Agenda
October 27, 2008
Registration and Continental Breakfast (Atrium Ballroom)
6:30 - 8:00
Conference Welcome (Atrium Ballroom)
8:00 - 8:15
Keynote
9:45 - 10:30
Mischel Kwon, Director, U.S. Computer Emergency Readiness Team (US-CERT), National Cyber Security Division, U.S. Department of Homeland Security
Information assurance professionals struggle daily to protect cyber infrastructure, deliver essential services, and keep abreast of new security risks. At this 8th Federal Information Assurance Conference, the agenda fully captures the appropriate mix of "people, process and technology" needed to fulfill missions and serve citizens and customers.
In many ways, very little has changed since the initial FIAC conference: cyber threats continue to grow in severity, speed, and destructive capacity, while information technology enables our institutions to deploy key services, whether in government, business or academia. Attacks on our cyber infrastructure are not dissipating. But other factors are changing - most prominently, our "people" are more important than ever: education and information assurance expertise, analysis, and customer service will continue to grow in importance as we confront the risks of the next eight years.
This year's FIAC agenda captures these realities. Each of the threads - from Mobile Security and Infrastructure to Software Assurance, Data Protection, Information Sharing, and Education - ties the information assurance professional to a key area of risk. Eight years from now strategic risks may change, but the importance of our people will remain constant.
Exhibits Open (Atrium Hall)
10:30 - 4:00
Lunch/Visit Exhibits
12:00 - 1:30
ANATOMY OF AN ATTACK
Scott Paisley, Principal Security Architect, IBM Internet Security Systems
The complexities that federal IT security experts face in safeguarding their environments are constantly increasing in frequency and severity. Known threats weaken the security perimeter, while unknown threats can compromise your entire system.
What do the hackers know, and how are they launching attacks using these known and unknown threats?
This live demonstration walks attendees through a "Real-World" attack on systems similar to those utilized by US Government agencies, including examples of network, desktop and server attacks.
Come see how the enemy targets systems and how agencies can combat these new and evolving threats.
The interactive demonstration and discussion includes topics such as:
• The state of current online threats and the threat landscape
• What techniques hackers are using to bypass security methods
• How to protect organizations from these threats
• The strategies used to discover and protect against new threats and emerging vulnerabilities
Networking Reception
4:30 - 5:30
Thread 1: Mobile Security
Session A:
Wireless Security
8:30 - 9:30
John Benson, Deputy Director, Office of Information Systems Security, FAA
Wireless LAN Security: A Layered Approach to Protecting Your Network
Amit Sinha, Vice President and Chief Technology Officer, AirDefense, Inc.
Just as with corporate enterprises, government organizations are taking advantage of the productivity-boosting and cost-saving benefits of 802.11 wireless LANs. But with today's growing concern over cyber terrorism, some government organizations quickly grew wary of the initial vulnerabilities of wireless LANs. AirDefense works with government organizations to secure enterprise wireless LANs by identifying security risks, such as rogue access points and unencrypted traffic; monitoring the network in real time to identify impending threats, such as unknown stations scanning the network; detecting and preventing intruders by quickly identifying attacks and eliminating the threats; and enforcing WLAN policies (dedicated wireless or no wireless) to maximize security and performance.
This presentation will cover best practices for organizations to confidently deploy and secure their network and protect against security threats, rogue devices, and policy violations.
John Benson, Deputy Director for the Office of Information Systems Security at the FAA, will then discuss the FAA's key drivers in deploying a full-time, dedicated wireless advanced intrusion detection and prevention system, describe the FAA's experience with securing its wireless LANs, and explain why a layered approach to defense is key to a secure wireless LAN system.
Topics will include:
• Vulnerabilities inherent in wireless protection
• Monitoring for security and policy compliance
• Best practices for threat mitigation
• Real-time and accurate detection of rogue access points
• Case Study: Federal Aviation Administration
Session B:
Blackberry Security
11:00 - 12:00
David McGuire, Senior Information Assurance Engineer, SRA
With over 19 million subscribers, Blackberry devices are ubiquitous in corporate and government sectors, giving employees ready access to what have become essential services. Blackberries have become like miniature laptops, allowing users to stay connected with wireless access to email, corporate data, phone, web, and organizer features.
A consequence of all this functionality is that every Blackberry is an endpoint into the corporate Intranet, bypassing all perimeter defenses. While Blackberries and the Blackberry Enterprise Solution are inherently robust security platforms, they are still vulnerable to bad security practices. With poor configurations an attacker could steal data, access internal resources or even bring down your network.
This presentation will begin with the basics of Blackberry security and then dive into advanced security features, threats and defenses for Blackberry devices and give some basic recommendations and best practices for securing the Blackberry platform.
Terry Poulias, Technical Account Manager for the DoD for Research In Motion (RIM), will then discuss current and future security initiatives for the Blackberry platform and new products as well as be available to answer any questions directly.
