Cybersecurity: Trust, Visibility, Resilience. Tom Albert Senior Advisor, Cybersecurity NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

Transcription

1 Cybersecurity: Trust, Visibility, Resilience Tom Albert Senior Advisor, Cybersecurity NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

2 No single company can solve the complex challenge presented by the Internet, but the inherent role of the network positions Cisco as the natural partner in developing and executing a successful cyber security strategy NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

3 Cybersecurity Challenges Operational Management Supply Chain Data Capacity Data Loss Business Resiliency NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

4 Federal Cybersecurity Priorities Situational Awareness Continuous Monitoring Identity Mgmt. Secure Supply Chain Vulnerabilit y Analysis/ID S Real-time Continuous Monitoring Education and Training Limited Access Points Application Security Application Security Vulnerability Analysis/IDS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

5 Why Cisco? Embedded Security Capabilities Cross Architectur e Security Products Visibility Tools Services Cisco s Pervasive Footprint The Network is the Sensor Public/Private Partnerships Education Certifications Incident Response Supply Chain Management Trusted HW/SW NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

6 Mission: Cybersecurity Cisco IS the Cyber secure Platform Access Inside Threat Data Capacity Trustworthiness Data Loss Customer Requirements Trust Visibility Resilience Challenges Solution Framework Public Policy Supply Chain Trust Identify and Solutions Manage Messaging Capture NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

7 Cisco Cyber Solutions Trust Visibility Resilience Identity and Access Secure Mobility Wireless Integrity Configuration Assurance Physical Security Audit and Compliance Continuous Monitoring Data Exfiltration Boundary Defense Malware and APT Defense Situational Awareness COOP Incident Handling Availability Service Level Assurance NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

8 NIST STRATEGY TRUST Access Control Audit & Accountability Configuration Management Identification & Authentication Maintenance System & Communication Protection Critical Control Family SOLUTION S Identity and Access Secure Mobility Wireless Integrity Audit and Compliance Configuration Assurance Physical Security Borderless Networks Cisco Works LMS 4.0 Cisco Configuration Engine Cisco TrustSec (Identity) Cisco AnyConnect Client Cisco VPN Services Cisco Mobility Engine & Wireless Solution Cisco Unified Border Element ASA Firewall IOS Firewall ARCHITECTURES Data Center/ Virtualization Collaboration VISIBILITY NIST Security Assessment & Authorization System & Communication Protection System & Information Integrity Incident Monitoring Critical Control Family Continuous Monitoring Data Exfiltration Boundary Defense Malware Defense Situational Awareness Security Intelligence Operations IPS 4200 Series Clean Air Technology NBAR IOS Intrusion Prevention IOS NetFlow Service Control Engine ASA BotNet Filter RESILIENCE NIST Contingency Planning COOP System & Communication Performance Routing Incident Handling Protection NSF/SSO Incident Monitoring Availability EnergyWise NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Physical & Environmental Service Level Assurance Policy Based Routing 8 Critical Control Family

9 Cybersecurity Partner Ecosystem: Building solutions with best of breed ISVs & Technology Partners Systems Integrators SIEM Partners IRAD projects to address customer requirements Integrate component parts in proof-of-concept environments to foster learning and innovation Ecosystem partners to meet diverse customer security incident and event management requirements Cisco validated design and deployment methodologies Implementation Partners Cybersecurity focus partners to ensure consistent delivery of Cisco and partner systems Agile custom solution development Technology Partners Complimentary technology partners to complete Cybersecurity solution offerings Best of bread market proven technologies NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

10 The Cybersecurity Journey Manufacturing Integrity Investment Education Regulatory Alignment Thought leadership Private/Public Partnerships Cybersecurity Innovation NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

11 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

12 Managing Risk Through Trust, Visibility, and Resilience DGI Government Solutions Forum March 1, 2011 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

13 The Stuxnet Worm Targeting critical infrastructure companies Infected industrial control systems around the world. Uploads payload to Programmable Logic Controllers. Gives attacker control of the physical system. Provides back door to steal data and remotely and secretly control critical plant operations. Found in Siemens Simatic Win CC software used to control industrial manufacturing and utilities. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

14 The Flash Drive Incident Targeting U.S. Department of Defense Malware on flash drive infected military laptop computer at base in Middle East. Foreign intelligence agency was source of malware. Malware uploaded itself to Central Command network. Code spread undetected to classified and unclassified systems establishing digital beachhead. Rogue program poised to silently steal military secrets. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

15 The Stolen Laptop Incident U.S. Department of Veterans Affairs VA employee took laptop home with over 26 million veterans records containing personal information. Laptop was stolen from residence and information was not protected. Law enforcement agency recovered laptop; forensic analysis indicated no compromise of information. Incident prompted significant new security measures and lessons learned. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

16 Red Zone Information Security NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

17 The New SP Multi-tiered Risk Management Approach Implemented by the Risk Executive Function Enterprise Architecture and SDLC Focus Flexible and Agile Implementation TIER 1 Organization (Governance) STRATEGIC RISK FOCUS TIER 2 Mission / Business Process (Information and Information Flows) TIER 3 Information System (Environment of Operation) TACTICAL RISK FOCUS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

18 Tier 1 Organization Governance Risk management strategy Investment strategy Risk tolerance Trust Transparency Culture NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

19 Tier 2 Mission/Business Process Influenced by risk management decisions at Tier 1. Identification of missions/business processes. Determination of information types and flows. Identification of information security requirements. Development of enterprise architecture with embedded information security architecture. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

20 Tier 3 Information System Influenced by risk management decisions at Tiers 1 & 2. Allocation of necessary and sufficient security controls to information systems and environments of operation. Uses Risk Management Framework to guide process. Information security managed as part of the SDLC. Feedback to Tiers 1 & 2 for continuous improvement. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20

21 Risk Management Framework Starting Point CATEGORIZE Information System MONITOR Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. Security Life Cycle SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. ASSESS Security Controls Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). IMPLEMENT Security Controls Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

22 Risk Management Process Risk Framing Risk Framing Assess Respond Risk Risk Framing Monitor Risk Framing NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

23 Unified Information Security Framework The Generalized Model Unique Information Security Requirements The Delta Intelligence Community Department of Defense Federal Civil Agencies C N S S Private Sector State/Local Govt Common Information Security Requirements Foundational Set of Information Security Standards and Guidance Risk management (organization, mission, information system) Security categorization (information criticality/sensitivity) Security controls (safeguards and countermeasures) Security assessment procedures Security authorization process National security and non national security information systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

24 Joint Task Force Transformation Initiative Core Risk Management Publications NIST Special Publication , Revision 3 Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication , Revision 1 Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach NIST Special Publication A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans Completed Completed Completed NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

25 Joint Task Force Transformation Initiative Core Risk Management Publications NIST Special Publication Managing Information Security Risk: Organization, Mission, and Information System View Completed NIST Special Publication , Revision 1 Guide for Conducting Risk Assessments Projected April 2011 (Public Draft) NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25

26 Defense-in-Depth Links in the Security Chain: Management, Operational, and Technical Controls Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical security Personnel security Security assessments and authorization Continuous monitoring Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Adversaries attack the weakest link where is yours? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26

27 Focus Areas 2011 and Beyond Complete Joint Task Force Publications and Unified Information Security Framework Continuous Monitoring Guideline Systems and Security Engineering Guideline Update to NIST Special Publication , Revision 4 Insider Threats Advanced Persistent Threats Industrial Control Systems Mobile Devices, Cloud Computing Privacy Controls NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27

28 Contact Information Project Leader 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Administrative Support Dr. Ron Ross Peggy Himes (301) (301) Senior Information Security Researchers and Technical Support Marianne Swanson Kelley Dempsey (301) (301) Pat Toth Arnold Johnson (301) (301) Web: csrc.nist.gov Comments: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28