
Seeing the entire elephant2

Date post: 22-Jul-2016
Upload: isc2-detroit-chapter
ISC2 Detroit Chapter Meeting 04/28/2015 Speaker Name: Daniel P Shoemaker, PhD
Page 1: Seeing the entire elephant2

Or, you’re not secure if you’re not secure

Dan Shoemaker

Center for Cyber Security

University of Detroit Mercy

SEEING THE ENTIRE ELEPHANT:

Page 2: Seeing the entire elephant2

SIX BLIND MEN AND AN ELEPHANT

• Cybersecurity suffers from the “Six Blind Men and the Elephant” syndrome.

• In that old story six blind men are asked to describe an elephant based on what they are touching.

• So to one, it’s a snake, to another, a wall, and to another a tree, etcetera.

• But, in the end, “Though each was partly in the right, all were entirely wrong”.

Page 3: Seeing the entire elephant2

SIX BLIND MEN AND AN ELEPHANT

• We have the same problem with the profession.

• There are established elements of the field that know how to secure the part of the elephant that they touch.

• But until we are able to amalgamate that knowledge into one coordinated approach to security we can’t realistically say we are protected.

Page 4: Seeing the entire elephant2

THE NERDS AND MR. SNOWDEN

• The U.S. National Security Agency is a good example of what I am talking about.

• The NSA sees all and knows all when it comes to electronic security.

• But they were unable to prevent a relatively low level analyst from tucking a bunch of vital secrets into a black bag and skipping off to Moscow.

• You might have read about that over the past couple of years.

Page 5: Seeing the entire elephant2

THE NERDS AND MR. SNOWDEN

• Nevertheless, NSA’s failure is understandable when you consider that their entire culture revolves around electronic security.

• While the things you need to do to secure people are the part of the elephant that they don’t touch.

• If we are ever going to be secure we need a watertight solution.

Page 6: Seeing the entire elephant2

HOLISTIC: SECURING THE ENTIRE ELEPHANT

• The term “holistic” has been used to describe what has to happen in order for the security solution to be watertight.

• There are a number of systemic and cultural challenges that have to be met before we can begin to properly apply that solution.

Page 7: Seeing the entire elephant2

HOLISTIC: SECURING THE ENTIRE ELEPHANT

• First, most of our current crop of professionals specializes in some vertical aspect of the field.

• And they are not going to simply drop what they have been doing for their entire career and start approaching things holistically.

• So, somebody will have to provide a roadmap to help the next generation build defenses without cracks in them.

Page 8: Seeing the entire elephant2

CYBERSECURITY AND THE DISTRIBUTED ELEPHANT

• Worse, all evidence points to the fact that whatever we should be doing is cross-cutting.

• In essence, elements of the protection scheme can involve professions as diverse as engineering, business, and law.

• Those diverse fields don’t play well with each other.

Page 9: Seeing the entire elephant2

CHARACTERIZING THE ENTIRE ELEPHANT

• So, a new body of knowledge is required, one with the breadth and scope to encompass the whole problem.

• That body of knowledge should categorize the job requirements of the entire field and then define the requisite knowledge, skills, and abilities to effectively perform that work.

• In addition, it should relate those job roles in some credible way to the areas of practical application within the field.

Page 10: Seeing the entire elephant2

CHARACTERIZING THE ENTIRE ELEPHANT

• The issues associated with cybersecurity can be dated to the advent of the commercial internet in the mid-1990s.

• Accordingly, the entire profession has a less than twenty year lifespan.

• In that time cyber-crime, cyber-espionage and even cyber-warfare have become visions with real consequences.

Page 11: Seeing the entire elephant2

CHARACTERIZING THE ENTIRE ELEPHANT

• Yet, even with its newfound national prominence, there is still a lot of disagreement about what legitimately constitutes the right set of actions to prevent harmful or adversarial actions.

• That disagreement was captured in the 2013 report sponsored by the National Academy of the Sciences (Bishop, 2013).

• The report asserts that cybersecurity is at best an ill-defined field, which is subject to a range of interpretation by numerous special interest groups.

Page 12: Seeing the entire elephant2

CHARACTERIZING THE ENTIRE ELEPHANT

• In simple, operational terms, the cybersecurity process involves nothing more than deploying and then ensuring a coherent set of best practices to protect all assets of value to a particular company.

• The problem lies in the term “best practice.” As we saw with the elephant, everybody has their own definition of what constitutes best practice.

• So, the actions that one group might view as appropriate to secure an asset may not be seen as quite so appropriate by another group.

Page 13: Seeing the entire elephant2

CHARACTERIZING THE ENTIRE ELEPHANT

• Therefore, it is essential to adopt a complete and commonly accepted framework of correct practice as a point of reference to guide any actions that an organization might take.

• The ideal would be to have that framework authorized and endorsed by a universally recognized and legitimate third party.

• In the case of cybersecurity, the best practice framework ought to encompass all of the legitimate actions necessary to ensure a reasonable state of reliable long-term security.

Page 14: Seeing the entire elephant2

CHARACTERIZING THE ENTIRE ELEPHANT

• It can be assumed that, if all of these practices are executed properly, then the organization has met its legal and ethical obligations for information protection.

• Many other professions, such as the law, or medicine, have a commonly agreed on definition of what it takes to meet the minimum standard of due care.

• Those help set the boundaries of ethical practice as well as guide the correctness of actions within those boundaries.

Page 15: Seeing the entire elephant2

CHARACTERIZING THE ENTIRE ELEPHANT

• Up to this point, however, the problem for cybersecurity professionals has been that no such generally accepted framework existed.

• The lack of an acceptable model of the field has been an obvious roadblock to success for a very long time.

• As a result, the National Institute of Standards and Technology (NIST), was tasked to create a conceptual model that could serve as the single definition of the specialty areas, roles and job tasks of the field.

Page 16: Seeing the entire elephant2

CHARACTERIZING THE ENTIRE ELEPHANT

• During the period 2011 to 2014, the project was authorized and executed as the National Initiative for Cybersecurity Education (NICE) Initiative.

• Besides NIST’s involvement, the project was staffed and jointly executed by personnel from the Department of Homeland Security (DHS) and the Office of Personnel Management (OPM).

• The National Initiative for Cybersecurity Education (NICE) workforce framework defines the complete set of roles that might reasonably be necessary to identify and mitigate all emerging threats in cyberspace.

• In essence, the NICE framework defines the field of “cybersecurity.”

Page 17: Seeing the entire elephant2

THE ROADMAP TO A NICE ELEPHANT

• The NICE Framework is based on “Categories”, “Specialty Areas” and the requisite Knowledge, Skills and Abilities for each specialty area.

• Each of the types of cybersecurity work is placed into one of seven overall categories.

• The categories serve as an overarching structure for the field.

• These were used as an organizing construct to group similar types of work.

Page 18: Seeing the entire elephant2

THE ROADMAP TO A NICE ELEPHANT

• The intention of the NICE Framework is to describe cybersecurity work regardless of organizational structures, job titles, or other potentially idiosyncratic conventions.

• The categories group related specialty areas together.

• The NICE Framework lists and defines 32 specialty areas of cybersecurity work and provides a description of each.

• In essence, specialty areas in a given category are typically more similar to one another than to specialty areas in other categories.

Page 19: Seeing the entire elephant2

THE ROADMAP TO A NICE ELEPHANT

• Typical tasks and knowledge, skills, and abilities (KSAs) are provided within each specialty area.

• The Workforce Framework also identifies common tasks and KSAs associated with each specialty area.

• OPM has mandated that the Workforce Framework will be used as guidance to the federal government.

• It will also be made available to the private, public, and academic sectors for describing cybersecurity work and related education, training, and professional development.

Page 20: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Securely Provision - Specialty areas responsible for conceptualizing, designing, and building secure information technology (IT) systems (i.e., responsible for some aspect of systems development).

• Secure Acquisition – Typical roles in this area include (NIST, 2014):

• Chief Information Security Officer (CISO)

• Contracting Officer (CO)

• Contracting Officer Technical Representative (COTR)

• Information Technology (IT) Director

Page 21: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Systems Security Architecture - Typical job roles within this specialty area include:

• Information Security Architect

• Information Systems Security Engineer

• Network Security Analyst

• Systems Engineer

• Systems Security Analyst

• Technology Research and Development – Typical job titles include:

• Capabilities and Development Specialist

• Chief Engineer

• Research & Development Engineer

Page 22: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Systems Requirements Planning – Roles in this specialty area include:

• Business Process Analyst

• Computer Systems Analyst

• Requirements Analyst

• Solutions Architect

• Systems Engineer

• Test and Evaluation – Job roles in this category include:

• Application Security Tester

• Quality Assurance (QA) Tester

• Software Quality Assurance (QA) Engineer

• Testing and Evaluation Specialist

Page 23: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Systems Development – Typical roles are:

• Firewall Engineer

• Information Assurance (IA) Developer

• Information Assurance (IA) Engineer

• Information Assurance (IA) Software Engineer

• Information Systems Security Engineer

• Program Developer

• Security Engineer

• Systems Engineer

• Systems Security Engineer

Page 24: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Operate and Maintain - Specialty areas responsible for providing support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.

• Data Administration – Job roles within this specialty area reflect that development and oversight responsibility:

• Data Architect

• Data Manager

• Database Administrator

• Database Developer

• Database Engineer/Architect

Page 25: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Customer Service and Technical Support – Typical jobs are:

• Computer Support Specialist

• Help Desk Representative

• Systems Administrator

• User Support Specialist

• Network Services – Typical jobs are:

• Cabling Technician

• Network Administrator

• Network Analyst

• Network Designer

• Network Engineer

Page 26: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• System Administration – Typical roles are:

• Local Area Network (LAN) Administrator

• Security Administrator

• System Operations Personnel

• Systems Security Analysis – Jobs in this specialty area include:

• Information Security Analyst/Administrator

• Information Systems Security Engineer

• Information Systems Security Manager (ISSM)

• Security Analyst

• Security Control Assessor

Page 27: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Protect and Defend - Specialty areas responsible for identification, analysis, and mitigation of threats to internal information technology (IT) systems or networks.

