How to get from laws to technical requirements

Transcription

1 How to get from laws to technical requirements And how the OPM hack relates technology, policy, and law June 30, 2015 Isaac Potoczny-Jones

2 Galois, Inc. Overview Outline! OPM Breach What s it all about How cybersecurity policy becomes technical requirements Recent cybersecurity bills that came through congress What are the challenges for all these laws Page 2

3 OPM Hack Page 3

4 Galois, Inc. Overview OPM Breach What happened! March 2014: Chinese hackers attack OPM but it was Thwarted November 2014: OIG says, as they ve said before, that OPM is insecure and doesn t use multi-factor authentication December 2014: Discovery of Chinese hackers breach of KeyPoint Passwords to OPM network stolen December 2014: Chinese hackers breach OPM At some point: OPM updates its security and monitoring tools April 2015: OPM discover the December breaches June 2015: FBI Director Corney says 18 million people are affected Page 4

5 Galois, Inc. Overview OPM Breach What was disclosed! Job title and sensitivity Social security numbers of the applicant and their family members Current and prior names, addresses, and phone numbers Physical description and possibly fingerprints School history and graduation information Employment history and employer contact information List of friends, relatives, and associates with their contact information Details on current and former spouses and marital status Details on children and their addresses Mental health diagnosis and treatment history Police and court records Drug and alcohol habits Details on bankruptcy, debt delinquencies, and liens Page 5

6 Galois, Inc. Overview OPM Breach What s the impact! This was the most significant breach of federal networks in U.S. history Rep. Michael McCaul, Chairman - House Homeland Security Committee Targeting people who have access to sensitive information Blackmail Stealing credentials Identity theft Punishment of foreign contacts Page 6

7 Galois, Inc. Overview OPM Breach Predictability! The OPM Office of Inspector General analyzed their security in major systems are not considered secure enough to exist No agency-wide configuration management No comprehensive inventory of servers, databases, network devices No vulnerability scanning program Known vulnerabilities are not fixed Multi-factor authentication not in place No consequences for these failures Also, for other reports: Agency had no IT security staff until 2013 Data not encrypted 20 year old COBOL systems Page 7

8 How a law becomes a technical requirement Page 8

9 Galois, Inc. Overview FISMA! How a law becomes a technical requirement! 2002 The Federal Information Security Management Act (FISMA) FISMA Says: OMB gets to provide oversight Each federal agency must implement cybersecurity standards NIST gets to set the technical security standard that defines the law Page 9

10 Galois, Inc. Overview So NIST Creates the RMF! The Risk Management Framework Often known as NIST Page 10

11 Galois, Inc. Overview NIST RMF Summary! Page 11

12 Galois, Inc. How Overview NIST RMF Works An Example! Let s say you have a very sensitive database of personal information STEP 1: Determine how sensitive it is There s a doc for that: FIPS 199 Low, Moderate, or High Page 12

13 Galois, Inc. Overview How much impact to loss of C.I.A.?! Low = Limited Degraded mission Minor damage Minor financial loss Minor harm to ppl Moderate = Serious Significant mission impact Significant damage Significant financial loss Significant harm to ppl But not loss of life High = Severe or Catastrophic Can t perform mission Major damage Major financial loss Severe harm to ppl Loss of life or life threatening injuries Page 13

14 Galois, Inc. Overview Impact: What does OIG say?! High = Severe or Catastrophic Can t perform mission Major damage Major financial loss Severe harm to ppl Loss of life or life threatening injuries Page 14

15 Galois, Select Inc. Overview Security Controls NIST ! A huge and impressive collection of security mitigations Ranked by Low, Moderate, High. Page 15

16 Galois, Inc. Overview Example Control Selection! Multi-Factor Authentication! IA-2 Identification and Authentication The system uniquely identifies and authenticates users Enhancements: (1) MFA for network access for privileged accounts (2) MFA for network access for non-privilege accounts (3) MFA for local access to privileged accounts (4) MFA for local access to non-privileged accounts Page 16

