Opening Up a Second Front for Cyber Security and Risk Management

Similar documents
Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience

Cyber Security Risk Management: A New and Holistic Approach

Managing Security and Privacy Risk in Healthcare Applications

Security Risk Management For Health IT Systems and Networks

Managing Security Risk In a World of Complex Systems and IT Infrastructures

FREQUENTLY ASKED QUESTIONS

Looking at the SANS 20 Critical Security Controls

Rethinking Cybersecurity from the Inside Out

FISMA Implementation Project

Security Controls Assessment for Federal Information Systems

Security and Privacy Controls for Federal Information Systems and Organizations

Get Confidence in Mission Security with IV&V Information Assurance

IT Security Management Risk Analysis and Controls

Supply Chain Risk Management For Modern Software Development

COORDINATION DRAFT. FISCAM to NIST Special Publication Revision 4. Title / Description (Critical Element)

CTR System Report FISMA

Recommended Security Controls for Federal Information Systems

Security Compliance In a Post-ACA World

System Security Certification and Accreditation (C&A) Framework

Cybersecurity. Cloud. and the. 4TH Annual NICE Workshop Navigating the National Cybersecurity Education InterState Highway September 2013

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

Altius IT Policy Collection Compliance and Standards Matrix

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

DIVISION OF INFORMATION SECURITY (DIS)

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

CRR-NIST CSF Crosswalk 1

Minimum Security Requirements for Federal Information and Information Systems

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Compliance Risk Management IT Governance Assurance

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Compliance Overview: FISMA / NIST SP800 53

Cloud Security for Federal Agencies

Mission Assurance and Security Services

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Security Control Standard

HHS Information System Security Controls Catalog V 1.0

Industrial Security Field Operations

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE

Security Self-Assessment Tool

Security Control Standard

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

Bellevue University Cybersecurity Programs & Courses

Security Control Standard

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Enterprise Cybersecurity: Building an Effective Defense

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY. Version 2.

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

Discussion Draft of the Preliminary Cybersecurity Framework

POSTAL REGULATORY COMMISSION

Building Security In:

Enterprise Cybersecurity: Building an Effective Defense

Bellingham Control System Cyber Security Case Study

Framework for Improving Critical Infrastructure Cybersecurity

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Industrial Control Systems Security Guide

security standards and guidelines within one year of the publication date unless otherwise directed by OMB or NIST.2

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Enterprise Security Tactical Plan

Government of Canada Managed Security Services (GCMSS) Appendix D: Security Control Catalogue ITSG-33 - Annex 3 DRAFT 3.1

Cybersecurity Enhancement Account. FY 2017 President s Budget

IT Security and Compliance Program Plan for Maxistar Medical Supplies Company

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

White Paper. Information Security -- Network Assessment

Risk Management Guide for Information Technology Systems. NIST SP Overview

Software Application Control and SDLC

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection

Information Security Program Management Standard

Cybersecurity and internal audit. August 15, 2014

ICT Supply Chain Risk Management

Policy on Information Assurance Risk Management for National Security Systems

External Supplier Control Requirements

Information Security for Managers

Dr. Ron Ross National Institute of Standards and Technology

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Cybersecurity Throughout DoD Acquisition

OFFICE OF THE SECRETARY OF DEFENSE 1700 DEFENSE PENTAGON WASHINGTON, DC

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Security Control Standards Catalog

Report of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act.

COMMONWEALTH OF VIRGINIA

Selecting RMF Controls for National Security Systems

Microsoft s Compliance Framework for Online Services

Middle Class Economics: Cybersecurity Updated August 7, 2015

Framework for Improving Critical Infrastructure Cybersecurity

DoD Strategy for Defending Networks, Systems, and Data

Transcription:

Opening Up a Second Front for Cyber Security and Risk Management Annual Computer Security Applications Conference December 4, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

The seeds of information security and privacy in the digital age, were planted in United States Constitution over two centuries ago NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

The United States Constitution WE THE PEOPLE of the United States, in Order to form a more perfect Union, establish Justice, ensure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

Information security and privacy, traditional societal values, are at greater risk today due to the ever increasing size of our digital footprint NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

Why Is Cyber Security Important? Because many information systems in the public and private sectors that are part of the U.S. critical infrastructure are extremely vulnerable to hostile cyber attacks and other threats... These systems must be more reliable, trustworthy, and resilient. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

What do we worry about? Hostile cyber attacks Natural disasters Structural failures Human errors of omission or commission Conventional Threats NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

Advanced Persistent Threat An adversary that Possesses significant levels of expertise / resources. Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception). Establishes footholds within IT infrastructure of targeted organizations To exfiltrate information. Undermine / impede critical aspects of a mission, program, or organization. Position itself to carry out these objectives in the future. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

The First Front. What we have accomplished NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

