protecting the nation s critical assets in the 21st
play

Protecting the Nations Critical Assets in the 21st Century Dr. Ron - PowerPoint PPT Presentation

Nov 01, 2023 •265 likes •506 views

Protecting the Nations Critical Assets in the 21st Century Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY OPM. Anthem BCBS. Ashley Madison. NATIONAL INSTITUTE OF

  1. Protecting the Nation’s Critical Assets in the 21st Century Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  2. OPM. Anthem BCBS. Ashley Madison. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

  3. Houston, we have a problem. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  4. Complexity. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

  5. Sharks and glaciers. HARDWARE FIRMWARE SYSTEMS SOFTWARE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

  6. The n+1 vulnerabilities problem. 2013 Defense Science Board Study http://www.acq.osd.mil/dsb/reports/2010s/ResilientMilitarySystemsCyberThreat.pdf NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  7. Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach. Security Architecture and Design Harden the Limit damage System target to the target Achieving Trustworthiness and Resiliency Make the target survivable NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  8. TACIT Security ▪ T hreat MERRIAM - WEBSTER DICTIONARY ▪ A ssets tac . it adjective : expressed or understood ▪ C omplexity without being directly stated ▪ I ntegration ▪ T rustworthiness NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

  9. Threat ▪ Develop a better understanding of the modern threat space , including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities. ▪ Obtain threat data from as many sources as possible. ▪ Include external and insider threat analysis. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

  10. Assets ▪ Conduct a comprehensive criticality analysis of organizational assets including information and information systems. ▪ Focus on mission/business impact. ▪ Use triage concept to segregate assets by criticality. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

  11. Complexity ▪ Reduce the complexity of the information technology infrastructure including IT component products and information systems. ▪ Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure. ▪ Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

  12. Integration ▪ Integrate information security requirements and the security expertise of individuals into organizational development and management processes . ▪ Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes. ▪ Coordinate security requirements with mission/business owners; become key stakeholders. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

  13. Trustworthiness ▪ Invest in more trustworthy and resilient information systems supporting organizational missions and business functions. ▪ Isolate critical assets into separate enclaves. ▪ Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege). NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

  14. Risk assessment. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

  15. Assets and consequences. Criticality Analysis. Identification of High Value Assets. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

  16. Engineer up. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

  17. Immediate Action Plan and Resources ▪ Conduct threat and vulnerability assessments. ▪ United States Computer Emergency Readiness Team ▪ https://www.us-cert.gov ▪ Conduct criticality analysis of information assets. ▪ FIPS Publication 199 ▪ http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf ▪ Reduce complexity of IT infrastructure. ▪ Federal Enterprise Architecture Initiative ▪ https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/co mmon_approach_to_federal_ea.pdf ▪ Invest in trustworthy IT components and systems. ▪ DHS Software and Supply Chain Assurance ▪ https://buildsecurityin.us-cert.gov/swa NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

  18. Important NIST Security and Privacy Pubs ▪ Cybersecurity Framework ▪ NIST Special Publication 800-53, Revision 5 Security and Privacy Controls for Information Systems and Organizations ▪ NIST Special Publication 800-37, Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy ▪ NIST Special Publication 800-160 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems ▪ NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

  19. Some final thoughts. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

  20. Institutionalize. The ultimate objective for security. Operationalize. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  21. Leadership. Governance. Accountability. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  22. Government Academia Security is a team sport. Industry NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

  23. Ron Ross 100 Bureau Drive Mailstop 7730 Gaithersburg, MD USA 20899-7730 Email Mobile ron.ross@nist.gov (301) 651.5083 LinkedIn Twitter www.linkedin.com/in/ronross-cybersecurity @ronrossecure Web Comments csrc.nist.gov sec-cert@nist.gov We are here to help you be more secure… NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Machine Safety Protecting your Most Valuable Assets Putting Performance in the Hands of Your

Machine Safety Protecting your Most Valuable Assets Putting Performance in the Hands of Your

Machine Safety Protecting your Most Valuable Assets Putting Performance in the Hands of Your People Agenda Safety Protecting Your Assets Roadmap to Machine Safety Global CPG Case Study How do you define Safety Define Safety

