Protecting the Nation's Critical Assets in the 21st Century


  1. Protecting the Nation’s Critical Assets in the 21st Century. Dr. Ron Ross, Computer Security Division, Information Technology Laboratory, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  2. OPM. Anthem BCBS. Ashley Madison.

  3. Houston, we have a problem.

  4. Complexity.

  5. Sharks and glaciers. HARDWARE FIRMWARE SYSTEMS SOFTWARE

  6. The n+1 vulnerabilities problem. 2013 Defense Science Board Study http://www.acq.osd.mil/dsb/reports/2010s/ResilientMilitarySystemsCyberThreat.pdf

  7. Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach.
     Diagram labels: Security Architecture and Design; System; Achieving Trustworthiness and Resiliency.
     ▪ Harden the target
     ▪ Limit damage to the target
     ▪ Make the target survivable

  8. TACIT Security
     ▪ Threat
     ▪ Assets
     ▪ Complexity
     ▪ Integration
     ▪ Trustworthiness
     MERRIAM-WEBSTER DICTIONARY: tac·it, adjective: expressed or understood without being directly stated

  9. Threat
     ▪ Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.
     ▪ Obtain threat data from as many sources as possible.
     ▪ Include external and insider threat analysis.

  10. Assets
     ▪ Conduct a comprehensive criticality analysis of organizational assets including information and information systems.
     ▪ Focus on mission/business impact.
     ▪ Use triage concept to segregate assets by criticality.

  11. Complexity
     ▪ Reduce the complexity of the information technology infrastructure including IT component products and information systems.
     ▪ Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.
     ▪ Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.

  12. Integration
     ▪ Integrate information security requirements and the security expertise of individuals into organizational development and management processes.
     ▪ Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.
     ▪ Coordinate security requirements with mission/business owners; become key stakeholders.

  13. Trustworthiness
     ▪ Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.
     ▪ Isolate critical assets into separate enclaves.
     ▪ Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege).

  14. Risk assessment.

  15. Assets and consequences. Criticality Analysis. Identification of High Value Assets.

  16. Engineer up.

  17. Immediate Action Plan and Resources
     ▪ Conduct threat and vulnerability assessments.
        ▪ United States Computer Emergency Readiness Team
        ▪ https://www.us-cert.gov
     ▪ Conduct criticality analysis of information assets.
        ▪ FIPS Publication 199
        ▪ http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
     ▪ Reduce complexity of IT infrastructure.
        ▪ Federal Enterprise Architecture Initiative
        ▪ https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/common_approach_to_federal_ea.pdf
     ▪ Invest in trustworthy IT components and systems.
        ▪ DHS Software and Supply Chain Assurance
        ▪ https://buildsecurityin.us-cert.gov/swa

  18. Important NIST Security and Privacy Pubs
     ▪ Cybersecurity Framework
     ▪ NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations
     ▪ NIST Special Publication 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
     ▪ NIST Special Publication 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
     ▪ NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

  19. Some final thoughts.

  20. The ultimate objective for security. Institutionalize. Operationalize.

  21. Leadership. Governance. Accountability.

  22. Security is a team sport. Government. Academia. Industry.

  23. Ron Ross
     100 Bureau Drive, Mailstop 7730, Gaithersburg, MD USA 20899-7730
     ▪ Email: ron.ross@nist.gov
     ▪ Mobile: (301) 651.5083
     ▪ LinkedIn: www.linkedin.com/in/ronross-cybersecurity
     ▪ Twitter: @ronrossecure
     ▪ Web: csrc.nist.gov
     ▪ Comments: sec-cert@nist.gov
     We are here to help you be more secure…
