The Information Collaboration Imperative Discussion of Homeland Security J. Michael Gibbons, CISSP Vice President, Unisys Federal Security Solutions

Post on 19-Dec-2015

TRANSCRIPT

Page 1: The Information Collaboration Imperative Discussion of Homeland Security J. Michael Gibbons, CISSP Vice President, Unisys Federal Security Solutions

The Information Collaboration Imperative

Discussion of Homeland Security

J. Michael Gibbons, CISSP

Vice President, Unisys Federal Security Solutions

Page 2

What We Will Discuss Today

• Homeland Security Mission and Challenges

• A View of the History of Information Security

• Anonymity – Biometrics as a Solution

• Security Architectures

• Solutions on the Horizon

Page 3

Confidentiality, Integrity and Availability

• New Security Tenets

– Simplicity – La Sencillez, Einfachheit
    – Is there one place to go to get the answer to protect so many different systems and configurations?

– Truth – La Verdad, Wahrheit
    – What is my true risk and what should I do?

– Empathy – La Empatia, Einfühlung
    – Any information security success is victory.

Page 4

Information Sharing Responsibilities, Challenges and Key Management Issues

• U.S. Government report in 2003 said DHS must access, receive and analyze law enforcement information, intelligence information, and other threat, incident and vulnerability information from federal and non-federal sources.

• DHS must develop productive information sharing relationships between federal and state/local governments and with the private sector.

– Private Sector owns or manages 95% of the critical infrastructures.

Page 5

From The General Accounting Office…

• Department of Homeland Security needs to provide appropriate incentives for non-federal entities to increase information sharing with the federal government and enhance other critical infrastructure protection efforts.

Page 6

Analysis and Warning

• DHS must improve the federal government’s capabilities to analyze incident, threat, and vulnerability information obtained from numerous sources and to share appropriate, timely, useful warnings and other information concerning both cyber and physical threats to federal entities, state and local governments, and the private sector.

Page 7

System Integration View Of Homeland Security

Copyright 2004 ST-Infonox

Page 8

Information Security Historical Perspective

• 1986 The Hanover Hackers and Legion of Doom
• 1988 Internet Worm - Robert Morris, $196m losses, Internet Stopped
• 1995 Mitnick - government alleges $80m losses, Source Code Changes
• 1/99 “Cyber warfare” - Civil rights abuses ignite LoU - 2 Chinese hackers sentenced to death
• 4/99 Melissa Virus - $300m, David Smith imprisoned (PC Explore.Zip)
• 12/99 Credit Card Fraud - CD Universe 300,000 cards, blackmail threat of $300,000
• 2/9/00 DDoS - E-commerce attack, Yankee Group ~ $1.2b losses Yahoo/Amazon/Ebay/CNN/Buy.com
• 5/00 - ILoveYou worm (vbs.loveletter.a) ~$1.0b losses in Pac Rim, Europe and North America
• 8/00 Barclays Bank - security breach revealed 1000’s of individual banking accounts
• 7/01 Code Red + Variants – $1.2Billion globally (Nimda, Korna ++)
• 2004 DDOS against London’s Online Gambling Sites, Russian Organized Crime Today, Cyber Terrorists Tomorrow.

Page 9

Cyber Threats to Critical Infrastructures Observed by the FBI

• Criminal Groups

• Foreign Intelligence Services

• Hacktivists

• Information Warfare

• Hackers

• Insider Threats

• Virus Writers

Page 10

We should emulate the Hackers

• Real-time global data exchange
• Trusted covert channels of communication
• Quid pro quo – data exchange in trusted communities with equal give and take
• File and vulnerability sharing with anonymity
• Anonymous work groups to solve problems
• Portable code and high-reuse of working code
• Rapid time to market – Vulnerability to exploit script
• Hiding below the radar

Page 11

Successful Web Site Hacks Daily

[Chart: y-axis 0 to 1600; x-axis 1999 to 2004]

Page 12

Hacking Probes per Day Against Average Single IP Address

[Chart: y-axis 0 to 350; x-axis 1999 to 2004]

Page 13

Trojans & “Bots”

2004 is the Year of the Bot

[Chart: series “New Attack Code Monthly” and “'Owned' Computers x10,000”; y-axis 0 to 700; x-axis 1999 to 2004; callout: 6.5 Million]

Page 14

Number of Unique Phishing Attacks Against Financial Organizations

[Chart: series “Unique Attacks”; y-axis 0 to 1600; x-axis Dec-03 to Jun-04]

Source: http://www.antiphishing.org/APWG_Phishing_Attack_Report-Jun2004.pdf

Page 15

Malicious Mail - Spam, Spyware, Worms, Virus, Phishing, Extortion, Scams…

[Chart: series “Misuse as % of Email”; y-axis 0 to 80; x-axis Jan-04 to Jul-04]

Page 16

How would you act if you knew you would be caught?

• Anonymity in Cyberspace creates a condition where people who believe their actions are anonymous will act differently than they would if all of their actions were attributable to them.

Page 17

How do you verify Identity?

• Something You Know – sometimes identifiable
– Password, family name, date of birth, word/phrase, mortgage balance, bank transaction amount, etc.

• Something You Have
– Driver license, passport, token (PKI), etc.

• Something You Are
– Physical Characteristics: DNA, fingerprint, iris, facial, retina, voice, hand, etc.
– Behavioral Characteristics: Signature, gait, etc.

Biometrics is the automated technique of measuring a physical characteristic or personal trait and comparing to a database for purposes of identification.

Page 18

Protecting Access - A Role for Biometrics

Fingerprint ID

Iris Recognition

Face Recognition

Network Access

What you know: Username/Password

Who you are: Biometrics

Physical Access

Handprint

Fingerprint ID

Iris Recognition

Face Recognition

Page 19

Access Control

• Control access to facilities
• Control access to networks
• Eliminate, reduce need for
– PIN numbers
– Multiple passwords
– Multiple key cards
– Physical security personnel
• Can be integrated with
– Other biometric solutions for multiple or layered security
– Electronic locks, man traps, turnstiles, etc.
– Common access, smart, proximity, or other cards

Page 20

Choosing and Using a Biometric

• Accuracy – uniqueness, stability

• User Acceptance – Less Intrusive and Easier to Use is better

• Cost

• Token / card

• Multiple Biometrics & Compatibility

• Security & Privacy

• Integrated Solutions for layered security and record keeping

Page 21

Hand Geometry

• Uses geometric shape of the hand for verification. For example,
– Length
– Thickness
– Width

• Acceptable for verification purposes.

• Not considered robust enough to support recognition because human geometric measurements are not “unique.”

• “Uniqueness” is a key issue and concern!

Page 22

Fingerprint Recognition

• Uses relation of key points and features of the finger for verification.

• Acceptable for verification purposes.

• Most widely used biometric today

[Figure: fingerprint minutiae diagram; labels: ridge bifurcation, ridge, relation, ridge ending, clear zone, unclear zone, primary minutia, neighbour]

Page 23

Facial Recognition

Figure 3: Examples of local features derived by LFA.

The algorithm recognizes the fact that most complex patterns are built from a more fundamental set of “localized” and “stereo-typed” features or landmarks. For example, faces are not global patterns; rather they are built from a collection of local features (eyes, noses, brow, cheek and jaw bone structure, mouths, etc). The algorithm allows for the automatic detection of these landmarks and defines identity in terms of the spatial relationship between them. A computer can detect about 80 potential landmarks on a face. However, because LFA is characterized by built-in redundancy, only 14 landmarks (the most predictive points) need to be visible for an identity to be determined.

Local Feature Analysis

• Complex patterns are built from a more fundamental set of landmarks

• Defines identity from spatial relationships

• 80 potential landmarks

• Uses 14 most predictive points

• Automatic landmark detection

Page 24

Iris Pattern

• Each iris is theoretically unique

• Iris is potentially the best biometrics technology because it
– offers a large amount of feature data (266 measurable)
– is naturally protected from the external environment by the cornea, does not change
– is non-invasive, visible - Easy to photograph
– Probability of producing the exact same IrisCode™ record is 1 in 10^78

[Figure: iris diagram; labels: iris, collarette, crypts, radial furrows, ciliary area, pupillary area, pupil, pigment frill]

Page 25

Global Third Party Authentication Study – U.S. Government

• How do you identify a person on the other end of a transaction without a biometric or shared secret?

• Information on individuals that was “out of pocket” lay primarily in the financial services industry including credit bureaus and financial institutions. Non-standard and lacking.
– Mortgage Amount
– Utility Bills
– Former Addresses of Residence
– Personally Identifiable Data

Page 26

Regulatory Drivers/Requirements

• United States
– Computer Fraud and Abuse Act 1986
– Gramm-Leach-Bliley Act (GLBA)
– HIPAA Security & Privacy Act
– Federal Information Security Management Act
– Aviation and Transportation Security Act
– Homeland Security / Patriot Act

• European Union
– Data Protection Directive
– EU Digital Signature Directive
– EU Privacy Act

Page 27

Agencies now need to Incorporate and Fund Security in Information Systems Investments from Cradle to Grave.

Our Office of Management and Budget (OMB) will consider new or continued funding only for those system investments that satisfy new security criteria and will consider funding information technology investments only upon demonstration that existing agency systems meet these criteria.

U.S. Government Implementing a Life Cycle Approach

Page 28

U.S. Security Program Framework

• Level 1: Documented Policy
• Level 2: Documented Procedures
• Level 3: Implemented Procedures and Controls
• Level 4: Testing Effectiveness of Procedures and Controls
• Level 5: Fully Integrated Procedures and Controls

This program needs to be developed over time.

This framework allows you to:

• Measure the current status of your Security Program

• Establish an integrated, repeatable process to manage your Security Program

Page 29

Defense in Depth Approach

Screening Routers; Proxies & Firewalls; Intrusion Prevention; Configuration Control

Network Segmentation; Encryption; Certification & Accreditation; Risk Assessment

Host Based Intrusion Detection (IDS); System & Event Logging and Analysis; User and Identity Management; Vulnerability Assessments

Managed Security Services; Network Distributed IDS; Virus Detection; Hostile Code Screening

Detection

Make Exploits Difficult

Identify Concerns

Respond and Improve

Real Time Alerts; Console Notification; Restrict Access

Active Resets; System Analysis Tools; Investigate Events

Response

Prevention

Page 30

Security Architecture

Defense-in-Depth Meets BS-7799

People Process Technology

Preventative

Detective

Reactive

Policies and Procedures

Training & Awareness

System Security Administration

Physical Security

Personnel Security

Identification & Authentication Architecture

User Provisioning

Access Control Architecture

Secure Network Architecture

Acquisition/Integration of Evaluated Products

System Vulnerability Assessment

Security Strategy

Security Policy

Certification and Accreditation

Security Management

Key Management

Legislative Compliance

Readiness Assessments

Legal Countermeasures

Facilities Countermeasures

Recovery & Reconstitution

Data Retention Procedures

Attack Sensing, Warning and Response Services (ASW&R)

Log Monitoring Procedures

Operations Staff

Periodic Independent Audits

Auditing Tools

Intrusion Detection

System Health / Traffic Analysis

Backup Strategies

Page 31

Managed Federal Security Services

Unisys Security Program Management

Identity and Access Management
Vulnerability and Incident Management
Configuration Management
Continuity of Operations

Security Governance
Security Operations

CM/Change Control; Inventory/Asset Mgmt & Control; SDLC Security; ACL/GPO Mgmt; Firewall Mgmt; Wireless Security

Policies Procedures Interconnections Situational Awareness

Project Mgmt Planning Training Workflow Resolution Discipline

IR; Forensics; Patch Mgmt; IDS/IPS; Vulnerability Mgmt; AV; Malicious Code Protection; Content Filtering

SSO; RA/VPN; PKI; Smart Cards; Biometrics; Directory Services

BIA; DR; CP; CoS

Policies Oversight Compliance Sourcing & Contract Support Metrics & Reporting

Federal Security Operations Center (SOC)

Control Implementation & Integration

Unisys Federal IT Security Framework

Copyright 2005

Continuous Monitoring
Security Architecture
System Security Plan
Security Control Assessment & Testing
Risk Assessment

NIST Special Publication 800-53 Final / FIPS 200

Access Control
Security Awareness & Training
Audit & Accountability
Certification, Accreditation & Security Assessment
Configuration Management
Contingency Planning
Identification & Authentication
Incident Response
Maintenance Control
Media Protection
Physical & Environmental Protection
Security Planning
Personnel Security
Risk Assessment
System & Services Acquisition
System & Communications Protection
System and Information Integrity

Certification & Accreditation

Applications and Systems

Page 32

1986 to 2004 - What Have We Learned?

• Risks and Vulnerabilities are shared Globally in real time. Solutions must follow this trend.

• 16 minutes to Patch new systems. (SANS)

• Technology alone won’t protect you. You need a comprehensive security program that addresses threats from the inside and outside.

• “I was the person quoted that 80% of your risk was from insiders, with Internet connections the reverse is now the case.”– Richard Powers, Computer Security Institute.

Page 33

Computer Forensics Need on the Rise

Page 34

Solutions on the Horizon

• Learning intrusion prevention

• High speed service based data analysis

• Application vulnerability analysis

• Natural language analysis vs. signatures

• Behavior based network signatures

• Forensic reconstruction of intercepted data

Page 35

J. Michael Gibbons, VP / GM Federal Security [email protected]

• Mr. Gibbons leads the Unisys Federal Security Solutions Practice. Mike Gibbons joined Unisys in May 2004, after a 15-year career with the Federal Bureau of Investigation and five years leading a “Big-5” Security Practice. Mr. Gibbons has managed Information Technology (IT) security projects including requirements development, planning and integration of technical solutions, strategic program development, firewalls, network monitoring, access controls, and Intrusion Detection Systems. He is a Certified Information Systems Security Professional.

• Relevant Experience

Leads a Public Services solutions team that delivers security policy, assessment, architecture, and integration of security products and services.

Led the program review and development of an information system security monitoring program for the Federal Deposit Insurance Corporation.

Developed the methodology for independently evaluating the Department of Justice Certification and Accreditation activities.

Led the survey and analysis of third party identification methods available to validate individuals' identities in Internet transactions for the U.S. Social Security Administration.

Developed enterprise-wide information security program including policy, training and security governance for the United States Department of Education’s Office of Student Financial Assistance. This office manages $35 Billion in student loan transactions each year.

Developed a white-paper and feasibility study on the use of PKI technology for financial partners doing business with students nationwide, then led a team that developed the policy and system used by students nationwide to sign electronic promissory notes.

Established and managed the National Infrastructure Protection Center’s Computer Investigations Unit. Also established the office tasked to provide integration and technical support to FBI Field Offices including personal computers, network servers, routers, firewalls, intrusion detection systems, and virtual private networks (VPN).

Recognized as an expert witness on telecommunications fraud in United States Federal Court, and has been brought into numerous high-tech companies to discuss management of IT security products and services.

Received a letter of commendation from the FBI Director in 1997 for leading a Red Team that performed an extensive review of the FBI’s internal data processing systems.

Investigating Case Agent on the Hannover Hackers Case, detailed in the best selling book "The Cuckoo's Egg." Special Agent assigned to the Internet Worm Case, which was the first prosecution for the Federal Computer Fraud and Abuse Act of 1986.

• When he left Federal Service, Mr. Gibbons was the Chief of the Computer Investigations Unit located in the National Infrastructure Protection Center, where he directed FBI computer intrusion investigations worldwide. Mr. Gibbons graduated with distinction from the National Defense University's Information Resources Management College in April 1993. He speaks on security regularly, including the 2002 and 2003 Federal Information Assurance Conferences, Microsoft Fusion Conferences, Department of Energy Computer Security Training Conference, Fox News Channel, The New York Times, Washington Post, Business Week, Forbes, Gartner Sector 5 Cyber Terrorism Summit, and the eGov Conference. He holds an active U.S. Government Top Secret Clearance.