nist’s role in computer security
DESCRIPTION
NIST’s Role in Computer Security. Ed Roback Computer Security Division NIST Information Technology Laboratory. Agenda. Who we are Computer security program NIST partnerships Summary. - PowerPoint PPT PresentationTRANSCRIPT
November 9, 1999 1
NIST’s Role in Computer SecurityNIST’s Role in Computer Security
Ed RobackEd Roback
Computer Security DivisionComputer Security Division
NIST Information Technology LaboratoryNIST Information Technology Laboratory
November 9, 1999 2
AgendaAgenda
Who we areWho we are Computer security programComputer security program NIST partnershipsNIST partnerships SummarySummary
November 9, 1999 4
Promote the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure for information technology
Advanced Network TechnologiesAdvanced Network Technologies
Computer SecurityComputer Security Distributed Computing and Distributed Computing and
Information ServicesInformation Services High Performance Systems and High Performance Systems and
ServicesServices Information Access and User InterfacesInformation Access and User Interfaces Mathematical and Computational Mathematical and Computational
SciencesSciences Software Diagnostics and Software Diagnostics and
Conformance TestingConformance Testing Statistical EngineeringStatistical Engineering
November 9, 1999 5
NIST Mandate for Computer NIST Mandate for Computer SecuritySecurity
Develop standards and guidelines for the Federal Develop standards and guidelines for the Federal government government
Improve the competitiveness of the American IT Improve the competitiveness of the American IT industryindustry
November 9, 1999 6
Computer Security Division MissionComputer Security Division MissionTo improve the state-of-the-art in information security through:
GuidanceA
war
enes
s
Sta
nd
ard
s,
Met
rics
, Tes
ts
Awareness - of IT
vulnerabilities and
protection requirements
Standards, Metrics, Tests -
to promote, measure, and validate security
improvements and enable confidence for marketplace transactions and minimum
standards for Federal systems
Guidance - to increase effective
security planning and implementation of cost-effective
security in Federal systems
November 9, 1999 7
AgendaAgenda
Who we areWho we are Computer security programComputer security program NIST partnershipsNIST partnerships SummarySummary
November 9, 1999 8
Security Program StrategySecurity Program Strategy
Collaboration with industry and governmentCollaboration with industry and government– Work to develop IT specifications and conformance Work to develop IT specifications and conformance
tests to promote secure, interoperable products and tests to promote secure, interoperable products and systemssystems
– Develop standards in cooperation with industry and Develop standards in cooperation with industry and voluntary consensus standards bodies to promote and voluntary consensus standards bodies to promote and protect USG and IT industry interestsprotect USG and IT industry interests
Acting as “honest broker”Acting as “honest broker”
November 9, 1999 9
Security Program Strategy Security Program Strategy (Concluded)(Concluded)
Focus on Improving the security of products and Focus on Improving the security of products and systemssystems– Develop standards for secure, interoperable productsDevelop standards for secure, interoperable products
– Validate conformance of commercial products to selected Validate conformance of commercial products to selected Federal Information Processing Standards (FIPS)Federal Information Processing Standards (FIPS)
– Perform research and conduct studies to identify Perform research and conduct studies to identify vulnerabilities and devise solutionsvulnerabilities and devise solutions
– Develop new test methods and procedures that will make Develop new test methods and procedures that will make testing of security requirements/ specifications more efficient testing of security requirements/ specifications more efficient and cost effectiveand cost effective
November 9, 1999 10
Key Components of NIST’s Key Components of NIST’s Computer Security ProgramComputer Security Program
Security standards developmentSecurity standards development Security testingSecurity testing Exploring new security technologiesExploring new security technologies Assistance and guidanceAssistance and guidance
November 9, 1999 11
Security Standards DevelopmentSecurity Standards Development
Work with industry and government to develop Work with industry and government to develop standards for computer securitystandards for computer security– CryptographyCryptography– Policies, management, and operational controlsPolicies, management, and operational controls– Best practices Best practices – Common CriteriaCommon Criteria– Public Key Infrastructure (PKI)Public Key Infrastructure (PKI)
November 9, 1999 12
Key Efforts -- StandardsKey Efforts -- Standards
