Protecting the Nation's Critical Assets in the 21st Century - Dr. Ron Ross - PowerPoint PPT Presentation



SLIDE 1

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Protecting the Nation’s Critical Assets in the 21st Century

  • Dr. Ron Ross

Computer Security Division Information Technology Laboratory

SLIDE 2

OPM. Anthem BCBS. Ashley Madison.

SLIDE 3

Houston, we have a problem.

SLIDE 4

Complexity.

SLIDE 5

Sharks and glaciers.

SOFTWARE FIRMWARE HARDWARE SYSTEMS

SLIDE 6

The n+1 vulnerabilities problem.

2013 Defense Science Board Study

http://www.acq.osd.mil/dsb/reports/2010s/ResilientMilitarySystemsCyberThreat.pdf

SLIDE 7

System

▪ Harden the target
▪ Limit damage to the target
▪ Make the target survivable

Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach.

Security Architecture and Design: Achieving Trustworthiness and Resiliency

SLIDE 8

▪ Threat ▪ Assets ▪ Complexity ▪ Integration ▪ Trustworthiness

TACIT Security

MERRIAM-WEBSTER DICTIONARY

tac·it, adjective: expressed or understood without being directly stated

SLIDE 9

Threat

▪ Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.

▪ Obtain threat data from as many sources as possible.

▪ Include external and insider threat analysis.

SLIDE 10

Assets

▪ Conduct a comprehensive criticality analysis of organizational assets including information and information systems.

▪ Focus on mission/business impact.

▪ Use triage concept to segregate assets by criticality.

SLIDE 11

Complexity

▪ Reduce the complexity of the information technology infrastructure including IT component products and information systems.

▪ Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.

▪ Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.

SLIDE 12

Integration

▪ Integrate information security requirements and the security expertise of individuals into organizational development and management processes.

▪ Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.

▪ Coordinate security requirements with mission/business owners; become key stakeholders.

SLIDE 13

Trustworthiness

▪ Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.

▪ Isolate critical assets into separate enclaves.

▪ Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege).

SLIDE 14

Risk assessment.

SLIDE 15

Assets and consequences.

Criticality Analysis.

Identification of High Value Assets.

SLIDE 16

Engineer up.

SLIDE 17

▪ Conduct threat and vulnerability assessments.
  ▪ United States Computer Emergency Readiness Team: https://www.us-cert.gov

▪ Conduct criticality analysis of information assets.
  ▪ FIPS Publication 199: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

▪ Reduce complexity of IT infrastructure.
  ▪ Federal Enterprise Architecture Initiative: https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/common_approach_to_federal_ea.pdf

▪ Invest in trustworthy IT components and systems.
  ▪ DHS Software and Supply Chain Assurance: https://buildsecurityin.us-cert.gov/swa

Immediate Action Plan and Resources
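The deck recommends a FIPS 199 criticality analysis (this slide) and a triage that segregates assets by criticality so the high value assets can be isolated in their own enclaves (slides 10 and 13). The following is an added example, not code from the presentation or from NIST: it applies the FIPS 199 security category notation SC = {(confidentiality, impact), (integrity, impact), (availability, impact)} to a constructed asset inventory, derives each system's category as the high-water mark across the information types it hosts (the FIPS 199 rule, with the special case that N/A is allowed only for an information type's confidentiality and a system is floored at LOW), takes the overall impact level as the high-water mark across the three objectives (the rule FIPS 200 and SP 800-53 use to pick a control baseline), and triages systems into HIGH, MODERATE and LOW tiers. The systems and information types in INVENTORY are made up for illustration.

```python
"""FIPS 199 style security categorization and criticality triage.

Added example (not from the slide deck or from NIST). The inventory below
is constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# FIPS 199 potential impact values, lowest to highest. "N/A" is permitted only
# for the confidentiality of an information type (e.g. public information);
# a system always carries at least LOW for every objective.
IMPACT_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        """Validated impact value for one security objective."""
        value = getattr(self, objective).upper()
        if value not in IMPACT_RANK:
            raise ValueError(f"{self.name}: unknown impact {value!r}")
        if value == "N/A" and objective != "confidentiality":
            raise ValueError(f"{self.name}: N/A is only valid for confidentiality")
        return value


@dataclass
class System:
    name: str
    information_types: List[InformationType] = field(default_factory=list)


def high_water_mark(values: Iterable[str]) -> str:
    """Highest impact value among the given impact strings."""
    return max(values, key=IMPACT_RANK.__getitem__)


def categorize_system(system: System) -> Dict[str, str]:
    """FIPS 199 system categorization: for each objective, the high-water mark
    across every information type on the system, floored at LOW."""
    if not system.information_types:
        raise ValueError(f"{system.name}: no information types assigned")
    sc = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(t.impact(objective) for t in system.information_types)
        sc[objective] = "LOW" if hwm == "N/A" else hwm
    return sc


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall impact level: high-water mark across the three objectives
    (the FIPS 200 / SP 800-53 rule for selecting a control baseline)."""
    return high_water_mark(sc[o] for o in OBJECTIVES)


def format_sc(system_name: str, sc: Dict[str, str]) -> str:
    """Render the category in FIPS 199 notation."""
    return (f"SC {system_name} = {{(confidentiality, {sc['confidentiality']}), "
            f"(integrity, {sc['integrity']}), (availability, {sc['availability']})}}")


def triage(systems: List[System]) -> Dict[str, List[str]]:
    """Segregate systems by criticality. The HIGH tier is the set of high value
    assets that the deck says belong in a separate enclave."""
    tiers: Dict[str, List[str]] = {"HIGH": [], "MODERATE": [], "LOW": []}
    for s in systems:
        tiers[overall_impact(categorize_system(s))].append(s.name)
    return tiers


# Constructed sample inventory (hypothetical systems, not real ones).
INVENTORY = [
    System("public-website", [
        InformationType("press releases", "N/A", "MODERATE", "LOW"),
    ]),
    System("hr-portal", [
        InformationType("employee PII", "MODERATE", "MODERATE", "LOW"),
        InformationType("payroll", "MODERATE", "HIGH", "MODERATE"),
    ]),
    System("scada-gateway", [
        InformationType("control setpoints", "LOW", "HIGH", "HIGH"),
    ]),
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(format_sc(s.name, categorize_system(s)))
    for tier, names in triage(INVENTORY).items():
        print(f"{tier:8s} -> {', '.join(names) or '(none)'}")
```

Note that a single HIGH-integrity information type (payroll) lifts the whole hr-portal into the HIGH tier even though its confidentiality is only MODERATE: that is the high-water mark working as intended, and it is why the triage should be done per system rather than per data set when deciding what to isolate.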

SLIDE 18

▪ Cybersecurity Framework

▪ NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations

▪ NIST Special Publication 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

▪ NIST Special Publication 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

▪ NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Important NIST Security and Privacy Pubs

SLIDE 19

Some final thoughts.

SLIDE 20

Institutionalize.

The ultimate objective for security.

Operationalize.

SLIDE 21

Leadership. Governance. Accountability.

SLIDE 22

Security is a team sport.

Industry Government Academia

SLIDE 23

Ron Ross

100 Bureau Drive, Mailstop 7730, Gaithersburg, MD USA 20899-7730

Email: ron.ross@nist.gov
Mobile: (301) 651.5083
LinkedIn: www.linkedin.com/in/ronross-cybersecurity
Twitter: @ronrossecure
Web: csrc.nist.gov
Comments: sec-cert@nist.gov

We are here to help you be more secure…