NIST Computer Security Efforts - PowerPoint PPT Presentation

Slides: 43
Provided by: lbka

1
NIST Computer Security Efforts
  • Kathy Lyons-Burke, (301) 975-4611
  • kathy.lyons-burke@nist.gov
  • Information Technology Laboratory
  • National Institute of Standards and Technology

3
NIST Mandate for IT Security
  • Develop standards and guidelines for the Federal
    government for sensitive (unclassified) systems
  • Contribute to improving the security of
    commercial IT products and strengthening the
    security of users' systems and infrastructures

4
Specific Focus Areas of NIST's Cybersecurity
Program
  • Cryptographic Standards and Applications
  • Exploring New Security Technologies
  • Security Testing
  • Management and Assistance

5
Cryptographic Standards and Applications
  • Cryptographic mechanisms provide vital
    underpinning for IT security
  • Home-grown cryptography is notoriously insecure
  • Most users do not have the necessary skills to
    determine cryptographic strength - no B&W tests
  • A multiplicity of cryptographic techniques
    hinders interoperability and security analysis
  • Formal voluntary standards bodies are inclusive
    in standardizing on multiple techniques → many
    techniques inadequately studied/analyzed
  • Exploitation of flawed cryptographic methods via
    kiddie scripts

http://csrc.nist.gov/focus_areas.html#cryptographic
6
NIST Raising the Security Bar across Federal
Crypto Standards
http://csrc.nist.gov/publications/fips/index.html
7
Exploring New Security Technologies
  • Identify and use emerging technologies,
    especially infrastructure niches
  • Develop models, reference implementations, and
    demonstrations
  • Transition new technology and tools to public
    and private sectors
  • Advise Federal agencies to facilitate planning
    for secure use

http://csrc.nist.gov/focus_areas.html#research
8
Efforts in New Security Technologies
  • Process Control Security Requirements Forum
    (PCSRF)
  • Wireless Systems
  • Biometrics
  • ICAT
  • IPsec

9
Process Control Security Requirements Forum
(PCSRF)
In support of the National effort to secure
cyberspace
Goal: Increase the security of industrial process
control systems through the definition and
application of a common set of information
security requirements for these systems (based on
ISO 15408).
  • Participants (partial list)
      • Industry and Consortia: Texaco, Maximum Control
        Technologies, Georgia-Pacific, ExxonMobil,
        Unilever, Rockwell, Honeywell, EPRI, ISA,
        American Chemistry Council, National Center for
        Manufacturing Sciences, Association of
        Metropolitan Water Agencies, The Open Group, KEMA
        Consulting, American Gas Association/IGT...
      • Government: NIST (lead), NIAP/NSA, DOE,
        Communications Security Establishment (Canada)...
  • Process Control System Characteristics
      • Provide local and remote control of industrial
        equipment in electric power, water, oil & gas,
        chemicals, pharmaceuticals, food & beverage,
        metals, and durable goods industries
      • Time critical: sensitive to delays and
        variability
      • Designed to maximize performance, reliability,
        flexibility, and safety
      • Security has not been a significant
        consideration

10
NIST Guiding Safe Deployment of Wireless Systems
  • Risks posed by development of wireless technology
    are substantial
      • Potential eavesdropping
      • Potential intrusions
  • Benefits (cost, flexibility, and mobility) are
    enormous
      • Industrial (manufacturing)
      • Widespread use in business
  • Wireless systems are being deployed regardless of
    the security risks
  • SP 800-48, Wireless Network Security: 802.11,
    Bluetooth, and Handheld Devices, November 2002

11
NIST Role in Biometrics for Homeland Defense
  • Many proprietary solutions and standards for
    biometrics devices inhibit interoperability and
    deployment
  • Vendor evaluations of performance need third
    party verification
  • USA Patriot Act (PL 107-56)
      • Work with Justice and State Departments to
        certify a technology standard to verify persons
        applying for visas and persons entering the U.S.
        using visas
      • Certify the accuracy of biometric systems
          • Fingerprint, face
      • For integrated system design and procurements of
        biometrics products

12
NIST's ICAT: CVE-compatible Searchable
Vulnerability Index
  • Fine-grained searchable index of vulnerabilities
  • Provides links to vulnerability and patch
    information

13
ICAT - CVE-compatible Searchable Vulnerability
Index
14
ICAT Metabase Home Page: http://icat.nist.gov
15
IPsec
http://csrc.nist.gov/ipsec/
  • Provides authentication, integrity, and
    confidentiality security services at the Internet
    (IP) Layer
      • Current IP protocol (IPv4)
      • Next generation IP protocol (IPv6)
  • Implementing IPsec requires modifications to the
    system's communications routines and a new
    system process that conducts secret key
    negotiations
  • NIST developed testing tools
      • NIST Cerberus: an IPsec reference implementation
        for Linux; adds IP communications security to the
        system
      • PlutoPlus: an IKE reference implementation for
        Linux; conducts secret key negotiations and
        management
      • IPsec-WIT: an interactive Web-based
        interoperability tester that uses Cerberus and
        PlutoPlus to enable developers and users to test
        the interoperability of their systems or to
        demonstrate IPsec's functionality

16
IPsec-WIT Architecture
17
Selected Technical Publications
18
Security Testing
  • Cryptographic Module Validation Program (CMVP)
  • National Information Assurance Partnership (NIAP)

http://csrc.nist.gov/focus_areas.html#testing
19
NIST's Cryptographic Module Validation Program
  • Validation testing for cryptographic modules and
    algorithms
  • 164 Cryptographic Modules Surveyed (during
    testing)
      • 80 (48.8%) Security Flaws discovered
      • 158 (96.3%) Documentation Errors
  • 332 Algorithm Validations (during testing) (DES,
    Triple-DES, DSA and SHA-1)
      • 88 (26.5%) Security Flaws
      • 216 (65.1%) Documentation Errors

20
National Information Assurance Partnership
  • Collaboration between NIST and the National
    Security Agency (NSA) to meet IT security testing
    needs
  • Increase the level of trust in systems and
    networks through cost-effective
      • Testing
      • Evaluation
      • Validation programs

21
[Figure: chart of IT security standards and testing
coverage. Recoverable content:
  • IT SECURITY
  • Security Products (NIAP): Protocols, Systems,
    Firewalls, Operating Systems, IPSEC, DBMS, Other
    Products
  • FIPS 140-2 Crypto Modules (CMVP): Encryption,
    Hashing, Authentication, Signature, Key Mgt.
  • Algorithms shown: DES, SHA-1, DSA, RSA, SHA-256,
    3DES, ECDSA, DSA2, SHA-384, Skipjack, RSA2, AES,
    SHA-512, ECDSA2
  • Legend: Future Standard, Specification or
    Recommendation; Standard in Progress; Existing
    Standard, Test Development in Progress; Standard
    and Testing Available; Existing Standard, no
    Testing; Industry Standard, Specification or
    Recommendation]
22
Management and Assistance
  • Assist U.S. Government agencies and other users
    with technical security and management issues
  • Assist in development of security infrastructures
  • Develop or point to cost-effective security
    guidance
  • Assist agencies in using security technology
    guidance
  • Support agencies on specific security projects on
    a cost-reimbursable basis

23
Management and Assistance
  • Small Business Computer Security Workshops
  • Computer Security Management Guidance
  • Computer Security Expert Assist Team (CSEAT)

http://csrc.nist.gov/focus_areas.html#management
24
Small Business Computer Security Workshops
  • NIST, the Small Business Administration, and the
    National Infrastructure Protection Center conduct
    a series of workshops on information security
    threats and solutions
  • Workshops especially designed for small
    businesses and not-for-profit organizations
  • Attendees have the opportunity to explore
    practical tools and techniques that can help them
    to assess, enhance, and maintain the security of
    their systems.

http://csrc.nist.gov/securebiz/index.html
25
Selected Recent Computer Security Management
Guidance Publications
26
Computer Security Expert Assist Team (CSEAT)
  • Assist agencies/programs in improving the
    security of Federal IT systems
  • Strengthen security of critical computer
    system/services
  • Identify security program issues and provide
    specific remedies
  • Prepare for future security threats
  • Improve federal agency/program Critical
    Infrastructure Protection (CIP) planning and
    implementation efforts
  • Identify and develop appropriate computer
    security guidance

27
Why NIST?
  • NIST provides consistent, comparable, and neutral
    perspective
  • As a result of the review process, NIST obtains
    better understanding of Federal agency/program
    needs for guidance
  • Effort helps NIST meet statutory responsibilities
  • Provide technical assistance in implementing
    standards and guidelines, including
      • Case studies
      • Lessons learned
      • Quick references
      • Checklists

28
CSEAT Complements Existing Efforts
  • Government
      • NIST standards and guidelines
      • Federal Computer Incident Response Capability
        (FedCIRC) / Computer Emergency Response Teams
        (CERTs)
      • National Infrastructure Protection Center (NIPC)
      • Critical Infrastructure Assurance Office (CIAO)
      • NSA security evaluations
      • GSA's security contract vehicles
  • Industry
      • Information Sharing and Analysis Centers (ISACs)

29
CSEAT Review Types
2 types of reviews
  • Agency requested review of automated information
    security programs
  • Agency program and OMB requested high-risk IT
    program security reviews
      • Both existing and planned programs
      • E.g. child welfare, disaster relief, Indian trust
        management

30
CSEAT Review
  • CSEAT security control objectives abstracted
    directly from long-standing requirements from
      • Federal government regulations
      • Statutes
      • Policies
      • Guidance
  • CSEAT provides an independent review of an
    agency's IT security program or high risk program
  • Agency requested - not an audit
  • Assesses the state of maturity of the agency's or
    program's IT security policy and procedure
    implementation and overall integration
  • Restricted to unclassified information/systems

31
CSEAT Review Maturity Levels
(shown from highest to lowest)
  • Integration
  • Test
  • Implementation
  • Procedures
  • Policy
32
CSEAT Review Topic Areas
Computer security management and culture
Computer security plans
Security awareness, training, and education
Budget and resources
Life cycle management
Incident and emergency response
Operational security controls
Physical security
IT security controls
33
CSEAT Agency/Program Review Process
[Figure: review process flow; recoverable steps:
CSEAT conducts interviews; CSEAT presents
recommendations]
34
Proposed Review Timeline
  • Agency/program provides
      • Documentation
      • Response to questions
      • Key personnel information (within 1 week)
  • CSEAT
      • Reviews documentation and responses to questions
      • Schedules interviews
  • CSEAT
      • Conducts interviews
      • Requests additional information
  • CSEAT
      • Writes draft review report

Review Kickoff; phase durations shown on the
timeline: 3 weeks, 4 weeks, 2 weeks, 3 weeks
Agency/program provides comments on draft 30
days after receipt of draft. CSEAT provides final
review report 14 days after receipt of comments.
Timeline phase duration is dependent upon
completion of previous phase.
35
CSEAT Review Report
  • CSEAT overview
  • Agency or program overview
  • Agency or program status
  • Recommendations to improve agency or program
    computer security
  • Summary and conclusions
  • Prioritized, implementable action plan

36
Agency or Program IT Security Status
(Sample)
37
Issue Identification with Corrective Actions
Issue: Information and systems are endangered
due to a failure to manage access rights and
accounts for agency employees.
  • Discussion
      • User accounts are not removed immediately upon
        user termination.
      • Reassigned personnel still retain account access
        for previous position.
  • Corrective Actions
      • Implement a process to provide accountability for
        user account creation, deactivation, activation,
        and termination on all systems in a timely
        manner.
  • Cost: Minimal
  • Time to Complete: Short-term
  • Recurring Cost: Minimal
  • Recurring Time to Complete: Short-term

(Sample)
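The two discussion points in this sample issue (accounts not removed on termination, reassigned staff keeping access for a previous position) can be checked by reconciling the HR roster against the account inventory. The following is an added example, not part of the CSEAT material; the `Person`/`Account` schemas, field names and sample data are constructed, and entitlement names are assumed to match position codes.

```python
"""Account lifecycle reconciliation (added example, not from the CSEAT slides).
Reconciles a constructed HR roster against a constructed account inventory and
flags the issues the sample review describes, plus accounts with no HR owner."""
from dataclasses import dataclass, field

@dataclass
class Person:                  # HR record (constructed schema)
    user: str
    status: str                # "active" or "terminated"
    position: str              # current position code
    former_position: str = ""  # previous position code, if reassigned

@dataclass
class Account:                 # directory record (constructed schema)
    user: str
    enabled: bool
    entitlements: set = field(default_factory=set)  # role groups, by position code

# Constructed sample data
HR = [
    Person("alice", "active", "payroll"),
    Person("bob", "terminated", "helpdesk"),
    Person("carol", "active", "audit", former_position="payroll"),
    Person("dave", "terminated", "dba"),
]
ACCOUNTS = [
    Account("alice", True, {"payroll"}),
    Account("bob", True, {"helpdesk"}),            # terminated, still enabled
    Account("carol", True, {"audit", "payroll"}),  # kept old payroll rights
    Account("dave", False, {"dba"}),               # terminated, correctly disabled
    Account("svc_backup", True, {"dba"}),          # nobody in HR owns it
]

def reconcile(hr, accounts):
    """Return findings keyed by issue type; empty lists mean the check is clean."""
    by_user = {p.user: p for p in hr}
    findings = {"terminated_enabled": [], "stale_entitlement": [], "no_owner": []}
    for a in accounts:
        p = by_user.get(a.user)
        if p is None:                      # account with no HR record behind it
            findings["no_owner"].append(a.user)
        elif p.status == "terminated" and a.enabled:
            findings["terminated_enabled"].append(a.user)
        elif p.status == "active" and p.former_position in a.entitlements:
            # rights of a former position should have gone on reassignment
            findings["stale_entitlement"].append((a.user, p.former_position))
    return findings

if __name__ == "__main__":
    for issue, hits in reconcile(HR, ACCOUNTS).items():
        print(f"{issue}: {hits}")
```

Run against a real export the same three lists give the review team its evidence for the "Discussion" section and a baseline to re-run after the corrective process is in place.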
38
Prioritized Action Plan
  • Action priority and topic area
  • Issue
  • Suggested corrective action
  • How long to complete initial action
      • Short Term: less than 6 months
      • Intermediate Term: between 6 months and 2 years
      • Long Term: more than 2 years
  • Cost to complete initial action
      • Minimal: less than $100,000
      • Moderate: between $100,000 and $500,000
      • High: greater than $500,000
  • Recurring action time and cost to complete

39
Change in Computer Security Posture after $2
Million Action Plan
CSEAT Review Areas
  1. Computer Security Management and Culture
  2. Computer Security Plans
  3. Security Awareness, Training, and Education
  4. Budget and Resources
  5. Life Cycle Management
  6. Incident and Emergency Response
  7. Operational Security Controls
  8. Physical Security
  9. IT Security Controls
(Sample)
$2M Invested
Computer Security Enhancements
  • Complete policies
  • Complete procedures
  • Increase documentation
  • Develop and implement capital planning process
  • Augment employee training
  • Implement computer security plans
  • Develop risk assessment methodology
  • Develop performance metrics
Current Status
40
CSEAT Uses Report to Develop Guidance
[Figure: flow from CSEAT Review Report with
Recommendations, to Sanitized Case Study, to NIST
Guidance]
41
Summary
NIST is improving security by
  • Raising awareness of the need for cost-effective
    security
  • Engaging in important security issues/challenges
  • Addressing needs for standards and guidelines
      • Technical, Policy, Management, and Operations
      • Federal Agency Security practices
      • Cryptographic security
      • Biometrics
  • Increasing security quality of and user
    confidence in COTS IT products via third party
    testing
      • Cryptographic Module Validation Program
      • National Information Assurance Partnership

42
More Information
  • http://csrc.nist.gov/
  • http://cseat.nist.gov/
  • CSEAT Email: cseat@nist.gov

Receive immediate e-mail notification when new
NIST computer security publications or news are
available by subscribing to the NIST computer
security publications e-mail list. To subscribe
to this list, send e-mail to listproc@nist.gov.
In the body of the e-mail message type:
subscribe compsecpubs [your first and last name]