Cybersecurity Test and Evaluation Achievable and Defensible Architectures


Cybersecurity Test and Evaluation: Achievable and Defensible Architectures
October 2015, ITEA Francis Scott Key Chapter
Mr. Robert L. Laughman for COL Scott D. Brooks, Director, Survivability Evaluation Directorate, Army Evaluation Center
U.S. Army Evaluation Center
Approved for public release; distribution is unlimited.

Agenda
- Understanding Trends
- Technology
- Cyber Security Testing & Evaluation
- New Approaches
- Challenges

[Chart: trend, 2015 to 2020]

[Chart: Reported Breaches by Year]

Operational Cybersecurity Testing

Blue Team Assessment Tools
- Nmap: network mapping, traffic generation
- Q-Tip, Retina, Nessus: signature-based vulnerability scanners; malware signatures updated daily
- SCAP Compliance Checker: automated scanner of systems based on DISA Security Technical Implementation Guides (STIGs)
- Burp Proxy: web application proxy (man-in-the-middle for assessing web application vulnerabilities)
- Wireshark, Tcpdump: traffic analysis; can capture wired and wireless packets
- John, Cain: password crackers
- THC-Hydra: password guesser

Red Team Assessment Tools
- Nmap: covert network mapping, firewall evasion, traffic generation
- Metasploit: exploitation and post-exploitation toolset (exploits vulnerabilities and delivers a payload)
- Meterpreter: Windows Metasploit payload used for keyboard logging, enabling camera and microphone, data theft, maintaining access, and covert communications
- Burp Proxy, Zed Attack Proxy: web application attacks
- BeEF: web browser exploitation toolset
- MimiKatz: memory forensics
- Cobalt Strike: advanced exploitation toolset with graphic interface
- John, Cain: password crackers
- THC-Hydra: password guesser

Shift Left Cybersecurity Testing
- Formally add cybersecurity DT to the TEMP
- ATEC: leverage existing test capabilities rather than build new ones
- Build T&E plans starting with Risk Management Framework (RMF) products
- The Risk Management Framework (RMF) replaces DIACAP, with the intent to manage risk over the system's lifecycle

[Figure: Score Card]

Shift Left Cybersecurity T&E: Earlier Than IOT&E

Phases of the cybersecurity T&E process, aligned with the RMF:
- Analysis phase
  - Phase 1: Understand Cybersecurity Requirements
  - Phase 2: Characterize Cyber Attack Surface
- Test phase: Developmental Test and Integrated DT/OT
  - Phase 3 test event: DT Cooperative Vulnerability and Penetration Assessment
  - Phase 4 test event: DT Adversarial Assessment
- Test phase: Operational Test
  - Phase 5 test event: OT Cooperative Vulnerability and Penetration Assessment
  - Phase 6 test event: OT Adversarial Assessment

Acquisition milestones and decision points shown on the timeline: A, B, C, IATT, OTRR, FRP.

Events derived from the DASD(DT&E) DoD Cybersecurity Test and Evaluation Guidebook, 1 July 2015, version 1 (https://acc.dau.mil/adl/en-US/722865/file/80161/Cybersecurity%20te%20guidebook%20July%201%202015%20v1_0.pdf), and the DOT&E Cybersecurity Operational Test and Evaluation Guidance Memo (01 August 2014).

Cybersecurity Test and Evaluation Approach: Subsystem Examples and Major Software Updates

The cybersecurity T&E approach (IAW AR 25-2, DoDI 8510.01, and DASD(DT&E) & DOT&E guidance*) mitigates software and security risks of fielding unproven platform equipment. Applicable data will be leveraged whenever available.

Software drops and the cybersecurity testing tied to each:
- Software Drop, Post-OEM Testing: OEM Cybersecurity Testing
- Software Drop, Post-DT: DT Cybersecurity Testing
- Software Drop, Post-OT: OT Cybersecurity Testing
- Software Lifecycle Maintenance: Continuous

Subsystem examples:
- New Hardware: Computing Systems; Improved Displays; New Processor Units; Maneuver Control Enhancements
- New Software: Cross Domain Solution Adjustments; Enhanced Training; Improved Vehicle Management; Improved Communications Manager
- New Integration: CREW Device; Tactical Communication Devices; Battle Command Systems; Power Distribution Systems

Evaluation views: Network; End-to-End; Data Exchange Relationships; Security Approach; Existing Evaluation

Cooperative Vulnerability and Penetration Assessments (CVPA): system focused; risk-based (most likely to be exploited); actionable information

NDIA Summit, DoD Program Protection, May 19-22 2014: Security Engineering Challenges
- Incorporation of security engineering as a discipline of systems engineering: engineering methodology, processes, and practices; system security engineering workforce
- Quantification of security risks: vulnerability detection and validated mitigation
- Articulation of security requirements: threat-driven, evolving over time; risk-based, affordable trade-off analysis; measurable, testable system specifications
- Protection of technical data: consequences of unclassified controlled technical information losses

Common themes: security engineering as a discipline; earlier and often in the development process; architecture; in contracts (part of Sections L and M in RFPs); cyber testing

http://www.ndia.org/divisions/divisions/systemsengineering/pages/past_projects.aspx

Challenges for T&E
- OSD policies on cybersecurity T&E are still draft; DoDI 5000.02 states the need for cybersecurity in DT; AR 73-1 draft in process
- Modeling & simulation
- Operational requirements
- Addressing DOTMLPF: training and CND activity at echelon
- Metrics: work underway with MIT-LL; measurable, testable, repeatable
- Configuration
- Operational mission risk

Measures
- Account Management: Accounts are established only after screening users for membership, need-to-know, and functional tasks, and disestablished promptly when retired. Default credentials are designed into software to be changed on first use.
- Least Privilege: Role-based account privileges assuring access only to the systems/applications the user has a need to use.
- Identification and Authentication: Organizational users are uniquely identified and authenticated when accessing the system, including accounts. Two-level authentication or higher.
- Content of Audit Records: Audit records contain sufficient information to establish the nature, time, location, source and outcome of malicious events, as well as the identity of any individuals associated with such events.
- Audit Review, Analysis and Reporting: Audit records are reviewed and analyzed promptly for indications of inappropriate activity, and any findings are reported to the defenders.
- Continuous Monitoring: The system is continuously monitored for vulnerabilities, to include regular assessments by test teams.
- Configuration Settings: The system is installed in accordance with an established baseline configuration following the principle of least functionality, and any deviations from this baseline are recorded.
- Backup, Recovery and Restoration: System data is backed up and preserved, and a recovery and restoration plan for the system is
- Device Identification and Authentication: The information system uniquely identifies and authenticates devices before a connection.
- Authenticator Management: The cryptographic strength, maximum lifetime and storage methods for system authenticators (e.g., passwords, tokens) are compliant with organizational policy.
- Default Authenticators: System authenticators (e.g., passwords, tokens) are changed from their default settings.
- Physical Access Control: The information system, including data ports, is physically protected from unauthorized access appropriate to the level of classification.
- Boundary Protection: The system monitors and controls data exchanges at the external boundary and at key internal boundaries, including firewalls or guards and IPS/IDS/HBSS.
- Secure Network Communications: Network communications are secure and remote sessions require a secure form of authentication.
- Update Management: Security-related software and firmware updates (e.g., patches) are centrally managed and applied to all instances of the system in accordance with the relevant direction and timeliness.
- Malicious Code Protection: Mechanisms for preventing the deployment of malicious code (e.g., viruses, malware) are installed, configured and kept up to date.

Source: DOT&E Cybersecurity Operational Test and Evaluation Guidance Memo (01 August 2014)
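The "Content of Audit Records" measure above is one that a test team can make measurable and repeatable, in the sense the Challenges slide asks for. The following is an added example, not part of the original briefing, that checks constructed key=value audit lines for the fields the measure requires (nature, time, location, source, outcome, identity); the field names are assumptions chosen for the sample format.

```python
import re

# Required content per the "Content of Audit Records" measure: nature of the
# event, time, location (host), source, outcome and identity of the user.
# The key names are an assumption for this constructed key=value format.
REQUIRED_FIELDS = ("event", "time", "host", "src", "outcome", "user")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value audit line into a dict (quotes stripped from values)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def missing_fields(record):
    """Return the required fields that are absent or empty in a parsed record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def assess_audit_content(lines):
    """Score a batch of audit lines against the measure.

    Returns (records_checked, records_deficient, {line_no: [missing fields]}).
    Blank lines are skipped; every other line is counted as a record.
    """
    findings = {}
    checked = 0
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        checked += 1
        gaps = missing_fields(parse_record(line))
        if gaps:
            findings[n] = gaps
    return checked, len(findings), findings


# Constructed sample audit lines (not from the briefing). Line 2 omits the
# source address and line 3 omits the outcome, so neither satisfies the measure.
SAMPLE_AUDIT = [
    'time=2015-10-01T13:05:22Z host=gw01 event=login src=10.0.3.7 user=jdoe outcome=success',
    'time=2015-10-01T13:07:41Z host=gw01 event=login user=jdoe outcome=failure',
    'time=2015-10-01T13:09:03Z host=app02 event=privilege_change src=10.0.3.7 user=svc_build',
]

if __name__ == "__main__":
    checked, deficient, findings = assess_audit_content(SAMPLE_AUDIT)
    print(f"{checked} records checked, {deficient} deficient")
    for n, gaps in findings.items():
        print(f"  line {n}: missing {', '.join(gaps)}")
```

Run against a real export, the deficiency list tells the evaluator which log sources cannot support the "Audit Review, Analysis and Reporting" measure until their record format is fixed.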

Path to Achievable and Defensible Networks
- Operational Requirements Documents
- Contract Language
- Architecture Design and Planning
- Inherited Controls
- Testing (ACAS, SCAP, CVPA and Adversarial)
- Changes in HW, SW or Architecture
- Defensible Systems