Security In The Supply Chain
Download as PPT, PDF2 likes705 views
The document discusses the current challenges and opportunities in improving cybersecurity within the IT supply chain, particularly for the U.S. Air Force, highlighting the need for standardized security configurations for commercial off-the-shelf software. It emphasizes the importance of leveraging buying power and established security standards to enhance security measures, reduce costs, and improve efficiency. Recommendations include mandatory 'locked-down' configurations for all software and integrating security with commodity supply chain management to achieve better outcomes.
![Contact Information John Gilligan [email_address] 703-503-3232 www.gilligangroupinc.com Making Security Measurable Bob Martin—MITRE Corporation [email_address] (c) 2008, All Rights Reserved. Gilligan Group Inc.](https://image.slidesharecdn.com/security-in-the-supply-chain121008-final-1228949522941428-1/85/Security-In-The-Supply-Chain-18-320.jpg)
Security In The Supply Chain
- 1. Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain John M. Gilligan Gilligan Group, Inc. December 10, 2008
- 2. Topics Background The “Good Old Days”—Status Quo The “Aha” Moment Standard Desktop becomes Federal Desktop Next steps Cyber Security Commission Recommendation Evolving Standards Summary (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 3. Relevant Background Air Force 700,000 Unclassified Desktops 60,000 Classified Desktops IT Spending $7B; Security Spending of $700 M Federal Government Approximately 4 million desktops IT Spending $60B; Security spending of $5B National Institutes of Standards and Technology (NIST) Provides IT Security Standards/Guidance (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 4. Air Force CIO Observations Regarding Software Security Spending more to “patch and fix” software systems than to purchase them SW vendor contract terms—no warranties, no standards, and no legal precedents for remedy AF IT purchasing is ad hoc (and expensive) Air Force is largest enterprise buyer for many vendors COTS software business model is fundamentally broken! (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 5. From National Institute of Standards and Technology briefing--http://nvd.nist.gov/scap.cfm NIST provides a lot of guidance in security—is it addressing the right problem? (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 6. The Cyber Security Dilemma There are only so many resources available to be allocated against all IT priorities There is no such thing as perfect cyber security Finding flaws in cyber security implementation is a “target rich” environment How much security is enough, and where should investments be applied? (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 7. How to Assess Effective Security GAO Reports? Congressional FISMA Grades? Percentage of Systems Certified? Number of Systems with Contingency Plans? Agency Auditor Reports? The threat is increasing! Are we focusing on the right things? "Pentagon Shuts Down Systems After Cyber - Attack " Malicious scans of DoD increase 300%! (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 8. An “Aha” Moment! Scene : 2002 briefing by NSA regarding latest penetration assessment of DoD systems Objective: Embarrass DoD CIOs for failure to provide adequate security. Subplot : If CIOs patch/fix current avenues of penetration, NSA would likely find others Realization : Let’s use NSA’s offensive capabilities to guide security investments Let “Offense Inform Defense”! (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 9. AF Standard Desktop Concept NSA “Offensive Team” briefings to Air Force on attack patterns and vulnerabilities exploited ~80% of vulnerabilities tied to incorrectly configured COTS software Joint effort by NSA, NIST, DISA, DHS, CIS, Microsoft to create Standard Desktop Configuration (SDC) for Microsoft Windows/Office/IE Address the source of the biggest problem—and do it in the supply chain! (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 10. Secure Desktop Configuration Defined ~ 600 security configuration settings for Windows XP and VISTA (out of 4477) Leveraged prior work by MS, NIST, CIS, NSA, DISA Protocols and software tools to validate implementation – CVE/OVAL Phased Implementation (2005-2007) Senior-level governance process Software delivered from hardware vendors in “locked down” configuration (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 11. AF Standard Desktop Configuration Results Improved Security Drop in security events Reduced Patching time 57 days to 72 hours Reduced Costs of Operation and Ownership Hundreds of millions saved to date* Improved System Performance Common platform for COTS/GOTS applications * SDC Linked with Enterprise License Agreement and Commodity Purchasing Efforts (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 12. Security As Part of IT Commodity Life Cycle Management Enterprise Client PC Hardware Step 1: USAF Quarterly Enterprise Buy (QEB) Standards – 700K purchased since Aug 2003; $200M+ avoidance Enterprise Licensing and Services Step 2: USAF Enterprise License Agreements – Implemented in Jul – Sep 2004 $100M+ savings by 2010 Enterprise Client, Server, and Active Directory Configurations Step 3: USAF Standard Desktop Configuration – AF wide implementation in 2006; Servers 2008 Enterprise Configuration and Patch Management Step 4: USAF Enterprise Configuration Management processes – Implementation 2006-2008 Comply and Connect Enforcement Step 5: USAF Comply, Connect and Remediate policy and processes – Incremental improvements 2006-2009 (c) 2008, All Rights Reserved. Gilligan Group Inc. Incremental Improvements in End Point and Server Capability and Security
- 13. AF Standard Desktop Configuration FDCC Adopt AF-validated standard desktop concept OMB mandate for Federal Desktop Core Configuration (FDCC)—March 2007 Security Content Automation Protocol (SCAP) Validate configuration Check/remediate patching Asset management Standard vulnerability list Expanded across Federal government and extended automation support (c) 2008, All Rights Reserved. Gilligan Group Inc. ( XCCDF-CCE-OVAL) (CVE-OVAL) ( CPE) (NVD-CVE-CVSS)
- 14. Next Steps--Cyber Security Commission Recommendation Mandate “Locked-down” configurations for all software delivered to the government Build on existing efforts (e.g., NIST, BITS, FERC, NIAP, CIS) Public-private partnership to develop guidelines Self-certification by software vendors Satisfy security guidelines Do not “unlock” security of other software Expand FDCC Concept to all Software Products (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 15. Security Standards Efforts: Security Content Automation Protocol (SCAP) (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 16. Security Standards Efforts: Next Steps* * Making Security Measurable – The MITRE Corporation (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 17. Summary Need to fundamentally change business model for buying COTS software Vendors deliver “secure” configuration of products Use automated tools to validate security Integrate security with improved commodity supply chain management (planning, purchase, operations, disposal) Advancement of Standards and related Tools holds great promise for dramatic improvements to the IT Supply Chain (c) 2008, All Rights Reserved. Gilligan Group Inc.
- 18. Contact Information John Gilligan [email_address] 703-503-3232 www.gilligangroupinc.com Making Security Measurable Bob Martin—MITRE Corporation [email_address] (c) 2008, All Rights Reserved. Gilligan Group Inc.