Presentation on theme: "Stevens Institute of Technology Security Systems Engineering"— Presentation transcript:
1Stevens Institute of Technology Security Systems Engineering Jennifer BayukCybersecurity Program DirectorSchool of Systems and Enterprises3/27/2017
2Stevens Institute Security Research National Center for Secure and Resilient Maritime CommerceNaval Security Infrastructure Technology LaboratoryCenter for the Advancement of Secure Systems and Information AssuranceNational Cybersecurity Center of Excellence in Information Assurance EducationNational Cybersecurity Center of Excellence in Information Assurance ResearchLeader of the DoD University Affiliated Research Center for Systems Engineering Systems Security Core Research TopicWhy new focus on Systems Engineering Security?
3Isolate and Harden Servers Key ManagementIdentityMgmtEXTERNAL THREATSSecure StorageUser TerminalPersonal ComputersVPhysical Perimeter::::::FirewallCertificateAuthorityAntiVirusMgmtProcedureMultiplexorLANUser WorkstationWirelessVPNModemModemMainframeRemote Access ServerVPNIsolate and Harden Servers::::::FirewallToken AdminPolicy ServersSIM::::::FirewallTime Sharing or Bulletin Board ServiceOnline Services and Outsourcing ArrangementsProxyServerContentFiltersExternal ServersServerServer FarmIPSAll rights reserved.IDSWeb ServersRouterInternetWAFWRouterThe ProblemCurrent attacker path to data
4SERC Security Engineering Research RoadmapDefine systems securityMeasure systems securityDevise system security frameworksImprove the proficiency of the security engineering workforce
51. Define systems security Security Roadmap1. Define systems securityReassess periphery modelsFocus on whole systemsExamine interfaces and interactionsUnderstand similarities and differences across domains
62. Measure systems security Security Roadmap2. Measure systems securityAchievable and comparable security attributesOutcome-based rather than vulnerability-basedIdentify systemic value of currently available control standardsIdentify and measure trade-offs with respect to security features
73. Devise systems security frameworks Security Roadmap3. Devise systems security frameworksInclude policy, process and technologyProvide basis for evaluationNew classes of system-level solutionsSecurity-receptive architectures
84. Improve the proficiency of the security engineering workforce Security Roadmap4. Improve the proficiency of the security engineering workforceEncourage and educate workforceOperational security requirementsCommunity force multipliersEngage stakeholders
9Example: Systemic Security Systemigram software from: Boardman and Sauser, Systems Thinking: Coping with 21st century problems, Taylor & Francis, 2008.
122 4 3 1 5 Discovery ISO 27005:2008 Security Risk Assessment Task Order:1. Identification of assets2. Identification of threats3. Identification of existing controls4. Identification of vulnerabilities5. Identification of consequences5