Hardy threat analyses protect mission-essential foreign affairs networks.
The U.S. State Department is conducting “junkyard dog” network penetration tests and vulnerability assessments at U.S. embassies and consulates worldwide. Simultaneously, a network intrusion detection program will provide rapid warning of unauthorized access to the department’s far-flung sensitive information systems.
Working with industry, the department has set up various sensor systems to monitor its information technology infrastructure for possible network intrusions. Network monitoring technologies respond automatically to detected attacks, and vulnerability conditions are analyzed and corrected to prevent exploitation.
Network and system misuse can be reduced or eliminated through this process, says Mary Stone Holland, chief of the Assessment and Certification Division, State Department. The division is part of the Diplomatic Security (DS) Bureau and reviews computer and communications security at overseas and domestic sites.
Personnel at the network monitoring center in Beltsville, Maryland, oversee intrusion detection sensors. Staffed by trained contractors around the clock, 75 central reporting consoles display information about more than 500 network intrusion detection devices. Special software sensors check data as it crosses network communications points, searching for known data patterns that could damage or disrupt network operations, compromise network information or alter network security settings. As the software finds patterns on any network, it reports them to the Beltsville facility in real time. If espionage or criminal activity is detected and the source identified, the State Department’s law enforcement agency responds, Holland explains.
Creating policy, raising awareness, monitoring systems and ensuring compliance with procedures and policies are the cornerstones of the division’s activities. “We provide policy and requirements to the foreign affairs community and State Department in broad environments and at varying levels of concern, both domestically and overseas. Policy is the foundation for critical infrastructure security, and we have an extremely active awareness program,” Holland contends. The division must ensure that department personnel know their responsibilities to foster information assurance, she adds.
Holland’s division operates with 130 employees and an annual budget of approximately $7 million. Last year, 387 network intrusion detection engines were installed at more than 260 sites. In the third phase of a five-phase engine deployment, this program is expected to provide approximately 550 sensors locally and abroad for sensitive OpenNet systems before moving into the department’s classified networks.
Another State Department information assurance program involves cyberthreat analysis. Information is developed and coordinated from both the Network Intrusion Detection System (NIDS) and the division’s Computer Incident Response Team (CIRT), Holland maintains. To better understand the network threat, the division operates an analysis cell that works with a variety of open and government agency sources. “This cell uses a DS environment approach to help us make better decisions on risks and to better prioritize our needs. We must be extremely alert against real threats and avoid false alarms,” Holland stresses.
Close coordination takes place between the cyberthreat analysis officials and elements of the intelligence community to produce reports for specific overseas posts and to meet unique departmental needs. “We also have regional computer security officers [RCSOs] to deal full-time with network problems. In addition to improving computer security for local missions, the RCSOs conduct security assessments and awareness training overseas and act as front line authorities on computer security issues,” she explains.
RCSOs are based in Frankfurt, Germany; Pretoria, South Africa; Manila, the Philippines; and Fort Lauderdale, Florida. Regional information system security officers are assigned to Shanghai, China, and Moscow, Russia.
A department computer forensics laboratory lends technical expertise and assists the DS Bureau in criminal investigations and damage assessment. DS special agents are trained in both criminal investigations and computer forensics. They work closely with other elements within the State Department and other federal law enforcement agencies such as the Federal Bureau of Investigation (FBI), Internal Revenue Service and Immigration and Naturalization Service.
When a network penetration is detected, responses are based on vendor recommendations, network configuration analyses patterns or policy established by network security analysts. This information is provided to the DS CIRT database and externally reported to the Federal Computer Incident Response Center and the FBI’s National Infrastructure Protection Center. Information reported by network sensors is reviewed and, if it meets certain NIDS and CIRT analysts’ criteria, reported as an event or, if more serious, as an incident.
By October 2001, the DS CIRT had analyzed 2,000 events, up from 1,018 in 2000. Of these events, four were elevated to the incident level. Analysis of an event or incident determines whether an operational error or other nondamaging condition occurred, such as misconfigured software, and evaluates its potential for damaging and disrupting the network.
The division’s next step is to couple network intrusion detection, which involves procedures similar to packet monitoring, with host-based detection at servers and workstations. “This is very exciting because when you put the two capabilities together, a comprehensive near-real-time picture of network and system security emerges,” Holland emphasizes.
The intrusion detection sensor being installed in DS networks is the RealSecure system from Internet Security Systems, Atlanta. This device operates in both network- and host-based modes. The network sensor sniffs packets and analyzes them to locate attack signatures. Its large database has information about more than 400 types of attacks. The host-based version monitors the system to look for patterns and anomalies.
In addition to contractor efforts, Holland’s division also employs personnel from Sandia National Laboratories, Albuquerque, New Mexico, to conduct some vulnerability assessments, especially in the areas of information technology expansion. “They went after possible vulnerabilities externally, operating just as hackers would, and internally as ‘Joe Average’ user somewhere inside an embassy,” she asserts.
Based on Sandia’s findings, Holland’s division is developing a plan to correct security shortcomings. This work involves close coordination with the Information Resources Management Division of the DS Bureau.
Within the DS, Holland’s mission also involves identifying and correcting system and network vulnerabilities that result from a lack of standards compliance. Last year, the division expected to conduct network security evaluations at 45 locations worldwide. Evaluations in 2000 were completed at 37 sites.
The computer security awareness program provides material geared toward eight levels of users, from ambassadors to Marine Corps security guards. Over the past two years, 7,751 State Department staff members have received this training. The program also is used to host security events such as the Cyber-Threat Summit and handles community-industry outreach through the Overseas Security Advisory Council.
Holland notes that the division relies heavily on the experience and expertise of industry—companies such as ManTech Security Technologies Corporation, Bethesda, Maryland. The company is working closely with a variety of security programs, including the installation of intrusion detection sensors throughout the State Department.
ManTech Security Technologies conducts critical vulnerability and risk assessment programs for the department, Dr. Kurt J. Snapper says. He is president of the company, which is a subsidiary of Fair Oaks, Virginia-based ManTech International. The security company has provided the State Department with cyber- and physical infrastructure protection for more than 15 years.
According to Stewart Godwin, assistant executive director at ManTech, the firm is designing and demonstrating a network analysis tool that the State Department will consider for use on its networks. “The tool fills a void the company discovered from its daily efforts in providing comprehensive network security analysis at the State Department. We are developing Network Assurance Sentinel to leverage each managed network component and critical server as a network sensor. Thorough network security analysis requires extensive information from every device in the network,” he reveals.
Godwin discloses that Sentinel uses information either resident in or reported by each device regardless of vendor-specific format. “We deposit that data into a central database from which we correlate either by relevant event or over time. Though designed as a security tool, this system also provides insight into functions and configuration issues among network components.
“The goal is to have a tool that enables an analyst to efficiently ask and answer questions concerning network security events without having to read system logs or compare data from various network management programs,” Godwin recounts. “We are not duplicating other commercial tools, but we use information from those tools to support comprehensive network security analysis.”
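The normalize-then-correlate design described above can be illustrated with an added example; it is not ManTech's Sentinel code and not from the original article. The two log formats, device names and addresses are constructed, and an in-memory SQLite table stands in for the central database.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed records in two made-up vendor formats (not real product output).
FIREWALL_LOG = """\
2001-10-03T02:14:07Z fw-emb1 DENY src=203.0.113.9 dst=10.1.4.20 dport=23
2001-10-03T02:14:31Z fw-emb1 DENY src=203.0.113.9 dst=10.1.4.21 dport=23
2001-10-03T09:40:00Z fw-emb1 DENY src=198.51.100.7 dst=10.1.4.20 dport=80
"""
SERVER_LOG = """\
Oct 03 2001 02:15:02|srv-mail|login-failure|203.0.113.9
Oct 03 2001 14:05:10|srv-mail|login-failure|10.1.7.33
"""
FW_RE = re.compile(r"(\S+) (\S+) (\w+) src=(\S+)")

def _epoch(text, fmt):
    # Both formats are treated as UTC so timestamps are comparable.
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()

def parse_firewall(line):
    ts, device, action, src = FW_RE.match(line).groups()
    return (_epoch(ts, "%Y-%m-%dT%H:%M:%SZ"), device, action.lower(), src)

def parse_server(line):
    ts, device, event, src = line.split("|")
    return (_epoch(ts, "%b %d %Y %H:%M:%S"), device, event, src)

def build_db():
    """Normalize every device's records into one vendor-neutral table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts REAL, device TEXT, event TEXT, src TEXT)")
    rows = [parse_firewall(l) for l in FIREWALL_LOG.splitlines()]
    rows += [parse_server(l) for l in SERVER_LOG.splitlines()]
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    return db

def correlate_by_event(db, window_s=300):
    """Sources reported by two different devices within window_s seconds."""
    q = """SELECT DISTINCT a.src, a.device, b.device FROM events a
           JOIN events b ON a.src = b.src AND a.device < b.device
           AND ABS(a.ts - b.ts) <= ? ORDER BY a.src"""
    return db.execute(q, (window_s,)).fetchall()

def timeline(db, src):
    """Correlation over time: everything any device said about one source."""
    q = "SELECT device, event FROM events WHERE src = ? ORDER BY ts"
    return db.execute(q, (src,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(correlate_by_event(db), timeline(db, "203.0.113.9"))
```

The analyst's question ("which sources did more than one device complain about at roughly the same time?") becomes a single query over the shared table rather than a manual comparison of per-device logs.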
During a demonstration, Sentinel was operated by an employee skilled as a strategic intelligence analyst, not as a computer scientist. It is believed that this practical approach assists the development process.
According to Snapper, ManTech provides the State Department with a full threat assessment along with development of risk exposure models. The company’s contract encompasses worldwide network management, intrusion detection, security and vulnerability audits and evaluations.
“Conducting the department’s vulnerability assessment means defining the threat environment, vulnerabilities and pathways,” Snapper confirms. “It also requires defining mission-essential processes and minimum-essential infrastructures and assessing the impact of an attack on essential infrastructure resources.” This project demands integration of electronic systems and engineering services, he adds.
The company’s approach builds on previous success in cybersecurity, including worldwide network management and intrusion detection, security and vulnerability audits and evaluations, physical and technical security protection requirements, threat modeling and security architectures development, Snapper points out.
In addition to the State Department and its Diplomatic Security Bureau, ManTech also serves the Overseas Security Policy Board. This board consists of representatives from all federal agencies with overseas interests and formulates and disseminates federal government foreign affairs cyberprotection policy.
As part of the department’s intrusion detection support program, ManTech acquires and configures sensor system components to meet specific requirements. Hardware units use client-approved configurations and intrusion detection system software. The components operate for at least 24 hours prior to shipping and installation to ensure proper function. According to Kenneth C. Gongaware, vice president for information assurance, ManTech Security, this process provides confirmation that common hardware and software faults have been identified, reducing maintenance and service costs.
Company technicians perform turnkey installation of intrusion detection systems and can install cable, both fiber and twisted pair, in both secure and open environments. ManTech engineers work with clients to identify network points of concentration and define locations best suited for packet monitoring, Gongaware emphasizes. In cases where network designs are not clearly defined or adequately documented, the engineers conduct on-site surveys. Following system installation by company engineers, on-site monitoring of system-generated detection reports takes place continuously.