Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Dr. Ron Ross, Fellow, National Institute of Standards and Technology

advertisement 
NDIA Cyber Security Symposium
The National Conversation No One Wants to Have
A New Paradigm for Cyber Resiliency
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
1
First, an easy risk management
problem.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
2
Risk.
Function (threat, vulnerability, impact, likelihood)
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
3
The unlikely
threat.
Hi. I’m Sophie.
Welcome to the NDIA Cyber
Security Symposium!
Our three-year old
adopted pit bull.
Cute.
Lovable.
Smart.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
4
The vulnerability.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
5
The impact.
100%
and the
likelihood?.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
6
And now, a more difficult problem.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
7
The computer…
driven by firmware
and software.
Critical missions and business functions
are at risk — affecting national and economic
security interests of the United States…
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
8
 We are vulnerable because our
information technology is fragile and
susceptible to a wide range of threats
including:




natural disasters.
structural failures.
cyber attacks.
errors.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
9
Advanced Persistent Threat
An adversary that —
 Possesses significant levels of expertise / resources.
 Creates opportunities to achieve its objectives by using
multiple attack vectors (e.g., cyber, physical, deception).
 Establishes footholds within IT infrastructure of targeted
organizations:
 To exfiltrate information.
 To undermine / impede critical aspects of a mission, program, or
organization.
 To position itself to carry out these objectives in the future.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
10
Classes of Vulnerabilities
A 2013 Defense Science Board Report described—
 Tier 1: Known vulnerabilities.
 Tier 2: Unknown vulnerabilities (zero-day exploits).
 Tier 3: Adversary-created vulnerabilities (APT).
A significant number of vulnerabilities
are “off the radar”
of many organizations…
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
11
Good cyber hygiene
is necessary…
But not sufficient.
Which Road to Follow?
You can’t count, configure, or patch your way
out of this problem space.
Difficult decisions ahead.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
12
The hard cybersecurity problems are
buried below the water line…
In the hardware, software, and firmware.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
13
Complexity.
An adversary’s most effective weapon
in the 21st century.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
14
When culture clashes with science…
Science wins.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
15
Weinberg's Second Law
“If builders built buildings the way
programmers wrote programs, then
the first woodpecker that came
along would destroy civilization.”
-- The Psychology of Computer Programming (1971)
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
.
16
Estimating Number of Vulnerabilities
Alhazmi and
others estimate
that between 1%
and 5% of flaws
are security
vulnerabilities.
Source: Software Assessments, Benchmarks, and Best Practices, C. Jones.
Source: Security Vulnerabilities in Software Systems - A Quantitative Perspective, O.H. Alhazmi.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
17
Heartbleed and Shellshock should be
a wake up call.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
18
The argument for building stronger, more resilient
information systems…
Software assurance.
Systems security engineering.
Supply chain risk management.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
19
For bridge builders, it's all about
physics—
Equilibrium, static and dynamic
loads, vibrations, and resonance.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
20
For information system developers, it's all about
mathematics, computer science, architecture, and
systems engineering—
Trustworthiness, assurance, penetration resistance
and resilience.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
21
Getting the attention of the C-Suite.
The elevator speech for cybersecurity
requires a tall building.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
22
TACIT Security
 Threat
 Assets
 Complexity
MERRIAM-WEBSTER DICTIONARY
tac.it adjective
: expressed or understood
without being directly stated
 Integration
 Trustworthiness
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
23
Threat
 Develop a better understanding of the modern
threat space, including the capability of adversaries
to launch sophisticated, targeted cyber-attacks that
exploit specific organizational vulnerabilities.
 Obtain threat data from as many sources as possible.
 Include external and insider threat analysis.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
24
Assets
 Conduct a comprehensive criticality analysis of
organizational assets including information and
information systems.
 Focus on mission/business impact.
 Use triage concept to segregate assets by criticality.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
25
Complexity
 Reduce the complexity of the information technology
infrastructure including IT component products and
information systems.
 Employ enterprise architecture to consolidate, optimize,
and standardize the IT infrastructure.
 Adopt cloud computing architectures to reduce the number
of IT assets through on-demand provisioning of services.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
26
Integration
 Integrate information security requirements and the
security expertise of individuals into organizational
development and management processes.
 Coordinate security requirements with mission/business
owners; become key stakeholders.
 Embed security personnel into enterprise architecture,
systems engineering, SDLC, and acquisition processes.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
27
Trustworthiness
 Invest in more trustworthy and resilient information
systems supporting organizational missions and
business functions.
 Isolate critical assets into separate enclaves.
 Implement solutions using modular design, layered
defenses, component isolation.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
28
The road ahead.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
29
Security should be a by-product
of good design and development
practices.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
30
On the Horizon…
NIST Special Publication 800-160
Systems Security Engineering
An Integrated Approach to Building Trustworthy
Resilient Systems
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
31
First Objective
 Provide a comprehensive statement of the systems
security engineering discipline —
 its principles, concepts, and activities.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
32
Second Objective
 Foster a common mindset to deliver security for any
system, regardless of —
 its scope, size, complexity, or system life cycle stage.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
33
Third Objective
 Demonstrate how systems security engineering
processes —
 can be effectively integrated into systems
engineering processes.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
34
Building on International Standards
 Stakeholder requirements definition.
 Requirements analysis.
 Architectural design.
 Implementation.
Integrating the RMF and security
 Integration.
concepts, principles, and best
practices into IEEE/ISO/IEC 15288
 Verification.
 Transition.
Systems and software engineering
— System life cycle processes
 Validation.
 Operation.
 Maintenance.
 Disposal.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
35
A Winning Strategy
THREAT
“Build It Right”
Systems Engineering
Software Assurance
System Life Cycle
Testing/Evaluation
Trustworthiness
Resiliency
Design
Architecture
Acquisition
Secure Coding
Static Code Analysis
Systems Integration
Systems Security Engineering
“Continuously Monitor”
A two-pronged attack
on the threat space
Critical Missions
and Business
Functions
Security Configurations
Ongoing Authorization
Separation of Duties
Software Patching
Traffic Analyses
Security State
Asset Inventory
Network Sensors
Incident Response
Threat Assessment
Situational Awareness
Administrative Privileges
Vulnerability Assessment
Foundation of IT Components, Systems, Services
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
36
Some final thoughts.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
37
Cybersecurity is the great challenge
of the 21st century.
Cybersecurity problems are hard—
not easy.
Are we prepared to do the heavy lifting?
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
38
Necessary and Sufficient Security Solutions…
Cyber Security
Hygiene
COUNTING, CONFIGURING,
AND PATCHING IT ASSETS
Strengthening
the IT Infrastructure
SYSTEM/SECURITY ENGINEERING,
ARCHITECTURE, AND RESILIENCY
Has your organization achieved the appropriate balance?
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
39
Government
Academia
The essential partnership.
Industry
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
40
Immediate Action Plan and Resources
 Conduct threat and vulnerability assessments.
 United States Computer Emergency Readiness Team
 https://www.us-cert.gov
 Conduct criticality analysis of information assets.
 FIPS Publication 199
 http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
 Reduce complexity of IT infrastructure.
 Federal Enterprise Architecture Initiative
 http://www.whitehouse.gov/omb/e-gov/fea
 Invest in trustworthy IT components and systems.
 DHS Software and Supply Chain Assurance
 https://buildsecurityin.us-cert.gov/swa
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
41
The clock is ticking—
the time to act is now.
Failure is not an option…
when freedom and economic
prosperity are at stake.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
42
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
43
Contact Information
100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Leader
Administrative Support
Dr. Ron Ross
(301) 975-5390
ron.ross@nist.gov
Peggy Himes
(301) 975-2489
peggy.himes@nist.gov
LinkedIn
http://www.linkedin.com/in/ronrossnist
Senior Information Security Researchers and Technical Support
Pat Toth
(301) 975-5140
patricia.toth@nist.gov
Kelley Dempsey
(301) 975-2827
kelley.dempsey@nist.gov
Web: csrc.nist.gov
Comments: sec-cert@nist.gov
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
44
Related documents
Section 3 Directives & Best Practices
Section 3 Directives & Best Practices
Managing Security Risk Object Management Group Technical Meeting
Managing Security Risk Object Management Group Technical Meeting
8_Bay - CSIAC Cyber metrics
8_Bay - CSIAC Cyber metrics
Cyber-Security Awareness PowerPoint
Cyber-Security Awareness PowerPoint
Session confirmation form
Session confirmation form
Stress Management - Dr. Fayose
Stress Management - Dr. Fayose
Automated Security Testing with Formal Threat Models
Automated Security Testing with Formal Threat Models
Jing_Zhang
Jing_Zhang
Topics - tri
Topics - tri
The foremost goal of the information security function should be to
The foremost goal of the information security function should be to
NIST 800-30 Risk Assessment Steps
NIST 800-30 Risk Assessment Steps
Download
advertisement