Raytheon and NGA Transformation - TAMU Computer Science ...

solidseniorΔιακομιστές

9 Δεκ 2013 (πριν από 3 χρόνια και 7 μήνες)

149 εμφανίσεις

Unclassified

Unclassified

Raytheon

Information Security

Presentation to TAMU

Kent Stout

Kent_Stout@Raytheon.com



Shelli Richard

Shelli@Raytheon.com

April 16, 2009

Page
2

Unclassified

Unclassified

Agenda


Welcome and Introductions


Information Security Overview


Current Threat Vectors


The IA/IO Landscape


Question and Answer

Page
3

Unclassified

Unclassified

Driving Goal of Security Engineering

Create the best architecture that:

Meets functional
requirements within
cost and schedule
constraints

This is a never
-
ending balancing act!

Provides sufficient
security control to mitigate
risks to an acceptable
level for accreditation

Unclassified

Unclassified


Requirements


Process


Policy


Analysis


Architecture


Integration and Test


Training


Operations &


Maintenance


C&A


Information Security as a Discipline



Network Security


System
Administration


Operating Systems


Process


Installation &


Configuration


Integration and Test


Operations &


Maintenance



Requirements


Process


Analysis


Design


Development


Implementation


Integration and Test


Operations &


Maintenance

Full Life
-
Cycle Coverage


Certified Information Security Engineers

Subject Matter Experts


Certification and Accreditation Expertise

Continuous Learning and Development

Information

Security Engineering

Systems

Engineering

Network/System

Administration

Software

Engineering

Information Security Engineering combines key engineering
disciplines to span the information security spectrum.


Requirements


Process


Policy


Analysis


Architecture


Integration and Test


Training


Operations &


Maintenance


C&A

Page
5

Unclassified

Unclassified

Raytheon InfoSec Competencies


Systems Engineering

-
Enterprise Architecture Engineering

-
Security Systems Engineering

-
Network Systems Engineering

-
Secure Component Engineering

-
Continuity of Operations Engineering


Systems Integration / COTS Integration


DCID
-
6/3 Certification & Accreditation

-
DIACAP, NISCAP, FISMA, DODIIS, NIST, 8500.xx

-
Risk Management / Assessment


LAN/WAN/Internet Secure Information Sharing


Identity and Digital Rights Management


Public Key Infrastructure (PKI), Virtual Private
Networks (VPN’s), Encryption


Secure Voice & Conferencing (VoIP)


Database/Data Warehouse Security


Anti
-
Tamper TEMPEST & HEMP Engineering


Integrated Red/Black Networking


Vulnerability Assessment/Penetration Testing


Data Forensics, Data Integrity


Operations, Sustainment, Training &
Maintenance (NOC, SOC, CIRT)

Policy/Compliance
Technology
Physical
Personnel
Environmental
Confidentiality
Integrity
Availability
Accountability
Information
Assurance
Risk
Governance
Policy/Compliance
Technology
Physical
Personnel
Environmental
Policy/Compliance
Technology
Physical
Personnel
Environmental
Confidentiality
Integrity
Availability
Accountability
Information
Assurance
Risk
Governance
Confidentiality
Confidentiality
Integrity
Integrity
Availability
Availability
Accountability
Accountability
Information
Assurance
Information
Assurance
Risk
Governance
Raytheon Strives to Provide Robust Solutions to the Evolving Information
Assurance Challenges

Page
6

Unclassified

Unclassified

Cyber Threats are on the Rise

MI5 sends letter to British companies warning systems

are under attack

Data Breach Reports Up 69 Percent in 2008


Pentagon hacked

Inspectors Disclose Security Breach

at Nuclear Lab


Critical infrastructure central to cyber threat


Page
7

Unclassified

Unclassified

Cybercrime Surpasses Drug Trafficking Revenue

Threat Vectors for Critical Infrastructure

Cyber Terrorists



Criminal Enterprises



Nation States



Scammers



Criminals




Money Mules


Credit Card Number Theft


Software and Video

Pirates


Web Blackmail


e.g., Tomasz Grygoruk


Intellectual Property


Phishing


Spam


Identity Theft


Ransomware


Keyloggers


Supply Chain Exploitation


Vendor spyware


Trade Secret Mining


Illegitimate Front Companies


China
-

PLA “Net Force”


Russia


France


Israel


Ukraine


India / Pakistan


Jihadists


Al
-
Qaeda


Nationalists


Arab Electronic Jihad Team


Lashkar
-
e
-
Taiba


Hate Groups

THREATS

TARGETS

individuals




criminal syndicates



national organizations

2001

2007

2005

2003

Individuals

Organizations

Businesses

Government


Infrastructure

Email

5% SPAM

95% SPAM

Google

Users

McCain &


Lieberman

Websites

Car Navigation

Systems

100 Largest

US Utilities

95% increase penetration attempts

DHS

DOJ

US Electric Grid

Davis
-
Besse

Nuclear Plant

Truck Freight

Tracking

Shell Oil

Military

Germany

NATO

TJ Maxx

TSA

Oak Ridge

Labs

Univ. of
Pennsylvania

Voting

Machines

$10K

Cost per data breach

101
st


Airborne

4
th

Infantry

US Marines

penetration attempts

MySpace

FaceBook

Pentagon NIPRNet

Rolls Royce

$386K

London Stock Exch.

23,000 / year

100,000/sec

Univ. of Mich.

Cisco

Geeks.com

Vodaphone

Cellular

NASDAQ

$105B

Targets are both Federal and Commercial


In 2004 revenues produced through cybercrime surpassed those produced through
drug trafficking at $105 Billion/year


Between 2003 and 2007 the estimated average commercial cost related to a data
breach went from $10 K to $386 K


Between 2003 and 2007 the 100 largest US utilities saw an increase of 95% in
penetration attempts


Between 2002 and 2007 military installations went from an estimated 23,000
penetration attempts per year to more than 100,000 attempts per second


Attack sophistication, rewards, and motivations are all expanding

Page
8

Unclassified

Unclassified

Critical Need



More devices, more connectivity and more software



Software is becoming more complex


This complexity provides a wealth of IO
-
related opportunities


Strategic and tactical advantage go to those who can understand then
control the execution of software and software systems



Providing IO capability to the US Government is a high growth niche


In lock step with the growth in information technology



Raytheon is positioned at the tip of the spear

Yesterday’s Attackers

Today’s Terrorists

Weapons of the Future?

Page
9

Unclassified

Unclassified

What is a Security Engineer?


The perfect security engineer is part


Network Engineer


Routers, Switches, Firewalls, Intrusion Detection Systems


Operating Systems guru


Linux, Unix, Trusted
OSes
, Windows


Systems Engineer


Architecture, Requirements, Documentation


Software developer


Protocol expert


HTTP, SSL, SSH, FTP, SMTP, SNMP, NTP, LDAP


Applications guru


Web, LDAP, Database, Custom Apps, XML


Integration and Test Engineer


Integrate custom and COTS products


Good team builders with excellent written and verbal communication
skills


Is that too much to ask for?

Page
10

Unclassified

Unclassified

Post
-
Graduate Security Education

3
-
5 years

0
-
2 years

6
-
9 years

10+ years

SANS Security Essentials (Technical)

Vendor Bootcamps, Technical Training

CISSP Certification

ISSEP Certification

SANS Level 2 Specialization Track(s)

Security Conference Attendance

Security Conference (Speaker)

Additional Certifications (Customer
-
driven)

Internal Corporate Certifications

Experience

Continued Education is Vital

Page
11

Unclassified

Unclassified

Information Operations /

Information Assurance (IO/IA) Defined

INFORMATION

OPERATIONS

Kinetic

Psyops

Computer

Network

Operations

Non
-
Kinetic

(DEW)

Offense (IO)

Defense (IA)

Access

Attack

Defend

Exploit


Passive


Active


Deny


Decept


Destroy


Deter


Detract


Passive


Active


Analysis


Triggering


KM/KD

Current Suppliers & Customers

Suppliers


Small niche providers (none
with turn
-
key solutions)

Customers


DoD


Intelligence Community


DARPA


DHS

Page
12

Unclassified

Unclassified

Assessment Methodology


Information Gathering


Interview System Owners


Determine high value targets


Study and Identify Gaps in Policies/Procedures


Conduct Network Mapping Scans


Create Network Layout Diagram


Vulnerability Analysis (VA)


Conduct VA Scans


Analyze Patch Management Effectiveness


Define Secondary Targets


Determine risk posed


Penetration Attack (if requested by customer)


Results Analysis


Analyze all data gathered


Final Analysis Documentation


Document findings, recommendations

Page
13

Unclassified

Unclassified

Assessment Methodology (Cont.)


Risk Recommendations


Accept Risk, Transfer or Remediate


Remediate the Risk (Prioritized)


Could generate new requirements to correct


findings


Starts the development cycle


Remediation approaches



System Mechanisms


Security COTS Products


Custom Software Development


IDS/IPS


Enterprise Security Monitoring


Cross
-
Domain Solutions


Non
-
traditional approaches



Software Vulnerability Analysis


Reverse Engineering



Risk Mitigated According to Plan


Risk Reduction Effectively Realized

Page
14

Unclassified

Unclassified


Commercial Hardware


Network equipment


Cisco, Summit, Juniper, Allied Telesyn


Operating Systems


Linux, UNIX, Windows, Trusted OSes


SAN switches, Console Servers, etc.


Hardening default installation


Disabling unused services or features, Ingress/Egress Filtering, Logon Banner, etc.


Formal guidance (e.g., DISA, NSA, CERT, SANS, CIS, NIST)


Required capabilities defined by


Mission purpose
-

Development, Production, Testing, Failover Spare


Enterprise Infrastructure


Time synchronization (i.e. NTP), centralized logging/monitoring
(i.e. Syslog, SNMP), remote maintenance (i.e. SSH), centralized authentication (i.e.
TACACS+)


Type of equipment
-

Controlled Interfaces, Core Servers, End User workstations


Automated tools


repeatable results


Custom scripts


Solaris Security Toolkit, DISA SRR/Gold, Titan, Bastille, YASSP

Remediation begins at the Equipment level.

Remediation

via System Mechanisms

Page
15

Unclassified

Unclassified

Firewalls/

ACLs

Trusted

OS

LDAP

Servers

Oracle

Db

PKI

Certificate

Authority

Secure

Shell

(SSH)

DNS

Install &

Hardening

Load

Balancers

Trusted

Guard

Cisco

Routers


Web

Servers

Vulnerability

Testing

COTS Products often offer cost
-
effective solutions

Remediation

via COTS Product Integration

Page
16

Unclassified

Unclassified

Remediation

via COTS Product Integration


Cisco Routers and Switches


Load Balancers


F5 Big IP


Web Servers


Netscape


Apache


Directory (LDAP) Servers


Netscape


PKI Certificate Authority


Netscape


Intrusion Detection Systems (IDS)


Network IDS


SourceFire, SNORT,
ISS RealSecure, NFR


Host IDS


ISS RealSecure, custom
log alerts


Decoy systems


Symantec
ManTrap


File Integrity


Tripwire


Firewalls


Gauntlet


CyberGuard


Cisco PIX


Oracle Databases


Including Oracle Label Security
(OLS)


Cross Domain firewall


Secure Shell (SSH) for
administration and system control
scripts


Washington University FTP


DNS installation and hardening


CORBA


Orbix


Page
17

Unclassified

Unclassified


Frequently, customer requirements for security exceed commercial
product capabilities


Information Security often requires developing custom software
solutions securely

Remediation

via Developed Software

Software Development enables bridging the gaps in integrating
COTS applications based on customers’ needs.

Page
18

Unclassified

Unclassified


Initial design and deployment decisions


Bandwidth


segregate network, multiple sensors


Encrypted traffic


limited visibility, decrypt prior to sensor


Outside perimeter


Noise, Shows growing threats


Inside perimeter


Focuses on compromises


Mechanism


Mirroring on switches


Cheaper, possible load failures


Taps


More expensive, configuration more difficult and involved


Customize to context of environment (i.e. tuning)


Minimizes false positives


Configure appropriate notifications and/or response


Detect violations of policy


Devise scheme to efficiently update signatures


Monitoring and investigation into alerts


Escalation Procedures / Remediation Actions

IDS/IPS solutions offer significant contributions to overall situational
awarenes

but can be very complex in nature and customization.

