what “really” matters in cyber?
TRANSCRIPT
What “REALLY” matters in Cyber? (Where it’s not ALL about security ‘things’ – it’s more like settings / hygiene!)
Can’t happen to you?
• 6.5M LinkedIn passwords (“unsalted hashes”) stolen…
• Facebook hacks proliferate – contain hacker links, questionable “friends”
• Yahoo email accounts hacked – almost 500,000 passwords compromised – etc, etc..
And the list / examples go on and on and on….
Mike Davis
Winter, 2012
[email protected]/MSEE, CISSP, SysEngr
ISSA / TSN / SOeC… AFCEA / NDIA… IEEE / INCOSE / et al
“easy button”
What “really” matters in Cyber? (aka ‐ the “bottom line” up front) (and who says so?)
CYBER is all about TRUST and DATA
• OSD / federal S&T activities – KEY gaps / needs: Distributed Trust; Resilient Architectures; Response and Cyber Maneuver; Visualization and Decision Support; Dynamic policy management (RaDaC); Detection and Autonomic Response; Recovery and Reconstitution
• NSA / agency S&T activities: Mobility, wireless, & secure mobile services; Platform integrity / compliance assurance; End client security; Cyber indications and warning (I&W); Mitigation engineering (affordability); Massive data (data centric security); Advanced technology…. (targeted); Virtualization – secure capabilities
It’s NOT all about expensive new “cyber capabilities” but more about the SoS / I&I “glue” (profiles, common EA, SoPs, standards, etc)
AND doing the basics: (1) enforced cyber hygiene, (2) effective access control, (3) reduced complexity in IA / cyber (use approved products), (4) IT/IA continuous monitoring (ongoing diagnostics AND mitigations / SIEM)
When in doubt, do the cyber BASICS well, THEN acquire critical / key needs & capability gaps
The Complexity of Enterprise IT Systems is Increasing AND so is the associated Cyber Security!
SO.. where is your DATA, who has it – are you sure?
Cyberspace Characteristics
All of the warfighting - and related business - domains intersect… in relation to other mission areas… run by different Communities Of Interest (COI): C2, IA, CIP / infrastructure, Banking / retail, Security, Manufacturing, Communications.
Cyberspace is a blend of exclusive and inclusive ties; the Cyberspace Domain is contained within and transcends the others.
Frequently the COI boundaries / MOAs are implicit. These Venn connections / COIs are pervasive.
Numerous, dynamic COIs dominate relationships, adding Complexity & Comms / Control overhead - causing “cross domain” DATA sharing effects.
What are KEY cyber elements? (and what can we reasonably expect to influence / affect?)
Fundamental issues…. (givens?)
‐ Threats are elusive – so also plan / mitigate around consequences (aka, a fault tree)
‐ KISS, as complexity is our enemy – do the basics well (hygiene, anonymity, etc)
‐ In a connected world, it’s the shared vulnerabilities that will get you / ALL of us
‐ “They” have an asymmetrical advantage, plan on it (and they don’t follow the rules/laws)
‐ WE ALL need common homogenous security protection in a heterogeneous world
Essential gaps / needs… (tenets?)
‐ Invest in the OSD / NSA R&D / S&T “gap” perspectives, as authoritative sources
‐ Apply trade‐offs / assessments from a common end‐state (an ‘open’ / ubiquitous world)
‐ Using an enterprise risk management plan (RMP), develop YOUR cyber action plan
‐ If you can’t integrate “it” into your IT/network environment, then “it” is useless
‐ Most of the gaps / needs are “SoS” and “I&I” factors (the “glue”), not “things”
If you don’t know where you’re headed, any blind alley will do… where the bad actors continue to count on us not being in sync.
What’s a “simple” IA/Cyber vision / end-state look like? AND what are the “requirements”?
KEY C-I-A entities / touch points
Where is your data? Is it “assured” / what’s its pedigree?
A cyber end-state stresses encapsulation through a secure virtualized fabric
Threat Vectors of Interest
• Mobile devices … and wireless – always predicted, yet proliferates in 2012/13
– Starting with more Android Trojans, digital wallets, USER provided network services!
– Wireless security issues expand (besides 802.11 & WiMAX, to Zigbee, WirelessHART, Z‐Wave, etc.) … ARM hacking increases
– BYOD – many more hidden costs, legalities and risks than it seems on the surface…
• Cyber crime: easy money, minimal downside and growing
– Illicit cyber revenues have essentially equaled all illegal drug trafficking dollars
• Nation‐sponsored hacking: When APT meets industrialization – More targeted custom malware (Stuxnet ‐> Duqu is but one example, and now FLAME!)
• The insider threat is much more than you had imagined
– Coming from employees, partners, clients and compromised services and computing devices of all kinds (aka, supply chain security). With improved social engineering attacks… and…
– social media critical data leaks / malware distribution ‐ a pervasive threat vector
• Misanthropes and anti‐socials / hacktivism morphs – ANYONE can do it now!
– Privacy vs. security (and trust) in social networks. A small radical group’s DDOS attack can be effective on small businesses! Collaboration between isolated nefarious groups gets easier…
… mobile devices and cloud infrastructure hacking are likely two of the biggest rising stars in cyber crime in 2013…
Threat Vectors of Interest (Cont.)
• SSL/XML/web (HTML5)/browser vulnerabilities will proliferate
– Browsers remain a major threat vector (as they bypass the IA suite) – for 80% of all malware
– JAVA / VM / active code MUST be strictly managed / controlled / under “CM”
• Hackers feeling the heat… (the easy vulnerabilities are diminishing)
– they need to invest in better attack techniques and detection evasion….
• Cyber security becomes a business process…
– focused on data security, no longer a niche industry…. EVERYONE will spin their capabilities
• Convergence of data security and privacy regulation worldwide..
– Compliance even more so (PCI DSS, HIPAA, etc) .. What is “good enough” security?
– Data security goes to the cloud ‐ where security due diligence is more than SLAs!
– IPv6 transition will provide threat opportunities… Data Loss Prevention (DLP) is still key…
• Containment is the new prevention (folks now get the "resilience" aspect...)
• Full time incident responders needed, versus only virtual
– Monitoring and analysis capability increase, but not enough (re: near real‐time forensics & “chain of custody” evidence)…. “continuous monitoring” is KEY… (re: NIST docs)
There is MUCH to consider in the “threat” equation… and it’s always changing. Hence why you must ALSO practice “consequence” risk management.
Major Threats the experts report? Which ones must we all “really” worry about?
• Summary of the top threats
– Malicious Code – viruses, botnets, etc
– Stolen/Lost Laptop or Mobile Device
– Spear Phishing – targeted SPAM
– Unsecured Wireless Internet Networks
– Insider/Disgruntled Employee
• Key Business Security problems ‐ Computer Security Institute Survey (2008)
– 42% reported laptop theft; 44% reported insider abuse; 50% detected computer viruses; 21% reported denial of service attacks; 20% reported systems being made bots
• Survey of 10,413 IT security professionals’ top threat concerns
– application vulnerabilities (cited by 73%), mobile devices (66%), viruses and worms (65%), internal employees (63%)
– hackers (55%) and contractors (45%) … also cyber terrorism (44%), cloud‐based services (43%), and organized crime (38%).
Where’s your data? WHO has it?
Cloud security - pretty decent, where ISPs / data centers are better than most. BUT - SLAs are not enough… need full visibility into data, adjacent incidents, etc
Basically Everything… So follow the risk consequences by practicing defense in depth – all affordably….
(note - See data centric architecture approach in B/U slides)
NSPD‐54/HSPD‐23: CNCI‐1 ‘12 Initiatives’ (http://www.whitehouse.gov/cybersecurity/comprehensive‐national‐cybersecurity‐initiative )
Focus Area 1 – Establish a front line of defense:
• Trusted Internet Connections
• Deploy Passive Sensors Across Federal Systems
• Pursue Deployment of Intrusion Prevention Systems
• Coordinate and Redirect R&D Efforts
Focus Area 2 – Resolve to secure cyberspace / set conditions for long-term success:
• Connect Current Centers to Enhance Situational Awareness
• Develop Gov’t-wide Counterintelligence Plan for Cyberspace
• Increase Security of the Classified Networks
• Expand Education
Focus Area 3 – Shape future environment / secure U.S. advantage / address new threats:
• Define and Develop Enduring Lead Ahead Technologies, Strategies & Programs
• Define and Develop Enduring Deterrence Strategies & Programs
• Manage Global Supply Chain Risk
• Define Federal Role for Cybersecurity in Critical Infrastructure Domains
Cyber efforts must synchronize with Federal Investments. The HARD part is implementing enterprise integration, interoperability and controlling emergent behavior - that can affect most focus areas.
Is there a “cyber” equation / model? (something for us all to “balance” our risks / $$$)
Need to address: WHAT, WHO, WHEN, HOW… Governance, swim lanes, interfaces, overlap, etc
Model elements: Requirements; Technical processes; Acquisition; Operations; Policy / Regulations
Players / examples: CA, Fn, TA, NESI/NEADS, etc; Products, services, CM, etc; ILC/LCS/3M, CM; PEOs, SYSCOMs, Fleet; DoD, DoN CIO, ASN RDA, DISA, NSA/GIAP, ASD NII, NNFE; SOPs, training, O&S (supports DOTMLPF too)
Enterprise risk assessment (best value) = IA/SECURITY/CND (defense) (a1) + IO/CNE/CNA (offense) (a2) + SPECTRUM / TEMPEST (a3) + GOVERNANCE (a4) + REQUIREMENTS (a5) + THREAT / VULNERABILITIES (a6) + C&A / PEDIGREE (a7) + POLICY (a8) + TRAINING / EDUCATION (a9) + OTHER (a10) …. AND ???
NO common, vetted model exists, SO… develop your own!
“OUR” risk management plan should address all variables. The sensitivity of the coefficients will vary by company.
Prioritization of the Consolidated Enabling Technology Areas (ETAs)
Value / need – high:
• Distributed Trust
• Resilient Architectures
• Response and Cyber Maneuver
• Visualization and Decision Support
Value / need – med:
• Component Trust
• Recovery and Reconstitution
• Human Factors and Training
• Detection and Autonomic Response
• Advanced Cross-Domain Solutions
• Malware/Forensics Analysis and Reverse Engineering
• Resilient Infrastructure and Comms
• Advanced Cryptography
• Quantum Computing, Comms, and Crypto
Value / need – low:
• Scientific Theory and Measures
• Biometrics
• Sensing and Data Fusion
• Software Pedigree and Provenance
• Code Verification and Compliance
• Correct (Assured) by Construction Software
• Deception and Information Hiding
Source – QDR / DPPG study by OSD (Sep 2010)
CYBER is fundamentally about distributed trust & secure messaging!
Key cyber capabilities to develop (think “secure comms / messaging” - here proposed wrt top tier ETAs)
• Distributed Trust --- Enable secure distributed interactions by establishing appropriate levels of trust among remote devices, systems, or users …. supports: Models and Protocols for Trust Establishment; Infrastructure; Dynamic Evaluation; Out-of-Band and Physical Trust Maintenance
• Resilient Architectures --- Enable functional capabilities to continue despite successful disruption or compromise by the adversary …. supports: Morphing Engines Generating Unpredictability; Secured Network Storage; System Decomposition for Mission-Tailored Tools; Response and Cyber Maneuver
• Visualization and Decision Support --- Enable human decision-makers to quickly understand the security and operational implications of the current situation and to rapidly ascertain the best course of action to pursue …. supports: Real-Time Analysis Engines; Common Operational Framework; Holistic Cognitive Environment
• Response and Cyber Maneuver --- Enable defenders to perform shaping operations that minimize the attack space and frustrate adversary planning and to take action during attacks to block, disrupt, remove, or counter adversary actions …. supports: Polymorphic Technologies; Cyber Obfuscation; Network Agility
Net-centric Cyber Security = SoS and I&I aspects
Strategic Cyber Elements
(1) Collaborate on common enterprise IA / cyber strategy and vision – policy mapped to prioritized capabilities with assigned resources = “good enough” / cyber sufficiency!
(2) Develop a common overall enterprise risk assessment (ERA) – accounts for both significant threat vectors AND vulnerability consequences ‐> key mitigations. Use the NIST “RMF” (Risk Management Framework (800‐37)) weighted in the CNCI‐2 12 focus areas
(3) Align and synchronize resources and cyber gaps / initiatives – across federal & commercial organizations and tier 1 – tier 3 architecture perspectives (IT & cyber are ONE)
(4) Address pervasive lack of basic cyber hygiene enterprise wide – within the complete, life‐cycle aspects of an organization’s people, processes and products (technology); enforce a scalable, global access control model, that preserves least privilege, “attenuated delegation” (ZBAC)
(5) Reduce complexity ‐ Build a trusted cyber infrastructure on top of the existing IA/CND infrastructure, as an integrated “SoS” ‐ with enforced CM; thus optimize our overall cyber package and ensure synchronization and RESILIENCY!
(6) Better integrate / leverage education and ‘proactive defense’ (and ‘IO’) – “stealth offense” best left to law enforcement, qualified federal entities (or escalation / retaliation will occur)
Top down approach to a balanced, prioritized cyber execution plan
Key Tactical Thrusts (95% security incident reduction)
• COMMON national cyber security approach / governance
• Consequence based ERA, prioritize mitigations and resources
• Dynamic Cyber Enterprise Management (enforced hygiene) – KEY capability – effective continuous monitoring!!!! (can’t manage what you can’t measure)
• Top‐down enforcement of IA / Cyber architecture
– Secure enterprise access control / Cyber IFF (re: ZBAC…)
– Overall Dynamic Cyber Defense (DCD) approach
• Proactive / dynamic defensive I&W – monitor abnormal behavior
• Virtual storefront – reacts quickly to predictive IO/IA I&W
• IA/CND treated as an integrated “SoS” with lead/lag feedback
– Common enterprise trust model (and implement TPMs, etc)
– Reduce complexity ‐ IA Building blocks / APLs / VPLs with pedigrees
– Integrate into a common enterprise cyber security model / framework
• Effective lifecycle awareness, education, and training
High ROI Activities that get us all moving quickly
What is Cyber Hygiene? (and the HUGE percentage of security incidents caused)
National Security Agency (NSA) (over 80%) – NSA IAD director: “Just improving the “IA Management” aspects of security (aka, hygiene factors) will reduce security incidents by over 80%”. IA Management = CM, monitoring environment, follow SOPs
http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf
http://www.sans.org/critical-security-controls/guidelines.php
Verizon (2012 Data Breach Investigations Report) (97%) – Report covered 855 incidents, 174 million compromised records --- Breaches almost entirely avoidable through simple or intermediate controls. Threats: 98% from external agents, 81% from hacking… 69% used malware
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Navy (our “red team” / NCDOC) (over 90%) – Poor “accountability” factors = willful misuse, lack of CM (& IAVA / patches), not having / following procedures, weak enforcement of policy, etc. They must spend all their time / resources fixing the “easy” vulnerabilities…
HYGIENE = Maintaining / monitoring your IA / Security / cyber equipment settings. As any incorrectly set cyber capabilities makes them much less effective!
SO what are we trying to institute? An integrated “Cyber DiD” System using dynamic lead & lag feedback
Establish proactive, dynamic CND / IA Defense = dynamic cyber defense (DCD)
Diagram – elements of the DCD feedback loop:
• Defensive “Virtual Storefront”
• NMS / Security Management tools – security assessments – Cyber “I&W”
• Incident results / “insider threats”
• IA & “SA” (Sensors, CNA/E inputs, OpSec, Intel, etc…)
• Users & CoC – V&V / C&A
• I&W / SCM sensors – CND – IDS / IPS
• Red Teams – CERT / FBI
• forensic feedback (lagging indicators) -> Upgrades / Changes (developed & installed) (takes days to months)
• predictive feedback (leading indicators) -> “soft” settings changes (near real-time! takes seconds to minutes)
Integration, execution is everything, as if you can’t implement well, it costs you everywhere!!!
The quantitative benefits of systems integration and interoperability (I&I) are:
1. Shorter/reduced steps in business processes
2. Time taken to process one application/record
3. Less complaints from members of the public
4. No. of applications/records processed over a period
5. Less complaints from end-users
6. Reduced number of errors
7. Reduced software development time/effort
8. Reduced maintenance
9. Reduced no. of IT personnel
The qualitative benefits of I&I are:
1. Improved working procedures
2. Better communication with other related organizations
3. Job satisfaction
4. Redefine job specification
5. Improved data accessibility
6. One-stop service
7. More friendly public service
Until the user is happy using / benefitting from the new capability, it has no value.
Buying stuff is “easy” – getting it to work in your environment is hard…
Plan for “I&I” - Integration & Interoperability - then double it.
The best capability means little, if it stays in the box.
What can you DO right now? Ready for immediate implementation = 95+% incident reduction
1 ‐ Install tools/scripts to catch USERS’ mistakes.. lock down the end devices (only allow root admin to install anything..). Use effective access control (yes, ZBAC!)
2 ‐ We know the browser is THE threat vector... (80% of malware comes through here). Have ONE secure browser version (IE9), add in HP's Polaris (free tool to control browser access), and manage a specific settings profile (to control active code / Java, etc). Implement a ‘deny all’ access approach, allow URLs using only a controlled white list
3 ‐ Run tools / application firewalls to minimize zero‐day problems, and enforce CM/hygiene, along with "defensive I&W" monitoring tools (and / or use #5)
4 – KISS / reduce IA complexity… only buy cyber products off APLs/PPLs (they have pedigrees / C&A already!)… And USE their security features … like TPM!!
5 ‐ Hire a security continuous monitor firm for real‐time access for both current vulnerabilities (SQL injection, et al) and new threats... (where the firm has feeds/data from US CERT, etc, so they are always current on new threats / zero day problems)
6 – If you make IT stuff, build IA/security in, there are lots of simple guides:
http://www.sans.org/critical‐security‐controls/guidelines.php
http://www.sans.org/top25‐software‐errors/
We’re STILL lax.. Google “DarkReading Real‐World Developers Still Not Coding Securely”
Cyber continues to be about “US ALL” doing the basics
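As an added example that is not part of the original slides, here is the step-2 “deny all, allow URLs using only a controlled white list” rule written as a policy check that a web proxy or endpoint agent could apply; the allowlist entries, host names and sample URLs are constructed, and the entry format (scheme, host, port, exact) is an assumption of this example. It also shows the URL shapes such a check must normalize or reject so that the deny-all default actually holds.

```python
"""Deny-by-default URL allowlist check (added example, constructed policy).

Everything is DENIED unless the scheme, the real host and the port all
match an allowlist entry. Host names are normalized (lowercase, trailing
dot removed) and userinfo ("user@") is stripped before matching, so that a
URL cannot smuggle an allowed name in front of the real destination.
"""
from urllib.parse import urlsplit

# Only schemes the policy understands; anything else is denied outright.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample policy (assumed format). exact=True requires an exact
# host match; exact=False also admits subdomains of the listed host.
ALLOWLIST = [
    {"scheme": "https", "host": "intranet.example.com", "port": 443, "exact": True},
    {"scheme": "https", "host": "vendor.example.net", "port": 8443, "exact": False},
]


def normalize(url):
    """Parse a URL into (scheme, host, port).

    Returns None for anything the policy cannot reason about (unsupported
    scheme, missing host, malformed port), which the caller treats as DENY.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # drops userinfo and port, lowercases the name
        port = parts.port       # raises ValueError for non-numeric/out-of-range ports
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not host:
        return None
    host = host.rstrip(".")    # "example.com." names the same host as "example.com"
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, host, port


def is_allowed(url, allowlist=ALLOWLIST):
    """True only if every component of the URL matches an allowlist entry."""
    norm = normalize(url)
    if norm is None:
        return False
    scheme, host, port = norm
    for rule in allowlist:
        if scheme != rule["scheme"] or port != rule["port"]:
            continue
        if host == rule["host"]:
            return True
        # Subdomain match must include the separating dot, so that
        # "evilintranet.example.com" does not match "intranet.example.com".
        if not rule["exact"] and host.endswith("." + rule["host"]):
            return True
    return False


def evaluate(urls, allowlist=ALLOWLIST):
    """Return {url: "ALLOW"|"DENY"} for a batch of requested URLs."""
    return {u: ("ALLOW" if is_allowed(u, allowlist) else "DENY") for u in urls}


# Constructed sample requests, including the bypass shapes a naive
# substring or prefix match would get wrong.
SAMPLE_URLS = [
    "https://intranet.example.com/portal",            # ALLOW: exact match
    "http://intranet.example.com/portal",             # DENY: wrong scheme
    "https://INTRANET.example.com.:443/x",            # ALLOW: case / trailing dot normalized
    "https://intranet.example.com@evil.example/",     # DENY: userinfo trick, real host is evil.example
    "https://intranet.example.com.evil.example/",     # DENY: allowed name is only a prefix
    "https://api.vendor.example.net:8443/v1",         # ALLOW: subdomain permitted by the rule
    "https://vendor.example.net/",                    # DENY: port 443, rule allows only 8443
    "https://evil.example/?q=intranet.example.com",   # DENY: allowed name only in the query
    "javascript:alert(1)",                            # DENY: unsupported scheme
    "https://intranet.example.com:99999/",            # DENY: invalid port
]

if __name__ == "__main__":
    for url, verdict in evaluate(SAMPLE_URLS).items():
        print(f"{verdict:5} {url}")
```
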
Mobile Security perspective
Check Point’s global survey of 768 IT professionals conducted in the United States, Canada, United Kingdom, Germany, and Japan. The survey gathered data about current mobile computing trends…
Key Issue / Risk Findings:
• Extensive use of mobile devices connecting to corporate networks
-- 89% have mobile devices such as smartphones or tablets connecting to corporate networks
-- Apple iOS is the most common mobile platform used to connect in corporate environments
• Personal mobile devices that connect to corporate networks are extensive and growing
-- 65% allow personal devices to connect to corporate networks
-- 78% have more than twice as many personal devices on corporate networks vs 2 years ago
• Security risks are on the rise because of mobile devices
-- 71% say mobile devices have contributed to increased security incidents
-- The Android mobile platform is considered to introduce the greatest security risks
• Employee behavior impacts security of mobile data
-- 47% report customer data is stored on mobile devices
-- Lack of employee awareness about security policies ranked as greatest impact on data security
-- 72% say careless employees are a greater security threat than hackers
• Contrast that 75%+ of users with personal devices with the percentage of employers who have a coordinated and comprehensive mobile security strategy in place (10%), and you see the problem…
BYOD is NOT ‘free’
*** NSA/CSS “Mobility Capability Package” = Architecture / Certification - a MUST DO ***
http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_2_0.pdf
http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf
Mobile / wireless are HUGE threat entry points!
GAO report on mobile vulnerabilities
KEY risks / concerns:
• Mobile devices often do not have passwords enabled.
• Two-factor authentication is not always used when conducting sensitive transactions.
• Wireless transmissions are not always encrypted.
• Mobile devices may contain malware.
• Mobile devices often do not use security software.
• Operating systems may be out-of-date.
• Software / patches on mobile devices may be out-of-date.
• Mobile devices often do not limit Internet connections. Many mobile devices do not have firewalls to limit connections.
• Mobile devices may have unauthorized modifications (known as "jailbreaking" or "rooting").
• Communication channels / Bluetooth may be poorly secured.
Major protection methods: Enable user authentication; Enable two-factor authentication for sensitive transactions; Verify the authenticity of downloaded applications; Install antimalware capability; Install a firewall; Install security updates; Remotely disable lost or stolen devices; Enable encryption for data on any device or memory card; Enable whitelisting (? PDAs ?); Establish a mobile device security policy; Provide mobile device security training; Establish a deployment plan; Perform risk assessments; Perform configuration control and management.
BYOD is NOT ‘free’
http://www.networkworld.com/news/2012/091912-mobile-security-262581.html
Cyber Security “Best Practices” Overview (Best practices are not a panacea, or only what you need to do – but a guide = DO basics)
– Quantify your business protection needs – do you have an asset inventory?
– Determine what is “good enough” or minimally acceptable for your business
– Quantify your environment’s threats and vulnerabilities
• your list should have 10 – 50 or so threats assessed – check out USCERT, others
– Have a security policy that’s useful, complete, CEO/leadership endorsed
• yes, that’s actually HAVE A POLICY, profiles, access control, BYOD, etc – then enforce it!
– Run self‐assessments on security measures (use accepted tests, STIGs, PenTests, etc) and compliance (HIPAA, PCI, CFR, SOX, etc)
– Training and awareness programs – much needed, but not a guarantee
– TEST your continuity, recovery plans, backup – have you ever restored?
– Encrypt where you can ‐ assess where / how you need it (IM, e‐mail, file transfer, storage, backup, etc)
– Be familiar with / USE the “NIST” IA/Security series – they are very good!
– DO / check / enforce the cyber basics (previous slides, as they are all linked)
– Reduce complexity – use only approved / preferred products lists (A/PPLs)
– A risk management plan (RMP) ‐ using both threats AND consequences
As, you can somewhat control what you plan, but you usually ONLY get what you enforce!
“Overall Way Forward” (given all the unknowns, variables… this is “one” approximately correct path…;‐))
• Company Vision embedded in Cyber Plans…
– know where you are going, where the passion is and what the USER values… as instantiated in your business success factors = PROFIT!
• Risk Management Plan… RMP
– Use NIST’s RMF! Have a dynamic, realistic RMP supporting your business metrics… as cyber really matters… as you ARE betting your livelihood on it
• Effective, working Policy…
– Embedded in core business success factors, rules to enforce statutory, legal mandates, key processes, to enforce behavior (pos & neg incentives)
• Basics, basics, basics…
– New toys matter little, if your environment is not maintained, monitored
– Poor hygiene / CM causes almost ALL security incidents ( 80 ‐ 97% )
So… Quit admiring the “cyber problem / threat” and start DOING something!
SUMMARY – SO…. What “really” matters in Cyber?
It’s all about TRUST and DATA
• OSD / federal S&T activities: Distributed Trust; Resilient Architectures; Response and Cyber Maneuver; Visualization and Decision Support; Dynamic policy management (RaDaC); Detection and Autonomic Response; Recovery and Reconstitution
• NSA / agency S&T activities: Mobility, wireless, & secure mobile services; Platform integrity / compliance assurance; End client security; Cyber indications and warning (I&W); Mitigation engineering (affordability); Massive data (data centric security); Advanced technology…. (targeted); Virtualization – secure capabilities
It’s NOT all about expensive new “cyber capabilities” but more about the SoS / I&I “glue” (profiles, common EA, SoPs, standards, etc)
AND doing the BASICS: (1) enforced cyber hygiene, (2) effective access control, (3) reduced complexity in IA / cyber (use approved products), (4) IT/IA continuous monitoring (ongoing diagnostics AND mitigations / SIEM)
DO the cyber BASICS well, invest in KEY new capabilities & follow your RMP!!!
Know your limitations / gaps, build in consequence risk management
Building a Trusted Cyber Infrastructure – “an adequately assured, affordable, net‐centric environment”
Focus on a few core capabilities & devices = PC, routers, IA suite, Servers, & SANS – all with access control. Treat as a “SoS”: with high EAL
Diagram – devices and target Evaluation Assurance Levels (EAL scale: 2, 3, 4, 5, 6, 7):
• WAN Router – “Assured” IOS, Various EAL
• IA Suite – Standard IA/CND suite (FW, A/V, IDS/IPS, CDS, etc), EAL 4 - 5
• Core Router – EAL 4
• Distribution Router – EAL 4
• Servers – HW / FW, Secure OS kernel, Secure Virtual Machine, Security Monitor (EAL 6); EAL 5 – 6; Data centric security; Defensive I&W; Strict access / ZBAC
• PC / End user devices – ALL OSes (MS, Mac, Unix); EAL 3 - 4, Secure OS; TSM / HBSS; Strict access / ZBAC
• SANS Network Devices – Strict access / ZBAC
Make IT security a commodity: Use IA building blocks = APLs/PPLs -> “NIAP”. Interoperability and Compose-ability are built in upfront and help dramatically reduce complexity and ambiguity. Thus…. establishing known risks & pedigrees: Reduces attack surface, risks / impacts & TOC
So what REALLY matters in IA/Cyber? A notional Quality of Protection (QoP) Hierarchy / Defense in “Breadth”
(layers run from the top, Complex… Dynamic… Settings, down to the bottom, Known… Static… A&E / Policy)
• “DATA QoP” (C-I-A and N & A) – CIA&A and DCS / CBE (distributed / transitive trust -- E2E Data-Centric Security -- Content Based Encryption) – Settings
• Core / Security Services (WS* and other security policy / protocols / standards (including versions & extensions therein)) – Standards
• Network protection – CND – FW / IDS / VPN / etc (in general, mature capabilities – but multiple unclear “CM” processes are persistent and problematic) – IA devices
• IO … and ... IA – CNO/E/A, “I&W”, OPSEC, etc; Crypto, KMI, TSM/HAP, policy, etc – A&E / Policy
IA “profiles” (standards), IA&A, CBE/DCS and digital policy!
Proposed ‘Information Dominance (ID)’ end-state vision – “the GIG”
Diagram – GIG elements: STEP; Other SatCom Users / sites; Other national sources; DISN; DISA / IC Tier 1 & 2 (and DECCs / Services too); Internet; Other Agencies; SIPR; NIPR; Mobile / RAS; Teleport; Data Centers; Intel / Sensors; SatCom; NOCs; Shore sites; DIL / austere environments; Afloat Systems / Wireless; Mobile / Disconnected / Organic Partners; LOS
Major ID Precepts:
• IT & IA are driven to commodity states
• One enterprise architecture (stds / specs) (DIEA / JIE based)
• Integrated views (user, system, data, etc)
• Information centric environment (quality / assured data)
Where “ID” = decision superiority = quality / assured DATA --- How does all that DATA move about ---
(Note – most terrestrial connections are also by DISA / “DISN”, thus technically “the GIG” too)
Capabilities Needed for “Information dominance”
• Assured C2 (OPCON / INFOCON)
• Cyber (IA/CND protections & CNE/CNA (covert))
• Schema of maneuver (positioning for effect)
• Kill / Effect Chains (maximize left side - ISR / I&W)
“ID” = Decision superiority
“Knowledge”: Quality / assured data = value, pedigree, provenance; N2N; Information environment (right data, to right folks at right time)
“IT / network”: WAN/transport, network, cloud, data centers, cyber, governance…; Infrastructure / services / apps = trusted information systems; Roadmaps
Battlefield victory requires dominant position and maneuver, which require best possible information, before the opposition can: (1) get his own information; (2) react to your movements or (3) infiltrate your environment…
The best possible info is ID: A DiD with trusted information systems providing assured / quality data, facilitating all levels of command decision superiority
IA / Cyber (and DATA) must be E2E! (AND people and processes TOO!)
We have a “natural” hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many-to-many communications paths typically involved in end-to-end (E2E) transactions. How does the DATA move about?
(Diagram: nested aggregations – Enterprise > Site > Enclave > Network SoS > Apps / services > HW/SW/FM “CCE” – with DATA crossing each boundary.)
Each sub-aggregation is responsible for the data / controls within its boundaries and also inherits the controls of its environment – and needs to formalize reciprocity.
Thus, the DATA, IA/cyber controls, interfaces and profiles in each element / boundary therein must be quantified / agreed to upfront!
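The inheritance rule above (each aggregation implements some controls, inherits the rest from its environment, and must agree the split upfront), as an added example that is not part of the original briefing: a small Python model of the Enterprise > Site > Enclave > Network SoS > Apps / services nesting that computes, for each level, which required controls it relies on others for (the reciprocity to formalize) and which nobody above or at that level implements (the gaps). The control identifiers and the hierarchy contents are hypothetical and chosen for illustration, not a real control catalog.

```python
"""
Added example (not from the briefing): control inheritance down the nested
aggregations the slide draws. Each level declares the controls it implements
itself; everything below inherits them, and a level's gap is what it requires
but neither implements nor inherits. Control names are hypothetical
DIACAP-style identifiers chosen for illustration.
"""

# Constructed hierarchy: name -> (parent, implemented controls, required controls)
HIERARCHY = {
    "Enterprise":   (None,         {"PKI-1", "IAVM-1", "DNS-BLACKHOLE"}, {"PKI-1", "IAVM-1"}),
    "Site":         ("Enterprise", {"FW-1", "IDS-1"},                    {"PKI-1", "FW-1", "IDS-1"}),
    "Enclave":      ("Site",       {"DMZ-1", "NAC-1"},                   {"FW-1", "DMZ-1", "NAC-1", "HBSS-1"}),
    "NetworkSoS":   ("Enclave",    {"VLAN-1"},                           {"VLAN-1", "STATIC-ARP"}),
    "AppsServices": ("NetworkSoS", {"SDLC-1"},                           {"SDLC-1", "PKI-1", "DAR-1", "IDS-1"}),
}


def inherited(node):
    """Controls a node gets from every ancestor (walks up to the Enterprise root)."""
    parent = HIERARCHY[node][0]
    acquired = set()
    while parent is not None:
        acquired |= HIERARCHY[parent][1]
        parent = HIERARCHY[parent][0]
    return acquired


def effective(node):
    """Everything in force at this level: its own controls plus the inherited ones."""
    return HIERARCHY[node][1] | inherited(node)


def gaps(node):
    """Required controls that nobody above or at this level implements."""
    return HIERARCHY[node][2] - effective(node)


def reciprocity_report():
    """Per node: required controls it depends on others for (the agreement to
    formalize) and the controls that are simply missing."""
    return {
        n: {
            "inherited_and_required": sorted(HIERARCHY[n][2] & inherited(n)),
            "gaps": sorted(gaps(n)),
        }
        for n in HIERARCHY
    }


if __name__ == "__main__":
    for node, row in reciprocity_report().items():
        print(f"{node:13} relies on: {row['inherited_and_required']}  gaps: {row['gaps']}")
```

The report is the artefact the slide asks for: the "relies on" column is what each boundary must get its environment to sign up to in writing, and a non-empty "gaps" column means a required control that the C&A package would otherwise claim by inheritance without anyone actually owning it.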
“Notional” Data Centric Architecture iso the information environment
(Diagram: DATA at the center, ringed by storage, services, apps, host / device and transport, with business logic / middleware, behavior monitoring, FW/IDS/IPS, continuous monitoring and OMG / DDS around them; IA / security / cyber (e.g., defense in depth (DiD)) and IA controls / inheritance wrap the whole.)
• IA / security / cyber and IA controls / inheritance support quality / assured data (with pedigree / provenance)
• What IA/security capabilities are needed for the DATA itself?
• Cyber must be preserved in the full data AND capabilities life-cycle
• ALL must adhere to standards / profiles!
Data is always either at rest, being processed OR in transit. How does the DATA move about?
Must account for the “four ‘Vs’”: volume, variety, velocity and veracity. And what of “viscosity and virality”? http://www.slideshare.net/rawnshah/the-opportunity-in-big-data-analytics-and-social-business
DoD CND (and “Cyber”) Defense in Depth – the “smart” integration and collaboration between MANY needed IO & IA functions (from NCDOC briefs)
(Diagram: CND capabilities arrayed by tier – TIER I: DoD GIG (JTF-GNO); TIER II: Navy GIG (NCDOC); TIER III: WAN (Enclave), LAN (POP/HUB), Host – each marked Operational, Funded and Rolling Out, or Proposed or In Development. Capabilities named (tier placement not recoverable): IAP monitoring; CND SP (incident response / management, Prometheus, threat analysis, compliance scans, IAVM management); IDS and NMCI NIPRNET / SIPRNET IDS feeds; IPS; firewalls and SIPRNET firewall; PPS policy; ACLs; standard IP block lists; DNS blackholing; PKI / CAC/PKI; email AV and in-line virus scanning; in-line filtering, content filtering and deep packet inspection; alert filtering, threat assessment and threat analysis; site compliance scans, vulnerability scanning and remediation, system patching, IAVM implementation / compliance; DITSCAP/DIACAP; NET Cool / INMS view and NET Cool data; TRICKLER / CENTAUR; GIAP; NUDOP and Global CND UDOP; CENTRIXS monitoring; IP Sonar; multi-layer protocol defense; CDS; metrics and CND data strategy; Tutelage; anti-virus; CARS; CONOPS; RNOSC; HBSS; SCCVI / SCRI; Tier 3 SIM; WIDS and wireless mapping; DRRS-N; IWCE; IASM; TMAT; ENMS; CND POR and POR management; honey grid; WAN SA; standardized configurations; insider threat; functional NIC; Navy DMZ, enterprise DMZ and enclave DMZ; SLIDR; DAR; SIPR NAC; DAPE.)
Cyber = “mostly” life-cycle education and proactive, dynamic defense….
Notional DiD Ent Arch (EA)
DiD has three main elements: people (train and enforce good behavior), operations (policy, management, C&A, COOP) and technology (IA criteria, evaluated products, risk assessment, use layers); we discuss the latter here.
Provide layered protections: (1) networks and infrastructure, (2) enclave boundaries, (3) quantify security robustness for all components (aka – use NIAP), (4) use robust key management and PKI (IA&A), and use IDS/IPS (detection capabilities) – using common cyber capabilities, with known pedigrees / C&A (APLs/VPLs -> NIAP).
OSI stack protections: (1) restrict access, port security; (2) VLANs, static ARP; (3) VPNs, NIDS, content filtering; (4) firewalls, ACLs; (5) IAVA, crypto, authentication; (6) IDS, audits; (7) anti-virus, secure software (SDLC), patches… AND effective IA&A / access control methods…
Manage / enforce IA controls at each layer / capability! Use existing IA controls management tools, like the previous “AFG” / below DISA link: http://www.disa.mil/Services/Network-Services/Video/DVS-G/Becoming-a-Customer/VTF-DIACAP/Assigning-IA-Controls
AND SANS top 20 security controls: http://www.sans.org/critical-security-controls/guidelines.php (note – AFG is now the Community Gold Standard. Find on Intelink, DKO. It’s now an enterprise architectural level versus program)
NOTE – This is a general requirements depiction of a DiD, using the general NIST and GIAC notional references:
http://www.giac.org/paper/gsec/2868/osi-defense-in-depth-increase-application-security/104841
http://www.nsa.gov/ia/_files/support/defenseindepth.pdf
Also for ICS = http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
Essential DiD EA elements
Reduce complexity and unknowns:
– Limit numbers, types and versions of IA capabilities (drive to commodity state)
– Only use common cyber capabilities with known limitations (enforce APL/VPL = NIAP)
– Provide a DiD enterprise architecture based on layers / IA controls therein
– Define specifications for and modularize the below cyber building blocks
– Include inheritance, interface controlling parameters, and required standards AND profiles
– Map the DiD EA back to a Navy risk management plan, key issues / risks therein
– Provide CONOPS for the notional DiD EA, including CM, governance, exceptions.
– Take a “mission assurance” perspective, with affordability / RoI
– Integrate and implement DoD / NSA common practices (SCAP, AFG, etc)
The basic cyber building blocks of security… a limited and controlled set of IA building blocks for a FEW main classes:
– IA devices (crypto, EKMS, PKI/CAC, VPN, firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc)
– IA enabled capabilities (OS, web browsers, messaging systems, screening routers, etc) (and the IA/WSS standards need to go here!)
– Services and applications (define a standard "security container" for each service, ideally a “class” – likely a couple can cover all services) (see NSSI IA controls) (‘and’ DATA capabilities: DCPS, DDSI, pub / sub, Java, mobile code, widgets, storage SW, middleware, services, ESB, etc!)
– Critical HW/SW devices (catch all for any key IT/IA capabilities we may have missed and want to consider) (see CSRR list of “IT classes” for examples… at the end of this paper – while these are generally already low level aggregated capabilities, they show a “class” of IT to standardize to) AND actually using the “TPM”!
– PIT (there could be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HM&E, WPNs/CBS, avionics/controls, SATCOM/LOS radios, etc)
Manage and enforce an effective, enforced Cyber CM/Hygiene posture and IA&A/IDAM!
Cyber Problem statement = Poor State of IA & CND (where all IA/CND capabilities must also act as a “SoS”)
• It’s all about TRUST – need a common enterprise trust model
– Some HAP/TSM is needed, but where to put which EAL devices?
– Need a common top-down, enforced IA/Cyber capable architecture
– Need an alternative to commercial ISP – leverage existing dark fiber
• Effective / secure enterprise access control is foundational:
– IA&A implementation focus = authorization based access control … complemented by ABAC, RBAC, even RAdAC as an end-state…
– If you don’t control entry and exit, you control nothing; this applies to people, NPEs, software and data – foundation for mission assurance (MA)!
• Proactive/Dynamic Defensive I&W
– Detect unusual patterns, characteristics, attributes, irregular requests.
– Provide auto alerts; divert questionable actions; "wrap" issues/problems;
– This is the “catch all” capability, as we can’t protect everything at 99%
• Institutionalize Dynamic Cyber Enterprise Management
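The access-control bullet (authorization based access control complemented by ABAC, RBAC and RAdAC) and the I&W bullet (alert on and divert questionable actions), as an added example that is not from the original briefing: a deny-by-default policy decision point in Python that layers the three models and, at the risk-adaptive layer, returns DIVERT (alert plus step-up authentication) for questionable requests instead of a flat allow/deny. The role names, attribute names, the INFOCON-to-risk-ceiling table, the risk points and all sample subjects, objects and environments are constructed for illustration; the briefing defines none of them.

```python
"""
Added example (not from the original briefing): a deny-by-default policy
decision point layering the three access-control models the slide names.

  RBAC  - the subject's role must grant the permission
  ABAC  - subject, object and environment attributes must satisfy the rules
  RAdAC - the residual risk tolerated shrinks as INFOCON tightens

Every name, attribute and threshold below is constructed for illustration.
"""

# RBAC: role -> permissions, where a permission is "<action>:<object type>"
ROLE_PERMS = {
    "watch_officer": {"read:opsum", "write:opsum", "read:logrep"},
    "analyst": {"read:opsum", "read:logrep"},
}

# RAdAC: maximum risk points tolerated per INFOCON level (5 = normal, 1 = most restrictive)
INFOCON_MAX_RISK = {5: 8, 4: 6, 3: 4, 2: 2, 1: 0}


def abac_ok(action, subj, obj, env):
    """ABAC layer: every predicate must hold (no read-up, compliant endpoint,
    object stays on an allowed network, PKI credential for writes)."""
    checks = [
        subj["clearance"] >= obj["classification"],  # no read-up
        subj["device_compliant"],                    # endpoint hygiene (HBSS-type posture)
        env["network"] in obj["allowed_networks"],   # classified data stays on its network
    ]
    if action == "write":
        checks.append(env["auth"] == "pki")         # CAC/PKI required to modify
    return all(checks)


def risk_points(subj, obj, env):
    """Constructed I&W-style risk estimate; integer points avoid float comparisons."""
    pts = 0
    if env["network"] == "RAS":                      # remote access, not a government LAN
        pts += 3
    if env["hour"] < 6 or env["hour"] > 20:          # off-hours activity
        pts += 2
    if subj["failed_logins_24h"] >= 3:               # irregular authentication pattern
        pts += 3
    if obj["classification"] >= 3:                   # high-value object
        pts += 2
    return pts


def decide(action, subj, obj, env):
    """Return (decision, reason); decision is ALLOW, DIVERT (alert + step-up) or DENY."""
    perm = f"{action}:{obj['type']}"
    if perm not in ROLE_PERMS.get(subj["role"], set()):
        return "DENY", f"rbac: role {subj['role']} lacks {perm}"
    if not abac_ok(action, subj, obj, env):
        return "DENY", "abac: attribute rule failed"
    r = risk_points(subj, obj, env)
    ceiling = INFOCON_MAX_RISK[env["infocon"]]
    if r > ceiling:
        return "DENY", f"radac: risk {r} exceeds INFOCON {env['infocon']} ceiling {ceiling}"
    if r > ceiling // 2:
        return "DIVERT", f"radac: risk {r} warrants alert and step-up authentication"
    return "ALLOW", f"all layers passed (risk {r})"


# Constructed subjects, objects and environments for the demo
WATCH_OFFICER = {"role": "watch_officer", "clearance": 3, "device_compliant": True, "failed_logins_24h": 0}
ANALYST = {"role": "analyst", "clearance": 3, "device_compliant": True, "failed_logins_24h": 0}
OPSUM = {"type": "opsum", "classification": 3, "allowed_networks": {"SIPR"}}
LOGREP = {"type": "logrep", "classification": 1, "allowed_networks": {"NIPR", "RAS"}}
SIPR_DAY = {"network": "SIPR", "auth": "pki", "hour": 10, "infocon": 5}


def demo():
    """Same requests under different conditions; returns name -> (decision, reason)."""
    sipr_infocon1 = dict(SIPR_DAY, infocon=1)
    ras_night = {"network": "RAS", "auth": "password", "hour": 23, "infocon": 5}
    noncompliant = dict(WATCH_OFFICER, device_compliant=False)
    return {
        "officer_writes_opsum_normal": decide("write", WATCH_OFFICER, OPSUM, SIPR_DAY),
        "analyst_writes_opsum": decide("write", ANALYST, OPSUM, SIPR_DAY),
        "officer_noncompliant_device": decide("write", noncompliant, OPSUM, SIPR_DAY),
        "officer_writes_opsum_infocon1": decide("write", WATCH_OFFICER, OPSUM, sipr_infocon1),
        "analyst_reads_logrep_ras_night": decide("read", ANALYST, LOGREP, ras_night),
    }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:32} {decision:6} {reason}")
```

The point of the layering is that the same request gets different answers as conditions change: the watch officer's write is allowed at INFOCON 5 and denied at INFOCON 1 with nothing else changed, a non-compliant endpoint is stopped by the attribute layer before risk is even considered, and an off-hours remote read of low-value data is neither blocked nor silently allowed but diverted, which is the "catch all" behavior the I&W bullet describes.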
Reasons the Cyber Problem Exists (re: one perspective – SOA / automation security issues)
1. No top down common implementation IA guidance, with any useable level of details
2. SOA (and overall OA in general) approaches add governance and communications complexities within DOD / Federal spaces
3. Numerous SOA methods, approaches, schemas – everyone has one – we need just ONE
4. No unified set of security requirements exists that is traceable to a higher level, common IA core set (like IATF, GIG ICD, etc)
5. No Federal consensus on key security issues and barriers and gaps
6. Unclear (too many) authoritative sources, references, standards.
Reasons the Cyber Problem Exists (cont) (as one perspective – SOA / automation security issues)
7. “IA” covers virtually everything, so what should SOA prioritize?
8. IAW SysEngr principles, SOA must follow an EA & standards
9. No enterprise trust model, supporting distributed transitive trust or an effective model for secure enterprise cross domain access control
10. Few T&E / V&V thus C&A plans exist (this MUST be our DOD end-state)
11. Institutional blinders to the fact that network/internet computers cannot secure data; no electronic means to assess data leakage and data aggregation.
12. Policy immaturity, pre-dates SOA; hence the electronic security foundation is missing. Technology still forges ahead – tools are generations behind and built for other threats.
Common Architectural Flaws, exacerbate Cyber Security
• Fragile Chain of Services
• Large Real-time Overhead
• Central Administration Mis-alignment with Practical Administrative Boundaries
• Lack of Support for Multiple Access Control Models
– No Concept of Risk or Domain Asymmetry or Support for Multiple Mission Vectors
• Rigid Inheritance Model
• Use of Hard-coded Rigid Monolithic Access Control Frameworks and Products
• No Enterprise Concept of Domain Delegation or RAdAC
• Lack of Appropriate Layering and Abstraction
Common Architectural Flaws (cont)
• Inability to Support Multiple and Legacy Models
– Schema and Ontology often Incompatible
– Attributes do not Align
– Methods and Protocols Differ
– Technology and the Embedded Dependencies Differ
– Use of Hard-coded Rigid Monolithic Access Control Frameworks and Products
• Difficult or Inflexible Integration Paths
– Lack of Trustworthiness
– No Support for Unanticipated Users
– Transformations Limited
– Lack of Flexible Rapid Application Development and Modeling Tools with IA Built in to the Framework
– Lack of Fidelity or Even Use of Modeling to Test Performance at Scale
What small businesses need to know about cyber security before they can offer services to the government
In general, companies must provide a security level commensurate with that of the government site they are going to do business with... (see NIST & GSA & FISMA web sites below)
This NIST publication (FIPS 200) provides a good overview of the government requirements, which in general need to be met by companies connecting to government sites iso services provided... http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
Information Security rules by GSA: http://www.gsa.gov/portal/content/104257
FISMA rules / regulations are also representative of items to be assessed: http://csrc.nist.gov/groups/SMA/fisma/index.html
VA has a contract clause that's fairly standard: http://www.iprm.oit.va.gov/docs/Appendix_C.pdf
The Education Department has a good overview of requirements: http://www2.ed.gov/fund/contract/about/bsp.html
New LAWs – Government Contractors Subject to Cybersecurity Regulations – More are on the Way: http://www.scribd.com/doc/89226369/Government-Contractors-Now-Subject-to-Cybersecurity-Regulations-%E2%80%93-And-More-are-on-the-Way
Small business security overview (and detailed brief on the major security product details too): http://www.sciap.org/blog1/wp-content/uploads/Small-Business-Security-ADT-Cluster-v4_Mike_Davis_July_26_2011.pdf
Cyber – Begin with the end in mind
It’s clearly important to understand the desired end result, the instantiation of your vision – having the image of the vision as your frame of reference to evaluate everything else. It is also impossible to integrate capability without having a plan and the correct systems in place to run the business.
Vision execution has to do with the "purposes" of capabilities, which have to do with visualization and complete planning! Bundled within personal and business: (a) leadership (what), (b) management (how), and (c) productivity (doing it well)…
You can take the concept further by questioning the vision itself! Challenge assumptions, barriers, limitations, and obstacles… (the five whys?)
Always apply critical thinking (reflective skepticism) to the vision, as that brings new ideas… fosters teamwork… promotes options… uncovers spinoffs… stimulates a clear head… and fresh perspectives emerge….
If you don’t know where you are headed, seemingly blind alleys won’t cut it either / waste $$$
Cyber – Drive out complexity – KISS
Complexity leads to variation in practice, opportunities for data / operational errors, and increased risk of mission failure. Reducing complexity is key to improving both risk posture and productivity.
Human engineering and complexity theory teach that WE ALL need to smartly, collaboratively: Simplify – Standardize – Automate – Integrate
Reducing complexity is a major competitive factor for ensuring supply chain performance and exceeding customer expectations. Given that an increasing share of work is outsourced, the challenge of handling complexity has become all the more demanding. Companies that do not master complexity risk experiencing supply chain inefficiencies, resulting in non-competitive working capital structures, lower transparency of cost drivers and difficulties in achieving service levels. Address complexity in product, processes and organization… and DATA.
Use existing initiatives to simplify both objectives and processes: Just-In-Time… Standardization… Strategic Outsourcing…. Supply-chain management… Target costing… Performance Measures....
Take the "zero-baseline" approach to complexity
Cyber – Maximize investments / ROI
With a strategic approach to maintenance and effective use of key performance indicators, organizations can better maximize resources, reduce capital and operating costs, and increase their return on investment (ROI). It’s all about managing risk, from a “high performance organization – HPO” operating perspective.
The critical elements of successful project value ROI analysis:
• Always start with business goals and challenges versus technology.
• ROI analysis should be completed both for the past and the future.
• Business goals cannot be achieved through technology alone.
• Project benefits cannot always be completely or accurately quantified; intangible elements have value too.
• There are many kinds of project costs in evaluations.
• Analyze your entire technology project portfolio.
• Monitor critical business success metrics and re-evaluate your project alignment process.
Four ROI pillars: (1) strong foundation / operating plan, (2) defined enterprise effectiveness, (3) business enablement and (4) optimization / differentiation.
Cyber ROI is misleading – as it’s more insurance than investment
Cyber Security ROI – NOT?
ROI is a big deal in business, but it's a misnomer in security.
Security ROI is difficult to compute, simply because it is hard to predict the probability of a true security event and the costs associated with the loss and mitigation of it.
A major issue in cyber security right now is that we’ve never been able to construct an intelligent return on investment (ROI) for cyber security, as we’ve never been truly able to gauge how big the risk really is. But you need to be able to gauge the magnitude of the risk: what exactly the exposure is, or whether the actual event took place. There just isn't enough good data. There aren't good crime rates for cyberspace, and we have a lot less data about how individual security countermeasures – or specific configurations of countermeasures – mitigate those risks. We don't even have data on incident costs.
The classic methodology is called annualized loss expectancy (ALE). Calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you (at most) how much you should spend per year to mitigate the risk.
Cybersecurity ROI is considerably harder, as the threat moves too quickly – so we can't create ALE models. But there's another problem, and it's that the math quickly falls apart when it comes to rare and expensive events… especially if the impact is huge, even a low occurrence rate is very costly...
Cyber ROI is misleading – as it is insurance – a cost of doing business
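The ALE calculation above and the “math falls apart for rare, expensive events” point, as an added example that is not part of the original text: two constructed scenarios with identical ALE, one frequent and cheap, one rare and catastrophic, plus a seeded Monte Carlo of annual losses (incidents per year drawn from a Poisson distribution at the ARO, each costing the SLE) showing that a mitigation budget set from the ALE absorbs the first scenario's worst year and leaves the second exposed to a single year costing a hundred times the expected loss. The scenario figures are made up for illustration.

```python
"""
Added example, not from the original briefing: annualized loss expectancy (ALE)
for two constructed scenarios with the same ALE, and a Monte Carlo of annual
losses showing why the expected value alone misleads for rare, expensive events.
"""
import math
import random
from statistics import mean


def ale(sle, aro):
    """ALE = single loss expectancy (cost per incident) x annual rate of occurrence."""
    return sle * aro


def poisson(lam, rng):
    """Knuth's multiplicative sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sle, aro, years, seed=1):
    """Loss per simulated year: incidents ~ Poisson(aro), each costing SLE."""
    rng = random.Random(seed)
    return [poisson(aro, rng) * sle for _ in range(years)]


def summarize(sle, aro, years=10_000, seed=1):
    losses = simulate_annual_losses(sle, aro, years, seed)
    expected = ale(sle, aro)
    return {
        "ale": expected,
        "sim_mean": mean(losses),                                   # converges to ALE
        "quiet_years": sum(1 for x in losses if x == 0) / years,    # years with no loss
        "worst_year": max(losses),
        # fraction of years in which a reserve of 5 x ALE would still be blown
        "p_loss_over_5x_ale": sum(1 for x in losses if x > 5 * expected) / years,
    }


# Constructed scenarios: same ALE (100,000 / year), opposite risk character
FREQUENT_SMALL = dict(sle=10_000, aro=10)       # e.g. ten malware clean-ups a year
RARE_HUGE = dict(sle=10_000_000, aro=0.01)      # e.g. a once-in-a-century breach


def compare(years=10_000, seed=1):
    return {
        "frequent_small": summarize(**FREQUENT_SMALL, years=years, seed=seed),
        "rare_huge": summarize(**RARE_HUGE, years=years, seed=seed),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, {k: round(v, 3) for k, v in stats.items()})
```

Both scenarios report the same ALE and the simulated means agree with it, so an ALE-based budget treats them identically; the worst simulated year for the frequent scenario is a few multiples of the ALE, while for the rare scenario it is the full SLE, a hundred times the ALE, and about one year in a hundred is a total loss. That asymmetry, not the arithmetic, is why the slide calls cyber spending insurance rather than investment.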
COTS / buy versus build (ALWAYS try to drive everything to a commodity state!)
MUST balance the business needs, short-term and long-term goals, key requirements and available technologies and solutions on the market. The company and key stakeholders must always consider and analyze all the options for each project and solution:
• Speed of implementation for a COTS vs. custom solution
• Cost of implementation of a COTS vs. custom build
• Functionality, flexibility and scalability in a COTS vs. custom build
• Support for COTS vs. custom build
• Organizational best practices, current technology and skill sets of employees
• Potential for upgrading, modification and replacement of COTS vs. build
Key elements in the process:
1. Properly analyze any COTS systems for suitability – the capability requirements and a technical perspective … concurrent engineering applies even more here
2. Beware the COTS sales pitch / trap of being promised functionality that isn't in the COTS at present but that they will add for you.
3. Check for unit tests in the COTS and also what development practices they use; be wary if the vendor isn't giving much info about technical aspects. Is the source code available and have your programmers assessed it?
Ultimately, if it's a critical business function – then do it yourself, no matter what. BUT, with IA/Security/Cyber capabilities – only use APLs/VPLs
CNCI – Comprehensive National Cybersecurity Initiative (CNCI). This initiative was launched by the second President Bush in National Security Presidential Directive 54 and Homeland Security Presidential Directive 23 back in January 2008.
There are 12 mutually-reinforcing initiatives that are intended to establish a front line of defense against today’s immediate threats, to defend against the full spectrum of threats, and to strengthen the future cybersecurity environment.
INITIATIVE #1 -- Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. This is about consolidating our external access points and creating common security solutions across agencies.
INITIATIVE #2 -- Deploy an intrusion detection system of sensors across the Federal enterprise. This is a passive system that watches traffic and helps notify us about unauthorized network intrusions. DHS is deploying signature-based sensors as part of the EINSTEIN-2 (PDF) capability, with notification going to US-CERT.
INITIATIVE #3 -- Pursue deployment of intrusion prevention systems across the Federal enterprise. This takes it up a notch with EINSTEIN-3 (PDF) and not only detects intrusions, but actively prevents intrusions into federal systems. This will have serious zero-day and real-time counter-threat capabilities.
INITIATIVE #4 -- Coordinate and redirect research and development (R&D) efforts. This initiative serves to help us get all of our R&D efforts working together, with a better communications and tasking infrastructure. It's an important part of utilizing our resources and our smartest people to the best of their abilities.
INITIATIVE #5 -- Connect current cyber ops centers to enhance situational awareness. This is our key threat-data sharing initiative.
The National Cybersecurity Center (NCSC) within Homeland Security is helping secure U.S. Government networks and systems under this initiative by coordinating and integrating information from the various centers to provide cross-domain situational awareness, analysis, and reporting on the status of our networks. As a side-effect, it's also designed to help our various agencies play better with each other.
INITIATIVE #6 -- Develop and implement a government-wide cyber counterintelligence (CI) plan. We're now coordinating activities across all Federal Agencies so we can detect, deter, and mitigate foreign-sponsored cyber intelligence threats to government and private-sector IT.
INITIATIVE #7 -- Increase the security of our classified networks. Our classified networks contain our most valuable and most secret defense and warfighting information. We're continuing to work hard in securing these networks against the changing threat model.
INITIATIVE #8 -- Expand cyber education. This is where the Comprehensive National Cybersecurity Initiative begins to break down, because it's where all modern cyberdefense breaks down -- the people. We're training more and more cyberdefense experts, but we also need to expand that education up and down government, to corporations, and to individuals. We can have the very best-trained cyberdefense expert in a corporation, say, and it'll all break down if the CEO won't allocate the time or funds to conduct that defense. It's all about making everyone know just how real these threats are.
INITIATIVE #9 -- Define and develop enduring "leap-ahead" technology, strategies, and programs. We'll talk more about future directions later, but the idea of leap-ahead is to get 5 to 10 years ahead of the bad guys and explore out-of-the-box thinking in building a better cyberdefense. This is good stuff, and it's the first CNCI initiative that, essentially, opens the door to concepts like Stuxnet (or what The Times claimed the White House called "Olympic Games").
INITIATIVE #10 -- Define and develop enduring deterrence strategies and programs. Put simply, because of the wildly asymmetric nature of the threat, we can't have a mutually-assured destruction option with cyberattack, the way we do with nuclear attack. We're working on developing deterrence strategies, but we're not there yet, a fact which is sadly all too evidenced by constant level of cyberattack, breach, and threat we find ourselves experiencing.
INITIATIVE #11 -- Develop a multi-pronged approach for global supply chain risk management. This area should be one of our biggest concerns. Most Americans get their computers from suppliers who use processors, motherboards, and components made outside the United States -- and often in China. China, as we've seen repeatedly, is one of our most challenging "frenemies". They're clearly important to us financially, but they're also one of the leading sources of cyberattack (and, quite frankly, could be behind the one we’re dealing with now). This initiative, though, isn't just about China. Our components and our supplies must be insulated from foreign influence and unapproved modification.
INITIATIVE #12 -- Define the Federal role for extending cybersecurity into critical infrastructure domains. The federal government is relying more and more on private sector services. For example, the Department of Interior is about to start using Google for its email infrastructure. This initiative encourages public/private-sector cooperation to extend Federal-systems cybersecurity into the wider cyber-infrastructure
IA/security resources
Main sites:
http://www.cert.org/ (this site has almost everything you need)
http://www.sse-cmm.org/lib/lib.asp (great ISSE / SSE site)
https://infosec.navy.mil
https://www.fleetforces.navy.mil/netwarcom/navycanda (??? URL???)
http://www.commoncriteriaportal.org/
http://www.amc.army.mil/amc/ci/matrix/policy/policy_new.htm
http://iase.disa.mil/diacap/index.html (C&A moved to here)
https://www.sans.org/about/sans.php
http://iac.dtic.mil/iatac/
Other IA/Security sites:
http://www.cerias.purdue.edu/
http://security.sdsc.edu/
http://csrc.nist.gov/
http://www.nsa.gov/ia/index.shtml
http://iase.disa.mil/stigs/index.html