TRANSCRIPT
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Protecting the Nation’s Critical Assets in the 21st Century
Dr. Ron Ross
Computer Security Division
Information Technology Laboratory
OPM. Anthem BCBS.
Ashley Madison.
Houston, we have a problem.
Complexity.
Sharks and glaciers.
SOFTWARE
FIRMWARE
HARDWARE
SYSTEMS
The n+1 vulnerabilities problem.
2013 Defense Science Board Study
http://www.acq.osd.mil/dsb/reports/2010s/ResilientMilitarySystemsCyberThreat.pdf
Security Architecture and Design: Achieving Trustworthiness and Resiliency
Harden the target.
Limit damage to the target.
Make the target survivable.
Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach.
TACIT Security
▪ Threat
▪ Assets
▪ Complexity
▪ Integration
▪ Trustworthiness
MERRIAM-WEBSTER DICTIONARY
tac·it adjective : expressed or understood without being directly stated
Threat
▪ Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.
▪ Obtain threat data from as many sources as possible.
▪ Include external and insider threat analysis.
Assets
▪ Conduct a comprehensive criticality analysis of organizational assets, including information and information systems.
▪ Focus on mission/business impact.
▪ Use a triage concept to segregate assets by criticality.
Complexity
▪ Reduce the complexity of the information technology infrastructure, including IT component products and information systems.
▪ Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.
▪ Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.
Integration
▪ Integrate information security requirements and the security expertise of individuals into organizational development and management processes.
▪ Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.
▪ Coordinate security requirements with mission/business owners; become key stakeholders.
Trustworthiness
▪ Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.
▪ Isolate critical assets into separate enclaves.
▪ Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege).
Risk assessment.
Assets and consequences.
Criticality Analysis.
Identification of High Value Assets.
Engineer up.
Immediate Action Plan and Resources
▪ Conduct threat and vulnerability assessments.
  ▪ United States Computer Emergency Readiness Team
  ▪ https://www.us-cert.gov
▪ Conduct criticality analysis of information assets.
  ▪ FIPS Publication 199
  ▪ http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
▪ Reduce complexity of IT infrastructure.
  ▪ Federal Enterprise Architecture Initiative
  ▪ https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/common_approach_to_federal_ea.pdf
▪ Invest in trustworthy IT components and systems.
  ▪ DHS Software and Supply Chain Assurance
  ▪ https://buildsecurityin.us-cert.gov/swa
Important NIST Security and Privacy Pubs
▪ Cybersecurity Framework
▪ NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations
▪ NIST Special Publication 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations. A System Life Cycle Approach for Security and Privacy
▪ NIST Special Publication 800-160: Systems Security Engineering. Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
▪ NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Some final thoughts.
Institutionalize.
The ultimate objective for security.
Operationalize.
Leadership. Governance.
Accountability.
Security is a team sport.
Industry. Government. Academia.
Ron Ross
100 Bureau Drive, Mailstop 7730
Gaithersburg, MD USA 20899-7730
Email: [email protected]
Phone: (301) 651.5083
LinkedIn: www.linkedin.com/in/ronross-cybersecurity
Twitter: @ronrossecure
Web: csrc.nist.gov
Comments: [email protected]
We are here to help you be more secure…