Page 1
May 4, 2009
Stevens Institute of Technology
Security Systems Engineering
Jennifer Bayuk
Cybersecurity Program Director
School of Systems and
[email protected]
Page 2
Stevens Institute Security Research
National Center for Secure and Resilient Maritime Commerce
Naval Security Infrastructure Technology Laboratory
Center for the Advancement of Secure Systems and Information Assurance
National Cybersecurity Center of Excellence in Information Assurance Education
National Cybersecurity Center of Excellence in Information Assurance Research
Leader of the DoD University Affiliated Research Center for Systems Engineering
Systems Security Core Research Topic
Why new focus on Systems Engineering Security?
Page 3
The Problem
[Network diagram; only its labels survive extraction. Components shown: Mainframe, Time Sharing or Bulletin Board Service, Multiplexor, User Terminal, Modem, LAN, Personal Computers, User Workstation, Internet, Router, External Servers, Physical Perimeter, Email Server, Server Farm, Web Servers, Firewall, Proxy Server, IDS, IPS, SIM, WAF, Content Filters, Wireless, VPN, Remote Access Server, Policy Servers, Certificate Authority, AntiVirus Mgmt, Identity Mgmt, Token Admin, Secure Storage, Key Management, Online Services and Outsourcing Arrangements. Annotations: "Procedure", "Isolate and Harden Servers", "EXTERNAL THREATS", "Current attacker path to data".]
Page 4
SERC Security Engineering Research Roadmap
1. Define systems security
2. Measure systems security
3. Devise system security frameworks
4. Improve the proficiency of the security engineering workforce
Page 5
Security Roadmap
1. Define systems security
Reassess periphery models
Focus on whole systems
Examine interfaces and interactions
Understand similarities and differences across domains
Page 6
2. Measure systems security
Achievable and comparable security attributes
Outcome-based rather than vulnerability-based
Identify systemic value of currently available control standards
Identify and measure trade-offs with respect to security features
Page 7
3. Devise systems security frameworks
Include policy, process and technology
Provide basis for evaluation
New classes of system-level solutions
Security-receptive architectures
Page 8
4. Improve the proficiency of the security engineering workforce
Encourage and educate workforce
Operational security requirements
Community force multipliers
Engage stakeholders
Page 9
Example: Systemic Security
Systemigram software from: Boardman and Sauser, Systems Thinking: Coping with 21st Century Problems, Taylor & Francis, 2008.
Page 10
Example System
Page 11
Metaphorical Construct
Page 12
Discovery
ISO 27005:2008 Security Risk Assessment Task Order:
1. Identification of assets
2. Identification of threats
3. Identification of existing controls
4. Identification of vulnerabilities
5. Identification of consequences
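As an added example, not part of the slide deck, the following Python models the five identification steps of the ISO 27005:2008 task order above and joins their outputs into a ranked list of residual risk scenarios, so the discovery steps produce something a reviewer can act on rather than five separate lists. All names, the sample assets, threats and controls (borrowed from component labels on the "The Problem" diagram), the 1-5 consequence scale and the simplification that a vulnerability covered by an existing control is not a residual risk are my assumptions, not requirements of the standard.

```python
"""Added example (not from the slide deck): a small model of the five
ISO 27005:2008 identification steps, joined into ranked residual risks.

All data below is constructed sample input. The 1-5 consequence scale and
the rule "a vulnerability mitigated by an existing control is not a
residual risk" are simplifications assumed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Asset:                          # step 1: identification of assets
    name: str
    vulnerabilities: FrozenSet[str]   # step 4: identification of vulnerabilities


@dataclass(frozen=True)
class Threat:                         # step 2: identification of threats
    name: str
    exploits: FrozenSet[str]          # vulnerability ids this threat can use


@dataclass(frozen=True)
class Control:                        # step 3: identification of existing controls
    name: str
    mitigates: FrozenSet[str]         # vulnerability ids the control covers


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    threat: str
    vulnerability: str
    consequence: int                  # step 5: consequence rating, 1 (low) .. 5 (high), assumed scale


def identify_risks(assets: List[Asset], threats: List[Threat],
                   controls: List[Control],
                   consequences: Dict[str, int]) -> List[RiskScenario]:
    """Join the five identification outputs into residual risk scenarios.

    A scenario exists when a threat can exploit a vulnerability present on an
    asset and no existing control mitigates that vulnerability. Results are
    sorted highest consequence first so the worst gaps come out on top."""
    mitigated = set().union(*(c.mitigates for c in controls))
    scenarios = []
    for asset in assets:
        for vuln in sorted(asset.vulnerabilities):
            if vuln in mitigated:
                continue              # an existing control already covers it
            for threat in threats:
                if vuln in threat.exploits:
                    scenarios.append(RiskScenario(asset.name, threat.name, vuln,
                                                  consequences[asset.name]))
    return sorted(scenarios,
                  key=lambda s: (-s.consequence, s.asset, s.threat, s.vulnerability))


def unmitigated_vulnerabilities(assets: List[Asset],
                                controls: List[Control]) -> List[str]:
    """Cross-check of step 3 against step 4: vulnerabilities no listed control covers."""
    mitigated = set().union(*(c.mitigates for c in controls))
    return sorted({v for a in assets for v in a.vulnerabilities} - mitigated)


def sample_assessment() -> List[RiskScenario]:
    """Constructed sample; component names taken from the 'The Problem' diagram."""
    assets = [
        Asset("Mainframe", frozenset({"cleartext-modem-access"})),
        Asset("Web Servers", frozenset({"unpatched-web-app", "default-admin-creds"})),
        Asset("Email Server", frozenset({"weak-remote-access-auth"})),
    ]
    threats = [
        Threat("Internet attacker", frozenset({"unpatched-web-app",
                                               "default-admin-creds",
                                               "weak-remote-access-auth"})),
        Threat("War-dialer", frozenset({"cleartext-modem-access"})),
    ]
    controls = [
        Control("WAF", frozenset({"unpatched-web-app"})),
        Control("Token Admin (two-factor for remote access)",
                frozenset({"weak-remote-access-auth"})),
    ]
    consequences = {"Mainframe": 5, "Web Servers": 3, "Email Server": 2}
    return identify_risks(assets, threats, controls, consequences)


if __name__ == "__main__":
    for s in sample_assessment():
        print(f"[{s.consequence}] {s.asset}: {s.threat} via {s.vulnerability}")
```

Running the sample leaves two residual scenarios: the Mainframe reachable through cleartext modem access (no control listed against it) and the Web Servers through default admin credentials, which the WAF does not cover; the scenarios the WAF and two-factor token control mitigate drop out, which is the point of doing step 3 before concluding from step 4.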