COL (R) Michael F. Brown Director, Information Systems Security Cyber Security: An Educator’s Challenge

COL (R) Michael F. Brown

Director, Information Systems Security

Cyber Security:

An Educator’s Challenge

2

TSD REPLAY, SEPTEMBER 11, 2001TSD REPLAY, SEPTEMBER 11, 2001

Prepared By: Prepared By:

Air Traffic Tactical OperationsAir Traffic Tactical Operations

LOWER 48 STATESLOWER 48 STATES

3

LOWER 48 STATES 1230Z TO 1530Z

ATCSCC Actions:1306Z ZNY GS1311Z ZBW GS1326Z GS all centers1345Z All centers to land airborne traffic ASAP

FLIGHT KEY:

MILITARY OTHER U.S. TRAFFIC

4



FLIGHT KEY:


5



FLIGHT KEY:


6



FLIGHT KEY:


7



FLIGHT KEY:


8



FLIGHT KEY:


9



FLIGHT KEY:


10



FLIGHT KEY:


11



FLIGHT KEY:


12



FLIGHT KEY:


13



FLIGHT KEY:


14



FLIGHT KEY:


15



FLIGHT KEY:


16



FLIGHT KEY:


17



FLIGHT KEY:


18



FLIGHT KEY:


19



FLIGHT KEY:


20



FLIGHT KEY:


21



FLIGHT KEY:


22



FLIGHT KEY:


23



FLIGHT KEY:


24



FLIGHT KEY:


25



FLIGHT KEY:


26



FLIGHT KEY:


27



FLIGHT KEY:


28



FLIGHT KEY:


29



FLIGHT KEY:


30



FLIGHT KEY:


31



FLIGHT KEY:


32



FLIGHT KEY:


33



FLIGHT KEY:


34



FLIGHT KEY:


35



FLIGHT KEY:


36



FLIGHT KEY:


37



FLIGHT KEY:


38



FLIGHT KEY:


39MENU



FLIGHT KEY:


40

PMAPMA

FISMAFISMA

Sarbains OxleySarbains Oxley

Business RequirementsBusiness Requirements

Business StrategyBusiness Strategy

National Cyber Strategy

“CALL TO ACTION”

•Federal Regulations

•Customer Requirements

•Strategy

41

WELCOME TO THE EXCITING WORLD OF HPVAC

HACKINGHACKINGPHREAKINGPHREAKING

VIRIVIRIANARCHYANARCHYCARDING/CARDING/CELLULARCELLULAR

42

HACKED WWW HOMEPAGES

CIA HOMEPAGE

DOJ HOMEPAGE

USAF HOMEPAGE

43

The mission of the Information Security department is to protect the information assets, the information systems, and the networks that deliver theinformation from damage resulting from failures of confidentiality, integrity, andavailability.

Security’s objective is to enhance the productivity of the business by reducingprobability of loss through the design and implementation of policy, standards,procedures, and guidelines that enhance the protection of business assets.

Defining the Role

“Departmentally” Specific ……

Business Objective ……

44

Resou

rces

Resou

rces

NationalNational

CyberCyber

SecuritySecurity

StrategyStrategyRequirements

Requirements

Strategy Determines Requirements and

Requirements Drive Resources

TOA

Strategy

StrategyStrategyStrategy

OperationalOperational

RequirementsRequirements

Mission NeedsMission Needs

The Business PlanThe Business Plan

The Flight Plan The Flight Plan GoalsGoals

ObjectivesObjectives

Sub-ObjectivesSub-Objectives

Prioritized TasksPrioritized Tasks

FA

A C

ybe r S

ec urit y

FA

A C

yber S

e cur ity

Str ate g

yS

t rat egy

Fed

era l Info

r ma tio

nF

e de ral In

form

ati on

Sec u

r ity Man

agem

ent A

c tS

e curity M

a na g

emen

t Act

LOB Participation and Influence

ExternalInternalDrivers

45

Prioritizing Constrained Resources

BoundaryProtection

Vulnerability Scanning

Insider/Outsider ThreatIntrusion Detection

and Prevention

SystemCertification

Transport/Application LayerVPNs

Firewalls

Anti-viral

46

A Case Study

The FAA Information

Systems Security

Program

47

System of Systems

Internet Access Points

Messaging

Systems

Finance

and Budget

Personnel and PayrollAsset Management

Flight Procedures

Security

Inspection

Safety

Analysis

Accident / Incident Investigation

48

• Manage more than 30,000 commercial flights to move 2,000,000 passengers safely each day

• Support more than 35,000 general aviation flights on a daily basis

• Regulate and certify the people and aircraft that use our airspace

FAA’s Job

National Airspace System (NAS)

49

The Evolving Landscape of Cyber Security

50


51


52


•Standardized Certification

53

A New Look at Cyber Defense

The “Android” Approach

54

The “Android” Cyber Defense –Emulates the most resilient system in the world

55

Enterprise Architecture

Admin Equip.