Terry Poulias, Technical Account Manager for the DoD, Research In Motion (RIM)
Session C:
BlueTooth Security
1:45 - 2:45
John Padgette, Booz Allen Hamilton
Bluetooth is one of the most widely available wireless technologies with over 1.5 billion Bluetooth-enabled devices shipped. Used by cell phones, laptops, gaming consoles and many other devices, it is the predominant wireless personal area networking technology.
Over the last couple of years, US government agencies have begun to embrace Bluetooth due to its standards-based cable replacement features for devices such as smart card readers. Further, security risks associated with using the technology have been determined and mitigating recommendations have been published.
This presentation will provide a technical background on how Bluetooth works, and then dive into the security risks and recommended best practices associated with designing and deploying Bluetooth-based solutions.
Session D:
Remote Access
3:15 - 4:15
Maximize the Potential of Your SSL VPN
Tim LeMaster, Director of Systems Engineering, Juniper Networks
SSL VPNs for employee remote access have become essential in today's distributed federal enterprise. By leveraging existing SSL VPN investments, agencies are looking at additional ways to maximize the potential of their SSL VPN infrastructures. This session will focus on how enterprises can utilize SSL VPNs (Secure Socket Layer Virtual Private Networks) for cost-effective Teleworking, continuity of operations (COOP), and various partner extranet portals, where traditional means of remote collaboration aren't effective. Discover how the use of SSL VPNs, intrusion detection, unified access control, and other approaches can ensure that end user computers meet set guidelines before allowing access to enterprise networks, and enable anytime, anywhere access to vital employee resources during emergency business disruptions.
Thread 2: Infrastructure
Session A:
Firewalls
8:30 - 9:30
Paul Mockapetris, Nominum
DNS is the protocol that directs all email, web access, and other Internet traffic to its correct destination. In 2008, the Kaminsky attack made much of the Internet and many intranets vulnerable to hijacking by hackers via cache poisoning. A concerted effort by leading DNS vendors such as Cisco, Microsoft and Nominum distributed fixes to much of the Internet, but unpatched servers remain and are extremely vulnerable. In the broadband world, Nominum's service provider customers updated DNS security for over 150 million users worldwide.
This presentation discusses the attack, how your risk can be assessed, how it can be addressed, and the use of a secure DNS to distribute real-time threat and reputation information to enforcement devices such as anti-spam, firewalls, and the like. The secure DNS is provided by Kaminsky-resistant server technology today, and will be enhanced by the federally-mandated DNSSEC infrastructure in the future.
Scott Montgomery, Vice President of Product Management, Secure Computing
Session B:
Mobile Computing
11:00 - 12:00
William Miller, President, MaCT
A mobile ad hoc network (MANET) is a self-configuring group of wireless routers designed for mobility that forms an arbitrary topology adapting to the environment. Because mobile wireless routers move randomly, the topology may change rapidly and unpredictably. This type of network can operate standalone or may be connected to multiple points on a wired network. A MANET can eliminate any single point of failure that would bring down the network. It offers multi-hop routing, alternate paths, and cross-spectrum bridging, with redundancy providing fault tolerance and reliability. Various protocols have been evaluated based on packet loss and routing overhead. To provide reliable operation the protocol must adapt rapidly in the presence of interference and must coexist with other devices that occupy the spectrum. MANET security is equally challenging, requiring sophisticated, scalable, and efficient key management that allows trusted devices to be easily provisioned through inclusion or exclusion.
This presentation will discuss the use of a MANET for industrial applications and the advantages of decentralized systems and security management. Industrial wireless networks can benefit from MANET research that was originally developed for the military. A MANET can serve as backhaul for a wide range of converged services, including process control. It goes beyond mesh networking by requiring distributed intelligence residing on each node. MANET provides next-generation broadband capabilities for safe and secure wireless operations with mobility, for use in challenging environments such as industrial plants. MANET offers rapid deployment and cost savings for applications such as wire replacement, IP video, VoIP, asset management, and process control.
Session C:
Enterprise Architecture Security & Privacy Profile
1:45 - 2:45
The Federal Enterprise Architecture Security and Privacy Profile
Waylon Krush, CISSP, CISA, Co-Founder and CEO, Lunarline, Inc.
The Federal Enterprise Architecture Security and Privacy Profile (FEA SPP) is a scalable and repeatable methodology for addressing information security and privacy as it relates to the FEA. The FEA SPP Tool provides users the ability to develop a baseline of security and privacy requirements when developing an Enterprise, Segment, or Solution architecture. The FEA SPP tool integrates the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the System Development Life Cycle (SDLC) planning to provide users with the ability to understand and select information security controls relevant to the system or process risk associated with the mission of the Agency.
The FEA SPP Tool works under the assumption that the system or process has undergone a preliminary security categorization In Accordance With (IAW) Federal Information Processing Standard (FIPS) 199, NIST Special Publication (SP) 800-60, and the NIST RMF, and that you understand what phase of the SDLC (initiation 1 - disposal 5) or acquisition lifecycle (pre-acquisition, acquisition, or sustainment) the system or process is in.
The tool is also more effective if the organization has undergone a common control selection and has a clear understanding of when, where, and how Agency specific controls apply. The idea behind the tool is that it will de-scope controls based on the Security Categorization (SC), the phase of the SDLC (1-5) or acquisition phase (pre-acquisition, acquisition, or sustainment), and what type of EA SPP you are developing.
For example, if you have a Financial Business Segment that crosses several areas in the organization, the FEA SPP Tool would allow you to select the most likely information security controls for that segment. If, within the Financial Business Segment, you also had two systems (solutions) - one for Accounts Payable (AP) and one for Accounts Receivable (AR) - the tool would allow you to select the information security controls based on each solution's security categorization and where it is in the SDLC (even if they have different SCs and are in different phases of the SDLC).
Session D:
Privacy
3:15 - 4:15
Barbra Symonds, Associate Partner, Security, Privacy, Wireless & IT Governance, IBM Global Business Services
Thread 3: Software Assurance
Session A:
Secure Software Development
8:30 - 9:30
Being Explicit About Software Weaknesses
Sean Barnum, Principal Consultant, Cigital
The secure software development community is developing a standard dictionary of the weaknesses that lead to exploitable software vulnerabilities. The Common Weakness Enumeration (CWE) and related efforts are intended to serve as a unifying language of discourse and act as a measuring stick for comparing the tools and services that analyze software for security issues. Without a common, high-fidelity description of these weaknesses, efforts to address vulnerabilities will be piecemeal at best, only solving part of the problem. Various efforts at DHS, DoD, NIST, NSA, and in industry will not be able to move forward in a meaningful fashion, or with any hope of being aligned and integrated with each other, so that we can protect our networked systems starting with the source - the software development lifecycle. While the current driver for CWE is code assessment tool and service analysis, we believe that CWE and its related efforts could have a broader impact.
Session B:
Security Configuration Management Session
11:00 - 12:00
Sue Kreigline, Defense Information Systems Agency (DISA) Field Security Operations
This Application Security and Development Security Technical Implementation Guide (STIG) provides security guidance for use throughout the application development lifecycle. This STIG provides the guidance needed to promote the development, integration, and updating of secure applications. Subjects covered in this document are: development, design, testing, conversions and upgrades for existing applications, maintenance, software configuration management, education, and training. Defense Information Systems Agency (DISA) encourages sites to use these guidelines as early as possible in the application development process. Some vulnerabilities may require significant application changes to correct. The earlier the STIG requirements are integrated into the development lifecycle, the less disruptive the remediation process will be.
Vern Williams, Senior Security Architect, ISSA/SAIC
Change control is a common thread that ends up being a valuable tool for keeping the infrastructure that enforces security functioning correctly.
ITIL and Visible Ops address how to improve change control and what the distinguishing features of a high-performing IT organization are. Effective change control has a significant impact on security as well as on IT management. The net result of these practices is a stable and manageable environment in which to conduct business. The amount of "security" provided to the business will then be determined by the decision to apply resources to securing perimeters, servers, Internet-facing systems, databases, network equipment and desktops, as is appropriate for the needs of the business. Without change control processes you cannot ensure that money spent on improving security today is not undone by the actions of users, systems administrators or even your security staff.
Session C:
How to Make It Happen
1:45 - 2:45
Tackling Software Assurance in the Federal Enterprise: USAF Application Software Assurance Center of Excellence (USACoE)
Sean Barnum, Principal Consultant, Cigital
Federal enterprises depend on secure, reliable software to reduce vulnerability to cyber attacks and to ensure reliable operations. More and more enterprises are becoming aware of the importance of software assurance as an element of their broader IA focus. Savvy organizations realize that effectively addressing software assurance is a strategic rather than simply a tactical problem and are looking to integrate its concerns into all areas of the enterprise. Given their limited experience with software assurance, many organizations are looking to the few existing enterprise programs as examples on how to tackle the problem. The USAF Application Software Assurance Center of Excellence (ASACoE) is a trailblazer in this area and offers interested organizations a useful role model. This session will give a brief overview of the ASACoE's background, mission, strategic CONOPS, current tactical focus and technical toolbox as well as a sampling of some of the results found so far and some of the challenges facing most federal enterprises looking to undertake such an effort.
Session D:
Managing Supply Chains
3:15 - 4:15
Brad Botwin, Director, Industrial Base Studies, Office of Technology Evaluation, U.S. Department of Commerce
Mitchell Komaroff, Director, Globalization Task Force, Office of the Assistant Secretary of Defense for Networks and Information Integration / Department of Defense Chief Information Officer, Department of Defense
Rama Moorthy, Hatha Systems
Sydney Pope, Office of the Deputy Under Secretary of Defense (Industrial Policy)
The globalization of information & communications technology (ICT) infrastructure and supply chain has enabled tremendous increases in productivity -- within DoD this force multiplication due to ubiquitous deployment of networked ICT is the foundation of netcentricity. At the same time, dependence of mission essential functions on globally interconnected and globally sourced ICT presents a risk. The panel discussion on Supply Chain Management will explore current issues with counterfeit ICT products and components within the Supply Chain, and will begin dialogue on approaches to manage this supply chain risk.
Thread 4: Awareness, Training, and Education
Session A:
Are You Aware?
