GSF11 Session 2-1 - Cisco… · Security in acquisitions, Physical security, Personnel security, Security assessments and authorization, Continuous monitoring, Encryption mechanisms

Cybersecurity: Trust, Visibility, Resilience. Tom Albert, Senior Advisor, Cybersecurity. 28 pages.

Posted 25-Jun-2020

TRANSCRIPT

Page 1

Cybersecurity: Trust, Visibility, Resilience

Tom Albert, Senior Advisor, Cybersecurity

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

Page 2

“No single company can solve the complex challenge presented by the Internet, but the inherent role of the network positions Cisco as the natural partner in developing and executing a successful cyber security strategy”

Page 3

Cybersecurity Challenges

• Operational Management
• Data Capacity
• Supply Chain
• Business Resiliency
• Data Loss

Page 4

Federal Cybersecurity Priorities

• Situational Awareness
• Real-time Continuous Monitoring
• Identity Mgmt.
• Secure Supply Chain
• Vulnerability Analysis/IDS
• Application Security
• Education and Training
• Limited Access Points

Page 5

Why Cisco?

Cisco’s Pervasive Footprint: The Network is the Sensor

Security Products: Embedded Security Capabilities, Trusted HW/SW
Visibility: Cross Architecture Visibility Tools
Services: Education, Certifications, Incident Response, Supply Chain Management
Public/Private Partnerships

Page 6

Mission: Cybersecurity. “Cisco IS the Cyber Secure Platform”

Customer Requirements: Inside Threat, Data Capacity, Access, Visibility, Trust, Data Loss, Trustworthiness, Resilience

Identify and Manage: Challenges → Solution Framework → Solutions

Supply Chain, Public Policy, Messaging, Capture

Page 7

Cisco Cyber Solutions

Trust: Identity and Access, Secure Mobility, Wireless Integrity, Configuration Assurance, Physical Security, Audit and Compliance

Visibility: Continuous Monitoring, Data Exfiltration, Boundary Defense, Malware and APT Defense, Situational Awareness

Resilience: COOP, Incident Handling, Availability, Service Level Assurance

Page 8

Strategy, Architectures, Solutions, and the NIST 800-53 Critical Control Families they map to

Architectures: Borderless Networks, Data Center/Virtualization, Collaboration

TRUST
Solutions: Identity and Access, Secure Mobility, Wireless Integrity, Audit and Compliance, Configuration Assurance, Physical Security
Cisco products:
• Cisco Works LMS 4.0
• Cisco Configuration Engine
• Cisco TrustSec (Identity)
• Cisco AnyConnect Client
• Cisco VPN Services
• Cisco Mobility Engine & Wireless Solution
• Cisco Unified Border Element
• ASA Firewall
• IOS Firewall
NIST 800-53 Critical Control Family:
• Access Control
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Maintenance
• System & Communication Protection

VISIBILITY
Solutions: Continuous Monitoring, Data Exfiltration, Boundary Defense, Malware Defense, Situational Awareness
Cisco products:
• Security Intelligence Operations
• IPS 4200 Series
• Clean Air Technology
• NBAR
• IOS Intrusion Prevention
• IOS NetFlow
• Service Control Engine
• ASA BotNet Filter
NIST 800-53 Critical Control Family:
• Security Assessment & Authorization
• System & Communication Protection
• System & Information Integrity
• Incident Monitoring

RESILIENCE
Solutions: COOP, Incident Handling, Availability, Service Level Assurance
Cisco products:
• Performance Routing
• NSF/SSO
• EnergyWise
• Policy Based Routing
NIST 800-53 Critical Control Family:
• Contingency Planning
• System & Communication Protection
• Incident Monitoring
• Physical & Environmental

Page 9

Cybersecurity Partner Ecosystem: Building solutions with best of breed ISVs & Technology Partners

Systems Integrators, SIEM Partners, Implementation Partners, Technology Partners

• IRAD projects to address customer requirements
• Integrate component parts in proof-of-concept environments to foster learning and innovation
• Ecosystem partners to meet diverse customer security incident and event management requirements
• Cisco validated design and deployment methodologies
• Cybersecurity focus partners to ensure consistent delivery of Cisco and partner systems
• Agile custom solution development
• Complementary technology partners to complete Cybersecurity solution offerings
• Best of breed market proven technologies

Page 10

The Cybersecurity Journey

• Regulatory Alignment
• Private/Public Partnerships
• Cybersecurity Innovation
• Thought leadership
• Manufacturing Integrity
• Education
• Investment

Page 11

Page 12

Managing Risk Through Trust, Visibility, and Resilience

DGI Government Solutions Forum

Dr. Ron Ross
Computer Security Division
Information Technology Laboratory

March 1, 2011

Page 13

The Stuxnet Worm

Targeting critical infrastructure companies—

• Infected industrial control systems around the world.
• Uploads payload to Programmable Logic Controllers.
• Gives attacker control of the physical system.
• Provides back door to steal data and remotely and secretly control critical plant operations.
• Found in Siemens Simatic WinCC software used to control industrial manufacturing and utilities.

Page 14

The Flash Drive Incident

Targeting U.S. Department of Defense—

• Malware on flash drive infected military laptop computer at base in Middle East.
• Foreign intelligence agency was source of malware.
• Malware uploaded itself to Central Command network.
• Code spread undetected to classified and unclassified systems establishing digital beachhead.
• Rogue program poised to silently steal military secrets.

Page 15

The Stolen Laptop Incident

U.S. Department of Veterans Affairs—

• VA employee took laptop home with over 26 million veterans’ records containing personal information.
• Laptop was stolen from residence and information was not protected.
• Law enforcement agency recovered laptop; forensic analysis indicated no compromise of information.
• Incident prompted significant new security measures and lessons learned.

Page 16

“Red Zone” Information Security

Page 17

The New SP 800-39

• Multi-tiered Risk Management Approach
• Implemented by the Risk Executive Function
• Enterprise Architecture and SDLC Focus
• Flexible and Agile Implementation

Tier 1: Organization (Governance); strategic risk focus
Tier 2: Mission / Business Process (Information and Information Flows)
Tier 3: Information System (Environment of Operation); tactical risk focus

Page 18

Tier 1 – Organization

• Governance
• Risk management strategy
• Investment strategy
• Risk tolerance
• Trust
• Transparency
• Culture

Page 19

Tier 2 – Mission/Business Process

• Influenced by risk management decisions at Tier 1.
• Identification of missions/business processes.
• Determination of information types and flows.
• Identification of information security requirements.
• Development of enterprise architecture with embedded information security architecture.

Page 20

Tier 3 – Information System

• Influenced by risk management decisions at Tiers 1 & 2.
• Allocation of necessary and sufficient security controls to information systems and environments of operation.
• Uses Risk Management Framework to guide process.
• Information security managed as part of the SDLC.
• Feedback to Tiers 1 & 2 for continuous improvement.

Page 21

Risk Management Framework: Security Life Cycle

CATEGORIZE Information System (Starting Point): Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.

SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.

ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).

AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.

MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Page 22

Risk Management Process

Risk Framing (shown on every side of the diagram) around Assess, Respond, and Monitor, with Risk at the center.

Page 23

Unified Information Security Framework

The Generalized Model

Intelligence Community, Department of Defense, Federal Civil Agencies, Private Sector, State/Local Govt, CNSS

Unique Information Security Requirements: The “Delta”

Common Information Security Requirements

National security and non national security information systems

Foundational Set of Information Security Standards and Guidance
• Risk management (organization, mission, information system)
• Security categorization (information criticality/sensitivity)
• Security controls (safeguards and countermeasures)
• Security assessment procedures
• Security authorization process

Page 24

Joint Task Force Transformation Initiative: Core Risk Management Publications

• NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (Completed)
• NIST Special Publication 800-37, Revision 1, Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach (Completed)
• NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Completed)

Page 25

Joint Task Force Transformation Initiative: Core Risk Management Publications

• NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View (Completed)
• NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments (Projected April 2011, Public Draft)

Page 26

Defense-in-Depth

Links in the Security Chain: Management, Operational, and Technical Controls

• Risk assessment
• Security planning, policies, procedures
• Configuration management and control
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments and authorization
• Continuous monitoring
• Access control mechanisms
• Identification & authentication mechanisms (Biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (Firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards

Adversaries attack the weakest link…where is yours?

Page 27

Focus Areas — 2011 and Beyond

• Complete Joint Task Force Publications and Unified Information Security Framework
• Continuous Monitoring Guideline
• Systems and Security Engineering Guideline
• Update to NIST Special Publication 800-53, Revision 4
  • Insider Threats
  • Advanced Persistent Threats
  • Industrial Control Systems
  • Mobile Devices, Cloud Computing
  • Privacy Controls

Page 28

Contact Information

100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930

Project Leader: Dr. Ron Ross, (301) 975-5390, [email protected]
Administrative Support: Peggy Himes, (301), [email protected]

Senior Information Security Researchers and Technical Support:
Marianne Swanson, (301) 975-3293, [email protected]
Kelley Dempsey, (301), [email protected]
Pat Toth, (301) 975-5140, [email protected]
Arnold Johnson, (301) 975-3247, [email protected]

Web: csrc.nist.gov   Comments: [email protected]