Unified Information Security Framework The Generalized Model Unique Information Security Requirements The Delta Intelligence Community Department of Defense Federal Civil Agencies C N S S Private Sector State/Local Govt Common Information Security Requirements Foundational Set of Information Security Standards and Guidance Risk management (organization, mission, information system) Security categorization (information criticality/sensitivity) Security controls (safeguards and countermeasures) Security assessment procedures Security authorization process National security and non national security information systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

Joint Task Force Transformation Initiative In 2012, completed development of comprehensive security guidelines that can be adopted by all federal agencies including the national security community. Flexible and extensible tool box includes: An enterprise-wide risk management process. State-of-the-practice, comprehensive, security controls. Risk management framework. Risk assessment process. Security control assessment procedures. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

Unified Information Security Framework NIST Special Publication 800-39 Managing Information Security Risk: Organization, Mission, and Information System View NIST Special Publication 800-30 Guide for Conducting Risk Assessments NIST Special Publication 800-37 Applying the Risk Management Framework to Federal Information Systems NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication 800-53A Guide for Assessing the Security Controls in Federal Information Systems and Organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

The Second Front. What we need to accomplish NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

The federal cyber security strategy Build It Right, Then Continuously Monitor NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

Unconventional Threats What should we worry about? Connectivity Complexity Culture NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

Complexity. Ground zero for our current problems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

If we can t understand it we can t protect it NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

We need to build our security programs like NASA builds space shuttles using the integrated project team concept.. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

What can we do to change course? Simplify, Specialize, and Integrate NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

STRATEGIC RISK FOCUS Communicating and sharing risk-related information from the strategic to tactical level. TIER 1 Organization (Governance) Communicating and sharing risk-related information from the tactical to strategic level. TIER 2 Mission / Business Process (Information and Information Flows) TIER 3 Information System (Environment of Operation) TACTICAL RISK FOCUS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20

A New Approach for Information Security Work directly with mission/business owners and program managers. Bring all stakeholders to the table with a vested interest in the success or outcome of the mission or business function. Consider information security requirements as mainstream functional requirements. Conduct security trade-off analyses with regard to cost, schedule, and performance requirements. Implement enforceable metrics for key officials. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

Increasing Strength of IT Infrastructure Simplify. Reduce and manage complexity of IT infrastructure. Use enterprise architecture to streamline the IT infrastructure; standardize, optimize, consolidate IT assets. Specialize. Use guidance in SP 800-53, Rev 4 to customize security plans to support specific missions/business functions, environments of operation, and technologies. Develop effective monitoring strategies linked to specialized security plans. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

Increasing Strength of IT Infrastructure Integrate. Build information security requirements and controls into mainstream organizational processes including: Enterprise Architecture. Systems Engineering. System Development Life Cycle. Acquisition. Eliminate information security programs and practices as stovepipes within organizations. Ensure information security decisions are risk-based and part of routine cost, schedule, and performance tradeoffs. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

Defense-in-Depth Links in the Security and Privacy Chain: Security and Privacy Controls Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical and personnel security Security assessments and authorization Continuous monitoring Privacy protection Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Adversaries attack the weakest link where is yours? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

Defense In Depth is a Good Strategy Until it fails then what? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25

Resilience. The only way to go for critical missions and information systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26

Dual Protection Strategies Sometimes your information systems will be compromised even when you do everything right Boundary Protection Primary Consideration: Penetration resistance. Adversary Location: Outside defensive perimeter. Objective: Repel the attack. Agile Defense Primary Consideration: Information system resilience. Adversary Location: Inside defensive perimeter. Objective: Operate while under attack, limit damage. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27

Agile Defense Boundary protection is a necessary but not sufficient condition for Agile Defense. Examples of Agile Defense measures Compartmentalization and segregation of critical assets. Targeted allocation of security controls. Virtualization and obfuscation techniques. Encryption of data at rest. Limiting privileges. Routine reconstitution to known secure state. Bottom Line: Limit damage of hostile attack while operating in a (potentially) degraded or debilitated state NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

Special Publication 800-53, Revision 4. Big changes on the way NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29

Gap Areas Addressed Insider threat. Application security. Supply chain risk. Security assurance and trustworthy systems. Mobile and cloud computing technologies. Advanced persistent threat. Tailoring guidance and overlays. Privacy. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30

SP 800-53 Rev 4 Driving Major Changes (1 of 2) Special Publication 800-82 (Industrial Control System Security) undergoing major changes. Phase I: ICS Appendix from SP 800-53, Revision 3, moving to SP 800-82 (simultaneous release with SP 800-53, Revision 4). Phase II: Full update to SP 800-82 by September 2013. Privacy requirements and controls will be part of standard lexicon and coordinated with security requirements. Overlay concept promotes specialization of security plans for federal agencies; potential significant expansion of use by private sector (voluntary basis). NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31

SP 800-53 Rev 4 Driving Major Changes (2 of 2) Special Publication 800-160 (Security Engineering Guideline) targeted for publication in late 2013. Security controls in SP 800-53, Revision 4, addressing trustworthy systems, assurance, and system resilience. Exploring the possibility of system resiliency appendix in SP 800-53. Opening up new discussions on the concept of assurance. How federal agencies can obtain IT products and information systems with greater assurance. SP 800-53, Revision 4, (internal) mapping to Common Criteria (ISO/IEC 15408) requirements. Impacting ISO/IEC 27001 and 27002. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32

Functionality and Assurance. They ride together FUNCTIONALITY What is observable behind the wall. ASSURANCE What is observable in front of the wall. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 33

Assurance and Trustworthiness TRUSTWORTHINESS Information Systems Security Capability Prevent Attacks, Deter Attacks, Limit Harm from Attacks, Respond to Attacks, Recover from Attacks FUNCTIONALITY Security Features, Functions, Services, Mechanisms, Procedures ASSURANCE Measures of Confidence Security Strength Correctness, Completeness, Resistance to Tamper and Bypass Development Actions Operational Actions Security Evidence Development Artifacts, Test/Evaluation Results, Flaw Reports Enables Understanding of Security Capability NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 34

Assurance. You don t need it until you need it NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 35

Rebranding the Concept of Assurance Making the assurance argument for today s practitioners Objectives for Special Publication 800-53, Revision 4 What is assurance? Why is assurance important? When is assurance needed? How are organizations obtaining assurance now? How can organizations obtain increased levels of assurance in the future? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 36

Trustworthiness and Assurance Significant changes to security controls and control enhancements Configuration Management (CM) family. System and Services Acquisition (SA) family. System and Information Integrity (SI) family. Applying best practices in software application development at all stages in the SDLC. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 37

Significant Updates to Security Controls Development processes, standards, and tools. Developer security architecture and design. Developer configuration management. Developer security testing. Developer-provided training. Supply chain protection. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 38

Minimum Assurance Appendix E Appendix E has been completely revised. The minimum required assurance is provided by implementation of the appropriate baseline set of controls. The assurance-related controls for each baseline are provided in tables E-1, E-2, and E-3. Table E-1 Minimum Assurance for Low Impact Baseline ID CONTROLS ID CONTROLS AC AC-1 MP MP-1 AT AT-1, AT-2, AT-3, AT-4 PE PE-1, PE-6, PE-8 AU AU-1, AU-6 PL PL-1, PL-2, PL-4 CA CA-1, CA-2, CA-3, CA-5, CA-6, CA-7 PS PS-1, PS-6, PS-7 CM CM-1, CM-2, CM-8 RA RA-1, RA-3, RA-5 CP CP-1, CP-3, CP-4 SA SA-1, SA-2, SA-3, SA-4, SA-5, SA-9 IA IA-1 SC SC-1, SC-41 IR IR-1, IR-2, IR-5 SI SI-1, SI-4, SI-5 MA MA-1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 39

And after we build it right. What next? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 40

Continuous Monitoring Determine effectiveness of risk responses. Identify changes to information systems and environments of operation. Verify compliance to federal legislation, Executive Orders, directives, policies, standards, and guidelines. Bottom Line: Increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 41

And until we build it right. What should we do? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 42

Important Stop-Gap Actions For high-end adversaries launching sophisticated and well-coordinated cyber attacks targeting: U.S. critical infrastructure; federal mission-essential functions and systems; and private sector industries Develop, implement, and exercise robust contingency plans to support full scale continuity of operations; Implement continuous monitoring programs; and Use technology wisely! NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 43

Some random thoughts. In not so random order NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 44

Information security is hard. But it is important NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 45

Think strategic. Execute tactical NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 46

Information has value. But not all information is valuable NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 47

Least privilege and least functionality. Powerful concepts that reduce risk NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 48

Adversaries are not ten feet tall. They have work factors and attack sequences that can be disrupted NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 49

Managing risk. Doesn t mean fixing everything Frame Assess Respond Monitor NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 50

Risk Tolerance. How you know when to stop deploying security controls NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 51

The Desired End State Security Visibility Among Business/Mission Partners ORGANIZATION INFORMATION SYSTEM Business / Mission Information Flow ORGANIZATION INFORMATION SYSTEM System Security Plan Security Assessment Report Plan of Action and Milestones Security Information System Security Plan Security Assessment Report Plan of Action and Milestones Determining the risk to the first organization s operations and assets and the acceptability of such risk Determining the risk to the second organization s operations and assets and the acceptability of such risk The objective is to achieve visibility into prospective business/mission partners information security programs establishing levels of security due diligence and trust. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 52

Contact Information Project Leader 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Administrative Support Dr. Ron Ross Peggy Himes (301) 975-5390 (301) 975-2489 ron.ross@nist.gov peggy.himes@nist.gov Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) 975-5140 (301) 975-2827 patricia.toth@nist.gov kelley.dempsey@nist.gov Arnold Johnson (301) 975-3247 arnold.johnson@nist.gov Web: csrc.nist.gov/sec-cert Comments: sec-cert@nist.gov NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 53

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information