Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

NIST’s Role in Computer Security Ed Roback Computer Security Division

advertisement 
NIST’s Role in Computer Security
Ed Roback
Computer Security Division
NIST Information Technology Laboratory
November 9, 1999
1
Agenda
Who we are
 Computer security program
 NIST partnerships
 Summary

November 9, 1999
2
Promote the U.S. economy
and public welfare by
providing technical
leadership for the
Nation’s measurement
and standards
infrastructure for
information technology

Advanced Network Technologies

Computer Security

Distributed Computing and
Information Services
High Performance Systems and
Services
Information Access and User
Interfaces
Mathematical and Computational
Sciences
Software Diagnostics and
Conformance Testing
Statistical Engineering





November 9, 1999
4
NIST Mandate for Computer
Security

Develop standards and guidelines for the Federal
government

Improve the competitiveness of the American IT
industry
November 9, 1999
5
Computer Security Division Mission
To improve the state-of-the-art in information security through:
Awareness
Standards,
Metrics, Tests
Guidance to increase effective
Guidance
security
planning and
implementation of cost-effective
security in Federal systems
Standards,
Metrics, Tests Awareness to promote, measure, and
of IT
validate security
vulnerabilities
improvements and enable
and
confidence for marketplace
transactions and minimum
protection
standards for Federal
requirements
systems
November 9, 1999
6
Agenda
Who we are
 Computer security program
 NIST partnerships
 Summary

November 9, 1999
7
Security Program Strategy

Collaboration with industry and government
– Work to develop IT specifications and conformance
tests to promote secure, interoperable products and
systems
– Develop standards in cooperation with industry and
voluntary consensus standards bodies to promote and
protect USG and IT industry interests

Acting as “honest broker”
November 9, 1999
8
Security Program Strategy
(Concluded)

Focus on Improving the security of products and
systems
– Develop standards for secure, interoperable products
– Validate conformance of commercial products to selected
Federal Information Processing Standards (FIPS)
– Perform research and conduct studies to identify
vulnerabilities and devise solutions
– Develop new test methods and procedures that will make
testing of security requirements/ specifications more efficient
and cost effective
November 9, 1999
9
Key Components of NIST’s
Computer Security Program
Security standards development
 Security testing
 Exploring new security technologies
 Assistance and guidance

November 9, 1999
10
Security Standards Development

Work with industry and government to develop
standards for computer security
–
–
–
–
–
Cryptography
Policies, management, and operational controls
Best practices
Common Criteria
Public Key Infrastructure (PKI)
November 9, 1999
11
Key Efforts -- Standards
 AES
 FIPS 46-3
 DSS Upgrade
 SHA-2
 FIPS 140-2
 X9.82
 Key Exchange
 ISO 15408
 IETF
 ISO 15292/15446
 FIPA
 PKI
November 9, 1999
Advanced Encryption Standard
Triple Data Encryption Standard (DES)
to include RSA, Elliptic Curve
Upgrade of SHA-1
Upgrade of 140-1
Random Number Generator
Key Exchange/Agreement Standard(s)
Common Criteria v.2
PKIX, IPSec, DNSSec, etc.
Protection Profile Registration and
Development Guidance
Foundation for Intelligent Physical Agents
Security Requirements for Certificate Issuing
and Management Components (CIMCs)
12
Security Testing
Develop the tests, tools, profiles, methods, and
implementations for timely, cost effective
evaluation and testing
 Validation

– Cryptographic Module Validation Program (CMVP)
– National Information Assurance Partnership (NIAP)

Conformance and interoperability testing
– MISPC
– IPv6 test resource
November 9, 1999
13
Key Efforts -- Testing











Crypto Module Validation Program
Algorithm Testing
Random Number Generator Testing
MISPC Testing
Certificate Authority Testing
Firewall Security & Evaluation Tests
Telecommunications Switch Security
Protection Profile Testing
Automated Test Development/Generation
Common Criteria Evaluation and Validation
Scheme
Laboratory Accreditation
November 9, 1999
14
Exploring New Security
Technologies
Identify and use emerging technologies,
especially infrastructure niches
 Develop prototypes, reference implementations,
and demonstrations
 Transition new technology and tools to public &
private sectors
 Advise Federal agencies

November 9, 1999
15
Key Efforts -- New Technologies
Role-Based Access Control
 Policy Management
 Intrusion Detection
 Mobile Agents
 Automated Security Test Generation
 IPSec/web interface testing
 Security Service Interfaces

November 9, 1999
16
Assistance and Guidance





Assist U.S. Government agencies and other users with
technical security and management issues
Assist in development of security infrastructures
Develop or point to cost-effective security guidance
Actively transfer security technology and guidance
from NIST to agencies/industry
Support agencies on specific security projects on a costreimbursable basis
November 9, 1999
17
Key Efforts -- Assistance and Guidance

NIST Special Publications:
– 800-18, “Guide for Developing Security Plans for Information Technology
Systems”
– 800-16, “Information Technology Security Training Requirements”
– “Guideline for Implementing Cryptography in the Federal Government”
(Forthcoming)
– “Security Incident Handling -- A Cooperative Approach”

ITL Bulletins (1999):
– November
– September
– August
– May
November 9, 1999
Intrusion Detection
Securing Web Servers
The Advanced Encryption Standard: A Status
Report
Computer Attacks: What They Are and How to Defend
Against Them
18
Agenda
Who we are
 Computer security program
 NIST partnerships
 Summary

November 9, 1999
19
In carrying out NIST’s programs,
we don’t work alone...
November 9, 1999
20
Federal
Agencies
IT
Industry
Testing
Labs
NIST
Outreach
Standards
Community
Academia
November 9, 1999
21
•ACM Workshops on Access Control
•Agency Assistance Federal Computer
Security Training Resource Center
•Best Practice Task Force
•CIO Council Security Privacy-Critical
Infrastructure
•Computer System Security & Privacy
Advisory
Board (CSSPAB)
•ANSI
Accredited
Standards Committee X9F3
•Critical
Infrastructure
Protection
•ANSI
X9.82
Random
Number
Generation
•American Bar Association
Information
Security
•Department
of
Justice
Executive
Advisory
Standard
Ctte
Team X9F, X9F1, X9F3
•ANSI
•Common
Criteria Mutual Recognition
•Director
Forum
of CIO Council
•ANSI-NCITS
Computer
Security
ArrangementT4
Management
Ctte
•DoC/CIO
Contingency
Planning
Affinity
Group
•Nat'l Committee
for Information
Technology
•Critical
Infrastructure
Coordination
Group
•FedCIRC
Partners
Standards,
Committee
T3-Open
Education &Technical
Awareness
Ctte
•Federal
Computer
Security
Program
Managers'
Distributed
Processing
•Federal
Public
Key Infrastructure Technical
Forum
•NIST-NSA
Technical Working Group
Working
Group
•CEAL:
aInformation
Cygnacom
Solutions
Laboratory
•Federal
Systems
Security Educators'
•IETF
S/MIME
V3 Working
Group
•Forum
•Critical
for
Infrastructure
Privacy
&
Security
Coordination
in
Group
•DOMUS
IT
Security
Laboratory,
A Healthcare
Division
of LGS
Association
(FISSEA)
•IETF
Public&Key
Infrastructure
Working Group
•Information
Education
Industry
Awareness
Group
Ctte
Group,
Inc.
•Federal
Key Infrastructure Steering
(PKIX) Public
•National
Colloquium
for
•InfoGard
Laboratories,
Inc.Information Systems
Committee
& Subgroups
•IETF
Internet
Protocol
Security (IPSEC)
Security Education (NCISSE)
•Forum
for
PrivacySecure
& Security
in (IPSP)
Healthcare
•Internet
Protocol
Policy
•National Science Foundation
Career
Proposal
•High
Performance
Computing
and
Internet
Protocol
Secure
Remote
Access
(IPSRA)
Review Panel
Communications
•ISO/Internat'l
Electrotechnical
Commission
Joint
•Nat'l
Ctte for Information
Technology
Standards,
•Information
Industry Group
Technical
Committee
1
T3-Open Distributed Processing
•INFOSEC
Research
Council
•ISO
JTCI Security
SC27
Computer
Security
•Network
Information
Exchange
•National
Colloquium
for
Information
Systems
•Smart Card
Card Security
Security Users
Users Group
Group
•Smart
Security Education (NCISSE)
•Steering Ctte Member of ACM Workshop on
•National Science Foundation Career Proposal
Access Control
Review Panel
•National Security Telecommunications &
Information
Systems Security Committee (NSTISSC)
•Network Security Information Exchange
•NIST-NSA Technical Working Group
•Open Source Security Working Group
•Smart Card Security Users Group
Key Theme: Improving Security Products
How we improve security
through standards and testing
November 9, 1999
22
Develop security
standards
Therefore…
Security is
Improved!
Test products against
security standards
Identify needs for security standards
- industry and government
Users get more
secure products
November 9, 1999
Vendors improve
products
23
Agenda
Who we are
 Computer security program
 NIST partnerships
 Summary

November 9, 1999
24
Summary & Conclusions
NIST is improving security by:
 Raising awareness of the need for cost-effective security
 Engaging in key U.S. voluntary standards activities
 Developing standards and guidelines to secure Federal
systems (often adopted voluntarily by private sector)
– Cryptographic algorithms
– Policy, management, operations, and best practices guidance
– PKI

Providing National leadership role for security testing and
evaluation
– Cryptographic Module Validation Program
– National Information Assurance Partnership
November 9, 1999
25
Yet,
there is more
we could do...
November 9, 1999
26
President’s 9/99 Proposal for
Increasing NIST CIP Activities

Establish an Expert Review Team at NIST
– Assist Government-wide agencies in adhering to
Federal computer security requirements
– Director to consult with OMB and NSC on plans to
protect and enhance computer security for Federal
agencies

Fund a permanent 15-member team responsible
for
– Helping agencies identify vulnerabilities
– Plan secure systems, and 27implement CIP plans
November 9, 1999
President’s 9/99 Proposal for Increasing
NIST CIP Activities (Concluded)

Establish an operational fund at NIST for
computer security projects among Federal
agencies
– Independent vulnerability assessments
– Computer intrusion drills
– Emergency funds to cover security fixes for systems
identified to have unacceptable security risks
November 9, 1999
28
Questions?
November 9, 1999
29
Related documents
Florida Information Technology Resource Security Policies and
Florida Information Technology Resource Security Policies and
Section_02_Rev7-03.doc
Section_02_Rev7-03.doc
Risk is the net negative impact of the exercise of a vulnerability
Risk is the net negative impact of the exercise of a vulnerability
National Institute of Standards and Technology NIST Assets Include:
National Institute of Standards and Technology NIST Assets Include:
EE426: Fundamentals of Instrumentation Problem Set 1
EE426: Fundamentals of Instrumentation Problem Set 1
Chapter1a
Chapter1a
Shomate equation
Shomate equation
Download
advertisement