Cyber Security: Past and Future
John M. Gilligan
CERT’s 20th Anniversary Technical Symposium
Pittsburgh, PA
Cyber Security: Past and Future, a presentation by John M. Gilligan at CERT's 20th Anniversary Technology Symposium, held in March 2009 in Pittsburgh, PA.

Cyber Security: Past and Future

  1. Cyber Security: Past and Future. John M. Gilligan. CERT’s 20th Anniversary Technical Symposium, Pittsburgh, PA. www.gilligangroupinc.com. March 10, 2009
  2. Topics
     • Historical Perspectives
     • Cyber Security Today--A National Crisis
     • Cyber Security Commission Recommendations
     • Near Term Opportunities
     • Longer-Term Game Changing Initiatives
     • Closing Thoughts
  3. Historical Perspectives
     • Computer Security in the Cold War Era
     • Security “Gurus”—Keepers of the Kingdom
     • The Internet changes the security landscape--forever
     • The Age of Information Sharing
     • Omissions of the past are now our “Achilles Heel”
     Our Approaches To Providing Mission Enabling IT Are Stuck In The Past
  4. Cyber Security Today—A New “Ball Game”
     • Our way of life depends on a reliable cyberspace
     • Intellectual property is being downloaded at an alarming rate
     • Cyberspace is now a warfare domain
     • Attacks increasing at an exponential rate
     • Fundamental network and system vulnerabilities cannot be fixed quickly
     • Entire industries exist to “Band Aid” over engineering and operational weaknesses
     Cyber Security is a National Security Crisis!
  5. Commission Cyber Security for the 44th Presidency: Key Recommendations
     • Create a comprehensive national security strategy for cyberspace
     • Lead from the White House
     • Reinvent public-private partnerships
     • Regulate cyberspace
     • Modernize authorities
     • Leverage government procurement
     • Build on recent progress with CNCI
  6. Near-Term Opportunities
     • Use government IT acquisitions to change IT business model
     • Enhance public-private partnerships
     • Adopt the Consensus Audit Guidelines (CAG)
     • Update FISMA
     • Implement more secure Internet protocols
     • Implement comprehensive, federated authentication strategy
     • Leverage Stimulus Package to improve cyber security
  7. Use Government IT Procurement
     • Cyber security needs to be reflected in our contractual requirements
     • Many “locked down” configurations defined
     • Use government-industry partnership to accelerate implementation of secure configurations
     • Get started now, improve configuration guidelines over time and leverage SCAP!
     Build on FDCC Successes and Lessons Learned
  8. Security Content Automation Protocol (SCAP)
     • What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network.
     • How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information.
     • Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
     SCAP Enables Automated Tools To Implement And Enforce Secure Operations
  9. Enhance Public-Private Partnerships
     • Most of our nation’s critical infrastructure is owned by the private sector
     • Much of our government-sponsored research intellectual property is “protected” by industry
     • Regulators need to guide/govern private sector efforts
     • Private and public sectors must act in cooperation
       – Defense Industrial Base (DIB): an excellent model
     Protecting Government and Military Systems Is Not Sufficient
  10. Implement Consensus Audit Guidelines (CAG)
     • Underlying Rationale
       – Let “Offense drive Defense”
       – Focus on most critical areas
     • CAG: Twenty security controls based on attack patterns
     • Emphasis on auditable controls and automated implementation/enforcement
     • Public comment period through March 25th
     • Pilots and standards for tools later this year
  11. Update FISMA
     • Emphasize evaluating effectiveness of controls vs. paper reviews
     • Enhance authority and accountability of CISO
     • Foster government leadership
       – Independent, expert reviews
       – Procurement standards
       – Dynamic sharing of lessons learned
  12. Near-Term Opportunities
     • Use government IT acquisitions to change IT business model
     • Enhance public-private partnerships
     • Adopt Consensus Audit Guidelines (CAG)
     • Update FISMA
     • Implement more secure Internet protocols
     • Implement comprehensive, federated authentication strategy
     • Leverage Stimulus Package to improve cyber security
  13. Longer-Term: IT Reliably Enabling Economy
     • Change the dialogue: Reliable, resilient IT is fundamental to future economic growth
     • New business model for software industry
     • Redesign the Internet
     • Get the “man out of the loop”—use automated tools (e.g., SCAP)
     • Develop professional cyberspace workforce
     • Foster new IT services models
     Need to Fundamentally “Change the Game” to Make Progress
  14. Closing Thoughts
     • Government and Industry need to treat cyber security as an urgent priority
     • Near-term actions important but need to fundamentally change the game to get ahead of threat
     • IT community needs to reorient the dialogue on cyber security—the objective is reliable and resilient information
     Cyber Security is Fundamentally a Leadership Issue!
  15. Contact Information
     jgilligan@gilligangroupinc.com
     www.gilligangroupinc.com
     John M. Gilligan
  16. Security Standards Efforts: Security Content Automation Protocol (SCAP)
     • CPE (Platforms): What IT systems do I have in my enterprise?
     • CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
     • CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
     • CCE (Configurations): How can I configure my systems more securely?
     • XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
     • OVAL (Assessment Language): How can I be sure my systems conform to policy?
  17. Security Standards Efforts: Next Steps*
     • CPE (Platforms): What IT systems do I have in my enterprise?
     • CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
     • CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
     • CCE (Configurations): How can I configure my systems more securely?
     • XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
     • OVAL (Assessment Language) In Progress: How can I be sure my systems conform to policy?
     • CWE (Weaknesses): What weaknesses in my software could be exploited?
     • CAPEC (Attack Patterns): What attacks can exploit which weaknesses?
     • CEE (Events): What should be logged, and how?
     • CRF (Results): How can I aggregate assessment results?
     • MAEC (Malware Attributes): How can we recognize malware?
     * Making Security Measurable – The MITRE Corporation