AESAES Advanced Encryption StandardAdvanced Encryption Standard FIPS 46-3FIPS 46-3 Triple Data Encryption Standard (DES) Triple Data Encryption Standard (DES) DSS UpgradeDSS Upgrade to include RSA, Elliptic Curveto include RSA, Elliptic Curve SHA-2 SHA-2 Upgrade of SHA-1Upgrade of SHA-1 FIPS 140-2FIPS 140-2 Upgrade of 140-1Upgrade of 140-1 X9.82X9.82 Random Number GeneratorRandom Number Generator Key ExchangeKey Exchange Key Exchange/Agreement Standard(s)Key Exchange/Agreement Standard(s) ISO 15408ISO 15408 Common Criteria v.2Common Criteria v.2 IETFIETF PKIX, IPSec, DNSSec, etc.PKIX, IPSec, DNSSec, etc. ISO 15292/15446ISO 15292/15446 Protection Profile Registration and Protection Profile Registration and
Development Guidance Development Guidance FIPAFIPA Foundation for Intelligent Physical AgentsFoundation for Intelligent Physical Agents PKIPKI Security Requirements for Certificate Issuing Security Requirements for Certificate Issuing
and Management Components (CIMCs)and Management Components (CIMCs)
November 9, 1999 13
Security TestingSecurity Testing Develop the tests, tools, profiles, methods, and Develop the tests, tools, profiles, methods, and
implementations for timely, cost effective evaluation implementations for timely, cost effective evaluation and testingand testing
ValidationValidation– Cryptographic Module Validation Program (CMVP)Cryptographic Module Validation Program (CMVP)– National Information Assurance Partnership (NIAP)National Information Assurance Partnership (NIAP)
Conformance and interoperability testingConformance and interoperability testing– MISPCMISPC– IPv6 test resourceIPv6 test resource
November 9, 1999 14
Key Efforts -- TestingKey Efforts -- Testing Crypto Module Validation ProgramCrypto Module Validation Program Algorithm TestingAlgorithm Testing Random Number Generator TestingRandom Number Generator Testing MISPC TestingMISPC Testing Certificate Authority TestingCertificate Authority Testing Firewall Security & Evaluation TestsFirewall Security & Evaluation Tests Telecommunications Switch SecurityTelecommunications Switch Security Protection Profile TestingProtection Profile Testing Automated Test Development/GenerationAutomated Test Development/Generation Common Criteria Evaluation and Validation SchemeCommon Criteria Evaluation and Validation Scheme Laboratory AccreditationLaboratory Accreditation
November 9, 1999 15
Exploring New Security Exploring New Security TechnologiesTechnologies
Identify and use emerging technologies, Identify and use emerging technologies, especially infrastructure nichesespecially infrastructure niches
Develop prototypes, reference implementations, Develop prototypes, reference implementations, and demonstrationsand demonstrations
Transition new technology and tools to public & Transition new technology and tools to public & private sectorsprivate sectors
Advise Federal agenciesAdvise Federal agencies
November 9, 1999 16
Key Efforts -- New TechnologiesKey Efforts -- New Technologies
Role-Based Access ControlRole-Based Access Control Policy ManagementPolicy Management Intrusion DetectionIntrusion Detection Mobile AgentsMobile Agents Automated Security Test GenerationAutomated Security Test Generation IPSec/web interface testingIPSec/web interface testing Security Service InterfacesSecurity Service Interfaces
November 9, 1999 17
Assistance and GuidanceAssistance and Guidance
Assist U.S. Government agencies and other users with Assist U.S. Government agencies and other users with technical security and management issuestechnical security and management issues
Assist in development of security infrastructuresAssist in development of security infrastructures Develop or point to cost-effective security guidanceDevelop or point to cost-effective security guidance Actively transfer security technology and guidance Actively transfer security technology and guidance
from NIST to agencies/industryfrom NIST to agencies/industry Support agencies on specific security projects on a cost-Support agencies on specific security projects on a cost-
reimbursable basisreimbursable basis
November 9, 1999 18
Key Efforts -- Assistance and GuidanceKey Efforts -- Assistance and Guidance NIST Special Publications: NIST Special Publications:
– 800-18, “Guide for Developing Security Plans for Information Technology Systems”800-18, “Guide for Developing Security Plans for Information Technology Systems”– 800-16, “Information Technology Security Training Requirements”800-16, “Information Technology Security Training Requirements”– ““Guideline for Implementing Cryptography in the Federal Government” Guideline for Implementing Cryptography in the Federal Government”
(Forthcoming)(Forthcoming)– ““Security Incident Handling -- A Cooperative Approach”Security Incident Handling -- A Cooperative Approach”
ITL Bulletins (1999):ITL Bulletins (1999):– November November Intrusion DetectionIntrusion Detection– September September Securing Web Servers Securing Web Servers – August August The Advanced Encryption Standard: A Status The Advanced Encryption Standard: A Status
ReportReport– May May Computer Attacks: What They Are and How to Defend Computer Attacks: What They Are and How to Defend
Against ThemAgainst Them
November 9, 1999 19
AgendaAgenda
Who we areWho we are Computer security programComputer security program NIST partnershipsNIST partnerships SummarySummary
November 9, 1999 20
In carrying out NIST’s programs,In carrying out NIST’s programs,
we don’t work alone...we don’t work alone...
