TACIT Security Institutionalizing Cyber Protection for Critical Assets

Similar documents
Risk-Based Cyber Security for the 21 st Century

Protecting the Nation s Critical Assets in the 21st Century

Evolving Cybersecurity Strategies

Rethinking Cybersecurity from the Inside Out

The Future of Cyber Security NIST Special Publication , Revision 4

Cybersecurity: Trust, Visibility, Resilience. Tom Albert Senior Advisor, Cybersecurity NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

NIST SP , Revision 1 CNSS Instruction 1253

Building More Secure Information Systems

NIST Security Certification and Accreditation Project

New Guidance on Privacy Controls for the Federal Government

Cybersecurity & Privacy Enhancements

The NIST Cybersecurity Framework

TEL2813/IS2621 Security Management

Guide for Assessing the Security Controls in Federal Information Systems

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

NCSF Foundation Certification

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Framework for Improving Critical Infrastructure Cybersecurity

ISA 201 Intermediate Information Systems Acquisition

Framework for Improving Critical Infrastructure Cybersecurity

Supply Chain Risk Management Practices for Federal Information Systems and Organizations by Boyens et al. comprises public domain material from the

Cybersecurity Risk Management

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

NCSF Foundation Certification

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

Cybersecurity Risk Management:

NIST s Industrial Control System (ICS) Security Project

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Security by Default: Enabling Transformation Through Cyber Resilience

Cyber Hygiene: A Baseline Set of Practices

INFORMATION ASSURANCE DIRECTORATE

TEL2813/IS2820 Security Management

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

Implementing Executive Order and Presidential Policy Directive 21

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

DoD Strategy for Cyber Resilient Weapon Systems

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cyber Resilience. Think18. Felicity March IBM Corporation

THE POWER OF TECH-SAVVY BOARDS:

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

CYBERSECURITY MATURITY ASSESSMENT

DELIVERING SIMPLIFIED CYBER SECURITY JOURNEYS

Supply Chain (In)Security

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

Section One of the Order: The Cybersecurity of Federal Networks.

deep (i) the most advanced solution for managed security services

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

The Perfect Storm Cyber RDT&E

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

General Framework for Secure IoT Systems

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

RISK MANAGEMENT FRAMEWORK COURSE

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Cybersecurity, Trade, and Economic Development

Defense Engineering Excellence

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

The Interim Report on the Revision of the Guidelines for U.S.-Japan Defense Cooperation

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

National Cybersecurity Challenges and NIST. Matthew Scholl Chief Computer Security Division

Dr. Stephanie Carter CISM, CISSP, CISA

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

FDA & Medical Device Cybersecurity

Navy Cyber Resilience

INFORMATION ASSURANCE DIRECTORATE

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Security Management Models And Practices Feb 5, 2008

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

Streamlined FISMA Compliance For Hosted Information Systems

Ensuring System Protection throughout the Operational Lifecycle

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

State Governments at Risk: State CIOs and Cybersecurity. CSG Cybersecurity and Privacy Policy Academy November 2, 2017

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

Defining IT Security Requirements for Federal Systems and Networks

Transcription:

TACIT Security Institutionalizing Cyber Protection for Critical Assets MeriTalk Cyber Security Exchange Quarterly Meeting December 18, 2013 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

Some initial thoughts. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

The United States Constitution WE THE PEOPLE of the United States, in Order to form a more perfect Union, establish Justice, ensure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

We are living in the golden age of information technology. Ironically, the same information technology that has brought unprecedented innovation and prosperity to millions, has now become a significant vulnerability to nation states, corporate entities, and individuals. How do we provide for the common defense in the digital age? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

We are vulnerable because our information technology is fragile and susceptible to a wide range of threats including: natural disasters; structural failures; cyber attacks; and errors. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

Advanced Persistent Threat An adversary that Possesses significant levels of expertise / resources. Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception). Establishes footholds within IT infrastructure of targeted organizations: To exfiltrate information; To undermine / impede critical aspects of a mission, program, or organization; and To position itself to carry out these objectives in the future. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

Classes of Vulnerabilities A 2013 Defense Science Board Report described Tier 1: Known vulnerabilities. Tier 2: Unknown vulnerabilities (zero-day exploits). Tier 3: Adversary-created vulnerabilities (APT). Two-thirds of these vulnerability classes are off the radar of most organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

You can t stop hurricanes and you can t stop cyber attacks. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

Time for an honest discussion. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

Good cyber hygiene is necessary But not sufficient. Which Road to Follow? You can t count, configure, or patch your way out of this problem space. Tough decisions ahead. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

The United States Federal Cyber Security Strategy Build It Right, Continuously Monitor NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

The Cyber Security Toolset NIST Special Publication 800-39 Managing Information Security Risk: Organization, Mission, and Information System View NIST Special Publication 800-30 Guide for Conducting Risk Assessments NIST Special Publication 800-37 Applying the Risk Management Framework to Federal Information Systems NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53A Guide for Assessing the Security Controls in Federal Information Systems and Organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

We have spent the last ten years developing and refining our information security toolset but have not focused on the most effective ways to use the tools, techniques, and technologies. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

TACIT security focuses on the organizational aspects of cyber security that is, how to effectively use the security tools, techniques, and technologies to achieve desired solutions. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

TACIT security addresses institutional and cultural issues that help organizations Build It Right NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

For bridge builders, it's all about physics Equilibrium, static and dynamic loads, vibrations, and resonance. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

For information system developers, it's all about mathematics, computer science, architecture, and systems engineering Trustworthiness, assurance, penetration resistance and resilience. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

The national imperative for building stronger, more resilient information systems Software assurance. Systems and security engineering. Supply chain risk management. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

The security controls in NIST SP 800-53, Revision 4, move beyond good cyber security hygiene and continuous monitoring into the space of system resiliency and strengthening the IT infrastructure to achieve that resiliency. Does your information system have 9 lives? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

Security should be a by-product of good design and development practices. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20

TACIT Security Threat Assets Complexity Integration Trustworthiness MERRIAM-WEBSTER DICTIONARY tac. it adjective : expressed or understood without being directly stated NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

Threat Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities. Clear key organizational personnel at Top Secret and/or TS SCI levels for access to classified threat data. Include external and insider threat assessments. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

Assets Conduct a comprehensive criticality analysis of organizational assets including information and information systems. Use FIPS Publication 199 for mission/business impact analysis (triage). Subdivide high, moderate, and low impact levels to provide greater fidelity on risk assessments. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

Complexity Reduce the complexity of the information technology infrastructure including IT component products and information systems. Use enterprise architecture to consolidate, optimize, and standardize the IT infrastructure. Employ cloud computing architectures to reduce the number of IT assets that need to be managed. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

Integration Integrate information security requirements and the security expertise of individuals into organizational development and management processes. Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes. Coordinate security requirements with mission/business owners; become key stakeholders. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25

Trustworthiness Invest in more trustworthy and resilient information systems supporting organizational missions and business functions. Isolate critical assets into separate enclaves. Implement solutions with greater strength of mechanism. Increase developmental and evaluation assurance. Use modular design, layered defenses, component isolation. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26

Summary TACIT Security Understand the cyber threat space. Conduct a thorough criticality analysis of organizational assets. Reduce complexity of IT infrastructure. Integrate security requirements into organizational processes. Invest in trustworthiness and resilience of IT components and systems. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27

Concepts supporting TACIT. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

Dual Protection Strategies Sometimes your information systems will be compromised even when you do everything right Boundary Protection Primary Consideration: Penetration resistance. Adversary Location: Outside defensive perimeter. Objective: Repel the attack. Agile Defense Primary Consideration: Information system resilience. Adversary Location: Inside defensive perimeter. Objective: Operate while under attack, limit damage, survive. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29

Institutionalizing Risk-Based Security Communicating and sharing risk-related information from the strategic to tactical level, that is from the executives to the operators. TIER 1 Organization (Governance) Communicating and sharing risk-related information from the tactical to strategic level, that is from the operators to the executives. TIER 2 Mission / Business Process (Information and Information Flows) TIER 3 Information System (Environment of Operation) NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30

RMF Support TACIT Security Starting Point CATEGORIZE Information System MONITOR Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. Security Life Cycle SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. ASSESS Security Controls Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). IMPLEMENT Security Controls Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31

Strengthening Specification Language Significant changes to security controls and control enhancements in Configuration Management family. System and Services Acquisition family. System and Information Integrity family. Applying best practices in software development at all stages in the SDLC. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32

Platform Integrity Investments in highly-assured trust technologies to establish the foundation for effective security including for example Trusted Platform Module (hardware root of trust). Protected BIOS (digitally-signed firmware). Network Admissions Control (interaction between trusted platforms). KEY CONCEPTS: secure generation of cryptographic keys (endorsement keys), memory curtaining/protected execution, sealed storage, remote attestation, and Trusted Third Party. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 33

Key Publications Built It Right NIST Special Publication 800-53, Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations April 2013 New NIST Special Publication 800-161 Supply Chain Risk Management Guideline Initial Public Draft August 2013 NIST Special Publication 800-160 Security Engineering Guideline Initial Public Draft Spring 2014 New New NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 34

Significant Updates to Security Controls Development processes, standards, and tools. Developer security architecture and design. Developer configuration management. Developer security testing. Developer-provided training. Supply chain protection. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 35

Build It Right Continuously Monitor State-of-the-practice security and privacy controls to protect federal missions and business functions. Overlays tailored to missions/business functions, environments of operation, and technologies. Greater situational awareness from continuous monitoring. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 36

Some final thoughts. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 37

We choose to go to the moon in this decade and do other things. Not because they are easy, but because they are hard. -- John F. Kennedy, 1961 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 38

Cybersecurity is the great challenge of the 21 st century. Cybersecurity problems are hard not easy. Are we prepared to do the heavy lifting? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 39

Critical assets must be protected differently than non-critical assets. Critical organizational missions and business functions are at risk NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 40

Be proactive, not reactive when it comes to protecting your organizational assets. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 41

Necessary and Sufficient Security Solutions Cyber Security Hygiene COUNTING, CONFIGURING, AND PATCHING IT ASSETS Strengthening the IT Infrastructure SYSTEM/SECURITY ENGINEERING, ARCHITECTURE, AND RESILIENCY Has your organization achieved the appropriate balance? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 42

The clock is ticking the time to act is now. Failure is not an option when freedom and economic prosperity are at stake. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 43

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 44

Contact Information Project Leader 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Administrative Support Dr. Ron Ross Peggy Himes (301) 975-5390 (301) 975-2489 ron.ross@nist.gov peggy.himes@nist.gov Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) 975-5140 (301) 975-2827 patricia.toth@nist.gov kelley.dempsey@nist.gov Arnold Johnson (301) 975-3247 arnold.johnson@nist.gov Web: csrc.nist.gov/sec-cert Comments: sec-cert@nist.gov NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback