Homeland Security Perspectives: Security Scenarios and Their Impact

Homeland Security Perspectives: Security Scenarios and Their Impact
19 September 2012 – InfraGard Special Event
Columbus, Ohio
Bradford Willke, CISSP
Cyber Security Advisor, Mid-Atlantic Region
Office of Cyber Security & Communications
National Protection and Programs Directorate
[email protected]
CYBER SECURITY: TRENDS AND ISSUES
Presenter’s Name
June 17, 2003
2
Growth of Cyber Threats
[Figure: Growth of Cyber Threats, 1980–2012. The chart plots the sophistication of available attack tools (Low to High) rising over the years 1980, 1985, 1990, 1995, 2000 and 2012, while the sophistication required of actors declines. Milestones placed along the curve include: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, network management diagnostics, GUI, sophisticated C2, disabling audits, back doors, sweepers, automated probes/scans, sniffers, www attacks, packet spoofing, distributed attack tools, denial of service, cross site scripting / phishing, “stealth”/advanced scanning techniques, staging and convergence, and, at the high end near 2012, Duqu, Stuxnet and Flame.]
2011 – The Year of the Hack (1 of 2)
January: Canadian Gov’t reports major cyber intrusions at Finance Department and Treasury Board
February: HBGary and HBGary Federal were compromised through social engineering, SQL injection, and other means. Over 50,000 emails of senior executives were released
March: Hackers penetrate French government computer networks in search of sensitive information on upcoming G-20 meetings
March: Cryptography firm, RSA, suffered a massive network intrusion that resulted in the theft of information related to its SecurID tokens (45 million)
April: Epsilon, which handles email and market communications for more than 2,500 clients worldwide (7 of the Fortune 10), exposed millions of customer email addresses
April: Personal information of 102 million registered users of the Sony PlayStation Network and other online gaming services was stolen
May: Lockheed Martin and other Defense Contractors’ networks were penetrated by attackers who used RSA tokens (exploit from prior breach)
May: Citibank - 360,000 accounts hacked, exposing names, numbers, and contact information of bank customers
June: Atlanta’s FBI InfraGard Chapter - usernames and passwords published online
2011 – The Year of the Hack (2 of 2)
June: CIA’s website is shut down for two hours by a DDoS attack by LulzSec
July: Booz Allen Hamilton was hacked by AntiSec, who released a list of >90,000 military email addresses and encrypted passwords and also deleted over 4 GB of source code
August: Operation Shady RAT was discovered by McAfee; more than 70 compromised parties were identified spanning global companies, governments, and non-profit organizations during the last five years
August: Duqu, a trojan similar to Stuxnet, was discovered but may have originated in 2007. Duqu breaches systems and systematically siphons out information
September: SpyEye Banking Trojan evolved to intercept two-factor authentication codes sent via SMS – the first known version for Android
December: Iranian engineers allegedly hacked into a US RQ-170 unmanned aircraft, dubbed the “Beast of Kandahar”, and tricked the drone into landing in their territory
December: U.S. Chamber of Commerce uncovered an attack on its systems; China is suspected of carrying out the attack
December: Anonymous hacked Strategic Forecasting Inc. (Stratfor) networks, then released names, addresses, and credit card details of the security firm’s clients
Summary
Over 50 highly publicized attacks occurred in 2011!!!
Malware will continue to be a significant problem in 2012
 Because more security features are being installed into operating systems, hackers are increasingly likely to target hardware
 Malware authors will reuse past code and improve existing malware
   Similar to the ZeuS source code leak that led to a proliferation of ZeuS malware in 2011, a similar phenomenon is expected in 2012
 Hackers will use legitimate, but compromised, websites and target unpatched web plugins to spread malware
 Experts predict that malware by spam will be delivered mainly by zipped malware attachments or links to malicious websites and drive-by downloads
Attacks on mobile devices will continue to grow significantly
 While other operating systems will not be entirely overlooked, many researchers expect mobile malware to heavily target the Android platform
 Many researchers expect malicious actors to focus on financial applications for mobile devices as they represent the greatest potential for profit
 The increasing use of employee-owned devices in the workplace has led some security experts to predict several significant organizational data breaches due to a lack of security oversight on personal devices
Hacktivism will continue to expand beyond denial of service attacks
 Hacktivists will increasingly steal and release data on political targets, especially private personal information
 It is likely that larger hacktivist groups, like Anonymous, will spin off smaller elements based on more specific goals
 Among several likely goals for Anonymous-style groups will be greater cooperation and coordination between hacktivists and physical protest demonstrators
 Some security experts expect an off-shoot group to attempt more hardline attacks, possibly against financial institutions and critical infrastructure
www.familysecuritymatters.org
Experts predict that country-sponsored advanced persistent threats (APT) will be more numerous
 With the funding and resources that a country can offer, these attacks are likely to be sophisticated and very difficult to detect and stop
 Experts predict that these attacks will target critical infrastructure systems
 Some experts do not predict outright cyber war in 2012. Instead, they predict that countries will continue to develop and carry out Stuxnet-style proof of concept attacks
Attacks on cloud-based services are inevitable
 Because of increasing usage and lower costs, more individuals and organizations are moving data to the cloud
 Some experts even predict that the cloud will begin to take over traditional infrastructure and become the primary computing environment
 As a result, the cloud will continue to be an attractive target for cybercriminals, who will continue to attack and may succeed in penetrating cloud security defenses; some experts predict a major breach in 2012
 As users continue to migrate data to the cloud, cloud providers will begin to provide service management strategies
Social media accounts are a major target for hackers
 Hijacked social media accounts will become valuable commodities on the online black market
 A stolen account gives the thief access to personal information and a group of friends who grant that account a higher level of trust than e-mail from unknown persons
 A higher level of trust from a known contact will be increasingly leveraged to create sophisticated targeted attacks
 Traditional attacks on social networks will still continue, such as “likejacking,” where scammers trick users into posting malicious links to their social networking profiles using attention-catching headlines
Web and Client Side Attacks
 Web and client side attacks are increasing
 Organizations tend to focus patching and vulnerability scanning on the operating systems rather than web applications
 Over half of the total number of attacks occur on Web applications
 Capabilities of client side attacks are increasing (drag and drop)
 The three main types of web vulnerabilities:
   SQL Injection: a vulnerability that allows a hacker to alter backend SQL database statements by manipulating user input. Web applications accept user input which is placed into a SQL statement.
   Cross Site Scripting: allows an attacker to send malicious code to another user. Browsers don’t know which code is trusted, so they execute the script, allowing the attacker to compromise the browser.
   Buffer Overflows: occur when a program writes data to a buffer and overwrites adjacent memory. They result in erratic program behavior.
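As an added illustration of the SQL Injection bullet above (example code written for this page, not taken from the presentation), the following Python contrasts the "user input placed into a SQL statement" pattern with a parameterized query, using a constructed in-memory SQLite table so it runs offline:

```python
"""Added example (not part of the presentation): why concatenating user input
into a SQL statement lets the input change the statement, and why binding the
value as a parameter does not. All data below is constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the input is spliced into the statement text, so a
    quote character in the input ends the literal and the rest of the input
    becomes part of the WHERE clause itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the statement is fixed at development time and the
    driver binds the value, so the input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both lookups with a benign name and with the textbook tautology
    input that a tester uses to show the statement's structure changed."""
    conn = make_db()
    benign = "alice"
    crafted = "' OR '1'='1"  # constructed test input, closes the literal
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_parameterized": lookup_parameterized(conn, benign),
        # every row comes back: the predicate became ... = '' OR '1'='1'
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),
        # no row matches: the whole string was compared as a username
        "crafted_parameterized": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same contrast applies to any driver that supports placeholders; the defensive rule the slide implies is that user input must never reach the statement text, only its bound parameters.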
UNCLASSIFIED // FOR OFFICIAL USE ONLY
Other Cyber Security Trends
 Existing Threats Expanding into New Problems
   Malware, worms, and Trojan horses will continue to spread
   Botnets and zombies will piggyback on legitimate network communications and continue to proliferate
   Scareware (fake/rogue security software)
   Attacks on client-side software
 Changing Technical Environments
   Attacks on social networking sites
   Virtual environment cross pollination
   Risks and vulnerabilities in cloud computing
Attribution Challenges
[Diagram: the path from attacker to victim passes through layers that obscure the true source]
 Web Proxy Services
 Onion Routers
 Botnets
 Compromised hosts / computers
 Foreign ISPs
 Encryption
Highlights collaboration with Intelligence Community
DHS CYBER INITIATIVES AND CAPABILITIES
CS&C Structure
CS&C (Office of Cybersecurity and Communications) discharges its responsibilities through four components:
 Office of Emergency Communications (OEC): Supports the ability of emergency responders and government officials to continue to communicate during natural or man-made disasters
 National Communication System (NCS), which includes the National Coordinating Center for Telecommunications (NCC): Ensures viable national security and emergency preparedness communications services and infrastructure during crises
 National Cyber Security Division (NCSD), which includes the Computer Emergency Readiness Team (US-CERT) and ICS-CERT: Collaborates with public and private sector and international entities to secure America’s cyber and communications assets
 National Cybersecurity and Communications Integration Center (NCCIC): Provides national common operational picture for cybersecurity and communications across Federal, State, local government, intelligence and law enforcement, and private sector communities
OEC in Brief
The mission of the Office of Emergency Communications (OEC) is to unify and lead the nationwide effort to improve emergency communications capabilities across all levels of government.
Responsibilities include:
 Accelerate and attain interoperable and operable emergency communications nationwide through grants programs for funding and interoperability/operability public safety standards development.
 Support interoperability assistance projects by identifying available spectrum, collecting requirements, procuring equipment, addressing policy issues, and collaborating agreements among Federal, State, and local agencies.
NCS in Brief
The mission of the National Communications System (NCS) is to enable national security and emergency preparedness (NS/EP) telecommunications during crisis. NCS works through a consortium of 24 Federal departments that lease or own significant telecommunications assets, facilities, and services.
Responsibilities include:
 Provide and coordinate Federal Government NS/EP communications at all times – natural emergency, attack, recovery, and reconstitution.
 Lead emergency support communications preparedness and response.
 Manage the NS/EP communications services.
 Lead Communications Sector risk assessment and steady-state planning.
 Operate the National Coordinating Center for Telecommunications (NCC), a joint industry/Government-staffed center that assesses damage, identifies NS/EP requirements, and prioritizes restoration efforts.
Select NCS Initiatives
 Government Emergency Telecommunications Service (GETS): Provides emergency access and priority processing of telephone calls on the public telephone network during emergencies and network congestion.
 Telecommunications Service Priority (TSP): Authorizes NS/EP organizations for priority treatment for new or restoration of voice and data circuits lost due to disasters to help with recovery.
 Wireless Priority Service (WPS): Enables priority transmission for emergency calls from cellular telephones by command and control personnel who manage and respond to NS/EP situations.
 SHAred RESources (SHARES) High Frequency Radio: Enables NS/EP communications through a single Federal interagency emergency message handling and frequency radio spectrum management system. Participating radio stations accept and relay messages until a receiving station is able to deliver the message to the intended addressee.
 National Security Telecommunications Advisory Council (NSTAC): Gives industry-based advice to the President of the United States on the reliability and security of the information and communications infrastructure critical to national security and commercial interests.
NCSD in Brief
The mission of the National Cyber Security Division (NCSD) is to work collaboratively with public, private, and international entities to secure America’s information technology (IT) assets.
Responsibilities include:
 Provide cyber threat and vulnerability analysis, early warning, and incident response assistance for public and private sector constituents.
 Conduct risk assessments of and mitigate vulnerabilities and threats to IT assets and activities affecting operation of Federal civilian government and private sector critical IT infrastructure in collaboration with the private sector, all levels of government, military, and intelligence stakeholders.
ICS-CERT
 The Industrial Control System – Computer Emergency Readiness Team (ICS-CERT) provides a control system security focus, in collaboration with US-CERT, to:
– Respond to and analyze control systems related incidents
– Conduct vulnerability & malware analysis
– Provide onsite support for incident response and forensic analysis
– Provide situational awareness in the form of actionable intelligence
– Coordinate the responsible disclosure of vulnerabilities/mitigations
– Share and coordinate vulnerability information & threat analysis through information products and alerts
 ICS-CERT resources:
– Control Systems Advisories and Reports
– Monthly Monitor Newsletters
– Incident Reporting System
 Reference: http://www.us-cert.gov/control_systems/ics-cert/
NCCIC in Brief
The mission of the National Cybersecurity and Communications Integration Center (NCCIC) is to serve as a national center for reporting of and mitigating communications and cybersecurity incidents.
Sponsored by NCS and NCSD, NCCIC integrates communications and cybersecurity operations.
Responsibilities include:
 Provide alerts, warnings, and a common operating picture on cyber and communications incidents in real time to virtual and on-site partners.
 Work 24x7 with partners to mitigate incidents.
– On-site partners include the Department of Defense, Federal Bureau of Investigation, Secret Service, Information Sharing and Analysis Centers (ISACs) and DHS components such as Office of Industry and Analysis.
– Public and private sector partners share and receive information subject to information sharing protocols.
Select NCCIC Initiatives
 Common Operational Picture: Provides national common operating picture on cyber and communications incidents to virtual and on-site partners, enabling all information to be known as it becomes known.
 24 x 7: Operates 24 x 7 and works with all levels of government and private sector partners to diagnose, analyze, and mitigate incidents.
 Integrated Operations and Assistance: Integrates communications and IT operations of US-CERT, ICS-CERT, and NCC, resulting in more effective and efficient responses to the convergence of those two sectors to mitigate and thwart malicious activity.
 Initial Alerts, Warnings, Analysis, and Reports: Shares initial operational and intelligence analysis, guidance and mitigation strategies, fused analysis of reporting, latest developments and status of incidents and threats.
CS&C Partnerships
Partnerships are a force multiplier, facilitating more efficient and effective use of resources for all.
CS&C partnerships and collaborative initiatives include but are not limited to:
 Cybersecurity Partners Local Access Plan: Provides security-cleared CI owners and operators, State technology and law enforcement officials access to secret-level cybersecurity information via local fusion centers.
 Cross-Sector Cybersecurity Working Group: Brings government and all CI sectors together to address risk across sectors. Shares protective measures, common vulnerabilities, and expertise in a comprehensive forum.
 Communications ISAC: Facilitates collaboration and information sharing among government and industry on vulnerabilities, threats, and intrusions, and performs analysis with the goal of averting or mitigating impact on the telecommunications infrastructure.
 Industrial Controls Systems Joint Working Group: Provides a vehicle for communicating and partnering across all CI Sectors between Federal agencies and private sector owners/operators of industrial control systems.
Cyber Partnership Examples
 AMSC Cyber Sub-Committee (Pittsburgh)
 MS-ISAC (Multi-State Information Sharing and Analysis Center)
 Philadelphia FBI Field Office – Computer Intrusion Threat Analysis System (CITAS) Project
 VALGITE (Virginia Local Government IT Executives)
 VOICCE (Virginia’s Operational Integration Cyber Center of Excellence)
Area Maritime Security Committee: Cyber Sub-Committee
 DHS, USCG, CIKR, and Business Partnership
 Committee Premises:
   Incident response and continuity of operations still need work
   Partners need credible planning templates and test-able scenarios
   A SME database for cyber responders is useful and needed
   Organizations need a “411” system for information on where to voluntarily report cyber incidents, request technical assistance, request non-technical incident handling, and request law enforcement responses
   Organizations would benefit from a local emergency management, “911-like,” function that mobilizes regional and local cyber responses – and creates a regional common operating picture
CITAS Overview
 FBI, InfraGard, and DCIS Project (Philadelphia-Area)
 Project Premises:
   Create a honeynet / honeypot environment in the corporate DMZ
   Create “look and feel” but non-referencing system(s) as targets
   Take “what you know” and use it as a filter
   Find the intermediary victims and unique signatures of adversaries (not just attacking systems)
 Project Successes:
   Notification to those already compromised
   Active investigations of real adversaries
   Improve signatures of known attacks
MS-ISAC Overview
 State, Local, Territorial, and Tribal Partnership
 Operated by NY-based Center for Internet Security
 Operational Services:
   Incident coordination, handling, and response
   “Albert” services for threat monitoring, detection, and prevention
   Fee-for-Service model for vulnerability and “PEN” testing
   Low cost ($.75/student) for annual cyber security awareness & training
   FREE post-incident vulnerability and mitigation service
   Broad assistance with state and local incidents, much beyond cyber
BUILDING CYBER RESILIENCE
Characteristics of Resilience
 Survivability (e.g., the capability of a system to fulfill its purpose in the presence of attacks or failures)
 Disruption Tolerance (e.g., the ability for functions to continue to operate when the supporting infrastructure is not operating at an optimum level)
 Being resilient may mean:
   Remaining accessible whenever possible
   Degrading gracefully when necessary
   Ensuring correctness of operation, even if performance is degraded
   Rapidly and automatically recovering from degradation
   Ensuring that everyone knows the plan of action and what to do and can respond beyond their designated roles if necessary
 Resilience is much more than fault-tolerance, although it does encompass fault tolerance
Resilience Requirements
 A resilience requirement is a constraint that the organization places on the productive capability of an asset to ensure that it remains viable and sustainable when placed into production to support a service
 Three levels of resilience requirements:
   Enterprise (reflects enterprise-level needs, expectations, and constraints)
   Service (reflects resilience needs of a service in pursuit of its mission)
   Asset (set by the asset owners to establish the asset’s protection and sustainment needs)
 Resilience requirements must reflect the organization’s risk tolerances and appetite, and form the basis for asset protection and sustainment strategies
 Protection and sustainment strategies determine the type and level of controls needed to satisfy resilience requirements (and thus ensure operational resilience)
Cyber Resilience Barriers
 Organizations may find it challenging to maintain cyber security operations in times of stress
   Practices are not easily repeatable across the organization
   Performance requirements are likely to fail
   Key stakeholders are likely to lack situational awareness
 Organizations may not be resilient if key personnel…
   …are absent
   …fail to understand the cause, scope, and scale of the threat, event, or incident
   …fail to apply the appropriate tools, knowledge, and skills as to how to best prepare, respond, and recover
 During times of stress, organizations are likely to:
   Rely upon a high amount of interpersonal, yet informal, communication
   Depend on skills, expertise, experience, and abilities of one or few people
 As employees vary over time, organizations may find it challenging to maintain fidelity and institutional knowledge
Improving Resilience
 Define, standardize, document, and stabilize processes to manage cyber security through consistent, repeatable practices organization-wide
   This enables personnel to behave in a manner that leads to uniformity in practices and effectiveness in decision-making over time and during times of stress, regardless of which personnel are charged with performing the activity
 Process integration across cyber security domains (i.e., activities in one domain align with, inform, feed, and use output from other domains)
   This enables personnel to leverage integrated standards, processes, and procedures to maintain performance over time and during times of stress
 Define communication & notification channels to enable a common understanding to facilitate an effective response
   This enables personnel & key stakeholders to have better situational awareness
 Examine security evaluation results to determine the best course of action based on risk information specific to the operating environment
   However, the organization may find that given time, budget, and resource constraints, existing activities and capabilities are performing at a level commensurate with its current needs
EVALUATING CYBER RESILIENCE
EXAMPLE #1: CYBER RESILIENCE REVIEW
Service-orientation Illustration
[Figure: The organization’s mission is carried out through business processes, which depend on critical services, each with its own service mission. Each critical service relies on assets in production of four types (people, information, technology, facilities), and each asset must be both protected and sustained.]
Operational risk can disrupt an asset, and lead to organizational disruption
CRR Domains
 Asset Management (AM): identify, document, and manage assets during their life cycle
 Controls Management (CNTL): identify, analyze, and manage IT and security controls
 Configuration and Change Management (CCM): ensure the integrity of IT systems and networks
 Vulnerability Management (VM): identify, analyze, and manage vulnerabilities
 Incident Management (IM): identify and analyze IT events, detect cyber security incidents, and determine an organizational response
 Service Continuity Management (SCM): ensure the continuity of essential IT operations if a disruption occurs
 Risk Management (RISK): identify, analyze, and mitigate risks to critical service and IT assets
 External Dependencies Management (EXD): establish processes to manage an appropriate level of IT, security, contractual, and organizational controls that are dependent on the actions of external entities
 Training and Awareness (TRNG): promote awareness and develop skills and knowledge of people
 Situational Awareness (SA): actively discover and analyze information related to immediate operational stability and security
CRR Domain Goals
 The 10 CRR domains represent key areas that typically contribute to an organization’s cyber security resilience
 The domains focus on practices an organization should have in place to ensure the protection & sustainment of its critical service(s)
 Each domain seeks to discover the current state of cyber security management practices by focusing on:
   Documentation in place, and periodically reviewed & updated
     Typically found in strategies, standards, policies, plans, processes, procedures, etc.
   Communication & notification to all those who need to know
   Execution/Implementation & analysis in a consistent, repeatable manner
   Alignment of goals and practices within & across CRR domains
 Participants will be asked to identify capacities & capabilities in performing, planning, managing, measuring, and defining cyber security practices and behaviors in each domain
Sector Capability Levels, 2009 - 2011
[Figure: bar chart of the number of assessments (0 to 25) by sector, broken down by capability level HIGH, MED, and LOW]
CRR Architecture
[Diagram of the review structure]
 10 Domains → Domain Goals → Domain Practice Questions (focused activity; process activities, “what to do”), each of which is either:
   Required (what to do to achieve the capability)
   Expected (how to accomplish the goal)
 4 MIL Levels [per Domain] → 13 MIL Questions [per Domain]: process institutionalization elements (“making it stick”)
Objectives and Controls
Vulnerability Management
Purpose of Vulnerability Management: To identify, analyze, and manage vulnerabilities in a critical service’s operating environment
[Figure: Vulnerability Lifecycle – Identify → Evaluate → Reduce/Mitigate → Document → Monitor, fed by both pulled information and pushed information]
Goal 1 – Conduct preparation for vulnerability analysis and resolution activities
Goal 2 – Establish and maintain a process for identifying and analyzing vulnerabilities
Goal 3 – Manage exposure to identified vulnerabilities
Goal 4 – Address the root causes of vulnerabilities
Incident Management
Purpose of Incident Management: To establish processes to identify and analyze IT events, detect cyber security incidents, and determine an organizational response
[Figure: Security Event(s) → Detected/Notified → Analyze (against evaluation criteria) → Security Incident Declared → Execute Incident Management Plan → Respond (root-cause, personnel, tools/training, authority) → Recover → Monitor (post-mortem review, lessons learned)]
Goal 1 – Establish a process for identifying, analyzing, responding to, and learning from incidents
Goal 2 – Establish a process for detecting, reporting, triaging, and analyzing events
Goal 3 – Declare and analyze incidents
Goal 4 – Establish a process for responding to and recovering from incidents
Goal 5 – Translate post-incident lessons learned into improvement strategies
Examples of External Dependencies
 Hardware: Dell, Cisco, RIM, Apple
 Software: Microsoft, McAfee, Linux, Adobe
 Telecom: Quest, Verizon, AirCard
 DR/BC: HotSiteX, Iron Mountain
 Public Services: Water, Fire Dept., Police
 Identify & assess risks due to external dependencies
– What would happen if one of your dependencies “went away”?
– Are there agreements/contracts in place with all dependencies?
– Do they require facility access, remote access, administrator rights?
 Managing your dependencies
– Vendor contact list, perhaps in the DR/BCP?
National Cyber Security Division
Sources of Threats and Vulnerabilities
 US-CERT National Cyber Alert System: http://www.us-cert.gov/cas/alldocs.html
 SANS Internet Storm Center: http://isc.sans.edu/xml.html
 Common Vulnerabilities and Exposures: http://cve.mitre.org/
 Local InfraGard Chapter: www.infragard.com
 State IT Department
 Multi-State ISAC: http://msisac.cisecurity.org
 Sector Specific ISACs
 Federal Bureau of Investigation: http://www.fbi.gov/aboutus/investigate/cyber/cyber
 DHS’ National Cybersecurity and Communications Integration Center: http://www.dhs.gov/files/programs/nccic.shtm
 United States Secret Service (USSS) Electronic Crimes Task Force: http://www.secretservice.gov/ectf.shtml
Maturity Not Just Capability
 A MIL (Maturity Indicator Level) measures process institutionalization, and describes attributes indicative of mature capabilities.
MIL Level 5 – Defined: All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); measured (MIL-4); and consistent across all internal constituencies who have a vested interest. Processes/practices are defined by the organization and tailored by organizational units for their use, and supported by improvement information shared amongst organizational units.
MIL Level 4 – Measured: All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); and periodically evaluated for effectiveness, monitored & controlled, evaluated against their practice description & plan, and reviewed with higher-level management.
MIL Level 3 – Managed: All practices are performed (MIL-1); planned (MIL-2); and governed by the organization, appropriately staffed/funded, assigned to staff who are responsible/accountable & adequately trained, produce expected work products, placed under appropriate configuration control, and managed for risk.
MIL Level 2 – Planned: All practices are performed (MIL-1); and established, planned, supported by stakeholders, standards and guidelines.
MIL Level 1 – Performed: All practices are performed, and there is sufficient and substantial support for the existence of the practices.
MIL Level 0 – Incomplete: Practices are not being performed, or incompletely performed.
EXAMPLE #2: NATIONWIDE CYBER SECURITY REVIEW
Methodology: Overview
 The 2011 NCSR utilized a Control Maturity Model (CMM) to measure how effective the State and Local government’s risk management programs are at deploying a given cyber security control based on risk management processes.
 This system uses key milestones and benchmarks for measuring the effectiveness of control placement based on risk management processes. At the top levels of the State or local governments, this is important since:
   Controls are certain to be both "in place" and "not in place" depending on entity risk, adoption, security governance, and many other factors;
   Centralized control and security management processes may not be supported by State or local government security governance models. Consequently, measuring the effectiveness or maturity of "process" may not be possible.
NCSR Maturity Model (Level: Control Maturity Level Description)
 Ad-Hoc: Activities for this control are one or more of the following:
- Not performed
- Performed but undocumented / unstructured
- Performed and documented, but not approved by management
 Documented Policy: The control is documented in a policy that has been approved by management and is communicated to all relevant parties.
 Documented Standards / Procedures: The control meets the requirements for Documented Policy and satisfies all of the following:
- A full suite of documented standards and procedures that help guide implementation and management of the enterprise-wide policy
- Communicated to all relevant parties
 Risk Measured: The control meets the requirements for Documented Standards / Procedures and satisfies all of the following:
- Control is at least partially assessed to determine risk
- Management is aware of the risks
 Risk Treated: The control meets the requirements for Risk Measured and satisfies all of the following:
- A risk assessment has been conducted
- Management makes formal risk-based decisions based on the results of the risk assessment to determine the need for the control
- The control is deployed in those areas where justified by risk, but is not deployed where not justified by risk
 Risk Validated: The control meets the requirements for Risk Treated and satisfies all of the following:
- If the control is deployed (in those areas where justified by risk), the effectiveness of the control has been externally audited/tested to validate that the control operates as intended
- If the control is not deployed (in those areas where not justified by risk), management’s decision to not implement the control was determined to be sound
Methodology: Assessed Control Areas
• The 2011 NCSR examined 12 cyber security control areas:
  - Security Program
  - Risk Management
  - Physical Access Controls
  - Logical Access Controls
  - Security Within Technology Lifecycles
  - Information Disposition
  - Malicious Code
  - Monitoring and Audit Trails
  - Incident Management
  - Business Continuity
  - Security Testing
  - Personnel and Contracts
NCSR Tool
• CSEP built and deployed a tool capable of conducting reviews of State and local governments.
  - The tool is housed on the US-CERT Secure Portal and allows State and local government representatives to conduct the assessment on their own schedules.
  - All information provided through the tool was protected from disclosure as Protected Critical Infrastructure Information (PCII).
• The tool is versatile and can be used for a variety of future reviews.
  - The tool can be deployed for future reviews with minimal changes required, allowing baseline comparisons year after year.
  - Alternatively, review questions and guidance text can be easily altered to create new or tailored reviews for any audience.
Nationwide Results: Control Areas
(percent of respondents by maturity level, grouped as on the slide)

Rank | Process Area                         | Ad-Hoc | Documented Policy / Documented Standards and Procedures | Risk Measured / Risk Validated
-----|--------------------------------------|--------|--------------------------------------------------------|-------------------------------
1    | Malicious Code                       | 12%    | 36%                                                    | 52%
2    | Physical Access Control              | 16%    | 39%                                                    | 46%
3    | Logical Access Control               | 18%    | 40%                                                    | 42%
4    | Security Testing                     | 42%    | 22%                                                    | 36%
5    | Incident Management                  | 32%    | 38%                                                    | 31%
6    | Business Continuity                  | 33%    | 36%                                                    | 31%
7    | Personnel and Contracts              | 29%    | 41%                                                    | 30%
8    | Security Program                     | 30%    | 40%                                                    | 30%
9    | Information Disposition              | 27%    | 44%                                                    | 29%
10   | Security within Technology Lifecycle | 36%    | 35%                                                    | 29%
11   | Risk Management                      | 45%    | 26%                                                    | 29%
12   | Monitoring and Audit Trails          | 46%    | 27%                                                    | 28%
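The maturity model above is a cumulative ladder (a control cannot be "Risk Measured" without first meeting "Documented Standards / Procedures"), and the results slide reports that ladder collapsed into three buckets and ranked by the share of respondents in the top bucket. The following Python is an added example, not the NCSR tool or any CSEP code, showing how such a ladder is scored and aggregated. The boolean attribute names are a hypothetical encoding of the slide's criteria, the mapping of "Risk Treated" into the Risk bucket is an assumption (the results slide names only Risk Measured and Risk Validated), and the sample assessments are constructed.

```python
"""Added example: scoring controls against a cumulative maturity ladder
and aggregating respondents into the reporting buckets used on the slide.
Attribute names and sample data are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class ControlAssessment:
    # Hypothetical yes/no answers mirroring the level criteria on the slide.
    policy_approved: bool = False        # policy approved by management
    policy_communicated: bool = False    # policy communicated to relevant parties
    standards_documented: bool = False   # full suite of standards/procedures
    standards_communicated: bool = False
    risk_assessed: bool = False          # control at least partially assessed
    management_aware: bool = False       # management aware of the risks
    formal_risk_decision: bool = False   # formal risk-based decision on need
    deployed_per_risk: bool = False      # deployed where, and only where, justified
    externally_validated: bool = False   # audited/tested, or non-deployment judged sound


def maturity_level(a: ControlAssessment) -> str:
    """Return the highest level whose criteria, and all lower levels' criteria, are met.

    The ladder is cumulative: a control that has been risk-assessed but lacks an
    approved policy is still Ad-Hoc, exactly as the slide defines it.
    """
    ladder = [
        ("Documented Policy", a.policy_approved and a.policy_communicated),
        ("Documented Standards / Procedures",
         a.standards_documented and a.standards_communicated),
        ("Risk Measured", a.risk_assessed and a.management_aware),
        ("Risk Treated", a.formal_risk_decision and a.deployed_per_risk),
        ("Risk Validated", a.externally_validated),
    ]
    level = "Ad-Hoc"
    for name, met in ladder:
        if not met:
            break          # a missing rung stops the climb
        level = name
    return level


# The three reporting buckets of the results slide. Placing "Risk Treated"
# in the Risk bucket is an assumption; the slide does not name that level.
BUCKETS = {
    "Ad-Hoc": "Ad-Hoc",
    "Documented Policy": "Documented",
    "Documented Standards / Procedures": "Documented",
    "Risk Measured": "Risk",
    "Risk Treated": "Risk",
    "Risk Validated": "Risk",
}


def bucket_distribution(assessments):
    """Percent of respondents (rounded) in each bucket for one control area."""
    counts = Counter(BUCKETS[maturity_level(a)] for a in assessments)
    n = len(assessments)
    return {b: round(100 * counts[b] / n) for b in ("Ad-Hoc", "Documented", "Risk")}


def rank_control_areas(results):
    """Rank control areas by share of respondents in the Risk bucket, highest first,
    which is the ordering the nationwide results slide uses."""
    dist = {area: bucket_distribution(a) for area, a in results.items()}
    return sorted(dist.items(), key=lambda kv: kv[1]["Risk"], reverse=True)


if __name__ == "__main__":
    # Constructed sample: two respondents for one area, showing the ladder effect.
    assessed_no_policy = ControlAssessment(risk_assessed=True, management_aware=True)
    print(maturity_level(assessed_no_policy))   # Ad-Hoc, despite the assessment
    print(rank_control_areas({"Malicious Code": [assessed_no_policy,
                                                 ControlAssessment(policy_approved=True,
                                                                   policy_communicated=True)]}))
```

The point the code makes explicit is the one auditors trip over: evidence of risk work does not raise the level unless the documentation rungs beneath it are also in place, so remediation should start at the lowest missing rung.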
Nationwide: Key Findings
• On average, States are more risk-acknowledged in their cyber security controls than local governments. Where possible, local governments should look to utilize State-developed controls and processes.
• In each control area, a majority of respondents had documented policies and standards in place. Organizations that do not have approved and documented policies for each of the controls are encouraged to adopt Federal or information security industry guidance.
• The majority of respondents have Information Security and Disaster Recovery Plans that have been updated within the past five years. However, a smaller number of organizations have conducted recent contingency exercises.
  - It is recommended that all organizations regularly develop and execute a contingency exercise to test their Information Security and Disaster Recovery Plans.
EXAMPLE #3: CYBER SECURITY EVALUATION TOOL
Cyber Security Evaluation Tool (CSET™)
• Stand-alone software application
• Self-assessment using recognized standards
• Tool for integrating cybersecurity into existing corporate risk management strategy
CSET Download: www.us-cert.gov/control_systems/csetdownload.html
CSET Standards
Requirements Derived from Widely Recognized Standards:
- NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems, Rev 3 and with Appendix I, ICS Controls
- ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation, Revision 3.1
- NERC Critical Infrastructure Protection (CIP): Reliability Standards CIP-002 through CIP-009, Revisions 2 and 3
- DoD Instruction 8500.2: Information Assurance Implementation, February 6, 2003
- NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security, June 2011
- NRC Reg. Guide 5.71: Cyber Security Programs for Nuclear Facilities, January 2010
- CFATS RBPS 8 - Cyber: Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 - Cyber, 6 CFR Part 27
- DHS Catalog of Recommendations: DHS Catalog of Control Systems Security, Recommendations for Standards Developers, Versions 6 and 7
CSET screenshots (slide titles only; images not included in this transcript):
- Asset Diagram
- Asset Questions
- Microsoft Visio Integration
- Ranked Question and Areas
FINAL THOUGHTS
Resilience Starts with Good Hygiene
Review Layers of Defense:
• Human: Policies, Procedures, Training
• Applications: Control Systems, Databases
• Operating Systems: Patch Management, Setup
• Networks: Firewalls, Detection Systems
• Physical: Guards, Gates, Surveillance, Lighting

• Review Critical Assets and Important Services
• Identify Security and Business Continuity Requirements
• Map Requirements to Security Standards
• Apply Risk-Based Solutions
• Monitor, Monitor, Monitor… (Lather, Rinse, Repeat…)
• Work with your community-of-interest and other resources
Coordination is the Key
• The vast and interconnected landscape of the nation’s critical infrastructure is subject to risks from cyber attacks
• A secure and resilient national infrastructure can only be achieved through a coordinated effort between government and private stakeholders across all sectors
• Awareness, information sharing, and leveraging the success of others are essential to the coordination strategy
Plan for Resilience: EMA Example

Service Name: Emergency Management (Agency) Operations Service
Service Mission: Management of essential EM records and information necessary to execute command, control, and communications

Considerations:
- What is the strategic importance of the service? Operational control and tactical support of first responder and recovery resources during emergencies, contingencies, and high-security conditions.
- Which asset could be disrupted, and how? Loss of availability of IT systems holding command and control (C&C) records, especially during periods of EM operations, affected by network attack, insider threats, etc.
- What is the impact on the service mission if the asset were disrupted? Loss of situational awareness during command and control operations.
- What consequences would the organization experience? Life, safety, and health of customers (community); delayed restoration and recovery of critical infrastructure and community services.

Assets:
- Technology: WebEOC / Knowledge Center-type systems
- Information: EMA C&C information (i.e., status of events, resources, response)
- People: IT security manager, IT ops manager, continuity planner, …
- Facilities: Data center, wiring closets, clinical areas with IT systems, …

Resilience Requirements:
- Confidentiality: EMA C&C information viewable, by role, only by authorized EMA, responder, and CI personnel
- Integrity: EMA C&C data can be altered only by authorized EMA or trusted personnel
- Availability: EMA C&C data must be available on demand 24x7 to authorized personnel
- Continuity: In emergencies, portions of EMA data must be available for critical / life safety operations
- Recovery: RPO = No more than 20 minutes worth of data loss / RTO = Within ½ hour of system failure
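The recovery requirement above states an RPO of 20 minutes and an RTO of half an hour, and the slide deck recommends exercising contingency plans rather than only documenting them. The following Python is an added example, not part of the presentation or any DHS tool, showing the check a continuity planner would run after such an exercise: it reads a constructed event log (backup completions, a failure, a restore) for a hypothetical C&C records system and tests the observed backup interval and recovery time against those two figures. The log format, event names and timestamps are all constructed.

```python
"""Added example: testing an exercise log against the EMA service's stated
RPO (20 minutes of data loss at most) and RTO (restored within half an hour).
The event log below is constructed; the line format is hypothetical."""
from datetime import datetime, timedelta

RPO = timedelta(minutes=20)   # no more than 20 minutes worth of data loss
RTO = timedelta(minutes=30)   # service restored within half an hour of failure

# Constructed exercise log for a hypothetical C&C records system:
# "<ISO timestamp> <event> <detail>".
EVENTS = """\
2012-09-19T08:00:00 backup ok
2012-09-19T08:15:00 backup ok
2012-09-19T08:30:00 backup ok
2012-09-19T09:05:00 backup ok
2012-09-19T09:12:00 failure primary-db
2012-09-19T09:40:00 restored standby-db
"""


def parse_events(text):
    """Turn log lines into (timestamp, event, detail) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *detail = line.split()
        events.append((datetime.fromisoformat(ts), kind, " ".join(detail)))
    return events


def worst_data_loss(events):
    """Worst-case data loss implied by the log.

    Any gap between successive backups is data that would be lost had the
    failure struck just before the later backup, so the RPO is judged on the
    largest scheduled gap, not only on the gap preceding the actual failure.
    """
    backups = [t for t, k, _ in events if k == "backup"]
    gaps = [b - a for a, b in zip(backups, backups[1:])]
    for f in (t for t, k, _ in events if k == "failure"):
        prior = [b for b in backups if b <= f]
        if prior:
            gaps.append(f - prior[-1])    # data written after the last good backup
    return max(gaps) if gaps else timedelta(0)


def recovery_time(events):
    """Time from the first failure to the first restore after it, or None."""
    fail = next((t for t, k, _ in events if k == "failure"), None)
    if fail is None:
        return None
    rest = next((t for t, k, _ in events if k == "restored" and t > fail), None)
    return None if rest is None else rest - fail


def check_resilience(text):
    """Evaluate a log against RPO and RTO; returns minutes and pass/fail flags."""
    events = parse_events(text)
    loss = worst_data_loss(events)
    rto = recovery_time(events)
    return {
        "worst_data_loss_min": loss.total_seconds() / 60,
        "rpo_met": loss <= RPO,
        "recovery_min": None if rto is None else rto.total_seconds() / 60,
        "rto_met": rto is not None and rto <= RTO,
    }


if __name__ == "__main__":
    for key, value in check_resilience(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed log the restore lands inside the RTO, but the 35-minute gap between the 08:30 and 09:05 backups fails the RPO even though only seven minutes of data were actually at risk when the failure occurred; that is the kind of latent gap an exercise is meant to surface before a real event does.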
Contact Information
Bradford Willke ([email protected])
Cyber Security Advisor, Mid-Atlantic Region
National Cyber Security Division
Office: +1 412-375-4069
Cyber Security Evaluations Email: [email protected]