Next Generation Risk Management
Information Security Transformation for the Federal Government

Information System Security Association
Baltimore Chapter

January 27, 2010

Dr. Ron Ross
Computer Security Division
Information Technology Laboratory

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY          1
The Threat Situation

Continuing serious cyber attacks on public and private sector information systems, large and small, targeting key operations and assets…
• Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
• Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising federal information systems.
• Effective deployment of malicious software causing significant exfiltration of sensitive information (including intellectual property) and potential for disruption of critical information systems/services.

What is at Risk?

• Federal information systems supporting Defense, Civil, and Intelligence agencies within the federal government.
• Information systems supporting critical infrastructures within the United States (public and private sector) including:
  - Energy (electrical, nuclear, gas and oil, dams)
  - Transportation (air, road, rail, port, waterways)
  - Public Health Systems / Emergency Services
  - Information and Telecommunications
  - Defense Industry
  - Banking and Finance
  - Postal and Shipping
  - Agriculture / Food / Water / Chemical
• Private sector information systems supporting U.S. industry and businesses (intellectual capital).

The Fundamentals

Combating 21st century cyber attacks requires 21st century strategies, tactics, training, and technologies…
• Integration of information security into enterprise architectures and system life cycle processes.
• Common, shared information security standards for unified cyber command.
• Enterprise-wide, risk-based protection strategies.
• Flexible and agile selection / deployment of safeguards and countermeasures (maximum tactical advantage based on missions / environments of operation).
• More resilient, penetration-resistant information systems.
• Competent, capable cyber warriors.

Strategic Initiatives
The Long-term View

• Build a unified information security framework for the federal government and support contractors.
• Integrate information security and privacy requirements into enterprise architectures.
• Work with industry to develop more secure information technology products.
• Employ systems and security engineering techniques to develop more secure (penetration-resistant) information systems.

Federal Government Transformation

The newly emerging information security publications begin an historic government-wide transformation for risk management and information security driven by…
• Increasing sophistication and operations tempo of cyber attacks.
• Convergence of national and non-national security interests within the federal government.
• Convergence of national security and economic security interests across the Nation.
• Need for unified command in providing effective cyber defenses for the federal government and the Nation.

A Unified Framework for Information Security
The Generalized Model

Unique information security requirements (the "Delta" on top of the common foundation), per community:
  Intelligence Community | Department of Defense | Federal Civil Agencies | Private Sector, State and Local Govt

Common information security requirements: a foundational set of information security standards and guidance
  • Standardized risk management process
  • Standardized security categorization (criticality/sensitivity)
  • Standardized security controls (safeguards/countermeasures)
  • Standardized security assessment procedures
  • Standardized security authorization process

Covers national security and non-national security information systems.

Enterprise-Wide Risk Management
(NIST SP 800-39)

• Multi-tiered Risk Management Approach
• Implemented by the Risk Executive Function
• Enterprise Architecture and SDLC Focus
• Flexible and Agile Implementation

  TIER 1: Organization (Governance)   [strategic risk focus]
  TIER 2: Mission / Business Process (Information Assets and Information Flows)
  TIER 3: Information System (Environment of Operation)   [tactical risk focus]

Risk Management Hierarchy
(NIST SP 800-39: Risk Management Strategy, Tier 1 detail)

  TIER 1: Organization
    - Risk Executive Function (Oversight and Governance)
    - Risk Assessment Methodologies
    - Risk Mitigation Approaches
    - Risk Tolerance
    - Risk Monitoring Approaches
    - Linkage to ISO/IEC 27001
  TIER 2: Mission / Business Process
  TIER 3: Information System

Risk Management Hierarchy
(NIST SP 800-39: Risk Management Strategy, Tier 2 detail)

  TIER 1: Organization
  TIER 2: Mission / Business Process
    - Mission / Business Processes
    - Information Flows
    - Information Categorization
    - Information Protection Strategy
    - Information Security Requirements
    - Linkage to Enterprise Architecture
  TIER 3: Information System

Risk Management Hierarchy
(NIST SP 800-37: Risk Management Framework, Tier 3 detail)

  TIER 1: Organization
  TIER 2: Mission / Business Process
  TIER 3: Information System
    - Linkage to SDLC
    - Information System Categorization
    - Selection of Security Controls
    - Security Control Allocation and Implementation
    - Security Control Assessment
    - Risk Acceptance
    - Continuous Monitoring

Risk Management Framework
Security Life Cycle (SP 800-39)

Starting point: CATEGORIZE Information System (FIPS 199 / SP 800-60)
  Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.

SELECT Security Controls (FIPS 200 / SP 800-53)
  Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

IMPLEMENT Security Controls (SP 800-70)
  Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.

ASSESS Security Controls (SP 800-53A)
  Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).

AUTHORIZE Information System (SP 800-37)
  Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.

MONITOR Security State (SP 800-37 / SP 800-53A)
  Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Defense-in-Depth
Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:
• Risk assessment
• Security planning, policies, procedures
• Configuration management and control
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments and authorization
• Continuous monitoring

Technical controls:
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards

Adversaries attack the weakest link…where is yours?

Unconventional Wisdom

NEW RULE: Boundary protection is no longer sufficient against high-end threats capable of launching sophisticated cyber attacks...
• Complexity of IT products and information systems.
• Insufficient penetration resistance (trustworthiness) in commercial IT products.
• Insufficient application of information system and security engineering practices.
• Undisciplined behavior and use of information technology and systems by individuals.

Applying the Risk Management Framework to Information Systems

Inputs: Risk Executive (Function) inputs; output from automated support tools; near real time security status information.
Artifacts produced: Security Plan (including updated Risk Assessment), Security Assessment Report, and Plan of Action and Milestones, which together form the Authorization Package.
Information System, Risk Management Framework steps: CATEGORIZE Information System; SELECT Security Controls; IMPLEMENT Security Controls; ASSESS Security Controls; AUTHORIZE Information System; MONITOR Security Controls.

Security Control Allocation

• Security controls are defined to be system-specific, hybrid, or common.
• Security controls are allocated to specific components of organizational information systems as system-specific, hybrid, or common controls.
• Security control allocations are consistent with the organization's enterprise architecture and information security architecture.

Security Control Accountability

[Diagram: the Risk Executive Function provides organization-wide risk governance and oversight. Core missions / business processes, their security requirements, and policy guidance flow down to individual information systems. Each information system implements its system-specific controls and keeps its own Security Plan, Security Assessment Report, and Plan of Action and Milestones; hybrid controls are shared between a system and the organization. Common controls (security controls inherited by organizational information systems) are documented enterprise-wide with their own Security Plan, Security Assessment Report, and Plan of Action and Milestones. Ongoing authorization decisions flow from the tactical risk management focus (operational elements) up to the strategic risk management focus, whose top-level risk management strategy informs the operational elements. All of this operates within the Risk Management Framework (RMF).]

The Central Question
From Two Perspectives

• Security Capability Perspective
  What security capability is needed to defend against a specific class of cyber threat, avoid adverse impacts, and achieve mission success? (REQUIREMENTS DEFINITION)
• Threat Capability Perspective
  Given a certain level of security capability, what class of cyber threat can be addressed and is that capability sufficient to avoid adverse impacts and achieve mission success? (GAP ANALYSIS)

Security Control Selection

• STEP 1: Select Baseline Security Controls (NECESSARY TO COUNTER THREATS)
• STEP 2: Tailor Baseline Security Controls (NECESSARY TO COUNTER THREATS)
• STEP 3: Supplement Tailored Baseline (SUFFICIENT TO COUNTER THREATS)
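The three selection steps, together with the CATEGORIZE step that precedes them and the common / hybrid / system-specific allocation described on the Security Control Allocation slide, can be walked through end to end in a short worked example. The block below is added here; it is not code from the presentation or from NIST. The worst-case (high-water-mark) rule is the one FIPS 199 specifies, and the control identifiers (AC-2, AU-6, SI-4 and so on) are SP 800-53 control numbers, but which controls sit in which baseline, the sample information types, and the tailoring and allocation decisions are all constructed for illustration and are not the actual SP 800-53 baselines.

```python
# Added example, not code from the presentation or from NIST: a small model of the
# RMF steps CATEGORIZE -> SELECT (baseline, tailor, supplement) and of allocating
# the resulting controls as common, hybrid or system-specific.
# Control identifiers are SP 800-53 control numbers; the baseline contents, the
# sample information types and the tailoring/allocation decisions are constructed
# for illustration and are NOT the actual SP 800-53 baselines.

LEVELS = ("low", "moderate", "high")            # FIPS 199 impact levels, ascending
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed baseline table: controls added at each impact level. Baselines are
# cumulative, so the moderate baseline contains the low one, and high contains both.
BASELINES = {
    "low":      {"AC-2", "AC-17", "AU-2", "CM-6", "CP-9", "IA-2", "IR-4", "SC-7", "SI-3"},
    "moderate": {"AC-18", "AU-6", "RA-3", "SI-4"},
    "high":     {"AU-10", "SC-8"},
}

# Constructed sample: information type -> (confidentiality, integrity, availability)
SAMPLE_INFO_TYPES = {
    "public web content": ("low", "moderate", "moderate"),
    "payment records":    ("moderate", "high", "moderate"),
    "system audit logs":  ("low", "moderate", "low"),
}


def high_water_mark(info_types):
    """CATEGORIZE (FIPS 199): the system's impact level for each security objective is
    the worst case over its information types, and the overall level is the worst case
    over the three objectives."""
    objectives = ("confidentiality", "integrity", "availability")
    category = {}
    for i, objective in enumerate(objectives):
        category[objective] = max((levels[i] for levels in info_types.values()),
                                  key=RANK.__getitem__)
    category["overall"] = max((category[o] for o in objectives), key=RANK.__getitem__)
    return category


def select_baseline(level):
    """SELECT, step 1: the baseline for `level` is the union of every baseline at or
    below it."""
    selected = set()
    for name in LEVELS[: RANK[level] + 1]:
        selected |= BASELINES[name]
    return selected


def tailor(baseline, not_applicable, parameters):
    """SELECT, step 2: scope out controls that do not apply (keeping the rationale for
    the security plan) and assign organization-defined parameter values."""
    tailored = set(baseline)
    rationale = {}
    for control, reason in not_applicable.items():
        if control in tailored:
            tailored.remove(control)
            rationale[control] = "scoped out: " + reason
    assigned = {control: value for control, value in parameters.items() if control in tailored}
    return tailored, rationale, assigned


def supplement(tailored, additions):
    """SELECT, step 3: add controls the risk assessment shows are needed beyond the
    tailored baseline."""
    return set(tailored) | set(additions)


def allocate(controls, common, hybrid):
    """Allocate each control: inherited from the organization (common), shared between
    organization and system (hybrid), or implemented by the system (system-specific)."""
    allocation = {}
    for control in sorted(controls):
        if control in common:
            allocation[control] = "common"
        elif control in hybrid:
            allocation[control] = "hybrid"
        else:
            allocation[control] = "system-specific"
    return allocation


def build_plan(info_types=SAMPLE_INFO_TYPES):
    """Run CATEGORIZE and SELECT end to end on the constructed inputs and return the
    pieces a security plan would record."""
    category = high_water_mark(info_types)
    baseline = select_baseline(category["overall"])
    tailored, rationale, params = tailor(
        baseline,
        not_applicable={"AC-18": "the system has no wireless components"},
        parameters={"AU-6": "review audit records weekly"},
    )
    # Constructed risk-assessment outcome: add software integrity checking (SI-7) and
    # incident monitoring (IR-5) beyond the tailored baseline.
    controls = supplement(tailored, {"SI-7", "IR-5"})
    allocation = allocate(controls,
                          common={"IR-4", "IR-5", "CP-9"},   # inherited org-level capabilities
                          hybrid={"AU-6", "SC-7"})           # partly enterprise, partly system
    return {"category": category, "controls": controls, "rationale": rationale,
            "parameters": params, "allocation": allocation}


if __name__ == "__main__":
    plan = build_plan()
    print("Category:", plan["category"])
    print("Controls:", sorted(plan["controls"]))
    print("Allocation:", plan["allocation"])
    print("Tailoring rationale:", plan["rationale"])
```

Running the block categorizes the sample system as high (the payment records' integrity level pulls the whole system up, which is exactly the worst-case behaviour the CATEGORIZE slide describes), selects the cumulative high baseline, scopes out the wireless control with a recorded rationale, supplements from the risk assessment, and records for every control whether it is inherited, hybrid or system-specific; the rationale and allocation dictionaries are the information the security plan has to carry so that the assessor and the authorizing official can see why each control is present and who is accountable for it.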

[Diagram: Risk Management Framework cycle, CATEGORIZE Information/System; SELECT Security Controls; IMPLEMENT Security Controls; ASSESS Security Controls; AUTHORIZE Information System; MONITOR Security Controls.]

Cyber Preparedness

Adversary capabilities and intentions (LOW to HIGH) matched against defender security capability (LOW to HIGH):
  THREAT LEVEL 1  <->  CYBER PREP LEVEL 1   (LOW)
  THREAT LEVEL 2  <->  CYBER PREP LEVEL 2
  THREAT LEVEL 3  <->  CYBER PREP LEVEL 3
  THREAT LEVEL 4  <->  CYBER PREP LEVEL 4
  THREAT LEVEL 5  <->  CYBER PREP LEVEL 5   (HIGH)

An increasingly sophisticated and motivated threat requires increasing preparedness…

Dual Protection Strategies

• Boundary Protection
  Primary Consideration: Penetration Resistance
  Adversary Location: Outside the Defensive Perimeter
  Objective: Repelling the Attack

• Agile Defense
  Primary Consideration: Information System Resilience
  Adversary Location: Inside the Defensive Perimeter
  Objective: Operating while under Attack

Agile Defense

• Boundary protection is a necessary but not sufficient condition for Agile Defense
• Examples of Agile Defense measures:
  - Compartmentalization and segregation of critical assets
  - Targeted allocation of security controls
  - Virtualization and obfuscation techniques
  - Encryption of data at rest
  - Limiting of privileges
  - Routine reconstitution to known secure state

Bottom Line: Limit damage of hostile attack while operating in a (potentially) degraded mode…

Trust and Reciprocity

[Diagram: Organization One and Organization Two exchange mission / business information flows between their information systems and share risk management information: each organization's Security Plan, Security Assessment Report, and Plan of Action and Milestones. Each organization determines risk to its operations and assets, individuals, other organizations, and the Nation, and the acceptability of such risk.]

The objective is to achieve transparency of prospective partners' information security programs and processes…establishing trust relationships based on common, shared risk management principles.

Key Risk Management Publication

NIST Special Publication 800-53, Revision 3
Recommended Security Controls for Federal Information Systems and Organizations
August 2009
  - Updating all material from NIST Special Publication 800-53, Revision 2
  - Incorporating security controls from Draft CNSS Instruction 1253
  - Incorporating new security controls for advanced cyber threats
  - Incorporating information security program-level controls
  - Incorporating threat appendix for cyber preparedness (separately vetted and added to SP 800-53, Revision 3 when completed)

Key Risk Management Publication

NIST Special Publication 800-37, Revision 1
Guide for Applying the Risk Management Framework to Federal Information Systems
Projected: February 2010
  - Incorporating comments from Initial Public Draft
  - Implementing guideline for Risk Management Framework
  - Transforming previous certification and accreditation process
  - Integrating Risk Management Framework into the SDLC
  - Greater emphasis on monitoring of information system security state
  - Ongoing security authorizations informed by risk executive function
  - Greater accountability and assurances for common (inherited) controls
  - Increased use of automated support tools

Key Risk Management Publication

NIST Special Publication 800-39
Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View
Projected: June 2010
  - Incorporating public comments from NIST Special Publication 800-39, Second Public Draft
  - Incorporating three-tiered risk management approach: organization, mission/business process, and information system views
  - Incorporating cyber preparedness information
  - Providing ISO/IEC 27001 mapping to risk management publications

Key Risk Management Publication

NIST Special Publication 800-53A, Revision 1
Guide for Assessing the Security Controls in Federal Information Systems and Organizations
Projected: April 2010
  - Updating all assessment procedures to ensure consistency with NIST Special Publication 800-53, Revision 3
  - Developing new assessment procedures for information security program management controls
  - Updating web-based assessment cases for inventory of assessment procedures

Key Risk Management Publication

NIST Special Publication 800-30, Revision 1 (Initial Public Draft)
Guide for Conducting Risk Assessments
Projected: August 2010
  - Down-scoping current publication from risk management focus to risk assessment focus
  - Providing guidance for conducting risk assessments at each step in the Risk Management Framework
  - Incorporating threat information for cyber preparedness

Transformation… Getting There

Current State -> The Future
• Lack of reciprocity in authorization and assessment results -> Enabled reciprocity and information sharing
• Resource intensive -> Improve security postures (architecture and information)
• Redundant and duplicative activities -> Streamline processes and improve end-product quality
• Inconsistent policy and process implementation -> Uniform set of policies and practices
• Lack of automation (for both workflow and testing tools) -> Consistent implementation and use of automated tools
• Lack of standardized documentation and artifacts to facilitate informed decisions -> More effective resource allocation; reduce costs
• Three-year "Paperwork Drill" -> Continuous monitoring

Contact Information

100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930

Project Leader: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov
Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov

Senior Information Security Researchers and Technical Support:
Marianne Swanson, (301) 975-3293, marianne.swanson@nist.gov
Kelley Dempsey, (301) 975-2827, kelley.dempsey@nist.gov
Pat Toth, (301) 975-5140, patricia.toth@nist.gov
Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov

Web: csrc.nist.gov/sec-cert
Comments: sec-cert@nist.gov