8:30 - 9:30
Louis Numkin, CISM, Senior IT Security Specialist, Formerly with IRS
Todd Lefkowitz, Director, Education Services - Americas, Symantec
According to independent surveys, the risk posed by employees - whether intentional or not - makes up approximately 70 percent of all security breaches in an organization. The breaches are a direct result of inadequate internal processes and employee negligence. Management must recognize the risks and incorporate a security awareness training program while also complying with federally mandated policies and procedures.
Symantec's Todd Lefkowitz will discuss how an active security awareness training program that touches all individuals interacting with an organization provides a security culture built on trust by incorporating proper security policies and procedures. Todd will also highlight the following areas of risk management:
• Education/Training
• Motivational Performance Management
• Risk Assessment Monitoring
Session B:
Research at Centers of Excellence
11:00 - 12:00
Ouanessa Boubsil, Associate Researcher and Associate Professor, University of Maryland University College
Finally, An Online Immersive Opportunity for Teaching the OSI Model and Information Assurance
Loyce Pailen, University of Maryland University College Director, Center for Support of Instruction, University of Maryland University College
In the area of Information Assurance (IA) education, the Open Systems Interconnection (OSI) reference model is a concept in teaching networking, telecommunications and other technology-related subjects that has been difficult to convey. It is an elementary network/IT fundamental of which students must possess a firm understanding before moving on to advanced security and IA concepts. Students are required to have solid knowledge of this concept prior to taking industry certification exams, entering the technology workforce, and maintaining currency in IA-related careers.
The University of Maryland University College (UMUC) was funded with an NSA grant to develop an IA learning object for use in online classrooms. Under the grant, a UMUC team developed an Adobe Flash multimedia learning object that teaches students the concepts of the OSI model. The object provides an immersive, engaging and interactive representation of the seven layers that bridges the gap in understanding the OSI model and its relationship to information assurance. Complementing the online module is a faculty user manual to guide instructors on the proper use of the object.
Session C:
Certification & Accreditation Session
1:45 - 2:45
Steve Ostrowski, CompTIA
Lynn McNulty, CISSP, Director of Government Affairs, (ISC)2
Janet Rusterucci, ISACA
Session D:
DoD 8570 and Other Training and Workforce Development Updates
3:15 - 4:15
Steve Busch, Senior Managing Consultant for IBM Global Business Solutions, IBM/DoD, DIAP
Susan Hansche, Nortel Government Solutions / Department of State
Mark Wilson, NIST
In this session you will hear the latest about DoD's 8570 information assurance training and certification program, including future expectations of that program. In addition, you will hear about other federally focused information security training and workforce development initiatives that you may not have heard about before, and some others that are being developed.
October 28, 2008
Registration and Continental Breakfast (Atrium Ballroom)
8:00 - 9:00
Plenary Session: (Atrium Ballroom)
10:30 - 12:00
The Comprehensive National Cybersecurity Initiative
Jim Richberg, Chief of Staff, Joint Interagency Cyber Task Force
Our economy and national security are dependent upon information technology and information infrastructure. The U.S. Government is aware of and has defended against malicious cyber activity directed at Federal networks and systems. Many of these attacks are designed to steal information and disrupt, deny access to, degrade or destroy critical Federal information systems. The Cybersecurity Initiative is a multi-faceted Federal government effort set forth in Homeland Security Presidential Directive-23 / National Security Presidential Directive-54 on cybersecurity policy, which the President issued in January 2008. Within the overarching Cybersecurity Initiative, there are several initiatives to secure the cybersecurity of our Federal networks including:
• Manage the Federal Enterprise Network as a single network enterprise, with Trusted Internet Connections (TIC).
• Pursue deployment of intrusion detection systems across the Federal enterprise.
• Coordinate and redirect research and development efforts across the Federal government.
• Connect current cyber centers to enhance situational awareness.
• Ensure that government information security offices and strategic operations centers share data as legally appropriate regarding malicious activities against Federal systems in order to have better situational awareness of the entire threat to government systems.
• Expand cyber education.
• Develop a multi-pronged approach for global supply chain risk management.
• Define the Federal role for strengthening cybersecurity in critical infrastructure domains.
Lunch/Visit Exhibits
12:00 - 1:30
Getting to the Next Level
Brian Snow, Independent Security Advisor
Cybersecurity research and products are not keeping up with the malice on the net. What steps can we take to turn this around, both in research and in deployable products?
Thread 5: Information Sharing
Session A:
Cross Domain Solutions
9:00 - 10:00
Cross Domain Information Sharing and Redaction through Encryption
Jon-Michael C. Brook, Vice President, Security Solutions & Sales, Eruces, Inc.
Cross Domain Solutions control data through boundaries, typically stripping out information before it passes to lower classification levels. Encryption effectively "removes" information as well, and is approved for transport of high side data on a lower classified network. From a cross domain standpoint, key access becomes paramount.
