RISK ASSESSMENT on the Department of the Army IT Systems Essay Example for Free

RISK ASSESSMENT on the Department of the Army IT Systems Essay 1.Introduction 1.1 Purpose This risk assessment was to identify threats and vulnerabilities related to the Department of the Army (DoA) Information Technology (IT) systems. It will be utilized to identify vulnerabilities in the Computer Network Defense (CND) Capabilities and mitigation plans related to DoA’s IT systems. It was realized that this was a potential high-risk system as noted by the Department of Defense (DoD) Chief Information Officer (CIO). (DoD, 2012) 1.2 Scope This risk assessment applies to all DoA Non-secured Internet Protocol Router Network (NIPRNET) and Secured Internet Protocol Router Network (SIPRNET) for Regular Army and Reserve Components. This is a major system that is used by millions of Soldiers, contractors and DA civilians worldwide. The DoA’s IT system is comprised of Army Global Network Operations and Security Center (A-GNOSC) which is responsible for the Army’s day-to-day Tier 2 CND Service Provider. The research methods will present both quantitative and qualitative data which will identify hazards and vulnerabilities to include International-Transnational Terrorism and Domestic Terrorism and present an assessment of the potential risks from them. Information will be collected mainly from DoD’s and DA’s websites. SYSTEM CHARACTERIZATION The DoD uses DODI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), as the process for implementing Certification and Accreditation (CA) within their information system. The Information Assurance (IA) Controls, or security measures that must be implemented on a system, as stated in the DODI 8500.2, Information Assurance (IA) Implementation. The control selection relies on the Mission Assurance Categories (MAC) and Confidentiality Levels (CL). Information Systems (IS) will be allotted a MAC level which shows the importance of the information which is used to determine the IA controls for integrity and availability regarding DODI 8500.2 and will be decided by the DoD or Army by the DIACAP  team (Information Assurance, 2009) MISSION ASSURANCE CATEGORY MAC IIs a high integrity, high availability for DoD ISs handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequence of loss of integrity or availability is unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC IIIs a high integrity, medium availability for DoD ISs handling information that is important to the support of deployed and contingency forces. The consequence of loss of integrity is unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. MAC IIIIs a basic integrity, basic availability for DoD ISs handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short- term. The consequences of loss of integrity or availability can be tolerated or overcome witho ut significant impacts on mission effectiveness or operational readiness. CONFIDENTIALITY LEVELAll ISs will be assigned a confidentiality level based on the classification or sensitivity of the information processed. The confidentiality level is used to establish acceptable access factors and to determine the DODI 8500.2 IA Controls applicable to the information system. DOD has defined the following three confidentiality levels: 1.ClassifiedInformation designated top secret, secret or confidential in accordance with Executive Order 12356. 2.SensitiveInformation the loss, or unauthorized access to or modification of could adversely affect the national interest or conduct of Federal programs, or Privacy Act information. Includes, but is not limited to For Official Use Only (FOUO), Privacy data, unclassified controlled nuclear information, and unclassified technical data. 3.PublicInformation has been reviewed and approved for public release. Note. Mission Assurance Categories table is taken from Information Assurance. (2009) Applications (not an inclusive list): Anti-Spyware General –V4R1, 3 Dec 09, Application Services –V1R1, 17 Jan 06  Application Security Development V3R1, 10 May 10 CITRIX Xen App, V1R1, 23 Jul 09 ESX Server -V1R1, 22 Apr 08 Database –V8R1, 19 Sep 07 Desktop Applications General –V4R1, 3 Dec 09 Directory Services –V1R1, 24 Aug 07 ERP –V1R1, 7 Dec 06 ESM –V1R1, 5 Jun 06 HBSS STIG –V2R5, 22 Feb 10 IM –V1R2, 15 Feb 08 InTFOT-V1R1, 2 Oct 09 ISA Server 2006 OWA STIG, V1R1 5 Feb 10 McAfee Antivirus –V4R1 –3 Dec 09 Microsoft Exchange 2003 –V1R1, 6 Aug 09 MicrosoftIE6 –V4R1, 3 Dec 09 MicrosoftIE7 –V4R1, 3 Dec 09 MicrosoftIE8 –V1R1, 26 Apr 10 Microsoft Office 2003 –V4R1, 3 Dec 09 Microsoft Office 2007 –V4R1, 3 Dec 09 Mozilla Firefox –V4R1, 3 Dec 09 Symantec Antivirus –V4R1, 3 Dec 09 SunRay4 Thin Client –V1R1 –26 Mar 09 VTC STIG –V1R1 –08 Jan 08 Web Server –V6R1, 11 Dec 06. DISA STIG. (2012) THREAT IDENTIFICATION Data from the DoD shows a 20% rise in attacks against its information systems from 43,880 to 54,640 between 2007 to 2008. â€Å"Each of these penetrations involves a series of actions that do not differ substantially whether the intruder is acting on behalf of a terrorist group, a foreign government, a corporation, or is acting as individual. The severe intrusions into cyber systems involve penetrating system security, navigating and mapping the cyber system, targeting the nodes that control the system and contain the most critical data, and often, extracting the data.† (Wortzel, 2009) â€Å"In February 2011, the Deputy Secretary of Defense said that more than 100 foreign intelligence agencies have tried to breach DOD computer networks and that one was successful in breaching networks containing classified information.2 Also, the President of the United States has identified this threat as one of the most serious national security challenges facing the nation.† (Dâ€⠄¢Agostino, 2011, pp. 1) VULNERABILITY IDENTIFICATION THREAT CapabilitySecurity Test ResultsAudit CommentsSeverity SW BaselineNo SW baselineThe DA does not have a documented software inventory. A failure of this control does not lead to an immediate risk. IA Impact AssessmentConfiguration Management Plan (CMP) is not completeThe certification team through document review, that DA does not have formal procedures for IA impact assessment.Failure to assess changes for IA impact could lead to changes being made to the environment that unknowingly  introduce vulnerabilities increasing the risk of compromise. Ports, Protocols, and ServicesOpen ports protocols and services (PPS)The certification team determined through interviews and device configuration reviews, that DA does not perform regular review of their open PPS.Unnecessary open PPS increase the risk of systems being compromised. CONTROL ANALYSIS Incident Handling, IA Training and Certification, Information Assurance Vulnerability Management (IAVM), IA Program Management, Public Key Infrastructure (PKI), Certification and Accreditation, Federal Information Security Management Act (FISMA), Wireless Security, Army Web Risk Content Management, Personally Identifiable Information (PII), Portable Electronic Devices (PED), Minimal Information Assurance Technical Requirements, Classified Systems Management and Physical Security and Environmental Controls (Information Assurance, 2009) LIKELIHOOD DETERMINATION THREATSTerrorist (mail bomb)Denial of ServiceUnauthorized Access 1. VulnerabilityUncontrolled accessUpgrading Firmware onlineUnattended computer while logged on 2. MitigationControlled access e.g. common access card, buzzerUpgrade from trusted source onlyLog off computer before leaving area 3. Threat Probability615 Threat Probability: Highest number equals highest probability Note. Threat Matrix is taken from DA Anti-Terrorism Plan (2012). (CH 5 DOD O 2000.12H) IMPACT ANAYLYSIS Criticality Assessment Matrix AssetImportanceEffectRecoverabilityMission FunctionalityTotal Servers 1097834 Routers875626 Highest score = most critical Lowest score = least critical RISK DETERMINATION ValueNumeric Rating Major Deficiency9-10 Significant Deficiency7-8 Moderate Deficiency5-6 Minor Deficiency3-4 Negligible Deficiency1-2 CONTROL RECOMMENDATIONS Move the IA Program out of Technical lanes and into Command lanes, clearly define functions for a Command IA Program, define Concept for the Command IA Team (technical and non-technical), develop a reporting methodology for the Command IA Program, develop and provide a Command IA Training Program, develop a Command IA Program Management Course (CIAPMC), develop a Risk Management Model for Information Protection (IP): IA/CND, establish an â€Å"Acceptable Risk Criteria† for the Command IA Program and transform the Army’s IA Policy Formulation Process. (DAIG IA, 2009) SUMMARY Risk Vulnerability/ThreatRisk LevelRecommended ControlsAction Priority Hardware baseline inventory is incomplete. This could lead to the introduction of unauthorized into the network and also makes it difficult to maintain an effective life cycle managementLowComplete current hardware baseline and continue to identify and document future assets.Low Configuration management is not complete and this could lead to changes being made to the environment that unknowingly introduce vulnerabilities. This should be assessed by an IA team before introduced to the network.LowFinalize the configuration management process and implement a plan to assess IA impact of change to the system.Low Open ports, protocols and services. Changes made to the open PPS will lead to exploits and/or data compromise.MediumEnsure that the change management process relating to PPS are developed and enforced.Medium REFERENCES Bendel, B. (2006). An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP). Retrieved from http://www.xlr8technologies.com/CMS/admin/Assets/lunarline/pdfs/lunarline_dia cap_process1.pdf D’Agostino, D. (2011). Defense Department Cyber Efforts: More Detailed Guidance needed to Ensure Military ServicesDevelop Appropriate Cyberspace Capabilities. Retrieved from http://www.gao.gov/new.items/d11421.pdf DoD CIO. (2012). Department of Defense Instruction, Number 8582.01. Security of Unclassified DoD Information on Non-DoD Information Systems. Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/858201p.pdf Hudson, J. (2009). Department of the Army Information Security Program. Retrieved from http://www.apd.army.mil/pdffiles/r380_5.pdf Stonebumer, G., Goguen, A. Feringa, A. (2002). Risk Management Guide for Information Technology Systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf Information Assurance. (2009). Retrieved from www.apd.army.mil/pdffiles/r25_2.pdf DIACAP (n.d.) – DoD 8500. Retrieved from http://www.securestate.com/Federal/Certification%20and%20%20Accreditation/Pages/DIACAP-D0D8500.aspx DISA STIG. (2012). Retrieved from http://iase.disa.mil/stigs/a-z.html DoD Anti-Terrorism Program. (2012). Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/200012p.pdf Wilson, C. (2005). Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. Retrieved from http://www.history.navy.mil/library/online/computerattack.htm Wortzel, L. (2009). Preventing Terrorist Attacks, Countering Cyber Intrusions, and Protecting Privacy in Cyberspace. Retrieved from