Protecting the Nation's Critical Assets in the 21st Century
Dr. Ron Ross, Computer Security Division, Information Technology Laboratory

OPM. Anthem BCBS. Ashley Madison.
Houston, we have a problem.
Complexity.

Sharks and glaciers. (Diagram layers: hardware, systems, firmware, software.)
The n+1 vulnerabilities problem. 2013 Defense Science Board Study http://www.acq.osd.mil/dsb/reports/2010s/resilientmilitarysystemscyberthreat.pdf
Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach.
Security Architecture and Design: harden the target.
System: limit damage to the target.
Achieving Trustworthiness and Resiliency: make the target survivable.

TACIT Security: Threat, Assets, Complexity, Integration, Trustworthiness.
Merriam-Webster Dictionary: tac.it, adjective, expressed or understood without being directly stated.

Threat
Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber attacks that exploit specific organizational vulnerabilities.
Obtain threat data from as many sources as possible.
Include external and insider threat analysis.

Assets
Conduct a comprehensive criticality analysis of organizational assets, including information and information systems.
Focus on mission/business impact.
Use a triage concept to segregate assets by criticality.

Complexity
Reduce the complexity of the information technology infrastructure, including IT component products and information systems.
Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.
Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.

Integration
Integrate information security requirements and the security expertise of individuals into organizational development and management processes.
Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.
Coordinate security requirements with mission/business owners; become key stakeholders.

Trustworthiness
Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.
Isolate critical assets into separate enclaves.
Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege).
Risk assessment.

Assets and consequences. Criticality analysis. Identification of high value assets.

Engineer up.

Immediate Action Plan and Resources
Conduct threat and vulnerability assessments. United States Computer Emergency Readiness Team: https://www.us-cert.gov
Conduct criticality analysis of information assets. FIPS Publication 199: http://csrc.nist.gov/publications/fips/fips199/fips-pub-199-final.pdf
Reduce complexity of IT infrastructure. Federal Enterprise Architecture Initiative: https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/common_approach_to_federal_ea.pdf
Invest in trustworthy IT components and systems. DHS Software and Supply Chain Assurance: https://buildsecurityin.us-cert.gov/swa

Important NIST Security and Privacy Pubs
Cybersecurity Framework
NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations
NIST Special Publication 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy
NIST Special Publication 800-160: Systems Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Some final thoughts.

The ultimate objective for security: institutionalize. Operationalize.

Leadership. Governance. Accountability.

Security is a team sport. Government. Academia. Industry.

Ron Ross
100 Bureau Drive, Mailstop 7730, Gaithersburg, MD USA 20899-7730
Email: ron.ross@nist.gov
Mobile: (301) 651.5083
LinkedIn: www.linkedin.com/in/ronross-cybersecurity
Twitter: @ronrossecure
Web: csrc.nist.gov
Comments: sec-cert@nist.gov
We are here to help you be more secure.