Appendix D
Summary of Recent Naval Operations and Department of Defense Reports Related to Information Assurance

The Committee on Information Assurance for Network-Centric Naval Forces was provided an overview briefing on a number of information assurance studies conducted for the Department of the Navy in recent years.1 Below is a summary of the most recent relevant reports.2

REPORTS PUBLISHED IN 2007

Overview of Data in NCDOC’s Prometheus Database

Authors: C.A. Davis and B. Behrens

Abstract: This document catalogs the data that the Navy Cyber Defense Operations Command (NCDOC) currently collects for use in intrusion detection and forensic analysis. The report provides background material for future reference. It documents the source of the data and how they are collected, processed, and ultimately stored in the NCDOC “Prometheus” database.

Operationalizing Information Assurance into Computer Network Defense

Authors: S.W. Young and C.A. Davis

Abstract: The Department of Defense defines the computer network defense (CND) mission as “actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks.” In support of this mission, the Naval Network Warfare Command (NETWARCOM) has drafted a CND concept of operations (CONOPS). The CONOPS lays out a six-step process for CND. As the Navy’s CND service provider, the Navy Cyber Defense Operations Command (NCDOC) implements the CND process on Navy-owned networks through its own operational processes and supporting technologies.

Security Information Management for Enclave Networks

Author: R. Mcquaid

Abstract: The Air Force enterprise contains networks that are bandwidth-limited, intermittently attached, and/or internally constrained enclaves. These constrained network environments will not support commercial security information management (SIM) feeds and sensors. Recent threat activities have highlighted the need for an information assurance solution that provides consistent SIM-centric monitoring for these enclave networks. This research will improve current SIM deployments within the Air Force by addressing limitations in commercial products. It will influence commercial SIM vendors and the Air Force SIM strategy. By providing IA monitoring to networks that cannot benefit from a centralized SIM, this research will extend the power of SIM technology to the edge of the Air Force enterprise.

Malware Phylogenetics

Authors: P. Chase and D. Beck

Abstract: The nature of malware threats has evolved from widespread outbreaks for the sake of notoriety to large numbers of targeted attacks motivated by economic gain. In this environment it is critical for end users, researchers, investigators, and security tool vendors to have a better understanding of the relationships between malware families and variants in order to improve detection, protection, and response. Understanding the evolutionary relationships between malware threats may provide improved prediction and protection for end users. It may suggest attribution leads and facilitate the reuse of previous analyses by malware analysts and criminal investigators. It could provide a more rigorous basis for naming malware by security vendors, thereby reducing confusion during malware outbreaks and promoting correlation across security tools.

Cross-Boundary Information Sharing

Author: L. Notargiacomo

Abstract: The CIIS Cross Boundary Information Sharing (XBIS) Initiative is a coordinated set of activities at the MITRE Corporation to address critical information-sharing problems facing the intelligence community, the Department of Defense, and other MITRE sponsors. This initiative currently focuses on developing an integrated technical laboratory that defines and implements key scenarios that illustrate enablers for and impediments to effective information sharing. The XBIS Laboratory integrates different technologies that enhance information sharing across organizational and classification security boundaries. To demonstrate the capabilities of these technologies, the laboratory provides the ability to simulate many domains and to share information among them. The laboratory architecture supports both integrated scenarios and stand-alone demonstrations, and allows the facility to showcase solutions available today and in the near future.

Navy/OSD Collaborative Review of Acquisition Policy for DoD C3I and Weapons Programs

Authors: D. Gonzales, E. Landree, J. Hollywood, S. Berner, and C. Wong

Abstract: This briefing reviews current U.S. Department of Defense (DOD) policy for ensuring interoperability and information assurance of command, control, communication, intelligence (C3I) and weapons systems. DOD interoperability, information assurance, acquisition, and joint requirement policy are reviewed. This review identifies ambiguities, conflicts, overlaps, and shortfalls in DOD policy and recommends solutions for clarifying policy and remedying other shortcomings. The authors find that interoperability-related policy issuance has sharply increased in recent years and that it includes conflicts and redundancies. They also find that Global Information Grid (GIG) technical guidance is still evolving because of continuing advances and change in networking and software technologies. The authors recommend reducing the number of policies and increasing their actionability and traceability. They also recommend that technology risk levels be developed for GIG functional areas, that these be used to track GIG programs during development, and that network-centric implementation documents more carefully define the capabilities for core GIG enterprise services and specify the technical standards with which GIG programs will have to comply for interoperability.

REPORTS PUBLISHED IN 2006

Alarm Types and Sensor Placement: Effects on Computer Network Defense Operations

Author: S.W. Young

Abstract: In the near future, real-time computer network defense (CND) will be an integral part of military operations. Because the Navy is relying more and more on information technology to move large amounts of data quickly, it must protect that information from compromise, especially when confronting near-peer competitors with known information operations capabilities. To maintain the confidentiality of plans and operations, the Navy needs a real-time intrusion-detection capability to prevent ongoing attacks from exfiltrating sensitive information such as plans and logistics or denying the use of critical information assets. Today, however, most CND in the Navy is on a non-real-time basis.

A Guide for Assessing Navy Enterprise Information Technology

Authors: J.C. Fauntleroy, L.H. Beard, D.A. Birchler, and L.L. Harle

Abstract: Increasingly, within the vision of network-centric warfare, enterprise networks and capabilities are key to the Navy’s achievement of greater coordination and efficiencies in warfare and business functions. To achieve these information technology (IT) and network-related capabilities and efficiencies, expanding enterprise IT (EIT) capabilities must serve the greater needs of the Navy. They must be affordable, given the Navy’s many other funding concerns, and adaptable, given the rapid development of new technologies and the many uses for them. The evaluation and assessment of IT and EIT are particularly challenging because of the well-known difficulty in properly estimating return on investment, which lies in the functional mission lanes. From an EIT assessment perspective, there is a lack of visibility into those lanes. The challenge and responsibility to assess EIT investments in the Navy lie with the Assistant Chief of Naval Operations, Information Technology (ACNO-IT), a relatively new organization established to better manage EIT assets and their development. Much of what constitutes EIT in the Navy still resides within the domain of functional area managers, but with the establishment of the ACNO-IT the Navy is seeing a shift in responsibility for enterprise-wide capabilities and their resourcing.

Detecting Malicious Insiders in Military Networks

Author: M. Maybury

Abstract: Given that a network is only as strong as its weakest link, a key vulnerability to network-centric warfare is the threat from within. This paper summarizes several recent efforts of the MITRE Corporation focused on characterizing and automatically detecting malicious insiders (MIs) within modern information systems. Malicious insiders adversely impact an organization’s mission through a range of actions that compromise information confidentiality, integrity, and/or availability. Their strong organizational knowledge, varying range of abusive behaviors, and ability to exploit legitimate access make their detection particularly challenging. Crucial balances must be struck while performing MI detection. Detection accuracy must be weighed against minimizing time to detect, and aggregating diverse audit data must be balanced against the need to protect the data from abuse. Key lessons learned from MITRE’s MI research include the need to understand the context of the user’s actions, the need to establish models of normal behavior, the need to reduce the time to detect malicious behavior, the value of non-cyber-observables, and the importance of real-world data collections to evaluate potential solutions.

Using Honeyclients for Detection and Response Against New Attacks

Author: K. Wang

Abstract: Exploits targeting vulnerabilities in client-side applications are a growing threat on today’s Internet. Commonly deployed detection technologies such as honeypots and intrusion-detection systems are useful for detecting server-side attacks but are not effective at detecting client-side attacks. At present there is no proactive client-side attack detection technology. Those using honeyclient technology will gain the capability to proactively detect client exploits in the wild. This project will develop a baseline honeyclient capability and document the ongoing costs of running a honeyclient installation so that informed decisions can be made about how best to apply honeyclient technologies as part of security awareness strategies.

Graph-Based Worm Detection on Operational Enterprise Networks

Authors: D. Ellis, J. Aiken, A. McLeod, D. Keppler, and P. Amman

Abstract: The most significant open challenge to the worm defense community is to develop a sensitive detection method that can detect new worms in real time with a tolerable false-alarm rate. This paper presents a graph-based detection system and validates it on operational enterprise network data. The authors argue that the result is significantly closer to solving this challenge than other published works. The authors show that a graph-based approach to worm detection in an enterprise network can detect a broad range of active worms with a false-alarm rate of less than two times per day. The supporting analysis comes from running the detection algorithm on a real enterprise network. The sensitivity results are significantly better than what is reported in the literature. The authors can detect all active, fast-spreading unimodal worms, including hit-list, topological, subnet-scanning, and meta-server worms.

REPORTS PUBLISHED IN 2005

Information Technology (IT) Defense, Exploitation, and Attack Study: Identifying Key Maritime IT Domain Technologies for Information Warfare

Authors: S.C. Karppi and H. Elitzur

Abstract: At the request of the Office of the Chief of Naval Operations N702, the Center for Naval Analyses (CNA) conducted a study to identify key potential future U.S. Navy and adversary sea-based/littoral information technologies that, if exploited or attacked, could appreciably alter the Navy’s ability to accomplish its Sea Power 21 (SP-21) missions in certain scenarios of interest. The authors refer to those consequential U.S. Navy and adversary technologies as the maritime information technology domain for information operations (IO). Those technologies are ones for which the Navy should build and maintain IO expertise to effectively carry out its SP-21 missions.

Toward More Meaningful Metrics for Computer Network Defense

Authors: D.P. Shea and S.W. Young

Abstract: Developing and implementing a set of practical and informative metrics for computer network defense (CND) pose significant challenges. A computer network, with the associated servers, routers, intrusion detection systems (IDSs), firewalls, and so on, generates volumes of data on a daily basis, much of which might be used to form metrics. Likewise, the results of red-team assessments and exercises, and surveys of compliance with Department of Defense CND policies, provide additional inputs. The challenges are deciding what decisions can be informed by metrics, selecting the set of variables to track, deciding how to collect and process the data, and finally interpreting the metric outputs and converting these into actionable steps that can head off a network attack or close a security technology gap.

Threats to the GIG and Some Initial Thoughts on Network Security

Authors: A. Hjelmfelt and A.R. Baldwin

Abstract: This document reviews potential threats against Navy information systems, current reports on computer and network incidents, and the types of information assurance practices needed to lessen the risks.

Navy Investments in Computer Network Defense: The Essential Components

Author: S.W. Young

Abstract: The Office of the Chief of Naval Operations N71 asked the Center for Naval Analyses (CNA) to help support the development of an investment strategy for computer network defense (CND). CND is one component of the Information Systems Security Program (ISSP), which is managed by the Program Executive Office for Command, Control, Communications, Computers and Intelligence & Space/PMW 160IA and resource sponsored by OPNAV N71. This annotated brief presents some top-level recommendations for technology investments and the associated training programs and policy needed to support a comprehensive CND strategy. In examining technologies, the author uses both the effectiveness and the maturity level of the technologies as a gauge to determine which ones will be successful at performing the intended mission. Here, “maturity” refers to the experience level of the security community at large in understanding and applying the emerging technologies. “Effectiveness” is assessed by how well the technologies perform their designed tasks. One of the author’s fundamental assumptions in performing this analysis is that Internet Protocol version 6 (IPv6) and Internet Protocol Security (IPSec) will be implemented by the Department of Defense as currently planned. The rollout is scheduled to begin in fiscal year 2008. The briefer’s recommendations for security technologies are in line with these evolving capabilities.

REPORT PUBLISHED IN 2004

Engaging the Board: Corporate Governance and Information Assurance

Authors: A. Anhal, S. Daman, K. O’Brien, and A. Rathmell

Abstract: This report, prepared for and funded by the Information Assurance Advisory Council, analyzes the relationship between corporate governance and information assurance. The study examines the ways in which information assurance can be embedded into corporate risk management processes in the changing corporate governance environment. Corporate governance now calls for the effective management of risks, but board-level awareness is not yet being translated into effective controls. This study outlines the ways in which information assurance can be embedded into corporate risk management practices and how companies can be incentivized to adopt good practices.

REPORT PUBLISHED IN 2003

The Vulnerability and Assessment Mitigation Methodology

Authors: P. Anton, R. Anderson, R. Mesic, and M. Scheiern

Abstract: Understanding an organization’s reliance on information systems and how to mitigate the vulnerabilities of these systems can be an intimidating challenge—especially when considering less-well-known weaknesses or even unknown vulnerabilities that have not yet been exploited. Understanding the risks posed by new kinds of information security threats, the authors build on previous RAND mitigation techniques by introducing the Vulnerability Assessment and Mitigation (VAM) methodology. The six-step procedure uses a top-down approach to protect against future threats and system failures while mitigating current and past threats and weaknesses. The authors lead evaluators through the procedure of classifying vulnerabilities in their systems’ physical, cyber, human/social, and infrastructure elements, and of identifying which security techniques can be relevant for these vulnerabilities. The authors also use VAM to break down information compromises into five fundamental components of attack or failure: knowledge, access, target vulnerability, nonretribution, and assessment. In addition, a new automated tool implemented as an Excel spreadsheet is discussed; this tool greatly simplifies using the methodology and emphasizes analysis on cautions, risks, and barriers.

1 During the course of its study, the committee received (and discussed) materials that are exempt from release under 5 U.S.C. 552(b).

2 Adapted from information provided to the committee by Michael McBeth, Office of Naval Research Science Advisor, Naval Network Warfare Command, April 28, 2008, Norfolk, Va.

INFORMATION ASSURANCE FOR NETWORK-CENTRIC NAVAL FORCES
Copyright © National Academy of Sciences. All rights reserved.