2. Topics
• Current Situation
• Top-level Strategy for Cybersecurity
• Focused look at 20 Critical Controls and SCAP
• Legislative Initiatives
• Longer Term Directions
• Closing thoughts
3. Historical Perspectives
• Internet, software industry, (personal) computers—rooted in creativity not engineering
• Security in the Cold War Era
– Security “Gurus”—Keepers of the Kingdom
• The World Wide Web changes the security landscape--forever
• Post Cold War: The Age of Information Sharing
Legacy of the past is now our “Achilles Heel”
4. Cyber Security Threats Today--A New “Ball Game”
• Our way of life depends on a reliable cyberspace
• Intellectual property is being downloaded at an alarming rate
• Cyberspace is now a warfare domain
• Attacks increasing at an exponential rate
• Fundamental network and system vulnerabilities cannot be fixed quickly
• Entire industries exist to “Band Aid” over engineering and operational weaknesses
Cyber Security is a National and Economic Security Crisis!
5. Situation Assessment
• Assessing cyber threats (and therefore risks) requires extensive experience and access to highly classified materials
– It is unreasonable to expect most organizations to assess threats/risks.
• The technical aspects of Cybersecurity are enormously complex:
– Cybersecurity will require a significant increase in levels of discipline in systems/enterprise management
– Guidance must be simple and clearly stated.
• The overall state of cybersecurity is so poor that it cannot be solved quickly:
– Near term objective should be to establish a foundation upon which we can build
– Cannot do everything at once; we must prioritize/focus
7. Obama Cyberspace Policy Review—“60 Day Review”--May 29, 2009
• The Nation is at a crossroads
• Cyberspace risks pose some of the most serious challenges to economic and national security
• Need to begin national dialogue on cybersecurity
• Solutions must involve partnership with private sector and international engagement
• White House must lead the way
8. Recommended Near-Term Actions
• White House Cybersecurity official and supporting organization—Howard Schmidt appointed Dec. 2009
• Prepare updated national strategy
• Designate cybersecurity as Presidential priority
• Initiate public awareness campaign and strengthen international partnerships
• New policies regarding roles/responsibilities
• Prepare cyber incident response plan
• Develop research plan and vision for identity management
Progress delayed pending Cyber Czar appointment--Initial progress now underway.
9. (Recommended) Top Level Cybersecurity Strategy
[Chart: THREAT (Unsophisticated to Sophisticated) against MISSION/FUNCTION CRITICALITY (Low to High), divided into three regions: Accept Risk; Implement Comprehensive Baseline of Security; Deploy Targeted Advanced Security Controls]
10. Comprehensive Baseline of Security = A Well-Managed Enterprise
Characteristics of a Well Managed Enterprise
1. Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so
2. Increased operational effectiveness and greater security without increased cost
3. Integrated and automated enterprise management tools
Cyber Security Requires Comprehensive Application of “Good IT Hygiene”!
11. Top Level Cyber Security Strategy
Emma Antunes <emma.antunes@nasa.gov>
Twitter: @eantunes
[Chart: the same THREAT (Unsophisticated to Sophisticated) against MISSION/FUNCTION CRITICALITY (Low to High) layout as slide 9, with regions Accept Risk; Comprehensive Baseline of Security (A “well managed” IT infrastructure); Deploy Targeted Advanced Security Controls. Elements placed on the chart: TIC; Training for Sys Admin; 2-Factor Authentication; 20 Critical Controls; FDCC+; SCAP; DNSSEC, S-BGP; Threat/Vul Collaboration; Einstein 3]
Result: Blocks 85% of attacks and provides foundation to address remaining/new attacks (Ref: Dick Schaeffer, NSA/IAD)
12. 20 Critical Controls* for Effective Cyber Defense--An Effective Public-Private Partnership
• Underlying Rationale
– Let “Offense drive Defense”
– Focus on most critical areas
• CAG: Twenty security controls based on attack patterns
• Government and Private Sector consensus
• Emphasis on auditable controls and automated implementation/enforcement
• Pilots and standards for tools ongoing
* Also called the “Consensus Audit Guidelines” or “CAG” (http://www.sans.org/cag/)
13. Example--Critical Control #1
Inventory of Authorized and Unauthorized Devices
• Attacker Exploit: Scan for new, unprotected systems
• Control:
– Quick Win: Automated asset inventory discovery tool
– Visibility/Attribution: Online asset inventory of devices with net address, machine name, purpose, owner
– Configuration/Hygiene: Develop inventory of information assets (incl. critical information and map to hardware devices)
• Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
– CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6
• Automated Support: Employ products available for asset inventories, inventory changes, network scanning against known configurations
• Evaluation: Connect fully patched and hardened test machines to measure response from tools and staff. Control identifies and isolates new systems (Min--24 hours; best practice--less than 5 minutes)
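As an added illustration of Critical Control #1 (not code from the deck or from the CAG), the script below reconciles a discovery-tool scan against an authorized inventory carrying the slide's four fields, and grades how fast a newly connected test machine was isolated against the 24-hour minimum and 5-minute best-practice thresholds. The inventory records, scan results, addresses and hostnames are all constructed for the example.

```python
"""Added example (not from the original deck): reconcile a discovery scan
against an authorized asset inventory as Critical Control #1 describes, and
grade detection time against the slide's thresholds. Records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Detection-time thresholds quoted in the slide's evaluation step.
MINIMUM = timedelta(hours=24)         # "Min--24 hours"
BEST_PRACTICE = timedelta(minutes=5)  # "best practice--less than 5 minutes"


@dataclass(frozen=True)
class Asset:
    address: str   # net address
    name: str      # machine name
    purpose: str
    owner: str


# Constructed authorized inventory, keyed by network address.
AUTHORIZED = {a.address: a for a in [
    Asset("10.0.1.10", "web01", "public web server", "ops-team"),
    Asset("10.0.1.11", "db01", "inventory database", "dba-team"),
]}

# Constructed discovery-tool output: (address, hostname seen, first seen).
SCAN = [
    ("10.0.1.10", "web01", datetime(2010, 6, 1, 9, 0)),
    ("10.0.1.11", "db01", datetime(2010, 6, 1, 9, 0)),
    ("10.0.1.42", "unknown-pc", datetime(2010, 6, 1, 9, 3)),  # new device
]


def reconcile(authorized, scan):
    """Return sorted (unauthorized, missing, renamed) address lists."""
    seen = {addr: host for addr, host, _ in scan}
    unauthorized = sorted(a for a in seen if a not in authorized)
    missing = sorted(a for a in authorized if a not in seen)
    renamed = sorted(a for a, h in seen.items()
                     if a in authorized and authorized[a].name != h)
    return unauthorized, missing, renamed


def rate_detection(first_seen, isolated_at):
    """Grade time from first appearance to isolation of a new device."""
    elapsed = isolated_at - first_seen
    if elapsed < BEST_PRACTICE:
        return "best practice"
    return "acceptable" if elapsed <= MINIMUM else "fail"


if __name__ == "__main__":
    print(reconcile(AUTHORIZED, SCAN))
    print(rate_detection(SCAN[2][2], datetime(2010, 6, 1, 9, 6)))
```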
14. 20 Critical Controls—Implementation Recommendation
Step 1: Accept CAG consensus threats as risk baseline for your organization
Step 2: Implement 20 Critical Controls
Step 3: Use organization specific risk assessment to select and implement additional controls from 800-53
– Focus on unique, mission critical capabilities and data
Step 4: Use automated tools and periodic evaluations to continuously measure compliance (risk reduction)
Step 5: Partner with senior management and auditors to motivate compliance improvement
– Use examples and lessons learned from State Dept. and others
15. Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network.
• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information.
• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
16. Current SCAP Standards
• CVE: Identifies vulnerabilities
• CVSS: Scores vulnerability severity
• OVAL: Criteria to check presence of vulnerabilities, configurations, assets
• CCE: Identifies configuration controls
• CPE: Identifies packages and platforms
• XCCDF: Language to express configuration guidance for both automatic and manual vetting
Management areas covered: software vulnerability management, configuration management, compliance management, asset management
SCAP enables cross vendor interoperability and aggregation of data produced by separate tools to an enterprise level—leads to better enterprise management and cyber security!
17. FISMA 2002 Legislation Was Well Intended; What is Not Working?
• Original intent was good:
– Ensure effective controls
– Improve oversight of security programs
– Provide for independent evaluation
• Implementation took us off course
– Agencies unable to adequately assess cyber risks
– (Lots of) NIST “guidance” became mandatory
– No auditable basis for independent evaluation
– Grading became overly focused on paperwork
Bottom Line: OMB mandates and paperwork debates have distracted CIOs/CISOs from achieving real security improvements
18. New Hope for Federal Cybersecurity
• Progress
– FISMA Reporting Instructions: April 21, 2010
• Continuously monitor
• Use automated tools
• Develop automated risk models
– NIST Guidance (SP 800-53 and SP 800-37)
– New Legislation in House and Senate
• Cautions
– FISMA Reporting Instructions reinforce “compliance mentality”
– Risk assessment, while logical, is “a foundation of sand”
Security must be based on knowledge of attacks and results focused!
19. Implications of Policy, Guidelines and Potential Legislation Changes on Industry
• Implications for National Industrial Security Program Operating Manual (Feb 2006)
– ‘Certification/Accreditation’ becomes ‘Security Authorization’ with continuous monitoring (SP 800-37)
– Other updates to reflect new government-wide policies/guidance
• New FISMA reporting process--April 21, 2010
– Contractor information systems that support the operations and assets of the agency (FISMA Reporting)—including IG audit
• Potential Legislation Impacts
– Expand new FISMA to all systems of government contractors/subcontractors
– Requirements for reporting, testing, audits
Apply requirements for government organizations to government contractors
20. Longer-Term Actions: IT Reliably Enabling Business
• Change the dialogue: Reliable, resilient IT is fundamental to future National Security and Economic Growth
• New business model for software industry
– First step—self certified, locked-down configurations
– Longer term—software with reliability warranties
• Redesign the Internet to provide reliable attribution, increased security
• Get the “man out of the loop”—use automated tools (e.g., SCAP)
• Foster new IT services models
– Assume insecure environment
– Increased use of virtualization
– Secure “cloud”
• Evolve to a more effective public-private partnership (e.g., DIB)
• Develop professional cyberspace workforce
Need to Fundamentally “Change the Game” to Make Progress
21. Closing Thoughts
• Government and Industry need to treat cyber security as an urgent priority
• A well managed enterprise (e.g., using 20 Critical Controls and SCAP) is a harder target to attack and costs less to operate – the ultimate “no brainer” for a CIO
• Near-term actions important but need to fundamentally change the game to get ahead of the growing threat
Cyber Security is Fundamentally a Leadership Issue!
23. Top 20 Cyber Attacks and Related Control (not in priority order)
Columns: Attack / Control / Summary Comments
1. Scan for unprotected systems on networks
– Control: Maintain inventory of authorized and unauthorized devices on networks
– Comments: Find devices that can be exploited to gain access to other interconnected systems.
2. Scan for vulnerable versions of software
– Control: Maintain inventory of authorized and unauthorized software
– Comments: Find software versions that are able to be exploited remotely to gain entry to other systems.
3. Scan for software with weak configurations
– Control: Implement secure configurations for HW/SW computer devices
– Comments: Original configurations from vendors often have inadequate security controls enabled.
4. Scan for network devices with exploitable vulnerabilities
– Control: Implement secure configurations for network devices (routers, switches, firewalls, etc.)
– Comments: Network devices often become less securely configured over time unless they are diligently maintained.
5. Attack boundary devices
– Control: Implement multi-layered boundary defenses
– Comments: Attackers attempt to exploit boundary systems (e.g., DMZ or network perimeter) to gain access to network or interrelated networks
24. Top 20 Cyber Attacks and Related Control (Continued) (not in priority order)
6. Attack without being detected and maintain long-term access due to weak audit logs
– Control: Maintain and monitor audit logs
– Comments: Weak protection of or inadequate logging and monitoring permits attackers to hide actions
7. Attack web-based or other application software
– Control: Robust security controls and testing of application software
– Comments: Longstanding code weaknesses (e.g., SQL injection, buffer overflows) can be exploited
8. Gain administrator privileges to control target machines
– Control: Implement controlled use of administrator privileges
– Comments: Attacks exploit weak protection or control over administrator privileges
9. Gain access to sensitive data that is not adequately protected
– Control: Implement controlled access based on need to know
– Comments: Once inside a system, attackers exploit weak access controls
10. Exploit newly discovered and unpatched vulnerabilities
– Control: Continuous vulnerability assessment and remediation
– Comments: Attackers exploit the time between vulnerability discovery and patching
25. Top 20 Cyber Attacks and Related Control (Continued) (not in priority order)
11. Exploit inactive user accounts
– Control: Monitor and control user accounts
– Comments: Legitimate but inactive accounts, or accounts of former employees, are exploited
12. Implement malware attacks
– Control: Implement up-to-date anti-virus, anti-spyware, and Intrusion Prevention System controls
– Comments: Malware attacks continue to evolve, leaving non-updated systems exposed
13. Exploit poorly configured network services
– Control: Limit and control network ports, protocols and services
– Comments: Attackers focus on unprotected or unneeded ports and protocols
14. Exploit weak security of wireless devices
– Control: Implement controls for wireless devices
– Comments: Example attacks include unauthorized access from parking lots, exploiting traveling employees, etc.
15. Steal sensitive data
– Control: Implement controls to detect and prevent unauthorized exfiltration
– Comments: Includes both electronic and physical (i.e., stolen laptops) attacks
26. Top 20 Cyber Attacks and Related Control (Continued) (not in priority order)
16. Map networks looking for vulnerabilities
– Control: Implement secure network engineering
– Comments: Look for unprotected (i.e., weak) links or weak filtering/controls in network
17. Attack networks and systems by exploiting vulnerabilities undiscovered by target system personnel
– Control: Conduct penetration tests to evaluate and exercise defenses
– Comments: Attack exploits social engineering and inability of system to respond to automated attacks
18. Attack systems or organizations that have no or poor attack response
– Control: Implement effective cyber incident response capabilities
– Comments: True magnitude and impact of attack can be masked by inadequate response
19. Change system configurations and/or data so that organization cannot restore it properly
– Control: Implement data and system recovery procedures
– Comments: Leave backdoors or data errors that permit future attacks or disrupt operations
20. Exploit poorly trained or poorly skilled employees
– Control: Conduct skills assessment and ensure adequate training across the enterprise
– Comments: Attacks focus on manipulating end users, administrators, security operators, programmers, or even system owners
27. Approach for Developing 20 Critical Controls
Engage the best security experts:
• NSA “Offensive Guys”
• NSA “Defensive Guys”
• DoD Cyber Crime Center (DC3)
• US-CERT (plus 3 agencies that were hit hard)
• Top Commercial Pen Testers
• Top Commercial Forensics Teams
• JTF-GNO
• AFOSI
• Army Research Laboratory
• DoE National Laboratories
• FBI and IC-JTF
• Identify top attacks—the critical risk areas
• Prioritize controls to match successful attacks—mitigate critical risks
• Identify automation/verification methods and measures
• Engage CIOs, CISOs, Auditors, and oversight organizations
• Map Critical Controls to NIST SP 800-53 P1 controls (proper subset)
Result: Applying the 20 Critical Controls will address the majority of cyber attacks
28. Relevance of 20 Critical Controls to FISMA and NIST Guidelines
FISMA and NIST
1. Assess cyber security risk in an organization
2. Implement security based on risk
3. Select controls from NIST SP 800-53 to mitigate risk areas
4. Objectively evaluate control effectiveness
20 Critical Controls
1. Based on government-wide (shared) risk assessment
2. Controls address top cyber risks
3. 20 Critical Controls are subset of 800-53 Priority 1 controls
4. Use automated tools and periodic evaluations to provide continuous monitoring
20 Critical Controls designed to help agencies comply with FISMA and NIST guidance!