USCERT National Cyber Security Division U S Computer

US-CERT National Cyber Security Division/ U. S. Computer Emergency Readiness Team (US-CERT) Overview Lawrence Hale Deputy Director, US-CERT March 10, 2004 17 th Federal Information Systems Security Educators’ Association www. us-cert. gov

Mission The National Cyber Security Division (NCSD) is the National focal point for addressing cyber security issues in the United States. Mission components include: 1. 2. 3. 4. Identifying, analyzing and reducing threats and vulnerabilities Disseminating threat warning information Coordinating incident response Providing technical assistance in continuity of operations and recovery 5. Serving as national focal point for the public and private sector regarding cyber security issues …Implement the National Strategy… 2

The National Strategy’s Five Priorities PRIORITY IMPLICATION • National Cyberspace Security Response System • Rapid identification, information exchange, and remediation can mitigate damage • Response system will involve public and private institutions and cyber centers to perform analyses, conduct watch and warning, enable information exchange, and facilitate restoration efforts • National Cyber Security Threat and Vulnerability Reduction Program • Coordinated national efforts by government and private sector to identify and remediate serious cyber vulnerabilities through collaborative activities, such as sharing best practices and evaluating and implementing new technologies • Raise awareness, increase criminal justice activities, and develop national security programs to deter cyber threats • National Cyberspace Security Awareness and Training Program • Promote comprehensive national awareness program to empower all Americans – businesses, workforce, and general population to secure their parts of cyberspace • Foster adequate training and education programs for Nation’s cyber-security needs • Promote private support for independent certification of cybersecurity professionals • Securing Governments’ Cyberspace • Federal, State and Local Governments’ systems protection and resilience • Continuously assess threats and vulnerabilities to cyber systems • International Cyberspace Security Cooperation • Improve attack attribution and prevention capabilities • International cooperation – Facilitate and promote global “culture of security” – Foster international watch-and-warning networks to detect emerging attacks 3

Homeland Security Presidential Directive 7 December 17, 2003 Paragraph 16. The Secretary will continue to maintain an organization to serve as a focal point for the security of cyberspace. The organization will facilitate interactions and collaborations between and among Federal departments and agencies, State and local governments, the private sector, academia and international organizations. To the extent permitted by law, Federal departments and agencies with cyber expertise, including but not limited to the Departments of Justice, Commerce, the Treasury, Defense, Energy, and State, and the Central Intelligence Agency, will collaborate with and support the organization in accomplishing its mission. The organization's mission includes analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems. The organization will support the Department of Justice and other law enforcement agencies in their continuing missions to investigate and prosecute threats to and attacks against cyberspace, to the extent permitted by law. U. S. Department of Homeland Security Information Analysis and Infrastructure Protection

NCSD’s Integrated Capability Strategy, Policy, Programs: Support, Studies, Analysis, and Policy Leadership Fed. CIRC: US-CERT: Securing Government’s Cyberspace The National Cyber Preparedness and Response System U. S. Department of Homeland Security Information Analysis and Infrastructure Protection

US-CERT: Readiness The National Response System § National Level Watch and Incident Management — 24/7 Watch Operations — Cyber Interagency Incident Management Group (C-IIMG) — Develop and practice capabilities: Livewire — Early warning initiatives and displays § Vulnerability Assessment and Remediation — Current and potential vulnerabilities & remediation mechanisms — Malware lab and analysis capability — Common vulnerabilities and exposures identification — Critical Infrastructure Program cyber review matrix — Internet infrastructure critical system matrix 6

Homeland Security Presidential Directive 7 December 17, 2003 Paragraph 16. The Secretary will continue to maintain an organization to serve as a focal point for the security of cyberspace. The organization will facilitate interactions and collaborations between and among Federal departments and agencies, State and local governments, the private sector, academia and international organizations. To the extent permitted by law, Federal departments and agencies with cyber expertise, including but not limited to the Departments of Justice, Commerce, the Treasury, Defense, Energy, and State, and the Central Intelligence Agency, will collaborate with and support the organization in accomplishing its mission. The organization's mission includes analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems. The organization will support the Department of Justice and other law enforcement agencies in their continuing missions to investigate and prosecute threats to and attacks against cyberspace, to the extent permitted by law. U. S. Department of Homeland Security Information Analysis and Infrastructure Protection

US-CERT: Readiness (continued) Outreach: Public-Private Partnership § Information dissemination, alerting and information products – Secure Communications Infrastructure for collaboration and response § National Cyber Security Summit § Partnerships for awareness, exchange and response – Incident Responders (Federal Government, International, Law Enforcement, Other) – Critical infrastructure owners and operators – Service providers and backbone providers – Security product vendors and software industry 8

National Cyber Security Division Providing strategy and policy support and leadership § Software Assurance – Software development processes – Security enhancement through automated tools § § International Collaboration Intelligence community requirements Economic analysis Standards and best practices – NIAP review in conjunction with Do. D and NIST, and others § Training and Education 9

Training and Education §Centers of Academic Excellence Program − Co-sponsor NSA Centers of Academic Excellence in Information Assurance Education and expand to National program §IT Security Professional Certification Effort − Work with Do. D and Federal agencies to collect requirements for IT security professional certification − Define job functions, skills and knowledge required, and common body of knowledge §Scholarship for Service Program − Work with National Science Foundation and Federal CIO Council, Workforce Committee to promote Scholarship for Service Program among all Federal agencies §IT Security Awareness − Work with Department of Education and existing organizations such as EDUCAUSE and National Cyber Security Alliance to promote IT security training and education in universities and primary/secondary schools 10

Fed. CIRC Initiatives Securing Government’s Cyberspace § Security Analysis Program – Passive vulnerability discovery and analysis capability – Capability exists on existing systems, being deployed § Incident Management – Processes, incident support and correlation – Consolidated NIPC, Fed. CIRC and other watches § Security collaboration groups – CISO Forum, GFIRST, others 11

National Cyber Alert System Provides credible and timely information on cyber security issues to include: • Cyber Security Tips • Cyber Security Bulletin • Cyber Security Alerts All information products are available on a free subscription basis and are delivered via email. Sign up at www. us-cert. gov 12

Vulnerabilities US-CERT has recently issued alerts on: § Multiple Vulnerabilities in MS ASN. 1 Library § HTTP Parsing Vulnerabilities in Checkpoint FW-1 § Multiple Vulnerabilities in MS Internet Explorer Actions taken may include release of standard and technical advisories, informational bulletins, and vulnerability notes; coordination with affected vendors; coordination of remediation efforts with the federal government and private industry; LE and IC contact 13

Recent Events E-mail Borne Viruses § Beagle/Bagle § Mydoom/Novarg/Doomjuice § Netsky § Blaster/Welchia/Nachi 14

Long-term needs Stronger foundations • R&D investments in • The “science” of information assurance – Well defined security properties of components – Security metrics – Component composition rules that preserve security properties • Engineering practices that build-in (rather than bolton) security • Protocols that limit damage from distributed attacks 15

Near to mid-term needs Education and Training organizations • Undergraduate & Graduate programs • Increased emphasis on secure development practices in CS & Engineering programs • Executive education programs on risk management and information security • Security training for IT staff 16

Near to mid-term needs Software Developers • Dramatic reduction in the number of vulnerabilities • Secure out-of-the-box configurations • “Virus-proof” software Response Groups • Global indications and warning systems with predictive capabilities 17

Lawrence Hale Deputy Director, NCSD, US-CERT 202 708 -7000 18