780 likes | 979 Vues
Defending the United States in the Digital Age A Risk Management Framework to Improve Information Security ISACA Denver Chapter Annual General Meeting April 19, 2012. Dr. Ron Ross Computer Security Division Information Technology Laboratory. Part 1 The Fundamentals.
E N D
Defending the United Statesin the Digital AgeA Risk Management Framework to Improve Information SecurityISACA Denver Chapter Annual General MeetingApril 19, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory
Information technology is our greatest strength and at the same time, our greatest weakness…
Explosive growth and aggressive use of information technology. Proliferation of information systems and networks with virtually unlimited connectivity. Increasing sophistication of threat including exponential growth rate in malware (malicious code). Resulting in an increasing number of penetrations of information systems in the public and private sectors… The Perfect Storm
Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals… Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated. Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions. Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property). Potential for disruption of critical systems and services. The Threat Situation
Advanced Persistent Threat An adversary that — Possesses significant levels of expertise / resources. Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception). Establishes footholds within IT infrastructure of targeted organizations— To exfiltrate information. Undermine / impede critical aspects of a mission, program, or organization. Position itself to carry out these objectives in the future.
Unconventional Threats to Security Connectivity Culture Complexity
The Present We have our heads under the hood looking at every last detail in the engine compartment—that is, pursuing an endless number of information system vulnerabilities…
Instead of trying to figure out what type of car we need— that is, what level of information system resiliency is necessary to effectively support our core missions and business functions…
Active Cyber Defenses – The Future Develop risk-aware mission and business processes. Develop and implement enterprise architectures with embedded information security architectures that support organizational mission/business processes. Use information technology wisely considering current threat landscape (capabilities, intent, and targeting). Develop and implement robust continuous monitoring programs.
Cyber Defense VisionCore Principles Strong, resilient, penetration-resistant information systems supporting core missions / mission processes. Ongoing monitoring of the security state of information systems and environments of operation. Continuous improvement in security controls. Flexibility and agility in cyber security and risk management activities.
Core ConceptsIT Products and Systems Modularity. Layering. Monitoring. To achieve defense-in-depth and defense-in-breadth.
Boundary Protection Primary Consideration: Penetration Resistance Adversary Location: Outside the Defensive Perimeter Objective: Repelling the Attack Agile Defense Primary Consideration: Information System Resilience Adversary Location: Inside the Defensive Perimeter Objective: Operating while under Attack Dual Protection Strategies
Boundary protection is a necessary but not sufficient condition for Agile Defense Examples of Agile Defense measures: Compartmentalization and segregation of critical assets Targeted allocation of security controls Virtualization and obfuscation techniques Encryption of data at rest Limiting of privileges Routine reconstitution to known secure state Bottom Line: Limit damage of hostile attack while operating in a (potentially) degraded mode… Agile Defense
STRATEGIC RISK FOCUS TACTICAL RISK FOCUS Enterprise-Wide Risk Management • Multi-tiered Risk Management Approach • Implemented by the Risk Executive Function • Enterprise Architecture and SDLC Focus • Flexible and Agile Implementation TIER 1 Organization (Governance) TIER 2 Mission / Business Process (Information and Information Flows) TIER 3 Information System (Environment of Operation)
Integrates information security more closely into the enterprise architecture and system life cycle. Promotes near real-time risk management and ongoing system authorization through the implementation of robust continuous monitoring processes. Provides senior leaders with necessary information to make risk-based decisions regarding information systems supporting their core missions and business functions. Characteristics of Risk-Based Approaches(1 of 2)
Links risk management activitiesat the organization, mission, and information system levels through a risk executive (function). Establishes responsibility and accountability for security controls deployed within information systems. Encourages the use of automation to increase consistency, effectiveness, and timeliness of security control implementation. Characteristics of Risk-Based Approaches(2 of 2)
Risk Management Process Risk Framing Risk Framing Risk Risk Framing Risk Framing
enterprise architecture (Reference Models, Segment Architecture, Solution Architecture) information security architecture (Security Requirement and Control Allocation) risk management strategy informs informs informs informs INFORMATION SYSTEM INFORMATION SYSTEM INFORMATION SYSTEM Architectural and Engineering Approach Organization Mission / Business Process Mission / Business Process Mission / Business Process Environments of Operation
Consolidation. Optimization. Standardization. Wise use of information technology… Build a leaner, more streamlined IT infrastructure that facilitates more effective deployment of security controls to organizational information systems and environments of operation. Enterprise Architecture
Starting Point CATEGORIZE Information System Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. MONITOR Security Controls SELECT Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. Security Life Cycle AUTHORIZE Information System IMPLEMENT Security Controls Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. ASSESS Security Controls Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). Risk Management Framework
Defense-in-Depth Links in the Security Chain: Management, Operational, and Technical Controls • Risk assessment • Security planning, policies, procedures • Configuration management and control • Contingency planning • Incident response planning • Security awareness and training • Security in acquisitions • Physical security • Personnel security • Security assessments and authorization • Continuous monitoring • Access control mechanisms • Identification & authentication mechanisms (Biometrics, tokens, passwords) • Audit mechanisms • Encryption mechanisms • Boundary and network protection devices (Firewalls, guards, routers, gateways) • Intrusion protection/detection systems • Security configuration settings • Anti-viral, anti-spyware, anti-spam software • Smart cards Adversaries attack the weakest link…where is yours?
Determine effectiveness of risk mitigation measures. Identify changes to information systems and environments of operation. Verify compliance. Bottom Line: Increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation. Why Continuous Monitoring?
Assurance and Trustworthiness TRUSTWORTHINESS Information Systems Security Capability Prevent Attacks, Deter Attacks, Limit Harm from Attacks, Respond to Attacks, Recover from Attacks FUNCTIONALITY Security Features, Functions, Services, Mechanisms, Procedures ASSURANCE Measures of Confidence Security Strength Correctness, Completeness, Resistance to Tamper and Bypass Development Actions Operational Actions Security Evidence Development Artifacts, Test/Evaluation Results, Flaw Reports Enables Understanding of Security Capability
Unified Information Security Framework The Generalized Model Unique Information Security Requirements The “Delta” C N S S Intelligence Community Department of Defense Federal Civil Agencies Private Sector State/Local Govt • Foundational Set of Information Security Standards and Guidance • Risk management (organization, mission, information system) • Security categorization (information criticality/sensitivity) • Security controls (safeguards and countermeasures) • Security assessment procedures • Security authorization process Common Information Security Requirements National security and non national security information systems
Joint Task Force Transformation Initiative A Broad-Based Partnership — • National Institute of Standards and Technology • Department of Defense • Intelligence Community • Office of the Director of National Intelligence • 17 U.S. Intelligence Agencies • Committee on National Security Systems
Joint Task Force Transformation InitiativeCore Risk Management Publications • NIST Special Publication 800-39 Managing Information Security Risk: Organization, Mission, and Information System View • NIST Special Publication 800-37, Revision 1 Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach • NIST Special Publication 800-30, Revision 1 Guide for Conducting Risk Assessments Projected September 2011 (Public Draft) Completed Completed
Joint Task Force Transformation InitiativeCore Risk Management Publications • NIST Special Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations • NIST Special Publication 800-53A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans Completed Completed
Risk Assessment Guideline Systems and Security Engineering Guideline Update to NIST Special Publication 800-53, Revision 4 Insider Threats Application Security Supply Chain Security Advanced Persistent Threats Industrial / Process Control Systems Mobile Devices, Cloud Computing Privacy Controls Focus Areas — 2012 and Beyond
Starting Point CATEGORIZE Information System Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. MONITOR Security Controls SELECT Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. Security Life Cycle AUTHORIZE Information System IMPLEMENT Security Controls Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. ASSESS Security Controls Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). Risk Management Framework
Security Categorization Guidance for Mapping Types of Information and Information Systems to FIPS 199 Security Categories SP 800-60 Example: An Organizational Information System Baseline Security Controls for High Impact Systems
Security Controls • The management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. 34
Security Control Baselines(Appendix D) Master Security Control Catalog Complete Set of Security Controls and Control Enhancements Minimum Security Controls Low Impact Information Systems Minimum Security Controls Moderate Impact Information Systems Minimum Security Controls High Impact Information Systems Baseline #1 Baseline #2 Baseline #3 Selection of a subset of security controls from the master catalog—consisting of basic level controls Builds on low baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements Builds on moderate baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements
Tailoring Security ControlsScoping, Parameterization, and Compensating Controls Baseline Security Controls Low Impact Information Systems Baseline Security Controls Moderate Impact Information Systems Baseline Security Controls High Impact Information Systems Organization #1 Operational Environment #1 Organization #2 Operational Environment #2 Organization #3 Operational Environment #3 Low Baseline Moderate Baseline High Baseline Tailored Security Controls Tailored Security Controls Tailored Security Controls Cost effective, risk-based approach to achieving adequate information security…
Expanded Tailoring Guidance(1 of 2) Identifying and designating common controls in initial security control baselines. Applying scoping considerations to the remaining baseline security controls. Selecting compensating security controls, if needed. Assigning specific values to organization-defined security control parameters via explicit assignment and selection statements.
Expanded Tailoring Guidance(2 of 2) Supplementing baselines with additional security controls and control enhancements, if needed. Providing additional specification information for control implementation.
Document risk management decisions made during the tailoring process to provide information necessary for authorizing officials to make risk-based authorization decisions. Tailoring the Baseline
Common Risk Management Process • NIST Special Publication 800-37, Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach • Developed by Joint Task Force Transformation Initiative Working Group • Office of the Director of National Intelligence • Department of Defense • Committee on National Security Systems • National Institute of Standards and Technology • Final Public Draft (November 2009) • Final Publication (February 2010)
Purpose • Provide guidelines for applying the Risk Management Framework to federal information systems— • To ensure that managing risk from information systems is consistent with mission/business objectives and the overall risk strategy established by the senior leadership through the risk executive (function). • To ensure that information security requirements, including necessary security controls, are integrated into the organization’s enterprise architecture and system development life cycle processes. • To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results. • To achieve more secure information and information systems through the implementation of appropriate risk mitigation strategies.
Applicability • Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. • National security systems with the approval of federal officials exercising policy authority over such systems. State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.
Target Audience • Individuals with mission/business ownership responsibilities or fiduciary responsibilities. • Individuals with information system development and integration responsibilities. • Individuals with information system and/or security management/oversight responsibilities. • Individuals with information system and security control assessment and monitoring responsibilities. • Individuals with information security implementation and operational responsibilities.
Mainstreaming Information Security • Information security requirements must be considered first order requirements and are critical to mission and business success. • An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.
System Development Life Cycle(1 of 2) • RMF steps are carried out within the five phases of the SDLC. • System Initiation Phase • System Development / Acquisition Phase • System Implementation Phase • System Operation / Maintenance Phase • System Disposal Phase • Flexibility on types of SDLC models employed by the organization (e.g., spiral, waterfall, agile development).
System Development Life Cycle(2 of 2) • Integrating information security requirements into the SDLC provides the most efficient and cost-effective method for an organization to ensure that: • Cost, schedule, and performance requirements are satisfied. • Missions and business operations supported by the information system are adequately protected. • Security-related activities are carried out as early as possible and not repeated unnecessarily. • Risk management activities are not isolated or decoupled from the management processes employed to develop, implement, operate, and maintain the information system.
SECURITY PLAN including updated Risk Assessment SECURITY ASSESSMENT REPORT PLAN OF ACTION AND MILESTONES INFORMATION SYSTEM CATEGORIZE Information System SELECT Security Controls MONITOR Security Controls AUTHORIZE Information System IMPLEMENT Security Controls ASSESS Security Controls Applying the Risk Management Framework to Information Systems Output from Automated Support Tools Near Real Time Security Status Information Risk Executive (Function) Inputs Authorization Package Risk Management Framework
Information System Boundaries • Define the scope of protection for information systems (i.e., what the organization agrees to protect under its direct control or within the scope of its responsibilities). • Include the people, processes, and technologies that are part of the systems supporting the organization’s missions and business processes. • Need to be established before information system security categorization and the development of security plans.
Large and Complex Systems • From a centralized development, implementation, and operations perspective— • The organization examines the purpose of the information system and considers the feasibility of decomposing the complex system into more manageable components, or subsystems. • From a distributed development, implementation, and operations perspective— • The organization recognizes that multiple entities, possibly operating under different policies, may be contributing to the development, implementation, and/or operations of the subsystems that comprise the overall information system.
Large and Complex Systems(Including System of Systems) organizational information system subsystem LAN ONE subsystem LAN TWO subsystem GUARD DYNAMIC SUBSYSTEM DYNAMIC SUBSYSTEM SUBSYSTEM GUARD / GATEWAY (Sub) System Boundary dynamic external subsystem Static external subsystem - Security plan reflects information system decomposition with security controls assigned to each subsystem component. - Security assessment procedures tailored for the security controls in each subsystem component and for the combined system level. - Security control assessment performed on each subsystem component and on system-level controls not covered by subsystem security control assessments. - Security authorization conducted on the information system as a whole.