IAnewsletter Vol 14 No 4 (14/4)
The Newsletter for Information Assurance Technology Professionals
Security Automation: Addressing Operational Problems
[…] (DoD) sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), and Assistant Secretary of Defense for Research & Engineering ASD(R&E). Contents of the IAnewsletter are not necessarily the official views of or endorsed by the US Government, DoD, DTIC, or ASD(R&E). The mention of commercial products does not imply endorsement by DoD or ASD(R&E).

Inquiries about IATAC capabilities, products, and services may be addressed to—
IATAC Director: Gene Tyler
Inquiry Services: Yida Li

If you are interested in contacting an author directly, please e-mail us at iatac@dtic.mil.

IAnewsletter Staff
Chief Editor: Gene Tyler
Assistant Editor: Kristin Evans
Art Director: Tammy Black
Copy Editor: Alexandra Sveum
Editorial Board: Al Arnold, Angela Orebaugh, Dr. Ronald Ritchey
Designers: Tammy Black, Michelle Deprenger, Lacey Olivares

IAnewsletter Article Submissions
To submit your articles, notices, programs, or ideas for future issues, please visit http://iac.dtic.mil/iatac/IA_newsletter.html and download an “Article Instructions” packet.

IAnewsletter Address Changes/Additions/Deletions
To change, add, or delete your mailing or e-mail address (soft-copy receipt), please contact us at—
IATAC
Attn: Peggy O’Connor
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
E-mail: iatac@dtic.mil
URL: http://iac.dtic.mil/iatac

Deadlines for Future Issues
Spring 2012: Jan 27, 2012

Cover design: Tammy Black
Newsletter design: Donald Rowe

Distribution Statement A: Approved for public release; distribution is unlimited.

Contents

Security automation can harmonize vast amounts of data.

4  An Introduction to Security Automation
   Configuration complexity imposes a heavy burden on both regular users and experienced information technology (IT) administrators.

7  On Providing Risk Detail Metrics Using Open Security Automation, Protocols, and Standards
   This article describes the findings to support an enterprise-wide, standards-based, tool-agnostic information system risk awareness capability.

8  Enabling Distributed Security in Cyberspace
   The Department of Homeland Security (DHS) has the lead for the federal government to secure federal civilian executive branch computer systems.

11 Applying Security Automation: Extending SCAP to Deliver the Trusted Cloud
   This article will show how monitoring and software reference measurements are critical ingredients for delivering the trusted cloud.

13 SCAPVal: Validating Specification Conformance
   SCAPVal is a command-line Java application that is freely available.

20 Overcoming the Devil through Technology Standards
   United States Cyber Command has made major strides in defending, securing and improving the operations of Defense networks. This article highlights one example of how technology standards enabled a customer.

24 Under Constant Attack
   A recent survey confirmed that organizations of all sizes, from all sectors are vulnerable to cyber attacks.

26 Commercial Sector Perspectives and Contributions
   Many companies and key players across the commercial sector have played a part in the advancement of security automation.

33 Subject Matter Expert
   The SME profiled in this article is Ehab S. Al-Shaer at the University of North Carolina at Charlotte (UNCC).

37 IATAC Spotlight on a University
   The University of North Carolina at Charlotte (UNCC) is a research intensive university.

40 Ask the Expert
   Information security practitioners recognize the importance of personnel screening.

42 Evaluating the Benefits of Network Security Systems
   Network security has clearly become a key issue for all organizations in the face of a variety of cyber attacks.

In every issue
3  IATAC Chat
18 Letter to the Editor
19 DoDTechipedia Happenings
47 Products Order Form
48 Calendar
An Introduction to
Security Automation
by MG David B. Lacquement, Tony Sager, and Paul Bartock
[…] Charlotte, NC. UNCC offers 92 Bachelor’s, 59 Master’s, and 19 Doctoral degree programs to over 25,000 students. [1] The College of Computing and Informatics, one of seven colleges at UNCC, includes the Computer Science, Software and Information Systems, and Bioinformatics and Genomics departments. The Software and Information Systems Department is responsible for information technology (IT) research and education, emphasizing designing and deploying IT infrastructures that deliver integrated, secure, reliable, and easy-to-use services. The National Security Agency recognizes the department’s Information Security and Privacy program as a National Center of Academic Excellence in Information Assurance Education. Students earn a certificate from the Information Security and Privacy program that requires 12 hours of course work in one of the following topics—
- Information Security and Privacy
- Vulnerability Assessment and System Assurance
- Computer Forensics
- Access Control and Security Architecture
- Information Infrastructure Protection
- Applied Cryptography
- Information Technology: Ethics, Policy, and Security
- Network-based Application Development
- Computer Communication Networks
- Network Security
- IT Internship Project
- Software Testing and Quality Assurance
- Software Assurance. [2]

Through the Federal Cyber Corps Scholarship for Service, UNCC also offers the Carolina Cyber Defender Scholarship Program, which provides up to 2 years tuition, fees, books, and salary for students seeking a degree in information assurance. The scholarship is in exchange for a match of 1-to-1 years of employment in an information assurance position at a government agency or laboratory after graduation. [3] Since 2001, the Carolina Cyber Defender Scholarship Program has provided approximately 100 full scholarships.

The Software and Information Systems Department also houses the Cyber Defense and Network Assurability (CyberDNA) Center. “The CyberDNA offers a unique environment to facilitate joint research and development programs (consortia, seminars, and workshops) with the industry, financial institutions, utility service providers, and government agencies. The main objective of CyberDNA is to enable assurable and usable security and privacy for a smart, open society by making cyber defense provable, enforceable, measurable, and automated. CyberDNA has a unique vision and approach among other national centers including promoting automated analytics and synthesis of designing, configuration, and evaluation of mission-oriented security systems; offering leap-ahead research by integrating multidisciplinary research from security, networking, reliability, risk management, economical, behavioral, and physical world communities; and developing deployable tools to facilitate technology transfer and workforce education and preparation.” CyberDNA is led by Dr. Ehab Al-Shaer and includes faculty from different colleges and external collaborators who cover a wide range of security expertise. [4]

References
1. http://publicrelations.uncc.edu/information-media-kit
2. http://sis.uncc.edu/?q=content/certificate-information-security-and-privacy
3. http://cci.uncc.edu/?q=news/carolinas-cyber-defender-scholarship-0
4. http://www.arc.uncc.edu/
The Department of Homeland Security (DHS) has the lead for the federal government to secure federal civilian executive branch computer systems, to work with industry to defend privately-owned and -operated critical infrastructure, and to work with state, local, tribal, and territorial governments to secure their information systems. In March 2011, DHS published a white paper that explores the idea of a future cyber ecosystem in which cyber devices collaborate in near-real time in their own defense. [1] The cyber ecosystem is global and includes U.S. government and private sector information infrastructure; the full variety of interacting persons, processes, information, and communications technologies; and the conditions that influence their cybersecurity. In this future, devices are able to anticipate and prevent attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.

To realize this future, security capabilities must be built into cyber devices in a way that allows preventive and defensive courses of action to be coordinated among communities of devices. Near-real time coordination would be enabled by combining the innate capabilities of individual devices with trusted information exchanges and shared, configurable policies.

The white paper suggests three interdependent building blocks are needed for distributed security—
- Authentication—Enable a network to know if it can trust a request to connect;
- Automation—Enable immediate response to intrusions and anomalies; and
- Interoperability—Enable standards-based devices to share information.

Properly combining these three building blocks would permit automated collective action in response to malicious activity, including financial fraud, identity theft, and advanced persistent threats that exploit access to intellectual property and sensitive information.

Identified by the Quadrennial Homeland Security Review last year, safeguarding and securing cyberspace is one of DHS’s five core missions. [2] The white paper lays out part of DHS’s vision for carrying out this mission, which we believe requires the creation of a fundamentally safer and more secure cyber environment. To do this, we must change the way people and devices work together.

The Current Cyber Ecosystem
Security capabilities are naturally distributed in cyberspace, and substantial expertise resides in the private sector and at all levels of government. In general, these security capabilities operate independently. Security products, such as vulnerability scanners, intrusion detection systems, and anti-virus software, do not exchange data and have inconsistent security policies. Competing manufacturers develop this technology and have little incentive to share information or enable a coordinated response. The result is an environment where security products protect a single community, a single user, or even a single aspect of a single user’s experience. Mutual defense is almost by accident.

A Future Cyber Ecosystem
To create a safe, secure, and resilient cyberspace, we must leverage the expertise that exists across the enterprise and use the distributed nature of cyberspace in its own protection. There is no prospect that an external boundary defense can do the job. Instead, standards-based products and services can be used to strengthen local and individual capabilities and unite those capabilities in collective actions to realize shared security interests.

There are potentially many benefits to automated collective action. If cyber devices communicated in near-real time with each other about incidents and […]
The Security Content Automation Protocol (SCAP) is actually designed to provide interoperability between tools to measure the integrity of a system’s secure configuration over time. The SCAP framework enables tools to measure the combination of: 1) a system’s compliance with a standard secure configuration, and 2) the known vulnerabilities detected in the system.

[…] new assessment compares the then-current system configuration and detected vulnerabilities against the original security baseline. This highlights any changes or deviations, which could be considered indications that the integrity of the system’s security posture has diminished—or, in very rare cases, increased—over time.

[…] accredited validation process to become an official SCAP Validated product. SCAP is one concrete example of a set of specifications based on a standardized format that have been implemented to help quantify the integrity of a system or solution.
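The comparison the passage describes, a later assessment diffed against the original baseline to expose configuration regressions and newly detected vulnerabilities, written out as an added example (not code from the article or from any SCAP tool). A real assessment is XCCDF result content plus OVAL/CVE findings; here each assessment is reduced to a dictionary of rule results and a set of CVE ids so the comparison logic stands on its own. The host name, rule ids and CVE-0000-* ids are constructed placeholders.

```python
"""Baseline-versus-current comparison of the kind the SCAP framework enables.

Added example, not code from the article or from any SCAP tool. Each
assessment is reduced to a dict of rule results and a set of detected CVE ids
so the comparison logic stands on its own. Host name, rule ids and the
CVE-0000-* ids below are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Assessment:
    host: str
    rules: dict            # rule id -> "pass" | "fail" | "notapplicable"
    cves: set = field(default_factory=set)   # CVE ids detected on the host


@dataclass
class Drift:
    regressed_rules: list  # passed in the baseline, fail now
    improved_rules: list   # failed in the baseline, pass now
    new_cves: list         # vulnerabilities not present at baseline
    resolved_cves: list    # baseline vulnerabilities no longer detected

    def verdict(self):
        """Posture change implied by the deltas; 'diminished' is the usual case."""
        worse = bool(self.regressed_rules or self.new_cves)
        better = bool(self.improved_rules or self.resolved_cves)
        if worse and better:
            return "mixed"
        if worse:
            return "diminished"
        if better:
            return "increased"
        return "unchanged"


def compare(baseline, current):
    """Diff a later assessment of the same host against the original baseline."""
    if baseline.host != current.host:
        raise ValueError("assessments are for different hosts")
    regressed, improved = [], []
    for rule_id, then in sorted(baseline.rules.items()):
        now = current.rules.get(rule_id)
        if now is None:
            continue   # rule absent from the newer benchmark; not a posture change
        if then == "pass" and now == "fail":
            regressed.append(rule_id)
        elif then == "fail" and now == "pass":
            improved.append(rule_id)
    return Drift(regressed, improved,
                 sorted(current.cves - baseline.cves),
                 sorted(baseline.cves - current.cves))


def report(drift):
    """Human-readable lines; a tool would emit XCCDF/ARF result content instead."""
    lines = [f"posture: {drift.verdict()}"]
    lines += [f"REGRESSED {r}" for r in drift.regressed_rules]
    lines += [f"IMPROVED  {r}" for r in drift.improved_rules]
    lines += [f"NEW CVE   {c}" for c in drift.new_cves]
    lines += [f"RESOLVED  {c}" for c in drift.resolved_cves]
    return lines


# Constructed sample: the baseline taken at accreditation, and a later scan.
BASELINE = Assessment("host-a", {
    "rule_password_min_length": "pass",
    "rule_host_firewall_enabled": "pass",
    "rule_audit_logging_enabled": "fail",
}, {"CVE-0000-0001"})

CURRENT = Assessment("host-a", {
    "rule_password_min_length": "pass",
    "rule_host_firewall_enabled": "fail",   # the host firewall was switched off
    "rule_audit_logging_enabled": "fail",
    "rule_added_in_newer_benchmark": "pass",
}, {"CVE-0000-0001", "CVE-0000-0002"})       # a new vulnerability was detected

DRIFT = compare(BASELINE, CURRENT)

if __name__ == "__main__":
    print("\n".join(report(DRIFT)))
```

Rules that exist only in the newer benchmark are deliberately ignored: a benchmark update is not a change in the host's posture, and counting it as one would flood the drift report with noise every time the content is refreshed.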
Conclusion
Network security continuous monitoring and supporting concepts have become the foundation for many new initiatives in securing this nation’s information systems. This strategy can boost risk awareness, prioritize necessary remediation actions, and improve overall security posture. For the government to achieve an enterprise-wide network security continuous monitoring capability, supportive federal, industry, and international processes and governance bodies must be implemented in harmony with the technical solutions.

Dayna Harris | is a computer scientist on the CND R&T team in the Security Automation Office of NSA. Since joining the NSA team, she has been working on SCAP-related initiatives, contributing to the emerging data exchange standards and developing the ARCAT and Assessment Results Measure of Risk (ARMOR) Continuous Monitoring initiatives. Ms. Harris has 15+ years of software engineering experience leading design and development for database-driven, web-based software systems. She received her B.S. in Computer Science from Hawaii Pacific University and is currently pursuing her MSCS at Johns Hopkins University. She can be contacted at iatac@dtic.mil.
[Figure: Explicit and Continuous Trust Validation. Labels: Manufacturer’s Root of Trust; Global Trust Repository (GTR); Enterprise Trust Server (ETS); Build Info / Patch Info; Operational Assurance / Deployment Assurance; Decomposition Step; Harvest; Capture Relationships (Location, package, etc.); Windows / Other]

[…] supply chain integrity, it is useful, and in some cases crucial, to verify the supply […]
Schematron is much more expressive than an XML schema and allows for more fine-grained XML validation. It then runs an SCAP Schematron rule set against the entire bundle. The SCAP Schematron rules check an extensive number of requirements documented in the SP 800-126. Those rules enforce restrictions placed on individual specifications as well as relationships between specifications. For example, SCAP requires that certain XCCDF rules and OVAL definitions identify the CVE, CCE, or CPE for which they are checking. SCAPVal ensures that those identifiers are provided where appropriate, and using the CCE and CPE data feeds from the NVD Web site, it ensures that those identifiers are correct and active. In addition, it enforces how XCCDF and the CPE dictionary reference OVAL and OCIL components and checks that those references are appropriate. The results of each failure are tied back to a specific statement in the SP 800-126 and are reported as XML and hypertext markup language for easy computer and human consumption.

SCAPVal is a critical tool for rapidly ensuring that SCAP content is reasonably well-formed. While SCAPVal cannot automatically check every requirement in the SP 800-126, it provides a level of assurance that content is conformant with the specification. NIST defines multiple tiers of “checklist content” maturity on the NVD Web site, and SCAPVal assists NIST and content authors with producing content that is consistent with a higher level tier. [12]

Currently, there are three versions of the SCAP specification. SP 800-126 and SP 800-126 Rev 1 are final NIST publications that define the first two iterations of SCAP. SP 800-126 Rev 2 is currently a draft. The current release of SCAPVal supports validating content that is consistent with both SP 800-126 and SP 800-126 Rev 1. In addition, SCAPVal can validate result content that is produced by tools compliant with SP 800-126 Rev 1. Result content includes the results of performing an SCAP scan against a target host. SCAPVal can assist tool vendors and the NVD Validation Program in checking that an SCAP-compliant tool produces results consistent with the SCAP specification. [13] Another version of SCAPVal is expected to be released that will support SP 800-126 Rev 2 when that specification is finalized.

About the Authors

Adam Halbardier | is a security professional and software engineer working for Booz Allen Hamilton. He supports the NIST Security Automation Program. He developed the SCAP Schematron rules for the SCAPVal, and he now maintains that tool. He can be contacted at iatac@dtic.mil.

Angela Orebaugh | is a technologist, researcher, and cybersecurity executive. She leads a team of security experts supporting the NIST Security Automation Program, including the NVD and SCAP projects. She is also the IATAC Director of Research and Academic Integration. Ms. Orebaugh is an international author and invited speaker for technology and security events. Follow her on Twitter @AngelaOrebaugh and connect with her on Google at http://gplus.to/angelaorebaugh.

References
1. http://scap.nist.gov/revision/1.2/index.html
2. http://scap.nist.gov/specifications/xccdf/
3. http://oval.mitre.org/
4. http://scap.nist.gov/specifications/ocil/
5. http://cce.mitre.org/
6. http://cve.mitre.org/
7. http://scap.nist.gov/specifications/cpe/
8. http://nvd.nist.gov/fdcc/index.cfm
9. http://usgcb.nist.gov/
10. http://scap.nist.gov/revision/1.1/index.html#validation
11. http://www.schematron.com/
12. http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#tierDesc
13. http://scap.nist.gov/validation/
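Three of the cross-specification checks the SCAPVal discussion above attributes to the Schematron rule set (a rule must carry a CCE identifier, the identifier must be well-formed and active in the NVD feed, and every check-content-ref must resolve to an OVAL definition in the bundle), re-created in plain Python as an added example. This is not SCAPVal's code, whose rules are Schematron, and it does not tie findings to SP 800-126 statement numbers; the XCCDF and OVAL documents, the CCE-00001-0/CCE-99999-9 ids, the oval:example ids and the "active CCE" set are all constructed for the example.

```python
"""Content checks of the kind SCAPVal performs, written as an added example.

Not SCAPVal's code: it re-creates three checks the article describes in plain
Python so the logic is visible. The XCCDF and OVAL documents and the
"active CCE" set are constructed; the CCE and OVAL ids are placeholders.
"""
import re
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
OVAL = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
CCE_SYSTEM = "http://cce.mitre.org"
# Shape of a CCE id (CCE-nnnnn-n). The trailing check digit is not verified here.
CCE_SHAPE = re.compile(r"^CCE-\d{5}-\d$")

XCCDF_DOC = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_1">
    <ident system="http://cce.mitre.org">CCE-00001-0</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_example_rule_2">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:99"/>
    </check>
  </Rule>
  <Rule id="xccdf_example_rule_3">
    <ident system="http://cce.mitre.org">CCE-99999-9</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
</Benchmark>"""

OVAL_DOC = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" class="compliance" version="1"/>
    <definition id="oval:example:def:2" class="compliance" version="1"/>
  </definitions>
</oval_definitions>"""

# Stand-in for the CCE data feed from the NVD: the ids currently considered active.
ACTIVE_CCES = {"CCE-00001-0"}


def validate(xccdf_xml, oval_xml, active_cces):
    """Return (rule id, finding kind, detail) triples, in document order."""
    benchmark = ET.fromstring(xccdf_xml)
    definitions = {d.get("id") for d in ET.fromstring(oval_xml).iter(OVAL + "definition")}
    findings = []
    for rule in benchmark.iter(XCCDF + "Rule"):
        rid = rule.get("id")
        cces = [i.text.strip() for i in rule.findall(XCCDF + "ident")
                if i.get("system") == CCE_SYSTEM and i.text]
        if not cces:
            findings.append((rid, "missing-cce", "rule carries no CCE ident"))
        for cce in cces:
            if not CCE_SHAPE.match(cce):
                findings.append((rid, "malformed-cce", cce))
            elif cce not in active_cces:
                findings.append((rid, "inactive-cce", cce))
        # Every OVAL reference in the rule must resolve to a definition in the bundle.
        for ref in rule.iter(XCCDF + "check-content-ref"):
            target = ref.get("name")
            if target and target not in definitions:
                findings.append((rid, "dangling-oval-ref", target))
    return findings


def findings_as_xml(findings):
    """Serialize findings as a small XML report (SCAPVal emits XML and HTML)."""
    root = ET.Element("validation-report")
    for rid, kind, detail in findings:
        node = ET.SubElement(root, "finding", rule=rid, kind=kind)
        node.text = detail
    return ET.tostring(root, encoding="unicode")


FINDINGS = validate(XCCDF_DOC, OVAL_DOC, ACTIVE_CCES)

if __name__ == "__main__":
    for rid, kind, detail in FINDINGS:
        print(f"{rid}: {kind}: {detail}")
    print(findings_as_xml(FINDINGS))
```

Run as a script it lists one finding per violated requirement for the sample bundle (rule 2 lacks a CCE and points at a non-existent OVAL definition; rule 3 cites a CCE that is not in the feed) and prints the same findings as XML. Keeping the identifier check and the reference check separate mirrors the article's distinction between restrictions on individual specifications and relationships between them.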
Dr. Ehab S. Al-Shaer
by Angela Orebaugh
[Figure: standards adoption against market growth over time. Original work by David O’Berry with input from Steve Hanna, adapted from “Crossing the Chasm”, Moore, 1991. Labels: Bleeding Edge (Innovators, Enthusiasts); Edge (Early Majority/Pragmatists and Doers); Standards Supported (Large incumbent vendors agree to standards); Dis-Innovation (Move on to the next target market); FUD Counter-Valence (Downward pressure exerted by large or incumbent vendors through various means amplifies risk aversion inherent in human nature). Axes: Market Growth vs. Time]
[Figure: Threat Cycle; rotated stage labels lost in extraction. Source: LandWarNet 2011]

[…] The knowledge and ideas put forth […] in the future.

[Figure: Benefits; series B1, B2, B3; axis ticks $15, $20]

[…] attack rate increases. This is as expected since as the rate increases, the greater the expected number of attacks will be detected. As a result of the detection by the new sensor, responses can be taken […]
Calendar

November
CSI 2011 Annual Conference, 6-11 November 2011, Washington, DC, http://gocsi.com/events
NSA OPS 1 2011, 15 November 2011, Fort Meade, MD, http://fbcinc.com/event.aspx?eventid=Q6UJ9A00PCJ2
USSTRATCOM Cyber and Space Symposium, 15-17 November 2011, Omaha, NE, http://www.afcea.org/events/stratcom/11/introduction.asp

December
ACSAC 2011, 5-9 December 2011, Orlando, FL, http://www.acsac.org
Law Enforcement & Homeland Security Conference and Tech Expo, 7-8 December 2011, Chantilly, VA, http://www.ncsi.com/lehs11/index.html
Enterprise Mobility Conference & Expo, 8 December 2011, Washington, DC, http://download.1105media.com/gig/Events/Mobile2011/Mobile_LP.html
SANS Cyber Defense Initiative 2011, 9-16 December 2011, Washington, DC, http://www.sans.org

January
International Conference on Cyber Security, 9-12 January 2012, New York, NY, http://www.iccs.fordham.edu/
DoD Cyber Crime Conference 2012, 20-27 January 2012, Atlanta, GA, http://www.dodcybercrime.com/12cc/overview.asp
SANS North America SCADA 2012, 21-30 January 2012, Lake Buena Vista, FL, http://www.sans.org

February
NDSS Symposium 2012, 5-8 February 2012, San Diego, CA, http://www.isoc.org/isoc/conferences/ndss/12/
CT-RSA 2012, 27 February–2 March 2012, San Francisco, CA, http://ctrsa2012.cs.haifa.ac.il/