National Cyber Security Division US-CERT Overview (PowerPoint presentation, 28 slides)
Provided by: seanmca

Transcript and Presenter's Notes
1
National Cyber Security Division: US-CERT Overview
Department of Homeland Security, National Cyber Security Division, US-CERT Operations
February 24, 2006
3
Agenda
  • US-CERT
  • Strategic Operations
  • GFIRST
  • CISO Forum
  • CNDSP
  • Operations
  • Programs
  • Products
  • National Cyber Alert System
  • Situational Awareness
  • Federal Situational Awareness Program
  • Internet Awareness

4
NCSD vs. US-CERT
  • What is the difference?
  • The National Cyber Security Division is a division within the Department of Homeland Security
    • Under Secretary Chertoff's recently proposed DHS realignment plan, NCSD will report directly to a newly created Assistant Secretary for Cyber and Telecom
  • US-CERT is
    • A branch within NCSD
    • The operational arm of the NCSD
    • A partnership with the public and private sector
    • The manifestation of the CSTARC referenced in the Strategy to Secure Cyberspace

5
US-CERT
  • The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors to protect the nation's Internet infrastructure.
  • US-CERT coordinates defense against and responses to cyber attacks across the nation. US-CERT:
    • analyzes and reduces cyber threats and vulnerabilities
    • disseminates cyber threat warning information
    • coordinates incident response activities
  • US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public.

6
US-CERT Authorities
  • National Strategy to Secure Cyber Space
  • Federal Information Security Management Act
    (FISMA)
  • Homeland Security Presidential Directive 7
  • Homeland Security Act of 2002
  • National Security Presidential Directive 38

"Rapid identification, information exchange, and remediation can often mitigate the damage caused by malicious cyberspace activity. For those activities to be effective at a national level, the U.S. needs a partnership between government and industry to perform analysis, issue warnings, and coordinate response efforts." (National Strategy to Secure Cyberspace)
7
The National Strategy to Secure Cyberspace provides a framework articulating priorities to secure cyberspace:
  • National Cyberspace Security Response System
  • National Cyberspace Threat and Vulnerability Reduction Program
  • National Cyberspace Security Awareness and Training Program
  • Securing Governments' Cyberspace
  • International Cyberspace Security Cooperation

8
HSPD-7 identifies DHS/NCSD as a focal point for cyber security and as the lead for the cyber component of the National Infrastructure Protection Plan.
"The DHS Secretary shall maintain an organization to serve as a focal point for the security of cyberspace. The organization will facilitate interactions and collaborations between and among Federal departments and agencies, State and local governments, the private sector, academia and international organizations. The organization's mission includes analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems."
9
OMB Memorandum M-04-25 identifies US-CERT as the Federal Information Security Incident Center, the focal point for receipt of incident reporting for the federal government agencies.
§ 3546. Federal information security incident center
(a) IN GENERAL. The Director shall ensure the operation of a central Federal information security incident center to: (1) provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents; (2) compile and analyze information about incidents that threaten information security; (3) inform operators of agency information systems about current and potential information security threats, and vulnerabilities; and (4) consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems (including the National Security Agency), and such other agencies or offices in accordance with law and as directed by the President regarding information security incidents and related matters.
(b) NATIONAL SECURITY SYSTEMS. Each agency operating or exercising control of a national security system shall share information about information security incidents, threats, and vulnerabilities with the Federal information security incident center to the extent consistent with standards and guidelines for national security systems, issued in accordance with law and as directed by the President.
10
NCSD Organization Chart
Chart boxes recovered from the slide text:
  • Office of Director
  • Operations: Situational Awareness; Strategic Operations
  • NCRCG; Strategic Planning, Milestones, Progress Report; Policy; International; Privacy
  • Human Resources; Budget/Contracts; Office Management; COOP; PCII
  • CIP Cyber Security: Control Systems; Software Assurance; Training and Education; Exercise Planning and Coordination; Standards and Best Practices; R&D Coordination
  • Outreach and Awareness; International Affairs and Public Policy
  • Intel Requirements; LE Coordination
11
Strategic Operations
  • Government Forum of Incident Response and Security Teams (GFIRST)
    • Community of 50 federal agency Incident Response Teams
    • Teams work together to secure the federal government
    • Collaborate during on-going cyber activities for technical analysis and information sharing amongst the government
    • Technical analysis aids in forcing vendors to release critical patches much earlier than vendors intend
    • Technical analysis has identified previously unseen or unidentified cyber phenomena on multiple occasions
    • Held first annual conference in April 2005; second planned for April 2006

12
Strategic Operations (cont'd)
  • Chief Information Security Officers (CISO) Forum
    • Community of 50 CISOs from small, medium, and large Federal Departments/Agencies
    • Trusted venue to interact, discuss, and resolve concerns
    • Share effective practices, initiatives, and capabilities
    • Meets quarterly and stands up separate working groups on an as-needed basis
    • Initial working groups were focused on reporting, response, and management
    • Recommends federal policy changes to the CIO Council/OMB

13
Strategic Operations (cont'd)
  • Computer Network Defense Service Provider (CNDSP) Accreditation Program
    • Provides clear performance metrics and consistency across Federal Civilian Agency Incident Response Teams
    • Establishes a mechanism to ensure adequate funding and manpower to detect, report, and remediate incidents
    • Program is similar to the DoD program but focused specifically on Federal Civilian Agency use

14
Operations
Incident Handling
  • 24x7x365 HSOC triage support to federal, public,
    and private sectors
  • Monitors cyber security events available from
    various sources
  • Compiles and coordinates US-CERT reports for
    dissemination
  • Provides cyber situational awareness to the HSOC
    Senior Watch Officer

Analysis
  • Provide fused current and predictive cyber
    analysis based on reporting
  • Correlates incident data from a myriad of
    disparate reporting sources
  • Provides on-site Incident Response capabilities
    to federal and state
  • Provides technical support to HSOC on all
    on-going cyber incidents

Malware
  • Provides behavioral techniques for dynamic and static analysis
  • Reviews malicious code for "novel" attacks (i.e., do we already know it?)
  • Supports forensic investigations with cursive analysis on artifacts
  • Provides on-site malware analytic and recovery support
  • Provides technical support to HSOC on all on-going cyber incidents

Information Services
  • Provides operational output content, design, and
    development
  • Overall design and implementation of US-CERT
    public facing website
  • Provides support to NCSD with distribution of
    divisional products
  • Develops and participates in national and
    international level exercises
  • Interacts and provides operational international
    support for US-CERT

15
Operations
  • Maintains a 24x7x365 Incident Handling capability
    within the Homeland Security Operations Center
    providing operational support for monitoring the
    status of systems and networks and responding to
    cyber incidents.
  • Provides the operations interface to National
    Cyber Response Coordination Group (NCRCG), which
    is part of the DHS Interagency Incident
    Management Group (IIMG).
  • Conducts malicious code analysis on "zero-day" code; provides malware technical and fly-away support as needed; and conducts cyber threat and vulnerability analysis.
  • Utilizes a situational awareness program to
    collect, correlate, analyze, and share computer
    security information across the Federal civilian
    government and an Internet Health and Status
    service used by 50 government agency Computer
    Security Incident Response Centers.
  • Manages programs for communication and
    collaboration among public agencies and key
    network defense service providers

16
Operations Branch: Current Challenges
  • Inconsistent detection, analysis, and information sharing across the federal agencies
  • Manual reporting of cyber security information between federal agencies and US-CERT is neither timely nor accurate
  • No automated information sharing about cyber attacks, and no method for determining the targeting of, or the effect on, Internet critical infrastructures
  • Experience with recent cyber attacks demands that effective situational awareness and defenses require automation