Remediation

via Intrusion Detection/Prevention Systems

Page
19

Unclassified

Unclassified


Overarching security monitoring layer


Consolidates information from variety of security equipment


Integrate existing sensors


Syslog


Log files


SNMP Traps


Smart agents


Normalize information gathered


Filter noise


Aggregate/correlate events/threats/alerts


Policy violations


Heuristic Analysis


Reports/visualization


COTS packages


CA eTrust, ArcSight, e
-
Security, Symantec, Intellitactics, netForensics, etc.


GOTS



Audit Log Evaluation and Reduction Tool (ALERT), custom scripts, etc

Enterprise Security Monitoring combines the technical solutions
for risk mitigation and risk management.

Remediation

via Enterprise Security Monitoring

Page
20

Unclassified

Unclassified


High Assurance Guard functionality that can validate data at
entry/exit points in the system


Raytheon High
-
Speed Guard


Lockheed Martin Radiant Mercury


Northrop Grumman Information Support Server Environment (ISSE)



Oracle Label Security (OLS) for row level database control


Oracle Data Vault cross domain product is built upon OLS

Cross
-
domain solutions are as unique as our customer set.

Remediation

via Cross Domain Solutions

Page
21

Unclassified

Unclassified

Cross
-
Domain Sharing Approaches


Architectures Currently In Vogue


Multiple Single
-
Level (MSL)


Multi
-
Level Security (MLS)


Multiple Independent Levels of Security (MILS)


Multiple Single
-
Level


Systems confined to multiple single
-
level domains


Systems remain relatively ‘dumb’ about security levels


Security controls enforced at the boundaries by Controlled Interfaces, a type of
Cross Domain Solution (CDS)


Multi
-
Level Security


The entire system inherently understands and enforces security requirements


Typically requires Trusted Operating Systems


i.e., SELinux, Solaris 10 Trusted Extensions, HP NetTop, etc


Very complicated, extremely limited vendor support


Multiple Independent Levels of Security


Layered Architecture (Separation Kernel, middleware, applications)


Implements an Information Flow/Data Isolation Security Policy

MSL is still only practical solution for most applications

Page
22

Unclassified

Unclassified

Non
-
Traditional Approach

ACTIVE ASSURANCE


Active Protection


Role
-
Based Access Control


Predictive Active Assurance

INFORMATION SECURITY


Device Protection


Biometrics


Forensics

ACTIVE I/O


Persistent Agents


Social Network Analysis


Infrastructure Indep. Comms

CYBER CI


Agent Networks (BOTS)


Implants


Reverse Engineering

POLICY & ARCH


Role Based Access


Vulnerability Analysis


Identity Management

COLLECT & EXPLOIT


Virtual Networks


COLLECT & EXPLOIT


Non
-
traditional Devices


Network Access/Redirect


Covert Delivery & Agents

POLICY & ARCH


H/W Validation


F/W Validation


S/W Validation

Technology

Services and Support

Offensive

Defensive

Page
23

Unclassified

Unclassified

The Problem with Software


Intended
Behavior


Actual
Behavior

Missing functionality
(Bugs)

Intended
functionality

Unintended

functionality

(Bugs?)

The unintentional functionality in information systems can
be leveraged in unique ways to provide creative, bold
and aggressive advantage

Page
24

Unclassified

Unclassified

Vulnerability Research


Discovering and exploiting flaws in software is the key to
success in information operations


Open source development has dramatically increased
accessibility and collaboration


A zero
-
day vulnerability is one that:


Vendor has no knowledge so no patch exists


Target has no knowledge so he can’t protect himself


Others in the community have no knowledge so lifespan is prolonged



Active Vulnerability Research is key to discovery prior to
adversary exploitation

Page
25

Unclassified

Unclassified

Reverse Engineering


The DoD is aggressively pursuing the development of software
protection and anti
-
tamper technologies


The government requires assessment of these emergent technologies


Requires an ability to reverse engineer heavily armored software


Forensic reverse engineering analysis of malicious code on a Quick
Reaction Capability (QRC) turnaround is often desirable


Analysis to determine what the code has potentially compromised


Analysis to determine what the code is capable of doing


Determine attribution


Reverse engineering analysis is required as the first step in any binary
modification exercise


The government often requires covert functionality to be implemented in
commercially available devices

Page
26

Unclassified

Unclassified

Questions and Answers


What questions can we answer for you?




