Rethinking Cybersecurity from the Inside Out

Similar documents
Protecting the Nation s Critical Assets in the 21st Century

TACIT Security Institutionalizing Cyber Protection for Critical Assets

Risk-Based Cyber Security for the 21 st Century

Evolving Cybersecurity Strategies

NIST SP , Revision 1 CNSS Instruction 1253

Building More Secure Information Systems

Cybersecurity: Trust, Visibility, Resilience. Tom Albert Senior Advisor, Cybersecurity NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

The Future of Cyber Security NIST Special Publication , Revision 4

NIST Security Certification and Accreditation Project

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

THE POWER OF TECH-SAVVY BOARDS:

NCSF Foundation Certification

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cyber Hygiene: A Baseline Set of Practices

New Guidance on Privacy Controls for the Federal Government

INFORMATION ASSURANCE DIRECTORATE

Cyber Security Program

National Initiative for Cybersecurity Education

CYBERSECURITY RISK ASSESSMENT

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Position Description IT Auditor

NCSF Foundation Certification

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

The NIST Cybersecurity Framework

Guide for Assessing the Security Controls in Federal Information Systems

Implementation Strategy for Cybersecurity Workshop ITU 2016

Gujarat Forensic Sciences University

Introducing Cyber Resiliency Concerns Into Engineering Education

INFORMATION ASSURANCE DIRECTORATE

Framework for Improving Critical Infrastructure Cybersecurity

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Securing an IT. Governance, Risk. Management, and Audit

Education Network Security

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

David Fletcher Co-Principal Investigator Western Management & Consulting LLC Albuquerque, NM

CYBERSECURITY MATURITY ASSESSMENT

National Initiative for Cyber Education (NICE) and the Cybersecurity Workforce Framework: Attract and Retain the Best in InfoSec.

Affordable Security. Sarah Pramanik April 10, 2013

The Perfect Storm Cyber RDT&E

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Evolving the Security Strategy for Growth. Eric Schlesinger Global Director and CISO Polaris Alpha

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Section One of the Order: The Cybersecurity of Federal Networks.

Defining IT Security Requirements for Federal Systems and Networks

NISTCSF Enterprise Training Solutions. By David Nichols & Rick Lemieux December 2018

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

Security by Default: Enabling Transformation Through Cyber Resilience

AMRDEC CYBER Capabilities

Computing Accreditation Commission Version 2.0 CRITERIA FOR ACCREDITING COMPUTING PROGRAMS

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Cyber Semantic Landscape Ontology and Taxonomy

Handbook Webinar

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

CESG:10 Steps to Cyber Security WORKING WITH GOVERNMENT, INDUSTRY AND ACADEMIA TO MANAGE INFORMATION RISK

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cybersecurity Risk Management:

COURSE BROCHURE. COBIT5 FOUNDATION Training & Certification

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

FPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

Cybersecurity Risk Management

Cybersecurity & Privacy Enhancements

Information Security In Pakistan. & Software Security As A Quality Aspect. Nahil Mahmood, Chairman, Pakistan Cyber Security Association (PCSA)

Framework for Improving Critical Infrastructure Cybersecurity

TEL2813/IS2621 Security Management

State of South Carolina Interim Security Assessment

The Common Controls Framework BY ADOBE

FISMAand the Risk Management Framework

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

Moderator: Presenters: Ross Albert Damon D Levine

CYBERSECURITY RESILIENCE

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

NIST SP : For the Rest of Us. An ICIT Summary. May James Scott (ICIT Senior Fellow Institute for Critical Infrastructure Technology)

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Security Director - VisionFund International

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

External Supplier Control Obligations. Cyber Security

Streamlined FISMA Compliance For Hosted Information Systems

M.S. IN INFORMATION ASSURANCE MAJOR: CYBERSECURITY. Graduate Program

Access Control and Physical Security Management. Contents are subject to change. For the latest updates visit

Developing a Model for Cyber Security Maturity Assessment

Why you should adopt the NIST Cybersecurity Framework

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Dr. Stephanie Carter CISM, CISSP, CISA

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

Security and Privacy Governance Program Guidelines

SDLC Maturity Models

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

Transcription:

Rethinking Cybersecurity from the Inside Out An Engineering and Life Cycle-Based Approach for Building Trustworthy Resilient Systems Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

The current landscape. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

Our appetite for advanced technology is rapidly exceeding our ability to protect it. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

Complexity. An adversary s most effective weapon in the 21 st century. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

One organization s IT product feature is another organization s attack surface. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

Estimating Number of Vulnerabilities Between 1% and 5% of software flaws are security vulnerabilities. Source: Software Assessments, Benchmarks, and Best Practices, C. Jones. So, 50mLOC / 1kLOC * 4.9 Flaws / 1kLOC 245,000 flaws Or approximately 2,400 to 12,200 potential security vulnerabilities. Source: Security Vulnerabilities in Software Systems - A Quantitative Perspective, O.H. Alhazmi. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

The n+ 1 vulnerabilities problem. Unconstrained due to increasing attack surface. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

When culture clashes with science Science wins. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

The hard cybersecurity problems are buried below the water line In the hardware, software, and firmware. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

Security Architecture and Design Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach. Harden the target System Limit damage to the target Make the target survivable Achieving Trustworthiness and Resiliency NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

How we do security today Bottom up, instead of top down. Outside in, instead of inside out. Tactical instead of strategic. We are managing the trees, but not the forest. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

The road ahead. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

Institutionalize. The ultimate objective for security. Operationalize. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

On the Horizon NIST Special Publication 800 160 Systems Security Engineering An Integrated Approach to Building Trustworthy Resilient Systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

Multidisciplinary integration of security best practices. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

Command and control of the security space. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

ISO/IEC/IEEE 15288:201x(E) Systems and software engineering System life cycle processes Technical Processes Business or mission analysis Stakeholder needs and requirements definition System requirements definition Architecture definition Design definition System analysis Implementation Integration Verification Transition Validation Operation Maintenance Disposal NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

ISO/IEC/IEEE 15288:201x(E) Systems and software engineering System life cycle processes Nontechnical Processes Project planning Project assessment and control Decision management Risk management Configuration management Information management Measurement Quality assurance Acquisition and Supply Life cycle model management Infrastructure management Portfolio management Human resource management Quality management Knowledge management NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

An example. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

Human Resource Management Process Systems Engineering View The purpose of the Human Resource Management process is to ensure the organization is provided with necessary human resources and to maintain their competencies, consistent with business needs. -- ISO/IEC/IEEE 15288-2008. Reprinted with permission from IEEE, Copyright IEEE 2008, All rights reserved. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20

Human Resource Management Process Systems Security Engineering View Systems security engineering, as part of the Human Resource Management process, defines the criteria for qualification, assessment, and ongoing training of individuals that apply scientific, engineering, and information assurance principles to deliver trustworthy and resilient systems that satisfy stakeholder needs and requirements within their established risk tolerance. -- NIST Special Publication 800-160. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

Systems Security Engineering HR Management Process Outcomes Required system security engineering skills are identified. System security engineering skills are developed, maintained or enhanced. Individuals with system security engineering skills are provided to projects. System security engineering knowledge, skills, and information are collected, shared, reused and improved throughout the organization. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

Human Resource Management Process Security-Related Activities and Tasks HR 1 IDENTIFY SYSTEMS SECURITY ENGINEERING SKILLS HR 1.1 Identify systems security engineering skills needed based on current and expected projects. Supplemental Guidance: The National Cybersecurity Workforce Framework defines various categories and specialty areas of cybersecurity work including systems security engineering and also identifies common tasks and knowledge, skills, and abilities (KSA's) associated with each specialty area. The framework can be used by government, industry, and academia to describe cybersecurity work and workforces, and related education, training, and professional development. The cybersecurity categories include: securely provision; operate and maintain; protect and defend; investigate; collect and operate; analyze; and oversight and development. HR 1.2 Identify systems security engineering skills of organizational personnel and conduct a skills gap analysis. Supplemental Guidance: Comparing the systems security engineering skills of organizational personnel with the skills needed to support current and expected projects can serve to inform training and education requirements and activities. References: National Cybersecurity Workforce Framework: http://csrc.nist.gov/nice/framework. Cybersecurity Framework, Identify Function: http://www.nist.gov/cyberframework. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

SP 800-160 References Section Incorporating by reference and aligning, national and international security standards, guidelines, frameworks, and best practices. 30 ISO/IEC/IEEE 15288 Engineering Process Steps Demonstrating in a transparent and inclusive manner, that multiple security solutions and approaches can be employed to achieve a trustworthy resilient systems. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

SP 800-160 Structure and Content Chapter 1 INTRODUCTION Chapter 2 THE FUNDAMENTALS Chapter 3 THE PROCESSES Appendix A Appendix B Appendix C Appendix D Appendix E Appendix F Appendix G Appendix H Appendix I Appendix J REFERENCES GLOSSARY ACRONYMS SUMMARY OF ACTIVITIES AND TASKS SECURE DESIGN PRINCIPLES AND CONCEPTS SOFTWARE, HARDWARE, AND SYSTEM ASSURANCE INFORMATION SECURITY RISK MANAGEMENT USE CASE SCENARIOS SYSTEM RESILIENCY DOD ENGINEERING PROCESS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25

Some final thoughts. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26

A Winning Strategy To survive in the digital age of total IT dependence Build the Right Solution Meets operational intent Systems Engineering Software Assurance System Life Cycle Testing/Evaluation Trustworthiness Resiliency Design Architecture Acquisition Secure Coding Static Code Analysis Systems Integration Systems Security Engineering Build the Solution Right Meets design intent Cyber Threat A two pronged attack on the threat space Critical Missions and Business Functions Foundation of Components, Systems, Services Continuously Monitor Preserves operational intent over time Security Configurations Ongoing Authorization Separation of Duties Software Patching Traffic Analyses Security State Asset Inventory Network Sensors Incident Response Threat Assessment Situational Awareness Administrative Privileges Vulnerability Assessment Continuously Maintain Preserves design intent over time NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27

Be proactive, not reactive when it comes to protecting your organizational assets from cyber threats. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

Security should be a by product of good design and development practices integrated throughout the organization. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29

Government Security is a team sport. Academia Industry NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31

Contact Information Project Leader 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Administrative Support Dr. Ron Ross Peggy Himes (301) 975-5390 (301) 975-2489 ron.ross@nist.gov peggy.himes@nist.gov LinkedIn http://www.linkedin.com/in/ronrossnist Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) 975-5140 (301) 975-2827 patricia.toth@nist.gov kelley.dempsey@nist.gov Web: csrc.nist.gov Comments: sec-cert@nist.gov NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback