Continuous monitoring, maintenance needed to maintain cybersecurity
Date: Nov 25, 2013
In this four-part SearchCompliance webcast, Dr. Ron Ross, a senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST), joins Theresa M. Grafenstine, inspector general of the U.S. House of Representatives, to discuss cybersecurity strategy best practices for both the public and private sector. In the concluding segment, Grafenstine and Ross continue their discussion on cybersecurity controls and provide additional tips to mitigate cyber-risk.
Theresa Grafenstine: So, we relied on our organizations to focus more on strategic risk, we built our risk management framework, we deployed a defense-in-depth strategy. What's next?
Ron Ross: Well, that's a lot of work to get to that point. But after you do that, we come into what gets a lot of publicity today: continuous monitoring.
After we build it, we want to implement continuous monitoring of what we've built to make sure that it remains in a good state. I think there are three areas that most organizations should focus on when we talk about continuous monitoring. The first one we've talked about: You deploy a set of controls, then look at how effective those controls are over time. A month from now, go back and look at the kinds of cyberattacks that you might have experienced in your own organization or ones that your neighbor's organization experienced. You need to understand what types of attacks have occurred, and where controls were not effective.
You also want to keep going back and have something we call continuous improvement. We want to be able to manage change, identifying changes to the system or the environment of operations. You put in a new service pack. You do some patching. You bring on some new people into your organization. You move to a new facility. The threat space is changing, and all of these changes will continue to happen at a fairly rapid pace. We've got to be able to assess the extent of that change and how it impacts our current deployment of controls to understand if what we did yesterday is good enough today and if it will be good enough tomorrow.
Then, of course, there's no shortage of legislation, executive orders, directives and all of the things that we have to comply with, from FISMA to HIPAA to Gramm-Leach to executive orders. That's the third piece of why we complete continuous monitoring. You've got to do all of these things together to get an understanding of what the situational awareness is with regard to security. That's a pretty important question for everybody to ask.
Grafenstine: Let's face it -- many of us aren't there yet. We have resource constraints. It may take a while for some of us to get there. Is all lost? Do we give up? What are things that we could be doing? What are some of the important stopgap actions that we can work on to help us until we get all the way there?
Ross: I think the first thing that I would do is go back and do what I call a spring house cleaning and try to reduce the number of IT assets that you own by using cloud computing. You don't have to turn to a public cloud for everything. You can do a triage and say, 'The stuff that is low impact or moderate impact, I'm going to send that to the public cloud.' You can reduce your footprint by 5% to 40% very quickly. Then you could build a private cloud for all the stuff that remains within your organization that you want to maintain greater control over, and develop risk tolerance that is appropriate for more critical information.
I would also focus on building a great contingency plan. Even if you stop 85% of cyberattacks, what do you do with the 15% that get through? You've got to be able to operate while under attack. That means absorbing that cyberattack, being able to limit the damage that that attack [did] to your infrastructure, to your mission, and [being] able to survive to fight the next day. That's really critical, especially for high-end things like weapons systems, command and control, the intelligence community, and even some of our businesses out there that have their intellectual property at the core of their operations.
Thin out the inventory, complete a contingency plan and then make sure you understand all the mobile devices in play. What are all the new endpoints you're bringing into your enterprise? What kind of controls are on those mobile devices, and what kind of attack vectors are you promoting or allowing because of failure to deploy a sufficient number of controls on those mobile devices?
Those are three quick things I think you can do to make sure that you're as safe as you can be and as secure as you can be.
Grafenstine: I want to hit three more things. If we can talk about the Special Publication 800-53 Revision 4 [and] after that, the unified security framework, and then touch on President Obama's recent executive order.
Ross: Okay. We'll move quickly through these. Those are all very important things. They're all related in some way. Special Publication 800-53 Revision 4 is the most fundamental change we've made to our security and control catalog in the last seven or eight years. We've got three specific families where we've really focused on building new controls that allow us to work with industry to strengthen information systems and the components that go into those systems.
In the acquisition family, you'll see lots of controls that relate to good design, good development techniques for software, firmware components, and how to conduct better testing and evaluation. All of those things relate to building stronger, more penetration-resistant components and systems. That's really the focus of Revision 4, along with being able to develop specialized security plans.
We talked about the determining overlays so you don't have to deal with 800 controls -- you can deal only with the necessary controls. Everything's been driven by the threat landscape. Attacks are getting more sophisticated. We're seeing adversaries now attack firmware, the basic [I/O] system. The lower the adversary gets in this stack -- from applications to middleware to operating system to firmware to hardware -- the more control they have. Every step of the way, we provide defensive mechanisms to counter those attacks.
The unified framework we've built over the past four years with our Department of Defense and our intelligence community partners represents five publications.
Grafenstine: That's part of the joint task force, right?
Ross: That's part of the joint task force. We've unified our security controls, our risk management process, the risk assessment process, the risk management framework. All five publications are now being adopted across the entire federal government. We're working off the same playbook. We found that we had 95% of what we do in common, yet we're still able to diverge where we have to. So, when the Department of Defense or the intelligence community has to have specialized requirements, they do that in separate publications. But the vast majority of everything we're doing now is common. That's great news for our federal agencies. It's great news for our contractors and industry that are supporting us.
Grafenstine: It gets rid of a lot of the red tape because we're all speaking the same language. It's easier to support, and there's less risk that we're going to make mistakes because we're using different terminology.
Ross: Exactly right. I think we have a slide with the five publications in the slide deck. You can look at these at your leisure. These are all on our NIST website. You can download them free of charge. You can also call us up anytime. Our contact information is available. We work for you. You're our customers, and we're glad to help out any time we can.
Terry mentioned the executive order that the president signed. NIST has a very important role in one of the parts of the executive order. We're going to bring industry together through all of the critical infrastructure sectors to understand how they do their business with regard to cybersecurity. We have an RFI out -- a request for information -- where we're soliciting information to understand how the critical sectors protect their critical systems. We will assimilate all the information and try to work with industry so the private sector can develop their own framework for how they're going to protect their critical systems and operations going forward.
Again, when you look at these issues from a macro level with regard to the national security and economic security, we're all in the same boat. We all use the same technology. There's nothing more powerful than the public-private partnership. Everything we've done as a nation -- all the great things we've done over the years have always been part of the public-private partnership. This, again, is an opportunity for us to rise up and work with our great private sector in this partnership to really develop the kind of long-term cybersecurity solutions that will protect the nation.
That goes back to my initial point. If you allow adversaries to be deep into your system, then they own that system. Then they will at some point own your intellectual property. They'll own all of your business and mission operations. They'll own your identity at some point. When that situation happens, in my mind, you've lost your freedom. The stakes are really high.
Grafenstine: Interestingly enough, one of our listeners today actually went to the Washington, D.C., ISACA event that you and I were both at, and they mentioned that one of the speakers there noted that eight out of ten Android handsets are already compromised by Chinese-based malware because of the underlying code vulnerabilities used to make the apps. With that in mind, how does that impact the government's approach to bring your own device, BYOD?
Ross: I think BYOD is going to give us many challenges for the government. We have to be very careful because these great new mobile device technologies -- the smartphones and the tablets -- are very compelling. They make us more productive. But at the same time, if we don't apply the same controls on those very powerful mobile devices -- those are all endpoints on our networks now -- then we're giving the adversary a clear path right to the heart of the corporate assets, some of our most sensitive and critical assets.
I think before you start a BYOD policy, you have to consider it very carefully. Maybe there are creative ways you can do BYOD. You can limit the type of access that individuals can have, based on where they're accessing the data from. You can limit the type of accounts they can log into, maybe creating privileged versus nonprivileged accounts. BYOD may be coming very quickly, but we have to be cautious in how we implement it.
Grafenstine: The next question is in regards to reports of a hacker being able to get into the avionics of an aircraft using a mobile device. Will airlines go through a hardening process to the avionics of an aircraft?
Ross: We're seeing this [in] not just the aviation sector, but the nuclear power industry as well. More of our nuclear power plants are going from analog to digital components, and they're hooking those components up within that IT infrastructure. This is going to be a problem for lots of different sectors.
The airline industry is just another one of those sectors. As you bring in all this new capability for passengers, those networks really need to be isolated from the avionics system so there's absolutely no possibility of having people transmit information or be able to give commands to the avionics system.
Grafenstine: SCADA [supervisory control and data acquisition] systems have become something you hear more and more about. What are the strategic programs to address the advanced persistent threat malwares for SCADA systems?
Ross: There's so much going on. A more generic term would be industrial control systems. We have ICSes in so many different areas, including manufacturing plants, chemical plants and power plants around the country. We're in the process of modifying them. We have a major revision to our 800-82 Special Publication, which is our [ICS] security guideline.
In addition, the 800-53 Revision 4 has a lot of new controls that can be applied to industrial control systems using this new construct we call overlay. You pick the kind of controls that really would be able to harden some of these industrial control systems.
Grafenstine: We get kind of used to different terminology, but not everybody necessarily knows what it is. Malware is a term commonly thrown around in the security community, but can you just give us a quick explanation of malware?
Ross: That's a whole other show, probably, but the term malware is short for malicious code. There are lots of different types of malicious code. There are Trojan horses, viruses, worms. Each one of these has different characteristics on how the code can be transmitted through the system and what it can actually do.
We kind of use the term malicious code because you want to be able to have your defenses be able to stop all different types of exponential growth rate of malware today. A lot of our great companies in the security area are coming up with different types of strategies now to go beyond just signature-based detection.
Grafenstine: One last quick question: Can you comment on things to consider when determining whether or not a cloud solution would be the best choice to reduce complexity in your environment?
Ross: I think cloud is a very, very good choice for reducing complexity because you go through your information asset inventory. Decide what is critical to the organization, and maybe you keep that within the organization by building yourself a private cloud. Everything else that's not quite that important, where you feel the risk is less, you can send that to the public cloud. The cloud, along with enterprise architecture, is a great way to reduce that complexity.