Tuesday, April 9, 2019
RISK ASSESSMENT on the Department of the Army IT Systems Essay Example for Free
1. Introduction

1.1 Purpose

This risk assessment was to identify threats and vulnerabilities related to the Department of the Army (DoA) Information Technology (IT) systems. It will be utilized to identify vulnerabilities in the Computer Network Defense (CND) Capabilities and mitigation plans related to DoA's IT systems. It was realized that this was a potential high-risk system as noted by the Department of Defense (DoD) Chief Information Officer (CIO). (DoD, 2012)

1.2 Scope

This risk assessment applies to all DoA Non-secured Internet Protocol Router Network (NIPRNET) and Secured Internet Protocol Router Network (SIPRNET) for Regular Army and Reserve Components. This is a major system that is used by millions of Soldiers, contractors and DA civilians worldwide. The DoA's IT system is comprised of Army Global Network Operations and Security Center (A-GNOSC), which is responsible for the Army's day-to-day Tier 2 CND Service Provider. The research methods will present both quantitative and qualitative data which will identify hazards and vulnerabilities, to include International-Transnational Terrorism and Domestic Terrorism, and present an assessment of the potential risks from them. Information will generally be collected from DoD's and DA's websites.

SYSTEM CHARACTERIZATION

The DoD uses DODI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), as the process for implementing Certification and Accreditation (C&A) within their information system. The Information Assurance (IA) Controls, or security measures that must be implemented on a system, are stated in the DODI 8500.2, Information Assurance (IA) Implementation. The control selection relies on the Mission Assurance Categories (MAC) and Confidentiality Levels (CL).
Information Systems (IS) will be assigned a MAC level which shows the importance of the information. The MAC level is used to determine the IA controls for integrity and availability regarding DODI 8500.2 and will be decided by the DoD or Army by the DIACAP team. (Information Assurance, 2009)

MISSION ASSURANCE CATEGORY

MAC I: High integrity, high availability for DoD ISs handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequence of loss of integrity or availability is unacceptable and could include the immediate and sustained loss of mission effectiveness.

MAC II: High integrity, medium availability for DoD ISs handling information that is important to the support of deployed and contingency forces. The consequence of loss of integrity is unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time.

MAC III: Basic integrity, basic availability for DoD ISs handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness.

CONFIDENTIALITY LEVEL

All ISs will be assigned a confidentiality level based on the classification or sensitivity of the information processed. The confidentiality level is used to establish acceptable access factors and to determine the DODI 8500.2 IA Controls applicable to the information system. DoD has defined the following three confidentiality levels:

1. Classified: Information designated top secret, secret or confidential in accordance with Executive Order 12356.
2. Sensitive: Information the loss of, or unauthorized access to or modification of, could adversely affect the national interest or conduct of national programs, or Privacy Act information. Includes, but is not limited to, For Official Use Only (FOUO), Privacy data, unclassified controlled nuclear information, and unclassified technical data.
3. Public: Information has been reviewed and approved for public release.

Note. Mission Assurance Categories table is taken from Information Assurance (2009).

Applications (not an inclusive list)

Anti-Spyware General V4R1, 3 Dec 09; Application Services V1R1, 17 Jan 06; Application Security Development V3R1, 10 May 10; CITRIX Xen App V1R1, 23 Jul 09; ESX Server V1R1, 22 Apr 08; Database V8R1, 19 Sep 07; Desktop Applications General V4R1, 3 Dec 09; Directory Services V1R1, 24 Aug 07; ERP V1R1, 7 Dec 06; ESM V1R1, 5 Jun 06; HBSS STIG V2R5, 22 Feb 10; IM V1R2, 15 Feb 08; InTFOT-V1R1, 2 Oct 09; ISA Server 2006 OWA STIG V1R1, 5 Feb 10; McAfee Antivirus V4R1, 3 Dec 09; Microsoft Exchange 2003 V1R1, 6 Aug 09; Microsoft IE6 V4R1, 3 Dec 09; Microsoft IE7 V4R1, 3 Dec 09; Microsoft IE8 V1R1, 26 Apr 10; Microsoft Office 2003 V4R1, 3 Dec 09; Microsoft Office 2007 V4R1, 3 Dec 09; Mozilla Firefox V4R1, 3 Dec 09; Symantec Antivirus V4R1, 3 Dec 09; SunRay4 Thin Client V1R1, 26 Mar 09; VTC STIG V1R1, 08 Jan 08; Web Server V6R1, 11 Dec 06. (DISA STIG, 2012)

THREAT IDENTIFICATION

Data from the DoD shows a 20% rise in attacks against its information systems, from 43,880 to 54,640, between 2007 and 2008. Each of these penetrations involves a series of actions that do not differ substantially whether the intruder is acting on behalf of a terrorist group, a foreign government, a corporation, or is acting as an individual.
The severe intrusions into cyber systems involve penetrating system security, navigating and mapping the cyber system, targeting the nodes that control the system and contain the most critical data, and often, extracting the data. (Wortzel, 2009) In February 2011, the Deputy Secretary of Defense said that more than 100 foreign intelligence agencies have tried to breach DOD computer networks and that one was successful in breaching networks containing classified information. Also, the President of the United States has identified this threat as one of the most serious national security challenges facing the nation. (D'Agostino, 2011, p. 1)