PPIMS

Admin Equip.

LIS

Admin Equip.

USD

Admin Equip.

MVS2000-AWP

Contracts

FAST

Contracts

ACQUIRE

Finance

Retirement

Finance

DTF

Finance

DAFIS-MIR

Finance

SPMA

Finance

TAS

Finance

FIRS-AWP

Finance

FAMIS

Finance

NPIAS

Finance

OPS FMS

Finance

AUTOGEN

Finance

ACE-MIR

Finance

ACT

Finance

RTP

Finance

MRPFinance

FED/MIL

Finance

REGIS

Finance

ATS

Finance

FEBMS

Finance

FIRS

Finance

RPMMSFinance

DAFIS

Finance

FIRS-ASW

Finance

BPCY-PCS

Finance

JF-SLH

Finance

LEASES

Finance

CHECKTRAC

Finance

PB-ICE

Finance

OIG32-9F

Finance

TRANVOUC

Finance

FEDEX

Finance

ORB-FIN

Finance

FECA

Finance

ORL

Finance

LDR

Finance

VFADMS

Finance

RED-MAR

Finance

PA

Finance

FRAN

Finance

FECS

Finance

FEDTRIP

Finance

CTS

Finance

FMS

Finance

IFAS

Finance

RPMMS-ASW

Finance

FIMS

Finance

BOSS

Finance

SPIRE

Finance

TMS

Finance

NATS

Finance

T-SERVE

Finance

OARMIS

Finance

BFM

Finance

CAS

Finance

DAFIS-ASW

Finance

MED BILL

Finance

CUPS

Finance

GTR

Finance

FMS-AHR

Finance

FAIM

Finance

DARTS

Finance

BXM

Finance

BAS

Finance

BAM

Finance

ABS

Finance

MM-SDG

Finance

WT-TVT

Finance

NACCS

Finance

C

FETS-ASO

Finance

C

MSEXCEL-FIN

Finance

C

MSWORD-FIN

Finance

CFACTS-

FIGURES

Finance

CQUICKEN-FIN-

TOOL

Finance

C

CUFF-FIN

Finance

C

CUPS-AWP

Finance

C

DAFIS-AWP

Finance

C

BU-SBP

Finance

C

QB-SAP

Finance

C

FETS-ASW

Finance

E

HHS

Finance

E

IRS

Finance

EBank ofAmerica

Finance

E

NFC

Finance

E

SSA

Finance

E

ATA

Finance

E

Treasury

Finance

E

OPM

HR

CPMIS

HR

SSAS

HR

IPPS

HR

CTTMS

HR

EE

HR

C

CUPS-LOCAL

IT Services

NASPAS

IT Services

TIMS

Assets

PMSRS

Assets

PMMS

Assets

FSEP

Av. Training

A/C TRAINING

Space

LIMS

Space

ESIS

Space

REMS

Finance Services

As Is To Be

Finance Services

• Reduction in applications and interfaces• Improved connectivity• Simplified architecture• Reduced potential vulnerabilities

56


57

Element Hardening and Boundary Protection

Element Hardening

– 96% of IT systems certified and authorized

– Vulnerability scanning of public facing and internal servers on a regular basis

– Patch management to facilitate timely remediation of discovered vulnerabilities

Boundary Protection

– Security a major component of Federal Telecommunications Infrastructure, IAPs limited to 8 and hardened, e-mail post offices reduced from 850 to 12 and hardened

– Defense in-depth approach—firewalls, encryption, virtual private networks, and anti-viral software

58


59

Computer Security Incident Response Center (CSIRC)

60

Cyber Fusion Center

61

The Keystone to Making this all Work is a Trained

and Ready Workforce

62

Purpose of Awareness and Training

The two goals of the ISS Awareness and Training Program are:

• To make all users aware of FAA ISS responsibilities

• To provide each line of business (LOB) and staff office (SO) with the training necessary to obtain the knowledge, skills, and abilities required to maintain information systems, implement ISS policies, and offer training opportunities to named key personnel.

