Mr. LeRoy Lundgren, Deputy Director Army Office of Information Assurance - PowerPoint PPT Presentation

Slide 1: Track 1, Session 7, Information Assurance: The Art of Information Sabotage, Threat Factors in the Public Domain

Mr. LeRoy Lundgren, Deputy Director, Army Office of Information Assurance Compliance (CIO/G6-NETC-ESTA-I)
https://informationassurance.us.army.mil
Slide 2: Purpose
  • To provide a brief overview of the threat posed to Army organizations, and the Army road ahead to counter that threat and remain vigilant

Slide 3: Agenda
  • Overview of threats
  • Army Road Ahead

Slide 4: Moonlight Maze
  • Thursday, October 7, 1999, Los Angeles Times
  • "In what appears to be the most extensive cyber-attack ever aimed at the U.S. government, covert hackers apparently working from Russia have systematically broken into Defense Department computers for more than a year and plundered vast amounts of sensitive information, U.S. officials said yesterday."
  • "Besides penetrating the Pentagon's defenses, the cyber-thieves have raided unclassified computer networks at Energy Department nuclear weapons and research labs, at the National Aeronautics and Space Administration and at numerous university research facilities and defense contractors, officials said."
  • "Despite an intense FBI-led inquiry code-named Moonlight Maze, investigators have failed to identify the hackers. 'The intrusions appear to have originated in Russia,' Michael Vatis, director of the FBI's National Infrastructure Protection Center, told a Senate subcommittee yesterday in the first public confirmation of Moonlight Maze."

Slide 5: Titan Rain
  • Thursday, August 25, 2005, Time Magazine
  • "Hackers breaking into official U.S. networks are not just using Chinese systems as a launch pad, but are based in China."
  • "Hackers sat down at computers in southern China and set off once again on their daily hunt for U.S. secrets."
  • "Since 2003 the group had been conducting wide-ranging assaults on U.S. government targets to steal sensitive information, part of a massive cyberespionage ring that U.S. investigators have codenamed Titan Rain."
  • "This was a simple program, but one that had been cleverly modified to fit their needs, and then used with ruthless efficiency against a vast array of U.S. networks. The attackers returned within a day or two and, as they had on dozens of military networks, broke into the computers to steal away as much data as possible."

Slide 6: Unclassified Information
  • An Al Qaeda training manual found in Manchester, England, in 2003 stated that by using public sources openly and without resorting to illegal means, it is possible to gather at least 80% of the information about the enemy.
  • Of course, gaining access to a system and downloading the information illegally is probably not going to be an issue for Al Qaeda.

Slide 7: The Spy
  • What would you prefer to do if you want to steal information?
  • Do it like James Bond?
    • Spend a significant period of time reviewing physical security routines in order to find a weakness?
    • Physically break in and risk injury, capture and imprisonment, and a direct connection to your sponsor?
  • Like a hacker over the network?
    • Use automated tools that will identify access points to targeted hosts?
    • Easily gain access and be able to download significant amounts of data without risking injury, capture, imprisonment or attribution?

Slide 8: Implementing World Class Network Defense
Defense-in-Depth Strategy - 2004 Into the Future
Slide 9: Army Enterprise NetOps Integrated Architecture v6.0, Architecture Refresh
Diagram of NetOps management areas and their component elements:
  • IP Transport Management
  • Computing Platform Management
  • Security Management
  • Enterprise Support
  • Enterprise Services / Apps Management
  • Non-IP Transport Management
  • Anti-Virus (Anti-Malware)
  • Backup and Recovery Management
  • Host Intrusion Detection System (HIDS)
  • Host Intrusion Prevention System (HIPS)
  • Network Attached Storage (NAS) Element Manager
  • Secure Configuration (Patch) Management
  • Storage Area Network (SAN) Element Manager
  • Systems Management
  • Data Security at Rest
  • Host-based Security System
AENIA - TRADOC APPROVED NETOPS ARCHITECTURE
Slide 10: LandWarNet IA Architecture
  • Establish a coordinated Army strategy and architecture for defining IA capabilities in the LandWarNet in the 2010-2015 timeframe
  • Coordinate end-to-end alignment of IA capabilities and components across Enterprise Architectures (e.g., GIG, AENIA, AILA, FCS, etc.)
  • Emphasis on the tactical environment
  • LIAA concepts used to:
    • Guide PEOs/PMs in the development of network security systems and the development of secure systems
    • Enable NetCentric information sharing (identify IA requirements, technologies, dependencies, gaps, etc.)
    • Help the Army influence the GIG IA Architecture Portfolio (GIAP) and other NII/NSA/DISA GIG initiatives

Bottom Line: Provide Army enterprise-level Information Assurance strategy direction
Slide 11: DoD / STRATCOM IA/CND Enterprise-Wide Solutions Steering Group (ESSG), DoD Mandated Requirements
  • Mission: Provide oversight, planning, and advocacy for IA/CND solutions. Assess IA/CND shortfalls and identify, validate, and implement viable and affordable enterprise-wide solutions
  • Tri-Chairs: DoD, STRATCOM, JTF-GNO
  • Members: Combatant Commands, Services, Agencies (CC/S/A)
  • Army Rep: Director, Office of Information Assurance Compliance
  • Tools in process: Insider Threat, Remote Forensics, Security Information Management (SIM), more
  • Acquired tools:
    • Scanning and Patch Management - Retina and Hercules
    • Wireless Discovery - Flying Squirrel (GOTS)
    • Host Based Security System (HBSS)

Slide 12: Enterprise Consolidation of IT Services, Army Area Processing Centers (APC)
  • Stop all access to desktops from outside LandWarNet
  • Applications and data positioned on the DOD high-speed backbone fiber network
  • Isolation of compromised servers and PCs
  • Global plug-n-play (units access via identical capabilities in each theater)
  • Designed to support the Warfighter
  • Manageable security - a protected Army LandWarNet with limited entry points to DISN (from 300 to approximately 12), which masses IA resources to address the threat
  • Automated IA policy verification and enforcement
  • Globalized standards for Army networks, workstations, servers, applications, and data
  • Enterprise DMZs for all public and private applications
  • Secure/reliable service, anywhere, anytime
  • Defense-in-depth from data center to end user

Army FY 05-07 investment: $96.9M
Slide 13: Perimeter Defense, From Intrusion Detection (IDS) to Intrusion Prevention Systems (IPS)
  • IPS actively and automatically respond to suspicious activities
  • Scan for intrusion signatures
  • Search for protocol anomalies
  • Detect commands not normally executed on the network
  • Are placed inline and will intercept all network traffic in real time
  • Detect attacks and intrusions more accurately and reliably, with fewer false positives

Army FY 05-07 investment: $37.8M
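An added illustration, not from the presentation, of the three detection methods the slide lists, applied inline to constructed traffic events; the signature list, the port roles, the command baseline and the sample events are all assumptions made for this example.

```python
"""Toy inline inspection applying the slide's three checks: signature scan,
protocol anomaly, and commands not normally seen on the network. Signatures,
port roles, the command baseline and the events are constructed assumptions."""
import re

# Assumed signature set (constructed): compiled pattern -> signature name
SIGNATURES = [(re.compile(rb"\.\./\.\./"), "directory-traversal")]
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}
# Assumed baseline: commands routinely typed in admin sessions on port 23
COMMAND_BASELINE = {"ls", "cd", "cat", "pwd"}

def check_signatures(dport, payload):
    """Signature scan: name of the first matching pattern, else None."""
    return next((name for pat, name in SIGNATURES if pat.search(payload)), None)

def check_protocol_anomaly(dport, payload):
    """Protocol anomaly: traffic on port 80 that is not an HTTP request line."""
    if dport != 80:
        return None
    parts = payload.split(b" ", 2)
    if len(parts) < 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
        return "non-http-on-80"
    return None

def check_unusual_command(dport, payload):
    """Unusual command: first token of an admin-session line not in the baseline."""
    tokens = payload.split()
    if dport != 23 or not tokens:
        return None
    cmd = tokens[0].decode(errors="replace")
    return None if cmd in COMMAND_BASELINE else f"unusual-command:{cmd}"

def inspect(event):
    """Inline verdict for one event: ('drop', reason) or ('forward', None)."""
    for check in (check_signatures, check_protocol_anomaly, check_unusual_command):
        reason = check(event["dport"], event["payload"])
        if reason:
            return "drop", reason
    return "forward", None

# Constructed sample events, not real captures
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"src": "10.0.0.6", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    {"src": "10.0.0.7", "dport": 80, "payload": b"\x16\x03\x01\x00\x2a"},  # TLS bytes on 80
    {"src": "10.0.0.8", "dport": 23, "payload": b"ls -la\r\n"},
    {"src": "10.0.0.9", "dport": 23, "payload": b"tftp -i 10.0.0.99 get tool.bin\r\n"},
]
```

Calling `inspect` on each of `SAMPLE_EVENTS` forwards the first and fourth events and drops the other three, each with the reason from the check that fired first.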
Slide 14: Active Directory Implementation
  • Enables NETCOM's mission to operate, manage and defend the LandWarNet by unifying control under the TNOSCs
  • Standardized Microsoft operating system integrating a common directory service
  • Centralizes IT support processes, simplifying network manageability and enabling net-centric enterprise objectives and operations
  • Protects installations and tactical information infrastructures from both internal and external cyber-based attacks and espionage activities
  • NIPRNet AD migration is 98% complete; the remaining un-approved forests jeopardize the security of the entire Enterprise

Army FY 05-07 investment: $43.8M
Slide 15: Army Golden Master
  • The authoritative source for Army-defined standard configurations for the office productivity computing environment
  • CIO G-6 Memo (August 2006)
  • Meets OMB's requirement for a single baseline
  • Leverages Army Enterprise Software Agreements and Enterprise Application Proponents to provide:
    • Baseline operating systems
    • Army Enterprise Desktop Application environments
    • DISA/NSA-based security configurations
    • Deployment support
    • Activation support (Vista)
    • Reduced enterprise costs

Army FY 05-07 investment: $162M
Slide 16: Information Assurance Vulnerability Management
Find, Fix, Report, and Verify Compliance!
  • Find: Scan tools - Harris STAT, eEye Retina
  • Fix: Remediation tools to push fixes/patches - McAfee Hercules, Microsoft SMS
  • Report: Rescan / send results to the Army Asset Vulnerability Tracking Resource (AVTR)
  • Verify: Army Compliance Verification Teams conduct random / directed inspections
Slide 17: Host Based Security System (HBSS)
  • Provides the first-ever DoD enterprise-wide integrated means to actively operate, manage, and defend all endpoint systems and networks by employing firewall, intrusion prevention, and other security modules on host workstations and servers
  • Employs one central management console for many tools/modules, controlled by a Common Management Agent (CMA)
  • Provides the ability for DoD/STRATCOM to implement Information Condition (INFOCON) policies and procedures

Slide 18: Data-at-Rest
  • Office of Management and Budget memorandum M-06-16, 23 June 2006, Subject: Protection of Sensitive Agency Information
  • Department of Defense Memorandum, 18 August 2006
  • DoDD Policy 8500.2, Information Assurance Implementation
  • Army Regulation AR 25-2, Information Assurance
  • Army Road Warrior Laptop Security BBP (Feb 2006)
  • CIO/G-6 Memo, 28 SEP 06, subj: Army Data-At-Rest (DAR) Protection Strategy
  • VCSA ALARACT, 271600Z Oct 06, subj: Army Data-At-Rest (DAR) Protection Strategy
  • Currently:
    • Mandates/policy are in place
    • Five tools are approved: 1) MS Encrypting File System, 2) Pointsec, 3) Credant, 4) Guardian Edge, 5) Mobile Armor
  • User-directed actions:
    • Immediately identify mobile devices
    • Categorize by mobile vs non-mobile
    • Label appropriately
    • Then - don't remove from the secure area unless protected
  • Future solution: Army acquisition

Slide 19: CAC Cryptographic Logon (CCL)
  • Supports Federal and DoD mandates
  • Rapidly eliminating the need for lengthy, complex passwords that are forgotten, lost or compromised
  • Over 94% of all the Army's computer users and system administrators have CCL-enabled accounts
  • Over 77% of the Army's workstations enforce CAC to authenticate

"CCL implementation across DoD has resulted in a 46% reduction in successful NIPRNet intrusions." - Lt Gen Charles Croom, Director, DISA and Commander, Joint Task Force-Global Network Operations, at the AFCEA SpaceComm 2007 Conference

Army FY 05-07 investment: $29.7M
Slide 20: DoD's Wireless Discovery Device, Flying Squirrel
  • Detects and segregates traffic signals produced by wireless devices
  • Employs passive detection to identify wireless stations or access points
  • Sensor data can be filtered, sorted, or searched to facilitate analysis of the legitimacy of a detected wireless device
  • Identify the physical location of the detected wireless device
  • Provide depictions of emitters' signal strength
  • Identify and isolate specific devices
  • Detect unauthorized or rogue access points
  • Account for all authorized/unauthorized wireless devices
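As an added example that is not part of the presentation or the tool, the following reconciles constructed passive-survey records against an assumed authorized-AP inventory to show the sort, locate, rogue-detect and account-for steps listed above; the inventory, sensor names, record layout and observations are assumptions, not Flying Squirrel's real export format.

```python
"""Reconcile passive wireless-survey records against an authorized AP inventory,
covering the filter/sort, locate, rogue-detect and account-for capabilities listed
above. The inventory, sensor names, record layout and observations are constructed
assumptions for this example, not the tool's real export format."""
from collections import Counter

# Assumed authorized inventory: BSSID -> SSID it is approved to broadcast
AUTHORIZED = {
    "00:11:22:aa:bb:01": "BLDG-100-OFFICE",
    "00:11:22:aa:bb:02": "BLDG-100-OFFICE",
}
# Constructed passive-sensor observations: (sensor, bssid, ssid, channel, rssi_dbm)
OBSERVATIONS = [
    ("sensor-north", "00:11:22:aa:bb:01", "BLDG-100-OFFICE", 6, -48),
    ("sensor-south", "00:11:22:aa:bb:01", "BLDG-100-OFFICE", 6, -71),
    ("sensor-south", "00:11:22:aa:bb:02", "BLDG-100-OFFICE", 11, -52),
    ("sensor-north", "de:ad:be:ef:00:01", "linksys", 1, -80),           # unknown AP
    ("sensor-south", "de:ad:be:ef:00:02", "BLDG-100-OFFICE", 6, -60),   # unknown AP using our SSID
]

def classify(bssid, ssid):
    """Legitimacy of one emitter according to the inventory."""
    if bssid in AUTHORIZED:
        return "authorized" if AUTHORIZED[bssid] == ssid else "authorized-wrong-ssid"
    return "rogue-spoofed-ssid" if ssid in AUTHORIZED.values() else "rogue"

def strongest_reading(observations):
    """Per BSSID, the sensor that heard it loudest: a first cut at physical location."""
    best = {}
    for sensor, bssid, _ssid, _ch, rssi in observations:
        if bssid not in best or rssi > best[bssid][1]:
            best[bssid] = (sensor, rssi)
    return best

def survey_report(observations):
    """Return (devices sorted strongest-first, count per legitimacy class)."""
    seen = {}
    for _sensor, bssid, ssid, ch, _rssi in observations:
        seen.setdefault(bssid, (ssid, ch))          # first observation wins
    nearest = strongest_reading(observations)
    devices = [
        {"bssid": b, "ssid": s, "channel": ch, "class": classify(b, s),
         "nearest_sensor": nearest[b][0], "rssi": nearest[b][1]}
        for b, (s, ch) in seen.items()
    ]
    devices.sort(key=lambda d: d["rssi"], reverse=True)   # strongest signal first
    return devices, dict(Counter(d["class"] for d in devices))
```

`survey_report(OBSERVATIONS)` accounts for two authorized APs, one plain rogue and one rogue broadcasting the authorized SSID, and names the sensor nearest each.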

Slide 21: Modernizing the Tactical Force, JNTC-S IA Architecture
Diagram of transport paths between the Unit Hub Node, UEx MAIN, UA Command Posts, USMC, and Battalion CPs: X-Band Satellite, Ku-Band Satellite (TDMA/IP, FDMA/IP CKT), EHF-Band Satellite (EHF via SMART-T), STEP/Teleport, X-Band via GMF, Terrestrial Circuits, LOS.
Other Comms available: UHF SATCOM, L-Band (BFT INMARSAT), SINCGARS, IRIDIUM, MBITR, GBS, CSS, Trojan Spirit, and HF.
Slide 22: Joint Network Node
Subscriber voice, video, and data services to medium-size force elements
Slide 23: Certification and Accreditation (C&A), DITSCAP to DIACAP
  • The Army, replacing the DITSCAP process for accrediting information systems, leads all Services in fielding DoD DIACAP
  • DIACAP is metric-based and concentrates on information that is much clearer and more efficient, resulting in significant time and cost savings
  • The DAA remains decentralized, but will be appointed by the CIO/G-6 at the General Officer/SES level upon nomination

Slide 24: Army Web Risk Analysis Cell (AWRAC)
ACTUAL BLOG STATED: "Yesterday, I received an email from a Captain who works for a team that scans the Internet for OPSEC security breaches telling me that one of the pictures I had posted was a potential OPSEC breach. I removed it because there was certainly the appearance of this risk." -- My Days at Division
Typical AWRAC finding: Pictures are a problem, since soldiers do not always look at what may be in the background.
AWRAC BLOG reviews, Jun 06 to Jun 07: 2,319 BLOG sites, 1,669,452 pages, 44 OPSEC violations
Slide 25: On Cyber Patrol
Information Assurance Awareness, On Cyber Patrol: always in the Top 10 of downloads from AKO
Slide 26: Integrating NetOps
Overarching effort: CIO/G6 500-day Campaign Plan to integrate the Strategic, Business, Warfighting, and Intel domains into a single Army NetOps management structure
To achieve (NetOps):
  • Assured Information Protection
  • Assured Network System Availability
  • Assured Information Delivery
Slide 27: HQDA IG IA Division
  • 3rd Qtr FY07
    • Staffing of the IA Compliance Checklist
    • Incorporate IA requirements into IG doctrine
  • 4th Qtr FY07
    • Collective training of Inspector General IA Teams
    • Coordinate regional assessment plan
    • Establish / co-chair the IA De-confliction WG
    • Coordinate staffing of the implementation memo to be signed by CSA or VCSA

Slide 28: HQDA IG IA Division
  • 1st Qtr FY08
    • Develop the IA Relational Database
    • Participate in the Joint IA Compliance WG
    • Establish / co-chair the IA Compliance Configuration Board
  • 2nd-4th Qtrs FY08
    • Complete 1st round of regional inspections (non-reportable)
    • Coordinate FY09 Compliance Inspection Calendar
  • FY09
    • Conduct IA Compliance Inspections (reportable)

Slide 29: Defending The GIG, How Are We Doing?
  • IA/CND implemented measures have:
    • Decreased successful attacks by 54% from 2004 to 2006
    • Forced intruders to change their tactics
    • Reduced successful compromises
    • Improved compliance and network discipline
    • Increased security as compared to the Internet

Slide 30: Questions?