998 views • 35 slides
Physical and Environmental Security MIS 5206 Protecting Information Assets MIS5206 Week 7

Physical and Environmental Security MIS 5206 Protecting Information Assets MIS5206 Week 7

Protecting Information Assets - Week 7 - Physical and Environmental Security MIS 5206 Protecting Information Assets MIS5206 Week 7 Physical and Environmental Security Test Taking Tip Quiz MIS 5206 Protecting Information Assets

577 views • 34 slides
Protecting Your Identity, Data, and Assets 1 Its Not a Matter of If, but When 17.6

Protecting Your Identity, Data, and Assets 1 Its Not a Matter of If, but When 17.6

Protecting Your Identity, Data, and Assets 1 Its Not a Matter of If, but When 17.6 million 63% Identity fraud is a serious issue. people experienced of confirmed data Fraudsters have identity theft in 2014 breaches involved stolen

605 views • 29 slides
Gray is the New Green : Strengthening Vulnerable Communities, Protecting Limited Assets and

Gray is the New Green : Strengthening Vulnerable Communities, Protecting Limited Assets and

Gray is the New Green : Strengthening Vulnerable Communities, Protecting Limited Assets and Preventing Elder Financial Abuse AGING I IN CAL ALIFORNIA DEMOGRA RAPHIC ICS FINA NANCIAL VULN VULNERABILITY LONG-TERM C ERM CARE S E SERVICES

365 views • 9 slides
Training Assisting the courts in protecting our most vulnerable citizens and their assets.

Training Assisting the courts in protecting our most vulnerable citizens and their assets.

Texas Guardianship Registration and Training Assisting the courts in protecting our most vulnerable citizens and their assets. OFFICE of COURT ADMINISTRATION Judicial Branch Certification Commission (JBCC) JBCC Overview Registrations

298 views • 17 slides
Protecting Your Assets: Results and Recommendations from a Student-led Security Assessment

Protecting Your Assets: Results and Recommendations from a Student-led Security Assessment

Protecting Your Assets: Results and Recommendations from a Student-led Security Assessment BRADLEY RED TEAM ForenSecure 17 April 27, 2017 ENTREPRENEURSHIP EXPERIENTIAL COLLABORATIVE LEARNING GLOBALIZATION LEARNING LEADERSHIP

146 views • 12 slides
and Protecting Assets Information Technology Manager - Redstone Arsenal 15,000 users

and Protecting Assets Information Technology Manager - Redstone Arsenal 15,000 users

Cyber Theft and Protecting Assets Information Technology Manager - Redstone Arsenal 15,000 users Technology and Digital Forensics Counter Drug Agency (Army) Canfield Computer Solutions since 1995 Network and workstation

339 views • 4 slides
Protecting our Local Liquid Assets Rideau Valley Conservation Authority March 21, 2013 Protecting

Protecting our Local Liquid Assets Rideau Valley Conservation Authority March 21, 2013 Protecting

Protecting our Local Liquid Assets Rideau Valley Conservation Authority March 21, 2013 Protecting Watersheds Ontarios Watersheds Eastern Ontario Our Watershed Rideau River Watershed Ottawa Ottawa River West River East Jock River

387 views • 16 slides
Protecting Business Assets From Creditors in Litigation: Strategic Choice of Entities, Avoiding

Protecting Business Assets From Creditors in Litigation: Strategic Choice of Entities, Avoiding

Presenting a live 90-minute webinar with interactive Q&A Protecting Business Assets From Creditors in Litigation: Strategic Choice of Entities, Avoiding Fraudulent Transfers TUESDAY, JULY 21, 2015 1pm Eastern | 12pm Central | 11am

452 views • 28 slides
Information for Action Protecting the Health of the Nation Cliff Lake 23 May 2018 About PHE 2

Information for Action Protecting the Health of the Nation Cliff Lake 23 May 2018 About PHE 2

Information for Action Protecting the Health of the Nation Cliff Lake 23 May 2018 About PHE 2 About PHE Public Health England is an Executive Agency of the Department of Health and Social Care and is the authoritative voice on all public

308 views • 26 slides
Protecting valuable assets around the world METALIZING - LONG TERM CORROSION CONTROL SAVINGS IN

Protecting valuable assets around the world METALIZING - LONG TERM CORROSION CONTROL SAVINGS IN

Protecting valuable assets around the world METALIZING - LONG TERM CORROSION CONTROL SAVINGS IN MATERIAL, LABOR, AND MAINTENANCE COSTS www. metalize.net Quality assurance measures are taken in accordance with SSPC-CS23.00 / AWS C2.23M / NACE

713 views • 34 slides
This presentation provides an overview of the Victorian Auditor Generals report Protecting

This presentation provides an overview of the Victorian Auditor Generals report Protecting

This presentation provides an overview of the Victorian Auditor Generals report Protecting Victorias Coastal Assets. Built and natural coastal assets provide important services to Victorias environment, economy and community. They also

505 views • 13 slides
Dreaming About Jewish Peoplehood A Critical Exploration of Jewish Identity in the 21st Century

Dreaming About Jewish Peoplehood A Critical Exploration of Jewish Identity in the 21st Century

Dreaming About Jewish Peoplehood A Critical Exploration of Jewish Identity in the 21st Century Rabbi Talia Avnon-Benveniste . airb & b's #WeAccept campaign. Super Bowl 2017 What qualities do I preserve? How many can fit in one jar? How

241 views • 11 slides
Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani

Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani

Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani Officer-In-Charge, Computer Emergency Response Team of Mauritius (CERT-MU) Presentation Outline What CERT-MU does? Critical Infrastructures

604 views • 32 slides
Transforming Victorian assets to deliver water through the 21st century Upgrades of Sunderland

Transforming Victorian assets to deliver water through the 21st century Upgrades of Sunderland

Transforming Victorian assets to deliver water through the 21st century Upgrades of Sunderland Groundwater Stations Susan Robinson CEng, CEnv, FIMechE, FCIWEM woodplc.com Associate Director Wood plc Groundwater stations 21 st century

131 views • 9 slides
Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018

Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018

Helping Businesses Grow & Succeed Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018 BYTE-SIZE: The Small Business Cybersecurity Program of the FSBDC Network This presentation is a companion to

573 views • 55 slides
Building a Culture of Security Agenda What is a Culture of Security? Regulatory

Building a Culture of Security Agenda What is a Culture of Security? Regulatory

Building a Culture of Security Agenda What is a Culture of Security? Regulatory Requirements Cyber Hygiene How to Develop a Culture of Security What is a Culture of Security A set of values, shared by everyone in an

350 views • 11 slides
Using Efficient Access Control To Protect Multi-Task Execution LI Yan Background Background

Using Efficient Access Control To Protect Multi-Task Execution LI Yan Background Background

Using Efficient Access Control To Protect Multi-Task Execution LI Yan Background Background Task an activity that needs to be accomplished by individual users or a team of users within a defined period of time Multi-task

743 views • 10 slides
Common Security Requirement Language for Procurements & Maintenance Contracts Julio

Common Security Requirement Language for Procurements & Maintenance Contracts Julio

Common Security Requirement Language for Procurements & Maintenance Contracts Julio Rodriguez Idaho National Laboratory National Cyber Security Division (NCSD) Control Systems Security Program (CSSP) December 8, 2006 1 Background

682 views • 13 slides
1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos

Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos

Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos National Laboratory LA-UR-17-27644 Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA A Cyber-Physical Model

837 views • 7 slides
Healthcare: Is the Cyber Threat Real? President Obama has identified cybersecurity as one of the

Healthcare: Is the Cyber Threat Real? President Obama has identified cybersecurity as one of the

Healthcare: Is the Cyber Threat Real? President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation..!Whitehouse.gov Dr. Emma Garrison-Alexander Vice Dean, Cybersecurity

355 views • 8 slides
Corporation $405,180,000* Subordinated Excise Tax Revenue & Revenue Refunding Bonds, Series

Corporation $405,180,000* Subordinated Excise Tax Revenue & Revenue Refunding Bonds, Series

City of Phoenix Civic Improvement Corporation $405,180,000* Subordinated Excise Tax Revenue & Revenue Refunding Bonds, Series 2020 Subordinated Excise Tax Subordinated Excise Tax Subordinated Excise Tax Revenue Bonds Revenue Bonds

447 views • 26 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides

More recommend