What have we forgotten to cover?

Unclassified

Unclassified

Backup

Page
28

Unclassified

Unclassified


Lead system architecture definition


Conduct trade studies


Develop SOW/SOR for security
requirements and implications


Specify network security architecture


Determine appropriate security
certification methods and processes

Concept Definition

Development

Integration

Operations


Define certifiable security architecture


Perform trade studies on security products


Evaluate interactions of security products
with other system components


Develop custom tools where industry
products are not available or do not meet
requirements


Prepare security certification plans



Install/configure/support security products


Evaluate security architecture


Implement security controls


Development of operational procedures


Lead Certification and Accreditation


Periodic vulnerability analysis of security
architecture


Install/config/support of security products


Continual research of emerging security
threats and deterrents


Maintenance and obsolescence management
of core security products

Our Information Security credentials span the entire life cycle spectrum.

Full Life Cycle Coverage

Page
29

Unclassified

Unclassified

IO Threat Environment

HISTORICAL

CURRENT

PROJECTED

ACTOR

Hackers

Nation States

Networks

Physical Access Controls

Forced Password Changes

Firewalls, Encryption

Virus Scanners

Wired Communications

TARGET

MARKET

Account Management

Pushed Updates

Remote Administration

SPAM Filtering

Open Website Access

INFOSEC

Focused Nation States

Hackers

Industrial Espionage

Funded Terrorists

Companies, Online Businesses

(Switches, Routers, Firewalls)

Identity Management

Single Sign
-
On

DCID 6/3 Compliance

Active Content Filtering

Session Encryption

Wired/Wireless Communications

Policy Adherence

Data at Rest Encryption

Remote Access Solutions

Situational Awareness / Monitoring
Access Points

ITAR Compliance / Architecture

Nation States

Organized Crime

Industrial

Hackers

Individuals, User Devices, Mobile
& Wireless Applications

(Laptops, Cell, VOIP, PDAs)

ACTIVE ASSURANCE


Active Protection


Role
-
Based Access Control


Predictive Active Assurance

INFORMATION SECURITY


Device Protection


Biometrics


Forensics

Coordinated

Networks

ACTIVE I/O


Persistent Agents


Social Network Analysis


Infrastructure Indep. Comms

CYBER CI


Agent Networks (BOTS)


Implants


Reverse Engineering

POLICY & ARCH


Role Based Access


Vulnerability Analysis


Identity Management

COLLECT & EXPLOIT


Virtual Networks


COLLECT & EXPLOIT


Non
-
traditional Devices


Network Access/Redirect


Covert Delivery & Agents

POLICY & ARCH


H/W Validation


F/W Validation


S/W Validation

Page
30

Unclassified

Unclassified

DARPA contract (CHAIN deployment)


$14 million DARPA base year contract


4 option years


Build the DARPA Secure Enterprise
Network (DSEN)


Migrate legacy networks and data to the
DSEN


Manage legacy assets prior to DSEN
transition


Provide technology refresh and upgrades


Support business re
-
engineering for DSEN
migration



Address the “DARPA HARD” paradigm


Provide a low risk solution using an
advanced technology approach


Integrate proven innovative solutions using
“defense
-
in
-
depth” with COTS components

Advanced DoD Technology


Protecting Critical Research

FIREWALKER
FIREWALKER
STARBURST
STARBURST
Proprietary Programs:

Page
31

Unclassified

Unclassified

CHAIN PL3+ Network Capabilities

Key Features


PKI authentication


E
-
Mail


File sharing


Video transmission


Voice conferencing


White Boarding


Chat (instant messaging)


Provides secure knowledge management at all stages:


Creation, processing, storage, retrieval, and transmission

-
COTS operating system, COTS hardware

Fully Integrated, Compartmentalized, Collaborative System

Page
32

Unclassified

Unclassified

Raytheon High
-
Speed Guard


Key Features


High data rates eliminate
bottlenecks


900Mb/sec on 1Gbit network


DCID 6/3 Accreditation


140+ instances


NGA, Proprietary


Flexible Data Validation Rules


allows O&M admins to maintain
system


Supports file or message transfers


Supports socket or file
-
based
transfers


Selectable Features include
-


Digital Signature Validation


Virus scanning


Reliable Human Review Manager




Guards are key components in securing Cross Domain solutions necessary
for data sharing between security level




Page
33

Unclassified

Unclassified

Multiple Security Levels (MSL) Example


MSL


Multiple Security Levels


Fully segregated classification levels with specific interconnection points


Trusted “Controlled Interface” device at interconnection points


Implicit

enforcement of Mandatory Access Control (MAC) policy

MLS DB

Secret

Data

“Unclass”

Data

TS Enclave

Secret Enclave

Unclass Enclave

Secret

Data

“Other”

Data

TS

Data

Trusted Guard

Trusted


Bi
-
directional

Guard

Trusted Guard

MLS DB Trusted

Server

Page
34

Unclassified

Unclassified

Multiple Level Security (MLS) Example


MLS


Multi
-
Level Security


Requires certified trusted computing base to enforce security policy and
properly label all subjects and objects


Simultaneously permits controlled limited access by users with different security
clearances and needs to know


Explicit

enforcement of Mandatory Access Control (MAC) policy over all
resources

MLS Enclave

MLS DB Trusted

Server

MLS DB

TS/SCI

Data

Secret

Data

“Other”

Data

MLS Servers

MLS Enclave

TS Enclave

S Enclave

Other Enclave

Page
35

Unclassified

Unclassified

Multiple Independent Levels of Security
(MILS)



MILS is about:



High Assurance

(Evaluatable Systems Design)




Safety



(It does what it is supposed to do)



Security



(It does nothing else)



Real Time



(It meets its deadlines)




Embedded


(F/A
-
22, JTRS, I/O Chips…)




Standards
-
based

(Highly Independent)



COTS



(Multiple Vendors
)

MILS GOAL: To create a COTS and standards
-
based infrastructure


to enable end
-
to
-
end, secure data fusion on the GIG

MILS Architecture


Layered architecture
(separation kernel,
middleware, applications)


Implements an Information
Flow/Data Isolation Security
Policy


Leverages off COTS vendor
DO
-
178B RTOS and
middleware products

MILS Program

Raytheon participates in the
development of MILS through
AFRL/IF sponsored SIRES and
HAMES CRAD programs and
participation in The Open Group
Real
-
time Embedded Systems
forum.


Page
36

Unclassified

Unclassified

Experience

3
-
5 years

0
-
2 years

6
-
9 years

10+ years

SANS Security Essentials (Technical)

Vendor Bootcamps, Technical Training

CISSP Certification

ISSEP Certification

SANS Level 2 Specialization Track(s)

Security Conference Attendance

Security Conference (Speaker)

Additional Certifications (Customer
-
driven)

Principles of Systems Engineering

Our training curriculum is world
-
class.

Training

Page
37

Unclassified

Unclassified

Raytheon’s Information Systems
Security Engineering Process

Raytheon ISSE Process supplements internal development processes and
defines how Information Security Engineering achieves successful
Certification and Accreditation.

Page
38

Unclassified

Unclassified

Raytheon IA Reference Architecture
Approach

Determine the
Intended Use of the
Architecture
Determine Scope
of Architecture
Determine
Characteristics
to be Captured
Determine Views
and Products to
be Built
Gather Data and
Build the Requisite
Products
Use Architecture
for Intended
Purpose

Geographical/
Operational Bounds

Time Phase(s)

Functional Bounds

Technology Constraints

Architecture
Resources/Schedule
Required
Characteristics
(Commensurate Detail
Across the Different
Views) and Measure
of Performance
Products and
Data Content
Determined by
Intended Use
Completed
Architecture
(Populated
Product Set)

Investment
Decisions

Requirements
Identification

Acquisition

Operations Planning
and Execution

Purpose

Critical Uses

Target Objectives

Key Tradeoffs

Probable Analysis Methods
2
2
3
3
4
4
5
5
6
6
1
1
Enables
Enables
Vision Workshop
Zachman
Analysis
DODAF Blitz
DODAF Follow up

Raytheon Enterprise Architecture
Process (REAP)


DODAF 6
-
step Process


Leverage existing work from NCOW
-
RM
and GIG IA working group




I:

Enterprise

Understanding

Raytheon

Enterprise

Architecture

Process

I:

Enterprise

Understanding

II:

Architecture

Planning

V:

Architecture

Validation

IV:

Technical

Archit
ecting

III:

Business

Architecting

Page
39

Unclassified

Unclassified

Government Certification Experience


Experienced with DCID 6/3, DITSCAP/DIACAP, and NIST 800
-
37 C&A
methodologies


Team includes highly
-
trained specialists in DCID 6/3 concepts and requirements, including
Appendix E


Support for DITSCAP/DIACAP and NIST 800
-
37 increasing



Information Security “baked
-
in” from the beginning


Security architecture design


MLS architecture experience on multiple programs


High performance, cross
-
security level communication components


Multi
-
level and cross
-
level security experience on multiple programs


Implementation


Product configuration, installation, tuning, analysis, training


Vulnerability assessment


Custom software development


Security documentation development


System Security Plan / System Security Accreditation Agreement


Security CONOPS


Certification and Accreditation Test Plans and Procedures


Security Administration Procedures and Configuration Management

Our track record for successfully certifying systems is 100%

Page
40

Unclassified

Unclassified

Raytheon ISSE Past Performance


Freedom
-

Proprietary


Within the last 24 months, 22 Certification packages received

Full Authorization to Operate


DCID 6/3 PL2, PL3 and PL4 systems


Mission Integration and Development


Integration of legacy infrastructure at different security

levels into new architecture


DCID 6/3 PL 3
-

Multi compartment SCI system


Information Assurance Services (IAS)
-
NGA


Provide overarching Information Assurance Services for all National Geospatial
Intelligence Agency operational sites


Global Broadcast System (GBS)


DIACAP certification of entire system


US Patent Trade Office


NIST 800
-
37 certification of Raytheon components

Raytheon Information Security delivers solutions

for a variety of customers with success

Page
41

Unclassified

Unclassified

Network Security Infrastructure


A Successful IT Security infrastructure


Is championed by management


Is user friendly, cost effective, dependable, manageable, and flexible


Involves collaboration with various Lines of Business, organizations, partners, vendors,
customers, and users


Leverages and integrates best of breed commercial products

Page
42

Unclassified

Unclassified

Network Security Landscape


Environment


IT systems are targeted by competitors, adversaries,
crackers, and criminals, both externally and internally


We protect valuable assets

(money and National Security Information)


Highly Government regulated


(GLB Act, Sarbanes
-
Oxley Act, Computer Security Act,
Computer Fraud and Abuse Act, Federal Acquisition
Regulations, Electronic Communications Privacy Act, DoD
regulations, Executive Orders, etc.)


We implement compliant security solutions

(ie. DCID 6/3, DITSCAP)


Heterogeneous interconnected system with various
security levels


We implement global, WAN, LAN security solutions for diverse
customers

(national and foreign)

Page
43

Unclassified

Unclassified

Network Security Landscape


Environment (continued)


Technically complex (switches, routers, firewalls, VPNs, Anti
Virus, mainframe, midrange, client
-
server, widely distributed
networks, etc. )


Must integrate both legacy systems and new technologies


Subject to Public and Government accountability and scrutiny


Risk Management is a primary business function


Reputation is paramount


Secure massive amounts of data (images, documents,
transactions, logs and reports)


7 x 24 x 365 Operations


We implement redundant and high availability network devices, firewalls,
and security applications to protect our assets.


We support foreign and domestic global, national,

and regional operations centers

Page
44

Unclassified

Unclassified

Network Security Landscape


Implement secure

Methodologies, concepts, principles


Least Privilege


Defense in Depth


DMZs and Security Zones


Layered Security


Compartmentalization


Separation


Default Deny


Use the same or similar “Best Practices”, standards, professional organizations


FIPS, NIST, GASSP, Common Criteria, BS/ISO 17799, SAS 70, COBIT


SEI, ISO, IETF, IEEE, NIST, ISC2, NIAP, SANS Institute, TruSecure, ISACA