May 4, 2009 1 2/7/20141 Stevens Institute of Technology Security Systems Engineering Jennifer Bayuk...

Page 1:

Stevens Institute of Technology
Security Systems Engineering

Jennifer Bayuk
Cybersecurity Program Director
School of Systems and Enterprises
[email protected]

Page 2:

Stevens Institute Security Research

National Center for Secure and Resilient Maritime Commerce
Naval Security Infrastructure Technology Laboratory
Center for the Advancement of Secure Systems and Information Assurance
National Cybersecurity Center of Excellence in Information Assurance Education
National Cybersecurity Center of Excellence in Information Assurance Research
Leader of the DoD University Affiliated Research Center for Systems Engineering
Systems Security Core Research Topic

Why a new focus on Systems Engineering Security?

Page 3:

The Problem

[Diagram: the current attacker path to data through a layered enterprise network. Labels include VPN, Remote Access Server, Policy Servers, Certificate Authority, AntiVirus Mgmt, Personal Computers, User Workstation, User Terminal, Mainframe, LAN, Multiplexor, Time Sharing or Bulletin Board Service, Modem, Internet, Router, External Servers, Physical Perimeter, Email Server, Server Farm, Firewall, Web Servers, Procedure, Proxy Server, IDS, IPS, Isolate and Harden Servers, SIM, WAF, Content Filters, EXTERNAL THREATS, Wireless, Token Admin, Secure Storage, Key Management, Online Services and Outsourcing Arrangements, Identity Mgmt.]

Page 4:

SERC Security Engineering Research Roadmap

1. Define systems security
2. Measure systems security
3. Devise system security frameworks
4. Improve the proficiency of the security engineering workforce

Page 5:

1. Define systems security

Reassess periphery models
Focus on whole systems
Examine interfaces and interactions
Understand similarities and differences across domains

Security Roadmap

Page 6:

2. Measure systems security

Achievable and comparable security attributes

Outcome-based rather than vulnerability-based

Identify systemic value of currently available control standards

Identify and measure trade-offs with respect to security features

Security Roadmap

Page 7:

3. Devise systems security frameworks

Include policy, process and technology
Provide basis for evaluation
New classes of system-level solutions
Security-receptive architectures

Security Roadmap

Page 8:

4. Improve the proficiency of the security engineering workforce

Encourage and educate workforce
Operational security requirements
Community force multipliers
Engage stakeholders

Security Roadmap

Page 9:

Systemigram software from: Boardman and Sauser, Systems Thinking: Coping with 21st century problems, Taylor & Francis, 2008.

Example: Systemic Security

Page 10:

Example System

Page 11:

Metaphorical Construct

Page 12:

Discovery

ISO 27005:2008 Security Risk Assessment Task Order:

1. Identification of assets
2. Identification of threats
3. Identification of existing controls
4. Identification of vulnerabilities
5. Identification of consequences

Page 13:

Questions? Discussion?

Follow-up: [email protected]