Collaborating to Solve the Nation’s Intractable Cybersecurity Challenges

Hacker Halted 2015, September 18, 2015

Brian Barrios, @brianbarrios01


INCREASING CYBERSECURITY CHALLENGES


2015: THE YEAR OF THE HEALTHCARE HACK


Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to U.S. Department of Health and Human Services data reviewed by The Washington Post.


Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) FY2014

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE


STAKEHOLDERS

SPONSORS: Advise, assist, and facilitate the center’s strategic initiatives

TEAM: Collaborate with innovators to provide real-world cybersecurity capabilities that address business needs

CUSTOMERS: Collaborate with the center on project-specific use cases that help our customers manage their cybersecurity priorities

[Diagram labels: The White House; National Institute of Standards and Technology; U.S. Department of Commerce; U.S. Congress; Montgomery County; Maryland State; NCCoE; Academia; Project Specialists; National Cybersecurity Excellence Partnership (NCEP) Partners; Government; Project-Specific Collaborators; Tech Firms; Industry; Business Sectors; Cybersecurity IT Community; Systems Integrators; Individuals; Academia; Government; National Cybersecurity FFRDC*]

*Sponsored by NIST, the National Cybersecurity Federally Funded Research & Development Center (FFRDC) is operated by the MITRE Corporation

NATIONAL CYBERSECURITY EXCELLENCE PARTNERS


VISION AND MISSION

VISION: ADVANCE CYBERSECURITY
A secure cyber infrastructure that inspires technological innovation and fosters economic growth

MISSION: ACCELERATE ADOPTION OF SECURE TECHNOLOGIES
Collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs

GOAL 1: PROVIDE PRACTICAL CYBERSECURITY
Help people secure their data and digital infrastructure by equipping them with practical ways to implement standards-based cybersecurity solutions that are modular, repeatable and scalable

GOAL 2: INCREASE RATE OF ADOPTION
Enable companies to rapidly deploy commercially available cybersecurity technologies by reducing technological, educational and economic barriers to adoption

GOAL 3: ACCELERATE INNOVATION
Empower innovators to creatively address businesses’ most pressing cybersecurity challenges in a state-of-the-art, collaborative environment

ENGAGEMENT & BUSINESS MODEL

DEFINE + ARTICULATE: Describe the business problem
Define business problems and project descriptions, refine into a specific use case

ORGANIZE + ENGAGE: Partner with innovators
Collaborate with partners from industry, government, academia and the IT community on reference design

IMPLEMENT + TEST: Build a usable reference design
Practical, usable, repeatable reference design that addresses the business problem

TRANSFER + LEARN: Guide users to stronger cybersecurity
Set of all material necessary to implement and easily adopt the reference design

ENGAGEMENT & BUSINESS MODEL

DEFINE + ARTICULATE: Describe the business problem
‣ Action: Identify and describe business problem; conduct market research; vet project and use case descriptions
‣ Outcome: Define business problems and project descriptions, refine into specific use case

ORGANIZE + ENGAGE: Partner with innovators
‣ Action: Publish project use cases and solicit responses; select partners and collaborators; sign CRADA
‣ Outcome: Collaborate with partners from industry, government, academia and the IT community on reference design

IMPLEMENT + TEST: Build a reference design
‣ Action: Build reference design; test reference design; identify gaps
‣ Outcome: Practical, usable, repeatable reference design that addresses the business problem

TRANSFER + LEARN: Guide stronger practices
‣ Action: Collect documents; tech transfer; document lessons learned
‣ Outcome: Set of all material necessary to implement and easily adopt the reference design

APPROACH

We seek problems that are:

‣ Broadly relevant

‣ Technology-based

‣ Addressable with multiple commercially available technologies

TENETS

Standards-based

Modular

Usable

Repeatable

Open and transparent

Commercially available


NIST CYBERSECURITY PRACTICE GUIDES

Health IT Sector
‣ Securing Electronic Health Records on Mobile Devices

Energy Sector
‣ Identity and Access Management for Electric Utilities

Identity
‣ Coming soon: Attribute Based Access Control

Mobile
‣ Coming soon: Mobile Device Security

HEALTH IT: ELECTRONIC HEALTH RECORDS & MOBILE DEVICES

HEALTH IT CHALLENGE

‣ Physician uses a mobile device application to send a referral to another physician.

‣ Application sends the referral to a server running a certified EHR application.

‣ Server routes the referral to the referred physician.

‣ Referred physician uses mobile device to receive the referral.

SECURING EHRS ON MOBILE DEVICES

Benefits

‣ Improve security: Help organizations better secure patient data accessed through mobile devices

‣ Reduce costs. Medical identity theft costs billions of dollars each year, and a cyber-crime can cripple operations and the ability to care for patients.

‣ Reduce risk. Continuous risk management is critical to continued operation, success of the organization, and patient safety. Altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions.

ARCHITECTURE

SECURITY WALKTHROUGH

Components: User Devices, Access Point, Identity Svr., MDM, EHR Server

1. Login: Username/password

2. Device MAC: MAC address filtering

3. Start EAP-TLS: Pass device credential; 802.1X EAP-TLS authentication/authorization; check credential

4. Compliance check: Return status; access allowed

5. Connect to OpenEMR using HTTPS. Open EMR: User/password/HTTPS encrypted

[Diagram also shows STOP markers along the sequence.]

COLLABORATING VENDORS: EHRS ON MOBILE

Find it on: https://nccoe.nist.gov

Comment deadline: 9/25/2015

ENERGY SECTOR: IDENTITY AND ACCESS MANAGEMENT


UTILITY CHALLENGE

‣ Most utilities separate information technology and operational technology, leading to decentralized access control across many departments.

‣ Consequences include:

‣ Increased risk of attack and service disruption

‣ Inability to identify potential sources of a problem or attack

‣ Lack of overall traceability and accountability regarding who has access to both critical and noncritical assets


IDENTITY & ACCESS MANAGEMENT FOR UTILITIES

Benefits

‣ Improve security by tracking and auditing access requests and other IdAM activity across all networks

‣ Reduce the risk of malicious or untrained people gaining unauthorized access to critical infrastructure components and interfering with their operation, thereby lowering overall business risk

‣ Improve efficiencies

‣ Allow rapid provisioning and de-provisioning of access from a centralized platform

‣ Improve speed of delivery of services

‣ Support oversight of resources, including information technology, personnel, and data

OVERVIEW: ENERGY SECTOR IDAM USE CASE

COLLABORATING VENDORS: ENERGY IDAM

Find it on: https://nccoe.nist.gov

Comment deadline: 10/23/2015

SECURING LAW ENFORCEMENT VEHICLES


AUTOMOTIVE CHALLENGE

‣ IoT is no longer just your thermostat or home security system.

‣ Law enforcement vehicle security, provided by Virginia State Patrol:

‣ Public-private working group to explore the technology needed to safeguard Virginia’s citizens and public safety agencies from cybersecurity attacks targeting automobiles


VA STATE PATROL CAR SECURITY

Goals

‣ Identify technology that can assist law enforcement officers in determining if/when a vehicle has fallen victim to a cyber attack.

‣ Develop strategies for citizens and public safety personnel to identify and prevent cybersecurity threats targeting vehicles and other consumer devices.


EVENT

Cybersecurity Technology Showcase

‣ Cyber assessment and demo with Virginia State Patrol vehicles

‣ Date: September 30, 2015

‣ Location: Chester, VA

‣ http://vus.virginia.gov/registration/

ADDITIONAL CYBERSECURITY PROJECTS

ATTRIBUTE BASED ACCESS CONTROL

‣ Businesses face the challenge of growing diversity in both the types of users and their access needs. As this diversity grows, traditional access control mechanisms become increasingly difficult to manage and audit.

‣ ABAC does not bucket employees, but rather employee access decisions are made based on a set of attributes assigned to a user’s digital identity.

‣ ABAC allows for the use of environmental attributes, such as time of day, IP address, or threat level to be defined and implemented in access control policies.
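
The access decision described above, sketched as a deny-by-default policy check. This is an added example, not NCCoE reference-design code; every attribute name, network range and rule in it is constructed for illustration.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Attribute names, values, networks and rules are constructed for illustration.
THREAT = {"low": 0, "elevated": 1, "high": 2}
CLINICAL_NET = ip_network("10.20.0.0/16")

# Each rule lists conditions on subject, resource and environment attributes.
# There are no role buckets: a rule applies to anyone whose attributes satisfy it.
RULES = [
    {"name": "same-department read during day shift",
     "action": "read",
     "subject": {"clearance": "clinical"},
     "match": ("department",),        # subject attribute must equal resource attribute
     "hours": (time(6, 0), time(20, 0)),
     "network": CLINICAL_NET,
     "max_threat": "elevated"},
    {"name": "on-call read at any hour",
     "action": "read",
     "subject": {"clearance": "clinical", "on_call": True},
     "match": (),
     "hours": (time(0, 0), time(23, 59, 59)),
     "network": CLINICAL_NET,
     "max_threat": "low"},
]

def decide(subject, action, resource, env):
    """Return (allowed, reason); deny unless one rule is satisfied in full."""
    try:
        src = ip_address(env["ip"])
        level = THREAT[env["threat_level"]]
        now = env["time"]
    except (KeyError, ValueError):
        # Fail closed when an environmental attribute is absent or unparsable.
        return False, "deny: missing or malformed environment attribute"
    for rule in RULES:
        start, end = rule["hours"]
        if (rule["action"] == action
                and all(subject.get(k) == v for k, v in rule["subject"].items())
                and all(k in subject and subject[k] == resource.get(k)
                        for k in rule["match"])
                and start <= now <= end
                and src in rule["network"]
                and level <= THREAT[rule["max_threat"]]):
            return True, "permit: " + rule["name"]
    return False, "deny: no rule satisfied"
```

The same subject gets different answers as the environment changes, which is what makes the returned reason string worth logging for audit.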


MOBILE DEVICE SECURITY

‣ Faced with a rapidly changing array of mobile platforms, corporations must ensure that the cell phones, tablets and other devices connected to their enterprise systems can be trusted to protect sensitive corporate data.

‣ Employees increasingly want to use both corporate-issued and personally owned mobile devices to access corporate enterprise services, data, and resources to perform work-related activities.

WORK WITH US


FIND US: UPCOMING EVENTS & PROJECTS

‣ Passcode (CSM) Event on Cybersecurity Research

‣ October 8, 2015 in Washington, DC

‣ No cost to attend

‣ Retail projects (including Point of Sale)

‣ Transportation (automotive, air, maritime, rail, etc.) projects

SOLVE PRESSING CHALLENGES

‣ Comment on our projects

‣ Brief us on your products/technology

‣ Use our guides

‣ Join our Communities of Interest

‣ Energy

‣ Financial Services

‣ Health IT

‣ Transportation

[email protected]

9600 Gudelsky Drive
Rockville, MD 20850
http://nccoe.nist.gov