Cyber Security - CIO Conference


Transcript of Cyber Security - CIO Conference

VA Cyber Security Program: Status Report

Presented to the VA CIO Conference

August 2002

Department of Veterans Affairs
Office of the Assistant Secretary for Information and Technology

Office of Cyber Security

Bruce A. Brody, CISSP

Associate Deputy Assistant Secretary for Cyber Security

2

What’s Changed?

• Cyber security is no longer fragmented

– Consolidation of headquarters staff

– Eventual relationship with field elements and operational activities to be resolved

• Our breakout sessions will focus on organizational structure and financial planning

– We have a “once-in-a-lifetime” opportunity to organize as a world class cyber security organization

– No operational disruptions

– What SLAs must be executed, and with whom?

• The challenge is huge, and there is much work ahead of us

– We start figuring out the answers this week

3

Vision

Developed at the February 28, 2002 CIO Conference by the Cyber Security Working Group

Become the model cyber security program within the federal government with a standardized, secure, controlled environment, where the organizational culture collaboratively balances business requirements with security to meet VA’s missions.

4

Cyber Security Mission

Provide cyber security services to veterans and their dependents that protect the confidentiality, integrity and availability of their private information and enable the timely, uninterrupted and trusted nature of those services

Provide assurances that cost-effective cyber security controls are in place to protect automated information systems from financial fraud, waste and abuse

Together, we will accomplish this mission.

5

Good News – Bad News

• The OIG, GAO and Congressional oversight bodies tell us that significant progress has been made, although there is much more to do

• OMB considers the Department’s GISRA report to be among the top five in government

• The VA CIRC is awarded and will provide “world class” incident response capability

• VA’s anti-virus program is the largest and most successful in the government – and one of the largest in the world!

• Information security is still a “material weakness”

• OIG: “Much work remains to implement key security initiatives and establish a comprehensive integrated VA security program”

• OIG: GISRA reporting not credible

• GAO: Many actions required to establish a comprehensive security management program

• Progress on Departmental cyber security priorities has been inconsistent

6

Material Weakness Shortfalls

Entity-wide Security Shortfalls

Existing policy, procedure and security requirements are not being enforced;

Risk assessments/penetration testing are not being done;

Incident reporting to CIRC is not being done or is not timely;

Annual security awareness training is not being held;

Warning banners are not being used;

There is no proactive network monitoring to identify intrusion attempts or other suspicious/unusual activities; and

There is no structured training curriculum for cyber security staff.

Access Controls Shortfalls

Unauthorized modem utilization is not being identified;

Passwords and user IDs are inadequate to non-existent;

Some facilities are operating uncertified independent Internet gateways;

Generic user IDs are being created and shared among multiple users;

Unlimited logon attempts are allowed; and

User IDs are not disabled for former/transferred employees or linked to adverse personnel actions.

Application Software Development and Change Controls Shortfalls

Administrator privileges in Windows NT 4.0 are not controlled;

Unapproved software is being installed at the desktop; and

There are inadequate change controls, including controls to ensure that only authorized program code is used in program modifications.

Segregation of Duties Shortfalls

Application and system change controls are inadequate to protect production data from disclosure to programmer staffs;

A single person has the ability to request, approve and receive goods and/or services;

Chain of command for security officers impairs independence; and

Information security is often a collateral duty.

System Software Control Shortfalls

Administrator privileges in Windows NT 4.0 are not controlled;

Remote access software is being installed that opens security vulnerabilities;

There are inadequate configuration management controls;

There are inadequate testing, approval and migration controls for system software changes; and

Upgrades and patches are not current.

Service Continuity, Planning, Implementation and Exercise Shortfalls

Physical access to computer facilities is not controlled;

Some centers are vulnerable to water or blast damage;

Contingency plans are incomplete or not done;

Annual testing of the plan is not conducted;

Backups are not stored off-site;

Combustible materials were stored in a telephone closet; and

There is no incident response plan or associated team, to include forensics capabilities.

7

Remediation of OIG’s Top 10 GISRA Priority Weakness Areas (as of July 1, 2002)

Priority Weakness Area                                     1/31/02    7/1/02   Completed
 1. Intrusion Detection Systems                                725       537         26%
 2. Anti-virus Protection                                      297         0        100%
 3. Critical Infrastructure Protection                         928       928          0
 4. Data Center Contingency Planning                            18        15         17%
 5. Certification and Accreditation                            300       300          0
 6. Internet Gateway Security                                  272       167         39%
 7. Configuration Management                                   232        83         61%
 8. Relocation of the VACO Data Center                           1         1          0
 9. Application Program/Operating System Change Controls     7,574     4,013         47%
10. Physical Access at Certain Data Centers                     12         8         33%
Totals                                                      10,359     6,044         42%

8

VA’s GISRA Results (Summary as of July 1, 2002)

During the past year, VA compliance with GISRA has escalated from 53% to 78%

9

Significant Progress since March 2001

[Timeline figure with markers at March 2001, January 2002 and July 2002; milestones shown:]

– ADAS for Cyber Security Arrives

– 2001 GISRA Annual Report

– 2001 VA INFOSEC Conference

– Enterprise Architecture Expedition

– 1st Quarter GISRA Report

– ECSIP MS 0 Approval

– Began VA-wide Anti-Virus Rollout

– VA GISRA Process Top 5 in Gov’t

– VA CIRC Awarded

– C&A Policy Published

– 2002 VA INFOSEC Conference

– Privacy / HIPAA Kickoff

– ROC Pilot

– VA CIO Confirmed

– Completed VA-wide Anti-Virus Rollout

– OCS Reorg

– JPO standup

Callouts on the figure:

VA Anti-Virus Program is now the 3rd largest anti-virus implementation in the world – prevented over 1 million virus attacks in the first six months of operations.

OMB considers VA’s approach to GISRA and its GISRA report to be among the top five in Government.

10

The New VA CIRC Is Awarded

• VAST (“VA Security Team”), LLC

– Joint venture of SecureInfo, ADTECH Systems, AEM Corp., DSD Labs, SEIDCON Inc., TeamBI Solutions

– Large partners Signal Corp., SAIC, Compaq

• The VA CIRC will provide “world class” incident analysis and response capability for the VA

– 24x7x365 operations through the SOC(s)

– Threat analysis

– Event correlation and analysis

– Forensics

– Technical help desk/Fly away support

• The VA CIRC is the:

– Only incident response capability in the VA

– Central node in VA operational control of security

– Mandatory contract vehicle for VA managed security services

11

The New VA CIRC

[Diagram: VA-CIRC with SOC(s), NOC and ECSIP; contents shown:]

VA-CIRC / SOC(s): 24 x 7 x 365 Incident Response and Incident Management

• Command and Control

• Liaison with National Agencies

• Threat Analysis

• National Help Desk

• Central Incident Database

• Fly Away Support

• Forensics Analysis

• Alerts/Advisories/Bulletins

NOC: Centralized Managed Security Services

• Intrusion Detection Monitoring

• Firewall Management

• Anti-Virus Management

• Software Patch Distribution

• Event Correlation and Analysis

• Audit Log Analysis

• Vulnerability Scanning

• Penetration Testing

• Rapid Engineering

• Remediation Planning

• Compliance Monitoring

ECSIP

For these services, the contract will be the mandatory vehicle for the entire VA

12

ECSIP Milestone I/II

Approved by SMC (August 6, 2002)

• ECSIP will procure and install cyber security systems to protect external gateway connections and critical information repositories located at the VA’s data centers

– Other internal connections will be protected once the above is complete

• All existing legacy external connections will migrate to an ECSIP configured gateway by September 30, 2004

• Security Operations Centers (SOCs) will centrally and remotely configure, manage and monitor all VA installed cyber security systems

• Local IT staff will provide “hands-on” support of installed cyber security systems

13

Enterprise Cyber Security Infrastructure Project’s Architecture

[Architecture diagram; components shown:]

– N Regional Data Processing Centers (VBA - 3?, VHA - 6?, NCA - 1?, VACO – 1?)

– 1 Information Technology Integration Center: Product Acceptance Testing, Electronic S/W Distribution

– 3? Corporate Data Processing Centers: Electronically Vaulted Data, Distributed Processing (Supports COOP)

– 2 Network/Security Operating Centers (Collocated)

– ONE VA SOC and Cyber Security Services

– Other Networks

Legend: Pilot, 3A, 3B

14

Security Infrastructure for a Generic Data Processing Center (Simplified)

[Network diagram; elements shown:]

– One VA Backbone

– Internet & Other Networks

– VA Facing Server Farm (SDNS/HIDS/Anti-Virus/Content Filter)

– Externally Facing Server Farm (SDNS/HIDS)

– Local Network

– VPN Gateway & IDS

– Dial Up RAS* & IDS

– Firewall & IDS

– Firewall

– Firewall & IDS

* Dial Up RAS May Be An Outsourced Service

15

The Secretary’s

Commitments to Congress

• June 7, 2002 letters to Reps. Buyer and Carson

• VA will implement the following:

– A rigorous qualification and certification program for information security practitioners, managed by OCS

– ISOs will report routinely to OCS on facility security posture

– OCS will add a review and inspection capability to its mission

– OCS will review and have input to ISO performance evaluations

– All training, qualification, certification, credentialing, reporting and audit functions will be managed by OCS

• Initial credentialing to be completed by October 1, 2003

16

The ISO….

• Must have the authority to

– Enforce the Department’s cyber security policies

– Act on behalf of the CIO and OCS in executing the Department’s cyber security programs

• Must have the independence to

– Report accurately on the security posture of the ISO’s domain

– Report directly to the VA CIRC on all security incidents

– Not be influenced by local pressure

• Must be empowered and motivated to

– Remove the material weakness

– Eliminate GISRA deficiencies

17

Certification and Accreditation

[Process diagram; steps shown:]

1. Project Manager prepares C&A package (SSAA). OCS provides: Tools, Templates, Reference Docs, Help Desk, BPAs

2. Package submitted to OCS: Technical Review, Security Test and Evaluation. OCS performs the technical review and conducts ST&E

3. Certification decision (Certify): CA is the ADAS for Cyber Security

4. Accreditation decision (Accredit): DAA is the VA CIO

18

Need for Increased VA Effort

[Budget chart; labels shown:]

– FY2003 Cyber Security Budget at 8% of VA’s $1.4 billion IT Budget: $112M

– Existing OCS Spend Plan: $27M

– Administration Cyber Security Spend Plans: $22M

– Administration Cyber Security Salaries: $27M

– OCS Salaries: $4M

– $80M

Richard Clarke, Presidential Cyber Security Advisor, Government Computer News, 3/19/2002: “8% of the $52 billion proposed Fiscal 2003 IT budget is earmarked for security.”

The VA can go a long way towards addressing its cyber security deficiencies if the entire $80 million is spent on doing the right things.

19

The Department’s Cyber Security Priorities

• Protect the boundary of the enterprise from external attack and lay the Defense in Depth security groundwork for implementing the VA Enterprise Architecture (Target: FY 2002/3)

• Centralize cyber security technology and operational controls wherever practical (Target: FY 2002/3)

• Remove the “material weakness” (Target: FY 2003/4)

• Comply with GISRA and all other legislative requirements (Target: Ongoing)

• Achieve Federal CIO Council and NIST FITSAF Level 4 and get on the path to Level 5 (Target: FY 2003/4)

• Professionalize the VA’s cyber security practitioners (Target: FY 2003/4)

• Become the model cyber security program in the Federal Government (Target: FY 2005)

All of which ensures the confidentiality, integrity and availability of veterans’ private information, and assures that our systems are free from financial fraud, waste and abuse.

20

Breakout Sessions

• We have a lot of new business to discuss

– How to organize and staff for the future

– Preparation and submission of action plans and spend plans

• We have a lot of regular business to work on

– Updates on ISO certification, ECSIP, VA CIRC

– Review of GAO and OIG recommendations

– Demonstration of the TESS tool

• We will answer all of your questions to the best of our ability

– And we might not have all of the answers this week