Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain
Transcript of Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain
1
Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain
John M. Gilligan
Gilligan Group, Inc.
May 5, 2009
Protecting the Resiliency of the Supply Chain
2
Topics
• Background
• The “Good Old Days”—Status Quo
• The “Aha” Moment
• Standard Desktop becomes Federal Desktop
• Next steps
  – Cyber Security Commission Recommendation
  – Evolving Standards
• Summary
3
Relevant Background
• Air Force
  – 700,000 Unclassified Desktops
  – 60,000 Classified Desktops
  – IT Spending $7B; Security Spending of $700M
• Federal Government
  – Approximately 4 million desktops
  – IT Spending $60B; Security Spending of $5B
• National Institute of Standards and Technology (NIST) provides IT security standards/guidance
4
Air Force CIO Observations Regarding Software Security
• Spending more to “patch and fix” software systems than to purchase them
• SW vendor contract terms—no warranties, no standards, and no legal precedents for remedy
• AF IT purchasing is ad hoc (and expensive)
• Air Force is largest enterprise buyer for many vendors
COTS software business model is fundamentally broken!
5
From National Institute of Standards and Technology briefing -- http://nvd.nist.gov/scap.cfm
NIST provides a lot of guidance in security—is it addressing the right problem?
6
The CIO’s Cyber Security Dilemma
• There are only so many resources available to be allocated against all IT priorities
• There is no such thing as perfect cyber security
• Finding flaws in cyber security implementation is a “target rich” environment
How much security is enough, and where should investments be applied?
7
How to Assess Effective Security
GAO Reports?
Congressional FISMA Grades?
Percentage of Systems Certified?
Number of Systems with Contingency Plans?
Agency Auditor Reports?
The threat is increasing! Are we focusing on the right things?
"Pentagon Shuts Down Systems After Cyber-Attack"
Malicious scans of DoD increase 300%!
8
An “Aha” Moment!
• Scene: 2002 briefing by NSA regarding latest penetration assessment of DoD systems
• Objective: Embarrass DoD CIOs for failure to provide adequate security.
• Subplot: If CIOs patch/fix current avenues of penetration, NSA would likely find others
• Realization: Let’s use NSA’s offensive capabilities to guide security investments
Let “Offense Inform Defense”!
9
AF Standard Desktop Concept
• NSA “Offensive Team” briefings to Air Force on attack patterns and vulnerabilities exploited
• ~80% of vulnerabilities tied to incorrectly configured COTS software
• Joint effort by NSA, NIST, DISA, DHS, CIS, Microsoft to create Standard Desktop Configuration (SDC) for Microsoft Windows/Office/IE
Address the source of the biggest problem—and do it in the supply chain!
10
Secure Desktop Configuration
• Defined ~600 security configuration settings for Windows XP and Vista (out of 4,477)
  – Leveraged prior work by MS, NIST, CIS, NSA, DISA
• Protocols and software tools to validate implementation – CVE/OVAL
• Phased Implementation (2005-2007)
  – Senior-level governance process
Software delivered from hardware vendors in “locked down” configuration
11
AF Standard Desktop Configuration Results
• Improved Security
  – Drop in security events
  – Reduced patching time from 57 days to 72 hours
• Reduced Costs of Operation and Ownership
  – Hundreds of millions saved to date*
• Improved System Performance
• Common platform for COTS/GOTS applications leads to more rapid development and testing
* SDC linked with Enterprise License Agreement and Commodity Purchasing Efforts
12
Enterprise Client PC Hardware
Step 1: USAF Quarterly Enterprise Buy (QEB) Standards – 700K purchased since Aug 2003; $200M+ avoidance
Enterprise Licensing and Services
Step 2: USAF Enterprise License Agreements – Implemented in Jul – Sep 2004; $100M+ savings by 2010
Enterprise Client, Server, and Active Directory Configurations
Step 3: USAF Standard Desktop Configuration – AF-wide implementation in 2006; Servers 2008
Enterprise Configuration and Patch Management
Step 4: USAF Enterprise Configuration Management processes – Implementation 2006-2008
Comply and Connect Enforcement
Step 5: USAF Comply, Connect and Remediate policy and processes – Incremental improvements 2006-2009
Security As Part of IT Commodity Life Cycle Management
Incremental Improvements in End Point and Server Capability and Security
13
AF Standard Desktop Configuration → FDCC
• Adopt AF-validated standard desktop concept
• OMB mandate for Federal Desktop Core Configuration (FDCC)—March 2007
• Security Content Automation Protocol (SCAP)
  – Validate configuration
  – Check/remediate patching
  – Asset management
  – Standard vulnerability list
Expanded across Federal government and extended automation support
14
Continued Evolution of “Aha” Realization:
The Consensus Audit Guidelines (CAG)
• Ensure that investments are focused to counter highest threats — pick a subset
• Leverage offense to inform defense – focus on high payoff areas
• Maximize use of automation to enforce security controls — negate human errors
• Use consensus process to ensure best ideas
Focus investments by letting cyber offense inform defense!
15
Next Steps -- Cyber Security Commission Recommendation
• Mandate “locked-down” configurations for all software delivered to the government
• Build on existing efforts (e.g., NIST, BITS, FERC, NIAP, CIS)
  – Public-private partnership to develop guidelines
• Self-certification by software vendors
  – Satisfy security guidelines
  – Do not “unlock” security of other software
Expand FDCC Concept to all Software Products
16
Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security and management properties of every device in a network.
• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information. (Enables tool interoperability)
• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
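What the SCAP-style validation on this slide (and the CVE/OVAL validation tooling on slide 10) automates, shown as an added Python illustration that is not part of the original slides: a constructed XCCDF-like benchmark of four settings is evaluated against a constructed snapshot of one host, and each rule is reported as pass, fail or unknown. The rule ids, setting names and values are invented for the example and are not FDCC, NIST or MITRE content.

```python
import xml.etree.ElementTree as ET

# Constructed benchmark in an XCCDF-like shape; rule ids, setting names and
# values are illustrative and not taken from FDCC or any NIST content.
BENCHMARK_XML = """<Benchmark id="constructed-desktop-baseline">
  <Rule id="pw-min-length" severity="high">
    <check setting="MinimumPasswordLength" op="at_least" value="12"/>
  </Rule>
  <Rule id="autorun-disabled" severity="medium">
    <check setting="NoDriveTypeAutoRun" op="equals" value="255"/>
  </Rule>
  <Rule id="firewall-on" severity="high">
    <check setting="FirewallEnabled" op="equals" value="1"/>
  </Rule>
  <Rule id="guest-disabled" severity="low">
    <check setting="GuestAccountEnabled" op="equals" value="0"/>
  </Rule>
</Benchmark>"""

# Constructed snapshot of one host, as a settings collector would report it.
HOST_STATE = {
    "MinimumPasswordLength": "8",
    "NoDriveTypeAutoRun": "255",
    "FirewallEnabled": "1",
    # GuestAccountEnabled is absent: the collector could not read it.
}

def check_rule(check, state):
    """Return 'pass', 'fail' or 'unknown' for one <check> element."""
    observed = state.get(check.get("setting"))
    if observed is None:
        return "unknown"  # an unreadable setting is never reported as compliant
    expected = check.get("value")
    if check.get("op") == "at_least":
        return "pass" if int(observed) >= int(expected) else "fail"
    return "pass" if observed == expected else "fail"

def evaluate_benchmark(xml_text, state):
    """Evaluate every Rule; returns {rule_id: (severity, result)}."""
    root = ET.fromstring(xml_text)
    return {rule.get("id"): (rule.get("severity"), check_rule(rule.find("check"), state))
            for rule in root.findall("Rule")}

def compliance_score(results):
    """Fraction of rules that passed; 'unknown' counts as not compliant."""
    return sum(r == "pass" for _, r in results.values()) / len(results)

if __name__ == "__main__":
    for rule_id, (sev, result) in evaluate_benchmark(BENCHMARK_XML, HOST_STATE).items():
        print(f"{result:8} {sev:7} {rule_id}")
```

Real SCAP content carries far richer rule and check definitions, but the reporting discipline is the same: a setting that cannot be read is surfaced rather than scored as compliant.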
17
Security Standards Efforts: Security Content Automation Protocol (SCAP)
18
Security Standards Efforts: Next Steps*
* Making Security Measurable – The MITRE Corporation
19
Summary
• Need to fundamentally change business model for buying COTS software
  – Vendors deliver “secure” configuration of products
  – Use automated tools to validate security
• Integrate security with improved commodity supply chain management (planning, purchase, operations, disposal)
• Advancement of standards and related tools holds great promise for dramatic improvements to the IT supply chain
20
Contact Information
John [email protected]
703-503-3232
www.gilligangroupinc.com
Making Security Measurable
Bob Martin—MITRE Corporation