National Strategy to Secure Cyberspace
By Emily Fetchko, 9/7/05
The Five W’s
• Who?
  • Federal government
  • State and local governments
  • Private companies and organizations
  • Individual Americans
• What?
  • Cyberspace, “the nervous system – the control system of our country”
The Five W’s, continued
• Where?
  • Within the government
  • Within this country
  • At every computer
  • All over the globe
• When?
  • Starting in Fall 2002
• Why?
  • Three main objectives – see next slide
“New and Significant”
• “New” because this is the first comprehensive policy document about cybersecurity
• “Significant” because it’s a national policy document that affects numerous government organizations
Three Main Objectives
• “Prevent cyber attacks against America’s critical infrastructures”
• “Reduce national vulnerability to cyber attacks”
• “Minimize damage and recovery time from cyber attacks that do occur”
Guiding Principles
• A National Effort
  • Share information with nongovernmental entities
• Protect Privacy and Civil Liberties
• Regulation and Market Forces
  • Avoid broad regulations
• Accountability and Responsibility
  • Designate lead governmental agencies
  • Ensure flexibility
• Multi-Year Planning
Critical Infrastructures
• Agriculture
• Food
• Water
• Health
• Emergency services
• Government
• Defense industrial base
• Information and telecommunications
• Energy
• Transportation
• Banking and finance
• Chemicals and hazardous materials
• Postal and shipping
Lead Agencies
• Department of Homeland Security: Information & Telecommunications, Transportation, Postal & Shipping, Emergency Services, Continuity of Government
• Department of the Treasury: Banking and Finance
• Department of Health and Human Services: Public Health, Food
• Department of Energy: Energy
• Environmental Protection Agency: Water, Chemicals & Hazardous Materials
• Department of Agriculture: Agriculture, Food
• Department of Defense: Defense Industrial Base
Coordinating Agencies
• Office of Science and Technology Policy: Coordinate research and development
• Office of Management and Budget: Oversee implementation of policies and budget
• Department of State: Coordinate international outreach
• Director of Central Intelligence: Assess foreign threat
• Department of Justice and Federal Bureau of Investigation: Investigate and prosecute cybercrime
Cyber Attacks
• What would someone accomplish with a cyber attack?
  • Espionage
  • Mapping US control systems
  • Finding key targets
  • Installing backdoors
  • Attacking critical infrastructures
  • Causing distrust in information systems
Five Levels of Vulnerability
• Home User/Small Business
  • every computer, every network
• Large companies
  • Common targets for attack (large networks)
• Critical sectors/infrastructures
• National
  • Software, hardware, protocols
• Global
  • World Wide Web
The Five Priorities
• I. A National Cyberspace Security Response System
• II. A National Cyberspace Security Threat and Vulnerability Reduction Program
• III. A National Cyberspace Security Awareness and Training Program
• IV. Securing Governments’ Cyberspace
• V. National Security and International Cyberspace Security Cooperation
Priority I: A Security Response System
• What does a security response system do?
  • Detect attacks
  • Perform analyses
  • Issue warnings
  • Coordinate response efforts
  • Restore lost services
Response System, continued
• Difficulties
  • No central vantage point to view cyberspace
  • Must protect civil liberties
  • Attacks spread quickly
  • Cyberspace isn’t controlled by the government
Response System, continued
• Four components to the Response System
  • Analysis
  • Warning
  • Incident Management
  • Response/Recovery
• All of these are centered in the DHS
Response System, continued
• Analysis
  • What kind of information to collect?
    • Nature of attack
    • Information compromised
    • Extent of damage
    • Intruder’s intentions
    • Tools used in attack
    • Vulnerabilities exploited
  • Types
    • Tactical (“specific”)
    • Strategic (“broader”, “long-term”)
    • Vulnerability assessment
Response System, continued
• Warning (A/R 1-1 and 1-2)
  • Encourage industry to share information about internet health
  • Create a single point of contact for sharing this information with the federal government
  • Expand the Cyber Warning and Information Network (CWIN) to support DHS
  • Link CWIN to private ISACs (information sharing and analysis centers)
Response System, continued
• Incident Management
  • The biggest task in incident management is linking and coordinating all of the different organizations in the government.
