Cyber Security Readiness: The Boy Scout Motto, “Be Prepared,” is in Effect

Ft. Knox AFCEA

Charles Onstott VP, Cyber, Cloud and Data Science SAIC 24 September 2014

© SAIC. All rights reserved.

How to Improve Cyber Security Readiness
• Define "Cyber Security Readiness"
• Cyber Command Readiness Inspections (CCRIs): good. Unannounced CCRIs: even better
• Cyber security readiness must include traditional security readiness
• Cyber security readiness tools and processes
• Lessons learned from CCRIs
• SAIC's CyberSecurity Edge™
• Risk Management Framework: effects on day-to-day cyber security readiness


S A I C. co m © SAIC. All rights reserved.

What is "Cyber Security Readiness?"
• Cybersecurity readiness is the ability to have critical information and tools rapidly available and in place so that you can proactively assess your security posture, identify vulnerabilities, combat threats, deter attacks, and quickly remediate risks.
• Cybersecurity readiness improves the organization's overall operational readiness and security posture so you can perform your mission, and it keeps your organization compliant with policy, regulations, and the law.


Ten Reasons To Welcome Unannounced CCRIs
• Avoid system compromise
• Decrease the threat window of opportunity
• Remain connected to the GIG (Global Information Grid), with no mission interruption or degradation
• Improve security program effectiveness
• Maintain system integrity and availability
• Assure data confidentiality
• Identify improvement opportunities
• Boost staff confidence
• Promote awareness
• Satisfy reporting requirements


Score Yourself on 13 Traditional Security Checks
Cyber security readiness rests on the foundation of traditional security readiness. That means maintaining an appropriate level of security in the key traditional security areas, which are also evaluated during a CCRI:
• Physical Security
• Operational Security
• Administrative Security
• Procedural Controls
• Legal, Regulations, Investigations, and Compliance

"Stay Alert! Stay Alive!" SAIC Lessons Learned
Maintain Cyber Readiness: Staying Alert May Mean Keeping Your Mission Alive
• Perform mock CCRIs to evaluate your current security posture
• Scan systems continuously and remediate vulnerabilities
• Train your team to be ever-ready: be alert, know the appropriate actions, understand the tools and their use
• Ensure continuous monitoring and auditing throughout the system's full lifecycle, beginning as early as possible
• Update policies, procedures, and plans frequently
• Secure web servers and workstations against exploits
• Ensure the password policy is applicable and appropriate, and that its protections are properly applied and implemented
• Invite a third party to perform pre-inspections
• Address CTOs (Communications Tasking Orders) and security bulletins to maintain security awareness

How One Site Failed CCRI After a Near-Perfect Score
A misconfigured scanner, an omitted HBSS setting, or a poor ACL can turn a near-perfect CCRI grade into a failure.
• A Washington, DC, facility spent weeks preparing for its first CCRI:
  - Representatives from another site performed physical security (physec) inspections. Non-compliant doors, windows, and interior spaces were fixed before the CCRI.
  - Every plan, policy, and procedure was reviewed and updated, and staff ensured each was implemented. Documents were bound and indexed.
  - Boundary perimeter devices were updated and hardened.
  - Systems were scanned repeatedly; new vulnerabilities were remediated.
  - IA staff DoD 8570 certifications were verified; training was scheduled; all of it was recorded in an IA Workforce (IAWF) document (adopted for future CCRIs).
  - Mock interviews were performed.
• During the CCRI, the site had a nearly perfect score until HBSS was evaluated. The site had not modified an HBSS setting to satisfy guidance issued only days earlier. Result: automatic failure.
• Lesson: cybersecurity readiness means continuous readiness. Matching last month's baseline is not enough; the baseline itself must track the current guidance.


CCRI Team: NUWC Newport "One of the Best Inspected"
• 70 days to CCRI: thousands of pre-assessment failures
• SAIC team plan: build on lessons learned in other CCRIs
  - Review NUWC procedures, processes, and plans. Fix problems.
  - Scan the network (hundreds of devices). Remediate vulnerabilities.
  - Interview leadership, systems and network administrators, the physec team, and lab staff. Train on identified knowledge deficiencies.
  - Perform a full four-day mock inspection. Catch critical shortfalls.
  - Perform final remediation for all findings from 36 checklists.
  - Support the actual CCRI event. Fix issues. Capture lessons learned.
• Passing score: 94.7%, dropped to 78.7% (for a FRAG-O failure).
• Assessors said NUWC Newport's processes for physical security, documentation, IAVM, and HBSS set the standard and should be shared with other commands.

"Your assistance and sharing of your knowledge played a huge role in this success." - NUWC Newport CIO Bob Bernardo

Successful CCRI With 21,000 Vulnerabilities?
• SAIC's first data center system scans at a customer uncovered a highly vulnerable network: 18,389 vulnerabilities.
• The customer embraced innovation: SAIC's 3-phase Get Well plan
  - Inspect the site to identify all vulnerabilities (Discover).
  - Eliminate or mitigate all vulnerabilities using technical, procedural, or administrative methods (Mitigate).
  - Simultaneously protect against emerging threats and vulnerabilities (Manage).
• With the Get Well plan, the customer eliminated or mitigated the 18,000 initial vulnerabilities and 7,000 additional ones found along the way.
• Under the new Phase 3 CCRI grading criteria, the customer achieved a dual (classified, unclassified) Excellent rating.
• The customer also realized cost savings. Implementing SAIC's Security Management Plan enabled IA activities to be completed 40% faster, lowering overall project labor costs.


Improved Cyber Readiness Just May Be "Tuning"
• HBSS: monitoring at the host level
• ACAS: system assessment solution
• Splunk: insider threat


Process Foundations to Cyber Security Readiness
Four processes are foundations to cyber security readiness:
• Continuous Monitoring
• Configuration Management
• Patch Management
• IA Vulnerability Management
When your software, hardware, applications, devices, and deployments all follow processes that guard against the introduction of vulnerabilities, you build a firm foundation on which to perform continuous monitoring.
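The following Python example is added here to make the Configuration Management and Continuous Monitoring points concrete; it is not SAIC's code and not any of the tools named in this deck. It models the case study above: each host's observed settings are compared against a configuration baseline, and the baseline itself is compared against the date of the latest guidance, so a host that matches a stale baseline is still reported as not ready. The setting names, hostnames, dates, and the CAT I / CAT II assignments are constructed for illustration and are not real HBSS or ACAS policy parameters.

```python
"""Baseline-drift check with stale-guidance detection.

Added example (not SAIC code). Every setting name, host, and date below is
constructed for illustration; none is a real HBSS or ACAS policy parameter.
"""
from dataclasses import dataclass
from datetime import date

# Settings whose absence or misconfiguration is treated as CAT I here, i.e. an
# automatic failure in this model. Constructed list, not an official mapping.
CRITICAL = {"host_ips_enabled", "usb_storage_blocked", "host_firewall_enforced"}


@dataclass(frozen=True)
class Baseline:
    version: str
    published: date   # date this version of the baseline was issued
    settings: dict    # required setting name -> required value


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    actual: object    # None when the setting is absent on the host
    severity: str     # "CAT I" or "CAT II"


def check_host(host: str, actual: dict, baseline: Baseline) -> list:
    """Compare one host's observed settings against the baseline.

    Each required setting that is missing or differs becomes a Finding;
    extra settings on the host that the baseline does not mention are ignored.
    """
    findings = []
    for setting, required in baseline.settings.items():
        observed = actual.get(setting)
        if observed != required:
            severity = "CAT I" if setting in CRITICAL else "CAT II"
            findings.append(Finding(host, setting, required, observed, severity))
    return findings


def baseline_is_current(baseline: Baseline, latest_guidance: date) -> bool:
    """A baseline published before the latest guidance may be missing a
    newly required setting, so it is treated as stale."""
    return baseline.published >= latest_guidance


def readiness_report(hosts: dict, baseline: Baseline, latest_guidance: date) -> dict:
    """Run the drift check over all hosts and decide ready / not ready.

    Not ready if any CAT I finding exists, or if the baseline itself is stale:
    matching an out-of-date baseline is exactly how a site can look compliant
    and still fail once the assessor applies the current guidance.
    """
    findings = []
    for host, actual in hosts.items():
        findings.extend(check_host(host, actual, baseline))
    stale = not baseline_is_current(baseline, latest_guidance)
    cat1 = [f for f in findings if f.severity == "CAT I"]
    return {
        "baseline": baseline.version,
        "stale_baseline": stale,
        "findings": findings,
        "cat1_count": len(cat1),
        "ready": not stale and not cat1,
    }


# --- Constructed scenario --------------------------------------------------
OLD_BASELINE = Baseline("2014.09.01", date(2014, 9, 1), {
    "host_ips_enabled": True,
    "usb_storage_blocked": True,
    "av_dat_max_age_days": 7,
})
# Guidance issued days before the inspection adds one more required setting.
GUIDANCE_DATE = date(2014, 9, 20)
NEW_BASELINE = Baseline("2014.09.20", GUIDANCE_DATE, {
    **OLD_BASELINE.settings,
    "host_firewall_enforced": True,
})
# Observed settings per host, as an agent or scan would report them (constructed).
HOSTS = {
    "ws01": {"host_ips_enabled": True, "usb_storage_blocked": True,
             "av_dat_max_age_days": 7, "host_firewall_enforced": True},
    "ws02": {"host_ips_enabled": True, "usb_storage_blocked": True,
             "av_dat_max_age_days": 14},
}

if __name__ == "__main__":
    for bl in (OLD_BASELINE, NEW_BASELINE):
        rep = readiness_report(HOSTS, bl, GUIDANCE_DATE)
        state = "READY" if rep["ready"] else "NOT READY"
        print(f"baseline {rep['baseline']}: {state} "
              f"(stale={rep['stale_baseline']}, CAT I={rep['cat1_count']})")
        for f in rep["findings"]:
            print(f"  {f.host} {f.setting}: expected {f.expected!r}, "
                  f"got {f.actual!r} [{f.severity}]")
```

Run as a script, the old baseline produces only a CAT II finding yet is reported NOT READY because it predates the guidance; the new baseline is current but exposes the missing setting on ws02 as CAT I. In practice the per-host dictionaries would be populated from the host agent or scanner output rather than hard-coded, and the guidance date would come from whatever feed carries the CTOs and bulletins the deck tells you to track.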

RMF Builds, Assesses Cyber Security Readiness
What is the RMF? The Risk Management Framework (RMF) is the "common information security framework." It streamlines the process for easier interconnection and sharing of information and provides a single repository of controls drawn from NIST SP 800-53.
The four goals of the RMF are:
• To improve information security
• To strengthen the risk management processes
• To encourage reciprocity among federal agencies
• To provide a control continuous monitoring service
Programs will be able to build, assess, and monitor their systems using the RMF.


How RMF Will Help Your Day-to-Day Security Readiness
• Risk Governance
• Risk Evaluation
• Risk Response

Missile Defense Agency Example
MDA faced challenges under the previous DIACAP C&A process in obtaining accreditation approval. For safety-of-life mission reasons, MDA needed the session lock control disabled, but under DIACAP that control was required and had to be applied in order to receive accreditation.
The RMF alleviates this issue by allowing organizations to tailor security control settings, using an overlay to complement the security control baselines while still implementing the required level of security.


CyberSecurity Edge: Common Process in CCRI Successes
• The 3-phase process (Discover, Mitigate, Manage), now known as SAIC CyberSecurity Edge™, employs a proven methodology built on 20+ years of SAIC cyber experience. Highly trained and experienced IA analysts worked closely with MCEITS, NUWC, and other sites to evaluate technical, administrative, physical, environmental, and personnel security.
• CyberSecurity Edge™ is cybersecurity readiness:
  - A Vulnerability Management Plan identifies and closes new vulnerabilities.
  - A Plan of Action and Milestones (POA&M) tracks vulnerabilities requiring research or special attention.
  - Tailored plans and processes support Incident Response, Continuity of Operations, and Disaster Recovery.
• Using CyberSecurity Edge, an organization can identify and mitigate vulnerabilities within seven days.

Thanks! Questions?
To learn how SAIC can help you maintain constant cyber security readiness or prepare for announced and unannounced Cyber Command Readiness Inspections (CCRIs), contact:
Mary Mayonado, Cyber Service Line Director | Tel: 301-862-6396 | Email: [email protected]
For more details on SAIC's CyberSecurity Edge™ Discover, Mitigate, and Manage phases, and how they can yield greater cyber security readiness for your organization, contact:
William Kaczor, Product Manager, CyberSecurity Edge™ | Tel: 321-626-7576 | Email: [email protected]
