SEEING THE ENTIRE ELEPHANT: Or, you’re not secure if you’re not secure
Dan Shoemaker Center for Cyber Security University of Detroit Mercy
SIX BLIND MEN AND AN ELEPHANT • Cybersecurity suffers from the “Six Blind Men and the Elephant” syndrome. • In that old story, six blind men are asked to describe an elephant based on the part they happen to be touching. • So to one it is a snake (the trunk), to another a wall (the flank), to another a tree (the leg), and so on. • But in the end, as John Godfrey Saxe’s verse puts it, “Though each was partly in the right, / And all were in the wrong!”
SIX BLIND MEN AND AN ELEPHANT • We have the same problem with the profession. • There are established elements of the field that know how to secure the part of the elephant they touch. • But until we are able to amalgamate that knowledge into one coordinated approach to security, we cannot realistically say we are protected.
THE NERDS AND MR. SNOWDEN • The U.S. National Security Agency is a good example of what I am talking about. • The NSA sees all and knows all when it comes to electronic security. • Yet it was unable to prevent a relatively low-level contractor with system administrator access from tucking a large cache of vital secrets into a bag, leaving the country, and eventually landing in Moscow. • You have probably read about that over the past couple of years.
THE NERDS AND MR. SNOWDEN • Nevertheless, NSA’s failure is understandable when you consider that its entire culture revolves around electronic security, • while the things you need to do to secure people (the personnel and insider-threat side of the problem) are part of the elephant that it doesn’t touch. • If we are ever going to be secure, we need a watertight solution.
HOLISTIC: SECURING THE ENTIRE ELEPHANT • The term “holistic” has been used to describe what has to happen for the security solution to be watertight. • There are a number of systemic and cultural challenges that have to be overcome before we can begin to properly apply that solution.
HOLISTIC: SECURING THE ENTIRE ELEPHANT • First, most of our current crop of professionals specialize in some vertical slice of the field. • They are not going to simply drop what they have been doing for their entire careers and start approaching things holistically. • So somebody will have to provide a roadmap to help the next generation build defenses without cracks in them.
CYBERSECURITY AND THE DISTRIBUTED ELEPHANT • Worse, all evidence points to the fact that whatever we should be doing is cross-cutting. • In essence, elements of the protection scheme can involve professions as diverse as engineering, business, and law. • Those diverse fields do not play well with each other.
CHARACTERIZING THE ENTIRE ELEPHANT • So a new body of knowledge is required, one with the breadth and scope to encompass the whole problem. • That body of knowledge should categorize the job requirements of the entire field and then define the requisite knowledge, skills and abilities needed to perform that work effectively. • In addition, it should relate those job roles in some credible way to the areas of practical application within the field.
CHARACTERIZING THE ENTIRE ELEPHANT • The issues associated with cybersecurity can be dated to the advent of the commercial internet in the mid-1990s. • Accordingly, the entire profession is less than twenty years old. • In that time cyber-crime, cyber-espionage and even cyber-warfare have gone from visions to realities with real consequences.
CHARACTERIZING THE ENTIRE ELEPHANT • Yet, even with its newfound national prominence, there is still a lot of disagreement about what legitimately constitutes the right set of actions to prevent harmful or adversarial activity. • That disagreement was captured in the 2013 report sponsored by the National Academy of Sciences (Bishop, 2013). • The report asserts that cybersecurity is at best an ill-defined field, subject to a range of interpretations by numerous special interest groups.
CHARACTERIZING THE ENTIRE ELEPHANT • In simple operational terms, the cybersecurity process involves nothing more than deploying and then sustaining a coherent set of best practices to protect all assets of value to a particular organization. • The problem lies in the term “best practice.” As we saw with the elephant, everybody has their own definition of what constitutes best practice. • So the actions that one group views as appropriate to secure an asset may not be seen as appropriate by another group.
CHARACTERIZING THE ENTIRE ELEPHANT • Therefore, it is essential to adopt a complete and commonly accepted framework of correct practice as a point of reference to guide any actions an organization might take. • Ideally, that framework would be authorized and endorsed by a universally recognized and legitimate third party. • In the case of cybersecurity, the best-practice framework ought to encompass all of the legitimate actions necessary to ensure a reasonable state of reliable, long-term security.
CHARACTERIZING THE ENTIRE ELEPHANT • It can reasonably be assumed that, if all of these practices are executed properly, the organization has met its legal and ethical obligations for information protection. • Many other professions, such as law or medicine, have a commonly agreed definition of what it takes to meet the minimum standard of due care. • Those definitions set the boundaries of ethical practice as well as guiding the correctness of actions within those boundaries.
CHARACTERIZING THE ENTIRE ELEPHANT • Up to this point, however, the problem for cybersecurity professionals has been that no such generally accepted framework existed. • The lack of an acceptable model of the field has been an obvious roadblock to success for a very long time. • As a result, the National Institute of Standards and Technology (NIST) was tasked to lead the creation of a conceptual model that could serve as the single definition of the specialty areas, roles and job tasks of the field.
CHARACTERIZING THE ENTIRE ELEPHANT • During the period 2011 to 2014, the project was authorized and executed as the National Initiative for Cybersecurity Education (NICE). • Besides NIST’s involvement, the project was staffed and jointly executed by personnel from the Department of Homeland Security (DHS) and the Office of Personnel Management (OPM). • The NICE Cybersecurity Workforce Framework defines the complete set of roles that might reasonably be necessary to identify and mitigate emerging threats in cyberspace. • In essence, the NICE Framework defines the field of “cybersecurity.”
THE ROADMAP TO A NICE ELEPHANT • The NICE Framework is built from “Categories”, “Specialty Areas” and the requisite Knowledge, Skills and Abilities (KSAs) for each specialty area. • Each type of cybersecurity work is placed into one of seven overall categories. • The categories serve as an overarching structure for the field; they were used as an organizing construct to group similar types of work.
THE ROADMAP TO A NICE ELEPHANT • The intention of the NICE Framework is to describe cybersecurity work regardless of organizational structures, job titles, or other potentially idiosyncratic conventions. • The categories group related specialty areas together: specialty areas in a given category are typically more similar to one another than to specialty areas in other categories. • The NICE Framework lists and defines 32 specialty areas of cybersecurity work and provides a description of each.
THE ROADMAP TO A NICE ELEPHANT • Typical tasks and the common knowledge, skills, and abilities (KSAs) associated with the work are provided within each specialty area. • OPM has directed that the Workforce Framework be used as guidance across the federal government. • It is also available to the private, public, and academic sectors for describing cybersecurity work and the related education, training, and professional development.
A QUICK TOUR OF THE ELEPHANT • Securely Provision – Specialty areas responsible for conceptualizing, designing, and building secure information technology (IT) systems (i.e., responsible for some aspect of systems development).
• Secure Acquisition – Typical roles in this area include (NIST, 2014):
  • Chief Information Security Officer (CISO)
  • Contracting Officer (CO)
  • Contracting Officer Technical Representative (COTR)
  • Information Technology (IT) Director
• Systems Security Architecture – Typical job roles within this specialty area include:
  • Information Security Architect
  • Information Systems Security Engineer
  • Network Security Analyst
  • Systems Engineer
  • Systems Security Analyst
• Technology Research and Development – Typical job titles include:
  • Capabilities and Development Specialist
  • Chief Engineer
  • Research & Development Engineer
• Systems Requirements Planning – Roles in this specialty area include:
  • Business Process Analyst
  • Computer Systems Analyst
  • Requirements Analyst
  • Solutions Architect
  • Systems Engineer
• Test and Evaluation – Job roles in this specialty area include:
  • Application Security Tester
  • Quality Assurance (QA) Tester
  • Software Quality Assurance (QA) Engineer
  • Testing and Evaluation Specialist
• Systems Development – Typical roles are:
  • Firewall Engineer
  • Information Assurance (IA) Developer
  • Information Assurance (IA) Engineer
  • Information Assurance (IA) Software Engineer
  • Information Systems Security Engineer
  • Program Developer
  • Security Engineer
  • Systems Engineer
  • Systems Security Engineer
A QUICK TOUR OF THE ELEPHANT • Operate and Maintain – Specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.
• Data Administration – Job roles within this specialty area reflect its responsibility for developing and administering databases and data management systems:
  • Data Architect
  • Data Manager
  • Database Administrator
  • Database Developer
  • Database Engineer/Architect
• Customer Service and Technical Support – Typical jobs are:
  • Computer Support Specialist
  • Help Desk Representative
  • Systems Administrator
  • User Support Specialist
• Network Services – Typical jobs are:
  • Cabling Technician
  • Network Administrator
  • Network Analyst
  • Network Designer
  • Network Engineer
• System Administration – Typical roles are:
  • Local Area Network (LAN) Administrator
  • Security Administrator
  • System Operations Personnel
• Systems Security Analysis – Jobs in this specialty area include:
  • Information Security Analyst/Administrator
  • Information Systems Security Engineer
  • Information Systems Security Manager (ISSM)
  • Security Analyst
  • Security Control Assessor
A QUICK TOUR OF THE ELEPHANT • Protect and Defend – Specialty areas responsible for identification, analysis, and mitigation of threats to internal information technology (IT) systems or networks.
