National Academies Press: OpenBook

Information Assurance for Network-Centric Naval Forces (2010)

Chapter: Appendix D: Summary of Recent Naval Operations and Department of Defense Reports Related to Information Assurance

Suggested Citation:"Appendix D: Summary of Recent Naval Operations and Department of Defense Reports Related to Information Assurance." National Research Council. 2010. Information Assurance for Network-Centric Naval Forces. Washington, DC: The National Academies Press. doi: 10.17226/12609.

Appendix D
Summary of Recent Naval Operations and Department of Defense Reports Related to Information Assurance

The Committee on Information Assurance for Network-Centric Naval Forces was provided an overview briefing on a number of information assurance studies conducted for the Department of the Navy in recent years.1 Below is a summary of the most recent relevant reports.2

1 During the course of its study, the committee received (and discussed) materials that are exempt from release under 5 U.S.C. 552(b).

2 Adapted from information provided to the committee by Michael McBeth, Office of Naval Research Science Advisor, Naval Network Warfare Command, April 28, 2008, Norfolk, Va.

REPORTS PUBLISHED IN 2007

Overview of Data in NCDOC’s Prometheus Database

Authors: C.A. Davis and B. Behrens

Abstract: This document catalogs the data that the Navy Cyber Defense Operations Command (NCDOC) currently collects for use in intrusion detection and forensic analysis. The report provides background material for future reference. It documents the source of the data and how they are collected, processed, and ultimately stored in the NCDOC “Prometheus” database.

Operationalizing Information Assurance into Computer Network Defense

Authors: S.W. Young and C.A. Davis

Abstract: The Department of Defense defines the computer network defense (CND) mission as “actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks.” In support of this mission, the Naval Network Warfare Command (NETWARCOM) has drafted a CND concept of operations (CONOPS). The CONOPS lays out a six-step process for CND. As the Navy’s CND service provider, the Navy Cyber Defense Operations Command (NCDOC) implements the CND process on Navy-owned networks through its own operational processes and supporting technologies.

Security Information Management for Enclave Networks

Author: R. McQuaid

Abstract: The Air Force enterprise contains networks that are bandwidth-limited, intermittently attached, and/or internally constrained enclaves. These constrained network environments will not support commercial security information management (SIM) feeds and sensors. Recent threat activities have highlighted the need for an information assurance solution that provides consistent SIM-centric monitoring for these enclave networks. This research will improve current SIM deployments within the Air Force by addressing limitations in commercial products. It will influence commercial SIM vendors and the Air Force SIM strategy. By providing IA monitoring to networks that cannot benefit from a centralized SIM, this research will extend the power of SIM technology to the edge of the Air Force enterprise.

Malware Phylogenetics

Authors: P. Chase and D. Beck

Abstract: The nature of malware threats has evolved from widespread outbreaks for the sake of notoriety to large numbers of targeted attacks motivated by economic gain. In this environment it is critical for end users, researchers, investigators, and security tool vendors to have a better understanding of the relationships between malware families and variants in order to improve detection, protection, and response. Understanding the evolutionary relationships between malware threats may provide improved prediction and protection for end users. It may suggest attribution leads and facilitate the reuse of previous analyses by malware analysts and criminal investigators. It could provide a more rigorous basis for naming malware by security vendors, thereby reducing confusion during malware outbreaks and promoting correlation across security tools.

Cross-Boundary Information Sharing

Author: L. Notargiacomo

Abstract: The CIIS Cross Boundary Information Sharing (XBIS) Initiative is a coordinated set of activities at the MITRE Corporation to address critical information-sharing problems facing the intelligence community, the Department of Defense, and other MITRE sponsors. This initiative currently focuses on developing an integrated technical laboratory that defines and implements key scenarios that illustrate enablers for and impediments to effective information sharing. The XBIS Laboratory integrates different technologies that enhance information sharing across organizational and classification security boundaries. To demonstrate the capabilities of these technologies, the laboratory provides the ability to simulate many domains and to share information among them. The laboratory architecture supports both integrated scenarios and stand-alone demonstrations, and allows the facility to showcase solutions available today and in the near future.

Navy/OSD Collaborative Review of Acquisition Policy for DoD C3I and Weapons Programs

Authors: D. Gonzales, E. Landree, J. Hollywood, S. Berner, and C. Wong

Abstract: This briefing reviews current U.S. Department of Defense (DOD) policy for ensuring interoperability and information assurance of command, control, communication, intelligence (C3I) and weapons systems. DOD interoperability, information assurance, acquisition, and joint requirement policy are reviewed. This review identifies ambiguities, conflicts, overlaps, and shortfalls in DOD policy and recommends solutions for clarifying policy and remedying other shortcomings. The authors find that interoperability-related policy issuance has sharply increased in recent years and that it includes conflicts and redundancies. They also find that Global Information Grid (GIG) technical guidance is still evolving because of continuing advances and change in networking and software technologies. The authors recommend reducing the number of policies and increasing their actionability and traceability. They also recommend that technology risk levels be developed for GIG functional areas, that these be used to track GIG programs during development, and that network-centric implementation documents more carefully define the capabilities for core GIG enterprise services and specify the technical standards with which GIG programs will have to comply for interoperability.

REPORTS PUBLISHED IN 2006

Alarm Types and Sensor Placement: Effects on Computer Network Defense Operations

Author: S.W. Young

Abstract: In the near future, real-time computer network defense (CND) will be an integral part of military operations. Because the Navy is relying more and more on information technology to move large amounts of data quickly, it must protect that information from compromise, especially when confronting near-peer competitors with known information operations capabilities. To maintain the confidentiality of plans and operations, the Navy needs a real-time intrusion-detection capability to prevent ongoing attacks from exfiltrating sensitive information such as plans and logistics or denying the use of critical information assets. Today, however, most CND in the Navy is on a non-real-time basis.

A Guide for Assessing Navy Enterprise Information Technology

Authors: J.C. Fauntleroy, L.H. Beard, D.A. Birchler, and L.L. Harle

Abstract: Increasingly, within the vision of network-centric warfare, enterprise networks and capabilities are key to the Navy’s achievement of greater coordination and efficiencies in warfare and business functions. To achieve these information technology (IT) and network-related capabilities and efficiencies, expanding enterprise IT (EIT) capabilities must serve the greater needs of the Navy. They must be affordable, given the Navy’s many other funding concerns, and adaptable, given the rapid development of new technologies and the many uses for them. The evaluation and assessment of IT and EIT are particularly challenging because of the well-known difficulty in properly estimating return on investment, which lies in the functional mission lanes. From an EIT assessment perspective, there is a lack of visibility into those lanes. The challenge and responsibility to assess EIT investments in the Navy lie with the Assistant Chief of Naval Operations, Information Technology (ACNO-IT), a relatively new organization established to better manage EIT assets and their development. Much of what constitutes EIT in the Navy still resides within the domain of functional area managers, but with the establishment of the ACNO-IT the Navy is seeing a shift in responsibility for enterprise-wide capabilities and their resourcing.

Detecting Malicious Insiders in Military Networks

Author: M. Maybury

Abstract: Given that a network is only as strong as its weakest link, a key vulnerability to network-centric warfare is the threat from within. This paper summarizes several recent efforts of the MITRE Corporation focused on characterizing and automatically detecting malicious insiders (MIs) within modern information systems. Malicious insiders adversely impact an organization’s mission through a range of actions that compromise information confidentiality, integrity, and/or availability. Their strong organizational knowledge, varying range of abusive behaviors, and ability to exploit legitimate access make their detection particularly challenging. Crucial balances must be struck while performing MI detection. Detection accuracy must be weighed against minimizing time to detect, and aggregating diverse audit data must be balanced against the need to protect the data from abuse. Key lessons learned from MITRE’s MI research include the need to understand the context of the user’s actions, the need to establish models of normal behavior, the need to reduce the time to detect malicious behavior, the value of non-cyber-observables, and the importance of real-world data collections to evaluate potential solutions.

Using Honeyclients for Detection and Response Against New Attacks

Author: K. Wang

Abstract: Exploits targeting vulnerabilities in client-side applications are a growing threat on today’s Internet. Commonly deployed detection technologies such as honeypots and intrusion-detection systems are useful for detecting server-side attacks but are not effective at detecting client-side attacks. At present there is no proactive client-side attack detection technology. Those using honeyclient technology will gain the capability to proactively detect client exploits in the wild. This project will develop a baseline honeyclient capability and document the ongoing costs of running a honeyclient installation so that informed decisions can be made about how best to apply honeyclient technologies as part of security awareness strategies.

Graph-Based Worm Detection on Operational Enterprise Networks

Authors: D. Ellis, J. Aiken, A. McLeod, D. Keppler, and P. Amman

Abstract: The most significant open challenge to the worm defense community is to develop a sensitive detection method that can detect new worms in real time with a tolerable false-alarm rate. This paper presents a graph-based detection system and validates it on operational enterprise network data. The authors argue that the result is significantly closer to solving this challenge than other published works.

The authors show that a graph-based approach to worm detection in an enterprise network can detect a broad range of active worms with a false-alarm rate of less than two times per day. The supporting analysis comes from running the detection algorithm on a real enterprise network. The sensitivity results are significantly better than what is reported in the literature. The authors can detect all active, fast-spreading unimodal worms, including hit-list, topological, subnet-scanning, and meta-server worms.

REPORTS PUBLISHED IN 2005

Information Technology (IT) Defense, Exploitation, and Attack Study: Identifying Key Maritime IT Domain Technologies for Information Warfare

Authors: S.C. Karppi and H. Elitzur

Abstract: At the request of the Office of the Chief of Naval Operations N702, the Center for Naval Analyses (CNA) conducted a study to identify key potential future U.S. Navy and adversary sea-based/littoral information technologies that, if exploited or attacked, could appreciably alter the Navy’s ability to accomplish its Sea Power 21 (SP-21) missions in certain scenarios of interest. The authors refer to those consequential U.S. Navy and adversary technologies as the maritime information technology domain for information operations (IO). Those technologies are ones for which the Navy should build and maintain IO expertise to effectively carry out its SP-21 missions.

