Learn about the basic concepts, threats, and best practices associated with cybersecurity in the Department of Defense (DoD). Understand the policies and principles that support cybersecurity for DoD Information Technology (IT) and the major components of the Risk Management Framework (RMF) for DoD IT.
Today we will learn to:
• Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
• Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
• Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT).
• Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT).
Cybersecurity

Lesson Plan
• Cybersecurity Concepts
• Cybersecurity in the DoD
• The Risk Management Framework (RMF) for DoD Information Technology (IT)
• RMF Steps
• Exercise
What is Information Assurance/Cybersecurity?
Information Assurance (IA)—Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (Department of Defense Directive (DoDD) 8500.01E, April 23, 2007)
Cybersecurity—Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. (Department of Defense Instruction (DoDI) 8500.01, March 14, 2014)

5 Aspects (Pillars) of Cybersecurity
The five pillars named in the definitions above are availability, integrity, authentication, confidentiality, and non-repudiation. (Pillar definitions taken from CNSS Instruction No. 4009, National Information Assurance Glossary, 26 April 2010.)
The Importance of Cybersecurity
• We Depend on Communication Superiority for Combat Effectiveness
• Cybersecurity Enables Communication Superiority in a Net-Centric Environment
The job of cybersecurity is to protect and enable the user.
Cyber: A National Vulnerability
“A cyber attack perpetrated by nation states or extremist groups could be as destructive as the terrorist attack on 9/11.”
Leon E. Panetta, Former Secretary of Defense
“Cyber attack and cyber defense are here to stay. We as a nation are ill prepared for it, as is every other nation.”
General Peter Pace, USMC (Ret), former Chairman of the Joint Chiefs of Staff
• “Current DoD actions, though numerous, are fragmented. Thus DoD is not prepared to defend against this threat.”
• “DoD Red teams, using cyber attack tools which can be downloaded from the internet, are very successful at defeating our systems.”
• “With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks.”
Source: DoD Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat (January 2013)
What is the Biggest Threat to your Organization?
Threats can come from: cyber terrorists, espionage, social engineering, e-mail viruses, employee error, natural disasters, portable memory devices, fired employees, botnets, rootkits, wireless Internet access, …

Cyber Incidents and Origins (charts)
Source: Akamai, Q2 2014. Source: US-CERT, selected incident report categories.

Attack Sophistication vs. Intruder Technical Knowledge (chart)
Sources: Carnegie Mellon University, 2002, and Idaho National Laboratory, 2005.
Types of System Threats
To protect against adversarial threats (as well as known natural threats), it is necessary to create a defense-in-depth strategy. (NIST SP 800-82)
• Passive threats
  • Interception—an unauthorized party gains access to an asset (an attack on confidentiality).
• Active threats
  • Interruption—a system asset becomes unavailable or unusable (an attack on availability).
  • Modification—an unauthorized party gains access to and modifies the asset (an attack on confidentiality and integrity).
  • Fabrication—an unauthorized party inserts counterfeit assets into the system (an attack on authenticity and integrity).
Stuxnet and Duqu
Stuxnet
• Discovered in June of 2010; its true intent was discovered in 2011.
• Its mission was to spread as a worm until it found Siemens SCADA systems.
• Variants of Stuxnet got into five different Iranian facilities used to make uranium rods.
• The worm got into the facilities even though the networks had no outside connections for it to travel through.
• It slightly altered the rotation of centrifuges in order to botch the enrichment process.
• The subtle changes were impossible to measure because the activity logs had been altered.
Duqu
• Masqueraded as a Microsoft Word document.
• Had specific targets in eight Middle Eastern countries.
• Shared some code with Stuxnet.
• Its ultimate goal is either unknown or unreleased.
Insider Threat Best Practices
From Common Sense Guide to Mitigating Insider Threats, 4th Edition—December 2012, Software Engineering Institute, Carnegie Mellon
• Consider threats from insiders and business partners in enterprise-wide risk assessments.
• Clearly document and consistently enforce policies and controls.
• Incorporate insider threat awareness into periodic security training for all employees.
• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
• Anticipate and manage negative issues in the work environment.
• Know your assets.
• Implement strict password and account management policies and practices.
• Enforce separation of duties and least privilege.
• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
• Institute stringent access controls and monitoring policies on privileged users.

Insider Threat Best Practices (Continued)
• Institutionalize system change controls.
• Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
• Monitor and control remote access from all end points, including mobile devices.
• Develop a comprehensive employee termination procedure.
• Implement secure backup and recovery processes.
• Develop a formalized insider threat program.
• Establish a baseline of normal network device behavior.
• Be especially vigilant regarding social media.
• Close the doors to unauthorized data exfiltration.
Defense in Depth
Department of Defense Directive 8500.01 (Purpose Statement)
• DoD will implement a multi-tiered cybersecurity risk management process to protect U.S. interests, DoD operational capabilities, and DoD individuals, organizations, and assets from the DoD Information Enterprise level, through the DoD Component level, down to the IS level, as described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 and Committee on National Security Systems (CNSS) Policy (CNSSP) 22.
Definition of Defense in Depth
• Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. (CNSSI 4009—IA Glossary)

Defense in Depth—A Closer Look (diagram)
Defense in Depth: Common Security Tactics
Cryptography
• Simply put, hiding information. Includes secret-key and public-key cryptography and hash functions.
Firewalls
• Often prevent unauthorized access into private networks. Can be hardware, software, or a combination of both.
Network traffic monitoring
• Examines/analyzes network traffic and usage trends. Identifies anomalies in network traffic.
Vulnerability testing
• Exhaustive examination of targeted areas of network infrastructure. Should be done regularly.
Network Intrusion Detection and Prevention
• Reads incoming packets of information to find suspicious patterns. Prevention reacts in real time to block traffic.
Common Access Card (CAC)
• Enables encryption of e-mail and facilitates the use of PKI.
DoD Cybersecurity Legislation, Policy and Guidance
• US Code Title 40 (Clinger-Cohen)
• Federal Information Processing Standards
• DoD Directive 8570.01, Information Assurance Training, Certification, and Workforce Management
• DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program
• The National Institute of Standards and Technology (NIST) Special Publication (SP) 800 Series (Computer Security)
• Subchapter III of Chapter 35 of title 44, United States Code, “Federal Information Security Management Act (FISMA) of 2002”
• DoD Instruction 8500.01, Cybersecurity
• DoD Instruction 8510.01, Risk Management Framework for DoD Information Technology

Federal Information Security Management Act (FISMA)—2002
The RMF must satisfy the requirements of subchapter III of chapter 35 of Title 44, United States Code (U.S.C.), also known as the “Federal Information Security Management Act (FISMA) of 2002”. (DoDI 8510.01, March 12, 2014)
The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:
1. Categorize the information to be protected.
2. Select minimum baseline controls.
3. Refine controls using a risk assessment procedure.
4. Document the controls in the system security plan.
5. Implement security controls in appropriate information systems.
6. Assess the effectiveness of the security controls once they have been implemented.
7. Determine agency-level risk to the mission or business case.
8. Authorize the information system for processing.
9. Monitor the security controls on a continuous basis.
DoD Cybersecurity Policy
• DoD Instruction 8500.01, Cybersecurity, signed March 14, 2014
  • Cancels or supersedes 11 DoD Directives, Instructions, or Memorandums.
  • References a total of 132 policy documents, among them 12 National Institute of Standards and Technology (NIST) Special Publications and 9 Committee on National Security Systems (CNSS) Instructions or Policies.
  • Adopts the term “cybersecurity” to be used throughout the DoD instead of the term “information assurance (IA).”
RMF - Operational Resilience, Integration, and Interoperability
Operational Resilience
• Information and computing services are available to authorized users whenever and wherever needed.
• Security posture is sensed, correlated, and made visible to mission owners, network operators, and to the DoD Information Enterprise.
• Hardware and software have the ability to reconfigure, optimize, self-defend, and recover with little or no human intervention.
Integration and Interoperability
• Cybersecurity must be fully integrated into system life cycles and will be a visible element of IT portfolios.
• Interoperability will be achieved through adherence to DoD architecture principles.
• All interconnections of DoD IT will be managed to minimize shared risk.

RMF and Cybersecurity Reciprocity
• Definition: Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.
• If applied appropriately, reciprocity will reduce:
  • Redundant testing
  • Redundant assessment and documentation
  • Overall costs in time and resources
• Cybersecurity reciprocity is best achieved through transparency. (DoDI 8500.01, March 14, 2014)

RMF and Continuous Monitoring
Information System Continuous Monitoring—maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Continuous monitoring capabilities will be implemented to the greatest extent possible.
Risk Management Framework (RMF) for DoD Information Technology (IT)
• DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), signed March 12, 2014
• More consistent with established disciplines and best practices for effective systems engineering, systems security engineering, and program protection planning outlined in DoDI 5000.02.
• Leverages and builds upon numerous existing federal policies and standards, so there is less DoD policy to write and maintain.
• DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protection of the unique requirements of DoD missions and warfighters.

Key RMF Documents
• NIST Special Publications (SP)
  • 800-37—Guide for Applying the RMF
  • 800-39—Managing Information Security Risks
  • 800-53—Security and Privacy Controls
  • 800-53A—Guide for Assessing the Security Controls
  • 800-60—Guide for Mapping Types of Information and Information Systems to Security Categories
  • 800-137—Information Security Continuous Monitoring
• Committee on National Security Systems (CNSS)
  • Instruction 1253—Security Categorization and Control Selection for National Security Systems
  • Instruction 4009—Information Assurance Glossary
  • Policy 11—National Policy Governing the Acquisition of IA and IA-Enabled IT Products

Applicability (8510.01)
All DoD-owned IT or DoD-controlled IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD IS, platform IT (PIT), IT services, and products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

Risk Management and the RMF
• Multi-tiered Risk Management (defined in NIST SP 800-39)
  • DoD will implement a multi-tiered cybersecurity risk management process to protect U.S. interests, DoD operational capabilities, and DoD individuals, organizations, and assets from the DoD Information Enterprise level, through the DoD Component level, down to the IS level.
NIST SP 800-39—Risk Management Process Applied Across the Tiers (diagram)

RMF and the Acquisition Life Cycle
Cybersecurity requirements must be identified and included throughout the life cycle of systems, to include acquisition, design, development, developmental testing, operational testing, integration, implementation, operation, upgrade, or replacement of all DoD IT supporting DoD tasks and missions.
Integration. Cybersecurity must be fully integrated into system life cycles so that it will be a visible element of organizational, joint, and DoD Component architectures, capability identification and development processes, integrated testing, information technology portfolios, acquisition, operational readiness assessments, supply chain risk management, System Security Engineering, and operations and maintenance activities.
NIST SP 800-53 Security and Privacy Controls
• Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to:
  • Protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and
  • Satisfy a set of defined security requirements.
• Key questions:
  • What security controls are needed to satisfy the security requirements and to adequately mitigate risk incurred by using information and information systems in the execution of organizational missions and business functions?
  • Have the security controls been implemented, or is there an implementation plan in place?
  • What is the desired or required level of assurance that the selected security controls, as implemented, are effective in their application?
The answers to these questions are not given in isolation but rather in the context of an effective risk management process for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks arising from its information and information systems.

NIST SP 800-53 Security and Privacy Controls: Security Control Structure
• Each family contains security controls related to the general security topic of the family.
• There are 18 security control families and over 900 controls included in NIST SP 800-53.
Security Control Identifiers and Family Names (table not shown)
NIST SP 800-53 Security and Privacy Controls (An Example)
Access Control—AC-6—Least Privilege
• Control: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
• Supplemental Guidance: Organizations employ least privilege for specific duties and information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2.
• Control Enhancements:
  • (1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS
    The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
    Supplemental Guidance: Security functions include, …
  • (Enhancements 2–9 not shown)
  • (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS
• References: None.
• Priority and Baseline Allocation: (table not shown)

NIST SP 800-53 Security and Privacy Controls (continued): Security Control Designations
• There are three distinct types of designations related to the security controls listed. These designations include:
  • Common Controls: security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems.
  • System-Specific Controls: the primary responsibility of information system owners and their respective authorizing officials.
  • Hybrid Controls: one part of the control is common and another part of the control is system-specific.
Assessing Security Controls: Example Procedures (table not shown)

Summary of Changes to Cybersecurity Roles & Responsibilities (table not shown)

RMF Governance (diagram)

RMF Knowledge Service
The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines.
https://rmfks.osd.mil/rmf
This site requires CAC registration.
RMF—6 Step Process
This process parallels the system life cycle, with the RMF activities being initiated at program or system inception.

RMF—Steps 1 and 2
• Step 1—Categorize System
  • Categorize the system in accordance with CNSSI 1253 and document the results in the security plan.
  • Describe the system (including system boundary) and document the description in the security plan.
  • Register the system with the DoD Component Cybersecurity Program.
  • Assign qualified personnel to RMF roles.
• Step 2—Select Security Controls
  • Common Control Identification: common controls are selected as “common” and provided via the Knowledge Service, based on risk assessments conducted at the Tier 1 and Tier 2 levels.
  • Security Control Baseline and Overlay Selection: identify the security control baseline for the system.
  • Monitoring Strategy: develop and document a system-level strategy for the continuous monitoring of the effectiveness of security controls.
RMF—Steps 3 and 4
• Step 3—Implement Security Controls
  • Implement and document the security controls specified in the security plan.
  • Security controls that are available for inheritance by IS and PIT systems will be identified and have their associated compliance status provided by hosting or connected systems.
• Step 4—Assess Security Controls
  • Develop, review, and approve a plan to assess security controls.
  • Assess the security controls in accordance with the security assessment plan and DoD assessment procedures.
  • Prepare the Security Assessment Report (SAR) and document the issues, findings, and recommendations from the security control assessment.
  • Conduct remediation actions on non-compliant security controls based on the findings and recommendations of the SAR.

RMF—Steps 5 and 6
• Step 5—Authorize System
  • Prepare the Plan of Action and Milestones (POA&M) based on the vulnerabilities identified during the security control assessment.
  • Assemble the security authorization package and submit the package to the AO for adjudication.
  • Determine the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation.
  • Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.
• Step 6—Monitor Security Controls
  • Determine the security impact of proposed or actual changes to the IS or PIT system and its environment of operation.
  • Assess a subset of the security controls employed within and inherited by the IS or PIT system.
  • Conduct remediation actions.
  • Implement a system decommissioning strategy, when needed.
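The following added example (not from this deck or from DoDI 8510.01) ties the control designations slide to Steps 3 through 5: it validates SP 800-53 control identifiers such as AC-6 and AC-6(10), combines the compliance status a hosting system reports for inheritable (common) controls with the status found by the system's own assessment, and produces the POA&M entries for everything that is not compliant. The role names for who remediates, and the compliance statuses in the sample, are assumptions; the 18 family identifiers are those of NIST SP 800-53 Rev. 4.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Two-letter identifiers of the 18 control families in NIST SP 800-53 Rev. 4.
FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
            "PE", "PL", "PM", "PS", "RA", "SA", "SC", "SI"}
# Matches a base control ("AC-6") or a control enhancement ("AC-6(10)").
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")

def parse_control_id(control_id: str) -> Tuple[str, int, Optional[int]]:
    """Split 'AC-6(10)' into (family, control number, enhancement or None)."""
    m = CONTROL_ID.match(control_id)
    if not m or m.group(1) not in FAMILIES:
        raise ValueError(f"not an SP 800-53 control identifier: {control_id!r}")
    family, number, enhancement = m.groups()
    return family, int(number), int(enhancement) if enhancement else None

class Designation(Enum):
    COMMON = "common"                    # inherited from a common control provider
    SYSTEM_SPECIFIC = "system-specific"  # implemented by the system owner
    HYBRID = "hybrid"                    # one part common, one part system-specific

@dataclass
class ControlRecord:
    control_id: str
    designation: Designation
    # Status of the inheritable part as reported by the hosting/connected system
    # (Step 3); status of the system part as found by the assessment (Step 4).
    # None means no status reported / not yet assessed.
    inherited_compliant: Optional[bool] = None
    system_compliant: Optional[bool] = None

    def is_compliant(self) -> bool:
        """Unknown status counts as non-compliant so it cannot slip past the POA&M."""
        if self.designation is Designation.COMMON:
            return self.inherited_compliant is True
        if self.designation is Designation.SYSTEM_SPECIFIC:
            return self.system_compliant is True
        return self.inherited_compliant is True and self.system_compliant is True

    def remediation_owner(self) -> str:
        """Who acts on the finding; the role names are assumptions of this example."""
        owners = []
        if self.designation is not Designation.SYSTEM_SPECIFIC and self.inherited_compliant is not True:
            owners.append("common control provider")
        if self.designation is not Designation.COMMON and self.system_compliant is not True:
            owners.append("system owner")
        return " and ".join(owners) or "none"

def build_poam(records: List[ControlRecord]) -> List[Dict[str, str]]:
    """Step 5: one POA&M entry per non-compliant control, ordered by control id."""
    entries = []
    for rec in records:
        parse_control_id(rec.control_id)  # reject malformed identifiers early
        if not rec.is_compliant():
            entries.append({"control": rec.control_id,
                            "designation": rec.designation.value,
                            "owner": rec.remediation_owner()})
    return sorted(entries, key=lambda e: e["control"])

# Constructed sample: the compliance statuses are invented for illustration.
SAMPLE = [
    ControlRecord("PE-3", Designation.COMMON, inherited_compliant=True),
    ControlRecord("AU-6", Designation.COMMON, inherited_compliant=False),
    ControlRecord("AC-6", Designation.HYBRID, inherited_compliant=True, system_compliant=False),
    ControlRecord("SI-2", Designation.SYSTEM_SPECIFIC, system_compliant=True),
    ControlRecord("CM-7", Designation.SYSTEM_SPECIFIC),  # not yet assessed
]
```

Calling build_poam(SAMPLE) yields three entries: AC-6 (hybrid, system owner), AU-6 (common, common control provider) and CM-7 (unassessed, treated as non-compliant).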
Summary
• Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
• Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
• Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT).
• Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT).
Exercise
• Read the highlighted portions of the two articles:
  • ‘Information Assurance and Acquisition’, starting on page 10 of the IATAC Newsletter
  • ‘Cybersecurity: The Road Ahead for Defense Acquisition’
• Address the following for your team’s assigned section:
  • Summarize and explain the topic/recommendation.
  • How critical to cybersecurity and overall DoD IT success do you believe this topic is?
  • Identify how well the topic area is emphasized in DoDI 8500.01 and 8510.01.
  • Identify how well the recommendations in the articles address the cyber challenges you are experiencing in your organizations.
  • Identify additional recommendations in your focus area.
• Team focus areas:
  • Team 1: Greater involvement of cybersecurity professionals throughout the acquisition life cycle
  • Team 2: Enhanced leadership commitment and understanding of cybersecurity and the cybersecurity process
  • Team 3: Further integration of cybersecurity into the systems engineering and contracting process
  • Team 4: Moving beyond cybersecurity awareness for IT users to prevention and detection
  • Team 5: Increased focus on software assurance