Michele Moss, Booz Allen Hamilton - Build Security In
International Standards Efforts Help Address Challenges in Today’s Global Market Place
Facilitator: Michele Moss, Booz Allen Hamilton
National Security Perspective
Critical Infrastructure Perspective
Business Perspective
INCIDENT:
Telvent Canada, a company that provides industrial automation technology to agencies managing the energy industry, was the target of a malicious software attack. Telvent stated someone installed the software and stole files pertaining to control software for their electric grid management. The malware used in the attack is believed to be associated with a Chinese hacker group called “Comment Group.” Comment Group has a history of spying and hacking into important Western infrastructure systems and databases.

IMPACT:
Files associated with the firm’s Supervisory Control and Data Acquisition (SCADA) were stolen. The firm does not believe the intruder stole any information that would enable them to gain access to a customer system. The CEO of Digital Bond believes the hackers are specifically targeting the industrial control system sector.
Loss of Intellectual Property

MITIGATION:
As a precautionary measure the company indefinitely terminated any customer system access by Telvent. Telvent is actively working with law enforcement, security specialists, and customers to ensure the breach has been contained. Two days after the breach, Telvent partnered with a security firm named Industrial Defender in order to expand its cybersecurity capabilities.

Source: Don Davidson, DOD-CIO Trusted Mission Systems and Networks
• http://www.mnn.com/earth-matters/energy/stories/smart-grid-company-telvent-struck-by-chinese-hackers
• http://news.cnet.com/8301-1009_3-57521049-83/maker-of-smart-grid-software-discloses-hack/
Mandiant APT 1 Report – February 2012
Communicating and sharing supply chain risk-related
Cyber Security Executive Order: Section 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
• The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
• The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
• Recommendations on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.
• The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.
Success Involves Multiple Standards
• A set of foundational standards is needed to create the common elements of the framework
• A robust pool of standards that can be combined to meet unique environment and mission requirements
Public Private Collaboration
Panel Members
• Nadya Bartol, Utilities Telecom Council (UTC)
• Jed Pickel, Microsoft
• Mike Grimm, Microsoft
• Andras Szakal, The Open Group
Panel Members
• Nadya Bartol, Utilities Telecom Council (UTC) - is a US technical expert working on the ISO/IEC 27000 series standards and Project Editor for ISO/IEC 27036. In her role at UTC, she is responsible for creating a cybersecurity information sharing platform for the utilities industry to deliver practical solutions to emerging cyber challenges.
ISO/IEC 27036 – Information Security for Supplier Relationships
© 2012 Utilities Telecom Council
Why Standards
• Interoperability
• Competitive advantage for countries and companies
• Common language for acquirers and suppliers
• ISO standards: global applicability and acceptance
3/11/2013 12<br />
Standards Landscape
Source: Booz Allen Hamilton and DoD
ISO Cybersecurity Standards
ISO / IEC / JTC1 / SC27 working groups:
• WG1: Information Security Management Systems
• WG2: Cryptography and Security Mechanisms
• WG3: Security Evaluation Criteria
• WG4: Security Controls and Services
• WG5: Identity Management and Privacy Technologies
ISO has over 90 existing cyber security standards and is currently developing or revising over 45 standards
• Information Security Management System
• Security Controls
• Information Security Risk Management
• Information Security Measurement
• Disaster Recovery
• Vulnerability Management
• Network Security
• Intrusion Detection System
• Incident Management
• Application Security
• Identity Management
• Authentication Assurance
• Trusted Platform Module
• Cryptographic Techniques
• Key Management
• Authentication Protocols
• Information Security Governance
• Sector-Specific Guidance (Telecom, Financial Services)
• Biometric Techniques
• Privacy Technologies
• Access control and management
• Entity Authentication
• Hash Functions
• Authenticated Encryption
• Random Bit Generation
• ICT Readiness for Business Continuity
• Common Criteria
• Security Engineering
• Security Assurance
• Security of Outsourcing
• ICT Supply Chain Security
• Economics of Information Security
• Forensic Investigation
• Cyber Security
And Many More…
Source: Booz Allen Hamilton and DOD
ISO/IEC Information Security Management System (ISMS) Family of Standards
(Diagram categories: Terminology, Requirements, Guidelines, Governance)
Terminology:
• ISO/IEC 27000 – Overview and Vocabulary
Requirements:
• ISO/IEC 27001 – ISMS Requirements
• ISO/IEC 27006 – Audit & Certification Requirements
Guidelines:
• ISO/IEC 27002 – Code of Practice
• ISO/IEC 27003 – ISMS Guidelines
• ISO/IEC 27007 – Audit Guidelines
• ISO/IEC 27008 – Guidance for auditors on ISMS controls
• ISO/IEC 27004 – Measurement
• ISO/IEC 27005 – Risk Management
• ISO/IEC 270XX (concept) – Sector-Specific Guidelines
• ISO/IEC 27017 (concept) – ISMS – Code of practice for information security controls for cloud computing services
Security Engineering:
• Tamper Protection Study Period
• ISO/IEC 15408 – Common Criteria
