Leveraging Standards to Improve IT Supply Chain Security
1. 1
Leveraging Purchase Power and
Standards to Improve Security in
the IT Supply Chain
John M. Gilligan
Gilligan Group, Inc.
May 5, 2009
Protecting the Resiliency of the Supply Chain
2. 2
Topics
• Background
• The “Good Old Days”—Status Quo
• The “Aha” Moment
• Standard Desktop becomes Federal Desktop
• Next steps
– Cyber Security Commission Recommendation
– Evolving Standards
• Summary
3. 3
Relevant Background
• Air Force
– 700,000 Unclassified Desktops
– 60,000 Classified Desktops
– IT Spending $7B; Security Spending of $700M
• Federal Government
– Approximately 4 million desktops
– IT Spending $60B; Security spending of $5B
• National Institute of Standards and Technology
(NIST) Provides IT Security Standards/Guidance
4. 4
Air Force CIO Observations
Regarding Software Security
• Spending more to “patch and fix” software
systems than to purchase them
• SW vendor contract terms—no warranties, no
standards, and no legal precedents for remedy
• AF IT purchasing is ad hoc (and expensive)
• Air Force is largest enterprise buyer for many
vendors
COTS software business model is fundamentally broken!
5. 5
From National Institute of Standards and Technology briefing--http://nvd.nist.gov/scap.cfm
NIST provides a lot of guidance in security—is it addressing the right problem?
6. 6
The CIO’s Cyber Security Dilemma
• There are only so many resources available to
be allocated against all IT priorities
• There is no such thing as perfect cyber security
• Finding flaws in cyber security implementation is
a “target rich” environment
How much security is enough, and where should investments
be applied?
7. 7
How to Assess Effective Security
• GAO Reports?
• Congressional FISMA Grades?
• Percentage of Systems Certified?
• Number of Systems with Contingency Plans?
• Agency Auditor reports?
The threat is increasing! Are we focusing on the right things?
"Pentagon Shuts Down Systems After Cyber-Attack"
Malicious scans of DoD increase 300%!
8. 8
An “Aha” Moment!
• Scene: 2002 briefing by NSA regarding latest
penetration assessment of DoD systems
• Objective: Embarrass DoD CIOs for failure to
provide adequate security.
• Subplot: If CIOs patch/fix current avenues of
penetration, NSA would likely find others
• Realization: Let’s use NSA’s offensive
capabilities to guide security investments
Let “Offense Inform Defense”!
9. 9
AF Standard Desktop Concept
• NSA “Offensive Team” briefings to Air Force on
attack patterns and vulnerabilities exploited
• ~80% of vulnerabilities tied to incorrectly
configured COTS software
• Joint effort by NSA, NIST, DISA, DHS, CIS,
Microsoft to create Standard Desktop
Configuration (SDC) for Microsoft
Windows/Office/IE
Address the source of the biggest problem—and do it
in the supply chain!
10. 10
Secure Desktop Configuration
• Defined ~600 security configuration settings for
Windows XP and Vista (out of 4477)
– Leveraged prior work by MS, NIST, CIS, NSA, DISA
• Protocols and software tools to validate
implementation – CVE/OVAL
• Phased Implementation (2005-2007)
– Senior-level governance process
Software delivered from hardware vendors in “locked down” configuration
11. 11
AF Standard Desktop Configuration
Results
• Improved Security
– Drop in security events
– Reduced patching time from 57 days to 72 hours
• Reduced Costs of Operation and Ownership
– Hundreds of millions saved to date*
• Improved System Performance
• Common platform for COTS/GOTS applications
leads to more rapid development and testing
* SDC Linked with Enterprise License Agreement and Commodity Purchasing Efforts
12. 12
Security As Part of IT Commodity Life Cycle Management
• Enterprise Client PC Hardware – Step 1: USAF Quarterly Enterprise Buy (QEB) Standards – 700K purchased since Aug 2003; $200M+ avoidance
• Enterprise Licensing and Services – Step 2: USAF Enterprise License Agreements – Implemented in Jul – Sep 2004; $100M+ savings by 2010
• Enterprise Client, Server, and Active Directory Configurations – Step 3: USAF Standard Desktop Configuration – AF wide implementation in 2006; Servers 2008
• Enterprise Configuration and Patch Management – Step 4: USAF Enterprise Configuration Management processes – Implementation 2006-2008
• Comply and Connect Enforcement – Step 5: USAF Comply, Connect and Remediate policy and processes – Incremental improvements 2006-2009
Incremental Improvements in End Point and Server Capability and Security
13. 13
AF Standard Desktop Configuration
FDCC
• Adopt AF-validated standard desktop concept
• OMB mandate for Federal Desktop Core
Configuration (FDCC)—March 2007
• Security Content Automation Protocol (SCAP)
– Validate configuration
– Check/remediate patching
– Asset management
– Standard vulnerability list
Expanded across Federal government and extended automation support
14. 14
Continued Evolution of “Aha” Realization:
The Consensus Audit Guidelines (CAG)
• Ensure that investments are focused to counter
highest threats — pick a subset
• Leverage offense to inform defense – focus on
high payoff areas
• Maximize use of automation to enforce security
controls — negate human errors
• Use consensus process to ensure best ideas
Focus investments by letting cyber offense inform
defense!
15. 15
Next Steps--Cyber Security
Commission Recommendation
• Mandate “Locked-down” configurations for all
software delivered to the government
• Build on existing efforts (e.g., NIST, BITS,
FERC, NIAP, CIS)
– Public-private partnership to develop guidelines
• Self-certification by software vendors
– Satisfy security guidelines
– Do not “unlock” security of other software
Expand FDCC Concept to all Software Products
16. 16
Security Content Automation
Protocol (SCAP)
• What is it: A set of open standards that allows for
the monitoring, positive control, and reporting of
security and management properties of every device
in a network.
• How is it implemented: Commercial products
implement SCAP protocols to exchange and enforce
configuration, security policy, and vulnerability
information. (Enables tool interoperability)
• Where is it going: Extensions in development to
address software design weaknesses, attack
patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
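The configuration validation the deck keeps returning to (slide 10's CVE/OVAL tooling, slide 13's SCAP "validate configuration", and slide 15's requirement that vendor software not "unlock" the security of other software) reduces to one mechanical check: compare each collected setting against the baseline, report what failed and what could not be collected, and flag what regressed after a change. The Python below is an added illustration of that check, not code from the presentation or from NIST/SCAP; its rule ids, setting names and values are constructed stand-ins and are not real FDCC/SDC content.

```python
"""Baseline compliance check in the spirit of SDC/FDCC validation (an OVAL-style
"is each setting what the baseline says?" pass).  Added example: all rule ids,
setting names and values are CONSTRUCTED and are not real FDCC/SDC or SCAP content.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Dict, List
import operator


class Result(str, Enum):
    PASS = "pass"
    FAIL = "fail"
    NOT_COLLECTED = "not collected"  # setting absent from the scan: cannot be judged


@dataclass(frozen=True)
class Rule:
    rule_id: str   # hypothetical id, loosely modelled on XCCDF-style rule ids
    setting: str   # key of the collected setting
    op: str        # comparison operator, see OPS
    expected: Any
    severity: str  # "high" | "medium" | "low"


@dataclass(frozen=True)
class Finding:
    rule: Rule
    result: Result
    actual: Any


# "between" exists because some settings use a magic value meaning "disabled"
# (a lockout threshold of 0 never locks), so a bare "<=" upper bound would pass
# a host that has the control switched off entirely.
OPS = {
    "==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le,
    "in": lambda actual, allowed: actual in allowed,
    "between": lambda actual, bounds: bounds[0] <= actual <= bounds[1],
}

BASELINE: List[Rule] = [  # constructed baseline, not the actual FDCC/SDC settings
    Rule("R-001", "Account/MinimumPasswordLength", ">=", 12, "high"),
    Rule("R-002", "Account/LockoutThreshold", "between", (1, 5), "medium"),
    Rule("R-003", "Removable/AutoRunEnabled", "==", False, "high"),
    Rule("R-004", "Audit/LogonEvents", "in", ("success,failure",), "medium"),
    Rule("R-005", "Firewall/Enabled", "==", True, "high"),
]

# Constructed scan of a host as delivered "locked down" by the hardware vendor ...
LOCKED_DOWN_HOST: Dict[str, Any] = {
    "Account/MinimumPasswordLength": 14,
    "Account/LockoutThreshold": 3,
    "Removable/AutoRunEnabled": False,
    "Audit/LogonEvents": "success,failure",
    "Firewall/Enabled": True,
}

# ... and the same host after a (constructed) third-party installer ran: it
# re-enabled AutoRun, turned the firewall off, and the audit setting could not
# be read by the scanner.
AFTER_INSTALL_HOST: Dict[str, Any] = {
    **LOCKED_DOWN_HOST, "Removable/AutoRunEnabled": True, "Firewall/Enabled": False,
}
del AFTER_INSTALL_HOST["Audit/LogonEvents"]


def evaluate(rules: List[Rule], config: Dict[str, Any]) -> List[Finding]:
    """Apply every baseline rule to one host's collected configuration."""
    findings = []
    for rule in rules:
        if rule.setting not in config:
            findings.append(Finding(rule, Result.NOT_COLLECTED, None))
            continue
        actual = config[rule.setting]
        ok = OPS[rule.op](actual, rule.expected)
        findings.append(Finding(rule, Result.PASS if ok else Result.FAIL, actual))
    return findings


def compliance_summary(findings: List[Finding]) -> Dict[str, Any]:
    """Roll-up for a governance dashboard: counts, a percentage over the rules
    that could actually be evaluated, and the high-severity failures to fix first."""
    counts = {r: sum(1 for f in findings if f.result is r) for r in Result}
    evaluated = counts[Result.PASS] + counts[Result.FAIL]
    pct = round(100.0 * counts[Result.PASS] / evaluated, 1) if evaluated else 0.0
    return {
        "pass": counts[Result.PASS], "fail": counts[Result.FAIL],
        "not_collected": counts[Result.NOT_COLLECTED], "compliance_pct": pct,
        "high_failures": sorted(f.rule.rule_id for f in findings
                                if f.result is Result.FAIL and f.rule.severity == "high"),
    }


def detect_unlocks(before: Dict[str, Any], after: Dict[str, Any],
                   rules: List[Rule]) -> List[str]:
    """Rule ids that passed before a change and no longer pass after it (a failure
    or a setting that can no longer be collected both count): the check behind
    "do not unlock the security of other software"."""
    was = {f.rule.rule_id: f.result for f in evaluate(rules, before)}
    now = {f.rule.rule_id: f.result for f in evaluate(rules, after)}
    return sorted(rid for rid, res in was.items()
                  if res is Result.PASS and now[rid] is not Result.PASS)


if __name__ == "__main__":
    for name, host in (("locked-down", LOCKED_DOWN_HOST), ("after install", AFTER_INSTALL_HOST)):
        print(name, compliance_summary(evaluate(BASELINE, host)))
    print("unlocked by install:", detect_unlocks(LOCKED_DOWN_HOST, AFTER_INSTALL_HOST, BASELINE))
```

Two design points carry over to real SCAP content: a setting the scanner could not read is reported separately rather than silently counted as compliant, and regression is judged per rule against the previous scan, so a vendor package that weakens a baseline setting shows up as a named rule rather than as a slightly lower percentage.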
19. 19
Summary
• Need to fundamentally change business model
for buying COTS software
– Vendors deliver “secure” configuration of products
– Use automated tools to validate security
• Integrate security with improved commodity
supply chain management (planning, purchase,
operations, disposal)
• Advancement of standards and related tools
holds great promise for dramatic improvements
to the IT Supply Chain