US-CERT www.us-cert.gov National Cyber Security Division/ U.S. Computer Emergency Readiness Team (US-CERT) Overview Lawrence Hale Deputy Director, US-CERT.

Presentation transcript:

US-CERT National Cyber Security Division/ U.S. Computer Emergency Readiness Team (US-CERT) Overview Lawrence Hale Deputy Director, US-CERT March 10, th Federal Information Systems Security Educators’ Association

2 Mission
The National Cyber Security Division (NCSD) is the National focal point for addressing cyber security issues in the United States. Mission components include:
1. Identifying, analyzing and reducing threats and vulnerabilities
2. Disseminating threat warning information
3. Coordinating incident response
4. Providing technical assistance in continuity of operations and recovery
5. Serving as national focal point for the public and private sector regarding cyber security issues
…Implement the National Strategy…

3 The National Strategy’s Five Priorities
Priority: National Cyberspace Security Response System
Implication:
- Rapid identification, information exchange, and remediation can mitigate damage
- Response system will involve public and private institutions and cyber centers to perform analyses, conduct watch and warning, enable information exchange, and facilitate restoration efforts
Priority: National Cyber Security Threat and Vulnerability Reduction Program
Implication:
- Coordinated national efforts by government and private sector to identify and remediate serious cyber vulnerabilities through collaborative activities, such as sharing best practices and evaluating and implementing new technologies
- Raise awareness, increase criminal justice activities, and develop national security programs to deter cyber threats
Priority: National Cyberspace Security Awareness and Training Program
Implication:
- Promote comprehensive national awareness program to empower all Americans – businesses, workforce, and general population to secure their parts of cyberspace
- Foster adequate training and education programs for Nation’s cyber-security needs
- Promote private support for independent certification of cybersecurity professionals
Priority: Securing Governments’ Cyberspace
Implication:
- Federal, State and Local Governments’ systems protection and resilience
- Continuously assess threats and vulnerabilities to cyber systems
Priority: International Cyberspace Security Cooperation
Implication:
- Improve attack attribution and prevention capabilities
- International cooperation
  - Facilitate and promote global “culture of security”
  - Foster international watch-and-warning networks to detect emerging attacks

Homeland Security Presidential Directive 7 December 17, 2003 U.S. Department of Homeland Security Information Analysis and Infrastructure Protection Paragraph 16. The Secretary will continue to maintain an organization to serve as a focal point for the security of cyberspace. The organization will facilitate interactions and collaborations between and among Federal departments and agencies, State and local governments, the private sector, academia and international organizations. To the extent permitted by law, Federal departments and agencies with cyber expertise, including but not limited to the Departments of Justice, Commerce, the Treasury, Defense, Energy, and State, and the Central Intelligence Agency, will collaborate with and support the organization in accomplishing its mission. The organization's mission includes analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems. The organization will support the Department of Justice and other law enforcement agencies in their continuing missions to investigate and prosecute threats to and attacks against cyberspace, to the extent permitted by law.

NCSD’s Integrated Capability
U.S. Department of Homeland Security Information Analysis and Infrastructure Protection
- Strategy, Policy, Programs: Support, Studies, Analysis, and Policy Leadership
- US-CERT: The National Cyber Preparedness and Response System
- FedCIRC: Securing Government’s Cyberspace

6 US-CERT: Readiness
The National Response System
- National Level Watch and Incident Management
  - 24/7 Watch Operations
  - Cyber Interagency Incident Management Group (C-IIMG)
  - Develop and practice capabilities: Livewire
  - Early warning initiatives and displays
- Vulnerability Assessment and Remediation
  - Current and potential vulnerabilities & remediation mechanisms
  - Malware lab and analysis capability
  - Common vulnerabilities and exposures identification
  - Critical Infrastructure Program cyber review matrix
  - Internet infrastructure critical system matrix

8 US-CERT: Readiness (continued)
Outreach: Public-Private Partnership
- Information dissemination, alerting and information products
  - Secure Communications Infrastructure for collaboration and response
- National Cyber Security Summit
- Partnerships for awareness, exchange and response
  - Incident Responders (Federal Government, International, Law Enforcement, Other)
  - Critical infrastructure owners and operators
  - Service providers and backbone providers
  - Security product vendors and software industry

9 National Cyber Security Division
Providing strategy and policy support and leadership
- Software Assurance
  - Software development processes
  - Security enhancement through automated tools
- International Collaboration
- Intelligence community requirements
- Economic analysis
- Standards and best practices
  - NIAP review in conjunction with DoD and NIST, and others
- Training and Education

10 Training and Education
- Centers of Academic Excellence Program
  - Co-sponsor NSA Centers of Academic Excellence in Information Assurance Education and expand to National program
- IT Security Professional Certification Effort
  - Work with DoD and Federal agencies to collect requirements for IT security professional certification
  - Define job functions, skills and knowledge required, and common body of knowledge
- Scholarship for Service Program
  - Work with National Science Foundation and Federal CIO Council, Workforce Committee to promote Scholarship for Service Program among all Federal agencies
- IT Security Awareness
  - Work with Department of Education and existing organizations such as EDUCAUSE and National Cyber Security Alliance to promote IT security training and education in universities and primary/secondary schools

11 FedCIRC Initiatives
Securing Government’s Cyberspace
- Security Analysis Program
  - Passive vulnerability discovery and analysis capability
  - Capability exists on existing systems, being deployed
- Incident Management
  - Processes, incident support and correlation
  - Consolidated NIPC, FedCIRC and other watches
- Security collaboration groups
  - CISO Forum, GFIRST, others

12 National Cyber Alert System
Provides credible and timely information on cyber security issues to include:
- Cyber Security Tips
- Cyber Security Bulletin
- Cyber Security Alerts
All information products are available on a free subscription basis and are delivered via . Sign up at

13 Vulnerabilities
US-CERT has recently issued alerts on:
- Multiple Vulnerabilities in MS ASN.1 Library
- HTTP Parsing Vulnerabilities in Checkpoint FW-1
- Multiple Vulnerabilities in MS Internet Explorer
Actions taken may include release of standard and technical advisories, informational bulletins, and vulnerability notes; coordination with affected vendors; coordination of remediation efforts with the federal government and private industry; LE and IC contact

14 Recent Events Borne Viruses
- Beagle/Bagle
- Mydoom/Novarg/Doomjuice
- Netsky
- Blaster/Welchia/Nachi

15 Long-term needs
Stronger foundations
R&D investments in
- The “science” of information assurance
  - Well defined security properties of components
  - Security metrics
  - Component composition rules that preserve security properties
- Engineering practices that build-in (rather than bolt-on) security
- Protocols that limit damage from distributed attacks

16 Near to mid-term needs
Education and Training organizations
- Undergraduate & Graduate programs
- Increased emphasis on secure development practices in CS & Engineering programs
- Executive education programs on risk management and information security
- Security training for IT staff

17 Near to mid-term needs
Software Developers
- Dramatic reduction in the number of vulnerabilities
- Secure out-of-the-box configurations
- “Virus-proof” software
Response Groups
- Global indications and warning systems with predictive capabilities

18 Lawrence Hale Deputy Director, NCSD, US-CERT