Affordable Security. Sarah Pramanik April 10, 2013

Transcription

1 Affordable Security Sarah Pramanik April 10, 2013

2 It s a Balancing Act Affordability Security 2

3 Overview Defining Cyber Security Defense in Depth Program Risk vs. Security Risk Life Cycle Phases Pre-proposal/Proposal Development Metrics Production Maintenance/End of Life Conclusion 3

4 Defining Cyber Security Software Assurance System Security Engineering Program Protection Information Assurance Network Security Computer Security 4

5 Communications A 5 [4]

6 Defense in Depth Defense in Depth attempts to mitigate risk by layering defense techniques Defense techniques are both technical and nontechnical Policies What has to be applied? This typically includes personnel policies as well, such as who has access Procedures Process of applying This includes such things as manuals and step by step instructions Technical techniques How to apply Hardware, software, firmware, and network security techniques Everything has to work together 6 risk mitigation NOT risk elimination

7 Program Risk vs. Security Risk Program Risk Something that will keep a program from meeting requirements on time and within a given cost constraint Security Risk = Threat x Vulnerability Certain Security Risks are Programs Risks If they risk getting the system accredited Or if a mitigation causes program to go over budget or schedule VS 7

8 Proposal How do you come up with your basis of estimate (BOE)? Need to keep appropriate metrics Do you know what your customer really wants? (Not just what you think they want ) Have candid conversations early on Don t forget to include the cost of security! This might mean haggling with management 8

9 Development Continue to keep track of your metrics This will be helpful in the future, but not necessarily immediately Include cost as an element of all your trade studies Initial and maintenance costs Don t engineer in a vacuum Throwing security over the wall will cost you 9

10 Metrics IPT and supplier engagement Time to create a security architecture How skilled are the engineers? Time to apply security configurations to a box Each box may take a different amount of time This is cyclical, so these hours can add up! Equipment Cost Maintenance Cost Testing Initial and regression 10

11 Production Maintain the posture Keep up the patching Lookout for product end of life Does the new product compromise the security posture? 11

12 Maintenance / End of Life Plan for it in development Ensure that personnel are trained DoDD M Maintain the posture (still) And plan for disaster its not if, but when End of Life Reuse? 12

13 Conclusion It s a balancing act Plan for the cost Its about risk mitigation not risk elimination 13

14 14

15 Acronyms BOE - basis of estimate CISSP Certified Information System Security Professional CNSSI - Committee on National Security Systems Instruction DoD Department of Defense DoDD Department of Defense Directive DoDI Department of Defense Instruction IA - Information Assurance IAVA Information Assurance Vulnerability Alert IPT Integrated Product Team NIST SP National Institute of Standards and Technology Special Publication NSA National Security Agency STIG - Security Technical Implementation Guides 15

16 References [1] CNSS Instruction No. 4009, Information Assurance Glossary, 26 April [2] Department of Defense Instruction , February 6, [3] National Institute for Standards and Technology Special Publication R1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD , February [4] 16