Protecting the Nation s Critical Assets in the 21st Century

Transcription

1 Protecting the Nation s Critical Assets in the 21st Century Dr. Ron Ross Computer Security Division Information Technology Laboratory

2 OPM. Anthem BCBS. Ashley Madison. 2

3 Houston, we have a problem.

4 Complexity. 4

5 Sharks and glaciers. HARDWARE SYSTEMS FIRMWARE SOFTWARE 5

6 The n+1 vulnerabilities problem Defense Science Board Study

7 Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach. Security Architecture and Design Harden the target System Limit damage to the target Achieving Trustworthiness and Resiliency Make the target survivable

8 TACIT Security Threat Assets Complexity MERRIAM-WEBSTER DICTIONARY tac.it : adjective expressed or understood without being directly stated Integration Trustworthiness 8

9 Threat Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities. Obtain threat data from as many sources as possible. Include external and insider threat analysis. 9

10 Assets Conduct a comprehensive criticality analysis of organizational assets including information and information systems. Focus on mission/business impact. Use triage concept to segregate assets by criticality. 10

11 Complexity Reduce the complexity of the information technology infrastructure including IT component products and information systems. Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure. Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services. 11

12 Integration Integrate information security requirements and the security expertise of individuals into organizational development and management processes. Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes. Coordinate security requirements with mission/business owners; become key stakeholders. 12

13 Trustworthiness Invest in more trustworthy and resilient information systems supporting organizational missions and business functions. Isolate critical assets into separate enclaves. Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege). 13

14 Risk assessment. 14

15 Assets and consequences. Criticality Analysis. Identification of High Value Assets. 15

16 Engineer up. 16

17 Immediate Action Plan and Resources Conduct threat and vulnerability assessments. United States Computer Emergency Readiness Team Conduct criticality analysis of information assets. FIPS Publication Reduce complexity of IT infrastructure. Federal Enterprise Architecture Initiative mmon_approach_to_federal_ea.pdf Invest in trustworthy IT components and systems. DHS Software and Supply Chain Assurance 17

18 Important NIST Security and Privacy Pubs Cybersecurity Framework NIST Special Publication , Revision 5 Security and Privacy Controls for Information Systems and Organizations NIST Special Publication , Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy NIST Special Publication Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems NIST Special Publication Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations 18

19 Some final thoughts. 19

20 Institutionalize. The ultimate objective for security. Operationalize.

21 Leadership. Governance. Accountability.

22 Government Academia Security is a team sport. Industry 22

23 Ron Ross 100 Bureau Drive Mailstop 7730 Gaithersburg, MD USA Mobile LinkedIn (301) Twitter Web Comments We are here to help you be more secure 23