VULNERABILITY IDENTIFICATION

| Threat Capability | Security Test Results | Audit Comments | Severity |
|---|---|---|---|
| SW Baseline | No SW baseline | The DA does not have a documented software baseline. | A failure of this control does not lead to an immediate risk. |
| IA Impact assessment | Configuration Management Plan (CMP) is not complete | The certification team determined, through document review, that DA does not have formal procedures for IA impact assessment. | Failure to assess changes for IA impact could lead to changes being made to the environment that inadvertently introduce vulnerabilities, increasing the risk of compromise. |
| Ports, Protocols, and Services | Open ports, protocols and services (PPS) | The certification team determined, through interviews and device configuration reviews, that DA does not perform regular review of their open PPS. | Unnecessary open PPS increase the risk of systems being compromised. |

CONTROL ANALYSIS

Incident Handling, IA Training and Certification, Information Assurance Vulnerability Management (IAVM), IA Program Management, Public Key Infrastructure (PKI), Certification and Accreditation, Federal Information Security Management Act (FISMA), Wireless Security, Army Web Risk Content Management, Personally Identifiable Information (PII), Portable Electronic Devices (PED), Minimal Information Assurance Technical Requirements, Classified Systems Management, and Physical Security and Environmental Controls. (Information Assurance, 2009)

LIKELIHOOD DETERMINATION

| THREATS | Terrorist (mail bomb) | Denial of Service | Unauthorized Access |
|---|---|---|---|
| 1. Vulnerability | Uncontrolled access | Upgrading firmware online | Unattended computer while logged on |
| 2. Mitigation | Controlled access, e.g. common access card, buzzer | Upgrade from trusted source only | Log off computer before leaving area |
| 3. Threat Probability | 6 | 1 | 5 |

Threat Probability: Highest number equals highest probability.

Note. Threat Matrix is taken from DA Anti-Terrorism Plan (2012).
(CH 5 DOD O 2000.12H)

IMPACT ANALYSIS

Criticality Assessment Matrix

| Asset | Importance | Effect | Recoverability | Mission Functionality | Total |
|---|---|---|---|---|---|
| Servers | 10 | 9 | 7 | 8 | 34 |
| Routers | 8 | 7 | 5 | 6 | 26 |

Highest score = most critical. Lowest score = least critical.

RISK DETERMINATION

| Value | Numeric Rating |
|---|---|
| Major Deficiency | 9-10 |
| Significant Deficiency | 7-8 |
| Moderate Deficiency | 5-6 |
| Minor Deficiency | 3-4 |
| Negligible Deficiency | 1-2 |

CONTROL RECOMMENDATIONS

Move the IA Program out of Technical lanes and into Command lanes, clearly define functions for a Command IA Program, define Concept for the Command IA Team (technical and non-technical), develop a reporting methodology for the Command IA Program, develop and provide a Command IA Training Program, develop a Command IA Program Management Course (CIAPMC), develop a Risk Management Model for Information Protection (IP) IA/CND, establish an Acceptable Risk Criteria for the Command IA Program, and transform the Army's IA Policy Formulation Process. (DAIG IA, 2009)

SUMMARY

| Risk (Vulnerability/Threat) | Risk Level | Recommended Controls | Action Priority |
|---|---|---|---|
| Hardware baseline inventory is incomplete. This could lead to the introduction of unauthorized hardware into the network and also makes it difficult to maintain effective life cycle management. | Low | Complete current hardware baseline and continue to identify and document future assets. | Low |
| Configuration management is not complete, and this could lead to changes being made to the environment that unknowingly introduce vulnerabilities. Changes should be assessed by an IA team before being introduced to the network. | Low | Finalize the configuration management process and implement a plan to assess IA impact of change to the system. | Low |
| Open ports, protocols and services. Changes made to the open PPS will lead to exploits and/or data compromise. | Medium | Ensure that the change management process relating to PPS is developed and enforced. | Medium |

REFERENCES

Bendel, B. (2006). An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP). Retrieved from http://www.xlr8technologies.com/CMS/admin/Assets/lunarline/pdfs/lunarline_diacap_process1.pdf
D'Agostino, D. (2011). Defense Department Cyber Efforts: More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities. Retrieved from http://www.gao.gov/new.items/d11421.pdf
DoD CIO. (2012). Department of Defense Instruction, Number 8582.01. Security of Unclassified DoD Information on Non-DoD Information Systems. Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/858201p.pdf
Hudson, J. (2009). Department of the Army Information Security Program. Retrieved from http://www.apd.army.mil/pdffiles/r380_5.pdf
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Information Assurance. (2009). Retrieved from www.apd.army.mil/pdffiles/r25_2.pdf
DIACAP. (n.d.). DoD 8500. Retrieved from http://www.securestate.com/Federal/Certification%20and%20%20Accreditation/Pages/DIACAP-D0D8500.aspx
DISA STIG. (2012). Retrieved from http://iase.disa.mil/stigs/a-z.html
DoD Anti-Terrorism Program. (2012). Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/200012p.pdf
Wilson, C. (2005). Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. Retrieved from http://www.history.navy.mil/library/online/computerattack.htm
Wortzel, L. (2009). Preventing Terrorist Attacks, Countering Cyber Intrusions, and Protecting Privacy in Cyberspace. Retrieved from