Title: National Cyber Security Division USCERT Overview
National Cyber Security Division: US-CERT Overview
Department of Homeland Security, National Cyber Security Division, US-CERT Operations
February 24, 2006
Agenda
- US-CERT
- Strategic Operations
- GFIRST
- CISO Forum
- CNDSP
- Operations
- Programs
- Products
- National Cyber Alert System
- Situational Awareness
- Federal Situational Awareness Program
- Internet Awareness
NCSD vs. US-CERT
- What is the difference?
- The National Cyber Security Division is a division within the Department of Homeland Security
  - Under the DHS realignment plan recently proposed by Secretary Chertoff, NCSD will report directly to a newly created Assistant Secretary for Cyber and Telecom
- US-CERT is
  - A branch within NCSD
  - The operational arm of the NCSD
  - A partnership with the public and private sector
  - The manifestation of the CSTARC referenced in the National Strategy to Secure Cyberspace
US-CERT
- The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors to protect the nation's Internet infrastructure.
- US-CERT coordinates defense against and responses to cyber attacks across the nation. US-CERT
  - analyzes and reduces cyber threats and vulnerabilities
  - disseminates cyber threat warning information
  - coordinates incident response activities
- US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public.
US-CERT Authorities
- National Strategy to Secure Cyberspace
- Federal Information Security Management Act (FISMA)
- Homeland Security Presidential Directive 7
- Homeland Security Act of 2002
- National Security Presidential Directive 38

"Rapid identification, information exchange, and remediation can often mitigate the damage caused by malicious cyberspace activity. For those activities to be effective at a national level, the U.S. needs a partnership between government and industry to perform analysis, issue warnings, and coordinate response efforts." (National Strategy to Secure Cyberspace)
The National Strategy to Secure Cyberspace provides a framework articulating priorities to secure cyberspace:
- National Cyberspace Security Response System
- National Cyberspace Threat and Vulnerability Reduction Program
- National Cyberspace Security Awareness and Training Program
- Securing Governments' Cyberspace
- International Cyberspace Security Cooperation
HSPD-7 identifies DHS/NCSD as a focal point for cyber security and as the lead for the cyber component of the National Infrastructure Protection Plan.

"The DHS Secretary shall maintain an organization to serve as a focal point for the security of cyberspace. The organization will facilitate interactions and collaborations between and among Federal departments and agencies, State and local governments, the private sector, academia and international organizations. The organization's mission includes analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems."
OMB Memorandum M-04-25 identifies US-CERT as the Federal Information Security Incident Center, the focal point for receipt of incident reporting for the federal government agencies.

FISMA, 44 U.S.C. § 3546, Federal information security incident center:
(a) IN GENERAL. The Director shall ensure the operation of a central Federal information security incident center to
(1) provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents;
(2) compile and analyze information about incidents that threaten information security;
(3) inform operators of agency information systems about current and potential information security threats, and vulnerabilities; and
(4) consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems (including the National Security Agency), and such other agencies or offices in accordance with law and as directed by the President regarding information security incidents and related matters.
(b) NATIONAL SECURITY SYSTEMS. Each agency operating or exercising control of a national security system shall share information about information security incidents, threats, and vulnerabilities with the Federal information security incident center to the extent consistent with standards and guidelines for national security systems, issued in accordance with law and as directed by the President.
NCSD Organization Chart
(Chart image; box labels recovered from the slide, grouped as they appear:)
- NCRCG; Strategic Planning; Milestones Progress Report; Policy; International; Privacy; Human Resources; Budget/Contracts; Office Management; COOP; PCII; Office of Director
- Operations; Situational Awareness; Strategic Operations
- CIP Cyber Security; Control Systems; Software Assurance; Training, Education, Exercise Planning and Coordination; Standards and Best Practices; R&D Coordination
- Outreach and Awareness; International Affairs and Public Policy
- Intel Requirements; LE Coordination
Strategic Operations
- Government Forum of Incident Response and Security Teams (GFIRST)
  - Community of 50 federal agency incident response teams
  - Teams work together to secure the federal government
  - Collaborate during on-going cyber activities for technical analysis and information sharing amongst the government
  - Technical analysis has aided in pressing vendors to release critical patches much earlier than the vendors intended
  - Technical analysis has identified previously unseen or unidentified cyber phenomena on multiple occasions
  - Held first annual conference in April 2005; second planned for April 2006
Strategic Operations (cont'd)
- Chief Information Security Officers (CISO) Forum
  - Community of 50 CISOs from small, medium, and large Federal Departments/Agencies
  - Trusted venue to interact, discuss, and resolve concerns
  - Share effective practices, initiatives, capabilities
  - Meets quarterly and stands up separate working groups on an as-needed basis
  - Initial working groups were focused on reporting, response, and management
  - Recommends federal policy changes to the CIO Council/OMB
Strategic Operations (cont'd)
- Computer Network Defense Service Provider (CNDSP) Accreditation Program
  - Provides clear performance metrics and consistency across Federal Civilian Agency incident response teams
  - Provides a mechanism to ensure adequate funding and manpower to detect, report, and remediate incidents
  - Program similar to DoD's but focused specifically on Federal Civilian Agency use
Operations
Incident Handling
- 24x7x365 HSOC triage support to the federal, public, and private sectors
- Monitors cyber security events available from various sources
- Compiles and coordinates US-CERT reports for dissemination
- Provides cyber situational awareness to the HSOC Senior Watch Officer
Analysis
- Provides fused current and predictive cyber analysis based on reporting
- Correlates incident data from a myriad of disparate reporting sources
- Provides on-site incident response capabilities to federal and state entities
- Provides technical support to the HSOC on all on-going cyber incidents
Malware
- Provides behavioral techniques for dynamic and static analysis
- Reviews malicious code for novel attacks (i.e., "do we already know this?")
- Supports forensic investigations with cursory analysis of artifacts
- Provides on-site malware analytic and recovery support
- Provides technical support to the HSOC on all on-going cyber incidents
Information Services
- Provides operational output content, design, and development
- Overall design and implementation of the US-CERT public-facing website
- Supports NCSD with distribution of divisional products
- Develops and participates in national and international level exercises
- Interacts with and provides operational international support for US-CERT
Operations
- Maintains a 24x7x365 incident handling capability within the Homeland Security Operations Center, providing operational support for monitoring the status of systems and networks and responding to cyber incidents.
- Provides the operations interface to the National Cyber Response Coordination Group (NCRCG), which is part of the DHS Interagency Incident Management Group (IIMG).
- Conducts malicious code analysis on zero-day code, provides malware technical and fly-away support as needed, and conducts cyber threat and vulnerability analysis.
- Utilizes a situational awareness program to collect, correlate, analyze, and share computer security information across the Federal civilian government, and an Internet Health and Status service used by 50 government agency Computer Security Incident Response Centers.
- Manages programs for communication and collaboration among public agencies and key network defense service providers
Operations Branch: Current Challenges
- Inconsistent detection, analysis and information sharing across the federal agencies
- Manual reporting of cyber security information between federal agencies and US-CERT is neither timely nor accurate
- No automated information sharing about cyber attacks, and no method for determining the targeting of, or the effect on, Internet critical infrastructures
- Experience with recent cyber attacks demands automation: effective situational awareness and defenses require it
The Good Ole Days
The New Net
Cyberspace and physical space are becoming one
Critical Infrastructure Challenges
- Transportation
  - 120,000 miles of railroad
  - 590,000 highway bridges
  - 2 million miles of pipeline
  - 300 ports
- Banking and Finance
  - 26,600 FDIC institutions
- Postal and Shipping
  - 137 million delivery sites
- Key Assets
  - 5,800 historic buildings
  - 104 nuclear power plants
  - 80,000 dams
  - 3,000 government facilities
  - 460 skyscrapers
- Agriculture and Food
  - 1.9 million farms
  - 87,000 food processing plants
- Water
  - 1,800 federal reservoirs
  - 1,600 treatment plants
- Public Safety and Health
  - 5,800 registered hospitals
  - 6,500 Emergency Operation Centers (911)
- Chemical Industry
  - 66,000 chemical plants
- Telecomm
  - 2 billion miles of cable
- Energy
  - 2,800 power plants
  - 300,000 production sites
National Cyber Alert System
- The National Cyber Alert System is America's first cohesive national cyber security system for identifying, analyzing, and prioritizing emerging vulnerabilities and threats. Managed by US-CERT, the system relays computer security update and warning information to all users.
- It provides all citizens, from computer security professionals to home computer users with basic skills, with free, timely, actionable information to better secure their computer systems.
- www.us-cert.gov/cas
Products
- Technical Alerts
- Non-Technical Alerts
- Cyber Security Bulletins
- Cyber Security Tips
- Vulnerability Notes
- Federal Information Notices (Federal Agency Notices)
- Critical Infrastructure Information Notices (Private Sector Notices)
- Daily, Quarterly, and Annual Trends and Analysis Reports
- Products of the National Cyber Alert System
Federal Information Notices (FIN)
- Information on vulnerabilities, incidents and malicious code, specifically written to notify the federal agencies
- Offers explanations and insight into issues that might not be significant enough, at that time, to trigger a US-CERT Alert
- Target audience includes federal agency
  - Incident Response Teams (CSIRC/CERT)
  - CISOs
  - CIOs
  - Security professionals
  - System and network administrators
Situational Awareness: Initiative for Building Situational Awareness Across the Federal Government
- US-CERT Einstein Program: an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government.
- Allows US-CERT to generate a cross-governmental trends analysis.
- Will help to identify configuration problems, unauthorized network traffic, network backdoors, routing anomalies, network scanning activities, and baseline network traffic patterns.
- Analysis will provide US-CERT with an accurate and aggregate picture of the health of the Federal Government (.gov) domain in near real-time, and an aggregate comparison of that health against the Internet as a whole.
- Allows US-CERT to accomplish its mission as computer incident manager for federal civilian agencies.
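The slide lists what cross-governmental correlation is meant to surface (scanning activity, unauthorized traffic, deviation from a traffic baseline) but not how the aggregate view differs from what one agency sees on its own. The following is an added example, not Einstein's code and not US-CERT's: it correlates constructed flow-style records from three hypothetical agencies and shows a horizontal sweep that stays below threshold at every single agency yet is obvious once their flows are pooled, beside a vertical port scan and a port that is absent from the traffic baseline. Agency names, addresses (documentation ranges), thresholds and the baseline port mix are all assumptions.

```python
"""Cross-agency flow correlation: an added illustration of the analysis the
slide attributes to the Einstein program. All data is constructed; agency
names, addresses and thresholds are assumptions, not US-CERT data or code."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    agency: str   # constructed label of the reporting agency sensor
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    nbytes: int   # bytes transferred


# Constructed baseline: share of flows per destination port on an ordinary day.
BASELINE_PORT_MIX: Dict[int, float] = {443: 0.85, 25: 0.15}


def constructed_flows() -> List[Flow]:
    """Constructed sample flows; addresses come from documentation ranges."""
    flows: List[Flow] = []
    for idx, agency in enumerate(("AgencyA", "AgencyB", "AgencyC")):
        # Ordinary traffic: workstations reach a web server and a mail server.
        for i in range(1, 31):
            flows.append(Flow(agency, f"10.{idx}.0.{i}", "198.51.100.10", 443, 1500 + i))
            if i % 5 == 0:
                flows.append(Flow(agency, f"10.{idx}.0.{i}", "198.51.100.25", 25, 800))
        # One external host probes six hosts at every agency: low volume for
        # any single agency, a sweep of the whole .gov estate in aggregate.
        for j in range(1, 7):
            flows.append(Flow(agency, "203.0.113.7", f"10.{idx}.9.{j}", 22, 60))
    # A vertical port scan of a single host inside AgencyB.
    for port in range(1, 41):
        flows.append(Flow("AgencyB", "192.0.2.99", "10.1.1.1", port, 44))
    return flows


def detect_port_scans(flows: List[Flow], min_ports: int = 20) -> Dict[Tuple[str, str, str], int]:
    """Vertical scans: one source touching many ports on one host, keyed
    (agency, src, dst) -> number of distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.agency, f.src, f.dst)].add(f.dport)
    return {key: len(p) for key, p in ports.items() if len(p) >= min_ports}


def detect_host_sweeps(flows: List[Flow], min_hosts: int = 10,
                       by_agency: bool = False) -> Dict[str, dict]:
    """Horizontal sweeps: one source touching many distinct hosts.
    by_agency=True is the view a single agency CSIRC has of its own sensor;
    by_agency=False pools every agency's flows, the cross-governmental view."""
    hosts = defaultdict(set)
    seen_at = defaultdict(set)
    for f in flows:
        key = f"{f.agency}/{f.src}" if by_agency else f.src
        hosts[key].add(f.dst)
        seen_at[key].add(f.agency)
    return {key: {"hosts": len(h), "agencies": sorted(seen_at[key])}
            for key, h in hosts.items() if len(h) >= min_hosts}


def baseline_deviations(flows: List[Flow], baseline: Dict[int, float],
                        factor: float = 3.0, min_flows: int = 5) -> Dict[int, float]:
    """Ports absent from the baseline, or carrying at least `factor` times
    their baseline share of flows; returns port -> current share."""
    counts = Counter(f.dport for f in flows)
    total = sum(counts.values())
    out: Dict[int, float] = {}
    for port, n in counts.items():
        if n < min_flows:
            continue  # too few flows to reason about
        share = n / total
        base = baseline.get(port, 0.0)
        if base == 0.0 or share >= factor * base:
            out[port] = round(share, 3)
    return out


def situational_picture(flows: List[Flow], baseline: Dict[int, float]) -> dict:
    """The aggregate picture: per-agency findings beside the pooled ones."""
    return {
        "port_scans": detect_port_scans(flows),
        "sweeps_per_agency": detect_host_sweeps(flows, by_agency=True),
        "sweeps_aggregate": detect_host_sweeps(flows),
        "port_deviations": baseline_deviations(flows, baseline),
    }


if __name__ == "__main__":
    for name, finding in situational_picture(constructed_flows(), BASELINE_PORT_MIX).items():
        print(f"{name}: {finding}")
```

Run on the constructed data, `sweeps_per_agency` is empty (six hosts per agency is under the threshold), while `sweeps_aggregate` reports 203.0.113.7 touching 18 hosts across all three agencies; the single-host scan by 192.0.2.99 is caught per agency, and port 22 is flagged because the baseline never saw it. The thresholds are deliberately simple; a production correlator would also key on time windows and on the manual-reporting gap the operations branch describes, but the point the slide makes, that the aggregate view surfaces what individual sensors cannot, holds with any of them.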
Situational Awareness (cont'd): Internet Situational Awareness
- US-CERT is also working to help determine the scope and impact of attacks occurring across the Internet, not only those targeting the US Critical Infrastructure, but globally as well.
- US-CERT is currently developing, evaluating, and testing multiple products that not only provide the current state of the Internet, but also provide actionable information that Federal agencies can operationally act upon.
Contact
- Technical comments or questions
  - US-CERT Security Operations Center
  - Email: soc@us-cert.gov
  - PGP/GPG key: 0xADC4BCED
  - Fingerprint: 02FD 5294 A076 0ACE BEB1 929B 3730 09F3 ADC4 BCED
  - Phone: +1 888-282-0870
- General questions or suggestions
  - US-CERT Information Request
  - Email: info@us-cert.gov
  - PGP/GPG key: 0x0A1E0DF7
  - Fingerprint: CFE4 9D1D 6897 44B3 9B85 B25A F575 177B 0A1E 0DF7
  - Phone: +1 703-235-5110
- Information available at http://www.us-cert.gov/contact.html