Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain


Transcript of Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain

Page 1: Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain


Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain

John M. Gilligan, Gilligan Group, Inc.

May 5, 2009

Protecting the Resiliency of the Supply Chain

Page 2


Topics

• Background
• The “Good Old Days”—Status Quo
• The “Aha” Moment
• Standard Desktop becomes Federal Desktop
• Next steps
  – Cyber Security Commission Recommendation
  – Evolving Standards
• Summary

Page 3


Relevant Background

• Air Force
  – 700,000 Unclassified Desktops
  – 60,000 Classified Desktops
  – IT Spending $7B; Security Spending of $700M
• Federal Government
  – Approximately 4 million desktops
  – IT Spending $60B; Security Spending of $5B
• National Institute of Standards and Technology (NIST) provides IT security standards/guidance

Page 4


Air Force CIO Observations Regarding Software Security

• Spending more to “patch and fix” software systems than to purchase them

• SW vendor contract terms—no warranties, no standards, and no legal precedents for remedy

• AF IT purchasing is ad hoc (and expensive)
• Air Force is the largest enterprise buyer for many vendors

COTS software business model is fundamentally broken!

Page 5

From National Institute of Standards and Technology briefing: http://nvd.nist.gov/scap.cfm

NIST provides a lot of guidance in security—is it addressing the right problem?

Page 6


The CIO’s Cyber Security Dilemma

• There are only so many resources available to be allocated against all IT priorities

• There is no such thing as perfect cyber security
• Finding flaws in cyber security implementation is a “target rich” environment

How much security is enough, and where should investments be applied?

Page 7


How to Assess Effective Security

GAO Reports?
Congressional FISMA Grades?
Percentage of Systems Certified?
Number of Systems with Contingency Plans?
Agency Auditor Reports?

The threat is increasing! Are we focusing on the right things?

"Pentagon Shuts Down Systems After Cyber-Attack"

Malicious scans of DoD increase 300%!

Page 8


An “Aha” Moment!

• Scene: 2002 briefing by NSA regarding latest penetration assessment of DoD systems

• Objective: Embarrass DoD CIOs for failure to provide adequate security.

• Subplot: If CIOs patch/fix current avenues of penetration, NSA would likely find others

• Realization: Let’s use NSA’s offensive capabilities to guide security investments

Let “Offense Inform Defense”!

Page 9


AF Standard Desktop Concept

• NSA “Offensive Team” briefings to Air Force on attack patterns and vulnerabilities exploited
• ~80% of vulnerabilities tied to incorrectly configured COTS software
• Joint effort by NSA, NIST, DISA, DHS, CIS, Microsoft to create Standard Desktop Configuration (SDC) for Microsoft Windows/Office/IE

Address the source of the biggest problem—and do it in the supply chain!

Page 10


Secure Desktop Configuration

• Defined ~600 security configuration settings for Windows XP and Vista (out of 4477)
  – Leveraged prior work by MS, NIST, CIS, NSA, DISA
• Protocols and software tools to validate implementation – CVE/OVAL
• Phased implementation (2005-2007)
  – Senior-level governance process

Software delivered from hardware vendors in “locked down” configuration

Page 11


AF Standard Desktop Configuration Results

• Improved Security
  – Drop in security events
  – Reduced patching time from 57 days to 72 hours
• Reduced Costs of Operation and Ownership
  – Hundreds of millions saved to date*
• Improved System Performance
• Common platform for COTS/GOTS applications leads to more rapid development and testing

* SDC Linked with Enterprise License Agreement and Commodity Purchasing Efforts

Page 12


Enterprise Client PC Hardware

Step 1: USAF Quarterly Enterprise Buy (QEB) Standards – 700K purchased since Aug 2003; $200M+ avoidance

Enterprise Licensing and Services

Step 2: USAF Enterprise License Agreements – Implemented in Jul – Sep 2004; $100M+ savings by 2010

Enterprise Client, Server, and Active Directory Configurations

Step 3: USAF Standard Desktop Configuration – AF wide implementation in 2006; Servers 2008

Enterprise Configuration and Patch Management

Step 4: USAF Enterprise Configuration Management processes – Implementation 2006-2008

Comply and Connect

Enforcement

Step 5: USAF Comply, Connect and Remediate policy and processes – Incremental improvements 2006-2009

Security As Part of IT Commodity Life Cycle Management

Incremental Improvements in End Point and Server Capability and Security


Page 13


AF Standard Desktop Configuration to FDCC

• Adopt AF-validated standard desktop concept
• OMB mandate for Federal Desktop Core Configuration (FDCC)—March 2007
• Security Content Automation Protocol (SCAP)
  – Validate configuration
  – Check/remediate patching
  – Asset management
  – Standard vulnerability list

Expanded across Federal government and extended automation support

Page 14


Continued Evolution of “Aha” Realization:

The Consensus Audit Guidelines (CAG)

• Ensure that investments are focused to counter highest threats — pick a subset

• Leverage offense to inform defense – focus on high payoff areas

• Maximize use of automation to enforce security controls — negate human errors

• Use consensus process to ensure best ideas

Focus investments by letting cyber offense inform defense!

Page 15


Next Steps--Cyber Security Commission Recommendation

• Mandate “Locked-down” configurations for all software delivered to the government

• Build on existing efforts (e.g., NIST, BITS, FERC, NIAP, CIS)
  – Public-private partnership to develop guidelines
• Self-certification by software vendors
  – Satisfy security guidelines
  – Do not “unlock” security of other software

Expand FDCC Concept to all Software Products

Page 16


Security Content Automation Protocol (SCAP)

• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security and management properties of every device in a network.

• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information. (Enables tool interoperability)

• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.

SCAP Enables Automated Tools To Implement And Enforce Secure Operations
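The two automated steps this deck keeps returning to, validating a host against a "locked-down" baseline (page 13) and confirming that a newly installed product has not "unlocked" settings belonging to other software (page 15), can be shown in miniature. The Python below is an added example written for this transcript; it is not code from the presentation, NIST or MITRE, and it is not an SCAP, XCCDF or OVAL implementation. The baseline rules, severities, comparison operators and the two host snapshots are constructed placeholders, not FDCC or SDC content.

```python
"""Toy baseline-compliance checker illustrating the SCAP "validate, report,
remediate" loop described in the slides.  Added example: all rule names,
severities and host snapshots below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable

# A rule compares the observed value to the baseline value with one of these
# operators; "ge"/"le" express thresholds such as "at least 12 characters".
_OPS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda observed, expected: observed == expected,
    "ge": lambda observed, expected: observed >= expected,
    "le": lambda observed, expected: observed <= expected,
}

_SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}  # hypothetical scale


@dataclass(frozen=True)
class Rule:
    setting: str         # configuration key as reported by the host's scanner
    expected: Any        # value or threshold the baseline requires
    severity: str        # high / medium / low
    compare: str = "eq"  # key into _OPS

    def satisfied_by(self, observed: Any) -> bool:
        return _OPS[self.compare](observed, self.expected)


# Constructed baseline standing in for a locked-down desktop configuration.
BASELINE: tuple[Rule, ...] = (
    Rule("firewall.enabled", True, "high"),
    Rule("autorun.enabled", False, "high"),
    Rule("password.min_length", 12, "medium", "ge"),
    Rule("guest_account.enabled", False, "medium"),
    Rule("screensaver.lock_timeout_min", 15, "low", "le"),
)


@dataclass
class Report:
    passed: list[str] = field(default_factory=list)
    failed: list[tuple[Rule, Any]] = field(default_factory=list)  # (rule, observed)
    missing: list[str] = field(default_factory=list)  # setting the scanner did not report

    def score(self) -> float:
        """Fraction of baseline rules satisfied; an unreported setting counts as a failure."""
        total = len(self.passed) + len(self.failed) + len(self.missing)
        return len(self.passed) / total if total else 0.0


def check_host(observed: dict[str, Any], baseline: tuple[Rule, ...] = BASELINE) -> Report:
    """Evaluate one host's reported settings against every rule in the baseline."""
    report = Report()
    for rule in baseline:
        if rule.setting not in observed:
            report.missing.append(rule.setting)
        elif rule.satisfied_by(observed[rule.setting]):
            report.passed.append(rule.setting)
        else:
            report.failed.append((rule, observed[rule.setting]))
    return report


def remediation_plan(report: Report) -> list[str]:
    """Human-readable fixes ordered highest severity first, plus coverage gaps."""
    ordered = sorted(report.failed, key=lambda f: _SEVERITY_ORDER[f[0].severity])
    lines = [f"[{r.severity}] {r.setting}: expected {r.compare} {r.expected!r}, observed {obs!r}"
             for r, obs in ordered]
    lines += [f"[unknown] {s}: not reported, verify scanner coverage" for s in report.missing]
    return lines


def detect_unlocked(before: dict[str, Any], after: dict[str, Any],
                    baseline: tuple[Rule, ...] = BASELINE) -> list[str]:
    """Settings compliant before a software install that are non-compliant afterwards.

    Snapshot, install, snapshot again, diff both against the baseline: this is the
    check behind the "do not unlock security of other software" requirement."""
    before_ok = set(check_host(before, baseline).passed)
    after_ok = set(check_host(after, baseline).passed)
    return [r.setting for r in baseline if r.setting in before_ok and r.setting not in after_ok]


# Constructed snapshots of one machine before and after a hypothetical installer
# that re-enables AutoRun and relaxes the screen-lock timeout.
HOST_BEFORE = {"firewall.enabled": True, "autorun.enabled": False, "password.min_length": 14,
               "guest_account.enabled": False, "screensaver.lock_timeout_min": 10}
HOST_AFTER = dict(HOST_BEFORE, **{"autorun.enabled": True, "screensaver.lock_timeout_min": 60})

if __name__ == "__main__":
    rpt = check_host(HOST_AFTER)
    print(f"compliance: {rpt.score():.0%}")
    for line in remediation_plan(rpt):
        print(line)
    print("unlocked by install:", detect_unlocked(HOST_BEFORE, HOST_AFTER))
```

Real SCAP content expresses the rules as XCCDF benchmarks with OVAL checks and is far richer than a flat key/value dictionary, but the loop is the same: a machine-readable baseline, an automated scan, a scored report, and an ordered remediation list, with the pre- and post-install diff giving a vendor a concrete way to self-certify that its product leaves the rest of the configuration locked down.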

Page 17


Security Standards Efforts: Security Content Automation Protocol (SCAP)

Page 18


Security Standards Efforts: Next Steps*

* Making Security Measurable – The MITRE Corporation

Page 19


Summary

• Need to fundamentally change the business model for buying COTS software
  – Vendors deliver “secure” configuration of products
  – Use automated tools to validate security

• Integrate security with improved commodity supply chain management (planning, purchase, operations, disposal)

• Advancement of standards and related tools holds great promise for dramatic improvements to the IT Supply Chain

Page 20


Contact Information

John [email protected]

703-503-3232
www.gilligangroupinc.com

Making Security Measurable
Bob Martin—MITRE Corporation

[email protected]