As a senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST), Ron Ross is an expert on the growing number of cybersecurity threats facing the public and private sector. A strong cybersecurity program, however, not only helps protect information but also ultimately improves an organization's business capability, Ross says.
In this four-part SearchCompliance webcast, Ross joins Theresa M. Grafenstine, inspector general of the U.S. House of Representatives, to discuss cyber-risk and effective security controls companies can implement to protect corporate data. Here in part one, they discuss common cybersecurity threats facing modern organizations.
Theresa Grafenstine: Ron, can you first give our audience a sense of what NIST is and the role NIST plays in computer security and U.S. government?
Ron Ross: NIST, the National Institute of Standards and Technology, is part of the Department of Commerce. We have a unique role: We're actually part of the Information Technology Laboratory. We've got about six or seven laboratories at NIST, and within the Information Technology Laboratory, our mission is information security or computer security.
Our portfolio spans a fairly wide range of things we do. A lot of it is driven by the legislation under the Federal Information Security Management Act of 2003. We develop security standards and guidelines for the federal government. We look at new technologies. We have a national cybereducation program. There is identity management work going on and a brand new Cyber Security Center of Excellence where we work with industry to try to come up with new and innovative solutions that our customers can use. It's a fairly large portfolio of things. We're very busy with all the different emphases on cyberattacks and all the threats that are ongoing at the federal level and also in the private sector.
Grafenstine: Can you tell us a little bit about the NIST Special Publication 800 series to get our audience a little more familiarized?
Ross: We actually have several different types of publications that we produce. In addition to the 800 series, we started out with our security standards. Those are the Federal Information Processing Standards, or FIPS. Those FIPS range from cryptographic standards to standards for minimum security requirements for our federal systems and categorization standards to make sure you have the ability to categorize your data with regard to criticality or sensitivity.
One step down is our 800 series publications. Those are guidance documents that are mandatory based on OMB [Office of Management and Budget] policy. They range from defining good security controls for information systems to developing good contingency plans and cryptographic guidance. There's just a range of issues that transcend the management, operational and technical aspects of what it means to build a good cybersecurity program.
Grafenstine: In today's high-tech world, there are so many things we have to worry about in the world of cyberthreats. What do we need to be thinking about? What should we be worrying about?
Ross: First of all, today's world, as the first slide indicated, is a fairly dangerous world in cyberspace. In our 800-30 publication, which is our risk assessment guideline published in September 2012, we talk about threat sources. These are the four different types of threats that people have to worry about today. The ones that get the most attention, obviously, are the hostile cyberattacks. Those are the ones you read about on the front page of the paper every day.
But then we also have things like natural disasters, like Hurricane Sandy, where a hurricane will hit the East Coast and it will take out some of the computer capacity of an organization. We also have the good old-fashioned structural failures where the device or your system just stops working. Then, we have a very large and increasing concern about what we call "human errors of omission and commission." Those are basically the errors that we build into the hardware and the software by the coding practices that we either use or fail to use.
We have a very sophisticated threat space, and when you operate a business either in the private sector or within a federal agency you have very critical operations and missions that you have to carry out. The [cyber]threats are getting more sophisticated. The ability for adversaries to place malware deep inside your systems is a growing concern. If the adversary owns your system, they can basically own your identity, they can own your intellectual property, they can own your business. When they own all of that, you basically have lost your freedom.
This whole area of cybersecurity is much deeper than just deploying controls into one system or another. It goes to the fundamental things that really go back to our Constitution -- security and privacy are two of those very core values that go back to the Founding Fathers.
Grafenstine: When we talk about sophisticated adversaries, one that we frequently hear about is this term called advanced persistent threat. Can we talk a little bit about that and give our audience basically a definition? Also, how pervasive is this, and what do we need to do to address that?
Ross: An advanced persistent threat is the threat that causes us the most concern. I guess the thing that's really noteworthy here is a lot of the adversaries out there have significant capability. A lot of times, they have bad intentions toward whoever they're targeting.
When you have an advanced persistent threat, and that threat is actually exploiting vulnerabilities within your organization, the adversary can actually take control of the organization by owning the information system. Once they own that system at the very basic level, they can really do almost anything they want. They can bring down your capability. If you've got malware in an air traffic control system, for example, and you could actually shut down the air traffic control system, that's a significant loss of critical capability. The other side of that coin is they can also steal stuff from you. Once that malware is placed within the information system, then your intellectual property can be exfiltrated in a manner that goes undetected by the average organization.
I think when you talk about the severity of the advanced persistent threat and the deep penetration that many of these organizations have made into both our public and our private-sector organizations, this then explains why this issue is on the president's radar at such a high level. This is one of the top priorities of the administration, of all federal agencies. In the long term, you can't sustain this exfiltration over a long period of time. It starts to get into both national security issues as well as economic security issues.
Companies have to be competing globally today, and when you're losing intellectual property in a very competitive world, that's not a good thing for any of our great companies. Having the ability to take down significant capabilities within the critical infrastructure -- for example, a power plant going down in the city of Chicago and you don't have power for three, four, five months -- those are the things that really keep us up at night. That's why we're working so hard to help our customers build stronger information security programs.
Grafenstine: We've covered conventional threats and advanced persistent threats, but there are other things that are unconventional threats. What are the things that we haven't thought about? What are some of the unconventional [cyberthreats] that we need to start thinking about?
Ross: This is always a tough issue, because most folks who deal with cybersecurity are looking at firewalls, encryption, two-factor authentication, all the traditional stuff. But if you're building a good cybersecurity program, in the long term it's a lot more than good housekeeping, where you understand how many boxes are on your network, how those boxes are configured, and make sure all your components are patched in a timely fashion. That's just basic good hygiene.
That's certainly a part of the problem, but there are things that are systemic within organizations that can prevent you from fully realizing the best and most effective cybersecurity program that you can build. I call these the three Cs, because the complexity, connectivity and cultural issues are things that you're not going to find on the top 10 list of either the DHS [Department of Homeland Security] or NSA [National Security Agency] when they look at the threat space.
To me, complexity is the No. 1 issue today. IT is relatively inexpensive and it's getting more powerful every day. You look at the new tablets and the smartphones that are being developed with great capabilities -- these are all new endpoints that are on the infrastructure part of our systems. That complexity keeps growing. The more complex these systems become, the harder it is for our information security professionals to understand how to protect what we have.
One thing we have to do to be healthy long term is to start to manage and reduce that complexity. We have lots of great ways to do that through enterprise architecture and cloud computing where we consolidate, we optimize and we standardize the infrastructure. That translates to having less stuff to manage. When you have less stuff to manage, you can focus on deploying your safeguards and your countermeasures at the right place and at the right time within the enterprise.
Connectivity is a continuing issue. The more endpoints we bring into our systems environment and our IT infrastructure through all these new tablets and smartphones, it results in everything being connected to everything else. We can start to exploit things in systems where those vulnerabilities were never there before. So, the connectivity is an issue that we have to, again, manage.
Of course, culture is the way every organization does business. Some put cybersecurity at the top of the pecking order as far as its priority list. Other organizations view cybersecurity as a drag on the operation. It's a cost to the organization, and it's more of a negative connotation. The best organizations consider cybersecurity as a way to improve the organization's mission and business capability. Integrating that security into every aspect of the organization not only saves money and creates a leaner and meaner IT infrastructure, but the services that you end up providing your customers are more efficient and more effective. It all works together. The culture really drives how this whole story's going to turn out.