• Enterprise Network Defense (END) Analysis – Typical jobs include:
  • Computer Network Defense (CND) Analyst (Cryptologic)
  • Cybersecurity Intelligence Analyst
  • Incident Analyst
  • Network Defense Technician
  • Network Security Engineer
• Incident Response – Job roles include:
  • Incident Responder
  • Incident Response Analyst
  • Incident Response Coordinator
  • Intrusion Analyst
• Enterprise Network Defense (END) Infrastructure Support – Roles include:
  • Information Systems Security Engineer
  • Intrusion Detection System (IDS) Engineer
  • Network Administrator
  • Network Analyst
  • Network Security Engineer
• Vulnerability Assessment and Management – Job roles are:
  • Certified TEMPEST Professional
  • Computer Network Defense (CND) Auditor
  • Compliance Manager
  • Ethical Hacker
  • Information Security Engineer
  • Internal Enterprise Auditor
  • Penetration Tester
  • Risk/Vulnerability Analyst
  • Vulnerability Manager
A QUICK TOUR OF THE ELEPHANT • Investigate – Specialty areas responsible for the investigation of cyber events and/or crimes involving IT systems, networks, and digital evidence.
• Digital Forensics – Typical roles in this specialty area include:
  • Computer Forensic Analyst
  • Digital Forensic Examiner
  • Digital Media Collector
  • Forensic Analyst (Cryptologic)
  • Network Forensic Examiner
• Cyber Investigation – Job roles include:
  • Computer Crime Investigator
  • Special Agent
A QUICK TOUR OF THE ELEPHANT • Collect and Operate – Specialty areas responsible for specialized denial and deception operations and the collection of cybersecurity information that may be used to develop intelligence.
• Collection Operations – Typical job roles include:
  • Intelligence Collector/Documenter
  • Intelligence Analyst
  • Intelligence Information Integrator
  • Documenter/Briefer
• Cyber Operations – The job roles are:
  • Counter-espionage Analyst
  • Intelligence Analyst
  • Malware Analyst
  • OPSEC Analyst
• Cyber Operations Planning – Job roles include:
  • Cyber Operations Planner
  • HUMINT Information Gatherer (spy)
  • Mission Debriefer/Reporter
  • OPSEC Planner
A QUICK TOUR OF THE ELEPHANT • Analyze – Specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
• Threat Analysis – Job roles in this specialty area include:
  • Briefer
  • Intelligence Analyst
  • Intelligence Collection Agent
  • Intelligence Integration Manager
• All Source Intelligence – Job roles are:
  • Data Miner/Aggregator
  • Documentation Writer/Briefer
  • Intelligence Analyst
  • Interpreter/Subject Matter Expert
• Targets – Job roles that fall within this specialty area include:
  • Intelligence Analyst
  • Malware Analyst
  • Threat and Vulnerability Analyst
  • Mission Planner/Briefer
A QUICK TOUR OF THE ELEPHANT • Oversight and Development – Specialty areas providing leadership, management, direction, and/or development and advocacy so that individuals and organizations may effectively conduct cybersecurity work.
• Legal Advice and Advocacy – Typical jobs are:
  • Legal Advisor/Staff Judge Advocate (SJA)
  • Paralegal
• Strategic Planning and Policy Development – Typical jobs are:
  • Chief Information Officer (CIO)
  • Information Security Policy Manager/Analyst
  • Policy Writer and Strategist
• Education and Training – Typical jobs are:
  • Cyber Trainer
  • Information Security Trainer
  • Security Training Coordinator
• Information Systems Security Operations – Typical jobs are:
  • Contracting Officer (CO)
  • Contracting Officer Technical Representative (COTR)
  • Information Assurance (IA) Program Manager
  • Information Security Program Manager
  • Information Systems Security Officer (ISSO)
• Security Program Management – Typical jobs are:
  • Chief Information Security Officer (CISO)
  • Enterprise Security Officer
  • Facility Security Officer
  • Information Systems Security Manager (ISSM)
  • Information Technology (IT) Director
  • Principal Security Architect
  • Risk Executive
  • Security Domain Specialist
  • Senior Agency Information Security (SAIS) Officer
• Risk Management – Job roles may include:
  • Accreditor
  • Analyst/Manager
  • Auditor
  • Authorizing Official Designated Representative
  • Certification Agent
  • Compliance Manager
  • Designated Accrediting Authority
  • Risk/Vulnerability Analyst
  • Security Control Assessor
  • Systems Analyst
• Knowledge Management – Job titles are:
  • Business Analyst
  • Business Intelligence Manager
  • Content Administrator
  • Document Steward
  • Freedom of Information Act Official
  • Information Manager
  • Information Owner
  • Information Resources Manager
TAKEAWAYS • The cybersecurity (IA) process has many facets • Systems and information constitute a resource that is both invisible and dynamic • The cybersecurity process has to be coordinated to be effective • Coordination involves deploying and then maintaining an appropriate set of technical and managerial controls • Standard models are important roadmaps for organizations to follow • The NICE Framework is a national-level model for cybersecurity • The NICE Framework outlines the workforce roles for the entire field
THANK YOU FOR YOUR ATTENTION
Dan Shoemaker dan.shoemaker@att.net Professor Center for Cyber Security and Intelligence Studies (CCIS) University of Detroit Mercy