Cyber Preparedness Department of Homeland Security National Cyber Security Division Overview PowerPoint PPT Presentation


Title: Cyber Preparedness Department of Homeland Security National Cyber Security Division Overview


1
Cyber Preparedness
Department of Homeland Security
National Cyber Security Division Overview
  • June 7, 2006
  • CISSE Colloquium

2
Table of Contents
  • Introduction
  • Mission
  • Priority I: National Cyberspace Response System
  • Priority II: Cyber Risk Management

3
Cyber - Physical Interdependencies
Critical Infrastructure / Key Resources
  • Agriculture and Food: Farms, Food Processing Plants
  • Energy: Power Plants, Production Sites
  • Transportation: Railroad Tracks, Highway Bridges,
    Pipelines, Ports
  • Chemical Industry: Chemical Plants
  • Postal and Shipping: Delivery Sites
  • Water: Reservoirs, Treatment Plants
  • Public Health: Hospitals
  • Telecommunications: Cable, Fiber
  • Banking and Finance: FDIC institutions
  • Key Assets: Nuclear Power Plants, Government
    facilities, Dams

Cyber Infrastructure
  • Internet: Domain Name System, Web Hosting, IP
    Protocol, E-Mail
  • Hardware: Servers, Desktops, Networking Equipment
  • Software: Operating Systems, System Utilities,
    Program Applications
  • Control Systems: SCADA, PCS, DCS

4
Public and private partnerships are essential to
cyber security
  • Represent the foundation of our critical
    infrastructure protection and cyber security
    initiatives
  • Work together to mitigate the risk associated
    with cyber consequences, vulnerabilities and
    threats
  • Build global situational awareness through
    outreach, collaboration, and engagement

5
Government plays key cyber security roles
6
Table of Contents
  • Introduction
  • Mission
  • Priority I: National Cyber Security Response
    System
  • Priority II: Cyber Risk Management

7
Cyber Preparedness
The National Cyber Security Division's (NCSD)
mission is to work collaboratively with public,
private, and international entities to secure
cyberspace and America's cyber assets.
Overarching Priorities
I. National Cyber Security Response System
II. Cyber Risk Management
8
Table of Contents
  • Introduction
  • Mission
  • Priority I: National Cyber Security Response
    System
  • Priority II: Cyber Risk Management

9

Priority I: National Cyber Security Response
System
  • Situational Awareness
  • Analysis
  • Response
  • Recovery

10
Table of Contents
  • Introduction
  • Mission
  • Priority I: National Cyber Security Response
    System
  • Priority II: Cyber Risk Management

11
Priority II: Cyber Risk Management
  • National Infrastructure Protection Plan (NIPP)
  • Risk Mitigation Programs
  • Outreach and Awareness
  • Standards and Best Practices
  • Research and Development
  • Training and Education
  • Exercises

12
Priority II: Cyber Risk Management
  • Training and Education
  • National Centers of Academic Excellence in
    Information Assurance Education Program
  • Scholarship for Service Program
  • IT Security Professional Certification Initiative

13
Priority II: Cyber Risk Management
  • Exercises
  • National Cyber Exercise Cyber Storm, February
    6-10, 2006
  • Purpose: Assess communications, coordination and
    partnerships in response to a cyber incident of
    national significance
  • Campaign-level cyber attack against government IT
    infrastructure, electric, and air transportation
    sectors
  • State Players: Michigan, Montana, New York
  • International Players: Australia, Canada, New
    Zealand, UK
  • Private Sector: Seven major IT firms, two
    airlines, five utilities, and telecom
    representation
  • Regional Exercises Pacific Northwest, Greater
    New Orleans, Chicago, and New York
  • National Collegiate Cyber Defense Competition

14
Table of Contents
  • Introduction
  • Mission
  • Priority I: National Cyber Security Response
    System
  • Priority II: Cyber Risk Management

15
Contact us
  • Technical comments or questions
  • US-CERT Security Operations Center
    Email: soc@us-cert.gov
    PGP/GPG key: 0xADC4BCED
    Fingerprint: 02FD 5294 A076 0ACE BEB1 929B 3730 09F3 ADC4 BCED
    Phone: 1 888-282-0870
  • General questions or suggestions
  • US-CERT Information Request
    Email: info@us-cert.gov
    PGP/GPG key: 0x0A1E0DF7
    Fingerprint: CFE4 9D1D 6897 44B3 9B85 B25A F575 177B 0A1E 0DF7
    Phone: 1 703-235-5110
  • Information available at http://www.us-cert.gov/contact.html

