COALITION WARRIOR INTEROPERABILITY DEMONSTRATION 2006 FINAL REPORT

IT01.34

Mobile/Static Real-Time Radiological Surveillance Network
(MobRadNet)

INFORMATION ASSURANCE (IA) RESULTS

IT01.34 ASSESSMENT COMPONENTS
WARFIGHTER | TECHNICAL INTEROPERABILITY | INFORMATION ASSURANCE | SEIWG
(If a text entry is not linked, there is no assessment in that category for this trial)

Executive Summary

The Coalition Warrior Interoperability Demonstration (CWID) Assessments Working Group (AWG), Information Assurance (IA) Team performed a high-level assessment of IT01.34, MobRadNet.  Overall, this trial implemented mechanisms to provide assurance that the information processed by the vendor’s product was secure in the CWID operating environment.

OVERVIEW

This report is a result of an assessment that the AWG-IA Team performed on Trial 1.34, MobRadNet.  This report gives general background information regarding IA principles and certification & accreditation methodologies.  It briefly describes the approach and methodology the team used throughout CWID 06 planning and execution.  It gives the results of the data collection, analysis, and testing performed on this specific trial.

PURPOSE

The purpose of this Assessment was to provide a high-level analysis of a trial’s security architecture for the trial vendors and sponsors.  This assessment is not intended to serve as evidence that a product will provide adequate assurance in other operating environments or systems.

In order to receive this assessment, a trial had to meet two criteria:

While CWID 06 primarily focused on making information available to warfighters and first responders, fielded products needed to demonstrate that the data/information processed was adequately protected.  It was intended that the CWID IA Assessment process would encourage the trial vendor and sponsor to consider IA functions and how to achieve an appropriate IA level.  This assessment considered both technical and administrative functions that contribute to the protection of information. 

Background

CWID is the Chairman of the Joint Chiefs of Staff's (CJCS) annual event that enables the U.S. combatant commands and international community to investigate command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) solutions that focus on relevant and timely objectives for enhancing coalition interoperability.  CWID conducts trials of C4ISR capabilities, which can then be moved into operational use within 6-12 months following the execution period.  The scenario for CWID 2006 incorporated aspects of Homeland Defense (HLD) and Homeland Security (HLS) in addition to traditional coalition operations.  USNORTHCOM intends to use CWID as a proving ground for emerging C4ISR technologies relevant to HLD and HLS. International participants included Australia, Canada, New Zealand, the United Kingdom (UK), and the North Atlantic Treaty Organization (NATO).  CWID was conducted in a simulated operational environment.

Information Assurance Principles

There are three common security principles/services that should be considered by a developer or risk acceptor when deciding the appropriate level of assurance a product must demonstrate.   These are confidentiality, integrity, and availability.  Some have included other principles such as authentication and non-repudiation when listing the principles.

Frequently, it seems that security services are at odds with each other.  A battlefield commander might feel that it is more important to have information available than to keep information confidential--knowing the location of high-value targets (availability) might be more important than protecting the location of a sensor or information source (confidentiality).  In another scenario, a decision maker might feel that that data integrity is the dominant service.  For systems that process classified information, confidentiality is typically the dominant service.

Threats

Generally, threats to information systems are described as intentional, non-intentional, and natural.  Human threats are considered insider or outsider threats, depending on the level of trust the person has.

There are a number of techniques to mitigate these threats, both technical and administrative.  Some technical techniques include:

Some administrative measures could be:

Non-intentional insiders cause a significant number of security incidents.  This is due primarily to the frequency with which users operate information systems.  System owners frequently rely upon administrative controls to prevent these incidents from occurring.  However, there are techniques to technically mitigate these threats.  Auditing attempts to visit restricted web sites or maintaining a tightly configured firewall might be cost-effective ways to prevent abuse of Internet privileges.

While the non-malicious insider causes the most security incidents, the impact of most of these incidents is negligible.  The most dangerous threat is an intentional insider.  Often, by the time a security incident caused by a non-malicious insider is detected, serious damage or compromise has already been done.

Risk acceptors must consider the potential threats they face prior to fielding new systems or using new products, and implement the appropriate mitigation strategy.

Threats, Assumptions and Policies

Certain IA functions are vulnerable to specific threats.  For example, communications channels have a probable vulnerability to eavesdropping.  Another example is that client software on non-vendor workstations (i.e. DoD) is vulnerable to users who behave maliciously.  The AWG-IA Team considered a number of specific threats during the assessment, such as those mentioned above, when designing testing scripts for Information Assurance testing for CWID.  These are listed at the end of this report.

Typically, decision makers will make a number of assumptions when considering security.  For example, they assume that users will avoid visiting suspect Internet sites.  They might assume that a user will create a strong password that is not related to previous passwords.  They might assume that power will constantly be available.

If a decision maker feels that they don’t get sufficient assurance from these assumptions, they could establish a policy.  These policies could be enforced technically or administratively.  Consider the threat of a non-malicious insider visiting a restricted site.  A manager could require all account holders to sign user agreements acknowledging the policy.  The manager could monitor Internet use.  If a user attempted to go to a restricted site, the event could be audited and the manager could be notified.  Generally, policies are stronger than assumptions.

Certification and Accreditation Methods

Information systems have some level of residual risk to the information after the security services have been applied.  The government officially appoints someone as a risk acceptor/accreditor.  When a system is accredited, the accreditor is stating that the system provides an acceptable level of risk for the environment in which it is operating.  Accreditors consider all aspects of a system.  They consider specific hardware and software, configuration, system administration, physical security, IA tools, product integration, foreign involvement, known threats, operating environment, and a number of other factors.  Typically, the risk acceptor has broad programmatic knowledge.  Often, they will rely upon a technical expert or certifier to technically assess whether or not the system’s security mechanisms are adequate. When the risk acceptor considers the certifier’s recommendation and knowledge regarding the threats anticipated in the system’s operating environment, they are able to make an informed decision regarding whether or not to accredit a system.

There are a number of certification and accreditation processes that the government uses for information systems. 
Some of these are:

Depending on the type of data being processed, other authoritative directives might apply.  Each of these processes describes the activities that must be accomplished and the roles of the players involved with accrediting an information system.

Product Certification

According to the National Security Telecommunications and Information Systems Security Policy No. 11, IA products and IA-enabled products must be evaluated.  Commercial cryptographic products are evaluated against the Federal Information Processing Standards (FIPS).  National Information Assurance Partnership (NIAP) laboratories evaluate other commercial IA products.  NIAP labs evaluate products against standards presented in the Common Criteria Evaluation and Validation Scheme.  The data and operating environment will determine the Evaluation Assurance Level (EAL) that is required.  The amount of evidence that a vendor must supply to the NIAP labs depends on the required EAL.  More information is available at the Common Criteria portal www.commoncriteriaportal.org and the NIAP website http://niap.bahialab.com/.

METHODOLOGY

Assumptions

It was assumed that the trial vendor had an understanding of basic IA principles and that they incorporated sound security engineering practices during the development of the product.

LIMITATIONS/CONSTRAINTS

During the CWID planning conferences, the AWG-IA team attempted to identify trial IA functions.  This was based primarily upon the vendor’s trial submission package and personal interviews with trial representatives.  Despite controls implemented by the AWG-IA team, some IA functions might have been misidentified or overlooked.  This could be due to a shaping of the way the product is used during CWID execution, semantics, limited resources (vendor and AWG), etc.  Selection of assessment tools (i.e. port scanners and password inspectors) was based completely upon vendor inputs made during the CWID planning.  The AWG-IA team did not visit vendors’ sites.

The CWID operating environment also limited the amount of intrusive testing that the AWG-IA team performed.  Security/IA testing was a lower priority than the demonstration of interoperability capabilities; therefore, the AWG-IA team was not allowed to perform testing that would significantly degrade the performance of the networks.

Also, this assessment did not examine IA functions that were inherently provided by the CWID 06 operating environment (i.e. physical security, external firewalls, bulk encryption, etc.); it focused on evaluating the functions that the vendor provided.

*** This IA Assessment provided by the AWG-IA team is not related to the assessments offered by the Warfighter Assessment Team and Interoperability Assessment Team.

Information Assurance Functionality Identification

Prior to the planning conferences, each trial submitted a package that described the proposed capability a trial would perform.  Based upon the narrative and supporting diagrams, the IA team prepared a Security Functionality Diagram that showed the relationship of various IA functions within the trial.  During the initial planning conference, IA team representatives interviewed each of the trials, confirmed that the trial was eligible for an IA Assessment, and updated the Security Diagram.

Security Capability Packages

Each of the elements on the Security Functionality Diagram was identified as a System Function, User Function, Power User Function, or Transmission Line.  The team identified standard threats associated with each of these functions.  Product-unique threats were also identified.

The team prepared a blank Threat Mitigation Survey for the vendor to complete.  This survey asked the vendor to describe what sorts of mitigations were used in each of the nodes.  For example, a vendor might mitigate an eavesdropping threat along a transmission line by encrypting the communications—the vendor would annotate this in the survey.  The survey also asked the vendor to identify threats that were mitigated by the operating environment (i.e. physical security, access controls on client machines, etc.), IA mechanisms that were evaluated (i.e. NIAP, FIPS, etc.), and threats that did not apply.  The Security Functionality Diagram was updated based upon information from the survey.

The Security Capabilities Package (SCP) consists of the Security Functionality Diagram and Threat Mitigation Survey.

Testing

Based upon the SCP and the constraints of the CWID execution environment, the AWG-IA team identified functions that were feasible to test.  During CWID 06, the AWG-IA Team used the following tools during execution to perform security testing. These and similar tools are freely available and can be used by product vendors to assess their systems at their discretion.

Information Assurance Results

IT01.34 completed the Information Assurance testing with no difficulties.  In an actual operational environment, IT01.34 will utilize a Virtual Private Network (VPN) for transmission between the main Data Server / Application Services machine and its clients, which would prevent most of the possible threats discovered during CWID 06 Execution.  The few open ports found are subject to hacker activity and should be closed to prevent such a threat.  It is recommended that a strong anti-virus program be installed and enabled to aid in the prevention of viruses, Trojans, and worms that would compromise the integrity of IT01.34.  It is also recommended that a firewall be installed on the machine at each site that hosts the Data Server / Application Services machine to aid in the prevention of malicious activity.

VALIDATED INFORMATION ASSURANCE COVERAGE
IT01.34 mitigated the threats T.Eavesdrop, T.Hack_Crypto, T.Hack_Msg_Data, T.Malicious_Code, and T.Modify_EndUnitData by encrypting the data using the Advanced Encryption Standard (AES) and utilizing HTTPS over their VPN.  IT01.34 also encrypted the data using AES between the sensor and encryption unit to prevent the threat of T.Spoofing.

INFORMATION ASSURANCE COVERAGE
IT01.34 used administrative documentation and training coupled with provisioning to mitigate the following threats:
T.Admin_Error
T.Hack_AC
T.Hack_Avl_Resource
T.Malicious_Code
T.Modify_EndUnitData
T.Modify_System
T.User_Err_Conf
T.User_Send
T.User_Modify

To further prevent the threats of T.Eavesdrop, T.Hack_Msg_Data, and T.Spoofing between the GPS receiver/Sensor and the Encryption Unit, IT01.34 noted that there is a GPS chip inside the detection unit, making it very difficult to intercept communications between the two modules since they are in the same box.  It was recommended to place the detection unit in a locked and shielded container to further prevent this threat.

To prevent T.Hack_AC, a program was included on the Data Server that recognized when there is no data coming from the decryption unit (while the data server is being queried) and notified administrators of a possible threat.
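One way to implement the check this paragraph describes, as an added example that is not the trial's own code: a monitor that records when decrypted samples arrive, flags a query as stale when the feed has been silent longer than an assumed threshold, and notifies administrators once per outage rather than once per query. The class name, the 30 s threshold and the timeline are assumptions.

```python
"""Feed-liveness check for a sensor data server (added example, not trial code).

Implements the mitigation described above: if the data server is queried while
no decrypted sensor data has arrived recently, administrators are notified.
Class name, thresholds and the timeline are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class FeedMonitor:
    # Longest acceptable silence from the decryption unit, in seconds (assumed;
    # a real deployment derives it from the sensor's report interval).
    max_gap_s: float
    # Administrator notification hook (e-mail, SNMP trap, ...); here a callback.
    notify: Callable[[str], None]
    last_sample_t: Optional[float] = None
    last_reading: Optional[float] = None
    outage_open: bool = False   # one alert per outage, not one per query
    alert_count: int = 0

    def on_sample(self, t: float, reading: float) -> None:
        """A decrypted reading arrived from the decryption unit at time t."""
        if self.outage_open:
            self.notify(f"feed restored at t={t:.0f}s")
            self.outage_open = False
        self.last_sample_t = t
        self.last_reading = reading

    def on_query(self, t: float, client: str) -> Dict[str, object]:
        """A client queried the data server at time t.

        Returns the response the server would serve, flagged stale when the
        feed is silent, and raises one alert per silent period.
        """
        if self.last_sample_t is None:
            gap, stale = None, True
        else:
            gap = t - self.last_sample_t
            stale = gap > self.max_gap_s
        if stale and not self.outage_open:
            self.outage_open = True
            self.alert_count += 1
            why = "no data ever received" if gap is None else f"silent for {gap:.0f}s"
            self.notify(f"possible T.Hack_AC: {why} when queried by {client} at t={t:.0f}s")
        return {"client": client, "reading": self.last_reading, "stale": stale, "gap_s": gap}


def run_scenario() -> Dict[str, object]:
    """Constructed timeline: samples every 10 s, then a 60 s silence, then recovery."""
    log: List[str] = []
    mon = FeedMonitor(max_gap_s=30.0, notify=log.append)
    for t in range(0, 60, 10):             # healthy feed at t = 0, 10, ..., 50
        mon.on_sample(float(t), reading=0.12 + t / 1000)
    r1 = mon.on_query(55.0, "client-a")    # 5 s since last sample: fresh
    r2 = mon.on_query(100.0, "client-b")   # 50 s silence: stale, alert raised
    r3 = mon.on_query(105.0, "client-a")   # still stale, no duplicate alert
    mon.on_sample(110.0, reading=0.20)     # feed resumes: restoration notice
    r4 = mon.on_query(112.0, "client-b")   # fresh again
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4,
            "alerts": log, "alert_count": mon.alert_count}


if __name__ == "__main__":
    for line in run_scenario()["alerts"]:
        print(line)
```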

IT01.34 ensured that secure passwords for VPN and server access further mitigated the threat of T.Hack_Avl_Resource.  Additionally, the system used a VPN tunnel from the user to the servers (secure password and encryption) to prevent T.Hack_Masq, T.Modify_EndUnitData, and T.Spoofing.

IT01.34 also ensured that data validation and integrity from the client application to the application server would prevent the threats of T.User_Err_Inaccess and T.User_Err_Integrity at those locations.

INFORMATION ASSURANCE TESTING RESULTS/CONCLUSION

Threat                | Target                                                  | Result       | Note
----------------------+---------------------------------------------------------+--------------+-----
T.Admin_Error         | GPS Receiver / Sensor                                   | PASS         |
T.Malicious_Code      | GPS Receiver / Sensor                                   | PASS         |
T.Modify_EndUnitData  | GPS Receiver / Sensor                                   | PASS         |
T.User_Err_Conf       | GPS Receiver / Sensor                                   | PASS         |
T.User_Err_Inaccess   | GPS Receiver / Sensor                                   | PASS         |
T.User_Err_Integrity  | GPS Receiver / Sensor                                   | PASS         |
T.User_Modify         | GPS Receiver / Sensor                                   | PASS         |
T.User_Send           | GPS Receiver / Sensor                                   | PASS         |
T.Admin_Error         | Encryption Unit                                         | PASS         |
T.Hack_AC             | Encryption Unit                                         | PASS         |
T.Hack_Avl_Resource   | Encryption Unit                                         | PASS         |
T.Hack_Masq           | Encryption Unit                                         | PASS         |
T.Modify_System       | Encryption Unit                                         | PASS         |
T.Admin_Error         | Data Server / Application Services                      | PASS         |
T.Hack_AC             | Data Server / Application Services                      | PASS         |
T.Hack_Avl_Resource   | Data Server / Application Services                      | INCONCLUSIVE | 2
T.Hack_Masq           | Data Server / Application Services                      | PASS         |
T.Malicious_Code      | Data Server / Application Services                      | FAIL         | 2
T.Modify_EndUnitData  | Data Server / Application Services                      | INCONCLUSIVE | 2
T.Modify_System       | Data Server / Application Services                      | INCONCLUSIVE | 2
T.Eavesdrop           | Transmission between GPS Receiver and Encryption Device | PASS         |
T.Hack_Msg_Data       | Transmission between GPS Receiver and Encryption Device | PASS         |
T.Spoofing            | Transmission between GPS Receiver and Encryption Device | PASS         |

Open ports on the Data Server / Applications Services machine

Ref | Port Number | Transport Protocol | Description
----+-------------+--------------------+--------------------------------------
1   | 443         | TCP                | HTTP – SSL
2   | 7000        | TCP                | Serbian Badman (renamed Trojan)
3   | 500         | UDP                | ISAKMP
4   | 27444       | UDP                | TRINOO_BCAST (Trinoo Attack Tool)
5   | 31335       | UDP                | TRINOO_REGISTER (Trinoo Attack Tool)
6   | 31337       | UDP                | BO (BackOrifice)

NOTES

1.  The Virtual Private Network (VPN) that was to exist between the Application Services and the Clients was not implemented during the CWID exercise due to concerns about the performance (speed) of the application at the CWID event.  Many of the threat mitigations that this trial had implemented were directly related to the excluded VPN.
2.  Several ports were found open (Port table Ref 2, 4, 5, 6) that are associated with Trojan application protocols and can introduce vulnerabilities to the system and the network to which it is connected.  Further testing would solidify the assessment of these vulnerabilities.
3.  AES 1024 bit encryption was detected in use for this trial.

4.  It was noted during the execution week interview that there was only one administrator account (shared).  IT01.34 noted that there would be separate accounts for each user (including normal users) for system access.
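As an added example (not the AWG-IA team's tooling), the following triages the port findings above against the services the trial's design actually needs, and records the UDP results that a scanner cannot confirm, which is the point note 2 makes about further testing. The nmap grepable-format line is constructed, and the expected-service set (443/tcp for HTTPS, 500/udp ISAKMP for the planned VPN) is an assumption drawn from the report.

```python
"""Triage of port-scan findings on the Data Server / Application Services
machine (added example, not the AWG-IA team's tooling).

The six ports are the ones the report's port table lists. The nmap
grepable-format line is constructed, and the expected-service set is an
assumption drawn from the report's design (HTTPS on 443/tcp; ISAKMP on
500/udp for the planned IPsec VPN).
"""
import re
from typing import Dict, List, Tuple

# Listeners the architecture needs; anything else that answers is a finding.
EXPECTED = {("tcp", 443): "HTTPS application interface",
            ("udp", 500): "ISAKMP (VPN key exchange)"}

# Descriptions from the report's port table: ports historically claimed by
# backdoor/DDoS agents. An open listener here needs a process-level check on
# the host (what is bound to it), not only a firewall rule.
SUSPECT = {("tcp", 7000): "Serbian Badman (renamed Trojan)",
           ("udp", 27444): "TRINOO_BCAST (Trinoo Attack Tool)",
           ("udp", 31335): "TRINOO_REGISTER (Trinoo Attack Tool)",
           ("udp", 31337): "BO (BackOrifice)"}

# Constructed `nmap -oG` output; the address is a placeholder.
SCAN_LINE = ("Host: 10.0.0.5 ()\tPorts: 443/open/tcp//https///, "
             "7000/open/tcp//afs3-fileserver///, 500/open/udp//isakmp///, "
             "27444/open|filtered/udp//Trinoo_Bcast///, "
             "31335/open|filtered/udp//Trinoo_Register///, "
             "31337/open/udp//Elite///\tIgnored State: closed (994)")

# Grepable port field: port/state/proto/owner/service/rpcinfo/version/
_PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)//([^/]*)///")


def parse_grepable(line: str) -> List[Tuple[str, int, str, str]]:
    """Return (proto, port, state, nmap_service_guess) for each port field."""
    m = re.search(r"Ports: (.*?)(?:\t|$)", line)
    if not m:
        return []
    return [(proto, int(port), state, svc)
            for port, state, proto, svc in _PORT_RE.findall(m.group(1))]


def triage(ports: List[Tuple[str, int, str, str]]) -> Dict[str, List[str]]:
    """Sort findings into keep / close / investigate_host.

    UDP scans often report open|filtered (no reply either way); such a port is
    recorded as unconfirmed, matching the report's call for further testing
    before the finding is treated as solid.
    """
    verdict: Dict[str, List[str]] = {"keep": [], "close": [], "investigate_host": []}
    for proto, port, state, svc in ports:
        key = (proto, port)
        label = f"{port}/{proto} (nmap guess: {svc or 'unknown'})"
        if key in EXPECTED:
            verdict["keep"].append(f"{label}: {EXPECTED[key]}")
            continue
        verdict["close"].append(label)
        if key in SUSPECT:
            confirmed = "confirmed open" if state == "open" else f"unconfirmed ({state}), rescan"
            verdict["investigate_host"].append(f"{label}: {SUSPECT[key]}; {confirmed}")
    return verdict


if __name__ == "__main__":
    for bucket, items in triage(parse_grepable(SCAN_LINE)).items():
        print(bucket, items)
```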

EXPOSURE ADDRESSED BY OPERATIONAL ENVIRONMENT
No specific warfighter mission threats were identified that were solely addressed by the operational environment for IT01.34.

INFORMATION ASSURANCE EXPOSURE - UNADDRESSED
IT01.34 had an open vulnerability to T.Eavesdrop between the sensor and the encryption unit.  To mitigate this threat, it was recommended that the encryption unit and sensor be stored in a locked and shielded container.  This is considered sufficient to prevent this threat.

SECURITY ENVIRONMENT DIAGRAM

Threat and Policy Definitions

T.Admin_Error:  Administrator commits errors on the system or application
Administrator introduces vulnerabilities by committing errors in the configuration or management of the system.
T.Eavesdrop:  Threat Agent Eavesdrops on Transmission Lines
Threat Agent eavesdrops on communication exchanges that occur across a transmission line.
T.Hack_AC:  Hacker undetected system access
A hacker gains undetected access to a system due to missing, weak and/or incorrectly implemented access control causing potential violations of integrity, confidentiality, or availability.
T.Hack_Avl_Resource:  Hacker attempts resource denial of service
A hacker executes commands, sends data, or performs other operations that make system resources unavailable to system users.
T.Hack_Crypto:  Cryptanalysis for theft of information
A hacker performs cryptanalysis on encrypted data in order to recover message content.
T.Hack_Masq:  Hacker masquerading as a legitimate user or as system process
A hacker masquerades as an authorized user to perform operations that will be attributed to the authorized user or a system process.
T.Hack_Msg_Data:  Message content modification
A hacker modifies information intercepted from a communication link between two unsuspecting entities before passing it on, thereby deceiving the intended recipient.
T.Malicious_Code:  Malicious code exploitation
An authorized user, IT system, or hacker downloads and executes malicious code, which causes abnormal processes that violate the integrity, availability, or confidentiality of system assets.
T.Modify_EndUnitData:  Threat Agent Modifies Mission Data
Threat Agent changes the mission data to disrupt or misdirect operations.
T.Modify_System:  Threat Agent Modifies System Components
Threat Agent Modifies System Components to change the behavior of the component, which may allow unauthorized activity.
T.Spoofing:  Legitimate system services are spoofed
An attacker tricks users into interacting with spurious system services.
T.User_Err_Conf:  User errors cause confidentiality breaches
A user commits errors that cause information to be delivered to the wrong place or wrong person.
T.User_Err_Inaccess:  User error makes data inaccessible
A user accidentally deletes user data or changes system data rendering user data inaccessible.
T.User_Err_Integrity:  User errors cause integrity breaches
A user commits errors that induce erroneous actions by the system and/or erroneous statements by its user.
T.User_Modify: User abuses authorization to modify data
A user abuses granted authorizations to improperly change or destroy sensitive or security-critical data.
T.User_Send:  User abuses authorization to send data
A user abuses granted authorizations to improperly send sensitive or security-critical data.
P.Accountability:  Individual accountability
Individuals shall be held accountable for their actions.
P.Authorities:  Notification of threats and vulnerabilities
Appropriate authorities shall be immediately notified of any threats or vulnerabilities impacting systems that process their data.
P.Authorized_Use:  Authorized use of information
Information shall be used only for its authorized purpose(s).
P.Availability:  Information availability
Information shall be available to satisfy mission requirements.
P.Guidance:  Installation and Usage Guidance
Guidance shall be provided for the secure installation and use of the system.
P.Information_AC:  Information access control
Information shall be accessed only by authorized individuals and processes.
P.Integrity:  Information content integrity
Information shall retain its content integrity.
P.Lifecycle:  System lifecycle phases integrate security
Information systems security shall be an integral part of all system lifecycle phases.
P.Marking:  Information marking
Information shall be appropriately marked and labeled to support the appropriate access control, release/disclosure, and/or guarding policies.
P.Physical_Control:  Physical Protection
Information shall be physically protected to prevent unauthorized disclosure, destruction, or modification.
