
Secure Enough

Secure Enough. DAU Cybersecurity Enterprise Team, Vinny Lamolinara, Defense Acquisition University Mid-Atlantic Region, vincent.lamolinara@dau.mil, 240-895-7382w, 301-974-2525c. (some of) Murphy's Cyber Laws. A subtle vulnerability (vul) will masquerade as some other problem.



  1. Secure Enough DAU Cybersecurity Enterprise Team Vinny Lamolinara Defense Acquisition University Mid-Atlantic Region vincent.lamolinara@dau.mil 240-895-7382w 301-974-2525c

  2. (some of) Murphy's Cyber Laws
     • A subtle vulnerability (vul) will masquerade as some other problem.
     • A secure program is one that has only unobserved vuls.
     • Probability of virus infection is proportional to the amount of damage it does.
     • A patch is a piece of SW which replaces old vuls with new vuls.
     • The best way past a pesky security feature is a 13-year-old.
     • Antivirus systems only work after a given virus has passed its prime.
     • The most destructive virus is that which you do not know is already there.
     http://www.murphys-laws.com/murphy/murphy-computer.html
     What can go wrong will go wrong!

  3. Secure Enough Thoughts / COAs
     • COA: Conventional
     • Heavy Armor (Flying Tanks / Diminishing Returns)
     • Balance Performance & Survivability Engineering
     • Don’t Ignore Technological Change
     What do failures tell us?

  4. Secure Enough Thoughts / COAs
     • COA: Offense vs Defense
     • Maneuverability Metric
     • Ps = V(T-D)/W
     • Red / Blue Teaming - Exercises with Humans!
     What do successes tell us?

  5. Secure Enough Thoughts / COAs
     • COA: Emergent Technology
     • Artificial Intelligence / Auto-Patch / Auto-Attack
     • Cyber Grand Challenge
     • Think Outside the Box: Netflix Simian Army
     What is the future?

  6. Secure Enough: DSB says Don’t try to Secure Everything
     • DoD Red Teams succeed using open source tools
     • Networks are inherently insecure architectures
     • Inadequate intel of threats targeting DoD systems
     • Not possible to prevent all high tier cyber attacks!
     • Response Priority:
       • Deterrence
       • Intelligence
       • Offensive Cyber
       • Defensive Cyber
       • Workforce
     Most Effort is Here
     http://www.dtic.mil/docs/citations/ADA569975

  7. Too much Security in the Wrong Place?
     • GAO Audit: DHS $6 Billion “Einstein” IDS May Not Be Effective
     • Does not scan for 94 percent of commonly known vulnerabilities or check web traffic for malicious content
     • AFRL Avionics Cyber Hardening and Resiliency Manual
     • Evaluating protections: “Could the protection add a vulnerability by adding features with unknown susceptibilities that an adversary could exploit or by causing the protection to trigger falsely?”

  8. Cybersecurity Survivability Balanced Survivability
     • System Survivability KPP (CJCS)
     • SS KPP = Kinetic, EW & Cyber
     • Cyber Survivability Endorsement (CSE) v1.01a, JCS Guide JROCM 009-17, 27 Jan 2017
     [Diagram labels: EW, Cyber, Kinetic]
     3 Pillars of Cybersecurity Survivability
     • Prevent – design principles that protect system’s mission functions from most likely cyber threats
     • Mitigate – design principles to detect and respond to cyber-attacks; enable the mission system to survive attacks and complete the mission
     • Recover – design principles to enable recovery from cyber-attacks and prepare mission systems for the next fight

  9. How Much Cyber Survivability? Resilience vs Perfect Design
     Airborne Unmanned Sensor System (GAUSS) Cyber Resilience Demo - Georgia Tech, UVA & FAA
     High-Assurance Cyber Military Systems (HACMS) - DARPA
     ADVANCED RESEARCHERS
     • Triple Diverse Dynamic Redundancy
     • 3 different computer boards
     • 3 separate operating systems
     • 3 versions of the security software
     • Scientifically Proven Secure Code
     • 6 years in Development
     • Only Critical Control Systems
     • Only 1000’s SLOC
     Survive Every Attempted or Successful Hacking Attempt!
     At a great Cost / Schedule!

  10. Security Policy…(More Than) Enough
     • DoDI 5000.02 Change 2: Defense Acquisition
     • DFARS 252.204-7012: Covered Defense Information & Incident Reporting
     • DoDI 8500.01: Cybersecurity
     • DoDI 5200.39: Critical Program Information
     • DoDI 5200.44: Protection of Mission Critical Functions
     • DoDI 8510.01: Risk Management Framework
     • JROCM 009-17: System Survivability KPP
     • SECNAV 5239.22: CYBERSAFE

  11. Kung Fu
     In the real West, “Kung Fu” may have dodged a bullet or two… …but got taken out by a Colt .45 on the 3rd shot
     Cybersecurity Engineering re-framed as Cyber Warfare Engineering
     Offense (Test) & Defense - must be Balanced
     Continuous Red Teaming & Cyber Range Practice
     Balanced … Enough! … Netflix Simian Army!

  12. German proverb: “das Kind mit dem Bade ausschütten” (to throw the baby out with the bathwater)
     Risk Assessment is a NIST Security Control!
     Cyber Risk Assessments / Table Tops Prioritize Vulnerabilities
     Criticality Analysis tells you What is Enough for the MISSION
     Test, Monitoring and Incident Response Practice Reinforce what’s adequate
     People & Processes: Wetware, Logistics and Support Equipment – More critical due to Cyber Technology
     Practical … Enough
     Security without Prioritization is Never Enough

  13. How to Start to Identify Secure Enough: Cyber Table Top (CTT) • User Reps / Focused Mission Areas Reporting Post Exercise Analysis Exercise Execution ~ 7-60 days ~ 14-60 days ~ 3-5 days Exercise Preparation Develop Mission Plan Describe Effects Develop Mitigations Color Code Operational (Blue) Team OPFOR (Red) Team Execute Attacks Define Access Paths *Facilitator Training Available via Ms. Standard, Sarah M CIV OSD OUSD ATL (US), sarah.m.standard.civ@mail.mil

  14. Enough Security Controls: Control Applicability Assessment (CAA)
     • NAVAIR Initial Controls Applicability Assessment (CAA) Effort
     • All 922 controls assessed for applicability in five NAVAIR contexts
     • 5 Aviation Overlays Examined: Manned / Unmanned Aircraft, UAS Control, Support Eqpt., Ship Installed Eqpt.
     • Graded on applicability and difficulty to apply to legacy systems
     922 controls reduced to 117 med & 46 high value controls reasonable for legacy systems

  15. Stand up Integrated Cyber Warfare Engineering Group / SSEWG
     Testers, SwA, Logistics, IT, Intel, EW, Users and most all Hackers
     Immediately conduct regular Risk Assessments
     Build team a Lab where they can Attack systems and Learn
     Develop some basic requirements like: “Survive a zero day attack on my mission computer”
     Invite Red Teams from day one
     Reward cost-wise solutions vs expensive state of the art
     Best Practices: If I were a (Rich Man) PM
     A rich man is nothing but a poor man with money – W. C. Fields

  16. Integrated Cyber Warfare / System Security Engineering System Critical Program Information • Anti-tamper Mission Critical Components & Functions • TSN / SCRM Cybersecurity • Resilience • Survivability • RMF • Red Team • HW / SW Assurance • Phys/Op/Info/Pers/ComSEC Security Engineering Do the Engineering, But THINK LIKE A HACKER!

  17. Finally, Who Gets To Judge … What’s Enough? DoD / CJCS / Combatant CDRS Milestone Decision Authority PM DOT&E AO / SCA The Supremes USER NSA CIO

  18. BACKUP DAU Cybersecurity Enterprise Team Vinny Lamolinara Defense Acquisition University Mid-Atlantic Region vincent.lamolinara@dau.mil 240-895-7382w 301-974-2525c

  19. Compliance… Enough
     • Cyber workers… “crippled by every piece of control under the NIST cybersecurity framework, because they haven’t been told that they can think innovatively”…
     • Peter Kim, USAF CISO
     • …“You’ve got to do some of the basic things, but it’s OK if you can’t get to the 800 controls, it’s OK if you miss a patch, it’s OK if you don’t have the server STIG-ed to the ultimate way that the Defense Information Systems Agency wants you to do. It’s good enough. Slap it on a network and let the warfighter conduct mission.”
     Compliance with traditional cybersecurity policy has proven “insufficient” for DoD fielded systems

  20. Cybersecurity Survivability Balanced Survivability
     • System Survivability KPP
     • SS KPP = Kinetic, EW & Cyber
     • Cyber Survivability Endorsement (CSE) v1.01a, 10 CSAs, JCS Guide JROCM 009-17, 27 Jan 2017
     • Three pillars:
       • Prevent – design principles that protect system’s mission functions from most likely cyber threats
       • Mitigate – design principles to detect and respond to cyber-attacks; enable the mission system to survive attacks and complete the mission
       • Recover – design principles to enable recovery from cyber-attacks and prepare mission systems for the next fight
     [Diagram labels: EW, Cyber, Kinetic]

  21. Unified RMF, Cybersecurity, Systems Engineering & Test RMF Test Sys Eng Cybersecurity System Survivability KPP Determine Authorization Boundary 6. Continuous Monitoring Cybersecurity Stakeholders Trusted Systems / Supply Chain Risk (TSN/SCRM) 1. Categorize System Cyber in the RFP 5. System Authorization Decision Red Team / Threat Representative Testing Cyber Table Top (CTT) 2. Select Security Controls Blue Team / Vulnerability Assessments Security Architecture and Design Cyber Table Top (CTT) 3. Implement Security Controls 4. Assess Security Controls Secure Coding Practices Cyber Risk Assessment (CRA) Ref: ISO/IEC/IEEE 15288, Systems and Software Engineering - System Lifecycle Processes, 15 May 15

  22. Prioritize Risk to Know What is Secure Enough [Figure: risk chart; labels: Probability, Impact, Risk]

  23. Cyber Resilience Anticipate Recover Evolve Withstand Goals: * December 13, 2013 Cyber Resiliency: Post by Deborah Bodeau, MITRE CORP
