Information Technology Infrastructure Committee (ITIC) Report to NAC Al Edmonds aedmonds@logapp.com

Similar documents
Information Technology Infrastructure Committee (ITIC)

Information Technology Infrastructure Committee (ITIC)

IBM Security Strategy

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Security and Privacy

Educa&onal Event Spring Cyber Security - Implications for Records Managers Art Ehuan

How To Hack A Corporate Network

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Network Security Landscape

Advanced Cyber Threats Demand a New Privileged Account Security Model Date: June 2013 Author: Jon Oltsik, Senior Principal Analyst

Threats to Local Governments and What You Can Do to Mitigate the Risks

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Cybersecurity The role of Internal Audit

SecurityMetrics Vision whitepaper

Protecting Your Organisation from Targeted Cyber Intrusion

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace

Ty Miller. Director, Threat Intelligence Pty Ltd

Security Challenges and Solutions for Higher Education. May 2011

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Incident Response 101: You ve been hacked, now what?

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

Gregg Gerber. Strategic Engagement, Emerging Markets

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Security from the Cloud

NASA OFFICE OF INSPECTOR GENERAL

Presented by Evan Sylvester, CISSP

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Get Confidence in Mission Security with IV&V Information Assurance

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

INDUSTRY OVERVIEW: HEALTHCARE

Cybersecurity Awareness. Part 1

VOLUME 4. State of Software Security Report. The Intractable Problem of Insecure Software

IIABSC Spring Conference

Defending Against Data Beaches: Internal Controls for Cybersecurity

INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK

Website Security: It s Not all About the Hacker Anymore

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Fighting Advanced Threats

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

Security of NASA s Publicly Accessible Web Applications

Information Security Services

Information Security for the Rest of Us

Protecting Organizations from Cyber Attack

Nuclear Security Requires Cyber Security

WRITTEN TESTIMONY OF

Data Security: Fight Insider Threats & Protect Your Sensitive Data

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Digital Evidence and Threat Intelligence

Predictive Cyber Defense A Strategic Thought Paper

NATIONAL CYBER SECURITY AWARENESS MONTH

Cybersecurity in SMEs: Evaluating the Risks and Possible Solutions. BANCHE E SICUREZZA 2015 Rome, Italy 5 June 2015 Arthur Brocato, UNICRI

The SQL Injection Threat & Recent Retail Breaches

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

A Love Affair: Cyber Security, Big-data and Risk

Welcome. HITRUST 2014 Conference April 22, 2014 HITRUST. Health Information Trust Alliance

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Principle of Information Security. Asst. Prof. Kemathat Vibhatavanij Ph.D.

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

Office of Inspector General

NASA Cybersecurity: An Examination of the Agency s Information Security

Jumpstarting Your Security Awareness Program

October 24, Mitigating Legal and Business Risks of Cyber Breaches

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

New York State Energy Planning Board. Cyber Security and the Energy Infrastructure

High-Risk User Monitoring

How To Audit Telecommunication Services And Enterprise Security

Cisco Security Optimization Service

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Enterprise Security Governance. Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security

Department of Homeland Security Office of Inspector General

Cybersecurity: What CFO s Need to Know

Your Network Has Been Compromised. Is It Time To Reevaluate Your Traditional Cybersecurity Paradigms?

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

Catbird 6.0: Private Cloud Security

Cloud Security Specialist Certification Self-Study Kit Bundle

SPEAR PHISHING UNDERSTANDING THE THREAT

Cyber Security Risks for Banking Institutions.

BYOD: Should Convenience Trump Security? Francis Tam, Partner Kevin Villanueva, Senior Manager

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Is your business prepared for Cyber Risks in 2016

The Protection Mission a constant endeavor

Information Security Officer (# 1773) Salary: Grade 25 ($81,808-$102,167) / Grade 27 ($90,595 to $113,141) Summary of Duties. Minimum Qualifications

Guy Ron Managing Director, Bayon Security

Cyber Security An Exercise in Predicting the Future

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Threat Advisory: Accellion File Transfer Appliance Vulnerability

Protecting Your Data, Intellectual Property, and Brand from Cyber Attacks

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

Ahead of the threat with Security Intelligence

How To Audit The Mint'S Information Technology

Presenters: Glen Elliott and Bryan Johnson

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Proactive security IT body armor against business attacks WHITE PAPER

IT Security Testing Services

Transcription:

Information Technology Infrastructure Committee (ITIC) Report to NAC Al Edmonds aedmonds@logapp.com 5/5/20105/2010 NAC Information Technology Infrastructure Committee 1

OUTLINE Committee Members Meeting 4/15/2010 and 4/16/2010 Future meetings (ITIC & ASCS) Cyber security High Performance Computing Revised Work Plan Questions/Comments Observations 5/5/2010 NAC Information Technology Infrastructure Committee 2

Committee Members Membership Ret. General Albert (Al) Edmonds (Chair), President - Edmonds Enterprise Services, Inc. Mr. Alan Paller, Research Director - SANS Institute Dr. Robert Grossman, Professor University of Illinois Dr. David Waltz, Director, CCLS Columbia University Dr. Larry Smarr, Director California Institute for Telecommunications and Information Technology Dr. Charles Holmes, Retired NASA Ms. Debra Chrapaty, Senior VP CISCO Dr. Alexander Szalay, Professor Johns Hopkins University Dr. Alexander H. Levis, Professor - George Mason University Ms. Tereda J. Frazier (Exec Sec), Special Assist. to CIO, NASA 5/5/2010 NAC Information Technology Infrastructure Committee 3

April 15 th and 16 th MEETING Meeting Location: NASA Headquarters, Rm. 2O43 Meet-Me-Number available for virtual members Presentations from the following areas: IT Security Operations ASCS Status Briefing Status of NASA Supercomputing IT Summit Briefing IT Governance Making IT Stellar at NASA Revised ITIC Work Plan Logistics for future meetings 5/5/2010 NAC Information Technology Infrastructure Committee 4

Future Meetings ITIC Meetings Ad-hoc groups visiting centers to meet with NASA operational function personnel to have fact finding discussions Next planned ITIC FACA meeting is July 27 th as a telecon Last planned ITIC FACA meeting for FY10 is September 28 th and 29 th, location TBD ASCS Meetings Next meeting scheduled for May 14 th and 15 th, at NASA Headquarters Remaining meeting schedules for FY10 are TBD 5/5/2010 NAC Information Technology Infrastructure Committee 5

Cyber Security - The Threat Actors NASA is an interesting target: Between 2007 and 2009, NASA on average logged nearly 1 billion vulnerability scans of its network perimeters on a monthly bases NASA is witnessing attacks perpetrated by threat actors from all categories Criminal Groups Ankle Biters, Script Kiddies, and Hacktivist Nation States Together, these actors instigated: 1,120 incidents between FY 2007 and 2008 2,844 incidents between FY 2008 and 2009 5/5/2010 NAC Information Technology Infrastructure Committee 6

Cyber Security - Threat Actions and Vectors Threat actors exploited vulnerabilities using a number of well known threat actions and vectors: Web applications that have common security vulnerabilities Spear Phishing, with email as a vector. Spear phishing attacks are designed to acquire credentials or create a back door on the compromised system and surreptitiously exfiltrate data Phishing, with email as the primary vector and social engineering as a secondary vector. Phishing attacks are designed to steal personally identifiable information or user credentials Exploitation of improper configurations with network devices as the vector 5/5/2010 NAC Information Technology Infrastructure Committee 7

Cyber Security - Enterprise Risk Management As NASA s foremost IT risk management entity, the IT Security Division is developing an all sources IT security risk assessment. The assessment focuses on three risk impact areas: Data loss Disruption to enterprise services Disruption to mission operations Classic risk formula, Threat x Vulnerability x Likelihood x Impact = Risk All sources include: Security Operations Center (SOC) incident information, Cyber Threat Analysis Program (CTAP) reports, Cyber Counter Intelligence/Counter Terrorism (CI/CT) reports and classified channels 5/5/2010 NAC Information Technology Infrastructure Committee 8

High Performance Computing Linking the Calit2 Auditoriums at UCSD and UCI with LifeSize HD for Shared Seminars 5/5/2010 NAC Information Technology Infrastructure Committee 9

High Performance Computing Very Large Images Can be Viewed Using CGLX s TiffViewer Spitzer Space Telescope (Infrared) Hubble Space Telescope (Optical) Source: Falko Kuester, Calit2@UCSD 5/5/2010 NAC Information Technology Infrastructure Committee 10

Two 64K Images From a Cosmological Simulation of Galaxy Cluster Formation High Performance Computing Providing End-to-End CI for Petascale End Users Mike Norman, SDSC October 10, 2008 log of gas temperature log of gas density 5/5/2010 NAC Information Technology Infrastructure Committee 11

High Definition Video Connected OptIPortals: Virtual Working Spaces for Data Intensive Research NASA Interest in Supporting Virtual Institutes LifeSize HD NASA Ames Lunar Science Institute Mountain View, CA Source: Falko Kuester, Kai Doerr Calit2; Michael Sims, NASA 5/5/2010 NAC Information Technology Infrastructure Committee 12

Toward a Data and Visualization Intensive Working Environment Across Remote Sites NASA Ames Visit Feb. 29, 2008 Calit2@ UCI wall Calit2@ UCSD wall UCSD cluster: 15 x Quad core Dell XPS with Dual nvidia 5600s UCI cluster: 25 x Dual Core Apple G5 5/5/2010 NAC Information Technology Infrastructure Committee 13

Revised Work Plan Examine the ongoing and planned efforts for the IT Infrastructure and mission areas. Develop recommendations for an investment strategy for updating the infrastructure while greening it and at the same time reduce lifecycle costs. Investigate the state of NASA s high performance networks, high performance computing systems, and data intensive computing systems. Investigate the state of NASA s software and infrastructure support for collaborative teams. Examine NASA s data and communications environment for its aerospace operations and point out areas in need of attention. Examine the role of the OCIO, its strategic plans and projected resources, and IT governance across NASA. Creating green cloud computing. 5/5/2010 NAC Information Technology Infrastructure Committee 14

Questions or Comments 5/5/2010 NAC Information Technology Infrastructure Committee 15

Early Observations on NASA Security vis-á-vis Other Agencies 5/5/2010 NAC Information Technology Infrastructure Committee 16

NASA Differences from Other Agencies Negative: very high number of separate systems subject to security requirements Positive: access to situational awareness data on nearly every system (not mission systems yet) Positive: leadership technical skills that identify actual attack vectors, sense of urgency 5/5/2010 NAC Information Technology Infrastructure Committee 17

Possible Findings More than $12 million is being spent on out-of-date security compliance reports and can be shifted into continuous monitoring and improvement. Security is not being engineered effectively into systems at the beginning of and throughout the design/development process, increasing the costs and reducing the impact of bolting it on later. Security audits that find dozens of specific problems on individual machines do not lead to broad cost-effective changes. 5/5/2010 NAC Information Technology Infrastructure Committee 18

Short term task plan Briefings on security at the centers Briefings on how security can be introduced at the beginning of planning and development for major systems Meeting in May at headquarters on the day before cyber security subcommittee meeting 5/5/2010 NAC Information Technology Infrastructure Committee 19

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information