Building Secure Systems

Similar documents
MINIMUM SECURITY CONTROLS SUMMARY

Altius IT Policy Collection Compliance and Standards Matrix

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Altius IT Policy Collection Compliance and Standards Matrix

Cyber Protections: First Step, Risk Assessment

K12 Cybersecurity Roadmap

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Designing and Building a Cybersecurity Program

Because Security Gives Us Freedom

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Four Deadly Traps of Using Frameworks NIST Examples

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

CIT 480: Securing Computer Systems. Putting It All Together

Using Metrics to Gain Management Support for Cyber Security Initiatives

INFORMATION ASSURANCE DIRECTORATE

BYOD. Transformation. Joe Leonard Director, Secure Networks. April 3, 2013

SAC PA Security Frameworks - FISMA and NIST

The New Security Heroes. Alan Paller

CSAM Support for C&A Transformation

Les joies et les peines de la transformation numérique

Exposing The Misuse of The Foundation of Online Security

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

ENTS 650 Network Security. Dr. Edward Schneider

Automating the Top 20 CIS Critical Security Controls

Ransomware. How to protect yourself?

Security Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015

Establishing a Credible Cybersecurity Program. September 2016

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

How Breaches Really Happen

Mohammad Shahadat Hossain

NIST Special Publication

Art of Performing Risk Assessments

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Building Resilience in a Digital Enterprise

NW NATURAL CYBER SECURITY 2016.JUNE.16

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

DOT/DHS: Joint Agency Work on Vehicle Cyber Security

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

ISE North America Leadership Summit and Awards

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

WHO AM I? Been working in IT Security since 1992

CyberSecurity: Top 20 Controls

SYSTEMS ASSET MANAGEMENT POLICY

Evolving Cybersecurity Strategies

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

Ingram Micro Cyber Security Portfolio

Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

TIPS FOR AUDITING CYBERSECURITY

CND Exam Blueprint v2.0

CloudCheckr NIST Matrix

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Engineering Your Software For Attack

Fiscal Year 2013 Federal Information Security Management Act Report

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

Cybersecurity Today Avoid Becoming a News Headline

Information Security Policy

Syllabus:))AIT)671)0)Information)Systems)Infrastructure)Lifecycle) Management)

NIST CyberSecurity Framework+ Brian Ventura SANS Community Instructor ISSA Portland, Director of Education Information Security Architect, City of

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Cyber Security 2010 THE THREATS! THE FUTURE!

CONTINUOUS VIGILANCE POLICY

NIST SP , Revision 1 CNSS Instruction 1253

CoreMax Consulting s Cyber Security Roadmap

Security Metrics and Their Importance

CCISO Blueprint v1. EC-Council

Systems Security Engineering: A Framework to Protect Hardware Down to the Last Tactical Inch

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Information Technology General Control Review

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

AWS alignment with Motion Picture of America Association (MPAA) Content Security Best Practices Application in the Cloud

CYBER SECURITY AND MITIGATING RISKS

NIST (NCF) & GDPR to Microsoft Technologies MAP

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

ISACA Arizona May 2016 Chapter Meeting

VIVOTEK. Security Hardening Guide

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

NEN The Education Network

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

INFORMATION ASSURANCE DIRECTORATE

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

TRAINING CURRICULUM 2017 Q2

Designing & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)

Continuous Monitoring Strategy & Guide

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

External Supplier Control Obligations. Cyber Security

How to Develop Key Performance Indicators for Security

Transcription:

Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company.

Antony Selim - Bio 1997 B.S. in Engineering and a B.S. in Physics from Harvey Mudd College (HMC) 1998 Masters in Engineering from HMC with an emphasis in Communication Theory Licensed Professional Engineer (PE) in the State of California Electrical Engineering Certified Information System Security Professional (CISSP) 1997-Pesent Raytheon Company in Fullerton, California First 8 years working on wireless communication systems More recently working on the security of large integrated computer systems and the networks that support them 11/13/15 2

So what s the problem? Government organizations and major businesses are frequently being compromised 2015 June, U.S. Office of Personnel Management (OPM) 2015 February, Anthem 2014 November, Sony 2014 September, Home Depot 2014 July, JPMorgan Chase 2014 May, ebay 2014 April, Michaels 2014 January, Target 2013 October, Adobe 2011 March, RSA These breaches have several impacts Loss of Intellectual Property (IP) Paying for credit monitoring for customers Class-action lawsuits from customers Damage to reputation = Loss of business 11/13/15 3

How do we begin to address this problem? Designed and build computing systems and networks with security in mind Secure by design, not as an afterthought Consider a two pronged approach Follow robust processes for the development of secure systems Utilize people who are well trained in cyber security 11/13/15 4

Robust Processes for the Development of Secure Systems National Institute of Standards and Technology (NIST) Risk Management Framework (SP 800-37) Security Controls (SP 800-53) Risk Assessment (SP 800-30) Supply Chain Risk Management (SP 800-161) System Security Engineering (SP 800-160) SANS Institute 20 Critical Security Controls for Effective Cyber Defense The Mitre Corporation Common Weakness Enumeration (CWE) Common Vulnerabilities and Exposure (CVE) 11/13/15 5

Risk Management Framework SP 800-37 Governing document for the overall design, development, assessment and authorization of a secure system within the context of an organization References many of the other documents 11/13/15 6

Security Controls SP 800-53 18 Control Families Each family has dozens of controls (eg. AC-24, IA-11, PS-4) Security Architecting should consider each of these controls ID FAMILY ID FAMILY AC Access Control MP Media Protection AT Awareness and Training PE Physical and Environmental Protection AU Audit and Accountability PL Planning CA Security Assessment and Authorization PS Personnel Security CM Configuration Management RA Risk Assessment CP Contingency Planning SA System and Services Acquisition IA Identification and Authentication SC System and Communications Protection IR Incident Response SI System and Information Integrity MA Maintenance PM Program Management 11/13/15 7

Risk Assessment SP 800-30 Step-by-step guide How to prepare for risk assessments How to conduct risk assessments How to communicate risk assessment results How to maintain the risk assessments over time Identification of threats External Internal Determination of asset criticality Evaluation of currently deployed controls Effectiveness Pervasiveness Assessment of residual risks 11/13/15 8

Supply Chain Risk Management SP 800-161 Supplier Interface Assessment of supplier computing system and network Access controls on supplier access to buyer s system Monitoring or supplier interface (email, VPN) Supplied Hardware Inspection and testing Determine providence (origin along with the history) Implement configuration control Detect counterfeit parts Supplied Software Evaluation and testing Commercial Off The Shelf (COTS) software Free and Open Source Software (FOSS) Determine providence Implement configuration control and maintenance plans Detect software defects Detect malicious code insertion 11/13/15 9

System Security Engineering SP 800-160 System Engineering Process with a focus on Security Requirements definition Requirements analysis Architectural design Implementation Integration Verification Transition Validation Operation Maintenance Disposal 11/13/15 10

SANS Top 20 Critical Security Controls for Effective Cyber Defense An alternative list of Security Controls to consider when Security Architecting CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Controlled Use of Administrative Privileges CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs CSC 7: Email and Web Browser Protections CSC 8: Malware Defenses CSC 9: Limitation and Control of Network Ports, Protocols, and Services CSC 10: Data Recovery Capability CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches CSC 12: Boundary Defense CSC 13: Data Protection CSC 14: Controlled Access Based on the Need to Know CSC 15: Wireless Access Control CSC 16: Account Monitoring and Control CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps CSC 18: Application Software Security CSC 19: Incident Response and Management CSC 20: Penetration Tests and Red Team Exercises 11/13/15 11

Mitre Databases Common Weakness Enumeration (CWE) List of poor software coding structures/practices CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Common Vulnerabilities and Exposure (CVE) List of known product vulnerabilities CVE-2014-0160: Heartbleed CVE-2014-6271: ShellShock CVE-2014-3566: Poodle 11/13/15 12

Developing Well Trained People Certified Information Systems Security Professional (CISSP) Administered by International Information System Security Certification Consortium (ISC) 2 Most widely recognized 8 security domains Security and Risk Management Asset Security Security Engineering Communications and Network Security Identity and Access Management Security Assessment and Testing Security Operations Software Development Security Certified Ethical Hacker Administered by EC-Council General user training Security Awareness Briefings 11/13/15 13

Jobs at Raytheon General website http://www.raytheon.com/ General jobs website http://jobs.raytheon.com/ Cyber website http://www.raytheoncyber.com/ Cyber jobs website http://www.rtncyberjobs.com/ Includes cyber challenges on the website 11/13/15 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback