Transcript of "Protecting the Nation’s Critical Assets in the 21st Century" (Ross presentation)
Page 1
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Protecting the Nation’s Critical Assets in the 21st Century
Dr. Ron Ross, Computer Security Division, Information Technology Laboratory
Page 2
OPM.
Anthem BCBS.
Ashley Madison.
Page 3
Houston, we have a problem.
Page 4
Complexity.
Page 5
Sharks and glaciers.
SOFTWARE
FIRMWARE
HARDWARE
SYSTEMS
Page 6
The n+1 vulnerabilities problem.
2013 Defense Science Board Study
http://www.acq.osd.mil/dsb/reports/2010s/ResilientMilitarySystemsCyberThreat.pdf
Page 7
Achieving Trustworthiness and Resiliency
Security Architecture and Design
Harden the target
Limit damage to the target
Make the target survivable
Reducing susceptibility to cyber threats requires a multidimensional systems engineering approach.
Page 8
TACIT Security
▪ Threat
▪ Assets
▪ Complexity
▪ Integration
▪ Trustworthiness
MERRIAM-WEBSTER DICTIONARY
tac·it, adjective: expressed or understood without being directly stated
Page 9
Threat
▪ Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.
▪ Obtain threat data from as many sources as possible.
▪ Include external and insider threat analysis.
Page 10
Assets
▪ Conduct a comprehensive criticality analysis of organizational assets, including information and information systems.
▪ Focus on mission/business impact.
▪ Use a triage concept to segregate assets by criticality.
Page 11
Complexity
▪ Reduce the complexity of the information technology infrastructure, including IT component products and information systems.
▪ Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.
▪ Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.
Page 12
Integration
▪ Integrate information security requirements and the security expertise of individuals into organizational development and management processes.
▪ Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.
▪ Coordinate security requirements with mission/business owners; become key stakeholders.
Page 13
Trustworthiness
▪ Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.
▪ Isolate critical assets into separate enclaves.
▪ Implement security design concepts (e.g., modular design, layered defenses, component isolation, least functionality, least privilege).
Page 14
Risk assessment.
Page 15
Assets and consequences.
Criticality Analysis.
Identification of High Value Assets.
Page 16
Engineer up.
Page 17
Immediate Action Plan and Resources
▪ Conduct threat and vulnerability assessments.
  ▪ United States Computer Emergency Readiness Team
  ▪ https://www.us-cert.gov
▪ Conduct criticality analysis of information assets.
  ▪ FIPS Publication 199
  ▪ http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
▪ Reduce complexity of IT infrastructure.
  ▪ Federal Enterprise Architecture Initiative
  ▪ https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/common_approach_to_federal_ea.pdf
▪ Invest in trustworthy IT components and systems.
  ▪ DHS Software and Supply Chain Assurance
  ▪ https://buildsecurityin.us-cert.gov/swa
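The criticality analysis called for on the Assets slide and pointed at FIPS 199 here, shown as an added example that is not part of the presentation or of any NIST code: each system's security category is the high-water mark across the information types it handles, and systems are then triaged by overall impact so the HIGH tier can be isolated and defended first. The inventory below is constructed sample data.

```python
from dataclasses import dataclass

# FIPS 199 impact levels in rank order. "NA" is permitted only for the
# confidentiality of an individual information type (e.g. public data).
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its per-objective potential impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            lvl = getattr(self, obj)
            if lvl not in LEVELS or (lvl == "NA" and obj != "confidentiality"):
                raise ValueError(f"{self.name}: invalid {obj} impact {lvl!r}")


def categorize_system(info_types):
    """Security category of a system: per-objective maximum over its information types."""
    sc = {}
    for obj in OBJECTIVES:
        rank = max(LEVELS[getattr(t, obj)] for t in info_types)
        # A system never carries NA for an objective; FIPS 199 floors it at LOW.
        sc[obj] = NAMES[max(rank, LEVELS["LOW"])]
    return sc


def overall_impact(sc):
    """Single impact level for the system: the highest of its three objectives."""
    return NAMES[max(LEVELS[v] for v in sc.values())]


def triage(systems):
    """Group systems by overall impact so protection effort goes to the HIGH tier first."""
    tiers = {"HIGH": [], "MODERATE": [], "LOW": []}
    for name, types in systems.items():
        tiers[overall_impact(categorize_system(types))].append(name)
    return tiers


# Constructed sample inventory (hypothetical systems, not from the presentation).
SAMPLE_SYSTEMS = {
    "public-web": [InfoType("press releases", "NA", "LOW", "LOW")],
    "hr-records": [InfoType("personnel files", "MODERATE", "MODERATE", "LOW"),
                   InfoType("background checks", "HIGH", "MODERATE", "LOW")],
    "plant-control": [InfoType("setpoints", "LOW", "HIGH", "HIGH")],
}
```

Note that a single HIGH information type drags the whole system to HIGH, which is exactly why segregating such types into their own enclave (the Trustworthiness slide) shrinks the high-criticality footprint.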
Page 18
Important NIST Security and Privacy Pubs
▪ Cybersecurity Framework
▪ NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations
▪ NIST Special Publication 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
▪ NIST Special Publication 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
▪ NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Page 19
Some final thoughts.
Page 20
The ultimate objective for security.
Institutionalize.
Operationalize.
Page 21
Leadership.
Governance.
Accountability.
Page 22
Security is a team sport.
Industry
Government
Academia
Page 23
Ron Ross
100 Bureau Drive, Mailstop 7730
Gaithersburg, MD USA 20899-7730
Email: [email protected]
Phone: (301) 651.5083
LinkedIn: www.linkedin.com/in/ronross-cybersecurity
Twitter: @ronrossecure
Web: csrc.nist.gov
Comments: [email protected]
We are here to help you be more secure…