Cyber Policy – Thoughts and Metaphors
Ivan Garcia
COLSA Corporation
Huntsville, AL
Chief Technical Officer
(Ex-Cyber VP)
igarcia@colsa.com
256-964-5301
Your Data
Your Customers' Data
Your Liability
Vault History
Notice the “Day Gate”…a form of layered defense
Bank Vaults offer a good framework to discuss Cyber Security and Policy
Vault History
Recent Vault Arms-Race
• Linus Yale invented the modern combination lock in 1861
– But burglars learned to drill holes, use mirrors to break in, or… kidnap the bank manager
• James Sargent (ex-employee of Yale) added the timer mechanism: the door could only be opened at certain times
– Defeated the drilling approach, and kidnapping only worked if you were willing to open the safe at certain times
– Thieves developed tools to pry a small crack in the safe and place gunpowder to blast open the safe
• Vault designers protected against this by developing specialized grooves
– Liquid nitrogen was poured into the grooves and thieves were back in business
• So it started an escalation of thicker walls with new materials that were several feet thick
– A cutting torch could melt through this
• Copper layer to dissipate the heat
• Heat sensors
• Motion detectors
Physical vs. Cyber Domain
Vault UL Standards
• Defines equipment to be used
• Defines the ‘breach’ time
• Explicitly states what conditions this standard will not apply to (explosives or cutting torch)
• Defines related standards such as ‘lock picking’, time lock and other characteristics

UL-608 Burglary Resistant Modular Vaults and Vault Doors

Vault Rating    Time to Breach
Class M         15 minutes
Class I         30 minutes
Class II        60 minutes
Class III       120 minutes
Vaults Shifted to a Risk-Management Framework
Key Thoughts…
• We need to change our thinking about Cyber Security
• We need to learn from history… physical pen testing versus cyber
• You will be successfully attacked and compromised
– … or you may already have been and might not be aware of it
• It no longer takes a ‘nation state’ to compromise a sophisticated defense
– See Sony
Who Is After Us?
• Script kiddies
• Hackers
• Professionals
• Nation states
Easy Access to Sophisticated Malware
• There are several open toolkits to develop new ‘zero-day’ attacks
– New malware that can bypass signature detection
• These tools are easily used by minors without a college or professional education
• Stuxnet provided a robust professional framework for the community
– Weapons-grade cyber attack
The Bar has Been Significantly Lowered in the Past 5 Years
“Nation State” Level Tools are Available Today to Everyone
Insider Threat
• Attackers have shifted focus to the employees and home users
– Phishing
– Viruses
– Spyware
– Social Engineering
• Using Email, peer to peer, IM, web sites, software downloads
High Value Data
• Protected Health Information (PHI)
– First responders, Ambulatory services
• Personally Identifiable Information (PII)
– Citizen records, Utility and water records
– Criminal records, sheriff departments
• Credit card numbers
– Property tax payments
– Traffic and court fees
– Utility bills, water, power
– Vehicle registration
• Bank account / payroll information
Example (Target)
• Used weak security at HVAC company to get login name and password to Target
• Tested software November 15-28
• November 30 pushed to most POS terminals

[Figure: attack-flow diagram with nodes: Attackers, HVAC, Target Main Office, Malware, Memory, CC Reader, Encrypt and Verify, To drop sites]
Defense vs. Asymmetric Threat
• First, cyber security is an unfair war
– Defenders must be perfect
– Attackers only need to get it right once
– Law enforcement often cannot tell if something happened
• Let's look at where we are
– Prevention (defense)
– Detection
– Attribution
State of the Art in Defense
• Most organizations practice defense in depth
• However, we are still often just reacting to events
• Sometimes we don’t even know they are attacking
Attribution – Who Is It?
• Very hard problem
• Device attribution vs. people attribution
– Easier to identify a device than the person
– Often attacks come from places where information is hard to get
• Many technologies allow users to hide
– Proxy servers
– The Onion Router (TOR)
• Need forensics
– Network
– Computer
Principles of Information Security Management
• Include the following characteristics that will be the focus of the current course (six P’s):
– Planning
– Policy
– Programs
– Protection
– People
– Project Management
http://csrc.nist.gov/publications/PubsTC.html
Departing Thoughts
• We need to move away from the ‘gear-up’ mentality in cyber security
– You probably do not need any more defense ‘layers’ than a normal defensive posture
– Focus on process, review security logs and develop a proficient staff to do so at least daily
• Beware of insider threat… how would you distribute these tasks?
• Checking account… how often would you check your checking account for expected large transactions?
– Technology is not enough…
• We need to focus on regular reviews of our systems in light of the evolving threat
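The daily log review the slide calls for is a process, not a product, but a short script shows what that review actually looks for, in the spirit of the checking-account analogy (scan every day, flag what is unexpected). The example below is added here and is not part of the original deck or any COLSA tool; the log format, account names (including the third-party account "vendor-hvac"), addresses, baseline and business-hours window are all constructed for illustration.

```python
"""Daily review of authentication events (added example, constructed data).

Each log line has the constructed form
    '2014-01-20T02:13:44 user=<account> src=<ip> result=<success|failure>'
The review produces findings a reviewer should look at the same day:
  * a successful login from a source address not in the account's baseline
  * a successful login outside business hours
  * a run of failures followed by a success on the same account
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log for one day; accounts and addresses are made up.
SAMPLE_LOG = """\
2014-01-20T08:02:11 user=alice src=10.0.1.15 result=success
2014-01-20T08:05:43 user=bob src=10.0.1.22 result=success
2014-01-20T02:13:44 user=vendor-hvac src=198.51.100.7 result=success
2014-01-20T09:10:01 user=carol src=10.0.1.31 result=failure
2014-01-20T09:10:09 user=carol src=10.0.1.31 result=failure
2014-01-20T09:10:15 user=carol src=10.0.1.31 result=failure
2014-01-20T09:10:20 user=carol src=10.0.1.31 result=failure
2014-01-20T09:10:27 user=carol src=10.0.1.31 result=success
2014-01-20T13:40:00 user=alice src=10.0.1.15 result=success
"""

# Constructed baseline: the source addresses each account normally logs in from.
# In practice this is built from previous weeks of reviewed logs.
BASELINE = {
    "alice": {"10.0.1.15"},
    "bob": {"10.0.1.22"},
    "carol": {"10.0.1.31"},
    "vendor-hvac": {"203.0.113.40"},
}

BUSINESS_HOURS = (7, 19)   # 07:00 inclusive to 19:00 exclusive, local time
FAILURE_THRESHOLD = 3      # failures before a following success is flagged


def parse_line(line):
    """Split one constructed log line into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(ts_text)
    return record


def review(log_text, baseline, business_hours=BUSINESS_HOURS,
           failure_threshold=FAILURE_THRESHOLD):
    """Return a list of (finding_type, account, detail) tuples in time order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])   # logs are not always emitted in order
    findings = []
    failures = defaultdict(int)           # consecutive failures per account
    start, end = business_hours
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            failures[user] += 1
            continue
        # Successful login: compare against what is expected for this account.
        if e["src"] not in baseline.get(user, set()):
            findings.append(("new-source", user, e["src"]))
        if not (start <= e["ts"].hour < end):
            findings.append(("off-hours", user, e["ts"].isoformat()))
        if failures[user] >= failure_threshold:
            findings.append(("failures-then-success", user, failures[user]))
        failures[user] = 0                # success ends the failure run
    return findings


def summarize(findings):
    """Count findings by type so the reviewer can see the day's shape at a glance."""
    counts = defaultdict(int)
    for kind, _, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, account, detail in review(SAMPLE_LOG, BASELINE):
        print(f"{kind:24} {account:12} {detail}")
    print(summarize(review(SAMPLE_LOG, BASELINE)))
```

On the constructed sample the review raises three items: the third-party account logging in from an address outside its baseline, the same login happening at 02:13, and carol's four failures followed by a success. The baseline and the hours window are the two inputs a team has to maintain; splitting who maintains the baseline from who reads the findings is one way to address the "how would you distribute these tasks?" question above.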
NIST Risk Management Framework

[Figure: RMF cycle; steps listed below in cycle order, each with the NIST publications that apply to it]

Starting Point
• CATEGORIZE Information System (FIPS 199 / SP 800-60)
– Define criticality / sensitivity of information system according to potential impact of loss
• SELECT Security Controls (FIPS 200 / SP 800-53)
– Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate
• SUPPLEMENT Security Controls (SP 800-53 / SP 800-30)
– Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
• DOCUMENT Security Controls (SP 800-18)
– Document in the security plan the security requirements for the information system and the security controls planned or in place
• IMPLEMENT Security Controls (SP 800-70)
– Implement security controls; apply security configuration settings
• ASSESS Security Controls (SP 800-53A)
– Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
• AUTHORIZE Information System (SP 800-37)
– Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
• MONITOR Security Controls (SP 800-37 / SP 800-53A)
– Continuously track changes to the information system that may affect security controls and reassess control effectiveness