Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain John M. Gilligan Gilligan Group, Inc. December 10, 2008


DESCRIPTION

How much security is enough..and where should investments be applied? John Gilligan thinks it is time to require that IT vendors deliver “locked down” configurations and employ standards as well as automated tools to “enforce” continued security compliance.

TRANSCRIPT

Page 1: Security In The Supply Chain

Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain

John M. Gilligan, Gilligan Group, Inc.

December 10, 2008

Page 2: Security In The Supply Chain

Topics

• Background
• The “Good Old Days”—Status Quo
• The “Aha” Moment
• Standard Desktop becomes Federal Desktop
• Next steps
– Cyber Security Commission Recommendation
– Evolving Standards
• Summary

(c) 2008, All Rights Reserved. Gilligan Group Inc.

Page 3: Security In The Supply Chain

Relevant Background

• Air Force
– 700,000 Unclassified Desktops
– 60,000 Classified Desktops
– IT Spending $7B; Security Spending of $700M
• Federal Government
– Approximately 4 million desktops
– IT Spending $60B; Security Spending of $5B
• National Institute of Standards and Technology (NIST) provides IT security standards/guidance

Page 4: Security In The Supply Chain

Air Force CIO Observations Regarding Software Security

• Spending more to “patch and fix” software systems than to purchase them
• SW vendor contract terms—no warranties, no standards, and no legal precedents for remedy
• AF IT purchasing is ad hoc (and expensive)
• Air Force is the largest enterprise buyer for many vendors

COTS software business model is fundamentally broken!

Page 5: Security In The Supply Chain

From National Institute of Standards and Technology briefing: http://nvd.nist.gov/scap.cfm

NIST provides a lot of guidance in security—is it addressing the right problem?

Page 6: Security In The Supply Chain

The Cyber Security Dilemma

• There are only so many resources available to be allocated against all IT priorities

• There is no such thing as perfect cyber security

• Finding flaws in cyber security implementation is a “target rich” environment

How much security is enough, and where should investments be applied?


Page 7: Security In The Supply Chain

How to Assess Effective Security

Candidate measures (from the slide graphic): GAO reports? Congressional FISMA grades? Percentage of systems certified? Number of systems with contingency plans? Agency auditor reports?

The threat is increasing! Are we focusing on the right things?

"Pentagon Shuts Down Systems After Cyber-Attack"

Malicious scans of DoD increase 300%!

Page 8: Security In The Supply Chain

An “Aha” Moment!

• Scene: 2002 briefing by NSA regarding latest penetration assessment of DoD systems

• Objective: Embarrass DoD CIOs for failure to provide adequate security.

• Subplot: If CIOs patch/fix current avenues of penetration, NSA would likely find others

• Realization: Let’s use NSA’s offensive capabilities to guide security investments

Let “Offense Inform Defense”!

Page 9: Security In The Supply Chain

AF Standard Desktop Concept

• NSA “Offensive Team” briefings to Air Force on attack patterns and vulnerabilities exploited

• ~80% of vulnerabilities tied to incorrectly configured COTS software

• Joint effort by NSA, NIST, DISA, DHS, CIS, Microsoft to create Standard Desktop Configuration (SDC) for Microsoft Windows/Office/IE


Address the source of the biggest problem—and do it in the supply chain!


Page 10: Security In The Supply Chain

Secure Desktop Configuration

• Defined ~600 security configuration settings for Windows XP and Vista (out of 4477)
– Leveraged prior work by MS, NIST, CIS, NSA, DISA
• Protocols and software tools to validate implementation – CVE/OVAL
• Phased Implementation (2005-2007)
– Senior-level governance process

Software delivered from hardware vendors in “locked down” configuration

Page 11: Security In The Supply Chain

AF Standard Desktop Configuration Results

• Improved Security
– Drop in security events
– Reduced patching time from 57 days to 72 hours
• Reduced Costs of Operation and Ownership
– Hundreds of millions saved to date*
• Improved System Performance
• Common platform for COTS/GOTS applications

* SDC linked with Enterprise License Agreement and Commodity Purchasing Efforts

Page 12: Security In The Supply Chain

Enterprise Client PC Hardware
Step 1: USAF Quarterly Enterprise Buy (QEB) Standards – 700K purchased since Aug 2003; $200M+ avoidance

Enterprise Licensing and Services
Step 2: USAF Enterprise License Agreements – Implemented in Jul – Sep 2004; $100M+ savings by 2010

Enterprise Client, Server, and Active Directory Configurations
Step 3: USAF Standard Desktop Configuration – AF-wide implementation in 2006; Servers 2008

Enterprise Configuration and Patch Management
Step 4: USAF Enterprise Configuration Management processes – Implementation 2006-2008

Comply and Connect Enforcement
Step 5: USAF Comply, Connect and Remediate policy and processes – Incremental improvements 2006-2009

Security As Part of IT Commodity Life Cycle Management

Incremental Improvements in End Point and Server Capability and Security

Page 13: Security In The Supply Chain

AF Standard Desktop Configuration FDCC

• Adopt AF-validated standard desktop concept
• OMB mandate for Federal Desktop Core Configuration (FDCC)—March 2007
• Security Content Automation Protocol (SCAP)
– Validate configuration (XCCDF-CCE-OVAL)
– Check/remediate patching (CVE-OVAL)
– Asset management (CPE)
– Standard vulnerability list (NVD-CVE-CVSS)

Expanded across Federal government and extended automation support
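To make concrete how the validation pieces named on slides 10 and 13 fit together (XCCDF benchmark rules identified by CCE-style ids, OVAL-style tests over a host's settings, and a comply-and-connect decision on the result), here is an added example that is not from the presentation nor from any SCAP tool. Every CCE-style id, setting path and value in it is a constructed placeholder, not real FDCC content.

```python
# Constructed, minimal SCAP-style evaluator (not FDCC/OpenSCAP code).
# An XCCDF-like benchmark maps rules (CCE-style ids) to OVAL-like tests over
# a host configuration snapshot; a comply-and-connect gate acts on the result.
import re
from collections import namedtuple

# cce: configuration id (constructed, not a real CCE); setting: config item path
# (constructed); op: OVAL-like operation; severity: XCCDF severity
Rule = namedtuple("Rule", "cce setting op expected severity")

BENCHMARK = [  # constructed subset in the spirit of an SDC/FDCC benchmark
    Rule("CCE-EXAMPLE-0001", r"Firewall\DomainProfile\EnableFirewall", "equals", 1, "high"),
    Rule("CCE-EXAMPLE-0002", r"Lsa\LmCompatibilityLevel", "equals", 5, "high"),
    Rule("CCE-EXAMPLE-0003", r"PasswordPolicy\MinimumLength", "greater than or equal", 12, "medium"),
    Rule("CCE-EXAMPLE-0004", r"AutoRun\NoDriveTypeAutoRun", "equals", 255, "medium"),
    Rule("CCE-EXAMPLE-0005", r"Services\Telnet\Start", "pattern match", r"^(4|disabled)$", "low"),
]

_OPS = {  # subset of OVAL operations
    "equals": lambda actual, exp: actual == exp,
    "greater than or equal": lambda actual, exp: actual >= exp,
    "pattern match": lambda actual, exp: re.search(exp, str(actual)) is not None,
}

def evaluate_rule(rule, host_config):
    """XCCDF-style result: 'pass', 'fail', or 'notchecked' when the item is absent."""
    if rule.setting not in host_config:
        return "notchecked"  # OVAL 'does not exist': compliance cannot be asserted
    return "pass" if _OPS[rule.op](host_config[rule.setting], rule.expected) else "fail"

def evaluate_benchmark(benchmark, host_config):
    """Map each rule's CCE-style id to its result."""
    return {r.cce: evaluate_rule(r, host_config) for r in benchmark}

def may_connect(benchmark, results):
    """Comply-and-connect gate: every high-severity rule must pass; an absent
    item ('notchecked') fails closed rather than being assumed compliant."""
    return all(results[r.cce] == "pass" for r in benchmark if r.severity == "high")

# Constructed host snapshot: one high-severity deviation, one item missing
HOST = {
    r"Firewall\DomainProfile\EnableFirewall": 1,
    r"Lsa\LmCompatibilityLevel": 3,
    r"PasswordPolicy\MinimumLength": 14,
    r"Services\Telnet\Start": "4",
}

if __name__ == "__main__":
    results = evaluate_benchmark(BENCHMARK, HOST)
    print(results, "connect allowed:", may_connect(BENCHMARK, results))
```

A real deployment would read the benchmark from XCCDF/OVAL content and collect the snapshot from the host; the decision logic (pass, fail, notchecked, fail-closed on high severity) is the part this block isolates.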

Page 14: Security In The Supply Chain

Next Steps--Cyber Security Commission Recommendation

• Mandate “locked-down” configurations for all software delivered to the government
• Build on existing efforts (e.g., NIST, BITS, FERC, NIAP, CIS)
– Public-private partnership to develop guidelines
• Self-certification by software vendors
– Satisfy security guidelines
– Do not “unlock” security of other software

Expand FDCC Concept to all Software Products

Page 15: Security In The Supply Chain

Security Standards Efforts: Security Content Automation Protocol (SCAP)

Page 16: Security In The Supply Chain

Security Standards Efforts: Next Steps*

* Making Security Measurable – The MITRE Corporation

Page 17: Security In The Supply Chain

Summary

• Need to fundamentally change the business model for buying COTS software
– Vendors deliver “secure” configuration of products
– Use automated tools to validate security
• Integrate security with improved commodity supply chain management (planning, purchase, operations, disposal)
• Advancement of standards and related tools holds great promise for dramatic improvements to the IT supply chain

Page 18: Security In The Supply Chain

Contact Information

John Gilligan

[email protected]

www.gilligangroupinc.com

Making Security Measurable

Bob Martin—MITRE Corporation

[email protected]