NIST Computer Security Efforts

1
NIST Computer Security Efforts

• Kathy Lyons-Burke, (301) 975-4611
• kathy.lyons-burke_at_nist.gov
• Information Technology Laboratory
• National Institute of Standards and Technology

2
(No Transcript)
3
NIST Mandate for IT Security

• Develop standards and guidelines for the Federal
  government for sensitive (unclassified) systems
• Contribute to improving the security of
  commercial IT products and strengthening the
  security of users systems and infrastructures

4
Specific Focus Areas of NISTs Cybersecurity
Program

• Cryptographic Standards and Applications
• Exploring New Security Technologies
• Security Testing
• Management and Assistance

5
Cryptographic Standards and Applications

• Cryptographic mechanisms provide vital
  underpinning for IT security
• Home-grown cryptography is notoriously insecure
• Most users do not have the necessary skills to
  determine cryptographic strength - no BW tests
• A multiplicity of cryptographic techniques
  hinders interoperability and security analysis
• Formal voluntary standards bodies are inclusive
  in standardizing on multiple techniques ? many
  techniques inadequately studied/analyzed
• Exploitation of flawed cryptographic methods via
  kiddie scripts

http//csrc.nist.gov/focus_areas.htmlcryptographi
c
6
NIST Raising the Security Bar across Federal
Crypto Standards
http//csrc.nist.gov/publications/fips/index.html
7
Exploring New Security Technologies

• Identify and use emerging technologies,
  especially infrastructure niches
• Develop models, reference implementations, and
  demonstrations
• Transition new technology and tools to public
  private sectors
• Advise Federal agencies to facilitate planning
  for secure use

http//csrc.nist.gov/focus_areas.htmlresearch
8
Efforts in New Security Technologies

• Process Control Security Requirements Forum
  (PCSRF)
• Wireless Systems
• Biometrics
• ICAT
• IPsec

9
Process Control Security Requirements Forum
(PCSRF)
In support of the National effort to secure
cyberspace
Goal Increase the security of industrial process
control systems through the definition and
application of a common set of information
security requirements for these systems (based on
ISO15408).

• Participants (partial list)
• Industry and Consortia Texaco, Maximum Control
  Technologies, Georgia-Pacific, ExxonMobil,
  Unilever, Rockwell, Honeywell, EPRI, ISA,
  American Chemistry Council, National Center for
  Manufacturing Sciences, Association of
  Metropolitan Water Agencies, The Open Group, KEMA
  Consulting, American Gas Association/IGT...
• Government NIST (lead), NIAP/NSA, DOE,
  Communications Security Establishment (Canada)...

• Process Control System Characteristics
• Provide local and remote control of industrial
• equipment in electric power, water, oil gas,
  
• chemicals, pharmaceuticals, food
• beverage, metals, durable goods industries
• Time critical sensitive to delays and
• variability
• Designed to maximize performance,
• reliability, flexibility, safety
• Security has not been a significant
• consideration

10
NIST Guiding Safe Deployment of Wireless Systems

• Risks posed by development of wireless technology
  are substantial
• Potential eavesdropping
• Potential intrusions
• Benefits (cost, flexibility, and mobility) are
  enormous
• Industrial (manufacturing)
• Widespread use in business
• Wireless systems are being deployed regardless of
  the security risks
• SP 800-48 Wireless Network Security 802.11,
  Bluetooth, and Handheld Devices,November 2002

11
NIST Role in Biometrics for Homeland Defense

• Many proprietary solutions and standards for
  biometrics devices inhibits interoperability and
  deployment
• Vendor evaluations of performance need third
  party verification
• USA Patriot Act (PL 107-56)
• Work with Justice and State Departments to
  certify a technology standard to verify persons
  applying for visas and persons entering the U.S.
  using visas
• Certify the accuracy of biometric systems
• Fingerprint, face
• For integrated system design and procurements of
  biometrics products

12
NISTs ICAT CVE-compatible Searchable
Vulnerability Index

• Fine-grained searchable index of vulnerabilities
• Provides links to vulnerability and patch
  information

13
ICAT - CVE-compatible Searchable Vulnerability
Index
14
ICAT Metabase Home Page http//icat.nist.gov
15
IPsec
http//csrc.nist.gov/ipsec/

• Provides authentication, integrity, and
  confidentiality security services at the Internet
  (IP) Layer
• Current IP protocol (IPv4)
• Next generation IP protocol (IPv6)
• Implementing IPsec requires modifications to the
  system's communications routines and a new
  systems process that conducts secret key
  negotiations
• NIST developed testing tools
• NIST Cerberus, An IPsec reference implementation
  for Linux adds IP communications security to the
  system
• PlutoPlus, An IKE reference implementation for
  Linux conducts secret key negotiations and
  management
• IPsec-WIT, An interactive Web-based
  interoperability tester that uses Cerberus and
  PlutoPlus to enable developers and users to test
  the interoperability of their systems or to
  demonstrate IPsec's functionality

16
IPsec-WIT Architecture
17
Selected Technical Publications
18
Security Testing

• Cryptographic Module Validation Program (CMVP)
• National Information Assurance Partnership (NIAP)

http//csrc.nist.gov/focus_areas.htmltesting
19
NISTs Cryptographic Module Validation Program

• Validation testing for cryptographic modules and
  algorithms
• 164 Cryptographic Modules Surveyed (during
  testing)
• 80 (48.8) Security Flaws discovered
• 158 (96.3) Documentation Errors
• 332 Algorithm Validations (during testing) (DES,
  Triple-DES, DSA and SHA-1)
• 88 (26.5) Security Flaws
• 216 (65.1) Documentation Errors

20
National Information Assurance Partnership

• Collaboration between NIST and the National
  Security Agency (NSA) to meet IT security testing
  needs
• Increase the level of trust in systems and
  networks through cost-effective
• Testing,
• Evaluation
• Validation programs

21
IT SECURITY
Security Products
Protocols
Systems
Firewalls
Operating Systems
NIAP
IPSEC
DBMS
Other Products
FIPS 140-2 Crypto Modules
Encryption
Hashing
Authentication
Signature
Key Mgt.
DES
SHA-1
DSA
RSA
SHA-256
CMVP
3DES
ECDSA
DSA2
SHA-384
Skipjack
RSA2
AES
SHA-512
ECDSA2
Future Standard, Specification or Recommendation
Standard in Progress
Existing Standard Test Development in Progress
Standard and Testing Available
Existing Standard no Testing
Industry Standard, Specification or Recommendation
22
Management and Assistance

• Assist U.S. Government agencies and other users
  with technical security and management issues
• Assist in development of security infrastructures
• Develop or point to cost-effective security
  guidance
• Assist agencies in using security technology
  guidance
• Support agencies on specific security projects on
  a cost-reimbursable basis

23
Management and Assistance

• Small Business Computer Security Workshops
• Computer Security Management Guidance
• Computer Security Expert Assist Team (CSEAT)

http//csrc.nist.gov/focus_areas.htmlmanagement
24
Small Business Computer Security Workshops

• NIST, the Small Business Administration, and the
  National Infrastructure Protection Center conduct
  a series of workshops on information security
  threats and solutions
• Workshops especially designed for small
  businesses and not-for-profit organizations
• Attendees have the opportunity to explore
  practical tools and techniques that can help them
  to assess, enhance, and maintain the security of
  their systems.

http//csrc.nist.gov/securebiz/index.html
25
Selected Recent Computer Security Management
Guidance Publications
26
Computer Security Expert Assist Team (CSEAT)

• Assist agencies/programs in improving the
  security of Federal IT systems
• Strengthen security of critical computer
  system/services
• Identify security program issues and provide
  specific remedies
• Prepare for future security threats
• Improve federal agency/program Critical
  Infrastructure Protection (CIP) planning and
  implementation efforts
• Identify and develop appropriate computer
  security guidance

27
Why NIST?

• NIST provides consistent, comparable, and neutral
  perspective
• As a result of the review process, NIST obtains
  better understanding of Federal agency/program
  needs for guidance
• Effort helps NIST meet statutory responsibilities
• Provide technical assistance in implementing
  standards and guidelines, including
• Case studies
• Lessons learned
• Quick references
• Checklists

28
CSEAT Complements Existing Efforts

• Government
• NIST standards and guidelines
• Federal Computer Incident Response Capability
  (FedCIRC) /Computer Emergency Response Teams
  (CERTs)
• National Infrastructure Protection Center (NIPC)
• Critical Infrastructure Assurance Office (CIAO)
• NSA security evaluations
• GSAs security contract vehicles
• Industry
• Information Sharing and Analysis Centers (ISACs)

29
CSEAT Review Types
2 types of reviews

• Agency requested review of automated information
  security programs
• Agency program and OMB requested high-risk IT
  program security reviews
• Both existing and planned programs
• E.g. child welfare, disaster relief, Indian trust
  management

30
CSEAT Review

• CSEAT security control objectives abstracted
  directly from long-standing requirements from
• Federal government regulations
• Statutes
• Policies
• Guidance
• CSEAT provides an independent review of an
  agencys IT security program or high risk program
• Agency requested - not an audit
• Assesses the state of maturity of the agencys or
  programs IT security policy and procedure
  implementation and overall integration
• Restricted to unclassified information/systems

31
CSEAT Review Maturity Levels
Integration
Test
Implementation
Procedures
Policy
32
CSEAT Review Topic Areas
Computer security management and culture
Computer security plans
Security awareness, training, and education
Budget and resources
Life cycle management
Incident and emergency response
Operational security controls
Physical security
IT security controls
33
CSEAT Agency/Program Review Process
CSEAT presents recommendations
CSEAT conducts interviews
34
Proposed Review Timeline

• Agency/program provides
• Documentation
• Response to questions
• Key personnel information (within 1 week)

• CSEAT
• Reviews documentation and responses to questions
• Schedules interviews

• CSEAT
• Conducts interviews
• Request additional information

• CSEAT
• Writes draft review report

Review Kickoff
3 weeks
4 weeks
2 weeks
3 weeks
Agency/program provides comments on draft 30
days after receipt of draft CSEAT provides final
review report 14 days after receipt of comments
Timeline phase duration is dependent upon
completion of previous phase.
35
CSEAT Review Report

• CSEAT overview
• Agency or program overview
• Agency or program status
• Recommendations to improve agency or program
  computer security
• Summary and conclusions
• Prioritized, implementable action plan

36
Agency or Program IT Security Status
(Sample)
37
Issue Identification with Corrective Actions
Issue Information and systems are endangered
due to a failure to manage access rights and
accounts for agency employees.

• Discussion
• User accounts are not removed immediately upon
  user termination.
• Reassigned personnel still retain account access
  for previous position.

• Corrective Actions
• Implement a process to provide accountability for
  user account creation, deactivation, activation,
  and termination on all systems in a timely
  manner.
• Cost Minimal
• Time to Complete Short-term
• Recurring Cost Minimal
• Recurring Time to Complete Short-term

(Sample)
38
Prioritized Action Plan

• Action priority and topic area
• Issue
• Suggested corrective action
• How long to complete initial action
• Short Term less than 6 months
• Intermediate Term between 6 months and 2 years
• Long Term more than 2 years
• Cost to complete initial action
• Minimal Less than 100,000
• Moderate Between 100,000 and 500,000
• High Greater than 500,000
• Recurring action time and cost to complete

39
Change in Computer Security Posture after 2
Million Action Plan
CSEAT Review Areas 1. Computer Security
Management and Culture 2. Computer Security
Plans 3. Security Awareness, Training, and
Education 4. Budget and Resources 5. Life Cycle
Management 6. Incident and Emergency Response 7.
Operational Security Controls 8. Physical
Security 9. IT Security Controls
(Sample)
2 M Invested
Computer Security Enhancements - Complete
policies - Complete procedures - Increase
documentation - Develop and implement capital
planning process - Augment employee training -
Implement computer security plans - Develop risk
assessment methodology - Develop performance
metrics
Current Status
40
CSEAT Uses Report to Develop Guidance
NIST Guidance
Sanitized Case Study
CSEAT Review Report with Recommendations
41
Summary
NIST is improving security by

• Raising awareness of the need for cost-effective
  security
• Engaging in important security issues/challenges
• Addressing needs for standards and guidelines
• Technical, Policy, Management, and Operations
• Federal Agency Security practices
• Cryptographic security
• Biometrics
• Increasing security quality of and user
  confidence in COTS IT products via third party
  testing
• Cryptographic Module Validation Program
• National Information Assurance Partnership

42
More Information

• http//csrc.nist.gov/
• http//cseat.nist.gov/
• CSEAT Email cseat_at_nist.gov

Receive immediate e-mail notification when new
NIST computer security publications or news are
available by subscribing to the NIST computer
security publications e-mail list. To subscribe
to this list send e-mail to listproc_at_nist.gov.
In the body of the e-mail message
type subscribe compsecpubs your first and last
name