• ISO/IEC 21913 – Secure System Engineering Principles and Techniques
• ISO/IEC 20004 – Secure software development and evaluation under ISO/IEC 15408 and ISO/IEC 18405
Implementation:
• ISO/IEC 27034 – Application Security
• ISO/IEC 27036 – Supplier Relationships
• ISO/IEC 27033 – Network Security
Source: Booz Allen Hamilton
Why Use ISO/IEC 27001
• Integrate security governance into business and IT processes
  – Standardize security processes and controls
  – Establish a common approach to risk management
  – Reduce the likelihood, severity, duration and cost of incidents
• Establish risk-based control selection as a standard for risk management
  – Focus resources only on your organization’s risks
  – Facilitate identification and elimination (or minimal retention) of non-critical data
  – Ensure costs reflect the risk appetite
• Use ISMS processes to improve overall asset management capabilities
  – Identify and eliminate redundant, duplicate and obsolete assets
  – Enable simplified cost determination for new or revised control deployments
  – Provide risk reference point for both operations and management
ISMS Plan-Do-Check-Act cycle (diagram): Plan – Establish; Do – Implement and operate; Check – Monitor and review; Act – Maintain and improve
Source: Booz Allen Hamilton and DoD
Draft ISO/IEC 27002:2013 Security Controls
• Security Policies
• Organization of information security
• Human resource security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• System Acquisition, Development, and Maintenance
• Supplier Relationships
• Information Security Incident Management
• Information Security Aspects of Business Continuity Management
• Compliance
Source: Booz Allen Hamilton and DoD
Existing and Emerging Practices
ISO/IEC 27036, Information Technology – Security Techniques – Information Security for Supplier Relationships
• Addresses Acquirer and Supplier practices
• Applies to all types of organizations, e.g., commercial, public sector, non-profit, and all types of supplier relationships that may have security implications
• Harmonized with ISO standards for system/software engineering and information security
• Parts 1-3 are currently Draft International Standard, Part 4 is Working Draft
Structure of the standard:
• Part 1 – Overview and Concepts
• Part 2 – Requirements
• Part 3 – Guidelines for ICT Supply Chain Security
• Part 4 – Guidelines for Security of Cloud Services
ISO/IEC 27036 Dependencies and Influences
Overview:
• ISO/IEC 27036-1 – Overview and Concepts
• ISO/IEC 27000 – Overview and Vocabulary
Requirements:
• ISO/IEC 27036-2 – Information Security for Supplier Relationships – Requirements
• ISO/IEC 27001 – Information Security Management Systems
• ISO/IEC 15288/12207 – Systems and Software Lifecycle Processes
Guidance:
• ISO/IEC 27036-3 – Information Security for Supplier Relationships – ICT SCRM
• ISO/IEC 27002 – Code of Practice for Information Security Controls
Processes and Techniques:
• ISO/IEC 15026 – Software Assurance
• ISO/IEC 27034 – Application Security
• Security Engineering and Design techniques
• NASPO and other Anti-Counterfeiting techniques
• Microsoft Secure Development Lifecycle (SDL)
• SAFECode
• OWASP
• BSIMM
• Common Criteria – ISO/IEC 15408
• OMG KDM, BPMN, RIF, XMI, RDF
• OWASP Top 10
• SANS TOP 25
• Secure Content Automation Protocol (SCAP)
• Secure Coding Checklists
• Encryption
• Software Asset Tagging
• Trusted Platform Module (TPM)
Source: Booz Allen Hamilton and DoD
Using ISO/IEC 27036 with other SC27 Standards
Certify against ISMS (ISO/IEC 27001 – Information Security Management Systems) and…
• …general requirements for supplier relationships: ISO/IEC 27036-2 – Information Security for Supplier Relationships – Requirements
• …ICT SCRM guidance: ISO/IEC 27036-3 – Information Security for Supplier Relationships – ICT Supply Chain Security
• …Cloud-specific guidance: ISO/IEC 27036-4 – Information Security for Supplier Relationships – Cloud Services
• …27002 controls: ISO/IEC 27002 – Code of Practice for Information Security Controls
• …27017 Cloud Controls: ISO/IEC 27017 – ISMS – Code of practice for information security controls for cloud computing services
Source: Booz Allen Hamilton and DoD
Timeline for Parts 1-3
Timeframe:
• November 2009 – October 2010
• October 2010 – May 2012
• May 2012
• October 2012
• October 2012 – April 2013
• October 2013
Outcomes:
• Built consensus through Study Period
• Developed Working Drafts
• Progressed to Committee Draft
• Progressed to Draft International Standard
• Ready for Publication
• Another Draft International Standard
• Ready to publish
Contact Information
• Nadya Bartol
Utilities Telecom Council
202-833-6809
nadya.bartol@utc.org
Panel Members
• Jed Pickel, Microsoft - is a senior security program manager in Microsoft’s Trustworthy Computing (TwC) group. Jed is focused on alignment of Microsoft’s Security Development Lifecycle (SDL) with international security standards and sharing Microsoft SDL best practices with the software development ecosystem.
• Mike Grimm, Microsoft - is a senior program manager at Microsoft, currently focused on assurance and evaluation strategy. He manages security evaluations for Windows and has contributed to the development of Microsoft products and services since Windows 95.
• Andras Szakal, The Open Group - vice president and chief technology officer, IBM U.S. Federal. He is a chair of the Open Group Trusted Technology Forum and leads the development of the Open Trusted Technology Provider Framework.
Questions