Risk-Based Cyber Security for the 21 st Century

Transcription

1 Risk-Based Cyber Security for the 21 st Century 7 th Securing the E-Campus Dartmouth College July 16, 2013 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

2 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

3 The seeds of information security and privacy in the digital age, were planted in United States Constitution over two centuries ago NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

4 The United States Constitution WE THE PEOPLE of the United States, in Order to form a more perfect Union, establish Justice, ensure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

5 The Current Landscape. It s a dangerous world in cyberspace NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

6 What do we worry about? Hostile cyber attacks. Natural disasters. Structural failures. Human errors of omission or commission. Conventional Threats NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

7 Advanced Persistent Threat An adversary that Possesses significant levels of expertise / resources. Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception). Establishes footholds within IT infrastructure of targeted organizations: To exfiltrate information. Undermine / impede critical aspects of a mission, program, or organization. Position itself to carry out these objectives in the future. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

8 Unconventional Threats What should we worry about? Connectivity Complexity Culture NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

9 The federal cyber security strategy Build It Right, Continuously Monitor NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

10 The First Front. What we have accomplished NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

11 Joint Task Force Transformation Initiative In 2012, completed development of comprehensive security guidelines that can be adopted by all federal agencies including the national security community. Flexible and extensible tool box includes: An enterprise-wide risk management process. State-of-the-practice, comprehensive, security controls. Risk management framework. Risk assessment process. Security control assessment procedures. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

12 Unified Information Security Framework The Generalized Model Unique Information Security Requirements The Delta Intelligence Community Department of Defense Federal Civil Agencies C N S S Private Sector State/Local Govt Common Information Security Requirements Foundational Set of Information Security Standards and Guidance Risk management (organization, mission, information system) Security categorization (information criticality/sensitivity) Security controls (safeguards and countermeasures) Security assessment procedures Security authorization process National security and non national security information systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

13 Unified Information Security Framework NIST Special Publication Managing Information Security Risk: Organization, Mission, and Information System View NIST Special Publication Guide for Conducting Risk Assessments NIST Special Publication Applying the Risk Management Framework to Federal Information Systems NIST Special Publication Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication A Guide for Assessing the Security Controls in Federal Information Systems and Organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

14 The Second Front. What we need to accomplish NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

15 We need to build our security programs like NASA builds space shuttles using the integrated project team concept.. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

16 A New Approach for Information Security Work directly with executives, mission/business owners and program managers. Bring all stakeholders to the table with a vested interest in the success or outcome of the mission or business function. Consider information security requirements as mainstream functional requirements. Conduct security trade-off analyses with regard to cost, schedule, and performance requirements. Implement enforceable metrics for key executives. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

17 Complexity. Ground zero for our current problems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

18 If we can t understand it we can t protect it NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

19 Enterprise Architecture Consolidation. Optimization. Standardization. And the integration of information security requirements Ø Reduces the size and complexity of IT infrastructures, promotes good information security and privacy, and can potentially lower costs (significantly) for organizations. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

20 What can we do to change course? Simplify, Specialize, and Integrate NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20

21 Increasing Strength of IT Infrastructure Simplify. Reduce and manage complexity of IT infrastructure. Use enterprise architecture to streamline the IT infrastructure; standardize, optimize, consolidate IT assets. Specialize. Use guidance in SP , Rev 4 to customize security plans to support specific missions/business functions, environments of operation, and technologies. Develop effective monitoring strategies linked to specialized security plans. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

22 Increasing Strength of IT Infrastructure Integrate. Build information security requirements and controls into mainstream organizational processes including: Enterprise Architecture. Systems Engineering. System Development Life Cycle. Acquisition. Eliminate information security programs and practices as stovepipes within organizations. Ensure information security decisions are risk-based and part of routine cost, schedule, and performance tradeoffs. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

23 Think strategic. Execute tactical NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

24 Managing risk. Doesn t mean fixing everything ü Frame ü Assess ü Respond ü Monitor NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

25 STRATEGIC (EXECUTIVE) RISK FOCUS Communicating and sharing risk-related information from the strategic to tactical level, that is from the executives to the operators. TIER 1 Organization (Governance) Communicating and sharing risk-related information from the tactical to strategic level, that is from the operators to the executives. TIER 2 Mission / Business Process (Information and Information Flows) TIER 3 Information System (Environment of Operation) TACTICAL (OPERATIONAL) RISK FOCUS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25

26 Risk Tolerance. How you know when to stop deploying security controls NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26

27 Risk Management Framework SP MONITOR Security State Continuously track changes to the information system that may affect security controls and reassess control effectiveness. SP AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Starting Point FIPS 199 / SP CATEGORIZE Information System Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. Security Life Cycle SP SP A ASSESS Security Controls FIPS 200 / SP SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. SP / SP IMPLEMENT Security Controls Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27

28 Defense-in-Depth Links in the Security and Privacy Chain: Security and Privacy Controls ü Risk assessment ü Security planning, policies, procedures ü Configuration management and control ü Contingency planning ü Incident response planning ü Security awareness and training ü Security in acquisitions ü Physical and personnel security ü Security assessments and authorization ü Continuous monitoring ü Privacy protection ü Access control mechanisms ü Identification & authentication mechanisms (Biometrics, tokens, passwords) ü Audit mechanisms ü Encryption mechanisms ü Boundary and network protection devices (Firewalls, guards, routers, gateways) ü Intrusion protection/detection systems ü Security configuration settings ü Anti-viral, anti-spyware, anti-spam software ü Smart cards Adversaries attack the weakest link where is yours? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

29 Resilience. The only way to go for critical missions and information systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29

30 Dual Protection Strategies Sometimes your information systems will be compromised even when you do everything right Boundary Protection Primary Consideration: Penetration resistance. Adversary Location: Outside defensive perimeter. Objective: Repel the attack. Agile Defense Primary Consideration: Information system resilience. Adversary Location: Inside defensive perimeter. Objective: Operate while under attack, limit damage, survive. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30

31 Agile Defense Boundary protection is a necessary but not sufficient condition for Agile Defense. Examples of Agile Defense measures Compartmentalization and segregation of critical assets. Targeted allocation of security controls. Virtualization and obfuscation techniques. Encryption of data at rest. Limiting privileges. Routine reconstitution to known secure state. Bottom Line: Limit damage of hostile attack while operating in a (potentially) degraded or debilitated state NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31

32 And after we build it right. What next? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32

33 Continuous Monitoring Determine effectiveness of risk responses. Identify changes to information systems and environments of operation. Verify compliance to federal legislation, Executive Orders, directives, policies, standards, and guidelines. Bottom Line: Increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 33

34 Necessary and Sufficient Security Solutions Cyber Security Hygiene COUNTING, CONFIGURING, AND PATCHING IT ASSETS Strengthening the IT Infrastructure ARCHITECTURE, ENGINEERING, AND SYSTEM RESILIENCY Has your organization achieved the appropriate balance? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 34

35 The bottom line. If adversaries own your information system They own your intellectual property and your national secrets They own your identity They own you. And you have lost your freedom. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 35

36 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Project Leader Administrative Support Dr. Ron Ross Peggy Himes (301) (301) Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) (301) Arnold Johnson (301) Web: csrc.nist.gov/sec-cert Comments: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 36