NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Systems Under Attack Managing Enterprise Risk in Today's World of Sophisticated Threats and.

Presentation transcript:

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Slide 1: Information Systems Under Attack: Managing Enterprise Risk in Today's World of Sophisticated Threats and Adversaries
February 22, 2007
Dr. Ron Ross, Computer Security Division, Information Technology Laboratory

Slide 2: Current State of Affairs
- Continuing serious attacks on federal information systems, large and small, targeting key federal operations and assets.
- Significant exfiltration of critical and sensitive information and implantation of malicious software.
- Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
- Adversaries: nation states, terrorist groups, hackers, criminals, and any individuals or groups with intentions of compromising a federal information system.
- Increasing number of trusted employees taking dangerous and imprudent actions with respect to organizational information systems.

Slide 3: Additional Threats to Security
- Connectivity
- Complexity

Slide 4: U.S. Critical Infrastructures
"...systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters." -- USA Patriot Act (P.L )

Slide 5: U.S. Critical Infrastructures
- Energy (electrical, nuclear, gas and oil, dams)
- Transportation (air, road, rail, port, waterways)
- Public Health Systems / Emergency Services
- Information and Telecommunications
- Defense Industry
- Banking and Finance
- Postal and Shipping
- Agriculture / Food / Water
- Chemical

Slide 6: Legislative and Policy Drivers
- Public Law (Title III): Federal Information Security Management Act of 2002
- Homeland Security Presidential Directive #7: Critical Infrastructure Identification, Prioritization, and Protection
- OMB Circular A-130 (Appendix III): Security of Federal Automated Information Resources
- OMB Memorandum M: Protection of Sensitive Information

Slide 7: Information Security: Why is it Important in Research and Education?
- Rich target of opportunity for adversaries.
- Large, federally sponsored research facilities operate very substantial, interconnected networks of diverse resources, including computers, information stores, and special instrumentation.
- Need to protect the critical/sensitive information in research facilities from unauthorized:
  - Disclosure (confidentiality breach)
  - Modification (integrity breach)

Slide 8: FISMA Strategic Vision
- We are building a solid foundation of information security across one of the largest information technology infrastructures in the world, based on comprehensive security standards and technical guidance.
- We are institutionalizing a comprehensive Risk Management Framework that promotes flexible, cost-effective information security programs for federal agencies.
- We are establishing a fundamental level of "security due diligence" for federal agencies and their contractors, based on minimum security requirements and security controls.

Slide 9: Key Players
- Authorizing Officials
- Mission / Information System Owners
- Chief Information Officers
- Chief Information Security Officers
- Inspectors General

Slide 10: FISMA Characteristics
The NIST Risk Management Framework and the associated security standards and guidance documents provide a process that is:
- Disciplined
- Flexible
- Extensible
- Repeatable
- Organized
- Structured
"Building information security into the infrastructure of the organization... so that critical enterprise missions and business cases will be protected."

Slide 11: Managing Enterprise Risk
Key activities in managing enterprise-level risk, that is, risk to the enterprise and to other organizations resulting from the operation of an information system:
- Categorize the information system (criticality/sensitivity)
- Select and tailor baseline (minimum) security controls
- Supplement the security controls based on risk assessment
- Document security controls in the system security plan
- Implement the security controls in the information system
- Assess the security controls for effectiveness
- Authorize information system operation based on mission risk
- Monitor security controls on a continuous basis

Slide 12: Risk Management Framework
Starting point: CATEGORIZE Information System (FIPS 199 / SP). Define criticality/sensitivity of the information system according to potential impact of loss.
SELECT Security Controls (FIPS 200 / SP). Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate.
SUPPLEMENT Security Controls (SP / SP). Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.
DOCUMENT Security Controls (SP). Document in the security plan the security requirements for the information system and the security controls planned or in place.
IMPLEMENT Security Controls (SP). Implement security controls; apply security configuration settings.
ASSESS Security Controls (SP A). Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).
AUTHORIZE Information System (SP). Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.
MONITOR Security Controls (SP / SP A). Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Slide 13: Information Security Program
Adversaries attack the weakest link... where is yours?
Links in the Security Chain: Management, Operational, and Technical Controls
Management and operational controls:
- Risk assessment
- Security planning
- Security policies and procedures
- Contingency planning
- Incident response planning
- Security awareness and training
- Security in acquisitions
- Physical security
- Personnel security
- Security assessments
- Certification and accreditation
Technical controls:
- Access control mechanisms
- Identification & authentication mechanisms (biometrics, tokens, passwords)
- Audit mechanisms
- Encryption mechanisms
- Boundary and network protection devices (firewalls, guards, routers, gateways)
- Intrusion protection/detection systems
- Security configuration settings
- Anti-viral, anti-spyware, anti-spam software
- Smart cards

Slide 14: Information Security Strategy
- Successful FISMA implementation demands that organizations adopt an enterprise-wide security strategy.
- Metrics of a successful implementation:
  - Cost-effective
  - Consistent
  - Comprehensive
  - Effective

Slide 15: Six Essential Activities
- FIPS 199 security categorizations
- Identification of common controls
- Application of tailoring guidance for FIPS 200 and SP security controls
- Effective strategies for continuous monitoring of security controls (assessments)
- Security controls in external environments
- Use restrictions

Slide 16: Security Categorization (FIPS 199)
The same three-level scale applies to each security objective (confidentiality, integrity, availability):
- LOW: the loss of the objective could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- MODERATE: the loss of the objective could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- HIGH: the loss of the objective could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Example: An Enterprise Information System, mapping information types to FIPS 199 security categories (SP).

Slide 17: Large and Complex Systems
- The system security plan reflects the information system decomposition, with adequate security controls assigned to each subsystem component.
- Security assessment methods and procedures are tailored for the security controls in each subsystem component and for the combined system-level controls.
- Security certification is performed on each subsystem component and on system-level controls not covered by subsystem certifications.
- Security accreditation is performed on the information system as a whole.
[Figure: Accreditation Boundary around an Agency General Support System made up of three subsystem components: Local Area Network Alpha, System Guard, and Local Area Network Bravo.]

Slide 18: Common Security Controls
Security controls that can be applied to one or more agency information systems and have the following properties:
- The development, implementation, and assessment of common security controls can be assigned to responsible officials or organizational elements (other than the information system owner); and
- The results from the assessment of the common security controls can be reused in security certifications and accreditations of agency information systems where those controls have been applied.

Slide 19: Security Control Baselines
Master Security Control Catalog: the complete set of security controls and control enhancements.
- Baseline #1, Minimum Security Controls for Low Impact Information Systems: selection of a subset of security controls from the master catalog, consisting of basic level controls.
- Baseline #2, Minimum Security Controls for Moderate Impact Information Systems: builds on the low baseline. Selection of a subset of controls from the master catalog: basic level controls, additional controls, and control enhancements.
- Baseline #3, Minimum Security Controls for High Impact Information Systems: builds on the moderate baseline. Selection of a subset of controls from the master catalog: basic level controls, additional controls, and control enhancements.

Slide 20: Tailoring Guidance
- FIPS 200 and SP provide significant flexibility in the security control selection and specification process, if organizations choose to use it.
- Includes:
  - Scoping guidance;
  - Compensating security controls; and
  - Organization-defined security control parameters.

Slide 21: Tailoring Security Controls: Scoping, Parameterization, and Compensating Controls
[Figure: the Low, Moderate, and High Baselines (Minimum Security Controls for Low, Moderate, and High Impact Information Systems) are tailored into Tailored Security Controls for each enterprise's own operational environment (Enterprise #1 / Operational Environment #1, Enterprise #2 / Operational Environment #2, Enterprise #3 / Operational Environment #3).]
Cost effective, risk-based approach to achieving adequate information security...
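The categorize, select, and tailor steps of slides 16, 19, 20 and 21 can be made concrete in code. The following is an added example, not material from the presentation: it applies the FIPS 199 high-water mark across information types, picks the nested low/moderate/high baseline from a constructed mini-catalog (placeholder identifiers, not SP 800-53 control numbers), and records scoping and compensating-control decisions so the security plan can justify them.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_system(info_types):
    """FIPS 199 security category of a system: for each objective, the highest
    (high-water mark) impact across every information type the system handles."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}


def overall_impact(category):
    """FIPS 200 overall impact level: the highest objective-level impact.
    This single level selects the low, moderate, or high control baseline."""
    return max(category.values())


@dataclass(frozen=True)
class Control:
    """Catalog entry: the lowest baseline that includes it (baselines are nested,
    low within moderate within high) and whether it is a control enhancement."""
    ident: str
    title: str
    first_baseline: Impact
    enhancement: bool = False


# Constructed mini-catalog with placeholder identifiers (not real SP 800-53 numbers).
CATALOG = (
    Control("AC-X1", "Account management", Impact.LOW),
    Control("IA-X1", "User identification and authentication", Impact.LOW),
    Control("IA-X1(1)", "Two-factor authentication for network access", Impact.MODERATE, True),
    Control("AU-X1", "Audit record generation", Impact.LOW),
    Control("AU-X1(1)", "Centralized audit review and analysis", Impact.HIGH, True),
    Control("SC-X1", "Boundary protection", Impact.LOW),
    Control("SC-X2", "Secondary storage disk encryption", Impact.MODERATE),
    Control("CP-X1", "Alternate processing site", Impact.HIGH),
)


def select_baseline(level, catalog=CATALOG):
    """Minimum control set for an impact level. Because first_baseline is the lowest
    level that includes a control, low is a subset of moderate, moderate of high."""
    return {c.ident for c in catalog if c.first_baseline <= level}


def tailor(baseline, scoped_out=(), compensating=None):
    """Apply the tailoring decisions the slides name: scoping removes controls that do
    not apply (each with a documented rationale) and a compensating control replaces
    one that cannot be implemented. Every change is recorded for the security plan."""
    compensating = compensating or {}
    tailored = set(baseline)
    record = []
    for ident, rationale in scoped_out:
        if ident in tailored:
            tailored.remove(ident)
            record.append(f"scoped out {ident}: {rationale}")
    for ident, replacement in compensating.items():
        if ident in tailored:
            tailored.remove(ident)
            tailored.add(replacement)
            record.append(f"compensating control {replacement} in place of {ident}")
    return tailored, record
```

Adding a single HIGH-confidentiality information type to an otherwise moderate system raises the whole system to the high baseline, which is exactly why slide 33 asks organizations to reexamine their FIPS 199 categorizations.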

Slide 22: Continuous Monitoring
- Transforming certification and accreditation from a static to a dynamic process.
- Strategy for monitoring selected security controls: which controls are selected and how often they are assessed.
- Control selection driven by volatility and the Plan of Action and Milestones (POAM).
- Facilitates annual FISMA reporting requirements.

Slide 23: External Service Providers
- Organizations are becoming increasingly reliant on information system services provided by external service providers to carry out important missions and functions.
- External information system services are services that are implemented outside of the system's accreditation boundary (i.e., services that are used by, but not a part of, the organizational information system).
- Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges.

Slide 24: External Service Providers
- Organizations have varying degrees of control over external service providers.
- Organizations must establish trust relationships with external service providers to ensure the necessary security controls are in place and are effective in their application.
- Where control of external service providers is limited or infeasible, the organization factors that situation into its risk assessment.

Slide 25: Information System Use Restrictions
- A method to reduce or mitigate risk, for example, when:
  - Security controls cannot be implemented within technology and resource constraints; or
  - Security controls lack reasonable expectation of effectiveness against identified threat sources.
- Restrictions on the use of an information system are sometimes the only prudent or practical course of action to enable mission accomplishment in the face of determined adversaries.

Slide 26: Compliance Schedule: NIST Security Standards and Guidelines
- For legacy information systems, agencies are expected to be in compliance with NIST security standards and guidelines within one year of the publication date unless otherwise directed by OMB or NIST.*
- For information systems under development, agencies are expected to be in compliance with NIST security standards and guidelines immediately upon deployment of the system.
* The one-year compliance date for revisions to NIST Special Publications applies only to the new and/or updated material in the publications resulting from the periodic revision process. Agencies are expected to be in compliance with previous versions of NIST Special Publications within one year of the publication date of the previous versions.

Slide 27: Some Final Thoughts
- Your adversaries don't care about FISMA compliance; they just want to compromise your information systems.
- FISMA is not just a paperwork exercise; it is the application of real security controls to federal information systems that are supporting critical federal missions.

Slide 28: Some Final Thoughts
- The most dangerous person to an enterprise is an uninformed authorizing official.
- FISMA security standards and guidance should not drive the mission; rather, the standards and guidance should support the mission.

Slide 29: Some Final Thoughts
- FISMA is about the application of common sense security; it is not dogma to be followed blindly.
- The only mandatory requirement under the FISMA security standards and guidance is the application of the NIST Risk Management Framework; everything else is negotiable.

Slide 30: Some Final Thoughts
- Policies and procedures are not just FISMA paperwork; they are a corporate statement of commitment to protecting critical enterprise information and information systems, and the necessary details describing how to do it.

Slide 31: Some Final Thoughts
- If the successful accomplishment of enterprise missions depends on information systems, including the information processed, stored, and transmitted by those systems, the systems must be dependable. To be dependable in the face of serious threats, the systems must be appropriately protected.

Slide 32: Some Final Thoughts
- Never underestimate the capabilities of your adversaries.
- Never overestimate the ability of your organization and your personnel to protect critical enterprise missions.
- Information technology: if you can't protect it, don't deploy it.

Slide 33: Quick Tips to help combat particularly nasty adversaries
- Reexamine FIPS 199 security categorizations.
- Remove critical information systems and applications from the network, whenever possible.
- Change the information system architecture; obfuscate network entry paths and employ additional subnets.
- Use two-factor authentication, especially at key network locations.
- Employ secondary storage disk encryption.

Slide 34: The Desired End State: Security Visibility Among Business/Mission Partners
[Figure: Organization One and Organization Two each have an Information System documented by a System Security Plan, a Security Assessment Report, and a Plan of Action and Milestones. Business/mission information flows between the systems, and security information flows between the organizations. Each organization determines the risk to its own operations and assets and the acceptability of such risk.]
The objective is to achieve visibility into prospective business/mission partners' information security programs BEFORE critical/sensitive communications begin, establishing levels of security due diligence and trust.

Slide 35: Key Standards and Guidelines
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- NIST Special Publication (Security Planning)
- NIST Special Publication (Risk Management)
- NIST Special Publication (Certification & Accreditation)
- NIST Special Publication (Recommended Security Controls)
- NIST Special Publication A (Security Control Assessment)
- NIST Special Publication (National Security Systems)
- NIST Special Publication (Security Category Mapping)
Many other FIPS and NIST Special Publications provide security standards and guidance supporting the FISMA legislation...

Slide 36: Contact Information
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD, USA
Project Leader: Dr. Ron Ross, (301)
Administrative Support: Peggy Himes, (301)
Senior Information Security Researchers and Technical Support: Marianne Swanson, (301); Dr. Stu Katzke, (301); Pat Toth, (301); Arnold Johnson, (301); Matt Scholl, (301)
Information and Feedback: Web: csrc.nist.gov/sec-cert; Comments: