Protecting the Nation's Critical Assets in the 21st Century


Protecting the Nation's Critical Assets in the 21st Century. Dr. Ron Ross, Computer Security Division, Information Technology Laboratory, NIST.

OPM. Anthem BCBS. Ashley Madison.

Houston, we have a problem.

Complexity.

Sharks and glaciers. (Slide graphic: hardware, firmware, software, systems.)

The n+1 vulnerabilities problem. 2013 Defense Science Board study: http://www.acq.osd.mil/dsb/reports/2010s/resilientmilitarysystemscyberthreat.pdf

Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach. Security architecture and design, achieving trustworthiness and resiliency:
- Harden the target.
- Limit damage to the target.
- Make the target survivable.

TACIT Security: Threat, Assets, Complexity, Integration, Trustworthiness. (Merriam-Webster Dictionary, tac.it, adjective: expressed or understood without being directly stated.)

Threat. Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities. Obtain threat data from as many sources as possible. Include external and insider threat analysis.

Assets. Conduct a comprehensive criticality analysis of organizational assets, including information and information systems. Focus on mission/business impact. Use a triage concept to segregate assets by criticality.

Complexity. Reduce the complexity of the information technology infrastructure, including IT component products and information systems. Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure. Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.

Integration. Integrate information security requirements and the security expertise of individuals into organizational development and management processes. Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes. Coordinate security requirements with mission/business owners; become key stakeholders.

Trustworthiness. Invest in more trustworthy and resilient information systems supporting organizational missions and business functions. Isolate critical assets into separate enclaves. Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege).

Risk assessment.

Assets and consequences. Criticality analysis. Identification of high value assets.

Engineer up.

Immediate Action Plan and Resources
- Conduct threat and vulnerability assessments. United States Computer Emergency Readiness Team: https://www.us-cert.gov
- Conduct criticality analysis of information assets. FIPS Publication 199: http://csrc.nist.gov/publications/fips/fips199/fips-pub-199-final.pdf
- Reduce complexity of IT infrastructure. Federal Enterprise Architecture Initiative: https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/common_approach_to_federal_ea.pdf
- Invest in trustworthy IT components and systems. DHS Software and Supply Chain Assurance: https://buildsecurityin.us-cert.gov/swa
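The criticality triage called for on the Assets slide, and the FIPS 199 categorization the action plan pairs it with, can be computed mechanically once each system's information types have provisional impact levels. The following Python is an added example, not code from the presentation or from NIST. It applies the FIPS 199 high-water-mark rule per security objective (confidentiality, integrity, availability) to derive a system's security category, then buckets systems by overall impact so the HIGH set can be treated as candidate high value assets for isolation. The system inventory, information-type names and impact levels are constructed for illustration, and the helper names are the example's own.

```python
"""FIPS 199 security categorization and criticality triage (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# FIPS 199 potential impact levels, ranked for the high-water-mark rule.
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type a system handles, with its provisional impact
    level for each security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject anything outside the three FIPS 199 levels early.
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in IMPACT_RANK:
                raise ValueError(f"{self.name}: invalid {obj} impact {level!r}")


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among levels (FIPS 199 high-water mark)."""
    levels = list(levels)
    if not levels:
        raise ValueError("need at least one impact level")
    return max(levels, key=IMPACT_RANK.__getitem__)


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Security category of a system (FIPS 199 Section 3): for each objective,
    the high-water mark over all information types the system processes."""
    return {obj: high_water_mark(getattr(t, obj) for t in info_types)
            for obj in OBJECTIVES}


def overall_impact(security_category: Dict[str, str]) -> str:
    """Overall impact level: the high-water mark across the three objectives."""
    return high_water_mark(security_category.values())


def triage(systems: Dict[str, List[InfoType]]) -> Dict[str, List[str]]:
    """Bucket systems by overall impact so the HIGH set (candidate high value
    assets) can be isolated into its own enclave and protected first."""
    buckets: Dict[str, List[str]] = {"HIGH": [], "MODERATE": [], "LOW": []}
    for name, info_types in systems.items():
        buckets[overall_impact(categorize_system(info_types))].append(name)
    return buckets


# Constructed inventory for illustration; system names and levels are assumptions.
SAMPLE_SYSTEMS = {
    "benefits-db": [
        InfoType("beneficiary PII", "HIGH", "MODERATE", "MODERATE"),
        InfoType("internal admin records", "LOW", "LOW", "LOW"),
    ],
    "public-website": [
        InfoType("published guidance", "LOW", "MODERATE", "MODERATE"),
    ],
    "cafeteria-menu": [
        InfoType("menu", "LOW", "LOW", "LOW"),
    ],
}

if __name__ == "__main__":
    for name, types in SAMPLE_SYSTEMS.items():
        sc = categorize_system(types)
        print(f"{name}: SC = {sc}, overall = {overall_impact(sc)}")
    print("triage:", triage(SAMPLE_SYSTEMS))
```

The high-water mark is deliberately conservative: one HIGH-confidentiality information type on a shared database pulls the whole system to HIGH, which is exactly the argument for segregating critical assets into separate enclaves rather than co-hosting them with low-impact data.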

Important NIST Security and Privacy Pubs
- Cybersecurity Framework
- NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations
- NIST Special Publication 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy
- NIST Special Publication 800-160: Systems Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
- NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Some final thoughts.

The ultimate objective for security: institutionalize. Operationalize.

Leadership. Governance. Accountability.

Security is a team sport: government, industry, academia.

Ron Ross, 100 Bureau Drive, Mailstop 7730, Gaithersburg, MD USA 20899-7730
Email: ron.ross@nist.gov
Mobile: (301) 651.5083
LinkedIn: www.linkedin.com/in/ronross-cybersecurity
Twitter: @ronrossecure
Web: csrc.nist.gov
Comments: sec-cert@nist.gov
We are here to help you be more secure.