Risk-Based Cyber Security for the 21 st Century

Similar documents
TACIT Security Institutionalizing Cyber Protection for Critical Assets

NIST SP , Revision 1 CNSS Instruction 1253

Cybersecurity: Trust, Visibility, Resilience. Tom Albert Senior Advisor, Cybersecurity NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

Evolving Cybersecurity Strategies

New Guidance on Privacy Controls for the Federal Government

Building More Secure Information Systems

The Future of Cyber Security NIST Special Publication , Revision 4

Rethinking Cybersecurity from the Inside Out

NIST Security Certification and Accreditation Project

Protecting the Nation s Critical Assets in the 21st Century

Cybersecurity & Privacy Enhancements

The NIST Cybersecurity Framework

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

TEL2813/IS2820 Security Management

Security by Default: Enabling Transformation Through Cyber Resilience

Guide for Assessing the Security Controls in Federal Information Systems

Defining IT Security Requirements for Federal Systems and Networks

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

QuickBooks Online Security White Paper July 2017

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Security Management Models And Practices Feb 5, 2008

Framework for Improving Critical Infrastructure Cybersecurity

TEL2813/IS2621 Security Management

Ensuring System Protection throughout the Operational Lifecycle

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Cyber Hygiene: A Baseline Set of Practices

Building an Assurance Foundation for 21 st Century Information Systems and Networks

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

NCSF Foundation Certification

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

NIST s Industrial Control System (ICS) Security Project

DHS Cybersecurity: Services for State and Local Officials. February 2017

Information Technology Branch Organization of Cyber Security Technical Standard

INFORMATION ASSURANCE DIRECTORATE

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Section One of the Order: The Cybersecurity of Federal Networks.

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

Information Security Controls Policy

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Altius IT Policy Collection Compliance and Standards Matrix

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

align security instill confidence

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

CCISO Blueprint v1. EC-Council

NW NATURAL CYBER SECURITY 2016.JUNE.16

Altius IT Policy Collection Compliance and Standards Matrix

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Security+ SY0-501 Study Guide Table of Contents

Cybersecurity Overview

Office of Infrastructure Protection Overview

National Policy and Guiding Principles

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Consolidation Committee Final Report

Security and Architecture SUZANNE GRAHAM

Cyber Security Strategy

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Protecting your data. EY s approach to data privacy and information security

Security Standards for Electric Market Participants

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Information Security Continuous Monitoring (ISCM) Program Evaluation

Cybersecurity Risk Management

Statement for the Record

Information Technology General Control Review

NEN The Education Network

Appendix 12 Risk Assessment Plan

Ransomware. How to protect yourself?

The Common Controls Framework BY ADOBE

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

K12 Cybersecurity Roadmap

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

The Office of Infrastructure Protection

Appendix 12 Risk Assessment Plan

ISRAEL NATIONAL CYBER SECURITY STRATEGY IN BRIEF

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cybersecurity Risk Management:

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

ISA 201 Intermediate Information Systems Acquisition

Security and Privacy Governance Program Guidelines

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

OA Cyber Security Plan FY 2018 (Abridged)

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

The Office of Infrastructure Protection

SFC strengthens internet trading regulatory controls

NIST Special Publication

Supporting the Cloud Transformation of Agencies across the Public Sector

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Security Architecture

Transcription:

Risk-Based Cyber Security for the 21 st Century 7 th Securing the E-Campus Dartmouth College July 16, 2013 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

The seeds of information security and privacy in the digital age, were planted in United States Constitution over two centuries ago NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

The United States Constitution WE THE PEOPLE of the United States, in Order to form a more perfect Union, establish Justice, ensure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

The Current Landscape. It s a dangerous world in cyberspace NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

What do we worry about? Hostile cyber attacks. Natural disasters. Structural failures. Human errors of omission or commission. Conventional Threats NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

Advanced Persistent Threat An adversary that Possesses significant levels of expertise / resources. Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception). Establishes footholds within IT infrastructure of targeted organizations: To exfiltrate information. Undermine / impede critical aspects of a mission, program, or organization. Position itself to carry out these objectives in the future. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

Unconventional Threats What should we worry about? Connectivity Complexity Culture NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

The federal cyber security strategy Build It Right, Continuously Monitor NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

The First Front. What we have accomplished NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

Joint Task Force Transformation Initiative In 2012, completed development of comprehensive security guidelines that can be adopted by all federal agencies including the national security community. Flexible and extensible tool box includes: An enterprise-wide risk management process. State-of-the-practice, comprehensive, security controls. Risk management framework. Risk assessment process. Security control assessment procedures. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

Unified Information Security Framework The Generalized Model Unique Information Security Requirements The Delta Intelligence Community Department of Defense Federal Civil Agencies C N S S Private Sector State/Local Govt Common Information Security Requirements Foundational Set of Information Security Standards and Guidance Risk management (organization, mission, information system) Security categorization (information criticality/sensitivity) Security controls (safeguards and countermeasures) Security assessment procedures Security authorization process National security and non national security information systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

Unified Information Security Framework NIST Special Publication 800-39 Managing Information Security Risk: Organization, Mission, and Information System View NIST Special Publication 800-30 Guide for Conducting Risk Assessments NIST Special Publication 800-37 Applying the Risk Management Framework to Federal Information Systems NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication 800-53A Guide for Assessing the Security Controls in Federal Information Systems and Organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

The Second Front. What we need to accomplish NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

We need to build our security programs like NASA builds space shuttles using the integrated project team concept.. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

A New Approach for Information Security Work directly with executives, mission/business owners and program managers. Bring all stakeholders to the table with a vested interest in the success or outcome of the mission or business function. Consider information security requirements as mainstream functional requirements. Conduct security trade-off analyses with regard to cost, schedule, and performance requirements. Implement enforceable metrics for key executives. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

Complexity. Ground zero for our current problems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

If we can t understand it we can t protect it NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

Enterprise Architecture Consolidation. Optimization. Standardization. And the integration of information security requirements Ø Reduces the size and complexity of IT infrastructures, promotes good information security and privacy, and can potentially lower costs (significantly) for organizations. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

What can we do to change course? Simplify, Specialize, and Integrate NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20

Increasing Strength of IT Infrastructure Simplify. Reduce and manage complexity of IT infrastructure. Use enterprise architecture to streamline the IT infrastructure; standardize, optimize, consolidate IT assets. Specialize. Use guidance in SP 800-53, Rev 4 to customize security plans to support specific missions/business functions, environments of operation, and technologies. Develop effective monitoring strategies linked to specialized security plans. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

Increasing Strength of IT Infrastructure Integrate. Build information security requirements and controls into mainstream organizational processes including: Enterprise Architecture. Systems Engineering. System Development Life Cycle. Acquisition. Eliminate information security programs and practices as stovepipes within organizations. Ensure information security decisions are risk-based and part of routine cost, schedule, and performance tradeoffs. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

Think strategic. Execute tactical NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

Managing risk. Doesn t mean fixing everything ü Frame ü Assess ü Respond ü Monitor NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

STRATEGIC (EXECUTIVE) RISK FOCUS Communicating and sharing risk-related information from the strategic to tactical level, that is from the executives to the operators. TIER 1 Organization (Governance) Communicating and sharing risk-related information from the tactical to strategic level, that is from the operators to the executives. TIER 2 Mission / Business Process (Information and Information Flows) TIER 3 Information System (Environment of Operation) TACTICAL (OPERATIONAL) RISK FOCUS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25

Risk Tolerance. How you know when to stop deploying security controls NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26

Risk Management Framework SP 800-137 MONITOR Security State Continuously track changes to the information system that may affect security controls and reassess control effectiveness. SP 800-37 AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Starting Point FIPS 199 / SP 800-60 CATEGORIZE Information System Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. Security Life Cycle SP 800-39 SP 800-53A ASSESS Security Controls FIPS 200 / SP 800-53 SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. SP 800-70 / SP 800-160 IMPLEMENT Security Controls Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27

Defense-in-Depth Links in the Security and Privacy Chain: Security and Privacy Controls ü Risk assessment ü Security planning, policies, procedures ü Configuration management and control ü Contingency planning ü Incident response planning ü Security awareness and training ü Security in acquisitions ü Physical and personnel security ü Security assessments and authorization ü Continuous monitoring ü Privacy protection ü Access control mechanisms ü Identification & authentication mechanisms (Biometrics, tokens, passwords) ü Audit mechanisms ü Encryption mechanisms ü Boundary and network protection devices (Firewalls, guards, routers, gateways) ü Intrusion protection/detection systems ü Security configuration settings ü Anti-viral, anti-spyware, anti-spam software ü Smart cards Adversaries attack the weakest link where is yours? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

Resilience. The only way to go for critical missions and information systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29

Dual Protection Strategies Sometimes your information systems will be compromised even when you do everything right Boundary Protection Primary Consideration: Penetration resistance. Adversary Location: Outside defensive perimeter. Objective: Repel the attack. Agile Defense Primary Consideration: Information system resilience. Adversary Location: Inside defensive perimeter. Objective: Operate while under attack, limit damage, survive. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30

Agile Defense Boundary protection is a necessary but not sufficient condition for Agile Defense. Examples of Agile Defense measures Compartmentalization and segregation of critical assets. Targeted allocation of security controls. Virtualization and obfuscation techniques. Encryption of data at rest. Limiting privileges. Routine reconstitution to known secure state. Bottom Line: Limit damage of hostile attack while operating in a (potentially) degraded or debilitated state NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31

And after we build it right. What next? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32

Continuous Monitoring Determine effectiveness of risk responses. Identify changes to information systems and environments of operation. Verify compliance to federal legislation, Executive Orders, directives, policies, standards, and guidelines. Bottom Line: Increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 33

Necessary and Sufficient Security Solutions Cyber Security Hygiene COUNTING, CONFIGURING, AND PATCHING IT ASSETS Strengthening the IT Infrastructure ARCHITECTURE, ENGINEERING, AND SYSTEM RESILIENCY Has your organization achieved the appropriate balance? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 34

The bottom line. If adversaries own your information system They own your intellectual property and your national secrets They own your identity They own you. And you have lost your freedom. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 35

Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Project Leader Administrative Support Dr. Ron Ross Peggy Himes (301) 975-5390 (301) 975-2489 ron.ross@nist.gov peggy.himes@nist.gov Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) 975-5140 (301) 975-2827 patricia.toth@nist.gov kelley.dempsey@nist.gov Arnold Johnson (301) 975-3247 arnold.johnson@nist.gov Web: csrc.nist.gov/sec-cert Comments: sec-cert@nist.gov NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback