cyber security - cio conference
TRANSCRIPT
VA Cyber Security Program: Status Report
Presented to the VA CIO Conference
August 2002
Department of Veterans Affairs
Office of the Assistant Secretary for Information and Technology
Office of Cyber Security
Bruce A. Brody, CISSP
Associate Deputy Assistant Secretary for Cyber Security
What’s Changed?
• Cyber security is no longer fragmented
– Consolidation of headquarters staff
– Eventual relationship with field elements and operational activities to be resolved
• Our breakout sessions will focus on organizational structure and financial planning
– We have a “once-in-a-lifetime” opportunity to organize as a world class cyber security organization
– No operational disruptions
– What SLAs must be executed, and with whom?
• The challenge is huge, and there is much work ahead of us
– We start figuring out the answers this week
Vision
Developed at the February 28, 2002 CIO Conference by the Cyber Security Working Group
Become the model cyber security program within the federal government with a standardized, secure, controlled environment, where the organizational culture collaboratively balances business requirements with security to meet VA’s missions.
Cyber Security Mission
Provide cyber security services to veterans and their dependents that protect the confidentiality, integrity and availability of their private information and enable the timely, uninterrupted and trusted nature of those services
Provide assurances that cost-effective cyber security controls are in place to protect automated information systems from financial fraud, waste and abuse
Together, we will accomplish this mission.
Good News – Bad News
• The OIG, GAO and Congressional oversight bodies tell us that significant progress has been made, although there is much more to do
• OMB considers the Department’s GISRA report to be among the top five in government
• The VA CIRC is awarded and will provide “world class” incident response capability
• VA’s anti-virus program is the largest and most successful in the government – and one of the largest in the world!
• Information security is still a “material weakness”
• OIG: “Much work remains to implement key security initiatives and establish a comprehensive integrated VA security program”
• OIG: GISRA reporting not credible
• GAO: Many actions required to establish a comprehensive security management program
• Progress on Departmental cyber security priorities has been inconsistent
Material Weakness Shortfalls

Entity-wide Security Shortfalls
• Existing policy, procedure and security requirements are not being enforced;
• Risk assessments/penetration testing are not being done;
• Incident reporting to CIRC is not being done or is not timely;
• Annual security awareness training is not being held;
• Warning banners are not being used;
• There is no proactive network monitoring to identify intrusion attempts or other suspicious/unusual activities; and
• There is no structured training curriculum for cyber security staff.

Access Controls Shortfalls
• Unauthorized modem utilization is not being identified;
• Password and user IDs are inadequate to non-existent;
• Some facilities are operating uncertified independent Internet gateways;
• Generic user IDs are being created and shared among multiple users;
• Unlimited logon attempts are allowed; and
• User IDs are not disabled for former/transferred employees or linked to adverse personnel actions.

Application Software Development and Change Controls Shortfalls
• Administrator privileges in Windows NT 4.0 are not controlled;
• Unapproved software is being installed at the desktop; and
• There are inadequate change controls, including controls to ensure that only authorized program code is used in program modifications.

Segregation of Duties Shortfalls
• Application and system change controls are inadequate to protect production data from disclosure to programmer staffs;
• A single person has the ability to request, approve and receive goods and/or services;
• Chain of command for security officers impairs independence; and
• Information security is often a collateral duty.

System Software Control Shortfalls
• Administrator privileges in Windows NT 4.0 are not controlled;
• Remote access software is being installed that opens security vulnerabilities;
• There are inadequate configuration management controls;
• There are inadequate testing, approval and migration controls for system software changes; and
• Upgrades and patches are not current.

Service Continuity, Planning, Implementation and Exercise Shortfalls
• Physical access to computer facilities is not controlled;
• Some centers are vulnerable to water or blast damage;
• Contingency plans are incomplete or not done;
• Annual testing of the plan is not conducted;
• Backups are not stored off-site;
• Combustible materials were stored in a telephone closet; and
• There is no incident response plan or associated team, to include forensics capabilities.
Remediation of OIG’s Top 10 GISRA Priority Weakness Areas (as of July 1, 2002)

Priority Weakness Areas                                      1/31/02   7/1/02   Completed
 1. Intrusion Detection Systems                                  725      537       26%
 2. Anti-virus Protection                                        297        0      100%
 3. Critical Infrastructure Protection                           928      928        0
 4. Data Center Contingency Planning                              18       15       17%
 5. Certification and Accreditation                              300      300        0
 6. Internet Gateway Security                                    272      167       39%
 7. Configuration Management                                     232       83       61%
 8. Relocation of the VACO Data Center                             1        1        0
 9. Application Program/Operating System Change Controls       7,574    4,013       47%
10. Physical Access at Certain Data Centers                       12        8       33%
Totals                                                        10,359    6,044       42%
VA’s GISRA Results (Summary as of July 1, 2002)
During the past year, VA compliance with GISRA has escalated from 53% to 78%
Significant Progress since March 2001
Timeline from March 2001 through July 2002 (January 2002 marked), with these milestones shown on the slide:
• ADAS for Cyber Security arrives
• 2001 GISRA Annual Report
• 2001 VA INFOSEC Conference
• Enterprise Architecture Expedition
• 1st Quarter GISRA Report
• ECSIP MS 0 Approval
• Began VA-wide Anti-Virus Rollout
• VA GISRA Process Top 5 in Gov’t
• VA CIRC Awarded
• C&A Policy Published
• 2002 VA INFOSEC Conference
• Privacy / HIPAA Kickoff
• ROC Pilot
• VA CIO Confirmed
• Completed VA-wide Anti-Virus Rollout
• OCS Reorg
• JPO standup
Callouts on the slide:
VA Anti-Virus Program is now the 3rd largest anti-virus implementation in the world – prevented over 1 million virus attacks in the first six months of operations.
OMB considers VA’s approach to GISRA and its GISRA report to be among the top five in Government.
The New VA CIRC Is Awarded
• VAST (“VA Security Team”), LLC
– Joint venture of SecureInfo, ADTECH Systems, AEM Corp., DSD Labs, SEIDCON Inc., TeamBI Solutions
– Large partners Signal Corp., SAIC, Compaq
• The VA CIRC will provide “world class” incident analysis and response capability for the VA
– 24x7x365 operations through the SOC(s)
– Threat analysis
– Event correlation and analysis
– Forensics
– Technical help desk/Fly away support
• The VA CIRC is the:
– Only incident response capability in the VA
– Central node in VA operational control of security
– Mandatory contract vehicle for VA managed security services
The New VA CIRC
VA-CIRC, operating through the SOCs: 24 x 7 x 365 Incident Response and Incident Management
• Command and Control
• Liaison with National Agencies
• Threat Analysis
• National Help Desk
• Central Incident Database
• Fly Away Support
• Forensics Analysis
• Alerts/Advisories/Bulletins
NOC: Centralized Managed Security Services
• Intrusion Detection Monitoring
• Firewall Management
• Anti-Virus Management
• Software Patch Distribution
• Event Correlation and Analysis
• Audit Log Analysis
• Vulnerability Scanning
• Penetration Testing
• Rapid Engineering
• Remediation Planning
• Compliance Monitoring
ECSIP: for these services, the contract will be the mandatory vehicle for the entire VA.
ECSIP Milestone I/II Approved by SMC (August 6, 2002)
• ECSIP will procure and install cyber security systems to protect external gateway connections and critical information repositories located at the VA’s data centers
– Other internal connections will be protected once the above is complete
• All existing legacy external connections will migrate to an ECSIP configured gateway by September 30, 2004
• Security Operations Centers (SOCs) will centrally and remotely configure, manage and monitor all VA installed cyber security systems
• Local IT staff will provide “hands-on” support of installed cyber security systems
Enterprise Cyber Security Infrastructure Project’s Architecture
Components shown in the architecture diagram:
• N Regional Data Processing Centers (VBA - 3?, VHA - 6?, NCA - 1?, VACO – 1?)
• 1 Information Technology Integration Center: Product Acceptance Testing; Electronic S/W Distribution
• 3? Corporate Data Processing Centers: Electronically Vaulted Data; Distributed Processing (Supports COOP)
• 2 Network/Security Operating Centers (collocated): SOC and Cyber Security Services
• ONE VA
• Other Networks
Legend: Pilot, 3A, 3B
Security Infrastructure for a Generic Data Processing Center (Simplified)
Components shown in the diagram:
• One VA Backbone
• Internet & Other Networks
• VA Facing Server Farm (SDNS/HIDS/Anti-Virus/Content Filter)
• Externally Facing Server Farm (SDNS/HIDS)
• Local Network
• VPN Gateway & IDS
• Dial Up RAS* & IDS
• Firewall & IDS
• Firewall
• Firewall & IDS
* Dial Up RAS May Be An Outsourced Service
The Secretary’s Commitments to Congress
• June 7, 2002 letters to Reps. Buyer and Carson
• VA will implement the following:
– A rigorous qualification and certification program for information security practitioners, managed by OCS
– ISOs will report routinely to OCS on facility security posture
– OCS will add a review and inspection capability to its mission
– OCS will review and have input to ISO performance evaluations
– All training, qualification, certification, credentialing, reporting and audit functions will be managed by OCS
• Initial credentialing to be completed by October 1, 2003
The ISO…
• Must have the authority to
– Enforce the Department’s cyber security policies
– Act on behalf of the CIO and OCS in executing the Department’s cyber security programs
• Must have the independence to
– Report accurately on the security posture of the ISO’s domain
– Report directly to the VA CIRC on all security incidents
– Not be influenced by local pressure
• Must be empowered and motivated to
– Remove the material weakness
– Eliminate GISRA deficiencies
Certification and Accreditation
1. Project Manager prepares the C&A package (SSAA). OCS provides: tools, templates, reference docs, help desk, BPAs.
2. Package submitted to OCS for technical review and Security Test and Evaluation. OCS performs the technical review and conducts the ST&E.
3. Certification decision (Certify). The CA is the ADAS for Cyber Security.
4. Accreditation decision (Accredit). The DAA is the VA CIO.
Need for Increased VA Effort
FY2003 Cyber Security Budget at 8% of VA’s $1.4 billion IT Budget: $112M
Figures shown on the slide:
• Existing OCS Spend Plan: $27M
• Administration Cyber Security Spend Plans: $22M
• Administration Cyber Security Salaries: $27M
• OCS Salaries: $4M
• $80M (the amount referred to in the closing statement)
“8% of the $52 billion proposed Fiscal 2003 IT budget is earmarked for security.” – Richard Clarke, Presidential Cyber Security Advisor, Government Computer News, 3/19/2002
The VA can go a long way towards addressing its cyber security deficiencies if the entire $80 million is spent on doing the right things.
The Department’s Cyber Security Priorities
• Protect the boundary of the enterprise from external attack and lay the Defense in Depth security groundwork for implementing the VA Enterprise Architecture (Target: FY 2002/3)
• Centralize cyber security technology and operational controls wherever practical (Target: FY 2002/3)
• Remove the “material weakness” (Target: FY 2003/4)
• Comply with GISRA and all other legislative requirements (Target: Ongoing)
• Achieve Federal CIO Council and NIST FITSAF Level 4 and get on the path to Level 5 (Target: FY 2003/4)
• Professionalize the VA’s cyber security practitioners (Target: FY 2003/4)
• Become the model cyber security program in the Federal Government (Target: FY 2005)
All of which ensures the confidentiality, integrity and availability of veterans’ private information, and assures that our systems are free from financial fraud, waste and abuse.
Breakout Sessions
• We have a lot of new business to discuss
– How to organize and staff for the future
– Preparation and submission of action plans and spend plans
• We have a lot of regular business to work on
– Updates on ISO certification, ECSIP, VA CIRC
– Review of GAO and OIG recommendations
– Demonstration of the TESS tool
• We will answer all of your questions to the best of our ability
– And we might not have all of the answers this week