Cyber R &D Research Roundtable

Similar documents
Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro)

Presented by Frederick J. Santarsiere

A Systems Engineering Approach to Developing Cyber Security Professionals

FedVTE Training Catalog SPRING advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

locuz.com Professional Services Security Audit Services

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Bellevue University Cybersecurity Programs & Courses

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

FedVTE Training Catalog SUMMER advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

Presented by Evan Sylvester, CISSP

EC-Council. Certified Ethical Hacker. Program Brochure

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy

Penetration Testing in Romania

NERC CIP VERSION 5 COMPLIANCE

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

National Cyber League Certified Ethical Hacker (CEH) TM Syllabus

Cybersecurity in a Mobile IP World

PENETRATION TESTING GUIDE. 1

Information Blue Valley Schools FEBRUARY 2015

Adobe Systems Incorporated

INFORMATION SECURITY FOR YOUR AGENCY

OFFICE OF THE SECRETARY OF DEFENSE 1700 DEFENSE PENTAGON WASHINGTON, DC

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

A Comprehensive Cyber Compliance Model for Tactical Systems

Cybersecurity: What CFO s Need to Know

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Vulnerability management lifecycle: defining vulnerability management

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

ICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.

Cybersecurity and internal audit. August 15, 2014

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Access FedVTE online at: fedvte.usalearning.gov

Secure Web Applications. The front line defense

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

Web Application Security

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Big Data, Big Risk, Big Rewards. Hussein Syed

How To Build A Cybersecurity Company

National Cyber League Certified Ethical Hacker (CEH) TM Syllabus

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Penetration testing & Ethical Hacking. Security Week 2014

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

IBM Managed Security Services Vulnerability Scanning:

Professional Services Overview

Network Security Audit. Vulnerability Assessment (VA)

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Web Application Report

Audit Tools That Won t Break the Bank

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Middle Class Economics: Cybersecurity Updated August 7, 2015

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

The Business Case for Security Information Management

CCA CYBER SECURITY TRACK

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Defending Against Data Beaches: Internal Controls for Cybersecurity

IBM Security Strategy

LINUX / INFORMATION SECURITY

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Data Loss Prevention Program

Information Security Office

A Love Affair: Cyber Security, Big-data and Risk

5 Steps to Advanced Threat Protection

CYBERSECURITY HOT TOPICS

FREQUENTLY ASKED QUESTIONS

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

How To Test For Security On A Network Without Being Hacked

EC Council Certified Ethical Hacker V8

OWASP Top Ten Tools and Tactics

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Developing Secure Software in the Age of Advanced Persistent Threats

Cyber Security Management

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Effective Software Security Management

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Team Redstone Exhibition (TREx)

G-Cloud Definition of Services Security Penetration Testing

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Principles of Information Assurance Syllabus

What is Really Needed to Secure the Internet of Things?

Information Security Services

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Transcription:

Cyber R &D Research Roundtable 2 May 2013 N A T I O N A L S E C U R I T Y E N E R G Y & E N V I R O N M E N T H E A L T H C Y B E R S E C U R I T Y

Changing Environment Rapidly Evolving Threat Changes faster than the assumed risk we think we have The bad guys are sophisticated Organized Crime Nation States Cybersecurity Enhancement Act of 2009 (S.773) US legislation intended to improve cybersecurity within the federal government and throughout the public and private sectors Establishes research and development (R&D) requirements for federal agencies and promotes public-private partnerships Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 624) Proposed US federal law that would allow for the sharing of Web data between the government and technology companies

SAIC Cyber Overview Full Spectrum Cyber Security Solutions Secure Network Deployment Vulnerability Assessments Security Engineering Policy and Standards Requirements Penetration Testing Research and Development Awareness and Training SAIC Huntsville Cyber Lab System Owner Support Software Assurance Agent of the Certification Authority Penetration Testing Embedded Information Systems Security Engineers at the PEOs Integrate System Security Core Project Team members Scan New or Existing Code to Detect Vulnerabilities Train SW Developers on Secure Coding Practices Provide independent, 3 rd party evaluations to determine the security posture of Army systems Scan to Identify and Report Discovered Vulnerabilities Exploit Identification / Vulnerability Scanning Operational Assessment of Networks System Hardening Network Attack Simulation Handheld Device Security Analysis Computer Network Defense Training Supply Chain Risk Management Blue Team Assessments Detect, identify and analyze malicious attack vectors against DoD Systems Developed POI for CND Training ALARNG received a 40-hour block of instruction on Interrogator Cyber Security Awareness Training ISC2 CISSP / CompTia Security+ Microsoft Certified Training (MCT) - Windows7, Windows Server 2008, Active Directory Certified Ethical Hacker (CEH) Accredited Training Center Work With SMDC To Support Integrity Engineering Analysis Invest AMRDEC Core S&T Funds For A Study To Develop AMRDEC Path Forward Determine security posture for DoD systems Network and vulnerability scanning NIST Guidelines

Definitions Confidentiality concerns the protection of sensitive information from unauthorized disclosure. Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. Risk = Threat * Vulnerability * Cost

Bottom Line If a soldier receives an order to launch a missile, he needs to be assured that it is a valid order (integrity) and the missile will actually launch (availability). The commander needs to ensure only the correct people receive the order (confidentiality) Mission Assurance

Change in Mind Set - Continuous Security Real Time Assessments Continuous Monitoring Don t just assess systems periodically Create a realistic Residual Risk Follow NIST Guidelines Holistic Risk Management Constant Improvement

Software Development Application Security Where do you begin? Integrate from the onset key component of the Software Development Lifecycle Tacked on at the end is usually expensive Cradle to grave - Evolving Support identified requirements Identify and mitigate risks early

Software Development Security Trends Common Coding Practices Not Followed User Input Validation not Implemented Old Applications More Vulnerable Clear Text Connection Strings Single Tier Applications Common Attacks SQL Injection OS Command Injection Buffer Overflow Path Manipulation <connectionstrings> <add name="sqlconnectionprovided" connectionstring="data Source=.; Initial Catalog=TestApp; User Id=User1;Password=P@$$W0rd; enlist=true;" providername="system.data.sqlclient" /> </connectionstrings>

User Insider Threat Trends Insider Threat Not Necessarily Malicious Basic Education - Training Knowing Certifications CISSP Security+ Certified Ethical Hacker Operating System Certification More Awareness Less Reliance Lack of Policies Social Engineering Phishing Tailgating Dumpster Diving Social Networks Information Sharing Logins/Passwords Taped to a Computer

System Configuration Trends Patching Mainly 3 rd Party (Java and Adobe) Outdated Operating Systems Lack of Auditing Consolidation/Alerting Back-up and Restoration Plan Excessive Permissions Wireless Configuration Handheld Device Configuration Big Data Consolidation Default Passwords

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information