This presentation will cover two cross domain data protection/sharing concepts:
1. XML dependent encryption: A single document which effectively presents information appropriate to a recipient's classification level and need to know. This becomes of great interest when classified information must be pushed down from the Intelligence Community or Department of Homeland Security to Federal State and Local Law Enforcement Groups. Through the use of XML and encryption, a single document may be distributed to multiple groups without fear of information leakage.
2. Cross Domain Data Redaction through Pseudonymization: Not all data set patterns are discernible within an enclave; limited computing resources, new techniques or a lack of appropriately trained staff may hinder data mining attempts. Methods of redacting this information may expose the data to reconstruction techniques or insider threats. Cryptography may be used to automatically create pseudonyms which appear lossy to the low side and still allow mining and later appropriate reconstitution.
The reasons these approaches are novel, innovative and how they may be applied will be discussed, as will a short demonstration of a couple of prototypes.
Trusted Mobility
Robert Jueneman, Chief Scientist, SPYRUS Inc.
Whether we are talking about a soldier in Iraq, or a bank auditor, or a corporate "road-warrior" who is travelling across the country and preparing last minute updates to a briefing, today almost everyone who uses a computer needs to use it outside of the office. The need for information security is increasingly well recognized, and the consequences of a compromise caused by a lost or stolen laptop or other portable storage devices can be severe.
Last year, the primary thrust of Information Assurance at the federal level was to take steps to address the lost or stolen laptop problem, particularly through the use of software-based Full Disk Encryption (FDE) solutions. This year, that problem, and the solution, is relatively well understood, although the implementation of such solutions has been slow to occur for budgetary and other reasons. In addition, many agencies are still using unapproved "thumb drives" to move sensitive information from one computer to another - perhaps even classified information.
But the lost and stolen laptop or media is only part of the overall problem, and Full Disk Encryption is necessary but not sufficient for the overall problem. Information must be shared in order to be useful, and that raises very substantial issues with respect to who is authorized to receive such information; who is trusted as a reliable source of such information; and in what locations the information can be securely processed. In addition, there are substantive issues of key backup and recovery to be addressed. What good does it do to encrypt a document so carefully that it will be secure 100 years from now, if we can't decrypt it a decade after it was created?
SPYRUS has solved both the lost and stolen laptop and secure information-sharing problem, through the use of our high-assurance, high-strength Hydra PC devices. AES-256 Full Disk Encryption of the laptop's hard drive is supported with high-strength Suite B key management, together with high-strength, high-assurance individual encryption and digital sealing of individual files and folders in a multiple-recipient environment.
However, this is of no avail if the operating system itself has been compromised, if malware is broadcasting information after it has been decrypted, or if a careless user can transmit the information to an unauthorized destination, or print it on an insecure printer.
This talk will provide a peek into the future, and describe SPYRUS' approach towards solving this overall problem in a holistic way, through enhancements to existing systems plus complementary solutions from third parties. We will describe how concepts such as a trusted boot loader with pre-boot authentication, an encrypted operating system with encrypted temporary files, a mandatory VPN connected to the trusted enterprise network, guard processors to limit the connectivity to untrusted sites and storage media, end-to-end file encryption, and a layered approach to information rights management that is integrated into the applications and data files to control who can access them and for how long, can be combined to solve the problem of trusted mobility.
Session B:
Emergency Preparedness
1:45 - 2:45
"Lessons from Defending Cyberspace - The Challenge of Addressing the Cyber Risk"
Andy Purdy
Objective: promote thinking and discussion about the lessons that should be learned from the cyber wars, and about how to enhance the preparedness and improve the strategic approach of all levels of government (including law enforcement), of the owners and operators of the critical infrastructure, and of the other major institutions in our society.
Key stakeholders who own, run, or depend on the information infrastructure -- governments, critical infrastructure operators, and private organizations -- must learn the lessons from past disasters like Hurricane Katrina and the terrorist attacks of September 11, 2001, to ensure that cyber preparedness is a national, regional, and local priority for partnership between government and the private sector, and that prioritization of effort and resources is based on a dynamic risk management model involving stakeholders.
Governments and global companies should work together domestically and internationally to:
o collaborate on the assessment of cyber risk and the coordination and prioritization of risk reduction efforts;
o facilitate law enforcement cooperation and strategic contributions to risk reduction that go well beyond the current paradigm;
o prioritize and leverage spending on research and development; and
o share information and collaborate more effectively regarding cyber incident response, recovery, preparedness, and analytical capabilities.
Organizations need to develop and implement a dynamic risk management program that addresses risk while meeting compliance and reporting requirements. Organizations need to identify and implement strong requirements for IT systems management, and information security and assurance:
o Accurate, real-time situational awareness of what is connected to your network;
o Ability to know in real time what software is running on every device;
o Ability to know in real time the security and compliance status of anything connected, or attempting to connect, to your network;
o Ability to report on real-time security status to inform C-level awareness, audits, and compliance requirements generally;
o An ability to rapidly evaluate incidents and deploy mitigative measures;
o Ability to remediate policy noncompliance in real time, whether or not devices are connected to the network; and
o A capability to effectively control access to, and track, sensitive data.
Session C:
Identity Management
3:15 - 4:15
Interoperability and the Government-wide Implementation of HSPD-12
David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide Policy
Homeland Security Presidential Directive 12 (HSPD-12) required the issuance of standard secure identification credentials to Federal employees and contractors for physical access to federal facilities and logical access to systems and networks. Federal Information Processing Standard (FIPS) 201 established the Personal Identity Verification (PIV) standard for the Federal Government under HSPD-12. FIPS 201 requires the recording and use of standard biometrics, PKI and digital certificates, and standards-based identifiers for the government-wide implementation of HSPD-12. The U.S. General Services Administration was designated by the Office of Management and Budget as the "Executive Agent for the Acquisition of Information Technology for HSPD-12" to provide for government-wide interoperability and provide common identity management infrastructure to facilitate HSPD-12 implementation across the Federal Government. This session will explain the requirements for interoperability and how it is being achieved and provide the status of government-wide implementation of HSPD-12, including:
• The Federal Government's product testing and approval programs for identity management equipment, identity credentials, and systems
• The status of approved devices and components on the GSA FIPS 201 Approved Product List
• Data interface requirements for systems interoperability
• Status of national deployment
• Use cases for PIV cards
• Interoperability and next steps
Thread 6: Data Protection
Session A:
Key Management
9:00 - 10:00
Manuel Cintron, SAIC
This session addresses the complexities of executing a secure cryptographic key management infrastructure. The presentation will look at various process and technical controls associated with the lifecycle of asymmetric and symmetric cryptographic keys, regardless of standard.
Session C:
Authentication
3:15 - 4:15
External Interoperability: Issuing PIV-Interoperable Credentials
Nick Piazzola, Vice President, Government Programs, VeriSign, Inc.
The Federal government has defined external interoperability requirements for non-Federal applications needing smartcards that are interoperable with the PIV card currently being deployed to Federal employees and contractors. One such application is the FRAC (First Responder Authentication Card) for state and local government first responders. The presentation will describe an approach to implementation of a PIV-Interoperable credentialing solution using a clone of a Federal Shared Service Provider (SSP) PKI service and a FIPS 201-certified Card Management System.
Judith Spencer, Chair, Federal Identity Credentialing Committee (FICC), GSA
Session B:
Network Security
3:15 - 4:15
Network Intrusions: Case Studies and Network Security Recommendations
Eric Eifert, Executive Director, Cyber Defense Division, ManTech Security and Mission Assurance
This presentation will provide in-depth examples of several real-world network intrusions targeting large enterprise networks that have occurred in the past 18 months. It describes the intricate details of the tools used to target internal users and penetrate the network and provides a breakdown of the tools used to establish command and control access to the users' computer systems. Next, it dissects the intruders' utilities for conducting lateral movement across the network and the methodology used by the intruders for data gathering & exfiltration. Finally, recommendations for mitigation techniques will be provided that will help organizations defend themselves against these types of attacks that target their users.
This presentation provides audience members with a variety of investigative and incident handling techniques for identifying, containing, and mitigating external attacks against their organization that target internal users. Additionally, it provides security recommendations for thwarting future activities and for reducing the risk of a successful network penetration.
Getting Ahead of the Curve: Deep Packet Inspection for Federal Information Assurance
Greg Kopchinski, Senior Product Manager, Bivio Network
President Bush's Comprehensive National Cybersecurity Initiative addresses a long-held concern for federal IT managers: lapses in information assurance and the growing threat they represent to the federal government's vital data.
The CNCI recognizes the role public-private partnerships will play as agencies seek to detect and prevent intrusions in real-time, before they can cause significant damage. Such partnerships can bring to bear the programmable, policy-centric technologies federal agencies need to manage internal and external security threats across multiple agency networks while ensuring the integrity of data.
One such technology, Deep Packet Inspection (DPI), allows more advanced knowledge of and control over data crossing the network. By enabling the examination of a data packet's entire payload, DPI gives unprecedented "visibility" into deeper levels of network traffic to identify and remedy security vulnerabilities.
The audience will learn the fundamentals of DPI, as well as how the technology will be a primary component of agency efforts to meet and satisfy the CNCI mandate.
Thread 7: IA Updates
Session C:
Future Needs
9:00 - 10:00
Drury Norris, Senior Manager, Raytheon Information Solutions
Using Security Policies To Strengthen Information Assurance
Linda Wilbanks, CIO for the National Nuclear Security Administration, NNSA DOE
The NNSA CIO has the responsibility to oversee, monitor, and control an IT investment portfolio of $1.2 billion with a focus on nuclear defense, nonproliferation, and nuclear safety and security IT initiatives. Dr. Wilbanks presents a management perspective with a focus on NNSA's security environment, drivers, and challenges, and how these require a strong policy framework. Mr. Norris describes the methods and challenges associated with making the security policy framework operational in the complex NNSA IT environment.
