NIST’s Role in Computer Security

November 9, 1999. Ed Roback, Computer Security Division, NIST Information Technology Laboratory


DESCRIPTION

NIST’s Role in Computer Security. Ed Roback Computer Security Division NIST Information Technology Laboratory. Agenda. Who we are Computer security program NIST partnerships Summary. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: NIST’s Role in Computer Security

November 9, 1999

NIST’s Role in Computer Security

Ed Roback

Computer Security Division

NIST Information Technology Laboratory

Page 2: NIST’s Role in Computer Security

Agenda

• Who we are
• Computer security program
• NIST partnerships
• Summary

Page 3: NIST’s Role in Computer Security
Page 4: NIST’s Role in Computer Security

Promote the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure for information technology

• Advanced Network Technologies
• Computer Security
• Distributed Computing and Information Services
• High Performance Systems and Services
• Information Access and User Interfaces
• Mathematical and Computational Sciences
• Software Diagnostics and Conformance Testing
• Statistical Engineering

Page 5: NIST’s Role in Computer Security

NIST Mandate for Computer Security

• Develop standards and guidelines for the Federal government
• Improve the competitiveness of the American IT industry

Page 6: NIST’s Role in Computer Security

Computer Security Division Mission

To improve the state-of-the-art in information security through:

• Awareness - of IT vulnerabilities and protection requirements
• Standards, Metrics, Tests - to promote, measure, and validate security improvements and enable confidence for marketplace transactions and minimum standards for Federal systems
• Guidance - to increase effective security planning and implementation of cost-effective security in Federal systems

Page 7: NIST’s Role in Computer Security

Agenda

• Who we are
• Computer security program
• NIST partnerships
• Summary

Page 8: NIST’s Role in Computer Security

Security Program Strategy

• Collaboration with industry and government
  – Work to develop IT specifications and conformance tests to promote secure, interoperable products and systems
  – Develop standards in cooperation with industry and voluntary consensus standards bodies to promote and protect USG and IT industry interests
• Acting as “honest broker”

Page 9: NIST’s Role in Computer Security

Security Program Strategy (Concluded)

• Focus on improving the security of products and systems
  – Develop standards for secure, interoperable products
  – Validate conformance of commercial products to selected Federal Information Processing Standards (FIPS)
  – Perform research and conduct studies to identify vulnerabilities and devise solutions
  – Develop new test methods and procedures that will make testing of security requirements/specifications more efficient and cost effective

Page 10: NIST’s Role in Computer Security

Key Components of NIST’s Computer Security Program

• Security standards development
• Security testing
• Exploring new security technologies
• Assistance and guidance

Page 11: NIST’s Role in Computer Security

Security Standards Development

• Work with industry and government to develop standards for computer security
  – Cryptography
  – Policies, management, and operational controls
  – Best practices
  – Common Criteria
  – Public Key Infrastructure (PKI)

Page 12: NIST’s Role in Computer Security

Key Efforts -- Standards

• AES: Advanced Encryption Standard
• FIPS 46-3: Triple Data Encryption Standard (DES)
• DSS Upgrade: to include RSA, Elliptic Curve
• SHA-2: Upgrade of SHA-1
• FIPS 140-2: Upgrade of 140-1
• X9.82: Random Number Generator
• Key Exchange: Key Exchange/Agreement Standard(s)
• ISO 15408: Common Criteria v.2
• IETF: PKIX, IPSec, DNSSec, etc.
• ISO 15292/15446: Protection Profile Registration and Development Guidance
• FIPA: Foundation for Intelligent Physical Agents
• PKI: Security Requirements for Certificate Issuing and Management Components (CIMCs)

Page 13: NIST’s Role in Computer Security

Security Testing

• Develop the tests, tools, profiles, methods, and implementations for timely, cost effective evaluation and testing
• Validation
  – Cryptographic Module Validation Program (CMVP)
  – National Information Assurance Partnership (NIAP)
• Conformance and interoperability testing
  – MISPC
  – IPv6 test resource

Page 14: NIST’s Role in Computer Security

Key Efforts -- Testing

• Crypto Module Validation Program
• Algorithm Testing
• Random Number Generator Testing
• MISPC Testing
• Certificate Authority Testing
• Firewall Security & Evaluation Tests
• Telecommunications Switch Security
• Protection Profile Testing
• Automated Test Development/Generation
• Common Criteria Evaluation and Validation Scheme
• Laboratory Accreditation

Page 15: NIST’s Role in Computer Security

Exploring New Security Technologies

• Identify and use emerging technologies, especially infrastructure niches
• Develop prototypes, reference implementations, and demonstrations
• Transition new technology and tools to public & private sectors
• Advise Federal agencies

Page 16: NIST’s Role in Computer Security

Key Efforts -- New Technologies

• Role-Based Access Control
• Policy Management
• Intrusion Detection
• Mobile Agents
• Automated Security Test Generation
• IPSec/web interface testing
• Security Service Interfaces

Page 17: NIST’s Role in Computer Security

Assistance and Guidance

• Assist U.S. Government agencies and other users with technical security and management issues
• Assist in development of security infrastructures
• Develop or point to cost-effective security guidance
• Actively transfer security technology and guidance from NIST to agencies/industry
• Support agencies on specific security projects on a cost-reimbursable basis

Page 18: NIST’s Role in Computer Security

Key Efforts -- Assistance and Guidance

• NIST Special Publications:
  – 800-18, “Guide for Developing Security Plans for Information Technology Systems”
  – 800-16, “Information Technology Security Training Requirements”
  – “Guideline for Implementing Cryptography in the Federal Government” (Forthcoming)
  – “Security Incident Handling -- A Cooperative Approach”
• ITL Bulletins (1999):
  – November: Intrusion Detection
  – September: Securing Web Servers
  – August: The Advanced Encryption Standard: A Status Report
  – May: Computer Attacks: What They Are and How to Defend Against Them

Page 19: NIST’s Role in Computer Security

Agenda

• Who we are
• Computer security program
• NIST partnerships
• Summary

Page 20: NIST’s Role in Computer Security

In carrying out NIST’s programs, we don’t work alone...

Page 21: NIST’s Role in Computer Security

NIST Outreach (diagram): IT Industry, Federal Agencies, Standards Community, Academia, Testing Labs

• ACM Workshops on Access Control
• Agency Assistance Federal Computer Security Training Resource Center
• Best Practice Task Force
• CIO Council Security Privacy-Critical Infrastructure
• Computer System Security & Privacy Advisory Board (CSSPAB)
• Critical Infrastructure Protection
• Department of Justice Executive Advisory Team
• Director Forum of CIO Council
• DoC/CIO Contingency Planning Affinity Group
• FedCIRC Partners
• Federal Computer Security Program Managers' Forum
• Federal Information Systems Security Educators' Association (FISSEA)
• Federal Public Key Infrastructure Steering Committee & Subgroups
• Forum for Privacy & Security in Healthcare
• High Performance Computing and Communications
• Information Industry Group
• INFOSEC Research Council
• National Colloquium for Information Systems Security Education (NCISSE)
• National Science Foundation Career Proposal Review Panel
• National Security Telecommunications & Information Systems Security Committee (NSTISSC)
• Network Security Information Exchange
• NIST-NSA Technical Working Group
• Open Source Security Working Group
• Smart Card Security Users Group

• American Bar Association Information Security Ctte
• Common Criteria Mutual Recognition Arrangement Management Ctte
• Critical Infrastructure Coordination Group Education & Awareness Ctte
• Federal Public Key Infrastructure Technical Working Group
• Forum for Privacy & Security in Healthcare
• Information Industry Group
• National Colloquium for Information Systems Security Education (NCISSE)
• National Science Foundation Career Proposal Review Panel
• Nat'l Ctte for Information Technology Standards, T3-Open Distributed Processing
• Network Security Information Exchange
• Smart Card Security Users Group
• Steering Ctte Member of ACM Workshop on Access Control

• CEAL: a Cygnacom Solutions Laboratory
• DOMUS IT Security Laboratory, A Division of LGS Group, Inc.
• InfoGard Laboratories, Inc.

• ANSI Accredited Standards Committee X9F3
• ANSI X9.82 Random Number Generation Standard
• ANSI X9F, X9F1, X9F3
• ANSI-NCITS T4 Computer Security
• Nat'l Committee for Information Technology Standards, Technical Committee T3-Open Distributed Processing
• NIST-NSA Technical Working Group
• IETF S/MIME V3 Working Group
• IETF Public Key Infrastructure Working Group (PKIX)
• IETF Internet Protocol Security (IPSEC)
• Internet Protocol Secure Policy (IPSP), Internet Protocol Secure Remote Access (IPSRA)
• ISO/Internat'l Electrotechnical Commission Joint Technical Committee 1
• ISO JTC1 SC27 Computer Security
• Smart Card Security Users Group

• Critical Infrastructure Coordination Group Education & Awareness Ctte
• National Colloquium for Information Systems Security Education (NCISSE)

Page 22: NIST’s Role in Computer Security

How we improve security through standards and testing

Key Theme: Improving Security Products

Page 23: NIST’s Role in Computer Security

• Identify needs for security standards (industry and government)
• Develop security standards
• Test products against security standards
• Vendors improve products
• Users get more secure products
• Therefore... Security is Improved!

Page 24: NIST’s Role in Computer Security

Agenda

• Who we are
• Computer security program
• NIST partnerships
• Summary

Page 25: NIST’s Role in Computer Security

Summary & Conclusions

NIST is improving security by:

• Raising awareness of the need for cost-effective security
• Engaging in key U.S. voluntary standards activities
• Developing standards and guidelines to secure Federal systems (often adopted voluntarily by private sector)
  – Cryptographic algorithms
  – Policy, management, operations, and best practices guidance
  – PKI
• Providing National leadership role for security testing and evaluation
  – Cryptographic Module Validation Program
  – National Information Assurance Partnership

Page 26: NIST’s Role in Computer Security

Yet, there is more we could do...

Page 27: NIST’s Role in Computer Security

President’s 9/99 Proposal for Increasing NIST CIP Activities

• Establish an Expert Review Team at NIST
  – Assist Government-wide agencies in adhering to Federal computer security requirements
  – Director to consult with OMB and NSC on plans to protect and enhance computer security for Federal agencies
• Fund a permanent 15-member team responsible for
  – Helping agencies identify vulnerabilities
  – Plan secure systems, and implement CIP plans

Page 28: NIST’s Role in Computer Security

President’s 9/99 Proposal for Increasing NIST CIP Activities (Concluded)

• Establish an operational fund at NIST for computer security projects among Federal agencies
  – Independent vulnerability assessments
  – Computer intrusion drills
  – Emergency funds to cover security fixes for systems identified to have unacceptable security risks

Page 29: NIST’s Role in Computer Security

Questions?