar- terly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a Department of Defense 20 Look Before You Leap: Security Considerations in a 34 Eight Steps to Holistic Database Security Government organizations are 4 (DoD) sponsored Information Analysis Center, administratively managed by Web 2.0 World finding new ways to secure the Defense Technical Information Center (DTIC), and Director, Defense Embracing social media is their data. Research and Engineering (DDR&E). imperative to success in a new 37 Contents of the IAnewsletter are not necessarily the official views of or communications environment, but Public/Private endorsed by the US Government, DoD, DTIC, or DDR&E. The mention of Establishing Trust in Cloud Computing doing so without adequate planning Partnership commercial products does not imply endorsement by DoD or DDR&E. We can argue that it is not a matter of can do more harm than good. Becoming a Necessity whether cloud computing will become Combating advanced persistent 25 Inquiries about IATAC capabilities, products, and services may be addressed to— ubiquitous—because the economic forces Insider Threat Center threat (APT) in silo efforts is an IATAC Director: Gene Tyler are inescapable—but rather what we can at CERT Grows unsustainable strategy. Inquiry Services: Peggy O’Connor do to improve our ability to provide cloud Solutions from Reality- 38 If you are interested in contacting an author directly, please e-mail us at computing users with trust in the cloud Based Research Apples & Oranges: Iatac@dtic.mil. services and infrastructure. Educating organizations on how Operating and IAnewsletter Staff to detect and manage insider Defending the Global 9 Art Director: Tammy Black Copy Editor: Kali Wilson Designers: Michelle Deprenger IATAC Spotlight on a threat is critical. 
Information Grid Dustin Hurt University Our language and doctrine needs 26 Editorial Board: Dr. Ronald Ritchey Angela Orebaugh Gene Tyler Penn State is one of the nation’s Wikis Within the DoD to evolve to view cyberspace as Kristin Evans Al Arnold ten largest undergraduate Reaping the benefits the contested, warfighting IAnewsletter Article Submissions engineering schools. of community-driven information domain it is. To submit your articles, notices, sharing with wikis. 10 42 programs, or ideas for future issues, please visit http://iac.dtic.mil/iatac/ Cloud Computing for LPS-Public: Secure 29 IA_newsletter.html and download an “Article Instructions” packet. the Federal Community IATAC Spotlight Browsing and an IAnewsletter Address Changes/ Additions/Deletions A community cloud is the most on a Conference Alternative to CAC Middleware To change, add, or delete your mailing or email address (soft-copy receipt), secure way for the federal This event provided opportunities Secure Browsing and an please contact us at— government to realize the to learn about research as well Alternative to CAC Middleware: IATAC Attn: Peggy O’Connor potential of cloud computing. as ongoing developments. The public edition LPS is a free, 13200 Woodland Park Road easy to use, install nothing, 16 30 Suite 6031 Herndon, VA 20171 DISA RACE: Vulnerability browsing alternative with Phone: 703/984-0775 Fax: 703/984-0773 Certification and Assessment built-in CAC software for Email: iatac@dtic.mil Accreditation for the Cloud Processes Within DoD almost any computer. URL: http://iac.dtic.mil/iatac Government organizations are Standardizing the vulnerability Deadlines for Future Issues Summer 2010 May 8, 2010 taking full advantage of the assessment processes can help Cover design: Tammy Black potential benefits offered by avert disaster. Newsletter cloud computing. 
33 in every issue design: Donald Rowe Distribution Statement A: Subject Matter Expert Approved for public release; distribution is unlimited. The SME profiled in this 3 IATAC Chat article is Dr. Peng Liu, at 36 Letter to the Editor Pennsylvania State University. 43 Products Order Form 44 Calendar 2 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
  • 3.
    IATAC Chat Gene Tyler, IATAC Director I n early February, I had the opportunity to attend the Information Assurance Symposium (IAS) in importantly, its weaknesses. I believe they say it best in their statement, “It is unclear whether the current set of [cloud this edition of the IAnewsletter also provide you with various perspectives on cloud computing so that you feel Nashville, TN. I always look forward to computing] services is sufficiently inspired to enter into the dialogue. I ask attending this event because it brings secure and reliable for use in sensitive you, is cloud computing the silver lining together folks who truly care about government environments.” They to computing, and should we storm information assurance (IA). I am always advocate a cautious approach to ahead in implementing it across various excited to converse with colleagues implementing cloud computing organizations? Or might it weaken our interested in solving tough IA problems capabilities across the government and, computer network defenses and result ahead, and yet again, the IAS did not in particular, the Department of in a potential storm of malicious attacks fail; I enjoyed talking with people about Defense (DoD). However, these subject in the future? some of the newest innovations matter experts remain optimistic, which In addition to cloud computing, I currently changing our field. is why they are excited about the invite you to look at the various other One topic that seemed to dominate research and investigation NPS is doing articles in this edition that highlight the the conversations I had with various to identify methods of securing cloud- following topics, also discussed at IAS: colleagues and subject matter experts at based systems. 
insider threat; Web 2.0 Security; social IAS was cloud computing, and as this On the other hand, some media and its use in DoD; vulnerability edition of the IAnewsletter reflects, this organizations are beginning to assessments; defending the Global topic is getting a lot of well-deserved successfully implement cloud Information Grid; and our industry attention, for a multitude of different computing already. Most notably, the expert contributes a very interesting reasons. Cloud computing is Defense Information Systems Agency article on public/private partnerships. revolutionizing how organizations are (DISA) successfully developed the Rapid As I always remind our readers, we are constructing their networks and Access Computing Environment (RACE), interested in your perspectives and systems; it is changing how which is a cloud-based system. Not only welcome your contributions to this organizations invest in their information has DISA successfully implemented publication. We know our readers are technology infrastructure; and it is RACE, but, as the authors point out, the very subject matter experts who are forcing organizations to reconsider how “certification and accreditation policy analyzing and experimenting with they secure critical information— has been adapted to allow organizations innovative solutions like cloud security is critical and at the forefront of to use RACE cloud resources, thereby computing. Feel free to contact us at cloud computing quickly connecting to the cloud while iatac@dtic.mil with your perspective on But what, exactly, is cloud complying with DoD requirements.” the cloud debate! computing; and how do you ensure Munjeet Singh and Troy Giefer remain information security in the cloud deeply involved with DISA as it computing environment? Dr. Bret implements cloud solutions, and as a Michael and Dr. 
George Dinolt, of the result, their article, “DISA RACE: Naval Postgraduate School (NPS), Certification and Accreditation for the address some of these questions in their Cloud,” provides a different perspective article, “Establishing Trust in Cloud on cloud computing and its advantages. Computing.” They argue that a lot of As these two articles suggest, there discovery is necessary before the IA is a lot of debate over cloud computing, community can fully understand cloud the advantages it offers, and the risks it computing, its benefits, and more presents. I hope the articles presented in IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 3
  • 4.
    F E ATU R E S T O R Y Establishing Trust in Cloud Computing by Dr. Bret Michael and Dr. George Dinolt I n the aptly titled article, “Cloud Assurance Still Missing,” Allan Carey wrote, “The security problems that computing as a vehicle for maintaining their competitive edge. A recent technical report published ff IaaS (Infrastructure as a Service)— the cloud provides an infrastructure including (virtual) platforms, organizations face related to cloud by the University of California, Berkeley, networking, etc. on which computing are the same as those related states that there is no commonly agreed applications can be placed; to virtualization—but even more so.” [1] upon definition of cloud computing. [5] ff SaaS (Software as a Service)— He goes on to say, “Information Instead, a definition is emerging as the the cloud provides software assurance practitioners already have various organizations that are applications. most of what is needed to make an developing cloud services evolve their informed set of decisions about cloud offerings. In addition, there are many Amazon’s Elastic Compute Cloud computing.” [2] We would argue that the shades of cloud computing, each of (EC2) is an example of these services. [8] security problems go well beyond the which can be mapped into a Google also provides enterprise-level use of virtualization in distributed multidimensional space with the integrated application services such as systems. In this article, we discuss the dimensions being characteristics, service email, appointment calendars, text need for asking critical questions about models, and deployment models. [6] processing and spreadsheets. [9] the security implications of cloud Cloud computing is a metaphor for The claimed advantages for an computing. 
Answers to our questions giving Internet users a growing enterprise are that it does not require an are not readily apparent, even though collection of computer system resources investment in computer resources, viewing computing as a utility, similar and associated software architectures to infrastructure, administration, etc.: the to that of providing water or electricity provide application services. [7] The purveyor of the cloud provides these on a for-fee basis, dates back to at least applications include processing and resources. The user or enterprise only the 1960s. [3] application integration, storage, and pays for the resources “consumed.” In the As we pointed out in a recent communications services. Cloud Department of Defense (DoD), we have article, [4] what has changed over time services are typically available on seen the introduction of infrastructure is the advancement of the underlying demand and are charged on a usage services on demand provided by the technology, including cheap, fast central basis. Often, what the user sees is an Defense Information Systems Agency’s processing units (CPUs), low-cost application instead of a particular Rapid Access Computing Environment random access memory (RAM), computer. The services are commonly (DISA RACE). [10] Where available, the inexpensive storage, and the high- described as: cost of developing and maintaining bandwidth standardized ff PaaS (Platform as a Service)­ the — specialized applications can be shared communication needed to efficiently cloud provides hardware resources, among the users of that application. In move data from one point to another. typically virtual machines, which theory, there is an advantage in having Additionally, considerations, such as the can be loaded with the users, large-scale resources shared among a economies of scale involved in building operating system and software; large class of users. However, this has yet very large data centers, nudged to be borne out. 
[11] There are, of course, organizations to consider cloud applications that require a large number of resources. Google Search is one such 4 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
  • 5.
    example. It appearsthat Google, with an appropriate level of security should be asking to improve the security Amazon, and others are attempting to transparency to alleviate customers’ and privacy clouds afford. However, we leverage their ability to construct such a reservations about the security and can ask fundamental questions like: are system into other environments. privacy afforded by the cloud. [12] How the current architectures adequate for We can argue that it is not a matter much transparency is enough? How do building trusted clouds? If not, what of whether cloud computing will we provide for transparency of cloud types of software system architectures become ubiquitous but rather what we resources (i.e. determining the cloud in do we need? Consider, for instance, the can do to improve our ability to provide which customer data resides)? Is there a possibility that an organization might cloud computing users with assurance tipping point at which additional levels opt to fully outsource its computing that the cloud services and of transparency would only serve to infrastructure and data center to the infrastructure provide appropriate help malefactors compromise services cloud, retaining only thin clients within security functionality. Cloud computing and datacenters? the organization. How do we make the providers should supply their customers In addition, as users and developers thin client user terminals and the find new ways of applying cloud communications infrastructure secure? o Security Policy technologies, there will be new expectations about security and privacy. DoD Enterprise Computing Provision I&A Compromise Integrity For instance, Twisted Pair Solutions of What is our motivation for jumping feet of Service Seattle proposes to provide cloud first into asking hard questions about computing resources for state and local cloud computing? 
The growing Informal Map agencies to link up disparate public importance of cloud computing makes it safety radio systems (e.g., police, fire, or increasingly imperative that security, ambulances)—a novel but difficult-to- privacy, reliability, and safety Integration & Middleware predict usage of cloud computing, but communities grapple with the meaning also a usage that makes the cloud part of of trust in the cloud and how the Formal (Mathematical) Map mission- and safety-critical systems. [13] customer, provider, and society in Theorems (Proof that Spec Satisfies Model) The expectations for security, privacy, about Policy general gain that trust. Consider the reliability, and quality of service and so initiative of the DoD Enterprise Services Top Level System Specification on will be different in some respects for & Integration Directorate to make the Voice over Internet Protocol (VoIP) radio DoD Storefront Project a reality. The Semi Formal Map systems than for the cloud’s social Storefront consists of a cloud-based set (System Satisfies Spec) networking aspects. This raises the of core and specialized applications that question: how do we manage risk when users can discover through an we do not fully understand what we are application marketplace and which Top Level System Implementation trying to protect or guard against? share an identity management The fluid nature of cloud computing framework. How will DoD provide Figure 1 Process for Integrating Security makes it a moving target, even when security for the Storefront? It is more Into the Cloud trying to determine the questions we than a matter of having an identity IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 5
  • 6.
    management framework. Theobvious maintained within the cloud. Several enterprise providing single sign-on; the security concerns include data integrity, vendors have formed the Cloud Security enterprise user need only log onto their data availability, protection of Alliance (CSA). [14] In the report titled home system. Once logged on, the personally identifiable information, data Security Guidance for Critical Areas of enterprise user can automatically access protection, data destruction, and Focus in Cloud Computing V2.1, CSA the users’ files and services on Google communications security. provides its take on some of the security without an additional login. Although Moving beyond the Storefront issues related to cloud computing. [15] convenient, this functionality increases concept, as the federal government In the report, security properties the security exposure to not only the migrates its data and applications to the are described as essentially the same set weakness of the enterprise system, but cloud, issues regarding cross-domain of properties that a user expects to see also to the weakness of Google’s resource sharing will arise within the with a self-hosted system. These include infrastructure. If, for example, Google’s cloud. For instance, how will DoD link the usual: infrastructure has a security flaw, then it its clouds to those of other agencies? ff Identification/Authentication may be possible for someone in one Will a DoD user, authenticated to enter ff Privacy enterprise to access accounts from the DoD cloudsphere, be trusted to ff Integrity another enterprise. On the other hand, access services owned by the ff Provision of Service. security flaws in the enterprise system Department of Homeland Security may lead to weaknesses in the access (DHS)? 
Is there a need for a federal-wide They view assurance as an audit of controls of the information managed by cloud infrastructure and common set of the function’s implementation, that is, Google Apps. Additionally, connected security services? How will data be the cloud systems’ administrators and applications may provide unintended shared among the various different implementers have used ‘best practices’. connections among users, as was types of cloud? Other than the notion that encryption is demonstrated with the introduction of used to protect the data, there is little Google Buzz. [17] Information Assurance information that defines ‘best practices.’ When each enterprise maintains its At the Naval Postgraduate School, a There is, however, some form of key own infrastructure, a failure in one major thrust of our research on cloud management included that provides enterprise may cause failures across the computing is to investigate the security potentially strong identification/ cloud. Unless an enterprise uses a single policies, models, and appropriate authentication, as well as some form of cloud from a single vendor, integrating architectures to provide security for data integrity/recovery facility. The the various applications, entities/users of cloud computing security architecture proposed is infrastructures, and policies among resources. Although cloud computing essentially a layered operating system many different clouds and cloud vendors may appear to provide reasonably well application. It consists of a network layer will be a significant challenge. In fact, it understood operating system and interposed between application will be a challenge to ensure that the application resources, cloud resources programming interfaces (APIs) and the different policies do not contradict and are distributed in space, time, and scale underlying operating system potentially permit access that should in ways that were never envisioned in infrastructures. 
‘Trusted computing’ is not be allowed at the system level. the operating-system world. The current only mentioned at the hardware/ Ultimately, the proof is in the architectural approaches, especially operating system level. Additionally, the pudding. Will the cloud vendors be those concerning security, may not scale CSA paper enumerates several security willing to stand behind the security of to the much larger cloud computing issues that should be addressed by the their systems? In the case of Amazon’s approaches. In addition, the approaches cloud-style service provider, but does EC2 and Simple Storage Services (S3) for assuring operating system security not provide any insight on security services, Amazon suggests that their functionality are not necessarily policies/models, interfaces or EC2 and S3 infrastructure not be used appropriate. It is unclear whether the potential solutions. for systems that must satisfy the current set of services is sufficiently To provide an example of some of Payment Card Industry Security secure and reliable for use in sensitive the potential issues, Google supports Standards [18], although it has government environments. Current “Google Apps.” [16] Google Apps applies published a paper on how Amazon Web security claims are somewhat limited. the usual discretionary access controls Services can be used in a Health One of the fundamental problems to the resources it provides – files, Insurance Portability and Accountability with adopting cloud computing is calendars, address lists, etc. To make life Act (HIPAA) compliant environment. [19] providing not only security resources easier, Google provides tools that In the HIPAA paper, Amazon but also assurances that those resources integrate their identification and essentially places almost all the are correctly implemented and authentication systems into the requirements on the “user/enterprise” 6 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
  • 7.
    to encrypt allthe data stored and to lead to new architectures with better platform(s). The enterprise loads manage its keys. Amazon provides defined, more assured security. operating systems, applications, etc., services to log safely into its systems Over the past 30-plus years in the onto the platform(s) and manages all and provide some data recovery operating system security world, a lot of the interfaces and resources provided. and integrity. work has been done to provide highly The example below assumes that In the realm of reliability, prior to assured components with trustworthy multiple platforms will be used. the breakup, AT&T was required to build systems. Unfortunately, the commercial The security policy visible to the systems that had an up-time reliability world has ignored a lot of this work. user includes: of “five nines” (about 5.2 min/yr Recent efforts have focused on the use of ff Identification—A set of platform downtime). Part of the reason for this separation kernels. For example, Green names issued by the provider was to ensure services in case of Hills has recently received a National (unique to the enterprise) national emergency. Current cloud Information Assurance Partnership ff Authentication—A secure channel based systems are advertised as (NIAP) certificate for its Integrity 178B that can be used to load the providing “three nines” (almost 9 hrs/yr Separation Kernel. [21] Separation operating system(s) onto the downtime). [20] kernels provide a minimal set of platforms—the provider is trusted operating system services on which to ensure that the only Determining Where Trust other trusted services and applications communication with the platforms Should be Placed could be built. 
These may be thought of is from or to the enterprise Clearly, there are many challenging as slightly more functional than a ff Integrity—The provider should security issues related to cloud Virtual Machine Monitor (VMM), guarantee that the resources are computing. In our research, we are although Green Hills and others are “empty” on first use and that none working on a formal, structured, looking to implement high assurance of the platform resources are possibly mathematical approach that VMMs using their technology. modifiable by any party other than will give users and cloud-developers Our approach to the problem the enterprise. This includes any deeper insight into what should be done, involves separation of ‘virtual’ management functions; it is up to how it might be achieved, and where the resources. This approach constructs an the enterprise to ensure that any trust should be placed. This research infrastructure that establishes (or network interfaces are includes the investigation of reconstructs where appropriate) appropriately protected implementation structures and resources, identifies and authenticates ff Privacy—The provider should assurance provisions for “security” in users, and then controls access to the guarantee that there is no third cloud-based systems. To do this, we will resources. Our focus is to provide a party access to the platform attempt to provide security model and a security architecture that processor, memory, and/or disk files architectures and models that satisfy provides the infrastructure that will ff Provision of Service—The provider the following: accomplish these goals. should provide access to the ff They are aware of the amorphous resources on demand, per any nature and scale of the cloud An Example service level agreements between computing paradigm For instance, consider PaaS. An the enterprise and the provider. 
ff They include mathematical models enterprise might wish to run its own of the security properties that can applications. These applications may There at least two models of this be used to help analyze those only run on an intermittent basis and/or kind of service: properties require a large number of resources. 1. Resources are provided on an ad ff They provide the underpinnings on One way to achieve this is to use a hoc, intermittent basis. In this which applications/enterprise/user cloud PaaS. version, there is no connection level security policies/properties We use the term ‘enterprise’ to between consecutive uses of the can be implemented describe the organization requiring the resources. The enterprise uses the ff They provide the foundations on platform and ‘provider’ for the resources once. During subsequent which the implementation organization providing the cloud uses, the enterprise assumes that assurances can be ascertained. platform resources. The PaaS provider all the previous data does not exist would provide ‘platforms,’ either ‘real’ as or has been erased by the provider. Our hope is that the results of the part of a virtual environment (a means The only connection between the research will provide a framework that for downloading an operating system two usages is that the enterprise can be at least partially applied to the and for managing the platforms), or as a uses the “same identifiers” to access current cloud architectures and may possible network interface(s) on the new instances of the resources. IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 7
  • 8.
There is no guarantee that the same physical resources will be used for each run of the platform(s).

2. The enterprise 'turns off' the platform, but in subsequent use after turning it back on, finds the platform resources in the same state they were in after being turned off. As expected, the enterprise might pay more for this service. In this case, the provider must protect the information in the resources between runs from both modification and access by third parties. There is no guarantee that the same physical resources will be used in each run of the platform.

Note that in both cases, the provider provides access to platforms and associated data. The platforms are available to others when the enterprise is not using them. Any provider configuration data about the platforms must be protected from modification and, in the second case above, any enterprise information that will be reused must also be protected. Informally, a portion of the model might then take the form of:

- VPlatform—The set of names of virtual platforms that will be provided to enterprises
- VPlatformType—Whether the VPlatform resources are persistent (type 2 above) or not
- VPlatformResource—The set of resources associated with a VPlatform
- Enterprise—The set of enterprises that use VPlatforms
- Allocation—An association of an Enterprise with a Platform, VPlatformType and VPlatformResources. The same Enterprise may have multiple VPlatforms, and VPlatformResources associated with it
- PlatformCloud—A sequence of sets of Allocations.

The security properties then become statements about the resources and platforms. For example:

No pair of allocations shares any common VPlatforms or VPlatformResources.

As depicted in Figure 1, the security properties can be modeled on a collection of the statements above. Each of the statements should map back to some aspect of the system's user-visible security property. We could use our statements about the relationships of the entities (sets) we describe to prove additional properties of the system. Following the security model's construction, a high-level execution model should be constructed and validated mathematically to determine that it satisfies our security model. Next, it is necessary to map our high-level model to varied cloud aspect implementations as documented by the vendors.

Conclusion

Cloud security is an ill-defined, little-understood area of distributed computing. However, we believe that progress can be made to provide a level of assurance that accommodates the resources needed to support DoD and the federal government's information processing requirements.

About the Authors

Dr. Bret Michael | is a Professor of Computer Science and Electrical Engineering at the Naval Postgraduate School. He conducts research on the reliability, safety, and security of distributed systems. He is an Associate Editor-in-Chief of IEEE Security & Privacy magazine and a member of the IATAC Steering Committee.

Dr. George Dinolt | is a Professor of Practice in Cyber Operations at the Naval Postgraduate School. His research interests are primarily in the high assurance portions of Computer Security. His research covers formal methods and the connections between them and security policies, secure systems architectures and secure-systems design.

8 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
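The informal model sketched above (VPlatform, VPlatformType, VPlatformResource, Enterprise, Allocation, PlatformCloud) and the one security property the authors state as an example can be written down as executable checks. The block below is an added illustration, not the authors' formalization and not a DISA or vendor artifact: the enterprise names, platform names and resource identifiers are constructed, the "persistent"/"transient" encoding of VPlatformType is an assumption, and the second check (persistent_handoffs) is derived from the authors' remark that information in persistent resources must be protected between runs; it flags where that obligation falls rather than asserting a violation.

```python
"""Added example: the informal cloud security model above rendered as sets and
checks. Names and sample data are constructed for illustration; the article
gives the model only informally and states one property as an example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# VPlatformType: whether a VPlatform's resources persist between runs
# ("type 2" in the article) or are reset between runs ("type 1").
# The string encoding is an assumption of this example.
PERSISTENT = "persistent"
TRANSIENT = "transient"


@dataclass(frozen=True)
class Allocation:
    """Association of an Enterprise with a VPlatform, its VPlatformType and
    the VPlatformResources currently backing it (frozen so it can live in a set)."""
    enterprise: str
    vplatform: str
    vplatform_type: str
    resources: FrozenSet[str]


# PlatformCloud: a sequence of sets of Allocations, one set per observed
# state of the cloud.
PlatformCloud = List[Set[Allocation]]


def isolation_violations(state: Set[Allocation]) -> List[Tuple[Allocation, Allocation, str]]:
    """The article's stated property, checked on one cloud state: no pair of
    allocations shares a VPlatform or any VPlatformResource. Returns every
    offending pair with a reason; an empty list means the state is isolated."""
    allocs = sorted(state, key=lambda a: (a.enterprise, a.vplatform))
    violations = []
    for i, a in enumerate(allocs):
        for b in allocs[i + 1:]:
            if a.vplatform == b.vplatform:
                violations.append((a, b, "shared VPlatform " + a.vplatform))
            shared = a.resources & b.resources
            if shared:
                violations.append((a, b, "shared VPlatformResource " + ",".join(sorted(shared))))
    return violations


def cloud_is_isolated(cloud: PlatformCloud) -> bool:
    """The property must hold in every state of the PlatformCloud sequence."""
    return all(not isolation_violations(state) for state in cloud)


def persistent_handoffs(cloud: PlatformCloud) -> List[Tuple[str, str, str, int]]:
    """Resources that backed a PERSISTENT allocation in state k and back a
    different enterprise in state k+1. Not itself a violation of the stated
    property, but exactly the points where the provider's obligation to protect
    the enterprise's information between runs must have been discharged."""
    handoffs = []
    for k in range(len(cloud) - 1):
        held = {}  # resource -> enterprise that held it persistently in state k
        for a in cloud[k]:
            if a.vplatform_type == PERSISTENT:
                for r in a.resources:
                    held[r] = a.enterprise
        for b in cloud[k + 1]:
            for r in b.resources:
                if r in held and held[r] != b.enterprise:
                    handoffs.append((r, held[r], b.enterprise, k + 1))
    return sorted(handoffs)


def sample_cloud() -> PlatformCloud:
    """Constructed three-state PlatformCloud (sample data, not from the article).
    state 0: isolated.
    state 1: the provider backs EnterpriseB's platform with disk-02 while
             EnterpriseA's persistent vp-a-db still holds it (violation).
    state 2: EnterpriseA has turned vp-a-db off and disk-02 is reassigned to
             EnterpriseB; isolated, but the hand-off must have included
             protecting EnterpriseA's information on that disk."""
    a_web = Allocation("EnterpriseA", "vp-a-web", TRANSIENT, frozenset({"cpu-01", "disk-01"}))
    a_db = Allocation("EnterpriseA", "vp-a-db", PERSISTENT, frozenset({"cpu-02", "disk-02"}))
    b_app = Allocation("EnterpriseB", "vp-b-app", TRANSIENT, frozenset({"cpu-03", "disk-03"}))
    b_app_on_disk02 = Allocation("EnterpriseB", "vp-b-app", TRANSIENT, frozenset({"cpu-03", "disk-02"}))
    return [
        {a_web, a_db, b_app},
        {a_db, b_app_on_disk02},
        {a_web, b_app_on_disk02},
    ]


if __name__ == "__main__":
    cloud = sample_cloud()
    for k, state in enumerate(cloud):
        for a, b, why in isolation_violations(state):
            print(f"state {k}: {a.enterprise}/{a.vplatform} vs {b.enterprise}/{b.vplatform}: {why}")
    print("isolated across all states:", cloud_is_isolated(cloud))
    for r, src, dst, k in persistent_handoffs(cloud):
        print(f"state {k}: persistent resource {r} passed from {src} to {dst}; must be scrubbed")
```

Because Allocation is hashable and each cloud state is a set, the model stays close to the authors' set-theoretic phrasing, and each reported pair can be traced back to a single statement of the model; the same structure is where additional properties (the authors mention proving them from the relationships between the sets) would be added as further predicates over a state or over consecutive states.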
IATAC SPOTLIGHT ON A UNIVERSITY

Pennsylvania State University

by Angela Orebaugh

In 1855, Pennsylvania State University (Penn State) was originally founded on 200 acres in Centre County, Pennsylvania, as an agricultural school that applied scientific principles to farming. Engineering Studies were introduced in 1882, making Penn State one of the nation's ten largest undergraduate engineering schools. Today, Penn State has grown into a large, geographically dispersed, major research institution. Nineteen campuses, 15 colleges, and one online World Campus currently comprise Penn State. In Fall 2009, Penn State served over 80,000 undergraduates and over 13,000 graduate students, with half of the student population enrolled at the main campus in University Park.

The National Security Agency (NSA) and the Department of Homeland Security (DHS) have designated Penn State as a National Center of Academic Excellence in Information Assurance Education (CAE/IA) since 2003 and National Center of Academic Excellence in Information Assurance Research (CAE-R) for 2008-2013.

The College of Information Sciences and Technology (IST) offers a bachelor's degree in Security and Risk Analysis (SRA). This degree program is intended to familiarize students with the general frameworks and multidisciplinary theories that define the area of security and related risk analyses. Courses in the major engage students in the challenges and problems associated with assuring information confidentiality, integrity (e.g., social, economic, technology-related, and policy issues), as well as the strengths and weaknesses of various methods for assessing and mitigating associated risk. The major provides grounding in the analysis and modeling efforts used in information search, visualization, and creative problem solving. This knowledge is supplemented through an examination of the legal, ethical, and regulatory issues related to security that includes analyzing privacy laws, internal control, regulatory policies, as well as basic investigative processes and principles. Such understanding is applied to venues that include transnational terrorism, cyber crimes, financial fraud, risk mitigation, and security and crisis management. It also includes overviews of the information technology that plays a critical role in identifying, preventing, and responding to security-related events.

IST also offers a graduate degree in Security Informatics, which seeks to improve the cyber security of individuals and organizations by creating innovative solutions for detecting and removing cyber threats, recovering from cyber attacks, protecting privacy, enhancing trust, and mitigating risks.

Penn State includes a number of research centers focused in cyber and information security:

- The Center for Information Assurance plans, coordinates, and promotes IA research, education, and outreach. The faculty coordinators for the center include Dr. Chao-Hsien Chu and Dr. Peng Liu. The center's missions are:
  - Conduct broad-based research on various aspects (theoretical and applied; technical and managerial; wired and wireless, etc.) of information and cyber security
  - Educate and train information security professionals through basic degree and continuing education programs, and to insure that information security awareness is instilled in all Penn State students
  - Provide assistance and technical support to industry, non-profit organizations, government, and individuals in the information and cyber security area. [1]
- The Networking and Security Research Center (NSRC) was established in 2003 to provide a research and education community for professors, students, and industry collaborators interested in networking and security. It also provides a unique avenue for interaction with industry; the

continued on page 15
Cloud Computing for the Federal Community

by Hannah Wald

The question is not whether, but when, the U.S. federal government will embrace cloud computing. The current administration—in particular its Chief Information Officer, Vivek Kundra—is very enthusiastic about this technology's potential. Some federal agencies are already moving into the cloud: the Defense Information Systems Agency (DISA) is pilot testing a cloud [1]; the National Aeronautics and Space Administration (NASA) has announced plans to develop a cloud that can be used both internally and for collaboration with external research partners; [2] the Department of the Interior (DOI) has an Infrastructure as a Service (IaaS) offering called the National Business Center Grid (NBCGrid), with other offerings set to roll out in the near future; [3] and the General Services Administration (GSA) offers access to various externally provided cloud applications through its portal site, http://apps.gov. [4]

The federal government is not seriously considering cloud computing simply because of its hype. Agencies are finding it increasingly costly and difficult to procure, set up, maintain, and secure traditional computing architectures. This may explain why bodies such as the National Institute of Standards and Technology (NIST) and the Government Accountability Office are holding off on setting rules and standards for cloud computing while they survey the landscape and take an inventory of best practices. They are concerned about the risks inherent in cloud computing but do not want to restrict innovation. Pro-cloud civil servants believe cloud computing can make federal Information Technology (IT) and services cheaper, easier, and more secure—and it can—provided the cloud is implemented and managed properly.

For many federal agencies, a community cloud would be the best service model to use (regardless of the exact type of service being provided). The GSA, or another provider who is familiar with federal IT needs, could stand up a multi-agency cloud that facilitates and enforces compliance with government-wide security standards such as those outlined in regulations (i.e., Federal Information Security Management Act [FISMA]) or guidance documents (i.e., the NIST 800 series). Alternatively, individual cabinet-level agencies could provide clouds for their "community" of internal divisions, which could serve agencies' individual compliance needs more easily than a generalized multi-agency cloud. [5] DISA's Rapid Access Computing Environment sets a precedent for this model: it is intended to serve the entire Department of Defense, which has its own set of security standards in addition to those mandated for civilian agencies. [6] A third possibility is a "federated" hybrid of agency-specific community clouds and a government-wide community cloud, all with certain common standards (i.e., minimal security baseline, universal protocols) but otherwise tailored to specific purposes.

Understanding the merits of a community cloud requires understanding fundamental cloud
computing concepts, starting with the definition of "cloud computing" provided by NIST:

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." [7]

NIST also lists five essential characteristics of cloud computing:

- On-demand self-service—A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
- Broad network access—Capabilities are available over the network and accessed through standard mechanisms that promote use by client platforms (e.g., mobile phones, laptops, and PDAs).
- Resource pooling—The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. A sense of location independence exists because the customer generally has no control over or knowledge of the provided resources' exact location but may be able to specify location at a higher level of abstraction (e.g., country, state, or data center). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
- Rapid elasticity—Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear unlimited and can be purchased in any quantity at any time.
- Measured service—Cloud systems automatically control and optimize resource use by leveraging a metering capability appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). The provider and consumer can monitor, control, and report resource usage, thus providing transparency of the utilized service. [8]

Industry expert Dave Linthicum notes that cloud computing is similar to time-sharing on mainframes, but with some added features. For example, cloud clients can "mix and match" solutions using a software offering from one provider and an infrastructure offering from another. Commoditization of bandwidth allows clients to easily leverage distantly located resources—something that was difficult only a few years ago—and pay for use of those resources as if they were gas or electricity. Finally, cloud providers are particularly innovative in the services they offer and are developing new services all the time. [9] Cloud allows users to leverage IT solutions with an unprecedented level of granularity. An organization can pay an outside provider for data, applications, platforms, raw digital storage, and/or processing resources: Data as a Service (DaaS), Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), respectively. [10] A data-mining company providing its customers with on-demand access to its records of individual purchase histories is an example of DaaS; Google Apps are SaaS; a firm offering application development environments to startups is selling PaaS; and a company offering access to raw computing resources is selling IaaS. The split of assurance responsibilities between the provider and client varies depending on the service. With DaaS and SaaS, the provider has control over almost everything. With PaaS, the client is responsible for application security, and
[Figure 1: Provider Assurance Responsibility in Different Types of Service [11]. Layers, top to bottom: Presentation Modality, Presentation Platform, APIs, Applications, Data / Metadata / Content (Software as a Service); Integration & Middleware (Platform as a Service); APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities (Infrastructure as a Service).]

everything else is left to the provider. With IaaS, the client is responsible for everything but physical and (some aspects of) network security. Regardless of the service and inherent allocation of responsibility, cloud clients ultimately leave the fate of their information assets in the provider's hands (see Figure 1). The service provider is responsible for maintaining, upgrading, and securing the hardware and software (where applicable) on which the service runs. Ideally, this setup allows users to stop worrying about the security of their information assets by leaving them in more competent hands. Cloud computing also has certain security advantages. For example, a desktop computer almost never complies with an organization's security policy "out of the box," but a cloud can be configured so every new virtual machine created therein is compliant. Monitoring certain activities and rolling out updates across a cloud is relatively easy—unlike doing so across a collection of distinct physical machines.

However, cloud computing presents a variety of information assurance (IA) challenges. One salient feature of the time-sharing model was trust. The users and owners of the old mainframes were part of a community with common incentives and goals, which is not necessarily the case in cloud computing. In a public cloud, the relationship between clients and providers is largely transactional, and the clients do not know each other. The parties involved have little basis for trust and may in fact distrust one another to a certain extent. Trust, or lack thereof, is a factor in all five of the fundamental cloud security challenges. These challenges all involve uncertainties about the provider's standard of care and how the provider will treat the client (and the client's data) in the event of a problem. [12]

- Data protection
  - Where do data physically reside, and does the data's location have legal ramifications?
  - Are data safely protected (i.e., by encryption) while stationary or in motion within and across the cloud?
  - How is availability of data assured in the cloud?
  - Does the provider take measures to ensure that deleted data is not recoverable?
- Security control
  - What security controls does the cloud provider need to implement, and how?
  - How are assurance levels effectively and efficiently managed in the cloud?
- Compliance
  - Is the cloud complying with all the necessary guidance?
  - Can the provider substantiate claims that security controls are implemented sufficiently?
- Multi-tenancy
  - Are my assets vulnerable if another client is exploited by an attack?
  - How does the cloud provider keep different clients' data separated and inaccessible from other clients?
  - If a forensic/electronic discovery procedure is conducted on one client's data, how will the
provider protect the confidentiality of other clients' data?
- Security governance
  - Who owns/accesses/deletes/replicates data in the cloud?
  - How can the client ensure policy enforcement?
  - How can the client measure and track service/network performance?

Figure 2 illustrates the layers of the cloud and associated layers of security.

Exacerbating these problems is the fact that contracts with public cloud providers almost always take the form of non-negotiable service-level agreements (SLA) that severely limit, at best, the client's ability to see, audit, or control back-end operations in the cloud. A client's ability to do so would create more difficulties than most providers are willing to deal with. The provider may not want to answer questions about its security practices. Cloud SLAs also generally absolve the provider of liability in the event of a security breach. (This is not the case with private and community clouds: more on this later.)

If the transition of federal information assets into the Cloud Computing Environment (CCE) is inevitable, then how can the federal government effectively mitigate the risks inherent in the cloud? First, government organizations must decide whether to move certain assets to the cloud at all. On the face of it, spending $10 a day for cloud infrastructure seems less costly than spending $100 on in-house infrastructure (not to mention capital expenditure; it is less costly to start up a virtual server in a cloud than to set up a physical one). However, thinking only in terms of $10 versus $100 for regular maintenance is dangerous because it ignores other kinds of costs. What will it cost an agency if moving to the cloud compromises its ability to protect sensitive data or meet mission requirements? Agencies need to consider these kinds of costs as they evaluate their information assets for "cloud readiness" on a case-by-case basis. [14] Once an agency has decided which assets it can safely transition to the cloud, it needs to choose the service model—or relationship between cloud client and provider—that best fits its requirements. The four cloud service models—public, private, community, and hybrid—have different sets of costs and benefits (see Figure 3).

The public cloud service model is probably what many people would consider the archetypal model of cloud computing. In the public cloud model, a provider sells cloud services to multiple unrelated clients, or tenants. They leave

[Figure 2: Layers of Cloud Computing Environment (CCE) Security [13]. Goal: Trusted Environment, Well-Served & Satisfied Users, Agency Success. Layers and associated security controls: Policy & Procedures; Information: data encryption, database security; Applications/Service: access control, static code analysis, WAFs; Management: governance, controls, stakeholder satisfaction, policy enforcement, rerouting and throttling of services, validated identity claims, authentication and authorization, security event monitoring, alerting and notification, contextual dashboard, independent key management; Network: firewalls, NIDS, zone-based segmentation, dedicated MPLS/VPN network connections; Trusted Computing: secure hypervisor for segmentation, message verification, trusted APIs; Compute & Storage: massive scale, contractual constraints on storage locations, controlled and secured server images, encryption; Physical: infrastructure security, physical inventory. Derived from CSA "Security Guidance for Critical Areas of Focus in Cloud Computing".]
back-end maintenance and operations to the cloud provider. This arrangement is very cost-effective and, in theory, lets clients rest easy knowing the security of their information assets is in good hands. However, the fundamental cloud security challenges mentioned earlier are most problematic in this model. If a federal agency were to entrust its information assets to a cloud provider under the terms of a standard cloud SLA, the agency would have difficulty demonstrating compliance with IA standards mandated by regulations, such as the FISMA. Most public cloud providers would have to significantly retool their operations to help federal agencies meet their IA obligations. Some providers are attempting to do so (Amazon's "virtual private cloud" is an example [16]), but, for the time being, public clouds are inappropriate for anything but the least critical, most low-risk federal information assets.

A private cloud can be operated by the same organization that uses it, or a dedicated provider can operate the cloud on the organization's behalf. A private cloud, when managed properly, is the most secure type of cloud service model because it is directly controlled by its client. Private clouds also make more efficient use of physical IT assets than traditional data centers, but lack most of the economic benefits of outsourced cloud service. For organizations with less sensitive assets, putting everything in a private cloud may create unnecessary costs, inefficiencies, and redundancy. Also, if an organization has difficulty securing its information assets in a traditional setup, it is unlikely that transitioning to a private cloud will solve its problems. Such an organization would benefit from having a trusted service provider perform these functions.

A community cloud is somewhere on the continuum between the public and private service models, and it enjoys some of the benefits of both. Like a public cloud, community clouds serve multiple tenants. The difference is that the tenants are not strangers but related entities that share common characteristics and needs. An individual client community member, multiple members working cooperatively, or a dedicated provider can operate community clouds. Unlike public clouds, community clouds are built and operated on the clients' terms: they can be constructed to facilitate compliance with standards that all clients use. Of all the cloud models, the community cloud is most similar to time-sharing in terms of the level of trust between all stakeholders. This type of cloud also offers many of the economic advantages of the public cloud because it eliminates a considerable amount of redundant effort and cost. Members of the client community can pay the provider for only what they use, or for the utility and subscription cost. The latter would still likely total less than what the client would have paid to operate its own individual data centers.

The last type of service model is a hybrid cloud, which combines two or more of the service models described above. An organization could, for example, keep sensitive proprietary data in its own private cloud and collaborate on projects with industry partners in a community cloud. For users belonging to the organization, these two clouds would, in effect, be seamlessly integrated through a single sign-on system. The problem with hybrid clouds is that they share vulnerabilities in the system's least secure areas and present new vulnerabilities. For instance, if it is easy for a user to switch between clouds on his or her desktop computer, it is also easy for that user to make a mistake and expose sensitive data. In addition, integrated clouds mean integrated complex systems, which by definition are rife with potential security vulnerabilities.

Returning to the central point of this article, a federal community cloud can provide a guaranteed IA baseline for its clients, whether they are departments within an agency or multiple agencies. It can reduce the cost of providing effective security and eliminate significant redundancy. It can also be fully accountable to its clients and their oversight bodies (i.e., Office of Management and Budget, Congress). The clients and their oversight bodies can have a reasonable level of visibility into, and control over, cloud operations. All primary stakeholders could work together to set policy and address problems. Last but not least, federal community clouds can be used to facilitate intra- and inter-agency cooperation within the framework of the Federal Enterprise Architecture.

Setting up a community cloud and governance structure that will

[Figure 3: Advantages and Disadvantages of Cloud Computing From a Federal Perspective [15]. Pros: reduce costs; resource sharing is more efficient; management moves to cloud provider; consumption based on cost; faster time to roll out new services; dynamic resource availability for crunch periods. Inhibitors: compliance/regulatory laws mandate on-site ownership of data; security and privacy; latency & bandwidth guarantees; absence of robust SLAs; uncertainty around interoperability, portability & lock in; availability & reliability.]
adequately satisfy all federal clients will be a challenging endeavor—even if the community is limited to the departments of a single agency. Architecting the technical and governance structure of a (possibly federated) community cloud for multiple agencies is an even more daunting prospect. A series of intra-agency (as opposed to inter-agency) community clouds may be the best possible outcome. Whether it serves only one agency or many, a community cloud is the most secure way for the federal government to realize the potential of cloud computing.

About the Author

Hannah Wald | is an Assurance and Resiliency consultant currently supporting the National Telecommunications and Information Administration at the Department of Commerce. Ms. Wald has contributed to the research conducted for IATAC's State of the Art Report on Supply Chain Security, which is scheduled for release this spring. This article draws heavily on research conducted and materials produced by her colleagues. Ms. Wald has a Master's degree in information science from the School of Information at the University of Michigan.

References

1. http://www.disa.mil/race
2. http://nebula.nasa.gov
3. http://cloud.nbc.gov
4. https://apps.gov/cloud/advantage/main/start_page.do. A link to a cloud service on apps.gov does not mean that the service is "safe" or that its provider has demonstrated compliance with federal security standards.
5. Some large agencies that are not at the Cabinet level, such as the Internal Revenue Service or Social Security Administration, may also benefit from having their own community cloud (admittedly, at that level the distinction between "community" and "private" cloud is not very clear).
6. On that note, some federal government entities—particularly those involved in law enforcement, defense, and intelligence—will need private clouds to protect their classified information assets.
7. Grance, Tim, and Peter Mell. "The NIST Definition of Cloud Computing." National Institute of Standards and Technology: Information Technology Laboratory Website. 7 October 2009. National Institute of Standards and Technology, Information Technology Laboratory, Web. Accessed 12 January 2010. http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc. Page 1.
8. Ibid.
9. Linthicum, David S. Cloud Computing and SOA Convergence in Your Enterprise. Boston: Pearson Education, Inc., 2010. Pages 25–26. Print.
10. NIST's definition of cloud computing recognizes SaaS, PaaS and IaaS, but not DaaS. However, I have included DaaS because it is a fairly common cloud service offering.
11. Graphic from Hanna, Steve. "Cloud Computing: Finding the Silver Lining." 18 March 2009.
12. For a more in-depth discussion of security and legal issues in Cloud Computing, refer to guidance from the Cloud Security Alliance at http://www.cloudsecurityalliance.org
13. Graphic from Theodore Winograd, Holly Lynne Schmidt, Kristy Mosteller, and Karen Goertzel, "Public Cloud Computing Environment (CCE) Acquisition: Managing Risks to the Federal Government." Booz Allen Hamilton, 2009.
14. Linthicum 2010, pp. 192–193.
15. Graphic from Stephen T. Whitlock, "Cloud's Illusions: Jericho Forum Future Direction." 16 February 2009.
16. http://aws.amazon.com/vpc

continued from page 9

IATAC SPOTLIGHT ON A UNIVERSITY

members of the NSRC actively consult with industry and participate as partners on funded research projects. Member companies enjoy benefits for sponsoring research and having access to the latest results and technical reports from the NSRC. Hosted in the Department of Computer Science and Engineering (CSE) at Penn State, the NSRC is comprised of nine faculty members in the College of Engineering, including eight members from CSE and one from Electrical Engineering (EE). Several faculty members also have joint appointments in EE and the College of Information Sciences and Technology. The NSRC includes approximately 50 Doctor of Philosophy (Ph.D.) and Master of Science (M.S.) students, and several undergraduate honors theses are advised through NSRC faculty as well. [2]
- The LIONS Center is the IST Center for Cyber-Security, Information Privacy, and Trust whose mission is to:
  - Detect and remove threats of information misuse to the human society: mitigate risk, reduce uncertainty, and enhance predictability and trust
  - Produce leading scholars in interdisciplinary cyber-security research
  - Become a national leader in information assurance education.

The center currently includes seven core faculty members, 20 collaborating faculty, two research associates, and 19 Ph.D. students. The center has published over 200 publications since 2002 and received over $3 million in research grants.

References

1. http://net1.ist.psu.edu/cica/cia-ist.htm
2. http://nsrc.cse.psu.edu
DISA RACE: Certification and Accreditation for the Cloud

by Munjeet Singh and Troy Giefer

Background

Since the Obama Administration announced plans to use cloud computing to cut costs on infrastructure and improve performance of government computing systems, the Department of Defense (DoD) and other federal agencies have become increasingly interested in how to take full advantage of the potential benefits offered by cloud computing. [1] Few existing cloud providers meet DoD requirements and choices are primarily limited to the public domain. Additionally, there are concerns about government use of public clouds because of the lack of control and visibility into the cloud's underlying security infrastructure and the challenges of complying with DoD and federal information assurance (IA) policy and procedures.

Given the high level of interest in cloud computing, the Defense Information Systems Agency (DISA) recognized the need for a government-managed cloud that could benefit the DoD community. DISA subsequently developed the Rapid Access Computing Environment (RACE), which is an agile and robust cloud computing environment that allows DoD organizations to provision virtual servers and storage from a Web portal. RACE is a streamlined workflow process designed for use in a virtualized development and test environment. RACE is customized to enable DoD components to rapidly and seamlessly transition from application development to testing and into a full production environment, a process known as the Path-to-Production. Current DoD certification and accreditation (C&A) policy has been adapted to allow organizations to use RACE cloud resources, thereby quickly connecting to the cloud while complying with DoD requirements.

This article describes the goals DISA sought to achieve and the approach it took as it developed the RACE Path-to-Production process. It will also highlight many of the key characteristics and capabilities of the DISA RACE cloud.

Goals and Objectives

DISA's primary goals in developing the RACE Path-to-Production were to:

- Develop a streamlined C&A process that would reduce time and effort required to transition an application from development to test, and ultimately to a production environment (Path-to-Production process)
- Reduce the current C&A approval time from 120 days to under 40 days
- Develop an enhanced RACE portal that enables customers to purchase and manage virtualized RACE development and test environments and provided additional storage.

Approach

Before designing a new streamlined C&A workflow process, it was important to understand the current approval process, identify key organizations involved in the decision making, and identify the artifacts required by each organization. The approach used in developing the Path-to-Production process was conducted in two phases. Phase I consisted of data gathering and documentation of the current C&A workflow process. This included identifying all key organizations involved in data collection, document handling and processing, validation, certification, and accreditation of a system. Personnel from each organization involved in the approval process were interviewed to define roles and responsibilities. The responsibilities of each entity were then mapped to a process flow diagram that identified each step in the process. In addition, a complete list of artifacts required by each key organization as input and generated as output was compiled. The end result captured the comprehensive 'as-is' DoD Information Assurance Certification and Accreditation Process (DIACAP). DISA supplemented process steps required to obtain certification. Phase II consisted of a duplication analysis of the organizational roles and artifacts. The intent of the analysis was two-fold, specifically to: (1) eliminate duplication of effort across the various organizations involved in the C&A
workflow process; and (2) reduce or eliminate duplication of documentation. Eliminating duplication of effort across the organizations involved in the decision making would reduce the time required for a system to reach approval to operate (ATO). In addition, eliminating the duplicate documentation would both reduce the possibility of inconsistencies and eliminate the need for the customer to create multiple documents that contain duplicate information, which would further reduce the time to complete the C&A process.

[Figure 1: Path-To-Production. The figure shows two RACE Compute Zones (A and B, DEV Cloud), Environment Promotion to Test, Environment Promotion to Production into a Virtualized Production Zone, and the connection to NIPRNet / GIG.]

The analysis of the current processes, responsibilities, and artifacts gave DISA the groundwork for designing a more efficient C&A workflow process (Path-to-Production).

Path-to-Production

DoD organizations use the RACE cloud for application development and testing, and to prepare for deployment into a production environment. Path-to-Production refers to the process that an organization follows to promote the application developed in a virtualized environment from development to test, and from test into a Defense Enterprise Computing Center (DECC) production environment (Figure 1). The Path-to-Production process reduces the total time required to obtain accreditation of an application from an average of 120 days to under 40 days, in part, by streamlining approval workflows and leveraging inheritance of IA controls from the RACE cloud and DECC environments.

A number of characteristics were incorporated into the RACE Path-to-Production process that were key to streamlining and customizing the current process. DISA focused on the areas that offered the greatest return:
- Define standards and entrance criteria
- Streamline the approval process
- Reduce or eliminate duplication of effort and documentation
- Incorporate inheritance of IA controls as defined by DoDI 8510.01
- Develop hardened virtual operating environments (VOE)
- Implement a RACE portal.

RACE Standards

A key aspect of designing the RACE Path-to-Production process was defining a set of standards that provide the framework of the streamlined process. These standards enable rapid provisioning and promotion within the virtual environments. Examples of RACE standards include:
- The development and test process must be completed in a virtualized environment.
- Customers must start with provisioned VOEs provided by RACE.
- The Enterprise Mission Assurance Support Service (eMASS) application must be used as the C&A automation tool and central repository.
- Customers must adhere to the RACE standard set of ports and protocols while in development, test, and production environments.
- Vulnerability Management System (VMS) must be used to track asset-level vulnerabilities.
- A minimum of an Interim Approval to Test (IATT) is required to move an application into the RACE Testing environment.
- An IATT is valid for 90 days while in the test environment.
- A minimum of an Interim Approval to Operate (IATO) is required to move an application into the DECC production environment.

Recognizing that organizations often have unique needs that may fall outside of the standards established by RACE, DISA developed an exception resolution process to facilitate discussions between a RACE representative and the RACE customer to determine a resolution.

Streamlined Approval Process

Delegation of approval responsibilities to the lowest organizational level possible was key to streamlining the RACE C&A approval process. This approach resulted in a more agile workflow adaptable to the robust environment of the RACE cloud. To facilitate this streamlined approval process, the DISA Chief Information Officer implemented an Information Assurance Manager (IAM) role created specifically to manage activities within the RACE cloud. The RACE IAM's primary role is to provide a final review and approval of the application and virtual environment before it is promoted to the test and production environments. The IAM reviews the RACE customer's documentation to validate the accreditation decision made by the customer's Designated Approval Authority (DAA). In addition, the IAM considers additional RACE application-specific data such as the ports, protocols, and services used by the system or application, and the proposed network topology. The RACE IAM also conducts joint validation activities of the IA controls with the customer early in the process, and establishes the parent/child inheritance relationship, which allows the system to inherit IA controls from the RACE cloud. This early coordination activity between RACE customers and the RACE IAM supports users as they move through the Path-to-Production process, ensuring that potential challenges are addressed early in the process.

The RACE C&A approval process is a joint effort shared between the RACE IAM and the customer. The customer conducting application development in the RACE cloud has the primary responsibility to oversee the validation, certification, and accreditation of the system or application as it progresses through the Path-to-Production process.

Duplication Analysis

The duplication analysis of the existing C&A approach and workflow process revealed more opportunities to streamline this process. The team identified opportunities to reduce the amount of documentation required for a successful accreditation. At each approval level, organizations had developed unique checklists of requirements and artifacts. This often required the customer to duplicate data in multiple documents. Further analysis revealed that a number of documents could be eliminated because the data was available in other C&A artifacts. Elimination of such duplication significantly reduced the time and effort spent on developing and reviewing C&A artifacts.

DISA implemented a key tool, eMASS, within RACE to manage the C&A workflow and documentation. A government-owned solution, eMASS integrates several capability models to support IA program management needs. It allows an organization to enter system information and to track the progress of information assurance activities (such as validation procedures, compliance status, and attachments) and associated action plans for sharing system security information and compliance status.

Inheritance of IA Controls

Inheritance of IA controls was also key to streamlining the Path-to-Production process. RACE customers can directly inherit IA controls from the RACE cloud and DISA DECC (Figure 2). DoDI 8500.2 defines 32 controls that an automated information system (AIS) may inherit

[Figure 2: IA Control Inheritance. A VOE inherits RACE Inherited Controls (Enclave Boundary, Services Controls, Etc.) and DECC Inherited Controls (Physical Security, Environmental, Continuity); the DECC STL is shown as the hosting environment.]
from the enclave in which it resides. The implementation, validation, and monitoring of these controls are the responsibility of the enclave and not the AIS. RACE customers inherit these controls, as well as the status and artifacts associated with the validation of each control.

This automated inheritance of IA controls is defined within the eMASS application. RACE serves as the parent system for a parent-child inheritance relationship used for all registered systems within eMASS. Every application that a RACE customer registers within eMASS will automatically be set as a child to the parent (i.e., RACE) enclave, establishing inheritance. A pre-determined list of DoDI 8500.2 IA controls is automatically set as inherited from the parent in every child. For example, physical security is the responsibility of the parent enclave, not the responsibility of the child.

Hardened Virtual Operating Environments

Virtual operating environments are provisioned to RACE customers for use in the development and test environments. The VOEs are delivered with a development-friendly Security Technical Implementation Guides (STIG) implementation, streamlining both the development process and the C&A process for RACE customers. RACE offers the available virtual operating environments, as listed in Table 1, which are in compliance with DoDI 8500.2 at the Mission Assurance Category (MAC) II-Sensitive level.

Table 1 RACE Virtual Operating Environments

Operating System        Architecture
Windows Server 2003     32-bit
Windows Server 2003     64-bit
Red Hat 4.6             32-bit
Red Hat 4.6             64-bit
Red Hat 5.1             32-bit
Red Hat 5.1             64-bit

DISA has configured the virtual images to be compliant with a variety of DISA STIGs, to include Windows Server 2003 operating system, UNIX, Internet Information Services (IIS), and database checklists. The DISA team reviewed the recommended security settings from these STIGs to determine which had the potential to restrict application development. The VOEs are provisioned to RACE customers with those particular security settings left in a 'non-compliant' status. This practice allows customers to begin development immediately and provisions a consistent development environment for all customers.

However, these security settings will remain in a 'non-compliant' status only in the RACE development environment. The RACE customer is responsible for properly configuring these security settings to achieve a compliant status before promoting the application to the testing and production environments.

The VOEs are also provisioned with the latest Information Assurance Vulnerability Management (IAVM) patches installed. Once the VOEs have been provisioned, the customer assumes responsibility for keeping the images patched.

RACE Portal

A key component of cloud computing is the ability to provision and maintain environments in a self-service portal. DISA Circuit Switched Data (CSD) has implemented this ability through an enhanced RACE portal that allows RACE customers to take control of their environments with respect to the following functions:
- Ordering development, test, and production virtual environments
- Ordering additional storage for an existing virtual environment
- Promoting the environment from development to test or test to production
- Archiving the environment to tape backup
- Restoring the environment from an archive.

In addition, the RACE portal provides a document library that includes all IA documentation that will be used throughout the Path-to-Production process.

On the Horizon

DISA CSD is continually seeking opportunities to improve the Path-to-Production process to make it even more agile. This includes implementing automation to further reduce the C&A burden on RACE customers, and strengthening the IA posture of VOEs via integration of Host Based Security System (HBSS) into the RACE enclave. For more information, visit http://www.disa.mil/RACE for the latest news.

About the Authors

Munjeet Singh | is an information assurance contractor consulting as the Project Manager and Lead Engineer on cloud focused initiatives in the DoD domain. He is currently involved in deploying cloud and data center optimization initiatives to clients in DISA and across the Army.

Troy Giefer, CISSP, | is an information assurance contractor consulting on cloud computing research and the development of cloud computing security solutions for the DoD marketplace. Troy is a key lead in the effort to customize DIACAP for use in the DISA RACE cloud.

References
1. http://www.whitehouse.gov/omb/budget/fy2010/assets/crosscutting.pdf.
Look Before You Leap: Security Considerations in a Web 2.0 World
by Sara Estes Cohen and Shala Ann Byers

Introduction

In recent years, social media, also known as Web 2.0, has emerged as a popular and powerful technology that enables individuals to collaborate, communicate, and share information from anywhere and at any time. Currently, more than 30% of the world's population visits Facebook.com on a daily basis [1], and approximately 22% use YouTube to watch online videos. [2] First established within the commercial industry, this technology made popular the economically savvy use of low-cost social media technology. The federal government has since followed suit, launching organizations and government agencies into the foray of social media as a way of connecting with the public.

On January 21, 2009, President Obama signed the Memorandum on Transparency and Open Government, encouraging agencies to "establish a system of transparency, public participation, and collaboration." [3] On December 8, 2009, the Director of the Office of Management and Budget (OMB) issued the Open Government Directive, providing guidelines and deadlines for all federal agencies on developing their own 'open government' programs fostering the principles of transparency, participation, and collaboration. [4]

Agencies like the Department of Justice, the Library of Congress, and the Department of State responded by establishing Facebook profiles to communicate with the public. Additionally, the Federal Bureau of Investigation started a Twitter account to send daily news updates to the public. The Centers for Disease Control and Prevention (CDC) posts weekly Hurricane Health and Safety Tips on its Web site and distributes them to registered users via e-mail, mobile phone text messages, and Twitter. [5]

While embracing social media is key to succeeding in a new communications environment, effective strategy, planning, and support before launching a social media program are equally important. The results of an unstructured and disorganized adoption of social media can have serious complications, including data leaks or breaches in security from which it can be difficult—if not impossible—to recover.

To avoid these complications, it is imperative for an organization to identify a 'best-fit' solution based on internal goals, requirements, and challenges, before launching a social media program. Most importantly, organizations must standardize how they implement social media and develop training to educate users. Finally, organizations must institute a mechanism to enforce security compliance to ensure the protection of the information shared within the social media platform.

Framework

There are generally three approaches for implementing social media:
- Internal
- External
- Hybrid.

Each approach differs in location and ownership of underlying infrastructure (e.g., government or privately-owned), audience (employees, the public, or both), and direction of communication (within, outside of, or across the firewall):
- Internal—Technology and infrastructure sit behind a firewall and are owned by the organization. This model consists only of internal communications, information and data exchange, storage, and management (within the organization, not across the firewall) and requires development of organization-specific solutions, tools, and technology.
- External—This approach leverages public social media for specified applications. For example, existing social media sites (e.g., Facebook and Twitter) may be used for constituent relations and outreach. This model requires extensive strategic planning to target the
appropriate user groups with the right information. Additionally, this model must include organization-wide standardization to ensure consistency with respect to messaging (content/brand), security practices, and access to public sites and tools from behind the firewall.
- Hybrid—This model uses internal solutions (behind the firewall), developed by the organization for internal communication and operations, while simultaneously leveraging external, public social media for outreach and general communications. Like the external model, the hybrid also requires standardization to ensure the security of personnel, data, and information.

This article focuses on security considerations and challenges associated with the hybrid model, as it is the most complex of the three types of approaches. Because of its reliance on both internal and external infrastructure, the hybrid model must adhere to both internal and external, organization-specific security, management, legal, and communications policies.

Strategic Planning

To begin, an organization must first identify its goals and objectives for adopting social media. Identifying appropriate budget, development time, specific features and functionalities required, and level of intended risk are all factors to consider before implementing a social media strategy; by doing so, organizations can avoid developing an ill-fitting program. The following section outlines and discusses several planning considerations to assist in establishing a 'best-fit' approach.

Audience

Who is your target audience? This question can be answered by first defining the organization's responsibilities. Are you required to communicate with your constituents? Will you need to communicate with your employees during a crisis, or on a daily basis? These answers will help the organization clearly define its purpose for using social media; identify the tools that can accomplish that purpose; and successfully engage its audience using social media. Identifying your audience can also help determine the most appropriate Web 2.0 model and the best tools and technology to use.

Technology and Applications

Organizations can leverage social media for many purposes, including daily operations, outreach and awareness, constituent communications, emergency management, and business continuity, among others. Additional applications may include training, alert and notification, employee accountability, situational awareness, information gathering, and emergency communications. As technology advances and user awareness improves, the potential for using social media will grow accordingly.

Social media is not just about the technology or the tools—it is also about what the technology can help users do. Organizations must leverage social media in a way that resonates best with the targeted community, chosen goals, and objectives.

Additionally, proactively identifying potential applications before choosing and implementing social media tools can help avoid the 'Shiny New Toy' syndrome—investing in a tool that nobody uses because it does not meet organizational needs. A strategic approach will help ensure that the program is functional—for both the audience and organization—while remaining aligned with the desired goals and objectives.

Standardization

Standardization is the most important aspect in adopting social media. Social media standards must be developed in line with both organization-specific and external information technology (IT),
security, communications, operations (management), and contractual/legal policies and requirements. Organizations must establish standards for how they implement their own social media solution; there is no one-size-fits-all solution.

Without some form of centralized guidance, departments might develop policies and processes that are inconsistent across the organization as the popularity and use of social media grows. This situation could result in varying levels of security and inconsistent security procedures. To avoid this, the organization must establish technical requirements and training standards regarding how all departments and components may use internet-based capabilities. Additionally, the organization must establish and disseminate organization-specific policies and procedures regarding technical, legal/contractual, communications, and management concerns. Each department may have additional requirements but, at a minimum, its practices should comply with the organization-wide requirements.

Security Requirements

Security requirements must take into account several factors, such as:
- The purpose the social media is intended to accomplish
- How social media will be used (application)
- What type of information will be exchanged (e.g., classified information, Sensitive But Unclassified [SBU] information, Personally Identifiable Information [PII]) and the associated handling requirements
- How and where data will be stored
- Criteria for accessing the information
- How exceptions are managed
- What technical support will be required
- How the factors above will be affected by organization-wide use of social media.

Each of these factors must be taken into consideration to develop suitable and sustainable standards essential for enforcing compliance.

Social Media Guidelines and Governance

Federal policies and guidance governing the use of new and emerging communications technologies, as well as industry best practices for social media, should be carefully evaluated and followed to ensure compliance. If an organization is just beginning its foray into social media, it should consider using Guidelines for Secure Use of Social Media by Federal Departments and Agencies, released by the Federal Chief Information Officers Council in September 2009, as a starting point. [6]

Agencies need not start from scratch, however; the General Services Administration (GSA) has already contacted third-party providers Flickr, YouTube, Vimeo, and blip.tv to develop government-specific terms of service. Additionally, GSA determined that Twitter's standard terms of service are consistent with government use and thus need no additional changes. [7]

Additionally, organizations should consider drafting their own social media engagement guidelines before allowing unfettered access to social media and online communities. A great example is the Air Force's Web Posting Response Assessment Flow Chart V.2., which explains the Air Force's internal policy on blogs and how to handle both positive and negative commentary posted online. [8] Such guidelines not only protect the organization from a legal standpoint; they can also help employees understand the implications of personal use, and how to develop and maintain social media tools in a way that complies with the organization's standards and best practices.

Risk Management

It is no longer feasible to dismiss the use of social media entirely because of its potential risk. Web 2.0 users are tech-savvy and will continue to find new ways to access and use social media despite an organization's best efforts to ban the technology. Instead of banning social media outright, organizations should identify how to use social media safely and securely. As with adopting any new technology, risk assessment is an integral aspect of adopting social media and must be conducted on a regular basis, allowing for adjustments over time to accommodate changes in technology and the threat environment.

The decision to adopt social media should be based on a strong business case that considers an organization's mission, technical capabilities, threats, and the expected benefits of adopting this technology. For example, national security agencies must protect classified data, whereas agencies or organizations that handle PII must protect the privacy of individuals. Consequently, different organizations have different priorities for security and privacy, and must address those priorities accordingly.

Challenges

After identifying a 'best-fit' solution and socializing the standards, the organization must develop an implementation plan and provide the continuous, reliable support needed for maintaining a structurally sound and sustainable program. Throughout the development and implementation of a social media program—whether internal, external, or hybrid—organizations should consider and address the following challenges related to security, technology, and infrastructure.

Information Assurance and Operational Security

A social media strategy must incorporate information assurance and operational security (IA and OPSEC) policies and procedures—as well as an
organization-wide training, education, and awareness package—focusing on IA and OPSEC issues to ensure that the policies and procedures are followed. Otherwise, data leaks and OPSEC violations are more likely to promulgate across all forms of electronic communications, including e-mail, social media, and Web sites. The organization must also address policies and develop compliance measures regarding access control, authentication procedures, account and user management, encryption, content assurance, and general communications security (COMSEC).

The requirement to address IA and OPSEC is nothing new. Concerns about social media are essentially the same as those that arose with the proliferation of the Internet and e-mail. Communications policies and information security procedures that apply to social media are similar to those that have traditionally applied to other forms of communications—whether electronic communications (e.g., e-mail) or more traditional forms of communications (e.g., letter writing or meetings).

Privacy and Confidentiality

Federal departments and agencies are bound by privacy requirements based on the Fair Information Practice Principles (FIPP), which require rigorous controls and procedures to protect the privacy of individuals. PII includes any information that can be directly associated with an individual. Those organizations that collect PII must put policies and procedures in place to handle, store, and dispose of PII securely. Such measures may address terms of use, legal ownership of PII, and the consequences of using or disseminating PII inappropriately.

In addition to addressing privacy policies, organizations must also be aware of threats to privacy and must implement measures to ensure that privacy is maintained. For example, some social media protocols (e.g., certain programming languages, social media etiquette, etc.) may place PII at risk of exposure. Once exposed, PII could place individuals at risk of identity theft and fraud. An organization can reduce this risk by implementing enhanced protection measures for sharing data in interconnected systems, implementing monitoring capabilities and protocols, and educating users on proper social media etiquette ("safe-surfing").

Despite these challenges, agencies and organizations dealing primarily with private, sensitive, or classified information are not necessarily precluded from adopting social media. Rejection of social media also poses risks; organizations that choose not to leverage social media and new technologies may become obsolete over time.

Furthermore, unless an organization bans access to social media completely (which is nearly impossible to do), employees will inevitably use social media from within the organization's network. Those organizations that do not establish policies regarding the use of social media, and do not implement processes to protect their infrastructures from unauthorized use of social media, expose themselves to serious legal and security-related problems. Both their information infrastructures and their reputations can be irreparably damaged.

Technical Support

Although social media may seem to offer a quick and efficient communications solution, it comes with some technical challenges:
- Bandwidth—Social media sites may require more bandwidth than traditional sites. Therefore, organizations may require additional network infrastructure to support wide-scale use of external, resource-intensive Web sites (e.g., YouTube, Facebook, etc.). If the organization is successful in engaging its audience in using social media, user demand will increase dramatically, ultimately increasing demands on network infrastructure. Consequently, the social media functions may compete with the organization's other functions for use of the network, which could impair overall mission capabilities over time. Organizations must plan for and ensure adequate bandwidth is available for widespread Internet use. Most hosting environments can provide additional bandwidth to cover surges in Internet or network activity. Organizations should develop memorandums of understanding (MOU) with their respective hosting companies to ensure sufficient bandwidth is available during surges of activity that may occur due to emergency events, times of heightened network activity, and increasing popularity in social media.
- Malicious Attacks—To one extent or another, all networks are subject to malicious attacks. Use of social media may increase that risk because, as more external Web sites are accessed, malicious actors have more opportunities to access an organization's networks and operational data. Implementing security controls across all Web 2.0 servers and verifying that sufficiently rigorous security controls are in place can reduce the threats to internal networks and operational data. Additionally, separating Web 2.0 servers from other internal servers may further mitigate the threat of unauthorized access to information through social media tools and Web sites.
- Network Monitoring—Foreign intelligence services (FIS) have extensive resources and have repeatedly demonstrated their capability to use automated 'social engineering' techniques to mine social media sites. By their very nature, social media sites have an abundance of information, which makes them susceptible to data
mining. Our adversaries can use this data to analyze aggregated information. Without adequate network monitoring (and user education), an organization cannot ensure that users are complying with its policies regarding the release of high-value information. Additionally, programming languages used in Web 2.0 applications (e.g., Java, Ajax, and the JSON data interchange format) may create other opportunities for malicious actors to access an organization's back-end network infrastructure and do irreparable damage (e.g., access or corrupt data or applications). Consequently, an organization using social media may need to implement increased security controls for any separate sensitive information residing on the server's backend.

Compliance and Enforcement

User education and training have always been crucial in safeguarding networks and data. However, with the advent of social media, training programs must be augmented to address the additional risks posed by social media. As organizations develop and adopt social media, users must understand the severity and nature of potential threats to security associated with its use. Organizations can incorporate social media training into their annual security training programs and address social media tools and sites during existing certification and accreditation procedures, thereby helping to ensure that their security standards are upheld. Additionally, organizations can develop a social media mentoring program, leveraging the skills of those employees with more advanced social media skills to train those for whom this technology is unfamiliar.

Incident Response

Finally, despite best efforts to train users on 'safe-surfing' and develop safeguards for protecting data and information, incidents will inevitably occur. Organizations must plan and develop measures for quickly responding to and recovering from data spills, misinformation and rumors, and malicious attacks. An important aspect of handling social media is anticipating such incidents, then developing and implementing a plan for managing and responding to them. Such planning will help ensure that social media becomes an integral part in an organization's communications toolbox.

Conclusion

Trends in communications and technology are increasingly dynamic and fast-paced. To keep up, organizations in both the public and private sectors must readily adapt by developing social media capabilities of their own. Although embracing social media is imperative to succeeding in a new communications environment, doing so without adequate planning can do more harm than good.

Social media is not a one-size-fits-all solution. Each Web 2.0 tool has its own purpose, audience, and challenges that must be considered carefully. As with any tool, a Web 2.0 tool must be chosen, not based on popularity, but on how effectively it meets the organization's needs and selection criteria.

Finally, an organization's social media program must align with its goals, objectives, budget, desired features and applications, internal and external security, IT, legal, and communications policies and requirements. Once implemented, the program must be standardized across the organization through socialization, education, and consistent training. Compliance with these standards must be upheld through consistent enforcement; proactive engagement is crucial to the security of an organization's networks, infrastructure, information, audience, and reputation. With well-thought-out strategy, planning, policies, procedures, and technical support, organizations may successfully and securely leverage social media.

Thank you to DeZario Morales, Akira Ikuma, Matthew Doan, and Mark Macala for their contributions to this article.

About the Authors

Sara Estes Cohen | has ten years of experience in communications and three years specifically focused in emergency response, continuity of operations, business continuity, and critical infrastructure protection. For her masters thesis, "Using Social Networking for University Emergency Communications," Ms. Cohen worked with the University of California, Los Angeles (UCLA) to develop a model for universities to engage in social media for emergency communications. Ms. Cohen has spoken at several conferences and recently chaired the Advanced Learning Institute (ALI) Social Media for Crisis Communications in Government conference in November of 2009.

Shala Ann Byers | has worked for two and a half years as an emergency communications and all-source analyst. She has spent the past year developing a social media reverse mentoring program linking junior staff with senior leadership to facilitate technology and social media learning. Ms. Byers holds a Bachelor's degree from Dartmouth College in Government with a specialty in International Relations.

References
1. http://www.alexa.com/siteinfo/facebook.com.
2. http://www.alexa.com/siteinfo/youtube.com.
3. http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment
4. http://www.openthegovernment.org/otg/OGD.pdf.
5. www.bt.cdc.gov/disasters/hurricanes.
6. http://www.cio.gov/Documents/Guidelines_for_Secure_Use_Social_Media_v01-0.pdf.
7. http://www.fcw.com/Articles/2009/03/25/web-GSA-agreement.aspx.
8. http://www.wired.com/dangerroom/2009/01/usaf-blog-respo
Insider Threat Center at CERT Grows Solutions from Reality-Based Research
by Dawn Cappelli and Andrew P. Moore

Many organizations have suffered significant losses from insiders with authorized access to protected information assets. Insiders’ crimes include theft, sabotage, fraud, and espionage. The Computer Emergency Response Team (CERT), part of the Software Engineering Institute (SEI) at Carnegie Mellon University, began researching this problem in 2001. It has compiled a growing database of more than 300 criminal cases in which current or former employees, contractors, or business partners abused the trust and access associated with their positions. As part of its research, CERT interviewed many of the victim organizations and some perpetrators themselves, complementing a wealth of case data with first-hand insights into the methods and motivations behind these crimes.

This work laid the foundation for the Management and Education of the Risk of Insider Threats (MERIT) project. Under MERIT, CERT researchers collaborated with noted psychologists, the United States Secret Service, the Federal Bureau of Investigation, and the Department of Defense to uncover key technical, social, and organizational patterns of insider behavior. Building on this work, CERT researchers are constructing models of the four main classes of insider crimes: IT sabotage, theft of intellectual property, espionage, and fraud. These models, created using system dynamics techniques, suggest both the evolution of the threat over time and possible mitigation strategies.

Armed with these new insights, the Insider Threat Center at CERT has begun educating organizations on how to detect and manage the problem. It offers its Insider Threat Workshop several times throughout the year. Geared to managers and executives, the two-day workshop addresses technology, organizational culture, policy, procedure, and behavioral issues that influence insider threat. The workshops stress the need to foster cooperation among management, information security, human resources, and IT groups to effectively fight the problem.

CERT has also launched its Insider Threat Vulnerability Assessment program. Spurred by numerous requests from industry and government, these assessments enable organizations to get a better grasp on this complex problem. A CERT project team performs the three-day, on-site assessment, conducting interviews with key organizational personnel. The assessment team explores the organization’s technical controls, policies, and [technical and behavioral] practices and then produces a confidential report presenting findings and potential mitigation strategies. The goal is to create a single, actionable framework that engages all stakeholders in the fight against insider threat.

“The insider threat team is very excited about the impact it has had on government and industry organizations and their ability to mitigate the risk of insider threat. The workshops and assessments completed to date have proven to be effective tools in raising awareness of the causes, potential indicators, and prevention and detection strategies. CERT now focuses on technical solutions that will enable organizations to use people and technology more effectively.”

For more information, please visit http://www.cert.org/insider_threat/.

About the Authors

Dawn Cappelli is technical manager of the Threat and Incident Management Group at CERT. She has over 25 years of experience in software engineering, programming, technical project management, information security, and research. She is technical lead of CERT’s insider threat research, including the Insider Threat Study conducted jointly by the U.S. Secret Service and CERT.

Andrew P. Moore is a senior member of the CERT technical staff at the Software Engineering Institute. Moore explores ways to improve the security, survivability, and resiliency of enterprise systems through insider threat and defense modeling, incident processing and analysis, and architecture engineering and analysis. Before joining the SEI in 2000, he worked for the Naval Research Laboratory.
Wikis Within the DoD
by Tzeyoung Max Wu

Wikis within DoD

Web 2.0. Social media is all the hype these days. October 2008 saw the launch of DoDTechipedia, one of the Department of Defense’s (DoD) ventures into wikis. Currently, media buzz surrounds the secretive and ambitious A-Space social portal within the Intelligence community. In 2009, the Centers for Disease Control and Prevention (CDC) used social media tools to increase awareness of emerging data about the H1N1 virus. Information was disseminated across YouTube, Facebook and Twitter, where data was quickly assimilated by millions and helped promote health awareness across the public. From proprietary corporate wiki pages to open video blogging forums, we have seen an explosion of all types of social media implementation and usage across sectors both public and private.

Take the case of NASAsphere, a pilot social media study where a social media portal was implemented to test its value to NASA’s Jet Propulsion Laboratory (JPL). Within months, the study concluded that participants were sharing information in ways that would not have happened without the tool. Rather than emailing known coworkers for information, NASAsphere users were encouraged to post inquiries for information on the portal. Almost all responses to such queries came from users at different NASA centers. [1] By the end of the study, researchers concluded that the portal created a better sense of unity and belonging in NASA participants, despite being separated both physically and organizationally. The site allowed users to openly communicate on a level playing field, removing barriers such as job status and organizational departments. [2]

Wikis

As one popular form of social media, wikis entered mainstream vocabulary with the launch of Wikipedia in 2001. Although the concept of a community-driven encyclopedia had surfaced from time to time for decades, the advent of the Internet finally made it feasible for millions of individual users to freely add and edit content to an open repository of topical articles. By 2008, Wikipedia housed more than 10 million articles, and in 2005, this encyclopedia was pronounced as accurate as the popular Encyclopedia Britannica. [3] Attempting to reap the benefits of seamless community-driven information sharing, corporations and public agencies have since implemented their own proprietary wiki solutions. When wiki solutions work, they provide an enormous amount of value.

Intellipedia, another solution within the government, is a poster child of wiki success, with core officers earning Homeland Security Awards in 2009. [4] The Intelligence community produces 50,000 reports annually; a majority of them go unread. [5] Amidst data overload, Intellipedia was conceived to promote real-time information sharing internally across the community. It now boasts nearly one million pages and 100,000 users with over 10,000 edits daily. In 2008, following the terrorist bombing of hotels in Mumbai, intelligence analysts convened on a page, created on Intellipedia, to share emerging information and brainstorm ideas. The page received 7,000 views within three days and was integral in the community’s analysis of the attack. [6]

DoDTechipedia, itself a relatively new internal wiki solution, run by the Defense Technical Information Center (DTIC), shows much potential for bridging informational silos within DoD. The wiki solution won the 2009 Government Computer News (GCN) Award for agencies. GCN, a news site serving the government market, describes DoDTechipedia as more than a wiki, but rather an entire suite of services spurring collaboration.

Focused DoD Wikis

A set of one or more targeted wiki sites, each effectively addressing the needs of the respective community, can facilitate communication and promote collaboration. Note, ‘targeted’ is a must for a wiki site. Too broad a scope risks informational dilution, since at a certain point there is a threshold for the amount of content that must be collected before the site
appears informationally substantial to any specific target community. This is especially true within DoD, where program managers may be more secretive about their research. Thus, the more categories there are, the more content that must be generated to convince communities of its utility. The key is to focus. Of the handful of success factors mentioned by Larry Sanger, one of the founders of Wikipedia, the contribution of a small core group of good people during the early days was key. [7]

A precisely defined target market segment for any DoD wiki site allows for better and speedier marketing to defined communities. With a specified community in mind, the site can be fine-tuned, tailoring everything from look and feel, navigation, editing protocols, registration processes and site promotion to better match the community’s needs. For at its core, social media sites, including wikis, have historically been grassroots efforts growing from the bottom up in an organizational hierarchy, with roots deeply tied to their respective user groups. Grassroots efforts survive and mature because they address unmet recognized needs that differ between organizations. As such, participation and content management must remain in the hands of the general contributors so that they are empowered to innovate and run with fresh ideas.

As a grassroots-styled site, a wiki within DoD needs to become a natural fabric of the community’s culture. One of the reasons that Intellipedia worked well was because the custom of social networking, information inquiry and response, and information analysis had already been deeply ingrained into the Intelligence community culture. Part of the challenge for social media sites in DoD will be overcoming a more conservative culture, where informational secrecy has generally been critical to military success and where the sheer size of the organization has necessitated a level of bureaucracy. A successful wiki implementation has to come hand-in-hand with transforming this culture.

Facing a similar challenge within the private sector, a human resources firm in Europe devised a comprehensive strategy to build momentum for their internal site. This strategy included employee training, proactive wiki gardening, appointing wiki evangelists and mandating that meetings be recorded and tracked using wiki pages. The latter helped instill into the portal the daily activities of individuals in the firm. [8]

Of course, success cannot happen as a solitary effort. Wikipedia’s own success would not have been achievable without the rising popularity of Google’s oft-storied search engine. As Google’s crawlers started indexing Wikipedia pages, general topical searches on the engine started to return Wikipedia results. Featuring easy use, open editing, and proven return for efforts, usage of the encyclopedia skyrocketed. Wiki implementations within DoD should be promoted along with complementary solutions and efforts within the organization.

In the end, any wiki implementation must be accompanied by patience and persistence. Intellipedia, itself already springing from an organizational culture deliberately conducive to information gathering, is touted as a success today, but was launched in 2005. The broader the scope of the target communities in the site, the more content that must be generated to reach maturity. Wikipedia, with incredible scope, took many years to garner support from millions of contributors throughout the world. DoD itself has a deeply ingrained conservative culture, with a population of subject matter experts many times smaller. Before the different DoD communities can fully embrace and use wiki sites to their full potential, a degree of culture change will have to occur.

One tactic for effective wiki implementation could be to forward social media pilots such as NASAsphere. Pilots can be run for short time periods to measure the site’s applicability to the respective needs in the community. Shorter pilots building towards more long-term solutions could be much more cost-effective than a series of failed large-scale efforts.
Of course, information security will remain a key concern, especially with national security at risk. Throughout 2009, DoD wrestled with a balanced social media policy that would allow it to reap benefits, but at an appropriate risk level. There were special concerns about soldiers and other interested parties leaking sensitive operational information on media sites. The US Marine Corps dealt with the security issue by prohibiting all social media use. However, such a policy entirely abdicates the real value that social media can produce. To not fully leverage innovations in technology and media risks DoD falling behind other agencies in the world. In a recent blog post, even Rob Carey, US Navy Chief Information Officer (CIO), said that social media is a resource that DoD should well use to facilitate trust and collaboration. [9] “These tools are fundamental to collaboration. They have the potential to leverage the collective wisdom of this 750,000+ member Department,” said Carey.

Security risks are real, but can be strategically mitigated to a certain degree via a smart architecture and set of policies. One interesting solution described on the Armed Forces Communications and Electronics Association (AFCEA) Web site proposes setting up dedicated Internet services for all staff. [10] Internet services centralized in this way allow administrators and automated tools to better scan information posted to the Internet and catch security data leaks more effectively. This could be a broader social computing solution for computer use on the global information grid (GIG) in general, where bare-boned computer terminals plug onto resources served and managed on the GIG, providing a set of virtual desktops to users wherever they can plug into the GIG.

Any technical solution must be coupled with DoD guiding policies as well as real culture change. In September 2009, the Federal CIO Security Council issued official guidelines for Secure Use of Social Media by Federal Departments and Agencies. [11] The very first risk mitigation step suggested was the need for a government-wide policy for social media that would address policy controls, acquisition controls, training controls, and host and network controls. The guidelines define four types of information traffic that must be managed: inward sharing, outward sharing, inbound sharing, and outbound sharing. Each of these four types of information flow comes with unique risks and mitigation approaches. From a cultural perspective, DoD users should be trained with a practical sense of caution when utilizing social media systems.

Wikis within DoD will require a fair amount of monitoring, both from a content perspective as well as in network security and information assurance. A cultural shift toward data sharing and collaboration should also be tempered with an appropriate culture of caution and sensibility within the user community. This is quite achievable, of course, and will be important in the ongoing evolution of DoD to accomplish its missions in the hastening change of technology. Collaboration will accelerate the pace of innovative problem resolution within DoD.

About the Author

Tzeyoung Max Wu was a DoDTechipedia content manager, creating and editing material in IA, information warfare, and networking technology areas. His experiences in information technology security have included: administering and configuring servers and network devices within organizations; designing secure architecture for enterprise systems; and configuring access control lists, profiles, and border controls for network applications.

Mr. Wu received his Bachelor’s degree in computer science from New York University, holds an MBA at the University of Chicago Booth School of Business, and earned a Master’s degree in IT from Virginia Tech.

References

1. Jackson, Joab. NASA program proves the benefits of social networking. Government Computer News. 2009. http://www.gcn.com/Articles/2009/11/30/A-Space-side-NASA-social-networking.aspx (accessed 01/02/2010).
2. Merryman, Celeste. Findings from the NASAsphere Pilot. Jet Propulsion Laboratory, California Institute of Technology Knowledge Architecture and Technology Task. (Pilot team: Merryman, Celeste; Hughes, Douglas). California Institute of Technology. 2008. http://www.scribd.com/doc/12759868/NASAsphere-Pilot-Report-2008-Public (accessed 01/02/2010).
3. Terdiman, Daniel. Wikipedia hits 10 million total articles. CNET. 2008. http://news.cnet.com/8301-13772_3-9905726-52.html (accessed 01/02/2010).
4. Intellipedia Gurus Win 2009 Homeland Security Medal. CIA website. https://www.cia.gov/news-information/featured-story-archive/intellipedia-homeland-security-medal.html (accessed 01/02/2010).
5. Thompson, Clive. Open-Source Spying. The New York Times. 2006. http://www.nytimes.com/2006/12/03/magazine/03intelligence.html (accessed 01/02/2010).
6. Intellipedia Gurus Win 2009 Homeland Security Medal. CIA website. https://www.cia.gov/news-information/featured-story-archive/intellipedia-homeland-security-medal.html (accessed 01/02/2010).
7. The Early History of Nupedia and Wikipedia, Part II. Slashdot. http://features.slashdot.org/article.pl?sid=05/04/19/1746205 (accessed 01/02/2010).
8. Roberts, Bill. How to Marshal wikis: some human resource professionals are using wikis to communicate, collaborate. HR Magazine. 2008. http://findarticles.com/p/articles/mi_m3495/is_12_53/ai_n31159337/pg_2/?tag=content;col1 (accessed 01/02/2010).
9. Carey, Rob. Embracing Social Networking Tools. Department of the Navy CIO. 2010. http://www.doncio.navy.mil/Blog.aspx?ID=891 (accessed 2/3/2010).
10. Strassmann, Paul A. Social (Network) Security. Signal Online. 2010. http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=2163&zoneid=284 (accessed 2/1/2010).
11. Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0. http://www.doncio.navy.mil/Download.aspx?AttachID=1105 (accessed 2/3/2010).
IATAC SPOTLIGHT ON A CONFERENCE

Penn State Industry Day Conference
by Rich Coulter

The Networking and Security Research Center (NSRC) at the Pennsylvania State University held its annual Industry Day from 13 to 14 October 2009 at the University Park campus in State College, Pennsylvania. The NSRC provides a research and education community at Penn State for professors, students, and industry collaborators interested in networking and security. Industry Day is an opportunity for partners and other interested industry members to learn about research over the past year and ongoing developments.

Dr. Frank Siebenlist and Robin Burk delivered keynote addresses. Dr. Siebenlist is a senior security architect at the Mathematics and Computer Science Division at the Department of Energy Argonne National Laboratory and a Fellow at the Computation Institute of the University of Chicago. Ms. Burk currently manages the basic research thrust in cognitive, information, and network science for the Defense Threat Reduction Agency.

Dr. Tom La Porta, NSRC Director, noted that two NSRC faculty members received National Science Foundation (NSF) Presidential Early Career Awards for Scientists and Engineers in 2009. Only 25 of these prestigious awards are presented each year, so it was a truly unique event for two faculty from the same university to receive them. Dr. Adam Smith was recognized for his work in data access and privacy, and Dr. Sean Hallgren was awarded for developments in quantum computation.

Dr. Patrick McDaniel, co-director of the Systems and Internet Infrastructure Security (SIIS) laboratory, presented analysis of several networked devices intended to monitor and control electrical power usage for a “smart grid.” The SIIS lab discovered vulnerabilities that could be exploited to overload generation plants, deny power to critical customers, or obfuscate power usage. Dr. McDaniel is also exploring attack causality in Internet-connected cellular networks with the goal to understand and protect against evolving threats in cellular phone systems. Other ongoing projects in the SIIS lab include Telecommunications Security; Voting Systems Integrity; and security of systems, virtual machines (VM), and storage.

Each graduate student in the NSRC also presented posters summarizing their research. Their research focused on networking (security, fault isolation, coding, efficiency, encryption), mobile devices (device security, network threats), and systems (VM security policy, software theft detection).

Other affiliated Penn State resources for industry were highlighted. The Applied Research Laboratory (ARL) is a DoD-designated U.S. Navy University Affiliated Research Center that maintains a long-term strategic relationship with the Navy and supports the other services as well as industry. ARL also provides facilities for conducting classified work in conjunction with the NSRC. The Industrial Research Office (IRO) focuses on uncovering researchers in all Penn State colleges and departments to meet industry needs. IRO facilitates industry partnerships with the NSRC and other research centers at Penn State.

Briefings can be found at http://nsrc.cse.psu.edu/id09.html. More information on ARL and the IRO can be found at http://www.arl.psu.edu/ and http://www.research.psu.edu/iro/index.asp, respectively.

About the Author

Richard Coulter currently provides remote systems engineering and project management support on various projects, and works to establish relationships between IATAC and Penn State, especially in support of the Administration’s Cybersecurity Initiative. Previously, Mr. Coulter performed hardware and embedded design, reverse engineering, and data analysis in support of law enforcement forensic and operational missions, where he served as deputy program manager. Mr. Coulter received a Bachelor’s degree in electrical engineering from the Pennsylvania State University.
Vulnerability Assessment Processes Within DoD
by Chris Merritt

The Problem

Protecting critical infrastructure and the Global Information Grid continues to be a valuable, yet time-consuming and expensive effort within the Department of Defense (DoD). Initiatives and compliance requirements including the Federal Information Security Management Act, the Federal Desktop Core Configuration, Computer Network Defense Service Provider compliance efforts, mandates from the Joint Task Force – Global Network Operations (JTF-GNO) and the Defense Information Systems Agency (DISA), and general due diligence to protect the technology and data that keep the U.S. military operational are iterative, redundant, and in many cases, based on manual processes. Configuration management, patch management, and vulnerability and risk management are all predicated upon processes that are cyclical and typically involve hands-on efforts by system or network administrators. They may also require compliance reviews from information assurance divisions, testing from vendors and system managers, approval from configuration control boards, and ultimate acceptance from the Designated Accrediting Authority for the organization, system, or enclave. In many cases, the process of assessing compliance and validating appropriate configuration, and more importantly, identifying weaknesses and vulnerabilities within established configurations, is accomplished by performing vulnerability assessments. Vulnerability assessment processes in many organizations are ad-hoc, non-standardized, and incomplete. They rely on commercially developed tools as well as DoD-provided tools and in-house solutions to determine patch levels, user settings, open ports, operating system configurations, and other system (mis)configurations. Unfortunately, no one vulnerability assessment solution is comprehensive enough to cover all niches and corners of the DoD infrastructure. Because of this problem, technologists and oversight organizations are required to use multiple vulnerability assessment tools to help ensure that all bases are covered. Some assessment tools are proficient at scanning Microsoft Windows; some are good for UNIX-based operating systems; some excel in evaluating Web applications; and others do device discovery very well. The shape and composition of the environment often dictates what tools need to be used to manage compliance and ensure secure configuration whenever possible.

Having to rely on multiple vulnerability assessment solutions means that technologists and oversight personnel are reduced to seeing vulnerability and configuration data in many disparate, non-standard views. This can make managing and tracking efforts to meet compliance goals and secure the infrastructure exceptionally difficult, because no standardization exists across the entire enterprise. This problem is compounded by employee or contractor turnover, the volatility in technical or mobile environments, and the various skill levels of personnel working to manage the infrastructure. It is also exacerbated by the fact that vulnerability assessments and compliance scans play such a big role in major DoD programs and mandates that include the information assurance vulnerability management process, certification and accreditation, computer network defense, information operations condition, and JTF-GNO mandates.

Recommended Solutions

The first place to begin addressing compliance and configuration management issues is to have an overarching configuration management plan. It is crucial to have a healthy cross-section of the technologists within the organization designated as members of a configuration control board (CCB) that is strictly governed by documented configuration management processes and procedures. As part of that configuration management plan, however, there also need to be specific guidelines and instructions on how to perform vulnerability assessments within the organization to ensure
appropriate configuration and validate the mandates of the DoD as interpreted and implemented by the CCB. This vulnerability assessment process should be created and maintained by the personnel responsible for implementation of the technology as well as those areas of the organization that are responsible for oversight and compliance reporting. The primary goal of the plan should be to standardize the process, make it repeatable, and enforce it for all vulnerability assessment activities.

A vulnerability assessment manual for an organization should address and define procedures for several key components of the vulnerability assessment process. These areas include:

• Approved vulnerability assessment tools list—It is important to ensure that senior management (the chief information officer [CIO] or chief information security officer [CISO]) acknowledges what tools are permitted to be used within the network or enclave. To this end, a formal memo drafted by the CIO/CISO should specifically designate vulnerability assessment tools that are approved for use and prohibit the use of any tools not explicitly allowed. This will help ensure that untested, unknown vulnerability assessment tools do not adversely impact operations of the network or enclave and ultimately thwart the mission of the organization.

• Specific attributes and definition of each tool—Each approved tool has information that needs to be maintained and remains relevant for the life of the tool. Support information, update processes, training materials, known issues with the tool, the types of targets the tool is capable of assessing—these are the kinds of things that need to be recorded and kept up to date to ensure that anyone required to perform a vulnerability assessment has the appropriate information to do so effectively.

• Process for coordinating and approving vulnerability assessments—Sufficiently defining this step is one of the most important goals of any vulnerability assessment manual. A standardized test matrix should be developed and used to define and coordinate any vulnerability assessment activities. The test matrix should include information such as the targets, tools to be used, ports to be scanned, scan policy to be used, scan throttling information, points of contact, and date and time of the scan. The test matrix should be used to coordinate with components that may be impacted by the assessment—the system manager, program manager, network monitors, and even users.

• Process for consolidating, distributing, and storing assessment results—The point of a vulnerability assessment manual is to standardize processes and make them repeatable. As such, this is also a very important part of the process. The plan should outline acceptable formats for vulnerability assessment results. If results from disparate tools are aggregated or consolidated in any way, the process used to do that should be outlined. Where and how the vulnerability and configuration information is stored should also be specifically outlined. Emerging technology has been developed to facilitate this process and help bridge the reporting gap between separate vulnerability assessment tools.

• Troubleshooting vulnerability assessments and the correlation to incident response—Troubleshooting vulnerability assessment tools is also paramount to standardization. If tools are not used or are not functioning correctly, results can be skewed and the configuration and security posture of the targets scanned may not be accurate. It is also important to remember
(especially for legacy systems), that there is potential to bring down production systems if they are targeted intentionally or unintentionally. The vulnerability assessment process should identify incident response procedures in the event that an assessment causes an outage or adverse reactions by the targets being scanned.

Incorporating these types of guidelines and parameters into a vulnerability assessment plan is vital. Without standardization and appropriate training to perform vulnerability assessments, it is easy to have vulnerabilities or misconfiguration missed—ultimately resulting in a false sense of security for the organization and greater risk to the mission and the DoD.

Also, don’t be afraid to leverage virtualization. Virtualization can be a great tool in the vulnerability assessment space—especially in environments with legacy systems and antiquated technology. Using virtualization to take an exact copy of a production server or application allows for extensive vulnerability assessment that may otherwise not be possible.

Options

Establishing (and following) a vulnerability assessment manual as part of a bigger configuration management plan is not difficult, and it is not exceptionally time consuming. In fact, implementing a standard approach to vulnerability assessment activities can ultimately save a lot of time and effort by streamlining the process and making sure that all relevant vulnerability assessment information can be found in one easy-to-use location.

However, if vulnerability assessments are conducted at recommended (not just required) intervals, agencies within the DoD may find that adhering to rigorous vulnerability assessment processes can [...] environments. It is for this reason that many organizations merely do what is specifically required by JTF-GNO or DISA or any other oversight organization with the ability to push down DoD requirements.

Performing the scans is not generally the difficult or time-consuming part of the process; it is interpreting, processing, and putting to work the volumes of information that the vulnerability assessment tools return—especially given the points discussed above. Using only one or two vulnerability assessment solutions for most organizations is insufficient, especially within the DoD. So consolidating, aggregating, and presenting the results of disparate vulnerability assessment scans is generally the most resource-intensive part of the process.

Organizations have two options. The first is to rely on the native outputs of the various vulnerability tools themselves. This could be flat text files, XML files, HTML files, PDFs, or Microsoft Word documents. For some tools, it could even mean having to rely on the console of the vulnerability assessment tool itself instead of a report. In this scenario, presenting findings in terms of high, medium, and low risk is disjointed and subject to error. It also makes remediation efforts difficult for system and network administrators because they have to rely on so many different forms of information from the various assessment tools that do not look similar and do not always present the most useful information.

The second option includes processes of trying to manually consolidate the data to put it into a more meaningful/useful format that facilitates the efforts of administrators and makes tracking progress a bit easier. The problem with this scenario is that it is full of manual copying and pasting, parsing, or scripting that is not vetted or standardized, and it remains exceptionally time consuming.

New, emerging technologies attack this problem head-on by providing the capability to consolidate, aggregate, and re-present vulnerability information in a truly meaningful fashion. The process of consolidating vulnerability data for system administrators no longer takes days and hours; with the right solution, it can take only minutes.

Conclusion

One of the most important pieces of the configuration management process is inspection and validation through vulnerability and configuration assessments. These processes can be time consuming; however, their value is obvious, and they also play fundamental roles in other major programs and initiatives implemented by the DoD. It is critical to have standardized processes when it comes to vulnerability assessments because when ad-hoc processes fail, and they do too often, it is difficult to trust the outcome of those assessments, and making decisions based upon misinformation can be devastating.

Armed with a thorough and well-implemented vulnerability assessment plan and with new technology that allows system and network administrators to focus more on resolving vulnerabilities and misconfiguration and less on combing through volumes of data for useful information, maintaining compliance with fewer resources becomes reality.

About the Author

Chris Merritt is the president and CEO of Prolific Solutions, LLC (www.prolific-solutions.net) and has been consulting for the DoD for over seven years. He is the author of proVM Auditor (www.provmauditor.com), a vulnerability assessment aggregation and compilation tool, and holds a number of information security certifications, including CISSP and CISA. He earned his Master’s degree in information assurance from Norwich University in 2007.
be expensive and time consuming— Great strides have been made to especially in larger, more distributed facilitate resolution to this problem. 32 IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac
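The consolidation step described above (taking the native flat-text and XML outputs of different tools and re-presenting them on one high/medium/low scale, per host) can be shown in a short script. The following is an added example, not code from the article or from proVM Auditor; both scanner export formats, and the hosts, ports and check identifiers they contain, are constructed for illustration.

```python
"""Consolidate findings from two (constructed) vulnerability scanner exports
into one normalised view: one risk scale, grouped by host, with the (host, port)
pairs that more than one tool flagged called out for remediation first."""
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed export from a hypothetical scanner "A": flat text (CSV) with CVSS-style scores.
SCANNER_A_CSV = """host,port,check_id,risk,title
10.0.0.5,22,10001,4,SSH server supports weak MAC algorithms
10.0.0.5,443,10002,9.8,TLS certificate expired
10.0.0.7,445,10003,7.5,SMB signing not required
"""

# Constructed export from a hypothetical scanner "B": XML with textual severity labels.
SCANNER_B_XML = """<report>
  <host ip="10.0.0.5">
    <finding port="443" id="B-77" severity="Critical">Expired TLS certificate</finding>
    <finding port="80" id="B-12" severity="Low">HTTP TRACE method enabled</finding>
  </host>
  <host ip="10.0.0.9">
    <finding port="3306" id="B-40" severity="High">MySQL accessible without authentication</finding>
  </host>
</report>
"""

def normalise_risk(value):
    """Map a tool-specific risk value onto the high/medium/low scale the article uses.
    Numeric values are read as 0-10 scores; anything else is treated as a vendor label."""
    try:
        score = float(value)
    except ValueError:
        label = value.strip().lower()
        return {"critical": "high", "high": "high", "medium": "medium",
                "moderate": "medium", "low": "low", "info": "low"}.get(label, "medium")
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def parse_scanner_a(text):
    """Read scanner A's CSV export into normalised finding records."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"host": row["host"], "port": int(row["port"]), "tool": "A",
               "check_id": row["check_id"], "risk": normalise_risk(row["risk"]),
               "title": row["title"]}

def parse_scanner_b(text):
    """Read scanner B's XML export into the same record shape."""
    root = ET.fromstring(text)
    for host in root.findall("host"):
        for finding in host.findall("finding"):
            yield {"host": host.get("ip"), "port": int(finding.get("port")), "tool": "B",
                   "check_id": finding.get("id"), "risk": normalise_risk(finding.get("severity")),
                   "title": finding.text.strip()}

def consolidate(findings):
    """Group findings per host and risk level; exact repeats of one tool's check are dropped,
    but the same issue seen by two tools is kept twice so the overlap stays visible."""
    by_host = defaultdict(lambda: {"high": [], "medium": [], "low": []})
    seen = set()
    for f in findings:
        key = (f["host"], f["port"], f["tool"], f["check_id"])
        if key in seen:
            continue
        seen.add(key)
        by_host[f["host"]][f["risk"]].append(f)
    return dict(by_host)

def summarise(by_host):
    """{host: {'high': n, 'medium': n, 'low': n}}, worst hosts first."""
    ordered = sorted(by_host.items(),
                     key=lambda kv: (-len(kv[1]["high"]), -len(kv[1]["medium"]), kv[0]))
    return {host: {lvl: len(items) for lvl, items in levels.items()} for host, levels in ordered}

def corroborated(findings):
    """(host, port) pairs reported by more than one tool: independent confirmation."""
    tools = defaultdict(set)
    for f in findings:
        tools[(f["host"], f["port"])].add(f["tool"])
    return sorted(k for k, t in tools.items() if len(t) > 1)

if __name__ == "__main__":
    all_findings = list(parse_scanner_a(SCANNER_A_CSV)) + list(parse_scanner_b(SCANNER_B_XML))
    for host, counts in summarise(consolidate(all_findings)).items():
        print(host, counts)
    print("seen by more than one tool:", corroborated(all_findings))
```

Each new tool only needs a parser that emits the same record shape; the risk mapping, grouping and corroboration logic stay fixed, which is what makes the combined view comparable from one assessment cycle to the next.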
SUBJECT MATTER EXPERT
Dr. Peng Liu
by Angela Orebaugh

This article continues our profile series of members of the Information Assurance Technology Analysis Center (IATAC) Subject Matter Expert (SME) program. The SME profiled in this article is Dr. Peng Liu from Pennsylvania State University.

Dr. Peng Liu is an Associate Professor in the College of Information Sciences and Technology (IST). He is also a member of the graduate faculty for the Department of Computer Science and Engineering and affiliate associate professor for the Department of Supply Chain and Information Systems (SC&IS) in the Smeal College of Business. In addition, Dr. Liu is the Director of the Cyber Security Lab and Director of the LIONS Center. His research interests include survivable systems, systems security, information security, network security, privacy, identity theft, cyber infrastructures, and electronic health. [1]

Dr. Liu won a $6.25M grant from the Army Research Office in July 2009 to study cyber situation awareness (CSA). He and his team received a Multidisciplinary University Research Initiative Award (MURI) for his project, "Computer-aided Human-centric Cyber Situation Awareness." They plan to use the grant funding to further the research on cyber awareness and how it can be used to improve cyber defense. Research goals include developing tools that will help bridge the gap between analysts' capabilities and existing CSA software and hardware. The objective of this effort is to develop an integrated end-to-end (spanning the whole 'life cycle') CSA solution to fill the gap between machine information processing and analysts' mental processes. The scope of this effort is to develop new capabilities for computer-aided human-centric CSA. The solution adds the new algorithms and techniques that are needed for the machine situational awareness (SA) system to work in concert with the human SA system. It integrates the human cognition aspects and the computer algorithm aspects of cyber SA. The solution also integrates situation recognition, impact assessment, causality analysis, trend analysis, and assessment of system assurance. The team will develop prototype capabilities in each year of the project that build on prior years' capabilities, with the goal of having a testable, executable prototype at each stage of the project.

Dr. Liu was also one of three researchers who received more than $1M funded by the American Recovery and Reinvestment Act of 2009. His project—Collaborative Research: Towards Self-Protecting Data Centers: A Systematic Approach—is aimed at safeguarding business applications and infrastructure from cyber threats. The research team seeks to improve security consolidation to meet the top two requirements for modern data centers—business continuity and information security. The team will take a systematic approach that leverages the emerging virtual machine technologies to consolidate four areas of systems security research: microscopic intrusion analysis and detection; redundancy; automatic response; and diversity-driven protection. Broader impacts for this research include a significant advancement in reducing risks to business applications and information systems, increasing business continuity, and delivering data assurance in the presence of severe cyber attacks. Liu will co-lead this project, which will further the team's previous research on cyber awareness and how it can be used to improve cyber defense.

Dr. Liu organizes and presents at several conferences in information security. A few examples include: Securecomm 2009 (general chair); Inscrypt 2008 (both Program Co-Chair and keynote speaker); and AsiaCSS 2010 (Program Co-Chair).

References
1. http://ist.psu.edu/s2/pliu
Eight Steps to Holistic Database Security
by Dr. Ron Ben Natan

Financially motivated attacks, malfeasance by insiders, and regulatory requirements such as the Federal Information Security Management Act-mandated National Institute of Standards and Technology (NIST) 800-53 standard are driving government organizations to find new ways to secure their data.

Most of the world's sensitive data is stored in commercial database systems such as Oracle, Microsoft SQL Server, IBM DB2, and Sybase—making databases an increasingly favorite target for criminals. This may explain why external attacks such as SQL injection jumped 134% in 2008, increasing from an average of a few thousand per day to several hundred thousand per day, according to a report recently published by IBM. [1]

To make matters worse, according to a study published in February 2009 by the Independent Oracle Users Group (IOUG), nearly half of all Oracle users are at least two or more patch cycles behind in their database patching. [2] In addition, 74% of all Web application vulnerabilities disclosed in 2008 did not even have an available patch by the end of 2008, according to IBM. [3]

Whereas most attention has previously been focused on securing network perimeters and client systems (e.g., firewalls, IDS/IPS, and anti-virus), we are now entering a new phase where information security professionals are being tasked with ensuring that critical databases are secure from breaches and unauthorized changes.

Here are eight essential best practices that provide a holistic approach to both safeguarding databases and achieving compliance with key regulations and standards such as NIST 800-53 and Defense Information System Agency Security Technical Implementation Guides as well as the Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI-DSS), and data protection laws:

• Discovery—You cannot secure what you do not know. You need to have a good mapping of your sensitive assets—both of your database instances and of the sensitive data inside the databases. Plus, you should automate the discovery process because the location of sensitive data is constantly changing due to changes such as new or modified applications and mergers and acquisitions. In an interesting twist, some discovery tools can also find malware placed in your database as a result of SQL injection attacks. In addition to exposing confidential information, SQL injection vulnerabilities allow attackers to embed other attacks inside the database that can then be used against visitors to the Web site.

• Vulnerability and Configuration Assessment—You need to assess the configuration of your databases to ensure they do not have security holes. This includes verifying both the way the database is installed on the operating system (e.g., checking file privileges for database configuration files and executables) and configuration options within the database itself (such as how many failed logins will result in a locked account, or which privileges have been assigned to critical tables). Plus, you need to verify that you are not running database versions with known vulnerabilities. Traditional network vulnerability scanners were not designed for this because they do not have embedded knowledge about database structures and expected behavior, nor can they issue SQL queries (via credentialed access to the database) in order to reveal database configuration information.

• Hardening—The result of a vulnerability assessment is often a set of specific recommendations. This is the first step in hardening the database. Other elements of hardening involve removing all functions and options that you do not use.

• Change Auditing—Once you have created a hardened configuration, you must continually track it to ensure that you do not digress from your "gold" (secure) configuration. You can do this with change auditing tools that compare snapshots of the configurations (at both the operating system level and at the database level) and immediately alert you whenever a change is made that could affect the security of the database.

• Database Activity Monitoring (DAM)—Real-time monitoring of database activity is key to limiting your exposure by immediately detecting intrusions and misuse. For example, DAM can alert on unusual access patterns indicating a SQL injection attack, unauthorized changes to financial data, elevation of account privileges, and configuration changes executed via SQL commands. Monitoring privileged users is also a requirement for data governance regulations such as SOX and data privacy regulations such as PCI-DSS. It is also important for detecting intrusions because attacks will frequently result in the attacker gaining privileged user access (such as via credentials owned by your business applications). DAM is also an essential element of vulnerability assessment because it allows you to go beyond traditional static assessments to include dynamic assessments of "behavioral vulnerabilities" such as multiple users sharing privileged credentials or an excessive number of failed database logins. Finally, some DAM technologies offer application-layer monitoring, allowing you to detect fraud conducted through multi-tier applications such as PeopleSoft, SAP, and Oracle e-Business Suite, rather than through direct connections to the database.

• Auditing—Secure, non-repudiable audit trails must be generated and maintained for any database activities that impact security posture, data integrity, or viewing sensitive data. In addition to being a key compliance requirement, having granular audit trails is also important for forensic investigations. Most organizations currently employ some form of manual auditing, utilizing traditional native database logging capabilities. However, these approaches are often found to be lacking because of their complexity and high operational costs due to manual efforts. Other disadvantages include high performance overhead, lack of separation of duties (because database administrators can easily tamper with the contents of database logs, thereby affecting non-repudiation), and the need to purchase and manage large amounts of storage capacity to handle massive amounts of unfiltered transaction information. Fortunately, a new class of DAM solutions is now available that provides granular, database management system (DBMS)-independent auditing with minimal impact on performance, while reducing operational costs through automation, centralized cross-DBMS policies and audit repositories, filtering, and compression.

• Authentication, Access Control, and Entitlement Management—Not all data and not all users are created equally. You must authenticate users, ensure full accountability per user, and manage privileges to limit access to data. And you should enforce these privileges—even for the most privileged database users. You also need to periodically review entitlement reports (also called User Right Attestation reports) as part of a formal audit process.

• Encryption—Use encryption to render sensitive data unreadable, so that an attacker cannot gain unauthorized access to data from outside the database. This includes both encryption of data-in-transit, so that an attacker cannot eavesdrop at the networking layer and gain access to the data when it is sent to the database client, as well as encryption of data-at-rest, so that an attacker cannot extract the data even with access to the media files.

A holistic database security approach is needed to protect against cyberattacks, breaches, fraud, and insider threats. Additionally, such a strategy helps federal agencies and contractors meet NIST 800-53 and comply with the OMB M-06-16 directive, Protection of Sensitive Agency Information, in order to secure personally identifiable information and other sensitive data such as financial data and classified information.

About the Author

Dr. Ron Ben Natan, chief technology officer for Guardium, the database security company, has more than 20 years of experience developing enterprise applications and security technology. Guardium, an IBM Company, delivers a scalable platform that prevents information leaks from the data center and ensures the integrity of enterprise data. The company's enterprise security platform is now installed in more than 450 data centers worldwide, including top government agencies. Dr. Natan has authored 12 technical books, including HOWTO Secure and Audit Oracle 10g and 11g (© 2009 by Taylor and Francis Group, LLC) and Implementing Database Security and Auditing (© 2005, Elsevier, Inc.), the standard texts in the field.

References
1. IBM Global Technology Services, "IBM Internet Security Systems X-Force® 2008 Trend & Risk Report," January 2009.
2. IOUG, "Security Patching Practices by Oracle Users," February 2009.
3. Ibid.
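Two of the eight steps lend themselves to a worked illustration: change auditing (comparing a current snapshot of file permissions, DBMS parameters and grants against the "gold" configuration) and database activity monitoring (behavioral rules over an audit stream for an excessive number of failed logins, a privileged credential used from several client hosts, and privilege or configuration changes issued as SQL). The script below is an added example, not code from the article or from Guardium; the file path, parameter names, user names, client hosts and audit records are all constructed.

```python
"""Static change auditing against a sealed 'gold' baseline plus dynamic
behavioural rules over a database audit stream. Everything below is constructed
sample data, not read from a live DBMS."""
import hashlib
import json
from collections import Counter, defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# --- Static: gold configuration vs. current snapshot -------------------------
APPROVED_CONF = b"listen_port = 1521\naudit_trail = DB\n"   # constructed approved file content
CURRENT_CONF = b"listen_port = 1521\naudit_trail = NONE\n"  # constructed drifted content

GOLD = {  # constructed baseline: OS-level file attributes, DBMS parameters, grants
    "files": {"/opt/db/conf/server.conf": {"mode": "0640", "owner": "dbadmin",
                                            "sha256": sha256_hex(APPROVED_CONF)}},
    "params": {"failed_login_attempts": 5, "remote_os_authent": "FALSE", "audit_trail": "DB"},
    "grants": {"app_svc": ["SELECT:orders", "INSERT:orders"], "report_ro": ["SELECT:orders"]},
}
CURRENT = {  # constructed snapshot taken later: file mode loosened, auditing off, extra grant
    "files": {"/opt/db/conf/server.conf": {"mode": "0644", "owner": "dbadmin",
                                            "sha256": sha256_hex(CURRENT_CONF)}},
    "params": {"failed_login_attempts": 5, "remote_os_authent": "FALSE", "audit_trail": "NONE"},
    "grants": {"app_svc": ["SELECT:orders", "INSERT:orders", "ALL:payroll"], "report_ro": ["SELECT:orders"]},
}

def seal(snapshot) -> str:
    """Digest of the canonical JSON form of a snapshot. Keep the gold digest outside
    the DBA's control so tampering with the baseline itself is detectable."""
    return sha256_hex(json.dumps(snapshot, sort_keys=True).encode())

def flatten(snapshot):
    """One flat key per auditable setting so the two levels compare uniformly."""
    flat = {}
    for path, attrs in snapshot["files"].items():
        for attr, value in attrs.items():
            flat[f"file:{path}:{attr}"] = value
    for name, value in snapshot["params"].items():
        flat[f"param:{name}"] = value
    for user, privs in snapshot["grants"].items():
        flat[f"grant:{user}"] = sorted(privs)
    return flat

def config_drift(gold, current):
    """(key, gold_value, current_value) for every setting that differs;
    None marks a setting present on only one side."""
    g, c = flatten(gold), flatten(current)
    return [(k, g.get(k), c.get(k)) for k in sorted(set(g) | set(c)) if g.get(k) != c.get(k)]

# --- Dynamic: behavioural rules over audit records ----------------------------
# Constructed records: (timestamp, db_user, client_host, status, statement)
AUDIT_RECORDS = [
    ("2010-03-01T09:00:01", "app_svc", "10.1.1.20", "OK", "SELECT * FROM orders WHERE id = 42"),
    ("2010-03-01T09:00:03", "dba_admin", "10.1.1.50", "OK", "SELECT count(*) FROM payroll"),
    ("2010-03-01T09:00:05", "dba_admin", "10.1.1.77", "OK", "SELECT * FROM payroll"),
    ("2010-03-01T09:00:06", "dba_admin", "10.1.1.91", "OK", "GRANT DBA TO app_svc"),
] + [("2010-03-01T09:00:%02d" % s, "report_ro", "10.1.1.33", "FAIL", "LOGIN") for s in range(10, 16)] + [
    ("2010-03-01T09:00:30", "app_svc", "10.1.1.20", "OK", "ALTER SYSTEM SET audit_trail = NONE"),
]
PRIVILEGED_USERS = {"dba_admin", "sys"}
SENSITIVE_PREFIXES = ("GRANT ", "REVOKE ", "ALTER SYSTEM ", "ALTER USER ", "CREATE USER ", "DROP USER ")

def excessive_failed_logins(records, threshold=5):
    """Accounts with at least `threshold` failed logins in the stream."""
    fails = Counter(u for _, u, _, st, sql in records if st == "FAIL" and sql == "LOGIN")
    return {u: n for u, n in fails.items() if n >= threshold}

def shared_privileged_credentials(records, privileged=PRIVILEGED_USERS):
    """Privileged accounts seen connecting successfully from more than one client host."""
    hosts = defaultdict(set)
    for _, u, host, st, _ in records:
        if u in privileged and st == "OK":
            hosts[u].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) > 1}

def sensitive_statements(records):
    """Successful privilege or configuration changes issued as SQL; each should map to a change ticket."""
    return [(ts, u, sql) for ts, u, _, st, sql in records
            if st == "OK" and sql.upper().startswith(SENSITIVE_PREFIXES)]

def dam_alerts(records):
    alerts = [("failed_logins", u, f"{n} failed logins") for u, n in excessive_failed_logins(records).items()]
    alerts += [("shared_credential", u, ", ".join(h)) for u, h in shared_privileged_credentials(records).items()]
    alerts += [("sensitive_statement", u, sql) for _, u, sql in sensitive_statements(records)]
    return alerts

if __name__ == "__main__":
    for d in config_drift(GOLD, CURRENT):
        print("DRIFT", d)
    for a in dam_alerts(AUDIT_RECORDS):
        print("ALERT", a)
```

The static check catches the loosened file mode, the changed file content, the new grant and the disabled audit trail in one pass; the dynamic rules catch the same audit-trail change the moment it is issued as SQL, along with the shared DBA credential and the failed-login burst. Sealing the baseline and keeping its digest away from the DBA role addresses the separation-of-duties point the article raises about administrators tampering with logs.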
Letter to the Editor

Q: There are a lot of information assurance conferences, forums, and seminars available to the IA community, and the IAnewsletter focuses on several each year. What is the most important IA conference IATAC takes part in annually?

A: A critical aspect of sharing information assurance (IA) related information is attending events where solutions for pressing IA problems can be discussed. These events also help the IA community learn about the resources available to them and some of the cutting-edge developments in the IA field. IATAC attends, exhibits, and presents at several conferences a year to take part in critical IA discussions, and to promote outreach and awareness for the free products and services we offer. The biggest conference we attend each year is the Information Assurance Symposium (IAS), hosted by the National Security Agency, Defense Information Systems Agency, and US Strategic Command.

This year's conference took place in Nashville, TN, February 2-4, bringing together over 2,000 attendees from all three of IATAC's target communities: government, industry, and academia. Attendees had the opportunity to participate in one of four tracks. The Protect track focused on discovering ways to improve information security and harden networks. The Defend track looked at how cyber warriors can detect, diagnose, and respond to security threats effectively. The Survive track featured sessions on sustaining mission essential functionalities during network attacks. Finally, the Making it all Happen track analyzed how to staff, equip, train, and certify the cyber warrior.

IAS stressed the importance of true collaboration and the need to achieve information superiority, and it provided the IA community with networking opportunities essential to achieving these goals. IATAC was glad to take part in IAS this year, and we look forward to participating again next year.
ASK THE EXPERT
Public/Private Partnership Becoming a Necessity
by Allan Carey

Governments have long dealt with espionage and attempts to exfiltrate state secrets and intellectual property. The interconnected world of computing systems has split our efforts to detect and thwart such attempts between the physical and logical worlds. The term advanced persistent threat (APT) has had relevancy in the information assurance world, which started in the US Air Force around 2006. However, beyond government and the defense industrial base, no one in the private sector had really heard or cared about APT.

Until now…Why? Google vs. China catapulted APT into the mass media spotlight for better or worse. [1] Back in July 2009, Richard Bejtlich ran a Google search on "advanced persistent threat" prior to an Institute for Applied Network Security briefing, which yielded 34 unique hits. [2] As of 16 January 2010, the same search returned 169 hits. During the week of 25 January 2010, The Christian Science Monitor reported about stolen bid data from three major energy companies with traces back to China. [3] And Mandiant, a specialized consulting firm, released its first M-Trends Report, which highlighted the types of attacks they have investigated, including ones perpetrated by the APT. [4]

Let's start with the negative part of this attention. APT has just made the buzzword bingo chart of marketing professionals targeting our industry. The term will be misrepresented, misused, and basically abused to promote/sell products and services with the promise of solving this problem. For the misguided, their attention and resources will be directed away from solving their real information assurance problems. The well informed should see right through the APT elixir.

On the positive side, senior security leaders are now more aware of this threat vector, even though they may not have the budget or resources to do something about it. As a result, organizations are getting engaged in the conversation and looking for ways to collaborate and share information. Changing the way in which we interact and exchange best practices must occur, particularly around this topic, because our advanced persistent adversaries are incredibly organized and well funded. They are sharing best practices and techniques; as a profession, we must do the same because continuing to fight the battle in silo efforts is not a sustainable strategy.

One promising example of public/private partnership is the impending Google and National Security Agency relationship. This action is a step in the right direction for sharing defensive techniques and enabling another organization to better defend itself. Another example is the National Security Telecommunications Advisory Committee Network Security Information Exchanges, which I believe will see increased participation from industry in light of the recent developments. Other groups/relationships are forming behind closed doors, but the motivation and business drivers are strong enough to hopefully change the paradigm between public/private partnership and information sharing overall.

References
1. http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
2. www.taosecurity.com
3. http://www.csmonitor.com/Commentary/editors-blog/2010/0126/Why-the-China-virus-hack-at-US-energy-companies-is-worrisome
4. http://www.mandiant.com/news_events/article/mandiant_releases_first_annual_m-trends_report_at_u.s._department_of_d
Apples & Oranges: Operating and Defending the Global Information Grid
by Dr. Robert F. Mills, Major Michael B. Birdwell, and Major Kevin R. Beeker

Cyberspace is a contested, warfighting domain, but we're not really treating it as such, partly because our language and doctrine have not matured to the point that allows us to do so. One reflection of our immature language is our inability to clearly differentiate the concepts of network operations (NETOPS) and computer network defense (CND). This creates confusion about the roles and responsibilities for provisioning, sustaining, and defending the network—much less actually using it. In this article, we resolve this confusion by highlighting the differences among maintenance, defense, and mission assurance activities. Only by separating these activities can we more effectively organize, train, and equip people to perform those tasks. We also describe how the mission assurance aspect of NETOPS can better be viewed as a force protection issue, thereby highlighting the importance of the unit commander in the cyberspace puzzle.

Culture Change

There has been much talk about changing our cyber culture—specifically with respect to how we use cyberspace. General Kevin J. Chilton, the Commander of US Strategic Command (USSTRATCOM), hosted a Cyberspace Symposium in April 2009. In his opening remarks, he labeled cyberspace operations as commanders' business and described a shift in culture that must occur for the United States to be effective in this domain: "We must think about this domain and the tools in this domain and the readiness of this domain as commanders, as essential to successful operations." General Chilton calls every Soldier, Sailor, Airman, Marine, DoD civilian, and contractor to arms, saying, "They are part of the front line of defense and in fact they're engaged in cyber operations that matter every day, whether they know it or not." He compares operations in the domain to "the guards who guard your bases, who stand there at the gate and make sure only the right people come in and keep the wrong people out—that's everybody who has a computer on their desk in these domains today." [1]

Similarly, Air Force Chief of Staff General Norton A. Schwartz sent an e-mail to every member of the Air Force entitled Cyberspace Operations Culture Change on May 27th, 2009. In this e-mail he wrote, "Compliance with time critical software updates will gain new emphasis and commanders will be held accountable…. Our Air Force must move to a system of tight network control, personal responsibility, and accountability as we execute our global mission on behalf of our Nation." [2] General Schwartz made it clear that all Air Force members operate in cyberspace and echoed General Chilton's comments emphasizing commander involvement and responsibility for cyberspace operations.

Our leaders are making some very interesting points here. We are all on the front line of defense and are involved in cyber operations every day. General Chilton's analogy of the gate guard who "keeps the wrong people out" is noteworthy, but his use of the word 'defense' is misleading—he's really talking about 'security and force protection.' But he's not the only one who falls into this trap—our doctrine is just as confusing.

NETOPS and Network Defense

This is how the DoD Dictionary defines NETOPS and CND:

• NETOPS—"activities conducted to operate and defend the Global Information Grid."
• CND—"actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks." [3]

Figure 1 illustrates the NETOPS continuum, and demonstrates the difficulty in distinguishing between the two disparate functions of maintenance and defense.

Figure 1 NETOPS and CND Continuum (NETOPS spans from "Operate the Network" to "Defend the Network")

Effective CND uses a defense-in-depth strategy and employs intelligence, counterintelligence, law enforcement, and other military capabilities as required. However, the CND culture is largely one of information assurance (e.g., confidentiality, integrity, and availability), system interoperability, and operations and maintenance (O&M). Many of the things that we routinely call 'cyberspace defense' in cyberspace are really just O&M activities—such as setting firewall rules, patching servers and workstations, monitoring audit logs, and troubleshooting circuit problems.

We talk about vulnerabilities and the thousands of 'cyber attacks' against our networks every day, but we do not treat cyberspace operations like those conducted in other domains. Server availability and communications circuit status are represented as green, yellow, and red lights on a stop-light chart, with an objective being 'all green.' And yet, when a system or circuit is reported as yellow or red, we rarely understand what the true operational impact is in a timely manner. Furthermore, thousands of systems administrators routinely count and scan computers to ensure that their software and operating system patches are current. The objective is 100% compliance, but even if we could achieve that, this is a maintenance activity. (Indeed, do we even really know how many computers we have, let alone how many are compliant?) This is no more a defensive activity than counting all the rifles in an infantry company and inspecting them to ensure that they are properly cleaned and in working order.

Our current NETOPS/CND mindset is intentionally focused inward, with emphasis on ensuring that friendly forces have freedom of action within and through cyberspace. Contrast this with a traditional warfighting mentality in which we study an adversary's potential courses of action, develop and refine operational plans to meet national and military objectives, parry thrusts, and launch counter attacks. While we do worry about internal issues such as security, force protection, logistics, and sustainment, our focus remains outward on the adversary. Granted, terms such as 'inward' and 'outward' mean different things when discussing cyberspace (because geographic boundaries are somewhat irrelevant), but we generally use these terms to refer to friendly forces and adversaries, respectively.

Our intent is not to diminish the importance of NETOPS activities—these activities are critical to our ability to operate in and through cyberspace. But they are not defensive activities—at least not in the classical understanding of the concept. Turning to Carl von Clausewitz, we see a much different concept of defense than is currently applied to cyberspace:

What is the concept of defense? The parrying of a blow. What is its characteristic feature? Awaiting the blow. It is this feature which turns any action into a defensive one; it is the only test by which defense can be distinguished from attack in war. Pure defense, however, would be completely contrary to the idea of war, since it would mean that only one side was waging it…. But if we are really waging war, we must return the enemy's blows; and these offensive acts in a defensive war come under the heading of 'defense'–in other words, our offensive takes place within our own positions or theater of operations. Thus, a defensive campaign can be fought with offensive battles, and in a defensive battle, we can employ our divisions offensively. Even in a defensive position awaiting the enemy assault, our bullets take the offensive. So the defensive form of war is not a simple shield, but a shield made up of well-directed blows. [4]

Similarly, Army Field Manual 3-0, Operations, states the following:

Defensive operations defeat an enemy attack, buy time, economize forces, or develop conditions favorable for offensive operations. Defensive operations alone normally cannot achieve a decision. Their purpose is to create conditions for a counteroffensive that allows Army forces to regain the initiative. [5]

These definitions of defense do not sound like our current approach to NETOPS and CND. Clausewitz might say we have a shield mentality about cyber defense. The O&M activities that we routinely refer to as 'network defense' are passive and do not try to gain or maintain the initiative. An active defense—one that employs limited offensive action and counterattacks to deny the adversary—will be required to have a genuinely defensive capability in cyberspace.

A Force Protection Model

So if NETOPS isn't CND, then what is it? Joint Publication (JP) 6-0, Joint Communications System, is the DoD's capstone document for communications and network support to joint operations. Chapter IV discusses NETOPS in depth, stating:

• The effectiveness of NETOPS is measured in terms of availability and reliability of network enabled services, across all areas of interest, in adherence to agreed-upon service.
• The purpose of NETOPS is assured system and network availability, assured information protection, and assured information delivery. [6]

The overarching theme in these statements is the ability for users (customers) to accomplish their missions, which leads us to the concept of 'mission assurance.' Mission assurance includes a number of activities and measures taken to ensure the availability of required capabilities and supporting infrastructures to support military operations and accomplish assigned missions. This includes areas such as force protection, antiterrorism, information assurance, and continuity of operations. [7] The security portion of NETOPS then can be viewed as a form of force protection, where force protection is defined as follows:

Preventive measures taken to mitigate hostile actions against DoD personnel (to include family members), resources, facilities, and critical information. Force protection does not include actions to defeat the enemy or protect against accidents, weather, or disease. [8]

This definition does not say anything about defense in terms of maneuver and fires, but it does highlight that everyone in the DoD has a role in 'mitigating hostile activities' that can certainly be extended to cyberspace. There are several reasons we should look at force protection doctrine as it relates to the NETOPS/security problem. The first is that force protection activities and doctrine are well-defined, and force protection experts have developed a rigorous methodology to define the force protection process, as illustrated in Figure 2. The following force protection core principles apply to cyberspace:

• Determine the threat via a tailored threat assessment
• Determine critical infrastructure via a criticality assessment
• Determine vulnerability via a vulnerability assessment
• Determine acceptable risk via a risk assessment
• Develop a comprehensive force protection plan
• Exercise the plan to determine limiting factors and gain process familiarity.

Figure 2 Force Protection Planning Process [9] (Threat Assessment, Criticality Assessment, Vulnerability Assessment, and Risk Assessment feed Force Protection Planning, which produces the FP Plan; Exercise Plan closes the cycle)

A second reason to look at force protection is that force protection is an inherent responsibility of command. Air Force Doctrine Document 2-4.1, Force Protection, clearly states, "Commanders at all levels must make force protection an imperative." [10] A fundamental premise within JP 6-0 is that many of the responsibilities for NETOPS activities remain within the purview of the communications community. With a force protection mindset, responsibility shifts to the person who is accountable for mission accomplishment—the commander. At all levels of warfare, the commander should have the best understanding of both the mission and the requirements to accomplish it. The unit commander is therefore integral to cyberspace force protection actions and is not merely a customer. This conceptual shift integrates cyberspace force protection at the lowest possible level, thereby making it a unit commander's responsibility—which is where General Chilton said it should be!

Finally, the concept of force protection brings with it responsibility to every member of the force. The gate guards may "let the right people come in and keep the wrong people out," but we must be on the lookout for those who have gotten past the perimeter fence and those insiders who engage in malicious acts. Using a force protection paradigm, information assurance would equate closely to the Air Force (AF) Office of Special Investigations (OSI) 'Eagle Eyes' construct. The AFOSI Eagle Eyes website states:

The Eagle Eyes program is an Air Force anti-terrorism initiative that enlists the eyes and ears of Air Force members and citizens in the war on terror. Eagle Eyes teaches people about the typical activities terrorists engage in to plan their attacks. Armed with this information, anyone can recognize elements of potential terror planning when they see it. [12]

Conclusions

Semantics matter. One of the fundamental purposes of joint doctrine is to provide a common language that describes how we organize, train, equip, and employ our military capabilities. […] operations, from inward to outward (to our adversaries). CND is about delivering warfighting effects (e.g., denying, degrading, disrupting, and destroying the cyber capabilities of our adversaries).

Taken together, these concepts provide a framework to develop cyberspace capabilities and personnel to meet joint mission requirements and to more effectively engage in operations in cyberspace.

About the Authors

Dr. Robert F. Mills is an Associate Professor of electrical engineering at the Air Force Institute of Technology (AFIT), Wright-Patterson AFB, OH.

References
1. General Kevin Chilton, Opening Remarks to the April, 2009, USSTRATCOM Cyberspace Symposium, http://www.stratcom.mil/speeches/23
2. General Norton A. Schwartz, Letter to All Airmen, dated 27 May, 2009.
3. DoD Dictionary of Military Terms, http://www.dtic.mil/doctrine/dod_dictionary
4. Taken from Peter G. Tsouras. Warriors Words: A Quotation Book. 1992. Arms and Armour Press, London. Page 128.
5. US Army Field Manual (FM) 3-0, Operations, 14 Jun 2001, p. 1-15, http://www.dtic.mil/doctrine/jel/service_pubs/fm3_0a.pdf
6. Joint Publication (JP) 6-0, Joint Communications System, 20 Mar, 2006, p IV-1, http://www.dtic.mil/doctrine/new_pubs/jp6_0.pdf
7. DoD Directive 3020.40, Defense Critical Infrastructure Program, 19 Aug, 2005, p. 13, http://www.dtic.mil/whs/directives/corres/pdf/302040p.pdf
He teaches graduate courses and leads sponsored Inadequate semantics creates confusion 8. DoD Dictionary of Military Terms. research in support of AFIT’s cyber operations and and degrades our warfighting capability. 9. DODI 2000.16, DoD Antiterrorism (AT) Standards, warfare program. His research interests include Our current language confuses the use, provides clear guidance on the tools necessary network management and security, operations and maintenance, and the to define the threat, determine what is critical, communications systems, cyber warfare, and defense of the cyberspace domain, determine what is vulnerable, determine acceptable systems engineering. He retired from active duty which makes roles and responsibilities risk, develop a plan, exercise the plan, and then in the US Air Force after serving 21 years as a unclear. Our recommendations to start over. The AT Risk Management process is communications officer. remedy this situation are as follows: outlined in enclosure 3 (pages 13—22). Available 1. Redefine NETOPS as “actions taken at http://www.dtic.mil/whs/directives/corres/ Major Michael B. “Bo” Birdwell | is a to provision and maintain the pdf/200016p.pdf. career intelligence officer. He is the Director of cyberspace domain.” This would 10. Air Force Doctrine Document 2-4.1, 9 Nov 2004, p. 11. Operations at the Air Mobility Command Air capture the current concepts of 11. http://www.e-publishing.af.mil/shared/media/ Intelligence Squadron at Scott Air Force Base, IL. operations and maintenance while epubs/AFDD2-4.1.pdf. Major Birdwell is a graduate of the Air Force removing the ambiguity caused by 12. The USAF OSI Eagle Eyes website is http://www. Academy (1996), the USAF Weapons School including defense within the osi.andrews.af.mil/eagleeyes/index.asp. Intelligence Division (2001), and the AFIT’s Cyber NETOPS construct. Warfare Intermediate Developmental Education 2. 
Leverage concepts such as ‘mission The views expressed in this article are Program (2009). assurance’ and ‘force protection’ to those of the authors and do not reflect the help change the culture and engage official policy or position of the United Major Kevin Keller Beeker | is now the J2 all personnel—users, maintainers, States Air Force, Department of Defense, Targeting Chief for the Joint Functional Component and cyber operators. Everyone has a or the U.S. Government. Command for Network Warfare (JFCC-NW) at Ft role in security and force protec- Meade, MD. He is a senior A/OA-10 combat pilot, tion, but we are not all cyber who also completed an exchange tour flying defenders. Force protection and F/A-18s with the United States Navy. He is a 1996 mission assurance are focused graduate of the United States Air Force Academy, inward on our mission. with a Bachelor of Science in computer science. 3. Redefine our CND construct to be He is also a 2009 graduate of AFIT’s Cyber more consistent with our approach Warfare Intermediate Developmental to the concept of ‘defense’ in the Education Program. other domains of warfare, to include the concept of active defense. This would shift the concept from maintenance to IAnewsletter Vol 13 No 2 Spring 2010 • http://iac.dtic.mil/iatac 41
LPS-Public: Secure Browsing and an Alternative to CAC Middleware
by Lt Col Ken Edge and Kevin Sweere

On January 15, 2010, the Air Force Portal started granting access only to those users who have a Common Access Card (CAC) or public key infrastructure certificate, blocking login via user/password. Other Department of Defense (DoD) sites require CACs for some activities, and it is likely many other federal agencies will also soon require two-factor authentication for sensitive Web services.

The DoD's solution for users of Windows XP Pro and Vista (a Windows 7 solution is coming soon) is to download licensed ActivClient middleware from an internal website. Users must install smartcard drivers, the middleware, and DoD root certificates on their Windows Personal Computers (PC). But that leaves out those running Mac or Linux systems, those using another's computer (e.g., a friend's, corporate, or public computer), those lacking administrator privileges, and those who just do not want to make the requisite changes to update their computers. Lightweight Portable Security, Public edition (LPS-Public) alleviates all these problems. And it's free from http://spi.dod.mil/.

LPS-Public offers other benefits; computers that are old, slow, infected, or crashed, or those that are missing a hard drive, can now browse the Internet again. Because LPS-Public operates only in Random Access Memory (RAM), users may visit risky, malware-infected sites with very little permanent risk. Likewise, users' private sessions and sensitive transactions occur within a leave-no-local-trace browsing environment. Note that running from RAM limits what persists on the host's disk after the session; it does not protect the session from hardware or firmware that is already compromised on a borrowed computer, nor from attacks against the user during the session itself.

LPS-Public provides a thin, secure end-node for cloud computing. Created by the Software Protection Initiative at the Air Force Research Laboratory (AFRL), LPS-Public boots from a CD, runs only in RAM, installs nothing to the hard drive, and does not require administrative rights. LPS-Public provides a Firefox browser with plug-ins, CAC middleware, certificates, and a PDF viewer within a very thin Linux operating system. It's a great solution for users with Mac, Linux, or Windows 7 systems, or those using others' computers.

A derived and accredited version, LPS-Remote Access, offers teleworkers remote desktop virtualization of their company's or agency's network. This means far fewer government laptops. Now one only needs to carry a CAC reader and a custom CD and then use almost any personal, public, or corporate computer to use a NIPRNet computer remotely.

The Software Protection Initiative (SPI) protects critical DoD intellectual property against nation-state class threats by taking an alternative approach to security based on three tenets: 1) Focus on What's Critical, 2) Move it Out-of-Band, and 3) Detect, React, Adapt. SPI solves your toughest cyber-defense challenges. The AFRL's ATSPI Technology Office manages SPI for the DDR&E via the High Performance Computing and Modernization Program.

Download the free LPS-Public ISO image from http://spi.dod.mil/lipose.htm.

Those wishing to get more details or interview a subject matter expert should contact Josh Aycock, 88 ABW/PA, at Joshua.aycock@wpafb.af.mil or 937-522-3514.

About the Authors

Lt Col Kenneth Edge graduated from the US Air Force Academy with a degree in electrical engineering. His previous assignments in the Air Force have included flying C-141 and C-21 airplanes. Lt Col Edge completed his Master's degree in electrical engineering at Wright State University, and then earned his PhD in computer security from the Air Force Institute of Technology. He serves at the AFRL as the Office of the Director, Defense Research and Engineering's SPI Program Manager.

Kevin Sweere serves the SPI as an Advisory and Assistance Services contractor from the not-for-profit Riverside Research Institute. He holds a Master's degree in Mechanical Engineering from Michigan Technological University and an MBA from the University of Cincinnati. He was a search and rescue dog trainer, snowplow researcher, Army Ranger, Armor Battalion S4, satellite operator, and designer/builder of two bleeding-edge intelligence production centers. He now teaches his Tiger Scout den land navigation and fire building.
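The article's central security property is that LPS-Public runs only in RAM and installs nothing to the hard drive. A user on a borrowed machine can check that property from inside the live session by confirming that no fixed disk is mounted read-write. The POSIX shell script below is an added example written for this page, not code from the LPS-Public project or the SPI: it parses lines in /proc/mounts format, skips the optical, loop and RAM devices a live CD legitimately uses, and reports any other block device mounted rw. The sample mount table is constructed for illustration and was not captured from a real LPS session.

```shell
#!/bin/sh
# Added example (not from the LPS-Public project): audit a live session's
# mount table for writable mounts backed by fixed disks. A "runs only in
# RAM, installs nothing to the hard drive" environment should report none.

# find_writable_disk_mounts reads /proc/mounts-format lines on stdin and
# prints "device mountpoint" for each mount whose source is a block device
# other than the optical drive, loop or RAM devices, and whose options
# contain the exact flag "rw" (so "rw" inside another option is not matched).
find_writable_disk_mounts() {
    awk '
        $1 ~ /^\/dev\// && $1 !~ /^\/dev\/(sr[0-9]|loop[0-9]+|ram[0-9]+)/ {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "rw") { print $1, $2; break }
            }
        }'
}

# Constructed sample mount table (hypothetical, not from a real LPS boot):
# a RAM-only root, the boot CD and its squashfs image mounted read-only,
# one fixed-disk partition mounted read-only, and one offending rw mount.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
tmpfs / tmpfs rw,relatime,size=2097152k 0 0
/dev/sr0 /cdrom iso9660 ro,relatime 0 0
/dev/loop0 /rofs squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /mnt/disk ext4 rw,relatime 0 0
/dev/sda2 /mnt/win ntfs ro,relatime 0 0'

# audit_sample runs the check over the constructed table; it should print
# exactly the one writable fixed-disk mount, /dev/sda1 on /mnt/disk.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | find_writable_disk_mounts
}

# With --live, read the real mount table of the running system instead.
if [ "${1:-}" = "--live" ]; then
    find_writable_disk_mounts < /proc/mounts
else
    audit_sample
fi
```

Run it with --live on the booted system to read the real /proc/mounts; every line of output names a disk the session could write to. An empty result only shows that nothing is mounted writable at that moment; it says nothing about the firmware or hardware of the borrowed machine, which a live CD cannot vouch for.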
FREE Products Order Form

Instructions: All IATAC LIMITED DISTRIBUTION reports are distributed through DTIC. If you are not a registered DTIC user, you must register prior to ordering any IATAC products (unless you are DoD or Government personnel). To register online: http://www.dtic.mil/dtic/registration. The IAnewsletter is UNLIMITED DISTRIBUTION and may be requested directly from IATAC.

Name: ________________________________  DTIC User Code: ______________
Organization: ________________________  Ofc. Symbol: _________________
Address: _____________________________  Phone: _______________________
_____________________________________  Email: _______________________
_____________________________________  Fax: _________________________

Please check one: [ ] USA  [ ] USMC  [ ] USN  [ ] USAF  [ ] DoD  [ ] Industry  [ ] Academia  [ ] Government  [ ] Other

Please list the Government Program(s)/Project(s) that the product(s) will be used to support: ____________________________________________

LIMITED DISTRIBUTION

IA Tools Reports:
[ ] Firewalls
[ ] Intrusion Detection
[ ] Vulnerability Analysis
[ ] Malware

Critical Review and Technology Assessment (CR/TA) Reports:
[ ] Biometrics (soft copy only)
[ ] Configuration Management (soft copy only)
[ ] Defense in Depth (soft copy only)
[ ] Data Mining (soft copy only)
[ ] IA Metrics (soft copy only)
[ ] Network Centric Warfare (soft copy only)
[ ] Wireless Wide Area Network (WWAN) Security
[ ] Exploring Biotechnology (soft copy only)
[ ] Computer Forensics (soft copy only; DTIC user code MUST be supplied before this report will be shipped)

State-of-the-Art Reports (SOARs):
[ ] Measuring Cyber Security and Information Assurance
[ ] IO/IA Visualization Technologies (soft copy only)
[ ] The Insider Threat to Information Systems (soft copy only; DTIC user code MUST be supplied before this report will be shipped)
[ ] Modeling & Simulation for IA (soft copy only)
[ ] Malicious Code (soft copy only)
[ ] Software Security Assurance
[ ] Data Embedding for IA (soft copy only)
[ ] A Comprehensive Review of Common Needs and Capability Gaps

UNLIMITED DISTRIBUTION

IAnewsletter hardcopies are available to order. Softcopy back issues are available for download at http://iac.dtic.mil/iatac/IA_newsletter.html
Volume 11: [ ] No. 1  [ ] No. 2  [ ] No. 3  [ ] No. 4
Volume 12: [ ] No. 1  [ ] No. 2  [ ] No. 3  [ ] No. 4
Volume 13: [ ] No. 1

SOFTCOPY DISTRIBUTION

The following are available by email distribution:
[ ] IADigest
[ ] IA/IO Scheduler
[ ] Research Update
[ ] Technical Inquiries Production Report (TIPR)

Fax completed form to IATAC at 703/984-0773
Calendar

May
• DISA Customer Partnership Conference, 3–7 May 2010, Nashville, TN, http://www.disa.mil/conferences/
• New York Metro Information Security Forum, 4–5 May 2010, New York, NY, http://www.ianetsec.com/forums/calendar.html
• Joint Warfighting 2010, 11–13 May 2010, Virginia Beach, VA, http://www.afcea.org/events/jwc/10/intro.asp
• IEEE Symposium on Security and Privacy, 16–19 May 2010, Oakland, CA, http://oakland31.cs.virginia.edu/index.html

June
• Forum of Incident Response and Security Teams (FIRST) Annual Conference, 13–18 June 2010, Miami, FL, http://conference.first.org/
• Lone Star Information Security Forum, 23–24 June 2010, Dallas, TX, http://www.ianetsec.com/forums/calendar.html

July
• 2010 Software Protection, IA and Anti-Tamper SBIR Workshop, 20–22 July 2010, WPAFB, OH, http://www.spi.dod.mil/workshop.htm
• Black Hat USA 2010, 24–29 July 2010, Las Vegas, NV, http://www.blackhat.com/html/events.html
• DEF CON 18, 30 July–1 August 2010, Las Vegas, NV, https://www.defcon.org/

August
• LandWarNet 2010, 3–5 August 2010, Tampa, FL, http://events.jspargo.com/lwn10/Public/MainHall.aspx
• Air Force Information Technology Conference (AFITC 2010), 30 August–1 September 2010, Montgomery, AL, http://www.mc2-afitc.com/

To change, add, or delete your mailing or email address (soft copy receipt), please contact us at the address below, call us at 703/984-0775, fax us at 703/984-0773, or send us a message at iatac@dtic.mil

Information Assurance Technology Analysis Center
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171