National Policy Something
National Strategy to Secure
Cyberspace
By Emily Fetchko
9/7/05
The Five W’s
• Who?
– Federal government
– State and local governments
– Private companies and organizations
– Individual Americans
• What?
– Cyberspace, “the nervous system – the
control system of our country”
The Five W’s, continued
• Where?
– Within the government
– Within this country
– At every computer
– All over the globe
• When?
– Starting in Fall 2002
• Why?
– Three main objectives – see next slide
“New and Significant”
• “New” because this is the first
comprehensive policy document about
cybersecurity
• “Significant” because it’s a national policy
document that affects numerous
government organizations
Three Main Objectives
• “Prevent cyber attacks against America’s
critical infrastructures”
• “Reduce national vulnerability to cyber
attacks”
• “Minimize damage and recovery time
from cyber attacks that do occur”
Guiding Principles
• A National Effort
– Share information with nongovernmental
entities
• Protect Privacy and Civil Liberties
• Regulation and Market Forces
– Avoid broad regulations
• Accountability and Responsibility
– Designate lead governmental agencies
• Ensure flexibility
• Multi-Year Planning
Critical Infrastructures
• Agriculture
• Food
• Water
• Health
• Emergency services
• Government
• Defense industrial base
• Information and telecommunications
• Energy
• Transportation
• Banking and finance
• Chemicals and hazardous materials
• Postal and shipping
Lead Agencies
• Department of Homeland Security – Information &
Telecommunications, Transportation, Postal & Shipping,
Emergency Services, Continuity of Government
• Department of the Treasury – Banking and Finance
• Department of Health and Human Services – Public
Health, Food
• Department of Energy – Energy
• Environmental Protection Agency – Water, Chemicals &
Hazardous Materials
• Department of Agriculture – Agriculture, Food
• Department of Defense – Defense Industrial Base
Coordinating Agencies
• Office of Science and Technology Policy – Coordinate
research and development
• Office of Management and Budget – Oversee
implementation of policies and budget
• Department of State – Coordinate international outreach
• Director of Central Intelligence – Assess foreign threat
• Department of Justice and Federal Bureau of
Investigation – Investigate and prosecute cybercrime
Cyber Attacks
• What would someone accomplish with a
cyber attack?
– Espionage
– Mapping US control systems
– Finding key targets
– Installing backdoors
– Attacking critical infrastructures
– Causing distrust in information systems
Five Levels of Vulnerability
• Home User/Small Business
– every computer, every network
• Large companies
– Common targets for attack (large networks)
• Critical sectors/infrastructures
• National
– Software, hardware, protocols
• Global
– World Wide Web
Increasing Threats
The Five Priorities
• I. A National Cyberspace Security
Response System
• II. A National Cyberspace Security Threat
and Vulnerability Reduction Program
• III. A National Cyberspace Security
Awareness and Training Program
• IV. Securing Governments’ Cyberspace
• V. National Security and International
Cyberspace Security Cooperation
Priority I: A Security Response
System
• What does a security response system
do?
– Detect attacks
– Perform analyses
– Issue warnings
– Coordinate response efforts
– Restore lost services
Response System, continued
• Difficulties
– No central vantage point to view cyberspace
– Must protect civil liberties
– Attacks spread quickly
– Cyberspace isn’t controlled by the
government
Response System, continued
• Four components to the Response System
– Analysis
– Warning
– Incident Management
– Response/Recovery
– All four are centered in DHS
Response System, continued
– Analysis
• What kind of information to collect?
– Nature of attack
– Information compromised
– Extent of damage
– Intruder’s intentions
– Tools used in attack
– Vulnerabilities exploited
• Types
– Tactical (“specific”)
– Strategic (“broader”, “long-term”)
– Vulnerability assessment
Response System, continued
• Warning (A/R 1-1 and 1-2)
– Encourage industry to share information
about internet health
– Create a single point of contact for sharing
this information with the federal government
– Expand the Cyber Warning and Information
Network (CWIN) to support DHS
– Link CWIN to private ISACs (information
sharing and analysis centers)
Response System, continued
• Incident Management
– The biggest task in incident management is
linking and coordinating all of the different
organizations in the government:
• DHS
• DOJ
• DOD
• White House
• Office of Science and Technology Policy
• Office of Management and Budget
• And more
Response System, continued
• Response and Recovery (A/R 1-3 to 1-5)
– All about contingency plans
– Create a process to develop them
– Exercise them
– Find weaknesses and improve them
– Encourage corporations to have them
– Develop voluntary ones to restore the Internet
Response System, continued
• Information Sharing
– Companies may not share vulnerability
information because:
• Fear that the government will release confidential,
proprietary or embarrassing information to the
public
• Fear that the competition will receive the
information
• Unsure of how to share the information
Response System, continued
• Information Sharing (A/R 1-6 & 1-7)
– Coordinate a two-way information flow
between government and corporations
• collect information from companies
• sanitize
• release
– Have corporations and colleges form
information sharing groups
– Colleges and universities should team with
ISPs and law enforcement
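The collect / sanitize / release flow on the previous slide is where most sharing efforts stall: the victim wants the attacker's indicators to reach others but does not want its own name, hosts and contacts released. The script below is an added example of the sanitize step (it is not code from the Strategy or from any ISAC); the report text, organization name, address prefixes and domain are constructed for the illustration. Victim-side identifiers are replaced with stable pseudonyms, while external IPs, ports and the attack narrative are left intact because that is the part other defenders need.

```python
"""Sanitizing an incident report before it leaves the victim organization.
Added illustration, not code from the National Strategy; the report text,
organization name, prefixes and domains below are constructed for the example."""
import ipaddress
import re
from typing import Dict, List, Tuple

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sanitize_report(text: str, org_name: str, org_prefixes: List[str],
                    org_domains: List[str]) -> Tuple[str, Dict[str, str]]:
    """Replace identifiers that point at the victim with stable pseudonyms.
    Attacker-side indicators (external IPs, ports, tool names) are kept because
    they are what other organizations need in order to defend themselves.
    Returns (sanitized_text, mapping); the mapping lets the victim re-identify
    anything the government or ISAC later asks about and is never shared."""
    nets = [ipaddress.ip_network(p) for p in org_prefixes]
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def pseudonym(kind: str, value: str) -> str:
        # Same real value always maps to the same token, so the narrative stays readable.
        if value not in mapping:
            counters[kind] = counters.get(kind, 0) + 1
            mapping[value] = f"[{kind}-{counters[kind]}]"
        return mapping[value]

    def ip_sub(m: "re.Match") -> str:
        ip = m.group(0)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return ip                      # dotted string that is not an address
        if any(addr in n for n in nets):
            return pseudonym("VICTIM-IP", ip)
        return ip                          # external infrastructure: keep as an indicator

    out = IPV4_RE.sub(ip_sub, text)
    # E-mail addresses first, so the hostname pass below does not split them.
    out = EMAIL_RE.sub(lambda m: pseudonym("CONTACT", m.group(0)), out)
    for domain in org_domains:
        host_re = re.compile(r"\b[\w.-]*" + re.escape(domain) + r"\b", re.IGNORECASE)
        out = host_re.sub(lambda m: pseudonym("VICTIM-HOST", m.group(0).lower()), out)
    out = re.sub(re.escape(org_name), "[VICTIM-ORG]", out, flags=re.IGNORECASE)
    return out, mapping


# Constructed sample report (fictional utility, RFC 5737 documentation address
# for the attacker, private space for the victim's SCADA network).
ORG_NAME = "Example Water Utility"
ORG_PREFIXES = ["10.20.0.0/16"]
ORG_DOMAINS = ["example-water.gov"]
REPORT = """\
Incident report from Example Water Utility, contact admin@example-water.gov.
On 2005-09-01 the historian scada-hist.example-water.gov (10.20.5.17) began
receiving repeated connections from 203.0.113.45 on TCP/502 after a phishing
message reached ops@example-water.gov. A backdoor was found listening on
10.20.5.17:4444.
"""

if __name__ == "__main__":
    sanitized, mapping = sanitize_report(REPORT, ORG_NAME, ORG_PREFIXES, ORG_DOMAINS)
    print(sanitized)
    print("retained locally:", mapping)
```

The ordering matters: addresses are pseudonymized before hostnames, and e-mail addresses before bare domains, otherwise a later pass would leave fragments of a real identifier behind. Anything outside the victim's own prefixes and domains, including the attacker's address and port, survives untouched.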
Priority II: Threat and Vulnerability
Reduction Program
• Three part effort
– Reduce threats and deter malicious actors
through effective programs to identify and
punish them
– Identify and remediate those existing
vulnerabilities that could create the most
damage to critical systems if exploited
– Develop new systems with fewer vulnerabilities
and assess emerging technologies for
vulnerabilities
Vulnerability Reduction, continued
• Reduce Threats and Deter Malicious
Actors (A/R 2-1)
– DOJ will reduce cyber threats and attacks by:
• Sharing information between federal, state and
local law enforcement
• Providing investigative and forensic resources and
training
• Developing data about victims of cybercrime and
intrusions
Vulnerability Reduction, continued
• Reduce Threats and Deter Malicious
Actors (A/R 2-2)
– DHS will develop a national threat
assessment including:
• Red teaming (“performing a penetration test
without the knowledge of the IT staff but with full
knowledge and permission from upper
management”)
• Blue teaming (“performing a penetration test with
the knowledge and consent of the IT staff”)
• And other methods
Vulnerability Reduction, continued
• Identify and Remediate Existing
Vulnerabilities
– Four major components
• Internet
• Digital Control Systems/Supervisory Control and
Data Acquisition Systems (DCS/SCADA)
• Software and Hardware
• Physical Infrastructure and Interdependency
Vulnerability Reduction, continued
• Identify and Remediate Existing
Vulnerabilities -Internet (A/R 2-4)
– Improve three main protocols
• IP - Investigate the issues related to IPv6 (A/R 2-3)
• DNS - Make attacks more difficult and less
effective
• BGP - Promote secure forms of the routing protocol
– Promote improved internet routing to counter
DoS attacks
• Address verification
• Out-of-band management
– A “code of good conduct” for ISPs
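The "address verification" item above is the routing-side counter to spoofed-source DoS: a provider should refuse packets from a customer interface whose source address was never assigned to that customer. The code below is an added example of that check in the style of BCP 38 ingress filtering; it is not code from the Strategy or from any router vendor, and the interface names, prefix assignments and packet records are constructed. It also covers the IPv6 case, since the same rule applies there.

```python
"""Source-address verification at a provider's customer edge (ingress
filtering in the style of BCP 38).  Added illustration, not code from the
National Strategy; interface names, prefixes and packets are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed: prefixes the provider has assigned to each customer-facing interface.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "eth1": ["203.0.113.0/24"],
    "eth2": ["198.51.100.0/25", "198.51.100.128/26"],
    "eth3": ["2001:db8:1::/48"],          # IPv6 customer; the same check applies
}

# Sources that should never arrive from a customer: unspecified, private,
# loopback, link-local, multicast and reserved space ("bogons").
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def build_table(prefixes: Dict[str, List[str]]):
    """Parse the per-interface prefix lists once so per-packet lookups are cheap."""
    return {iface: [ipaddress.ip_network(p) for p in plist]
            for iface, plist in prefixes.items()}


def verify_source(iface: str, src: str, table) -> Tuple[bool, str]:
    """Strict check: accept only if the source lies in a prefix assigned to the
    interface the packet arrived on.  Returns (accept, reason)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "malformed source address"
    if any(addr in net for net in BOGON_PREFIXES if net.version == addr.version):
        return False, "bogon source"
    allowed = table.get(iface)
    if allowed is None:
        return False, "unknown ingress interface"
    if any(addr in net for net in allowed if net.version == addr.version):
        return True, "source is within the interface's assigned prefixes"
    return False, "source not assigned to this interface (likely spoofed)"


def filter_packets(packets: Iterable[Tuple[str, str, str]], table):
    """Apply verify_source to (iface, src, dst) records.  Returns the accepted
    packets and the dropped ones with their reasons, so an operator can audit
    what the filter blocked."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        ok, reason = verify_source(iface, src, table)
        (accepted if ok else dropped).append((iface, src, dst, reason))
    return accepted, dropped


# Constructed traffic sample: one legitimate packet per interface plus three
# spoofed ones (another customer's prefix, a private address, and a packet
# claiming a would-be victim's address as its source, as in reflection attacks).
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.7", "192.0.2.10"),
    ("eth2", "198.51.100.5", "192.0.2.10"),
    ("eth3", "2001:db8:1::10", "2001:db8:ffff::1"),
    ("eth1", "198.51.100.5", "192.0.2.10"),   # eth1 customer claiming eth2's address
    ("eth2", "10.0.0.1", "192.0.2.10"),       # private source
    ("eth2", "192.0.2.10", "203.0.113.9"),    # claims the victim's address
]

if __name__ == "__main__":
    table = build_table(CUSTOMER_PREFIXES)
    _, dropped = filter_packets(SAMPLE_PACKETS, table)
    for rec in dropped:
        print("DROP", rec)
```

Strict per-interface matching is the right mode for single-homed customers; a multihomed customer may legitimately source addresses learned via another provider, which is why real deployments also offer a loose mode that only requires the source to be reachable somewhere in the routing table.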
Vulnerability Reduction, continued
• DCS/SCADA
– Computer-based systems to remotely control
sensitive processes and physical functions
– Used in water, transportation, chemicals, energy,
manufacturing and more
– Use the Internet to transfer data
– Typically small and self-contained units with limited
power supplies
• To secure them (A/R 2-5), DHS will
– Develop best practices and new technology
– Determine the most critical sites
– Develop a prioritized plan for short-term
improvements
Vulnerability Reduction, continued
• Reduce and Remediate Software
Vulnerabilities (A/R 2-6, 2-7, 2-8)
– Develop a mechanism for vulnerability
disclosure
– Implement patch clearinghouses and share
the results
– Encourage industry to make out-of-the-box
software more secure
• How?
Vulnerability Reduction, continued
• Understand Infrastructure
Interdependency and Improve Physical
Security (A/R 2-9 & 2-10)
– Interdependencies
• Identify them
• Develop plans to reduce them
• Model the impact of them
– Physical security
• Support efforts by owners/operators to secure and
limit access to networking centers
Vulnerability Reduction, continued
• Prioritize the Federal Research and
Development Agenda (A/R 2-11 & 2-12)
– Coordinate and update on an annual basis a
development agenda for near-term (1-3
years), mid-term (3-5 years) and later (5 years
out and longer) IT security research
– Ensure adequate mechanisms exist for
coordination of research between academia,
industry and government
Vulnerability Reduction, continued
– Ensure Future Systems are Secure
• Encourage the private sector to research secure
operating systems in the near-term (A/R 2-13)
• Promote best practices and methodologies for
integrity, security and reliability in code
development (A/R 2-14)
– Assess and Secure Emerging Systems
• Ensure emerging technologies are periodically
reviewed by the appropriate body within the
National Science and Technology Council (A/R 2-15)
Priority III: Security Awareness and
Training Program
• Three main components:
– Promote a national awareness program to
empower all Americans to secure their own
parts of cyberspace
– Foster adequate training and education
programs
– Promote well-coordinated, widely recognized
professional cybersecurity certifications
Awareness and Training, continued
• Awareness for All Levels of Vulnerability
(A/R 3-1 & 3-2)
– Comprehensive awareness program
– Expand the StaySafeOnline campaign
– Develop awards for those in industry who
make significant contributions to security
– Develop programs and guidelines for
primary and secondary students
Awareness and Training, continued
– Specific to home users/small businesses (A/R
3-3)
• Encourage them to secure their systems
• Make it easier for them to secure their systems
– Large enterprises (A/R 3-4)
• Conduct audits regularly
• Develop continuity plans for offsite staff &
equipment
• Participate in industrywide information sharing
Awareness and Training, continued
– Colleges & Universities (A/R 3-5)
• Form ISACs
• Empower Chief Information Officers
• Use best practices for IT security
• Develop user awareness programs
– Private sector (A/R 3-6)
• Find the gap between private and government
R&D
• Share research
• Develop best practices
– State and local governments are encouraged
to invest in information security measures.
Awareness and Training, continued
• Training
– DHS will implement and encourage programs
to train cybersecurity professionals including
scholarships, fellowship and traineeship
programs created by the Cyber Security
Research and Development Act. (A/R 3-7)
– DHS will develop a coordination mechanism
linking federal cybersecurity and computer
forensics training programs. (A/R 3-8)
Awareness and Training, continued
• Certification
– Encourage efforts needed to develop security
certification programs that will be broadly
accepted by the public and private sectors.
DHS and other agencies can aid by
articulating the needs of the federal IT security
community. (A/R 3-9)
Priority IV: Securing Governments’
Cyberspace
• In the Federal Government
– Continuously Assess Threats and
Vulnerabilities to Federal Cyber Systems
• OMB found serious weaknesses including:
– lack of senior management attention to security
– lack of performance measurement
– failure to detect and report information on vulnerabilities
– poor security education
– Continuously Assess Threats and
Vulnerabilities Within Agencies
• Use automated tools to do security assessment
(A/R 4-1)
Securing Government, continued
– Authenticate and Maintain Authorization for
Users of Federal Systems (A/R 4-2)
• E-Authentication initiative
• Review the need for stronger access control
• Explore the extent to which all departments can
employ the same physical and logical control tools
and authentication mechanisms
– Secure Federal Wireless Local Area Networks
• Consider installing systems to monitor for
unauthorized connections. Also consider the use
of strong encryption, bi-directional authentication,
shielding standards and other security
mechanisms. (A/R 4-3)
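"Monitor for unauthorized connections" is the one item on this slide that is purely operational, so here is an added example of what that monitoring looks like in practice (not code from the Strategy or from any access-point vendor). The log line format, access-point names, station MAC addresses and the allow-list are all constructed for the illustration. The detector flags two things: a station that is not in the asset inventory associating, and an inventoried MAC that turns up on a second access point while still associated on the first, which is how a cloned MAC usually shows itself.

```python
"""Flagging unauthorized wireless associations from access-point logs.
Added illustration, not code from the National Strategy; the log format,
AP names, MAC addresses and the allow-list are constructed for the example."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed log format: "<date> <time> <ap-name> STA <mac> IEEE 802.11: <event>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ap>\S+) STA "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) IEEE 802\.11: "
    r"(?P<event>authenticated|associated|disassociated|deauthenticated)$"
)

# Constructed asset inventory: station MACs that are allowed on the WLAN.
AUTHORIZED_STATIONS: Set[str] = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}

Record = Tuple[datetime, str, str, str]   # (timestamp, ap, mac, event)
Alert = Tuple[datetime, str, str, str]    # (timestamp, ap, mac, reason)


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; lines in any other format are ignored, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["ap"], m["mac"].lower(), m["event"])


def detect_unauthorized(log_text: str, authorized: Set[str]) -> List[Alert]:
    """Walk the log in order, tracking which AP each station is associated with,
    and raise an alert for unknown stations and for allow-listed MACs that
    associate on a second AP without first leaving the previous one."""
    associated: Dict[str, str] = {}      # mac -> ap it is currently associated on
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, ap, mac, event = rec
        if event == "associated":
            if mac not in authorized:
                alerts.append((ts, ap, mac, "unauthorized station associated"))
            elif mac in associated and associated[mac] != ap:
                alerts.append((ts, ap, mac,
                               f"already associated on {associated[mac]}: possible MAC clone"))
            associated[mac] = ap
        elif event in ("disassociated", "deauthenticated"):
            associated.pop(mac, None)
    return alerts


# Constructed sample: a known laptop, an unknown station that comes and goes,
# then the known laptop's MAC appearing on a second AP while still on the first.
SAMPLE_LOG = """\
2005-09-07 08:01:11 ap-bldg3-f2 STA 00:11:22:33:44:55 IEEE 802.11: authenticated
2005-09-07 08:01:12 ap-bldg3-f2 STA 00:11:22:33:44:55 IEEE 802.11: associated
2005-09-07 08:15:03 ap-bldg3-f2 STA de:ad:be:ef:00:01 IEEE 802.11: authenticated
2005-09-07 08:15:04 ap-bldg3-f2 STA de:ad:be:ef:00:01 IEEE 802.11: associated
2005-09-07 08:15:09 ap-bldg3-f2 STA de:ad:be:ef:00:01 IEEE 802.11: disassociated
2005-09-07 08:16:30 ap-lobby STA 00:11:22:33:44:55 IEEE 802.11: authenticated
2005-09-07 08:16:31 ap-lobby STA 00:11:22:33:44:55 IEEE 802.11: associated
2005-09-07 08:20:00 ap-lobby STA 66:77:88:99:aa:bb IEEE 802.11: associated
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for ts, ap, mac, why in detect_unauthorized(SAMPLE_LOG, AUTHORIZED_STATIONS):
        print(f"{ts} {ap} {mac}: {why}")
```

A MAC allow-list on its own is weak, since a station address is trivially changed; it is the pairing with the per-AP state (and, as the slide says, with strong encryption and mutual authentication) that makes the log worth watching.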
Securing Government, continued
– Improve Security in Government Outsourcing
and Procurement
• Conduct an extensive review of NIAP, the National
Information Assurance Partnership to determine
the extent to which it is adequately addressing the
problem of security flaws in commercial software
products. (A/R 4-4)
• When available, use NIAP-evaluated products, as
DOD already requires
– Develop Specific Criteria for Independent
Security Reviews
• Investigate if private sector security service
providers need to be certified as meeting certain
minimum capabilities. (A/R 4-5)
Securing Government, continued
• In State and Local Governments
– Many state and local functions are tied to IT
• Payments to welfare recipients
• Access to criminal records
• Operating state and local utilities and transportation systems
– State and local governments are encouraged
to establish IT security programs including
awareness, audits and standards and to
participate in ISACs. (A/R 4-6)
Priority V: National Security and
International Cyberspace Security
Cooperation
• Securing America from Outside Threats
– Small-scale attacks have already taken place
– Need to understand who has the capacity for
larger attacks and to what extent
– Can we ever be secure from terrorists?
National Security, continued
• Associated Recommendations:
– Strengthen Counterintelligence Efforts in
Cyberspace (A/R 5-1)
– Improve Attack Attribution and Prevention
(A/R 5-2)
– Improve Interagency Coordination in Criminal
Matters (A/R 5-3)
– Reserve the Right to Respond in an
Appropriate Manner (A/R 5-4)
National Security, continued
• International Cooperation
– Promote a Global “Culture of Security” (A/R 5-5)
– Develop Secure Networks
– Promote North American Cyberspace Security
(A/R 5-6)
• Work with Canada and Mexico to make a “Safe
Cyber Zone” and secure common critical networks
– Encourage Other Nations to Accede to the
Council of Europe Convention on Cybercrime
(A/R 5-10)
National Security, continued
– National and International Watch-and-Warning
Networks (A/R 5-8, 5-9)
• Each nation should:
– Appoint a centralized point of contact for cybersecurity
efforts
– Develop a watch-and-warning network
• The US will facilitate a real-time network to receive,
assess and disseminate this information globally.
• The US encourages regional organizations (like
the EU) to designate a committee for
cybersecurity.
Conclusion
• Extends from the home user to the global
World Wide Web
• Emphasizes the public-private partnership
• Long-term plan in the process of being
implemented
• Most responsibility falls on DHS, but also
affects many other government agencies
• Where are we now?
References
• The National Strategy to Secure
Cyberspace
(http://www.whitehouse.gov/pcipb/)
• Guideline on Network Security Testing
(http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf)