
© SAIC. All rights reserved.

Cyber Security Readiness:

The Boy Scout Motto, “Be Prepared,” is in Effect

Ft. Knox AFCEA
Charles Onstott, VP, Cyber, Cloud and Data Science, SAIC
24 September 2014

SAIC.com


How to Improve Cyber Security Readiness

• Define “Cyber Security Readiness”
• Cyber Command Readiness Inspections: good. Unannounced CCRIs: even better
• Cyber security readiness must include traditional security readiness
• Cyber security readiness tools, processes
• Lessons-Learned from CCRI
• SAIC’s CyberSecurity Edge™
• Risk Management Framework: effects on day-to-day cyber security readiness


What is “Cyber Security Readiness?”

• Cybersecurity readiness is the ability to have critical information and tools rapidly available and in place in order to proactively assess your security posture, identify vulnerabilities, combat threats, deter attacks and to quickly remediate risks.

• Cybersecurity readiness improves the organization’s overall operational readiness and security posture so you can perform your mission. Plus, your organization will remain compliant with policy, regulations, and the law.


Ten Reasons To Welcome Unannounced CCRIs

• Avoid system compromise
• Decrease threat window of opportunity
• Remain connected to GIG, no mission interruption or degradation
• Improve security program effectiveness
• Maintain system integrity and availability
• Assure data confidentiality
• Identify improvement opportunities
• Boost staff confidence
• Promote awareness
• Satisfy reporting requirements


Score Yourself on 13 Traditional Security Checks

Cyber security readiness rests on the foundation of traditional security readiness. That means maintaining an appropriate level of security in the key traditional security areas, which are also evaluated during a CCRI:

• Physical Security
• Operational Security
• Administrative Security
• Procedural Controls
• Legal, Regulations, Investigations and Compliance


“Stay Alert! Stay Alive!” SAIC Lessons Learned

Maintain Cyber Readiness: Staying Alert May Mean Keeping Your Mission Alive

• Perform mock CCRIs to evaluate current security posture
• Scan systems continuously. Remediate vulnerabilities.
• Train your team to be ever-ready: be alert, know appropriate actions, understand tools and their use
• Ensure continuous monitoring and auditing throughout the system’s full lifecycle, beginning as soon as possible
• Update policies, procedures, and plans frequently
• Secure web servers and workstations to avoid exploits
• Ensure password policy is applicable and appropriate and that protections are properly applied and implemented
• Invite a third party to perform pre-inspections
• Address CTOs and security bulletins to maintain security awareness


How One Site Failed CCRI After a Near Perfect Score

A misconfigured scanner, an omitted HBSS setting, or a poor ACL can convert a near perfect CCRI grade into a failure.

• A Washington, DC, facility spent weeks preparing for its first CCRI. Reps from another site performed physical security (physec) inspections. Non-compliant doors, windows, and interior spaces were fixed before the CCRI. Every plan, policy, and procedure was reviewed and updated, and staff ensured each was implemented. Documents were bound and indexed. Boundary perimeter devices were updated and hardened. Systems were scanned repeatedly; new vulnerabilities were remedied. IA staff DoD 8570 certifications were verified; training was scheduled; all of this was recorded in an IAWF document (adopted for future CCRIs). Mock interviews were performed.
• During the CCRI, the site had nearly a perfect score until HBSS was evaluated. The site had not modified an HBSS setting to satisfy guidance issued days earlier. Result: automatic failure.
• Reason: cyber security readiness means continuous readiness.
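The HBSS failure above is a configuration-drift problem: the host matched the baseline the site had prepared against, not the baseline in force on inspection day. The script below is an added example, not from the SAIC deck and not HBSS or ACAS code. It evaluates a host snapshot against a dated requirement list, so a mock inspection shows both what fails today and which requirements became enforceable since the last check. The setting names, guidance identifiers, dates and host values are constructed for illustration and are not real HBSS policy settings or real DISA guidance.

```python
"""Baseline-drift check for a host configuration (added example).

The setting names, guidance identifiers, dates and host values are
constructed illustrations, not real HBSS policy settings or real guidance.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Requirement:
    setting: str          # configuration key the inspector checks
    expected: str         # value the guidance requires
    source: str           # guidance document or tasking that imposed it
    effective: date       # date from which the requirement is enforced
    automatic_fail: bool  # whether a miss fails the whole inspection


# Constructed baseline; the last entry models "guidance issued days earlier".
BASELINE = [
    Requirement("av.on_access_scan", "enabled", "baseline-2014-01", date(2014, 1, 15), False),
    Requirement("hips.signature_update_hours", "24", "baseline-2014-01", date(2014, 1, 15), False),
    Requirement("policy_auditor.scan_interval_days", "7", "baseline-2014-01", date(2014, 1, 15), False),
    Requirement("hips.block_unsigned_drivers", "enabled", "tasking-2014-09-20", date(2014, 9, 20), True),
]

# Constructed host snapshot: compliant with the January baseline, but the
# 20 September change was never applied.
HOST_CONFIG = {
    "av.on_access_scan": "enabled",
    "hips.signature_update_hours": "24",
    "policy_auditor.scan_interval_days": "7",
    "hips.block_unsigned_drivers": "disabled",
}

LAST_MOCK = date(2014, 9, 15)   # constructed date of the site's last mock inspection
INSPECTION = date(2014, 9, 24)  # constructed date of the real inspection


def evaluate(host_config, baseline, as_of):
    """Return (passed, findings) for host_config against every requirement
    in force on `as_of`. A missing key is a finding, never a silent pass."""
    findings = []
    for req in baseline:
        if req.effective > as_of:
            continue  # not yet enforceable on this date
        actual = host_config.get(req.setting, "<missing>")
        if actual != req.expected:
            findings.append({
                "setting": req.setting,
                "expected": req.expected,
                "actual": actual,
                "source": req.source,
                "automatic_fail": req.automatic_fail,
            })
    passed = not any(f["automatic_fail"] for f in findings)
    return passed, findings


def newly_enforced(baseline, since, as_of):
    """Requirements that took effect in (since, as_of]: exactly the ones a
    mock inspection run on `since` could not have caught."""
    return [r for r in baseline if since < r.effective <= as_of]


if __name__ == "__main__":
    ok, findings = evaluate(HOST_CONFIG, BASELINE, LAST_MOCK)
    print(f"mock inspection {LAST_MOCK}: {'PASS' if ok else 'FAIL'} ({len(findings)} findings)")
    ok, findings = evaluate(HOST_CONFIG, BASELINE, INSPECTION)
    print(f"inspection {INSPECTION}: {'PASS' if ok else 'FAIL'}")
    for f in findings:
        print(f"  {f['setting']}: expected {f['expected']}, got {f['actual']} ({f['source']})")
    for r in newly_enforced(BASELINE, LAST_MOCK, INSPECTION):
        print(f"  new since last mock: {r.setting} from {r.source}")
```

Running the check daily against the current guidance list, rather than against the baseline frozen when preparation started, is the point: the mock date passes cleanly while the inspection date fails on the one setting that changed in between.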


CCRI Team: NUWC Newport “One of the Best Inspected”

“Your assistance and sharing of your knowledge played a huge role in this success.” - NUWC Newport CIO Bob Bernardo

• 70 days to CCRI: thousands of pre-assessment failures
• SAIC team plan: build on lessons learned in other CCRIs
  • Review NUWC procedures, processes, plans. Fix problems.
  • Scan network, hundreds of devices. Remediate vulnerabilities.
  • Interview leadership, systems and network administrators, physical security team, lab staff. Train on identified knowledge deficiencies.
  • Perform full four-day mock inspection. Catch critical shortfalls.
  • Perform final remediations for all findings from 36 checklists.
  • Support actual CCRI event. Fix issues. Capture lessons learned.
• Passing score: 94.7%, dropped to 78.7% (for FRAG-O failure).
• Assessors said NUWC Newport processes for physical security, documentation, IAVM and HBSS set the standard and should be shared with other commands.


Successful CCRI With 21,000 Vulnerabilities?

• SAIC’s first Data Center systems scans at a customer uncovered a highly vulnerable network: 18,389 vulnerabilities.
• The customer embraced innovation: SAIC’s 3-phase Get Well plan
  • Inspect the site to identify all vulnerabilities (Discover)
  • Eliminate or mitigate all vulnerabilities using technical, procedural, or administrative methods (Mitigate)
  • Simultaneously protect against emerging threats and vulnerabilities (Manage)
• With the Get Well plan, the customer eliminated or mitigated the 18,000 initial vulnerabilities and 7,000 additional vulnerabilities.
• Under the new Phase 3 CCRI grading criteria, the customer achieved a dual (classified, unclassified) Excellent rating.
• The customer also realized cost savings. Implementing SAIC’s Security Management Plan enabled IA activities to be completed 40% faster, lowering overall project labor costs.


Improved Cyber Readiness Just May Be “Tuning”

• HBSS (Host Based Security System): monitoring at the host level
• ACAS (Assured Compliance Assessment Solution): system vulnerability assessment
• Splunk: log analytics (insider threat)


Process Foundations to Cyber Security Readiness

Four processes, Continuous Monitoring, Configuration Management, Patch Management, and IA Vulnerability Management are foundations to cyber security readiness. When your software, hardware, applications, devices, and deployments all follow processes that guard against the introduction of vulnerabilities, you build a firm foundation on which to perform continuous monitoring.

(Diagram: Continuous Monitoring, Patch Management, Configuration Management, IA Vulnerability Management)
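The four processes above meet in one routine task: reconciling scanner output against IA vulnerability notices. Every finding is either patched inside its window, overdue, backed by no vendor fix and therefore carried on a POA&M with a mitigation, or not tied to any notice and needs manual triage. The script below is an added example, not from the slides and not ACAS or HBSS code. The notice identifiers, hosts and findings are constructed, and the 30-day default remediation window is an assumption (real notices carry their own due dates).

```python
"""IAVM reconciliation: scan findings to patch work and POA&M rows (added example).

Notice IDs, hosts and findings are constructed; the 30-day window is assumed.
"""
from datetime import date, timedelta

REMEDIATION_WINDOW = timedelta(days=30)  # assumption: default window when a notice has no due date
AS_OF = date(2014, 9, 24)                # constructed reconciliation date

# Constructed IAVM notices: id -> release date and whether a vendor fix exists
NOTICES = {
    "2014-A-0101": {"released": date(2014, 8, 1), "patch_available": True},
    "2014-A-0118": {"released": date(2014, 9, 10), "patch_available": True},
    "2014-B-0133": {"released": date(2014, 9, 18), "patch_available": False},
}

# Constructed scan results: one row per (host, finding)
SCAN = [
    {"host": "ws01", "iavm": "2014-A-0101"},
    {"host": "ws01", "iavm": "2014-A-0118"},
    {"host": "ws02", "iavm": "2014-A-0118"},
    {"host": "srv01", "iavm": "2014-B-0133"},
    {"host": "srv01", "iavm": "2014-X-9999"},  # scanner hit with no notice behind it
]


def classify(finding, notices, today, window=REMEDIATION_WINDOW):
    """Classify one finding:
    'overdue'   past the due date with a fix available: an inspection failure risk
    'open'      inside the window: schedule the patch
    'poam'      no vendor fix: track on the POA&M with a mitigation
    'untracked' no notice matches: triage manually before the inspector does
    """
    notice = notices.get(finding["iavm"])
    if notice is None:
        return "untracked"
    if not notice["patch_available"]:
        return "poam"
    due = notice["released"] + window
    return "overdue" if today > due else "open"


def reconcile(scan, notices, today):
    """Group every finding by status and count overdue findings per host,
    the number an inspector would hold against that host."""
    buckets = {"overdue": [], "open": [], "poam": [], "untracked": []}
    overdue_per_host = {}
    for f in scan:
        status = classify(f, notices, today)
        buckets[status].append(f)
        overdue_per_host[f["host"]] = overdue_per_host.get(f["host"], 0) + int(status == "overdue")
    return buckets, overdue_per_host


def poam_entries(buckets, today):
    """Build POA&M rows for findings that cannot simply be patched."""
    return [
        {"host": f["host"], "weakness": f["iavm"], "opened": today.isoformat(),
         "mitigation": "TBD: compensating control until vendor fix ships", "status": "ongoing"}
        for f in buckets["poam"]
    ]


if __name__ == "__main__":
    buckets, per_host = reconcile(SCAN, NOTICES, AS_OF)
    for status, rows in buckets.items():
        print(f"{status:9} {[(r['host'], r['iavm']) for r in rows]}")
    print("overdue per host:", per_host)
    for row in poam_entries(buckets, AS_OF):
        print("POA&M:", row)
```

The untracked bucket is the one most teams forget: a scanner plugin that fires with no notice behind it still appears in the inspector's export, so it needs an owner and a disposition even though no due date exists for it.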


RMF Builds, Assesses Cyber Security Readiness


What is the RMF?

The Risk Management Framework (RMF) is the “common information security framework.” It streamlines the process for easier interconnection and sharing of information and provides a single repository for controls using NIST SP 800-53. The four goals of the RMF are:

• To improve information security
• To strengthen the risk management processes
• To encourage reciprocity among federal agencies
• To provide continuous monitoring of controls

Programs will be able to build, assess, and monitor their systems using RMF.


How RMF Will Help Your Day-to-Day Security Readiness

• Risk Governance
• Risk Evaluation
• Risk Response

Missile Defense Agency example: under the previous DIACAP C&A process, MDA had difficulty obtaining accreditation approval. For mission and safety-of-life reasons MDA needed the session lock control disabled, but under DIACAP that control was required and had to be applied before an accreditation could be granted. RMF alleviates this by letting organizations tailor security control settings with an overlay that complements the security control baselines, while still implementing the required level of security.
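The MDA case is what RMF tailoring is for: instead of silently disabling a required control, an overlay narrows where the control applies or changes its parameters, records the justification, and names the compensating controls, so the tailored baseline is still defensible to the assessor. The script below is an added example, not from the slides and not MDA's actual overlay. AC-11 (Session Lock), AC-11(1) (Pattern-Hiding Displays) and PE-3 (Physical Access Control) are real NIST SP 800-53 control names; the parameter values, scoping text and justifications are constructed for illustration.

```python
"""Applying an overlay to a control baseline, NIST SP 800-53 style (added example).

AC-11, AC-11(1) and PE-3 are real SP 800-53 control names; the parameter
values, scoping statements and justifications are constructed.
"""
import copy

# Constructed slice of a moderate baseline: control id -> state
BASELINE = {
    "AC-11": {"title": "Session Lock", "params": {"inactivity_minutes": 15}, "applies_to": "all components"},
    "AC-11(1)": {"title": "Pattern-Hiding Displays", "params": {}, "applies_to": "all components"},
    "PE-3": {"title": "Physical Access Control", "params": {}, "applies_to": "all facilities"},
}

# Constructed overlay. 'scope' narrows applicability instead of deleting the
# control; 'set_param' changes an organization-defined value; every action
# must carry a justification, and scope/remove must name compensating controls.
OVERLAY = {
    "name": "mission-display-overlay (illustrative)",
    "actions": [
        {"control": "AC-11", "action": "scope",
         "applies_to": "all components except operator consoles inside access-controlled mission rooms",
         "justification": "Safety-of-life displays must stay visible; room access is controlled under PE-3.",
         "compensating": ["PE-3"]},
        {"control": "AC-11(1)", "action": "scope",
         "applies_to": "all components except operator consoles inside access-controlled mission rooms",
         "justification": "Same rationale as AC-11.",
         "compensating": ["PE-3"]},
        {"control": "AC-11", "action": "set_param",
         "params": {"inactivity_minutes": 10},
         "justification": "Tighter lock-out everywhere the control still applies."},
    ],
}


class OverlayError(ValueError):
    """Raised when an overlay action is unjustified or not traceable to the baseline."""


def apply_overlay(baseline, overlay):
    """Return a tailored copy of the baseline; the input baseline is left intact."""
    tailored = copy.deepcopy(baseline)
    for act in overlay["actions"]:
        cid, kind = act["control"], act["action"]
        if cid not in tailored:
            raise OverlayError(f"{cid}: not in baseline")
        if not act.get("justification"):
            raise OverlayError(f"{cid}: {kind} without justification")
        ctrl = tailored[cid]
        if kind == "set_param":
            ctrl["params"].update(act["params"])
        elif kind in ("scope", "remove"):
            comp = act.get("compensating", [])
            if not comp or any(c not in tailored for c in comp):
                raise OverlayError(f"{cid}: {kind} needs compensating controls present in the baseline")
            if kind == "scope":
                ctrl["applies_to"] = act["applies_to"]
            else:
                ctrl["status"] = "not applicable"
            ctrl["compensating"] = comp
        else:
            raise OverlayError(f"{cid}: unknown action {kind!r}")
        # Keep the audit trail the assessor will ask for.
        ctrl.setdefault("tailoring", []).append(
            {"overlay": overlay["name"], "action": kind, "justification": act["justification"]})
    return tailored


def rejected(baseline, overlay):
    """Return the rejection reason for an invalid overlay, or None if it applies cleanly."""
    try:
        apply_overlay(baseline, overlay)
    except OverlayError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for cid, ctrl in apply_overlay(BASELINE, OVERLAY).items():
        print(cid, ctrl["title"], ctrl["params"], "->", ctrl["applies_to"])
        for t in ctrl.get("tailoring", []):
            print("   ", t["action"], ":", t["justification"])
```

The rejection paths are deliberate: an overlay that simply deletes AC-11, or that adjusts a parameter without saying why, is exactly the unsupported deviation DIACAP would have refused, and RMF tailoring does not make it acceptable either.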


CyberSecurity Edge: Common Process in CCRI Successes

Discover → Mitigate → Manage

• The 3-phase process, now known as “SAIC CyberSecurity Edge™”, employs a proven methodology built on 20+ years of SAIC cyber experience.
• Highly trained and experienced IA analysts worked closely with MCEITS, NUWC and other sites to evaluate technical, administrative, physical, environmental, and personnel security.
• CyberSecurity Edge™ is cybersecurity readiness:
  • A Vulnerability Management Plan identifies and closes new vulnerabilities
  • A Plan of Action and Milestones (POA&M) tracks vulnerabilities requiring research or special attention
  • Tailored plans and processes support Incident Response, Continuity of Operations, and Disaster Recovery
• Using CyberSecurity Edge, an organization can identify and mitigate vulnerabilities within seven days.


Thanks! Questions?

To learn how SAIC can help you maintain constant cyber security readiness or prepare for announced and unannounced Cyber Command Readiness Inspections (CCRIs), contact:

Mary Mayonado, Cyber Service Line Director Tel: 301-862-6396 | Email: [email protected]

For more details on SAIC’s CyberSecurity Edge™ Discovery, Mitigate, and Manage phases, and how they can yield greater cyber security readiness for your organization, contact:

William Kaczor, Product Manager Cyber Security Edge™ Tel: 321-626-7576 | Email: [email protected]
