Mr. Richard C. (Dick) Schaeffer, Jr. - PowerPoint PPT Presentation

About This Presentation

Title: Mr. Richard C. (Dick) Schaeffer, Jr.

Description: Critical applications and functions are increasingly executed in the network ... No single government body has cognizance over the end-to-end architecture ... – PowerPoint PPT presentation

Number of Views: 36
Avg rating: 3.0/5.0
Slides: 27
Provided by: jonathant

Transcript and Presenter's Notes

Title: Mr. Richard C. (Dick) Schaeffer, Jr.


1
(No Transcript)
2
Mr. Richard C. (Dick) Schaeffer, Jr.
Information Assurance Director, National Security Agency
3
Information Assurance: UK and US Government Strategies to Defend Against the Cyber Threat
Mr. Richard C. (Dick) Schaeffer, Jr., Information Assurance Director, National Security Agency
18 June 2008
This Briefing is Unclassified
4
Observations
  • Critical applications and functions are
    increasingly executed in the network
  • Networks increasingly provide the foundation for
    critical operations in business and government
  • No single government body has cognizance over the
    end-to-end architecture
  • The private sector is driving the architecture
    and security
  • Commercial-off-the-shelf technology is innovating
    rapidly (e.g. Moore's Law and Metcalfe's Law),
    with exposure and loss of intellectual property
    following suit

5
Trends
  • User devices are increasingly inexpensive,
    powerful, portable, and versatile enough to
    incorporate many operating systems and programs
    thus making them more vulnerable to attack
  • Virtually everything we buy contains foreign
    components
  • Processing that is done on the machine today is
    moving onto the network
  • Specifications and standards are targeted at
    narrow slices of the technical architecture

6
Transform the Information Assurance Mission
  • Improve the security of Commercial Technology
  • Influence all stakeholders
  • Practitioners, Buyers, Users, Suppliers,
    Authorities
  • Increase partnership
  • Build a Knowledge vs. Product Business
  • Bring a dynamic, operational focus

7
To Gain Assurance, We Must
  • Organize the data generators
  • Standardize the raw data
  • Translate into something useful upstream
  • Link to other business areas
  • e.g., network management, compliance

8
Secure The Desktop
  • Over the past 18 months, two major initiatives
    have changed the landscape of the Secure Desktop
  • Federal Desktop Core Configuration (FDCC)
  • Security Content Automation Protocol (SCAP)
  • In addition, OMB directed all Federal Departments
    and Agencies to
  • Adopt standard security configurations for the
    desktop
  • Implement automated enforcement of the
    configurations

9
FDCC
  • Defines standard security Configurations for
    Windows XP and Vista, Internet Explorer (IE 7),
    and firewall settings
  • Based on work by NSA, DISA, DHS, NIST, Army,
    Navy, Air Force, Marines, and Microsoft beginning
    in 2005 (XP) and Nov 2006 (Vista)
  • Windows XP and IE 7 now in use by the Air Force
  • Windows Vista and IE 7 configuration, based on
    FDCC, presented to the DoD CIO Executive Board on
    April 12, 2007; now in testing by all Services
  • Adopted by OMB as Federal-wide standard
  • Includes security, performance, power management,
    feature, compatibility and usability
    configuration settings
  • Platforms being acquired pre-configured and
    pre-tested
  • Configurations can be validated AND enforced
    through automated network policies

10
DoD FDCC
  • Joint Service and Agency initiative NSA,
    DISA, Army, Navy, Air Force, Marine Corps
  • In collaboration with industry!
  • > 5,000 man-hours invested to arrive at consensus
  • Individual Services performed operational testing
    on standard configuration to validate
    recommendations
  • Currently, over 250,000 desktops deployed
  • Number grows every day

11
FDCC Benefits
  • Implements proven Best Practices,
    enterprise-wide
  • Consistent settings for security, performance,
    power management, etc.
  • Consistent platform for purchased or developed
    software
  • Supports Federal policies and regulations
  • Enables automated SCAP compliance
  • Government and industry supported
  • Balances security and usability
  • Minimizes support calls to already overworked
    help desks

12
DoD Specific Benefits
  • Implements proven Best Practices,
    enterprise-wide
  • Consistent settings for security, performance,
    power management, etc.
  • Restricted system access privileges
  • IE 7 runs in protected mode on Vista; really a
    security update to XP
  • Windows Services Hardening and Memory
    Randomization
  • Firewall (inbound and outbound) that can be
    controlled through a group policy
  • 600 new group policy settings controllable by
    network operators
  • BitLocker disk drive encryption
  • Improved Power Management and management of
    installation and use of devices

13
Additional Information
14
Security Content Automation Protocol (SCAP)
  • Standardizing what we communicate: Protocol
  • Standardizing the information we communicate:
    Content
  • Leveraging existing Federal Content
  • NIST's Security Configuration Checklists Program
  • National Vulnerability Database

15
What is SCAP?
What: Standardizing the information we communicate
(Content)
How: Standardizing the format by which we
communicate (Protocol)
  • http://nvd.nist.gov
  • 20 new vulnerabilities per day
  • Mis-Configuration cross references
  • Reconciles software flaws from U.S.
  • CERT and Mitre repositories
  • Produces XML feed for NVD content
  • 50 million hits per year

16
SCAP (Continued)
  • ... to automate compliance, manage
    vulnerabilities and perform security measurement

UNCLASSIFIED
17
Standardization
Cisco, Qualys, Symantec, Carnegie Mellon University
18
Integrating IT and Security Through SCAP
Vulnerability Management
  • Common Vulnerability Enumeration (CVE)
  • Common Platform Enumeration (CPE)
  • Common Configuration Enumeration (CCE)
  • eXtensible Checklist Configuration Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL)
  • Common Vulnerability Scoring System (CVSS)
Configuration Management
Asset Management
Compliance Management
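The slides above describe SCAP as a set of shared vocabularies (CVE, CPE, CCE, XCCDF, OVAL, CVSS) that let checklist content be evaluated automatically and rolled into a measurement. The following is an added example, not code from the briefing or from NIST: it evaluates a small, constructed XCCDF-style benchmark against a constructed host snapshot and produces a severity-weighted compliance score. The XML borrows XCCDF's Benchmark/Rule/check vocabulary but is a simplified format of this example's own, not the real XCCDF schema; the CCE-style identifiers (CCE-0000-1 and so on) and the host settings are likewise made up here and are not real CCE entries.

```python
"""
Added example (not from the briefing): a toy SCAP-style compliance check.

Constructed parts, none of them real SCAP content:
- BENCHMARK_XML is a simplified format that borrows XCCDF's
  Benchmark/Rule/check vocabulary; it is not the real XCCDF schema.
- The CCE-style identifiers and the host settings are made up.
"""
import xml.etree.ElementTree as ET

BENCHMARK_XML = """
<Benchmark id="constructed-desktop-baseline">
  <Rule id="rule-firewall" severity="high" cce="CCE-0000-1">
    <title>Firewall must be enabled for all profiles</title>
    <check setting="firewall.enabled" op="equals" value="true"/>
  </Rule>
  <Rule id="rule-min-pw" severity="medium" cce="CCE-0000-2">
    <title>Minimum password length must be at least 12</title>
    <check setting="password.min_length" op="at_least" value="12"/>
  </Rule>
  <Rule id="rule-autorun" severity="high" cce="CCE-0000-3">
    <title>AutoRun must be disabled</title>
    <check setting="autorun.enabled" op="equals" value="false"/>
  </Rule>
  <Rule id="rule-bitlocker" severity="medium" cce="CCE-0000-4">
    <title>Drive encryption must be enabled</title>
    <check setting="bitlocker.enabled" op="equals" value="true"/>
  </Rule>
</Benchmark>
"""

# Constructed host snapshot, shaped the way a settings collector might
# report it. bitlocker.enabled is deliberately absent to show how an
# unreadable setting is treated.
HOST_SETTINGS = {
    "firewall.enabled": "true",
    "password.min_length": "8",
    "autorun.enabled": "false",
}

# Weights used for the score; chosen for this example, not an SCAP value.
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}


def evaluate_check(check, settings):
    """Return 'pass', 'fail' or 'unknown' for one <check> element."""
    setting = check.get("setting")
    if setting not in settings:
        return "unknown"          # collector could not read this setting
    actual, expected, op = settings[setting], check.get("value"), check.get("op")
    if op == "equals":
        return "pass" if actual == expected else "fail"
    if op == "at_least":
        try:
            return "pass" if int(actual) >= int(expected) else "fail"
        except ValueError:
            return "unknown"      # non-numeric value where a number was expected
    raise ValueError(f"unsupported op {op!r}")


def evaluate_benchmark(xml_text, settings):
    """Evaluate every Rule in document order; return a list of result dicts."""
    root = ET.fromstring(xml_text)
    results = []
    for rule in root.findall("Rule"):
        results.append({
            "rule": rule.get("id"),
            "cce": rule.get("cce"),
            "severity": rule.get("severity"),
            "title": rule.findtext("title"),
            "result": evaluate_check(rule.find("check"), settings),
        })
    return results


def weighted_score(results):
    """Percentage of achievable severity weight earned by passing rules.

    'unknown' results earn nothing, so a setting the collector could not
    read counts against the score rather than silently inflating it.
    """
    total = sum(SEVERITY_WEIGHT[r["severity"]] for r in results)
    earned = sum(SEVERITY_WEIGHT[r["severity"]]
                 for r in results if r["result"] == "pass")
    return round(100.0 * earned / total, 1) if total else 0.0


if __name__ == "__main__":
    res = evaluate_benchmark(BENCHMARK_XML, HOST_SETTINGS)
    for r in res:
        print(f"{r['result']:8} {r['severity']:7} {r['cce']}  {r['title']}")
    print("score:", weighted_score(res))
```

Run as a script it prints one line per rule and the score. The design point worth keeping from this toy is the three-valued result: a rule whose evidence is missing is reported as "unknown" and scored as not passing, which is what keeps automated measurement honest when a collector cannot reach a setting.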
19
Existing Federal Content
Standardizing What We Communicate
  • In response to NIST being named in the Cyber
    Security R&D Act of 2002
  • Encourages vendor development and maintenance of
    security guidance
  • Currently hosts 112 separate guidance documents
    for over 125 IT products
  • Translating this backlog of checklists into the
    Security Content Automation Protocol (SCAP)
  • Participating organizations DISA, NSA, NIST,
    Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple,
    Microsoft, Citadel, LJK, Secure Elements,
    ThreatGuard, MITRE Corporation, G2, Verisign,
    Verizon Federal, Kyocera, Hewlett-Packard,
    ConfigureSoft, McAfee, etc.
  • Over 4 million hits per month
  • About 20 new vulnerabilities per day
  • Mis-configuration cross references to
  • NIST SP 800-53 Security Controls
  • DoD IA Controls
  • DISA VMS Vulnerability IDs
  • Gold Disk VIDs
  • DISA VMS PDI IDs
  • NSA References
  • DCID
  • ISO 17799
  • Reconciles software flaws from
  • US CERT Technical Alerts
  • US CERT Vulnerability Alerts (CERTCC)
  • MITRE OVAL Software Flaw Checks
  • MITRE CVE Dictionary
  • Produces XML feed for NVD content

20
Govt Contributors
SCAP Infrastructure, Beta tests, Use Cases, and
Early Adopters
DHS
OMB
IC
OSD
DISA
DOJ
EPA
Army
NIST
DOS
NSA
21
Industry Contributors
Ai Metrix
Product Teams and Content Contributors
22
Information Assurance in the News
23
Keys to Govt/Private Partnership
  • Bring content
  • and good people to the conversation
  • Equip and organize the stakeholders
  • esp. the Buyers
  • Abstract the interfaces

24
Summary
  • Dramatic progress in addressing long-standing
    challenges; close collaboration between government
    and industry
  • Need to implement, develop lessons learned,
    improve best practices, update
  • Still a LONG way to go!!

25
To learn more...
  • NSA Security Guidance
  • http://www.nsa.gov/snac/
  • The Security Content Automation Program
  • http://nvd.nist.gov/scap/scap.cfm
  • Common Vulnerability Exposures
  • http://cve.mitre.org
  • The Center for Internet Security
  • http://cisecurity.org

26
(No Transcript)
27
(No Transcript)