63

Awareness and Training Program

The Federal Information Security Management Act of 2002 (FISMA)

• Requires each federal agency to “provide for the

mandatory periodic training in computer security

awareness and accepted computer practices of all

employees who are involved in the management, use or operation of each federal computer system

within or under the supervision of that agency.”

• Requires training under OMB, A130, Appendix III, and in accordance with guidelines co-developed by NIST.

64

Awareness and Training Program

In support of FISMA, the Office of Information Systems Security (AIS) Training Program shall:

• Establish an ISS awareness and training program• Provide awareness refresher briefings• Provide training to those who design, implement, or

maintain information systems• Provide specialized training to key personnel who have

been designated by their LOB/SO

65

Awareness

The purpose of the FAA Awareness Program is:

- To focus attention on security

- To create sensitivity to the threats and vulnerabilities of

information systems

- To recognize the need to protect data, information and systems

66

Awareness Methods

- Broadcast Email Messages

- Web-based activity: Security Awareness Virtual Initiative (SAVI)

- Warning Banners

- Information Security Newsletters

- Awareness Events (briefings, conferences, expositions)

- Meetings/Lectures related to ISS topics

- Interactive Kiosk

67

Training

Develop relevant and needed skills that map to defined responsibilities for each role.

Methods of Training

– Instructor-led training or face-to-face communications is the most personal method of training. The type of training is the most effective in the FAA.

– Computer Based Training (CBT) is offered at the FAA. CBT is utilized by a small percentage of FAA employees.

– System Administrator Simulation Training

68

Training

As part of the Training Program the FAA’s 2005 IT/ISS Conference was held February 28 through March 4 in San Diego, California.

Technical Training Sessions Held:

– Patch Management– Public Key Infrastructure– FAA Telecommunications Infrastructure– Enterprise License Agreement– Web Security– Vulnerability

The training classes were video taped to be provided as a learning tool for

those key personnel who were unable to attend. The tapes will be taken to

each Region and used in conjunction with other training.

69

Outreach Program

Technology is accelerating and changing complexity daily

To keep up with technology FAA must:

- Seek new talent through colleges and universities

- Use the Scholarship for Students Program sponsored

by OPM

- FAA (AIS) will utilize internship programs

- FAA will leverage research and development efforts at

colleges and universities that can be adapted to FAA’s

ISS program goals and objectives

70

Academia Outreach

Program Roles and Responsibilities

- Ensure success of overall ISS efforts and promote the exchange of information with colleges and universities.

- FAA will use academia in the area of research and development.

Program Goals for 2005

- Work with institutions of higher learning who have been designated as Academic Centers of Excellence by the National Science Foundation that are participants in the Scholarship for Services Program.

- Leverage knowledge students have gained and place them in the information security field.

71

Federal Efforts

The National Strategy to Secure Cyberspace

– Need to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. DHS and other federal agencies can aid these efforts by effectively articulating the needs of the federal IT security community.

72

Current IT Security ProfessionalCertification Environment:

Challenge:

Need to identify highly qualified people to develop, maintain, and secure our information systems and networks

No nationally recognized certification for IT security professionals

73

IT Security Professional Certification

- Goal: Set up nationally recognized, privately administered certifications at appropriate levels

- Scope: Vendor-neutral certifications

- Product: Industry led IT Security Professional Certification structure/ process in place

- Outcome: National IT security professional certifications

74

Notional IT Security Professional Certification Process

1

75

Expected Outcomes

- Standard position categories

- Standard position levels- How many- Nomenclature (e.g., I, II, III; entry, intermediate,

advanced)

- Standard functions within categories and levels- Nomenclature (what are the functions; what are they

called)

- Skill Standards- By category and level: performance standards that

delineate what a person must know and be able to do in order to successfully perform roles related to a specific job, an occupational cluster or across an industry sector

76

Certification Related Issues

- Governance structure Stakeholder participation

- Common body of knowledge & standardsJob task analysis, competencies

- Training, testing & accreditationAdjudication: evaluation and feedback

- Continuing education

- Mapping current IT security certifications and transitioning current certificate holders

- Business Models

77

Status and Next Steps

- Working with Government and private sectors to leverage ongoing efforts

- Working with the Federal CIO Council, Workforce and Human Capital Committee to leverage existing structure

- Exploring options for setting up nationally recognized, privately administered IT security professional certifications at appropriate levels

- Others?

78

AN OPPORTUNITY TO DO “ISS” RIGHT

Who says trains can’t fly?

Documents

COL (R) Michael F. Brown Director, Information Systems Security Cyber Security: An Educator’s Challenge