CD FY10 Budget and Tactical Plan Review FY10 Tactical Plans for Computer Security Ron Cudzewicz October 8, 2009 Tactical plan names listed here… DocDB# FY10 Tactical Plan for Computer Security 3378


CD FY10 Budget and Tactical Plan Review

FY10 Tactical Plans for Computer Security

Ron Cudzewicz

October 8, 2009

Tactical plan names listed here… DocDB#

FY10 Tactical Plan for Computer Security (DocDB# 3378)


CD FY10 Budget and Tactical Plan Review 2

FY10 Tactical Plan for Computer Security

• Tactical Plan Leader: Joe Klemencic

Service Activity List

• Compliance-Auditing-Oversight

• Information Systems Security Manager

• Information Security Officer

• Certification Agent

• Integrated Security Management

• Security Researcher

Project Activity List

• DOE Compliance

• Scanning Infrastructure

• Vulnerability Detection and Management

• NLCIO, DOE, CSWG

• CS Administration


Service Activity: Information Systems Security Manager

• Goals Related to this Activity (Project 511)

– Comply with the ISSM responsibilities as assigned in DOE M 205.1-5

– Define and communicate the strategic direction of the Fermilab Computer Security program.

– FNAL computer security representative to the DOE.

– Continuous review and updating of all existing computer security policies and plans.

– Formulate new policies and plans as needed.

• Key Metrics

– Effort Reporting

• Service Documentation:

• Issues and Risks

– None


Service Activity: Information Security Officer

• Goals Related to this Activity (Project 511)

– Comply with the ISO responsibilities as assigned in DOE M 205.1-5

– Communicates individual incident and potential incident reports to the ISSM.

– Initiates ISSM-approved protective or corrective actions.

– Participation in ISSM self-assessment and training programs.

– Communicate OSE policies, and their enforcement, to the OSG and other participating organizations.

• Key Metrics

– Effort Reporting

– Milestones: Continued DOE funding.

• Service Documentation:

• Issues and Risks (specific to this activity, includes allocation impact)

1. None


Service Activity: Certification Agent

• Goals Related to this Activity (Project 511)

– Comply with the CA responsibilities as assigned in DOE M 205.1-5

– Conducts comprehensive assessment of management, operations, assurance, and technical security controls in an information system.

– Provides the system owners with the level of effort and resource requirements for conducting the ST&E process.

– Provide forensics expertise during and/or after computer security incidents.

• Key Metrics

– Percentage of ST&E controls assessed within the past 12-month period as part of the ongoing continuous monitoring process.

– All DOE Office of Science data calls responded to on or before their deadlines.

– Data calls: current status chart: https://cd-docdb.fnal.gov:440/cgi-bin/ShowDocument?docid=2959

– Data calls: yearly response chart rollup.

– Milestones: Continued DOE funding.

• Service Documentation:

• Issues and Risks

1. None


Service Activity: Integrated Security Management

• Goals Related to this Activity (Project 50, not members of computer security team)

– Special requests related to Computer Security requirements, e.g.

• Effort requested by computer security for data collections

• FCIRT incident response activity

• Audit preparation and interviews

• Key Metrics

– Effort Reporting

– Milestones

• Service Documentation:

• Issues and Risks

1. None


Service Activity: Security Researcher

• Goals Related to this Activity are still under development by security management.

• Key Metrics

– Effort Reporting

– Milestones, if any applicable (may be none for some Service Activities)

• Service Documentation: Location of a Service Definition and related documentation

• Issues and Risks


Service Activity: Compliance-Auditing-Oversight

• Goals Related to this Activity (Project 50 only members of Computer Security Team)

– Re-architect the business internet traffic inspection to facilitate the increase in bandwidth

– Expand the CST central logging facilities horizontally

– Implement internal sensors to alert on potentially malicious traffic

– Encourage use of central services.

– Minimize impact of DOE requirements on scientific program.

– Continue to refine security controls for Open Science Enclave (OSE).

• Key Metrics

– Effort Reporting

– Milestones

• Service Documentation:

• Issues and Risks


Project Activity: DOE Compliance

• Goals Related to this Activity

– Maintain hardware and software on currently installed systems to support data collection, anomaly detection and policy enforcement as mandated by the DOE.

– Implement DNS Blackhole servers to redirect users to restricted resources when attempting to contact malicious sites or services.

– Implement Intrusion Detection Systems and Traffic Profilers on internal networks to facilitate anomaly detection and rapid detection of compromised nodes

– Augment training and general security awareness among Fermilab employees through the Computer Security Awareness Day and ongoing computer security awareness training.

– Provide resources to facilitate metrics creation, data mining and introduction of automated utility computing

– Procure the equipment and services to facilitate the relocation of equipment in the FCC2 computer room.

– Procure larger hard drives for continuous growth of data collection and to replace failed units.

– Procure additional equipment to support new DOE directives and initiatives on a contingency basis.

• Key Milestones

• Project Documentation:

• Issues and Risks

1. Developing an agile posture toward possible, unplanned-for new DOE requirements to minimize non-compliance risks.


Project Activity: Scanning Infrastructure

• Goals Related to this Activity

– Install new distributed scanner hardware.

– Maintain and expand existing scanner infrastructure: memory, processor and storage upgrades.

• Key Milestones

– Metrics: More comprehensive scanner results.

• Project Documentation: URL to Project Web Site or project definition documentation

• Issues and Risks

1. An aging scanner infrastructure leaves the lab more vulnerable.


Project Activity: Vulnerability Detection and Management

• Goals Related to this Activity

– Installation of additional Splunk systems: hardware and software licenses. Special FY09 funding provided by DOE for this purpose, $216K.

– Procure software maintenance and updates for production web proxies.

• Key Milestones

– Procurement

– Installation

– Metrics: More comprehensive metrics generation by the Splunk systems.

• Project Documentation:

• Issues and Risks

1. Potential compromise of Fermilab's ability to respond quickly to cyber attacks.

2. Increased vulnerability to data loss, corruption and web-based services.


Project Activity: NLCIO, DOE, CSWG

• Goals Related to this Activity

– Attend Cyber Security-related workshops, conferences and training sponsored by the DOE Office of Science.

• Key Milestones

– Metrics

• Project Documentation:

• Issues and Risks

1. Failure to understand and influence current regulations increases the operational burden on the Lab.


Project Activity: CS Administration

• Goals Related to this Activity

– Provide sufficient equipment, technologies, personal computers, etc. to carry out the mission of the CST Group.

• Key Milestones

– Metrics

• Project Documentation:

• Issues and Risks

1. None


Ripple Effect on Shared IT Services (What new requirements does your service have for other services)

• Enhanced email log collection

• Long term digital certificate offering

• Multi-factor authentication

• Electronic ID Management

• Adoption of Centralized Authentication

• Exemption Processing and Recording

Note: Help avoid emergency procurements, which incur added costs. At least put an 'X' where need is expected, even if details are not yet known.

Descriptors: Agreed to? Whose budget covers costs? Is the driver a service or a project?

A = Agreed with service provider; N = New need, not yet agreed to by service provider.

M = "My" budget contains this; T = Shared service budget should contain this.

S = Steady-state service drives this; P = Project activity alone drives this.

Only activities with "new" demands on shared IT services since last FY need be listed.

* Network Connectivity: expansion of existing service

* Network-Attached Storage a.k.a. BlueArc: additional storage space


FY10 FTE and M&S: Request vs. Allocation

Level 0/1 Activity: Computer Security


Impact of Preliminary Allocation

• With this preliminary allocation, we will be able to continue our strategic direction of becoming more proactive.

• Maintain our active role in understanding and influencing DOE cyber security policy.


Summary of Past Action Items

• None


CD FY09 Tactical Plan Status 18

Tactical Plan Summary

• Summary

– Failure to complete the re-architecture of the FY09-purchased hardware for the internet data inspection efforts, due to external dependencies (facilities, networking, vendor bugs), will result in an even greater loss of inspected packets (currently around 60%-80% packet loss) as the internet bandwidth increases.

– Failure to obtain and implement internal IDS/Profilers will result in a continued diminishing view into internal anomaly detection.

– Delays incurred by the DNS rearchitecture project by the LAN group will result in a missed opportunity to implement DNS Blackhole servers to deny and track access attempts to hostile external resources.
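The DNS Blackhole servers named in the DOE Compliance goals and in the FY09 status above are, in practice, a resolver that answers lookups of known-hostile domains with the address of a restricted internal resource and records who asked. The stanza below is an added illustration of that pattern for the Unbound resolver; it is not part of this deck and not Fermilab's configuration. The zone name hostile.example, the sinkhole address 192.0.2.10 (standing in for an internal web server that serves a notice page) and the log file path are constructed placeholders.

```conf
# Added example (not from the deck): an Unbound "DNS blackhole" stanza.
# hostile.example, 192.0.2.10 and the log path are constructed placeholders.
server:
    # Write every query to a log file so sinkholed lookups can be traced
    # back to the requesting client (the "track access attempts" part).
    use-syslog: no
    logfile: "/var/log/unbound/blackhole.log"
    log-queries: yes

    # "redirect" answers the zone and every name beneath it from local-data,
    # so www.hostile.example and cdn.hostile.example also land on the sinkhole
    # instead of resolving to the real hostile host.
    local-zone: "hostile.example." redirect
    local-data: "hostile.example. A 192.0.2.10"
```

Two points a practitioner would check before relying on this: the sinkhole only protects clients that actually use the lab resolver, so egress DNS to outside resolvers has to be blocked at the border or the control is bypassed by any host with a hard-coded external nameserver; and because every sinkholed query now appears in the resolver log, that log becomes a detection source for compromised nodes and should be shipped to the central logging facility rather than left on the resolver.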


Tactical Plan Summary

• Summary (cont'd)

– Due to the ever increasing data collection sources, the current Splunk server will be operating beyond the implemented index licensing and hardware specifications, resulting in data loss and missed log collection opportunities.

– Scanning and data processing devices are in a constant need of upgrades or replacement due to the ever increasing data collection and data mining efforts. Failure to stay on top of performance and storage issues will result in data loss, excessive analysis time and a reduced data retention interval as specified in the GCE Security Plans.


Tactical Plan Summary

• Summary (cont'd)

– Due to the specialized hardware and software in use, maintenance costs continue to rise as we increase the licensing to align with the additional data collection. Failure to renew maintenance will result in a freeze of signature and other constantly changing analyzer datasets, resulting in mis-detection of new threats and failure to repair failed hardware.

– Business injects and out of scope operational issues interfere with the successful implementation of new resources, data mining efforts and support of existing infrastructure.