
CHIPS Articles: Information Assurance Vulnerability Compliance Tracking and Reporting for U.S. Navy Ships

Information Assurance Vulnerability Compliance Tracking and Reporting for U.S. Navy Ships
Automating afloat network patch management examinations for fleet IAMs
By Lt. Cmdr. Ricardo Vigil - April-June 2009
The protection of Navy shipboard networks is critical to national security. An important part of maintaining a secure network posture is the timely application of software maintenance patches.

In response to this need, the Computer and Network Security Branch at Space and Naval Warfare (SPAWAR) Systems Center Pacific (SSC Pacific) developed the Vulnerability Remediation Asset Manager (VRAM), a new Web portal initiative designed to assist ships in achieving Information Assurance Vulnerability (IAV) compliance.

The tool is used by both the Computer Network Defense-in-Depth Baseline Assessment (CNDIDBA) teams and shipboard personnel to verify shipboard IAV compliance.

An independent team of Computer Network Defense (CND) experts executes a CNDIDBA during each ship's unit level training phase. The CNDIDBA consists of an IAV compliance scan, a password policy assessment and various security checks on the Common PC Operating System Environment (COMPOSE).

The independent CNDIDBA team performs the IAV compliance portion using the Secure Configuration Compliance Validation Initiative (SCCVI) tool. Each ship must complete a baseline assessment every 24 months or within 60 days following a systems upgrade or major configuration change to the network.

COMPOSE combines commercial off-the-shelf and government off-the-shelf products that deliver directory services, e-mail, Web acceleration, office automation applications, collaboration tools and antivirus software for the Integrated Shipboard Network System (ISNS), Combined Enterprise Regional Information Exchange System (CENTRIXS), Sensitive Compartmented Information (SCI) networks, and Submarine Local Area Network (SubLAN).

COMPOSE delivers these services to the warfighter in a secure software bundle that aligns to the latest Defense Information Systems Agency (DISA) standards and guidelines.

SCCVI is currently employed as eEye Digital Security's Retina© Network Security Scanner; it is DISA's tool of choice for network vulnerability scanning within the Defense Department. Its use is mandated by Navy Cyber Defense Operations Command (NCDOC) Computer Tasking Order (CTO) 06-02. Monthly scans are also conducted by ship's personnel to identify and mitigate network vulnerabilities as they are discovered. This requirement, mandated by NCDOC CTO 06-02, is in response to increased attacks on Navy networks.

To assist the fleet with meeting these monthly requirements, Program Executive Officer for Command, Control, Communications, Computers and Intelligence (PEO C4I), Program Manager Warfare for Tactical Networks (PMW 160) fielded SCCVI on afloat networks.

SCCVI enables the fleet to scan its networks and aggressively track compliance within the IAV Management (IAVM) program. SCCVI provides the ship's information assurance manager an independent analysis of installed IAV patches.

Missing patches identified by SCCVI are downloaded from SPAWAR's Naval Networks Web site, installed and pushed to the vulnerable machines.

The Naval Networks Web site is the only authorized repository for downloading patches for all PMW 160 programs of record (POR) such as the COMPOSE network systems. Each ship is responsible for achieving 100 percent compliance for all networked systems for which an IAV exists and for which a fix has been released by the respective POR office.

However, a major difficulty with the use of SCCVI is that it does not cross-reference scan results with patches released by the respective POR office. For example, results for a SCCVI scan for COMPOSE would include all missing patches whether or not the patches are approved by the COMPOSE program office.

Until recently, it was the responsibility of either the ship's IAM or the CNDIDBA team to manually parse SCCVI results and determine which IAVs were fixable by ship's force and which were unfixable.

Fixable IAVs are patches released by the responsible POR office. Unfixable IAVs are patches that have been identified by the program office but have not yet been released. Ships are not responsible for installing unfixable patches until the responsible program office releases a patch.

To remedy this situation, SSC Pacific launched VRAM, in conjunction with the Fleet Numerical Meteorology and Oceanography Center located in Monterey, Calif., to automate the manual parsing of the SCCVI results as well as establish a repository for the scan data.

VRAM enables the ship’s IAM to track and monitor compliance with IAVs by removing the labor-intensive manual end user process of cross-referencing SCCVI scan results with approved patches on the Naval Networks Web site.

To better understand the connection and synergy between SCCVI and VRAM, let us step through a typical vulnerability scan of a shipboard network running COMPOSE.

The ship’s IAM would first install and then launch the vulnerability scanner from a workstation that is connected to either the unclassified NIPRNET or classified SIPRNET enclave. The IAM would then perform a discovery scan of the enclave based on the active subnets to identify all live hosts.

The discovery scan results would then be combined into various address groups, defined as a collection of hosts (servers or workstations) related to a specific POR system. For example, the COMPOSE address group would contain only COMPOSE hosts. Once all of the address groups are created, the next step would be to conduct an IAV audit scan of each group to enumerate a list of vulnerabilities on each system.

For this example, let us continue with the COMPOSE POR. During the IAV audit, the scanner connects to each machine in the address group and compares the machine’s installed patches with SCCVI’s complete list of IAV patches.

Once the audit is complete, the IAM exports the scan results by generating a Vulnerability Management System (VMS) export file on the completed scan. Instead of manually trudging through the scan results, the IAM can upload the VMS export file to VRAM where it is parsed and automatically cross-referenced with all of the approved patches released by the COMPOSE program office.

Once the VMS file is uploaded, VRAM will output results similar to those shown in Figure 1.

VRAM provides the IAM with a scan summaries report page that contains the following information:
-- Total number of hosts scanned;
-- Total number of hosts fully patched;
-- Total number of patches available;
-- Total number of patches fully applied;
-- Number of fixable IAV Alerts, Bulletins and Technical Advisories missing; and
-- Number of unfixable IAV Alerts, Bulletins and Technical Advisories missing.
The IAM can drill down from the scan summaries report into the remediation report page. Here the IAM can choose to display the results as follows:
-- Vulnerability by Host – displays all available IAV patches missing for each host scanned (illustrated in Figure 2), or
-- Hosts by Vulnerability – displays all affected hosts for each available IAV.
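The cross-referencing step described above, as an added illustration that is not VRAM's own code: it takes a simplified list of (host, missing IAV) records standing in for a parsed VMS export, compares it against the patches a hypothetical COMPOSE program office has released, and produces the scan summary counts and both remediation views. All host names, IAV ids and the "fully patched" rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data, not a real SCCVI/VMS export. Each record is
# (host, IAV id the scanner found missing); ids follow the YYYY-<A|B|T>-NNNN
# style of IAV Alerts, Bulletins and Technical Advisories but are made up.
SCAN_RESULTS = [
    ("compose-srv1", "2009-A-0001"),
    ("compose-srv1", "2009-B-0007"),
    ("compose-ws12", "2009-A-0001"),
    ("compose-ws12", "2009-T-0003"),
    ("compose-ws13", "2009-B-0007"),
    ("compose-ws15", "2009-T-0003"),  # missing only an unreleased patch
]
# Every live host in the COMPOSE address group, including clean ones.
HOSTS_SCANNED = ["compose-srv1", "compose-ws12", "compose-ws13",
                 "compose-ws14", "compose-ws15"]
# Patches the (hypothetical) COMPOSE program office has released; only
# these are "fixable", so only these count against ship's force.
APPROVED_PATCHES = {"2009-A-0001", "2009-A-0002", "2009-B-0007"}


def cross_reference(scan, hosts, approved):
    """Return (scan summary, vulnerability-by-host, hosts-by-vulnerability)."""
    by_host, by_iav = defaultdict(set), defaultdict(set)
    for host, iav in scan:
        by_host[host].add(iav)
        by_iav[iav].add(host)
    missing = set(by_iav)
    fixable, unfixable = missing & approved, missing - approved
    summary = {
        "hosts_scanned": len(hosts),
        # Assumption: a host is "fully patched" when it lacks no released
        # patch; unreleased (unfixable) IAVs do not count against it.
        "hosts_fully_patched": sum(
            1 for h in hosts if not by_host.get(h, set()) & approved),
        "patches_available": len(approved),
        "patches_fully_applied": len(approved - missing),
        "fixable_missing": len(fixable),
        "unfixable_missing": len(unfixable),
    }
    # Remediation views list only fixable IAVs, the ones the IAM can act on.
    vuln_by_host = {h: sorted(by_host.get(h, set()) & approved) for h in hosts}
    hosts_by_vuln = {i: sorted(by_iav[i]) for i in sorted(fixable)}
    return summary, vuln_by_host, hosts_by_vuln


if __name__ == "__main__":
    summary, vbh, hbv = cross_reference(SCAN_RESULTS, HOSTS_SCANNED, APPROVED_PATCHES)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for host, iavs in vbh.items():
        print(host, "->", ", ".join(iavs) or "fully patched")
```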

The IAM would then use the IAV links on the remediation report page to download the missing fixable patches from the Naval Networks Web site and apply these selected patches to the affected hosts. The use of VRAM provides a huge improvement for monitoring and fixing network vulnerabilities. Its use not only assists ship IAMs in aggressively managing the IAVM program, but it can also provide Immediate Superior in Command (ISIC), program offices and other computer network defense organizations with visibility into the status of their commands or systems.

There are three types of VRAM accounts:
-- Site Administrator – the user-based role for a ship IAM; site administrators are able to upload SCCVI scan results and view scan summaries.
-- Staff Administrator – the user-based role for ISICs or strike group information warfare commanders; staff administrators can create groups of several ships to view the “site posture,” i.e., track each unit’s IAV compliance trends.
-- Program Office – the user-based role for the POR office to manage the IAV patch database for its program, view the posture of its cognizant POR systems, or add or associate a unit with a particular POR.

VRAM has proven its usefulness in providing a less labor-intensive means for finding network vulnerabilities, thus improving the CNDIDBA process and expediting remediation actions — as well as freeing ship's personnel to pursue other critical security activities.

Lt. Cmdr. Vigil was the Computer Network Defense-in-Depth Baseline Assessment project officer for SSC Pacific. He is currently assigned to Space and Naval Warfare Systems Center Bahrain.

Figure 1. VRAM scan summaries report page.

Figure 2. VRAM remediation report page -- Vulnerability by host
CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988