Cybersecurity Test and Evaluation: Achievable and Defensible Architectures
October 2015, ITEA Francis Scott Key Chapter
Mr. Robert L. Laughman for COL Scott D. Brooks, Director, Survivability Evaluation Directorate, Army Evaluation Center
U.S. Army Evaluation Center
Approved for public release; distribution is unlimited.

Agenda
- Understanding trends
- Technology
- Cybersecurity testing & evaluation
- New approaches
- Challenges
[Chart: technology trends, 2015 to 2020]

[Chart: Reported Breaches by Year]
Operational Cybersecurity Testing

Blue Team Assessment Tools
- Nmap: network mapping, traffic generation
- Q-Tip, Retina, Nessus: signature-based vulnerability scanners; malware signatures updated daily
- SCAP Compliance Checker: automated scanning of systems against the DISA Security Technical Implementation Guides (STIGs)
- Burp Proxy: web application proxy (man-in-the-middle for assessing web application vulnerabilities)
- Wireshark, Tcpdump: traffic analysis; can capture wired and wireless packets
- John, Cain: password crackers
- THC-Hydra: password guesser

Red Team Assessment Tools
- Nmap: covert network mapping, firewall evasion, traffic generation
- Metasploit: exploitation and post-exploitation toolset (exploits vulnerabilities and delivers a payload)
- Meterpreter: Windows Metasploit payload used for keystroke logging, enabling the camera and microphone, data theft, maintaining access, and covert communications
- Burp Proxy, Zed Attack Proxy: web application attacks
- BeEF: web browser exploitation toolset
- Mimikatz: credential extraction from memory (plaintext passwords, hashes and Kerberos tickets held by a running Windows host), not a general memory-forensics tool
- Cobalt Strike: advanced exploitation toolset with a graphical interface
- John, Cain: password crackers
- THC-Hydra: password guesser
Shift Left Cybersecurity Testing
- Formally add cybersecurity DT to the TEMP
- ATEC: leverage existing test capabilities rather than build new ones
- Build T&E plans starting with Risk Management Framework (RMF) products
- RMF replaces DIACAP, with the intent of managing risk over the system's lifecycle
- Score card
Shift Left Cybersecurity T&E: Earlier Than IOT&E

Analysis phase (RMF)
- Phase 1: Understand Cybersecurity Requirements
- Phase 2: Characterize Cyber Attack Surface

Test phase
- Developmental Test / Integrated DT/OT
  - Phase 3 test event: DT Cooperative Vulnerability and Penetration Assessment
  - Phase 4 test event: DT Adversarial Assessment
- Operational Test
  - Phase 5 test event: OT Cooperative Vulnerability and Penetration Assessment
  - Phase 6 test event: OT Adversarial Assessment

Milestones shown on the timeline: A, B, C, IATT, OTRR, FRP.

Events derived from the DASD(DT&E) DoD Cybersecurity Test and Evaluation Guidebook, 1 July 2015, ver. 1 (https://acc.dau.mil/adl/en-US/722865/file/80161/Cybersecurity%20te%20guidebook%20July%201%202015%20v1_0.pdf), and the DOT&E Cybersecurity Operational Test and Evaluation Guidance Memo (01 August 2014).
Cybersecurity Test and Evaluation Approach: Major Software Updates

The cybersecurity T&E approach (IAW AR 25-2, DoDI 8510.01, and DASD(DT&E) & DOT&E guidance*) mitigates the software and security risks of fielding unproven platform equipment. Applicable data will be leveraged whenever available.

Software lifecycle: OEM Cybersecurity Testing -> Software Drop Post-OEM Testing -> DT Cybersecurity Testing -> Software Drop Post-DT -> OT Cybersecurity Testing -> Software Drop Post-OT -> Software Lifecycle Maintenance (continuous)

Subsystem examples
- New hardware: computing systems, improved displays, new processor units, maneuver control enhancements
- New software: cross domain solution adjustments, enhanced training, improved vehicle management, improved communications manager
- New integration: CREW device, tactical communication devices, battle command systems, power distribution systems

Cooperative Vulnerability and Penetration Assessments (CVPA): system focused; risk-based (what is most likely to be exploited); actionable information

Network: end-to-end data exchange relationships; security approach; existing evaluation
NDIA Summit, DoD Program Protection, May 19-22, 2014

Security Engineering Challenges
- Incorporation of security engineering as a discipline of systems engineering: engineering methodology, processes, and practices; system security engineering workforce
- Quantification of security risks: vulnerability detection and validated mitigation
- Articulation of security requirements: threat-driven, evolving over time; risk-based, affordable trade-off analysis; measurable, testable system specifications
- Protection of technical data: consequences of unclassified controlled technical information losses

Common themes
- Security engineering as a discipline
- Earlier and often in the development process
- Architecture
- In contracts: part of Sections L and M in RFPs
- Cyber testing

http://www.ndia.org/divisions/divisions/systemsengineering/pages/past_projects.aspx
Challenges for T&E
- OSD policies on cybersecurity T&E are still in draft; DoDI 5000.02 states the need for cybersecurity in DT
- AR 73-1: draft in process
- Modeling & simulation
- Operational requirements: addressing DOTMLPF; training and CND activity at echelon
- Metrics: work underway with MIT-LL; measurable, testable, repeatable; configuration; operational mission risk
Measures (source: DOT&E Cybersecurity Operational Test and Evaluation Guidance Memo, 01 August 2014)
- Account Management: accounts are established only after screening users for membership, need-to-know, and functional tasks, and disestablished promptly when retired. Default credentials designed into software are changed on first use.
- Least Privilege: role-based account privileges grant access only to the systems and applications the user needs.
- Identification and Authentication: organizational users are uniquely identified and authenticated when accessing the system, including accounts; two-factor authentication or stronger.
- Content of Audit Records: audit records contain sufficient information to establish the nature, time, location, source and outcome of malicious events, as well as the identity of any individuals associated with such events.
- Audit Review, Analysis and Reporting: audit records are reviewed and analyzed promptly for indications of inappropriate activity, and any findings are reported to the defenders.
- Continuous Monitoring: the system is continuously monitored for vulnerabilities, including regular assessments by test teams.
- Configuration Settings: the system is installed in accordance with an established baseline configuration following the principle of least functionality, and any deviations from this baseline are recorded.
- Backup, Recovery and Restoration: system data is backed up and preserved, and a recovery and restoration plan for the system is
- Device Identification and Authentication: the information system uniquely identifies and authenticates devices before a connection is established.
- Authenticator Management: the cryptographic strength, maximum lifetime and storage methods for system authenticators (e.g., passwords, tokens) comply with organizational policy.
- Default Authenticators: system authenticators (e.g., passwords, tokens) are changed from their default settings.
- Physical Access Control: the information system, including data ports, is physically protected from unauthorized access appropriate to the level of classification.
- Boundary Protection: the system monitors and controls data exchanges at the external boundary and at key internal boundaries, using firewalls or guards and IPS/IDS/HBSS.
- Secure Network Communications: network communications are secured, and remote sessions require a secure form of authentication.
- Update Management: security-related software and firmware updates (e.g., patches) are centrally managed and applied to all instances of the system in accordance with the relevant direction and timelines.
- Malicious Code Protection: mechanisms for preventing the deployment of malicious code (e.g., viruses, malware) are installed, configured and kept up to date.
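The measures above are written as pass/fail evaluation criteria. As an added example (not from this briefing, and not a DOT&E or ATEC tool), the following Python shows how a test team could turn a few of them into automated scorecard checks run over collected evidence: an account inventory and a set of JSON audit records. The account data, the audit lines, the role-to-privilege table, the 60-day password lifetime and the list of known default passwords are all constructed assumptions for illustration; a real assessment would pull this evidence from the system under test.

```python
"""Scorecard checks for several DOT&E operational cybersecurity measures.

Added example, not part of the ATEC briefing. The account inventory, audit
records, role table and policy thresholds are constructed for illustration.
"""
import hashlib
import json
from datetime import date

MAX_PASSWORD_AGE_DAYS = 60  # assumed organizational policy (Authenticator Management)

# Assumed role table: the privileges each role may hold (Least Privilege).
ROLE_PRIVILEGES = {
    "operator": {"read_sensor"},
    "maintenance": {"read_sensor", "flash_firmware"},
    "admin": {"read_sensor", "flash_firmware", "manage_accounts"},
}

# Nature (event), time, location (host), source, outcome, identity (user).
REQUIRED_AUDIT_FIELDS = {"event", "timestamp", "host", "source_ip", "outcome", "user"}


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Unsalted SHA-256 keeps the sample self-contained; match the real credential
# store's format when checking a fielded system.
KNOWN_DEFAULT_HASHES = {_sha256(p) for p in ("admin", "password", "changeme")}

# Constructed account inventory (not real accounts).
ACCOUNTS = [
    {"user": "jsmith", "role": "operator", "privileges": ["read_sensor"],
     "pw_hash": _sha256("Correct-Horse-9!"), "pw_set": "2015-09-01",
     "mfa": True, "status": "active", "enabled": True},
    {"user": "vendor", "role": "maintenance",
     "privileges": ["read_sensor", "flash_firmware"],
     "pw_hash": _sha256("admin"), "pw_set": "2014-01-15",
     "mfa": False, "status": "active", "enabled": True},
    {"user": "bjones", "role": "operator",
     "privileges": ["read_sensor", "manage_accounts"],
     "pw_hash": _sha256("Tr0ub4dor&3"), "pw_set": "2015-09-20",
     "mfa": True, "status": "retired", "enabled": True},
]

# Constructed audit records, one JSON object per line.
AUDIT_LINES = [
    '{"timestamp": "2015-10-01T08:15:02Z", "event": "login_failure", "host": "gw01", '
    '"source_ip": "10.0.0.7", "user": "vendor", "outcome": "denied"}',
    '{"timestamp": "2015-10-01T08:15:05Z", "event": "login_success", "host": "gw01", '
    '"user": "vendor", "outcome": "success"}',
    '{"event": "firmware_flash", "host": "ecu03", "source_ip": "10.0.0.7", '
    '"user": "vendor", "outcome": "success"}',
]

AS_OF = date(2015, 10, 1)  # fixed assessment date so the run is deterministic


def check_account_management(accounts):
    """Retired accounts that were never disestablished."""
    return [a["user"] for a in accounts if a["status"] == "retired" and a["enabled"]]


def check_least_privilege(accounts):
    """(user, excess privileges) for accounts exceeding their role."""
    findings = []
    for a in accounts:
        excess = set(a["privileges"]) - ROLE_PRIVILEGES.get(a["role"], set())
        if excess:
            findings.append((a["user"], sorted(excess)))
    return findings


def check_mfa(accounts):
    """Accounts lacking two-factor authentication."""
    return [a["user"] for a in accounts if not a["mfa"]]


def check_default_authenticators(accounts):
    """Accounts still using a known vendor default password."""
    return [a["user"] for a in accounts if a["pw_hash"] in KNOWN_DEFAULT_HASHES]


def check_authenticator_age(accounts, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Accounts whose password is older than the policy maximum lifetime."""
    return [a["user"] for a in accounts
            if (as_of - date.fromisoformat(a["pw_set"])).days > max_age_days]


def check_audit_records(lines):
    """(line number, missing fields) for records that cannot support analysis."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        missing = REQUIRED_AUDIT_FIELDS - set(json.loads(line))
        if missing:
            findings.append((lineno, sorted(missing)))
    return findings


def scorecard(accounts, audit_lines, as_of):
    """Map each measure to a pass flag and the findings behind it."""
    raw = {
        "Account Management": check_account_management(accounts),
        "Least Privilege": check_least_privilege(accounts),
        "Identification and Authentication": check_mfa(accounts),
        "Default Authenticators": check_default_authenticators(accounts),
        "Authenticator Management": check_authenticator_age(accounts, as_of),
        "Content of Audit Records": check_audit_records(audit_lines),
    }
    return {m: {"pass": not f, "findings": f} for m, f in raw.items()}


if __name__ == "__main__":
    for measure, result in scorecard(ACCOUNTS, AUDIT_LINES, AS_OF).items():
        print(f"{'PASS' if result['pass'] else 'FAIL'}  {measure}: {result['findings']}")
```

Each check returns its findings rather than a bare boolean so the scorecard can carry the evidence a CVPA report needs (which account, which privilege, which audit line). The checks here are the ones that can be decided from inventory data alone; measures such as Boundary Protection or Continuous Monitoring need network evidence or process review and would be scored by hand.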
Path to Achievable and Defensible Networks
- Operational requirements documents
- Contract language
- Architecture design and planning
- Inherited controls
- Testing (ACAS, SCAP, CVPA and adversarial)
- Changes in HW, SW or architecture
- Defensible systems