Mike Davis
[email protected]
ElectEngr/MSEE, CISSP & CISO SysEngr
ISSA / ISC2 / SOeC… AFCEA / NDIA… IEEE / INCOSE / et al
What “REALLY” matters in Cyber?
RE: Internet of things, privacy – security and beyond…
Circa 2015
Not sure HOW it can affect you (as it HAS already)?
AND… what is a “thing” – is that MORE we have to do???
(Figure: COMPLEXITY vs. the “easy button”)
Bottom line - As in ALL things – it is mostly about the ‘value proposition!’
ISC2 with IEEE Cyber
What’s Wrong With This Security?
The issues / gaps therein are where the cyber opportunities are!!!
The gates were fully locked, properly configured and validated.
I could not get through them. But....
Thus Cyber can be an illusion.
When a capability is “invisible”, like IA, safety, reliability, etc, what you see is not the whole picture!
Cutting through the CyberSecurity Fog!
B.L.U.F. – Bottom Line Up Front
The threats are very real, and the news shows a small percentage
It does not just happen to the other guy – YOU WILL be / ARE affected.
Focus on business risk reduction and minimizing legal liabilities
Adequate cyber protections are but one part – so is cyber insurance.
You cannot buy cyber security, you must manage cyber – many parts.
The standard IA/Security suite is pretty good – IF maintained well in operation.
The “P6” principles still apply (being prepared) – with strategic partnerships.
Few can afford to go it alone – TEAM up & use a managed security service.
Don’t fix cracks in the cyber walls, while the barn door is open!
Keeping your cyber suite well maintained cuts incidents by 95%
OK, so what does matter in Cyber?
It’s NOT about expensive new cyber capabilities / “toys”
but more about the interoperability “glue” (distributed trust, resiliency, automation, profiles)
You can NOT buy cyber, so do the cyber BASICS well!!!
An achievable 90-95% reduction in security incidents – stabilize the environment!
CYBER is fundamentally all about TRUST and DATA
(Identity, authentication, secure comms -- provenance, quality, pedigree, assured)
90+% of security incidents are from lack of doing the basics!
USE effective Security Continuous Monitoring (SCM / SIEM) – a MUST DO!
With enforced: cyber hygiene, enterprise access control, & reduced complexity (APLs)
Shift from only protecting the network, to the DATA security itself – information centric view
Embrace your Risk Management Plan (RMP) – LIVE IT!
Have an enforceable security policy – what is allowed / not – train to it
KNOW your baseline - Protect the business from the unknown risks as well
So then, what MUST we DO?
(MY TOP TEN - Well, to at least the first / second order effect – 95% level!)
1 - KNOW your baseline – from several views / aspects:
Follow the SANS top 20 and NSA top 10 mitigations
AND map your security mitigations into the NIST SMB Security guide (NISTIR 7621)
- keep track of your HW / SW assets and their versions / status, as you can't manage what you don't know. Document what your secure baseline is – then monitor it.
- maintain the cyber suite (hygiene, settings, patches, etc – automate where possible) and enforce strict access control (implement least privilege, use two-factor authentication on key data / equipment (especially on sensitive data / critical cyber capabilities), two-person control on key assets, limit PC-to-PC / peer-to-peer comms, minimize privileged accounts, etc)
- make it hard for hackers to get in and get around – this is JOB ONE: effective firewall rules (deny all with exceptions – monitor traffic going in and out), segment the networks, tighten / lock down the browser (where around 80% of all malware comes in, and over SSL it bypasses your cyber suite too), and don’t allow users / non-admins to install anything on any end-user device!
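The baseline item above (document the secure baseline, then monitor it) is easy to state and rarely automated. The following is an added example, not code from this deck or from any product it names: it compares a documented per-host baseline (approved software and minimum versions, allowed listening ports, allowed admin accounts) against a fresh inventory snapshot and emits drift findings. Every host name, package, version, port and account is constructed sample data; in practice the snapshot would be fed from your inventory / SCM tooling.

```python
"""Baseline drift check: compare a documented secure baseline per host against
a fresh inventory snapshot and report hygiene findings.

Added example (not from the deck). All host names, versions, ports and
accounts below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class HostBaseline:
    software: dict        # package -> minimum approved version
    listening_ports: set  # ports that are allowed to listen
    admins: set           # accounts allowed local admin rights


@dataclass
class HostSnapshot:
    software: dict        # package -> installed version
    listening_ports: set
    admins: set


def version_tuple(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def check_host(name: str, baseline: HostBaseline, snap: HostSnapshot) -> list:
    """Return (host, finding_kind, detail) tuples for everything that drifted."""
    findings = []
    for pkg, installed in snap.software.items():
        if pkg not in baseline.software:
            findings.append((name, "unapproved_software", pkg))
        elif version_tuple(installed) < version_tuple(baseline.software[pkg]):
            findings.append((name, "outdated", f"{pkg} {installed} < {baseline.software[pkg]}"))
    for pkg in baseline.software:
        if pkg not in snap.software:  # a required control (e.g. endpoint A/V) is gone
            findings.append((name, "missing_control", pkg))
    for port in sorted(snap.listening_ports - baseline.listening_ports):
        findings.append((name, "unexpected_listener", str(port)))
    for acct in sorted(snap.admins - baseline.admins):
        findings.append((name, "unapproved_admin", acct))
    return findings


# Constructed baseline: what each host is SUPPOSED to look like.
BASELINE = {
    "ws-01": HostBaseline({"endpoint-av": "5.2.0", "browser": "42.0"}, {3389}, {"itadmin"}),
    "web-01": HostBaseline({"endpoint-av": "5.2.0", "httpd": "2.4.10"}, {22, 443}, {"itadmin"}),
}

# Constructed snapshot: what the inventory tool actually reported today.
SNAPSHOTS = {
    "ws-01": HostSnapshot({"endpoint-av": "5.2.0", "browser": "40.1", "torrent-client": "1.0"},
                          {3389, 6881}, {"itadmin", "jsmith"}),
    "web-01": HostSnapshot({"httpd": "2.4.10"}, {22, 443}, {"itadmin"}),
}


def run_check(baseline=BASELINE, snapshots=SNAPSHOTS) -> list:
    """Run every host through check_host; flag hosts that are silent or unknown."""
    findings = []
    for host in sorted(baseline):
        if host not in snapshots:
            findings.append((host, "no_snapshot", "host did not report"))
            continue
        findings.extend(check_host(host, baseline[host], snapshots[host]))
    for host in sorted(set(snapshots) - set(baseline)):
        findings.append((host, "unknown_host", "not in the documented baseline"))
    return findings


if __name__ == "__main__":
    for finding in run_check():
        print(*finding, sep=" | ")
```

Each finding maps directly onto one of the bullets above: an unapproved package or an unexpected listener is the "don't let users install anything" rule failing, an unapproved admin is least privilege eroding, and a missing control is the cyber suite not being maintained. Running this on a schedule and feeding the tuples into the SIEM is the "then monitor it" half of the item.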
2 - Encrypt, encrypt, encrypt
3 - Use approved IA / cyber products
- Only buy off the NIAP/NSA/DISA lists of Approved / Preferred items (APLs).
- Minimizes your product complexity ...and... they come with C&A / A&A / V&V security pedigrees too!
4 - Effective SCM / SIEM / monitoring capability
- Watch for unusual behavior and keep track of key cyber settings, DNS, etc.
- And user actions too (humans when monitored always behave better).
5 - IDS/IPS (signatures) AND anomaly detection capability
- Watch for insider threats – while monitoring both incoming AND outgoing traffic.
- Whitelisting works and is not hard to do – put developers in an isolated sandbox
6 - DLP / DRM / data tracking capability
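Item 5 above pairs signatures with anomaly detection and insists on watching outbound as well as inbound traffic, and item 4 asks for DNS to be tracked. The following is an added example, not code from this deck or any vendor product: it runs both checks over one day of constructed network records. The signature side is an exact match against a small indicator list; the anomaly side needs no signature at all, flagging a host whose outbound volume is far above its own 14-day baseline and any DNS lookup for a domain the host has never resolved before. All hosts, addresses, domains and byte counts are constructed.

```python
"""Signature AND anomaly detection over one day of network records.

Added example (not from the deck). Indicators, hosts, domains and volumes
are constructed sample data.
"""
import statistics

# Signature side: constructed known-bad indicators (IPs / domains).
BAD_INDICATORS = {"198.51.100.23", "bad-update.example"}

# Anomaly side: per-host outbound volume in MB/day over the last 14 days (constructed).
HISTORY_MB = {
    "ws-01": [12, 11, 13, 12, 10, 12, 11, 13, 12, 11, 12, 13, 12, 11],
    "web-01": [100, 98, 102, 99, 101, 100, 103, 97, 100, 101, 99, 100, 102, 98],
}
# Domains each host resolved during the last 30 days (constructed).
KNOWN_DOMAINS = {"ws-01": {"files.example", "corp.example"}, "web-01": {"corp.example"}}

# Today's records: (host, kind, remote, bytes); kind is "out" (egress flow) or "dns" (query).
TODAY = [
    ("ws-01", "out", "203.0.113.9", 40_000_000),    # 40 MB upload from a workstation
    ("ws-01", "out", "198.51.100.23", 2_000),       # small beacon to a known-bad IP
    ("ws-01", "dns", "files.example", 0),
    ("ws-01", "dns", "xk3f9q.example", 0),          # never-seen domain
    ("web-01", "out", "203.0.113.50", 95_000_000),  # normal for this web server
    ("web-01", "dns", "corp.example", 0),
]


def signature_hits(records) -> list:
    """Exact-match IOC check: cheap and precise, but only catches what is already known."""
    return [(host, "signature", remote)
            for host, _kind, remote, _nbytes in records if remote in BAD_INDICATORS]


def anomaly_hits(records, history_mb, known_domains, z_max=3.0, min_sigma_mb=1.0) -> list:
    """Behavioral checks: outbound volume far above the host's OWN baseline,
    and DNS lookups for domains the host has never used."""
    hits = []
    totals = {}
    for host, kind, remote, nbytes in records:
        if kind == "out":
            totals[host] = totals.get(host, 0) + nbytes
        elif kind == "dns" and remote not in known_domains.get(host, set()):
            hits.append((host, "new_domain", remote))
    for host, total in totals.items():
        base = history_mb.get(host)
        if not base:
            hits.append((host, "no_baseline", f"{total / 1e6:.1f} MB"))
            continue
        mean = statistics.mean(base)
        # Floor the deviation so a very quiet host does not alert on trivial noise.
        sigma = max(statistics.pstdev(base), min_sigma_mb)
        z = (total / 1e6 - mean) / sigma
        if z > z_max:
            hits.append((host, "outbound_volume",
                         f"{total / 1e6:.1f} MB, z={z:.1f} vs {mean:.1f} MB baseline"))
    return hits


def run_detection(records=TODAY) -> list:
    """Signatures first (cheap), then anomalies; both feed the same alert stream."""
    return signature_hits(records) + anomaly_hits(records, HISTORY_MB, KNOWN_DOMAINS)


if __name__ == "__main__":
    for hit in run_detection():
        print(*hit, sep=" | ")
```

Note that the 95 MB from web-01 raises nothing because it is compared against that server's own history, while the 40 MB from ws-01 is roughly 28 standard deviations above its baseline. That per-host baseline is what makes the anomaly side useful against an insider or a beacon that no signature knows about yet.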
7 - User awareness and education / training
- Make it personal, targeted (JIT) info to user types, even fun / make a game of it
All these capabilities exist, are sold by many vendors, and are not hard to buy, use, and monitor. To build your own effective defense-in-depth / breadth cyber ecosphere – see our plan too!
http://www.sciap.org/blog1/wp-content/uploads/executing-an-effective-security-plan.pdf
8 – Add in a little OSINT too (open-source intelligence)
- Know who might be targeting you and the methods they would use against you
- Join your sector ISACs, etc to be aware of the threats and common mitigations
9 – Risk Management Plan is essential
- RMP must integrate and support the business success factors / line managers!
- RM has many moving parts to account for – so write them down (see following slide)
10 – Get Cyber Insurance
Security Main Factors
Given ALL the NIST / NSA / DISA guidance (see back-ups) - What MUST WE DO?
• Implement the NIST “absolutely necessary” elements – first and foremost to protect your data (encryption and back-ups)
• Effective passwords – still the bane of basic security… and policy is still poor! (tokens / two-factor authentication should be used for critical data / processes)
• Securing the client, fortifying the browser… buying trusted business apps, services… where the browser / client is THE largest malware entry point!
• Minimal security suite: antivirus, firewall, IDS, VPN, ISP / wireless security
• Monitoring tools… need to manage CM/hygiene, track users / data, provide alerts (SCM/SIEM) – supports preplanned SOPs / IRP / BCP / COOPs, etc
• Enforce a living security policy – quantify actual risks, strict need to know
• DATA protection - encryption, keys, and access control - minimize IP loss, DLP
• A robust and adaptive security strategy = risk management plan (RMP) – to keep pace with the fast-evolving nature of IT security, including cloud services / SLAs, etc
The Integrated Business RM Approach
+ Making the Risk Management Plan (RMP) work! +
(Figure: RMP elements)
- Company Vision (business success factors)
- C&A / V&V (effective / automated)
- Security Policy (mobile, social media, etc)
- Education / Training (targeted, JIT, needs based)
- Known Baseline (security architecture)
- CMMI / Sustainment (SOPs / processes)
- MSS / CISO (3rd-party IV&V support)
- Data Centric Security (DLP, reputation based methods)
- Insider Threat
- Company Intel (open source, FB, etc)
- SCM / SIEM (monitor / track / mitigate)
- Cyber insurance (broker & legal counsel)
- Privacy by Design (manage PII, HIPAA, compliance)
- Common Business RMP model (re: RMF / COBIT & Risk IT)
Complexity of Enterprise IT Systems is Increasing
AND so is the associated Cyber Security – from sensor to cloud!
Follow the DATA… where is it… who has it – how sure are you?
So - what is ‘good’? What’s new in cyber, and what matters?
RFID, Apps, MEMS, WSN, sensors, SCADA, PLC, ASIC, API, ETC, etc
Sensor + WiFi = device --- Things -> systems, machines, equipment, and devices— all connected to each other
Is all this stuff secure? How much is needed?
The “Internet of things (IoT)” is not really new…
IoT requires ALL the cyber protections we already know - and still need to implement!
COMPLEXITY is everywhere!
Where sensors dominate – where / how does it fit on Gartner's 2013 Hype Cycle for Emerging Technologies?
(Figure: Gartner's 2013 Hype Cycle for Emerging Technologies)
Everything connected to everything – ? Comms Secure ?
Automation = machines in control – ? M2M Secure ?
Pervasive new technologies – ? Built secure ?
“ALL” the technologies need built-in security = secure data, comms & privacy!
How do we prove end-2-end security?
What is an ‘adequate’ / due diligence level of security???
Cyberspace Characteristics
All of the warfighting - and related business - domains intersect…
Cyberspace Domain is contained within and transcends the others.
In relation to other mission areas… run by different Communities Of Interest (COI), cyberspace is a blend of exclusive and inclusive ties. Frequently the COI boundaries / MOAs are implicit.
These Venn connections / COIs are pervasive.
Numerous, dynamic “COIs” dominate relationships - adding Complexity & Comms & Control overhead - causing “cross domain / COI” DATA sharing effects.
(Figure: Venn diagram of IA, Security, C2, CIP / infrastructure, Banking / retail, Manufacturing, Communications)
What are KEY cyber elements? (and what can we reasonably expect to influence / affect?)
Fundamental issues…. (givens?)
- Threats are elusive / morph – so plan / mitigate around consequences (aka, a fault tree)
- KISS, as complexity is our enemy – do the basics well (hygiene, anonymity, etc)
- In a connected world, it’s the shared vulnerabilities that will get you / ALL of us
- “They” have an asymmetrical advantage, plan with it (and they don’t follow the rules/laws)
- WE ALL need common homogenous security protection in a heterogeneous world
Essential gaps / needs… (tenets?)
- Invest in the OSD / NSA R&D / S&T “gap” capabilities, as authoritative sources
- Apply trade-offs / assessments using a common end-state (an ‘open’ / ubiquitous world)
- Using an enterprise risk management plan (RMP), and FOCUS on proactive SCM!
- If you can’t integrate “it” into your IT/network environment, then “it” is useless
- Minimize “what you don’t know you don’t know” & get cyber insurance
If you don’t know where you’re headed, any blind alley will do
Where the bad actors continue to count on US ALL not being in sync
Cyber requires enterprise integration
Things are only the ‘stuff’ – we need to accommodate all IT/IA aspects!
Systems / capabilities are characterized by their boundaries, where interfaces / controlling parameters / PPSM are key
“Things” must communicate
No. of paths = n(n-1) – grows with the square of the number of things. Are ALL using secure channels? Data protected? Adequate authentication? No covert paths established?
Tens of thousands of trillions of communication paths!
Securing low-BW channels requires optimal cryptography algorithms and adequate key management systems.
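The questions above (secure channel? adequate authentication? no covert or replayed paths?) have a concrete minimal answer for a low-bandwidth M2M link, and the key-management point is what makes it scale: a per-thing key derived from one enterprise master key means n things need one master secret on the gateway rather than n(n-1) pairwise keys. The following is an added example, not code from this deck or from any NSA / NIST package it cites. It uses only the Python standard library: each frame carries the thing id, a monotonically increasing counter and a truncated HMAC-SHA256 tag, and the receiver verifies the tag before it touches any counter state. The master key, thing id and payload are constructed; confidentiality (encryption of the payload) is deliberately left out so the authentication and replay logic stays visible.

```python
"""Authenticated, replay-protected messaging for a low-bandwidth M2M channel.

Added example (not from the deck). Master key, thing id and payload are
constructed. Encryption of the payload is out of scope here.
"""
import hashlib
import hmac
import struct

TAG_LEN = 8                    # 64-bit truncated tag: 2^-64 forgery odds per attempt, 8 bytes on the wire
HEADER = struct.Struct(">HI")  # thing_id (uint16) || message counter (uint32)

# Constructed master key; in practice it lives in an HSM / key-management system.
MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def derive_thing_key(master: bytes, thing_id: int) -> bytes:
    """Per-thing key = HMAC-SHA256(master, label || thing_id).
    Losing one thing's key does not expose any other thing's traffic."""
    return hmac.new(master, b"thing-auth-v1|" + struct.pack(">H", thing_id),
                    hashlib.sha256).digest()


def seal(thing_key: bytes, thing_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header || payload || tag, where the tag covers header AND payload."""
    header = HEADER.pack(thing_id, counter)
    tag = hmac.new(thing_key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Gateway side: verifies the tag, then enforces a strictly increasing counter."""

    def __init__(self, master: bytes):
        self.master = master
        self.last_counter = {}  # thing_id -> highest counter accepted so far

    def open(self, message: bytes):
        if len(message) < HEADER.size + TAG_LEN:
            raise ValueError("short message")
        header = message[:HEADER.size]
        body = message[HEADER.size:-TAG_LEN]
        tag = message[-TAG_LEN:]
        thing_id, counter = HEADER.unpack(header)
        key = derive_thing_key(self.master, thing_id)
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare, and verify the tag BEFORE touching counter state so
        # forged frames cannot advance or poison a thing's replay window.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        if counter <= self.last_counter.get(thing_id, 0):
            raise ValueError("replayed or out-of-order counter")
        self.last_counter[thing_id] = counter
        return thing_id, body


def _rejected(rx: Receiver, message: bytes) -> bool:
    """True if the receiver refuses the frame."""
    try:
        rx.open(message)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Walk one thing through accept / replay / tamper / forgery cases."""
    thing = 0x0042
    key = derive_thing_key(MASTER_KEY, thing)
    rx = Receiver(MASTER_KEY)
    m1 = seal(key, thing, 1, b"\x01\x7f")                 # constructed sensor reading
    results = {"first": rx.open(m1)}
    results["replay"] = _rejected(rx, m1)                  # same frame captured and resent
    tampered = m1[:HEADER.size] + b"\x01\x00" + m1[HEADER.size + 2:]
    results["tamper"] = _rejected(rx, tampered)            # payload changed, tag now stale
    forged = seal(derive_thing_key(b"wrong-master", thing), thing, 2, b"\x01\x7f")
    results["forged"] = _rejected(rx, forged)              # attacker without the master key
    results["second"] = rx.open(seal(key, thing, 2, b"\x01\x7f"))
    results["frame_len"] = len(m1)                         # 6 header + 2 payload + 8 tag
    return results


if __name__ == "__main__":
    print(demo())
```

A two-byte reading costs 16 bytes on the wire, which is the kind of budget a sensor radio can live with; widening TAG_LEN to 16 buys more forgery resistance at 8 more bytes per frame. The counter also has to survive a thing rebooting (persist it, or fold in a session nonce at join time), otherwise the gateway will correctly refuse everything the thing sends after a restart.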
• Mobile devices … and wireless always predicted, yet proliferates in 2014
– Increasing Android Trojans, digital wallets, USER-provided network services / access points! – Wireless security issues expand (besides 802.11 & WiMAX, to Zigbee, Z-Wave, ARM, etc.) …
– BYOD – many more hidden costs, legalities and risks than it appears at first…
• Cyber crime: easy money, minimal downside and growing (ransomware, etc)
– Illicit cyber revenues have essentially equaled all illegal drug trafficking dollars
• The insider threat is much more “impactful” than given credit for
– Considering compromised services and computing devices of all kinds (aka, supply chain security). With improved social engineering attacks… and… stealth exfiltration techniques… etc…
Threat Vectors of Interest (examples)
Mobile devices and cloud infrastructure hacking are two of the biggest attack vectors in crime / terrorism in 2014 and beyond…
• Verizon Data Breach Report (2012) – MOST breaches avoidable!
– 96% of attacks not difficult; 85% took weeks to discover (average is 416 days); 92% discovered by a third party; 85 - 97% of data breaches / security incidents avoidable through simple or intermediate controls
• Forbes - The Biggest Cybersecurity Threats of 2013+
– Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware
Threat Vectors of Interest (Cont.)
• SSL/XML/web (HTML5)/browser vulnerabilities will proliferate
– Browsers remain a major threat vector (80% - bypasses the IA suite) & ‘watering holes’ – JAVA / VM / active code MUST be strictly managed / controlled / under “CM”
• Convergence of data security and privacy regulation worldwide..
– Compliance gets pervasive (PCI DSS, HIPAA, etc) ... Shift focus to “privacy by design”! – Data security goes to the cloud - where security due diligence is more than SLAs!
– IPv6 transition will provide threat opportunities… Data Loss Prevention (DLP) is still needed…
• Containment is the new prevention (folks now get the "resilience" aspect...)
MUCH to consider in the “threat” equation… and it’s always changing…
Hence why you must ALSO practice “consequence” risk management
• Nation-sponsored hacking: When APT meets industrialization
– More targeted custom malware (Stuxnet -> Duqu / and FLAME! are only the beginning)
• Misanthropes and anti-socials / hacktivism morphs – ANYONE can do it now!
• Full-time incident response needed: COOP, forensics, reporting, etc, etc…
– Monitoring and analysis capability increase, but not enough (re: near real-time forensics & “chain of custody” evidence)…. “continuous monitoring” is KEY… (re: SCM / SIEM)
Verizon Data Breach Investigations Report - DBIR (2014)
We have met the cyber enemy, and they are US(ers)
10-year series, 63,437 incidents, 1,367 breaches, 95 countries
WHAT
- 92% of incidents described by just nine patterns
- shift from geopolitical attacks to large-scale attacks on payment card systems
Sectors
- Public (47,479), Information (1,132) and Finance (856)
Threats (%)
- POS intrusions - 31
- Web App Attacks - 21
- Cyber espionage - 15
- Card Skimmers - 14
- Insider misuse - 8
- Crimeware - 4
HYGIENE Factors
See also - Ponemon Institute’s cyber report
Key threats – from cost-based activities: malware, malicious insiders and web-based attacks
Forbes lists these: Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware
A huge sample size! This includes YOUR business category too !!!
Mitigations
- restrict remote access
- enforce password policies
- minimize “non” POS activity on those terminals
- deploy A/V (everywhere, POS too)
- evaluate threats to prioritize treatments
- look for suspicious network activity
- use two-factor authentication
Yes, it really is ALL about the DATA
2020 Data Vision (Courtesy of Dan Green / SPAWAR):
Themes and Memes (Technology vs Technology Adoption)
Meme: an idea, behavior, or style that spreads from person to person within a culture
Convergence = Genomics, Robotics, Informatics, Nanotech (each a $B+ market)
It’s a data-centric world; thus we need Privacy by Design (PbD)
“CBAD” = Cloud, Big Data, Analytics, Data Science (are you ‘all-in’?)
Telematics = Sensing robotics, Cyber Physical Systems (will kids need to learn to drive?)
Interactive 3D = Augmented Reality, HTML 5, Three.js (3D graphics for WebGL)
Embedded Computing = eHPC, Tessel (mCPU / Java), Programmable hardware
LBS = Location Based Services, IPS, Beaconing, NFC
IoT = Internet of Things, M2M, Quantified Self
Mobilization = Preparation for Conflict/Competition, Autonomy, The Draft
STEM = Science Technology Engineering Math, Generation NOW, Old Dogs (YOU)
What’s a “simple” IA/Cyber vision / end-state look like?
A cyber end-state stresses encapsulation using secure communications
AND what are the “requirements”?
AND DATA - assured / pedigree / provenance? Privacy satisfied?
Cyber is ALL about TRUST, Rules/MOAs & State
(Figure: IoT = things + comms; KEY C-I-A entities / touch points; “the cloud”)
NSPD-54/HSPD-23: CNCI-1 ‘12 Initiatives’
(http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative )
Focus Area 1 - Establish a front line of defense: Trusted Internet Connections; Deploy Passive Sensors Across Federal Systems; Pursue Deployment of Intrusion Prevention Systems; Coordinate and Redirect R&D Efforts; Connect Current Centers to Enhance Situational Awareness
Focus Area 2 - Resolve to secure cyberspace / set conditions for long-term success: Develop Gov’t-wide Counterintelligence Plan for Cyberspace; Increase Security of the Classified Networks; Expand Education
Focus Area 3 - Shape future environment / secure U.S. advantage / address new threats: Define and Develop Enduring Leap-Ahead Technologies, Strategies & Programs; Define and Develop Enduring Deterrence Strategies & Programs; Manage Global Supply Chain Risk; Define Federal Role for Cybersecurity in Critical Infrastructure Domains
Cyber efforts must synchronize with Federal Investments
The HARD part is implementing enterprise integration, interoperability
DoD Cyber Priority Steering Council (PSC) S&T / R&D Roadmap
What matters? Key Capability Gaps / Areas “4+1”
(Figure: four pillars plus one cross-cutter – Cyber M&S and Experimentation (Cross Cutter); Autonomous responses and C3 Tools; Environment is robust and self-healing; Mixed trust levels in heterogeneous space; Support essential business success functions)
Cyber PSC PA-Releasable Briefing
KEY Enabling Technology Areas
• Response and Cyber Maneuver
• Visualization and Decision Support
• Human Factors and Training
• Malware/Forensics Analysis and Reverse Engineering
• Resilient Infrastructure and Comms
• Scientific Theory and Measures
• Sensing and Data Fusion
• Software Pedigree and Provenance
• Distributed Trust
• Resilient Architectures
• Component Trust
• Detection and Autonomic Response
• Advanced Cross-Domain Solutions
• Advanced Cryptography
• Quantum Computing, Comms, and Crypto
• Biometrics
• Code Verification and Compliance
• Correct (Assured) by Construction Software
• Deception and Information Hiding
• Recovery and Reconstitution
CYBER is fundamentally about distributed trust / assured DATA / secure messaging!
(Figure: value / need, high / med / low)
Strategic Cyber Elements
(1) Collaborate on common enterprise IA / cyber strategy and vision – policy mapped to prioritized capabilities with assigned resources = “good enough” / cyber sufficiency!
(2) Develop a common overall enterprise risk assessment (ERA) approach – accounts for both significant threat vectors AND vulnerability consequences -> key mitigations; use the NIST “RMF” (Risk Management Framework (800-37)) weighted in the CNCI-2 12 focus areas
(3) Align and synchronize resources and cyber gaps / initiatives across federal & commercial organizations and tier 1 – tier 3 architecture perspectives (IT & cyber are ONE)
(4) Address pervasive lack of basic cyber hygiene enterprise wide – within the complete, life-cycle aspects of an organization’s people, processes and products (technology); enforce a scalable, global access control model that preserves least privilege, “attenuated delegation” (ZBAC)
(5) Reduce complexity - Build a trusted cyber infrastructure – use APLs along with the existing IA/CND infrastructure, as an integrated “SoS” - with enforced CM; thus optimize our overall cyber package and ensure synchronization and RESILIENCY!
(6) Better integrate / leverage education and ‘proactive defense’ (and ‘IO’) – “stealth offense” best left to law enforcement, qualified federal entities (or escalation / retaliation will occur)
Top down approach to a balanced,
SO just what are we trying to orchestrate?
An integrated “Cyber Defense in Depth / Breadth (DiD)” EcoSphere for IA & CND – using dynamic lag and lead feedback, establish proactive, dynamic CND / IA Defense
(Figure: feedback loop. Red Teams and defensive assessments supply forensic feedback (lagging indicators); Users & CoC, Cyber “I&W” and “SA” (sensors, CNA/E inputs, OpSec, Intel, etc…) supply predictive feedback (leading indicators). Upgrades are developed & installed via the “Virtual Storefront” (takes days to months); NMS / security management tools change “soft” settings (takes secs to mins). Inputs: threats, V&V / C&A, CERT / FBI incident results, I&W / SCM, “insider threats”, IDS / IPS / DLP / etc sensors (near real-time!).)
All “PbD” capabilities (including IoT) must be well integrated into the cyber ‘system’ with big data / predictive analytics / SIEM
Building a Trusted Cyber Infrastructure
“= an adequately assured, affordable, net-centric environment”
(built from disparate heterogeneous capabilities that we must integrate into a homogenous cyber ecosphere!)
Make IA / CND / Security a commodity:
Use & enforce IA building blocks = APLs/PPLs -> “NIAP”
Interoperability and compose-ability are built in upfront and help dramatically reduce complexity and ambiguity
Thus….establishing known risks & pedigrees: reduces attack surface, risks & TOC = baseline for PbD & IoT!
Focus on a few core capabilities & devices = PC, routers, IA suite, servers, & SANs – all with access control
(Figure: WAN router, distribution router, core router, IA suite, PCs / end user devices, servers and SANs, each with an Evaluation Assurance Level (EAL 2 – 7): network devices with “assured” IOS – EAL 4-5; standard IA/CND suite (FW, A/V, IDS/IPS, CDS, VPN, Crypto, Key Mgmt, Security Policy) – EAL 4; end user devices and servers with Secure OS, TSM, HBSS, strict access / ZBAC on ALL OSes (MS, Mac, Unix) – EAL 3-4; HW / FW, secure OS kernel, secure virtual machine, security monitor – EAL 5-6; data centric security, defensive I&W, strict access / ZBAC)
All connections / communication paths need Assured Identity, Authentication & Authorization
RFID, MEMS, WSN, sensors, ICS / SCADA, etc
IA / Cyber and DATA must be built E2E!
Thus, the DATA, IA/cyber controls, interfaces and profiles in each element / boundary must be quantified / agreed to upfront!
Hierarchy: Enterprise, Site, Enclave, Network, SoS, Apps / services, HW/SW/FM “CCE”
Each sub-aggregation is responsible for the data / controls within their boundaries and also inherits the controls of their environment, where we need to formalize the reciprocity therein!
WE have a “natural” hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many-to-many communications paths typically involved in end-to-end (E2E) transactions
DATA – AND people and processes TOO!
How does the DATA move and what are the privacy protections / controls at each layer?
“Notional” Data Centric Architecture (DCA) iso the required privacy needs
(Figure: DATA at the center; layers: Storage, Services, Apps, Host / device, transport; IA / Security / cyber (e.g., defense in depth (DiD)); IA controls / inheritance; Business logic, Middleware; Behavior monitoring; FW / IDS / IPS; SCM - Continuous monitoring; OMG / DDS)
Supports quality / assured data (with a pedigree / provenance)
Data is either at rest, being processed OR in transit
Must account for the “four ‘Vs’” – Volume, Variety, Velocity and Veracity
A PbD Cyber Model translates the data 4V’s into privacy attributes and controls
What IA/security capabilities are needed for the DATA itself?
Cyber must be preserved in the full data AND capabilities life-cycle
How does the DATA move about? Must accommodate BOTH in-house and cloud
DCA major elements
• Data-centric architecture (DCA) decouples designs and simplifies communication while increasing capability and easing system evolution… DCA can link “systems of systems” into a coherent whole, using an open standard — OMG DDS… Transports, operating systems, and other location details do not need to be known, allowing adaptation to performance, scalability, and fault-tolerance requirements
• Define and modularize DCA components = create specifications (capabilities and profiles)
• DCPS, DDSI, DataReader, DataWriter, Pub / Sub, Java, mobile code, widgets, storage SW, middleware, services, ESB, etc… these all also have cyber security aspects built in
• Use OMG / DDS as a reference - AND - the data schema / tagging authoritative sources
DCA / DCS Overall Construct (need to V&V that security is built in / adequate in services)
(Figure: Web Services, Event processing, Database, ESB, Workflow engine, Legacy Bridge on a DATA bus (DDS middleware infrastructure) & DCS services)
+ Standard IA / CND / security suite = “IA devices” = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN
+ Network infrastructure = “CCE” = common core computing / network environment - with ‘IA – enabled’ devices
Other services / capabilities: Data-to-user authentication; Signed / secure applications; protected communications; Authoritative / assured DBs; Virtual private data-stores (e.g., VPNs); Cryptographic boundaries for isolation; Target Java and .NET for enterprise stacks
Data centric services and cloud evolution – ownership and security
(Figure: who manages each layer – Application, Data, Middleware, OS, Virtualization, CPU/Storage, Networking)
- On-premises (“Pre-cloud”): you manage all seven layers
- Infrastructure as a service (“Cloud v1”): you manage Application, Data, Middleware, OS; vendor manages Virtualization, CPU/Storage, Networking
- Platform as a service (“Cloud v2”): you manage Application, Data; vendor manages Middleware, OS, Virtualization, CPU/Storage, Networking
- Software as a service: vendor manages all seven layers
PaaS objective for combined / hybrid environments (with premise and cloud)
(Word cloud: Kerberos, PKI, Token, Digital Certificate, Thin Clients, Biometrics, HIPAA, VPN, IPsec, SSL, Hardening, Cloud, XML Gateways, Secure Collaboration, Compliance, Secure Blades, H/W Crypto, SOX, DAC, RSBAC, FIPS 140-2, Trusted OS, Guards, Cyber Security, SaaS, Wireless)
Cyber Security is Complex from a Technical Perspective
What factors must be addressed in PbD? Which ones are inherent in the IA/CND/Cyber suite?
+++ Cyber Model for PbD +++
Standard IA / CND suite = “IA devices” = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN
Typical Network infrastructure = “CCE” = common core computing environment (with ‘IA – enabled’ devices properly set up - operating systems, database management systems, network management systems and web browsers)
Monitoring, tracking, assessment = SCM / SIEM, DLP / RBS, R-T C&A/V&V, etc
Data Centric Security (DCS) enabling PbD
+ Data Encryption end2end – focused on services / applications (PaaS model)
+ Multi-factor authentication - add time, location, etc (re: RAdAC end-state)
+ Security Policy management – Automated, serve multiple ‘avatar’ levels in PbD
+ Application engineering - Common model for services, apps, phones, APIs, etc
“+” are added on top of the IA/CND/Security cyber suite
Use existing products in each “+” capability – we have several favorites…;-)) (AND an integrated “AI/smart” correlation / POA&M tool – mapped to NIST cybersecurity framework functions / tiers)
Key Tactical Thrusts to DO Now
• COMMON national cyber security approach / end-state
• Consequence based enterprise risk assessment (don’t chase threats)
• Dynamic Cyber Enterprise Management (enforced hygiene)
– KEY capability – security continuous monitoring (SCM) (can’t manage what you can’t measure)
• Top-down enforcement of IA / Cyber architecture
– Secure enterprise access control / ENFORCE least privilege (re: ZBAC…) / Cyber IFF
– Common enterprise trust model (and implement TPMs, etc)
– Reduce complexity - use APLs / VPLs / IA Building blocks with pedigrees
– USE SCM to manage your IA/cyber suite quasi real-time… with SME help!
• Effective lifecycle education and training
– Targeted training – user awareness and IA/cyber SMEs (who manage it all)
High impact activities get us all moving quickly – YES! “95+%” security incident reduction
What is Cyber Hygiene? (and the HUGE percentage of security incidents caused by lack of it)
National Security Agency (NSA) (80-85%)
NSA IAD director: “Just improving the ‘IA Management’ aspects of security (aka, hygiene factors) will reduce security incidents by over 80%”
IA Management = CM, monitoring environment, follow SOPs
http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf
http://www.sans.org/critical-security-controls/guidelines.php
Verizon (2012 Data Breach Investigations Report) (up to 97%)
Report covered 855 incidents, 174 million compromised records
--- Breaches almost entirely avoidable through simple or intermediate controls
Threats: 98% from external agents, 81% from hacking… 69% used malware
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Navy (our “red team” / NCDOC) (over 90%)
Poor “accountability” factors = willful misuse, lack of CM (& IAVA / patches), not having / following procedures, weak enforcement of policy, etc
They must spend all their time / resources fixing the “easy” vulnerabilities…
HYGIENE = Maintaining / monitoring your IA / Security / cyber equipment settings
Cyber Hygiene – the many faces of neglect
Our IA/CND/Security cyber suite is quite good – IF maintained!
(Figure: hygiene factors)
- Equipment settings (FW, A/V, IDS, etc) – monitor / enforce
- Standard operating procedures (SOPs) – USE / enforce them
- Social media – content & settings; restrict sharing / privileges
- Security Awareness – ALL levels – reinforce; incentivize – good vs bad
- Privacy and “PII” – enforce policy (note - “EU” is stricter)
- Incident reporting – no incident too small; notify US-CERT / FBI
- Controlled Access – enforce least privilege; separate / rotate duties
- Know your security baseline AND employ SCM / SIEM
- Maintain Cyber Suite – patches, upgrades, etc (compliance == security)
You cannot buy ‘cyber security’ (assuming you have an adequate IA/CND/Security/Cyber suite) – YOU must manage Cyber – actually DO and verify it!
Will lack of cyber hygiene continue to put you at
Security Continuous monitoring (SCM)
- What is SCM anyway?
SCM is ongoing observance with intent to provide warning. A SCM capability is the ongoing observance and analysis of the operational states of systems to provide decision support regarding situational awareness and deviations from expectations.
SCM is a risk management approach to cybersecurity that maintains a picture of an organization’s security posture, provides visibility into assets, leverages use of automated data feeds, monitors effectiveness of security controls, and enables prioritization of remedies.
http://scap.nist.gov/events/2011/cm_workshop/presentations/pdf/DULANY%20-%20CM%20Brief16%20Mar.pdf
An Enterprise SCM technical reference model (based on the Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS) Reference Architecture Report)
http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-NISTIR-7756_second-public-draft.pdf
- What good is it?
MANY ‘ROI’ benefits: real-time awareness of security posture, cyber benchmarking, complements audit / compliance efforts, improves cyber performance, and reduces risk exposure – simplifies risk management overall.. Third-party IV&V monitors of “hygiene” AND potential new threats!
http://raw.rutgers.edu/docs/wcars/23wcars/presentations/Mike%20Cangemi-The_Benefits_of_Continuous_Monitoring_edited_final_8-11[1].pdf
- WHO does this now, where do I go for help?
DISA and DHS have efforts in play already (DHS is funding continuous monitoring as a service (CMaaS)). State Department DID early SCM several years ago, reduced C&A costs over 90%
http://www.disa.mil/scm
http://www.gao.gov/new.items/d11149.pdf
http://www.nextgov.com/cybersecurity/2013/01/dhs-pick-6-billion-tab-cyber-surveillance-systems-every-department/60445/
- SCM is mandated for government entities (FISMA / DOD CIO / DHS / others)
SCM is a cyber / risk management tool and provides added due diligence
Mobile Security perspective
http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf
Key Issue / Risk Findings:
• Extensive use of mobile devices connecting to corporate networks
-- 89% have mobile devices such as smartphones or tablets connecting to corporate networks
-- Apple iOS is the most common mobile platform used to connect in corporate environments
• Personal mobile devices that connect to corporate networks are extensive and growing
-- 65% allow personal devices to connect to corporate networks
-- 78% have more than twice as many personal devices on corporate networks vs 2 years ago
• Security risks are on the rise because of mobile devices
-- 71% say mobile devices have contributed to increased security incidents
-- The Android mobile platform is considered to introduce the greatest security risks
• Employee behavior impacts security of mobile data
-- 47% report customer data is stored on mobile devices
-- Lack of employee awareness about security policies ranked as greatest impact on data security
-- 72% say careless employees are a greater security threat than hackers
• Contrast the 75%+ of users with personal devices with the percentage of employers who have a coordinated and comprehensive mobile security strategy in place (10%), and you see the problem…
*** NSA/CSS “Mobility Capability Package” = Architecture / Certification - a MUST DO ***
http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_2_3.pdf
Check Point’s global survey of 768 IT professionals conducted in the United States, Canada, United Kingdom, Germany, and Japan. The survey gathered data about current mobile computing trends…
Mobile / wireless are HUGE threat entry points!
GAO report on mobile vulnerabilities
KEY risks / concerns:
• Mobile devices often do not have passwords enabled.
• Two-factor authentication is not always used when conducting sensitive transactions.
• Wireless transmissions are not always encrypted.
• Mobile devices may contain malware.
• Mobile devices often do not use security software.
• Operating systems may be out-of-date.
• Software / patches on mobile devices may be out-of-date.
• Mobile devices often do not limit Internet connections. Many mobile devices do not have firewalls to limit connections.
• Mobile devices may have unauthorized modifications (known as "jailbreaking" or "rooting").
• Communication channels / Bluetooth may be poorly secured.
Major protection methods:
• Enable user authentication
• Enable two-factor authentication for sensitive transactions
• Verify the authenticity of downloaded applications
• Install antimalware and a firewall
• Install security updates
• Remotely disable lost or stolen devices
• Enable encryption for data on any device or memory card
• Enable whitelisting (on phones too!)
• Establish a mobile device security policy
• Provide mobile device security training
• Establish a deployment plan
• Perform risk assessments
• Manage hygiene = configuration control and management
http://www.networkworld.com/news/2012/091912-mobile-security-262581.html
Cloud Security Factoids
Areas that will mature soon, enhancing enterprise risk management (re: Gartner):
• Consensus on what constitutes the most significant risks,
• Cloud services certification standards,
• Virtual machine governance and control (orchestration),
• Enterprise control over logging and investigation,
• Content-based control within SaaS and PaaS, and
• Cloud security gateways, security "add-ons" based in proxy services
We recommend following both the NIST and CSA cloud guidance:
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf http://csrc.nist.gov/publications/PubsSPs.html
AND an overall, enterprise, e2e, risk management approach (e.g., RMF & FedRAMP)
The cloud security challenges are principally based on:
a. Trusting vendor's security model
b. Customer inability to respond to audit findings
c. Obtaining support for investigations
d. Indirect administrator accountability
e. Proprietary implementations can't be examined
f. Loss of physical control
Cloud Security Alliance (CSA) nine critical threats:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Shift from only protecting the network, to the DATA itself! (e.g., data centric security)
Cloud Security Summary
Security in the cloud is likely better than you have in-house
* Security is the SAME everywhere – ‘WHO does which’ IA controls changes
For more details see paper: Cloud Security – What really matters? At http://www.sciap.org/blog1/ (under Cyber Body of Knowledge)
* Don’t sell cloud – offer security capabilities instead – end2end services
* Few are “all in” the cloud @ 100% - Hence TWO environments to manage
* ALL must use the same cloud security standards (and QA in SLA)
http://www.sciap.org/blog1/wp-content/uploads/Cloud-Security-Standards-SEP-20131.xlsx
* Implement SCM / SIEM – integrate cloud metrics / status (& QA the SLAs)
* Service Level Agreements (SLA) not sufficient – trust but verify (Orchestration SW?)
* Encrypt everywhere - Yes more key management, but risks greatly reduced
* Data owners always accountable for PII / privacy / compliance (& location)
* Update Risk Management Plan (RMP) = Comms, COOP…. with cloud R&R
http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
Integration, execution is everything
as if you can’t implement well, it costs you everywhere!!!
The quantitative benefits of systems integration and interoperability (I&I) are:
1. Shorter/reduced steps in business processes
2. Time taken to process one application/record
3. Fewer complaints from members of the public
4. No. of applications/records processed over a period
5. Fewer complaints from end-users
6. Reduced number of errors
7. Reduced software development time/effort
8. Reduced maintenance
9. Reduced no. of IT personnel
The qualitative benefits of I&I are:
1. Improved working procedures
2. Better communication with other related organizations
3. Job satisfaction
4. Redefined job specification
5. Improved data accessibility
6. One-stop service
7. More friendly public service
The best capability means little if it stays in the box
Until the user is happy using & benefitting from the new capability, it has no value
Buying stuff is “easy” – getting it to work in your environment is hard…
Plan for “I&I” – then double it
SO… what MUST WE ALL DO???
NIST’s “absolutely necessary” Security Protections
NIST - National Institute of Standards and Technology - NISTIR 7621
• Protect information/systems/networks from damage by viruses, spyware, and other malicious code (IA suite, A/V, encryption, etc)
• Provide security for your Internet connection / ISP
• Install and activate software firewalls on all your business systems
• Patch your operating systems & applications (and now “things” too!)
• Make backup copies of important business data/information
• Control physical access to your computers and network components
• Secure your wireless access point and networks
• Train your employees in basic security principles
• Require individual user accounts for each employee on business computers and for business applications
• Limit employee access to data and information, and limit authority to install software
MUST DO tasks – consider this your ‘due diligence’ list
Where ALL have “CM / hygiene” aspects
Cyber Security “Best Practices” Overview
(Best practices are not a panacea – just a guide = to DO the basics)
– Quantify your business protection needs – do you have an asset inventory?
– Determine what is “good enough” or minimally acceptable for your business
– Quantify your environment’s threats and vulnerabilities
– Have a security policy that’s useful, complete, CEO/leadership endorsed
– Run self-assessments on security measures (use accepted tests, STIGs, PenTests, etc) and compliance (HIPAA, PCI, CFR, SOX, etc)
– Training and awareness programs – much needed, but not a guarantee
As you can somewhat control what you plan, but you usually ONLY get what you enforce!
– TEST your BCP, COOP, recovery plans, backup – have you ever restored?
– Encrypt where you can - assess where / how you need it (IM, e-mail, file transfer, storage, backup, etc)
– Be familiar with / USE the “NIST” IA/Security series – they are very good!
– DO / check / enforce the cyber basics (re: hygiene, access control, simplify & SCM)
– Reduce complexity – use only approved / preferred products lists (A/PPLs)
– A risk management plan (RMP) - using both threats AND consequences
What can you DO right now?
Ready for immediate implementation = 95+% incident reduction
1 - Install tools/scripts to catch USERS’ mistakes... lock down the end devices (only allow root admin to install anything). Use effective access control (enforce least privilege!)
2 – Manage the browser as THE threat vector... (80% of malware comes through here). Have ONE secure browser version (IE9), use the ‘guest’ account (force downloads to one folder), and manage a specific settings profile (to manage active code / Java, etc). Implement a ‘deny all’ access approach, allow URLs using only a controlled white list (no, this is NOT hard to do!)
Cyber continues to be about “US ALL” doing the basics
3 - Run tools / application firewalls to minimize zero-day problems, and enforce CM/hygiene, along with "defensive I&W" monitoring tools (re: SCM / SIEM - #5)
4 – KISS / reduce IA complexity… only buy cyber products off APLs/PPLs (they have pedigrees / C&A already!)… And USE their security features… like TPM!!
5 – USE a security continuous monitor (SCM) firm for real-time scans for both current vulnerabilities (SQL injection, et al) and new threats... (where the firm has feeds/data from US-CERT, etc, so they are always current on new threats / zero-day problems)
6 – If you make IT stuff, build IA/security in; there are lots of simple guides
http://www.sans.org/critical-security-controls/guidelines.php http://www.sans.org/top25-software-errors/
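Item 2 above says a ‘deny all’ URL policy with a controlled white list is “NOT hard to do”. The following is an added example of that decision logic (not code from the page or from any browser or proxy product) showing the details that make the difference between a list and a control: the default answer is deny, only http/https pass, the host is taken after userinfo and port are stripped (so `http://example.com@evil.example/` is judged by `evil.example`), matching is on a label boundary (so `evil-example.com` never rides on `example.com`), and the host is normalised to punycode before comparison. The allowed domains and the URLs in the usage block are constructed.

```python
"""Deny-all URL allowlisting for a managed browser/proxy profile.

Added example, not code from the page or any product it names. It assumes the
decision is made from a plain list of permitted domains (constructed below);
anything that does not match is denied, which is the "deny all, then allow"
approach the list above describes.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def normalize_host(host):
    """Lower-case, drop a trailing dot, and convert IDN labels to their ASCII (punycode)
    form so a look-alike Unicode domain is compared in the same form as the allowlist."""
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:            # empty label, over-long label, or bad IDN
        return None


class UrlAllowlist:
    def __init__(self, domains):
        self.domains = {d for d in map(normalize_host, domains) if d}

    def host_allowed(self, host):
        """Exact match, or a subdomain on a label boundary: "www.example.com" matches
        "example.com", "evil-example.com" does not."""
        host = normalize_host(host)
        if host is None:
            return False
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def decide(self, url):
        """Return (allowed, reason). The default answer is deny."""
        try:
            parts = urlsplit(url)
            host = parts.hostname      # userinfo and port stripped; raises on a malformed netloc
        except ValueError as exc:
            return False, f"deny: unparsable URL ({exc})"
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False, f"deny: scheme '{parts.scheme}' not permitted"
        if not host:
            return False, "deny: no host in URL"
        if self.host_allowed(host):
            return True, f"allow: {host} is on the allowlist"
        return False, f"deny: {host} is not on the allowlist"


# Constructed allowlist: the business applications this browser profile may reach.
PROFILE = UrlAllowlist(["example.com", "Intranet.corp."])

if __name__ == "__main__":
    for url in ["https://www.example.com/app", "http://example.com@evil.example/",
                "file:///etc/passwd", "https://files.intranet.corp:8443/share"]:
        print(url, "->", PROFILE.decide(url)[1])
```

The reason string is meant to be logged: a deny-all policy generates support calls, and the log of what was denied and why is also the feed for the SIEM/SCM monitoring in item 3.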
“Overall Way Forward”
(given all the unknowns, variables… this is “one” approximately correct path…;-))
• Company Vision embedded in Cyber Plans/RMP…
– know where you are going, where the passion is /what the USER values
– Hope is Not a Strategy -re: 2012 Annual DDoS Attack and Impact Survey!
SO… Quit admiring the “cyber problem / threat” and start DOING something!
• Risk Management Plan… RMP
– Use NIST’s RMF (or COBIT)! Have a dynamic, realistic RMP supporting your business success metrics… as you ARE betting your livelihood on cyber!
• Effective, enforced Policy…
– Embedded in core business success factors, rules to enforce statutory, legal mandates, key processes, to enforce behavior (pos & neg incentives)
• The Basics, basics, basics…
– New toys matter little, if your environment(s) are not managed (SCM / SIEM!)
Cyber Security opportunities
(Cyber can both protect your business AND enhance the bottom line!)
IT / Cyber Global factors – user pull:
• World-wide B2B – Trust / cloud / sharing
• IoT / M2M – Automation / Sensors
• Consumerization of IT – Phones / wireless / apps
• Privacy / Data – IP / PII / compliance
GAPS / Needs (from the Federal cyber priority council S&T gaps):
• TRUST – Distributed / MLS
• Resiliency – SW / apps / APIs / services
• Agile operations – BE the vanguard / integration
• Effective missions – Business success factors
Vulnerabilities / Threats (Verizon DBIR, Forbes, etc threat reports - what ails us most):
• CM / Hygiene – patching / settings
• Access control – Authentication is key
• Top security mitigations – Whitelist, patch, limit access, etc…
• Risk Mgmt – Ad hoc / not global
Future Opportunities:
• SIEM / SCM – QA hygiene / sensors “ESA” / simple tools!
• Mobile Security – Poor apps / IOS weak; billions of users = volume
• Mitigate Obsolescence – Minimize patching, legacy vulnerabilities; OA / modularity / APIs & SCRM
• Data Security – Predictive analytics; Privacy by design
• Effective Business Risk Management (BRM) = cybersecurity framework (CMMI / FAR)
SUMMARY
SO…. What “really” matters in Cyber?
DO the cyber BASICS well, for things, people AND processes
invest in select new capabilities, protect privacy and follow your RMP!!!
Take ACTION NOW: (1) security assessment, (2) SCM/SIEM, & (3) Cyber insurance!
• OSD / federal S&T activities
– Distributed Trust
– Resilient Architectures
– Response and Cyber Maneuver
– Visualization and Decision Support
– Dynamic policy management (RaDaC)
– Detection and Autonomic Response
– Recovery and Reconstitution
• NSA / agency S&T activities
– Mobility, wireless, & secure mobile services
– Platform integrity / compliance assurance
– End client security
– Cyber indications and warning (I&W)
– Mitigation engineering (affordability)
– Massive data (data centric security)
– Advanced technology…. (targeted)
– Virtualization – secure capabilities
Doing the BASICS: (1) enforced cyber hygiene, (2) effective access control, (3) reduced complexity in IA / cyber (APLs / NIAP / approved products), (4) IA / Cyber “SCM / CDM / SIEM” (ongoing diagnostics AND mitigations = CDM)
It’s all about TRUST and DATA
***
[email protected]
It’s NOT all about expensive new “cyber capabilities”
Cyber security URLs / links of interest..
Major cyber / IA sites
https://infosec.navy.mil
http://www.doncio.navy.mil/TagResults.aspx?ID=28
http://iase.disa.mil/Pages/index.aspx
http://csrc.nist.gov/publications/PubsSPs.html
http://www.nsa.gov/ia/index.shtml
https://cve.mitre.org/
http://www.cisecurity.org/
http://www.cert.org/
http://www.commoncriteriaportal.org/
https://www.thecsiac.com/resources/all
http://www.dhs.gov/topic/cybersecurity
http://iase.disa.mil/stigs/Pages/index.aspx
http://niccs.us-cert.gov/
https://www.sans.org/programs/
http://www.cerias.purdue.edu/
https://www.cccure.org/
http://www.rmf.org/
http://nvd.nist.gov/
Others of interest
https://www.cool.navy.mil
http://www.threatstop.com/
http://www.darkreading.com/
http://www-03.ibm.com/security/xforce/
http://www.iso27001security.com/
http://iac.dtic.mil/csiac/ia_policychart.html
http://www.nascio.org/
some training sites:
http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.aide.html
http://iase.disa.mil/eta/online-catalog.html#fsotools
http://iase.disa.mil/eta/cyberchallenge/launchPage.htm
http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html
http://www.microsoft.com/security/sdl/default.aspx
IA/Security Axioms
to consider / accommodate / educate
• Security and complexity are often inversely proportional.
• Security and usability are often inversely proportional.
• Good security now is better than perfect security never.
• A false sense of security is worse than a true sense of insecurity.
• Your security is only as strong as your weakest link.
• It is best to concentrate on known, probable threats, first.
• Security is an investment (insurance), not an expense with an RoI.
• Security is directly related to the education and ethics of your users.
• Security is a people problem – users stimulate problems, at all levels.
• Security through obscurity is weak, & we can NOT always add security later.
http://www.avolio.com/papers/axioms.html
Work through all these in your “Risk Management Plan!”
Who says what we MUST DO?
From a business DUE CARE / due diligence level
NIST’s “Highly Recommended” Practices
http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
• Policy / practice for email attachments and requests for sensitive information
• Policy / practice for web links in email, instant messages, social media, or other means
• Policy / practice for popup windows and other hacker tricks
• Doing online business and secure banking
• Recommended personnel practices in hiring employees
• Security considerations for web surfing, prohibited sites
• Policy / practice for downloading software from the Internet
• How to get help with information security when you need it
• How to dispose of old computers, media and fax machines
• How to protect against Social Engineering, data loss prevention
WHAT, “more to do?”
NSA IAD top ten controls
1 - Application whitelisting - only run approved apps (that SysAdmin reviews)
2 - Control Administrative privileges - minimize escalation, enforce least privilege
3 – Limit workstation-to-workstation communications – thwart the “pass-the-hash”
4 – Use Anti-virus File Reputation Services – leverage cloud-based threat databases
5 – Enable Anti-Exploitation Features - for example, MS Windows EMET
6 – Implement Host Intrusion Prevention System Rules – focus on threat behaviors
7 – Set a Secure Baseline Configuration – layered security, standard images, etc
8 – Use Web Domain Name Service (DNS) Reputation – Screen URLs, intrusion alerts
9 – Use/Leverage Software improvements – software / OS upgrade and patch policy
10 – Segregate Networks and functions – based on role, functionality – monitor sections, then isolate when attacked
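Control 3 (limit workstation-to-workstation communications) is as much a monitoring rule as a firewall rule: once the policy says workstations never log on to each other, any successful network logon between two workstations is a finding, and one using NTLM is the pattern pass-the-hash depends on. The detection below is an added example (not NSA’s code or tooling) run over a constructed “key=value” export of Windows logon events; the event ID 4624 (successful logon) and logon type 3 (network) are the standard Windows values, while the line format, the WS- host-naming convention, the 10.0.5.0/24 workstation subnet and every sample line are constructed for illustration.

```python
"""Flag workstation-to-workstation network logons from logon events.

Added example, not NSA's code or tooling. It assumes logon records have been
exported as one "key=value" line per event (the format and the sample lines
below are constructed) carrying the Windows event ID, logon type, authentication
package, account and source address. A successful network logon (event 4624,
logon type 3) arriving at a workstation from another workstation's address is
what this control is meant to eliminate; an NTLM one is ranked higher because
that is the pattern pass-the-hash relies on.
"""
import ipaddress

# Constructed network model: workstation host-name prefix and address ranges.
WORKSTATION_PREFIX = "WS-"
WORKSTATION_SUBNETS = [ipaddress.ip_network("10.0.5.0/24")]


def parse_event(line):
    """'<timestamp> k=v k=v ...' -> dict; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 2 or "=" in parts[0]:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    return event


def is_workstation_host(name):
    return name.upper().startswith(WORKSTATION_PREFIX)


def is_workstation_address(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # "-" on local logons is not an address
        return False
    return any(addr in net for net in WORKSTATION_SUBNETS)


def detect_lateral_logons(lines):
    """Return alerts for successful network logons between workstations."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("event") != "4624" or ev.get("logon_type") != "3":
            continue                    # only successful network logons matter here
        if not (is_workstation_host(ev.get("host", ""))
                and is_workstation_address(ev.get("src_ip", ""))):
            continue                    # logons to servers, or from admin subnets, are expected
        severity = "high" if ev.get("auth", "").upper() == "NTLM" else "medium"
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                       "src_ip": ev["src_ip"], "auth": ev.get("auth"), "severity": severity})
    return alerts


# Constructed sample export; not real telemetry.
SAMPLE_EVENTS = [
    "2015-06-01T09:12:03Z host=WS-101 event=4624 logon_type=2 auth=Kerberos user=alice src_ip=-",
    "2015-06-01T09:15:40Z host=FS-01 event=4624 logon_type=3 auth=Kerberos user=alice src_ip=10.0.5.22",
    "2015-06-01T09:20:11Z host=WS-102 event=4624 logon_type=3 auth=NTLM user=svc_backup src_ip=10.0.5.22",
    "2015-06-01T09:21:05Z host=WS-103 event=4624 logon_type=3 auth=Kerberos user=helpdesk src_ip=10.0.9.14",
    "2015-06-01T09:22:30Z host=WS-104 event=4625 logon_type=3 auth=NTLM user=admin src_ip=10.0.5.22",
    "2015-06-01T09:25:52Z host=WS-105 event=4624 logon_type=3 auth=Kerberos user=alice src_ip=10.0.5.40",
]

if __name__ == "__main__":
    for a in detect_lateral_logons(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['ts']} {a['src_ip']} -> {a['host']} as {a['user']} ({a['auth']})")
```

Of the six sample events only two fire: the NTLM logon to WS-102 from a workstation address (high) and the Kerberos one to WS-105 (medium). The file-server logon, the interactive logon, the failed 4625 and the logon from the 10.0.9.x management range are all outside the rule, which is what keeps this kind of alert usable in a SIEM.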
SANS top 20 controls (ver 3)
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and Remediation
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate Training to Fill Gaps
Top 35 Mitigations
http://www.asd.gov.au/infosec/top35mitigationstrategies.htm