Cyber Threats and Awarenessmedia.govtech.net/GOVTECH_WEBSITE/EVENTS/... · Cyber Defense -...

Page 1

Cyber Threats and Awareness: Achieving an Effective Cyber Defense

Maryland Digital Government Summit, 6 June 2011

LTC (MD) Gary Stoneburner

Deputy Director G6, Maryland Defense Force (MDDF)

Page 2

Disclaimer/Credit

• Disclaimer: Informational presentation - Not an organizational position

• Thanks to Dr. Ron Ross of the National Institute of Standards and Technology (NIST) for permission to use material he presented at the Naval Postgraduate School in September and at the Digital Government Institute this last February

Page 3

Information technology may be our greatest strength and at the same time, potentially our greatest weakness…

Page 4

We expend far too many resources on back-end security…(e.g., chasing the latest vulnerabilities and patching systems)

and far too few resources on front-end cyber defense…(e.g., risk-aware mission/business processes and wise use of technology)

Page 5

Cyber Defense - Take-Away #1: True Measure

• The true measure of an effective cyber defense is:
– Will the mission succeed?
– Are the citizens of Maryland protected?

Is that what we measure? Is there even a correlation between what we truly need to know and what we actually count, convert to stop-light charts, and report?

Page 6

Cyber Defense - Take-Away #2: Fragile IT

• Typical workstation has on the order of 250,000 flaws
– At least 50 mloc and 5 flaws per kloc
– For flaw rates see, for example, Software Assessments, Benchmarks, and Best Practices; C. Jones, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA ©2000, ISBN 0-201-48542-7

• Recent research indicates that roughly 1% of flaws are security critical – meaning ~2,500 for your laptop.
– See Measuring, analyzing and predicting security vulnerabilities in software systems; 2006, http://www.cs.colostate.edu/~malaiya/635/09/com&security_darticle.pdf

• Vulnerabilities are addressed one-by-one

• Vulnerabilities are everywhere, even where they should never be:
– National Vulnerability Database (nvd.nist.gov) has
• 217 font-related system vulnerabilities
• 173 media player-related system vulnerabilities

We are depending on arguably undependable IT

Page 7

Cyber Defense - Take-Away #3: Status Quo Doesn’t Work

• Can’t fix a problem due to flawed IT by adding flawed IT
– We add security ‘features’, ‘mechanisms’
– But what we add is built to the same ‘quality’ levels as what it is supposed to protect

• More vulnerabilities to chase than we can ever hope to cover by doing so.
– For every vulnerability “fixed”, thousands more remain
– As we ‘fix’ vulnerabilities, we create more in doing so

• We spend 110% (on a good day) just playing catch-up with the adversaries, having no resources left to work toward truly getting ahead of them.

On ‘first principles’ the present approach can’t succeed. So doubling down and doing more of it is not helpful.

Page 8

Cyber Defense - Take-Away #4: IS Security is a Means, not the End

• Recognize that IS security is a means, not the end; and likely not even the major part of an effective cyber defense.

• Recognize the need for ‘adequately secure’ IS

– Understand that ‘adequate’ must be defined for your system.

– Understand that ‘adequate’ is whatever is needed to achieve the security requirements allocated from the mission/business process that the system is to accomplish

– Understand that this allocation must be brutally honest concerning what can realistically be achieved by the IS we can actually implement.

Think outside the box of defense by IS security

Page 9

Cyber Defense - Take-Away #5: Focus on the Adversary

• Too much of what we call “security” is policy compliance

– Too often the only identified ‘adversary’ is the IG or the system approving authority

– Of course, comply with policy. But recognize that we cannot win in cyberspace by policy compliance.

Think outside the box of defense by policy.

Page 10

Cyber Defense - Take-Away #6: Focus on Harm to Us, not Our IT

• Concern is harm through IT, not harm to IT.

• If adversary effects truly stay in cyberspace – then: Don’t care!

Our focus needs to be attacks through our IT (maybe in conjunction with attacks in kinetic space) to harm our organization, individuals, other organizations, or even the Nation

Page 11

Cyber Defense - Take-Away #7: Multi-Tiered Risk Management

• Cyber Defense as part of a multi-tiered risk response:
– Tier 1, Organizational level: Establish context/requirements for actions at other levels and accomplish organization-wide actions.

– Tier 2, Mission/business process level: Implement a risk-aware/risk-tolerant process; to include architecting a cyber defense capability and allocating this capability across Tier 2 actions and supporting Tier 3 information systems.

– Tier 3, IS level: Achieve “adequate security”; that is, achieve information system security that accomplishes the security requirements allocated to the system from Tier 2.

Winning in cyberspace is more than “IS security”

Page 12

Cyber Defense - Take-Away #8: Focus on the Mission

• Move focus from system to mission/business

• Move focus from security controls to protect a system to cyber defense capability to achieve mission/business success

Cyber defense is a mission process capability, not an information system function

Page 13

Cyber Defense - Take-Away #9: Keys to Success

• Realistic decisions
– For example, our IT is what it is, and expecting it to be something else is quite convenient but wrong

• Explicit decisions
– If implicit, then it’s not planning and management but serendipity
– If implicit, then likely not verified and not reviewed when the situation changes

• Don’t over-simplify the challenge from high-end adversaries
– “For every complex problem there is a solution that is simple, clear, and wrong” (H.L. Mencken)

• Use resources wisely
– Automate the simple stuff not as the “solution”, but to free up resources for the hard stuff

Page 14

The Threat

Page 15

The Perfect Storm

• Explosive growth in dependence on fragile information technology for mission/business success;
• Leading to a proliferation of information systems and networks with virtually unlimited connectivity;
• With clear evidence of adversaries motivated to cause us harm and capable of using our cyberspace in doing so; and
• We appear to be measuring our cyber security by the activity we perform, not what we achieve.

Net result: Adversary has a distinct advantage

Page 16

Degree of threat compounded by:
• Connectivity (access)
• Complexity (vulnerabilities)

Page 17

The Stuxnet Worm
Targeting critical infrastructure:
• Infected industrial control systems around the world.
• Uploads payload to Programmable Logic Controllers.
• Gives attacker control of the physical system.
• Provides back door to steal data and remotely and secretly control critical plant operations.
• Found in Siemens Simatic WinCC software used to control industrial manufacturing and utilities.

Page 18

The Flash Drive Incident
Targeting U.S. Department of Defense:
• Malware on flash drive infected military laptop computer at base in Middle East.
• Foreign intelligence agency was source of malware.
• Malware uploaded itself to Central Command network.
• Code spread undetected to classified and unclassified systems, establishing digital beachhead.
• Rogue program poised to silently steal military secrets.

Page 19

What is at Risk?
• Organization – mission, assets, reputation
• Individuals – life, health, privacy, finances
• Nation – goals, objectives, sovereignty

Producing concerns ranging from the individual to the Nation

Page 20

The Path to Solution

Page 21

We have to do business in a dangerous world…

Effectively managing risk as we go.

Page 22

Maryland Benefits from Federal Unified Risk Management Framework

[Diagram: The Generalized Model – Common Risk Management Requirements and Guidance, plus each community’s Unique Requirements (the “Delta”)]

Foundational Set of Risk Management Standards and Guidance:
• Risk management (organization, mission, information system)
• Security categorization (information criticality/sensitivity)
• Security controls (safeguards and countermeasures)
• Security assessment procedures
• Security processes for risk management, risk assessment, and control selection

Communities shown: Intelligence Community; Department of Defense; Federal Civil Agencies; CNSS; Private Sector; State/Local Govt

CNSS = Committee on National Security Systems

Page 23

Joint NIST/DOD/DNI/CNSS Guidance: Core Risk Management Publications

• NIST Special Publication 800-39: Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View

• NIST Special Publication 800-37, Revision 1: Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach

• NIST Special Publication 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations

• NIST Special Publication 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

• NIST Special Publication 800-30, Revision 1: Guide for Conducting Risk Assessments (Projected July 2011, Public Draft)

Page 24

Enterprise-Wide Risk Management (RM) – NIST SP 800-39

[Diagram: Multi-tiered Risk Management Approach, strategic risk focus at the top, tactical risk focus at the bottom]
• TIER 1: Organization (Set the stage)
• TIER 2: Mission / Business Process (Risk-aware processes)
• TIER 3: Information System (Information system security)

Implemented by the Risk Executive Function
Enterprise Architecture and SDLC Focus
Flexible and Agile Implementation

Page 25

Enterprise Risk Management: Tier 1 (Organization)

• The organization:
– Frames (sets the stage for) organizational risk response; e.g., organizational risk tolerance, risk response strategy
– Ensures consistent, effective risk management decisions and actions across the organization
– Ensures that organizational risk management adequately includes the perspective of risks being incurred by others due to the decisions and actions of the organization
– Performs organization-wide risk response actions
– Receives feedback from all three tiers and maintains on-going awareness of the risk posture of the organization

Page 26

Enterprise Risk Management: Tier 2 (Process)

• The organization:

– Defines risk-aware mission/business processes that require no more protection/response than can actually be achieved and impose onto process components only those security requirements that the components are capable of achieving

– Determines information protection needs and designs cyber defense to achieve this protection

– Allocates cyber defense capability between tier 2 actions and system security requirements imposed from tier 2 onto supporting ISs at tier 3

– Performs process-wide risk response actions at tier 2

– Receives feedback from tier 3 and provides feedback to tier 1

– Maintains on-going awareness of the effectiveness of process cyber defense capability and of risk being incurred at the process level

Page 27

Enterprise Risk Management: Tier 3 (System)

• The organization:
– Architects, implements, and operates information systems that achieve the security requirements allocated to the systems from tier 2; aka “adequate security”. (Pushing back on tier 2 when unable to achieve such requirements.)

– Maintains on-going awareness of the security capability of the tier 3 information systems

– Provides feedback to tiers 1 and 2

Page 28

A Final Take-Away

So what do you do now?

Page 29

Bottom Line for Effective RM – Wise Use

• Align expectation with reality - this is the key to near-term achievement of an effective cyber defense

• Our IT is what it is: Expect only what it can deliver.
– Allocate to the IT only those security requirements for which that IT is truly worthy of being trusted to achieve despite the threats you need to address (trustworthy IT).

– To make this allocation you must know the trustworthiness of your IT. That is, the security capability achieved and the ability to maintain capability despite threats (robustness) and to ‘fight through’ or restore capabilities if diminished (resilience).

Bottom line for Mission/Business Success: Explicit decision to depend on IT only to the degree that IT is dependable

Page 30

Questions?

Page 31

Additional Slides

Page 32

The Threat Situation
Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals…
• Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
• Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions.
• Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property).
• Potential for disruption of critical systems and services.

Page 33

Asymmetry of Cyber Attacks
The weapons of choice are:
• Laptop computers, hand-held devices, cell phones.
• Sophisticated attack tools and techniques downloadable from the Internet.
• World-wide telecommunication networks including telephone networks, radio, and microwave.

Resulting in low-cost, highly destructive attack potential.

Page 34

The Evolution of Risk and Security
The conventional wisdom has changed over four decades:
• Confidentiality → Confidentiality, Integrity, Availability
• Information Protection → Information Protection / Sharing
• Static, Point-in-Time Focus → Dynamic, Continuous Risk-aware Focus
• Government-Centric Solutions → Commercial Solutions
• Risk Avoidance → Risk Ignore → Risk Management (RM)

(called it RM)

Page 35

Need Broad-Based Security Solutions
Over 90% of critical infrastructure systems/applications owned and operated by non-state entities.

Key sectors:
• Energy (electrical, nuclear, gas and oil, dams)
• Transportation (air, road, rail, port, waterways)
• Public Health Systems / Emergency Services
• Information and Telecommunications
• Banking and Finance
• Postal and Shipping
• Agriculture / Food / Water / Chemical

Page 36

The Fundamentals
Combating 21st century cyber attacks requires 21st century strategies, tactics, training, and technologies…
• Integration of information security into enterprise architectures and system life cycle processes.
• Unified information security framework and common, shared security standards and guidance.
• Enterprise-wide, risk-based protection strategies.
• Flexible and agile deployment of safeguards and countermeasures.
• More resilient, penetration-resistant information systems.
• Competent, capable cyber warriors.

Page 37

Federal Government Transformation

An historic government-wide transformation for risk management and information security driven by…
• Increasing sophistication and tempo of cyber attacks.
• Convergence of national and non-national security interests within the federal government.
• Convergence of national security and economic security interests across the Nation.
• Need unified approach in providing effective risk-based cyber defenses for the federal government and the Nation.

Page 38

Joint Task Force Transformation Initiative: A Broad-Based Partnership
• National Institute of Standards and Technology
• Department of Defense
• Intelligence Community
• Office of the Director of National Intelligence
• 16 U.S. Intelligence Agencies
• Committee on National Security Systems

Page 39

Risk Management Process

[Diagram: Risk at the center of a cycle of Assess, Respond, and Monitor]

Page 40

Tier 1 of RM – Organization
• Governance
• Risk management strategy
• Investment strategy
• Risk tolerance
• Trust
• Transparency
• Culture
• Organization-wide risk response actions

Page 41

Tier 2 of RM – Mission/Business Process
• Influenced by risk management decisions at Tier 1.
• Identification of risk-aware missions/business processes; including definition of process cyber defense capability.
• Determination of information types and flows.
• Identification of information protection needs and associated security requirements.
• Development of enterprise architecture.
• Development of information security architecture and allocation of requirements between Tier 2 and Tier 3.
• Process-wide risk response actions implemented at Tier 2.

Page 42

Tier 3 of RM – Information System
• Influenced by risk management decisions at Tiers 1 & 2.
• Allocation of necessary and sufficient security controls to information systems in order to achieve the security requirements allocated to the information system from Tier 2 (aka, “adequate security”).
• Uses Risk Management Framework to guide process.
• Information security managed as part of the SDLC.
• Feedback to Tiers 1 & 2 for continuous improvement.
• Implementation and operations of ‘adequate’ information system security (risk response actions at Tier 3).

Page 43

Risk Management Framework (RMF): RM at Tier 3 – NIST SP 800-37 Rev 1
IS Security Life Cycle

[Diagram: the RMF cycle, read from the Starting Point]
• CATEGORIZE Information System (Starting Point): Determine potential worst-case, adverse impacts.
• SELECT Security Controls: Select baseline security controls; tailor and supplement as needed based on risk assessment.
• IMPLEMENT Security Controls: Implement security controls.
• ASSESS Security Controls: Determine security control effectiveness.
• AUTHORIZE Information System: Determine risk and, if acceptable, authorize operation.
• MONITOR Security Controls: Monitor control effectiveness on an on-going basis.

Page 44

The Central Question: From Two Perspectives

• Defense Capability Perspective: What cyber defense capability is needed to defend against a specific class of cyber threat, adequately addressing the threat to achieve mission success? (REQUIREMENTS DEFINITION)

• Threat Capability Perspective: Given a certain level of cyber defense capability, what class of cyber threat can be addressed, and is addressing that class of cyber threat sufficient to achieve mission success? (GAP ANALYSIS)

An increasingly sophisticated and motivated adversary requires increasing defensive capabilities

Page 45

Cyber Preparedness

[Diagram: each threat level is matched to a cyber preparedness level; Adversary Capabilities and Motivation run from LOW to HIGH on one side, Defender Cyber Defense Capability from LOW to HIGH on the other]
• THREAT LEVEL 5 – CYBER PREP LEVEL 5
• THREAT LEVEL 4 – CYBER PREP LEVEL 4
• THREAT LEVEL 3 – CYBER PREP LEVEL 3
• THREAT LEVEL 2 – CYBER PREP LEVEL 2
• THREAT LEVEL 1 – CYBER PREP LEVEL 1

Page 46

Agile Defense
Boundary protection is a necessary but not sufficient condition for Agile Defense.

Examples of Agile Defense measures:
• Compartmentalization and segregation of critical assets
• Targeted allocation of security controls
• Virtualization and obfuscation techniques
• Encryption of data at rest
• Limiting of privileges
• Routine reconstitution to known secure state

Bottom Line: “Fight” through hostile attack to achieve mission/business success

Page 47

Key Definitions

Page 48

Risk

Risk is a measure of the extent to which an entity is threatened by a potential event, and typically a function of:

(i) the adverse impacts that would arise if the event occurs; and

(ii) the likelihood of occurrence.

Page 49

Trustworthiness

• Trustworthiness is a measure of the ability of an entity (system, component, individual, mission/business process, or organization) to achieve, maintain, and, if necessary, restore confidentiality, integrity, and availability despite a full range of threats. Trustworthiness is comprised of three elements:

(1) Capability: [Achieve] The capability implemented to achieve application-specific security requirements.

(2) Robustness: [Maintain] Degree to which an entity is able to maintain its security capability despite a full range of threats seeking to diminish that capability.

(3) Resilience: [Restore] Degree to which an entity is able to continue to provide essential operational capabilities despite diminished security capabilities and to restore security capabilities within established timelines in the event of diminished capability due to flaws, errors, natural events, or purposeful actions.

Page 50

Trustworthy

Trustworthy entities are those who truly are worthy of being trusted to achieve the security requirements allocated to that entity despite:
– environmental disruptions
– human errors
– purposeful attacks

Trustworthy entities have sufficient trustworthiness for what they are being trusted to accomplish.

Page 51

Assurance

• Assurance (evidence) is objective grounds for confidence that an entity’s trustworthiness level is accurately known.

• The assurance evidence includes both artifacts from the activities and actions that security control developers and implementers perform and results of the actions of security control assessors.

• Significant assurance evidence is typically required in order for the entity to be deemed trustworthy when a high level of trustworthiness is required.
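Slides 26, 27 and 29 describe the Tier 2 allocation decision (hand a security requirement to a Tier 3 system only if that system is trustworthy enough, otherwise push it back to Tier 2), and slides 49 to 51 define the trustworthiness elements and assurance the decision rests on. The following Python model is an added example, not material from the presentation or from NIST; the 1-to-5 rating scales, the thresholds HIGH_TRUST and MIN_ASSURANCE_FOR_HIGH, and the sample system and requirements are assumptions constructed for illustration.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Trustworthiness:
    """The three elements from slide 49, each rated 1 (low) .. 5 (high).
    The 1..5 scale is an assumption made for this example."""
    capability: int   # [Achieve]  security capability implemented
    robustness: int   # [Maintain] keeps that capability despite threats
    resilience: int   # [Restore]  fights through / restores when diminished

    def shortfalls(self, needed: "Trustworthiness") -> list:
        """Names of the elements where this entity falls short of what is needed."""
        return [f.name for f in fields(self)
                if getattr(self, f.name) < getattr(needed, f.name)]

    def highest(self) -> int:
        return max(self.capability, self.robustness, self.resilience)


@dataclass(frozen=True)
class SecurityRequirement:
    name: str
    needed: Trustworthiness   # level the Tier 2 process needs for the threat class it faces


@dataclass(frozen=True)
class InformationSystem:
    name: str
    assessed: Trustworthiness  # what the assessors found (slide 51)
    assurance: int             # 1..5: how well the assessed level is actually known


HIGH_TRUST = 4               # assumed: a needed level at or above this is "high"
MIN_ASSURANCE_FOR_HIGH = 4   # assumed: high trustworthiness needs significant assurance evidence


def trusted_for(system: InformationSystem, req: SecurityRequirement):
    """Slide 50 test: is the system truly worthy of being trusted with this requirement?
    Slide 51 caveat: a high trustworthiness claim without evidence is not a trusted claim.
    Returns (decision, reason)."""
    gaps = system.assessed.shortfalls(req.needed)
    if gaps:
        return False, "shortfall in " + ", ".join(gaps)
    if req.needed.highest() >= HIGH_TRUST and system.assurance < MIN_ASSURANCE_FOR_HIGH:
        return False, (f"assurance {system.assurance} below the "
                       f"{MIN_ASSURANCE_FOR_HIGH} needed for high trustworthiness")
    return True, "trustworthiness sufficient and adequately evidenced"


def allocate(requirements, system: InformationSystem):
    """Tier 2 allocation step (slides 26, 27, 29): each requirement is either allocated
    to the Tier 3 system or pushed back to Tier 2 with the reason, so the process owner
    must decide explicitly (compensating process measure, another system, or accepting
    the risk) instead of leaving it to serendipity (slide 13)."""
    tier3, pushed_back = [], {}
    for req in requirements:
        ok, reason = trusted_for(system, req)
        if ok:
            tier3.append(req.name)
        else:
            pushed_back[req.name] = reason
    return tier3, pushed_back


# Constructed sample: a hypothetical case-management server and four requirements.
CASE_SERVER = InformationSystem(
    "case-management-server",
    assessed=Trustworthiness(capability=4, robustness=3, resilience=2),
    assurance=3,
)

REQUIREMENTS = [
    SecurityRequirement("protect citizen PII at rest", Trustworthiness(3, 3, 2)),
    SecurityRequirement("stay available under sustained attack", Trustworthiness(3, 3, 4)),
    SecurityRequirement("high-integrity case records", Trustworthiness(4, 3, 2)),
    SecurityRequirement("log every login event", Trustworthiness(2, 2, 1)),
]

if __name__ == "__main__":
    to_tier3, back_to_tier2 = allocate(REQUIREMENTS, CASE_SERVER)
    print("Allocated to Tier 3:", to_tier3)
    for name, why in back_to_tier2.items():
        print(f"Pushed back to Tier 2: {name} ({why})")
```

With the sample data, two requirements land on the system and two go back to Tier 2: one because the system's resilience falls short, one because the high-integrity requirement is met on paper but without enough assurance evidence to rely on it.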