    • DHS
    • DOJ
    • DOD
    • White House
    • Office of Science and Technology Policy
    • Office of Management and Budget
    • And more
Response System, continued
• Response and Recovery (A/R 1-3 to 1-5)
  • All about contingency plans
    • Create a process to develop them
    • Exercise them
    • Find weaknesses and improve them
    • Encourage corporations to have them
    • Develop voluntary ones to restore the Internet
Response System, continued
• Information Sharing
  • Companies may not share vulnerability information because:
    • Fear that the government will release confidential, proprietary or embarrassing information to the public
    • Fear that the competition will receive the information
    • Unsure of how to share the information
Response System, continued
• Information Sharing (A/R 1-6 & 1-7)
  • Coordinate a two-way information flow between government and corporations
    • collect information from companies
    • sanitize
    • release
  • Have corporations and colleges form information sharing groups
  • Colleges and universities should team with ISPs and law enforcement
Priority II: Threat and Vulnerability Reduction Program
• Three-part effort
  • Reduce threats and deter malicious actors through effective programs to identify and punish them
  • Identify and remediate those existing vulnerabilities that could create the most damage to critical systems if exploited
  • Develop new systems with fewer vulnerabilities and assess emerging technologies for vulnerabilities
Vulnerability Reduction, continued
• Reduce Threats and Deter Malicious Actors (A/R 2-1)
  • DOJ will reduce cyber threats and attacks by:
    • Sharing information between federal, state and local law enforcement
    • Providing investigative and forensic resources and training
    • Developing data about victims of cybercrime and intrusions
Vulnerability Reduction, continued
• Reduce Threats and Deter Malicious Actors (A/R 2-2)
  • DHS will develop a national threat assessment including:
    • Red teaming (“performing a penetration test without the knowledge of the IT staff but with full knowledge and permission from upper management”)
    • Blue teaming (“performing a penetration test with the knowledge and consent of the IT staff”)
    • And other methods
Vulnerability Reduction, continued
• Identify and Remediate Existing Vulnerabilities
  • Four major components
    • Internet
    • Digital Control Systems/Supervisory Control and Data Acquisition Systems (DCS/SCADA)
    • Software and Hardware
    • Physical Infrastructure and Interdependency
Vulnerability Reduction, continued
• Identify and Remediate Existing Vulnerabilities - Internet (A/R 2-4)
  • Improve three main protocols
    • IP - Investigate the issues related to IPv6 (A/R 2-3)
    • DNS - Make attacks more difficult and less effective
    • BGP - Promote secure forms
  • Promote improved internet routing to counter DoS attacks
    • Address verification
    • Out-of-band management
    • A “code of good conduct” for ISPs
Vulnerability Reduction, continued
• DCS/SCADA
  • Computer-based systems to remotely control sensitive processes and physical functions
  • Used in water, transportation, chemicals, energy, manufacturing and more
  • Use the Internet to transfer data
  • Typically small and self-contained units with limited power supplies
• (A/R 2-5) To secure them, DHS will
  • Develop best practices and new technology
  • Determine the most critical sites
  • Develop a prioritized plan for short-term improvements
Vulnerability Reduction, continued
• Reduce and Remediate Software Vulnerabilities (A/R 2-6, 2-7, 2-8)
  • Develop a mechanism for vulnerability disclosure
  • Implement patch clearinghouses and share the results
  • Encourage industry to make out-of-the-box software more secure
    • How?
Vulnerability Reduction, continued
• Understand Infrastructure Interdependency and Improve Physical Security (A/R 2-9 & 2-10)
  • Interdependencies
    • Identify them
    • Develop plans to reduce them
    • Model the impact of them
  • Physical security
    • Support efforts by owners/operators to secure and limit access to networking centers
Vulnerability Reduction, continued
• Prioritize the Federal Research and Development Agenda (A/R 2-11 & 2-12)
  • Coordinate and update on an annual basis a development agenda for near-term (1-3 years), mid-term (3-5 years) and later (5 years out and longer) IT security research
  • Ensure adequate mechanisms exist for coordination of research between academia, industry and government
Vulnerability Reduction, continued
• Ensure Future Systems are Secure
  • Encourage the private sector to research secure operating systems in the near-term (A/R 2-13)
  • Promote best practices and methodologies for integrity, security and reliability in code development (A/R 2-14)
• Assess and Secure Emerging Systems
  • Ensure emerging technologies are periodically reviewed by the appropriate body within the National Science and Technology Council (A/R 2-15)
Priority III: Security Awareness and Training Program
• Three main components:
  • Promote a national awareness program to empower all Americans to secure their own parts of cyberspace
  • Foster adequate training and education programs
  • Promote well-coordinated, widely recognized professional cybersecurity certifications
Awareness and Training, continued
• Awareness for All Levels of Vulnerability (A/R 3-1 & 3-2)
  • Comprehensive awareness program
  • Expand the StaySafeOnline campaign
  • Develop awards for those in industry who make significant contributions to security
  • Develop programs and guidelines for primary and secondary students
Awareness and Training, continued
• Specific to home users/small businesses (A/R 3-3)
  • Encourage them to secure their systems
  • Make it easier for them to secure their systems
• Large enterprises (A/R 3-4)
  • Conduct audits regularly
  • Develop continuity plans for offsite staff & equipment
  • Participate in industrywide information sharing
Awareness and Training, continued
• Colleges & Universities (A/R 3-5)
  • Form ISACs
  • Empower Chief Information Officers
  • Use best practices for IT security
  • Develop user awareness programs
• Private sector (A/R 3-6)
  • Find the gap between private and government R&D
  • Share research
  • Develop best practices
• State and local governments are encouraged to invest in information security measures.
Awareness and Training, continued
• Training
  • DHS will implement and encourage programs to train cybersecurity professionals, including the scholarship, fellowship and traineeship programs created by the Cyber Security Research and Development Act. (A/R 3-7)
  • DHS will develop a coordination mechanism linking federal cybersecurity and computer forensics training programs. (A/R 3-8)
Awareness and Training, continued
• Certification
  • Encourage efforts needed to develop security certification programs that will be broadly accepted by the public and private sectors. DHS and other agencies can aid by articulating the needs of the federal IT security community. (A/R 3-9)
Priority IV: Securing Governments’ Cyberspace
• In the Federal Government
  • Continuously Assess Threats and Vulnerabilities to Federal Cyber Systems
    • OMB found serious weaknesses including:
      • lack of senior management attention to security
      • lack of performance measurement
      • failure to detect and report information on vulnerabilities
      • poor security education
  • Continuously Assess Threats and Vulnerabilities Within Agencies
    • Use automated tools to do security assessment (A/R 4-1)
Securing Government, continued
• Authenticate and Maintain Authorization for Users of Federal Systems (A/R 4-2)
  • E-Authentication initiative
  • Review the need for stronger access control
  • Explore the extent to which all departments can employ the same physical and logical control tools and authentication mechanisms
• Secure Federal Wireless Local Area Networks
  • Consider installing systems to monitor for unauthorized connections. Also consider the use of strong encryption, bi-directional authentication, shielding standards and other security mechanisms. (A/R 4-3)
Securing Government, continued
• Improve Security in Government Outsourcing and Procurement
  • Conduct an extensive review of NIAP, the National Information Assurance Partnership, to determine the extent to which it is adequately addressing the problem of security flaws in commercial software products. (A/R 4-4)
  • When available, always use DOD-evaluated products
• Develop Specific Criteria for Independent Security Reviews
  • Investigate whether private sector security service providers need to be certified as meeting certain minimum capabilities. (A/R 4-5)
Securing Government, continued
• In State and Local Governments
  • Many state and local functions are tied to IT
    • Payments to welfare recipients
    • Access to criminal records
    • Operating state and local utilities and transportation
  • State and local governments are encouraged to establish IT security programs including awareness, audits and standards, and to participate in ISACs. (A/R 4-6)
Priority V: National Security and International Cyberspace Security Cooperation
• Securing America from Outside Threats
  • Small-scale attacks have already taken place
  • Need to understand who has the capacity for larger attacks and to what extent
  • Can we ever be secure from terrorists?
National Security, continued
• Associated Recommendations:
  • Strengthen Counterintelligence Efforts in Cyberspace (A/R 5-1)
  • Improve Attack Attribution and Prevention (A/R 5-2)
  • Improve Interagency Coordination in Criminal Matters (A/R 5-3)
  • Reserve the Right to Respond in an Appropriate Manner (A/R 5-4)
National Security, continued
• International Cooperation
  • Promote a Global “Culture of Security” (A/R 5-5)
    • Develop Secure Networks
  • Promote North American Cyberspace Security (A/R 5-6)
    • Work with Canada and Mexico to make a “Safe Cyber Zone” and secure common critical networks
  • Encourage Other Nations to Accede to the Council of Europe Convention on Cybercrime (A/R 5-10)
National Security, continued
• National and International Watch-and-Warning Networks (A/R 5-8, 5-9)
  • Each nation should:
    • Appoint a centralized point of contact for cybersecurity efforts
    • Develop a watch-and-warning network
  • The US will facilitate a real-time network to receive, assess and disseminate this information globally.
  • The US encourages regional organizations (like the EU) to designate a committee for cybersecurity.
Conclusion
• Extends from the home user to the global World Wide Web
• Emphasizes the public-private partnership
• Long-term plan in the process of being implemented
• Most responsibility falls on DHS, but also affects many other government agencies
• Where are we now?
References
• The National Strategy to Secure Cyberspace (http://www.whitehouse.gov/pcipb/)
• Guideline on Network Security Testing, NIST SP 800-42 (http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf)