Cybersecurity: Challenges, Initiatives, and Best Practices
John M. Gilligan, June 15, 2010

Upload: john-gilligan, posted 17-Jan-2017

Page 1: Cybersecurity: Challenges, Initiatives, and Best Practices

John M. Gilligan
June 15, 2010

Page 2: Topics

• Current Situation
• Top-level Strategy for Cybersecurity
• Focused look at 20 Critical Controls and SCAP
• Legislative Initiatives
• Longer Term Directions
• Closing thoughts

Page 3: Historical Perspectives

• Internet, software industry, (personal) computers—rooted in creativity, not engineering
• Security in the Cold War Era
  – Security “Gurus”—Keepers of the Kingdom
• The World Wide Web changes the security landscape—forever
• Post Cold War: The Age of Information Sharing

Legacy of the past is now our “Achilles Heel”

Page 4: Cyber Security Threats Today—A New “Ball Game”

• Our way of life depends on a reliable cyberspace
• Intellectual property is being downloaded at an alarming rate
• Cyberspace is now a warfare domain
• Attacks increasing at an exponential rate
• Fundamental network and system vulnerabilities cannot be fixed quickly
• Entire industries exist to “Band Aid” over engineering and operational weaknesses

Cyber Security is a National and Economic Security Crisis!

Page 5: Situation Assessment

• Assessing cyber threats (and therefore risks) requires extensive experience and access to highly classified materials
  – It is unreasonable to expect most organizations to assess threats/risks.
• The technical aspects of Cybersecurity are enormously complex:
  – Cybersecurity will require a significant increase in levels of discipline in systems/enterprise management
  – Guidance must be simple and clearly stated.
• The overall state of cybersecurity is so poor that it cannot be solved quickly:
  – Near term objective should be to establish a foundation upon which we can build
  – Cannot do everything at once; we must prioritize/focus

Page 6: Heartland Payment Systems

Disclosure of intrusions—Jan 20, 2009

Cybersecurity becoming a focus of CEOs, Boards of Directors and Shareholders

Page 7: Obama Cyberspace Policy Review—“60 Day Review”—May 29, 2009

• The Nation is at a crossroads
• Cyberspace risks pose some of the most serious challenges to economic and national security
• Need to begin national dialogue on cybersecurity
• Solutions must involve partnership with private sector and international engagement
• White House must lead the way

Page 8: Recommended Near-Term Actions

• White House Cybersecurity official and supporting organization—Howard Schmidt appointed Dec. 2009
• Prepare updated national strategy
• Designate cybersecurity as Presidential priority
• Initiate public awareness campaign and strengthen international partnerships
• New policies regarding roles/responsibilities
• Prepare cyber incident response plan
• Develop research plan and vision for identity management

Progress delayed pending Cyber Czar appointment—initial progress now underway.

Page 9: (Recommended) Top Level Cybersecurity Strategy

[Figure: a two-by-two matrix. Horizontal axis: MISSION/FUNCTION CRITICALITY, Low to High. Vertical axis: THREAT, Unsophisticated to Sophisticated. Regions are labeled “Accept Risk” (low threat, low criticality), “Implement Comprehensive Baseline of Security”, and “Deploy Targeted Advanced Security Controls” (sophisticated threat, high criticality).]

Page 10: Comprehensive Baseline of Security = A Well-Managed Enterprise

Characteristics of a Well Managed Enterprise
1. Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so
2. Increased operational effectiveness and greater security without increased cost
3. Integrated and automated enterprise management tools

Cyber Security Requires Comprehensive Application of “Good IT Hygiene”!

Page 11: Top Level Cyber Security Strategy

[Figure: the Page 9 strategy matrix (THREAT, Unsophisticated to Sophisticated, against MISSION/FUNCTION CRITICALITY, Low to High; regions “Accept Risk”, “Comprehensive Baseline of Security (A ‘well managed’ IT infrastructure)”, and “Deploy Targeted Advanced Security Controls”), annotated with specific initiatives: TIC, Training for Sys Admin, 2-Factor Authentication, 20 Critical Controls, FDCC+, SCAP, DNSSEC, S-BGP, Threat/Vul Collaboration, Einstein 3.]

Result: Blocks 85% of attacks and provides foundation to address remaining/new attacks (Ref: Dick Schaeffer, NSA/IAD)

Page 12: 20 Critical Controls* for Effective Cyber Defense—An Effective Public-Private Partnership

• Underlying Rationale
  – Let “Offense drive Defense”
  – Focus on most critical areas
• CAG: Twenty security controls based on attack patterns
• Government and Private Sector consensus
• Emphasis on auditable controls and automated implementation/enforcement
• Pilots and standards for tools ongoing

* Also called the “Consensus Audit Guidelines” or “CAG” (http://www.sans.org/cag/)

Page 13: Example—Critical Control #1: Inventory of Authorized and Unauthorized Devices

• Attacker Exploit: Scan for new, unprotected systems
• Control:
  – Quick Win: Automated asset inventory discovery tool
  – Visibility/Attribution: On-line asset inventory of devices with net address, machine name, purpose, owner
  – Configuration/Hygiene: Develop inventory of information assets (incl. critical information and map to hardware devices)
• Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
  – CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6
• Automated Support: Employ products available for asset inventories, inventory changes, network scanning against known configurations
• Evaluation: Connect fully patched and hardened test machines to measure response from tools and staff. Control identifies and isolates new systems (Min—24 hours; best practice—less than 5 minutes)
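The control above has three moving parts: an authoritative inventory (net address, machine name, purpose, owner), a discovery tool that reports what is actually on the wire, and an evaluation that measures how long an unknown device stays undetected. The following is an added example, not code from the slides or from any of the tools they mention; the host names, addresses, owners and scan output are constructed, and the inventory is keyed on address only (real tools also correlate MAC and hostname). It flags devices the scan found that the inventory does not know, devices the inventory lists that did not answer, and grades the time-to-detect against the slide's 24-hour minimum and 5-minute best practice.

```python
"""Added example (not from the slides): reconcile a discovery scan against an
authorized asset inventory, as Critical Control #1 describes, and grade the
time it took to notice an unknown device.  All hosts and data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    """One row of the authorized inventory (the slide's four attributes)."""
    address: str
    name: str
    purpose: str
    owner: str


@dataclass(frozen=True)
class Sighting:
    """One device as reported by the discovery tool."""
    address: str
    mac: str
    first_seen: datetime  # when the discovery tool first saw this device


# Constructed authorized inventory (hypothetical hosts and owners).
AUTHORIZED: Dict[str, Asset] = {
    a.address: a
    for a in [
        Asset("10.0.1.10", "fs01", "file server", "infra team"),
        Asset("10.0.1.11", "db01", "database", "dba team"),
        Asset("10.0.2.25", "ws-alice", "workstation", "alice"),
    ]
}

# Constructed discovery scan output.  10.0.2.99 plays the role of the
# hardened test machine the slide suggests plugging in to measure response.
SCAN_TIME = datetime(2010, 6, 15, 9, 0, 0)
DISCOVERED: List[Sighting] = [
    Sighting("10.0.1.10", "00:11:22:33:44:01", SCAN_TIME - timedelta(days=400)),
    Sighting("10.0.1.11", "00:11:22:33:44:02", SCAN_TIME - timedelta(days=400)),
    Sighting("10.0.2.25", "00:11:22:33:44:03", SCAN_TIME - timedelta(days=30)),
    Sighting("10.0.2.99", "00:11:22:33:44:99", SCAN_TIME - timedelta(minutes=3)),
]
# A second constructed scan in which the workstation did not answer.
SCAN_PARTIAL: List[Sighting] = DISCOVERED[:2]

BEST_PRACTICE = timedelta(minutes=5)  # slide: best practice, under 5 minutes
MINIMUM = timedelta(hours=24)         # slide: minimum, 24 hours


def unauthorized_devices(scan: List[Sighting], inventory: Dict[str, Asset]) -> List[Sighting]:
    """Devices seen on the network that have no inventory record."""
    return [s for s in scan if s.address not in inventory]


def missing_devices(scan: List[Sighting], inventory: Dict[str, Asset]) -> List[Asset]:
    """Inventory entries that did not answer: offline, moved, or stale records."""
    seen = {s.address for s in scan}
    return [a for a in inventory.values() if a.address not in seen]


def rate_detection(delay: timedelta) -> str:
    """Grade time-to-detect against the slide's 5 minute / 24 hour targets."""
    if delay <= BEST_PRACTICE:
        return "best practice"
    if delay <= MINIMUM:
        return "acceptable"
    return "fails minimum"


def report(scan: List[Sighting], inventory: Dict[str, Asset], now: datetime) -> List[str]:
    """Human-readable findings, one line per discrepancy."""
    lines = []
    for s in unauthorized_devices(scan, inventory):
        delay = now - s.first_seen
        lines.append(f"UNAUTHORIZED {s.address} mac={s.mac} "
                     f"detected after {delay} ({rate_detection(delay)})")
    for a in missing_devices(scan, inventory):
        lines.append(f"MISSING {a.address} {a.name} owner={a.owner}: "
                     f"in inventory, not seen on network")
    return lines


if __name__ == "__main__":
    for line in report(DISCOVERED, AUTHORIZED, SCAN_TIME):
        print(line)
    for line in report(SCAN_PARTIAL, AUTHORIZED, SCAN_TIME):
        print(line)
```

Run on the first constructed scan it reports the single unknown device as detected within the best-practice window; on the second it reports the workstation as missing. Both lists matter operationally: the unauthorized list is what the slide's evaluation measures, and the missing list is how an inventory stays accurate (the "known ... all the time" property on Page 10).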

Page 14: 20 Critical Controls—Implementation Recommendation

Step 1: Accept CAG consensus threats as risk baseline for your organization
Step 2: Implement 20 Critical Controls
Step 3: Use organization-specific risk assessment to select and implement additional controls from 800-53
  – Focus on unique, mission critical capabilities and data
Step 4: Use automated tools and periodic evaluations to continuously measure compliance (risk reduction)
Step 5: Partner with senior management and auditors to motivate compliance improvement
  – Use examples and lessons learned from State Dept. and others

Page 15: Security Content Automation Protocol (SCAP)

• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network.
• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information.
• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.

SCAP Enables Automated Tools To Implement And Enforce Secure Operations

Page 16: Current SCAP Standards

Standard   Management area                      Role
CVE        Software vulnerability management    Identifies vulnerabilities
CVSS       Software vulnerability management    Scores vulnerability severity
OVAL       Software vulnerability management    Criteria to check presence of vulnerabilities, configurations, assets
CCE        Configuration management             Identifies configuration controls
XCCDF      Compliance management                Language to express configuration guidance for both automatic and manual vetting
CPE        Asset management                     Identifies packages and platforms

SCAP enables cross-vendor interoperability and aggregation of data produced by separate tools to an enterprise level—leads to better enterprise management and cyber security!

Page 17: FISMA 2002 Legislation Was Well Intended; What Is Not Working?

• Original intent was good:
  – Ensure effective controls
  – Improve oversight of security programs
  – Provide for independent evaluation
• Implementation took us off course
  – Agencies unable to adequately assess cyber risks
  – (Lots of) NIST “guidance” became mandatory
  – No auditable basis for independent evaluation
  – Grading became overly focused on paperwork

Bottom Line: OMB mandates and paperwork debates have distracted CIOs/CISOs from achieving real security improvements

Page 18: New Hope for Federal Cybersecurity

• Progress
  – FISMA Reporting Instructions: April 21, 2010
    • Continuously monitor
    • Use automated tools
    • Develop automated risk models
  – NIST Guidance (SP 800-53 and SP 800-37)
  – New Legislation in House and Senate
• Cautions
  – FISMA Reporting Instructions reinforce “compliance mentality”
  – Risk assessment, while logical, is “a foundation of sand”

Security must be based on knowledge of attacks and results focused!

Page 19: Implications of Policy, Guidelines and Potential Legislation Changes on Industry

• Implications for National Industrial Security Program Operating Manual (Feb 2006)
  – ‘Certification/Accreditation’ become ‘Security Authorization’ with continuous monitoring (SP 800-37)
  – Other updates to reflect new government-wide policies/guidance
• New FISMA reporting process—April 21, 2010
  – Contractor information systems that support the operations and assets of the agency (FISMA Reporting)—including IG audit
• Potential Legislation Impacts
  – Expand new FISMA to all systems of government contractors/subcontractors
  – Requirements for reporting, testing, audits

Apply requirements for government organizations to government contractors

Page 20: Longer-Term Actions: IT Reliably Enabling Business

• Change the dialogue: Reliable, resilient IT is fundamental to future National Security and Economic Growth
• New business model for software industry
  – First step—self certified, locked-down configurations
  – Longer term—software with reliability warranties
• Redesign the Internet to provide reliable attribution, increased security
• Get the “man out of the loop”—use automated tools (e.g., SCAP)
• Foster new IT services models
  – Assume insecure environment
  – Increased use of virtualization
  – Secure “cloud”
• Evolve to a more effective public-private partnership (e.g., DIB)
• Develop professional cyberspace workforce

Need to Fundamentally “Change the Game” to Make Progress

Page 21: Closing Thoughts

• Government and Industry need to treat cyber security as an urgent priority
• A well managed enterprise (e.g., using 20 Critical Controls and SCAP) is a harder target to attack and costs less to operate—the ultimate “no brainer” for a CIO
• Near-term actions important but need to fundamentally change the game to get ahead of the growing threat

Cyber Security is Fundamentally a Leadership Issue!

Page 22: Contact Information

John M. Gilligan
[email protected]
www.gilligangroupinc.com

Page 23: Top 20 Cyber Attacks and Related Control (not in priority order)

1. Attack: Scan for unprotected systems on networks
   Control: Maintain inventory of authorized and unauthorized devices on networks
   Comments: Find devices that can be exploited to gain access to other interconnected systems.

2. Attack: Scan for vulnerable versions of software
   Control: Maintain inventory of authorized and unauthorized software
   Comments: Find software versions that are able to be exploited remotely to gain entry to other systems.

3. Attack: Scan for software with weak configurations
   Control: Implement secure configurations for HW/SW computer devices
   Comments: Original configurations from vendors often have inadequate security controls enabled.

4. Attack: Scan for network devices with exploitable vulnerabilities
   Control: Implement secure configurations for network devices (routers, switches, firewalls, etc.)
   Comments: Network devices often become less securely configured over time unless they are diligently maintained.

5. Attack: Attack boundary devices
   Control: Implement multi-layered boundary defenses
   Comments: Attackers attempt to exploit boundary systems (e.g., DMZ or network perimeter) to gain access to network or interrelated networks

Page 24: Top 20 Cyber Attacks and Related Control (Continued) (not in priority order)

6. Attack: Attack without being detected and maintain long-term access due to weak audit logs
   Control: Maintain and monitor audit logs
   Comments: Weak protection of or inadequate logging and monitoring permits attackers to hide actions

7. Attack: Attack web-based or other application software
   Control: Robust security controls and testing of application software
   Comments: Longstanding code weaknesses (e.g., SQL injection, buffer overflows) can be exploited

8. Attack: Gain administrator privileges to control target machines
   Control: Implement controlled use of administrator privileges
   Comments: Attacks exploit weak protection or control over administrator privileges

9. Attack: Gain access to sensitive data that is not adequately protected
   Control: Implement controlled access based on need to know
   Comments: Once inside a system, attackers exploit weak access controls

10. Attack: Exploit newly discovered and unpatched vulnerabilities
    Control: Continuous vulnerability assessment and remediation
    Comments: Attackers exploit the time between vulnerability discovery and patching

Page 25: Top 20 Cyber Attacks and Related Control (Continued) (not in priority order)

11. Attack: Exploit inactive user accounts
    Control: Monitor and control user accounts
    Comments: Legitimate but inactive accounts, or accounts of former employees, are exploited

12. Attack: Implement malware attacks
    Control: Implement up-to-date anti-virus, anti-spyware, and Intrusion Prevention System controls
    Comments: Malware attacks continue to evolve, leaving non-updated systems exposed

13. Attack: Exploit poorly configured network services
    Control: Limit and control network ports, protocols and services
    Comments: Attackers focus on unprotected or unneeded ports and protocols

14. Attack: Exploit weak security of wireless devices
    Control: Implement controls for wireless devices
    Comments: Example attacks include unauthorized access from parking lots, exploiting traveling employees, etc.

15. Attack: Steal sensitive data
    Control: Implement controls to detect and prevent unauthorized exfiltration
    Comments: Includes both electronic and physical (i.e., stolen laptops) attacks

Page 26: Top 20 Cyber Attacks and Related Control (Continued) (not in priority order)

16. Attack: Map networks looking for vulnerabilities
    Control: Implement secure network engineering
    Comments: Look for unprotected (i.e., weak) links or weak filtering/controls in network

17. Attack: Attack networks and systems by exploiting vulnerabilities undiscovered by target system personnel
    Control: Conduct penetration tests to evaluate and exercise defenses
    Comments: Attack exploits social engineering and inability of system to respond to automated attacks

18. Attack: Attack systems or organizations that have no or poor attack response
    Control: Implement effective cyber incident response capabilities
    Comments: True magnitude and impact of attack can be masked by inadequate response

19. Attack: Change system configurations and/or data so that organization cannot restore it properly
    Control: Implement data and system recovery procedures
    Comments: Leave backdoors or data errors that permit future attacks or disrupt operations

20. Attack: Exploit poorly trained or poorly skilled employees
    Control: Conduct skills assessment and ensure adequate training across the enterprise
    Comments: Attacks focus on manipulating end users, administrators, security operators, programmers, or even system owners

Page 27: Approach for Developing 20 Critical Controls

Engage the best security experts:
• NSA “Offensive Guys”
• NSA “Defensive Guys”
• DoD Cyber Crime Center (DC3)
• US-CERT (plus 3 agencies that were hit hard)
• Top Commercial Pen Testers
• Top Commercial Forensics Teams
• JTF-GNO
• AFOSI
• Army Research Laboratory
• DoE National Laboratories
• FBI and IC-JTF

• Identify top attacks—the critical risk areas
• Prioritize controls to match successful attacks—mitigate critical risks
• Identify automation/verification methods and measures
• Engage CIOs, CISOs, Auditors, and oversight organizations
• Map Critical Controls to NIST SP 800-53 P1 controls (proper subset)

Result: Applying the 20 Critical Controls will address the majority of cyber attacks

Page 28: Relevance of 20 Critical Controls to FISMA and NIST Guidelines

FISMA and NIST:
1. Assess cyber security risk in an organization
2. Implement security based on risk
3. Select controls from NIST SP 800-53 to mitigate risk areas
4. Objectively evaluate control effectiveness

20 Critical Controls:
1. Based on government-wide (shared) risk assessment
2. Controls address top cyber risks
3. 20 Critical Controls are subset of 800-53 Priority 1 controls
4. Use automated tools and periodic evaluations to provide continuous monitoring

20 Critical Controls designed to help agencies comply with FISMA and NIST guidance!

Page 29: NIST Guidance

NIST Guidance: 1200 pages of FIPS Pubs, Special Pubs, Security Bulletins, etc.