Imagine a networked world for our Navy where the well-publicized benefits of the Navy Marine Corps Intranet (NMCI) allow us access to information anywhere, at any time...faster information searches... faster collaboration... faster, better decisions. A-h-h! Web-surfing nirvana!
As we become more of a "clicks and steel" Navy, increasingly dependent on information, we tend to assume that data integrity is intact and that online systems are always available when we need them. For availability and convenience, Department of Defense (DoD) information resides on the network and within the backbone itself. Many of our goods and services have become online transactions traveling along secure, confidential channels for transferring data up and down the entire online information "supply chain." What a lucrative target for hackers, crackers, potential foes and terrorists!
Now imagine a world where system security breaches force us to dust off manuals, find those paper files...and make important decisions without all the information we need.
"Information Fort" versus "Information Trading Post"
Because of our growing dependence on information systems and the advent of the NMCI, we are wrestling with the issue of security versus network access.
Whether we are denied access or lose our connectivity because of network attacks, system problems or overly strict security rules, each instance equates to an opportunity cost. This phenomenon is what I'll describe loosely as knowledge loss: either the inability to create knowledge or gain efficiency from access to information, or loss from theft of intellectual property. Knowledge loss is hard to measure, but we do know that without access to network information and collaboration, our efficiency, productivity and ability to make sound decisions take a marked dive. We want our networks to be secure, so that they are less inviting targets for access or disruption by potential adversaries.
A simple comparison illustrates our dichotomy between security and access. Whether a museum curator or a store manager, you face the same kind of tough choice.
Curators are experts on the invaluable artifacts housed in their museums, and they pride themselves in displaying these to a curious public. Still, they must strike a balance between the ongoing need to protect all those valuable artifacts from theft, destruction or damage, and the risk of offering enough access to view the valuables.
Similarly, store managers must allow customers to sample their goods to make sales, so they often use "transparent," static physical security methods to protect goods that incur the greatest risks.
Stores and museums could escalate security measures ad infinitum—security guards in every room 24x7, tagging all the items, putting sensors on all the doors to detect tags and surveillance cameras to watch all employees and visitors—but at a high cost and at the risk of losing their customers or viewing public.
If their goal is to achieve both perfect security and ubiquitous access, then they could find themselves in a costly and endless loop of failing to achieve either.
Let's explore our goal. Do we want to build an information fort for greater security or an information trading post for greater access? Obviously, the solution falls somewhere in between, but I'll divulge my thesis now: we must start with a predominantly secure solution and work backwards towards transparent access.
At the outset, we need a better way to measure our security risks—or knowledge loss expectancy—and then balance the benefits we gain from using information with the risks of losing it.
When a risk outweighs a benefit, we try to find a way to reduce the risk without losing the benefit—much the same way museum curators maximize viewing opportunities even as they install unseen alarms and transparent screens. Thus, we need to base our decisions on a risk management approach versus a risk avoidance approach.
With 65,535 TCP ports and as many UDP ports on any given network device, attackers can work their way through each potential entry into the security infrastructure. Perfect security literally means guarding simultaneously every one of the doors on a 24x7x365 basis, and never resting.
Can you information security experts determine if the NMCI infrastructure is reasonably secure from this threat without imposing unreasonable obstructions to accessing the vital treasure of information? How can we also master the risk inherent in one of our most vital treasures—information—while doing so in a manner that seems transparent to performing our warfighting and support missions?
Guarding the Information Fort: Security Risk Management
A solid point at which to start is to gather core expertise to manage network security residual risk. We are starting a step ahead of many newly networked organizations by having a risk management infrastructure in place: Commander Naval Network Operations Command (COMNAVNETOPSCOM) (CNNOC, a merger of the former CNCTC and CTF NMCI) is the designated approval authority. Other team members include the DON CIO; OPNAV (N64); PMW 161; HQMC C4; FIWC; Navy Component Task Force-Computer Network Defense (NCTF CND); the Information Strike Force (ISF, the NMCI vendor team); and the Security Enterprise Action Group. They form an experienced and fully networked security community of practice.
The security team’s challenge will be to strive continually to master risk through constant network vigilance, accounting for each and every change in the network state, while considering implications of these changes on security access and ease of management.
Pressure from users and limited staff resources could create tension between security policy and its actual implementation. We need to recognize this enormous undertaking needs to be a core competency inherent in our rapidly growing network.
To get there, we should start with a far greater push toward information systems training and education. Our Navy culture of paying attention to security matters is also a benefit to creating a secure system. First, we can ask you to read network security policy and approach security in a mature, responsible way—and we will…
You can view the NMCI security policies on the NMCI Homeport and the DON CIO website: http://www.doncio.navy.mil/.
We are still working to refine, with the necessary granularity, levels of information we’re trying to protect beyond the classic classification system.
Other improvements we are working on include the ability to streamline and automate operations and to enhance platform integration and distribution.
“Great reading, ho-hum,” you are thinking. “If you ask me to comply, I’ll do it—if it doesn’t become too inconvenient.”
Well, to a great extent, we can make your access to NMCI convenient and still enforce security.
Security Enforcement: Password/USERID
One of the most notable features of the NMCI security strategy is the enterprise-wide attention it gives to deploying a layered, defense-in-depth strategy. Some elements of policy are fairly easily enforceable for any network segment or device.
Contained within this strategy is an integrated security capability built on Public Key Infrastructure (PKI), with username and password authentication. You likely know we employ “userid” and password combinations to increase our confidence in who is getting connected. Both methods are relatively easy to implement and both come bundled as a basic component in Web browsers and servers.
DoD policy dictates that passwords must be eight characters long, combine letters, numbers and punctuation marks, and must be changed frequently. Yet poorly chosen passwords, borrowed card keys and misconfigured network devices easily foil access control and authentication. Further, in most cases those userid and password strings cross the network in the clear: the Basic authentication bundled with Web browsers and servers, for instance, merely base64-encodes them, and base64 is an encoding anyone can reverse, not encryption.
Smart hackers have learned ways to “sniff” these authentication exchanges and then use the stolen combinations. Holding a valid userid and password, they can log in as that user, gain system access, tamper with our network traffic and data, and leave us with expensive data integrity repairs. Therefore, the userid/password method by itself provides a minimal obstacle to attack and misuse.
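To make the “in the clear” point concrete, here is an added example (written for this article, not code from NMCI, the ISF or any vendor). It takes a constructed HTTP request of the kind a sniffer on the LAN would capture, recovers the userid and password from its Basic authentication header with nothing more than base64 decoding, and then checks the recovered password against the policy summarized above. The request, host name, userid and password are all made up for the example, and the policy check encodes the article's summary of the rule, not the full DoD text.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
	"unicode"
)

// sniffedRequest is a constructed sample of what a sniffer on the wire sees
// for one HTTP request that carries a userid and password by Basic
// authentication. It is made up for this example, not a capture from NMCI.
const sniffedRequest = "GET /reports/status HTTP/1.1\r\n" +
	"Host: intranet.example.mil\r\n" +
	"Authorization: Basic amRvZTpOYXZ5IzIwMDEh\r\n" +
	"\r\n"

// RecoverBasicAuth parses a captured request and returns the userid and
// password it carries. Nothing is decrypted: Basic authentication only
// base64-encodes "userid:password", and base64 is an encoding, not a cipher.
func RecoverBasicAuth(raw string) (user, pass string, ok bool) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", "", false
	}
	return req.BasicAuth()
}

// MeetsPolicy encodes the password rule as the article summarizes it: at
// least eight characters, combining letters, numbers and punctuation. The
// exact DoD rules of the period may differ in detail.
func MeetsPolicy(pw string) bool {
	var letter, digit, punct bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			letter = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			punct = true
		}
	}
	return len(pw) >= 8 && letter && digit && punct
}

func main() {
	user, pass, ok := RecoverBasicAuth(sniffedRequest)
	fmt.Printf("recovered=%v userid=%q password=%q meets_policy=%v\n",
		ok, user, pass, MeetsPolicy(pass))
}
```

The password in the sample satisfies the policy, and it is recovered anyway: password strength defends against guessing, not against a sniffer, which is why the next layers (encryption of the channel and CAC/PKI logon) matter.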
Encryption helps to protect the data, but data can be at risk at any time. Let’s shift our attention to another part of the security solution.
When you are using a computer at work, you know you are inside the local area network (LAN) and you can almost imagine the wire that runs from your machine to the server you are accessing. When you want to connect from outside, say from your PC at home, it’s a whole different ball game… right?
Well, not really. That’s because it’s relatively easy, given the operating systems and applications we use, to spoof an address (pretend to be someone other than who you really are). The likelihood of spoofing is higher when connections come from the outside only because there are many more people out there; the ability to spoof an address is the same inside and out, so a source address is never proof of who is at the other end.
Thus, we need to do more. Inside the LAN, we can and do employ a variety of tools to authenticate devices to each other, tools to limit the IP addresses with which users can communicate, tools to define the range of services each user is entitled to, and tools to restrict the kinds of code that can be sent and received. We perform some of these functions for users accessing our networks from the outside, but it’s harder, and because the population of potential points of origin is so much greater, we need to open the door a little wider.
These tools combined with risk management and security policies are not enough. As we open the door to access the World Wide Web, where we know we have the most threats, what else can we do to mitigate security risk?
There are a number of more subtle ways. Here’s one which will soon become familiar to you because you will carry it—literally—in your wallet or purse. It’s called the Common Access Card (CAC) and will replace military and civilian identification cards over the next 18 months. The CAC will allow you access to military bases, the commissary, and medical facilities. It’s what guarantees your Geneva Convention protections if you become a prisoner of war—and it will be what you use to access the NMCI.
On the card is a chip that is actually a tiny computer with three digital certificates embedded, a part of PKI, and you will use them for a variety of purposes, including accessing NMCI.
Each certificate is unique to its holder, and on the network it proves, virtually without question, that you are who you say you are. The certificate itself is public; what makes it trustworthy is that the matching private key lives only on the chip and is used to sign a fresh challenge at each logon. The exchange an attacker could sniff therefore cannot be reused, and the key cannot be copied off the card the way a password can be copied off the wire. Whether you are inside the LAN or accessing the network from home, you will use your CAC and the network will know who you are. Are we secure yet? Getting there…
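The challenge-response logon just described, as an added example that is not part of the original article and not the actual CAC or NMCI implementation. The card is modelled as an object whose only exposed operation is “sign this challenge”; Ed25519 in software stands in for the RSA key held on the real chip, and the server-side nonce bookkeeping is an assumed design. The example shows a genuine logon succeeding, the same sniffed answer failing when replayed, and a signature from a different key failing outright.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Card stands in for the CAC chip. The private key never leaves it; the
// only operation it exposes is signing a challenge. This is a model for
// the example (Ed25519 in software), not the real card, which holds RSA
// keys behind middleware and a PIN.
type Card struct {
	priv ed25519.PrivateKey
}

func (c *Card) Sign(challenge []byte) []byte {
	return ed25519.Sign(c.priv, challenge)
}

// Server holds the public key taken from the user's certificate and the
// challenges it has issued but not yet seen answered.
type Server struct {
	pub         ed25519.PublicKey
	outstanding map[string]bool
}

func NewServer(pub ed25519.PublicKey) *Server {
	return &Server{pub: pub, outstanding: map[string]bool{}}
}

// Challenge issues a fresh random nonce; the card must sign exactly this.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.outstanding[string(nonce)] = true
	return nonce, nil
}

// Verify accepts a signature only over a nonce this server issued and has
// not yet accepted, and only if it verifies under the card's public key.
// A nonce is retired on success, so a sniffed (nonce, signature) pair
// cannot be replayed.
func (s *Server) Verify(nonce, sig []byte) bool {
	if !s.outstanding[string(nonce)] {
		return false
	}
	if !ed25519.Verify(s.pub, nonce, sig) {
		return false
	}
	delete(s.outstanding, string(nonce))
	return true
}

// RunExchange exercises one genuine logon, a replay of the same sniffed
// answer, and a forgery signed with a key that is not the card's.
func RunExchange() (genuine, replay, forged bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	card, server := &Card{priv: priv}, NewServer(pub)

	nonce, err := server.Challenge()
	if err != nil {
		return
	}
	sig := card.Sign(nonce)
	genuine = server.Verify(nonce, sig) // true: fresh nonce, right key
	replay = server.Verify(nonce, sig)  // false: nonce already retired

	nonce2, err := server.Challenge()
	if err != nil {
		return
	}
	forged = server.Verify(nonce2, ed25519.Sign(attackerPriv, nonce2)) // false
	return
}

func main() {
	genuine, replay, forged, err := RunExchange()
	fmt.Printf("genuine=%v replay=%v forged=%v err=%v\n", genuine, replay, forged, err)
}
```

Note that a nonce is retired only after a signature verifies; retiring it on any attempt would let an eavesdropper who sees the challenge spoil the legitimate logon by answering first with garbage. A production server would also expire unanswered nonces after a short time.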
Next we will employ enforcement mechanisms, such as systematically and regularly testing hosts, networks, applications and databases for vulnerabilities.
Certain vulnerabilities can only be identified over the network. For example, the best way to verify that a Web server is susceptible to a denial of service attack is by simulating the attack across a network under controlled conditions. Online weaknesses range from easily guessed or missing passwords, to misconfigured or unauthorized devices, to physical evidence of improper user activity.
These steps illustrate how well we will audit our system to assess the relative risk of our networked world. Then we will be measuring risks and benefits, ranging from the applications from the top of the network stack down to the data moving through copper, fiber and the radio frequency at the bottom.
To manage security risk, we need to guard against threats, understand our vulnerabilities and deploy countermeasures at each layer. Point solutions are barely sufficient to protect a basic networked environment, and only if devices are deployed at a sufficient number of access points.
That’s why NMCI will use the digital equivalent of silent alarms and transparent screens used by museums to protect your data, even as it gives you ample access to it, enabling you to work, learn and communicate globally.
Key to NMCI’s tiered defense-in-depth infrastructure is a sophisticated host- and network-based intrusion detection system. Using the security policy as the basis for its architecture, it includes the installation of firewalls, filtering routers, encryption servers, virus and malicious code scanning software, PKI-enabled Web servers, card keys, virtual private networks (VPNs) and similar technologies.
As a system, these technologies serve as a savvy, experienced online security guard, providing the NMCI the capability to protect, respond and recover from intrusions.
NMCI’s host-based intrusion detection system monitors system event and security logs on servers and workstations. When any of these files change, the intrusion detection system compares the new log entry with attack signatures—telltale patterns indicating the mechanism of an attack—to see if there is a match. If so, the system responds with administrator alerts, port and service closings, and other calls to action, based on the severity of the incursion.
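The log-to-signature matching described above, as an added example written for this article (it is not the ISF's intrusion detection code and the signature set is not NMCI's). Each new log entry is compared against a small set of telltale patterns, each carrying a response tier; failed logons are additionally counted per source address so that a burst from one address is escalated even though a single failure is routine. The log lines follow common sshd, Apache and useradd formats but are constructed for the example, and the host name, addresses and severity actions are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Signature is one telltale pattern plus the response tier it warrants.
type Signature struct {
	Name     string
	Pattern  *regexp.Regexp
	Severity int // 1 alert, 2 alert and block source, 3 alert and close service
}

// Signatures here are written for this example; a deployed HIDS carries a
// vendor-maintained set that is updated as new attacks appear.
var Signatures = []Signature{
	{"ssh-failed-password",
		regexp.MustCompile(`sshd\[\d+\]: Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)`), 1},
	{"web-directory-traversal",
		regexp.MustCompile(`"GET [^"]*\.\./\.\./[^"]*"`), 2},
	{"new-uid0-account",
		regexp.MustCompile(`useradd\[\d+\]: new user: name=\S+, UID=0,`), 3},
}

// Alert is what the HIDS raises for one matching log entry.
type Alert struct {
	Name     string
	Severity int
	Action   string
	Line     string
}

func actionFor(sev int) string {
	switch sev {
	case 3:
		return "alert administrator, close affected service pending review"
	case 2:
		return "alert administrator, block source address"
	default:
		return "alert administrator"
	}
}

// Scan runs each new log entry against the signature set. Failed logons
// are also counted per source address: one failure is routine, but once a
// source reaches burst failures the severity is raised, since guessing
// is under way.
func Scan(lines []string, burst int) []Alert {
	failures := map[string]int{}
	var alerts []Alert
	for _, line := range lines {
		for _, s := range Signatures {
			m := s.Pattern.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			sev := s.Severity
			if s.Name == "ssh-failed-password" {
				failures[m[2]]++
				if failures[m[2]] >= burst {
					sev = 2
				}
			}
			alerts = append(alerts, Alert{s.Name, sev, actionFor(sev), line})
		}
	}
	return alerts
}

// sampleLog is constructed for the example; the lines follow common
// sshd, Apache and useradd formats but record no real host or event.
var sampleLog = []string{
	"Jan 12 03:14:07 host1 sshd[1201]: Failed password for root from 10.0.0.5 port 4042 ssh2",
	"Jan 12 03:14:09 host1 sshd[1203]: Failed password for root from 10.0.0.5 port 4043 ssh2",
	"Jan 12 03:14:11 host1 sshd[1205]: Accepted password for jdoe from 10.0.0.8 port 4050 ssh2",
	"Jan 12 03:14:12 host1 sshd[1207]: Failed password for admin from 10.0.0.5 port 4044 ssh2",
	`Jan 12 03:15:30 host1 httpd: 10.0.0.5 - - [12/Jan/2001:03:15:30 +0000] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0`,
	"Jan 12 03:16:01 host1 useradd[1310]: new user: name=svc_tmp, UID=0, GID=0, home=/, shell=/bin/sh",
}

func main() {
	for _, a := range Scan(sampleLog, 3) {
		fmt.Printf("[sev %d] %-24s %s\n    %s\n", a.Severity, a.Name, a.Action, a.Line)
	}
}
```

With a burst threshold of three, the first two failures from 10.0.0.5 raise routine alerts and the third is escalated to blocking the source; the traversal attempt and the new UID 0 account match on their own.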
The ISF system administrators in the Global Network Operating Center (GNOC), monitored by the DON security team and headed by CNNOC Navy watch teams, will identify and reconfigure other parts of the network susceptible to similar attack. All of these actions are being coordinated with the CINCs, fleet NOCs, NCTF Computer Network Defense, the NMCI program office, and other organizations. They are outlined in “pre-planned responses (PPR).” These PPRs will help us to respond quickly and accurately to network events.
Host-based intrusion detection has grown to include other technologies, such as detecting intrusions by checking key system files and executables at regular intervals for unexpected changes. The timeliness of our response is then bounded by the polling interval: a file altered just after one check goes unnoticed until the next, so a shorter interval narrows the window at the cost of more load on the host.
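The file-integrity polling just described, as an added example written for this article rather than taken from NMCI's host-based system. A baseline of SHA-256 hashes is taken over the watched files; each poll rehashes them and reports any that are modified or missing. The “system files” are a handful of stand-ins created in a temporary directory, and their contents, the trojan and the file names are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// Baseline maps a watched file to the hex SHA-256 of its contents when the
// baseline was taken. The baseline itself must be stored where an intruder
// on the host cannot rewrite it (read-only media or another host).
type Baseline map[string]string

func hashFile(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// Snapshot hashes every watched file to establish the baseline.
func Snapshot(paths []string) (Baseline, error) {
	base := Baseline{}
	for _, p := range paths {
		h, err := hashFile(p)
		if err != nil {
			return nil, err
		}
		base[p] = h
	}
	return base, nil
}

// Poll is what runs once per polling interval: it rehashes every watched
// file and reports, per file, "modified" or "missing". Files that still
// match are not reported.
func Poll(base Baseline) map[string]string {
	changes := map[string]string{}
	for p, want := range base {
		got, err := hashFile(p)
		switch {
		case err != nil:
			changes[p] = "missing"
		case got != want:
			changes[p] = "modified"
		}
	}
	return changes
}

// Demo builds a tiny stand-in file system in a temp directory, baselines
// it, trojans one "executable", deletes one file and polls. It returns
// changes keyed by file name. Contents are constructed for the example.
func Demo() (map[string]string, error) {
	dir, err := os.MkdirTemp("", "hids-poll")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)

	files := map[string]string{
		"login":  "#!/bin/sh\nexec /bin/login.real \"$@\"\n",
		"passwd": "root:x:0:0:root:/root:/bin/sh\n",
		"hosts":  "127.0.0.1 localhost\n",
	}
	var paths []string
	for name, body := range files {
		p := filepath.Join(dir, name)
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	base, err := Snapshot(paths)
	if err != nil {
		return nil, err
	}

	// Intruder activity between two polls: a trojaned login wrapper that
	// also records who logs in, and a removed hosts file.
	trojan := "#!/bin/sh\necho \"$USER\" >> /tmp/.keys\nexec /bin/login.real \"$@\"\n"
	if err := os.WriteFile(filepath.Join(dir, "login"), []byte(trojan), 0o644); err != nil {
		return nil, err
	}
	if err := os.Remove(filepath.Join(dir, "hosts")); err != nil {
		return nil, err
	}

	byName := map[string]string{}
	for p, kind := range Poll(base) {
		byName[filepath.Base(p)] = kind
	}
	return byName, nil
}

func main() {
	changes, err := Demo()
	fmt.Println(changes, err)
}
```

Hashing contents rather than comparing timestamps matters: an intruder who can replace a file can also reset its modification time, but cannot make a different file produce the same SHA-256.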
Complementary to this system is network-based intrusion detection, which listens to port activity, and alerts us when specific ports are accessed. The Network Intrusion Detection System (NIDS) analyzes raw network packets at the data source, utilizing a network adapter running in promiscuous mode to monitor and interpret all traffic in real-time as it travels across the network.
Network-based systems recognize and respond to attacks and misuse in near real-time. Therefore, they are ideal tools for stopping a network penetration before damage occurs and for monitoring an attack in progress. Monitoring is recorded for later forensic examination or possible prosecution.
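The port-activity monitoring just described, as an added example written for this article and not drawn from the NIDS deployed on NMCI. Instead of reading raw frames from an adapter in promiscuous mode, the detector is fed a constructed sequence of (time, source address, destination port) records, which is what a capture reduces to for this purpose. It raises an alert when a watched port is touched and, because it sees each packet as it arrives, flags a port sweep on the very packet that crosses the threshold. The addresses, ports, window and threshold are all assumptions for the example.

```go
package main

import "fmt"

// Packet is the part of a captured header the detector looks at. Times
// are seconds since capture start; all values below are constructed.
type Packet struct {
	T       int
	Src     string
	DstPort int
}

// Detector raises two kinds of alert: any access to a watched port, and a
// port sweep (one source touching at least Threshold distinct ports
// within Window seconds).
type Detector struct {
	Watched   map[int]string
	Window    int
	Threshold int
	recent    map[string][]Packet
	flagged   map[string]bool
}

func NewDetector(watched map[int]string, window, threshold int) *Detector {
	return &Detector{
		Watched: watched, Window: window, Threshold: threshold,
		recent: map[string][]Packet{}, flagged: map[string]bool{},
	}
}

// Observe is called for every packet as the adapter delivers it, so the
// sweep alert fires on the packet that crosses the threshold rather than
// after the capture is reviewed.
func (d *Detector) Observe(p Packet) []string {
	var alerts []string
	if why, ok := d.Watched[p.DstPort]; ok {
		alerts = append(alerts, fmt.Sprintf("t=%d %s -> port %d (%s)", p.T, p.Src, p.DstPort, why))
	}
	// Drop this source's packets that have aged out of the window, then add p.
	kept := d.recent[p.Src][:0]
	for _, q := range d.recent[p.Src] {
		if p.T-q.T <= d.Window {
			kept = append(kept, q)
		}
	}
	d.recent[p.Src] = append(kept, p)

	ports := map[int]bool{}
	for _, q := range d.recent[p.Src] {
		ports[q.DstPort] = true
	}
	if len(ports) >= d.Threshold && !d.flagged[p.Src] {
		d.flagged[p.Src] = true
		alerts = append(alerts, fmt.Sprintf("t=%d %s port sweep: %d ports in %ds", p.T, p.Src, len(ports), d.Window))
	}
	return alerts
}

// sampleCapture interleaves a scanner (10.0.0.5), an ordinary web client
// (10.0.0.8) and one host opening a cleartext telnet session (10.0.0.9).
var sampleCapture = []Packet{
	{0, "10.0.0.5", 21}, {1, "10.0.0.5", 22}, {1, "10.0.0.8", 80},
	{2, "10.0.0.9", 23}, {2, "10.0.0.5", 23}, {3, "10.0.0.5", 25},
	{3, "10.0.0.8", 443}, {4, "10.0.0.5", 80}, {5, "10.0.0.5", 110},
	{6, "10.0.0.5", 139}, {7, "10.0.0.5", 443},
}

// RunSample feeds the constructed capture through a detector that watches
// telnet and NetBIOS and calls five ports in ten seconds a sweep.
func RunSample() []string {
	d := NewDetector(map[int]string{
		23:  "telnet: cleartext logon",
		139: "NetBIOS session",
	}, 10, 5)
	var all []string
	for _, p := range sampleCapture {
		all = append(all, d.Observe(p)...)
	}
	return all
}

func main() {
	for _, a := range RunSample() {
		fmt.Println(a)
	}
}
```

The web client touching two ports never trips the sweep rule, while the scanner is flagged at its fifth distinct port; in a real deployment the alert would feed the pre-planned responses so that the source could be blocked while the sweep is still under way.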
Included in our scans will be both network devices and the NMCI infrastructure, all Web files, applications, intranet servers, firewalls, routers, bridges, hubs, modem banks, remote gateways and databases.
Our service level agreements provide performance targets to maximize the capabilities of security solutions such as firewalls, authentication devices and encryption devices. Contracted technology refreshes will also help to prevent premature security systems obsolescence.
Note that we aren’t focusing solely on the NMCI perimeter because we would still be exposed to internal misuse. Nor are we preventing access to information outside our network environment to discourage internal misuse. It would cause network performance to degrade and leave NMCI users with unnecessary barriers to job performance. If NMCI users become frustrated with obstacles to their efficiency and performance they may begin to subvert the security safeguards. Improper user, group, or file permissions fall into this category. Therefore, we will remain vigilant for internal misuses, since traditionally, insiders conduct the majority of computer intrusions.
Make no mistake—even with all of the tiered network defense security layers in place, including risk management, security training and education, policy, userid/password, CAC/PKI, network auditing, and intrusion detection systems—we cannot cover all security needs and eventualities.
These processes interact with and support point solutions to monitor network security performance, detect vulnerabilities, attacks and misuse, and respond quickly to security violations. Together, they limit the effects of an attack, prevent future incursions and allow us to manage NMCI at an acceptable level of risk.
The more secure we can make NMCI, the greater confidence we will have in information integrity, systems availability, and our ability to improve productivity.
In a world where information is the currency of knowledge superiority, we can’t afford to allow our systems to be bankrupted by knowledge loss.
Recognizing perfect security may not be attainable; NMCI must be able to provide reasonable assurance that we can achieve information availability, integrity, authentication, confidentiality, and non-repudiation. We can achieve ubiquitous access without security, but it is much harder to do with security in place.
Therefore, we must build the best fort we can to enable an information trading post network economy. In other words, access can be achieved with all the pieces in place to protect us from knowledge loss. And that is what we need—limited risk with maximum capability to share information—critical to NMCI’s success.
Capt. Briganti is the Commander Task Force (CTF) Navy Marine Corps Intranet. Capt. Jim Newman (OPNAV N64) and Scott Henderson (PMW 161) provided technical assistance for this article.