November 9, 1999 21
ITIndustry
FederalAgencies
StandardsCommunity
Academia
Testing Labs
NISTOutreach
•ACM Workshops on Access Control•Agency Assistance Federal Computer Security Training Resource Center•Best Practice Task Force•CIO Council Security Privacy-Critical Infrastructure•Computer System Security & Privacy Advisory Board (CSSPAB)•Critical Infrastructure Protection•Department of Justice Executive Advisory Team•Director Forum of CIO Council•DoC/CIO Contingency Planning Affinity Group•FedCIRC Partners•Federal Computer Security Program Managers' Forum•Federal Information Systems Security Educators' Association (FISSEA)•Federal Public Key Infrastructure Steering Committee & Subgroups•Forum for Privacy & Security in Healthcare•High Performance Computing and Communications•Information Industry Group•INFOSEC Research Council•National Colloquium for Information Systems Security Education (NCISSE)•National Science Foundation Career Proposal Review Panel•National Security Telecommunications & Information Systems Security Committee (NSTISSC)•Network Security Information Exchange•NIST-NSA Technical Working Group•Open Source Security Working Group•Smart Card Security Users Group
•American Bar Association Information Security Ctte•Common Criteria Mutual Recognition Arrangement Management Ctte•Critical Infrastructure Coordination Group Education & Awareness Ctte•Federal Public Key Infrastructure Technical Working Group•Forum for Privacy & Security in Healthcare•Information Industry Group•National Colloquium for Information Systems Security Education (NCISSE)•National Science Foundation Career Proposal Review Panel•Nat'l Ctte for Information Technology Standards, T3-Open Distributed Processing •Network Security Information Exchange•Smart Card Security Users Group•Steering Ctte Member of ACM Workshop on Access Control
•CEAL: a Cygnacom Solutions Laboratory•DOMUS IT Security Laboratory, A Division of LGS Group, Inc.•InfoGard Laboratories, Inc.
•ANSI Accredited Standards Committee X9F3•ANSI X9.82 Random Number Generation Standard•ANSI X9F, X9F1, X9F3•ANSI-NCITS T4 Computer Security•Nat'l Committee for Information Technology Standards, Technical Committee T3-Open Distributed Processing•NIST-NSA Technical Working Group•IETF S/MIME V3 Working Group•IETF Public Key Infrastructure Working Group (PKIX)•IETF Internet Protocol Security (IPSEC) •Internet Protocol Secure Policy (IPSP) Internet Protocol Secure Remote Access (IPSRA) •ISO/Internat'l Electrotechnical Commission Joint Technical Committee 1•ISO JTCI SC27 Computer Security•Smart Card Security Users Group
•Critical Infrastructure Coordination Group Education & Awareness Ctte•National Colloquium for Information Systems Security Education (NCISSE)
November 9, 1999 22
How we improve securityHow we improve securitythrough standards and testingthrough standards and testing
Key Theme: Improving Security ProductsKey Theme: Improving Security Products
November 9, 1999 23
Develop securitystandards
Identify needs for security standards- industry and government
Therefore… Therefore… Security is Security is Improved!Improved!
Test products against security standards
Vendors improveproducts
Users get moresecure products
November 9, 1999 24
AgendaAgenda
Who we areWho we are Computer security programComputer security program NIST partnershipsNIST partnerships SummarySummary
November 9, 1999 25
Summary & ConclusionsSummary & Conclusions
Raising awareness of the need for cost-effective securityRaising awareness of the need for cost-effective security Engaging in key U.S. voluntary standards activitiesEngaging in key U.S. voluntary standards activities Developing standards and guidelines to secure Federal systems (often adopted Developing standards and guidelines to secure Federal systems (often adopted
voluntarily by private sector)voluntarily by private sector)– Cryptographic algorithmsCryptographic algorithms– Policy, management, operations, and best practices guidancePolicy, management, operations, and best practices guidance– PKIPKI
Providing National leadership role for security testing and evaluationProviding National leadership role for security testing and evaluation– Cryptographic Module Validation ProgramCryptographic Module Validation Program– National Information Assurance PartnershipNational Information Assurance Partnership
NIST is improving security by:NIST is improving security by:
November 9, 1999 26
Yet, Yet,
there is more there is more
we could do...we could do...
November 9, 1999 27
President’s 9/99 Proposal for President’s 9/99 Proposal for Increasing NIST CIP ActivitiesIncreasing NIST CIP Activities
Establish an Expert Review Team at NISTEstablish an Expert Review Team at NIST– Assist Government-wide agencies in adhering to Federal Assist Government-wide agencies in adhering to Federal
computer security requirementscomputer security requirements
– Director to consult with OMB and NSC on plans to Director to consult with OMB and NSC on plans to protect and enhance computer security for Federal protect and enhance computer security for Federal agenciesagencies
Fund a permanent 15-member team responsible for Fund a permanent 15-member team responsible for – Helping agencies identify vulnerabilitiesHelping agencies identify vulnerabilities
– Plan secure systems, and implement CIP plansPlan secure systems, and implement CIP plans
November 9, 1999 28
President’s 9/99 Proposal for Increasing President’s 9/99 Proposal for Increasing NIST CIP Activities (Concluded)NIST CIP Activities (Concluded)
Establish an operational fund at NIST for Establish an operational fund at NIST for computer security projects among Federal computer security projects among Federal agenciesagencies– Independent vulnerability assessmentsIndependent vulnerability assessments– Computer intrusion drillsComputer intrusion drills– Emergency funds to cover security fixes for systems Emergency funds to cover security fixes for systems
identified to have unacceptable security risksidentified to have unacceptable security risks
November 9, 1999 29
Questions?Questions?