The Information Collaboration Imperative
Discussion of Homeland Security
J. Michael Gibbons, CISSP
Vice President, Unisys Federal Security Solutions
What We Will Discuss Today
• Homeland Security Mission and Challenges
• A View of the History of Information Security
• Anonymity – Biometrics as a Solution
• Security Architectures
• Solutions on the Horizon
Confidentiality, Integrity and Availability
• New Security Tenets
– Simplicity (La Sencillez, Einfachheit): Is there one place to go to get the answer to protect so many different systems and configurations?
– Truth (La Verdad, Wahrheit): What is my true risk and what should I do?
– Empathy (La Empatía, Einfühlung): Any information security success is a victory.
Information Sharing Responsibilities, Challenges and Key Management Issues
• A 2003 U.S. Government report said DHS must access, receive and analyze law enforcement information, intelligence information, and other threat, incident and vulnerability information from federal and non-federal sources.
• DHS must develop productive information sharing relationships between federal and state/local governments and with the private sector.
– The private sector owns or manages 95% of the critical infrastructures.
From The General Accounting Office…
• Department of Homeland Security needs to provide appropriate incentives for non-federal entities to increase information sharing with the federal government and enhance other critical infrastructure protection efforts.
Analysis and Warning
• DHS must improve the federal government's capability to analyze incident, threat, and vulnerability information obtained from numerous sources, and to share, as appropriate, timely and useful warnings and other information concerning both cyber and physical threats with federal entities, state and local governments, and the private sector.
System Integration View Of Homeland Security
Copyright 2004 ST-Infonox
Information Security Historical Perspective
• 1986 The Hannover Hackers and Legion of Doom
• 1988 Internet Worm - Robert Morris, $196m losses, Internet stopped
• 1995 Mitnick - government alleges $80m losses, source code changes
• 1/99 “Cyber warfare” - Civil rights abuses ignite LoU - 2 Chinese hackers sentenced to death
• 4/99 Melissa Virus - $300m, David Smith imprisoned (PC Explore.Zip)
• 12/99 Credit Card Fraud - CD Universe, 300,000 cards, blackmail threat of $300,000
• 2/9/00 DDoS - E-commerce attack on Yahoo/Amazon/eBay/CNN/Buy.com, Yankee Group ~$1.2b losses
• 5/00 ILoveYou worm (vbs.loveletter.a) - ~$1.0b losses in Pac Rim, Europe and North America
• 8/00 Barclays Bank - security breach revealed 1000's of individual banking accounts
• 7/01 Code Red + variants - $1.2 billion globally (Nimda, Korna ++)
• 2004 DDoS against London's online gambling sites - Russian organized crime today, cyber terrorists tomorrow
Cyber Threats to Critical Infrastructures Observed by the FBI
• Criminal Groups
• Foreign Intelligence Services
• Hacktivists
• Information Warfare
• Hackers
• Insider Threats
• Virus Writers
We should emulate the Hackers
• Real-time global data exchange
• Trusted covert channels of communication
• Quid pro quo - data exchange in trusted communities with equal give and take
• File and vulnerability sharing with anonymity
• Anonymous work groups to solve problems
• Portable code and high reuse of working code
• Rapid time to market - vulnerability to exploit script
• Hiding below the radar
[Chart: Successful Web Site Hacks Daily, 1999-2004]
[Chart: Hacking Probes per Day Against Average Single IP Address, 1999-2004]
Trojans & “Bots” - 2004 is the Year of the Bot
[Chart: New Attack Code Monthly, 1999-2004]
'Owned' Computers (x10,000): 6.5 Million
[Chart: Number of Unique Phishing Attacks Against Financial Organizations, Dec-03 to Jun-04]
Source: http://www.antiphishing.org/APWG_Phishing_Attack_Report-Jun2004.pdf
Malicious Mail - Spam, Spyware, Worms, Virus, Phishing, Extortion, Scams…
[Chart: Misuse as % of Email, Jan-04 to Jul-04]
How would you act if you knew you would be caught?
• Anonymity in Cyberspace creates a condition where people who believe their actions are anonymous will act differently than they would if all of their actions were attributable to them.
How do you verify Identity?
• Something You Know - sometimes identifiable
– Password, family name, date of birth, word/phrase, mortgage balance, bank transaction amount, etc.
• Something You Have
– Driver license, passport, token (PKI), etc.
• Something You Are
– Physical characteristics: DNA, fingerprint, iris, facial, retina, voice, hand, etc.
– Behavioral characteristics: signature, gait, etc.
Biometrics is the automated technique of measuring a physical characteristic or personal trait and comparing it to a database for purposes of identification.
Protecting Access - A Role for Biometrics
• Network access: what you know (username/password) plus who you are (biometrics: fingerprint ID, iris recognition, face recognition)
• Physical access: handprint, fingerprint ID, iris recognition, face recognition
Access Control
• Control access to facilities
• Control access to networks
• Eliminate or reduce the need for
– PIN numbers
– Multiple passwords
– Multiple key cards
– Physical security personnel
• Can be integrated with
– Other biometric solutions for multiple or layered security
– Electronic locks, man traps, turnstiles, etc.
– Common access, smart, proximity, or other cards
Choosing and Using a Biometric
• Accuracy - uniqueness, stability
• User Acceptance – Less Intrusive and Easier to Use is better
• Cost
• Token / card
• Multiple Biometrics & Compatibility
• Security & Privacy
• Integrated Solutions for layered security and record keeping
Hand Geometry
• Uses the geometric shape of the hand (for example length, thickness, width) for verification.
• Acceptable for verification purposes (a 1:1 match against a claimed identity).
• Not considered robust enough to support identification (a 1:N search), because human geometric measurements are not “unique.”
• “Uniqueness” is a key issue and concern!
Fingerprint Recognition
• Uses relation of key points and features of the finger for verification.
• Acceptable for verification purposes.
• Most widely used biometric today
[Diagram: minutiae features - ridge ending, ridge bifurcation, primary minutia, neighbour, relation between them, clear zone, unclear zone]
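The diagram's vocabulary (primary minutia, neighbour, relation, ridge ending, ridge bifurcation, clear and unclear zones) is enough to show how a minutiae matcher works. The Python below is an added example, not code from the presentation or from any Unisys product: each minutia is described by the relations to its nearest neighbours, measured relative to its own ridge direction, so the description is unchanged by the rotation and shift of a re-scanned finger; two minutiae correspond when enough of those relations agree, which tolerates a neighbour lost in an unclear zone. The templates, tolerances and decision threshold are constructed assumptions, not real fingerprint data or tuned values.

```python
"""Minutiae matching by local structure (added example, not from the presentation)."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Minutia:
    x: float
    y: float
    theta: float   # ridge direction in radians
    kind: str      # "ending" or "bifurcation"


def _wrap(angle: float) -> float:
    """Map an angle to (-pi, pi] so differences near +-pi compare correctly."""
    return math.atan2(math.sin(angle), math.cos(angle))


def local_structure(primary: Minutia, template: list[Minutia], k: int = 3):
    """Relations (distance, bearing, orientation difference, kind) to the k nearest
    neighbours, measured relative to the primary's own ridge direction so the
    structure is invariant to translation and rotation of the print."""
    neighbours = sorted((m for m in template if m is not primary),
                        key=lambda m: math.hypot(m.x - primary.x, m.y - primary.y))
    relations = []
    for n in neighbours[:k]:
        dx, dy = n.x - primary.x, n.y - primary.y
        relations.append((math.hypot(dx, dy),
                          _wrap(math.atan2(dy, dx) - primary.theta),
                          _wrap(n.theta - primary.theta),
                          n.kind))
    return relations


def _relation_matches(a, b, dist_tol: float = 6.0, ang_tol: float = math.radians(15)) -> bool:
    # Tolerances are illustrative assumptions.
    return (a[3] == b[3] and abs(a[0] - b[0]) <= dist_tol
            and abs(_wrap(a[1] - b[1])) <= ang_tol and abs(_wrap(a[2] - b[2])) <= ang_tol)


def structures_match(primary_a, rels_a, primary_b, rels_b, min_relations: int = 2) -> bool:
    """Same minutia type and at least min_relations of k neighbour relations agree;
    asking for fewer than k tolerates a neighbour lost in an unclear zone."""
    if primary_a.kind != primary_b.kind:
        return False
    agreed = sum(1 for ra in rels_a if any(_relation_matches(ra, rb) for rb in rels_b))
    return agreed >= min_relations


def match_score(enrolled: list[Minutia], probe: list[Minutia], k: int = 3) -> float:
    """Fraction of the smaller template whose minutiae find a partner (greedy 1:1 pairing)."""
    if not enrolled or not probe:
        return 0.0
    probe_structs = [(m, local_structure(m, probe, k)) for m in probe]
    used, matched = set(), 0
    for m in enrolled:
        rels = local_structure(m, enrolled, k)
        for j, (pm, prels) in enumerate(probe_structs):
            if j not in used and structures_match(m, rels, pm, prels):
                used.add(j)
                matched += 1
                break
    return matched / min(len(enrolled), len(probe))


def verify(enrolled, probe, threshold: float = 0.6) -> bool:
    """1:1 verification decision (threshold is an illustrative assumption)."""
    return match_score(enrolled, probe) >= threshold


def transform(template, angle, dx, dy):
    """Rigidly rotate and translate a template, as a re-scanned finger would be."""
    c, s = math.cos(angle), math.sin(angle)
    return [Minutia(c * m.x - s * m.y + dx, s * m.x + c * m.y + dy,
                    _wrap(m.theta + angle), m.kind) for m in template]


# Constructed sample templates (not real fingerprint data).
ENROLLED = [
    Minutia(100, 100, 0.0, "ending"),
    Minutia(130, 110, 0.3, "bifurcation"),
    Minutia(110, 140, 1.2, "ending"),
    Minutia(160, 150, 0.8, "bifurcation"),
    Minutia(90, 170, 2.0, "bifurcation"),
    Minutia(150, 90, -0.5, "ending"),
]
# Same finger re-scanned: rotated 20 degrees, shifted, and one minutia (index 4)
# lost in an unclear zone of the image.
PROBE_SAME = transform([m for i, m in enumerate(ENROLLED) if i != 4], math.radians(20), 15, -7)
# A different finger: same number of minutiae, different geometry.
PROBE_OTHER = [
    Minutia(20, 30, 0.4, "ending"), Minutia(120, 40, -1.1, "bifurcation"),
    Minutia(210, 60, 2.2, "ending"), Minutia(40, 150, 0.9, "bifurcation"),
    Minutia(150, 170, -2.4, "ending"), Minutia(250, 160, 1.6, "bifurcation"),
]

if __name__ == "__main__":
    print("same finger :", match_score(ENROLLED, PROBE_SAME), verify(ENROLLED, PROBE_SAME))
    print("other finger:", match_score(ENROLLED, PROBE_OTHER), verify(ENROLLED, PROBE_OTHER))
```

The greedy pairing and the fixed tolerances are the simplest thing that works on the constructed data; a production matcher would also estimate a global alignment from the paired minutiae and reject pairings that disagree with it, which is what keeps a handful of coincidental local agreements on a different finger from adding up to a false accept.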
Facial Recognition
Figure 3: Examples of local features derived by LFA.
The algorithm recognizes the fact that most complex patterns are built from a more fundamental set of “localized” and “stereotyped” features or landmarks. For example, faces are not global patterns; rather they are built from a collection of local features (eyes, nose, brow, cheek and jaw bone structure, mouth, etc.). The algorithm allows for the automatic detection of these landmarks and defines identity in terms of the spatial relationship between them. A computer can detect about 80 potential landmarks on a face. However, because LFA is characterized by built-in redundancy, only 14 landmarks (the most predictive points) need to be visible for an identity to be determined.
Local Feature Analysis
• Complex patterns are built from a more fundamental set of landmarks
• Defines identity from spatial relationships
• 80 potential landmarks
• Uses 14 most predictive points
• Automatic landmark detection
Iris Pattern
• Each iris is theoretically unique
• Iris is potentially the best biometric technology because it offers
– a large amount of feature data (266 measurable features)
– is naturally protected from the external environment by the cornea and does not change
– is non-invasive and visible, so it is easy to photograph
– the probability of producing the exact same IrisCode™ record is 1 in 10^78
[Diagram: iris anatomy - collarette, crypts, radial furrows, ciliary area, pupillary area, pupil, pigment frill]
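How two IrisCode records are actually compared, as an added example that is not part of the presentation: Daugman's masked fractional Hamming distance, where bits captured in unclear zones (eyelid, lashes, reflections) are excluded by a mask and the comparison is repeated over a few small rotations because the eye rolls slightly between captures. The code layout, seeds, noise pattern and threshold below are constructed assumptions; the false-match model treats the distance between different eyes as a binomial with the 266 degrees of freedom the slide cites, which is Daugman's published model rather than a calculation from the slide.

```python
"""IrisCode-style template comparison (added example, not from the presentation)."""
from __future__ import annotations

import math
import random

BANDS, ANGLES = 8, 32   # constructed layout: radial bands x angular samples = 256 bits


def make_code(seed: int) -> list[list[int]]:
    """Stand-in for a real IrisCode: pseudo-random bits from a fixed seed."""
    rng = random.Random(seed)
    return [[rng.getrandbits(1) for _ in range(ANGLES)] for _ in range(BANDS)]


def full_mask() -> list[list[int]]:
    """Mask bit 1 = clear zone (usable), 0 = unclear zone (occluded)."""
    return [[1] * ANGLES for _ in range(BANDS)]


def rotate(code, shift: int):
    """Cyclically shift every band by `shift` angular positions (eye rotation)."""
    return [row[-shift:] + row[:-shift] for row in code]


def fractional_hd(code_a, mask_a, code_b, mask_b) -> float:
    """Disagreeing bits / bits usable in both codes; 1.0 if nothing is comparable."""
    usable = disagree = 0
    for ra, ma, rb, mb in zip(code_a, mask_a, code_b, mask_b):
        for a, m1, b, m2 in zip(ra, ma, rb, mb):
            if m1 and m2:
                usable += 1
                disagree += a != b
    return disagree / usable if usable else 1.0


def best_hd(code_a, mask_a, code_b, mask_b, max_shift: int = 3) -> float:
    """Minimum HD over rotations of the probe (and its mask) within +-max_shift."""
    return min(fractional_hd(code_a, mask_a, rotate(code_b, s), rotate(mask_b, s))
               for s in range(-max_shift, max_shift + 1))


def is_match(hd: float, threshold: float = 0.32) -> bool:
    """Accept below the threshold; 0.32 is an assumed operating point."""
    return hd < threshold


def false_match_rate(threshold: float, dof: int = 266) -> float:
    """P(HD <= threshold) for two different eyes, modelling the count of
    disagreeing bits as Binomial(dof, 1/2) with the 266 degrees of freedom
    the slide cites (Daugman's model)."""
    k_max = math.floor(threshold * dof)
    return sum(math.comb(dof, k) for k in range(k_max + 1)) / 2 ** dof


# Constructed enrolment record and probes.
ENROLLED, ENROLLED_MASK = make_code(1), full_mask()


def _same_eye_probe():
    """Re-capture of the same eye: every 10th bit flipped by sensor noise, the eye
    rotated by 2 positions, and the upper two bands hidden by an eyelid over
    half the angular range (those bits are masked out, not compared)."""
    code = [row[:] for row in ENROLLED]
    for i in range(0, BANDS * ANGLES, 10):
        code[i // ANGLES][i % ANGLES] ^= 1
    code = rotate(code, 2)
    mask = full_mask()
    for r in range(2):
        for c in range(ANGLES // 2):
            mask[r][c] = 0
    return code, mask


PROBE_SAME, PROBE_SAME_MASK = _same_eye_probe()
PROBE_OTHER, PROBE_OTHER_MASK = make_code(2), full_mask()

if __name__ == "__main__":
    for name, code, mask in (("same eye ", PROBE_SAME, PROBE_SAME_MASK),
                             ("other eye", PROBE_OTHER, PROBE_OTHER_MASK)):
        hd = best_hd(ENROLLED, ENROLLED_MASK, code, mask)
        print(f"{name}: HD={hd:.3f} match={is_match(hd)}")
    print(f"false match rate at HD 0.32: {false_match_rate(0.32):.2e}")
```

Two points carry over to any real deployment: the mask must be rotated together with the code, or occluded bits are compared against the wrong positions, and a wider rotation search lowers the false-reject rate at the cost of more chances for a different eye to fall under the threshold, so the threshold and the search width have to be set together.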
Global Third Party Authentication Study - U.S. Government
• How do you identify a person on the other end of a transaction without a biometric or shared secret?
• Information on individuals that was “out of pocket” lay primarily in the financial services industry, including credit bureaus and financial institutions. Non-standard and lacking.
– Mortgage amount
– Utility bills
– Former addresses of residence
– Personally identifiable data
Regulatory Drivers/Requirements
• United States
– Computer Fraud and Abuse Act 1986
– Gramm-Leach-Bliley Act (GLBA)
– HIPAA Security & Privacy Rules
– Federal Information Security Management Act
– Aviation and Transportation Security Act
– Homeland Security / Patriot Act
• European Union
– Data Protection Directive
– EU Digital Signature Directive
– EU Privacy Act
Agencies now need to Incorporate and Fund Security in Information Systems Investments from Cradle to Grave.
Our Office of Management and Budget (OMB) will consider new or continued funding only for those system investments that satisfy new security criteria and will consider funding information technology investments only upon demonstration that existing agency systems meet these criteria.
U.S. Government Implementing a Life Cycle Approach
• Level 1 - Documented Policy
• Level 2 - Documented Procedures
• Level 3 - Implemented Procedures and Controls
• Level 4 - Testing Effectiveness of Procedures and Controls
• Level 5 - Fully Integrated Procedures and Controls
This program needs to be developed over time.
This framework allows you to:
• Measure the current status of your Security Program
• Establish an integrated, repeatable process to manage your Security Program
U.S. Security Program Framework
Defense in Depth Approach
• Prevention (make exploits difficult): screening routers, proxies & firewalls, intrusion prevention, configuration control, network segmentation, encryption, certification & accreditation, risk assessment
• Detection (identify concerns): host-based intrusion detection (IDS), system & event logging and analysis, user and identity management, vulnerability assessments, managed security services, network distributed IDS, virus detection, hostile code screening
• Response (respond and improve): real-time alerts, console notification, restrict access, active resets, system analysis tools, investigate events
Security Architecture
Defense-in-Depth Meets BS-7799
[Matrix: People / Process / Technology against Preventative / Detective / Reactive controls]
• Policies and Procedures; Training & Awareness; System Security Administration; Physical Security; Personnel Security
• Identification & Authentication Architecture; User Provisioning; Access Control Architecture; Secure Network Architecture; Acquisition/Integration of Evaluated Products; System Vulnerability Assessment
• Security Strategy; Security Policy; Certification and Accreditation; Security Management; Key Management; Legislative Compliance
• Readiness Assessments; Legal Countermeasures; Facilities Countermeasures; Recovery & Reconstitution; Data Retention Procedures
• Attack Sensing, Warning and Response Services (ASW&R); Log Monitoring Procedures; Operations Staff; Periodic Independent Audits; Auditing Tools; Intrusion Detection; System Health / Traffic Analysis; Backup Strategies; Managed Federal Security Services
Unisys Security Program Management (Unisys Federal IT Security Framework, Copyright 2005)
• Security Governance: Policies, Oversight, Compliance, Sourcing & Contract Support, Metrics & Reporting
• Security Operations: Policies, Procedures, Interconnections, Situational Awareness, Project Mgmt, Planning, Training, Workflow, Resolution, Discipline
• Federal Security Operations Center (SOC)
• Control Implementation & Integration
– Identity and Access Management: SSO, RA/VPN, PKI, Smart Cards, Biometrics, Directory Services
– Vulnerability and Incident Management: IR, Forensics, Patch Mgmt, IDS/IPS, Vulnerability Mgmt, AV, Malicious Code Protection, Content Filtering
– Configuration Management: CM/Change Control, Inventory/Asset Mgmt & Control, SDLC Security, ACL/GPO Mgmt, Firewall Mgmt, Wireless Security
– Continuity of Operations: BIA, DR, CP, CoS
Continuous Monitoring - Security Architecture
• Elements: System Security Plan; Security Control Assessment & Testing; Risk Assessment; Certification & Accreditation; Applications and Systems
• Control families (NIST Special Publication 800-53 Final / FIPS 200): Access Control; Security Awareness & Training; Audit & Accountability; Certification, Accreditation & Security Assessment; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance Control; Media Protection; Physical & Environmental Protection; Security Planning; Personnel Security; Risk Assessment; System & Services Acquisition; System & Communications Protection; System and Information Integrity
1986 to 2004 - What Have We Learned?
• Risks and Vulnerabilities are shared Globally in real time. Solutions must follow this trend.
• A newly connected system has about 16 minutes to be patched before it is attacked (SANS).
• Technology alone won’t protect you. You need a comprehensive security program that addresses threats from the inside and outside.
• “I was the person quoted that 80% of your risk was from insiders; with Internet connections the reverse is now the case.” - Richard Power, Computer Security Institute
Computer Forensics Need on the Rise
Solutions on the Horizon
• Learning intrusion prevention
• High speed service based data analysis
• Application vulnerability analysis
• Natural language analysis vs. signatures
• Behavior based network signatures
• Forensic reconstruction of intercepted data
J. Michael Gibbons, VP / GM Federal Security [email protected]
•Mr. Gibbons leads the Unisys Federal Security Solutions Practice. Mike Gibbons joined Unisys in May 2004, after a 15-year career with the Federal Bureau of Investigation and five years leading a “Big-5” Security Practice. Mr. Gibbons has managed Information Technology (IT) security projects including requirements development, planning and integration of technical solutions, strategic program development, firewalls, network monitoring, access controls, and Intrusion Detection Systems. He is a Certified Information Systems Security Professional. •Relevant Experience
Leads a Public Services solutions team that delivers security policy, assessment, architecture, and integration of security products and services.
Led the program review and development of an information system security monitoring program for the Federal Deposit Insurance Corporation.
Developed the methodology for independently evaluating the Department of Justice Certification and Accreditation activities.
Led the survey and analysis of third party identification methods available to validate individuals' identities in Internet transactions for the U.S. Social Security Administration.
Developed enterprise-wide information security program including policy, training and security governance for the United States Department of Education’s Office of Student Financial Assistance. This office manages $35 Billion in student loan transactions each year.
Developed a white-paper and feasibility study on the use of PKI technology for financial partners doing business with students nationwide, then led a team that developed the policy and system used by students nationwide to sign electronic promissory notes.
Established and managed the National Infrastructure Protection Center’s Computer Investigations Unit. Also established the office tasked to provide integration and technical support to FBI Field Offices including personal computers, network servers, routers, firewalls, intrusion detection systems, and virtual private networks (VPN).
Recognized as an expert witness on telecommunications fraud in United States Federal Court, and has been brought into numerous high-tech companies to discuss management of IT security products and services.
Received a letter of commendation from the FBI Director in 1997 for leading a Red Team that performed an extensive review of the FBI’s internal data processing systems.
Investigating Case Agent on the Hannover Hackers Case, detailed in the best selling book "The Cuckoo's Egg." Special Agent assigned to the Internet Worm Case, which was the first prosecution for the Federal Computer Fraud and Abuse Act of 1986.
•When he left Federal Service, Mr. Gibbons was the Chief of the Computer Investigations Unit located in the National Infrastructure Protection Center, where he directed FBI computer intrusion investigations worldwide. Mr. Gibbons graduated with distinction from the National Defense University's Information Resources Management College in April 1993. He speaks on security regularly, including at the 2002 and 2003 Federal Information Assurance Conferences, Microsoft Fusion Conferences, the Department of Energy Computer Security Training Conference, Fox News Channel, The New York Times, Washington Post, Business Week, Forbes, the Gartner Sector 5 Cyber Terrorism Summit, and the eGov Conference. He holds an active U.S. Government Top Secret Clearance.