18
The Good Ole Days
19
The New Net
20
Cyberspace and physical space are becoming one
Critical Infrastructure Challenges
  • Transportation
    • 120,000 miles of railroad
    • 590,000 highway bridges
    • 2 million miles of pipeline
    • 300 ports
  • Banking and Finance
    • 26,600 FDIC institutions
  • Postal and Shipping
    • 137M delivery sites
  • Key Assets
    • 5,800 historic buildings
    • 104 nuclear power plants
    • 80K dams
    • 3,000 government facilities
    • 460 skyscrapers
  • Agriculture and Food
    • 1.9 million farms
    • 87,000 food processing plants
  • Water
    • 1,800 federal reservoirs
    • 1,600 treatment plants
  • Public Safety and Health
    • 5,800 registered hospitals
    • 6,500 Emergency Operation Centers (911)
  • Chemical Industry
    • 66,000 chemical plants
  • Telecomm
    • 2 billion miles of cable
  • Energy
    • 2,800 power plants
    • 300,000 production sites

21
National Cyber Alert System
  • The National Cyber Alert System is America's
    first cohesive national cyber security system for
    identifying, analyzing, and prioritizing emerging
    vulnerabilities and threats. Managed by the
    US-CERT, the system relays computer security
    update and warning information to all users.
  • It provides all citizens, from computer security professionals to home computer users with basic skills, with free, timely, actionable information to better secure their computer systems.
  • www.us-cert.gov/cas

22
Products
  • Technical Alerts
  • Non Technical Alerts
  • Cyber Security Bulletins
  • Cyber Security Tips
  • Vulnerability Notes
  • Federal Information Notices (Federal Agency
    Notices)
  • Critical Infrastructure Information Notices
    (Private Sector Notices)
  • Daily, Quarterly, and Annual Trends and Analysis Reports
  • Products of the National Cyber Alert System

23
Federal Information Notices (FIN)
  • Information on vulnerabilities, incidents and
    malicious code specifically written to notify
    the federal agencies
  • Offers explanations and insight of issues that
    might not be significant enough, at that time, to
    trigger a US-CERT Alert
  • Target audience includes federal agency:
    • Incident Response Teams (CSIRC/CERT)
    • CISOs
    • CIOs
    • Security professionals
    • System and network administrators

24
Situational Awareness: Initiative for Building Situational Awareness Across the Federal Government
  • US-CERT Einstein Program: an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government.
  • Allows US-CERT to generate a cross-governmental trends analysis.
  • Will help to identify configuration problems, unauthorized network traffic, network backdoors, routing anomalies, network scanning activities, and baseline network traffic patterns.
  • Analysis will provide US-CERT with an accurate and aggregate picture of the health of the Federal Government (.gov) domain in near real-time, and an aggregate comparison of that health against the Internet as a whole.
  • Allows US-CERT to accomplish its mission as computer incident manager for federal civilian agencies.

25
Situational Awareness (cont'd): Internet Situational Awareness
  • US-CERT is also working to help determine scope
    and impact of attacks occurring across the
    Internet, not only targeting the US Critical
    Infrastructure, but globally as well.
  • US-CERT is currently developing, evaluating, and
    testing multiple products that not only provide
    the current state of the Internet, but also
    provide actionable information that Federal
    agencies can operationally act upon.

27
Contact
  • Technical comments or questions: US-CERT Security Operations Center
    Email: soc@us-cert.gov
    PGP/GPG key: 0xADC4BCED
    Fingerprint: 02FD 5294 A076 0ACE BEB1 929B 3730 09F3 ADC4 BCED
    Phone: 1-888-282-0870
  • General questions or suggestions: US-CERT Information Request
    Email: info@us-cert.gov
    PGP/GPG key: 0x0A1E0DF7
    Fingerprint: CFE4 9D1D 6897 44B3 9B85 B25A F575 177B 0A1E 0DF7
    Phone: 1-703-235-5110
  • Information available at http://www.us-cert.gov/contact.html
