Transcript: Ross Presentation.pdf

Page 1

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Protecting the Nation’s Critical Assets in the 21st Century

Dr. Ron Ross
Computer Security Division
Information Technology Laboratory

Page 2

OPM. Anthem BCBS.

Ashley Madison.

Page 3

Houston, we have a problem.

Page 4

Complexity.

Page 5

Sharks and glaciers.

SOFTWARE

FIRMWARE

HARDWARE

SYSTEMS

Page 6

The n+1 vulnerabilities problem.

2013 Defense Science Board Study
http://www.acq.osd.mil/dsb/reports/2010s/ResilientMilitarySystemsCyberThreat.pdf

Page 7

Achieving Trustworthiness and Resiliency

Security Architecture and Design

System:
Harden the target.
Limit damage to the target.
Make the target survivable.

Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach.

Page 8

▪ Threat
▪ Assets
▪ Complexity
▪ Integration
▪ Trustworthiness

TACIT Security

MERRIAM-WEBSTER DICTIONARY

tac·it, adjective: expressed or understood without being directly stated

Page 9

Threat

▪ Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.
▪ Obtain threat data from as many sources as possible.
▪ Include external and insider threat analysis.

Page 10

Assets

▪ Conduct a comprehensive criticality analysis of organizational assets, including information and information systems.
▪ Focus on mission/business impact.
▪ Use a triage concept to segregate assets by criticality.

Page 11

Complexity

▪ Reduce the complexity of the information technology infrastructure, including IT component products and information systems.
▪ Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.
▪ Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.

Page 12

Integration

▪ Integrate information security requirements and the security expertise of individuals into organizational development and management processes.
▪ Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.
▪ Coordinate security requirements with mission/business owners; become key stakeholders.

Page 13

Trustworthiness

▪ Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.
▪ Isolate critical assets into separate enclaves.
▪ Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege).

Page 14

Risk assessment.

Page 15

Assets and consequences. Criticality Analysis.

Identification of High Value Assets.

Page 16

Engineer up.

Page 17

Immediate Action Plan and Resources

▪ Conduct threat and vulnerability assessments.
  ▪ United States Computer Emergency Readiness Team
  ▪ https://www.us-cert.gov

▪ Conduct criticality analysis of information assets.
  ▪ FIPS Publication 199
  ▪ http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

▪ Reduce complexity of IT infrastructure.
  ▪ Federal Enterprise Architecture Initiative
  ▪ https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/common_approach_to_federal_ea.pdf

▪ Invest in trustworthy IT components and systems.
  ▪ DHS Software and Supply Chain Assurance
  ▪ https://buildsecurityin.us-cert.gov/swa

Page 18

Important NIST Security and Privacy Pubs

▪ Cybersecurity Framework
▪ NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations
▪ NIST Special Publication 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy
▪ NIST Special Publication 800-160: Systems Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
▪ NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Page 19

Some final thoughts.

Page 20

Institutionalize.

The ultimate objective for security.

Operationalize.

Page 21

Leadership. Governance.

Accountability.

Page 22

Security is a team sport.

Industry

Government

Academia

Page 23

Ron Ross
100 Bureau Drive, Mailstop 7730

Gaithersburg, MD USA 20899-7730

Email: [email protected]
Phone: (301) 651.5083

LinkedIn: www.linkedin.com/in/ronross-cybersecurity
Twitter: @ronrossecure

Web: csrc.nist.gov
Comments: [email protected]

We are here to help you be more secure…