Toward More Meaningful Metrics for Computer Network Defense

Authors: D.P. Shea and S.W. Young

Abstract: Developing and implementing a set of practical and informative metrics for computer network defense (CND) pose significant challenges. A computer network, with its associated servers, routers, intrusion detection systems (IDSs), firewalls, and so on, generates volumes of data on a daily basis, much of which might be used to form metrics. Likewise, the results of red-team assessments and exercises, and surveys of compliance with Department of Defense CND policies, provide additional inputs. The challenges are deciding what decisions can be informed by metrics, selecting the set of variables to track, deciding how to collect and process the data, and finally interpreting the metric outputs and converting these into actionable steps that can head off a network attack or close a security technology gap.

Threats to the GIG and Some Initial Thoughts on Network Security

Authors: A. Hjelmfelt and A.R. Baldwin

Abstract: This document reviews potential threats against Navy information systems, current reports on computer and network incidents, and the types of information assurance practices needed to lessen the risks.

Navy Investments in Computer Network Defense: The Essential Components

Author: S.W. Young

Abstract: The Office of the Chief of Naval Operations N71 asked the Center for Naval Analyses (CNA) to help support the development of an investment strategy for computer network defense (CND). CND is one component of the Information Systems Security Program (ISSP), which is managed by Program Executive Office for Command, Control, Communications, Computers and Intelligence & Space/PMW 160IA and resource sponsored by OPNAV N71. This annotated brief presents some top-level recommendations for technology investments and the associated training programs and policy needed to support a comprehensive CND strategy. In examining technologies, the author uses both the effectiveness and the maturity level of the technologies as a gauge to determine which ones will be successful at performing the intended mission. Here, “maturity” refers to the experience level of the security community at large in understanding and applying the emerging technologies. “Effectiveness” is assessed by how well the technologies perform their designed tasks. One of the author’s fundamental assumptions in performing this analysis is that Internet Protocol version 6 (IPv6) and Internet Protocol Security (IPSec) will be implemented by the Department of Defense as currently planned. The rollout is scheduled to begin in fiscal year 2008. The briefer’s recommendations for security technologies are in line with these evolving capabilities.

REPORT PUBLISHED IN 2004

Engaging the Board: Corporate Governance and Information Assurance

Authors: A. Anhal, S. Daman, K. O’Brien, and A. Rathmell

Abstract: This report, prepared for and funded by the Information Assurance Advisory Council, analyzes the relationship between corporate governance and information assurance. The study examines the ways in which information assurance can be embedded into corporate risk management processes in the changing corporate governance environment. Corporate governance now calls for the effective management of risks, but board-level awareness is not yet being translated into effective controls. This study outlines the ways in which information assurance can be embedded into corporate risk management practices and how companies can be incentivized to adopt good practices.

REPORT PUBLISHED IN 2003

The Vulnerability and Assessment Mitigation Methodology

Authors: P. Anton, R. Anderson, R. Mesic, and M. Scheiern

Abstract: Understanding an organization’s reliance on information systems and how to mitigate the vulnerabilities of these systems can be an intimidating challenge—especially when considering less-well-known weaknesses or even unknown vulnerabilities that have not yet been exploited. Understanding the risks posed by new kinds of information security threats, the authors build on previous RAND mitigation techniques by introducing the Vulnerability Assessment and Mitigation (VAM) methodology. The six-step procedure uses a top-down approach to protect against future threats and system failures while mitigating current and past threats and weaknesses. The authors lead evaluators through the procedure of classifying vulnerabilities in their systems’ physical, cyber, human/social, and infrastructure elements, and of identifying which security techniques can be relevant for these vulnerabilities. The authors also use VAM to break down information compromises into five fundamental components of attack or failure: knowledge, access, target vulnerability, nonretribution, and assessment. In addition, a new automated tool implemented as an Excel spreadsheet is discussed; this tool greatly simplifies using the methodology and emphasizes analysis on cautions, risks, and barriers.

Owing to the expansion of network-centric operating concepts across the Department of Defense (DOD) and the growing threat to information and cybersecurity from lone actors, groups of like-minded actors, nation-states, and malicious insiders, information assurance is an area of significant and growing importance and concern. Because of the forward positioning of both the Navy's afloat and the Marine Corps expeditionary forces, IA issues for naval forces are exacerbated, and are tightly linked to operational success. Broad-based IA success is viewed by the NRC's Committee on Information Assurance for Network-Centric Naval Forces as providing a central underpinning to the DOD's network-centric operational concept and the Department of the Navy's (DON's) FORCEnet operational vision. Accordingly, this report provides a view and analysis of information assurance in the context of naval 'mission assurance'.