Session B:
FISMA
1:45 - 2:45
Cyber Security & Compliance/ Monitoring IT Compliance inside the Federal Government
Bob Gourley, CTOvision.com
Government IT professionals are becoming subject to enhanced requirements for IT compliance. Balanced scorecard approaches to governance, and regulations such as the Federal Information Security Management Act (FISMA), the Federal Desktop Core Configuration (FDCC), and the Security Technical Implementation Guides (STIGs) of DISA, are mandating actions throughout the federal government. Fortunately, many of the lessons learned from industry's compliance with regulation can be directly applied by government IT professionals. A key lesson is the smart use of automation in compliance.
In this discussion, Bob Gourley, former CTO of the Defense Intelligence Agency (DIA), will discuss how automating compliance reduces risk and cost and enhances security and the contributions of IT to strategic performance. Using real-world examples Gourley will show how Government can apply best-practices from Industry to monitor IT compliance and reduce the risks and costs of regulatory and security breaches.
Dennis Heretick, DeepWaterPoint
Session A:
NIST Updates
3:15 - 4:15
Developing Assessment Cases for NIST SP 800-53A
Gary Stoneburner, Information System Security Engineer, JHU APL
The presentation will provide an overview of the results of the NIST Assessment Case Project, where a joint-agency working group led by DOJ and including NIST, DOE, DOT, and DNI developed a multi-agency recommendation for the specific actions an assessor might perform in order to obtain the evidence necessary for making the determinations identified in the assessment procedures in NIST Special Publication 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems - Building Effective Security Assessment Plans". The presentation will describe the assessment cases and how they provide worked examples for organizations to use in developing their own assessment plans. In addition, the presentation will describe the other results obtained, such as generating over 400 specific change suggestions for NIST documents and the extensive dialog between NIST and organizational assessors that provided valuable insights in both directions.
Pat Toth, National Institute of Standards and Technology
Thread 8: Security Requirements
Session A:
Private Sector Update
9:00 - 10:00
Data-centric security - the new mandate for a new threatscape
A.N. Ananth, CEO, Prism Microsystems
Hackers have evolved from thrill-seeking mischief makers and fame seekers to members of organized criminal groups that infiltrate business processes and surreptitiously steal sensitive data. For these profit-driven crime groups, government agencies are lucrative targets for their databases rich in social security, identity, and other information that can be mined for financial gain. This monetary motivation has driven an enormous change in the threat landscape - in 2007, the emergence of polymorphic strains such as Nugache and Storm and the subsequent widespread infections are evidence that new attacks are rapidly outpacing traditional blacklist types of security efforts. In this challenging and fast-changing environment, all institutions, both public and private, must be especially vigilant about protecting their data from theft to maintain public confidence and trust.
In this session, A.N. Ananth, CEO of Prism Microsystems, will discuss the new security mandate in the context of withstanding the new threatscape - with the blacklist thinking of current defense models proving to be ineffective against new attack vectors, the focus must shift to safeguarding critical data, be it at rest, in motion or in use. A blended approach of blacklisting and whitelisting is essential for defending against both the traditional and new forms of attacks, while limiting resources typically consumed in defending against such threats.
In addition to practical advice on implementing this new data-centric security mandate, attendees will also learn:
- A detailed taxonomy of how attackers undermine systems
- The 5 Code-red security threats to government agencies
- Techniques for identifying indications of an attack to proactively prevent damage
- Methods that go beyond the perimeter to protect data where it resides
- 'After the fact' forensic analysis techniques to enable more effective preventive and detective measures in the future.
As a Service: How Cloud Computing Is Changing The Enterprise Security Landscape
Eran Feigenbaum, Director of Security, Google Apps
More organizations than ever before are using software in the "cloud" instead of software installed on PCs. With this new computing model also come new requirements for security.
Google's Eran Feigenbaum will address the following:
o Current state of computing: Many organizations are moving their computing infrastructure from locally-based servers to the web and are benefiting from anytime, anywhere access and real-time collaboration;
o Advantages of cloud computing: Hardware, software and energy cost-savings, greater efficiency, higher productivity, and greater data protection are just some of the advantages of cloud computing that businesses & government agencies cite;
o New model for security in the cloud: As more people entrust their information to the cloud, security needs to be addressed in new ways. Security in the cloud revolves around several axes including physical data center protection, multiple code reviews, and data replication.
Session B:
Trusted Internet Connection (TIC) Session
1:45 - 2:45
Michael Markulec, Chief Operating Officer, Lumeta Corporation
With the Trusted Internet Connections (TIC) initiative, the Federal government is moving forward with consolidating Internet POPs to insulate federal networks from risk and intrusion with more tightly managed Internet gateways. Begun more than a decade ago at Bell Labs, Lumeta's Internet Mapping Project and the unique snapshot of the world's cyber infrastructure that it provides are more relevant than ever. The Internet Mapping Project provides a unique insight into connectivity at the backbone of the Internet, and how that connectivity is impacted as either network or geo-political conditions change.
Michael Markulec, COO of Lumeta Corporation will provide insights into the world's cyber infrastructure culled from 10 years of Internet Mapping research which have a direct bearing on today's most onerous network management, security, and geo-political issues. This research holds important lessons in the changing nature of connectivity for Information Assurance officers as they embrace the TIC initiative.
