Cyber Security: Past and Future
John M. Gilligan
CERT’s 20th Anniversary Technical Symposium
Pittsburgh, PA
March 10, 2009
Topics
• Historical Perspectives
• Cyber Security Today--A National Crisis
• Cyber Security Commission Recommendations
• Near Term Opportunities
• Longer-Term Game Changing Initiatives
• Closing Thoughts
Historical Perspectives
• Computer Security in the Cold War Era
• Security “Gurus”—Keepers of the Kingdom
• The Internet changes the security landscape--forever
• The Age of Information Sharing
• Omissions of the past are now our “Achilles Heel”
Our Approaches To Providing Mission Enabling IT Are Stuck In The Past
Cyber Security Today—A New “Ball Game”
• Our way of life depends on a reliable cyberspace
• Intellectual property is being downloaded at an alarming rate
• Cyberspace is now a warfare domain
• Attacks increasing at an exponential rate
• Fundamental network and system vulnerabilities cannot be fixed quickly
• Entire industries exist to “Band Aid” over engineering and operational weaknesses
Cyber Security is a National Security Crisis!
Commission on Cyber Security for the 44th Presidency: Key Recommendations
• Create a comprehensive national security strategy for cyberspace
• Lead from the White House
• Reinvent public-private partnerships
• Regulate cyberspace
• Modernize authorities
• Leverage government procurement
• Build on recent progress with CNCI
Near-Term Opportunities
• Use government IT acquisitions to change IT business model
• Enhance public-private partnerships
• Adopt the Consensus Audit Guidelines (CAG)
• Update FISMA
• Implement more secure Internet protocols
• Implement comprehensive, federated authentication strategy
• Leverage Stimulus Package to improve cyber security
Use Government IT Procurement
• Cyber security needs to be reflected in our contractual requirements
• Many “locked down” configurations already defined
• Use government-industry partnership to accelerate implementation of secure configurations
• Get started now, improve configuration guidelines over time, and leverage SCAP!
Build on FDCC Successes and Lessons Learned
Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network.
• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information.
• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
Enhance Public-Private Partnerships
• Most of our nation’s critical infrastructure is owned by the private sector
• Much of our government-sponsored research intellectual property is “protected” by industry
• Regulators need to guide/govern private sector efforts
• Private and public sectors must act in cooperation
– Defense Industrial Base (DIB): an excellent model
Protecting Government and Military Systems Is Not Sufficient
Implement Consensus Audit Guidelines (CAG)
• Underlying Rationale
– Let “Offense drive Defense”
– Focus on most critical areas
• CAG: Twenty security controls based on attack patterns
• Emphasis on auditable controls and automated implementation/enforcement
• Public comment period through March 25th
• Pilots and standards for tools later this year
Update FISMA
• Emphasize evaluating effectiveness of controls vs. paper reviews
• Enhance authority and accountability of CISO
• Foster government leadership
– Independent, expert reviews
– Procurement standards
– Dynamic sharing of lessons learned
Longer-Term: IT Reliably Enabling Economy
• Change the dialogue: Reliable, resilient IT is fundamental to future economic growth
• New business model for software industry
• Redesign the Internet
• Get the “man out of the loop”—use automated tools (e.g., SCAP)
• Develop professional cyberspace workforce
• Foster new IT services models
Need to Fundamentally “Change the Game” to Make Progress
Closing Thoughts
• Government and Industry need to treat cyber security as an urgent priority
• Near-term actions important but need to fundamentally change the game to get ahead of threat
• IT community needs to reorient the dialogue on cyber security—the objective is reliable and resilient information
Cyber Security is Fundamentally a Leadership Issue!
Contact Information
jgilligan@gilligangroupinc.com
www.gilligangroupinc.com
John M. Gilligan
Security Standards Efforts: Security Content Automation Protocol (SCAP)
• CPE (Platforms): What IT systems do I have in my enterprise?
• CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
• CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
• CCE (Configurations): How can I configure my systems more securely?
• XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
• OVAL (Assessment Language): How can I be sure my systems conform to policy?
Security Standards Efforts: Next Steps*
• CPE (Platforms): What IT systems do I have in my enterprise?
• CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
• CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
• CCE (Configurations): How can I configure my systems more securely?
• XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
• OVAL (Assessment Language, in progress): How can I be sure my systems conform to policy?
• CWE (Weaknesses): What weaknesses in my software could be exploited?
• CAPEC (Attack Patterns): What attacks can exploit which weaknesses?
• CEE (Events): What should be logged, and how?
• CRF (Results): How can I aggregate assessment results?
• MAEC (Malware Attributes): How can we recognize malware?
* Making Security Measurable – The MITRE Corporation
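The three SCAP standards that answer the inventory, vulnerability and "RIGHT NOW" questions above, strung together as an added example that is not part of Gilligan's deck or of any SCAP tool: it parses CPE names (the 2.2 URI form current in 2009 is assumed), computes CVSS base scores from their vectors (CVSS v2 is assumed, since the deck predates v3), and matches CVE records against an asset inventory to produce a prioritised worry list. Every hostname, CPE name and CVE id below is constructed sample data; the CVE ids are placeholders, not real entries.

```python
"""SCAP-style vulnerability prioritisation over a constructed inventory.

Added example, not from the slide deck.  CPE names identify what we have,
CVE records say which platforms a vulnerability affects, and the CVSS v2
base score says what to worry about right now.  Assumptions: CPE 2.2 URI
form (cpe:/part:vendor:product:version:update:edition:language), CVSS v2,
and constructed data throughout (the CVE ids are placeholders).
"""
from dataclasses import dataclass

# CVSS v2 base-metric weights, as published in the v2 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # access vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # access complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # C / I / A impact

_CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176      # f(Impact) from the v2 equations
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def parse_cpe(uri: str) -> dict:
    """Split a CPE 2.2 URI into its seven named components.
    Trailing components may be omitted; an empty component means 'unspecified'."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(_CPE_FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    parts += [""] * (len(_CPE_FIELDS) - len(parts))
    return dict(zip(_CPE_FIELDS, (p.lower() for p in parts)))


def cpe_matches(affected: str, asset: str) -> bool:
    """True when every component the affected name specifies equals the asset's
    component.  Unspecified (empty) components match anything, so
    'cpe:/o:microsoft:windows_xp' covers every Windows XP service pack."""
    a, b = parse_cpe(affected), parse_cpe(asset)
    return all(a[f] == "" or a[f] == b[f] for f in _CPE_FIELDS)


@dataclass
class CveRecord:
    cve_id: str        # placeholder ids below, not real CVE entries
    cvss_vector: str   # CVSS v2 base vector
    affected: list     # CPE names the vulnerability applies to


@dataclass
class Asset:
    hostname: str
    cpes: list         # CPE names discovered on the host


def prioritise(assets, cves, min_score=7.0):
    """Return (score, cve_id, hostname, cpe) for every asset/CVE pair whose CPE
    names match and whose base score is at least min_score (7.0 is the bottom of
    NVD's v2 'High' band), highest score first."""
    findings = []
    for cve in cves:
        score = cvss2_base_score(cve.cvss_vector)
        if score < min_score:
            continue
        for asset in assets:
            for cpe in asset.cpes:
                if any(cpe_matches(aff, cpe) for aff in cve.affected):
                    findings.append((score, cve.cve_id, asset.hostname, cpe))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


# Constructed sample inventory and CVE feed (not real hosts or real CVEs).
ASSETS = [
    Asset("ws-01", ["cpe:/o:microsoft:windows_xp::sp3", "cpe:/a:adobe:acrobat_reader:9.0"]),
    Asset("srv-01", ["cpe:/o:redhat:enterprise_linux:5", "cpe:/a:apache:http_server:2.2.3"]),
]
CVES = [
    CveRecord("CVE-0000-0001", "AV:N/AC:L/Au:N/C:C/I:C/A:C", ["cpe:/a:adobe:acrobat_reader:9.0"]),
    CveRecord("CVE-0000-0002", "AV:N/AC:L/Au:N/C:P/I:P/A:P", ["cpe:/a:apache:http_server:2.2.3"]),
    CveRecord("CVE-0000-0003", "AV:L/AC:L/Au:N/C:N/I:N/A:P", ["cpe:/o:microsoft:windows_xp"]),
]

if __name__ == "__main__":
    for score, cve_id, host, cpe in prioritise(ASSETS, CVES):
        print(f"{score:4.1f}  {cve_id}  {host}  {cpe}")
```

In a real deployment the CPE inventory and CVE records would come from an SCAP-validated scanner and the NVD feeds rather than inline literals; the local-only Windows XP finding (score 2.1) is dropped by the default 7.0 threshold, which is the "RIGHT NOW" filter the slide describes.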
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 

Cyber Security: Past and Future

Use Government IT Procurement
• Cyber security needs to be reflected in our contractual requirements
• Many “locked down” configurations defined
• Use government-industry partnership to accelerate implementation of secure configurations
• Get started now, improve configuration guidelines over time and leverage SCAP!
Build on FDCC Successes and Lessons Learned
Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network.
• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information.
• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
Enhance Public-Private Partnerships
• Most of our nation’s critical infrastructure is owned by the private sector
• Much of our government-sponsored research intellectual property is “protected” by industry
• Regulators need to guide/govern private sector efforts
• Private and public sectors must act in cooperation
  – Defense Industrial Base (DIB): an excellent model
Protecting Government and Military Systems Is Not Sufficient
Implement Consensus Audit Guidelines (CAG)
• Underlying Rationale
  – Let “Offense drive Defense”
  – Focus on most critical areas
• CAG: Twenty security controls based on attack patterns
• Emphasis on auditable controls and automated implementation/enforcement
• Public comment period through March 25th
• Pilots and standards for tools later this year
Update FISMA
• Emphasize evaluating effectiveness of controls vs. paper reviews
• Enhance authority and accountability of CISO
• Foster government leadership
  – Independent, expert reviews
  – Procurement standards
  – Dynamic sharing of lessons learned
Near-Term Opportunities
• Use government IT acquisitions to change IT business model
• Enhance public-private partnerships
• Adopt Consensus Audit Guidelines (CAG)
• Update FISMA
• Implement more secure Internet protocols
• Implement comprehensive, federated authentication strategy
• Leverage Stimulus Package to improve cyber security
Longer-Term: IT Reliably Enabling Economy
• Change the dialogue: Reliable, resilient IT is fundamental to future economic growth
• New business model for software industry
• Redesign the Internet
• Get the “man out of the loop”—use automated tools (e.g., SCAP)
• Develop professional cyberspace workforce
• Foster new IT services models
Need to Fundamentally “Change the Game” to Make Progress
Closing Thoughts
• Government and Industry need to treat cyber security as an urgent priority
• Near-term actions important but need to fundamentally change the game to get ahead of threat
• IT community needs to reorient the dialogue on cyber security—the objective is reliable and resilient information
Cyber Security is Fundamentally a Leadership Issue!
Security Standards Efforts: Security Content Automation Protocol (SCAP)
• CPE (Platforms): What IT systems do I have in my enterprise?
• CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
• CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
• CCE (Configurations): How can I configure my systems more securely?
• XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
• OVAL (Assessment Language): How can I be sure my systems conform to policy?
Security Standards Efforts: Next Steps*
• CPE (Platforms): What IT systems do I have in my enterprise?
• CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
• CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
• CCE (Configurations): How can I configure my systems more securely?
• XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
• OVAL (Assessment Language) [In Progress]: How can I be sure my systems conform to policy?
• CWE (Weaknesses): What weaknesses in my software could be exploited?
• CAPEC (Attack Patterns): What attacks can exploit which weaknesses?
• CEE (Events): What should be logged, and how?
• CRF (Results): How can I aggregate assessment results?
• MAEC (Malware Attributes): How can we recognize malware?
* Making Security Measurable – The MITRE Corporation