Cybersecurity and Information Assurance
An Introduction to the ITEA Short Course, to be held 11-12 June 2013
2 May 2013
Instructor: John [email protected]
ITEA Professional Development Center
4400 Fair Lakes Court (Suite 104)
Fairfax, VA 22033
Purpose of This Webinar
Discuss Cybersecurity and Information Assurance in the Professional Tester’s Context
Provide an Overview of the Short Course by this Name, Offered by ITEA
Give Participants Another View of Cybersecurity to Inform T&E Activities
Cybersecurity and Information Assurance 2
Objectives of The Course
This two-day course has been designed for the system engineer, program manager, and IA manager. This course is positioned as a mid-level introduction to cybersecurity and information assurance, and it covers a variety of topics in these areas.
High-risk and labor-intensive processes such as security test & evaluation, and certification and accreditation procedures are covered in detail.
IA risk management is covered across the spectrum of system, C&A, program protection and platform risks, illustrating a useful method of aggregation for comprehensive understanding of IA risk.
The course concludes with a detailed exposition of secure network design and construction principles and techniques that can be applied immediately to existing and new networks and systems.
Today's Agenda
0. Introduction and Definitions
1. The Need for System Security
2. Risk
3. System Development and the DoD Acquisition Process
4. Controls and Compliance
5. System Test Process
6. Conclusion
Defining Terms
Definition of Cybersecurity
From NIST IR 7298 rev 1, Glossary of Key Information Security Terms
Cybersecurity – The ability to protect or defend the use of cyberspace from cyber attacks.
Cyberspace – A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
SOURCE: CNSSI-4009
Introduction
Definition: Information Assurance
Assurance - Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
Information Assurance (IA) - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
SOURCE: CNSSI-4009
Core Documents – The Universe
Source: http://iac.dtic.mil/iatac/download/ia_policychart.pdf
Intersection: IA and Cybersecurity
Access Control Systems and Methodology
Telecommunications and Network Security
Business Continuity Planning and Disaster Recovery Planning
Security Management Practices
Security Architecture and Models
Law, Investigation, and Ethics
Application and Systems Development Security
Cryptography
Computer Operations Security
Physical Security
Cybersecurity: ability to protect and defend the use of cyberspace from cyber attacks.
Information Assurance: measures that protect and defend information and IS by ensuring Confidentiality-Integrity-Availability-Authentication-NonRepudiation, including restoration of info systems.
Activities Can Be Catalogued as Common Processes
• Cyber Security Policy
• Access Control
• Personnel Security
• Physical and Environmental Security
• Cyber Security Awareness and Training
• Monitoring and Incident Response
• Disaster Recovery and Business Continuity
• System Development and Acquisition
• Configuration Management
• Risk and Vulnerability Management
SOURCE: FEMA 2009 Cybersecurity Guidance (Example US Government Processes)
SOURCE: ISO 27002:2005 (Example International Standard Processes)
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical Security
• Communications and Ops Management
• Access Control
• Information Systems Acquisition, Development, Maintenance
• Information Security Incident Management
• Business Continuity
• Compliance
1 – The Need for Cybersecurity
Cybersecurity Topics in the News
• IT Consumerization and BYOD
• Supply Chain Security
• Intelligent Threat Management
• Application Security Threats
• Cloud Security
• Big Data & Protecting Your Assets
• Building Meaningful Talent Pipelines
• Effective Privacy Programs
• Social Media and Other Tools for Security Intelligence
BUT… they’re waiting for you out there…
Recent News & Events
AP’s Twitter Account Used in Hoax – Affected Stock Market
Dutch Man Held, Charged with DDoS Attack
LivingSocial Hack Exposed 50M Customer Accounts
Lebanese Witness List in ex-Premier’s Death Posted by Hackers
US Chamber of Commerce Warns Against Data Thefts Against US Firms in China
The Latest Revelation
• APT Found at Qinetiq USA
• Intrusions may have begun in 2007
• Lack of follow-up and poor inter-incident communications could be contributing factors
Source: http://www.theregister.co.uk/2013/05/02/china_us_hacking_qinetiq_apt/
A Catalog of (Recent) Common Attack Methods
• Denial of Service (DoS) / Distributed Denial of Service (DDoS) Attack
Attacker sends more data to the target machine than it can handle, thereby limiting its ability to operate properly.
• SQL Injection Attack
Attack a badly designed website with specially formatted SQL statements to perform operations on the database (often to dump the database content to the attacker) other than the operations intended by the designer.
• Mobile code (Java/JavaScript/ActiveX)
Programming languages that let web developers write code that is executed by your web browser. Although the code is generally useful, it can be used by intruders to gather information (such as which web sites you visit) or to run malicious code on your computer.
• Cross-site scripting
A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser.
• Spear phishing
Pinpoint attack against some subset of people (users of a website or product, employees of a company, members of an organization) to attempt to penetrate that company or organization.
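As an added illustration of the SQL Injection entry above (example code written for this page, not part of the ITEA slides): both lookups below run against a small constructed in-memory SQLite table; the string-concatenated query lets a malformed username return every row, which is the "operation other than intended" the slide describes, while the parameterized query treats the same input as plain data and returns nothing.

```python
import sqlite3

# Constructed sample rows (not data from the slides): an "accounts" table
# that a login or profile page might look up by username.
CONSTRUCTED_ROWS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Build the constructed table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", CONSTRUCTED_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'badly designed' pattern: user input is pasted into the SQL text,
    so quotes and keywords inside it are parsed and executed as SQL."""
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value as data. The SQL text is fixed,
    so nothing in the input can change which operation the database performs."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a malformed (constructed)
    input that closes the quoted literal and appends an always-true clause."""
    conn = make_db()
    malformed = "' OR '1'='1"   # constructed input; no account has this name
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "alice")),        # 1 row
        "vuln_malformed": len(lookup_vulnerable(conn, malformed)),   # whole table
        "param_normal": len(lookup_parameterized(conn, "alice")),    # 1 row
        "param_malformed": len(lookup_parameterized(conn, malformed)),  # 0 rows
    }


if __name__ == "__main__":
    print(demo())
```

The same comparison is a useful acceptance test for the "IA-related testing must occur with functional test" point later in the deck: a functional test that only checks the normal-name path passes against both lookups, so the malformed-input case has to be an explicit test.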
Verizon Report Findings
Source: Verizon Report 2013
2 – Risk
RMF: A Structured Approach to Risk
NIST SP 800-30/37/39 series provides a structured, yet flexible approach for managing risk that is supported by other NIST security standards and guidelines. This publication discusses the basic concepts of risk management as four components:
• How organizations frame risk, and the context in which risk-based decisions are made;
• How organizations assess risk within that context;
• How organizations respond to risk after assessment is made; and
• How organizations monitor risk over time.
Source: NIST 800-30 Rev1
Tiered Risk Approach
NIST SP800-30 introduces a three-tiered risk management approach that allows organizations to establish an enterprise-wide risk management strategy as part of a mature governance structure, involving senior leaders and executives, and including a risk executive (function). The three-tiered approach addresses risk at:
• The organization level;
• The mission/business process level; and
• The information system level.
Source: NIST 800-30 Rev1
Risk Management Process
Frame the risk: establish the context within which to make risk-based decisions; this generates the risk management strategy.
Address the risk: assessing the risk, responding to the risk, monitoring the risk.
Source: NIST 800-30 Rev1
3 – System Development and the DoD Acquisition Process
Requirements Development
• When developing system requirements, have the user define the operational context of the system
• Include security as part of the system functional and non-functional requirements
• Consider how user processes will interact with the system, and how the system will change user processes – and iterate
• Map user processes to use cases AND test cases
• Consider user modes, define constraints
• Consider security needs, define restraints
• Match system functions to user needs for the mission
Figure Source: OpenGroup.org
System Development Process
Source: DoDI 5000.02
The Acquisition Process
DoD acquisition is governed by the DoDD 5000.01 process and by DoDI 5000.02 requirements.
4 – Controls and Compliance
Governing US Government Guidance: NIST Special Publication 800-53 rev 4
“The selection and implementation of security controls for information systems and organizations are important tasks that can have major implications on the operations and assets of organizations as well as the welfare of individuals and the Nation. Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements.”
New Document Paths
• SP800-18r1 (2/06) Guide for Developing Security Plans for Federal IS
• SP800-23 (08/00) Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
• SP800-34r1 (05/10) Contingency Planning Guide for Federal IS
• SP800-35 (10/03) Guide to IT Security Services
• SP800-36 (10/03) Guide to Selecting IT Security Products
• SP800-40r3 (09/012) Guide to Enterprise Patch and Vulnerability Mgmt Technologies
• SP800-41r1 (09/09) Guidelines on Firewalls and Firewall Policy
• SP800-44r2 (09/07) Guidelines on Securing Public Web Servers
• SP800-45r2 (02/07) Guidelines on Electronic Mail Security
• SP800-48r1 (07/08) Guide to Securing Legacy IEEE 802.11 Wireless Networks
• SP800-50 (10/03) Building an IT Security Awareness and Training Program
• SP800-55r1 (07/08) Performance Measurement Guide for InfoSec
• SP800-61r2 (08/12) Computer Security Incident Handling Guide
• SP800-64r2 (10/08) Security Considerations in the SDLC
• SP800-65r1 (07/09) Integrating IT Security in CPIC Process
• SP800-82 (06/11) Guide to ICS Security
• SP800-83r1 (07/12) Guide to Malware Incident Prevention and Handling
• SP800-92 (09/06) Guide to Computer Security Log Mgmt
• SP800-94 (07/12) Guide to Intrusion Detection and Prevention Systems (IDPS)
• SP800-123 (07/08) Guide to General Server Security
• SP800-128 (08/11) Guide for Security-Focused Conf Mgmt of IS
• SP800-137 (09/11) ISCM for Federal IS and Organizations
• SP800-144 (12/11) Guidelines on Security and Privacy in Public Cloud Computing
• SP800-145 (09/11) NIST Definition of Cloud Computing
DoD side:
• DoDI 8500.01 (cybersecurity)
• DoDI 8510.01 (Risk Mgmt Framework)
• CNSSI 1253 (categorization)
• DoDI 5200.40 (TSN)
• CNSSP 22 (NSS Policy)
Federal side:
• FIPS 199 (categorization)
• FIPS 200 (min rqmts)
• NIST SP800-53r4 (catalog)
• NIST SP800-53A (measurements)
Common:
• NIST SP800-39 (IS Risk)
• NIST SP800-37r1 (applying RMF)
• NIST SP800-30 (risk assessments)
• NIST SP800-137 (Continuous Monitoring)
5 – System Test Process
• IA Cannot Be Tested – But System Quality Can Be Tested
• IA-Related Testing Must Occur With Functional Test
• System security considerations (status quo)
• System maintenance and upkeep requirements that periodically verify security status
• Networked environment depends on all segments
• If a system is incapable of supporting and maintaining its secure status in the network milieu, it cannot be considered as making a positive mission impact
• Not all systems deserve to be networked
An Ideal View of Activity Relationships
Controls Relationships
Activities to Controls to Critical Control Sets
Controls Relationships
Activities to Controls to Critical Control Sets to Attacks
Testing Across the Acquisition Life Cycle
Source: JTEM PM’s Handbook for Testing in a Joint Environment, Apr 2009
Protect
• Are information systems and their information protected against attacks through the application of security services that are distributed among multiple locations and address multiple defensive areas, including networks and infrastructures, enclave boundaries and local computing environments?
• Attack vectors
• Weakness categories exploited
• Numbers of attempts (tried / allowed)
• Numbers of targets
• Time of attack injection / penetration
• Attack results
• System impacts
• “Crown Jewels” (opposition objectives and targets)
• Classification of network / component
• Network areas targeted
• Class of attack
• Adversary skill level required for attacks
• Exploitation methods
Source: DOT&E Core Metrics Manual, 2009
Detect
• Is continuous monitoring of connected networks and users effective in detecting attacks, and does monitoring include both passive (audit logs of access, patches and configuration changes) and active (device scanning) mechanisms to accurately determine the status of assets?
• Nodes and components monitored
• Monitoring mechanisms employed
• Personnel available for monitoring
• Baseline configurations and assumptions
Source: DOT&E Core Metrics Manual, 2009
React
• Is accurate analysis conducted to determine if unauthorized activity is occurring or imminent, how widespread it is or likely to be, and what the potential impact is if defensive response actions are not executed?
• Incidents and reportable events
• Observed impacts of events
• Coordination during events
• Reporting procedures
Source: DOT&E Core Metrics Manual, 2009
Restore
• Can systems be effectively restored, which includes the coordination and direction necessary to implement courses of action, including the development, implementation and monitoring of solutions and their effectiveness?
• Eradication and recovery operations
• Data restoration
• Final reporting
Source: DOT&E Core Metrics Manual, 2009
6 - Conclusions
An hour for this topic is just enough to whet the appetite for more.
Risk assessment, management and control must flow from planning, through design, into implementation, for measurement in test processes.
Any system that connects to other systems – by any means – is vulnerable, and that’s why we use risk and vulnerability assessment methods.
Testing CAN and MUST make the final difference in a system’s life cycle.
Questions?
Instructor: John [email protected]
James Gaidry
Director, ITEA
4400 Fair Lakes Court, Suite 104
Fairfax, VA
[email protected]