GSF 2011 Tom Albert 2-1 Web-Cybersecurity
Trust, Visibility, Resilience
  1. Cybersecurity: Trust, Visibility, Resilience
     Tom Albert, Senior Advisor, Cybersecurity
     NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
  2. “No single company can solve the complex challenge presented by the Internet, but the inherent role of the network positions Cisco as the natural partner in developing and executing a successful cyber security strategy”
  3. Cybersecurity Challenges
     - Operational Management
     - Data Capacity
     - Supply Chain
     - Business Resiliency
     - Data Loss
  4. Federal Cybersecurity Priorities
     - Real-time Continuous Monitoring
     - Identity Mgmt.
     - Situational Awareness
     - Secure Supply Chain
     - Vulnerability Analysis/IDS
     - Education and Training
     - Application Security
     - Limited Access Points
  5. Why Cisco?
     - Cisco’s Pervasive Footprint
     - The Network is the Sensor
     - Public/Private Partnerships
     - Security Products
     - Visibility Tools
     - Education / Certifications
     - Embedded Security Capabilities
     - Cross-Architecture
     - Services
     - Incident Response
     - Supply Chain Management
     - Trusted HW/SW
  6. Mission: Cybersecurity. Cisco IS the Cyber-secure Platform
     Customer Requirements / Challenges: Access, Inside Threat, Data Capacity, Trustworthiness, Data Loss, Public Policy, Supply Chain
     Solution Framework: Trust, Visibility, Resilience
     Solutions: Identify and Manage, Messaging, Capture
  7. Cisco Cyber Solutions
     Trust                     Visibility                 Resilience
     Identity and Access       Continuous Monitoring
     Secure Mobility           Data Exfiltration          COOP
     Wireless Integrity        Boundary Defense           Incident Handling
     Configuration Assurance   Malware and APT Defense    Availability
     Physical Security         Situational Awareness      Service Level Assurance
     Audit and Compliance
  8. Strategy / Solution / Architectures
     Architectures: Borderless Networks; Data Center/Virtualization; Collaboration

     TRUST
       NIST SP 800-53 control families: Access Control; Audit & Accountability; Configuration Management; Identification & Authentication; Maintenance; System & Communication Protection
       Solutions: Identity and Access; Secure Mobility; Wireless Integrity; Audit and Compliance; Configuration Assurance; Physical Security
       Products: CiscoWorks LMS 4.0; Cisco Configuration Engine; Cisco TrustSec (Identity); Cisco AnyConnect Client; Cisco VPN Services; Cisco Mobility Engine & Wireless Solution; Cisco Unified Border Element; ASA Firewall; IOS Firewall

     VISIBILITY
       NIST SP 800-53 control families: Security Assessment & Authorization; System & Communication Protection; System & Information Integrity; Incident Response
       Solutions: Continuous Monitoring; Data Exfiltration; Boundary Defense; Malware Defense; Situational Awareness
       Products: Security Intelligence Operations; IPS 4200 Series; CleanAir Technology; NBAR; IOS Intrusion Prevention; IOS NetFlow; Service Control Engine; ASA BotNet Filter

     RESILIENCE
       NIST SP 800-53 control families: Contingency Planning; System & Communication Protection; Incident Response; Physical & Environmental Protection
       Solutions: COOP; Incident Handling; Availability; Service Level Assurance
       Products: Performance Routing; NSF/SSO; EnergyWise; Policy Based Routing
  9. Cybersecurity Partner Ecosystem: Building solutions with best-of-breed ISVs & Technology Partners
     - Systems Integrators: IRAD projects to address customer requirements; integrate component parts in proof-of-concept environments to foster learning and innovation
     - SIEM Partners: Ecosystem partners to meet diverse customer security incident and event management requirements; Cisco validated design and deployment methodologies
     - Implementation Partners: Cybersecurity-focused partners to ensure consistent delivery of Cisco and partner systems; agile custom solution development
     - Technology Partners: Complementary technology partners to complete Cybersecurity solution offerings; best-of-breed, market-proven technologies
  10. The Cybersecurity Journey
      - Investment
      - Education
      - Manufacturing Integrity
      - Thought leadership
      - Regulatory Alignment
      - Private/Public Partnerships
      - Cybersecurity Innovation
  12. Managing Risk Through Trust, Visibility, and Resilience
      DGI Government Solutions Forum, March 1, 2011
      Dr. Ron Ross, Computer Security Division, Information Technology Laboratory
  13. The Stuxnet Worm. Targeting critical infrastructure companies:
      - Infected industrial control systems around the world.
      - Uploads payload to Programmable Logic Controllers.
      - Gives attacker control of the physical system.
      - Provides back door to steal data and remotely and secretly control critical plant operations.
      - Found in Siemens SIMATIC WinCC software used to control industrial manufacturing and utilities.
  14. The Flash Drive Incident. Targeting U.S. Department of Defense:
      - Malware on flash drive infected military laptop computer at base in Middle East.
      - Foreign intelligence agency was source of malware.
      - Malware uploaded itself to Central Command network.
      - Code spread undetected to classified and unclassified systems, establishing digital beachhead.
      - Rogue program poised to silently steal military secrets.
  15. The Stolen Laptop Incident. U.S. Department of Veterans Affairs:
      - VA employee took laptop home with over 26 million veterans’ records containing personal information.
      - Laptop was stolen from residence and information was not protected.
      - Law enforcement agency recovered laptop; forensic analysis indicated no compromise of information.
      - Incident prompted significant new security measures and lessons learned.
  16. “Red Zone” Information Security
  17. The New SP 800-39: Multi-tiered Risk Management Approach
      Tier 1: Organization (Governance) (strategic risk focus)
      Tier 2: Mission / Business Process (Information and Information Flows)
      Tier 3: Information System (Environment of Operation) (tactical risk focus)
      Implemented by the Risk Executive Function; Enterprise Architecture and SDLC focus; flexible and agile implementation.
  18. Tier 1 – Organization
      - Governance
      - Risk management strategy
      - Investment strategy
      - Risk tolerance
      - Trust
      - Transparency
      - Culture
  19. Tier 2 – Mission/Business Process
      - Influenced by risk management decisions at Tier 1.
      - Identification of missions/business processes.
      - Determination of information types and flows.
      - Identification of information security requirements.
      - Development of enterprise architecture with embedded information security architecture.
  20. Tier 3 – Information System
      - Influenced by risk management decisions at Tiers 1 & 2.
      - Allocation of necessary and sufficient security controls to information systems and environments of operation.
      - Uses Risk Management Framework to guide process.
      - Information security managed as part of the SDLC.
      - Feedback to Tiers 1 & 2 for continuous improvement.
  21. Risk Management Framework (Security Life Cycle)
      Starting Point:
      - CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
      - SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
      - IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
      - ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
      - AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
      - MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
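The CATEGORIZE step above is the FIPS 199 "high-water mark": each security objective (confidentiality, integrity, availability) of a system takes the worst-case impact of any information type the system processes, and the overall impact level then drives which SP 800-53 baseline (low, moderate, high) is picked in the SELECT step. The Python below is an added example, not code from the slides or from NIST; the information types, their impact ratings and the `Impact`/`SecurityCategory` names are constructed for illustration. It also handles the one edge case FIPS 199 calls out: "not applicable" is allowed for the confidentiality of an individual information type (public data) but never at the system level, where every objective is at least LOW.

```python
"""FIPS 199 high-water-mark categorization (added example; not from the slides)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Impact(IntEnum):
    """Potential impact levels from FIPS 199, ordered so max() yields the high-water mark."""
    NA = 0        # "not applicable": permitted only for confidentiality of an information TYPE
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __str__(self) -> str:
        return (f"SC = {{(confidentiality, {self.confidentiality.name}), "
                f"(integrity, {self.integrity.name}), "
                f"(availability, {self.availability.name})}}")


def categorize_information_type(c: Impact, i: Impact, a: Impact) -> SecurityCategory:
    """Security category of one information type.

    FIPS 199 permits NA only for the confidentiality objective (e.g. public web content);
    integrity and availability of any information type carry at least a LOW impact.
    """
    if i is Impact.NA or a is Impact.NA:
        raise ValueError("NA is only permitted for the confidentiality objective")
    return SecurityCategory(c, i, a)


def categorize_system(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """High-water mark across all information types the system processes.

    Each objective takes the worst-case impact of any information type, which is the
    'potential worst-case, adverse impact' the CATEGORIZE step refers to. At the system
    level NA is not allowed, so an objective that would otherwise be NA is raised to LOW.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    c = max(max(t.confidentiality for t in types), Impact.LOW)
    i = max(max(t.integrity for t in types), Impact.LOW)
    a = max(max(t.availability for t in types), Impact.LOW)
    return SecurityCategory(Impact(c), Impact(i), Impact(a))


def overall_impact_level(sc: SecurityCategory) -> Impact:
    """FIPS 200 rule: the system's overall impact level is the highest of its three
    objectives; it selects the low/moderate/high SP 800-53 baseline in the SELECT step."""
    return Impact(max(sc.confidentiality, sc.integrity, sc.availability))


# Constructed sample input (hypothetical plant-operations system; not from the slides).
PLANT_OPERATIONS = [
    categorize_information_type(Impact.NA, Impact.MODERATE, Impact.LOW),       # public status page
    categorize_information_type(Impact.LOW, Impact.HIGH, Impact.HIGH),         # PLC set-points / commands
    categorize_information_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW), # operator personnel records
]

# Constructed edge case: a system that only serves public information.
PUBLIC_ONLY = [categorize_information_type(Impact.NA, Impact.LOW, Impact.LOW)]


if __name__ == "__main__":
    for name, types in (("plant operations", PLANT_OPERATIONS), ("public only", PUBLIC_ONLY)):
        sc = categorize_system(types)
        print(f"{name}: {sc} -> overall {overall_impact_level(sc).name}")
```

The high-water mark deliberately over-protects the lower-impact information types that share a system with a high-impact one (the personnel records above inherit HIGH integrity and availability baselines because they sit next to PLC commands). That is the practical reason the SELECT step's tailoring exists, and a reason to draw system boundaries so that public-facing and control-system functions are not one authorization boundary.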
  22. Risk Management Process
      Frame -> Assess -> Respond -> Monitor (risk framing informs each of the other three steps)
  23. Unified Information Security Framework: The Generalized Model
      Unique Information Security Requirements (the “Delta”): Intelligence Community; Department of Defense; Federal Civil Agencies; Private Sector, State/Local Govt; CNSS
      Common Foundational Set of Information Security Standards and Guidance:
      - Risk management (organization, mission, information system)
      - Security categorization (information criticality/sensitivity)
      - Security controls (safeguards and countermeasures)
      - Security assessment procedures
      - Security authorization process
      Applies to national security and non-national security information systems.
  24. Joint Task Force Transformation Initiative: Core Risk Management Publications
      - NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (Completed)
      - NIST Special Publication 800-37, Revision 1, Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach (Completed)
      - NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans (Completed)
  25. Joint Task Force Transformation Initiative: Core Risk Management Publications (continued)
      - NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View (Completed)
      - NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments (Public Draft projected April 2011)
  26. Defense-in-Depth. Links in the Security Chain: Management, Operational, and Technical Controls
      Management and operational controls:
      - Risk assessment
      - Security planning, policies, procedures
      - Configuration management and control
      - Contingency planning
      - Incident response planning
      - Security awareness and training
      - Security in acquisitions
      - Physical security
      - Personnel security
      - Security assessments and authorization
      - Continuous monitoring
      Technical controls:
      - Access control mechanisms
      - Identification & authentication mechanisms (biometrics, tokens, passwords)
      - Audit mechanisms
      - Encryption mechanisms
      - Boundary and network protection devices (firewalls, guards, routers, gateways)
      - Intrusion protection/detection systems
      - Security configuration settings
      - Anti-viral, anti-spyware, anti-spam software
      - Smart cards
      Adversaries attack the weakest link… where is yours?
  27. Focus Areas: 2011 and Beyond
      - Complete Joint Task Force Publications and Unified Information Security Framework
      - Continuous Monitoring Guideline
      - Systems and Security Engineering Guideline
      - Update to NIST Special Publication 800-53, Revision 4: Insider Threats; Advanced Persistent Threats; Industrial Control Systems; Mobile Devices, Cloud Computing; Privacy Controls
  28. Contact Information
      100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
      Project Leader: Dr. Ron Ross, (301) 975-5390
      Administrative Support: Peggy Himes, (301) peggy.himes@nist.gov
      Senior Information Security Researchers and Technical Support:
      - Marianne Swanson, (301) 975-3293
      - Kelley Dempsey, (301) kelley.dempsey@nist.gov
      - Pat Toth, (301) 975-5140
      - Arnold Johnson, (301) arnold.johnson@nist.gov
      Web:
      Comments: