Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA www.gilligangroupinc.com March 10, 2009.


Topics
- Historical Perspectives
- Cyber Security Today: A National Crisis
- Cyber Security Commission Recommendations
- Near-Term Opportunities
- Longer-Term Game-Changing Initiatives
- Closing Thoughts

Historical Perspectives
- Computer Security in the Cold War Era
- Security "Gurus": Keepers of the Kingdom
- The Internet changes the security landscape, forever
- The Age of Information Sharing
- Omissions of the past are now our "Achilles Heel"
Our Approaches To Providing Mission-Enabling IT Are Stuck In The Past

Cyber Security Today: A New "Ball Game"
- Our way of life depends on a reliable cyberspace
- Intellectual property is being downloaded at an alarming rate
- Cyberspace is now a warfare domain
- Attacks increasing at an exponential rate
- Fundamental network and system vulnerabilities cannot be fixed quickly
- Entire industries exist to "Band Aid" over engineering and operational weaknesses
Cyber Security is a National Security Crisis!

Commission on Cyber Security for the 44th Presidency: Key Recommendations
- Create a comprehensive national security strategy for cyberspace
- Lead from the White House
- Reinvent public-private partnerships
- Regulate cyberspace
- Modernize authorities
- Leverage government procurement
- Build on recent progress with CNCI

Near-Term Opportunities
- Use government IT acquisitions to change the IT business model
- Enhance public-private partnerships
- Adopt the Consensus Audit Guidelines (CAG)
- Update FISMA
- Implement more secure Internet protocols
- Implement a comprehensive, federated authentication strategy
- Leverage the Stimulus Package to improve cyber security

Use Government IT Procurement
- Cyber security needs to be reflected in our contractual requirements
- Many "locked down" configurations are already defined
- Use government-industry partnership to accelerate implementation of secure configurations
- Get started now, improve configuration guidelines over time, and leverage SCAP!
Build on FDCC Successes and Lessons Learned

Security Content Automation Protocol (SCAP)
- What is it: A set of open standards that allows for the monitoring, positive control, and reporting of the security posture of every device in a network.
- How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information.
- Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations

Enhance Public-Private Partnerships
- Most of our nation's critical infrastructure is owned by the private sector
- Much of our government-sponsored research intellectual property is "protected" by industry
- Regulators need to guide/govern private sector efforts
- Private and public sectors must act in cooperation
  – Defense Industrial Base (DIB): an excellent model
Protecting Government and Military Systems Is Not Sufficient

Implement Consensus Audit Guidelines (CAG)
- Underlying Rationale
  – Let "Offense drive Defense"
  – Focus on most critical areas
- CAG: Twenty security controls based on attack patterns
- Emphasis on auditable controls and automated implementation/enforcement
- Public comment period through March 25th
- Pilots and standards for tools later this year

Update FISMA
- Emphasize evaluating effectiveness of controls vs. paper reviews
- Enhance authority and accountability of the CISO
- Foster government leadership
  – Independent, expert reviews
  – Procurement standards
  – Dynamic sharing of lessons learned


Longer-Term: IT Reliably Enabling the Economy
- Change the dialogue: Reliable, resilient IT is fundamental to future economic growth
- New business model for the software industry
- Redesign the Internet
- Get the "man out of the loop": use automated tools (e.g., SCAP)
- Develop a professional cyberspace workforce
- Foster new IT services models
Need to Fundamentally "Change the Game" to Make Progress

Closing Thoughts
- Government and industry need to treat cyber security as an urgent priority
- Near-term actions are important, but we need to fundamentally change the game to get ahead of the threat
- The IT community needs to reorient the dialogue on cyber security: the objective is reliable and resilient information
Cyber Security is Fundamentally a Leadership Issue!

Contact Information
John M. Gilligan

Security Standards Efforts: Security Content Automation Protocol (SCAP)
- CPE (Platforms): What IT systems do I have in my enterprise?
- CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
- CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
- CCE (Configurations): How can I configure my systems more securely?
- XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
- OVAL (Assessment Language): How can I be sure my systems conform to policy?

Security Standards Efforts: Next Steps*
Existing SCAP components:
- CPE (Platforms): What IT systems do I have in my enterprise?
- CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
- CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
- CCE (Configurations): How can I configure my systems more securely?
- XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
- OVAL (Assessment Language): How can I be sure my systems conform to policy?
In Progress:
- CWE (Weaknesses): What weaknesses in my software could be exploited?
- CAPEC (Attack Patterns): What attacks can exploit which weaknesses?
- CEE (Events): What should be logged, and how?
- CRF (Results): How can I aggregate assessment results?
- MAEC (Malware Attributes): How can we recognize malware?
* Making Security Measurable – The MITRE Corporation
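The SCAP slides above describe the components by the question each answers (CPE: what do I have; CVE and CVSS: what matters right now; CCE, XCCDF and OVAL: does my configuration conform). The following is an added toy illustration of that chain, not code from the slides or from any SCAP tool; every inventory entry, CVE and CCE identifier, score and configuration value is constructed, and the record layouts are simplified stand-ins for the real XML formats.

```python
# Toy walk-through of the SCAP component chain (added example, not from the slides).
# All data below is constructed; identifiers are placeholders, not real CVE/CCE entries.

# CPE answers "what IT systems do I have": host -> platform name (CPE 2.2-style string, assumed format).
INVENTORY = {
    "web01": "cpe:/o:example:serveros:5.1",
    "db01": "cpe:/o:example:serveros:4.0",
}

# CVE + CVSS answer "what do I worry about, and right now": affected platform and base score.
VULN_FEED = [
    {"cve": "CVE-EXAMPLE-0001", "cpe": "cpe:/o:example:serveros:5.1", "cvss": 9.3},
    {"cve": "CVE-EXAMPLE-0002", "cpe": "cpe:/o:example:serveros:4.0", "cvss": 4.3},
    {"cve": "CVE-EXAMPLE-0003", "cpe": "cpe:/o:example:serveros:4.0", "cvss": 7.5},
]

# XCCDF-like checklist: each rule names a CCE placeholder and an OVAL-like test
# (configuration key, comparison, expected value) evaluated against a host's settings.
CHECKLIST = [
    {"rule": "password-min-length", "cce": "CCE-EXAMPLE-1", "key": "pw_min_len", "op": ">=", "want": 12},
    {"rule": "ssh-root-login-off", "cce": "CCE-EXAMPLE-2", "key": "ssh_root_login", "op": "==", "want": "no"},
]
CONFIGS = {  # constructed per-host settings the OVAL-like tests read
    "web01": {"pw_min_len": 14, "ssh_root_login": "yes"},
    "db01": {"pw_min_len": 8, "ssh_root_login": "no"},
}

def vulns_for_host(host, min_cvss=7.0):
    """CVE ids affecting the host's CPE with CVSS at or above the threshold, highest score first."""
    cpe = INVENTORY[host]
    hits = [v for v in VULN_FEED if v["cpe"] == cpe and v["cvss"] >= min_cvss]
    return [v["cve"] for v in sorted(hits, key=lambda v: -v["cvss"])]

def evaluate_checklist(host):
    """Return {rule: 'pass' | 'fail'} for the host, like a per-rule XCCDF result."""
    cfg = CONFIGS[host]
    results = {}
    for rule in CHECKLIST:
        actual = cfg.get(rule["key"])
        if rule["op"] == "==":
            ok = actual == rule["want"]
        else:  # ">=": a missing setting counts as a failure, never as a pass
            ok = actual is not None and actual >= rule["want"]
        results[rule["rule"]] = "pass" if ok else "fail"
    return results

def posture_report(min_cvss=7.0):
    """Combine both views into the per-host posture report the SCAP slide promises."""
    return {h: {"vulns": vulns_for_host(h, min_cvss), "checks": evaluate_checklist(h)} for h in INVENTORY}

if __name__ == "__main__":
    for host, rep in posture_report().items():
        print(host, rep)
```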