16
(No Transcript)
17
National Statutory/Plan Framework
18
Overview US-CERT Operations
  • Maintains a 24x7x365 watch and warning capability
    providing operational support for monitoring the
    status of systems and networks and responding to
    cyber incidents
  • Provides the operations interface to National
    Cyber Response Coordination Group (NCRCG)
  • Conducts malicious code analysis, provides
    malware technical support, and conducts cyber
    threat and vulnerability analysis
  • Manages a situational awareness program and an
    Internet Health and Status service used by 50
    government agency computer security incident
    response teams
  • Manages programs for communication and
    collaboration among public agencies and key
    network defense service providers

19
US-CERT Operations Branch
  • Strategic Operations
  • Situational Awareness
  • Analysis
  • Incident Handling
  • Production

20
US-CERT Operations Branch
  • Strategic Operations
  • Government Forum of Incident Response Security
    Teams (GFIRST)
  • Community of 50 federal agency Incident Response
    Teams
  • Teams work together to secure federal government
  • Collaborated on 25 occasions during first year
    of inception for technical analysis during
    on-going cyber activities
  • Technical analysis aided in forcing vendors to
    release critical patches much earlier than
    vendors intended
  • Technical analysis identified previously
    unseen/unidentified cyber phenomenon on at least
    4 separate occasions
  • Held first annual meeting, April 2005; second
    planned April 2006

21
US-CERT Operations Branch
  • Strategic Operations (cont'd)
  • Chief Information Security Officers (CISO) Forum
  • Community of 50 CISOs from small, medium, and
    large Federal Departments/Agencies
  • Trusted venue to interact, discuss, and resolve
    concerns
  • Shares effective practices, initiatives,
    capabilities
  • Meets quarterly and stands up separate working
    groups on an as-needed basis
  • Initial working groups were focused on reporting,
    response, and management
  • Recommends federal policy changes to CIO
    Council/OMB

22
US-CERT Operations Branch
  • Strategic Operations (cont'd)
  • Computer Network Defense Service Provider (CNDSP)
    Accreditation Program
  • Provides clear performance metrics consistency
    across Federal Civilian Agencies Incident
    Response Teams
  • Ensures mechanism to ensure adequate funding and
    manpower needs to detect, report, and remediate
    incidents
  • Program similar to DoD but focused specifically
    for Federal Civilian Agency use

23
US-CERT Operations Branch
  • Situational Awareness: Federal Government
  • US-CERT Einstein Program -- An automated process
    for collecting, correlating, analyzing, and
    sharing computer security information across the
    Federal civilian government
  • Allows the US-CERT to generate a
    cross-governmental trends analysis
  • Will help to identify configuration problems,
    unauthorized network traffic, network backdoors,
    routing anomalies, network scanning activities,
    and baseline network traffic patterns
  • Analysis will provide US-CERT with an accurate
    and aggregate picture on the health of the
    Federal Government (.gov) domain in near
    real-time, and an aggregate comparison of the
    health as compared to the Internet
  • Allow US-CERT to accomplish mission as computer
    incident manager for federal civilian agencies

24
US-CERT Operations Branch
  • Situational Awareness: Internet
  • US-CERT is also working to help determine scope
    and impact of attacks occurring across the
    Internet, not only targeting the US Critical
    Infrastructure, but globally as well
  • US-CERT is currently developing, evaluating, and
    testing multiple products that not only provide
    the current state of the Internet, but also
    provide actionable information to Federal
    agencies

25
US-CERT Operations Branch
  • Analysis
  • Provides fused current and predictive cyber
    analysis based on reporting
  • Correlates incident data from a myriad of
    disparate reporting sources
  • Provides on-site Incident Response capabilities
    to federal and state
  • Supports ongoing federal law enforcement
    investigations
  • Malware Lab
  • Provides behavior techniques for dynamic and
    static analysis
  • Reviews malicious code for novel attacks (i.e.,
    do we already know it?)
  • Supports forensic investigations with cursive
    analysis on artifacts
  • Provides on-site malware analytic and recovery
    support
  • Malicious code submission and collection program

26
US-CERT Operations Branch
  • Incident Handling
  • Provides 24x7x365 triage support to federal,
    public, and private sectors
  • Monitors cyber security events available from
    various sources
  • Compiles and coordinates US-CERT reports for
    dissemination
  • Follows up with appropriate sources to ensure
    proper mitigation

27
US-CERT Operations Branch
  • Production
  • Provides operational output content, design, and
    development
  • Overall design and implementation of US-CERT
    public facing website
  • Provides support to NCSD with distribution of
    divisional products
  • Develops and participates in national and
    international level exercises
  • Interacts and provides operational international
    support for US-CERT

28
US-CERT Operations Branch
  • Products
  • Technical Alerts
  • Non Technical Alerts
  • Cyber Security Bulletins
  • Cyber Security Tips
  • Current Activity Report
  • Vulnerability Notes
  • FINS (Federal Information Notices)
  • ISAC Incident Reports (Private Sector Notices)

Part of the National Cyber Alert System
29
US-CERT Operations Branch
  • National Cyber Alert System
  • The National Cyber Alert System is America's
    first cohesive national cyber security system for
    identifying, analyzing, and prioritizing emerging
    vulnerabilities and threats. Managed by the
    US-CERT, the system relays computer security
    update and warning information to all users
  • It provides all citizens, from computer security
    professionals to home computer users with basic
    skills, with free, timely, actionable information
    to better secure their computer systems
  • www.us-cert.gov/cas

30
(No Transcript)
31
Priority II: Cyber Risk Management
  • NIPP Cyber
  • Implements the NIPP Risk Management Framework to
    secure the cyber infrastructure across all the 17
    critical infrastructure/key resource sectors
  • Assess and prioritize risk mitigation based on
    threat, vulnerabilities, and consequences
  • Requires coordination among agencies and between
    government and private sector
  • Cyber Components
  • IT Sector risk management/Sector Specific Plan
  • Cyber guidance across all sectors

32
Priority II: Cyber Risk Management
  • Risk Mitigation Programs
  • Internet Disruption Working Group
  • Control Systems Security Program
  • Software Assurance Program

33
Priority II: Cyber Risk Management
  • Internet Disruption Working Group
  • Purpose: To promote resiliency of the Internet
  • Partnership with National Communications System
    (NCS) and private sector participation to
    address
  • Sectors functional dependency on Internet
  • Stakeholder identification in preventing
    disruption and reconstitution efforts
  • Surge capabilities
  • Affected key assets
  • Short-term protective measures

34
Priority II: Cyber Risk Management
  • Control Systems Security Program
  • Purpose: Reduce control system cyber
    vulnerabilities in critical infrastructure
    through
  • Risk reduction and security assessments
  • Systems evaluation
  • Partnerships with control systems
    owners/operators and vendors
  • Coordination of cyber security efforts among
    federal, state, and local governments, and
    control system owners, operators, and vendors

35
Priority II: Cyber Risk Management
  • Software Assurance Program
  • Purpose: Mitigate risk through the creation of
    more secure software
  • Reduce software vulnerabilities
  • Minimize exploitation
  • Improve capabilities to develop and deploy
    trustworthy software products

Build Security In: https://buildsecurityin.us-cert.gov/
36
Priority II: Cyber Risk Management
  • Outreach and Awareness
  • Promote cyber security awareness among the
    general public and within key communities
    including international and private sector
  • Establish and maintain relationships with
  • Government cyber security professionals
  • Industry
  • Awareness Organizations
  • National Cyber Security Awareness Month - October

www.OnguardOnline.gov, www.StaySafeOnline.org
37
Priority II: Cyber Risk Management
  • Standards and Best Practices
  • Cyber Security Guidance and Best Practices
  • IT Technology Standards Development
  • InterNational Committee for Information
    Technology Standards (INCITS)
  • Vulnerability Naming Standards
  • Common Vulnerabilities and Exposures (CVE)
  • Open Vulnerability Assessment Language (OVAL)
    standards
  • Common Malware Enumeration (CME) naming standard

38
Priority II: Cyber Risk Management
  • Research and Development
  • Identify cyber security R&D requirements in
    conjunction with National Communications System
  • Co-chair multi-agency Cyber Security and
    Information Assurance Interagency Working Group
  • Developing Federal Plan for cyber security and
    information assurance R&D

39
Cyber security is a shared responsibility
  • Report cyber incidents and vulnerabilities
  • soc@us-cert.gov
  • 888-282-0870
  • Sign up for cyber alerts
  • www.us-cert.gov
  • Learn about the Protected Critical Infrastructure
    Information Program
  • www.dhs.gov/pcii