100 likes | 239 Views
The State of Cybersecurity “A View From Inside the Beltway”. Robert Y. Bigman* Chief, Information Assurance Group Central Intelligence Agency. *The opinions contained herein are mine and not necessarily shared by the CIA. State of Cybersecurity. Recent High Profile Breaches
E N D
The State of Cybersecurity “A View From Inside the Beltway” Robert Y. Bigman*Chief, Information Assurance Group Central Intelligence Agency *The opinions contained herein are mine and not necessarily shared by the CIA.
State of Cybersecurity • Recent High Profile Breaches • JTF Strike Fighter design drawings stolen • Classified data on the President’s helicopter accidentally leaked over P2P file sharing network • Chinese reportedly penetrate U.S. electric grid, also infect 1,200 government computers in 103 countries • Heartland Payment Systems resulted in expenses and accruals of $12.6 million • Hannaford Brothers exposed 4.2 million credit and debit card numbers • UC Berkley loses 160,000 health and personal records
State of Cybersecurity • Worse of All • The Agent.BTZ Story • The Chinese • The Global Criminal Element • The Global Hacker with a Habit
State of Cybersecurity • Security/Privacy on the Internet • “It’s as if everyone was driving in a new city without license plates.” • “It’s the Wild Wild West without even local sheriffs.” • “For most users it is as if they landed on another planet with only water and oxygen in common.”
State of Cybersecurity • So Why is This Happening? • The value (to global organized crime and state/non-state actors) far outweighs the risks • Global legal remedies not even a discussion topic • Where are the boundaries on the Internet? • The ease of remote access • The vulnerabilities inherent in commercial IT products • The shocking lack of competent IA talent • The shocking lack of organizational commitment to implementing basic IA capabilities and procedures
State of Cybersecurity • “Inside The Beltway” Solutions to The Problem • Lets pass laws • Lets regulate the internet • Lets appoint a Cyberczar • Lets create a Cyber-command
State of Cybersecurity • What’s Missing • While some new laws and regulations are needed, developing a meaningful public-private partnership is more important • Cybersecurity literacy requires investment • We have to value secure software like we current value feature-rich software • We need a trusted identity for all internet users
State of Cybersecurity • Common Sense Procedural Measures • Limit users ability to transfer data to only those trained and certified • Train and certify system administrators • Have all users trained and sign a memorandum of information assurance responsibilities • Install IA into all IT configuration management boards and practices
State of Cybersecurity • Common Sense Technical Measures • Implementing NIST, NSA, and DISA Stig Configuration Guides • NIST SP800-53 - Twenty critical controls • Two-Factor Authentication • Patching • DEP • IPSEC • DNSSEC • Device Locking/DLP • Host Intrusion Detection • Source Code Testing