Protecting the Nation’s Critical Assets in the 21st Century
Dr. Ron Ross
Computer Security Division, Information Technology Laboratory
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
OPM. Anthem BCBS. Ashley Madison.
Houston, we have a problem.
Complexity.
Sharks and glaciers. (Figure labels: hardware, firmware, systems software.)
The n+1 vulnerabilities problem. 2013 Defense Science Board Study: http://www.acq.osd.mil/dsb/reports/2010s/ResilientMilitarySystemsCyberThreat.pdf
Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach.
Security Architecture and Design: harden the system (the target); limit damage to the target.
Achieving Trustworthiness and Resiliency: make the target survivable.
TACIT Security
▪ Threat
▪ Assets
▪ Complexity
▪ Integration
▪ Trustworthiness
Merriam-Webster Dictionary: tac·it, adjective: expressed or understood without being directly stated.
Threat
▪ Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.
▪ Obtain threat data from as many sources as possible.
▪ Include external and insider threat analysis.
Assets
▪ Conduct a comprehensive criticality analysis of organizational assets, including information and information systems.
▪ Focus on mission/business impact.
▪ Use a triage concept to segregate assets by criticality.
Complexity
▪ Reduce the complexity of the information technology infrastructure, including IT component products and information systems.
▪ Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.
▪ Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.
Integration
▪ Integrate information security requirements and the security expertise of individuals into organizational development and management processes.
▪ Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.
▪ Coordinate security requirements with mission/business owners; become key stakeholders.
Trustworthiness
▪ Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.
▪ Isolate critical assets into separate enclaves.
▪ Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege).
Risk assessment.
Assets and consequences. Criticality analysis. Identification of high value assets.
Engineer up.
Immediate Action Plan and Resources
▪ Conduct threat and vulnerability assessments.
  ▪ United States Computer Emergency Readiness Team: https://www.us-cert.gov
▪ Conduct criticality analysis of information assets.
  ▪ FIPS Publication 199: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
▪ Reduce complexity of IT infrastructure.
  ▪ Federal Enterprise Architecture Initiative: https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/common_approach_to_federal_ea.pdf
▪ Invest in trustworthy IT components and systems.
  ▪ DHS Software and Supply Chain Assurance: https://buildsecurityin.us-cert.gov/swa
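The "Assets" slide and the action plan above both point to criticality analysis, with FIPS Publication 199 as the resource. The following added example (not part of the slides, and not NIST's own code) shows how that analysis is carried out mechanically: FIPS 199 assigns an impact level (Low, Moderate, High; "not applicable" only for the confidentiality of public information) to each security objective of every information type, a system's security category is the per-objective maximum over the information types it handles, and the overall impact level used for triage is the high-water mark across the three objectives (FIPS 200). The systems and information types in `SAMPLE_SYSTEMS` are constructed sample data.

```python
"""FIPS 199 security categorization with high-water-mark triage.

Added example, not from the original slides. Information types and
systems below are constructed for illustration only.
"""
from dataclasses import dataclass

# Ordered impact levels. "NA" (not applicable) is permitted by FIPS 199 only
# for the confidentiality objective of an information type, never for a system.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _validate(level: str, objective: str, type_name: str) -> None:
    if level not in LEVELS:
        raise ValueError(f"{type_name}: unknown impact level {level!r}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError(f"{type_name}: NA is only allowed for confidentiality")


def categorize_system(info_types) -> dict:
    """System security category: per objective, the highest impact among the
    information types on the system (FIPS 199). A system's floor is LOW, so an
    all-NA confidentiality column is raised to LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        levels = []
        for t in info_types:
            level = getattr(t, objective)
            _validate(level, objective, t.name)
            levels.append(level)
        top = max(levels, key=LEVELS.__getitem__)
        category[objective] = top if LEVELS[top] >= LEVELS["LOW"] else "LOW"
    return category


def high_water_mark(category: dict) -> str:
    """Overall system impact level: the highest of the three objectives (FIPS 200)."""
    return max(category.values(), key=LEVELS.__getitem__)


def format_category(category: dict) -> str:
    """Render in the FIPS 199 notation SC = {(objective, impact), ...}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


def triage(systems: dict) -> dict:
    """Segregate systems into criticality tiers keyed by their high-water mark,
    so protection effort can be focused on the HIGH tier first."""
    tiers = {"HIGH": [], "MODERATE": [], "LOW": []}
    for name, info_types in systems.items():
        tiers[high_water_mark(categorize_system(info_types))].append(name)
    return tiers


# Constructed sample inventory: system name -> information types it handles.
SAMPLE_SYSTEMS = {
    "payroll": [
        InfoType("employee PII", "MODERATE", "MODERATE", "LOW"),
        InfoType("financial transactions", "MODERATE", "HIGH", "MODERATE"),
    ],
    "public-website": [
        InfoType("press releases", "NA", "MODERATE", "LOW"),
    ],
    "cafeteria-menu": [
        InfoType("weekly menu", "NA", "LOW", "LOW"),
    ],
}

if __name__ == "__main__":
    for name, types in SAMPLE_SYSTEMS.items():
        sc = categorize_system(types)
        print(f"{name:15} {format_category(sc)}  overall={high_water_mark(sc)}")
    print(triage(SAMPLE_SYSTEMS))
```

The triage output is the starting point for the "isolate critical assets into separate enclaves" step: the HIGH tier is the candidate list for separate enclaves and stronger controls, while a LOW tier system that merely publishes a menu does not justify the same investment.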
Important NIST Security and Privacy Pubs
▪ Cybersecurity Framework
▪ NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations
▪ NIST Special Publication 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
▪ NIST Special Publication 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
▪ NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Some final thoughts.
The ultimate objective for security: institutionalize. Operationalize.
Leadership. Governance. Accountability.
Security is a team sport: government, industry, academia.
Ron Ross
100 Bureau Drive, Mailstop 7730
Gaithersburg, MD USA 20899-7730
Email: ron.ross@nist.gov
Mobile: (301) 651.5083
LinkedIn: www.linkedin.com/in/ronross-cybersecurity
Twitter: @ronrossecure
Web: csrc.nist.gov
Comments: sec-cert@nist.gov
We are here to help you be more secure…