protecting the nation s critical assets in the 21st
play

Protecting the Nations Critical Assets in the 21st Century Dr. Ron - PowerPoint PPT Presentation

Nov 01, 2023 •265 likes •506 views

Protecting the Nations Critical Assets in the 21st Century Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY OPM. Anthem BCBS. Ashley Madison. NATIONAL INSTITUTE OF

  1. Protecting the Nation’s Critical Assets in the 21st Century Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  2. OPM. Anthem BCBS. Ashley Madison. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

  3. Houston, we have a problem. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  4. Complexity. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

  5. Sharks and glaciers. HARDWARE FIRMWARE SYSTEMS SOFTWARE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

  6. The n+1 vulnerabilities problem. 2013 Defense Science Board Study http://www.acq.osd.mil/dsb/reports/2010s/ResilientMilitarySystemsCyberThreat.pdf NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  7. Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach. Security Architecture and Design Harden the Limit damage System target to the target Achieving Trustworthiness and Resiliency Make the target survivable NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  8. TACIT Security ▪ T hreat MERRIAM - WEBSTER DICTIONARY ▪ A ssets tac . it adjective : expressed or understood ▪ C omplexity without being directly stated ▪ I ntegration ▪ T rustworthiness NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

  9. Threat ▪ Develop a better understanding of the modern threat space , including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities. ▪ Obtain threat data from as many sources as possible. ▪ Include external and insider threat analysis. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

  10. Assets ▪ Conduct a comprehensive criticality analysis of organizational assets including information and information systems. ▪ Focus on mission/business impact. ▪ Use triage concept to segregate assets by criticality. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

  11. Complexity ▪ Reduce the complexity of the information technology infrastructure including IT component products and information systems. ▪ Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure. ▪ Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

  12. Integration ▪ Integrate information security requirements and the security expertise of individuals into organizational development and management processes . ▪ Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes. ▪ Coordinate security requirements with mission/business owners; become key stakeholders. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

  13. Trustworthiness ▪ Invest in more trustworthy and resilient information systems supporting organizational missions and business functions. ▪ Isolate critical assets into separate enclaves. ▪ Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege). NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

  14. Risk assessment. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

  15. Assets and consequences. Criticality Analysis. Identification of High Value Assets. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

  16. Engineer up. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

  17. Immediate Action Plan and Resources ▪ Conduct threat and vulnerability assessments. ▪ United States Computer Emergency Readiness Team ▪ https://www.us-cert.gov ▪ Conduct criticality analysis of information assets. ▪ FIPS Publication 199 ▪ http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf ▪ Reduce complexity of IT infrastructure. ▪ Federal Enterprise Architecture Initiative ▪ https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/co mmon_approach_to_federal_ea.pdf ▪ Invest in trustworthy IT components and systems. ▪ DHS Software and Supply Chain Assurance ▪ https://buildsecurityin.us-cert.gov/swa NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

  18. Important NIST Security and Privacy Pubs ▪ Cybersecurity Framework ▪ NIST Special Publication 800-53, Revision 5 Security and Privacy Controls for Information Systems and Organizations ▪ NIST Special Publication 800-37, Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy ▪ NIST Special Publication 800-160 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems ▪ NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

  19. Some final thoughts. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

  20. Institutionalize. The ultimate objective for security. Operationalize. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  21. Leadership. Governance. Accountability. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  22. Government Academia Security is a team sport. Industry NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

  23. Ron Ross 100 Bureau Drive Mailstop 7730 Gaithersburg, MD USA 20899-7730 Email Mobile ron.ross@nist.gov (301) 651.5083 LinkedIn Twitter www.linkedin.com/in/ronross-cybersecurity @ronrossecure Web Comments csrc.nist.gov sec-cert@nist.gov We are here to help you be more secure… NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

Recommend

Machine Safety Protecting your Most Valuable Assets Putting Performance in the Hands of Your

Machine Safety Protecting your Most Valuable Assets Putting Performance in the Hands of Your

Machine Safety Protecting your Most Valuable Assets Putting Performance in the Hands of Your People Agenda Safety Protecting Your Assets Roadmap to Machine Safety Global CPG Case Study How do you define Safety Define Safety

998 views • 35 slides
Physical and Environmental Security MIS 5206 Protecting Information Assets MIS5206 Week 7

Physical and Environmental Security MIS 5206 Protecting Information Assets MIS5206 Week 7

Protecting Information Assets - Week 7 - Physical and Environmental Security MIS 5206 Protecting Information Assets MIS5206 Week 7 Physical and Environmental Security Test Taking Tip Quiz MIS 5206 Protecting Information Assets

577 views • 34 slides
Protecting Your Identity, Data, and Assets 1 Its Not a Matter of If, but When 17.6