David Stender, Associate Chief Information Officer (ACIO), Cybersecurity, IRS
In November 2007, OMB announced the implementation of the Trusted Internet Connections (TIC) Initiative. The overall purpose is to optimize individual external connections, including Internet points of presence currently in use by the federal government. It will improve the federal government's incident response capability through the reduction of external connections and centralized gateway monitoring at a select group of TIC Access Providers (TICAPs).
Session C:
Which Requirements Do You Need?
3:15 - 4:15
Earnest Neal, ASG
Security Control Assessment Requirements - Implementation across the Enterprise
Dennis Seymour, Senior Program Manager, STG
Pre-Site (Organizational)
• Security Categorization
• Select Security Controls
• Implement Security Controls
Pre-Site
• SCA Notification
• SCA Conference Call
• Document Review & Evaluation
On-Site
• Assess Security Controls
• Policy Assessment
• Technical Assessment
• Management Out-Brief
Post-Site
• SCA Report
• Appendices based on system
• Authorize System
• Certification Program Office (CPO) Review
• Accreditation Program Office (APO) Review
• Authorizing Official Desig. Rep. (AODR) Decision
• Monitor Controls
• Selected controls tested quarterly
• Same scripts used as in SCA assessment
• POAM monitoring
Benefits to the Organization
• Reduced SCA Costs (per system and therefore overall)
• Time savings
• Time on site - 3 to 4.5 days
• Report Production - 8 hours versus 400
• Apples to Apples
• Improving FISMA status
October 29, 2008
Session T
9:00 - 12:00
Tutorial 1: Software Assurance
Larry Wagoner, NSA
Software assurance is defined as the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner. This tutorial will provide a broad overview of software assurance: what software assurance entails, why it is needed, and practical ways that it can be implemented at all steps in the software development life cycle. Details of some common attacks will be shown in order to understand both the ease with which vulnerabilities can be unintentionally placed in software and the difficulties in preventing and detecting them. Current activities in software assurance will also be described, as well as a brief look into the future of software assurance.
Tutorial 2: Certification & Accreditation
Marianne Swanson, Senior Advisor for Information Technology Security Management, NIST
The certification and accreditation process described in NIST Special Publication 800-37 Revision 1, "Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach" will be explored in this tutorial. The publication contains the proposed new security authorization process for the federal government (currently commonly referred to as certification and accreditation, or C&A). The new process is consistent with the requirements of the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130, Appendix III, promotes the concept of near real-time risk management based on continuous monitoring of federal information systems, and more closely couples information security requirements to the Federal Enterprise Architecture (FEA) and System Development Life Cycle (SDLC). In addition, this publication provides a common process for authorizing federal information systems in the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and Committee on National Security Systems (CNSS).
The session will begin with the NIST Risk Management Framework and the fundamental steps that lead to and follow certifying and accrediting an information system. Key publications that directly support the steps in the Risk Management Framework will be introduced. The tutorial will continue with an in-depth discussion of the draft publication and the six system authorization steps. The session will conclude with a description of future activities planned for the NIST FISMA Implementation Project.
Tutorial 3: Encryption
Dennis Toothman, Co-Founder, Chief Technical Officer and Senior Vice President of Engineering, CipherOptics
This session will begin with a brief discussion of symmetric and asymmetric encryption algorithms, hashing algorithms, and key exchange protocols. These will include 3-DES, AES, MD5, SHA-1, RSA, Diffie-Hellman and IKE.
Application of the algorithms to implementation of IPSec and SSL solutions will build on the knowledge gained regarding algorithms. Performance considerations will be discussed.
Finally, some new approaches to key and policy management will reveal how encryption can be applied to applications where encryption would normally cause network issues, such as multicast, load balancing, VPLS/MPLS networks, and fully meshed VoIP configurations.
Tutorial 4: Personally Identifiable Information (PII)
Kim Mott, Privacy Officer, GSA
The Privacy Act of 1974, as amended (5 USC 552a), is the first and most comprehensive law governing the protection of personal information in the possession of the Federal government. The Privacy Act establishes for individuals the right to privacy for records that Federal agencies collect, maintain, and use. This law protects an individual's privacy from unwarranted invasion by requiring that personal information in possession of Federal agencies is properly used, and that agencies institute measures to prevent any potential misuse of information in their possession.
Agencies without a strong program in place and a solid governance model may lose opportunities to assess their privacy posture to discern future needs and considerations or to embed privacy objectives across multiple agency activities.
Privacy affects an agency's mission and functions, with implications for offices of human resources, information technology, financial reporting, inspectors general, general counsel and communications. A major goal of the privacy program is to integrate, where appropriate, privacy considerations and privacy controls throughout an agency's activities. This ensures that agency Privacy Programs have the greatest opportunity for improving privacy safeguards, lowering risks, and reducing duplicative efforts.
This session will provide information on identifying Personally Identifiable Information (PII) and best practices for handling it. Federal agencies are entrusted with vast amounts of personal information. Knowing simple steps to protect PII is the best defense.
©2006 Federal Business Council, Inc.
All rights reserved.