Cybersecurity
Spring 2010 • Volume 2 • Number 2

Are You Putting A Steel Door On A Styrofoam House?

By Jeff Erlichman, Editor, On The FrontLines
 

The more security is proactively “baked in”, the more “secure information sharing” will occur.

 

Future cybersecurity solutions have to preserve the power of mass collaboration and of sharing information with unanticipated users, according to Dave Wennergren, Deputy CIO (DCIO) at the Office of the Secretary of Defense.

 

“If you could use terminology like ‘secure information sharing’, you are actually defining security solutions. This provides huge business opportunities, but it has to be different than the reactive security practices of the past.”

 

So, how do you become proactive, not reactive?

 

Is Your Security Intrinsic?

 

Reactive security is when a problem is identified and a product is then deployed to solve it. This leads to better firewall, antivirus and intrusion prevention products, but only against threats that have already been identified and characterized, that is, threats for which a signature exists.

 

“The problem is that many threats are not signature-based, but are zero-day threats,” said Sam Visner, Vice President in charge of Computer Sciences Corporation’s (CSC) cyber strategy, in a recent interview. “So if you are trying to react, by the time you do, it may be too late, the damage may be done.”

 

A threat with a known signature is one that has already been detected and characterized, so cyber defenders can look for that signature (pattern) and prevent it from getting through into the enterprise; if it does get through, its effects are known. A zero-day threat has never been seen before. It is the first time defenders encounter it, so there is no signature to look for.
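The following is an added, self-contained illustration of the point above; it is not code from the article, from CSC, or from any real product, and the samples and signatures in it are constructed (they are not real malware indicators). A scanner holds two signatures derived from an already-analysed sample, an exact SHA-256 hash and a byte pattern of the command it runs. It catches that sample, passes a benign file, and misses a variant that differs by a single inserted token; only after the variant has been analysed and a looser signature written does the scanner catch it. That lag is the reactive loop the article describes.

```python
"""Signature matching is reactive: it blocks only what has already been
characterized. Constructed example; nothing here is a real malware indicator."""
from __future__ import annotations

import hashlib
import re

# Constructed samples (hypothetical bytes, not real files).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"cmd.exe /c start evilupdate.exe" + b"\x00" * 8
BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 8
# Differs from KNOWN_SAMPLE by one inserted token ("" as a window title).
VARIANT = b"MZ\x90\x00" + b'cmd.exe /c start "" evilupdate.exe' + b"\x00" * 8


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signatures written after KNOWN_SAMPLE was analysed: an exact file hash and a
# byte pattern of the command it launches.
HASH_SIGNATURES: dict[str, str] = {sha256(KNOWN_SAMPLE): "dropper.v1"}
PATTERN_SIGNATURES: dict[str, re.Pattern[bytes]] = {
    "dropper.v1": re.compile(rb"cmd\.exe /c start evilupdate\.exe"),
}


def scan(payload: bytes,
         hash_sigs: dict[str, str],
         pattern_sigs: dict[str, re.Pattern[bytes]]) -> list[str]:
    """Return every signature that matches payload, hash matches first."""
    hits: list[str] = []
    name = hash_sigs.get(sha256(payload))
    if name:
        hits.append(f"hash:{name}")
    for name, pat in pattern_sigs.items():
        if pat.search(payload):
            hits.append(f"pattern:{name}")
    return hits


def reactive_cycle() -> dict[str, object]:
    """Scan all samples with the original signatures, then again after the
    variant has been analysed and a broader signature added."""
    before = {
        "known": scan(KNOWN_SAMPLE, HASH_SIGNATURES, PATTERN_SIGNATURES),
        "benign": scan(BENIGN, HASH_SIGNATURES, PATTERN_SIGNATURES),
        "variant": scan(VARIANT, HASH_SIGNATURES, PATTERN_SIGNATURES),
    }
    # Reactive step: the variant got through (no hash match, pattern broken by
    # the inserted token). After analysis, a signature tolerant of an optional
    # quoted window-title argument is added. The damage is already done.
    updated = dict(PATTERN_SIGNATURES)
    updated["dropper.v1b"] = re.compile(
        rb'cmd\.exe /c start (?:"[^"]*" )?evilupdate\.exe')
    after = {
        "variant": scan(VARIANT, HASH_SIGNATURES, updated),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in reactive_cycle().items():
        for sample, hits in results.items():
            print(f"{phase:6} {sample:8} -> {hits or 'no match'}")
```

The hash signature is the most brittle: any byte change defeats it. The pattern signature survives some variation but still only what its author anticipated. Widening signatures after each miss is exactly the "always behind the power curve" position Visner describes; the example does not show what an intrinsically secure architecture would do instead, because the article gives no concrete design to model.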

 

Being proactive takes doing a couple of things right, said Visner.

 

“First look at the architecture of your enterprise and ask: Was it designed properly from the get-go? Or, if you are redesigning, recapitalizing or modernizing your infrastructure, is that process using good architectural and engineering principles, so that your enterprise is intrinsically secure?”

 

Translation: “Are you building the house properly—which is being proactive? Or are you trying to put a steel door on a Styrofoam building—which is reactive? So, no matter how fast you work you are always behind the power curve,” explained Visner.

 

That doesn’t mean patch management is going away. What Visner advocates is “baking” security into the infrastructure itself and sharing more information about architecture and design.

 

“We have built a set of architecture and design principles called ‘intrinsically secure architecture’ to make sure any architecture and any enterprise solution that CSC implements are intrinsically secure,” he said.

 

Public/Private Partnering

 

“The real question is whether the government can add the private sector information to its own and build a knowledge base of information that is sufficient,” said Visner. “I think people are talking actively about what public/private partnerships can do (e.g. Google & NSA) to better defenses and share threat information faster.”

 

Another example is the Defense Industrial Base (DIB) pilot program that DOD is putting together, built on a set of framework agreements.

 

Visner explained that this allows DOD to learn about threats to the parts of the CSC infrastructure where DOD information is processed, and he thinks the DIB model should be considered as a template for other parts of the private sector to share information with the government.


What’s Your Role?

What’s Your Responsibility?

 

Where FISMA, OMB’s ISS LOB and NIST SP 800-16 intersect is the concept of role-based security training.

 

FISMA states that agency-wide information security programs are required and shall include “security awareness training”. OMB’s Information Systems Security Line of Business (ISS LOB) calls for common suites of ISS training products and training services for the federal government.

 

Because the current IT environment is so complex, a person’s title and their actual security role and responsibility may not match exactly. Everyone has some responsibility, from the executives right on down to the end user. But what exactly is that responsibility, and what training is needed to fulfill that role?

 

Using roles, and the responsibilities that come with them, rather than titles allows for fine tuning. Plus, a person may have more than one role in maintaining security. So there are roles, and responsibilities, for executives, IT staff, program managers and so on.

 

It sounds so simple.

 

In fact, the concept is spelled out in NIST SP 800-16 and there is a “NIST Model” which features a Learning Continuum and divides role-based training into: 6 functional specialties; 3 fundamental training content categories; 26 job functions (roles); 46 training matrix cells; and 12 body of knowledge topics and concepts.

 

So why is it still an enigma?

 

“Effective role-based training continues to be a major puzzle for federal agencies,” explained Captain Cheryl Seaman from the NIH Information Security and Awareness Office in a recent interview.

 

Captain Seaman said that while the goal is to have a staff that is adequately prepared to protect information assets within our dangerously shifting cyber threat frontier, the path to that goal is not straightforward.

 

“Who needs training and what do they need is not standard throughout the federal government, thus it remains an enigma,” said Captain Seaman.

 

Great Conference Theme


Captain Seaman is also the chair of the 23rd annual FISSEA (Federal Information Systems Security Educators’ Association) Conference held March 23-25 at the Natcher Conference Center on the NIH Campus in Bethesda, MD.

 

This year’s theme: “Unraveling the Enigma of Role-Based Training”.

 

According to Seaman, while many already have a handle on security awareness, “role-based is hard to get your arms around; especially when you think of training and resources and how do you make do with the resources you have; what is your strategy for your own agency?”

 

Seaman is hoping to have a candid exchange of ideas on some of the different paths agencies are taking to solve the enigma, some of which meet federal cross-training workforce development initiatives.

 

“Look at the different approaches. OPM is developing competencies; what are DHS and DOD doing? What about the NIST way? VA has its own. So let’s look at harmonization efforts to find common ground and approaches.”

For more information on FISSEA, please view the website at www.fissea.org.

© 2010 Trezza Media Group, Public Sector Communications, LLC