What REALLY matters in Cyber? RE: Internet of things, privacy security and beyond
Slide 1: ISC2 with IEEE Cyber
What REALLY matters in Cyber? RE: Internet of things, privacy security and beyond
Not sure HOW it can affect you (as it HAS already)? AND what is it that we have to do MORE of??? COMPLEXITY
Circa 2015
Mike Davis [email protected]
ElectEngr / MSEE, CISSP & CISO, SysEngr
ISSA / ISC2 / SOeC / AFCEA / NDIA / IEEE / INCOSE / et al
(easy button)
Bottom line: as in ALL things, it is mostly about the value proposition!
Slide 2: What's Wrong With This Security?
The issues / gaps therein are where the cyber opportunities are!!!
When a capability is invisible, like IA, safety, reliability, etc., what you see is not the whole picture!
"The gates were fully locked, properly configured and validated. I could not get through them. But..."
Thus cyber can be an illusion.
Slide 3: Cutting through the CyberSecurity Fog!
B.L.U.F. (Bottom Line Up Front)
- The threats are very real, and the news shows only a small percentage. It does not just happen to the other guy: YOU WILL be / ARE affected.
- You can not buy cyber security; you must manage cyber's many parts. The standard IA / Security suite is pretty good IF maintained well in operation.
- Focus on business risk reduction and minimizing legal liabilities. Adequate cyber protections are but one part; so is cyber insurance.
- The P6 principles still apply (being prepared), with strategic partnerships. Few can afford to go it alone: TEAM up & use a managed security service.
- Don't fix cracks in the cyber walls while the barn door is open! Keeping your cyber suite well maintained cuts incidents by 95%.
Slide 4: OK, so what does matter in Cyber?
- CYBER is fundamentally all about TRUST and DATA (identity, authentication, secure comms; provenance, quality, pedigree, assured).
- It's NOT about expensive new cyber capabilities / toys but more about the interoperability glue (distributed trust, resiliency, automation, profiles).
- 90+% of security incidents are from lack of doing the basics!
- USE effective Security Continuous Monitoring (SCM / SIEM), a MUST DO! With enforced cyber hygiene, enterprise access control, & reduced complexity (APLs).
- Shift from only protecting the network to the DATA security itself (information-centric view).
- Embrace your Risk Management Plan (RMP): LIVE IT! Have an enforceable security policy (what is allowed / not) and train to it.
- KNOW your baseline. Protect the business from the unknown risks as well.
- Employ a due-diligence level of security, then transfer residual risks!
You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% reduction in security incidents: stabilize the environment!
Slide 5: So then, what MUST we DO? (MY TOP TEN - well, to at least the first / second order effect, the 95% level!)
Follow the SANS Top 20 and NSA Top 10 mitigations AND map your security mitigations into the NIST SMB security guide (NISTIR 7621).
1 - KNOW your baseline from several views / aspects:
- Keep track of your HW / SW assets and their versions / status, as you can't manage what you don't know. Document what your secure baseline is, then monitor it.
- Maintain the cyber suite (hygiene, settings, patches, etc.; automate where possible) and enforce strict access control: implement least privilege, use two-factor authentication on key data / equipment (especially on sensitive data / critical cyber capabilities), two-person control on key assets, limit PC-to-PC / peer-to-peer comms, minimize privileged accounts, etc.
- Make it hard for hackers to get in and get around; this is JOB ONE: effective firewall rules (deny all, with explicit exceptions; monitor traffic going in AND out), segment the networks, tighten / lock down the browser (where around 80% of all malware comes in, and over SSL/TLS it bypasses inspection by your cyber suite unless you decrypt and inspect), and don't allow users / non-admins to install anything on any end-user device!
2 - Encrypt, encrypt, encrypt (and have a really good key management program too, as that's the real key).
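Item 2 says key management is "the real key". The Go program below is an example added by the editor, not code from the original deck: it shows the envelope-encryption pattern that makes key rotation workable in practice. Each record is encrypted under its own data key (DEK); the DEK is wrapped under a key-encryption key (KEK); rotating the KEK only re-wraps the small DEKs rather than re-encrypting the data. The KeyStore type is a stand-in for an HSM / KMS, the KEK IDs and the "customer record" plaintext are invented for illustration, and the KEK ID is bound as AES-GCM associated data so a wrapped DEK cannot be quietly re-attributed to another key version.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope: record sealed under a per-record DEK, DEK wrapped under a KEK.
type Envelope struct {
	KEKID      string // KEK version that wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=KEKID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyStore stands in for an HSM/KMS; the zero value is ready after Rotate().
type KeyStore struct {
	keks    map[string][]byte // KEK versions by ID; retired ones are deleted
	current string            // KEK used for new envelopes
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never continue with short key material
	}
	return b
}

// Rotate adds a new current KEK; old versions stay until explicitly retired.
func (ks *KeyStore) Rotate() string {
	if ks.keks == nil {
		ks.keks = map[string][]byte{}
	}
	ks.current = fmt.Sprintf("kek-%x", random(8))
	ks.keks[ks.current] = random(32)
	return ks.current
}

// Retire destroys a KEK version; rewrap every envelope under it first.
func (ks *KeyStore) Retire(id string) { delete(ks.keks, id) }

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // only 32-byte keys from random() reach here
	aead, _ := cipher.NewGCM(block)
	return aead
}

func seal(key, plaintext, aad []byte) []byte { // nonce || ct || tag
	aead := newGCM(key)
	nonce := random(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) { // tag verified by GCM
	aead := newGCM(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt: fresh DEK per record, wrapped under the current KEK with the KEK
// ID as associated data so a wrapped DEK cannot be re-attributed.
func (ks *KeyStore) Encrypt(plaintext []byte) *Envelope {
	dek := random(32)
	return &Envelope{
		KEKID:      ks.current,
		WrappedDEK: seal(ks.keks[ks.current], dek, []byte(ks.current)),
		Ciphertext: seal(dek, plaintext, nil),
	}
}

// unwrap recovers the DEK; it fails if the envelope's KEK has been retired.
func (ks *KeyStore) unwrap(env *Envelope) ([]byte, error) {
	if kek, ok := ks.keks[env.KEKID]; ok {
		return open(kek, env.WrappedDEK, []byte(env.KEKID))
	}
	return nil, fmt.Errorf("KEK %q not available (retired?)", env.KEKID)
}

func (ks *KeyStore) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := ks.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

// Rewrap moves an envelope to the current KEK; bulk ciphertext is untouched.
func (ks *KeyStore) Rewrap(env *Envelope) error {
	dek, err := ks.unwrap(env)
	if err != nil {
		return err
	}
	env.KEKID = ks.current
	env.WrappedDEK = seal(ks.keks[ks.current], dek, []byte(ks.current))
	return nil
}
```

The lifecycle a key management program has to enforce is Rotate, then Rewrap every envelope still under the old version, then Retire. Retire shows the failure mode: a record whose KEK was destroyed before it was rewrapped is unrecoverable, so rewrap completion must be tracked, not assumed. Because the nonce is random and the tag covers the KEK ID, any tampering with the ciphertext or with the wrapped DEK's attribution is rejected at decrypt time.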
Slide 6: So then, what MUST we DO? (cont.)
3 - Use approved IA / cyber products
- Only buy off the NIAP / NSA / DISA lists of Approved / Preferred items (APLs).
- Minimizes your product complexity... and they come with C&A / A&A / V&V security pedigrees too!
4 - Effective SCM / SIEM / monitoring capability
- Watch for unusual behavior and keep track of key cyber settings, DNS, etc.
- And user actions too (humans, when monitored, always behave better).
5 - IDS / IPS (signatures) AND anomaly detection capability
- Watch for insider threats while monitoring both incoming AND outgoing traffic.
- Application whitelisting works and is not hard to do; put developers (who must run unapproved code) in an isolated sandbox.
6 - DLP / DRM / data tracking capability
- Follow the data; complement SCM; support a continuous audit (risk) approach.
Slide 7: So then, what MUST we DO? (cont.)
All these capabilities exist, are sold by many vendors, and are not hard to buy, use, and monitor. To build your own effective defense-in-depth / breadth cyber ecosphere, see our plan too!
7 - User awareness and education / training
- Make it personal; targeted (JIT) info to user types; even make it fun / make a game of it.
8 - Add in a little OSINT too (open source intelligence)
- Know who might be targeting you and the methods they would use against you.
- Join your sector ISACs, etc. to be aware of the threats and common mitigations.
9 - Risk Management Plan is essential
- RMP must integrate and support the business success factors / line managers!
- RM has many moving parts to account for, so write them down (see following slide).
10 - Get Cyber Insurance
- Part of risk management: transfer risks, but know what IS (and is not) included.
Slide 8: Security Main Factors
Given ALL the NIST / NSA / DISA guidance (see back-ups), what MUST WE DO?
- Implement the NIST "absolutely necessary" elements first and foremost to protect your data (encryption and backups).
- Effective passwords are still the bane of basic security, and policy is still poor! (Tokens / two-factor authentication should be used for critical data / processes.)
- Securing the client, fortifying the browser, buying trusted business apps and services, where the browser / client is THE largest malware entry point!
- Minimal security suite: antivirus, firewall, IDS, VPN, ISP / wireless security.
- Monitoring tools need to manage CM / hygiene, track users / data, provide alerts (SCM / SIEM) and support preplanned SOPs / IRP / BCP / COOPs, etc.
- Enforce a living security policy: quantify actual risks, strict need to know, DATA protection (encryption, keys, and access control), minimize IP loss (DLP).
- A robust and adaptive security strategy = risk management plan (RMP) to keep pace with the fast-evolving nature of IT security, including cloud services / SLAs, etc.
Our Cyber Security operator course collates all these guides and maps.
Slide 9: The Integrated Business RM Approach - making the Risk Management Plan (RMP) work!
Elements feeding the RMP:
- Company Vision (business success factors)
- Security Policy (mobile, social media, etc.)
- C&A / V&V (effective / automated)
- Known Baseline (security architecture)
- CMMI / Sustainment (SOPs / processes)
- Insider Threat
- Company Intel (open source, FB, etc.)
- SCM / SIEM (monitor / track / mitigate)
- Privacy by Design (manage PII, HIPAA, compliance)
- MSS / CISO (3rd-party IV&V support)
- Data Centric Security (DLP, reputation-based methods)
- Cyber insurance (broker & legal counsel)
- Education / Training (targeted, JIT, needs-based)
Common business RMP model (re: RMF / COBIT & Risk IT) AND using the NIST Cybersecurity Framework (re: CAR / ESA).
Slide 10: Complexity of Enterprise IT Systems is Increasing
AND so is the associated Cyber Security, from sensor to cloud! So, what is good enough security? Follow the DATA: where is it, who has it, how sure are you?
Slide 11: What's new in cyber, and what matters?
Sensor + WiFi = device. Things -> systems, machines, equipment, and devices, all connected to each other: RFID, Apps, MEMS, WSN, sensors, SCADA, PLC, ASIC, API, etc., etc.
Is all this stuff secure? How much is needed? COMPLEXITY is everywhere, where sensors dominate. Where / how does privacy fit in IoT?
The Internet of Things (IoT) is not really new. IoT requires ALL the cyber protections we already know - and still need to implement!
Slide 12: Gartner's 2013 Hype Cycle for Emerging Technologies
How do we prove end-to-end security? Everything connected to everything? Comms secure? What is an adequate / due-diligence level of security??? Automation = machines in control? M2M secure? Pervasive new technologies? Built secure?
CYBER is all about SECURE technologies, DATA and communications! ALL the technologies need built-in security = secure data, comms & privacy!
Slide 13: Cyberspace Characteristics
All of the warfighting - and related business - domains intersect, in relation to other mission areas run by different Communities Of Interest (COI): C2, banking / retail, CIP / infrastructure, IA / security, manufacturing, communications.
- The cyberspace domain is contained within and transcends the others; cyberspace is a blend of exclusive and inclusive ties.
- Frequently the COI boundaries / MOAs are implicit. These Venn connections / COIs are pervasive.
- Numerous, dynamic COIs dominate relationships, adding complexity, comms & control overhead, and causing cross-domain / COI DATA sharing effects.
Do NOT underestimate this aspect; it affects the CONTROLS needed for privacy!
Slide 14: What are KEY cyber elements? (and what can we reasonably expect to influence / affect?)
Fundamental issues (givens?)
- Threats are elusive / morph, so plan / mitigate around consequences (aka a fault tree).
- KISS, as complexity is our enemy: do the basics well (hygiene, anonymity, etc.).
- In a connected world, it's the shared vulnerabilities that will get you / ALL of us.
- They have an asymmetrical advantage; plan with it (and they don't follow the rules / laws).
- WE ALL need common, homogeneous security protection in a heterogeneous world.
Essential gaps / needs (tenets?)
- Invest in the OSD / NSA R&D / S&T gap capabilities, as authoritative sources.
- Apply trade-offs / assessments using a common end-state (an open / ubiquitous world).
- Use an enterprise risk management plan (RMP), and FOCUS on proactive SCM!
- If you can't integrate it into your IT / network environment, then it is useless.
- Minimize what you don't know you don't know, & get cyber insurance.
"If you don't know where you're headed, any blind alley will do", where the bad actors continue to count on US ALL not being in sync.
Slide 15: Cyber requires enterprise integration
"Things" are only the stuff; we need to accommodate all IT / IA aspects! Systems / capabilities are characterized by their boundaries, where interfaces / controlling parameters / PPSM are key.
IoE = IoT + people, process, policy and DATA.
Slide 16: Things must communicate
Number of directed paths between n things = n(n-1), which grows quadratically with the number of things (100 million devices already give about 10^16 pairs): tens of thousands of trillions of communication paths!
Are ALL of them using secure channels? Data protected? Adequate authentication? No covert paths established?
Securing low-bandwidth channels requires optimal cryptographic algorithms, adequate key management systems, and security protocols that connect all these devices.
Slide 17: Threat Vectors of Interest (examples)
- Mobile devices and wireless: always predicted, yet proliferates in 2014. Increasing Android Trojans, digital wallets, USER-provided network services / access points! Wireless security issues expand (besides WiMAX, to Zigbee, Z-Wave, ARM, etc.). BYOD has many more hidden costs, legalities and risks than it appears at first.
- Cyber crime: easy money, minimal downside and growing (ransomware, etc.). Illicit cyber revenues have essentially equaled all illegal drug trafficking dollars.
- The insider threat is much more impactful than given credit for. Consider compromised services and computing devices of all kinds (aka supply chain security), with improved social engineering attacks and stealth exfiltration techniques, etc.
- Verizon Data Breach Report (2012): MOST breaches avoidable! 96% of attacks not difficult; 85% took weeks to discover (average is 416 days); 92% discovered by a third party; 85-97% of data breaches / security incidents avoidable through simple or intermediate controls.
- Forbes, "The Biggest Cybersecurity Threats": social engineering; APTs; internal threats; BYOD; HTML5; botnets; & targeted malware.
- AND cloud security: pretty good; SLAs are not enough, but ISPs / data centers are better than most.
Mobile devices and cloud infrastructure hacking are two of the biggest attack vectors in crime / terrorism in 2014 and beyond.
Slide 18: Threat Vectors of Interest (cont.)
- SSL / XML / web (HTML5) / browser vulnerabilities will proliferate. Browsers remain a major threat vector (80%; encrypted sessions bypass the IA suite) & watering holes. JAVA / VM / active code MUST be strictly managed / controlled / under CM.
- Convergence of data security and privacy regulation worldwide... Compliance gets pervasive (PCI DSS, HIPAA, etc.)... Shift focus to privacy by design!
- Data security goes to the cloud, where security due diligence is more than SLAs!
- IPv6 transition will provide threat opportunities.
- Data Loss Prevention (DLP) is still needed. Containment is the new prevention (folks now get the "resilience" aspect...).
- Nation-sponsored hacking: when APT meets industrialization. More targeted custom malware (Stuxnet -> Duqu / and Flame are only the beginning).
- Misanthropes and anti-socials / hacktivism morphs: ANYONE can do it now!
- Full-time incident response needed: COOP, forensics, reporting, etc., etc.
- Monitoring and analysis capability increase, but not enough (re: near-real-time forensics & chain-of-custody evidence). Continuous monitoring is KEY (re: SCM / SIEM).
MUCH to consider in the threat equation, and it's always changing. Hence why you must ALSO practice consequence risk management.
Slide 19: Verizon Data Breach Investigations Report - DBIR (2014)
10-year series; 63,437 incidents, 1,367 confirmed breaches, 95 countries. A huge sample size! This includes YOUR business category too!!!
WHAT: 92% of incidents are described by just nine patterns; a shift from geopolitical attacks to large-scale attacks on payment card systems.
Sectors (incidents): Public (47,479), Information (1,132) and Finance (856).
Threat patterns highlighted: POS intrusions, web app attacks, cyber espionage, card skimmers, insider misuse, crimeware.
Mitigations (HYGIENE factors):
- Restrict remote access
- Enforce password policies
- Minimize non-POS activity on those terminals
- Deploy A/V (everywhere, POS too)
- Evaluate threats to prioritize treatments
- Look for suspicious network activity
- Use two-factor authentication
See also Ponemon Institute's cyber report: key threats from cost-based activities are malware, malicious insiders and web-based attacks. Forbes lists these: social engineering; APTs; internal threats; BYOD; HTML5; botnets; & targeted malware.
We have met the cyber enemy, and they are US(ers).
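Two of the hygiene factors above, "look for suspicious network activity" and "restrict remote access", together with the anomaly detection called for in item 5 of the top ten, are the kind of detection an SCM / SIEM should run continuously. The Go program below is an example added by the editor; it is not from the deck or from Verizon. It parses OpenSSH authentication lines from a constructed sample log (hostnames, usernames and addresses are invented, the addresses taken from documentation ranges) and applies three rules: a sliding-window brute-force rule, a username-spray rule, and a "success after brute force" rule that flags the case that matters most, the attacker getting in. The window and thresholds are assumptions to tune for your own environment.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is one parsed authentication record.
type Event struct {
	When    time.Time
	Host    string
	User    string
	Source  string // remote IP
	Success bool
}

// Alert is one detection; Rule names which heuristic fired.
type Alert struct {
	Rule, Source, Detail string
}

// Matches OpenSSH "Accepted ..." / "Failed ... for [invalid user] USER from IP" syslog
// lines. The syslog timestamp carries no year, so the caller supplies one.
var sshdRE = regexp.MustCompile(
	`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+) port \d+`)

func ParseLog(log string, year int) []Event {
	var events []Event
	for _, line := range strings.Split(log, "\n") {
		m := sshdRE.FindStringSubmatch(line)
		if m == nil {
			continue // not an auth outcome line (PAM chatter, blank, etc.)
		}
		ts, _ := time.Parse("Jan _2 15:04:05", m[1]) // format guaranteed by the regex
		events = append(events, Event{When: ts.AddDate(year, 0, 0), Host: m[2],
			Success: m[3] == "Accepted", User: m[4], Source: m[5]})
	}
	return events
}

// Detect runs, in time order: bruteforce (>= threshold failures from one source
// within window), spray (one source tried spreadUsers distinct usernames), and
// success-after-bruteforce (a login succeeds from an already flagged source).
func Detect(events []Event, window time.Duration, threshold, spreadUsers int) []Alert {
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	fails := map[string][]time.Time{}    // sliding window of failure times per source
	users := map[string]map[string]bool{} // distinct usernames tried per source
	flagged := map[string]bool{}
	var alerts []Alert
	for _, e := range events {
		if e.Success {
			if flagged[e.Source] {
				alerts = append(alerts, Alert{"success-after-bruteforce", e.Source,
					fmt.Sprintf("%s logged in to %s at %s", e.User, e.Host, e.When.Format(time.Stamp))})
			}
			continue
		}
		if users[e.Source] == nil {
			users[e.Source] = map[string]bool{}
		}
		users[e.Source][e.User] = true
		if len(users[e.Source]) == spreadUsers {
			alerts = append(alerts, Alert{"spray", e.Source, fmt.Sprintf("%d distinct usernames tried", spreadUsers)})
		}
		w := append(fails[e.Source], e.When)
		for len(w) > 0 && e.When.Sub(w[0]) > window {
			w = w[1:] // drop failures that fell out of the window
		}
		fails[e.Source] = w
		if len(w) >= threshold && !flagged[e.Source] {
			flagged[e.Source] = true
			alerts = append(alerts, Alert{"bruteforce", e.Source, fmt.Sprintf("%d failures within %s", len(w), window)})
		}
	}
	return alerts
}

// Constructed sample log (not captured from a real system).
const SampleLog = `Mar  3 09:59:58 bastion sshd[1999]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Mar  3 10:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  3 10:00:03 bastion sshd[2002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  3 10:00:05 bastion sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
Mar  3 10:00:07 bastion sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2
Mar  3 10:00:09 bastion sshd[2005]: Failed password for backup from 203.0.113.7 port 40005 ssh2
Mar  3 10:00:12 bastion sshd[2006]: Accepted password for backup from 203.0.113.7 port 40006 ssh2
Mar  3 10:15:30 bastion sshd[2100]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar  3 10:15:41 bastion sshd[2101]: Accepted publickey for alice from 198.51.100.20 port 51001 ssh2`

func main() {
	for _, a := range Detect(ParseLog(SampleLog, 2015), 5*time.Minute, 5, 4) {
		fmt.Printf("%-25s %-15s %s\n", a.Rule, a.Source, a.Detail)
	}
}
```

On the sample, 203.0.113.7 trips spray (four usernames), then bruteforce (five failures inside five minutes), then success-after-bruteforce when "backup" finally logs in; alice's single mistyped password followed by a key login produces nothing. The same sliding-window logic applies to RDP, VPN or web login logs once a parser for that format is substituted.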
Slide 20: Yes, it really is ALL about the DATA* (*and TRUST!)
2020 Data Vision (courtesy of Dan Green / SPAWAR): Themes and Memes (technology vs technology adoption)
- Convergence = Genomics, Robotics, Informatics, Nanotech (each a $B+ market)
- CBAD = Cloud, Big Data, Analytics, Data Science (are you all-in?)
- Telematics = sensing robotics, Cyber Physical Systems (will kids need to learn to drive?)
- Interactive 3D = Augmented Reality, HTML5, Three.js (3D graphics for WebGL)
- Embedded Computing = ehpc, Tessel (microcontroller / JavaScript), programmable hardware
- LBS = Location Based Services, IPS, beaconing, NFC
- IoT = Internet of Things, M2M, Quantified Self
- Mobilization = preparation for conflict / competition, autonomy, the draft
- STEM = Science Technology Engineering Math, Generation NOW, old dogs (YOU)
It's a data-centric world; thus we need Privacy by Design (PbD).
Meme: an idea, behavior, or style that spreads from person to person within a culture.
Slide 21: What does a simple IA / Cyber vision / end-state look like? AND what are the requirements?
Cyber is ALL about TRUST, rules / MOAs & state. KEY C-I-A entities / touch points: things, comms, the cloud.
IoT = things + comms AND DATA: assured / pedigree / provenance? Privacy satisfied?
A cyber end-state stresses encapsulation using secure communications (cf. object-oriented programming).
Slide 22: NSPD-54 / HSPD-23: CNCI - 12 Initiatives in three focus areas
Focus Area 1 - Establish a front line of defense:
- Trusted Internet Connections
- Deploy passive sensors across federal systems
- Pursue deployment of intrusion prevention systems
- Coordinate and redirect R&D efforts
- Connect current centers to enhance situational awareness
Focus Area 2 - Resolve to secure cyberspace / set conditions for long-term success:
- Develop gov't-wide counterintelligence plan for cyberspace
- Increase security of the classified networks
- Expand education
- Define and develop enduring leap-ahead technologies, strategies & programs
- Define and develop enduring deterrence strategies & programs
Focus Area 3 - Shape future environment / secure U.S. advantage / address new threats:
- Manage global supply chain risk
- Define federal role for cybersecurity in critical infrastructure domains
Cyber efforts must synchronize with federal investments. The HARD part is implementing enterprise integration, interoperability and controlling emergent behavior, which can affect most focus areas.
Slide 23: DoD Cyber Priority Steering Council (PSC) S&T / R&D Roadmap - What matters?
Key capability gaps / areas (4+1):
- Support essential business success functions
- Autonomous responses and C3 tools
- Environment is robust and self-healing
- Mixed trust levels in heterogeneous space
- Cyber M&S and experimentation (cross-cutter)
(Source: Cyber PSC PA-releasable briefing, November 2012.)
Gaps are not things / capabilities but integration and interoperability!
Slide 24: KEY Enabling Technology Areas (by value / need)
High: Distributed Trust; Resilient Architectures; Response and Cyber Maneuver; Visualization and Decision Support
Medium: Component Trust; Detection and Autonomic Response; Recovery and Reconstitution
Low: Advanced Cross-Domain Solutions; Advanced Cryptography; Quantum Computing, Comms, and Crypto; Biometrics; Code Verification and Compliance; Correct (Assured) by Construction Software; Deception and Information Hiding; Human Factors and Training; Malware / Forensics Analysis and Reverse Engineering; Resilient Infrastructure and Comms; Scientific Theory and Measures; Sensing and Data Fusion; Software Pedigree and Provenance
CYBER is fundamentally about distributed trust / assured DATA / secure messaging! Additional specificity / details and needs / gaps in back-up.
Slide 25: Strategic Cyber Elements
(1) Collaborate on a common enterprise IA / cyber strategy and vision: policy mapped to prioritized capabilities with assigned resources = good enough / cyber sufficiency!
(2) Develop a common overall enterprise risk assessment (ERA) approach that accounts for both significant threat vectors AND vulnerability consequences -> key mitigations; use the NIST RMF (Risk Management Framework, SP 800-37) weighted across the 12 CNCI initiatives.
(3) Align and synchronize resources and cyber gaps / initiatives across federal & commercial organizations and tier 1 - tier 3 architecture perspectives (IT & cyber are ONE).
(4) Address the pervasive lack of basic cyber hygiene enterprise-wide within the complete life-cycle aspects of an organization's people, processes and products (technology); enforce a scalable, global access control model that preserves least privilege and attenuated delegation (ZBAC).
(5) Reduce complexity - build a trusted cyber infrastructure: use APLs along with the existing IA / CND infrastructure, as an integrated SoS with enforced CM; thus optimize our overall cyber package and ensure synchronization and RESILIENCY!
(6) Better integrate / leverage education and proactive defense (and IO); stealth offense is best left to law enforcement and qualified federal entities (or escalation / retaliation will occur).
Top-down approach to a balanced, prioritized cyber execution plan.
Slide 26: SO just what are we trying to orchestrate?
An integrated Cyber Defense in Depth / Breadth (DiD) EcoSphere: using dynamic lag and lead feedback, establish proactive, dynamic CND / IA defense.
- Inputs / sensors: Cyber I&W, NMS / security management tools, insider threats, defensive assessments, incident results, SA (sensors, CNA/E inputs, OpSec, intel, etc.), users & CoC, threats, IA & CND (IDS / IPS, DLP, etc.), V&V / C&A, I&W / SCM, CERT / FBI, Red Teams, Virtual Storefront.
- Predictive feedback (leading indicators): with big data / predictive analytics / SIEM (near real-time!), change soft settings (takes seconds to minutes).
- Forensic feedback (lagging indicators): takes days to months; drives upgrades (developed & installed).
All PbD capabilities (including IoT) must be well integrated into the cyber system.
Slide 27: Building a Trusted Cyber Infrastructure
= an adequately assured, affordable, net-centric environment (built from disparate heterogeneous capabilities that we must integrate into a homogeneous cyber ecosphere!)
Focus on a few core capabilities & devices (PC, routers, IA suite, servers, & SANs), all with access control, plus the standard IA / CND suite: FW, A/V, IDS / IPS, CDS, VPN, crypto, key mgmt, security policy. All connections / communication paths need assured identity, authentication & authorization.
Diagram components with their Evaluation Assurance Level (EAL) labels:
- Security monitor: EAL 6
- WAN router, IA suite, core router (assured IOS): various EAL, EAL 4-5
- Servers (secure OS kernel, secure virtual machine, strict access / ZBAC): EAL 4 (HW / FW)
- Distribution router, network devices, SANs (data-centric security, defensive I&W, strict access / ZBAC): EAL 5-6
- PC / end-user devices, ALL OSes (MS, Mac, Unix), RFID, MEMS, WSN, sensors, ICS / SCADA, etc. (secure OS, TSM, HBSS, ZBAC): EAL 3-4
Make IA / CND / security a commodity: use & enforce IA building blocks = APLs / PPLs -> NIAP. Interoperability and composability are built in upfront and help dramatically reduce complexity and ambiguity, thus establishing known risks & pedigrees: reduces attack surface, risks & TOC = baseline for PbD & IoT!
Slide 28: IA / Cyber and DATA must be built E2E!
WE have a natural hierarchy in our enterprise IT / network environment, where complexities arise in the numerous interfaces and many-to-many communication paths typically involved in end-to-end (E2E) transactions. AND people and processes TOO!
How does the DATA move, and what are the privacy protections / controls at each layer?
Layers (innermost to outermost): DATA -> Apps / services -> HW / SW / FW -> CCE -> Network -> SoS -> Enclave -> Site -> Enterprise
Each sub-aggregation is responsible for the data / controls within its boundaries and also inherits the controls of its environment, where we need to formalize the reciprocity therein! Thus the DATA, IA / cyber controls, interfaces and profiles in each element / boundary must be quantified / agreed to upfront!
Slide 29: Notional Data Centric Architecture (DCA) iso the required privacy needs
- IA / security / cyber (e.g., defense in depth (DiD)) supports quality / assured data (with a pedigree / provenance).
- Cyber must be preserved in the full data AND capabilities life-cycle.
- Must accommodate BOTH in-house and cloud IA controls / inheritance.
What IA / security capabilities are needed for the DATA itself? How does the DATA move about?
Stack elements: DATA; storage; services; apps; business logic; middleware (OMG / DDS); transport; host / device; FW / IDS / IPS; reputation-based security; behavior monitoring; SCM (continuous monitoring).
Must account for the four Vs: Volume, Variety, Velocity and Veracity. Data is either at rest, being processed, OR in transit.
A PbD cyber model translates the data 4 Vs into privacy attributes and controls.
Slide 30: DCA major elements
- Data-centric architecture (DCA) decouples designs and simplifies communication while increasing capability and easing system evolution.
- DCA can link systems of systems into a coherent whole, using an open standard: OMG DDS. Transports, operating systems, and other location details do not need to be known, allowing adaptation to performance, scalability, and fault-tolerance requirements.
- Define and modularize DCA components = create specifications (capabilities and profiles): DCPS, DDSI, DataReader, DataWriter, Pub / Sub.
- Java, mobile code, widgets, storage SW, middleware, services, ESB, etc. all also have cyber security aspects built in.
- Use OMG DDS as a reference AND the data schema / tagging authoritative sources.
SECURE DCA services = Data Centric Security (DCS).
Slide 31: DCA / DCS Overall Construct (need to V&V that security is built in / adequate in services)
Services on the DATA bus (DDS middleware infrastructure & DCS services): web services, event processing, database, workflow engine, ESB, legacy bridge, other services / capabilities.
DCS properties: data-to-user authentication; signed / secure applications; protected communications; authoritative / assured DBs; virtual private data-stores (e.g., VPNs); cryptographic boundaries for isolation; target Java and .NET for enterprise stacks.
+ Standard IA / CND / security suite = IA devices = firewall, A/V, IDS / IPS, crypto / key management, & VPN
+ Network infrastructure = CCE = common core computing / network environment, with IA-enabled devices
A PbD cyber model must map the data methods, controls, & services into privacy aspects.
Slide 32: Data centric services and cloud evolution: ownership and security
PaaS objective for combined / hybrid environments (with premise and cloud). Layers, top to bottom: Application, Data, Middleware, OS, Virtualization, CPU/Storage, Networking.
- On-premises (pre-cloud): you manage all layers.
- Infrastructure as a Service (cloud v1): vendor manages Networking, CPU/Storage, Virtualization; you manage OS, Middleware, Data, Application.
- Platform as a Service (cloud v2): vendor manages Networking, CPU/Storage, Virtualization, OS, Middleware; you manage Data, Application.
- Software as a Service: vendor manages all layers.
Securing the data & application layers can inoculate them from lower-layer risks.
Slide 33: Cyber Security is Complex from a Technical Perspective
What factors must be addressed in PbD? Which ones are inherent in the IA / CND / Cyber suite? (Terms from an IBM security brief): DAC, Token, Kerberos, HIPAA, VPN, Trusted OS, Wireless, Thin Clients, SSL, FIPS, XML Gateways, Compliance, SOX, IPSEC, Biometrics, SaaS, PKI, H/W Crypto, Digital Certificate, Guards, Hardening, Secure Blades, Secure Collaboration, Cloud, RSBAC.
Slide 34: +++ Cyber Model for PbD +++
Data Centric Security (DCS) enabling PbD, added on top of the IA / CND / Security cyber suite:
+ Data encryption end-to-end, focused on services / applications (PaaS model)
+ Multi-factor authentication: add time, location, etc. (re: RAdAC end-state)
+ Security policy management: automated, serving multiple avatar levels in PbD
+ Application engineering: common model for services, apps, phones, APIs, etc.
Monitoring, tracking, assessment = SCM / SIEM, DLP / RBS, R-T C&A / V&V, etc. (AND an integrated AI / smart correlation / POA&M tool mapped to NIST Cybersecurity Framework functions / tiers)
Standard IA / CND suite = IA devices = firewall, A/V, IDS / IPS, crypto / key management, & VPN
Typical network infrastructure = CCE = common core computing environment (with IA-enabled devices properly set up: operating systems, database management systems, network management systems and web browsers)
Use existing products in each "+" capability; we have several favorites ;-)
Slide 35: Key Tactical Thrusts to DO Now (YES! 95+%)
- COMMON national cyber security approach / end-state
- Consequence-based enterprise risk assessment (don't chase threats)
- Dynamic cyber enterprise management (enforced hygiene)
- KEY capability: security continuous monitoring (SCM) (can't manage what you can't measure)
- Top-down enforcement of IA / Cyber architecture
- Secure enterprise access control / ENFORCE least privilege (re: ZBAC) / Cyber IFF
- Common enterprise trust model (and implement TPMs, etc.)
- Reduce complexity: use APLs / VPLs / IA building blocks with pedigrees
- USE SCM to manage your IA / cyber suite quasi-real-time, with SME help!
- Effective lifecycle education and training: targeted training, user awareness and IA / cyber SMEs (who manage it all)
95% security incident reduction: high-impact activities get us all moving quickly.
Slide 36: What is Cyber Hygiene? (and the HUGE percentage of security incidents caused by lack of it)
- National Security Agency (NSA) (80-85%): per the NSA IAD director, just improving the IA management aspects of security (aka hygiene factors) will reduce security incidents by over 80%. IA management = CM, monitoring environment, following SOPs.
- Verizon (2012 Data Breach Investigations Report) (up to 97%): report covered 855 incidents, 174 million compromised records. Breaches almost entirely avoidable through simple or intermediate controls. Threats: 98% from external agents, 81% used hacking, 69% used malware.
- Navy (our red team / NCDOC) (over 90%): poor accountability factors = willful misuse, lack of CM (& IAVA / patches), not having / following procedures, weak enforcement of policy, etc. They must spend all their time / resources fixing the easy vulnerabilities.
HYGIENE = maintaining / monitoring your IA / security / cyber equipment settings, as any incorrectly set cyber capability makes it much less effective!
Slide 37: Cyber Hygiene: the many faces of neglect
Our IA / CND / Security cyber suite is quite good IF maintained!
- Equipment settings (FW, A/V, IDS, etc.): monitor / enforce
- Maintain cyber suite: patches, upgrades, etc. (compliance is not the same as security)
- Social media: content & settings; restrict sharing / privileges
- Standard operating procedures (SOPs): USE / enforce them
- Incident reporting: no incident too small; notify US-CERT / FBI
- Know your security baseline AND employ SCM / SIEM
- Controlled access: enforce least privilege; separate / rotate duties
- Privacy and PII: enforce policy (note: the EU is stricter)
- Security awareness: reinforce at ALL levels; incentivize good vs bad
Will lack of cyber hygiene continue to put you at MUCH greater risk? You cannot buy cyber security (assuming you have an adequate IA / CND / Security / Cyber suite); YOU must manage cyber: actually DO it and verify it!
Slide 38: Security Continuous Monitoring (SCM)
What is SCM anyway?
- SCM is ongoing observance with intent to provide warning. An SCM capability is the ongoing observance and analysis of the operational states of systems to provide decision support regarding situational awareness and deviations from expectations.
- SCM is a risk management approach to cybersecurity that maintains a picture of an organization's security posture, provides visibility into assets, leverages automated data feeds, monitors the effectiveness of security controls, and enables prioritization of remedies.
- An enterprise SCM technical reference model exists (based on the Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS) Reference Architecture Report).
What good is it? MANY ROI benefits: real-time awareness of security posture, cyber benchmarking, complements audit / compliance efforts, improves cyber performance, reduces risk exposure, and simplifies risk management overall. Third-party IV&V monitors of hygiene AND potential new threats!
WHO does this now; where do I go for help? DISA and DHS have efforts in play already (DHS is funding continuous monitoring as a service, CMaaS). The State Department DID early SCM several years ago and reduced C&A costs by over 90%. SCM is mandated for government entities (FISMA / DoD CIO / DHS / others).
SCM is a cyber / risk management tool and provides added due diligence; stopping short of a "get out of jail free" card, it keeps you from being the low-hanging fruit!
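The first item of the top ten ("document what your secure baseline is, then monitor it") and the SCM definition above ("deviations from expectations", "prioritization of remedies") describe one loop, and the Go program below shows it end to end. It is an example added by the editor, not from the deck, DHS or any CAESARS implementation: it holds a documented baseline of weighted controls, compares it with what a configuration scan reported for each host, treats a control the scan did not report as a deviation rather than a pass, and rolls the result into a per-host risk score so remediation can be ordered. The control names, weights, hostnames and sudoers content are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Control is one item of the documented secure baseline: the value a setting
// (or file digest) must have, and how much a deviation from it weighs.
type Control struct {
	ID       string
	Expected string
	Weight   int // 1 (cosmetic) .. 10 (critical)
}

// Deviation is one difference between the baseline and a host's scan.
type Deviation struct {
	Host, ControlID, Expected, Observed string
	Weight                              int
}

// Digest turns file content into a comparable baseline value.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Compare lists every control whose scanned value differs from the baseline,
// highest weight first. A control the scan did not report counts as a
// deviation ("absent"): an unreported setting is an unknown, not a pass.
func Compare(baseline []Control, host string, scan map[string]string) []Deviation {
	var devs []Deviation
	for _, c := range baseline {
		got, ok := scan[c.ID]
		if !ok {
			got = "absent"
		}
		if got != c.Expected {
			devs = append(devs, Deviation{host, c.ID, c.Expected, got, c.Weight})
		}
	}
	sort.SliceStable(devs, func(i, j int) bool { return devs[i].Weight > devs[j].Weight })
	return devs
}

// RiskScore sums deviation weights so one critical drift outranks several
// cosmetic ones when remediation is prioritised across hosts.
func RiskScore(devs []Deviation) int {
	score := 0
	for _, d := range devs {
		score += d.Weight
	}
	return score
}

// Constructed sample data; not from a real scan.
var approvedSudoers = []byte("root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n")

var SampleBaseline = []Control{
	{"fw.default_policy", "DROP", 9},
	{"ssh.password_auth", "no", 8},
	{"sudoers.sha256", Digest(approvedSudoers), 8},
	{"patch.level", "2015-03", 7},
	{"browser.java_plugin", "disabled", 7},
	{"av.enabled", "yes", 6},
	{"user.local_admin", "no", 5},
}

var SampleScans = map[string]map[string]string{
	"ws-17": { // workstation: SSH passwords allowed, Java plug-in on
		"fw.default_policy": "DROP", "ssh.password_auth": "yes",
		"sudoers.sha256": Digest(approvedSudoers), "patch.level": "2015-03",
		"browser.java_plugin": "enabled", "av.enabled": "yes", "user.local_admin": "no",
	},
	"srv-db-02": { // server: sudoers gained an unapproved NOPASSWD line
		"fw.default_policy": "DROP", "ssh.password_auth": "no",
		"sudoers.sha256": Digest([]byte(string(approvedSudoers) + "bob ALL=(ALL) NOPASSWD:ALL\n")),
		"patch.level": "2015-03", "browser.java_plugin": "disabled",
		"av.enabled": "yes", "user.local_admin": "no",
	},
	"ws-22": { // agent reported nothing about AV or the browser
		"fw.default_policy": "DROP", "ssh.password_auth": "no",
		"sudoers.sha256": Digest(approvedSudoers), "patch.level": "2015-03",
		"user.local_admin": "no",
	},
}

func main() {
	for host, scan := range SampleScans {
		devs := Compare(SampleBaseline, host, scan)
		fmt.Printf("%s risk=%d\n", host, RiskScore(devs))
		for _, d := range devs {
			fmt.Printf("  [%d] %s expected %q observed %q\n", d.Weight, d.ControlID, d.Expected, d.Observed)
		}
	}
}
```

Hashing file-backed controls (here the sudoers file) is what catches the silent privilege grant on srv-db-02 that a simple setting check would miss; treating "absent" as a deviation is what stops a broken or tampered agent on ws-22 from reporting a clean host. Feeding the per-host score into the SIEM as a metric turns the slide's "known baseline" into something that can be trended and alerted on.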
Slide 39: Mobile Security perspective
Check Point's global survey of 768 IT professionals, conducted in the United States, Canada, United Kingdom, Germany, and Japan, gathered data about current mobile computing trends. Key issue / risk findings:
- Extensive use of mobile devices connecting to corporate networks: 89% have mobile devices such as smartphones or tablets connecting to corporate networks; Apple iOS is the most common mobile platform used to connect in corporate environments.
- Personal mobile devices that connect to corporate networks are extensive and growing: 65% allow personal devices to connect to corporate networks; 78% have more than twice as many personal devices on corporate networks vs 2 years ago.
- Security risks are on the rise because of mobile devices: 71% say mobile devices have contributed to increased security incidents; the Android mobile platform is considered to introduce the greatest security risks.
- Employee behavior impacts security of mobile data (BYOD is NOT cheap): --% report customer data is stored on mobile devices; lack of employee awareness about security policies ranked as the greatest impact on data security; 72% say careless employees are a greater security threat than hackers.
Contrast that 75%+ of users with personal devices with the percentage of employers who have a coordinated and comprehensive mobile security strategy in place (10%), and you see the problem.
*** NSA/CSS Mobility Capability Package = architecture / certification: a MUST DO ***
Mobile / wireless are HUGE threat entry points!
40 GAO report on mobile vulnerabilities

KEY risks / concerns:
- Mobile devices often do not have passwords enabled.
- Two-factor authentication is not always used when conducting sensitive transactions.
- Wireless transmissions are not always encrypted.
- Mobile devices may contain malware.
- Mobile devices often do not use security software.
- Operating systems may be out of date.
- Software / patches on mobile devices may be out of date.
- Mobile devices often do not limit Internet connections.
- Many mobile devices do not have firewalls to limit connections.
- Mobile devices may have unauthorized modifications (known as "jailbreaking" or "rooting").
- Communication channels / Bluetooth may be poorly secured.

--- BYOD is NOT cheap ---

Major protection methods:
- Enable user authentication
- Enable two-factor authentication for sensitive transactions
- Verify the authenticity of downloaded applications
- Install antimalware and a firewall
- Install security updates
- Remotely disable lost or stolen devices
- Enable encryption for data on any device or memory card
- Enable whitelisting (on phones too!)
- Establish a mobile device security policy
- Provide mobile device security training
- Establish a deployment plan
- Perform risk assessments
- Manage hygiene = configuration control and management
41 Cloud Security Factoids

The cloud security challenges are principally based on:
a. Trusting the vendor's security model
b. Customer inability to respond to audit findings
c. Obtaining support for investigations
d. Indirect administrator accountability
e. Proprietary implementations that can't be examined
f. Loss of physical control

Shift from only protecting the network, to protecting the DATA itself (e.g., data-centric security)!

Areas that will mature soon, enhancing enterprise risk management (re: Gartner):
- Consensus on what constitutes the most significant risks
- Cloud services certification standards
- Virtual machine governance and control (orchestration)
- Enterprise control over logging and investigation
- Content-based control within SaaS and PaaS
- Cloud security gateways, security "add-ons" based in proxy services

Cloud Security Alliance (CSA) nine critical threats:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

We recommend following both the NIST and CSA cloud guidance, AND an overall, enterprise, end-to-end risk management approach (e.g., RMF & FedRAMP).
42 Cloud Security Summary

* Security in the cloud is likely better than you have in-house
* Security is the SAME everywhere; WHO does which IA controls is what changes
* Don't sell "cloud"; offer security capabilities instead, as end-to-end services
* Few are 100% "all in", hence TWO environments to manage
* ALL must use the same cloud security standards (with QA in the SLA)
* Implement SCM / SIEM; integrate cloud metrics / status (and QA the SLAs)
* Service Level Agreements (SLAs) are not sufficient: trust but verify (orchestration software?)
* Encrypt everywhere. Yes, more key management, but risks are greatly reduced
* Data owners are always accountable for PII / privacy / compliance (and data location)
* Update the Risk Management Plan (RMP): comms, COOP, and cloud roles & responsibilities (R&R)

For more details see the paper "Cloud Security: What really matters?" (under "Cyber Body of Knowledge").
43 Integration, execution is everything: if you can't implement well, it costs you everywhere!!!

The quantitative benefits of systems integration and interoperability (I&I) are:
1. Shorter / reduced steps in business processes
2. Time taken to process one application / record
3. Fewer complaints from members of the public
4. Number of applications / records processed over a period
5. Fewer complaints from end users
6. Reduced number of errors
7. Reduced software development time / effort
8. Reduced maintenance
9. Reduced number of IT personnel

The qualitative benefits of I&I are:
1. Improved working procedures
2. Better communication with other related organizations
3. Job satisfaction
4. Redefined job specifications
5. Improved data accessibility
6. One-stop service
7. More friendly public service

Until the user is happy using and benefitting from the new capability, it has no value.
Buying stuff is easy; getting it to work in your environment is hard.
Plan for I&I, then double it.
The best capability means little if it stays in the box.
44 SO what MUST WE ALL DO??? NIST's "absolutely necessary" security protections

NIST - National Institute of Standards and Technology - NISTIR 7621
- Protect information / systems / networks from damage by viruses, spyware, and other malicious code (IA suite, A/V, encryption, etc.)
- Provide security for your Internet connection / ISP
- Install and activate software firewalls on all your business systems
- Patch your operating systems and applications (and now "things" too!)
- Make backup copies of important business data / information
- Control physical access to your computers and network components
- Secure your wireless access point and networks
- Train your employees in basic security principles
- Require individual user accounts for each employee on business computers and for business applications
- Limit employee access to data and information, and limit authority to install software

MUST DO tasks: consider this your due diligence list, where ALL have CM / hygiene aspects.
45 Cyber Security Best Practices Overview
(Best practices are not a panacea, just a guide = to DO the basics)

- Quantify your business protection needs: do you have an asset inventory?
- Determine what is "good enough" or minimally acceptable for your business
- Quantify your environment's threats and vulnerabilities
- Have a security policy that's useful, complete, and CEO / leadership endorsed
- Run self-assessments on security measures (use accepted tests, STIGs, pentests, etc.) and compliance (HIPAA, PCI, CFR, SOX, etc.)
- Training and awareness programs: much needed, but not a guarantee
- TEST your BCP, COOP, recovery plans and backups: have you ever restored?
- Encrypt where you can; assess where / how you need it (IM, email, file transfer, storage, backup, etc.)
- Be familiar with / USE the NIST IA/Security series; they are very good!
- DO / check / enforce the cyber basics (re: hygiene, access control, simplify & SCM)
- Reduce complexity: use only approved / preferred products lists (A/PPLs)
- A risk management plan (RMP) using both threats AND consequences

As you can somewhat control what you plan, but you usually ONLY get what you enforce!
46 What can you DO right now? Ready for immediate implementation = 95+% incident reduction

1 - Install tools / scripts to catch USERS' mistakes. Lock down the end devices (only allow root / admin to install anything). Use effective access control (enforce least privilege!)
2 - Manage the browser as THE threat vector (80% of malware comes through here). Have ONE secure browser version (IE9), use the guest account (force downloads to one folder), and manage a specific settings profile (to manage active code / Java, etc.). Implement a deny-all access approach, allowing URLs using only a controlled white list (no, this is NOT hard to do!)
3 - Run tools / application firewalls to minimize zero-day problems, and enforce CM / hygiene, along with "defensive I&W" monitoring tools (re: SCM / SIEM, #5)
4 - KISS / reduce IA complexity: only buy cyber products off APLs / PPLs (they have pedigrees / C&A already!) And USE their security features, like the TPM!!
5 - USE a security continuous monitoring (SCM) firm for real-time scans for both current vulnerabilities (SQL injection, et al.) and new threats (where the firm has feeds / data from US-CERT, etc., so they are always current on new threats / zero-day problems)
6 - If you make IT stuff, build IA / security in; there are lots of simple guides. We're STILL lax: Google the DarkReading article "Real-World Developers Still Not Coding Securely"

Cyber continues to be about US ALL doing the basics
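Item 2 above calls for deny-all browsing with a controlled URL white list. The check that decides "is this URL on the list" is where such lists usually fail, so here is an added example (not from the deck, and not any vendor's filter) contrasting the tempting substring check with one that parses the URL and matches the host. The allowed domains, the allowed scheme and the sample requests are assumptions constructed for illustration; in practice this logic lives in the proxy or web filter in front of the browsers rather than in the browser.

```python
# Added example (not from the deck): enforcing a deny-all / allow-list policy
# for browser egress. The allow-list entries, the sample URLs and the decision
# function are assumptions constructed for illustration; a real deployment
# would put this logic in the proxy or web filter in front of the browsers.
from urllib.parse import urlsplit

ALLOWED_DOMAINS = {"intranet.example.com", "vendor-portal.example.net"}  # assumed policy
ALLOWED_SCHEMES = {"https"}                                               # assumed policy


def naive_allows(url):
    """The tempting but broken check: 'is an allowed name somewhere in the URL string?'"""
    return any(domain in url for domain in ALLOWED_DOMAINS)


def allows(url):
    """Deny by default; allow only an approved scheme to an approved host or its subdomains."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed IPv6 literal and similar
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname       # lower-cased; userinfo and port are already stripped
    if not host:
        return False
    host = host.rstrip(".")     # "example.com." names the same host as "example.com"
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def decide(urls):
    """Return {url: 'ALLOW' | 'DENY'} for a batch of requests."""
    return {u: ("ALLOW" if allows(u) else "DENY") for u in urls}


# Constructed requests: two legitimate, the rest are classic allow-list bypass shapes.
SAMPLE_REQUESTS = [
    "https://intranet.example.com/portal",
    "https://sub.intranet.example.com:8443/api",
    "https://intranet.example.com.attacker.invalid/",   # allowed name as a prefix
    "https://attacker.invalid/intranet.example.com",     # allowed name in the path
    "https://intranet.example.com@attacker.invalid/",    # allowed name as userinfo
    "http://intranet.example.com/",                      # right host, wrong scheme
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"naive={naive_allows(url)!s:5} strict={allows(url)!s:5} {url}")
```

The substring check passes all six requests; the parsing check passes only the first two. Whether subdomains of an allowed name should be included is a policy choice (the example includes them); either way the decision must be made on the parsed host, never on the raw string.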
47 Overall Way Forward
(given all the unknowns and variables, this is one "approximately correct" path ;-))

Company Vision embedded in Cyber Plans / RMP: know where you are going, where the passion is / what the USER values. Hope is not a strategy (re: 2012 Annual DDoS Attack and Impact Survey)!
Risk Management Plan (RMP): use NIST's RMF (or COBIT)! Have a dynamic, realistic RMP supporting your business success metrics, as you ARE betting your livelihood on cyber!
Effective, enforced Policy: embedded in core business success factors; rules to enforce statutory / legal mandates and key processes, to enforce behavior (positive & negative incentives)
The Basics, basics, basics: new toys matter little if your environment(s) are not managed (SCM / SIEM!). Poor hygiene / CM causes almost ALL security incidents (80-97%).

SO quit admiring the cyber problem / threat and start DOING something!
48 Cyber Security opportunities
(Cyber can both protect your business AND enhance the bottom line!)

TRUST
- Distributed trust / MLS: world-wide B2B trust / cloud / sharing
- CM / Hygiene: patching / settings
- SIEM / SCM: QA of hygiene / sensors
- ESA / simple tools!

IT / Cyber global factors (user pull)
- IoT / M2M: automation / sensors
- Consumerization of IT: phones / wireless / apps

GAPS / Needs (from the Federal cyber priority council S&T gaps)
- Resiliency: SW / apps / APIs / services
- Agile operations: BE the vanguard / integration

Vulnerabilities / Threats (Verizon DBIR, Forbes, etc. threat reports: what ails us most)
- Access control: authentication is key
- Top security mitigations: whitelist, patch, limit access, etc.

Future Opportunities
- Mobile Security: poor apps / iOS weak; billions of users = volume
- Mitigate Obsolescence: minimize patching and legacy vulnerabilities; OA / modularity / APIs & SCRM
- Privacy / Data: IP / PII / compliance
- Effective missions: business success factors
- Risk Mgmt (ad hoc / not global): Effective Business Risk Management (BRM) = cybersecurity framework (CMMI / FAR)
- Focus on reducing business risk: managed security services (MSS) & cyber insurance
- Data Security: predictive analytics, privacy by design
49 SUMMARY: SO, what really matters in Cyber?

OSD / federal S&T activities: Distributed Trust; Resilient Architectures; Response and Cyber Maneuver; Visualization and Decision Support; Dynamic policy management (RAdAC); Detection and Autonomic Response; Recovery and Reconstitution
NSA / agency S&T activities: Mobility, wireless & secure mobile services; Platform integrity / compliance assurance; End-client security; Cyber indications and warning (I&W); Mitigation engineering (affordability); Massive data (data-centric security); Advanced technology (targeted); Virtualization secure capabilities

It's all about TRUST and DATA. It's NOT all about expensive new cyber capabilities, but more about the SoS / I&I glue.
Doing the BASICS: (1) enforced cyber hygiene, (2) effective access control, (3) reduced complexity in IA / cyber (APLs / NIAP / approved products), *** (4) IA / Cyber SCM / CDM / SIEM *** (ongoing diagnostics AND mitigations = CDM)

DO the cyber BASICS well, for things, people AND processes; invest in select new capabilities, protect privacy and follow your RMP!!!
Take ACTION NOW: (1) security assessment, (2) SCM/SIEM, & (3) cyber insurance!
[email protected]
51 Cyber security URLs / links of interest
Major cyber / IA sites:
Others of interest:
Some training sites:
52 IA/Security Axioms to consider / accommodate / educate
- Security and complexity are often inversely proportional.
- Security and usability are often inversely proportional.
- Good security now is better than perfect security never.
- A false sense of security is worse than a true sense of insecurity.
- Your security is only as strong as your weakest link.
- It is best to concentrate on known, probable threats first.
- Security is an investment (insurance), not an expense with an RoI.
- Security is directly related to the education and ethics of your users.
- Security is a people problem: users stimulate problems, at all levels.
- Security through obscurity is weak, & we can NOT always add security later.

Who says what we MUST DO? From a business DUE CARE / due diligence level, work through all these in your Risk Management Plan! Collectively: NIST, NSA, SANS, etc. The following slides provide details.
53 NIST's Highly Recommended Practices
- Policy / practice for email attachments and requests for sensitive information
- Policy / practice for web links in email, instant messages, social media, or other means
- Policy / practice for popup windows and other hacker tricks
- Doing online business and secure banking
- Recommended personnel practices in hiring employees
- Security considerations for web surfing, prohibited sites
- Policy / practice for downloading software from the Internet
- How to get help with information security when you need it
- How to dispose of old computers, media and fax machines
- How to protect against social engineering; data loss prevention

WHAT, more to do? YES, but most are related to standard IA/CND mitigations...
54 NSA IAD top ten controls
1 - Application whitelisting: only run approved apps (that the SysAdmin reviews)
2 - Control administrative privileges: minimize escalation, enforce least privilege
3 - Limit workstation-to-workstation communications: thwart pass-the-hash
4 - Use anti-virus file reputation services: leverage cloud-based threat databases
5 - Enable anti-exploitation features: for example, MS Windows EMET
6 - Implement Host Intrusion Prevention System rules: focus on threat behaviors
7 - Set a secure baseline configuration: layered security, standard images, etc.
8 - Use web Domain Name Service (DNS) reputation: screen URLs, intrusion alerts
9 - Use / leverage software improvements: software / OS upgrade and patch policy
10 - Segregate networks and functions based on role / functionality: monitor sections, then isolate when attacked
55 SANS top 20 controls (ver 3)
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and Remediation
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate Training to Fill Gaps
56 Top 35 Mitigations
At least 85% of the targeted cyber intrusions the Australian Signals Directorate responds to could be prevented by following the Top 4 mitigation strategies:
- use application whitelisting to help prevent malicious software and other unapproved programs from running
- patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
- patch operating system vulnerabilities
- minimize the number of users with administrative privileges.

Examples of the targeted cyber intrusion mitigation strategies: disable local administrator accounts; multi-factor authentication; network segmentation and segregation; application-based workstation firewall; host-based intrusion detection / prevention system; centralized and time-synchronized logging; whitelisted content filtering; web domain whitelisting for all domains; workstation application security configuration hardening; user education; computer configuration management; server application security configuration hardening; antivirus software with up-to-date signatures; enforce a strong passphrase policy; etc.
57 Top 25 SW development errors
[1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] Missing Authentication for Critical Function
[6] Missing Authorization
[7] Use of Hard-coded Credentials
[8] Missing Encryption of Sensitive Data
[9] Unrestricted Upload of File with Dangerous Type
[10] Reliance on Untrusted Inputs in a Security Decision
[11] Execution with Unnecessary Privileges
[12] Cross-Site Request Forgery (CSRF)
[13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14] Download of Code Without Integrity Check
[15] Incorrect Authorization
[16] Inclusion of Functionality from Untrusted Control Sphere
[17] Incorrect Permission Assignment for Critical Resource
[18] Use of Potentially Dangerous Function
[19] Use of a Broken or Risky Cryptographic Algorithm
[20] Incorrect Calculation of Buffer Size
[21] Improper Restriction of Excessive Authentication Attempts
[22] URL Redirection to Untrusted Site ('Open Redirect')
[23] Uncontrolled Format String
[24] Integer Overflow or Wraparound
[25] Use of a One-Way Hash without a Salt

Must BUILD IA IN. This starts with SW, AND applies to apps / services.
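"Build IA in" is easiest to see next to the code it replaces. The following is an added example (not from the deck) taking the first and last entries of the list, SQL injection and an unsalted one-way hash, and showing the vulnerable form beside its fix. The table, the sample rows, the password and the attacker's payload are constructed for illustration; the database is an in-memory SQLite instance so it runs offline.

```python
# Added example (not from the deck): entries [1] and [25] of the list above,
# each shown as the vulnerable code beside its fixed form. Table layout, sample
# rows, the password and the attacker payload are constructed for illustration.
import hashlib
import hmac
import os
import sqlite3


def setup_db():
    """In-memory user table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


# [1] SQL injection: untrusted input is spliced into the statement text, so the
# input can change the statement's meaning (here: widen the WHERE clause).
def lookup_vulnerable(conn, username):
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Fix: a parameterised query. The driver passes the value separately from the
# SQL text, so quotes and keywords in the input stay data.
def lookup_safe(conn, username):
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


# [25] One-way hash without a salt: equal passwords produce equal digests, so one
# precomputed table or one cracked digest exposes every reuse of that password.
def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Fix: a random per-user salt and a deliberately slow KDF; salt and digest are
# stored together so verification can recompute with the same salt.
def hash_salted(password, salt=None, iterations=100_000):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, iterations=100_000):
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"                         # constructed attacker input
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row comes back
    print("safe:      ", lookup_safe(conn, payload))         # no user has that literal name
    print(hash_unsalted("Winter2015") == hash_unsalted("Winter2015"))  # identical digests
    print(hash_salted("Winter2015") == hash_salted("Winter2015"))      # differ per salt
```

The injected string does not need to break the statement to be useful to an attacker; here it simply makes the predicate always true and the lookup returns the whole table, which is exactly the query shape a login check would run.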
58 What small businesses need to know about cyber security before they can offer services to the government

In general, companies must provide a security level commensurate with the government site they are going to do business with (see the NIST, GSA & FISMA web sites below).
- This NIST guidance provides a good overview of the government requirements, which in general need to be met by companies connecting to government sites in support of services provided
- Information Security rules by GSA
- FISMA rules / regulations are also representative of items to be assessed
- VA has a contract clause that's fairly standard
- The Education Department has a good overview of requirements
- New LAWs: "Government Contractors Subject to Cybersecurity Regulations, and More are on the Way"
- Small business security overview (and a detailed brief on the major security product details too)
59 How to find / bid on government contracts
- MUST have a DUNS number or CAGE code (and capability statement / documents)
- Central source for SBA
- System for Award Management (SAM): register here first / asap, it drives many other processes
- FedBizOpps
- SPAWAR small business opportunities
- Federal Procurement Data System
- Dynamic Small Business Search
- Interested in the SBIR / STTR programs? See the information in the overview offered below

You REALLY need an effective business plan to show clients and investors the big picture.
60 Computer Network Attack / Exploit
- Provide near-real-time OPSEC to IA
- Effectively leverage the "black side" Intel into unclassified protections
- Establish a War Reserve Mode? We have WARM elsewhere; what's that in cyber?
- Fusion of diverse data into KM we can use: all sensors, CNA/E effects, OpSec, Intel, etc. = improved IA/CND
- Can't easily / rapidly tell WHO the bad actors are
- Offensive activities are best done by NCA / Cybercom, COCOMs
- Cyber War / ROE undefined; asymmetric nature = lose-lose

Offensive cyber methods / tools / activities are best used covertly by a skilled few
61 Key cyber capabilities to develop
(think secure comms / messaging; here proposed wrt top-tier ETAs)

Distributed Trust --- Enable secure distributed interactions by establishing appropriate levels of trust among remote devices, systems, or users. Supports: Models and Protocols for Trust Establishment; Infrastructure; Dynamic Evaluation; Out-of-Band and Physical Trust Maintenance

Resilient Architectures --- Enable functional capabilities to continue despite successful disruption or compromise by the adversary. Supports: Morphing Engines Generating Unpredictability; Secured Network Storage; System Decomposition for Mission-Tailored Tools

Visualization and Decision Support --- Enable human decision-makers to quickly understand the security and operational implications of the current situation and to rapidly ascertain the best course of action to pursue. Supports: Real-Time Analysis Engines; Common Operational Framework; Holistic Cognitive Environment

Response and Cyber Maneuver --- Enable defenders to perform shaping operations that minimize the attack space and frustrate adversary planning, and to take action during attacks to block, disrupt, remove, or counter adversary actions. Supports: Polymorphic Technologies; Cyber Obfuscation; Network Agility

Net-centric Cyber Security = SoS and I&I aspects
62 OTHER cyber capabilities (2nd tier)

Detection and Autonomic Response --- Technologies that analyze data collected about the ongoing state of networks, hosts, applications, data, or user actions, and evaluate whether it represents known or probable malicious activity. Technologies that select and invoke immediate defensive actuators in real time in response to a stream of detected events, without the need for human input. Examples: Complex Attack Pattern Recognition; Trustworthy, Intelligent Agents; Game Theoretic Methods

Recovery and Reconstitution --- Technologies that restore system trust, capabilities, and reserves to fully functional and normal levels after disruption, damage, or depletion due to cyber attack or the effects of a defensive response. Technologies that restore or reconstruct lost or tainted information as closely as possible to its previous undamaged state or to what is current and accurate. Technologies that trace functions, results, or decisions that may have been affected by damaged information and restore or compensate as appropriate. Examples: Bio-inspired self-inoculation; Synchronize repair activities without interrupting ongoing mission progression or priorities; Asymmetric redundancy using distributed trust as a recovery metric / mechanism

Component Trust --- Technologies and methodologies that establish a basis for determining and quantifying the likely trustworthiness of acquired hardware or software products that have been constructed outside an organization's control, by methods such as external and internal physical examination, execution monitors, and supply chain risk countermeasures. Examples: Hardware / software "DNA" that vouches for a component's authenticity (re: enhanced TPM); White-listing of trusted hardware / software components; Root of trust, etc.

Integration and Interoperability aspects are HUGE
63 Trust (U)
(U) Objective: Develop measures of trustworthiness for components within the cyber infrastructure and for large systems where components and participants have varying degrees of trustworthiness
* Scalable reverse engineering and analysis
  - Develop tools that validate and verify hardware chip, firmware and software functionality
  - Develop tools for interoperable and scalable forensic analysis
* Trust establishment, propagation, and maintenance techniques
  - Develop techniques to establish trust anchors within components
  - Develop algorithms to describe, establish, propagate, and revoke trust with distributed reputation management
  - Develop algorithms and mechanisms to manage dynamic and transitive trust relations with coalition partners
* Measurement of trustworthiness
  - Develop quantitative techniques to enable context-aware dynamic trust scoring of components and systems
  - Develop composite measures of trust
* Development of trustworthy architectures and trust composition tools
  - Develop trust architectures that can self-attest to their required trust properties
  - Create techniques to build trustworthy systems from untrustworthy components
Cyber PSC PA-Releasable Briefing, November 2012
64 Resilient Infrastructures (U)
(U) Objective: Develop integrated architectures that are optimized for the ability to absorb shock and the speed of recovery to a known secure state
* Resiliency for operational systems
  - Develop efficiency-, risk-, and cost-based approaches to manage real-time tradeoffs among redundancy, randomization, diversity, and other resiliency mechanisms
* Mechanisms to compose resilient systems from brittle components
  - Develop architectural foundations to compose and manage services in massive environments
  - Develop resiliency-aware abstraction layers that provide dynamic, threat-based component integration
* Integration of sensing, detection, response, and recovery mechanisms
  - Develop automated response tools using information correlated across the infrastructure
  - Develop algorithms for management and outcome analysis of resiliency properties of systems
* Secure modularization and virtualization of nodes and networks
  - Enable heterogeneity at the hardware, hypervisor, operating system, and application layers
  - Develop robust cloud architectures to resist intrusions of potentially hostile elements
  - Develop algorithms for real-time reconstitution based on dynamic feedback of macro-level resilience and health
* Resiliency-specific modeling and simulation techniques
  - Enable the measurement and analysis of systems' quantifiable resiliency properties
65 Agile Operations (U)
(U) Objective: Speed the ability to reconfigure, heal, optimize, and protect cyber mechanisms via automated sensing and control processes
* Techniques for autonomous reprogramming, reconfiguration, and control of cyber components
  - Develop approaches for autonomous policy-driven reconfiguration using ontologies and control loops
* Machine intelligence and automated reasoning techniques for executing courses of action
  - Develop time-constrained automated control loops that select and execute actions within a goal-seeking framework
* Techniques for mapping assets and describing dependencies between mission elements and cyber infrastructure
  - Develop sensors, specification languages, and machine learning for near-real-time cyber situational awareness
  - Design static and dynamic models and supporting languages that relate cyber and kinetic domains
  - Develop near-real-time mission analysis tools to support combined cyber / kinetic operations
* Techniques for course-of-action analysis and development
  - Develop modeling and simulation techniques for assessment of asset criticality and effects
  - Design game-theoretic approaches to predict adversarial behavior
  - Develop tools for mission simulation, rehearsal, and execution support
* Cyber effects assessment
  - Develop probing, detection, correlation, and visualization techniques
66 Resilient Infrastructures (U)
(U) Objective: Develop novel protocols and algorithms to increase the repertoire of resiliency mechanisms available to the architecture
* Code-level software resiliency
  - Develop novel language features, randomizing compilation techniques, and enhanced execution environments
* Network overlays and virtualization
  - Expedite resilient protocol development using overlays, from specification to deployment
  - Develop network reconstitution techniques based on modular design and component virtualization
* Network management algorithms
  - Develop autonomous network management algorithms for scalable reconfiguration and self-healing, modeled after biological systems
* Mobile computing security
  - Develop protection models, mechanisms, and algorithms for mobile devices to ensure higher levels of trust
* Distributed systems architectures and service application polymorphism
  - Develop methods for dynamic provisioning, reallocation, reconfiguration, and relocation of cyber assets at both the system and application layers
* Network composition based on graph theory
  - Develop network technologies at the architectural level to enable near-real-time reconfiguration
  - Develop algorithms to enable sequenced network reconfiguration actions orchestrated across time and space
* Distributed collaboration and social network theory
  - Develop collaborative tools to support near-real-time distributed maneuver
  - Realize social networks that incorporate coalition partners' offensive and defensive capabilities
67 Cyber Problem statement = Poor State of IA & CND
(where all IA/CND capabilities must also act as a SoS)

- It's all about TRUST: we need a common enterprise trust model. Some HAP / TSM is needed, but where to put which EAL devices?
- Need a common top-down, enforced IA / Cyber-capable architecture. Need an alternative to commercial ISPs: leverage existing dark fiber.
- Effective / secure enterprise access control is foundational: IA&A implementation focus = authorization-based access control, complemented by ABAC, RBAC, even RAdAC as an end state. If you don't control entry and exit, you control nothing; this applies to people, NPEs, software and data, and is the foundation for mission assurance (MA)!
- Proactive / dynamic defensive I&W: detect unusual patterns, characteristics, attributes, irregular requests. Provide auto alerts; divert questionable actions; "wrap" issues / problems. This is the catch-all capability, as we can't protect everything at 99%.

Institutionalize Dynamic Cyber Enterprise Management
68 Reasons the Cyber Problem Exists
(re: one perspective - SOA / automation security issues)
1. No top-down common implementation IA guidance, with any useable level of detail
2. SOA (and overall OA in general) approaches add governance and communications complexities within DOD / Federal spaces
3. Numerous SOA methods, approaches, schemas: everyone has one; we need just ONE
4. No unified set of security requirements exists that is traceable to a higher-level, common IA core set (like IATF, GIG ICD, etc.)
5. No Federal consensus on key security issues, barriers and gaps
6. Unclear (too many) authoritative sources, references, standards
69 Reasons the Cyber Problem Exists (cont)
(as one perspective - SOA / automation security issues)
7. IA covers virtually everything, so what should SOA prioritize?
8. IAW SysEngr principles, SOA must follow an EA & standards
9. No enterprise trust model supporting distributed transitive trust, or an effective model for secure enterprise cross-domain access control
10. Few T&E / V&V, thus C&A, plans exist (this MUST be our DOD end state)
11. Institutional blinders to the fact that a network / internet computer cannot secure data; no electronic means to assess data leakage and data aggregation
12. Policy immaturity; it pre-dates SOA, hence the electronic security foundation is missing. Technology still forges ahead; tools are generations behind and built for other threats
70 Common Architectural Flaws, exacerbate Cyber Security
- Fragile chain of services
- Large real-time overhead
- Central administration
- Mis-alignment with practical administrative boundaries
- Lack of support for multiple access control models
- No concept of risk or domain asymmetry, or support for multiple mission vectors
- Rigid inheritance model
- Use of hard-coded, rigid, monolithic access control frameworks and products
- No enterprise concept of domain delegation or RAdAC
- Lack of appropriate layering and abstraction
71 Common Architectural Flaws (cont)
- Inability to support multiple and legacy models
- Schema and ontology often incompatible
- Attributes do not align
- Methods and protocols differ
- Technology and the embedded dependencies differ
- Use of hard-coded, rigid, monolithic access control frameworks and products
- Difficult or inflexible integration paths
- Lack of trustworthiness
- No support for unanticipated users
- Transformations limited
- Lack of flexible rapid application development and modeling tools with IA built in to the framework
- Lack of fidelity, or even use, of modeling to test performance at scale
72 Cyber - Begin with the end in mind

It's clearly important to understand the desired end result, the instantiation of your vision, having the image of the vision as your frame of reference to evaluate everything else. It is also impossible to integrate capability without having a plan and the correct systems in place to run the business.
Vision execution has to do with the "purposes" of capabilities, which have to do with visualization and complete planning! Bundled within personal and business: (a) leadership (what), (b) management (how), and (c) productivity (doing it well).
You can take the concept further by questioning the vision itself! Challenge assumptions, barriers, limitations, and obstacles (the "five whys"). Always apply critical thinking (reflective skepticism) to the vision, as that brings new ideas, fosters teamwork, promotes options, uncovers spinoffs, stimulates a clear head, and fresh perspectives emerge.
If you don't know where you are headed, seemingly blind alleys won't cut it either / waste $$$.
73 Cyber - Drive out complexity - KISS
Complexity leads to variation in practice, opportunities for data / operational errors, and increased risk of mission failure. Reducing complexity is key to improving both risk posture and productivity. Human engineering and complexity theory teach that WE ALL need to, smartly and collaboratively: Simplify, Standardize, Automate, Integrate.
Reducing complexity is a major competitive factor for ensuring supply chain performance and exceeding customer expectations. Given that an increasing share of work is outsourced, the challenge of handling complexity has become all the more demanding. Companies that do not master complexity risk supply chain inefficiencies, resulting in non-competitive working capital structures, lower transparency of cost drivers and difficulty in achieving service levels.
Address complexity in product, processes and organization... and DATA. Use existing initiatives to simplify both objectives and processes: just-in-time, standardization, strategic outsourcing, supply-chain management, target costing, performance measures... Take the "zero-baseline" approach to complexity.
74 Cyber - Maximize investments / ROI
With a strategic approach to maintenance and effective use of key performance indicators, organizations can better maximize resources, reduce capital and operating costs, and increase their return on investment (ROI). It is all about managing risk, from a high performance organization (HPO) operating perspective.
The critical elements of a successful project value / ROI analysis:
- Always start with business goals and challenges, not technology.
- Complete the ROI analysis both for the past and for the future.
- Business goals can not be achieved through technology alone.
- Project benefits cannot always be completely or accurately quantified; intangible elements have value too.
- Count the many kinds of project cost in evaluations.
- Analyze your entire technology project portfolio.
- Monitor critical business success metrics and re-evaluate your project alignment process.
Four ROI pillars: (1) strong foundation / operating plan, (2) defined enterprise effectiveness, (3) business enablement and (4) optimization / differentiation.
Cyber ROI is misleading - it is more insurance than investment
75 COTS / buy versus build (ALWAYS try to drive everything to a commodity state!)
You MUST balance the business needs, short-term and long-term goals, key requirements, and the technologies and solutions available on the market. The company and key stakeholders must always consider and analyze all the options for each project and solution:
- Speed of implementation of a COTS vs. a custom solution
- Cost of implementation of COTS vs. a custom build
- Functionality, flexibility and scalability of COTS vs. a custom build
- Support for COTS vs. a custom build
- Organizational best practices, current technology and the skill sets of employees
- Potential for upgrading, modifying and replacing COTS vs. a custom build
Key elements in the process:
1. Properly analyze any COTS system for suitability, from both the capability requirements and a technical perspective; concurrent engineering applies even more here.
2. Beware the COTS sales pitch: the trap is being promised functionality that isn't in the COTS product at present but that "they will add for you".
3. Check for unit tests in the COTS product and what development practices the vendor uses; be wary if the vendor isn't giving much information about technical aspects. Is the source code available, and have your programmers assessed it?
Ultimately, if it is a critical business function then do it yourself, no matter what. BUT, for IA/Security/Cyber capabilities only use APLs/VPLs.
76 CNCI - Comprehensive National Cybersecurity Initiative (CNCI)
This initiative was launched by the second President Bush in National Security Presidential Directive 54 / Homeland Security Presidential Directive 23, back in January. There are 12 mutually-reinforcing initiatives, intended to establish a front line of defense against today's immediate threats, to defend against the full spectrum of threats, and to strengthen the future cybersecurity environment.
INITIATIVE #1 -- Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. This is about consolidating our external access points and creating common security solutions across agencies.
INITIATIVE #2 -- Deploy an intrusion detection system of sensors across the Federal enterprise. This is a passive system that watches traffic and helps notify us about unauthorized network intrusions. DHS is deploying signature-based sensors as part of the EINSTEIN-2 capability, with notification going to US-CERT.
INITIATIVE #3 -- Pursue deployment of intrusion prevention systems across the Federal enterprise. This takes it up a notch with EINSTEIN-3, which not only detects intrusions but actively prevents intrusions into federal systems. It is intended to have serious zero-day and real-time counter-threat capabilities.
INITIATIVE #4 -- Coordinate and redirect research and development (R&D) efforts. This initiative serves to get all of our R&D efforts working together, with a better communications and tasking infrastructure. It is an important part of using our resources and our smartest people to the best of their abilities.
INITIATIVE #5 -- Connect current cyber ops centers to enhance situational awareness. This is our key threat-data sharing initiative. The National Cybersecurity Center (NCSC) within Homeland Security is helping secure U.S. Government networks and systems under this initiative by coordinating and integrating information from the various centers to provide cross-domain situational awareness, analysis, and reporting on the status of our networks. As a side-effect, it is also designed to help our various agencies play better with each other.
INITIATIVE #6 -- Develop and implement a government-wide cyber counterintelligence (CI) plan. We are now coordinating activities across all Federal agencies so we can detect, deter, and mitigate foreign-sponsored cyber intelligence threats to government and private-sector IT.
77 CNCI (cont)
INITIATIVE #7 -- Increase the security of our classified networks. Our classified networks contain our most valuable and most secret defense and warfighting information. We are continuing to work hard at securing these networks against the changing threat model.
INITIATIVE #8 -- Expand cyber education. This is where the CNCI begins to break down, because it is where all modern cyberdefense breaks down: the people. We are training more and more cyberdefense experts, but we also need to expand that education up and down government, to corporations, and to individuals. We can have the very best-trained cyberdefense expert in a corporation, say, and it will all break down if the CEO won't allocate the time or funds to conduct that defense. It is all about making everyone know just how real these threats are.
INITIATIVE #9 -- Define and develop enduring "leap-ahead" technology, strategies, and programs. We will talk more about future directions later, but the idea of leap-ahead is to get 5 to 10 years ahead of the bad guys and explore out-of-the-box thinking in building a better cyberdefense. This is good stuff, and it is the first CNCI initiative that, essentially, opens the door to concepts like Stuxnet (or what The Times claimed the White House called "Olympic Games").
INITIATIVE #10 -- Define and develop enduring deterrence strategies and programs. Put simply, because of the wildly asymmetric nature of the threat, we can't have a mutually-assured destruction option with cyberattack the way we do with nuclear attack. We are working on developing deterrence strategies, but we are not there yet, a fact all too evident from the constant level of cyberattack, breach, and threat we find ourselves experiencing.
INITIATIVE #11 -- Develop a multi-pronged approach for global supply chain risk management. This area should be one of our biggest concerns. Most Americans get their computers from suppliers who use processors, motherboards, and components made outside the United States, and often in China. China, as we have seen repeatedly, is one of our most challenging "frenemies". They are clearly important to us financially, but they are also one of the leading sources of cyberattack (and, quite frankly, could be behind the one we're dealing with now). This initiative, though, isn't just about China. Our components and our supplies must be insulated from foreign influence and unapproved modification.
INITIATIVE #12 -- Define the Federal role for extending cybersecurity into critical infrastructure domains. The federal government is relying more and more on private sector services. For example, the Department of the Interior is about to start using Google for its infrastructure. This initiative encourages public/private-sector cooperation to extend Federal-systems cybersecurity into the wider cyber-infrastructure.
78 Cyber Security Overall Status
(Senior IA/Cyber VIP perspective - same issues as years ago, but better in the last 10)
Area                    Status        Notes
Technology              G (trending)  We have what we NEED NOW
Business                Y             Some LSIs resist change
Policy                  Y             Legislation poor; can't be voluntary
Procedures / standards  G             NIST done well; need uniform implementation
Education               Y             NICE, 170+ CAEs (schools), 10,000+ / year
Leadership              R             Complexity vs CISO; C-suite complacency and ability to absorb
Awareness               Y             Education starting earlier, STEM, NICE
We must provide an integrated, interoperable cyber package that is affordable
79 Is there a cyber equation / model? (something for us all to balance our risks / $$$)
Need to address WHAT, WHO, WHEN and HOW across the swim lanes in the original diagram (labels only): Governance (swim lanes, interfaces, overlap, etc; CA, Fn, TA, NESI/NEADS, etc); Technical processes; Operations (ILC/LCS/3M, CM, SOPs, training, O&S; supports DOTMLPF too); Requirements; Policy / Regulations (DoD, DoN CIO, ASN RDA, DISA, NSA/GIAP, ASD NII, NNFE); Acquisition (products, services, CM, etc; PEOs, SYSCOMs, Fleet; supports DOTMLPF too).
NO common, vetted model exists, SO develop your own! A notional weighted sum:
Enterprise risk assessment (best value) = a1 * IA/SECURITY/CND (defense) + a2 * IO/CNE/CNA (offense) + a3 * SPECTRUM / TEMPEST + a4 * GOVERNANCE + a5 * REQUIREMENTS + a6 * THREAT / VULNERABILITIES + a7 * C&A / PEDIGREE + a8 * POLICY + a9 * TRAINING / EDUCATION + a10 * OTHER ... AND???
OUR risk management plan should address all of these variables; the sensitivity of the coefficients (a1 .. a10) will vary by company.
80 Cyber Security ROI or insurance?
ROI is a big deal in business, but it is a misnomer in security: security is an EXPENSE. Security ROI is difficult to compute, simply because it is hard to predict the probability of a true security event and the costs associated with the loss and its mitigation. A major issue in cyber security right now is that we have never been able to construct an intelligent return on investment (ROI) for cyber security, because we have never been truly able to gauge how big the risk really is. But you need to be able to gauge the magnitude of the risk: what exactly the exposure is, and what it would cost if the event actually took place. There just isn't enough good data.
The classic gauge methodology is annualized loss expectancy (ALE): the single loss expectancy (SLE) multiplied by the annual rate of occurrence (ARO). Cybersecurity ROI is considerably harder, as the threat morphs quickly, so stable ALE models can not be built. There is another problem: the math quickly falls apart for rare and expensive events. If the impact is huge, even a low rate of occurrence is costly, and the point estimate hides how bad a single bad year can be.
Cyber ROI is misleading, as it is insurance, a cost of doing business. AND you have insurance for every KEY aspect of business, RIGHT??? Cyber is NO DIFFERENT; in fact the downside can be the loss of your business. Just as you have an umbrella policy for personal liability, so should you in cyber. Even IF you can prove you were digitally in the right, court preparations cost $10-25K per case. Cyber Insurance - don't get caught in the cyber legal quagmire without it!
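The ALE point estimate and its failure for rare, expensive events, as an added worked example that is not part of the original deck. It simulates many years for two loss profiles that have exactly the same ALE, a rare $2M breach and frequent $10k incidents, and shows how differently they behave; it also computes how likely it is that a 1-in-20-year event never appears in a short observation window, which is the data problem the slide describes. All dollar figures and rates are constructed for illustration, not real actuarial data.

```python
"""Annualized loss expectancy (ALE) versus the tail of rare, expensive events.

Added example, not from the original deck. ALE = SLE x ARO is the classic
point estimate; this simulates many years of two loss profiles with the same
ALE to show why the point estimate misleads when events are rare and costly.
All figures are constructed for illustration, not real actuarial data.
"""
import math
import random
import statistics


def ale(sle, aro):
    """Annualized loss expectancy: single loss expectancy times annual rate of occurrence."""
    return sle * aro


def prob_unobserved(aro, years):
    """Probability that an event with annual rate `aro` never shows up in
    `years` of observation (Poisson zero count): why short histories mislead."""
    return math.exp(-aro * years)


def simulate_annual_losses(sle, aro, years, seed=1):
    """Simulate `years` of annual losses: event count per year ~ Poisson(aro),
    each event costs exactly SLE. Seeded so results are reproducible."""
    rng = random.Random(seed)
    threshold = math.exp(-aro)
    losses = []
    for _ in range(years):
        # Knuth's Poisson sampler: multiply uniforms until the product drops below e^-aro
        count, p = 0, rng.random()
        while p > threshold:
            count += 1
            p *= rng.random()
        losses.append(count * sle)
    return losses


def summarize(losses, ale_value):
    """Compare the simulated distribution with the ALE point estimate."""
    n = len(losses)
    ordered = sorted(losses)
    return {
        "mean": statistics.fmean(losses),
        "median": statistics.median(losses),
        "p99": ordered[min(n - 1, int(0.99 * n))],
        "frac_zero_loss": sum(1 for x in losses if x == 0) / n,
        "frac_over_10x_ale": sum(1 for x in losses if x > 10 * ale_value) / n,
    }


# Constructed profiles with identical ALE ($100k / year):
RARE = {"sle": 2_000_000, "aro": 0.05}   # a $2M breach roughly every 20 years
FREQUENT = {"sle": 10_000, "aro": 10.0}  # ten $10k incidents a year


def compare(years=20_000, seed=7):
    """Per-profile summaries: same ALE, very different risk."""
    out = {}
    for name, prof in (("rare", RARE), ("frequent", FREQUENT)):
        a = ale(prof["sle"], prof["aro"])
        out[name] = summarize(simulate_annual_losses(prof["sle"], prof["aro"], years, seed), a)
        out[name]["ale"] = a
    return out


if __name__ == "__main__":
    for name, s in compare().items():
        print(name, {k: round(v, 2) for k, v in s.items()})
    # How long must you watch before you have even seen a 1-in-20-year event?
    print("P(no rare event seen in 5 years) =", round(prob_unobserved(0.05, 5), 3))
```

The mean of both profiles converges to the ALE, which is all a budget line ever shows; the rare profile has a median of zero and a 99th percentile twenty times its ALE, while the frequent one never strays far from it. That gap is the argument for transferring the tail to an insurer rather than pretending a single expected-loss number captures it.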
81 SRA -> SCM -> Insurance (et al)
(There is a simple method to manage cyber complexity in accordance with your RMP!)
The illustration below is a general guide to how cyber risks can be quantified, using authoritative sources and methods, into risk levels to ACT on, and then insure.
Security Risk Assessment (SRA): several levels (remote, onsite, etc); check only key points, or compliance levels, or business-tailored, etc. The environment is scanned, key IA/CND settings are assessed and the level of security is rated (using standard CVE, etc). Add big data analytics to assess cyber risks in parallel.
Security Continuous Monitoring (SCM): monitor hygiene, access and unusual behavior so that cyber management is informed; status files are sent to a central Security Operations Center. The SOC assesses the data: changes in key IA/CND settings; abnormal patterns (SIEM); adjusts the security level based on changes and thresholds; feeds security actuarial tables; sends alerts to multiple entities; validates compliance aspects too.
Assess property value (IP and real): the user inventories data and IT, puts a dollar value on key items, matches mitigations to the RMP, and quantifies the known and bounds the unknown aspects.
Cyber Insurance: contact a cyber insurance broker and team with a legal firm. The broker uses cyber actuarial tables, maps security levels and values, and bases premiums on both.
All processes are linked with feedback between the analytics (aka user-based behavior insurance: risk takers = higher premiums).
SRA / SCM + insurance = major risk / cost reduction = due diligence / profit
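The SOC step of the SCM flow described above (changes in key IA/CND settings, thresholds, an adjusted security level, alerts), as an added worked example that is not part of the original deck or any vendor product. Each host's current status file is compared with the baseline the SRA signed off, deviations are weighted, and the score is mapped through a threshold table to GREEN / YELLOW / RED; the fleet summary is the kind of input the actuarial step would consume. Hosts, settings, weights and thresholds are all constructed assumptions.

```python
"""Security Continuous Monitoring (SCM): baseline drift -> findings -> security level.

Added example, not from the original deck or any vendor product. Compares each
host's current key IA/CND settings with its approved baseline, weights the
deviations, and maps the score to a security level via thresholds. Hosts,
settings, weights and thresholds are constructed assumptions.
"""

# Assumed weights per kind of deviation (tune to your RMP).
WEIGHTS = {
    "firewall_disabled": 40,
    "av_stale": 20,
    "patch_behind": 25,
    "unexpected_port": 15,   # per port
    "extra_admin": 30,       # per account
}

# Assumed thresholds, lowest first: a score at or above a threshold takes that level.
LEVELS = [(0, "GREEN"), (20, "YELLOW"), (50, "RED")]

# Constructed approved baselines (what the SRA signed off).
BASELINES = {
    "web01": {"firewall": "on", "max_av_age_days": 3, "patch_level": "2015-03-10",
              "open_ports": {80, 443}, "admin_accounts": {"svc_admin"}},
    "db01": {"firewall": "on", "max_av_age_days": 3, "patch_level": "2015-03-10",
             "open_ports": {1433}, "admin_accounts": {"svc_admin"}},
    "ws07": {"firewall": "on", "max_av_age_days": 3, "patch_level": "2015-03-10",
             "open_ports": set(), "admin_accounts": {"svc_admin"}},
}

# Constructed status files as sent to the SOC.
REPORTS = [
    {"host": "web01", "firewall": "on", "av_signature_age_days": 1, "patch_level": "2015-03-10",
     "open_ports": {80, 443}, "admin_accounts": {"svc_admin"}},
    {"host": "db01", "firewall": "on", "av_signature_age_days": 9, "patch_level": "2015-01-20",
     "open_ports": {1433, 3389}, "admin_accounts": {"svc_admin"}},
    {"host": "ws07", "firewall": "off", "av_signature_age_days": 2, "patch_level": "2015-03-10",
     "open_ports": set(), "admin_accounts": {"svc_admin"}},
]


def security_level(score):
    """Map a drift score to a level using the threshold table."""
    level = LEVELS[0][1]
    for threshold, name in LEVELS:
        if score >= threshold:
            level = name
    return level


def score_host(baseline, current):
    """Weighted drift of one host's key settings from its baseline."""
    score, findings = 0, []
    if baseline["firewall"] == "on" and current["firewall"] != "on":
        score += WEIGHTS["firewall_disabled"]
        findings.append("host firewall disabled")
    if current["av_signature_age_days"] > baseline["max_av_age_days"]:
        score += WEIGHTS["av_stale"]
        findings.append("AV signatures %d days old" % current["av_signature_age_days"])
    if current["patch_level"] < baseline["patch_level"]:  # ISO dates compare correctly as strings
        score += WEIGHTS["patch_behind"]
        findings.append("patch level %s behind baseline %s" % (current["patch_level"], baseline["patch_level"]))
    for port in sorted(set(current["open_ports"]) - set(baseline["open_ports"])):
        score += WEIGHTS["unexpected_port"]
        findings.append("unexpected listening port %d" % port)
    for acct in sorted(set(current["admin_accounts"]) - set(baseline["admin_accounts"])):
        score += WEIGHTS["extra_admin"]
        findings.append("admin account not in baseline: %s" % acct)
    return score, findings


def assess_fleet(baselines, reports):
    """Per-host results plus the fleet summary the insurance / actuarial step consumes."""
    results = {}
    for report in reports:
        score, findings = score_host(baselines[report["host"]], report)
        results[report["host"]] = {"score": score, "level": security_level(score), "findings": findings}
    levels = [r["level"] for r in results.values()]
    summary = {
        "hosts": len(results),
        "green_fraction": levels.count("GREEN") / len(results),
        "red_alerts": sorted(h for h, r in results.items() if r["level"] == "RED"),
        "fleet_level": security_level(max(r["score"] for r in results.values())),
    }
    return results, summary


if __name__ == "__main__":
    results, summary = assess_fleet(BASELINES, REPORTS)
    for host, r in results.items():
        print(host, r["level"], r["score"], "; ".join(r["findings"]) or "in baseline")
    print(summary)
```

With the constructed inputs, db01 scores 60 (stale AV, old patch level, an unexpected RDP-style port) and goes RED, ws07 scores 40 for a disabled host firewall and goes YELLOW, and web01 matches its baseline. Weighting per deviation rather than counting them is what lets one critical change (the firewall) outrank several minor ones, which is the behaviour you want when the output drives alerts and premiums.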
82 Proposed Information Dominance (ID) end-state vision
(Diagram in the original deck, labels only: the GIG / DISN backbone connecting other SatCom users / sites, STEP, DISN, other national sources, other agencies, Intel / Sensors, Data Centers (DISA / IC Tier 1 & 2, and DECCs / Services too), SIPR and NIPR shore sites and NOCs, DIL / austere environments, afloat systems / wireless, mobile / disconnected / organic, Internet, mobile / RAS, Teleport, SatCom, LOS and Partners.)
Major ID Precepts:
- IT & IA are driven to commodity states
- One enterprise architecture (stds / specs) (DIEA / JIE based)
- Integrated views (user, system, data, etc)
- Information centric environment (quality / assured data)
Where ID = decision superiority = quality / assured DATA --- How does all that DATA move about? ---
(Note: most terrestrial connections are also by DISA / DISN, thus technically the GIG too.)
83 Capabilities Needed for Information Dominance
(Diagram in the original deck, labels only.) Schema of maneuver (positioning for effect): Assured C2 (OPCON / INFOCON); Cyber (IA/CND protections & CNE/CNA (covert)); Kill / Effect Chains (maximize the left side - ISR / I&W). Knowledge, the IT / network and the information environment (WAN/transport, network, cloud) feed ID = decision superiority. Quality / assured data = value, pedigree, provenance. Infrastructure / services / apps (the right data, to the right folks, at the right time): data centers, cyber, governance = trusted information systems. (N2 / N6 roadmaps.)
Battlefield victory requires dominant position and maneuver, which require the best possible information before the opposition can: (1) get his own information; (2) react to your movements; or (3) infiltrate your environment. The best possible info is ID: a DiD with trusted information systems providing assured / quality data, facilitating decision superiority at all levels of command.
84 Information Dominance: Comprehensive Data Strategy OV-1
(Diagram in the original deck: the data lifecycle Task, Collect, Produce, Store, Process, Exploit, Disseminate, Archive, Dispose (the TCPED and OODA columns), RAW -> REFINED -> RIGHT, "Right Info, Right Time, Right Place" as a critical USER view, supported by a DATA-centric architecture over the networks and transport / information environment, with traditional nodes (data, apps, systems) and cloud nodes (data, services, rules).) Its elements:
- Data Governance: policies, standards, ownership, COIs, stewardship
- Data Quality: quality rules and policy, data cleansing rules, compliance rules, data admin, data profiling
- Master Data and Metadata: data definitions, authoritative data source, reference data, data valuation / tagging, indexing, metadata repositories, registration
- Data Structure: taxonomy, data models, process workflows, data lifecycle
- Data Architecture: sizing, storage, processing, movement, retention and deletion
- Data Security: IA compliance, cross domain, PII, access controls, releasability
85 LOCAL ENCLAVE - DoD CND (and Cyber) Defense in Depth (from NCDOC briefs)
(Diagram in the original deck, labels only.) Tiers: TIER I - DoD GIG (JTF-GNO); TIER II - Navy GIG (NCDOC); TIER III - WAN (Enclave), Enclave DMZ, LAN (POP/HUB), HOST. Legend: Operational; Funded and Rolling Out; Proposed or In ...
Capabilities shown: CND SP; Incident Response / Management / Handling; IDS (NMCI NIPRNET / SIPRNET IDS feeds); PROMETHEUS; PKI / CAC; Threat Analysis / Assessment; Compliance Scans; NUDOP / UDOP; Firewalls; IAP Monitoring; IAVM Management / Implementation / Compliance / Vulnerability Remediation; DNS Blackholes / Blackholing; Standard IP Block Lists; ACLs; NET Cool / INMS View / NET Cool Data; AV / In-Line Virus Scanning; TRICKLER; PPS Policy; Alert Filtering; CENTAUR; Vulnerability Scanning; GIAP; CND Data Strategy Development; System Patching; Metrics Development; CDS; IP Sonar; DITSCAP/DIACAP; In-Line Filtering; Tutelage; Remediation; IPS; CENTRIXS Monitoring; Global CND; Multi-Layer Protocol Defense; CONOPS; CARS; IASM; DRRS-N; RNOSC; HBSS; Content Filtering; ENMS; SCCVI-SCRI; Anti-virus; Deep Packet Inspection; Tier 3 SIM; WIDS; TMAT; IWCE; CND POR; Honey Grid; Wireless Mapping; WAN SA; SLIDR; Enterprise NET Cool Data; Functional NIC; Standardized Configurations; Navy DMZ; DAPE; Insider Threat; SIPR NAC; DAR; POR Management.
Cyber = mostly life-cycle education and proactive, dynamic defense: the smart integration and collaboration between the MANY needed IO & IA functions.
86 Notional DiD Enterprise Architecture (EA)
DiD has three main elements: people (train and enforce good behavior), operations (policy, management, C&A, COOP) and technology (IA criteria, evaluated products, risk assessment, use of layers); we discuss the latter here.
Provide layered protections: (1) networks and infrastructure, (2) enclave boundaries, (3) quantified security robustness for all components (aka use NIAP), (4) robust key management and PKI (IA&A), and IDS/IPS (detection capabilities), using common cyber capabilities with known pedigrees / C&A (APLs/VPLs -> NIAP).
OSI stack protections: (1) Physical: restrict access, port security; (2) Data link: VLANs, static ARP; (3) Network: VPNs, NIDS, content filtering; (4) Transport: firewalls, ACLs; (5) Session: IAVA, crypto, authentication; (6) Presentation: IDS, audits; (7) Application: anti-virus, secure software (SDLC), patches; AND effective IA&A / access control methods throughout.
Manage / enforce IA controls at each layer / capability! Use existing IA controls management tools, like the previous AFG / the DISA link below, AND the SANS top 20 security controls (note: AFG is now the Community Gold Standard; find it on Intelink / DKO. It is now at the enterprise architectural level versus program level).
NOTE - This is a general requirements depiction of a DiD, using the general NIST and GIAC notional references. Also for ICS =
87 Essential DiD EA elements
Reduce complexity and unknowns:
- Limit the numbers, types and versions of IA capabilities (drive to a commodity state)
- Only use common cyber capabilities with known limitations (enforce APL/VPL = NIAP)
- Provide a DiD enterprise architecture based on layers and the IA controls therein
- Define specifications for, and modularize, the cyber building blocks below; include inheritance, interface-controlling parameters, and the required standards AND profiles
- Map the DiD EA back to a Navy risk management plan and the key issues / risks therein
- Provide a CONOPS for the notional DiD EA, including CM, governance and exceptions; take a mission assurance perspective, with affordability / RoI
- Integrate and implement DoD / NSA common practices (SCAP, AFG, etc)
- Manage and enforce an effective Cyber CM / hygiene posture and IA&A / IDAM!
The basic cyber building blocks of security: a limited and controlled set of IA building blocks for a FEW main classes:
- IA devices (crypto, EKMS, PKI/CAC, VPN, firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc)
- IA-enabled capabilities (OS, web browsers, messaging systems, screening routers, etc) (and the IA/WSS standards need to go here!)
- Services and applications (define a standard "security container" for each service, ideally a class; likely a couple can cover all services) (see NSSI IA controls) (and DATA capabilities: DCPS, DDSI, pub / sub, Java, mobile code, widgets, storage SW, middleware, services, ESB, etc!)
- Critical HW/SW devices (a catch-all for any key IT/IA capabilities we may have missed and want to consider) (see the CSRR list of IT classes for examples at the end of this paper; while these are generally already low-level aggregated capabilities, they show a class of IT to standardize to) AND actually use the TPM!
- PIT (there could be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HM&E, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc)
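The first two reduce-complexity rules above (limit numbers, types and versions; only deploy what is on the APL/VPL) as an added worked example, not from the original deck or any DISA / Navy tool. A deployed-inventory listing is checked against an approved products list that carries an approved version range per product, and any IA class that carries more distinct products than the commodity rule allows is reported as sprawl. The APL entries, inventory rows and per-class limit are constructed assumptions.

```python
"""APL/VPL enforcement for deployed IA capabilities.

Added example, not from the original deck or any DISA / Navy tool. Checks an
inventory against an approved products list (APL) with approved version ranges
and enforces the 'limit numbers, types and versions' rule per IA class.
APL entries, inventory rows and the per-class limit are constructed assumptions.
"""


def parse_version(text):
    """'5.10' -> (5, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Assumed APL: IA class -> product -> (lowest, highest) approved version.
APL = {
    "firewall": {"AcmeFW": ("5.2", "5.9")},
    "ids": {"NetSentry": ("3.0", "3.9")},
    "vpn": {"TunnelCo": ("2.1", "2.1")},
}

# "Drive to a commodity state": at most this many distinct products per class (assumed).
MAX_PRODUCTS_PER_CLASS = 1

# Constructed inventory, as a CM tool might export it.
INVENTORY = [
    {"host": "gw01", "class": "firewall", "product": "AcmeFW", "version": "5.4"},
    {"host": "gw02", "class": "firewall", "product": "AcmeFW", "version": "5.10"},
    {"host": "gw03", "class": "firewall", "product": "OtherFW", "version": "1.0"},
    {"host": "mon01", "class": "ids", "product": "NetSentry", "version": "3.5"},
    {"host": "vpn01", "class": "vpn", "product": "TunnelCo", "version": "2.1"},
    {"host": "lab01", "class": "sandbox", "product": "HomeGrown", "version": "0.1"},
]


def check_item(item, apl=APL):
    """Reason this item is not APL-compliant, or None if it is."""
    approved = apl.get(item["class"], {})
    if item["product"] not in approved:
        return "not on APL for class %s" % item["class"]
    low, high = approved[item["product"]]
    version = parse_version(item["version"])
    if version < parse_version(low):
        return "version %s below approved minimum %s" % (item["version"], low)
    if version > parse_version(high):
        return "version %s above approved maximum %s" % (item["version"], high)
    return None


def audit(inventory, apl=APL, max_per_class=MAX_PRODUCTS_PER_CLASS):
    """Return APL violations, product sprawl per class, and an overall verdict."""
    violations = []
    products_by_class = {}
    for item in inventory:
        reason = check_item(item, apl)
        if reason:
            violations.append((item["host"], reason))
        products_by_class.setdefault(item["class"], set()).add(item["product"])
    sprawl = {cls: sorted(prods) for cls, prods in products_by_class.items()
              if len(prods) > max_per_class}
    return {"violations": violations, "sprawl": sprawl,
            "compliant": not violations and not sprawl}


if __name__ == "__main__":
    report = audit(INVENTORY)
    for host, reason in report["violations"]:
        print("VIOLATION", host, reason)
    for cls, prods in report["sprawl"].items():
        print("SPRAWL", cls, prods)
    print("compliant:", report["compliant"])
```

Note the gw02 case: "5.10" is above the approved "5.9" maximum once versions are compared numerically, but a naive string comparison would have passed it as older, which is exactly the kind of silent APL bypass a CM check has to get right.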
88 So what REALLY matters in IA/Cyber? A notional Quality of Protection (QoP) Hierarchy / Defense in Breadth
(Layered figure in the original deck, from complex / dynamic at the top to known / static at the bottom; labels only.)
- Complex / Dynamic: DATA QoP (C-I-A and N & A); IA&A and DCS / CBE (distributed / transitive trust; E2E data-centric security; content-based encryption)
- Settings: core / security services (WS-* and other security policy / protocols / standards, including versions & extensions therein)
- Standards / Known / Static: network protection, CND (FW / IDS / VPN / etc; in general mature capabilities, but multiple unclear CM processes are persistent and problematic)
Alongside: IO (CNO/E/A, I&W, OPSEC, etc), IA devices (crypto, KMI, TSM/HAP, policy, etc) and A&E / policy.
What matters: IA profiles (standards), IA&A, CBE/DCS and digital policy!
elearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015
NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X
future data and infrastructure
White Paper Smart Grid Security: Preparing for the Standards-Based Future without Neglecting the Needs of Today Are you prepared for future data and infrastructure security challenges? Steve Chasko Principal
Payment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
Vulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
Caretower s SIEM Managed Security Services
Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During
ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)
ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software
Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute
Wasting Money on the Tools? Automating the Most Critical Security Controls Bonus: Gaining Support From Top Managers for Security Investments Mason Brown Director, The SANS Institute The Most Trusted Name
REVOLUTIONIZING ADVANCED THREAT PROTECTION
REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my
High End Information Security Services
High End Information Security Services Welcome Trion Logics Security Solutions was established after understanding the market's need for a high end - End to end security integration and consulting company.
74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015
Arrow ECS University 2015 Radware Hybrid Cloud WAF Service 9 Ottobre 2015 Get to Know Radware 2 Our Track Record Company Growth Over 10,000 Customers USD Millions 200.00 150.00 32% 144.1 16% 167.0 15%
Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols
THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE
Enterprise Cybersecurity: Building an Effective Defense
: Building an Effective Defense Chris Williams Scott Donaldson Abdul Aslam 1 About the Presenters Co Authors of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced
Cybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.
The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com
Critical Security Controls
Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC [email protected] @mcncsecurity on Twitter The Critical Security Controls The Critical Security
Continuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP [email protected]
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP [email protected] Security Security is recognized as essential to protect vital processes and the systems that provide those
Did you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
Cloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
SECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
SECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
The Cloud App Visibility Blindspot
The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before
FIVE PRACTICAL STEPS
WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND
Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)
Page 1 of 6 Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) TNCC Cybersecurity Program web page: http://tncc.edu/programs/cyber-security Course Description: Encompasses
McAfee Network Security Platform
McAfee Network Security Platform Next Generation Network Security Youssef AGHARMINE, Network Security, McAfee Network is THE Security Battleground Who is behind the data breaches? 81% some form of hacking
Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.
Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness
CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM
CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material
Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?
WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? Contents Introduction.... 3 What Types of Network Security Services are Available?... 4 Penetration Testing and Vulnerability Assessment... 4 Cyber
Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection
White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
Concierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two
NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015
NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps
Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,
Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs
FERPA: Data & Transport Security Best Practices
FERPA: Data & Transport Security Best Practices April 2013 Mike Tassey Privacy Technical Assistance Center FERPA and Data Security Unlike HIPAA and other similar federal regulations, FERPA does not require
The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security
The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense Tony Sager The Center for Internet Security Classic Risk Equation Risk = { Vulnerability, Threat, Consequence } countermeasures
FORBIDDEN - Ethical Hacking Workshop Duration
Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once
CS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
