Presentation is loading. Please wait.

Presentation is loading. Please wait.

COL (R) Michael F. Brown Director, Information Systems Security Cyber Security: An Educator’s Challenge.

Similar presentations


Presentation on theme: "COL (R) Michael F. Brown Director, Information Systems Security Cyber Security: An Educator’s Challenge."— Presentation transcript:

1 COL (R) Michael F. Brown Director, Information Systems Security Cyber Security: An Educator’s Challenge

2 2 TSD REPLAY, SEPTEMBER 11, 2001 Prepared By: Air Traffic Tactical Operations LOWER 48 STATES

3 3 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

4 4 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

5 5 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

6 6 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

7 7 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

8 8 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

9 9 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

10 10 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

11 11 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

12 12 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

13 13 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

14 14 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

15 15 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

16 16 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

17 17 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

18 18 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

19 19 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

20 20 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

21 21 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

22 22 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

23 23 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

24 24 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

25 25 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

26 26 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

27 27 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

28 28 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

29 29 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

30 30 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

31 31 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

32 32 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

33 33 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

34 34 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

35 35 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

36 36 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

37 37 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

38 38 LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

39 39 MENU LOWER 48 STATES 1230Z TO 1530Z ATCSCC Actions: 1306Z ZNY GS 1311Z ZBW GS 1326Z GS all centers 1345Z All centers to land airborne traffic ASAP FLIGHT KEY: MILITARY OTHER U.S. TRAFFIC

40 40 PMA FISMA FISMA Sarbains Oxley Business Requirements Business Strategy National Cyber Strategy “CALL TO ACTION” Federal Regulations Customer Requirements Strategy

41 41 WELCOME TO THE EXCITING WORLD OF HPVACHACKINGPHREAKINGVIRIANARCHYCARDING/CELLULAR

42 42 HACKED WWW HOMEPAGES CIA HOMEPAGE DOJ HOMEPAGE USAF HOMEPAGE

43 43 The mission of the Information Security department is to protect the information assets, the information systems, and the networks that deliver the information from damage resulting from failures of confidentiality, integrity, and availability. Security’s objective is to enhance the productivity of the business by reducing probability of loss through the design and implementation of policy, standards, procedures, and guidelines that enhance the protection of business assets. Defining the Role “ Departmentally” Specific …… Business Objective ……

44 44 Resources NationalCyberSecurityStrategy Requirements Strategy Determines Requirements and Requirements Drive Resources TOA StrategyStrategyOperationalRequirements Mission Needs The Business Plan The Flight Plan Goals Objectives Sub-Objectives Prioritized Tasks FAA Cyber Security Strategy Federal Information Security Management Act LOB Participation and Influence External Internal Drivers

45 45 Prioritizing Constrained Resources Boundary Protection Vulnerability Scanning Insider/Outsider Threat Intrusion Detection and Prevention System Certification Transport/Application Layer VPNs Firewalls Anti-viral

46 46 A Case Study The FAA Information Systems Security Program

47 47 System of Systems Internet Access Points Messaging Systems Finance and Budget Personnel and Payroll Asset Management Flight Procedures Security Inspection Safety Analysis Accident / Incident Investigation

48 48 Manage more than 30,000 commercial flights to move 2,000,000 passengers safely each day Support more than 35,000 general aviation flights on a daily basis Regulate and certify the people and aircraft that use our airspace FAA’s Job National Airspace System (NAS)

49 49 The Evolving Landscape of Cyber Security

50 50 The Evolving Landscape of Cyber Security

51 51 The Evolving Landscape of Cyber Security

52 52 The Evolving Landscape of Cyber Security Standardized Certification

53 53 A New Look at Cyber Defense The “Android” Approach

54 54 The “Android” Cyber Defense – Emulates the most resilient system in the world

55 55 Enterprise Architecture As Is To Be Finance Services Reduction in applications and interfaces Improved connectivity Simplified architecture Reduced potential vulnerabilities

56 56 The “Android” Cyber Defense – Emulates the most resilient system in the world

57 57 Element Hardening and Boundary Protection Element Hardening –96% of IT systems certified and authorized –Vulnerability scanning of public facing and internal servers on a regular basis –Patch management to facilitate timely remediation of discovered vulnerabilities Boundary Protection –Security a major component of Federal Telecommunications Infrastructure, IAPs limited to 8 and hardened, post offices reduced from 850 to 12 and hardened –Defense in-depth approach—firewalls, encryption, virtual private networks, and anti-viral software

58 58 The “Android” Cyber Defense – Emulates the most resilient system in the world

59 59 Computer Security Incident Response Center (CSIRC)

60 60 Cyber Fusion Center

61 61 The Keystone to Making this all Work is a Trained and Ready Workforce

62 62 Purpose of Awareness and Training The two goals of the ISS Awareness and Training Program are: To make all users aware of FAA ISS responsibilities To provide each line of business (LOB) and staff office (SO) with the training necessary to obtain the knowledge, skills, and abilities required to maintain information systems, implement ISS policies, and offer training opportunities to named key personnel.

63 63 Awareness and Training Program The Federal Information Security Management Act of 2002 (FISMA) Requires each federal agency to “provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved in the management, use or operation of each federal computer system within or under the supervision of that agency.” Requires training under OMB, A130, Appendix III, and in accordance with guidelines co-developed by NIST.

64 64 Awareness and Training Program In support of FISMA, the Office of Information Systems Security (AIS) Training Program shall: Establish an ISS awareness and training program Provide awareness refresher briefings Provide training to those who design, implement, or maintain information systems Provide specialized training to key personnel who have been designated by their LOB/SO

65 65 Awareness The purpose of the FAA Awareness Program is: - To focus attention on security - To create sensitivity to the threats and vulnerabilities of information systems - To recognize the need to protect data, information and systems

66 66 Awareness Methods -Broadcast Messages -Web-based activity: Security Awareness Virtual Initiative (SAVI) -Warning Banners -Information Security Newsletters -Awareness Events (briefings, conferences, expositions) -Meetings/Lectures related to ISS topics -Interactive Kiosk

67 67 Training Develop relevant and needed skills that map to defined responsibilities for each role. Methods of Training –Instructor-led training or face-to-face communications is the most personal method of training. The type of training is the most effective in the FAA. –Computer Based Training (CBT) is offered at the FAA. CBT is utilized by a small percentage of FAA employees. –System Administrator Simulation Training

68 68 Training As part of the Training Program the FAA’s 2005 IT/ISS Conference was held February 28 through March 4 in San Diego, California. Technical Training Sessions Held: –Patch Management –Public Key Infrastructure –FAA Telecommunications Infrastructure –Enterprise License Agreement –Web Security –Vulnerability The training classes were video taped to be provided as a learning tool for those key personnel who were unable to attend. The tapes will be taken to each Region and used in conjunction with other training.

69 69 Outreach Program Technology is accelerating and changing complexity daily To keep up with technology FAA must: -Seek new talent through colleges and universities -Use the Scholarship for Students Program sponsored by OPM -FAA (AIS) will utilize internship programs -FAA will leverage research and development efforts at colleges and universities that can be adapted to FAA’s ISS program goals and objectives

70 70 Academia Outreach Program Roles and Responsibilities -Ensure success of overall ISS efforts and promote the exchange of information with colleges and universities. -FAA will use academia in the area of research and development. Program Goals for Work with institutions of higher learning who have been designated as Academic Centers of Excellence by the National Science Foundation that are participants in the Scholarship for Services Program. -Leverage knowledge students have gained and place them in the information security field.

71 71 Federal Efforts The National Strategy to Secure Cyberspace –Need to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. DHS and other federal agencies can aid these efforts by effectively articulating the needs of the federal IT security community.

72 72 Current IT Security Professional Certification Environment: Challenge:  Need to identify highly qualified people to develop, maintain, and secure our information systems and networks  No nationally recognized certification for IT security professionals

73 73 IT Security Professional Certification -Goal: Set up nationally recognized, privately administered certifications at appropriate levels -Scope: Vendor-neutral certifications -Product: Industry led IT Security Professional Certification structure/ process in place -Outcome: National IT security professional certifications

74 74 Notional IT Security Professional Certification Process 1

75 75 Expected Outcomes -Standard position categories -Standard position levels -How many -Nomenclature (e.g., I, II, III; entry, intermediate, advanced) -Standard functions within categories and levels -Nomenclature (what are the functions; what are they called) -Skill Standards -By category and level: performance standards that delineate what a person must know and be able to do in order to successfully perform roles related to a specific job, an occupational cluster or across an industry sector

76 76 Certification Related Issues -Governance structure Stakeholder participation -Common body of knowledge & standards Job task analysis, competencies -Training, testing & accreditation Adjudication: evaluation and feedback -Continuing education -Mapping current IT security certifications and transitioning current certificate holders -Business Models

77 77 Status and Next Steps -Working with Government and private sectors to leverage ongoing efforts -Working with the Federal CIO Council, Workforce and Human Capital Committee to leverage existing structure -Exploring options for setting up nationally recognized, privately administered IT security professional certifications at appropriate levels -Others?

78 78 AN OPPORTUNITY TO DO “ISS” RIGHT Who says trains can’t fly?


Download ppt "COL (R) Michael F. Brown Director, Information Systems Security Cyber Security: An Educator’s Challenge."

Similar presentations


Ads by Google