IAnewsletter: The Newsletter for Information Assurance Technology Professionals
Volume 15 Number 3 • Summer 2012

IA on a Tight Budget

Also inside:
The Keys to Better Security on a Tight Budget
Subject Matter Expert: COL Gregory Conti
The Biometrics Capability Maturity Model
Responsible Information Sharing Part II: Sharing Responsibly
United States Service Academies
Searching For the Best—U.S. Cyber Challenge
USENIX Federated Conferences Week

Excellence • Service • in Information

IAnewsletter Vol 15 No 3 Summer 2012 • http://iac.dtic.mil/iatac

Contents

Feature

4 Balancing an Agency’s Information Security Spending
This article presents a simple way of thinking about the overall information technology (IT) security ecosystem that can aid in answering questions related to where the next security dollar should go. This article suggests that many organizations may need to rebalance their investments.

8 The Keys to Better Security on a Tight Budget
Information security managers in government today are facing the most challenging fiscal environment in decades. While the phrase “doing more with less” sounds like a reasonable and practical approach, how is it really possible to secure systems on decreasing budgets?

11 Subject Matter Expert: COL Gregory Conti
The subject matter expert profiled in this article is Colonel Gregory Conti at the United States Military Academy (USMA), a Military Intelligence Officer and Academy Professor at the Department of Electrical Engineering and Computer Science.

12 The Biometrics Capability Maturity Model
Organizations today are developing enhanced security policies and regulations due to increased awareness of potential security risks. Those who integrate biometrics technologies into existing physical and IT processes are significantly increasing information assurance (IA) and provide a more secure operating environment.

16 Responsible Information Sharing Part II: Sharing Responsibly
The need to share information should be better balanced with the need to protect information. This article highlights challenges and emerging solutions for achieving responsible information sharing.

24 United States Service Academies
The United States Service academies are federal undergraduate academies that offer education and training in a military environment. This article showcases their IA and cybersecurity academic programs.

26 Searching For the Best—U.S. Cyber Challenge
The U.S. Cyber Challenge provides a range of opportunities to identify and nurture talented young Americans by casting a wide net to enable them to demonstrate their skills, and then make them aware of other opportunities, help develop their skills, and improve their knowledge in making our nation’s cyber environment safe.

28 USENIX Federated Conferences Week
This event combined a variety of conferences and workshops into a week-long affair that allowed participants to get an intensive look at various IA developments.

About IATAC and the IAnewsletter
The IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a Department of Defense (DoD) sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), and Assistant Secretary of Defense for Research & Engineering ASD(R&E).

Contents of the IAnewsletter are not necessarily the official views of or endorsed by the US Government, DoD, DTIC, or ASD(R&E). The mention of commercial products does not imply endorsement by DoD or ASD(R&E).

Inquiries about IATAC capabilities, products, and services may be addressed to—
IATAC Director: Gene Tyler
Inquiry Services: Karen Goertzel

If you are interested in contacting an author directly, please e-mail us at [email protected].

IAnewsletter Staff
Chief Editor: Gene Tyler
Assistant Editor: Kristin Evans
Art Director: Tammy Black
Copy Editor: Alexandra Sveum
Editorial Board: Al Arnold, Angela Orebaugh
Designers: Tammy Black, Michelle Deprenger, Lacey Olivares

IAnewsletter Article Submissions
To submit your articles, notices, programs, or ideas for future issues, please visit http://iac.dtic.mil/iatac/IA_newsletter.jsp and download an “Article Instructions” packet.

IAnewsletter Address Changes/Additions/Deletions
To change, add, or delete your mailing or e-mail address (soft-copy receipt), please contact us at—
IATAC
Attn: Peggy O’Connor
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
E-mail: [email protected]
URL: http://iac.dtic.mil/iatac

Cover design: Tammy Black
Newsletter design: Donald Rowe

Distribution Statement A: Approved for public release; distribution is unlimited.

In every issue
3 IATAC Chat
25 Letter to the Editor
29 Products Order Form
30 Calendar

Cyber Security & Information Systems Directors’ Chat

In our winter 2012 edition of the IAnewsletter, Christopher Zember, Deputy Director of the Defense Technical Information Center (DTIC) Information Analysis Center (IAC) Program, contributed an article detailing the inception of the Department of Defense’s (DoD) Cybersecurity IAC (CSIAC). This IAC is poised to become DoD’s cybersecurity resource center.

In June 2012, DTIC announced that Quanterion Solutions Incorporated, a small business located in Utica, New York, with long-standing ties to the IAC Program, was awarded the contract to operate CSIAC for DoD. On 16 July, Quanterion began working with the Information Assurance Technology Analysis Center (IATAC) to begin the transition, and since the signing of their contract in June, Quanterion has already begun the stand-up of CSIAC, fully integrating best practices and resources that IATAC has developed into CSIAC, ensuring it can provide DoD with critical cybersecurity information and resources. With this transition, IATAC will no longer be publishing the IAnewsletter; however, readers should look forward to receiving CSIAC’s Cyber Security and Information Systems IAC Journal in the coming months, which will continue the long-standing tradition of publishing cutting-edge IA/cybersecurity articles from experts across various organizations.

The IATAC/CSIAC transition will be complete by 13 October 2012, at which point IATAC will end its tenure and Quanterion will be well on its way, engaging the DoD, the federal government, academia, and industry communities to ensure they are receiving accurate and up-to-date information about cybersecurity initiatives. As the Director of IATAC, and from working closely with Quanterion in support of the IAC Program, I am confident that CSIAC will promote continued success across the IA/cybersecurity community as it provides organizations with information products and services essential to addressing their cyber needs.

Booz Allen Hamilton has taken much pride in hosting IATAC for you and the government. It now gives me great pleasure to introduce our readership to Tom McGibbon, Quanterion’s CSIAC Director. See you on the high ground!

CSIAC will serve as a Center of Excellence for the DoD in Cyber Security, Modeling & Simulation, Knowledge Management and Software Engineering. The Center will be focused on leveraging knowledge bases, best practices and expertise from industry, government and academia in each of the technology domain areas. It is a consolidation of three legacy IACs including IATAC, the Data & Analysis Center for Software (DACS), and the Modeling and Simulation Information Analysis Center (MSIAC). Support for the mission of these legacy IACs will now be provided through this new Center.

Quanterion and its personnel have had a long history of IAC operation, including operation of the DACS basic center operations and operation of the Reliability Information Analysis Center core operations as a subcontractor. As CSIAC’s Director, I bring 17 years of experience as the DACS Director. Quanterion’s President, Preston MacDiarmid, and other senior Quanterion personnel also have had many years of IAC management experience.

This new Center, while continuing much of the legacy IAC work, will also be focusing on two major new initiatives: (1) through collaboration with our subject matter experts and partners, we will be implementing and facilitating a collaborative community of practice website, and (2) we will be focusing our products on and emphasizing the Better Buying Power (BBP) Initiative.

More information about these new initiatives will be covered in our first Cyber Security and Information Systems IAC Journal. Look for our first Journal in October 2012. Also, please check out our website at http://www.thecsiac.com/!

Balancing an Agency’s Information Security Spending
by Keren W. Cummins

A Growing Role for Proactive Security Solutions

Federal information security officers (ISOs) have a wide array of different programs and solutions to try to track: vulnerability management, configuration auditing, anti-virus and endpoint protection, identity/access management, and data loss prevention. Every year adds new classes of threats to defend against, new categories of solutions to help secure the enterprise, and new products and vendors that claim to solve the current “most critical issue.” Just assessing the value or the performance of a single program in itself is a challenge. Evaluating these variables together generates a new, more difficult set of questions. What is the right balance of resources? How should we invest the incremental security dollar across the broad range of existing and prospective security solutions and programs that comprise the comprehensive information security program?

While the correct answers depend on the particulars of an organization’s mission, programs, data, environment, and threat context, there are some helpful ways to think about this balance. This article presents a simple way of thinking about the overall information technology (IT) security ecosystem that can aid in answering questions related to where the next security dollar should go. Note that this methodology suggests that many organizations may need to rebalance their investments.

Where Do Solutions Engage?

With respect to an attack—one that has taken place, or one that you are working to prevent—security solutions fall somewhere on a spectrum spanning three categories: proactive, active, and reactive. For this framing, these are not normative terms that impute any special value to one end of the spectrum or the other (e.g., proactive = good; reactive = bad). These categories simply describe where each security solution adds value with respect to an attack or an undesired event (before, during, or after).

In the context of an attack, active security technologies are those that attempt to “stop the bullets in flight.” They create barriers to an attack, or they recognize an attack as it is occurring and take steps to stop it. Once the figurative bullet has penetrated, reactive technologies are then used to understand what damage it caused. The reactive technologies are used to determine what happened in the attack, what credentials were compromised, what personally identifiable information or other sensitive information was stolen, etc.

Figure 1 Security spectrum categories. [Figure: a spectrum running from Reactive (Forensics, Reporting) through Active (Monitoring/Alerting/Blocking) to Proactive (Auditing/Risk Assessment), placing along it: Security Information Management, Security Event Management, Log Management, Firewalls, Intrusion Detection System/Intrusion Prevention System, Data Encryption, Vulnerability Assessment, Configuration Compliance, Data Monitoring/Auditing, Web App Scanning, File Integrity Monitoring, Information Technology—Governance, Risk Management, and Compliance, Network/Data Behavior Analysis, Network/Asset Discovery, Data Discovery, Network Topology Assessment, Identity Access Auditing, Anti-Virus/Spyware, Data Leakage (DLP), Networking Activity Monitoring, Identity Access Management, Network Access Control (NAC), E-mail/SPAM/Gateway.]

Proactive technologies function independent of any single attack and operate under the assumption that attacks will occur and some bullets will inevitably get past the active defenses. Their purpose is to constantly “shrink the targets” prior to any attack, so that attacks that do penetrate the active defenses do not necessarily find the weaknesses and vulnerabilities they need to perpetrate the intended damage. Naturally, some solutions fall across more than one part of the spectrum.

As shown in Figure 1, active technologies include solutions like firewalls and identity/access management designed to block inappropriate access. Other solutions are used to detect and counter attacks as they occur. Active solutions are often the first solutions purchased immediately after an attack. They are, in a way, self-justifying because in many cases they can provide detailed statistics of the number of attacks/viruses/spyware detected and deflected. For ISOs who are unsure of how to demonstrate the value of their security program to non-security professionals, active technologies can often produce fear-instilling statistics such as the “number of viruses blocked” or “number of spam e-mails intercepted.” While these measures are not always actionable or useful from a security perspective, they can sometimes be used to gain attention and resources.

Reactive technologies include solutions such as log management and security information or event management. While these may also function in an active sense and provide some support during an attack, they are uniquely useful in the aftermath. These tools produce information that analysts pore over to painstakingly recreate the movements of an attacker through the organization. Analysts also use these in day-to-day operations to monitor internal and external network traffic. Retaining and reviewing this information makes it possible to discover problems, to understand what transpired, to ensure that an attack has truly been shut down, and to devise ways to prevent similar attacks in the future. Reactive technologies are most effective when supported by the data collected by proactive technologies during their standard assessments, given that events typically involve a target on the network. Having as much information as possible about the composition and posture of that target makes a world of difference in accurately diagnosing suspicious network activity as reactive technologies log it.

Proactive technologies comprise solutions that support an ongoing, continuous effort to assess and/or harden the security posture of one or more aspects of the network environment. Solutions in this category span asset discovery, data discovery, vulnerability management, configuration auditing, access auditing, and file integrity monitoring. These solutions serve as a foundation for day-to-day continuous risk remediation, supporting the removal of unapproved assets, the identification of sensitive data, the remediation of vulnerabilities, etc. The general impression is that proactive technologies generate work for the security and operations teams. Unlike active technologies that can report on attacks they stopped, the effectiveness of proactive technologies is more difficult to measure. It is impossible to measure the number of attacks that did not occur as a result of vulnerability remediation and patching activity. Much like an effective ISO, proactive technologies are successful when they stay off the front page of the newspaper. Utilizing proactive security solutions is considered a best practice because the consequences of not having them will be much greater than the modest investment to purchase them.

Where is the Balance Today?

A good portion of the $60 billion in global IT security spending goes to active security technologies. [1] According to Gartner, firewalls alone represent a $6.5 billion market. [2] Corporations will spend $3.4 billion on corporate desktop security software, and consumers will spend even more than that on anti-virus protection. Identity/access management, data loss prevention, and intrusion prevention—all active technologies—are designed to block or stop attacks as they are occurring, and have been high priorities in the security arena.

At the same time that active technologies are hardening our outer defenses to block attacks, however, the explosion of social media and the popularity of mobile devices are making our boundaries porous in new ways. The sophistication of attacks continues to increase, and there are commercial, build-it-yourself malware kits available that make it very difficult for anti-virus and anti-spyware solutions to detect and keep up with the new malware threats to prevent infection. Despite advances in security technology, there will always be malware that can get through our defenses.

Institutions Driving Change

A shift in the balance from active towards proactive technologies dates back to the 2004-2005 timeframe, when the then-Chief Information Officer of the United States Air Force, John Gilligan, leveraged Air Force procurement clout to require that Microsoft and its original equipment manufacturers deliver Windows systems configured in accordance with the Center for Internet Security benchmarks. [3, 4] According to estimates from the National Security Agency, this action eliminated close to 90% of the vulnerability and configuration risk on these devices, when compared with the previous configurations. This unprecedented action by the Air Force set the stage for the Office of Management and Budget (OMB) to impose a Microsoft workstation configuration standard, the Federal Desktop Core Configuration (FDCC), on all civilian agencies. [5] At the same time, the OMB required the vendor community to step up and deliver scanning technologies that could demonstrate compliance with the FDCC standard, using a set of shared standards for communicating information about assets, vulnerabilities, and configurations.

Over the last several years, the OMB, National Institute of Standards and Technology (NIST), and Department of Homeland Security (DHS) have been working together to grow the Microsoft workstation configuration program from its modest beginning into a far broader strategy of continuous monitoring. In this context, even the word “monitoring” has shifted in meaning. Previously, the term was associated with, literally, the continuous observation and response associated with the activities of a security operations center. Today, as used by Congress and the OMB, it refers (in a proactive context) to continuously discovering assets and assessing their risk posture in support of a systematic program of risk reduction. Today, continuous monitoring is one of the Administration’s three primary IT security initiatives, along with Trusted Internet Connection and Homeland Security Presidential Directive-12 implementation. [6, 7, 8] The most recent Federal Information Security Management Act (FISMA) report details the increase in civilian agencies’ continuous monitoring efforts; [9] the amendments to FISMA that recently passed the House also place critical emphasis in this area. [10]

New Capabilities

Effective continuous monitoring is not rocket science. Former Center for Medicare and Medicaid Services (CMS) Chief ISO and federal security thought leader, Ryan Brewer, has frequently stated that it is simply about getting the basics right—knowing what you have and knowing that each element of your network has been hardened to the greatest degree possible. [11] According to Verizon’s Data Breach Investigations Report, the vast majority of attacks reported in 2011 leveraged vulnerabilities or mis-configurations that were well known and understood, but unaddressed. [12] These attacks were not stopped by the active defenses of anti-virus, firewalls, or intrusion prevention systems, but they could readily have been stopped or reduced in impact through the application of the appropriate patches or the correct configuration settings.

That said, there are some technological and programmatic innovations that are improving the efficacy of proactive security solutions. First, there are an increasing number of solutions that are able to assess security risk and configurations “agentlessly” (i.e., without requiring the installation of software on each asset to be measured, which reduces costs). [13]

Second, a number of best practices have emerged around the use of scorecards, report cards, and other data presentation tools that have been shown to dramatically impact how people—especially executives and other non-security professionals—respond to security information. The Department of State (DoS), CMS, and others have demonstrated an overall risk reduction of 90% and higher in a short timeframe in this manner. These tools are effective because they prioritize the volumes of information collected by continuous monitoring solutions and make it extremely actionable. They also use corporate visibility and peer pressure as incentives to drive accountability and improvement. In the private sector, new tools are emerging that further increase the visibility of security performance and offer the ability to benchmark the performance of a security solution in one organization against average performance of similar solutions in a comparable group. [14]
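The prioritization a scorecard performs over continuous-monitoring output can be made concrete. The Python sketch below is an added example, not code from the article or from any of the vendor tools it mentions: each open finding is weighted by severity and escalated the longer it stays unaddressed, risk is rolled up per accountable team so the ranking is visible to everyone, and the short list of fixes that removes the most risk is computed. The findings, team names, severity weights and the 30-day aging rule are constructed for illustration.

```python
"""Risk scorecard over continuous-monitoring findings.

Added example, not part of the IAnewsletter article: the findings, team
names and the scoring weights below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights: how much one open finding of each severity contributes.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    """One item a vulnerability or configuration scan reported on an asset."""
    asset: str
    owner: str        # team accountable for fixing it
    kind: str         # "vulnerability" or "configuration"
    title: str
    severity: str     # key into SEVERITY_WEIGHT
    days_open: int    # how long the item has been known and unaddressed


# Constructed sample scan output.
FINDINGS = [
    Finding("web-01", "apps", "vulnerability", "unpatched web server", "critical", 45),
    Finding("web-01", "apps", "configuration", "directory listing enabled", "low", 5),
    Finding("db-02", "data", "configuration", "default admin account enabled", "high", 70),
    Finding("ws-117", "desktop", "vulnerability", "missing browser patches", "medium", 12),
    Finding("ws-118", "desktop", "configuration", "autorun enabled", "medium", 95),
    Finding("ws-119", "desktop", "vulnerability", "missing browser patches", "medium", 12),
    Finding("fw-edge", "network", "configuration", "firmware behind baseline", "high", 10),
]


def finding_score(f: Finding) -> int:
    """Severity weight, escalated by one full weight for every 30 days the
    finding stays open, so a neglected item climbs the list on its own."""
    return SEVERITY_WEIGHT[f.severity] * (1 + f.days_open // 30)


def scorecard_by_owner(findings):
    """Total open risk per accountable team, worst first.  Publishing this
    ranking is the visibility-and-peer-pressure lever the article describes."""
    totals = defaultdict(int)
    for f in findings:
        totals[f.owner] += finding_score(f)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def top_actions(findings, n=3):
    """The n findings whose remediation removes the most risk."""
    return sorted(findings, key=lambda f: (-finding_score(f), f.asset))[:n]


def risk_removed_by_top(findings, n=3) -> int:
    """Percentage of total open risk eliminated by fixing the top n items."""
    total = sum(finding_score(f) for f in findings)
    removed = sum(finding_score(f) for f in top_actions(findings, n))
    return round(100 * removed / total) if total else 0


if __name__ == "__main__":
    for owner, score in scorecard_by_owner(FINDINGS):
        print(f"{owner:<10} open risk {score}")
    print("fix first:")
    for f in top_actions(FINDINGS):
        print(f"  {f.asset:<8} {f.title} ({f.severity}, {f.days_open}d open)")
    print(f"fixing these removes {risk_removed_by_top(FINDINGS)}% of open risk")
```

With the constructed data, three remediations out of seven remove roughly four-fifths of the open risk, which is the kind of actionable summary the article credits scorecards with; the aging term is what keeps a scan that is run daily from reporting the same unaddressed items at the same priority day after day.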

Considerations for the Information Assurance (IA) Community

Proactive security solutions have tended to be under-represented in an IT security solution portfolio. They are, frankly, not as appealing as the latest detection and intervention solutions, as they do not offer the instant gratification of tools that showcase events happening as traffic moves through the network. When proactive solutions are working effectively, they generate action items for the security and operations teams—not always a popular thing—and unlike active solutions, they do not produce fear-inducing statistics that prove their value by listing all the attacks they turned away.

Notwithstanding these past trends, the importance of proactive solutions is gaining recognition as a key part of the foundation of a healthy security ecosystem. This recognition is being driven in part by Administration initiatives and OMB, DHS, NIST, and Department of Defense (DoD) actions to expand the use of proactive solutions, specifically those represented by continuous monitoring. The industry is responding by delivering more powerful and more cost-effective solutions that are compliant with the requisite standards.

The challenge for the IA community is two-fold: to recognize the growing importance of proactive solutions in the technology portfolio; and to sustain focus on the fact that the value of proactive solutions emerges entirely from the degree to which the information they generate is actionable—and is acted upon—as part of an ongoing risk reduction effort. To realize the full value of a proactive solution investment, it must be accompanied by changes in business processes and workflows that support effective and prioritized responses to the risk elements it identifies.

Additionally, as is always the case when any security approach becomes a mandate, there is a danger that some will implement a solution to demonstrate compliance with the mandate for continuous monitoring [15]—failing to understand that the value of continuous monitoring (and other proactive solutions) is achieved through the associated programs and processes that act on the collected information. If there is no will to use the information as the foundation for a program of reducing risk, then measuring risk on a daily basis is no better than not measuring at all. [16]

Evolving FISMA and DoD directives provide organizations with a rare opportunity to take a fresh look at their security investment ‘portfolio,’ and to rethink how security investments are distributed and prioritized. From this new vantage point, prioritizing and integrating proactive security technologies that can help reduce attack surface and harden each network element to the greatest possible degree can help make the allocation of scarce resources more efficient and, in what really matters, more effective. For those interested in models of comprehensive and effective risk monitoring and remediation programs, the DoS [17], Medicare, as well as private organizations, like Pacific Gas and Electric [18] and St. Luke’s Health System [19], demonstrate a variety of best practices in this area.

About the Author

Keren W. Cummins is Director of Federal Markets for nCircle, where she works with government agencies to provide tools for large-scale enterprises in the arenas of agentless asset discovery and profiling, configuration compliance management, change auditing, and file integrity monitoring. Previously, Ms. Cummins was Vice President (VP) of the Public Sector for Phoenix Technologies, where she worked with federal agencies and partners on device authentication and other basic input/output system-level services. Ms. Cummins also held the position of VP Government Services for Digital Signature Trust. Before joining the commercial sector, Ms. Cummins worked for the Commerce Department and served on the Federal Public Key Infrastructure Steering Committee. She can be contacted at [email protected].

References
1. http://www.eweek.com/c/a/Security/Cyber-Security-Spending-to-Hit-60-Billion-in-2011-121173/
2. http://www.wired.com/wiredenterprise/2012/03/antivirus/
3. http://www.cert.org/podcast/notes/25kreitner.html
4. http://benchmarks.cisecurity.org/en-us/?route=default
5. http://nvd.nist.gov/fdcc/index.cfm
6. http://csrc.nist.gov/groups/SMA/fisma/documents/faq-continuous-monitoring.pdf
7. http://www.dhs.gov/files/programs/gc_1268754123028.shtm
8. http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf
9. http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy11_fisma.pdf
10. http://www.executivegov.com/2012/04/cbo-fisma-update-would-cost-710m/
11. http://scap.nist.gov/events/2009/itsac/presentations/day2/Day2_HealthIT_Brewer.pdf
12. http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
13. http://www.defensenews.com/apps/pbcs.dll/article?AID=2012306130003
14. http://www.ncircle.com/pdf/papers/nCircle-WP-SecurityBenchmarking-GoingBeyondMetrics-1114-01.pdf
15. http://connect.ncircle.com/t5/Federal-Outlook/Lowest-Common-Denominator-Security-When-does-measuring-something/ba-p/1998
16. http://connect.ncircle.com/t5/Federal-Outlook/Measuring-the-test-not-the-result/ba-p/1962
17. https://www.sans.org/press/department-statewins-ncia.php
18. http://www.ncircle.com/pdf/studies/nCircle-CS-PGE-1019-06.pdf
19. http://www.ncircle.com/pdf/studies/nCircle-CS-SLHS-1120-02.pdf

Page 8: IA on a Tight Budget - CSIACVol 15 No 3 Summer 2012 ... reactive. For this framing, these are not normative terms that impute any special ... what credentials were compromised, what

8 IAnewsletter Vol 15 No 3 Summer 2012 • http://iac.dtic.mil/iatac

Information security managers in

government today are facing the most

challenging fiscal environment in

decades. Despite the vital role that

cybersecurity personnel, departments,

and initiatives play in protecting assets

and infrastructure, federal Chief

Information Security Officers (CISOs)

are not getting the resources they need

to pay for the full range of products,

services, and staff needed to mature

agency-level cybersecurity programs;

therefore, they are now facing an

unprecedented trifecta of challenges of

increased budgets cuts, hiring freezes,

and the inability to fill key positions.

Adding to the complexity of operating in

this limited environment is the reality

that unless there is an actual security

incident, provisions for information

security improvements are few and far

between. While financial complexities

also exist in the private sector, it is safe

to say that those leading cybersecurity

efforts in government are being

impacted to a greater degree.

While the phrase “doing more with

less” sounds like a reasonable and

practical approach, how is it really

possible to secure systems on

decreasing budgets?

In 2005, the Office of Management and Budget (OMB) attempted to address this challenge by chartering a program called the Information Systems Security Line of Business (ISS LoB) that was intended to provide agencies with shared information security services and subsequent cost efficiencies. [1] The hope was this: "The ISS LoB investment will improve the level of cybersecurity across all government agencies, reduce costs by consolidating certain security products and services into centralized Shared Service Centers, and improve security decision-making through an agency-neutral governance structure." [2] While this and other government initiatives over the years have held promise, the success of ISS LoB has depended upon the government's ability to provide ongoing support. A recent evaluation by Department of Homeland Security leadership revealed that "funding risk exists for ISS LoB, given the large scope of the program." [3] Sadly, the very program that was intended to help create efficiencies is not immune to its own funding challenges.

As an organization that is vested in the success of its members and government information security programs as a whole, International Information Systems Security Certifications Consortium (ISC)2 has been monitoring this environment, conducting research and facilitating discussions surrounding the practical steps that government information security personnel can take to keep information assets secure when times are lean. The bad news is that our research shows little hope for budgetary change in the near future.

(ISC)2's 2012 Career Impact Survey was conducted between December 2011 and January 2012 to track the impact of the economic climate on cybersecurity salaries, hiring outlook, budgets, threats, and more. [4] Of the 2,256 global respondents, 545 from U.S. federal government agencies reported on their agency's current fiscal conditions and what they anticipate the fiscal climate to be in 2012. When asked how their agency's information security budgets had changed in the last 12 months, approximately 80% of federal respondents said there was either no change or a decrease in budget. When asked how they anticipate that changing in 2012, 84% said there would be no change or an actual decrease in budget. Given these statistics, and having now advanced through the first half of 2012, respondents seem to have painted a realistic picture that provides little promise for change.

So what is the good news? From our community of federal CISOs, Chief Information Officers (CIOs), and other front-line information security managers, we have discovered that despite the challenges, agencies can and are recognizing opportunities and finding new ways to secure assets and infrastructure efficiently and effectively on a limited budget [5]; however, that does not mean that the security needs of government information systems are being met. There are some positive approaches that agencies are using to cope with limited budgets.

The Keys to Better Security on a Tight Budget, by W. Hord Tipton

Agencies are applying an austere approach across all three areas of "holistic" information security practice: people, processes/policy, and technology; however, it appears that the "people" component, specifically the ability to hire and keep qualified personnel, has become the primary stumbling block, especially given the broader personnel shortage otherwise referred to as the current "information security human capital crisis." Since 2009, a number of reports show that there is a radical shortage of qualified information security professionals worldwide, driven in large part by the absence of an effective system that provides a path for students at every age to progress in cybersecurity education and ultimately join the workforce.

Government information security managers are not only at risk of losing good people due to budget cuts, but their challenge is compounded by a pervasive human capital problem. Much broader in scale and size, the increased demand for and decreased supply of qualified information security professionals makes it extremely difficult to identify practical steps toward both short- and long-term solutions.

In response to this crisis, the U.S. federal government has implemented several programs/initiatives with the immediate goals of expanding cybersecurity education, identifying future cybersecurity professionals at the high school level (and younger), and fostering educational and professional development. Such initiatives include the Comprehensive National Cybersecurity Initiative [7], the NICE Initiative [8], the U.S. Cyber Command [9], and the U.S. Cyber Challenge [10]; however, there still remains a long-term need to cultivate the pipeline of qualified, ethical professionals to ensure the security of our data and critical infrastructures, and that need must be addressed on a broader scale by industry, government, and academia.

Government security managers must find ways to create an appealing work environment to recruit and retain skilled personnel, without having the funds to compensate and create incentives. They must ensure that their agency is able to retain its most talented cybersecurity personnel despite the numerous opportunities enticing employees to seek employment elsewhere, and must find ways to fill personnel voids when new hiring has been restricted. In the rare event that a security manager has sufficient funding to hire a key position, they must come up with ways of actually finding someone whose skills match the requirements of the position given the current shortage.

(ISC)2's Global Information Security Workforce Study projects that there will be 4.2 million information security professionals by 2015. [11]

Top priorities to consider from a technology perspective:

- Evaluate and invest in technologies that are going to save money in the long run, such as building a robust security architecture up-front;
- While most agencies have developed sound IT architectures over the past 5 to 10 years, and in some cases have achieved modernization of critical systems, recognize that there are still countless opportunities for improving IT efficiency;
- Cut the number of redundant technologies, including the number of portals, disk images, and network gateways; once reduced, this will help improve an agency's ability to defend its systems at less cost;
- Consolidate systems and data centers to obtain major cost efficiencies;
- Consider building a private cloud that will consolidate and manage information and free up personnel and budget for re-allocation toward an important technology purchase; and
- Consider moving non-critical systems to a public cloud. Although more complex in terms of migration, public clouds afford the same benefit as private clouds, but on a larger scale. With the newly issued FedRAMP guidance on cloud security, our reliance on cloud technology can and should be given greater consideration. [6]

A few things to consider as personnel, plans, and budgets shift:

- Gaining access to more candidates is essential to cutting costs so that you do not end up paying a high price for moderate-level skills. Security managers should create alliances with organizations/initiatives that are committed to increasing the pool of skilled security personnel. Look to professional communities, such as local association chapters or forums, for help.
- Become more "human resource" savvy: think creatively about strategies to retain your best people, such as allowing them to telework or even work remotely from a less-expensive city. These options can also save money on space and administrative costs.
- Consider offering your staff a flexible work week. A 4-day, 10-hour schedule allows people to commute and avoid rush hours and provides opportunity for 3-day weekends. After all, most information technology security employees already work 10-hour days.
- Prioritize and seek soft skills when recruiting. Hire people who have the communications skills necessary to present a business case and convey the immediate value of a security investment.
- If under a hiring freeze, consider the use of contractor personnel to maintain critical capabilities. It is easier to get money for special tasks than to add to the current headcount.

Depending upon the source, categories of advice for how to "do more with less" range from the general to the tactical, from issues "technical" to "people" in nature, but there are several recommendations that apply to all who oversee or manage a government information security budget:

- Make sure you can defend everything you ask for; tie your dollars to your mission;
- Focus on the critical work and that which will be crucial to your success;
- Establish a working relationship with the chief financial officer, chief budget officer, and CIO to ensure that cybersecurity funding requirements and priorities are both articulated and understood;
- Look toward the private sector for ideas and support, since the private sector is facing similar funding limitations;
- Evaluate the resources you have and eliminate what is not critical;
- Further develop alliances and business relationships; and
- Think "enterprise" and aim to maximize efficiencies across the enterprise.

For years, government budgets have been tight, and security managers have never received the full budgets they have requested; however, there is a positive side to operating from a position of being lean and hungry: you are always looking for better efficiencies, and more often than not, better efficiencies lead to improved security.

Top priorities to consider from a process/policy perspective:

- Validate each new initiative according to cybersecurity program priorities;
- Mature and document processes;
- Integrate security-related processes into the system development life cycle;
- Maximize the use of common controls and utilize process automation in your compliance efforts; and
- Regardless of bureaucracy or resistance from system owners, shut down systems that are no longer critical to agency operations.

For additional information on security on a tight budget, refer to the following Web sites:

- http://gcn.com/articles/2012/02/29/rsa-7-cybersecurity-manpower-cisos.aspx?sc_lang=en
- http://www.nextgov.com/nextgov/ng_20120229_6909.php
- http://gcn.com/articles/2011/07/18/8-tips-security-tight-budget.aspx

About the Author

W. Hord Tipton has over 30 years of business experience, including over 5 years as CIO for the U.S. Department of the Interior, director for international programs for the Minerals Management Service, 13 years as an engineer for Union Carbide Nuclear Corporation, and various other high-level positions. He has been a member of the (ISC)² Board of Directors since 2005 and a member of the (ISC)² U.S. Government Advisory Board since 2004, and he is also the (ISC)² Executive Director. Mr. Tipton holds a B.S. from the University of Morehead and an M.S. from the University of Tennessee. He received the Distinguished Rank Award for government service from the President of the United States. He can be contacted at [email protected].

References

1. http://www.whitehouse.gov/omb
2. http://www.itdashboard.gov/investment?buscid=420
3. http://www.dhs.gov/xlibrary/assets/mgmt/itpa-nppd-lob2011.pdf
4. https://www.isc2.org/uploadedFiles/Industry_Resources/2012%20Career%20Impact%20Survey%20Results_US%20Gov%20Federal_011112.pdf
5. http://www.federalnewsradio.com/?nid=498&sid=2765954
6. http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf
7. http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative
8. http://csrc.nist.gov/nice/
9. http://www.defense.gov/home/features/2010/0410_cybersec/
10. http://www.uscyberchallenge.org/
11. https://www.isc2.org/uploadedFiles/Industry_Resources/FS_WP_ISC%20Study_020811_MLW_Web.pdf


Subject Matter Expert: COL Gregory Conti, by Angela Orebaugh

This article continues our profile series of members of the Information Assurance Technology Analysis Center (IATAC) Subject Matter Expert (SME) program. The SME profiled in this article is Colonel Gregory Conti at the United States Military Academy (USMA). COL Conti is a Military Intelligence Officer and Academy Professor at the Department of Electrical Engineering and Computer Science.

COL Conti graduated from USMA in 1989 with a B.S. in Computer Science. During his first tour, he served in the 24th Infantry Division (ID) and deployed to the Persian Gulf War in support of Operation Desert Shield and Operation Desert Storm. During his time in the 24th ID, his assignments included Collection Manager, Electronic Warfare Platoon Leader, and Cavalry Squadron Intelligence Officer. After completing the Military Intelligence Officer's Advanced Course, he was selected for the United States Army Intelligence & Security Command's National Systems Development Program at the National Security Agency (NSA), a program designed to create Army Officers skilled in strategic intelligence systems. While at NSA, he served as Battalion S3 of the 743rd Military Intelligence Battalion and was selected for company command at Menwith Hill Station, UK. While at Menwith Hill, he served as the Deputy Chief of Current Operations and as Commander of Headquarters and Headquarters Company, 713th MI Group, and became certified as an NSA Signals Collection Officer. Upon his departure from Menwith Hill, COL Conti completed his M.S. in Computer Science at Johns Hopkins University.

After completing his M.S. in 2000, COL Conti joined USMA's Department of Electrical Engineering and Computer Science faculty, where he served as a faculty recruiting officer and taught networking and information technology courses. COL Conti founded the Academy's cybersecurity club, which is now in its 10th year and boasts members from every academic department in the USMA.

COL Conti completed his Ph.D. in Computer Science at the Georgia Institute of Technology in 2006, after which he was selected as an Academy Professor and became part of USMA's long-term faculty. COL Conti now serves as the Director of the Cyber Research Center [1], formerly known as the Information Technology Operations Center, in the Department of Electrical Engineering and Computer Science, where he focuses on developing cadets, faculty, and staff in cybersecurity; performs outreach; and helps leverage the USMA's intellectual capital to solve pressing Army and Department of Defense problems. He also deployed to Operation Iraqi Freedom, serving as Officer in Charge of the U.S. Cyber Command's Expeditionary Support Element. He was also invited to return to U.S. Cyber Command to help create, develop, and teach the Joint Advanced Cyber Warfare Course.

COL Conti is the author of Googling Security [2] and Security Data Visualization. [3] He has authored more than 40 research publications and spoken at more than 50 industry, government, hacker community, and academic events. [4] He is regarded as an expert in security visualization, online privacy, usable security, and cyberwarfare. COL Conti is also an Associate Professor and a Senior Member of the Association for Computing Machinery.

References

1. http://www.itoc.usma.edu/
2. Conti, Greg. Googling Security: How Much Does Google Know about You? Addison-Wesley Professional, 2008.
3. Conti, Greg. Security Data Visualization: Graphical Techniques for Network Analysis. No Starch Press, 2007.
4. http://www.gregconti.com/


The Biometrics Capability Maturity Model, by Ryan Triplett, Gregory Zektser, Abel Sussman, and Brian Harrig

Organizations today are developing enhanced security policies and regulations due to increased awareness of potential security risks. Biometric technologies are becoming increasingly significant to security for information assurance (IA) purposes because they supply a third authentication factor, something you are, which combined with something you know and something you have yields three-factor authentication; a biometric adds assurance alongside those factors rather than replacing them, since it cannot be changed if it is compromised. Organizations that integrate biometric technologies into existing physical and information technology (IT) processes are significantly increasing IA and providing a more secure operating environment. Effective processes provide a foundation for organizations to adopt and utilize the ever-changing biometric technologies, and maximize organizations' resources to provide the best rate of success. Today's marketplace offers many standards, methodologies, and best practices that organizations can deploy to enhance their biometric capabilities, objectives, and goals, but taken individually, they do not provide a disciplined approach to solving organizations' biometric challenges in a holistic, enterprise-wide manner. Unfortunately, these individual enhancements have contributed to the wide implementation of proprietary, stovepiped biometric solutions, immature system capabilities, and inefficient processes that many biometric organizations are faced with today.

The Biometrics Capability Maturity Model (BCMM) methodology and framework were developed using principles of the well-respected Capability Maturity Model Integration (CMMI). The BCMM takes a holistic approach to establishing biometric organizational profiles, and provides guidance for efficient, effective improvements across multiple capabilities within a biometric-focused organization or enterprise. The BCMM Framework defines measurable characteristics, qualitative and quantitative, to establish maturity levels for biometric organizational core capabilities. The BCMM is designed to provide enterprise-wide solutions that require an integrated approach. In essence, organizations are able to utilize the BCMM to manage and evolve their capabilities as part of achieving their business objectives.

The BCMM Domains

The BCMM Framework describes three biometric organizational domains and their corresponding core component capabilities. Domains are groups of related biometric capabilities and measurable characteristics, which the BCMM uses to establish maturity progression. Note that some of the capabilities listed within a domain may overlap into other domains; in these cases, the capability has been placed within the domain that its characteristics most closely resemble. Figure 1 presents the domains and their components.

The Operational domain establishes the biometric capabilities and characteristics that incorporate the concepts and procedures that involve biometric data exploitation, application, and acquisition. The capabilities described in the Operational domain are associated with the procedures for identifying an individual or individuals. The capabilities within this domain are an organized set of specialized activities that have unique processes. Biometric data exploitation utilizes data to enable operational applications, which can then be applied to real-world scenarios to achieve operational objectives. Biometric capabilities associated with ergonomics, Human Factors and System Usability, should be considered when acquiring biometric systems and data for operational use.

The Programmatic domain establishes the biometric capabilities that incorporate the concepts and procedures involving communication, integration, and strategic implementation. The Programmatic domain defines a usable set of program capabilities that support efficiencies, enable enforcement, and provide consistency across biometric organizations. The Programmatic domain lists key capabilities for providing a higher probability of interoperability with entities and operational systems outside of the organization. Communication capabilities promote awareness and education, both internal and external to the organization. Integration capabilities establish criteria, identify relationships, and establish functional needs. Strategic capabilities enable the enforcement of regulations through the development of and adherence to policy-driven doctrine. Programmatic capabilities also include the discipline of planning and managing resources and data to strategically align organizational objectives.

The Technology domain establishes the biometric capabilities and characteristics that incorporate the concepts and procedures involving function, measurement, analysis, and study. The Technology domain lists the capabilities for providing tools, systems, and research. The Technology domain includes key capabilities to support enhanced technologies and services to perform analysis and cutting-edge development. The Functional capabilities promote the use of multimodal biometrics from an array of inputs and sources. The Measurement capabilities enable the use of data to develop metrics for evaluation, and to establish baselines for developing objectives. The Analysis & Study capabilities enable advancements in technologies.

[Figure 1: BCMM domain components. Components shown in the figure: Capture; Storage/Match/Analysis; Biometric Enabled Intelligence; Interoperability; Modalities; Mobile Biometrics; Access Control; Forensics; Human Factors; System Usability; Training and Education; Public Outreach and Awareness; Standardization; Architecture; Requirements; Doctrine; Project Management; Identity Management; Data Integrity; Data Quality; Biometric Fusion; Test and Evaluation; Research and Development. The grouping of these components into the Operational, Programmatic, and Technology domains is not recoverable from the extracted text.]

The BCMM Maturity Levels

Figure 2 depicts how BCMM defines levels of maturity, which range from Ad Hoc (Level 1) to Advanced (Level 5). Each level has distinguishable differences that are defined by the characteristics of an organization's capabilities and progress towards achieving business objectives. Each level of maturity builds upon the previous; therefore, organizations cannot reach the next level of maturity without exhibiting the established goals of the current level.

The following list contains additional details on the five levels of the BCMM:

- Level 1 capabilities may produce products and services that work; however, they frequently exceed the budget and schedule of their projects, and are often unpredictable. Processes at this level are either not performed or performed partially. Organizations with capabilities at this level have a tendency to overcommit, abandon processes in time of crisis, and are not able to repeat their past successes.
- Level 2 capabilities help to ensure existing practices are retained during times of stress. When these practices are in place, projects are performed and managed according to their documented plans. The status of the work products and the delivery of services are visible to management at defined points. Work products are reviewed with stakeholders and are controlled; services satisfy basic requirements, standards, and objectives.
- Level 3 capabilities have formalized processes and are described in standards, procedures, tools, and methodologies. The capabilities have well-defined processes tailored to the organization's set of procedures and established guidelines. Management establishes objectives based on the organization's set of standard processes, and ensures that these objectives are appropriately addressed. The capabilities are managed more proactively using an understanding of the interrelationships.
- Level 4 capabilities have been formally institutionalized, and proven metrics have been established for statistical analysis. The processes are continually improved based on a qualitative and quantitative understanding of the enhanced processes. Strategic business decisions are based on the analysis of enhanced capabilities.
- Level 5 capabilities focus on continuous improvement with no significant changes. The processes at this level are automated in nature and referenced by the enterprise as the status quo.

[Figure 2: High-level biometrics capability maturity model. The figure is a grid of the three domains (Operational, Technology, Programmatic) against the five levels: Level 1 Ad Hoc, Level 2 Foundational, Level 3 Progressive, Level 4 Enhanced, Level 5 Advanced. Cell text recoverable from the figure: "Internal/external policies are uncoordinated"; "External privacy and legal policies are identified"; "All internal and external policies are identified and linked"; "Fully integrated external regulations and policies"; "Program and agency doctrine is referenced by external organizations"; "Sharing, analysis, and testing are enriched by cloud computing"; "Standardized, quality-driven data with actions processed in real time using cloud"; "Multimodal biometric systems with fusion; formally tested security techniques"; "Standards and processes are implemented enterprise-wide and across agencies"; "Multiple sources of information, data quality is measured, comprehensive test and evaluations"; "System-wide standards are developed and implemented"; "Applies security techniques, testing methodology, and understands program gaps"; "Processes and procedures are established; able to share basic data exchange"; "Informal testing and does not have developed metrics"; "SOPs are nonexistent; no Human Factors considered; system is difficult to use". The assignment of each cell to a domain and level is not recoverable from the extracted text.]

Establishing the BCMM Organizational Profile

To establish a baseline organizational biometric capability profile, organizations are rated in each domain based on interviews, onsite visits, and answers provided through a compass survey. The interviews consist of a two-way exchange of information to gather relevant data, build trust, and establish a relationship between the organization and assessment team. The onsite visits are designed to observe the facilities, access documentation, and achieve a better understanding of day-to-day activities. The compass survey contains specific questions for each of the capabilities to determine if the organization possesses the characteristics of the maturity levels being assessed. An organization is not expected to completely exhibit all characteristics within a maturity level to achieve the specified level of maturity; however, the organization should be prepared to provide enough substantial evidence for an accurate assessment.

A higher rating for each domain correlates with the rate of maturity for each capability. An organization's rating is intended to establish an organizational biometric capability profile, and will be used to assess organizational growth over a period of time. The results may also be used for benchmarking and developing goals specific to the organization. As with any scoring assessment, organizations may be tempted to compare scores to determine rankings; however, this is not advised, nor is it a valid use of the model. Organizations possess various combinations of capabilities and have different business and strategic goals; therefore, each biometric capability profile is unique.

About the Authors

Ryan Triplett is an Institute of Electrical and Electronics Engineers (IEEE) Certified Biometrics Professional (CBP) with 15 years of engineering experience, including 8 years in the field of Biometrics. He supports the vital biometrics standardization process on both national and international fronts by participating in, contributing to, and leading efforts to implement, develop, and perform conformance testing as well as formally adopt biometrics- and identity management-related standards. Mr. Triplett holds dual B.S. Engineering degrees from West Virginia University in Electrical Engineering and Biometrics Systems, as well as an M.B.A. from West Virginia University. He can be contacted at [email protected].

Gregory Zektser has over 30 years of engineering and management experience, including 10 years in the field of Biometrics. He is an internationally recognized expert in Biometrics standardization, conformance and performance testing, and data quality measurement. Representing his clients in national and international standards bodies on Biometrics, he serves as an editor of Biometric testing standards, and leads Booz Allen Hamilton's participation in industry forums, conferences, and events. Mr. Zektser holds an M.S. in Engineering with an emphasis on computer-aided design and technological processes automation. He can be contacted at [email protected].

Abel Sussman is part of Booz Allen Hamilton's Cyber Technology Team, and is responsible for delivering IA and identity management solutions, especially through biometric development strategies, privacy protection, and associated policy development. He serves as a subject matter expert (SME) to the Department of Homeland Security Transportation Security Administration. Additionally, Mr. Sussman has developed processes for the Department of Defense (DoD) to assure compliance with federal Homeland Security Presidential Directive 12 and Federal Information Processing Standards 201 guidelines. He can be contacted at [email protected].

Brian Harrig is part of Booz Allen Hamilton's Cyber Technology Team, and is responsible for activities involving the integration of identity management solutions and biometric technology capabilities. He serves as a SME to the DoD Biometrics Identity Management Agency (BIMA). In this role, Mr. Harrig is the lead developer of the DoD Electronic Biometric Transmission Specification, which allows for the sharing of biometric data. Additionally, Mr. Harrig coordinates DoD BIMA interests across the government to promote interoperability. Mr. Harrig holds a B.S. in Computer Engineering and is an IEEE CBP. He can be contacted at [email protected].



This is the second article in a two-part series that highlights the need to share information on one hand, and the need to protect it on the other. The hyperlinks throughout this article provide you quick access to additional information.

On March 10, 2011, the U.S. Senate Homeland Security and Governmental Affairs Committee hearing "Information Sharing in the Era of WikiLeaks: Balancing Security and Collaboration" included testimony from several information sharing stakeholders, including the Information Sharing Environment (ISE) director, on how the need to share information could be better balanced with the need to protect information. [1] How this balance is struck gets to the heart of a shift away from the imperative for assured information sharing and towards the imperative for responsible information sharing. This article, the second in our series, highlights challenges and emerging solutions for achieving responsible information sharing.

As we discussed in our previous article, before 2002, the decision of whether and what information to share with certain consumers was entirely at the information owners' discretion, with the owners' interest in retaining control over that information often outweighing consumers' needs. Prospective consumers were at the mercy of information owners. It was the owners who decided what information they were willing to share, and the owners who required the consumers to prove that they had the "need-to-know" for whatever information that happened to be.

This owner-controlled, highly restrictive information sharing paradigm was found to be a key contributor to the failure in intelligence that resulted in the government's failure to prevent the catastrophic events of September 11, 2001. As a result of the findings of the 9/11 Commission, a new assured information sharing culture was mandated, as illustrated in our previous article. Under the Assured Information Sharing model, information owners were required to make all of their information available to any prospective

consumer who was not explicitly

prohibited from accessing it.

Clearly a new approach was

needed…one that would strike a balance

between excessive restrictiveness and

excessive laxity. Responsible

information sharing seeks to recover the

security awareness and re-impose some

of the information owner’s rights to

place justifiable limits on what

information they share and with

whom—security constraints that

characterized pre-9/11 information

sharing culture—while also preserving

the “imperative to share” that, it is

hoped, will continue to ensure that none

of the information needed by consumers

is unjustifiably withheld from them.

Responsible information sharing

operates under the following

principles—

f Information sharing—defined in

Department of Defense’s (DoD)

Information Sharing Strategy as

“making information available to

participants (people, processes, or

systems)”—is not an end in itself.

Which information will be shared,

and the protocols for sharing it,

should be determined based on

mission need.

f Classification levels alone should

not determine whether information

is “shareable.” The information

sharing activity or transaction must

be of mutual value to both the

information consumer and the

information provider. [2] Ideally,

the only information a prospective

information consumer would seek

or request would be that which the

provider would benefit in some way

from sharing.

f Sources and methods must always

be protected. No exceptions.

f Other constraints on whether or not

information can be shared include

whether the desired sharing would

violate any laws, regulations,

policies, ethics, fairness, or

someone’s civil liberties, and

whether it would be consistent with

Responsible Information Sharing Part II: Sharing Responsiblyby Karen Mercedes Goertzel, CISSP

Page 17: IA on a Tight Budget - CSIACVol 15 No 3 Summer 2012 ... reactive. For this framing, these are not normative terms that impute any special ... what credentials were compromised, what

IAnewsletter Vol 15 No 3 Summer 2012 • http://iac.dtic.mil/iatac 17

imperatives for privacy or

proprietary protection of

the information.

- Sharing participants need to define rules of engagement (ROE) before sharing. These rules need to delineate information sensitivity, including confidentiality, privacy, and "proprietariness" requirements, and the information consumer should ensure that the information can be protected to the degree the provider requires. The ROE should also state the desired outcome of the sharing or collaboration, since that outcome should help determine which information needs to be shared, and should stipulate mitigations for information leakage or spillage, misappropriation, and misuse or abuse.
- The objective is for the information provider to grant the consumer access to information, not just to a network or system in which information resides. The provider should not expect the consumer to track down the information in the provider's environment unassisted.
- Trust, but verify: the trustworthiness and accountability of consumers, and the integrity of information sharing instances and transactions, should be assured through auditing and monitoring of all information accesses.

Security and Privacy Imperatives for Responsible Information Sharing

Responsible information sharing requires the cooperative sharing of authority and responsibility, and presumes an information partnership in which there is reasonable assurance that, in the course of sharing information, the partners will not interfere with one another's ability to accomplish their missions. For responsible information sharing to be possible, all partners need to:

- Support single-authorization-per-user access privileges across all partner organizations' information sources;
- Extend the reach of enforcement of information access control policy across traditional domain, organization, network, and system boundaries;
- Assure the ability to trust information sharing by ensuring that the right information provider supplies the right information to the right consumer at the right time;
- Define a set of enterprise architecture profiles that will enable all information sharing partners to develop and deploy consistent, interoperable information sharing capabilities, including information protection and information assurance capabilities, across all organizations and at all levels of information; and
- Ensure a common understanding of, and respect by all information sharing partners for, the imperatives for appropriate protection of the confidentiality, integrity, and privacy of shared information at its source, at its destination, and in transit between the two. [3]

Security Challenges in Responsible Information Sharing

Representative Mike Rogers (R-Michigan) made the following observation about our current information environment: "When you look at information sharing, I think we have almost overdone it. We have gotten into an era of need-to-share versus need-to-know. Need-to-know is an important provision when you are trying to do some operation to keep us safer. But need-to-share got us in trouble with WikiLeaks and with other leaks." [4]

A wide range of security challenges needs to be addressed for responsible information sharing to be possible. These include operational, architectural, cultural, and technical challenges, as well as challenges arising from the information sharing model employed and from the standards and policies governing the information sharing activity. [5] Table 1 lists several information sharing challenges and some of the solutions that have emerged in response.

Responsible Cross-Domain Information Sharing

Although most information systems need to store and process information of multiple hierarchical classification levels, most information systems in the defense, intelligence, diplomatic, and other communities operate in "system high mode," because of a perception that system high mode is less expensive and less difficult to operate. That perception holds, however, only for organizations that do not need to share information beyond their own system high environment.

The governing assumption of system high mode is that, instead of labeling, segregating, and granting access to information according to its true, content-determined classification level, all information in a system high system is treated as if it were at the classification level of the most highly classified information in that system. In effect, all information that is not actually that highly classified is automatically and arbitrarily "upgraded" to the higher level when it enters the system high system, even though the true sensitivity of its content has not changed at all.

The problem in system high environments arises when lower-classified information needs to be shared with someone whose clearance was sufficient to access that information before it entered the system high system, but is not sufficient to access the more highly classified information in that system. Because the system usually has a general-purpose file system with only discretionary access controls, it cannot be trusted, and indeed lacks the mechanisms needed, to prevent access to or disclosure of its higher-classified information by a user who is cleared only for its lower-classified information. The only way the lower-classified information may, by policy, be released to the lower-cleared user (or, more accurately, to the lower-classified domain in which that user resides) is for it to undergo a reliable human review and manual downgrade: the information is relabeled from its system-high-imposed classification back down to its actual, original classification and released, while also ensuring that no higher-classified information is commingled with it and disclosed, inadvertently or intentionally, along with it.

Cross-Domain Solutions (CDSs) have long been the most prevalent attempt to partially or fully automate that manual review and re-grading process, not only for "high-to-low" information flows but also, where a lower-classified information source is not trusted, for "low-to-high" flows. In the latter case, the CDS is most often used to validate the authenticity of the information source and to verify that the lower-level content does not include malicious code and is appropriately encrypted and digitally signed before upgrading it and allowing it to enter the higher-classified domain. Because the more rigorous approaches required for true multilevel secure information handling are generally too costly and difficult to implement, CDSs are relied on to enable information transfers that would otherwise be precluded by mandatory access control and information flow policies such as Bell-LaPadula and Clark-Wilson.
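The label logic the preceding paragraphs describe, as an added example in Python that is not code from the article or from any fielded CDS: labels with a hierarchical level and a set of compartments, the Bell-LaPadula read and write rules, the system-high "upgrade" applied on ingest, and the review-and-release step that re-grades a document to its true content label before deciding whether a destination domain may receive it. The level names, the "SI" compartment, the document names and the reviewer and destination labels are constructed for illustration.

```python
"""Bell-LaPadula labels, system-high ingest, and review-and-release.

Added illustration; not from the article or any fielded CDS. Level names,
compartments, and documents are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical levels: a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND compartments a
        superset (a missing compartment blocks access even at the same level)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. Low-to-high writes are permitted, which is why a
    low-to-high CDS checks integrity and provenance rather than confidentiality."""
    return obj.dominates(subject)


@dataclass
class Document:
    name: str
    content_label: Label   # true, content-determined classification
    system_label: Label    # label imposed by the system the document sits in


def ingest(name: str, content_label: Label, system_high: Label) -> Document:
    """Entering a system-high system relabels the document to the system's level,
    whatever its content actually warrants."""
    if not system_high.dominates(content_label):
        raise ValueError(f"{name}: content label exceeds system high")
    return Document(name, content_label, system_label=system_high)


def releasable_by_label(doc: Document, destination: Label) -> bool:
    """All a DAC-only system-high host can decide on: it knows only the imposed
    label, so a CONFIDENTIAL document on a SECRET host looks unreleasable."""
    return destination.dominates(doc.system_label)


def review_and_release(doc: Document, destination: Label, reviewer: Label) -> bool:
    """The human-review (or CDS) path: a reviewer cleared for the whole system-high
    domain confirms the true content label, re-grades the document to it, and
    releases only if the destination dominates that true label."""
    if not reviewer.dominates(doc.system_label):
        raise PermissionError("reviewer is not cleared for the system-high domain")
    doc.system_label = doc.content_label      # the downgrade / re-grade step
    return destination.dominates(doc.content_label)


def demo() -> dict:
    secret_high = Label("SECRET")
    report = ingest("field_report", Label("CONFIDENTIAL"), secret_high)
    sigint = ingest("intercept", Label("SECRET", frozenset({"SI"})),
                    Label("SECRET", frozenset({"SI"})))
    return {
        # the host alone cannot release the report to a CONFIDENTIAL domain ...
        "report_by_label": releasable_by_label(report, Label("CONFIDENTIAL")),
        # ... but a cleared reviewer re-grading it to its content label can
        "report_reviewed": review_and_release(report, Label("CONFIDENTIAL"),
                                              Label("SECRET")),
        # a compartmented document is not releasable to an uncompartmented domain
        "sigint_reviewed": review_and_release(sigint, Label("SECRET"),
                                              Label("SECRET", frozenset({"SI"}))),
        "low_can_write_up": can_write(Label("CONFIDENTIAL"), Label("SECRET")),
        "low_can_read_up": can_read(Label("CONFIDENTIAL"), Label("SECRET")),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point the code makes is the one the text makes: the system-high host has no basis for releasing the CONFIDENTIAL report because its only label is the imposed SECRET one; release becomes possible only after a party cleared for the whole domain re-grades the document to its content label, and that re-grading step is exactly what a CDS automates and what its rule set must get right.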

Because the rule sets they use to verify the releasability or admissibility of information are unavoidably limited, CDSs have been criticized for exposing information sharers to significant risk of unintentional disclosure of secrets. Moreover, while system high mode is generally favored because it is perceived as less expensive and less difficult to implement than multilevel security (MLS), in reality CDSs do not allow an organization to avoid the need for, or the costs of, MLS, because a CDS is itself an MLS system. All a CDS does is transfer the cost of MLS from the upstream (sharing) system to an intermediate or downstream special-purpose review-and-release automation system. As with any other model that proxies security, a CDS cannot provide the same degree of security that maintaining the original, content-appropriate labeling and separation of information at the upstream information source could. CDSs can also cost more to implement than appropriate upstream information labeling and handling would in current information sharing environments, which involve large numbers of information formats (e.g., streaming audio, video, and other multimedia), dynamically changing release and admittance policy rules that must be accommodated, and information that must be shared among a growing multiplicity of domains with different authorization and trust profiles. [6]

Insider Threats to Responsible Information Sharing

The following paragraphs describe three very different compromises that resulted from insider threats in the context of information sharing. Each example emphasizes how wide and complex the insider threat challenge is, and why it is so difficult to address fully. Compromises like these must be addressed by the various government and public-private sector information sharing security and privacy initiatives if responsible information sharing is truly to become a reality.

Insider Threat 1: The Human Error Threat. Southern California Medical-Legal Consultants posted records containing insurance forms, physician notes, and Social Security numbers of 30,000 medical patients who had applied for workers' compensation on a Web site that the president of the consulting firm believed only employees could access. A researcher employed by Identity Finder (a data loss prevention [DLP] vendor) easily discovered the personal medical records using Google. The search engine found the information because Southern California Medical-Legal Consultants [7] had neither implemented password protection for the site nor instructed search engines not to index the Web pages containing the records. Note that a robots.txt directive is only a request honored by well-behaved crawlers; only authentication in front of the pages actually restricts who can read them.

Insider Threat 2: The Social Engineering Threat. Even if insider threat or anomaly detection software had been installed on Department of Justice and Defense Intelligence Agency (DIA) systems at the time, intelligence analyst Ana Belen Montes' activities would have defied electronic detection of anomalous usage and other insider threat detection mechanisms, because she violated no computer security policies or classification restrictions. [8] Montes' excessive file downloading over nearly two decades, from the 1980s until her arrest in September 2001, should have triggered alerts, except that she had used clever social engineering over many months (even years) to get her managers and co-workers accustomed to her being a "hyperproductive workaholic," so that the time she spent working in the office outside normal hours looked like normal behavior. Because behavior that would have been flagged as abnormal for any other employee was accepted as normal for her, she was able to download hundreds of documents from DIA's CIRS, which stored information provided by the Central Intelligence Agency, the Department of State (DoS) Bureau of Intelligence and Research, the National Security Agency, the Federal Bureau of Investigation, and other DIA information sharing partners. Ideologically driven, Montes supplied the misappropriated data first to the government of Nicaragua and later to the Cuban Intelligence Service, using encrypted shortwave radio communications from her home. Montes did not exceed her clearance in accessing the information, and deficiencies in DIA's restriction of access to information compartments (criticized after the investigation of her activities) had left her need-to-know violations undetected.
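The detection gap in the Montes case, as an added example in Python that is not code from the article or from any DIA or DoD audit system: the same weekly download counts scored against each user's own history and against the peer group. The audit series are constructed; one user ramps up a little every week, which keeps the latest week under a per-user robust threshold while the peer-group threshold catches it. The user names and the median-plus-MAD rule are assumptions made for the example, not a description of any fielded tool.

```python
"""Self-baseline versus peer-group baseline for download volume.

Added illustration; not from the article or any fielded audit system.
The weekly counts are constructed for demonstration.
"""
from statistics import median

# Constructed weekly document-download counts per analyst (oldest to newest).
# "mallory" increases a little every week, the habituation pattern the text
# describes; the others stay in a steady band.
WEEKLY_DOWNLOADS = {
    "alice":   [14, 15, 13, 16, 14, 15, 14, 15],
    "bob":     [18, 19, 17, 20, 18, 19, 18, 19],
    "carol":   [11, 12, 10, 13, 11, 12, 11, 12],
    "dave":    [16, 17, 15, 18, 16, 17, 16, 17],
    "mallory": [20, 28, 36, 44, 52, 60, 68, 76],
}


def robust_threshold(history, k=3.0):
    """median + k * MAD. MAD is floored at 1 so a zero-variance history does not
    turn every small deviation into an alert."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    return med + k * max(mad, 1.0)


def self_baseline_alerts(series, k=3.0):
    """Score each user's latest week against that user's own earlier weeks.
    A user who ramps gradually drags their own baseline up with them."""
    alerts = set()
    for user, counts in series.items():
        *history, latest = counts
        if latest > robust_threshold(history, k):
            alerts.add(user)
    return alerts


def peer_baseline_alerts(series, k=3.0):
    """Score each user's latest week against the pooled history of everyone
    else. An individual cannot habituate the peer group."""
    alerts = set()
    for user, counts in series.items():
        pool = [c for other, cs in series.items() if other != user for c in cs]
        if counts[-1] > robust_threshold(pool, k):
            alerts.add(user)
    return alerts


if __name__ == "__main__":
    print("self-baseline alerts:", self_baseline_alerts(WEEKLY_DOWNLOADS))
    print("peer-baseline alerts:", peer_baseline_alerts(WEEKLY_DOWNLOADS))
```

With these series the self-baseline scorer raises nothing (mallory's own history has been inflated to a median of 44 with a wide spread), while the peer-baseline scorer flags mallory alone. In practice both views are kept: the peer comparison must be made against a role-matched group, or a genuinely heavy-duty role will generate false positives, and the individual comparison still catches sudden spikes the group view would smooth over.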

Insider Threat 3: The Ideology Threat. According to press reports, WikiLeaks obtained more than 91,000 secret U.S. military reports and, later, DoS diplomatic cables (all accessible on the Secret Internet Protocol Router Network [SIPRNet]) and posted most of them, unredacted, on its Web site beginning in late July 2010, after alerting The New York Times, The Guardian (UK), and Der Spiegel (Germany) to the pending disclosures. Private Bradley Manning, U.S. Army, was arrested and charged with 22 counts of leaking classified documents and video footage. According to Kshemendra Paul, Program Manager for the Information Sharing Environment, "[t]he unauthorized disclosure of classified information as a result of the WikiLeaks breach illustrates some fundamental failures to protect sensitive information properly."

In his prepared opening statement to the House Permanent Select Committee on Intelligence Worldwide Threat Hearing on February 10, 2011, Committee Chairman Mike Rogers said, "We need to make sure we learn the right lessons from WikiLeaks." [9] Among the "right lessons" he suggested were:

- The need for redoubled efforts to promote information sharing while protecting security through a "smart access," identity-based information security management system that improves the ability to detect and deter bad actors while not unnecessarily constraining or punishing responsible actors by denying them access to sensitive information they need to do their jobs.
- The need for the intelligence community and DoD to follow through on their plan to implement smart access tools, such as auditing controls to detect the misuse of sensitive data. These tools could be similar in scope and accuracy to the fraud detection systems used by credit card companies and banks.

According to Richard Best of the Congressional Research Service in his report Intelligence Information: Need-to-Know vs. Need-to-Share, [10] there are additional lessons to be learned from WikiLeaks:

- Communications personnel and message handlers are in a position to do serious damage.
- The widespread use of computer databases increases the number of individuals with access, as well as the number of documents that are accessible.
- Once information is made available to bloggers or journalists, there are few legal restraints on their ability to make it public on the Internet or in the media.

Since WikiLeaks, DoS has ended its practice of making diplomatic cables available on SIPRNet. [11, 12] As these changes indicate, WikiLeaks is one of the worst data breaches the public sector has experienced. To learn more about how data breaches are detected in the private sector, by contrast, see page 23.

Conclusion

The failure of assured information sharing lay in its single-minded emphasis on breaking down the barriers to intelligence sharing that had proved so disastrous in 2001. Unfortunately, by increasing information access, assured information sharing also increased the exposure of information and of the vulnerabilities inherent in information sharing mechanisms. At the same time, by placing the imperative to share information above all other concerns, assured information sharing guaranteed that those increased exposures were not adequately addressed, leading to information compromises on a grand scale (i.e., WikiLeaks) that would have been far less likely under the pre-2001 approach to information sharing.

Just as 9/11 so dramatically demonstrated government failures in information sharing, WikiLeaks demonstrated government failures in information protection. And just as the numerous information sharing mandates and initiatives that arose in the wake of 9/11 succeeded in overcoming the barriers to information sharing, the responsible information sharing initiative that has followed WikiLeaks hopes to overcome the understatement of the risks that come with increased information sharing. The security challenges are certainly many, but they are not insurmountable. What responsible information sharing seeks to do is impose enough constraints, through information sharing policies and the mechanisms that enforce them, to protect shared information against inappropriate disclosure, tampering, and misappropriation, while not unduly hampering its flow to, and access by, demonstrably trustworthy information consumers.

About the Author

Karen Mercedes Goertzel | is a Certified Information Systems Security Professional and leads Booz Allen’s Information Security Research and Technology Intelligence Service. An expert in software assurance, information and communications technology (ICT) supply chain risk management, assured information sharing, and the insider threat to information systems, she has performed in-depth research and analysis for customers in the DoD, the intelligence community, civilian agencies, North Atlantic Treaty Organization, and defense establishments in the U.K., Australia, and Canada. She was the lead author/editor of Information Assurance Technology Analysis Center’s (IATAC) State-of-the-Art Reports on Security Risk Management for the Off-the-Shelf ICT Supply Chain, The Insider Threat to Information Systems, and Software Security Assurance as well as a number of other IATAC information products and peer-reviewed journal articles and conference papers on these and other information assurance/cybersecurity topics. She can be contacted at [email protected].

References
1. http://www.hsgac.senate.gov/hearings/information-sharing-in-the-era-of-wikileaks-balancing-security-and-collaboration
2. This concept is discussed at length in Van den Heuvel, Gijs, Netherlands Defence Academy, "Share to Win: Unraveling Information Sharing in Dynamic Coalitions." In Proceedings of the 18th European Conference on Information Systems (ECIS 2010), Pretoria, South Africa, 7–9 June 2010.
3. http://www.hsdl.org/?view&did=456645
4. Rogers, Mike (R-Michigan), Chairman of the House Permanent Select Committee on Intelligence, in an interview with WTOP News, 19 January 2011.
5. European Network and Information Security Agency (ENISA), Incentives and Challenges for Information Sharing in the Context of Network and Information Security, September 2010.
6. Chandersekaran, Coimbatore, William R. Simpson, and Andrew Trice, "Cross-Domain Solutions in an Era of Information Sharing." In Proceedings of the 5th International Conference on Cybernetics and Information Technologies, Systems and Applications, Orlando, FL, 29 June–2 July 2008.
7. Robertson, Jordan, "New data spill shows risk of online health records." Forbes/Associated Press, 21 August 2011.
8. McCoy, Stephen A., Affidavit in Support of Criminal Complaint, Arrest Warrant, and Search Warrants (September 2001).
9. http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/021011RogersOpeningStatementWWTHearing.pdf
10. https://opencrs.com/document/R40602/
11. Elsea, Jennifer K., Congressional Research Service, Criminal Prohibitions on the Publication of Classified Defense Information (CRS Report R41404, 18 October 2010).
12. Op. cit. 2011 Information Sharing Environment Annual Report to Congress (30 June 2011), in the Foreword.
13. http://www.secretservice.gov/Verizon_Data_Breach_2011.pdf

Table 1. Information sharing challenges and solutions
(Columns in the original: Security Challenge | Examples of Current Mitigations | Examples of Emerging Solutions)

Data Protection Issues

Challenge: Incorrect data label, metadata tag, or marking, usually caused by (a) incorrect classification or caveating of the data itself, (b) conflict between the original data label and the current classification, or (c) failure to change or remove the label when downgrading and releasing from "system high."
  Current mitigations: "Removing Information Sharing Barriers Created by Improper Classification" (Focus Area 5 of the DoD Information Sharing Plan); DoD and Intelligence Community directives and manuals on information classification and control markings.
  Emerging solutions: Defence Research and Development Canada, Security Classification using Automated Learning (research into automated data classification).

Challenge: Inability to read or understand a data label, metadata tag, or marking, usually caused by (a) lack of a common cross-application standard for structuring and/or applying labels to data (especially data shared outside a single community), or (b) inability of applications to parse data labels.
  Current mitigations: DoD Discovery Metadata Specification; DoD 8320.02-G, "Guidance for Implementing Net-Centric Data Strategy" (12 April 2006), Chapter 4, C4.5; Intelligence Community Information Security Marking; Common Information Sharing Standard for Information Security Marking; FIPS PUB 188 and IETF RFC 1457 (early labeling standards).

Challenge: Data label/metadata binding that cannot be reversed by unauthorized parties.
  Current mitigations: Cryptographic binding of metadata; commercial labeling tools (e.g., InfoAssure Need2Know; Architecture Technology Corp. MetaSAFE and Security Labeling Assurance and Pedigree).
  Emerging solutions: Transglobal Secure Collaboration Program, Information Labeling and Handling.

Challenge: Failure of information sharing mechanisms to enforce the sharing restrictions indicated by labels, or use of products whose labels are understood by only one application or application suite (e.g., janusNET classification labeling for Microsoft Office).
  Current mitigations: DLP tools configured to filter based on data labels; label-based access or transmission restrictions enforced by XACML Policy Decision/Enforcement Points, CDSs, etc.
  Emerging solutions: Karlsruhe Institute of Technology and Technical University of Munich, Distributed Data Usage Control.

Challenge: Persistent protection of the security and privacy of information after it leaves its owner's control.
  Current mitigations: Digital rights management (DRM)/DRM 2.0; Information Rights Management and Enterprise Content Management (e.g., WatchDox, EMC Documentum, Seclore Infosource and Filesecure); digital signature, digital watermarking, cryptographic hashing, encryption, and obfuscation.
  Emerging solutions: Jericho Forum Enterprise Information Protection and Control; IBM Research Trusted Virtual Domains; JISC Self Protecting Information for Deperimeterised Electronic Relationships; Cardiff University Self-Protecting Data for Deperimeterised Information Sharing.

Leaks and Spills

Challenge: Inability to detect or prevent data leaks/spills.
  Current mitigations: Policies and procedures for data leak/spill response; DLP tools [1] [2] [3]; exfiltration and extrusion detection systems [4]; DRM and encryption at the data object level to prevent access after a leak/spill.
  Emerging solutions: Digital forensics to trace, find, and sometimes remove leaked data from unauthorized platforms within a network.

Challenge: Detection of and response to insider data exfiltration, theft, tampering, deletion, destruction, relabeling, label removal, etc., that are inappropriate but not unauthorized. [5] [6] [7]
  Current mitigations: Anomaly-based detection of inappropriate data handling (as in the DoD Host-Based Security System); H.R. 754, FY2011 Intelligence Authorization Act, Section 402, mandates an Intelligence Community automated insider threat detection program.
  Emerging solutions: University of Arkansas-Fayetteville, Detection of Insider Threats at Application Levels.

Challenge: Methods for detecting and removing spyware, keyloggers, and other exfiltrating malware, and tracing data leaks to malware.
  Current mitigations: Anti-spyware, keylogger detectors.

Challenge: Use of steganography for undetectable exfiltration.
  Current mitigations: Steganalysis.

Architectural Issues

Challenge: Boundary/perimeter protections (firewalls, intrusion prevention, DLP, CDS, etc.) impede information sharing by preventing transfer beyond the network/enclave/domain boundary.
  Emerging solutions: NATO Research and Technology Organization, Domain-Based Approach for Coalition-Wide Information Exchange; MITRE Corp., Security Guards for the Future Web.

Challenge: Memory leaks, covert channels, side channel leaks, data remanence, persistent temp files and caches, recoverable "trash," etc., in systems used for information protection/sharing.
  Current mitigations: Memory leak detection; covert channel analysis; side channel attack mitigations; object reuse controls and secure "trash" deletion; frequent purging of temp files, caches, etc.

Challenge: Hidden data and metadata in shared or published documents, Web page HTML or XML code, etc.
  Current mitigations: Sanitizing documents, data, and Web code before release/publication. [8]

Challenge: Limitations of public key infrastructure for supporting large-scale, multi-domain information sharing.
  Current mitigations: TecSec, Constructive Key Management.

Challenge: Intellectual property protection against unauthorized/inappropriate handling (e.g., reverse engineering, theft, piracy, plagiarism, forgery, counterfeiting, exfiltration, sale, publication).
  Current mitigations: Digital watermarking; DRM; obfuscation (deters reverse engineering).

Information Sharing Paradigm Issues

Challenge: Information sharing security challenges of Web 2.0/social media.
  Current mitigations: Acceptable Use Policies for social media by DoD/IC personnel (e.g., DTM 09-026).
  Emerging solutions: Naval Postgraduate School (NPS) TWiki.

Challenge: Control and attribution of information discovery and sharing actions by autonomous software entities (e.g., Web services, software agents).
  Current mitigations: Web Services Security standards (XACML, SAML, WS-Trust, etc.).
  Emerging solutions: Galois Multi-level Web Services Components; Naval Research Laboratory MLS-SOA.

Trust Establishment Issues

Challenge: Establishing a meaningful basis for trust among information sharing partners.
  Current mitigations: "Federally compliant strong identity and access control" (DoD Information Sharing Strategy); "Extending Identity and Access Management" (DoD Information Sharing Plan Focus Area 8); Federal Identity, Credential and Access Management.
  Emerging solutions: NPS Transient Trust Architecture.

Challenge: Detecting and authenticating data pedigree and provenance without disclosing "sources and methods."
  Current mitigations: RAE Software, Pedigree Management and Assessment Framework.
  Emerging solutions: University of Virginia, Data Pedigree.

Challenge: Context-aware metrics for information quality and authority of data sources.
  Current mitigations: Semantic Web and Web 2.0 trust/reputation inference models and algorithms (e.g., EigenTrust) and semantic ranking mechanisms (e.g., Google PageRank), which rank data by popularity or frequency of repetition (e.g., number of Web page "hits" or RSS feeds) with no guarantee of data quality [9]; informal reader ratings (e.g., 1-5 stars) as crude, subjective "rankings" with no consideration of contextual factors such as raters' expertise or purpose in accessing the data (e.g., entertainment versus serious use).
  Emerging solutions: University of California at Davis T-Net; Corp. for National Research Initiatives Digital Object Architecture.

End User Issues

Challenge: Failure of users to recognize phishing, spear phishing, and other social engineering and identity theft attempts to obtain their private information, or sensitive information in their custody.
  Current mitigations: Defense Information Systems Agency anti-phishing training.
  Emerging solutions: Drexel University PhishZoo; Virginia Tech Enhanced phishing detection.

The Threat Landscape

Challenge: "Information black market" (a.k.a. shadow or underground information economy) of criminals, hackers, terrorists, etc., buying and selling data captured through extrusions, spyware/spybots, phishing, identity theft, and insider exfiltration. Data "products" include details of software, system, and network vulnerabilities; details of financial system operations; personally identifying information; techniques for circumventing security controls and anti-fraud mechanisms; stolen credentials and cryptokeys; and pirated software, music, videos, and games.
  Current mitigations: Deterrence via privacy, computer crime, cybercrime, and anti-identity theft laws, and via arrests, prosecutions, and convictions; high-value data protected against insider and outsider exfiltration and theft.


References

1. Gerber, Cheryl, “Plugs for Data Leaks.” In Military Information Technology, Volume 12 Issue 1, January/February

2. Thuermer, Karen E., “Stop that Leak.” In Military Information Technology, Volume 15 Issue 2, March 2011.

3. Selby, Nick, and Aaron Turner, “Using Technology to Combat Data Loss—What It Can Do, What It Can’t.” In IAnewsletter, Volume 12 No. 2, Summer 2009, pages 18-21.

4. Gabrielson, Bruce, Karen Mercedes Goertzel, et al., The Insider Threat to Information Systems [U//FOUO] (IATAC, 2008)—Section 4.4.1.1, “Prevention of Data Exfiltration, Extrusion, and Leakage” (state-of-the-art) and Section 4.4.2.1, “Extrusion, Exfiltration, and Leakage Prevention” (research).

5. Op. cit., Gabrielson, et al., Section 2.3.2.1, “Undetected Data Exfiltration—The Number One Insider Threat?”

6. McCormick, Michael, “Data Theft—A Prototypical Insider Threat.” In Salvatore J. Stolfo, et al., editors, Insider Attack and Cyber Security—Beyond the Hacker (Springer, 2008).

7. An excellent example of very hard to detect inappropriate activities is the case of Ana Belen Montes, a DIA analyst, who never attempted to exceed her authorized privileges. She did, however, use social engineering techniques to get DIA management used to her excessive productivity—they came to believe that she accessed, downloaded, and printed vastly greater quantities of data than her coworkers because she produced about 10 times as many information products as they did—and moreover, that such hyperproductivity was normal for her. She was, in fact, an agent of the Communist governments in Nicaragua and Cuba, and was accessing much of that data for later transmission to her handlers; however, because she had so successfully social-engineered her managers, her activities continued without suspicion for 15 years.

8. Manuals and Guides are available to assist (e.g., NSA—Redacting with Confidence).

9. “Information is now more than ever subject to amplification, modification, and distortion as the number of possible sources takes off.” In Nel, François, Marie-Jeanne Lesot, Philippe Capet, and Thomas Delavallade, “Rumour Detection in Information Warfare—Understanding Publishing Behaviours as a Prerequisite” (RTO-MP-IST-091). Presented at NATO IST-091 Symposium on Information Assurance and Cyber Defence, Tallinn, Estonia, 22 November 2010.

How Data Breaches are Detected in the Private Sector

According to the 2011 Verizon/U.S. Secret Service Data Breach Investigations Report [13]—

• Three sectors experienced the vast majority of reported data breach incidents in 2010: Hospitality (40% of all breaches), Retail (25% of all breaches), and Financial Services (22% of all breaches). The next highest number, reported in the government sector, represented only 4% of all reported breaches. These proportions remained much the same as in previous years; however, there was nearly a 600% increase in the total number of breaches across the board between 2009 and 2010.

• The most frequent threat mechanisms in 2010 data breaches were hacking and malware, followed by physical compromises, social media, and insider misuse. The numbers of breaches resulting from errors (e.g., unintentional leaks, incorrect security configuration settings) and environmental factors (e.g., acts of God, power failures, electrical interference) were statistically insignificant. The most frequent targets were servers (malware, hacking, misuse), user devices (malware, hacking, physical breaches—mainly tampering with some surveillance), and offline data (misuse). Social engineering, by definition, exclusively targeted people. In 81% of breaches involving malware, the installation mechanism was a remote attacker’s direct installation or injection of the malware on the target, and the most prevalent malware types were data exfiltration Trojans, backdoors, keyloggers, form-grabbers, and spyware that tampered with system security controls, general system/network utilities, and RAM scrapers. The 2011 Report’s findings were consistent with reports from 2009 and earlier, where hacking and malware had been the leading threat mechanisms, demonstrating that the 2010 Data Breach Report’s finding that misuse was the number one threat mechanism in 2009 was an anomaly. Of the misuse incidents that were reported, the highest percentage remained embezzlement, skimming, and other financial fraud. Abuse of system/access privileges and the use of unapproved hardware/devices were the next most prevalent. All other abuses trailed far behind these in frequency.

• The most compromises, in terms of incidents and records exposed, continued to be caused exclusively by outsider threats, while the numbers of records exposed by insiders, business partners, or insider/outsider collusion continued to drop. Organized crime groups were the number one source of externally originated breaches (58%, with 65% of those located in Eastern Europe, including Russia and Turkey; 19% in North America; 12% of unknown location; and the rest distributed across other continents and regions), followed by unaffiliated persons (40%), and unknown sources (14%).

• The most frequently compromised data were numbers and other data associated with payment cards (78% of incidents, 96% of records leaked), followed by authentication credentials (45% of incidents, 3% of records), and personal information (15% of incidents, 1% of records). Other types of data that were targeted included organizational proprietary data, bank account information, intellectual property, system information, classified information (3% of all reported incidents, with the percentage of total records leaked unknown), medical records, and unknown information types (the last two were statistically insignificant).

• The trends in breach discovery methods shifted significantly. From 2005 (the first data breach report) to 2009, the percentage of breaches detected by external third-party mechanisms (third-party fraud detection/Common Point of Purchase analyses; law enforcement, customer, or business partner notifications; third-party event monitoring/alert services; third-party financial audits; third-party security audits/scans; external reports of threat activity; and happenstance discovery by third-party media or third-party press-release reports) had steadily dropped; however, in 2010, it increased by 25% to 86% of all incident reports. Internal detections had previously been mainly “passive” (coincidental or happenstance), e.g., as the result of employees witnessing and reporting incidents or overhearing bragging/blackmail by perpetrators, or discovery when investigating unusual system behavior or performance issues, rather than through intentional internal data loss prevention and intrusion detection system detection, internal security audits/scans, or discovery through log/audit trail monitoring and analysis. In 2010, however, the proportion of coincidental to “active” (intentional, focused) discoveries was almost 1:1.


United States Service Academies
by Angela Orebaugh

IATAC SPOTLIGHT ON A UNIVERSITY

The United States Service academies are federal undergraduate academies that offer education and training in a military environment. Admission is very competitive for the service academies, which offer full 4-year scholarships that include tuition, books, board, medical, and dental care in return for a minimum of 5 years of service obligation. Graduates receive a B.S. and are commissioned as Officers in their respective service branch. [1]

There are five U.S. Service academies—

• The United States Military Academy (USMA)—Founded in 1802 in West Point, NY, the USMA offers 45 academic majors across 13 departments. The Department of Electrical Engineering and Computer Science offers majors in Electrical Engineering, Computer Science, and Information Technology with elective courses in Cybersecurity. [2] The Cyber Research Center, formerly known as the Information Technology and Operations Center, in the Department of Electrical Engineering and Computer Science offers research, education, and outreach in information assurance (IA), computer, and network security. [3] The center also helps prepare teams for the National Security Agency’s (NSA) annual Cyber Defense Competition (CDX) between service academies like the USMA, which is a designated NSA Center of Academic Excellence in Information Assurance (CAE/IA). Courses include topics such as forensics, cryptography, and cyberwarfare. The USMA also offers the Special Interest Group in Security, Audit, and Control to provide students a forum for learning about IA, information warfare, and computer security.

• The United States Naval Academy (USNA)—Founded in 1845 in Annapolis, MD, the USNA offers 22 academic majors across five divisions. The Division of Mathematics and Science offers majors in Computer Science and Information Technology with courses in computer and network security and IA. [4] It is a designated NSA CAE/IA. The USNA also recently established the Center for Cyber Security Studies and mandated a cyber course for all students.

• The United States Coast Guard Academy (USCGA)—Founded in 1876 and now located in New London, CT, the USCGA offers eight academic majors across five departments. Majors include Civil Engineering, Mechanical Engineering, Electrical Engineering, Naval Architecture and Marine Engineering, Operations Research and Computer Analysis, Marine and Environmental Sciences, Government, and Management. [5] The USCGA is the only institution of higher education in the Department of Homeland Security, and offers focused courses, research, and information dissemination regarding strategic intelligence and homeland security. [6]

• The United States Merchant Marine Academy (USMMA)—Founded in 1943 in Kings Point, NY, the USMMA offers six academic majors across six departments. Majors include Marine Transportation, Maritime Operations and Technology, Logistics and Intermodal Transportation, Marine Engineering, Marine Engineering Systems, and Marine Engineering and Shipyard Management. [7]

• The United States Air Force Academy (USAFA)—Founded in 1954 in Colorado Springs, CO, the USAFA offers 32 academic majors across four divisions. The Basic Sciences Division offers a Computer Science major with courses in cryptography, computer security and information warfare, and network security. [8] It is a designated NSA CAE/IA. The Computer Science Department is also home to the Academy Center for Cyberspace Research (ACCR), which conducts research in cyberwarfare, IA, unmanned aerial systems, and cyberspace education. [9] The ACCR assists with IA curriculum development and provides student research opportunities such as cyber competitions (i.e., CANVAS and the CDX). It also includes the Cyberwarfare Club, which provides a sandbox network where students can practice network attack, exploitation, and defense techniques.

References

1. http://www.todaysmilitary.com/before-serving-in-the-military/service-academies-and-military-colleges
2. http://www.eecs.usma.edu/outreach/
3. http://www.itoc.usma.edu/
4. http://www.usna.edu/CS/
5. http://www.cga.edu/academics2.aspx?id=129
6. http://www.cga.edu/academics2.aspx?id=299
7. http://www.usmma.edu/academics/curriculum/default.shtml
8. http://www.usafa.edu/df/dfcs/
9. http://www.usafa.edu/df/dfe/dfer/centers/accr/

Letter to the Editor

Q: What is the general purpose of an “Acquisition Information Assurance Strategy?”

A: The Assistant Secretary of Defense for Networks and Information Integration/Department of Defense (DoD) Information Officer released DoD Instruction (DoDI) 8580.1, “Information Assurance (IA) in the Defense Acquisition System,” in July 2004. This instruction emphasizes the importance of fully integrating IA across DoD acquisitions related to information technology (IT) systems and weapons systems interfacing with the Global Information Grid. [1]

DoDI 8580.1 states: “all acquisitions of mission critical or mission essential IT systems…shall have an adequate and appropriate Acquisition IA Strategy that shall be reviewed prior to all acquisition milestone decisions, program decision reviews, and acquisition contract awards.” [2] Overall, the primary purpose of an Acquisition IA Strategy is to enable the DoD to continue to strengthen IA as it acquires the services and capabilities that allow its IT and weapons systems to advance.

By requiring organizations to develop suitable Acquisition IA Strategies, and by reviewing the strategies frequently and at pivotal decision points, this requirement provides a procedural mechanism by which the DoD can assess its IA weaknesses at a high level. Perhaps more importantly, the DoD is able to maintain a strong, more centralized focus on IA while developing new capabilities as a result of this requirement.

References

1. http://www.dtic.mil/whs/directives/corres/pdf/858001p.pdf
2. Ibid.


Searching For the Best— U.S. Cyber Challenge
by Rudy Pamintuan

In 2009, Karen Evans, former Administrator of E-Government and Information Technology at the White House, began research to co-author the publication “A Human Capital Crisis in Cybersecurity” in conjunction with the Center for Strategic and International Studies (CSIS). In the detailed report, the research reflects the country’s vulnerabilities in meeting emerging threats. Shortages of qualified personnel extend from the federal government to the U.S. defense industrial base, federal information systems contractors, utilities, telecommunications companies, and most other segments of the critical national infrastructure.

Jim Gosler, the founding Director of the Central Intelligence Agency’s (CIA) Clandestine Information Technology Office, summed it up best in “Cyberwarrior Shortage Threatens U.S. Security,” where he stated, “There are about 1,000 security people in the U.S. who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000.” [1]

Ms. Evans’ research led to the initial launch of the U.S. Cyber Challenge by the CSIS. [2] The U.S. Cyber Challenge transitioned to the Center for Internet Security and was developed as a public-private partnership to recruit the next generation of cybersecurity professionals. This partnership has since moved to the National Board of Information Security Examiners (NBISE), where it presently maintains its mission.

The U.S. Cyber Challenge is a national talent search and skills development program. The program’s objective is to find 10,000 Americans, principally young Americans, with the interests and skills to fill the ranks of cybersecurity practitioners, researchers, and warriors. The program nurtures and develops their skills, enables them to gain access to advanced education and exercises, and, where appropriate, enables them to be recognized by academia, industry, and governments, where their skills can be of the greatest value to the nation.

The U.S. Cyber Challenge provides a range of opportunities to identify and nurture talented young Americans by casting a wide net to enable them to demonstrate their skills, and then make them aware of other opportunities, help develop their skills, and improve their knowledge in making our nation’s cyber environment safe. Through the U.S. Cyber Challenge’s efforts, America’s best are identified and connected with employers.

Recently, the U.S. Cyber Challenge completed its Spring 2012 Cyber Quest Competition, where over 1,000 young adults and college students participated. Participants learned of the competition through NBISE’s use of social media and aggressive online activities. The competition featured a series of quiz questions based on the analysis of a packet capture file, which participants analyzed on their own machines, searching for signs of an attack and assessing other activity. Participants had 24 hours from the time they began the quiz to complete the task. Winners were determined based on the highest scores in the shortest amount of time.

“We encouraged students from across the country to register for the Cyber Quest competition and take the challenge to vie for an invitation to one of the Cyber Camps. The response has been overwhelming, and it’s an exciting time for students to participate—especially with the explosive growth in the cybersecurity industry,” said Karen Evans, National Director of the U.S. Cyber Challenge. “The tremendous knowledge sharing, expert training, and career opportunities presented at the camps are invaluable to helping develop our youth into the next generation cybersecurity workforce.”

Top performers of the online competition are now eligible for invitations to one of four week-long Cyber Camps being offered from June through August of this year. State-specific camps are being offered in Southern California and Delaware, while regional camps will take place in Northern Virginia and California (Bay Area).

“The Cyber Quest competition and Cyber Camps are critical as our nation continually undergoes fast-paced competitive changes in technology. Our growing reliance on digital technology requires concentrated efforts, like these, to identify the best and develop the next generation of highly skilled cybersecurity professionals,” said Michael Assante, President & Chief Executive Officer of NBISE.

The camps will feature 1 week of specialized sessions by college faculty; System Administration, Networking, and Security Institute senior instructors; and cybersecurity experts, capped off by a live competition and awards ceremony on the last day. In addition to providing expert training for participants to improve their skills and marketability, the Cyber Camps will also provide students the opportunity to engage with major technology companies and government agencies at onsite job fairs for scholarship, internship, and employment opportunities. Many former competitors were offered employment within the public and private sectors shortly after attending previous Cyber Camps. For several, it was their first step to an exciting career.

“The U.S. Cyber Challenge is a program that works with academic and private sector partners to identify and develop cybersecurity talent to meet our growing needs. One part of the Cyber Challenge involves intensive summer camp experiences for the best and brightest cyber talent,” Department of Homeland Security Secretary Janet Napolitano stated recently.

The U.S. Cyber Challenge also recently completed the Cyber Foundations competition, where more than 500 high school students participated in demonstrating their aptitude in the foundational skills of cybersecurity. The competitors who rise to the top will be invited to continue to participate in the developing U.S. Cyber Challenge community. Members of the community will have access to additional educational and employment opportunities, such as internships with government entities and/or private industry, grants, or scholarships to study advanced cybersecurity programs.

“Our country’s digital infrastructure must be defended from emerging threats. The U.S. Cyber Challenge offers a unique and exciting platform to identify the talent we need to defend our nation,” stated Hon. Mike McConnell, former Director of National Security and Partner at Booz Allen Hamilton.

With new and emerging threats affecting the United States on a daily basis, the U.S. Cyber Challenge serves as the necessary pipeline of talent to meet the growing demands in the cybersecurity industry. By identifying the best of the best, the U.S. Cyber Challenge ensures that the workforce maintains a constant flow of America’s brightest and best.

About the Author

Rudy Pamintuan | is the President of Sherman Consulting and the Managing Partner of Heartland Technology Group. Mr. Pamintuan spends much of his time advising and developing national programs and policies that protect America’s digital infrastructure. He can be contacted at [email protected].

References

1. “Cyberwarrior Shortage Threatens U.S. Security,” NPR Morning Edition, 19 July 2010, http://www.npr.org/templates/story/story.php?storyId=128574055.
2. http://www.USCyberChallenge.org


USENIX Federated Conferences Week

USENIX, the Advanced Computing Systems Association, hosted its Federated Conferences Week from 12–15 June 2012 in Boston, MA. This event combined a variety of conferences and workshops into a week-long affair that allowed participants to get an intensive look at various information assurance developments and topics of interest. [1]

This event combined the following workshops: HotCloud ’12, Theory and Practice of Provenance ’12, Women in Advanced Computing Summit ’12, Annual Technical Conference ’12, Configuration Management Summit ’12, HotStorage ’12, Networked Systems for Developing Regions ’12, Cyberlaw ’12, and Web Application Development ’12. Registrants had the opportunity to attend all of the events across these workshops and customize their learning and collaboration experience.

Perhaps the most unique aspect of this event was its Birds-of-a-Feather sessions, which were designed to be informal gatherings where participants could either lead or attend discussions about topics of their own personal interest. These sessions maximized participants’ opportunities to collaborate with like-minded peers and colleagues. [2]

For more information about this event, please visit https://www.usenix.org/conference/atc12. For more information about USENIX, please visit https://www.usenix.org/.

References

1. https://www.usenix.org/
2. https://www.usenix.org/conference/atc12

DoD IA Symposium
28–30 August 2012 | Nashville, TN

The Department of Defense (DoD) Information Assurance (IA) Symposium will take place 28–30 August 2012 at the Gaylord Opryland Resort and Convention Center in Nashville, TN. It will bring together leaders and IA practitioners from across government, industry, and academia to network and explore ways to improve IA.

• To attend, contact www.iad.gov/events for more information.
• To participate in the IA Exposition, which will take place in conjunction with the IA Symposium, visit www.informationassuranceexpo.com/.


Order Form
FREE Products

Instructions: All IATAC LIMITED DISTRIBUTION reports are distributed through DTIC. If you are not a registered DTIC user, you must do so prior to ordering any IATAC products (unless you are DoD or Government personnel). To register online: http://www.dtic.mil/dtic/registration. The IAnewsletter is UNLIMITED DISTRIBUTION and may be requested directly from IATAC.

LIMITED DISTRIBUTION

IA Tools Reports: Firewalls; Intrusion Detection; Vulnerability Analysis; Malware

Critical Review and Technology Assessment (CR/TA) Reports: Biometrics (soft copy only); Configuration Management (soft copy only); Defense in Depth (soft copy only); Data Mining (soft copy only); IA Metrics (soft copy only); Network Centric Warfare (soft copy only); Wireless Wide Area Network (WWAN) Security; Exploring Biotechnology (soft copy only); Computer Forensics (soft copy only; DTIC user code MUST be supplied before this report is shipped); IO/IA Visualization Technologies (soft copy only); Modeling & Simulation for IA (soft copy only); Malicious Code (soft copy only); Data Embedding for IA (soft copy only)

State-of-the-Art Reports (SOARs): Security Risk Management for the Off-the-Shelf Information and Communications Technology Supply Chain (DTIC user code must be supplied before this report is shipped); Measuring Cybersecurity and Information Assurance; Software Security Assurance; The Insider Threat to Information Systems (DTIC user code must be supplied before this report will be shipped); A Comprehensive Review of Common Needs and Capability Gaps

UNLIMITED DISTRIBUTION

IAnewsletter hardcopies are available to order. Softcopy back issues are available for download at http://iac.dtic.mil/iatac/IA_newsletter.html

Volume 12: No. 1, No. 2, No. 3, No. 4; Volume 13: No. 1, No. 2, No. 3, No. 4; Volume 14: No. 1, No. 2, No. 3, No. 4; Volume 15: No. 1, No. 2

SOFTCOPY DISTRIBUTION

The following are available by e-mail distribution: IADigest; Technical Inquiries Production Report (TIPR); Research Update; IA Policy Chart Update; Cyber Events Calendar; IAnewsletter (beginning in Spring 2012)

Fax the completed form to IATAC at 703/984-0773 or order online at: http://iac.dtic.mil/iatac/form.html


Calendar

September

Midwest Information Security Forum 2012
10–11 September 2012, Chicago, IL
http://www.iansresearch.com/ians-events

Biometric Consortium Conference
18–20 September 2012, Tampa, FL
http://www.afcea.org/events/

October

AUSA Annual Meeting & Exposition
22–24 October 2012, Washington, DC
http://www.ausa.org/meetings/Pages/NationalMeetings.aspx

2012 Naval Science and Technology Partnership Conference
22–24 October 2012, Arlington, VA
http://www.onr.navy.mil/Conference-Event-ONR/science-technology-partnership.aspx

TechNet International 2012
23–25 October 2012, Rome, Italy
http://www.afcea.org/europe/html/TNI12Home.htm

AFCEA Fall Intelligence Symposium
24–25 October 2012, Springfield, VA
http://www.afcea.org/events/

MILCOM ’12
29 October–1 November 2012, Orlando, FL
http://www.milcom.org/

20th IEEE International Conference on Network Protocols (ICNP)
30 October–2 November 2012, Austin, TX
http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=20200

November

Southeast Information Security Forum 2012
6–7 November 2012, Atlanta, GA
http://www.iansresearch.com/ians-events

TechNet Asia-Pacific 2012
13–15 November 2012, Honolulu, HI
http://www.afcea.org/events/

December

2012 Annual Computer Security Applications Conference
3–7 December 2012, Orlando, FL
http://www.acsac.org/

Information Assurance Technology Analysis Center
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171

To change, add, or delete your mailing or e-mail address (soft copy receipt), please contact us at the address above or call us at: 703/984-0775, fax us at: 703/984-0773, or send us a message at: [email protected]