Protecting Your Identity, Data, and Assets 1 Its Not a Matter of If, but When 17.6

Protecting Your Identity, Data, and Assets 1 Its Not a Matter of If, but When 17.6 million 63% Identity fraud is a serious issue. people experienced of confirmed data Fraudsters have identity theft in 2014 breaches involved stolen

605 views • 29 slides
Gray is the New Green : Strengthening Vulnerable Communities, Protecting Limited Assets and

Gray is the New Green : Strengthening Vulnerable Communities, Protecting Limited Assets and

Gray is the New Green : Strengthening Vulnerable Communities, Protecting Limited Assets and Preventing Elder Financial Abuse AGING I IN CAL ALIFORNIA DEMOGRA RAPHIC ICS FINA NANCIAL VULN VULNERABILITY LONG-TERM C ERM CARE S E SERVICES

365 views • 9 slides
Training Assisting the courts in protecting our most vulnerable citizens and their assets.

Training Assisting the courts in protecting our most vulnerable citizens and their assets.

Texas Guardianship Registration and Training Assisting the courts in protecting our most vulnerable citizens and their assets. OFFICE of COURT ADMINISTRATION Judicial Branch Certification Commission (JBCC) JBCC Overview Registrations

298 views • 17 slides
Protecting Your Assets: Results and Recommendations from a Student-led Security Assessment

Protecting Your Assets: Results and Recommendations from a Student-led Security Assessment

Protecting Your Assets: Results and Recommendations from a Student-led Security Assessment BRADLEY RED TEAM ForenSecure 17 April 27, 2017 ENTREPRENEURSHIP EXPERIENTIAL COLLABORATIVE LEARNING GLOBALIZATION LEARNING LEADERSHIP

146 views • 12 slides
and Protecting Assets Information Technology Manager - Redstone Arsenal 15,000 users

and Protecting Assets Information Technology Manager - Redstone Arsenal 15,000 users

Cyber Theft and Protecting Assets Information Technology Manager - Redstone Arsenal 15,000 users Technology and Digital Forensics Counter Drug Agency (Army) Canfield Computer Solutions since 1995 Network and workstation

339 views • 4 slides
Protecting our Local Liquid Assets Rideau Valley Conservation Authority March 21, 2013 Protecting

Protecting our Local Liquid Assets Rideau Valley Conservation Authority March 21, 2013 Protecting

Protecting our Local Liquid Assets Rideau Valley Conservation Authority March 21, 2013 Protecting Watersheds Ontarios Watersheds Eastern Ontario Our Watershed Rideau River Watershed Ottawa Ottawa River West River East Jock River

387 views • 16 slides
Protecting Business Assets From Creditors in Litigation: Strategic Choice of Entities, Avoiding

Protecting Business Assets From Creditors in Litigation: Strategic Choice of Entities, Avoiding

Presenting a live 90-minute webinar with interactive Q&A Protecting Business Assets From Creditors in Litigation: Strategic Choice of Entities, Avoiding Fraudulent Transfers TUESDAY, JULY 21, 2015 1pm Eastern | 12pm Central | 11am

452 views • 28 slides
Information for Action Protecting the Health of the Nation Cliff Lake 23 May 2018 About PHE 2

Information for Action Protecting the Health of the Nation Cliff Lake 23 May 2018 About PHE 2

Information for Action Protecting the Health of the Nation Cliff Lake 23 May 2018 About PHE 2 About PHE Public Health England is an Executive Agency of the Department of Health and Social Care and is the authoritative voice on all public

308 views • 26 slides
Protecting valuable assets around the world METALIZING - LONG TERM CORROSION CONTROL SAVINGS IN

Protecting valuable assets around the world METALIZING - LONG TERM CORROSION CONTROL SAVINGS IN

Protecting valuable assets around the world METALIZING - LONG TERM CORROSION CONTROL SAVINGS IN MATERIAL, LABOR, AND MAINTENANCE COSTS www. metalize.net Quality assurance measures are taken in accordance with SSPC-CS23.00 / AWS C2.23M / NACE

713 views • 34 slides
This presentation provides an overview of the Victorian Auditor Generals report Protecting

This presentation provides an overview of the Victorian Auditor Generals report Protecting

This presentation provides an overview of the Victorian Auditor Generals report Protecting Victorias Coastal Assets. Built and natural coastal assets provide important services to Victorias environment, economy and community. They also

505 views • 13 slides
Dreaming About Jewish Peoplehood A Critical Exploration of Jewish Identity in the 21st Century

Dreaming About Jewish Peoplehood A Critical Exploration of Jewish Identity in the 21st Century

Dreaming About Jewish Peoplehood A Critical Exploration of Jewish Identity in the 21st Century Rabbi Talia Avnon-Benveniste . airb & b's #WeAccept campaign. Super Bowl 2017 What qualities do I preserve? How many can fit in one jar? How

241 views • 11 slides
Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani

Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani

Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani Officer-In-Charge, Computer Emergency Response Team of Mauritius (CERT-MU) Presentation Outline What CERT-MU does? Critical Infrastructures

604 views • 32 slides
Transforming Victorian assets to deliver water through the 21st century Upgrades of Sunderland

Transforming Victorian assets to deliver water through the 21st century Upgrades of Sunderland

Transforming Victorian assets to deliver water through the 21st century Upgrades of Sunderland Groundwater Stations Susan Robinson CEng, CEnv, FIMechE, FCIWEM woodplc.com Associate Director Wood plc Groundwater stations 21 st century

131 views • 9 slides
Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018

Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018

Helping Businesses Grow & Succeed Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018 BYTE-SIZE: The Small Business Cybersecurity Program of the FSBDC Network This presentation is a companion to

573 views • 55 slides
Ron Shultz, WSCC Policy Director All counties must adopt a critical areas ordinance protecting

Ron Shultz, WSCC Policy Director All counties must adopt a critical areas ordinance protecting

Spokane VSP Workgroup June 9, 2016 Spokane, Washington Ron Shultz, WSCC Policy Director All counties must adopt a critical areas ordinance protecting critical areas. Several counties exempted agriculture from CAO. Trend of board

516 views • 30 slides
LCCMR ID: 112-D Project Title: LaSalle Lake: Protecting Critical Mississippi River Headwaters

LCCMR ID: 112-D Project Title: LaSalle Lake: Protecting Critical Mississippi River Headwaters

Environment and Natural Resources Trust Fund 2011-2012 Request for Proposals (RFP) LCCMR ID: 112-D Project Title: LaSalle Lake: Protecting Critical Mississippi River Headwaters Lands Category: D. Land Acquisition for Habitat and Recreation

473 views • 8 slides
April 3, 2013 Protecting public safety, the regional economy and critical infrastructure.

April 3, 2013 Protecting public safety, the regional economy and critical infrastructure.

King County Flood Control District Basin Technical Committee April 3, 2013 Protecting public safety, the regional economy and critical infrastructure. Presentation Overview Proposed Expenditures District Administration Operating

112 views • 9 slides
Protecting your Assets Sept 4th, 2014 Presented by: Chris Nyhuis Vigilant

Protecting your Assets Sept 4th, 2014 Presented by: Chris Nyhuis Vigilant

PSI Tech Expo Protecting your Assets Sept 4th, 2014 Presented by: Chris Nyhuis Vigilant LLC. 9/16/14 1 Chris Nyhuis cnyhuis@vigilantnow.com http://www.vigilantnow.com Owner of Vigilant

1.13k views • 35 slides
August 20, 2012 Protecting public safety, the regional economy and critical infrastructure.

August 20, 2012 Protecting public safety, the regional economy and critical infrastructure.

King County Flood Control District Basin Technical Committee August 20, 2012 Protecting public safety, the regional economy and critical infrastructure. Overview August 22 Advisory Committee Recommendations: 2013 Operating Budget 2013

476 views • 30 slides
Attack Graph Based Metrics for Identifying Critical Cyber Assets in Electric Grid Infrastructure

Attack Graph Based Metrics for Identifying Critical Cyber Assets in Electric Grid Infrastructure

Attack Graph Based Metrics for Identifying Critical Cyber Assets in Electric Grid Infrastructure Chen Huo Panini Sai Patapanchala Dr. Rakesh B. Bobba Dr. Eduardo Cotilla-Sanchez 1 Our Goal Short-term : Developing a method that takes

378 views • 20 slides
Real-time Datalogger To Monitor Your Moving Shipments Monitoring critical, high valued assets

Real-time Datalogger To Monitor Your Moving Shipments Monitoring critical, high valued assets

Real-time Datalogger To Monitor Your Moving Shipments Monitoring critical, high valued assets that are sensitive to environmental conditions is of utmost importance in todays digital world. Kelvin is Adapt Ideations new flagship product

71 views • 5 slides
Defending Critical Assets with Deception Contact Us: https://www.illusivenetworks.com/contact

Defending Critical Assets with Deception Contact Us: https://www.illusivenetworks.com/contact

Defending Critical Assets with Deception Contact Us: https://www.illusivenetworks.com/contact sales@illusivenetworks.com Appearanes can be deceiving Confidential Confidential Who am I A Sr. Solutions Architect for Illusive Networks

392 views • 21 slides

More recommend