Post on 21-Dec-2015
Cyber Security Professionalism
Cyber Security Becomes a Profession: Navigating U.S. Sectoral Security
S.773 - the Current Impetus

Is “CyberSecurity” a Profession? What About “Risk Analysis”?
- Are these trick/gotcha questions? Maybe.
- Why... what is the dilemma? A long tradition of fields, disciplines and callings actively seeking the legitimacy of professional status, vs. once you’re a professional, public expectations hold your feet to the fire.
- What is the role of S.773 & S.778 in CyberSecurity professionalism?
What is a Profession?
- Traditionally only 3 professions: Divinity, Medicine, Law
- Persons/firms who supply specialized knowledge (subject, field, science) to fee-paying clients
- Also the body of qualified professional persons
- Derived from Latin professiō: to swear (an oath), avowal, public declaration
- Professional (adj.): behaves properly, not amateurish
- The oath dictates ethical standards, which usually include confidentiality, truthfulness, expertise, all for the client’s benefit; also upholding the profession’s good name
- EX: Architects, Accountants, Actuaries, Chiropractors, Clergy, Dentists, Engineers, Lawyers, Librarians, Nurses, Occupational/Physical Therapists, Pharmacists, Physicians, Professors/Teachers, Psychiatrists, Veterinarians
- (Cyber-)Security “Professionals” too?!?
Milestones towards Profession
- Full-time occupation
- Training & university instruction
- Accreditation of instruction & qualifications
- Associations: local, national, int’l
- Codes of conduct (govt & self-): ethics, professional responsibility, self-discipline
- Law/regulation compels professional status: licensure, certification
Characteristics of Most Professions
- Skill based on theoretical knowledge
- Professional associations
- Extensive period of education
- Testing of competence
- Institutional training (apprenticeship)
- Licensure/certification
- Work autonomy
- Code of professional conduct or ethics
- Self-regulation
- Self-discipline
- Public service and altruism (pro bono)
- Exclusion, monopoly & legal recognition
- Fee & advertising control
- High status & rewards
- Individual clients vs. in-house single client
- Legitimacy, legal authority over some activities
- Body of knowledge inaccessible to laity
- Professional interpretation required for body of knowledge
- Professional mobility
Is CNSSI a Professional Program?
- Ostensibly, but is it persistent?!?
- CNSS standards for training & education were embraced by 169 U.S. institutions
- Provides baseline for cadre of IA professionals
- Educational standards for IA professionals:
  - NSTISSI 4011 - Information Systems Security (INFOSEC) Professionals
  - CNSSI 4012 - Senior Systems Managers
  - CNSSI 4013 - System Administrators
  - CNSSI 4014 - Information Systems Security Officers
  - NSTISSI 4015 - System Certifiers
  - CNSSI 4016 - Risk Analyst
IT Governance Drives Professionalism
- “specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.”
- “the leadership and organizational structures and processes that ensure that [IT serves strategic objectives].”
- Corporate governance constraints; impact of law, regulators, security & privacy standards; SOX
- Implemented through: technology transfer agreements, private contracts, employment restrictions, IP constraints, eCommerce commercial practice
Standardization of Security Duties
- ISO 17799 (predecessor: BS 7799) & its progeny: now replaced by the ISO/IEC 27000 series
  - ISO 27001 Info. Security Mgt.
  - ISO 27002 Best Practices
- ISO 15408 Common Criteria: Computer Security
- PCI DSS payment card security
- COBIT (ISACA: Info. Sys. Audit & Control Assn)
- ITIL IT Infrastructure Library: IT Service Mgt
- NIST’s Fed. Info. Processing Stds
- Fair Information Practice Principles (FIPP): (1) Notice, (2) Choice, (3) Participation, (4) Security, (5) Redress
Why are Standards Important?
- Stds are emerging from obscurity
- More widely understood to impact most economic activity
- Increasingly viewed less as technically objective matters; more as arbitrary choices from among near-infinite alternatives
- Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms who participate most effectively
- Increasingly have a behavioral component
Why Standards Impact CyberSecurity Duties
- Stds created CyberSpace; consider: html, ftp, http, xml, 802.11
- Facilitates comparison, interoperability, competition
- Attracts investment in compatible technologies, products & services
- Standardization promises superior process design & best-practice integration
- Domain experts develop rather than meddlers
- Standards reduce risks of variety: incompatibility, incompetence
- Conformity assessment analyzes non-compliance risk, provides feedback, incentivizes compliance & improvement
Risks of Security Standardization
- General disadvantages of standardization: lock in old/obsolete technology; resists favorable evolution or adaptation; favors/disfavors particular groups
- Voluntary consensus is really a sub-optimal compromise that dictates too much design
- However, standardization risks stagnancy & communicates widespread vulnerability
Economic Analysis of Security
- The Law & Economics Approach: legal theory applies methods of economics to law; economic concepts explain effects of law/regulation; assesses efficient rules; predicts legal rules will/should be promulgated
- Micro-Economics Fundamentals: 1. Information asymmetries; 2. Market failure & its justification for alternative policies; 3. Adverse selection; 4. Moral hazard; 5. Positive vs. negative externalities; 6. Free rider & tragedy of the commons
- Game Theoretic Framework & Network Economics Approach: 1. Critical mass; 2. Network externality; 3. Vulnerability markets & disclosure incentive
Some Public Policies Pressing Security Duties
- Privacy law requires CyberSecurity: G/L/B, SourBox (a/k/a SOX), FCPA internal control
- The primary federal privacy regulator: FTC enforcement caselaw, deceptive trade practices
- State privacy & info security laws: CA state Privacy Czar; breach notification, see: Privacyrights.org; Mass., Nev. comprehensive regulations; tort liability for privacy violations
- HIPAA, now HITECH PHI std
- IA laws impact security duties: outsourcing (SAS 70); trade secrecy (IP) & national security; USA PATRIOT Act
- FTC privacy enforcement: common law history; Red Flags (best/worst practices), Disposal Rule, exposing then stamping out deception
Example of Security Complexity: the Purported IPAS Drivers
- PSU “Policies”: FN07, Credit Card Sales; AD11 - University Policy on Confidentiality of Student Records; AD19 - Use of Penn State Identifier and Social Security Number; AD20, Computer and Network Security; AD22 - Health Insurance Portability and Accountability Act (HIPAA); AD23, Use of Institutional Data; Trusted Network Specifications; AD35, University Archives and Records Management; AD53 - Privacy Statement
- Public policies: Health Insurance Portability and Accountability Act (HIPAA); Gramm-Leach-Bliley Act (G/L/B); Family Educational Rights and Privacy Act (FERPA); PA Breach of Personal Information Notification Act, 73 P.S. § 2301; PA Mental Health Law; 21 USC Ch. 16 - Drug Abuse Prevention, Treatment, & Rehab
What is Federal Pre-Emption?
- Only the most central institutional design feature in the whole “American Experience”; e.g., reaction to the English Crown, Articles of Confederation, Civil War, New Deal, Reagan’s New Federalism
- Fed. law may displace state law; EX: FDA labeling overrides state products liability
- Why would it be good to bar the states from regulating CyberSecurity?
- Why would it be good to include states in regulating CyberSecurity?
S.773 & S.778
- S.773 = Cyber Security Act of 2009
- Sponsor: John Rockefeller [D, WV] + 3 co-sponsors: Evan Bayh [D, IN], Bill Nelson [D, FL], Olympia Snowe [R, ME]
- S.773 bill actions: 4.1.09: introduced & read twice; referred to Commerce, Science & Transportation
- S.778: companion to S.773; creates White House Office of National Cybersecurity Advisor; authority/power: from S.773 & later legislation/delegation

Some S.773 & S.778 Provisions
- Raise CyberSecurity profile within Fed. Govt.
- Streamline cyber-related govt functions & authorities
- Establish: Office of the National CyberSecurity Advisor
- Develop CyberSecurity national strategy
- Quadrennial Cybersecurity Review, modeled after the DoD Quadrennial Defense Review, to examine cyber strategy, budget, plans & policies
- Require a threat & vulnerability assessment
- Promote public awareness
- Protect civil liberties
- Require comprehensive legal review

More S.773 & S.778 Provisions
- ISAC: pub-pvt clearinghouse for cyber threat & vulnerability info-sharing
- CyberSecurity Advisory Panel: industry, academia, not-for-profit, advocacy organizations review & advise President
- Establish enforceable cybersecurity standards: NIST to create measurable, auditable CyberSecurity stds
- Licensing & certification of CyberSecurity professionals
- Establish & negotiate international norms, cybersecurity deterrence measures
- Foster innovation and creativity in cybersecurity
- Scholarship-For-Cyber-Service program
- NSF: increase federal cybersecurity R&D
- Develop CyberSecurity risk evaluation framework
Probability of S.773 Passage
- Much proposed legislation is arguably political grandstanding, with scant probability of success
- Passage of any proposed legislation is uncertain
- Predictions based on heuristics of domain experts
- Few sectors reactive, most pro-active
- Limits of empirical approaches to prediction
- See: “Resume of Congressional Activity”: http://www.senate.gov/pagelayout/reference/two_column_table/Resumes.htm
  - 110th Cong. 1st Sess. (Jan. 4 - Dec. 31, 2007): 138 enacted / 9227 introduced = 1.5% yield
  - 110th Cong. 2nd Sess. (Jan. 3, 2008 - Jan. 2, 2009): 278 enacted / 4815 introduced = 5.8% yield
Security Risk Analysis is Sectoral
- Risk analysis differs by domain, just like U.S. privacy law, but not EU privacy law
- Major differences: physical vs. intangible security; most domains blend tangible w/ information
- Many key domains track critical infrastructures as defined in the USA PATRIOT Act’s CIPA §1016(e): “…systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
- Sectors: telecommunications; electrical power systems; gas & oil storage & transportation; banking & finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, & rescue); govt. continuity & CyberSpace
- Calls for a national effort to enhance modeling & analytical capacities: appropriate mechanisms to ensure the stability [of] complex & interdependent systems, [incl.] continuous viability & adequate protection of critical infrastructures
What is Shared Among these Vastly Different Sectors?
- Law permits/regulates risk analytics
- Quantitative: statistical, actuarial, mortality & morbidity, decision analysis, failure analysis
- Admissibility of forensic-quality expertise
- Qualitative: heuristic, visualization, interdependence risk assessment, education, demographics, risk recognition, emotion
Epilogue
- There is far more here than meets the eye!
- A website devoted to the developing public policy of cyber security professionalism: http://faculty.ist.psu.edu/bagby/SecurityProfessionalism/
- This IS interdisciplinary! Good luck w/o interdisciplinarity…
Financial Info Security Risks: SEC
- Financial institutions w/in SEC jurisdiction must adopt written policies & procedures, reasonably designed to: insure security & confidentiality of customer records; protect against anticipated threats or hazards; protect against unauthorized access or use that could result in substantial harm or inconvenience
- Disposal Rule: must properly dispose of PII using reasonable measures to protect against unauthorized access to or use of PII
Controls over Internal Risks
- COSO’s definition of internal control: “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in these categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.
- Components of internal control are: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring
GLB Safeguards Rule
- Financial institutions must design, implement and maintain safeguards; purpose: to protect private info
- Must implement a written information security program appropriate to the company's size & complexity, nature & scope of activities, & sensitivity of customer data
- Security program must also: assign one or more employees to oversee the program; conduct a risk assessment; put safeguards in place to control risks identified in the assessment, then regularly test & monitor them; require service providers, by written contract, to protect customers' personal information; & periodically update the security program
Admitting then Analyzing Outsourcing Risks
- Not outsourcing risks: internal failure; interdependency reduces (some) risks of conflict
- Outsourcing sacrifices monitoring, risking injury from diminished control
- Slipshod rush to outsource for $avings
- Cross-cultural ignorance obscures outsourcing vulnerabilities
- SAS 70 requires outsourcing risk analysis/mgt
- SLC negotiation opportunities to reduce risk
NIST Risk Mgt Method
- Asset valuation: information, software, personnel, hardware, & physical assets; intrinsic value & the near-term impacts & long-term consequences of its compromise
- Consequence assessment: degree of harm or consequence that could occur
- Threat identification: typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses
- Vulnerability analysis
- Safeguard analysis: any action that reduces an entity’s vulnerability to a threat; includes the examination of existing security measures & the identification of new safeguards
- Risk management requires risk analysis, analyzed in terms of missing safeguards: “The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events” (NIST, 1995 @59)
NIST Risk Mgt Method (figure; source: NIST Handbook)
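The slides above list the method's steps but not how they combine; the following is an added example (not from the slides or the NIST Handbook) that walks an asset inventory through asset valuation, threat identification and safeguard analysis, and ranks risk in terms of missing safeguards. The 1..5 scales, the threat-to-safeguard map, the likelihoods and the scoring formula are assumptions made for this example.

```python
from dataclasses import dataclass
# Constructed illustration of the slide's steps (asset valuation, threat identification,
# safeguard analysis); scales, threat-to-safeguard map and formula are assumptions, not NIST's.
SAFEGUARDS_FOR_THREAT = {            # expected safeguards per "typical threat"
    "error": {"change control", "offsite backup"},
    "fraud": {"segregation of duties", "audit logging"},
    "disgruntled employee": {"least privilege", "access review"},
    "fire": {"fire suppression", "offsite backup"},
    "water damage": {"raised floor", "offsite backup"},
    "hacker": {"patching", "firewall", "mfa"},
    "virus": {"antivirus", "patching"},
}

@dataclass
class Asset:
    name: str
    kind: str                   # information, software, personnel, hardware, physical
    intrinsic_value: int        # 1..5
    near_term_impact: int       # 1..5, near-term impact of compromise
    long_term_consequence: int  # 1..5, long-term consequence of compromise
    safeguards: set             # security measures already in place

def asset_valuation(asset):
    # Asset valuation: intrinsic value plus the impacts of compromise (3..15).
    return asset.intrinsic_value + asset.near_term_impact + asset.long_term_consequence

def missing_safeguards(asset, threat):
    # Safeguard analysis: expected safeguards this asset lacks against the threat.
    return sorted(SAFEGUARDS_FOR_THREAT[threat] - asset.safeguards)

def residual_risk(asset, threat, likelihood):
    # Risk for one asset/threat pair, scaled by the share of safeguards missing.
    required = SAFEGUARDS_FOR_THREAT[threat]
    exposure = len(required - asset.safeguards) / len(required)
    return round(asset_valuation(asset) * likelihood * exposure, 2)

def risk_register(assets, threat_likelihood):
    # Every asset/threat pair with non-zero residual risk, highest risk first.
    rows = [(residual_risk(a, t, p), a.name, t, missing_safeguards(a, t))
            for a in assets for t, p in threat_likelihood.items()]
    return sorted((r for r in rows if r[0] > 0), reverse=True)

# Constructed sample inventory and assumed annual threat likelihoods.
ASSETS = [
    Asset("student records DB", "information", 5, 4, 5,
          {"patching", "firewall", "offsite backup", "audit logging"}),
    Asset("payroll server", "hardware", 3, 4, 2,
          {"fire suppression", "antivirus", "patching", "mfa", "firewall"}),
]
LIKELIHOOD = {"hacker": 0.5, "fire": 0.1, "disgruntled employee": 0.3, "virus": 0.4}
```

Each row of `risk_register(ASSETS, LIKELIHOOD)` names the safeguards whose absence drives the score, which is the "missing safeguards" view the slide refers to.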
Roles of Law/Reg/Policy in Risk Analysis & Risk Management
- Law resolves disputes, shifts risk of loss
- Risk analysis failure shifts liability risks to creator
- Actual injuries trigger disputes over risk duties
- Law defines risks & duties of care: crimes, torts, contracts, standards, determination of injury
- Law dis-incentivizes risky deeds (DD&tDDC)
- Law defines risk management duties
- Law compensates injuries: derived from law, defines/constrains damage computation
- Law encourages risk mgt
- Law defines risk mgt professionalism
- Law enforces risk-shifting contracts
- Law requires risk analysis & impacts methods
- But law may disincentivize introspection w/o self-eval privilege
- Law regulates risk management industry
- Law enforces risk mgt profession’s arrangements