Cyber Security Risk Management: A New and Holistic Approach

Transcription

1 Cyber Security Risk Management: A New and Holistic Approach Understanding and Applying NIST SP WebEx Hosted by: Business of Security and Federal InfoSec Forum April 12, 2011 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

2 Information technology is our greatest strength and at the same time, our greatest weakness NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

3 The Perfect Storm Explosive growth and aggressive use of information technology. Proliferation of information systems and networks with virtually unlimited connectivity. Increasing sophistication of threat including exponential growth rate in malware (malicious code). Resulting in an increasing number of penetrations of information systems in the public and private sectors NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

4 The Threat Situation Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated. Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions. Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property). Potential for disruption of critical systems and services. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

5 Unconventional Threats to Security Connectivity Complexity NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

6 We expend far too many resources on back-end security (chasing the latest vulnerabilities and patching systems) and far too few resources on front-end security (building information security into IT products and systems) NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

7 Red Zone Security NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

8 The New SP Multi-tiered Risk Management Approach Implemented by the Risk Executive Function Enterprise Architecture and SDLC Focus Flexible and Agile Implementation TIER 1 Organization (Governance) STRATEGIC RISK FOCUS TIER 2 Mission / Business Process (Information and Information Flows) TIER 3 Information System (Environment of Operation) TACTICAL RISK FOCUS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

9 Characteristics of Risk-Based Approaches (1 of 2) Integrates information security more closely into the enterprise architecture and system life cycle. Promotes near real-time risk management and ongoing system authorization through the implementation of robust continuous monitoring processes. Provides senior leaders with necessary information to make risk-based decisions regarding information systems supporting their core missions and business functions. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

10 Characteristics of Risk-Based Approaches (2 of 2) Links risk management activities at the organization, mission, and information system levels through a risk executive (function). Establishes responsibility and accountability for security controls deployed within information systems. Encourages the use of automation to increase consistency, effectiveness, and timeliness of security control implementation. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

11 Risk Management Process Risk Framing Risk Framing Assess Respond Risk Risk Framing Monitor Risk Framing NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

12 Risk Framing Establishing the context for how organizations manage information security risk. Assumptions. Constraints. Risk tolerance. Priorities and tradeoffs. Applied across all three tiers: organization, mission, and information systems. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

13 Risk Assessment Identifying threats and vulnerabilities. Determining risk. Potential mission/business impact. Likelihood of occurrence. Determining uncertainty. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

14 Risk Response Developing risk response strategy. Accept risk. Reject risk. Mitigate risk. Share risk. Transfer risk. Developing, evaluating, deciding upon, and implementing courses of action to respond to risk. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

15 Risk Monitoring Verifying compliance. Determining effectiveness of risk mitigation measures. Identifying changes to information systems and environments of operation. Bottom Line: Increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

16 Defense-in-Depth Links in the Security Chain: Management, Operational, and Technical Controls Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical security Personnel security Security assessments and authorization Continuous monitoring Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Adversaries attack the weakest link where is yours? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

17 Defense-in-Breadth RISK EXECUTIVE FUNCTION Organization-wide Risk Governance and Oversight Ongoing Authorization Decisions Security Plan Security Assessment Report Plan of Action and Milestones Core Missions / Business Processes Security Requirements Policy Guidance INFORMATION SYSTEM System-specific Controls Hybrid Controls RISK MANAGEMENT FRAMEWORK (RMF) INFORMATION SYSTEM System-specific Controls Hybrid Controls Security Plan Security Assessment Report Plan of Action and Milestones Ongoing Authorization Decisions COMMON CONTROLS Security Controls Inherited by Organizational Information Systems Security Plan Security Assessment Report Plan of Action and Milestones Ongoing Authorization Decisions NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

18 Joint Task Force Transformation Initiative Core Risk Management Publications NIST Special Publication , Revision 3 Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication , Revision 1 Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach NIST Special Publication A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans Completed Completed Completed NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

19 Joint Task Force Transformation Initiative Core Risk Management Publications NIST Special Publication Managing Information Security Risk: Organization, Mission, and Information System View Completed NIST Special Publication , Revision 1 Guide for Conducting Risk Assessments Projected May2011 (Public Draft) NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

20 Contact Information Project Leader 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Administrative Support Dr. Ron Ross Peggy Himes (301) (301) Senior Information Security Researchers and Technical Support Marianne Swanson Kelley Dempsey (301) (301) Pat Toth Arnold Johnson (301) (301) Web: csrc.nist.gov/sec-cert Comments: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20