Cutting through the fog of cybersecurity
What “REALLY” matters in Cyber?
25 April, 2014

Mike Davis, MSEE, EE, CISSP – Cyber Security Consultant – [email protected]
Glenn Jacobs, BSEE, Security+ – Cybersecurity Small Business & Instructor – [email protected]
Doug Magedman, MS Cybersecurity and IA, MS OA/HSI, BS-BME – SPAWAR HQ Technical Authority – [email protected]

COMPLEXITY
“easy button”

Bottom line – it’s all about risk management AND – the ‘value proposition!’

SD ISC2 / SD IEEE



What’s Wrong With This Security?
What level of protection is provided here?

The gates were fully locked, properly configured and validated. I could not get through them. But....
So Cyber can be an illusion…

When a capability is “invisible”, like IA, safety, reliability, etc, what you see is not the whole picture!

Cutting through the CyberSecurity Fog!
B.L.U.F. – Bottom Line Up Front

The threats are very real, and the news shows a small percentage. It does not just happen to the other guy – YOU WILL be / ARE affected.

Focus on business risk reduction and minimizing legal liabilities. Adequate cyber protections are but one part – so is insurance…

You can not buy cyber security, you must manage it – many parts. The standard IA/Security suite is pretty good – IF maintained.

“P6” principles still apply – as do strategic partnerships. Few can afford to go it alone – use MSS, 3rd party SMEs.

Don’t fix cracks in the cyber walls, while the barn door is open! Fixing / maintaining your cyber suite cuts incidents by 95%.

The Heartbleed Saga

Affects more than just PCs!!! A Billion Smartphone Users May Be Affected by the Heartbleed Security Flaw. The OpenSSL Heartbleed does not affect most of the providers of enterprise mobile management solutions, but…
http://www.forbes.com/sites/bobegan/2014/04/11/a-billion-smartphones-users-may-be-affected-by-the-heartbleed-security-flaw/

Even the infrastructure we rely on is not immune to “zero day” flaws

CNET compiled a list of the top 100 sites across the Web, and checked to see if the Heartbleed bug was patched… Once patched: Certs re-issued, change passwords!
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

In-depth explanation of what exactly Heartbleed is, and what it does… open-source software called OpenSSL that's widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where the most sensitive of data is stored…
http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

Most Americans Haven't Even Checked To See If They Were Affected By Heartbleed (Only 23 percent of respondents have even checked to see if any websites they use were affected by the bug, while 77 percent said they have not checked. Slightly more people -- 38 percent -- have changed their passwords)
http://www.huffingtonpost.com/2014/04/21/heartbleed-bug-poll_n_5175663.html

SO… what does matter in Cyber?

It’s NOT about expensive new cyber capabilities / “toys” but more about the interoperability “glue” (distributed trust, resiliency, automation, profiles)

You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% solution to MOST vulnerabilities – stabilize the environment!

CYBER is fundamentally all about TRUST and DATA (Identity / authentication / secure comms – provenance, quality, pedigree, assured)

90+% of security incidents are from lack of doing the basics!
• HAVE effective Security Continuous Monitoring (SCM / SIEM) – a MUST DO!
• USE enforced: cyber hygiene, enterprise access control, & reduce complexity (APLs)
• Shift from only protecting the network, to the DATA security itself – information centric view

• Embrace your Risk Management Plan (RMP) – LIVE IT!
• Have an enforceable security policy – what is allowed / not – train to it
• KNOW your baseline – Protect the business from the unknown risks as well
• Employ a due diligence level of security – then transfer residual risks!

Yes, It is ALL about the DATA!

2020 Vision

(Courtesy of Dan Green / SPAWAR ):

Themes and Memes  (Technology vs Technology Adoption)

Convergence = Genomics,  Robotics, Informatics, Nanotech (each a $B+ market)

Meme: an idea, behavior, or style that spreads from person to person within a culture

It’s a data-centric world, we need privacy by design – is your data ‘safe’?

“CBAD” = Cloud, Big Data, Analytics, Data Science (are you ‘all-in’?)

Telematics = Sensing robotics, Cyber Physical Systems (will kids need to learn to drive?)

Interactive 3D = Augmented Reality,  HTML 5,  Three.js (3D graphics for  WebGL)

Embedded Computing  =  eHPC,  Tessel (mCPU / Java),  Programmable hardware

LBS = Location Based Services, IPS, Beaconing, NFC

IoT = Internet of Things, M2M, Quantified Self

Mobilization =  Preparation for Conflict/Competition,  Autonomy,  The Draft

STEM = Science Technology Engineering Math ,  Generation NOW,  Old Dogs (YOU)

Cyber Security opportunities
(& related System Engineering / Integration efforts)

IT / Cyber Global factors – user pull
• World-wide B2B – Trust / cloud / sharing
• IoT / M2M – Automation / Sensors
• Consumerization of IT – Phones / wireless / apps
• Privacy / Data – IP / PII / compliance

GAPS / Needs (from the Federal cyber priority council S&T gaps)
• TRUST – Distributed / MLS
• Resiliency – SW / apps / APIs / services
• Agile operations – BE the vanguard / integration
• Effective missions – Business success factors

Vulnerabilities / Threats (Verizon DBIR, Forbes, etc threat reports – what ails us most)
• CM / Hygiene – patching / settings
• Access control – Authentication is key
• TOP security mitigations – Whitelist, patch, limit access
• Risk Mgmt – Adhoc / not global

Future Opportunities
• SIEM / SCM – QA hygiene / sensors – “ESA” / simple tools!
• Mobile Security – Poor apps / IOS weak – billions users = volume
• Mitigate Obsolescence – Minimize patching, legacy vulnerabilities – OA / modularity / APIs & SCRM
• Data Security – Predictive analytics – Privacy by design

Effective Business risk management (BRM) = cybersecurity framework (CMMI / RMF / COBIT)
Reducing business risk / liabilities… Managed security services (MSS) & cyber insurance …

The Integrated BRM Approach + Small / Medium Business (SMB) – THE ANSWER +

RMP elements:
• Company Vision (business success factors)
• C&A / V&V (effective / automated)
• Security Policy (mobile, social media, etc)
• Education / Training (targeted, JIT, needs based)
• Known Baseline (security architecture)
• CMMI / Sustainment (SoPs / processes)
• MSS / vCISO (3rd party IV&V support)
• Data Centric Security (DLP, reputation based methods)
• Insider Threat / Company Intel (open source, FB, etc)
• SCM / SIEM (monitor / track / mitigate)
• Cyber insurance (broker & legal counsel)
• Privacy by Design (manage PII, HIPAA, compliance)

Common Risk Management Plan (RMP) model (RMF / COBIT & Risk IT)

AND IAW the NIST Cybersecurity Framework (CAR / ESA)

What’s Left to Consider?

The background / rationale

Threats / scare tactics

Complexity factors (that you can minimize)

The bigger picture

THEN

The cyber educational approach to minimize all these factors / issues

And Summary….

Again, just go with the flow… for now… we’ll slow down in the next briefs

A “LOT” of slides (aka, ‘infographs’) – 10-15 minutes max.

So skim / visualize.

6-8 slides – 15 minutes

What is “Cyber”?

“A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.“

-- DoD Definition of Cyberspace

“The military strategic goal is to ensure US military strategic superiority in cyberspace.”

-- National Military Strategy for Cyberspace Operations

Cyber space operations = employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the GIG

It could mean just about anything…. Protecting data and resources… But mostly a prioritized, balanced security portfolio

“Measures that Protect and Defend Information and Information Systems by Ensuring Their Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. This Includes Providing for Restoration of Information Systems by Incorporating Protection, Detection, and Reaction Capabilities.”

• Availability – Timely, Reliable Access to Data and Information Services for Authorized Users
• Integrity – Quality of Information System Reflecting Logical Correctness and Reliability of Operating System
• Authentication – Security Measure Designed to Establish Validity of Transmission, Message, or Originator
• Confidentiality – Assurance that Information is Not Disclosed to Unauthorized Entities or Processes
• Non-Repudiation – Assurance Sender of Data is Provided with Proof of Delivery and Recipient with Proof of Sender’s Identity

What is Information Assurance (IA)?

INFOSEC / Information Assurance

DATA is your most critical asset – is it adequately protected?

IA covers more than Networks
• Land-mobile radio cryptographic and key management systems (high and medium assurance)
• ASW / SONAR buoy and other disposable sensor clandestine communications
• Aircraft wireless intercom systems
• Software cryptography (medium & basic) assurance
• Software anti-tamper systems
• RF identification devices (RFID) security
• OPSEC/COMSEC monitoring systems (i.e., email monitoring software)
• Spectrum management inclusion of TRANSEC
• Emanations security (TEMPEST and other vulnerability assessments)
• VoIP integration with E-911 services
• Security markings standards & software
• Open Source software security (freeware and shareware)
• Secure CHAT (XMPP) systems

WE need an enterprise “protections” risk management approach

Complex needs, complex systems, complex security

IoT adds trillions of sensors!

Cyberspace Characteristics
• What’s the big deal?
– Man-made domain… complex and insecure by design
– Global stakeholders — public, private and government and criminals / terrorists
– Speed of both action and change – zero separation
– Transcends physical, organizational and geopolitical boundaries – highly sensitive to political/legal influence
– Anonymity – identity/intent of players not always clear

RoE / CONOPS: Kinetic = virtual

“NO” boundaries

Legal aspects rule

No clear Cyber IFF!

Global reach & impact

AND sensors everywhere, (IoT) ISR/METOC, SPACE, Networks, ETC, Etc, etc!

(Source: derived from JS Cyber 101 brief)

What makes Cyber different?
Given Cyber = “virtual” warfare, somewhat different from the kinetic / physical environment we all know well

-- Includes ALL Offensive and Defensive IT/Network/IA/Security capabilities and DOTMPLF, ALL aggregated somehow

-- Essentially a select critical technical combination of offensive and defensive cyber capabilities + more integration stuff

The virtual / digital world is vastly / inherently different from the physical / kinetic one

-- A different virtual ROE than Kinetic – sometimes reversed, legally constrained (and what is “an act of War?” / what is “force in kind”)

-- Shared vulnerabilities mandate a proactive, dynamic defensive posture – a “mission kill” is one e-mail away

‐‐ Thus a crisis of prioritization, where everything is urgent, mandatory… and the many CoC lines are blurred

Cyber Security – Overall Status
(Senior IA/Cyber VIP – The same issues as 40-50 years ago, but better in last 10)

Status by area (G / Y / R trending indicators shown on the slide, in order: G, Y, Y, R, G, G, G):
• Technology – We have what we NEED NOW
• Business – Some LSIs resist change
• Policy – Legislation poor; can’t be voluntary
• Procedures / standards – NIST done well; need uniform implementation
• Education – 170+ CAEs (schools), 10,000+ / year
• Leadership – Complexity vs CISO; C-suite complacency and inability to absorb
• Awareness – Education starting earlier, STEM, NICE

We all need to provide an integrated, cyber package that is affordable

What are KEY cyber elements?
(and what can we reasonably expect to influence / affect?)

Fundamental issues…. (givens?)
- Threats are elusive / morph – so plan / mitigate around consequences (aka, a fault tree)
- KISS, as complexity is our enemy – do the basics well (hygiene, anonymity, etc)
- In a connected world, it’s the shared vulnerabilities that will get you / ALL of us
- “They” have an asymmetrical advantage, plan with it (and they don’t follow the rules/laws)
- WE ALL need common homogenous security protection in a heterogeneous world

If you don’t know where you’re headed, any blind alley will do – where the bad actors continue to count on US ALL not being in sync

Essential gaps / needs… (tenets?)
- Invest in the OSD / NSA R&D / S&T “gap” capabilities, as authoritative sources
- Apply trade-offs / assessments using a common end-state (an ‘open’ / ubiquitous world)
- Using an enterprise risk management plan (RMP), and FOCUS on proactive SCM!
- If you can’t integrate “it” into your IT/network environment, then “it” is useless
- Minimize “what you don’t know you don’t know” & get cyber insurance

Threat Vectors
(note MOST sources are operational, not technical *)

[Diagram: threat sources by Natural / Unintentional / Intentional and Insider / Outsider]

Natural:
• Fires
• Floods
• Power failures

Unintentional (Insider):
• Poorly trained administrator
• Accidents
• Lazy or untrained employee

Intentional (Insider):
• Fired employee
• Disgruntled employee
• Subverted employee
• Service providers
• Contractors

Intentional (Outsider):
• Foreign intelligence agents
• Terrorists
• Criminals
• Corporate raiders
• Crackers

* Lack of adequate “CM” (including useable, reportable audits) is “THE” main IA control most often not met

Threat Vectors of Interest (examples)
Mobile devices and cloud infrastructure hacking – biggest attack vectors

• Mobile devices … and wireless always predicted, yet proliferates in 2014
– Increasing Android Trojans, digital wallets, USER provided network services / access points!
– BYOD – many more hidden costs, legalities and risks than it appears at first…

• Cyber crime: easy money, minimal downside and growing (ransomware, etc)
– Illicit cyber revenues equal all illegal drug trafficking dollars (CryptoLocker)

• The insider threat is much more “impactful” than given credit for
– Considering compromised services and computing devices of all kinds (aka, supply chain security).

• Forbes – The Biggest Cybersecurity Threats of 2013 – Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware

• SSL/XML/web (HTML5)/browser vulnerabilities will proliferate
– Browsers remain a major threat vector (80% – bypasses the IA suite) & ‘watering holes’
– JAVA / VM / active code MUST be strictly managed / controlled / under “CM”

• Convergence of data security and privacy regulation worldwide..
– Compliance gets pervasive (PCI DSS, HIPAA, etc) ... Shift focus to “privacy by design”!
– More targeted custom malware (Stuxnet -> Duqu / and FLAME! are only the beginning)

• Misanthropes and anti-socials / hacktivism morphs – ANYONE can do it now!

Verizon Data Breach Investigations Report – DBIR (2014)
We have met the cyber enemy, and they are US

10 year series, 63,437 incidents, 1,367 breaches, 95 countries

WHAT – 92% of incidents described by just nine patterns – from geopolitical attacks to large-scale attacks on payment card systems

Sectors – Public (47,479), Information (1,132) and Finance (856)

Threats (%):
- POS intrusions – 31
- Web App Attacks – 21
- Cyber espionage – 15
- Card Skimmers – 14
- Insider misuse – 8
- Crimeware – 4

Mitigations (HYGIENE factors):
- restrict remote access
- enforce password policies
- Minimize “non” POS activity on those terminals
- Deploy A/V (on POS too)
- evaluate threats to prioritize treatments
- Look for suspicious network activity
- Use two-factor authentication

See also – Ponemon Institute’s cyber report. Key threats – from cost based activities: Malware, malicious insiders and web-based attacks

A huge sample size! This includes YOUR business category too !!!

Strategic Cyber Elements

(1) Collaborate on common enterprise IA / cyber strategy and vision – policy mapped to prioritized capabilities with assigned resources = “good enough” / cyber sufficiency!

(2) Develop a common overall enterprise risk management (ERM) approach – accounts for both significant threat vectors AND vulnerability consequences -> key mitigations; use the NIST “RMF” (Risk Management Framework (800-37)) weighted in the CNCI-2 12 focus areas

(3) Align and synchronize resources and cyber gaps / initiatives – across federal & commercial organizations and tier 1 – tier 3 architecture perspectives (IT & cyber are ONE)

Top down approach to a balanced, prioritized cyber execution plan

(4) Address pervasive lack of basic cyber hygiene enterprise wide – within the complete, life-cycle aspects of an organization’s people, processes and products (technology); enforce a scalable, global access control model, that preserves least privilege, “attenuated delegation” (ZBAC)

(5) Reduce complexity – Build a trusted cyber infrastructure – use APLs along with the existing IA/CND infrastructure, as an integrated “SoS” – with enforced CM; thus optimize our overall cyber package and ensure synchronization and RESILIENCY!

(6) Better integrate / leverage education and ‘proactive defense’ – “stealth offense” best left to law enforcement, qualified federal entities (or escalation / retaliation will occur)

Building a Trusted Cyber Infrastructure
“an adequately assured, affordable, net-centric environment”
(all from disparate heterogeneous capabilities that we must integrate into a homogenous cyber ecosphere!)

Make IA / CND / security a commodity:
Use IA building blocks = APLs/PPLs -> “NIAP”
Interoperability and Compose-ability are built in upfront and help dramatically reduce complexity and ambiguity
Thus…. establishing known risks & pedigrees: Reduces attack surface, risks / impacts & TOC

Focus on a few core capabilities & devices = PC, routers, IA suite, Servers, & SANS – all with access control
Treat as a “SoS”: with high EAL

[Diagram: network components with Evaluation Assurance Levels – Eval Assur Level (EAL) scale shown: 2, 3, 4, 5, 6, 7]
Components: WAN Router, Distribution Router, Core Router, PC / End user devices, Servers, SANS / Network Devices, IA Suite, Security Monitor
Labels shown: “Assured” IOS – Various EAL; EAL 4–5; EAL 4; EAL 3–4 – Secure OS; TSM / HBSS / ZBAC; Standard IA/CND suite – FW, A/V, IDS/IPS, CDS, etc; HW / FW – Secure OS kernel; Secure Virtual Machine – Strict access / ZBAC; ALL OSes (MS, Mac, Unix); EAL 6; EAL 5–6 – Data centric security – Defensive I&W – Strict access / ZBAC

All connections / communication paths need Assured Identity, authentication & authorization

RFID, MEMS, WSN, sensors, ICS / SCADA, etc

Data centric services and cloud evolution – ownership and security

[Diagram: the same seven-layer stack under each service model, with each layer marked “You manage” or “Vendor managed”]
Layers (top to bottom): Application, Data, Middleware, OS, Virtualization, CPU/Storage, Networking

• On-premises “Pre-cloud” – You manage every layer
• Infrastructure as a service “Cloud v1” – Vendor managed lower layers; you manage the rest
• Platform as a Service “Cloud v2” – Vendor managed further up the stack; you manage the top layers
• Software as a service – Vendor managed throughout

PaaS objective for combined / hybrid environments (with premise and cloud)

Securing the data & application layers can inoculate them from lower layer risks

“Privacy by Design” cyber model

Standard IA / CND suite = “IA devices” = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN

Typical Network infrastructure = “CCE” = common core computing environment (with ‘IA-enabled’ devices properly set-up – operating systems, database management systems, network management systems and web browsers)

Monitoring, tracking, assessment = SCM / SIEM, DLP / RbS, R-T C&A/V&V, etc

DCS iso PbD – Data Encryption end2end – focused on services / applications (PaaS model)

Multi-factor authentication - add time, location, etc (re: RAdAC end-state)

Security Policy management – Automated, serve multiple ‘avatar’ levels in PbD

Application engineering - Common model for services, applications, APIs, etc

Cloud Security Factoids

Areas that will mature soon, enhancing enterprise risk management (re: Gartner):
• Consensus on what constitutes the most significant risks,
• Cloud services certification standards,
• Virtual machine governance and control (orchestration),
• Enterprise control over logging and investigation,
• Content-based control within SaaS and PaaS, and
• Cloud security gateways, security "add-ons" based in proxy services

We recommend following both the NIST and CSA cloud guidance:
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
http://csrc.nist.gov/publications/PubsSPs.html

AND an overall, enterprise, e2e, risk management approach (e.g., RMF & FedRAMP)

The cloud security challenges are principally based on:
a. Trusting vendor's security model
b. Customer inability to respond to audit findings
c. Obtaining support for investigations
d. Indirect administrator accountability
e. Proprietary implementations can't be examined
f. Loss of physical control

Cloud Security Alliance (CSA) nine critical threats:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Shift from only protecting the network, to the DATA itself!

(e.g., data centric security)

Cloud Security Summary
Security in the cloud is likely better than you have in-house

* Security is the SAME everywhere – ‘WHO does which’ IA controls changes

For more details see paper: Cloud Security – What really matters? At http://www.sciap.org/blog1/ (under Cyber Body of Knowledge )

* Don’t sell cloud – offer security capabilities instead – end2end services

* Few are “all in” the cloud @ 100% - Hence TWO environments to manage

* ALL must use the same cloud security standards (and QA in SLA)
http://www.sciap.org/blog1/wp-content/uploads/Cloud-Security-Standards-SEP-20131.xlsx

* Implement SCM / SIEM – integrate cloud metrics / status (& QA the SLAs)

* Service Level Agreements (SLA) not sufficient – trust but verify (Orchestration SW ?)

* Encrypt everywhere - Yes more key management, but risks greatly reduced

* Data owners always accountable for PII / privacy / compliance (& location)

* Update Risk management Plan (RMP) = Comms, COOP…. with cloud R&R
http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf

Mobile Security perspective

http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf

Key Issue / Risk Findings:

• Extensive use of mobile devices connecting to corporate networks
-- 89% have mobile devices such as smartphones or tablets connecting to corporate networks
-- Apple iOS is the most common mobile platform used to connect in corporate environments

• Personal mobile devices that connect to corporate networks are extensive and growing
-- 65% allow personal devices to connect to corporate networks
-- 78% have more than twice as many personal devices on corporate networks vs 2 years ago

• Security risks are on the rise because of mobile devices
-- 71% say mobile devices have contributed to increased security incidents
-- The Android mobile platform is considered to introduce the greatest security risks

Check Point’s global survey of 768 IT professionals conducted in the United States, Canada, United Kingdom, Germany, and Japan. The survey gathered data about current mobile computing trends…

Mobile / wireless are HUGE threat entry points!

--- BYOD is NOT ‘cheap’ ---
• Employee behavior impacts security of mobile data
-- 47% report customer data is stored on mobile devices
-- Lack of employee awareness about security policies ranked as greatest impact on data security
-- 72% say careless employees are a greater security threat than hackers

• Contrast that 75%+ of users with personal devices with the percentage of employers who have a coordinated and comprehensive mobile security strategy in place (10%), and you see the problem…

*** NSA/CSS “Mobility Capability Package” = Architecture / Certification - a MUST DO *** http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_2_0.pdf

Integration, execution is everything
as if you can’t implement well, it costs you everywhere!!!

The quantitative benefits of systems integration and interoperability (I&I) are:
1. Shorter/reduced steps in business processes
2. Time taken to process one application/record
3. Less complaints from members of the public
4. No. of applications/records processed over a period
5. Less complaints from end-users
6. Reduced number of errors
7. Reduced software development time/effort
8. Reduced maintenance
9. Reduced no. of IT personnel

The best capability means little, if it stays in the box

Until the user is happy using & benefitting from the new capability, it has no value

Buying stuff is “easy”; getting it to work in your environment is hard…

Plan for “I&I” – then double it

The qualitative benefits of I&I are:
1. Improved working procedures
2. Better communication with other related organizations
3. Job satisfaction
4. Redefine job specification
5. Improved data accessibility
6. One-stop service
7. More friendly public service

SO… what MUST WE ALL DO???
NIST’s “absolutely necessary” Security Protections

NIST – National Institute of Standards and Technology

• Protect information/systems/networks from damage by viruses, spyware, and other malicious code. (IA suite, A/V, encryption, etc)
• Provide security for your Internet connection / ISP
• Install and activate software firewalls on all your business systems
• Patch your operating systems & applications (and now “things” too!)
• Make backup copies of important business data/information

MUST DO tasks – consider this your ‘due diligence’ list
Where ALL have “CM / hygiene” aspects

• Control physical access to your computers and network components
• Secure your wireless access point and networks
• Train your employees in basic security principles
• Require individual user accounts for each employee on business computers and for business applications
• Limit employee access to data and information, and limit authority to install software

Cyber Security “Best Practices” Overview
(Best practices are not a panacea – just a guide = to DO the basics)

– Quantify your business protection needs – do you have an asset inventory?
– Determine what is “good enough” or minimally acceptable for your business
– Quantify your environment’s threats and vulnerabilities
– Have a security policy that’s useful, complete, CEO/leadership endorsed
– Run self-assessments on security measures (use accepted tests, STIGs, PenTests, etc) and compliance (HIPAA, PCI, CFR, SOX, etc)
– Training and awareness programs – much needed, but not a guarantee

As, you can somewhat control what you plan, but you usually ONLY get what you enforce!

– TEST your BCP, COOP, recovery plans, backup – have you ever restored?
– Encrypt where you can – assess where / how you need it (IM, e-mail, file transfer, storage, backup, etc)
– Be familiar with / USE the “NIST” IA/Security series – they are very good!
– DO / check / enforce the cyber basics (re: hygiene, access control, simplify & SCM)
– Reduce complexity – use only approved / preferred products lists (A/PPLs)
– A risk management plan (RMP) – using both threats AND consequences

Key Tactical Thrusts to DO Now

• COMMON national cyber security approach / end-state
• Consequence based enterprise risk assessment (don’t chase threats)
• Dynamic Cyber Enterprise Management (enforced hygiene)

KEY capability – security continuous monitoring (SCM) (can’t manage what you can’t measure)

High impact activities get us all moving quickly

YES! “95+%” security incident reduction

• Top-down enforcement of IA / Cyber architecture
– Secure enterprise access control / ENFORCE least privilege (re: ZBAC…) / Cyber IFF
– Common enterprise trust model (and implement TPMs, etc)
– Reduce complexity – use APLs / VPLs / IA Building blocks with pedigrees
– USE SCM to manage your IA/cyber suite quasi real-time… with SME help!

• Effective lifecycle education and training
– Targeted training – user awareness and IA/cyber SMEs (who manage it all)

What is Cyber Hygiene?
(and the HUGE percentage of security incidents caused by lack of it)

National Security Agency (NSA) (80-85%)
NSA IAD director: “Just improving the “IA Management” aspects of security (aka, hygiene factors) will reduce security incidents by over 80%”
IA Management = CM, monitoring environment, follow SOPs
http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf
http://www.sans.org/critical-security-controls/guidelines.php

HYGIENE = Maintaining / monitoring your IA / Security / cyber equipment settings
As any incorrectly set cyber capabilities make them much less effective!

Verizon (2012 Data Breach Investigations Report) (up to 97%)
Report covered 855 incidents, 174 million compromised records
--- Breaches almost entirely avoidable through simple or intermediate controls
Threats: 98% from external agents, 81% from hacking… 69% used malware
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Navy (our “red team” / NCDOC) (over 90%)
Poor “accountability” factors = willful misuse, lack of CM (& IAVA / patches), not having / following procedures, weak enforcement of policy, etc
They must spend all their time / resources fixing the “easy” vulnerabilities…

Cyber Hygiene – the many faces of neglect
Our IA/CND/Security cyber suite is quite good – IF maintained!

• Equipment settings (FW, A/V, IDS, etc) – Monitor / enforce
• Standard operating procedures (SOPs) – USE / enforce them
• Social media – Content & settings – Restrict sharing / privileges
• Security Education – ALL levels – reinforce; Incentivize – good vs bad
• Privacy and “PII” – Enforce policy (note – “EU” is stricter)
• Incident reporting – No incident too small – Notify USCERT / FBI
• Controlled Access – Enforce least privilege – Separate / rotate duties
• Know your security baseline AND employ SCM / SIEM
• Maintain Cyber Suite – Patches, upgrades, etc

Forbes top threats for 2013: “MOST” have “CM / hygiene” AND / or “access control” aspects
Social Engineering; APTs; Internal Threats; BYOD / mobile malware; HTML5; Botnets; CLOUD infrastructure, & Precision Targeted Malware

(compliance == security)
Will lack of cyber hygiene continue to put you at MUCH greater risk?

Cyber Education triangle
“clarifying the fog of cyber security through targeted training”

Education levels (top of the triangle to its base):
• Advanced – MS / BS Cyber; CISSP / GISP / CISO / etc; forensics / ethical hacker / etc
• Targeted – Firewall / cloud security / Crypto & Key mgmt / “*”
• Foundational (KEY break point ->) – Security+; Awareness Education; STEM (grades 7-12); Small business security course & practicum – Expands the pool for advanced education

Curriculum & Resources: Linked / leveraged (on-line, companies, colleges, etc)

(“*” = IDS/IPS, anti-virus, wireless, application development / management, web/mobile code, mobile, etc…)

Hierarchy of Cyber Needs (i.e..…Maslow…)Where if you don’t take care of the level before the one you are operating in, focusing on, then your efforts are for the most part mute, as you are in a higher risk status until the earlier level is satisfied!

1 – Resiliency – Survival / recovery
+ Secure backup (types / methods, various sites / levels)
+ Incident responses (company processes, comms with LE / FBI, etc)
+ Recovery Plan – COOP / BCP (phases of recovery, hot / mirror site, etc)

2 – Cyber foundation
+ Access control (PW, CAC, enforce least privilege, separate / rotate duties, etc)
+ Layered Defense – IA/CND strategy – WHAT capabilities are needed
+ Security Policy (privacy, social media, PII, etc) – enforcement aspects too
+ Monitoring / Know your baseline – SCM / SIEM
+ Tools – selection and integration
+ Business Risk Management / Assessment (RMF / COBIT) / requirements analysis with an AoA

3 – Cyber Maintenance – security hygiene / CM / SOPs
+ Manage Policy – social media – content & settings… restrict sharing / privileges = proactive monitoring
+ Maintain Cyber Security Suite – patches, upgrades, etc… control system settings… & dashboard!
+ Standard operating procedures (SOPs)… USE / enforce them
+ Security training / education awareness – ALL levels – reinforce / incentivize – pos & neg

4 – Applied cyber security (IA / CND / security capabilities best practices)
Given the best practices and cyber protections approach below, distill the key attributes for each IA/CND capability, while following (and tailoring for the company’s environment) the install instructions of the products… specific equipment settings for ‘secure’ sustainment / operations = Firewall, A/V suite, IDS/IPS, Crypto, Key mgmt., Mobile, wireless, Network, apps, data security, etc

5 – Cyber actualization – compliance / assessment / analytics
+ V&V / TE&C / C&A – formal proof -> residual risks -> cyber value proposition
+ KEY compliance activities – PII, PCI, HIPAA, etc
+ Forensics / ethical hacker
+ Big data / predictive analytics (integrate SCM / SIEM, IA/CND reports, etc…)
+ Pen / security testing (of all cyber capabilities, backup, PW, etc)
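The “know your security baseline AND employ SCM” point on the hygiene slide, and the monitoring and maintenance levels (2 and 3) of the hierarchy above, come down to one repeatable check: record the validated state, then report every deviation from it. The script below is an added example and not the presenters’ material; the file paths, setting names and file contents are constructed for illustration, and a real deployment would read the current state from the host and keep the baseline itself under change control.

```python
"""Baseline-drift check: the 'know your security baseline' step from the slides.
Added example, not the presenters' code. All paths, setting names and contents
are constructed; a real run would snapshot them from the host being checked."""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Golden state recorded when the build was last validated (constructed values).
BASELINE_FILES: Dict[str, str] = {
    "/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": sha256_hex(b"%admin ALL=(ALL) ALL\n"),
}
# Settings that must match exactly (constructed names).
BASELINE_SETTINGS: Dict[str, object] = {
    "firewall.default_inbound": "deny",
    "endpoint.users_can_install_software": False,
}
# Settings with an upper bound rather than an exact value (constructed).
BASELINE_LIMITS: Dict[str, int] = {
    "antivirus.signature_age_days": 1,
}


def check_drift(current_files: Dict[str, bytes],
                current_settings: Dict[str, object]) -> List[str]:
    """Return a sorted list of deviations from the baseline; empty means no drift."""
    findings: List[str] = []
    for path, expected_hash in BASELINE_FILES.items():
        if path not in current_files:
            findings.append(f"MISSING {path}")
        elif sha256_hex(current_files[path]) != expected_hash:
            findings.append(f"MODIFIED {path}")
    # Files nobody baselined are drift too: no change record approved them.
    for path in current_files:
        if path not in BASELINE_FILES:
            findings.append(f"UNBASELINED {path}")
    for key, expected in BASELINE_SETTINGS.items():
        if key not in current_settings:
            findings.append(f"UNSET {key}")
        elif current_settings[key] != expected:
            findings.append(f"SETTING {key}={current_settings[key]!r} expected {expected!r}")
    for key, limit in BASELINE_LIMITS.items():
        value = current_settings.get(key)
        if value is None:
            findings.append(f"UNSET {key}")
        elif value > limit:
            findings.append(f"LIMIT {key}={value} exceeds {limit}")
    return sorted(findings)


# Constructed snapshots: one matching the baseline, one that has drifted.
CLEAN_SNAPSHOT = (
    {"/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
     "/etc/sudoers": b"%admin ALL=(ALL) ALL\n"},
    {"firewall.default_inbound": "deny",
     "endpoint.users_can_install_software": False,
     "antivirus.signature_age_days": 0},
)
DRIFTED_SNAPSHOT = (
    {"/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
     "/etc/sudoers": b"%admin ALL=(ALL) ALL\n",
     "/etc/cron.d/updater": b"* * * * * root /opt/updater.sh\n"},
    {"firewall.default_inbound": "allow",
     "endpoint.users_can_install_software": True,
     "antivirus.signature_age_days": 4},
)

if __name__ == "__main__":
    for name, (files, settings) in (("clean", CLEAN_SNAPSHOT), ("drifted", DRIFTED_SNAPSHOT)):
        findings = check_drift(files, settings)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for line in findings:
            print("  " + line)
```

A hash-only baseline tells you that a file changed, not which line; that is enough to raise the ticket, and the diff belongs in the change record. Findings come back sorted so two runs can be compared line by line, or shipped to the SIEM as one event each, which is the “ongoing diagnostics AND mitigations” loop the later slides refer to.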

[Figure: skill levels of the practicum]
Apprentice – BASICs
Journeyman – Operations
Master – Optimized Value
KSA / practicum based on small business security
References: NSA IAD top ten tasks; Top 20 security controls; Top 35 mitigations

Why Technical Level Application?
• IT Professionals lack applied cyber skills
– Certs and degrees but no demonstrated practical experience
• Small/medium sized businesses have needs but unclear idea of scope
– Raise awareness for covering basics – 95% of the operational incidents
• Availability and cost of training
– Boot Camp education and certification doesn’t work as practiced
– SANS conference training is long and costly (at major cities)
• SANS Boot Camp for Cyber Essentials – Austin, Tx, Apr 28 – 3 May, $4,895.00
– Where are all the local Cybersecurity education resources?
• UCSD, National University, SDSU, Coleman College – not applied cyber curriculums

Cyber Essentials Course for SMB – week schedule
[Schedule figure: Mon–Fri, time slots 0800, 1100, 1200 and 1600, with lunch breaks and a “return to office” block at the end of the week]
Session blocks shown: Cyber Overview; Resiliency; Foundations; Applied; Operations & Maintenance; Actualization & Review

What can you DO right now?
Ready for immediate implementation = 95+% incident reduction

1 – Install tools/scripts to catch USERS’ mistakes… lock down the end devices (only allow root admin to install anything…). Use effective access control (enforce least privilege!)

2 – Manage the browser as THE threat vector… (80% of malware comes through here)
Have ONE secure browser version (IE9), use the ‘guest’ account (force downloads to one folder), and manage a specific settings profile (to manage active code / Java, etc)
Implement a ‘deny all’ access approach; allow URLs using only a controlled white list (no, this is NOT hard to do!)

Cyber continues to be about “US ALL” doing the basics

3 – Run tools / application firewalls to minimize zero-day problems, and enforce CM/hygiene, along with "defensive I&W" monitoring tools (re: SCM / SIEM – #5)

4 – KISS / reduce IA complexity… only buy cyber products off APLs/PPLs (they have pedigrees / C&A already!)… and USE their security features… like TPM!!

5 – USE a security continuous monitor (SCM) firm for real-time scans for both current vulnerabilities (SQL injection, et al) and new threats… (where the firm has feeds/data from US-CERT, etc, so they are always current on new threats / zero-day problems)

6 – If you make IT stuff, build IA/security in; there are lots of simple guides:
http://www.sans.org/critical-security-controls/guidelines.php
http://www.sans.org/top25-software-errors/
We’re STILL lax… Google “DarkReading Real-World Developers Still Not Coding Securely”
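Item 2 above calls for a ‘deny all’ browser policy with a controlled white list. The script below is an added example, not the presenters’ code, of the decision a proxy or browser policy has to make for every request; the allow-list entries and the sample URLs are constructed. It decides on the parsed hostname rather than on substring matching, so look-alike hosts, non-http schemes and URLs carrying userinfo fall through to the default deny.

```python
"""Deny-all URL policy with a controlled allow list (item 2 on the slide).
Added example, not the presenters' code. ALLOW_LIST and SAMPLE_URLS are
constructed for illustration; a real list comes from the company's policy."""
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed allow list: exact hosts, or "*.domain" for a domain and its subdomains.
ALLOW_LIST: Tuple[str, ...] = (
    "intranet.example.com",
    "*.vendor-portal.example",
    "payroll.example.net",
)
ALLOWED_SCHEMES = ("http", "https")


def host_allowed(host: str, allow_list: Tuple[str, ...] = ALLOW_LIST) -> bool:
    """Exact match, or suffix match on a dot boundary for '*.domain' entries."""
    host = host.lower().rstrip(".")
    for entry in allow_list:
        entry = entry.lower()
        if entry.startswith("*."):
            base = entry[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False


def url_allowed(url: str, allow_list: Tuple[str, ...] = ALLOW_LIST) -> bool:
    """Deny by default; allow only a parseable http(s) URL whose host is listed."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # .hostname drops userinfo, port and IPv6 brackets; it is None when absent.
    host = parts.hostname
    if not host:
        return False
    return host_allowed(host, allow_list)


def filter_requests(urls: Iterable[str],
                    allow_list: Tuple[str, ...] = ALLOW_LIST) -> Tuple[List[str], List[str]]:
    """Split a batch of requested URLs into (allowed, denied), preserving order."""
    allowed: List[str] = []
    denied: List[str] = []
    for url in urls:
        (allowed if url_allowed(url, allow_list) else denied).append(url)
    return allowed, denied


# Constructed sample of requests, in the order a proxy log might show them.
SAMPLE_URLS = [
    "https://intranet.example.com/timesheet",
    "https://app.vendor-portal.example/login",
    "http://PAYROLL.example.net:8080/",               # case and port do not matter
    "https://intranet.example.com.lookalike.test/",   # listed name as a prefix only
    "https://vendor-portal.example.elsewhere.test/",  # wildcard base as a prefix only
    "ftp://intranet.example.com/",                    # scheme not permitted
    "https://user@intranet.example.com@elsewhere.test/",  # listed name inside userinfo
    "not a url",
]

if __name__ == "__main__":
    ok, blocked = filter_requests(SAMPLE_URLS)
    print("allowed:", *ok, sep="\n  ")
    print("denied:", *blocked, sep="\n  ")
```

The denied list is the interesting output: reviewing it is how the white list grows in a controlled way, and feeding it to the SCM / SIEM service in item 5 turns repeated denials for the same host into a signal worth investigating.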

“Overall Way Forward” (given all the unknowns, variables… this is “one” approximately correct path… ;-))

• Company Vision embedded in Cyber Plans/RMP…
– know where you are going, where the passion is / what the USER values
– Hope is Not a Strategy – re: 2012 Annual DDoS Attack and Impact Survey!

SO… Quit admiring the “cyber problem / threat” and start DOING something!

• Risk Management Plan… RMP
– Use NIST’s RMF! Have a dynamic, realistic RMP supporting your business success metrics… as you ARE betting your livelihood on cyber!

• Effective, enforced Policy…
– Embedded in core business success factors, rules to enforce statutory, legal mandates, key processes, to enforce behavior (pos & neg incentives)

• The Basics, basics, basics…
– New toys matter little, if your environment(s) are not managed (SCM / SIEM!)
– Poor hygiene / CM causes almost ALL security incidents (80 – 97%)


What small businesses need to know about cyber security before they can offer services to the government

In general, companies must provide a commensurate security level as the government site they are going to do business with… (see NIST & GSA & FISMA web sites below)

This NIST publication provides a good overview of the government requirements, which in general need to be met by companies connecting to government sites in support of services provided:
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

Information Security rules by GSA:
http://www.gsa.gov/portal/content/104257

FISMA rules / regulations are also representative of items to be assessed:
http://csrc.nist.gov/groups/SMA/fisma/index.html

VA has a contract clause that’s fairly standard:
http://www.iprm.oit.va.gov/docs/Appendix_C.pdf

The Education Department has a good overview of requirements:
http://www2.ed.gov/fund/contract/about/bsp.html

New LAWs – Government Contractors Subject to Cybersecurity Regulations – More are on the Way:
http://www.scribd.com/doc/89226369/Government-Contractors-Now-Subject-to-Cybersecurity-Regulations-%E2%80%93-And-More-are-on-the-Way

Small business security overview (and detailed brief on the major security product details too):
http://www.sciap.org/blog1/wp-content/uploads/Small-Business-Security-ADT-Cluster-v4_Mike_Davis_July_26_2011.pdf


How to find / bid on government contracts
MUST have DUNS number or Cage Code (and capability statement/documents)

Central source for SBA:
http://www.sba.gov/content/federal-contracting-resources-small-businesses

+++ System for Award Management (“SAM” – register here first / asap… it drives many other processes):
https://www.sam.gov/index.html

FedBizOpps:
https://www.fbo.gov/

SPAWAR small business opportunities:
http://www.public.navy.mil/spawar/Documents/Small_Business/SPAWAR_3_year_Acquisition_Forecast_22_May_2013.pdf

Federal Procurement Data System:
https://www.fpds.gov/fpdsng_cms/

Dynamic Small Business Search:
http://dsbs.sba.gov/dsbs/search/dsp_dsbs.cfm

Interested in the SBIR / STTR programs? See the overview offered below:
http://www.navysbir.com/overview.htm

You REALLY need an effective business plan to show clients and investors the big picture:
http://100startup.com/resources/business-plan.pdf

IA/security resources – Main sites:

https://infosec.navy.mil

http://www.doncio.navy.mil/TagResults.aspx?ID=28

http://iase.disa.mil/index2.html

other IA/Security sites:

http://csrc.nist.gov/

http://www.nsa.gov/ia/index.shtml

http://www.cisecurity.org/

other IA/Security sites (cont):

http://www.cert.org/

https://www.cccure.org/

http://www.commoncriteriaportal.org/

https://www.sans.org/programs/

https://www.thecsiac.com/resources/all

http://www.cerias.purdue.edu/

http://www.dhs.gov/topic/cybersecurity

http://iase.disa.mil/stigs/index.html

SUMMARY
SO…. What “really” matters in Cyber?

DO the cyber BASICS well, for things, people & processes
Invest in select, KEY new capabilities & follow your RMP!!!

Take ACTION: (1) security assessment, (2) SCM/SIEM, & (3) Cyber insurance!

• OSD / federal S&T activities
– Distributed Trust
– Resilient Architectures
– Response and Cyber Maneuver
– Visualization and Decision Support
– Dynamic policy management (RaDaC)
– Detection and Autonomic Response
– Recovery and Reconstitution

• NSA / agency S&T activities
– Mobility, wireless, & secure mobile services
– Platform integrity / compliance assurance
– End client security
– Cyber indications and warning (I&W)
– Mitigation engineering (affordability)
– Massive data – (data centric security)
– Advanced technology…. (targeted)
– Virtualization – secure capabilities

AND doing the BASICS: (1) enforced cyber hygiene, (2) effective access control, (3) reduced complexity in IA / cyber (APLs / NIAP / approved products), (4) IT / IA / Cyber “SCM / SIEM” (ongoing diagnostics AND mitigations / SIEM)

It’s all about TRUST and DATA


It’s NOT all about expensive new “cyber capabilities” but more about interoperability