Security In The Supply Chain

How much security is enough..and where should investments be applied? John Gilligan thinks it is time to require that IT vendors deliver “locked down” configurations and employ standards as well as automated tools to “enforce” continued security compliance.

Security In The Supply Chain Presentation Transcript

  • 1. Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain John M. Gilligan Gilligan Group, Inc. December 10, 2008
  • 2. Topics
    • Background
    • The “Good Old Days”—Status Quo
    • The “Aha” Moment
    • Standard Desktop becomes Federal Desktop
    • Next steps
      • Cyber Security Commission Recommendation
      • Evolving Standards
    • Summary
    (c) 2008, All Rights Reserved. Gilligan Group Inc.
  • 3. Relevant Background
    • Air Force
      • 700,000 Unclassified Desktops
      • 60,000 Classified Desktops
      • IT Spending $7B; Security Spending of $700 M
    • Federal Government
      • Approximately 4 million desktops
      • IT Spending $60B; Security spending of $5B
    • National Institute of Standards and Technology (NIST) provides IT security standards/guidance
  • 4. Air Force CIO Observations Regarding Software Security
    • Spending more to “patch and fix” software systems than to purchase them
    • SW vendor contract terms—no warranties, no standards, and no legal precedents for remedy
    • AF IT purchasing is ad hoc (and expensive)
    • Air Force is largest enterprise buyer for many vendors
    COTS software business model is fundamentally broken!
  • 5. From a National Institute of Standards and Technology briefing (http://nvd.nist.gov/scap.cfm)
    NIST provides a lot of guidance in security. Is it addressing the right problem?
  • 6. The Cyber Security Dilemma
    • There are only so many resources available to be allocated against all IT priorities
    • There is no such thing as perfect cyber security
    • Finding flaws in cyber security implementation is a “target rich” environment
    How much security is enough, and where should investments be applied?
  • 7. How to Assess Effective Security
    • GAO Reports?
    • Congressional FISMA Grades?
    • Percentage of Systems Certified?
    • Number of Systems with Contingency Plans?
    • Agency Auditor Reports?
    The threat is increasing! Are we focusing on the right things?
    "Pentagon Shuts Down Systems After Cyber-Attack"
    Malicious scans of DoD increase 300%!
  • 8. An “Aha” Moment!
    • Scene : 2002 briefing by NSA regarding latest penetration assessment of DoD systems
    • Objective: Embarrass DoD CIOs for failure to provide adequate security.
    • Subplot : If CIOs patch/fix current avenues of penetration, NSA would likely find others
    • Realization : Let’s use NSA’s offensive capabilities to guide security investments
    Let “Offense Inform Defense”!
  • 9. AF Standard Desktop Concept
    • NSA “Offensive Team” briefings to Air Force on attack patterns and vulnerabilities exploited
    • ~80% of vulnerabilities tied to incorrectly configured COTS software
    • Joint effort by NSA, NIST, DISA, DHS, CIS, Microsoft to create Standard Desktop Configuration (SDC) for Microsoft Windows/Office/IE
    Address the source of the biggest problem—and do it in the supply chain!
  • 10. Secure Desktop Configuration
    • Defined ~600 security configuration settings for Windows XP and Vista (out of 4,477)
      • Leveraged prior work by MS, NIST, CIS, NSA, DISA
    • Protocols and software tools to validate implementation – CVE/OVAL
    • Phased Implementation (2005-2007)
      • Senior-level governance process
    Software delivered from hardware vendors in “locked down” configuration
  • 11. AF Standard Desktop Configuration Results
    • Improved Security
      • Drop in security events
      • Reduced Patching time 57 days to 72 hours
    • Reduced Costs of Operation and Ownership
      • Hundreds of millions saved to date*
    • Improved System Performance
    • Common platform for COTS/GOTS applications
    * SDC Linked with Enterprise License Agreement and Commodity Purchasing Efforts
  • 12. Security As Part of IT Commodity Life Cycle Management
    • Step 1, Enterprise Client PC Hardware: USAF Quarterly Enterprise Buy (QEB) Standards; 700K purchased since Aug 2003; $200M+ cost avoidance
    • Step 2, Enterprise Licensing and Services: USAF Enterprise License Agreements; implemented Jul–Sep 2004; $100M+ savings by 2010
    • Step 3, Enterprise Client, Server, and Active Directory Configurations: USAF Standard Desktop Configuration; AF-wide implementation in 2006; servers 2008
    • Step 4, Enterprise Configuration and Patch Management: USAF Enterprise Configuration Management processes; implementation 2006-2008
    • Step 5, Comply and Connect Enforcement: USAF Comply, Connect and Remediate policy and processes; incremental improvements 2006-2009
    Incremental Improvements in End Point and Server Capability and Security
  • 13. AF Standard Desktop Configuration → FDCC
    • Adopt AF-validated standard desktop concept
    • OMB mandate for Federal Desktop Core Configuration (FDCC)—March 2007
    • Security Content Automation Protocol (SCAP)
      • Validate configuration (XCCDF-CCE-OVAL)
      • Check/remediate patching (CVE-OVAL)
      • Asset management (CPE)
      • Standard vulnerability list (NVD-CVE-CVSS)
    Expanded across Federal government and extended automation support
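    Slides 10 and 13 describe the mechanism behind "automated tools to validate security" without showing it: an XCCDF benchmark gives each rule a CCE identifier and points at an OVAL definition, and an OVAL definition is a boolean tree of tests (here, Windows registry tests) evaluated against the machine. The Python below is an added example, not code from the presentation or from any SCAP tool. Its XML is a trimmed imitation of the XCCDF 1.1 and OVAL 5 document shapes (real content carries many more elements), the rule ids, CCE numbers and OVAL ids are made up, the two registry paths are the ones commonly used for "firewall on" and "autorun off" but the snapshot values are constructed, and only the `equals` comparison is implemented.

```python
# Added example (not from the presentation): evaluate XCCDF-style rules that
# point at OVAL-style registry tests against a desktop registry snapshot.
# All ids, the CCE numbers and the snapshot values below are constructed.
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
WIN_NS = OVAL_NS + "#windows"
FIREWALL_KEY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
AUTORUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def q(ns, tag):
    """ElementTree's {namespace}tag spelling for a namespaced element."""
    return "{%s}%s" % (ns, tag)


# Benchmark: each Rule carries its CCE identifier and names the OVAL definition that checks it.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-sdc">
  <Rule id="rule-firewall-on"><ident system="http://cce.mitre.org">CCE-0000-1</ident>
    <check system="{OVAL_NS}"><check-content-ref href="checks.xml" name="oval:example:def:1"/></check></Rule>
  <Rule id="rule-autorun-off"><ident system="http://cce.mitre.org">CCE-0000-2</ident>
    <check system="{OVAL_NS}"><check-content-ref href="checks.xml" name="oval:example:def:2"/></check></Rule>
</Benchmark>"""

# OVAL content: definition -> criteria -> test -> (object to collect, state it must satisfy).
OVAL_XML = f"""<oval_definitions xmlns="{OVAL_NS}" xmlns:win="{WIN_NS}">
  <definitions>
    <definition id="oval:example:def:1" class="compliance"><criteria operator="AND"><criterion test_ref="oval:example:tst:1"/></criteria></definition>
    <definition id="oval:example:def:2" class="compliance"><criteria operator="AND"><criterion test_ref="oval:example:tst:2"/></criteria></definition>
  </definitions>
  <tests>
    <win:registry_test id="oval:example:tst:1" check="all"><win:object object_ref="oval:example:obj:1"/><win:state state_ref="oval:example:ste:1"/></win:registry_test>
    <win:registry_test id="oval:example:tst:2" check="all"><win:object object_ref="oval:example:obj:2"/><win:state state_ref="oval:example:ste:2"/></win:registry_test>
  </tests>
  <objects>
    <win:registry_object id="oval:example:obj:1"><win:hive>HKEY_LOCAL_MACHINE</win:hive>
      <win:key>{FIREWALL_KEY}</win:key><win:name>EnableFirewall</win:name></win:registry_object>
    <win:registry_object id="oval:example:obj:2"><win:hive>HKEY_LOCAL_MACHINE</win:hive>
      <win:key>{AUTORUN_KEY}</win:key><win:name>NoDriveTypeAutoRun</win:name></win:registry_object>
  </objects>
  <states>
    <win:registry_state id="oval:example:ste:1"><win:value datatype="int" operation="equals">1</win:value></win:registry_state>
    <win:registry_state id="oval:example:ste:2"><win:value datatype="int" operation="equals">255</win:value></win:registry_state>
  </states>
</oval_definitions>"""

# Constructed snapshot of one desktop: firewall on, autorun still at 0x91 instead of the required 0xFF.
REGISTRY_SNAPSHOT = {
    ("HKEY_LOCAL_MACHINE", FIREWALL_KEY, "EnableFirewall"): 1,
    ("HKEY_LOCAL_MACHINE", AUTORUN_KEY, "NoDriveTypeAutoRun"): 0x91,
}


def load_oval(xml_text):
    """Index definitions, tests, objects and states by their OVAL ids."""
    root = ET.fromstring(xml_text)
    defs = {d.get("id"): d.find(q(OVAL_NS, "criteria")) for d in root.iter(q(OVAL_NS, "definition"))}
    tests = {t.get("id"): (t.find(q(WIN_NS, "object")).get("object_ref"),
                           t.find(q(WIN_NS, "state")).get("state_ref"))
             for t in root.iter(q(WIN_NS, "registry_test"))}
    objects = {o.get("id"): tuple(o.find(q(WIN_NS, f)).text for f in ("hive", "key", "name"))
               for o in root.iter(q(WIN_NS, "registry_object"))}
    states = {s.get("id"): s.find(q(WIN_NS, "value")) for s in root.iter(q(WIN_NS, "registry_state"))}
    return defs, tests, objects, states


def eval_test(test_id, oval, registry):
    """A registry test passes only if the value exists and equals the state (only 'equals' here)."""
    _, tests, objects, states = oval
    object_ref, state_ref = tests[test_id]
    actual = registry.get(objects[object_ref])
    if actual is None:                  # OVAL would report the item as 'does not exist'
        return False
    state = states[state_ref]
    expected = int(state.text) if state.get("datatype") == "int" else state.text
    return actual == expected


def eval_criteria(node, oval, registry):
    """Recursively evaluate an AND/OR criteria tree of criterion tests."""
    results = []
    for child in node:
        if child.tag == q(OVAL_NS, "criterion"):
            results.append(eval_test(child.get("test_ref"), oval, registry))
        elif child.tag == q(OVAL_NS, "criteria"):
            results.append(eval_criteria(child, oval, registry))
    return all(results) if node.get("operator", "AND") == "AND" else any(results)


def evaluate_benchmark(benchmark_xml, oval_xml, registry):
    """Return {rule id: (CCE identifier, 'pass'|'fail')} for every Rule in the benchmark."""
    oval = load_oval(oval_xml)
    report = {}
    for rule in ET.fromstring(benchmark_xml).iter(q(XCCDF_NS, "Rule")):
        cce = rule.find(q(XCCDF_NS, "ident")).text
        ref = rule.find(q(XCCDF_NS, "check") + "/" + q(XCCDF_NS, "check-content-ref"))
        ok = eval_criteria(oval[0][ref.get("name")], oval, registry)
        report[rule.get("id")] = (cce, "pass" if ok else "fail")
    return report


if __name__ == "__main__":
    for rule_id, (cce, result) in evaluate_benchmark(BENCHMARK_XML, OVAL_XML, REGISTRY_SNAPSHOT).items():
        print(result.upper(), cce, rule_id)
```

The point of the split between the two documents is what makes the standards composable: the benchmark is the policy (which settings, under which CCE identifier), the OVAL content is the machine-checkable test, and the same OVAL definition can be referenced by an Air Force, FDCC or vendor benchmark alike. A missing registry value fails the rule rather than being skipped, which is the behaviour you want when a vendor image has never had the setting applied.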
  • 14. Next Steps--Cyber Security Commission Recommendation
    • Mandate “Locked-down” configurations for all software delivered to the government
    • Build on existing efforts (e.g., NIST, BITS, FERC, NIAP, CIS)
      • Public-private partnership to develop guidelines
    • Self-certification by software vendors
      • Satisfy security guidelines
      • Do not “unlock” security of other software
    Expand FDCC Concept to all Software Products
  • 15. Security Standards Efforts: Security Content Automation Protocol (SCAP)
  • 16. Security Standards Efforts: Next Steps (source: Making Security Measurable, The MITRE Corporation)
  • 17. Summary
    • Need to fundamentally change business model for buying COTS software
      • Vendors deliver “secure” configuration of products
      • Use automated tools to validate security
    • Integrate security with improved commodity supply chain management (planning, purchase, operations, disposal)
    • Advancement of Standards and related Tools holds great promise for dramatic improvements to the IT Supply Chain
  • 18. Contact Information
    • John Gilligan
    • [email_address]
    • 703-503-3232
    • www.gilligangroupinc.com
    • Making Security Measurable
    • Bob Martin—MITRE Corporation
    • [email_address]