17 Galois, Security Inc. Overview Controls: What does OIG say?! OIG Audit: Multi-factor authentication is not required to access OPM systems Washington Post: "The breach of OPM s network occurred through the theft of login and password data for an employee of KeyPoint Government Solutions, an OPM contractor, sometime before last October, officials said." Page 17

18 Galois, Inc. Overview Authorization to Operate! If the authorizing official, after reviewing the authorization package deems that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable, an authorization to operate is issued for the information system Page 18

19 Galois, Inc. Overview Authorization: What does OIG say?! OIG Audit: Eleven major OPM information systems are operating without a valid Authorization. This represents a material weakness in the internal control structure of OPM s IT security program. Page 19

20 Galois, Inc. Overview OPM Hack - Summary! OPM holds the most personal imaginable information About millions of people With access to the most sensitive information in the world The law says that OPM should implement technical standards Including multi-factor authentication (MFA) OIG said in 2014 that they are insecure and didn t have MFA They knew their contractor credentials were breached in Dec They realized in March 2015 that their own networks were breached 18 million peoples security clearance data is stolen by a foreign nation Page 20

21 Cybersecurity Legislation Page 21

22 Galois, Cybersecurity Inc. Overview Bills: Types of legislation! Requirements to secure critical infrastructure Optional cyber threat information sharing Government -> Companies Companies -> Government Immunity for companies sharing information Limiting surveillance / hacking tools (CFAA, Wassenaar) Surveillance laws PATRIOT Act Requirements to inform customers of attacks Mandatory backdoors in consumer products Increased penalties for hacking Increased anti-piracy / intellectual property laws Page 22

23 Galois, Inc. Overview Recent Cybersecurity Bills! COICA (2010) - Combating Online Infringement and Counterfeits Act PIPA ( ) - PROTECT IP Act SECURE-IT (2012) - Strengthening and Enhancing Cybersecurity SOPA ( ) - Stop Online Piracy Act The one w/ big protests CISPA ( ) - Cyber Intelligence Sharing and Protection Act CISA (2014) - Cybersecurity Information Sharing Act Page 23

24 Galois, Inc. What s Overview the problem with these bills?! No laws proposed that require organizations to be secure Threat information sharing with the government is a privacy risk Any information-sharing legislation that lacks adequate privacy protections is not simply a cybersecurity bill, but a surveillance bill by another name - Senator Wyden Intellectual property shouldn t be considered a cybersecurity issue Page 24

25 Galois, Inc. Overview Cybersecurity Bills: Crystal Ball! Increased requirements to secure critical infrastructure Why? An administration priority; it s already required for contractors Optional cyber threat information sharing with limited immunity Why? Congress has been trying to pass this for years Limiting export and sale of 0-Days and Intrusion Software Why? Draft rules already passed PATRIOT Act bulk data collection expired May 31 But some provisions still in place Page 25

26 Users Protected from cyber attack, terrorists and illegal surveillance Access to legal security technology Industry held accountable Protect users from attackers Protect national security Legal framework for intercept Reelection Government Free sites, apps, content Personal info kept confidential Limited financial risk Personal info: Marketing Mediocre security: Costs Limit liability: Risk Hide attacks: Brand Protect users with crypto Resist regulation: Costs Maintain access to PII Industry Tension: Privacy vs. Profit Tension: Security vs. Surveillance Tension: Regulation vs. Growth Protect industry with law (e.g. CFAA, CISA) Protect users with regulation (e.g. HIPAA) Encryption challenges Backdoors for lawful intercept Protect national security interests User PII Botnets Intellectual property Identity theft Financial theft Other nations interests Espionage Cyber war Attackers

27 Galois, Inc. Overview Conclusions! The OPM hack is an enormous failure of policy, law, and technology Current cybersecurity laws are focused only on threat sharing It s not clear to me that real cybersecurity laws will help anyway We need to find a way to break the logjam of competing interests Page 27

28 Galois, Inc. Overview Thank you!! Isaac Potoczny-Jones Page 28