
Comply To Connect - The Pentagon's Defense Against Cyber Attacks

The Pentagon's Defense against Cyber Attacks

Here's What You Need to Remember: Seven years ago, the DoD created Comply to Connect (C2C) as a way to secure its growing array of network endpoints.

The proliferation of devices on the Internet is becoming a tidal wave. In addition to your phone, computer, video game console, and television, the Internet now connects practically everything that has electronics and sensors: household appliances, heating and air conditioning systems, cars, airplanes, ships, industrial robots, public utilities, home security systems, children’s toys, and medical devices. By 2025, it is estimated that there will be at least 75 billion connected devices in what is being called the “Internet of Things” (IoT). With advances in microprocessors, sensing devices, and software, pretty soon anything that can be connected will be connected.

It should come as no surprise that the IoT has extended to government networks, particularly those operated by the Department of Defense. At DoD, everything from motors to battlefield sensors to door access readers may come with a network connection that is required for it to perform its assigned task. In addition to this mission-supporting equipment, DoD also has a litany of consumer devices running on its networks, from printers to video monitors and cameras to refrigerators. These devices are continually communicating with one another, as well as with higher headquarters all the way back to the Pentagon. The result is what some observers call the “Internet of Battlefield Things” (IoBT). There is a consensus among experts that the military which first creates the IoBT will gain a decisive advantage over its competitors.


While the evolution of the Internet into the IoT and IoBT is a generally positive development, with its arrival comes a major cybersecurity challenge. Simply put, the more devices there are on a network, the greater the potential chance that an adversary will be able to achieve penetration. There has been no shortage of news stories about how our adversaries seek to penetrate U.S. critical infrastructure, including our power grid, government networks, and elections systems. In many instances, hackers look for easy avenues for accessing our networks through connected devices. In 2016, it was discovered that implantable cardiac devices used by St. Jude’s Hospital were vulnerable to hacking. Baby monitors have proven remarkably vulnerable to hacking.

This Nation’s adversaries are aggressively trying to penetrate the networks, systems, and even individual weapons of the DoD. An increasing amount of critical, classified information is generated by the mass of devices on the network. Recently, the military found out that the movements of troops could be compromised by accessing the fitness trackers many personnel were wearing. As more and more devices are added to the IoBT, with or without permission, the risk of penetration and of the compromise of critical classified information goes up.

The exponential growth of the IoT and IoBT is creating new vulnerabilities to cyber-attacks at an alarming rate. Compromised IoT/IoBT devices are increasingly the “easy” way for attackers to get a foothold inside an organization’s network. Today, a device is usually “whitelisted” onto the network, which means it is identified as “trusted.” But that trusted device can then be used to execute commands inside of your firewall, which can help hackers perform reconnaissance and, perhaps ultimately, get to other higher-value parts of a network. In addition, many unauthorized or unrecorded devices are being added to a network, thereby increasing the chances for penetration. Adversaries can attack vulnerable devices not only to get to sensitive information but to physically compromise parts of your system that you depend on, say, in a time of war. As the IoT/IoBT grows, so does the problem of device vulnerability.

What is the DoD doing about this growing vulnerability? Seven years ago, the DoD created Comply to Connect (C2C) as a way to secure its growing array of network endpoints. C2C is a formal system for:

1) Identifying and validating new devices that are connected to a network;

2) Evaluating their compliance with DoD security policies;

3) Conducting continuous monitoring of these devices, and;

4) Automatically addressing device issues, thereby reducing the burden of maintaining cyber hygiene on cybersecurity administrators.

The C2C approach combines existing cybersecurity technologies with newer technologies to deal with the changing nature of DoD’s network architecture. The core tenet of C2C is understanding what devices and people are connecting to DoD networks and what their security posture is. With this knowledge, commanders can make informed risk decisions about these connections, and automatically control them based on security policies. C2C also provides DoD a way to continuously monitor the state of networks and devices—computing and non-computing networked devices—with a high degree of fidelity. The information yielded by C2C will feed into a centralized console that will provide these leaders full situational awareness of major areas of risk, which will, in turn, inform policy setting and resource allocation.

Without C2C, the DoD won’t know how many printers, industrial controllers, or refrigerators it has on its networks. It won’t know where its Windows patch management tools have stopped working. It won’t know whether Kaspersky and Huawei-made equipment have been removed from systems, as mandated by Congress. It won’t have a way to funnel network information to leadership for decision making. Lacking these fundamental capabilities, DoD will not be able to meet the basic responsibilities of securing its networks.

The U.S. Congress has twice in recent years directed DoD to move forward with implementing the C2C capability. While the U.S. Marine Corps and U.S. Navy, as well as a few other DoD components, have moved forward with the implementation of this program, most of DoD has not. Congress needs to be relentless in asking DoD when it plans to fully implement C2C to secure its systems and networks against increasingly sophisticated cyber adversaries. 

Securing the Outcomes of Government IT with C2C

Multiple breaches have occurred against the Federal Government and Department of Defense (DOD) institutions. Data breaches continue to increase and are expected to reach an all-time high this year. Are you prepared?

New DOD Cybersecurity Regulations Are Here

The cybersecurity challenges facing federal government agencies are more complex than ever before. The federal government has recognized the need to increase cybersecurity protection, detection, and response. This requires tools to ensure trusted users and authorized devices are rigorously inspected for malicious code, prohibited software, noncompliance, human error, and other risks.

On May 12, 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity. The order states, “Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments to defend the vital institutions that underpin the American way of life.”

Additionally, the policy states, “The federal government must adopt security best practices; advance toward Zero Trust architecture; accelerate movement to secure cloud services and invest in both technology and personnel to match these modernization goals.”

This makes it clear that the federal government recognizes the immense risk faced with protecting the confidentiality, integrity, and availability of wide-ranging applications, services, and data.

Earlier this year, a supporting DOD memorandum mandated compliance with C2C. C2C is a logical first step on the pathway to Zero Trust within the DOD. Successfully rolling out the C2C program, including the integration and operational turn-up of hundreds of DOD sites, achieves the following steps that are critical to cybersecurity:

  • Authenticating and authorizing the endpoint
  • Policy-based authentication
  • Endpoint reporting and publishing to the DOD Enterprise Endpoint Repository
  • Appropriately authorizing assets to network segments, regardless of user
  • Continuously monitoring authorized device activities through the orchestration and integration of detection and validation tools

What a C2C architecture provides

  1. Verification of the identity of all users and devices

With potential threats increasing against our nation, granting network access to any user and their device, before authenticating, is risky. Why? Because:

  • The device might not be government-owned
  • Even if the device is permitted, it might not have the latest operating system patches, exposing the network to risk from malware, virus propagation, and denial-of-service attacks
  • Any user who connects with a device could potentially access data and applications without detection
  • The device might be infected with malicious software.

The DoD currently uses a variety of access-control methods, including port-based security, to control device access. But this requires cross-checking the device’s MAC address against a manually created list of authorized addresses. And port security doesn’t scale and requires manual configuration. Plus MAC addresses can be spoofed.

  2. Prevention of unauthorized and/or compromised endpoints from accessing the network

To help make sure devices connect only when and where they are authorized to, your C2C solutions should be able to:

  • Authenticate the endpoint and determine if a device complies with the security posture (security profile should include latest operating system patches and antivirus software)
  • Automate remediation (be able to quarantine non-compliant devices and remediate quickly with minimal user effort; saving time and improving productivity)
  • Create custom profiles for proprietary systems and devices unique to defense (such as aircraft maintenance systems).

  3. Control the user’s access to resources, based on policy and authorization

  • Network awareness by authenticating the user and device then connecting the appropriate VLAN or VRF (guest VLAN = Internet access only while all other VLANs access all or subsets of DoD resources)
  • Access control lists (ACLs) for wired, wireless, and VPN connections (grants access based on user’s specific identity and permissions, after authentication)
  • Scalable group tags (SGTs) that allow administrators to centrally control access to resources (SGT allows network devices to enforce policy and permit/deny traffic accordingly).

  4. Context: know the “who, what, where, and when” of your network connections

  • Flexible reporting options with the ability to sort devices by manufacturer, operating system version, antivirus software version, and more
  • Context of device connections that document each connection attempt, including user identity, device, location, time of day, and type of network connection (wired, wireless, or VPN)
  • Built-in visibility, eliminating the need to purchase a separate application, lowering costs and reducing deployment issues.

  5. Reduction in operating cost by using automation

  • Automated network admission control and port security
  • Automated device profiling
  • Automated application of security patches when a device connects
  • Device consolidation (fewer devices mean lower space, power, cooling, and management costs so seek ways to combine your user and device authentication, guest access support, mobile device management (MDM), and bring-your-own-device (BYOD) integration)
  • Simplified deployment and operation (remember, automation lowers costs, reduces errors, and frees your high-value team members to focus on more critical work).
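
The admission flow described in the list above (authenticate the device, check its posture, then assign a network segment), set beside MAC-only port security, as an added example that is not DoD or vendor code. The segment names, the 30-day patch threshold, the `Endpoint` fields and the sample endpoints are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed values for illustration; a real deployment takes these from policy.
MAC_ALLOWLIST = {"00:11:22:33:44:55"}         # constructed port-security list
PROHIBITED_VENDORS = {"Kaspersky", "Huawei"}  # vendors named in the article
MAX_PATCH_AGE_DAYS = 30                       # assumed posture threshold

@dataclass
class Endpoint:
    name: str
    mac: str
    cert_valid: bool          # outcome of certificate-based device authentication
    user_authenticated: bool
    vendor: str
    last_patched: date
    av_running: bool

def legacy_port_security(ep):
    """MAC-only admission: trusts whatever address the device presents."""
    return ep.mac.lower() in MAC_ALLOWLIST

def c2c_decision(ep, today):
    """Authenticate the device, check posture, then pick a network segment."""
    if not ep.cert_valid:
        return "deny", ["device identity not verified"]
    failures = []
    if ep.vendor in PROHIBITED_VENDORS:
        failures.append("prohibited vendor")
    if (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("OS patches out of date")
    if not ep.av_running:
        failures.append("antivirus not running")
    if failures:
        return "quarantine", failures             # held for automated remediation
    if not ep.user_authenticated:
        return "guest", ["no authenticated user"]  # Internet access only
    return "production", []

# Constructed sample endpoints (not real devices).
TODAY = date(2022, 3, 1)
SAMPLES = [
    Endpoint("laptop", "00:11:22:33:44:55", True, True, "Dell", date(2022, 2, 20), True),
    Endpoint("cloned-mac", "00:11:22:33:44:55", False, False, "Unknown", date(2021, 1, 1), False),
    Endpoint("printer", "66:77:88:99:AA:BB", True, False, "HP", date(2021, 11, 1), True),
    Endpoint("kiosk", "CC:DD:EE:FF:00:11", True, False, "Dell", date(2022, 2, 25), True),
]

if __name__ == "__main__":
    for ep in SAMPLES:
        print(ep.name, legacy_port_security(ep), c2c_decision(ep, TODAY))
```

The `cloned-mac` sample passes the MAC allowlist yet is denied once device identity is verified, which is the gap in port security that the first item points out.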

NHDoD’s highly trained and certified trainers are your secret to success in meeting all your C2C directives and the Zero Trust Executive Order. Implementing C2C is a massive, sprawling initiative with many moving parts. When you’re ready, these classes can prepare the cyber workforce to achieve the skills necessary to guide you through the process. NHDoD is the Technology Training Partner to the Federal Government, with more than 25 years of service to the federal government. NHDoD is the proven, premier partner you need for procuring mission-critical IT solutions and improving our country's defense workforce. We are here to ensure your organization is supported with a modern, optimized C2C framework and the technology training necessary to make cybersecurity more effective and efficient across your network.


Highlighted Certification Courses:

This certification is at no cost:

SC-900: Microsoft Security, Compliance, and Identity

NHDoD is offering this certification course at no cost. The 1-day event will be on March 21, 2022. The class will have Continuing Education Units (CEU) for completing this class. It also meets the Executive Order on Zero Trust.

This course provides foundational level knowledge on security, compliance, and identity protection concepts on Microsoft Azure and Microsoft 365 solutions required to obtain the SC-900 certification. Most courses focus on Azure or Microsoft 365, but not both. The SC-900 course covers technology within both products. Those who are new to Azure and/or Microsoft 365 benefit from learning the security and compliance capabilities available to protect data and resources. After completing this course, learners will understand Azure security concepts related to networking, firewalls, application security, and protection of user and device identities.

Cisco: Network

CompTIA: Infrastructure Foundation

EC-Council: Security

Microsoft: Security & Cloud

CertNexus: Internet of Things

VMWare: Virtual

Programming:


William Jordan
