SD IEEE – Cutting through the fog of cybersecurity (transcript)
Mike Davis, MSEE, EE, CISSP – Cyber Security Consultant, [email protected]
Glenn Jacobs, BSEE, Security+ – Cybersecurity Small Business & [email protected]
Doug Magedman, MS Cybersecurity and IA, MS OA/HSI, BS-BME – SPAWAR HQ Technical [email protected]
Cutting through the fog of cybersecurity – What “REALLY” matters in Cyber?
25 April, 2014
(Slide graphic: “COMPLEXITY” / “easy button”)
Bottom line – it’s all about risk management AND – the ‘value proposition!’
SD ISC2 / SD IEEE
What’s Wrong With This Security? – What level of protection is provided here?
The gates were fully locked, properly configured and validated. I could not get through them. But.... So Cyber can be an illusion…
When a capability is “invisible”, like IA, safety, reliability, etc., what you see is not the whole picture!
Cutting through the CyberSecurity Fog! – B.L.U.F. (Bottom Line Up Front)
• The threats are very real, and the news shows a small percentage. It does not just happen to the other guy – YOU WILL be / ARE affected.
• Focus on business risk reduction and minimizing legal liabilities. Adequate cyber protections are but one part – so is insurance…
• You cannot buy cyber security, you must manage it – many parts. The standard IA/Security suite is pretty good – IF maintained.
• “P6” principles still apply – as do strategic partnerships. Few can afford to go it alone – use MSS, 3rd party SMEs.
• Don’t fix cracks in the cyber walls while the barn door is open! Fixing / maintaining your cyber suite cuts incidents by 95%.
The Heartbleed Saga
• Affects more than just PCs!!! “A Billion Smartphone Users May Be Affected by the Heartbleed Security Flaw. The OpenSSL Heartbleed does not affect most of the providers of enterprise mobile management solutions, but…” http://www.forbes.com/sites/bobegan/2014/04/11/a-billion-smartphones-users-may-be-affected-by-the-heartbleed-security-flaw/
• Even the infrastructure we rely on is not immune to “zero day” flaws.
• CNET compiled a list of the top 100 sites across the Web, and checked to see if the Heartbleed bug was patched… Once patched: re-issue certs, then change passwords! http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
• In-depth explanation of what exactly Heartbleed is, and what it does: “…open-source software called OpenSSL that's widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where the most sensitive of data is stored….” http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/
• Most Americans Haven't Even Checked To See If They Were Affected By Heartbleed (only 23 percent of respondents have even checked to see if any websites they use were affected by the bug, while 77 percent said they have not checked; slightly more people – 38 percent – have changed their passwords). http://www.huffingtonpost.com/2014/04/21/heartbleed-bug-poll_n_5175663.html
SO… what does matter in Cyber?
• It’s NOT about expensive new cyber capabilities / “toys” but more about the interoperability “glue” (distributed trust, resiliency, automation, profiles).
• You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% solution to MOST vulnerabilities – stabilize the environment!
• CYBER is fundamentally all about TRUST and DATA (identity / authentication / secure comms – provenance, quality, pedigree, assured).
• 90+% of security incidents are from lack of doing the basics!
  – HAVE effective Security Continuous Monitoring (SCM / SIEM) – a MUST DO!
  – USE enforced cyber hygiene, enterprise access control, & reduced complexity (APLs).
  – Shift from only protecting the network to the DATA security itself – information centric view.
• Embrace your Risk Management Plan (RMP) – LIVE IT!
  – Have an enforceable security policy – what is allowed / not – train to it.
  – KNOW your baseline – protect the business from the unknown risks as well.
  – Employ a due diligence level of security – then transfer residual risks!
Yes, it is ALL about the DATA! – 2020 Vision
(Courtesy of Dan Green / SPAWAR):
Themes and Memes (Technology vs Technology Adoption)
• Convergence = Genomics, Robotics, Informatics, Nanotech (each a $B+ market)
• Meme: an idea, behavior, or style that spreads from person to person within a culture
• It’s a data-centric world, we need privacy by design – is your data ‘safe’?
• “CBAD” = Cloud, Big Data, Analytics, Data Science (are you ‘all-in’?)
• Telematics = Sensing robotics, Cyber Physical Systems (will kids need to learn to drive?)
• Interactive 3D = Augmented Reality, HTML 5, Three.js (3D graphics for WebGL)
• Embedded Computing = eHPC, Tessel (mCPU / Java), Programmable hardware
• LBS = Location Based Services, IPS, Beaconing, NFC
• IoT = Internet of Things, M2M, Quantified Self
• Mobilization = Preparation for Conflict/Competition, Autonomy, The Draft
• STEM = Science Technology Engineering Math, Generation NOW, Old Dogs (YOU)
Cyber Security opportunities (& related System Engineering / Integration efforts)
IT / Cyber Global factors – user pull:
• World-wide B2B – Trust / cloud / sharing
• IoT / M2M – Automation / Sensors
• Consumerization of IT – Phones / wireless / apps
• Privacy / Data – IP / PII / compliance
GAPS / Needs (from the Federal cyber priority council S&T gaps):
• TRUST – Distributed / MLS
• Resiliency – SW / apps / APIs / services
• Agile operations – BE the vanguard / integration
• Effective missions – Business success factors
Vulnerabilities / Threats (Verizon DBIR, Forbes, etc. threat reports – what ails us most):
• CM / Hygiene – patching / settings
• Access control – Authentication is key
• TOP security mitigations – Whitelist, patch, limit access
• Risk Mgmt – Ad hoc / not global
Future Opportunities:
• SIEM / SCM – QA hygiene / sensors – “ESA” / simple tools!
• Mobile Security – Poor apps / iOS weak – billions of users = volume
• Mitigate Obsolescence – Minimize patching, legacy vulnerabilities – OA / modularity / APIs & SCRM
• Data Security – Predictive analytics – Privacy by design
Effective Business risk management (BRM) = cybersecurity framework (CMMI / RMF / COBIT)
Reducing business risk / liabilities… Managed security services (MSS) & cyber insurance…
The Integrated BRM Approach + Small / Medium Business (SMB) – THE ANSWER
RMP:
• Company Vision (business success factors)
• C&A / V&V (effective / automated)
• Security Policy (mobile, social media, etc.)
• Education / Training (targeted, JIT, needs based)
• Known Baseline (security architecture)
• CMMI / Sustainment (SOPs / processes)
• MSS / vCISO (3rd party IV&V support)
• Data Centric Security (DLP, reputation based methods)
• Insider Threat / Company Intel (open source, FB, etc.)
• SCM / SIEM (monitor / track / mitigate)
• Cyber insurance (broker & legal counsel)
• Privacy by Design (manage PII, HIPAA, compliance)
Common Risk Management Plan (RMP) model (RMF / COBIT & Risk IT)
AND IAW the NIST Cybersecurity Framework (CAR / ESA)
What’s Left to Consider?
• The background / rationale
• Threats / scare tactics
• Complexity factors (that you can minimize)
• The bigger picture
THEN
• The cyber educational approach to minimize all these factors / issues
• And Summary….
Again, just go with the flow… for now… we’ll slow down in the next briefs.
A “LOT” of slides (aka ‘infographs’) – 10-15 minutes max. So skim / visualize. (6-8 slides, 15 minutes)
What is “Cyber”?
“A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”
-- DoD Definition of Cyberspace
“The military strategic goal is to ensure US military strategic superiority in cyberspace.”
-- National Military Strategy for Cyberspace Operations
Cyber space operations = employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the GIG
It could mean just about anything…. Protecting data and resources… But mostly a prioritized, balanced security portfolio.
“Measures that Protect and Defend Information and Information Systems by Ensuring Their Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. This Includes Providing for Restoration of Information Systems by Incorporating Protection, Detection, and Reaction Capabilities.”
• Availability – Timely, Reliable Access to Data and Information Services for Authorized Users
• Integrity – Quality of Information System Reflecting Logical Correctness and Reliability of Operating System
• Authentication – Security Measure Designed to Establish Validity of Transmission, Message, or Originator
• Confidentiality – Assurance that Information is Not Disclosed to Unauthorized Entities or Processes
• Non-Repudiation – Assurance Sender of Data is Provided with Proof of Delivery and Recipient with Proof of Sender’s Identity
What is Information Assurance (IA)?
(Slide graphic: INFOSEC within Information Assurance)
DATA is your most critical asset – is it adequately protected?
IA covers more than Networks
• Land-mobile radio cryptographic and key management systems (high and medium assurance)
• ASW / SONAR buoy and other disposable sensor clandestine communications
• Aircraft wireless intercom systems
• Software cryptography (medium & basic) assurance
• Software anti-tamper systems
• RF identification devices (RFID) security
• OPSEC/COMSEC monitoring systems (i.e., email monitoring software)
• Spectrum management inclusion of TRANSEC
• Emanations security (TEMPEST and other vulnerability assessments)
• VoIP integration with E-911 services
• Security markings standards & software
• Open Source software security (freeware and shareware)
• Secure CHAT (XMPP) systems
WE need an enterprise “protections” risk management approach
Complex needs, complex systems, complex security
IoT adds trillions of sensors!
Cyberspace Characteristics – What’s the big deal?
– Man-made domain… complex and insecure by design
– Global stakeholders – public, private and government, and criminals / terrorists
– Speed of both action and change – zero separation
– Transcends physical, organizational and geopolitical boundaries – highly sensitive to political/legal influence
– Anonymity – identity/intent of players not always clear
RoE / CONOPS: Kinetic = virtual; “NO” boundaries; Legal aspects rule; No clear Cyber IFF! Global reach & impact
AND sensors everywhere (IoT): ISR/METOC, SPACE, Networks, ETC, etc., etc.!
(Source: derived from JS Cyber 101 brief)
What makes Cyber different?
Given Cyber = “virtual” warfare, somewhat different from the kinetic / physical environment we all know well:
– Includes ALL Offensive and Defensive IT/Network/IA/Security capabilities and DOTMLPF, ALL aggregated somehow
– Essentially a select critical technical combination of offensive and defensive cyber capabilities + more integration stuff
The virtual / digital world is vastly / inherently different than the physical / kinetic one:
– A different virtual ROE than Kinetic – sometimes reversed, legally constrained (and what is “an act of War?” / what is “force in kind”?)
– Shared vulnerabilities mandate a proactive, dynamic defensive posture – a “mission kill” is one e-mail away
– Thus a crisis of prioritization, where everything is urgent, mandatory… and the many CoC lines are blurred
Cyber Security – Overall Status (Senior IA/Cyber VIP – the same issues as 40-50 years ago, but better in the last 10)
Area | Comment
Technology | We have what we NEED NOW
Business | Some LSIs resist change
Policy | Legislation poor – can’t be voluntary
Procedures / standards | NIST done well – need uniform implementation
Education | 170+ CAEs (schools), 10,000+ / year
Leadership | Complexity vs CISO – C-suite complacency and inability to absorb
Awareness | Education starting earlier, STEM, NICE
(Status colors as listed on the slide: G, Y, Y, R, G, G, G – trending)
We all need to provide an integrated cyber package that is affordable.
What are KEY cyber elements? (and what can we reasonably expect to influence / affect?)
Fundamental issues…. (givens?)
– Threats are elusive / morph – so plan / mitigate around consequences (aka, a fault tree)
– KISS, as complexity is our enemy – do the basics well (hygiene, anonymity, etc.)
– In a connected world, it’s the shared vulnerabilities that will get you / ALL of us
– “They” have an asymmetrical advantage, plan with it (and they don’t follow the rules/laws)
– WE ALL need common homogenous security protection in a heterogeneous world
If you don’t know where you’re headed, any blind alley will do. The bad actors continue to count on US ALL not being in sync.
Essential gaps / needs… (tenets?)
– Invest in the OSD / NSA R&D / S&T “gap” capabilities, as authoritative sources
– Apply trade-offs / assessments using a common end-state (an ‘open’ / ubiquitous world)
– Use an enterprise risk management plan (RMP), and FOCUS on proactive SCM!
– If you can’t integrate “it” into your IT/network environment, then “it” is useless
– Minimize “what you don’t know you don’t know” & get cyber insurance
Threat Vectors (note MOST sources are operational, not technical *)
Source – Insider, Unintentional:
• Poorly trained administrator
• Accidents
• Lazy or untrained employee
Source – Insider, Intentional:
• Fired employee
• Disgruntled employee
• Subverted employee
• Service providers
• Contractors
Source – Natural:
• Fires
• Floods
• Power failures
Source – Outsider, Intentional:
• Foreign intelligence agents
• Terrorists
• Criminals
• Corporate raiders
• Crackers
* Lack of adequate “CM” (including useable, reportable audits) is “THE” main IA control most often not met
Threat Vectors of Interest (examples)
• Mobile devices … and wireless always predicted, yet proliferates in 2014
  – Increasing Android Trojans, digital wallets, USER provided network services / access points!
  – BYOD – many more hidden costs, legalities and risks than it appears at first…
• Cyber crime: easy money, minimal downside and growing (ransomware, etc.)
  – Illicit cyber revenues equal all illegal drug trafficking dollars (CryptoLocker)
• The insider threat is much more “impactful” than given credit for
  – Considering compromised services and computing devices of all kinds (aka, supply chain security).
• Forbes – The Biggest Cybersecurity Threats of 2013 – Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware
Mobile devices and cloud infrastructure hacking – biggest attack vectors
• SSL/XML/web (HTML5)/browser vulnerabilities will proliferate
  – Browsers remain a major threat vector (80% – bypasses the IA suite) & ‘watering holes’
  – JAVA / VM / active code MUST be strictly managed / controlled / under “CM”
• Convergence of data security and privacy regulation worldwide..
  – Compliance gets pervasive (PCI DSS, HIPAA, etc.) ... Shift focus to “privacy by design”!
  – More targeted custom malware (Stuxnet -> Duqu / and FLAME! are only the beginning)
• Misanthropes and anti-socials / hacktivism morphs – ANYONE can do it now!
Verizon Data Breach Investigations Report – DBIR (2014)
We have met the cyber enemy, and they are US
10 year series, 63,437 incidents, 1,367 breaches, 95 countries
WHAT – 92% of incidents described by just nine patterns – from geopolitical attacks to large-scale attacks on payment card systems
Sectors – Public (47,479), Information (1,132) and Finance (856)
Threats (%) – POS intrusions 31; Web App Attacks 21; Cyber espionage 15; Card Skimmers 14; Insider misuse 8; Crimeware 4
Mitigations – restrict remote access; enforce password policies; minimize “non” POS activity on those terminals; deploy A/V (on POS too); evaluate threats to prioritize treatments; look for suspicious network activity; use two-factor authentication
HYGIENE Factors
See also – Ponemon Institute’s cyber report. Key threats – from cost based activities: Malware, malicious insiders and web-based attacks
A huge sample size! This includes YOUR business category too!!!
Strategic Cyber Elements
(1) Collaborate on common enterprise IA / cyber strategy and vision – policy mapped to prioritized capabilities with assigned resources = “good enough” / cyber sufficiency!
(2) Develop a common overall enterprise risk management (ERM) approach – accounts for both significant threat vectors AND vulnerability consequences -> key mitigations; use the NIST “RMF” (Risk Management Framework (800-37)) weighted in the CNCI-2 12 focus areas
(3) Align and synchronize resources and cyber gaps / initiatives across federal & commercial organizations and tier 1 – tier 3 architecture perspectives (IT & cyber are ONE)
Top down approach to a balanced, prioritized cyber execution plan
(4) Address pervasive lack of basic cyber hygiene enterprise wide – within the complete, life-cycle aspects of an organization’s people, processes and products (technology); enforce a scalable, global access control model that preserves least privilege, “attenuated delegation” (ZBAC)
(5) Reduce complexity – Build a trusted cyber infrastructure – use APLs along with the existing IA/CND infrastructure, as an integrated “SoS” – with enforced CM; thus optimize our overall cyber package and ensure synchronization and RESILIENCY!
(6) Better integrate / leverage education and ‘proactive defense’ – “stealth offense” best left to law enforcement, qualified federal entities (or escalation / retaliation will occur)
Building a Trusted Cyber Infrastructure – “an adequately assured, affordable, net-centric environment”
(all from disparate heterogeneous capabilities that we must integrate into a homogenous cyber ecosphere!)
Make IA / CND / security a commodity: Use IA building blocks = APLs/PPLs -> “NIAP”. Interoperability and compose-ability are built in upfront and help dramatically reduce complexity and ambiguity. Thus… establishing known risks & pedigrees reduces attack surface, risks / impacts & TOC.
Focus on a few core capabilities & devices = PC, routers, IA suite, Servers, & SANS – all with access control. Treat as a “SoS”: with high EAL.
(Slide diagram – elements as labelled: WAN Router; Distribution Router; Core Router; IA Suite; PC / End user devices; Servers; SANS Network Devices; “Assured” IOS – various EAL; EAL 4-5; EAL 4; EAL 3-4 – Secure OS; TSM / HBSS / ZBAC; Standard IA/CND suite – FW, A/V, IDS/IPS, CDS, etc.; HW / FW – Secure OS kernel; Secure Virtual Machine – Strict access / ZBAC; ALL OSes (MS, Mac, Unix); Security Monitor – EAL 6; EAL 5-6 – Data centric security, Defensive I&W, Strict access / ZBAC; Evaluation Assurance Level (EAL) scale 2-7)
All connections / communication paths need Assured Identity, authentication & authorization
RFID, MEMS, WSN, sensors, ICS / SCADA, etc.
Data centric services and cloud evolution – ownership and security
(Slide diagram: the service stack – Application, Data, Middleware, OS, Virtualization, CPU/Storage, Networking – across four delivery models:)
• On-premises “Pre-cloud” – you manage all layers
• Infrastructure as a Service “Cloud v1” – lower layers vendor managed, upper layers you manage
• Platform as a Service “Cloud v2” – lower layers vendor managed, upper layers you manage
• Software as a Service – vendor managed
PaaS objective for combined / hybrid environments (with premise and cloud)
Securing the data & application layers can inoculate them from lower layer risks
“Privacy by Design” cyber model
• Standard IA / CND suite = “IA devices” = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN
• Typical Network infrastructure = “CCE” = common core computing environment (with ‘IA-enabled’ devices properly set up – operating systems, database management systems, network management systems and web browsers)
• Monitoring, tracking, assessment = SCM / SIEM, DLP / RbS, R-T C&A/V&V, etc.
• DCS iso PbD – Data Encryption end2end – focused on services / applications (PaaS model)
• Multi-factor authentication – add time, location, etc. (re: RAdAC end-state)
• Security Policy management – Automated, serve multiple ‘avatar’ levels in PbD
• Application engineering – Common model for services, applications, APIs, etc.
Cloud Security Factoids
Areas that will mature soon, enhancing enterprise risk management (re: Gartner):
• Consensus on what constitutes the most significant risks,
• Cloud services certification standards,
• Virtual machine governance and control (orchestration),
• Enterprise control over logging and investigation,
• Content-based control within SaaS and PaaS, and
• Cloud security gateways, security "add-ons" based in proxy services
We recommend following both the NIST and CSA cloud guidance:
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
http://csrc.nist.gov/publications/PubsSPs.html
AND an overall, enterprise, e2e, risk management approach (e.g., RMF & FedRAMP)
The cloud security challenges are principally based on:
a. Trusting vendor's security model
b. Customer inability to respond to audit findings
c. Obtaining support for investigations
d. Indirect administrator accountability
e. Proprietary implementations can't be examined
f. Loss of physical control
Cloud Security Alliance (CSA) nine critical threats:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Shift from only protecting the network, to the DATA itself! (e.g., data centric security)
Cloud Security Summary – Security in the cloud is likely better than you have in-house
* Security is the SAME everywhere – ‘WHO does which’ IA controls changes
For more details see paper: Cloud Security – What really matters? at http://www.sciap.org/blog1/ (under Cyber Body of Knowledge)
* Don’t sell cloud – offer security capabilities instead – end2end services
* Few are “all in” the cloud @ 100% – hence TWO environments to manage
* ALL must use the same cloud security standards (and QA in SLA) http://www.sciap.org/blog1/wp-content/uploads/Cloud-Security-Standards-SEP-20131.xlsx
* Implement SCM / SIEM – integrate cloud metrics / status (& QA the SLAs)
* Service Level Agreements (SLA) not sufficient – trust but verify (Orchestration SW?)
* Encrypt everywhere – yes, more key management, but risks greatly reduced
* Data owners always accountable for PII / privacy / compliance (& location)
* Update Risk Management Plan (RMP) = Comms, COOP…. with cloud R&R http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
Mobile Security perspective
http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf
Key Issue / Risk Findings:
• Extensive use of mobile devices connecting to corporate networks
  -- 89% have mobile devices such as smartphones or tablets connecting to corporate networks
  -- Apple iOS is the most common mobile platform used to connect in corporate environments
• Personal mobile devices that connect to corporate networks are extensive and growing
  -- 65% allow personal devices to connect to corporate networks
  -- 78% have more than twice as many personal devices on corporate networks vs 2 years ago
• Security risks are on the rise because of mobile devices
  -- 71% say mobile devices have contributed to increased security incidents
  -- The Android mobile platform is considered to introduce the greatest security risks
Check Point’s global survey of 768 IT professionals conducted in the United States, Canada, United Kingdom, Germany, and Japan. The survey gathered data about current mobile computing trends…
Mobile / wireless are HUGE threat entry points!
--- BYOD is NOT ‘cheap’ ---
• Employee behavior impacts security of mobile data
  -- 47% report customer data is stored on mobile devices
  -- Lack of employee awareness about security policies ranked as greatest impact on data security
  -- 72% say careless employees are a greater security threat than hackers
• Contrast that 75%+ of users with personal devices with the percentage of employers who have a coordinated and comprehensive mobile security strategy in place (10%), and you see the problem…
*** NSA/CSS “Mobility Capability Package” = Architecture / Certification – a MUST DO *** http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_2_0.pdf
Integration, execution is everything – as if you can’t implement well, it costs you everywhere!!!
The quantitative benefits of systems integration and interoperability (I&I) are:
1. Shorter/reduced steps in business processes
2. Time taken to process one application/record
3. Fewer complaints from members of the public
4. No. of applications/records processed over a period
5. Fewer complaints from end-users
6. Reduced number of errors
7. Reduced software development time/effort
8. Reduced maintenance
9. Reduced no. of IT personnel
The best capability means little if it stays in the box.
Until the user is happy using & benefitting from the new capability, it has no value.
Buying stuff is “easy” – getting it to work in your environment is hard…
Plan for “I&I” – then double it.
The qualitative benefits of I&I are:
1. Improved working procedures
2. Better communication with other related organizations
3. Job satisfaction
4. Redefine job specification
5. Improved data accessibility
6. One-stop service
7. More friendly public service
SO… what MUST WE ALL DO??? NIST’s “absolutely necessary” Security Protections
NIST – National Institute of Standards and Technology
• Protect information/systems/networks from damage by viruses, spyware, and other malicious code (IA suite, A/V, encryption, etc.)
• Provide security for your Internet connection / ISP
• Install and activate software firewalls on all your business systems
• Patch your operating systems & applications (and now “things” too!)
• Make backup copies of important business data/information
• Control physical access to your computers and network components
• Secure your wireless access point and networks
• Train your employees in basic security principles
• Require individual user accounts for each employee on business computers and for business applications
• Limit employee access to data and information, and limit authority to install software
MUST DO tasks – consider this your ‘due diligence’ list, where ALL have “CM / hygiene” aspects
Cyber Security “Best Practices” Overview (Best practices are not a panacea – just a guide to DO the basics)
– Quantify your business protection needs – do you have an asset inventory?
– Determine what is “good enough” or minimally acceptable for your business
– Quantify your environment’s threats and vulnerabilities
– Have a security policy that’s useful, complete, CEO/leadership endorsed
– Run self-assessments on security measures (use accepted tests, STIGs, PenTests, etc.) and compliance (HIPAA, PCI, CFR, SOX, etc.)
– Training and awareness programs – much needed, but not a guarantee
As you can somewhat control what you plan, but you usually ONLY get what you enforce!
– TEST your BCP, COOP, recovery plans, backup – have you ever restored?
– Encrypt where you can – assess where / how you need it (IM, e-mail, file transfer, storage, backup, etc.)
– Be familiar with / USE the “NIST” IA/Security series – they are very good!
– DO / check / enforce the cyber basics (re: hygiene, access control, simplify & SCM)
– Reduce complexity – use only approved / preferred products lists (A/PPLs)
– A risk management plan (RMP) – using both threats AND consequences
Key Tactical Thrusts to DO Now
• COMMON national cyber security approach / end-state
• Consequence based enterprise risk assessment (don’t chase threats)
• Dynamic Cyber Enterprise Management (enforced hygiene)
KEY capability – security continuous monitoring (SCM) (can’t manage what you can’t measure)
High impact activities get us all moving quickly – 95% security incident reduction (YES! “95+%”)
• Top-down enforcement of IA / Cyber architecture
  – Secure enterprise access control / ENFORCE least privilege (re: ZBAC…) / Cyber IFF
  – Common enterprise trust model (and implement TPMs, etc.)
  – Reduce complexity – use APLs / VPLs / IA Building blocks with pedigrees
  – USE SCM to manage your IA/cyber suite quasi real-time… with SME help!
• Effective lifecycle education and training
  – Targeted training – user awareness and IA/cyber SMEs (who manage it all)
What is Cyber Hygiene? (and the HUGE percentage of security incidents caused by lack of it)
HYGIENE = Maintaining / monitoring your IA / Security / cyber equipment settings, as any incorrectly set cyber capabilities makes them much less effective!
• National Security Agency (NSA) (80-85%) – NSA IAD director: “Just improving the ‘IA Management’ aspects of security (aka, hygiene factors) will reduce security incidents by over 80%.” IA Management = CM, monitoring environment, follow SOPs.
  http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf
  http://www.sans.org/critical-security-controls/guidelines.php
• Verizon (2012 Data Breach Investigations Report) (up to 97%) – Report covered 855 incidents, 174 million compromised records – breaches almost entirely avoidable through simple or intermediate controls. Threats: 98% from external agents, 81% from hacking… 69% used malware.
  http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
• Navy (our “red team” / NCDOC) (over 90%) – Poor “accountability” factors = willful misuse, lack of CM (& IAVA / patches), not having / following procedures, weak enforcement of policy, etc. They must spend all their time / resources fixing the “easy” vulnerabilities…
Cyber Hygiene – the many faces of neglect
Our IA/CND/Security cyber suite is quite good – IF maintained!
• Equipment settings (FW, A/V, IDS, etc.) – Monitor / enforce
• Standard operating procedures (SOPs) – USE / enforce them
• Social media – Content & settings; restrict sharing / privileges
• Security Education – ALL levels – reinforce; incentivize – good vs bad
• Privacy and “PII” – Enforce policy (note – “EU” is stricter)
• Incident reporting – No incident too small; notify US-CERT / FBI
• Controlled Access – Enforce least privilege; separate / rotate duties
• Know your security baseline AND employ SCM / SIEM
• Maintain Cyber Suite – Patches, upgrades, etc. (compliance == security)
Forbes top threats for 2013: “MOST” have “CM / hygiene” AND / or “access control” aspects – Social Engineering; APTs; Internal Threats; BYOD / mobile malware; HTML5; Botnets; CLOUD infrastructure, & Precision Targeted Malware
Will lack of cyber hygiene continue to put you at MUCH greater risk?
Cyber Education triangle – “clarifying the fog of cyber security through targeted training”
Education levels (slide graphic, bottom to top):
• Foundational (KEY break point ->): Security+; Awareness Education; STEM (grades 7-12); Small business security course & practicum – expands the pool for advanced education
• Targeted: CISSP / GISP / CISO / etc.; forensics / ethical hacker / etc.; Firewall / cloud security / Crypto & Key mgmt / “*”
• Advanced: MS / BS Cyber
Curriculum & Resources – linked / leveraged (on-line, companies, colleges, etc.)
(“*” = IDS/IPS, anti-virus, wireless, application development / management, web/mobile code, mobile, etc.…)
Hierarchy of Cyber Needs (i.e..…Maslow…)Where if you don’t take care of the level before the one you are operating in, focusing on, then your efforts are for the most part mute, as you are in a higher risk status until the earlier level is satisfied!
1 – Resiliency – survival / recovery
+ Secure backup (types / methods, various sites / levels)
+ Incident response (company processes, comms with LE / FBI, etc)
+ Recovery plan – COOP / BCP (phases of recovery, hot / mirror site, etc)
2 – Cyber foundation
+ Access control (PW, CAC, enforce least privilege, separate / rotate duties, etc)
+ Layered defense – IA/CND strategy – WHAT capabilities are needed
+ Security policy (privacy, social media, PII, etc) – enforcement aspects too
+ Monitoring / know your baseline – SCM / SIEM..
+ Tools – selection and integration
+ Business risk management / assessment (RMF / COBIT) / requirements analysis with an AoA
3 – Cyber maintenance – security hygiene / CM / SOPs
+ Manage policy – social media content & settings… restrict sharing / privileges = proactive monitoring
+ Maintain the cyber security suite – patches, upgrades, etc.. control system settings… & dashboard!
+ Standard operating procedures (SOPs).. USE / enforce them
+ Security training / education awareness – ALL levels – reinforce / incentivize – pos & neg
4 – Applied cyber security (IA / CND / security capabilities best practices)
Given the best practices and cyber protections approach below, distill the key attributes for each IA/CND capability, while following the products’ install instructions (tailored to the company’s environment)… specific equipment settings for ‘secure’ sustainment / operations = firewall, A/V suite, IDS/IPS, crypto, key mgmt., mobile, wireless, network, apps, data security, etc
5 – Cyber actualization – compliance / assessment / analytics
+ V&V / TE&C / C&A – formal proof -> residual risks -> cyber value proposition
+ KEY compliance activities – PII, PCI, HIPAA, etc
+ Forensics / ethical hacker
+ Big data / predictive analytics (integrate SCM / SIEM, IA/CND reports, etc…)
+ Pen / security testing (of all cyber capabilities, backup, PW, etc)
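Level 2’s “know your baseline” and level 3’s “control system settings” come down to one recurring check: what is on the host now versus what was approved. The following is an added example, not code from the talk: a Python comparison of a constructed approved baseline (software versions plus required settings) against a constructed snapshot of one workstation, emitting one log line per deviation for the SCM / SIEM. Baseline contents, setting names and the host name are all made up for the illustration; in practice the snapshot would come from your inventory or configuration-management tool.

```python
"""Baseline comparison for cyber hygiene monitoring.

Added example for levels 2 and 3 of the hierarchy ("know your baseline",
"control system settings"); it is not code from the talk. An approved baseline
of software versions and required settings is compared with a host's current
snapshot, and every deviation is reported in a form a SIEM can ingest.
Baseline, snapshot, host name and setting names are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Deviation:
    host: str
    kind: str        # unapproved_software | version_drift | missing_software | setting_drift
    item: str
    expected: str
    observed: str

    def to_log(self) -> str:
        """One key=value line per finding, ready for syslog / SIEM forwarding."""
        return (f"host={self.host} kind={self.kind} item={self.item} "
                f"expected={self.expected!r} observed={self.observed!r}")


# Constructed approved baseline: what a compliant endpoint should look like.
BASELINE = {
    "software": {            # package -> approved version
        "antivirus-agent": "4.2",
        "browser": "9.0",
        "pdf-reader": "11.0",
    },
    "settings": {            # setting -> required value
        "auto_update": "on",
        "users_can_install_software": "false",
        "java_in_browser": "disabled",
        "download_folder": "C:\\Downloads",
    },
}

# Constructed snapshot of a workstation that has drifted from the baseline.
SNAPSHOT_WS01 = {
    "software": {
        "antivirus-agent": "4.2",
        "browser": "9.0",
        "remote-control-tool": "1.3",     # installed by a user, never approved
        # pdf-reader has been removed
    },
    "settings": {
        "auto_update": "off",
        "users_can_install_software": "true",
        "download_folder": "C:\\Downloads",
        # java_in_browser is not set at all
    },
}


def compare(host: str, baseline: dict, snapshot: dict) -> list:
    """Return every way the snapshot differs from the baseline."""
    findings = []
    sw_base, sw_now = baseline["software"], snapshot.get("software", {})
    for name, version in sw_now.items():
        if name not in sw_base:
            findings.append(Deviation(host, "unapproved_software", name, "(not in baseline)", version))
        elif version != sw_base[name]:
            findings.append(Deviation(host, "version_drift", name, sw_base[name], version))
    for name, version in sw_base.items():
        if name not in sw_now:
            findings.append(Deviation(host, "missing_software", name, version, "(absent)"))
    st_base, st_now = baseline["settings"], snapshot.get("settings", {})
    for key, required in st_base.items():
        actual = st_now.get(key, "(unset)")    # an unset required setting is also drift
        if actual != required:
            findings.append(Deviation(host, "setting_drift", key, required, actual))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, e.g. for a dashboard tile."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for finding in compare("ws01", BASELINE, SNAPSHOT_WS01):
        print(finding.to_log())
    print(summarize(compare("ws01", BASELINE, SNAPSHOT_WS01)))
```

Run against the constructed snapshot, the check reports five deviations: one unapproved install, one missing required package and three setting drifts (including the required setting that is simply absent). Running the comparison on a schedule and forwarding the log lines is the “proactive monitoring” the maintenance level asks for.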
Cyber Education triangle levels: Apprentice – BASICs; Journeyman – Operations; Master – Optimized Value
KSA / practicum based on small business security
NSA IAD top ten tasks / Top 20 security controls / Top 35 mitigations
Why Technical Level Application?
• IT professionals lack applied cyber skills
– Certs and degrees but no demonstrated practical experience
• Small / medium sized businesses have needs but an unclear idea of scope
– Raise awareness for covering the basics ‐ 95% of the operational incidents
• Availability and cost of training
– Boot camp education and certification doesn’t work as practiced
– SANS conference training is long and costly (at major cities)
– SANS Boot Camp for Cyber Essentials ‐ Austin, TX, Apr 28 ‐ May 3, $4,895.00
– Where are all the local cybersecurity education resources?
• UCSD, National University, SDSU, Coleman College – not applied cyber curriculums
Cyber Essentials Course for SMB – five-day schedule grid (Mon – Fri, 0800 – 1600, with lunch breaks): Cyber Overview, Resiliency, Foundations, Applied, Operations & Maintenance, Actualization & Review, finishing with return to office.
What can you DO right now? Ready for immediate implementation = 95+% incident reduction
Cyber continues to be about “US ALL” doing the basics
1 – Install tools / scripts to catch USERS’ mistakes.. lock down the end devices (only allow the root admin to install anything..). Use effective access control (enforce least privilege!)
2 – Manage the browser as THE threat vector... (80% of malware comes through here). Have ONE secure browser version (IE9), use the ‘guest’ account (force downloads to one folder), and manage a specific settings profile (to manage active code / Java, etc). Implement a ‘deny all’ access approach, allowing URLs using only a controlled white list (no, this is NOT hard to do!)
3 ‐ Run tools / application firewalls to minimize zero‐day problems, and enforce CM / hygiene, along with "defensive I&W" monitoring tools (re: SCM / SIEM ‐ #5)
4 – KISS / reduce IA complexity… only buy cyber products off APLs / PPLs (they have pedigrees / C&A already!)… and USE their security features… like TPM!!
5 – USE a security continuous monitoring (SCM) firm for real‐time scans for both current vulnerabilities (SQL injection, et al) and new threats... (where the firm has feeds / data from US CERT, etc, so they are always current on new threats / zero‐day problems)
6 – If you make IT stuff, build IA / security in; there are lots of simple guides:
http://www.sans.org/critical-security-controls/guidelines.php
http://www.sans.org/top25-software-errors/
We’re STILL lax.. Google “DarkReading Real‐World Developers Still Not Coding Securely”
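Item 2’s “deny all, then allow URLs only from a controlled white list” is the part most often called hard, so here is what the check itself amounts to. This is an added example, not code from the talk or from any browser or product it names: a small Python policy function that denies every URL unless its scheme, port and host pass, with the allow list, the policy rules (https only, default port only, no IP literals, no credentials embedded in the URL) and the sample URLs all constructed for the illustration. In a real deployment this logic lives in the proxy or the browser’s managed policy rather than in a script.

```python
"""Deny-all web access with a controlled URL allow list.

Added example for item 2 of "What can you DO right now?"; it is not code from
the talk. Everything is denied unless the URL's scheme, port and host satisfy
the policy and the host matches an allow-list entry. The allow list, the policy
constants and the sample URLs are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow list. "*.corp.example" covers corp.example and every host
# under it; a bare name must match exactly.
ALLOWLIST = [
    "www.example.com",
    "*.corp.example",
    "updates.vendor-example.net",
]

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}      # None = the scheme's default port


def host_matches(host: str, pattern: str) -> bool:
    """True if host is covered by one allow-list entry.

    Matching is on whole DNS labels, so "*.corp.example" does not cover
    "evilcorp.example".
    """
    host = host.lower().rstrip(".")          # trailing dot is the same FQDN
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def check_url(url: str, allowlist=ALLOWLIST):
    """Apply the deny-all policy; return (allowed, reason) so decisions can be logged."""
    try:
        parts = urlsplit(url)
        port = parts.port                     # raises ValueError on a junk port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme or '(none)'} not allowed"
    host = parts.hostname                     # lowercased, userinfo and port removed
    if not host:
        return False, "no host"
    # Credentials in the URL ("https://www.example.com@other.test/") make a URL
    # look allow-listed to a human reader; refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    # IP literals sidestep name-based rules, so they are never allowed here.
    try:
        ipaddress.ip_address(host)
        return False, "IP literal"
    except ValueError:
        pass
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if any(host_matches(host, p) for p in allowlist):
        return True, f"host {host} on allow list"
    return False, f"host {host} not on allow list (default deny)"


def is_allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """Boolean form of check_url for use as a simple filter."""
    return check_url(url, allowlist)[0]


if __name__ == "__main__":
    for sample in ("https://www.example.com/login", "http://www.example.com/",
                   "https://www.example.com@other.test/", "https://evilcorp.example/"):
        print(sample, "->", check_url(sample))
```

The reason string is returned with the decision so every block can be written to the SCM / SIEM feed item 5 talks about; a burst of denials for one user or one host is itself a useful indicator. The label-boundary match in host_matches is the detail that keeps a wildcard entry from quietly covering look-alike domains.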
“Overall Way Forward” (given all the unknowns and variables… this is “one” approximately correct path… ;‐))
• Company vision embedded in cyber plans / RMP…
– Know where you are going, where the passion is / what the USER values
– Hope is not a strategy ‐ re: 2012 Annual DDoS Attack and Impact Survey!
• Risk Management Plan… RMP
– Use NIST’s RMF! Have a dynamic, realistic RMP supporting your business success metrics… as you ARE betting your livelihood on cyber!
• Effective, enforced policy…
– Embedded in core business success factors; rules to enforce statutory / legal mandates and key processes, to enforce behavior (pos & neg incentives)
• The basics, basics, basics…
– New toys matter little if your environment(s) are not managed (SCM / SIEM!)
– Poor hygiene / CM causes almost ALL security incidents (80 ‐ 97%)
SO… Quit admiring the “cyber problem / threat” and start DOING something!
What small businesses need to know about cyber security before they can offer services to the government
In general, companies must provide a security level commensurate with that of the government site they are going to do business with... (see the NIST, GSA & FISMA web sites below)
This NIST publication provides a good overview of the government requirements, which in general must be met by companies connecting to government sites in support of the services provided... http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
Information security rules by GSA: http://www.gsa.gov/portal/content/104257
FISMA rules / regulations are also representative of items to be assessed: http://csrc.nist.gov/groups/SMA/fisma/index.html
VA has a contract clause that's fairly standard: http://www.iprm.oit.va.gov/docs/Appendix_C.pdf
The Education Department has a good overview of requirements: http://www2.ed.gov/fund/contract/about/bsp.html
New LAWs – Government Contractors Subject to Cybersecurity Regulations – More are on the Way: http://www.scribd.com/doc/89226369/Government-Contractors-Now-Subject-to-Cybersecurity-Regulations-%E2%80%93-And-More-are-on-the-Way
Small business security overview (and a detailed brief on the major security product details too): http://www.sciap.org/blog1/wp-content/uploads/Small-Business-Security-ADT-Cluster-v4_Mike_Davis_July_26_2011.pdf
How to find / bid on government contracts – MUST have a DUNS number or CAGE code (and capability statement / documents)
Central source for SBA: http://www.sba.gov/content/federal-contracting-resources-small-businesses
+++ System for Award Management (“SAM” – register here first / asap.. it drives many other processes): https://www.sam.gov/index.html
FedBizOpps: https://www.fbo.gov/
SPAWAR small business opportunities: http://www.public.navy.mil/spawar/Documents/Small_Business/SPAWAR_3_year_Acquisition_Forecast_22_May_2013.pdf
Federal Procurement Data System: https://www.fpds.gov/fpdsng_cms/
Dynamic Small Business Search: http://dsbs.sba.gov/dsbs/search/dsp_dsbs.cfm
Interested in the SBIR / STTR programs? See the overview offered here: http://www.navysbir.com/overview.htm
You REALLY need an effective business plan to show clients and investors the big picture: http://100startup.com/resources/business-plan.pdf
IA/security resources – main sites:
https://infosec.navy.mil
http://www.doncio.navy.mil/TagResults.aspx?ID=28
http://iase.disa.mil/index2.html
Other IA/security sites:
http://csrc.nist.gov/
http://www.nsa.gov/ia/index.shtml
http://www.cisecurity.org/
Other IA/security sites (cont):
http://www.cert.org/
https://www.cccure.org/
http://www.commoncriteriaportal.org/
https://www.sans.org/programs/
https://www.thecsiac.com/resources/all
http://www.cerias.purdue.edu/
http://www.dhs.gov/topic/cybersecurity
http://iase.disa.mil/stigs/index.html
SUMMARY – SO…. What “really” matters in Cyber?
DO the cyber BASICS well, for things, people & processes; invest in select, KEY new capabilities & follow your RMP!!!
Take ACTION: (1) security assessment, (2) SCM / SIEM, & (3) cyber insurance!
• OSD / federal S&T activities
– Distributed trust
– Resilient architectures
– Response and cyber maneuver
– Visualization and decision support
– Dynamic policy management (RAdAC)
– Detection and autonomic response
– Recovery and reconstitution
• NSA / agency S&T activities
– Mobility, wireless, & secure mobile services
– Platform integrity / compliance assurance
– End client security
– Cyber indications and warning (I&W)
– Mitigation engineering (affordability)
– Massive data – (data-centric security)
– Advanced technology…. (targeted)
– Virtualization – secure capabilities
AND doing the BASICS: (1) enforced cyber hygiene, (2) effective access control, (3) reduced complexity in IA / cyber (APLs / NIAP / approved products), (4) IT / IA / cyber “SCM / SIEM” (ongoing diagnostics AND mitigations / SIEM)
It’s all about TRUST and DATA
It’s NOT all about expensive new “cyber capabilities” but more about interoperability