1 / 17

Cyber Security: Past and Future

Cyber Security: Past and Future. John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA www.gilligangroupinc.com March 10, 2009. Topics. Historical Perspectives Cyber Security Today--A National Crisis Cyber Security Commission Recommendations

maeko
Download Presentation

Cyber Security: Past and Future

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cyber Security: Past and Future John M. Gilligan CERT’s 20th Anniversary Technical Symposium Pittsburgh, PA www.gilligangroupinc.com March 10, 2009

  2. Topics • Historical Perspectives • Cyber Security Today--A National Crisis • Cyber Security Commission Recommendations • Near Term Opportunities • Longer-Term Game Changing Initiatives • Closing Thoughts

  3. Historical Perspectives • Computer Security in the Cold War Era • Security “Gurus”—Keepers of the Kingdom • The Internet changes the security landscape-- forever • The Age of Information Sharing • Omissions of the past are now our “Achilles Heel” Our Approaches To Providing Mission Enabling IT Are Stuck In The Past

  4. Cyber Security Today—A New “Ball Game” • Our way of life depends on a reliable cyberspace • Intellectual property is being downloaded at an alarming rate • Cyberspace is now a warfare domain • Attacks increasing at an exponential rate • Fundamental network and system vulnerabilities cannot be fixed quickly • Entire industries exist to “Band Aid” over engineering and operational weaknesses Cyber Security is a National Security Crisis!

  5. Commission Cyber Security for the 44th Presidency:Key Recommendations • Create a comprehensive national security strategy for cyberspace • Lead from the White House • Reinvent public-private partnerships • Regulate cyberspace • Modernize authorities • Leverage government procurement • Build on recent progress with CNCI

  6. Near-Term Opportunities • Use government IT acquisitions to change IT business model • Enhance public-private partnerships • Adopt the Consensus Audit Guidelines (CAG) • Update FISMA • Implement more secure Internet protocols • Implement comprehensive, federated authentication strategy • Leverage Stimulus Package to improve cyber security

  7. Use Government IT Procurement • Cyber security needs to be reflected in our contractual requirements • Many “locked down” configuration defined • Use government-industry partnership to accelerate implementation of secure configurations • Get started now, improve configuration guidelines over time and leverage SCAP! Build on FDCC Successes and Lessons Learned

  8. Security Content Automation Protocol (SCAP) • What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network. • How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information. • Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes. SCAP Enables Automated Tools To Implement And Enforce Secure Operations

  9. Enhance Public-Private Partnerships • Most of our nation’s critical infrastructure is owned by the private sector • Much of our government-sponsored research intellectual property is “protected” by industry • Regulators need to guide/govern private sector efforts • Private and public sectors must act in cooperation • Defense Industrial Base (DIB): an excellent model Protecting Government and Military Systems Is Not Sufficient

  10. Implement Consensus Audit Guidelines (CAG) • Underlying Rationale • Let “Offense drive Defense” • Focus on most critical areas • CAG: Twenty security controls based on attack patterns • Emphasis on auditable controls and automated implementation/enforcement • Public comment period through March 25th • Pilots and standards for tools later this year

  11. Update FISMA • Emphasize evaluating effectiveness of controls vs. paper reviews • Enhance authority and accountability of CISO • Foster government leadership • Independent, expert reviews • Procurement standards • Dynamic sharing of lessons learned

  12. Near-Term Opportunities • Use government IT acquisitions to change IT business model • Enhance public-private partnerships • Adopt Consensus Audit Guidelines (CAG) • Update FISMA • Implement more secure Internet protocols • Implement comprehensive, federated authentication strategy • Leverage Stimulus Package to improve cyber security

  13. Longer-Term: IT Reliably Enabling Economy • Change the dialogue: Reliable, resilient IT is fundamental to future economic growth • New business model for software industry • Redesign the Internet • Get the “man out of the loop”—use automated tools (e.g., SCAP) • Develop professional cyberspace workforce • Foster new IT services models Need to Fundamentally “Change the Game” to Make Progress

  14. Closing Thoughts • Government and Industry need to treat cyber security as an urgent priority • Near-term actions important but need to fundamentally change the game to get ahead of threat • IT community needs to reorient the dialogue on cyber security—the objective is reliable and resilient information Cyber Security is Fundamentally a Leadership Issue!

  15. Contact Information jgilligan@gilligangroupinc.com www.gilligangroupinc.com John M. Gilligan

  16. Security Standards Efforts:Security Content Automation Protocol (SCAP)

  17. Security Standards Efforts: Next Steps* * Making Security Measurable – The MITRE Corporation

More Related