AWRAC overview All Service Social Media Conference 23 Sep 2010


Upload: us-army

Post on 26-May-2015


DESCRIPTION

Army Web Risk Assessment Cell introductory briefing presented at the All Service Social Media Conference Sept 23, 2010.

TRANSCRIPT

Page 1: AWRAC overview All Service Social Media Conference 23 sep 2010

UNCLASSIFIED


All Service Social Media Conference

Army Web Risk Assessment Cell (AWRAC) Mission Overview

MAJ Matthew E. Wear, NETC-ES-IA [email protected], (703) 323-2071

Page 2: AWRAC overview All Service Social Media Conference 23 sep 2010


• PURPOSE: To present and discuss: The Army Web Risk Assessment Cell (AWRAC) mission and approach, including the internally developed Web Risk Management System.

• OBJECTIVES: By the end of this presentation you will be able to:
  – Understand the AWRAC’s mission and approach
  – Understand need for and capabilities of the Web Risk Management System (WebRMS)
  – Understand what AWRAC is doing to extend capability to the OPSEC community and beyond

MAJ Matthew E. Wear, NETC-ES-IA [email protected], (703) 323-2070

Page 3: AWRAC overview All Service Social Media Conference 23 sep 2010


Agenda

• What is the AWRAC?
  – Mission Overview & Approach
• Why the WebRMS Application?
  – Background on why it was needed
  – Application processes overview
  – Preview of pilot program with OPSEC Community
• AWRAC Strategic Plan Overview
  – Business process evolutionary changes
• How are we doing?
  – Examples of findings
• Other Missions Supported by AWRAC
  – Web Vulnerability Analysis scanning of army.mil websites

Page 4: AWRAC overview All Service Social Media Conference 23 sep 2010


AWRAC Mission

• Responsible for reviewing the content of Army’s publicly accessible Web sites for policy and OPSEC concerns
• Conduct ongoing operational security and threat assessments of Army Websites (.mil and all other domains used for communicating official information)
• Mission expansion to include Army Knowledge Online (AKO)
• Ensure web sites are compliant with DOD and Army policies and best practices
• Review Army related Web Logs (Blogs), Video Logs, Photo sharing sites and unofficial Army websites posted by service members on the World Wide Web for:
  • OPSEC violations
  • Personal information
  • Potentially detrimental content to the military

Page 5: AWRAC overview All Service Social Media Conference 23 sep 2010


AWRAC is Not!

• Law Enforcement
  – Investigative
  – Punitive
• Politically Motivated
  – Bad taste is not a search criteria
  – Commander’s Filter

Page 6: AWRAC overview All Service Social Media Conference 23 sep 2010


• Org chart

Page 7: AWRAC overview All Service Social Media Conference 23 sep 2010


Army Web Risk Assessment Cell

Texas National Guard

Washington National Guard

Virginia National Guard Data Processing Unit / CNO Bn

Army Reserve Element DISA

NETCOM 2 Contractors

Pete Anzulewicz & David Lickwar

12 Mobilized Soldiers

32 M-Day Soldiers

5 M-Day Soldiers

8 M-Day Soldiers

5 TPU Soldiers

5 TPU Soldiers

Army Reserve Element SWIOC

Texas National Guard

Washington National Guard

Virginia National Guard Data Processing Unit / CNO Unit

Army Reserve Element DISA

NETCOM G-36 Staff

20 Mobilized Soldiers

32 M-Day Soldiers

10-15 M-Day Soldiers

30-40 M-Day Soldiers

5 TPU Soldiers

5 TPU Soldiers

Army Reserve Element - SWIOC

Massachusetts National Guard

Pennsylvania National Guard

2 M-Day Soldiers

2 M-Day Soldiers

Page 8: AWRAC overview All Service Social Media Conference 23 sep 2010


DoD Web Risk Assessment Model

• Army: AWRAC
• Navy: NWRAC
• Marines: MWRAC
• Air Force: AFRAC

JWRAC

Page 9: AWRAC overview All Service Social Media Conference 23 sep 2010


AWRAC & JWRAC Collaboration

• Mutually beneficial relationship
  – Overlapping mission scope
  – Sharing of concerns
  – Vulnerability Sharing
  – Sharing of capabilities
  – Conference participation
  – Conduit to OSD(I), NII/DOD CIO
  – Cross flow of information

Page 10: AWRAC overview All Service Social Media Conference 23 sep 2010


How Sites are Identified for Review

[Diagram labels: Web Site TARGETING; Requests from web owner; Random selection of web sites; Web Spidering; JWRAC Collaboration; Army Operations Current / Future; Remediation; USAR; WA ARNG; TX ARNG; VA ARNG; VA DPU; NETCOM; Web Owner; IAPM; AWRAC Analyst; FOLLOW-UP]

Page 11: AWRAC overview All Service Social Media Conference 23 sep 2010


Concern Categories – What We are Looking For

• Force Protection: Elements that address physical and operational security.
• Communications: Critical information infrastructure, information system and network or equipment.
• Logistics: Information regarding movement of equipment, inventory or readiness.
• Personnel: Family information, SSN, full DOB or phone numbers.
• Operations: Military action or strategic, operational, tactical, and training mission information.
• Critical Infrastructure: Systems (water, power, sewage treatment, banking, etc.) whose destruction would have an impact on defense or economic security.

Page 12: AWRAC overview All Service Social Media Conference 23 sep 2010


Current AWRAC Tools

• Web Risk Management System (WebRMS)
  – GOTS application developed by AWRAC
  – Now adopted by the Joint Web Risk Assessment Cell (JWRAC) as the primary tool for the joint web OPSEC mission
• IBM Rational Policy Tester (Previously WatchFire)
  – Now fully integrated into WebRMS operations

Page 13: AWRAC overview All Service Social Media Conference 23 sep 2010


Current Army Web Environment

• Mission Challenges:
  – Web Servers are managed by 4 independent processes:
    • Content Management
      – Web OPSEC (IBM Rational Policy Tester, Google, etc.)
      – Reporting (WebRMS)
    • Infrastructure Security (Hosting)
      – IAVA Alerts
      – Patches
      – Scanning Tools
      – PKI
    • Proxy / Cache Servers
      – Each cache server houses an independent database of cache
    • Registration
      – White List / Army Central Web Registration
      – Army A-Z
      – Official Social Media and Social Networking Sites

Page 14: AWRAC overview All Service Social Media Conference 23 sep 2010


Web Risk Management (WebRMS)

• Established to create a platform for central compliancy management of the Army’s web space
  – Provides a Central Validation process
  – Provides leadership with near real-time overall Web Health assessment of INFRASTRUCTURE and OPSEC vulnerabilities and concerns
  – Scans websites and saves links rather than content for faster processing and lower technical requirements
  – Manages the workflow to track what has been validated already to reduce workload to what has changed
    • Efficiency gain over repeatedly reviewing the same content
  – Integrated with IBM’s Rational Policy Tester application for key word search capability
    • Allows for rapidly scanning sites for concern in text/documents
    • Reduces analyst “eyes on” time to focusing more on multi-media content rather than text
  – Works with web site owners ensuring sites are AR 25-1 & AR 25-2 Compliant

Page 15: AWRAC overview All Service Social Media Conference 23 sep 2010


Web Risk Management System (WebRMS)

Application Demonstration

Page 16: AWRAC overview All Service Social Media Conference 23 sep 2010


Process Overview

Page 17: AWRAC overview All Service Social Media Conference 23 sep 2010


Concerns Process Lanes

[Swim-lane diagram. Lanes: WebRMS; AWRAC Analyst; AWRAC Sr. Analyst; OPSEC PM. Steps shown: Scan finds key word; Add findings to database; Prioritizes webpage for review; High value word?; Review Website; OPSEC found?; Create Concern; Review Concern; Remediate Concern; OPSEC found?; Remediate Concern; Review Concern]

Page 18: AWRAC overview All Service Social Media Conference 23 sep 2010


AWRAC Review Methodology

AWRAC Analysts perform web OPSEC reviews in two main approaches:

Prioritized Concerns
• Key word findings result in score that escalates higher priority concerns to the top of their workflow.

URL Start to Finish
• A root URL is spidered to map all pages and documents as separate review assignments and work through each from start to finish
• Most often used for either Compliance Verification Team (CVT) or DA Inspector General type inspection or for special request by web owner

Regardless of methodology, each page and document is tracked as an individual assignment for review
• All pages/documents are eventually reviewed regardless of approach
• Upon completed review an MD5 hash is recorded for the site
• Once reviewed, site will not be flagged for review again unless a change to the site is detected by MD5 hash modification
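The review methodology above, worked through as an added Python example (not WebRMS code): key word rules score each page, the queue is ordered by score, and a page drops out of the queue once its hash is recorded until the content changes. The rule names, patterns, weights, the scoring formula (priority times hit count), the whitespace normalization and the sample URLs are assumptions made for illustration.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str       # unique expression name
    pattern: str    # regular expression built for the key word
    priority: int   # priority value (assumed weight)
    category: str   # concern category


# Constructed sample rules; not WebRMS's real expressions or weights.
RULES = [
    Rule("ssn-format", r"\b\d{3}-\d{2}-\d{4}\b", 10, "Personnel"),
    Rule("deployment", r"\bdeploy(?:s|ed|ing|ment)?\b", 5, "Operations"),
    Rule("equipment-move", r"\bequipment\s+loaded\b", 3, "Logistics"),
]


def content_digest(content, algorithm="md5"):
    """Hash whitespace-normalized content so reflowed markup alone does not
    re-flag a page. MD5 mirrors the slide; pass "sha256" where the page
    owner could deliberately craft a colliding change."""
    normalized = " ".join(content.split())
    return hashlib.new(algorithm, normalized.encode("utf-8")).hexdigest()


def score_page(content, rules=RULES):
    """Return (score, {rule name: hit count}) for one page."""
    hits, score = {}, 0
    for rule in rules:
        count = len(re.findall(rule.pattern, content, flags=re.IGNORECASE))
        if count:
            hits[rule.name] = count
            score += rule.priority * count
    return score, hits


class ReviewQueue:
    def __init__(self, algorithm="md5"):
        self.algorithm = algorithm
        self.reviewed = {}  # url -> digest recorded at last completed review

    def needs_review(self, url, content):
        return self.reviewed.get(url) != content_digest(content, self.algorithm)

    def triage(self, crawl):
        """Pending pages, highest score first. Zero-score pages stay in the
        queue because every page is eventually reviewed."""
        pending = []
        for url, content in crawl.items():
            if self.needs_review(url, content):
                score, hits = score_page(content)
                pending.append((url, score, hits))
        return sorted(pending, key=lambda item: (-item[1], item[0]))

    def mark_reviewed(self, url, content):
        self.reviewed[url] = content_digest(content, self.algorithm)


# Constructed crawl output (url -> extracted text), for illustration only.
SAMPLE_CRAWL = {
    "https://www.example.org/news": "Family day is Saturday. Bring chairs.",
    "https://www.example.org/blog":
        "We are deploying soon; 75% of our equipment loaded for deployment.",
    "https://www.example.org/roster": "SGT Doe 123-45-6789, SPC Roe 987-65-4321",
}
```

Hashing the whole page means any rotating element (a date stamp, a visitor counter) changes the digest and sends the page back for review, so such elements need to be stripped before hashing.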

Page 19: AWRAC overview All Service Social Media Conference 23 sep 2010

OPSEC Pilot – Functional Requirements

• Pilot recently initiated with NGB & MEDCOM
• Functional Requirements
  – Major Command level granularity for visibility
  – Findings adjudication
    • Progress Notes
    • Remediation Status
  – For concerns not attributable to a major command, ownership at an OPSEC program level
  – Concern assignment – based on AWRAC manual review but attributable to a major command
    • AWRAC team initiated
    • Flag for OPSEC review
    • Assign to OPSEC Program Office if unable to determine MACOM
• Public sites – visibility to OPSEC program manager

Page 20: AWRAC overview All Service Social Media Conference 23 sep 2010

OPSEC Pilot – Functional Requirements

• Functional Requirements Continued
  – Flag Concerns for Critical Information Finding
    • Tees up concern for OPSEC program manager review
  – Notification – Automated to Major Command OPSEC program manager
  – Ability for gaining Critical Information List Key Words from OPSEC PM
    • Input mechanism
    • Trigger for AWRAC developer to add to “Regular Expressions”

Page 21: AWRAC overview All Service Social Media Conference 23 sep 2010

WebRMS Methodology

https://webrms.army.mil

Page 22: AWRAC overview All Service Social Media Conference 23 sep 2010

A. WebRMS Login

Page 23: AWRAC overview All Service Social Media Conference 23 sep 2010

A.1 Enter WebRMS Credentials

AWRAC User Name

AWRAC User Password

Page 24: AWRAC overview All Service Social Media Conference 23 sep 2010

A.2 Select Certificate

Select Your Certificate

Page 25: AWRAC overview All Service Social Media Conference 23 sep 2010

A.3 Enter CAC Pin

Enter your PIN

Page 26: AWRAC overview All Service Social Media Conference 23 sep 2010

A. WebRMS Portal

Page 27: AWRAC overview All Service Social Media Conference 23 sep 2010

B. Key Word Expressions

Page 28: AWRAC overview All Service Social Media Conference 23 sep 2010

B.1 Select Regular Expression Link

Double Click Link

Page 29: AWRAC overview All Service Social Media Conference 23 sep 2010

B.2 Click New Rule Button

Click New Rule Button

Page 30: AWRAC overview All Service Social Media Conference 23 sep 2010

B.3 Create Unique Identifier

Enter unique expression name

Page 31: AWRAC overview All Service Social Media Conference 23 sep 2010

B.4 Build New Expression

Enter acronym (optional)

Enter phrase (optional)

Results displayed

Description of the expression’s expected results

Build button

Continue button

Page 32: AWRAC overview All Service Social Media Conference 23 sep 2010


B.5 Immediate Notification (optional)


Select POC for finding

Click to activate option

Note: This option will set the rule to be exclusive to agency building the expression.

Warning: Do not enter classified content

Page 33: AWRAC overview All Service Social Media Conference 23 sep 2010


B.6 Set Agency Parameters


Set priority value – per agency SOP

Set category – per agency SOP

Select rule

Enter references or regulations (optional)

Target publicly accessible

Target internal sites (reserved usage)

Page 34: AWRAC overview All Service Social Media Conference 23 sep 2010


C. Analyst Work Screens

Page 35: AWRAC overview All Service Social Media Conference 23 sep 2010

C.1 Select WebRMS Link

Double Click Link

Page 36: AWRAC overview All Service Social Media Conference 23 sep 2010

C.2 Analyst Work Screen

URL for Review

Rules/Expressions Found & Count

Click to review

Page 37: AWRAC overview All Service Social Media Conference 23 sep 2010

C.3 Review Web Contents

Page 38: AWRAC overview All Service Social Media Conference 23 sep 2010

C.4 Complete Work Screen

Review stats auto updated

Update site findings

Click to mark complete

Page 39: AWRAC overview All Service Social Media Conference 23 sep 2010

C.5 Report Concern Screen

Pre-populated fields

Finding updates – per agency SOP

Brief comment about concern. DO NOT POST PII

Click to submit

Page 40: AWRAC overview All Service Social Media Conference 23 sep 2010

D. Mediator Work Screens

Page 41: AWRAC overview All Service Social Media Conference 23 sep 2010

D.1 Select WebRMS Concerns Link

Double Click Link

Page 42: AWRAC overview All Service Social Media Conference 23 sep 2010

D.2 Mediator’s Summary Work Screen

Click to update

Click to review Concern Location Status of Concern

Page 43: AWRAC overview All Service Social Media Conference 23 sep 2010

D.4 Review Concern Screen

Open Concerns to OPSEC PMs

Details to review

Notification update

Page 44: AWRAC overview All Service Social Media Conference 23 sep 2010

D.5 Update Concern Screen

Finding updates – per agency SOP

Next Action updates

Click to update

New comments

Comment exposure levels

Page 45: AWRAC overview All Service Social Media Conference 23 sep 2010

WebRMS SharePoint Portal

Collaboration & Reporting

Page 46: AWRAC overview All Service Social Media Conference 23 sep 2010

WebRMS SharePoint Dashboard

Page 47: AWRAC overview All Service Social Media Conference 23 sep 2010

Site Content

Quick links to various discussion by the Cells

Provides quick links to Army Regulations, Policies, and AWRAC Reports

Page 48: AWRAC overview All Service Social Media Conference 23 sep 2010

Statistics Summary

Count of the total number of military (.mil) and other sites recorded or detected

Count of the total number of newly added web sites to the database

Page 49: AWRAC overview All Service Social Media Conference 23 sep 2010

Page Statistics Summary

Total count of the web pages for review in the database


Count of recently reviewed pages

Page 50: AWRAC overview All Service Social Media Conference 23 sep 2010


Other Statistics

Count of root websites officially registered through AKO

Count of root websites proxy protected

Count of root websites not registered through AKO

Page 51: AWRAC overview All Service Social Media Conference 23 sep 2010

WebRMS OPSEC PILOT

Currently

Current Status:
• WebRMS application is available across DoD
• Working with DAIG in preparation for FY11 audit of Army Social Media Sites
• Intent is to continue to expand this visibility to the MACOM level OPSEC Program Managers and IAPMs
• Long term intent is to also include MACOM Public Affairs Officers who are tasked with owning the content for the sites within their command

Page 52: AWRAC overview All Service Social Media Conference 23 sep 2010

AWRAC Strategic Plan

How AWRAC is working towards overall process improvement

Page 53: AWRAC overview All Service Social Media Conference 23 sep 2010


AWRAC Business Process Evolution

• AWRAC Evolutionary Objectives
  – Less than 6 Months
    • Tuning of IBM Rational Policy Tester functionality for key word search capability into WebRMS site review and validation processes.
      – This functionality’s timing is perfect for AKO EXORD requirements
      – Working with OPSEC Community for Critical Information List search criteria
    • Complete the implementation of the AKO specific version of WebRMS and database synchronization to the main production WebRMS system
      – Workload management and reporting
    • Fully integrate remote AWRAC team members to leverage additional manpower towards this mission
    • Develop PKI validation functionality into WebRMS

Page 54: AWRAC overview All Service Social Media Conference 23 sep 2010


AWRAC Business Process Evolution

• AWRAC Evolutionary Objectives
  – Less than 1 Year
    • Work with OPSEC Program Managers
      – Provide increased visibility into AWRAC findings
      – Awareness of high priority findings
      – Remediation at the organizational level for systemic problems
      – Improve AWRAC search capabilities through key word collaboration
    • Maximize automated review processes for army.mil sites to allow manual reviews and attention to focus on Social Networking/Media sites and other .com concerns
  – Less than 2 Years
    • WebRMS functionality extended to Public Affairs community for OPSEC validation and review

Page 55: AWRAC overview All Service Social Media Conference 23 sep 2010


AWRAC Web Vulnerability Analysis Reviews

Page 56: AWRAC overview All Service Social Media Conference 23 sep 2010

AWRAC Web Vulnerability Analysis

– Defense Information Assurance Program is sponsoring a program to improve web server security across DoD

– Web Risk Assessment Cells will be responsible for scanning their respective Service’s websites

– DIAP will purchase servers and licensing on behalf of each service WRAC

– Services will host and execute their own scans
  • Results reported to the DIAP & Service CIO

Page 57: AWRAC overview All Service Social Media Conference 23 sep 2010

Four Primary Objectives for securing army.mil sites:

1. Checking for invalid DoD PKI Certificates
- Verify the DoD PKI Certificates are installed
- Identification of Expired Certificates for remediation
- Identification of Mismatched hostname to Cert names
- Validating website Certificate Authority (CA)
- Checking Certificate revocation lists (CRLs)
- Method used: Online Certificate Status Protocol (OCSP)

2. Ensuring the use of “approved” FIPS 140-2 Security Requirements
- Both a DoD and OMB Mandate: This standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information.
- Fact: Many DoD websites are not using FIPS 140-2 levels of encryption and security which is unacceptable.

AWRAC Validation & Enforcement Team
Website Vulnerability Analysis
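Two of the certificate checks listed under objective 1 (expired certificates and hostname-to-certificate mismatches), as an added Python example that is not AWRAC's scanner. It assumes the certificate fields arrive in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; the finding labels, the 30-day warning window and the sample certificates are constructed for illustration, and CA chain validation and OCSP revocation checking are not covered.

```python
import ssl
import time


def dns_names(cert):
    """DNS entries from the subjectAltName field."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that is the whole left-most label and
    stands for exactly one label (so *.example.org does not cover
    a.b.example.org, and *.org is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return bool(head) and sep == "." and "." + tail == pattern[1:] \
            and tail.count(".") >= 1
    return False


def audit_certificate(cert, hostname, now=None, warn_days=30):
    """Return a list of findings for one certificate and the host serving it."""
    now = time.time() if now is None else now
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("NOT_YET_VALID")
    if now > not_after:
        findings.append("EXPIRED")
    elif not_after - now < warn_days * 86400:
        findings.append("EXPIRES_SOON")  # queue for renewal before it lapses
    names = dns_names(cert)
    if not names:
        findings.append("NO_SAN_DNS_NAME")
    elif not any(name_matches(name, hostname) for name in names):
        findings.append("HOSTNAME_MISMATCH")
    return findings


# Constructed sample data: a fixed scan time and three certificate records.
SAMPLE_NOW = ssl.cert_time_to_seconds("Sep 23 12:00:00 2010 GMT")
SAMPLE_CERTS = {
    "current": {
        "notBefore": "Jan 15 00:00:00 2010 GMT",
        "notAfter": "Jan 15 00:00:00 2012 GMT",
        "subjectAltName": (("DNS", "www.example.org"),),
    },
    "expired": {
        "notBefore": "Jun 30 00:00:00 2008 GMT",
        "notAfter": "Jun 30 00:00:00 2010 GMT",
        "subjectAltName": (("DNS", "www.example.org"),),
    },
    "wildcard": {
        "notBefore": "Oct 10 00:00:00 2009 GMT",
        "notAfter": "Oct 10 00:00:00 2010 GMT",
        "subjectAltName": (("DNS", "*.example.org"),),
    },
}
```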

Page 58: AWRAC overview All Service Social Media Conference 23 sep 2010

Four Primary Objectives for securing army.mil sites:

3. Checking for Cross Site Scripting (XSS) Exploit vulnerabilities
• Cross-site scripting (XSS) is a type of vulnerability typically found in web applications which enables malicious attackers to inject client-side scripts into web pages viewed by other users
• An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls
• Cross-site scripting carried out on websites was roughly 80% of all security vulnerabilities documented by Symantec as of 2007

4. Checking for Embedded User Name & Password on Home Page
• Still an on-going problem, especially for older web applications

AWRAC Validation & Enforcement Team
Website Vulnerability Analysis

Page 59: AWRAC overview All Service Social Media Conference 23 sep 2010

Examples of Findings

Page 60: AWRAC overview All Service Social Media Conference 23 sep 2010


Blog Example

As of today the XX Division Xth brigade will be deploying one infantry Battalion along with a company sized element of support troops to Camp Kandahar, Afghanistan.  The infantry battalion will be X/X and the support troops will be drawn from BSTB.    Also, this deployment is slotted to last only 6 months. (Until NATO can take over)

The rest of the brigade will still be on a 14 day standby as of 13 Feb, which has been the plan for some time.  We got 75% of our equipment loaded for deployment.  A deployment that we are not sure we are even going on anymore, but ready none the less. 

It looks like I will be home from the 23rd of December until the 6th of January.  The rest of my battalion will have leave dates between 23rd and the 9th…”

Army PFC, “Ramblings of a medic gone mad... “

Page 61: AWRAC overview All Service Social Media Conference 23 sep 2010

Battle Damage Assessment

Page 62: AWRAC overview All Service Social Media Conference 23 sep 2010


Site was previously not password protected and contained information for every dam in the country including downstream damage estimates in terms of population.

Critical Infrastructure Protection

Page 63: AWRAC overview All Service Social Media Conference 23 sep 2010


Critical Infrastructure Protection issue. In this case the information provided exceeds what they are authorized to provide.

Critical Infrastructure Protection

Page 64: AWRAC overview All Service Social Media Conference 23 sep 2010


Content not authorized for publication but located on the internet for anyone to obtain?

Unauthorized Disclosure

Page 65: AWRAC overview All Service Social Media Conference 23 sep 2010


Too descriptive base map published noting barracks and Battle Tech Lab locations.

Force Protection

Page 66: AWRAC overview All Service Social Media Conference 23 sep 2010


Biography including family names, ages & locations

AWRAC PII on Army Websites

Page 67: AWRAC overview All Service Social Media Conference 23 sep 2010


Yesterday, I received an email from a Captain who works for a team that scans the Internet for OPSEC security breaches telling me that one of the pictures I had posted was a potential OPSEC breach.

I changed it because there was certainly the appearance of this risk.

-- “My Days at Division”

Potential classification issue

Soldier weblog site findings

FOUO

Page 68: AWRAC overview All Service Social Media Conference 23 sep 2010


Soldier weblog site findings

FOUO

There are several other civilians who work on MRAP’s and they are very skilled mechanics. Some are DA or DOD civilians, some are contractors. DOD civilians wear uniforms, but without rank or unit patches. Contractors wear civilian clothes… (Goes on to describe the role of the major players based on what they are wearing)

…they have a “V” shaped hull, to deflect blasts away from passengers…(AWRAC reviews so that inappropriate vehicle capabilities are not being disclosed)

Page 69: AWRAC overview All Service Social Media Conference 23 sep 2010


AWRAC PII on Army Websites

Note Name & SSN

Page 70: AWRAC overview All Service Social Media Conference 23 sep 2010


Photos from Flickr

FOUO

Note Name & SSN

Page 71: AWRAC overview All Service Social Media Conference 23 sep 2010


PII including names, school year, name of school, information on school and location.

Screenshots

Page 72: AWRAC overview All Service Social Media Conference 23 sep 2010


Screenshots

PII continued.

Page 73: AWRAC overview All Service Social Media Conference 23 sep 2010


Flickr photo of a Tactical Operations Center in Afghanistan revealing potentially classified information.

Screenshots

Page 74: AWRAC overview All Service Social Media Conference 23 sep 2010


Photo displays potential PII information of soldier’s family which includes identifying names and ages of children belonging to PFC Damian Petee, in addition to the name of the current unit.

Screenshots

Page 75: AWRAC overview All Service Social Media Conference 23 sep 2010


Analytical Concerns

• Ability to store screen shots on WebRMS

• Do company level and below Army Social Media Sites receive PAO attention for verification? Are these pages registered? If not, do we review such websites?

• If there is a weblink posted on a particular media site, can it and should it be opened?

• http://www.slideshare.net/USArmySocialMedia/harmy-social-media-best-practices-3-18-10

Page 76: AWRAC overview All Service Social Media Conference 23 sep 2010


SGM Erick Guidinetti (AWRAC NCOIC) E-Mail: [email protected] 703-323-2072

Army Web Risk Assessment Cell (AWRAC)

MAJ Matthew Wear (Government Lead) E-Mail: [email protected] 804-514-3860 (Cell)

CW2 Mike Coppage (AWRAC Technical Lead) E-Mail: [email protected] 703-323-2072

SGT John McDonald (AWRAC Application Development Lead) E-Mail: [email protected] 703-323-2072

CPT Darren Hunter (AWRAC Operations Officer) E-Mail: [email protected] 703-323-2072

Page 77: AWRAC overview All Service Social Media Conference 23 sep 2010

Questions?