• Enterprise Network Defense (END) Analysis – Typical jobs:

• Computer Network Defense (CND) Analyst (Cryptologic)

• Cybersecurity Intelligence Analyst

• Incident Analyst

• Network Defense Technician

• Network Security Engineer

Page 28: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Incident Response – Job roles include:

• Incident Responder

• Incident Response Analyst

• Incident Response Coordinator

• Intrusion Analyst

• Enterprise Network Defense (END) Infrastructure Support – Roles include:

• Information Systems Security Engineer

• Intrusion Detection System (IDS) Engineer

• Network Administrator

• Network Analyst

• Network Security Engineer

Page 29: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Vulnerability Assessment and Management – Job roles are:

• Certified TEMPEST Professional

• Computer Network Defense (CND) Auditor

• Compliance Manager

• Ethical Hacker

• Information Security Engineer

• Internal Enterprise Auditor

• Penetration Tester

• Risk/Vulnerability Analyst

• Vulnerability Manager

Page 30: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Investigate - Specialty areas responsible for investigation of cyber events and/or crimes of IT systems, networks, and digital evidence.

• Digital Forensics – Typical roles in this specialty area include:

• Computer Forensic Analyst

• Digital Forensic Examiner

• Digital Media Collector

• Forensic Analyst (Cryptologic)

• Network Forensic Examiner

Page 31: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Cyber Investigation – Job roles include:

• Computer Crime Investigator

• Special Agent

Page 32: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Collect and Operate - Specialty areas responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.

• Collection Operations – Typical job roles include:

• Intelligence Collector/Documenter

• Intelligence Analyst

• Intelligence Information Integrator

• Documenter/Briefer

Page 33: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Cyber Operations – The job roles are:

• Counter-espionage analyst

• Intelligence analyst

• Malware analyst

• OPSEC Analyst

• Cyber Operations Planning – Job roles include:

• Cyber operations planner

• HUMINT Information gatherer (spy)

• Mission debriefer/reporter

• OPSEC planner

Page 34: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Analyze - Specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.

• Threat Analysis – Job roles in this specialty area include:

• Briefer

• Intelligence Analyst

• Intelligence Collection Agent

• Intelligence Integration Manager

Page 35: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• All Source Intelligence – Job roles are:

• Data Miner/Aggregator

• Documentation Writer/Briefer

• Intelligence Analyst

• Interpreter/Subject Matter Expert

• Targets – Job roles that fall within these parameters include:

• Intelligence Analyst

• Malware Analyst

• Threat and Vulnerability Analyst

• Mission Planner/Briefer

Page 36: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Oversight and Development - Specialty areas providing leadership, management, direction, and/or development and advocacy so that individuals and organizations may effectively conduct cybersecurity work.

• Legal Advice and Advocacy – Typical jobs are:

• Legal Advisor/Staff Judge Advocate (SJA)

• Paralegal

• Strategic Planning and Policy Development – Typical jobs are:

• Chief Information Officer (CIO)

• Information Security Policy Manager/Analyst

• Policy Writer and Strategist

Page 37: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Education and Training – Typical jobs are:

• Cyber Trainer

• Information Security Trainer

• Security Training Coordinator

• Information Systems Security Operations – Typical jobs are:

• Contracting Officer (CO)

• Contracting Officer Technical Representative (COTR)

• Information Assurance (IA) Program Manager

• Information Security Program Manager

• Information Systems Security Officer (ISSO)

Page 38: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Security Program Management - Typical jobs are:

• Chief Information Security Officer (CISO)

• Enterprise Security Officer

• Facility Security Officer

• Information Systems Security Manager (ISSM)

• Information Technology (IT) Director

• Principal Security Architect

• Risk Executive

• Security Domain Specialist

• Senior Agency Information Security (SAIS) Officer

Page 39: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Risk Management - Job roles may include:

• Accreditor

• Analyst/Manager

• Auditor

• Authorizing Official Designated Representative

• Certification Agent

• Compliance Manager

• Designated Accrediting Authority

• Risk/Vulnerability Analyst

• Security Control Assessor

• Systems Analyst

Page 40: Seeing the entire elephant2

A QUICK TOUR OF THE ELEPHANT

• Knowledge Management – Job titles are:

• Business Analyst

• Business Intelligence Manager

• Content Administrator

• Document Steward

• Freedom of Information Act Official

• Information Manager

• Information Owner

• Information Resources Manager

Page 41: Seeing the entire elephant2

TAKEAWAYS

• The Cybersecurity (IA) process has many facets.

• Systems and information constitute both an invisible and dynamic resource.

• The Cybersecurity process has to be coordinated to be effective.

• Coordination involves deploying and then maintaining an appropriate set of technical and managerial controls.

• Standard models are important roadmaps for organizations to follow.

• The NICE Framework is a national level model for Cybersecurity.

• The NICE Framework outlines the workforce roles for the entire field.

Page 42: Seeing the entire elephant2

THANK YOU FOR YOUR ATTENTION

Dan Shoemaker [email protected]

Professor

Center for Cyber Security and Intelligence Studies (CCIS)

University of Detroit Mercy
