Cyber Security Activities at the National Institute of Standards & Technology (NIST)

Published on May 2016

Cyber Security Activities at the National Institute of Standards & Technology (NIST)
Fran Nielsen, Deputy Chief, Computer Security Division (CSD), Information Technology Laboratory, NIST

Presentation Outline
• The Need for Cyber Security
• About NIST and ITL
• CSD Mission and Responsibilities
• Key Themes
• Types of Deliverables and Products
• Major Areas of Work
• Example Activities

The Need
• More dependence on information technology
• More complex systems and more reliance on internetworking
• Increased frequency of computer security incidents
• September 11

National Institute of Standards and Technology
NIST strengthens the U.S. economy and improves the quality of life by working with industry to develop and apply technology, measurements, and standards.

NIST Assets Include:
• National measurement standards: NIST Laboratories.
• 1,500 technical staff.
• 1,600 guest researchers.
• $430 million FY 2001 Laboratory budget.
• $83 million in measurement and research contracts to about 20 other agencies.
• Unique measurement facilities.
• Other programs: Advanced Technology Program, Manufacturing Extension Partnership, Baldrige National Quality Program.

ITL Organization and Program

ITL Organization
• Director: William Mehuron
• Deputy Director: Susan Zevin
• Assistant Director for Boulder: Cathy Nicoletti (Acting)
• Computing Security Operations: Rob Glenn
• Laboratory Staff: Kamie Roberts
• Senior Management Advisor: Kendra Cole
• CIO Office: Bruce Rosen

Divisions (division: division chief)
• Math: Ron Boisvert
• Networking: David Su (Acting)
• Computer Security: Ed Roback
• Information Access: Marty Herman
• Convergent Information Systems: Victor McCrary
• Information Services: Ray Hoffmann
• Software Testing: Mark Skall
• Statistics: Nell Sedransk

Computer Security Division

NIST Mandate for IT Security
• Develop standards and guidelines for the Federal government for sensitive (unclassified) systems
• Contribute to improving the security of commercial IT products and strengthening the security of users’ systems and infrastructures

Key Statutory Responsibilities
• Develop technical, management, physical and administrative cost-effective standards and guidelines for federal computer systems;
• Develop validation procedures for, and evaluate the effectiveness of, standards and guidelines;
• Perform research and conduct studies to determine the nature and extent of the vulnerabilities of sensitive systems;
• Devise techniques for the cost-effective security and privacy of sensitive information systems;
• Provide the staff services necessary to assist the Computer System Security and Privacy Advisory Board in carrying out its functions; and
• Assist the private sector, upon request, in using and applying the results of programs and activities.

Source: Computer Security Act of 1987 and Information Technology Management Reform Act of 1996, reinforced in OMB Circular A-130, Appendix III.


Computer Security Division Mission
To improve information systems security by:
• raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
• researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
• developing standards, metrics, tests and validation programs: to promote, measure, and validate security in systems and services; to educate consumers; and to establish minimum security requirements for Federal systems; and
• developing guidance to increase secure IT planning, implementation, management and operation.

Key Themes
• Security is important to the sound and efficient functioning of the economy and government.
• Agencies, OMB and Congress have high expectations of NIST in its Federal role.
  – Reflected in bills such as H.R. 1259, H.R. 3394 and H.R. 3316.
• Security of commercial products in the marketplace is inadequate.
  – Standards help: NIST’s role in helping to develop specifications (to drive the market) lets our customers, both Federal and industry users, know what to specify; the Federal specifications are used as procurement specs.
  – Testing helps: NIST’s role in testing helps users know they are getting what they think they are buying, and adds legitimacy to vendors’ claims.
• Product evaluation (e.g., of operating systems) is difficult and time consuming at best; it needs rigor and standardizable testing, a long-term challenge.
• Longer-term challenge: security and composability.





Types of Deliverables
• Security Outreach / Awareness
  – Federal Computer Security Program Managers’ Forum
  – CSSPAB
  – ICCC
  – CIO Security Committee
  – CSRC
  – Press articles
  – ITL Bulletins
  – FPKI TWG
• Standards and Specifications / Leadership
  – FIPS (e.g., AES)
  – Voluntary industry consensus standards
  – Ad hoc specifications
  – CC MRA
• Guidelines
  – ITL Bulletins
  – Special Publications
  – NIST Recommendations
• Research
  – Mobile agents
  – Intrusion detection
  – Security administration
  – Testing methods
• Testing programs/services
  – CMVP
  – NIAP
  – IPsec
  – PKI

Customers/Constituents – Categories / Examples
• Federal Community
  – OMB
  – Treasury
  – Federal PKI Steering Committee
  – FDIC
  – NSA
  – Federal Computer Security Program Managers’ Forum
  – GSA
  – CIO Council & CIO Security Committee
  – HHS
• IT Industry Producers / Consortia
  – Intel
  – IETF
  – PKI Forum
  – Microsoft
  – RSA
  – Counterpane Systems
  – IBM
  – Motorola
  – Entrust
  – Certicom
• IT Industry Users / Consortia
  – Banking (ANSI X9)
  – Smart Card Consortia
  – Healthcare Open Systems and Trials (HOST)
  – Telecom Security Forum
  – Boeing

 

Many, many organizations ask for our participation / assistance…

Examples:

Wide Community Engagement
• Executive Branch Information Systems Security
• CMVP Conference
• International Common Criteria Conference
• RSA Conference 2001/2002
• Key Management Workshop
• Information Assurance Technical Framework Forum
• Univ. of Tulsa Telecommunications Security Conference
• Federal Information Assurance Conference
• Regional Security Awareness Seminars
• Other Homeland Defense & CIP Committees
• ANSI
• IETF
• Federal PKI Steering Committee
• ISO
• CIS
• USG-OECD
• Network Security Information Exchange
• Critical Infrastructure Groups
• IEEE
• Federal Computer Security Program Managers’ Forum
• CIO Council Security Committee
• Federal Information Systems Security Educators Association
• CC Mutual Recognition Management Committee
• Committee for National Security Systems

Wide engagement keeps us in touch with our customers and their needs.

Key Focus Areas of NIST’s Computer Security Program
• Cryptographic Standards and Applications
• Exploring New Security Technologies
• Management and Assistance
• Security Testing
• Outreach

Cryptographic Standards and Applications
• Work with industry and government to develop cryptographic-based standards
  – Cryptographic Standards Toolkit
    • AES setting new baseline
    • Need for lightweight standards
  – Public Key Infrastructure

1/02

1. Cryptographic Standards and Applications

Goals
• Establish secure cryptographic standards for storage and communications, and enable cryptographic security services in applications, through the development of PKI, key management protocols and secure application standards.

Technical Areas
• Secure encryption, authentication, non-repudiation, key establishment and random number generation algorithms
• PKI standards for protocols, standards and formats
• PKI interoperability, assurance and scalability

Impacts
• Strong cryptography used in COTS IT products
• Standardized PKI and cryptography improve interoperability
• Availability of secure applications through cryptography and PKI

Collaborators
Industry: ANSI X9, IETF PKIX, AES submitters, Baltimore Technologies, CertCo, Certicom, Cylink, Digital Signature Trust, RSA Labs, Entrust Technologies, E-Lock Technologies, Getronics, IBM, ID Certify, Mastercard, Microsoft, Motorola, Netscape, Spyrus, Network Associates, VeriSign, Verizon, Visa, World Talk
Federal: Department of Treasury, agencies participating in the Federal PKI Steering Committee and Bridge CA Project, FDIC, NSA

Projects
• Cryptographic Standards
• Cryptographic Standards Toolkit
• Advanced Encryption Standard (AES)
• Public Key Infrastructure & Applications
• Industry and Federal Security Standards
• PKI and Client Security Assurance
• Promoting PKI Deployment

Cryptographic Standards
Security Requirements for Cryptographic Modules: FIPS 140-2

Symmetric algorithms
• DES (FIPS 46-3)
• 3DES (FIPS 46-3, ANSI X9.52)
• AES (FIPS 197)
• Modes of operation
  – DES modes of operation (FIPS 81)
  – Recommendation for Block Cipher Modes of Operation: Methods and Techniques (SP 800-38A)
  – Message Authentication Code for Block Ciphers (SP 800-38B)

Asymmetric algorithms
• Digital Signature Standard (FIPS 186-2): DSA (ANSI X9.30), RSA (ANSI X9.31), ECDSA (ANSI X9.62)
• Key management: Diffie-Hellman (ANSI X9.42), RSA (ANSI X9.44), elliptic curves (ANSI X9.63), key wrapping

Secure hash
• SHA-1 (FIPS 180-1)
• Expand to include SHA-256, SHA-384 and SHA-512 (revised FIPS 180-2)

Advanced Encryption Standard (AES)

Goals
• Develop a new, royalty-free encryption standard that can be used by government and business to protect information for 30-50 years.

Technical Areas
• Clear specification of the AES algorithm and NIST’s requirements for its implementation.
• Cryptographic test suite development for testing and validation of the conformance of AES implementations with the standard.

Impacts
• Secure e-commerce and data protection through highly secure encryption that keeps pace with rapid advances in technology.
• Validation that COTS products comply with the AES standard.
• Banking and international standards communities are looking to adopt the AES, which will promote its use outside of government.

Collaborators
Federal: National Security Agency (NSA)
Industry: Protonworld International (Belgium), IBM, RSA Security and Counterpane Systems participated in AES finalist submissions; many companies provided extensive comments and papers on the AES selection and specification.
Academia: Katholieke Univ. (Belgium), MIT, Technion, Cambridge Univ. and Univ. of Bergen faculty participated in finalist submissions; many others helped in analysis.
Global: ISO JTC1/SC27

Milestones
FY 2001
• Selected the Rijndael algorithm as the AES
• Developed draft AES FIPS and completed public comment
• Developed draft AES basic modes of operation
• Hold Modes Workshop (4Q)
• Issue NIST Recommendation on basic modes of operation (4Q)
FY 2002
• Announced Secretary’s approval of AES
• Complete AES validation tests and software
• Publish AES validation guideline; begin testing AES products
• Develop “Phase 2” AES modes of operation

Cryptographic Standards Toolkit (Crypto Toolkit)

Goals
• Improve information security and facilitate electronic commerce by developing and standardizing strong cryptographic algorithms
• Provide guidance for the use of cryptography

Technical Areas
• Secure cryptographic algorithms for encryption, authentication, non-repudiation, key establishment, and random number generation.

Impacts
• Worldwide government and industry use of strong cryptography
• Guidance and education available in the use of cryptography
• Secure interoperability achieved through standard algorithms
• Secure electronic commerce enabled through cryptography
• First impact: near term (immediate to 2 years)

Collaborators
Industry: ANSI X9, RSA Security, Certco, Certicom, Chase Manhattan Bank, Cybersafe, Cygnacom, Deloitte & Touche Security Services, IBM, Entrust, BBN, Booz-Allen, Ernst & Young, First Data Corp., First Union Corp., IDA, KPMG, Motorola, Gemplus, Jones Futurex, Mastercard, Merrill Lynch, GTE Cyber Trust, Pitney Bowes, PNC Bank, PricewaterhouseCoopers, TecSec, Spyrus, Verifone, VeriSign, Visa, Xcert, AES submitters and commenters
Federal: NSA, BXA, Federal Reserve, CSE, Treasury

Milestones
FY 2001
• Prepared draft AES and HMAC FIPS and completed public reviews
• AES and HMAC FIPS approval by the Secretary of Commerce (SoC) (4Q)
• Public review of revised SHA with new algorithms (FIPS 180-2)
• Revision and public review of DSS (FIPS 186-3)
• Draft NIST basic AES modes of operation recommendation (4Q)
• Modes Workshop (4Q)
• First draft of key management schemes and guidance documents (4Q)
FY 2002
• FIPS 180-2 and FIPS 186-3 approval by SoC
• Validation tests for AES modes, DSA, SHA, HMAC and ANSI X9.42
• Key Management Workshop
• Complete key establishment scheme and guidance documents
• Develop phase 2 modes of operation recommendation
• Develop a random number generation standard (ANSI X9.82)
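The validation tests listed above (for SHA, HMAC and the other algorithms) are conformance tests: the implementation under test is fed published known-answer vectors and must reproduce every expected output exactly. The Python block below is an added example, not NIST’s validation software, showing that loop end to end. It parses a small response file laid out in the style of the .rsp files used for algorithm validation testing (the file text itself is constructed here), runs Python’s hashlib/hmac as the implementation under test, and rejects a copy of the file in which one expected digest has been altered. The SHA-1 and SHA-256 answers are the FIPS 180-2 “abc” examples and the HMAC-SHA-256 answer is RFC 4231 test case 1; the function names and section labels are this example’s own.

```python
"""Known-answer-test (KAT) conformance harness in the style of algorithm
validation testing. Added example, not NIST validation software. The
implementation under test is Python's hashlib/hmac; the response-file text is
constructed here in .rsp style (Len in bits, other values in hex)."""
import hashlib
import hmac
import re
from typing import Dict, Iterator, List, Tuple

CONSTRUCTED_RSP = """\
# constructed response file (not an official vector file)
[SHA-256]
Len = 24
Msg = 616263
MD = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

[SHA-1]
Len = 24
Msg = 616263
MD = a9993e364706816aba3e25717850c26c9cd0d89d

[HMAC-SHA-256]
Key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
Msg = 4869205468657265
Mac = b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7
"""

# The same file with one hex digit of the SHA-256 answer changed: a harness
# that accepts this file is not testing anything.
CORRUPTED_RSP = CONSTRUCTED_RSP.replace("MD = ba7816bf", "MD = ba7816be")


def parse_rsp(text: str) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Yield (algorithm, fields) per vector; a vector ends at its MD or Mac line."""
    algorithm, fields = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                       # "[SHA-256]" starts a new algorithm section
            algorithm, fields = header.group(1), {}
            continue
        name, _, value = line.partition("=")
        fields[name.strip()] = value.strip().lower()
        if name.strip() in ("MD", "Mac"):
            yield algorithm, fields
            fields = {}


def compute(algorithm: str, fields: Dict[str, str]) -> str:
    """Run the implementation under test on one vector and return hex output."""
    msg = bytes.fromhex(fields["Msg"])
    if "Len" in fields and int(fields["Len"]) != 8 * len(msg):
        raise ValueError(f"{algorithm}: Len={fields['Len']} disagrees with Msg length")
    if algorithm.upper().startswith("HMAC-"):
        digest = algorithm[5:].replace("-", "").lower()          # e.g. "sha256"
        return hmac.new(bytes.fromhex(fields["Key"]), msg, digest).hexdigest()
    return hashlib.new(algorithm.replace("-", "").lower(), msg).hexdigest()


def run_kats(text: str) -> Dict[str, List[Tuple[str, str, bool]]]:
    """Map algorithm -> [(expected, actual, passed)] for every vector in text."""
    results: Dict[str, List[Tuple[str, str, bool]]] = {}
    for algorithm, fields in parse_rsp(text):
        expected = fields["MD"] if "MD" in fields else fields["Mac"]
        actual = compute(algorithm, fields)
        results.setdefault(algorithm, []).append((expected, actual, expected == actual))
    return results


def all_passed(results: Dict[str, List[Tuple[str, str, bool]]]) -> bool:
    """True only if every vector of every algorithm matched."""
    return all(ok for vectors in results.values() for _, _, ok in vectors)


if __name__ == "__main__":
    for label, text in (("good file", CONSTRUCTED_RSP), ("corrupted file", CORRUPTED_RSP)):
        res = run_kats(text)
        print(label, "PASS" if all_passed(res) else "FAIL",
              {alg: sum(ok for *_, ok in v) for alg, v in res.items()})
```

The Len check matters in practice: a vector whose stated bit length disagrees with its message is a malformed test file, and silently hashing the wrong number of bytes would produce a mismatch that looks like an implementation bug rather than a file error.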


Promoting PKI Deployment

Goals
• Promote development of an interoperable PKI to support security services for Internet systems and applications.
• Establish baseline PKI security policies and procedures.
• Assist federal agencies in the deployment of PKI infrastructure and applications through guidance and consultation.

Technical Areas
• Bridge certification authorities
• Certificate Policies (CP) and Certification Practice Statements (CPS)
• Certification and accreditation of CAs
• X.500 and LDAP directory servers

Impacts
• Federal Bridge CA links agency PKIs to form a federal PKI and promotes development of private sector bridge CAs
• Accelerate federal agency PKI deployment
• Chained X.500 directories

Collaborators
Federal: Federal PKI Policy Authority, Federal PKI Steering Committee, General Services Administration, General Accounting Office, National Security Agency, FDIC, Treasury FMS, Army Corps of Engineers, Office of Management and Budget
Academia: EduCause (1,800 universities, colleges, and educational institutions)
State: Illinois, Washington

Milestones
FY 2002
• Federal PKI Technical Working Group
  – Federal Bridge CA cross certifications
  – FBCA certificate, CRL, and directory profiles
• PKI policy development tools
  – Generic certificate policies
  – Certification Practice Statement templates
• Federal PKI guidance document (1Q)
• PKI directory guidance document
• High-level PKI services API draft
• Federal Deposit Insurance Corporation PKI deployment (OG)
• Army Corps of Engineers PKI consultation
• Treasury FMS PKI application development

Exploring New Security Technologies
• Identify and use emerging technologies, especially infrastructure niches
• Develop models, reference implementations, and demonstrations
• Transition new technology and tools to public & private sectors
• Advise Federal agencies to facilitate planning for secure use


Emerging Technologies and Testing

Goals
• Identify and exploit emerging technologies, especially infrastructure niches
• Develop prototypes, reference implementations, and demonstrations
• Transition new technology and tools to public & private sectors
• Develop the tests, tools, profiles, methods, and implementations for timely, cost-effective evaluation and testing

Technical Areas
• Authorization management, access control, system management
• Vulnerability analysis, intrusion detection, attack signatures
• Mobile code, agents, aglets, Java, PDAs, wireless, telecom/IP
• Models, cost models, prototyping, reference implementations
• Automated testing, security specification

Impacts
• Better, cheaper and more intuitive methods of authorization management
• Creating internal competence in emerging technologies (e.g., mobile code)
• Developed world-class vulnerability search engine
• IPsec/web interface testing widely used and referenced
• Significant support and funding, especially in RBAC and wireless device security

Collaborators
Industry: IBM, Microsoft, SUN, Boeing, Intel, GTE, VDG, SCC, Sybase, SAIC, Lincoln Labs, Lucent, Trident, ISS, Symantec, MIT, 3Com, Interlink, Ford, BBN, CISCO, Checkpoint, MCI, Oracle, Mitre, Mitretek
Academic: University of Maryland, Ohio State, University of Tulsa, George Mason, Rutgers University, Univ of Pittsburgh, Purdue University, Univ of Washington
Federal: NSA, DoD, NRL, DARPA

Major Projects
• Access Control & Authorization Management
• ICAT Vulnerability/Patch Search Tool
• National Smart Card Infrastructure
• Intrusion Detection
• Mobile Agents
• Wireless/Device Security
• IPsec/web interface testing
• Quantum Computing Support
• CIP Grants
• Automated Testing




Technical Security Guidance
Technical Lead: Tim Grance

Goals
• Guide Federal agencies in using new technology
• Assist industry and small business
• Present recent findings in security research

Technical Areas
• Firewalls and network security
• Intrusion detection
• Incident handling
• Security testing
• Web and downloadable content security

Impacts
• ITL Security Bulletins extremely popular and widely read
• Agencies rely on technical guidance from NIST
• NIST publications frequently cited and reused in industry literature

Collaborators
Industry: MIS Training Institute, Booz Allen Hamilton, Microsoft, I4
Federal: NIST, NSA, OMB, GSA
Academic: University of Maryland, Purdue University

Milestones (proposed)
FY 2001
• Intrusion Detection
• Active Content & Mobile Code
• Firewall Policy
• Network Security Testing & Incident Handling
• Telecommuting/Broadband Security
• PKI
• IT Security Engineering Principles & IT Security Models
FY 2002
• Public Web Server & E-Mail Server
• Wireless & Device Security
• Microsoft Windows 2000 Security Guidance
• Smart Card Guidance and Security Patches
• Interconnecting Systems and Contingency Planning
• Procurement of Products/Services


ICAT Metabase
A standards-based searchable index of virtually all known computer vulnerabilities
Technical Lead: Peter Mell
http://icat.nist.gov

“Your dedication to making ICAT into one of the premier databases is admirable” (Internet Security Systems)

Goals
• Provide the IT community a fine-grained searchable index of all known computer vulnerabilities, using a standard naming scheme, that links users to publicly available vulnerability databases.

Technical Areas
• Developing classification schemes for vulnerabilities
• Collecting and evaluating vulnerability information
• Measuring the characteristics of vulnerabilities

Impacts
• ICAT enables system administrators to identify flawed systems and to find the patches
• Provides the security community with a free, standards-based index of all vulnerabilities
• Complementary and non-competitive with industry
• ICAT has received praise in over 12 news articles

Collaborators
Educational: SANS Institute (sponsor)
Military: NSA, DISA
Academia: Purdue/CERIAS
Industry: TrustWave, SecuritySaint.com, CyberCopsEurope.com, IpNSA, Securityinfos.com, Hideaway.net, VISC Software and Security, SOC GmbH

Milestones
FY 2001
• ICAT web hits have increased by a factor of 17 in one year
• Analyzed over 2000 vulnerabilities for ICAT
• Started a vulnerability mailing list that now has 1600 subscribers
• Integrated ICAT into the SANS/FBI top 20 vulnerability list
• Helped mirror ICAT on the NSA network
• Enabled organizations to integrate their products with ICAT
• Began offering an off-line version of ICAT
• Vulnerability notification system developed by Purdue
• Provided top-ten vulnerability service
• Joined the CVE vulnerability standard’s editorial board
FY 2002
• Analyze over 1000 vulnerabilities
• Transition ICAT into being a more timely vulnerability service

Awarded Commerce Department Bronze Medal. Averaging 50,000 hits per month; over 100,000 hits in November 2001.
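The mechanics the ICAT slide describes, as an added Python example that is not ICAT’s own code: records carried under a standard vulnerability name, indexed by vendor and product, queried by installed version to identify flawed systems and the patch level that closes the findings, and linked by that name out to the external databases holding the full entries. Every identifier (CVE-0000-000N), vendor, product, version, severity label and URL below is a constructed placeholder, not a real CVE entry or advisory. The example also shows the version-comparison pitfall such a search must avoid: as text, “2.1.9” sorts after “2.1.10”, which would report a vulnerable host as patched.

```python
"""Miniature vulnerability metabase in the spirit of ICAT. Added example, not
ICAT code. All names, products, versions and URLs are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class VulnRecord:
    cve: str                      # standard name used as the join key across databases
    vendor: str
    product: str
    severity: str                 # one of SEVERITY_RANK's keys
    fixed_in: Optional[str]       # first version carrying the patch; None = no fix yet
    references: Tuple[str, ...]   # where the full advisory lives (constructed URLs)


# Constructed sample records: placeholder identifiers, not real vulnerabilities.
CONSTRUCTED_RECORDS = [
    VulnRecord("CVE-0000-0001", "ExampleCorp", "WebServer", "high", "2.1.4",
               ("https://vendor.example/advisories/0001",)),
    VulnRecord("CVE-0000-0002", "ExampleCorp", "WebServer", "medium", "2.1.10",
               ("https://vulndb.example/CVE-0000-0002",)),
    VulnRecord("CVE-0000-0003", "ExampleCorp", "WebServer", "low", None,
               ("https://vulndb.example/CVE-0000-0003",)),
    VulnRecord("CVE-0000-0004", "OtherVendor", "MailRelay", "high", "1.0.1",
               ("https://vulndb.example/CVE-0000-0004",)),
]


def version_key(version: str) -> Tuple[int, ...]:
    """Compare dotted versions component-wise so that 2.1.9 < 2.1.10.
    Plain string comparison orders "2.1.9" after "2.1.10", which would make a
    vulnerable 2.1.9 host look newer than the 2.1.10 fix."""
    return tuple(int(part) for part in version.split("."))


class Metabase:
    def __init__(self, records: List[VulnRecord]):
        self.by_cve: Dict[str, VulnRecord] = {r.cve: r for r in records}
        self.by_product: Dict[Tuple[str, str], List[VulnRecord]] = {}
        for r in records:
            key = (r.vendor.lower(), r.product.lower())
            self.by_product.setdefault(key, []).append(r)

    def affecting(self, vendor: str, product: str, version: str) -> List[VulnRecord]:
        """Records whose fix is absent or newer than the installed version, worst first."""
        candidates = self.by_product.get((vendor.lower(), product.lower()), [])
        hits = [r for r in candidates
                if r.fixed_in is None or version_key(version) < version_key(r.fixed_in)]
        return sorted(hits, key=lambda r: (SEVERITY_RANK[r.severity], r.cve))

    def upgrade_target(self, hits: List[VulnRecord]) -> Tuple[Optional[str], List[str]]:
        """Lowest version that closes every fixable hit, plus the names still open."""
        fixed = [r.fixed_in for r in hits if r.fixed_in is not None]
        target = max(fixed, key=version_key) if fixed else None
        unfixed = [r.cve for r in hits if r.fixed_in is None]
        return target, unfixed

    def references(self, cve: str) -> Tuple[str, ...]:
        """Follow the standard name out to the databases holding the full entry."""
        return self.by_cve[cve].references


def cves_affecting(mb: Metabase, vendor: str, product: str, version: str) -> List[str]:
    """Convenience wrapper returning only the standard names, worst first."""
    return [r.cve for r in mb.affecting(vendor, product, version)]


if __name__ == "__main__":
    mb = Metabase(CONSTRUCTED_RECORDS)
    hits = mb.affecting("ExampleCorp", "WebServer", "2.1.9")
    for r in hits:
        print(r.cve, r.severity, "fixed in", r.fixed_in, *r.references)
    print("upgrade to / still open:", mb.upgrade_target(hits))
```

Indexing on the standard name is what lets the index stay small: it carries only the searchable characteristics (product, affected range, severity) and defers to the referenced databases for the full text, which is the “complementary and non-competitive” arrangement the slide describes.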


Internet Protocol Security (IPsec) Project
Technical Lead: Sheila Frankel

Goals
• Work with world-wide industry leaders to promote the development of IP security standards, technology, and tests. This will ensure early, reliable and interoperable deployment of IPsec, the technology used to build VPNs and to protect the next-generation Internet infrastructure and applications.

Technical Areas
• International standardization of Internet security protocols
• WWW-based interoperability testing
• Reference implementations of next-generation network and security technology

Impacts
• Developed reference implementation of the IETF IPsec and IKE standards, used for education, experimentation and testing
• Web-based IPsec interoperability test facility: http://ipsec-wit.antd.nist.gov
• Over 250 organizations have used NIST’s interoperability tester
• Over 650 organizations have requested NIST’s IPsec reference implementation

Collaborators
Federal: NIST Internetworking Division, NSA

NIST IPsec Product Users
Industry: Bay Networks, BBN, Cabletron, Cisco, Compaq, CyberGuard, Digital, Frontiertech, Gartner Group, GTE Internetworking, Hewlett Packard, IBM, Intel, Interlink, Lucent Technologies, MCI, MIT, Microsoft, Routerware, SAIC, S-Cubed, Secure Computing, Spyrus, SUN, TIS, 3Com and many others
Government: GSA, NRL, Oak Ridge National Labs and others

Milestones
FY 2001
• Added dynamic certificate request and transmission capability to PlutoPlus
• Updated AES Internet Draft to reflect AES selection
• Wrote Internet Drafts on the use of SHA-256 and AES-XCBC-MAC with IPsec and IKE
• Wrote NIST Security Bulletin on IPsec status, issues and security
• Incorporated AES algorithm (and other finalists) into PlutoPlus
• Published book, “Demystifying the IPsec Puzzle”
• Presented invited talks and tutorial on IPsec
FY 2002
• Add PKI interaction to IPsec-WIT
• Implement version 2 of IKE
• Add IKE version 2 to IPsec-WIT
• Publish guidance on the use of PKI within IPsec and IKE


Government Smart Card (GSC) Program
Technical Lead: Jim Dray

Goal
• Create a ubiquitous smart card infrastructure to foster widespread use of smart card technology, improving the security of information systems within the U.S.

Technical Areas
• Develop technical guidance required by Federal contracting vehicles for procurement of standard smart card products
• In conjunction with the Government and vendor communities, develop interoperability specifications and standards
• Develop reference implementations, prototype conformance test suites, security testing criteria, and architectural models

Impacts
• Increased overall security of U.S. information systems
• Reduced cost of smart card system integration
• Simplification of user access control processes
• Enable development of consistent conformance test methodologies for smart card products and systems

Collaborators
Industry: EDS, Northrop Grumman, MAXIMUS, KPMG, eEurope, British Telecom, W3C, RSA Labs, Australian National Office of the Information Economy
Federal: NIST, GSA, DoD, State Dept, USPS, SSA, VA, IRS, DoJ, DoT

Milestones
FY 2001
• NIST designated lead agency for GSC conformance test development
• Establish GSC testbed at NIST
• Develop GSC Interoperability Conformance Test Program
• Develop GSC automated test suite
FY 2002
• NIST publications on smart card technology and GSC interoperability framework
• Java smart card collaboration (prototype implementation)
• Establish a smart card security test program; coalesce with Common Criteria methodology
• International standards coordination
• GSC developer workshops and implementation guidance
• Identify and execute relevant R&D projects to promote smart card interoperability and standards

Assistance and Guidance / Outreach
• Assist U.S. Government agencies and other users with technical security and management issues
• Assist in development of security infrastructures
• Develop or point to cost-effective security guidance
• Assist agencies in using security technology guidance
• Support agencies on specific security projects on a cost-reimbursable basis
• Expand use of the recently developed “NIST Recommendations” series to complement existing publication methods
• Raise awareness of our programs, the value of evaluated products, and the need for security


3. Security Management and Guidance

Goals
• Provide computer security guidance to ensure sensitive government information technology systems and networks are sufficiently secure to meet the needs of government agencies and the general public
• Serve as focal point for Division outreach activities
• Facilitate exchange of security information among Federal government agencies

Technical Areas
• Computer security policy/management guidance
• Computer Security Expert Assist Team (CSEAT) security support to Federal agencies
• Outreach to government, industry, academia, citizens

Impacts
• Agencies use standard, interoperable solutions
• Increased federal agency computer security programs
• Reduced costs to agencies from reduction of duplication of efforts
• Use of “Best Security Practices” among federal agencies

Collaborators
Federal: All Federal agencies, Federal Computer Security Program Managers’ Forum, OMB, GSA, NSA, CIOs
Industry: Security product vendors
Academia: Major universities with computer security curricula

Major Projects
• Computer Security Expert Assist Team (CSEAT)
• Federal Computer Security Program Managers’ Forum
• Computer System Security and Privacy Advisory Board (CSSPAB)
• Computer Security Resource Center (CSRC), redesigned 7/00
• Computer security conferences
• Risk management guidance
• Federal IT Security Self-Assessment Tool
• NIST Security Program Manager’s Handbook
• Contingency planning guidance
• Small and medium businesses outreach


Computer Security Expert Assist Team (CSEAT)

Goals
• Increase Federal agency IT security
• Help protect against economic loss or injury due to disruption of critical Federal systems/services
• Improve Federal agency Critical Infrastructure Protection (CIP) planning and implementation efforts

Technical Areas
• Security assistance for federal agencies’ computer security well-being
• Security assistance to high-risk federal computer security programs
• Development of computer security lessons learned
• Computer security risks and vulnerabilities

Impacts
• Lessons learned available to the federal IT security community
• Agencies understand how to maintain computer system security
• Agencies plan and budget appropriately for computer security
• New guidance development efforts directed at identified need areas
• Improved Federal IT security

Collaborators
Federal: All Federal agencies, OMB

Milestones
FY 2001
• CSEAT methodology established
• Received multiple requests from agencies
• Review of FEMA completed (Q4)
FY 2002
• First high-risk program review (Indian Trust Management) initiated
• Methodology provided on web site
• Initiate cost-reimbursable model if funding for administrative costs is received
• Develop sanitized case studies
• Initiate development of CSEAT review methodology guideline


Small and Medium Sized Business Regional Security Meetings

Goals
• Inform small businesses (< 500 employees) of useful security mechanisms
• Provide computer security training that is practical and cost-effective
• Help small businesses become more educated consumers
• Form NIST-SBA-InfraGard Resource Group, connecting small business owners to local IS resources

Technical Areas
• Viable computer security solutions for small business
• Low-cost computer security methodologies
• Computer security training for the novice
• Business-relevant computer security tools

Impacts
• Improved small and medium sized business security
• Small and medium sized businesses become more aware of information security

Collaborators
Federal: Small Business Administration; National Infrastructure Protection Center – InfraGard Program; Manufacturing Extension Partnership
Industry: Security product vendors; regional business consortia; selected business partners

Milestones
FY 2001
• Plan for conducting regional meetings completed (Q4)
• Meeting educational material developed (Q4)
FY 2002
• First 2 regional meetings conducted
• Third regional meeting scheduled for February
• Build community of small business owners, IT professionals, and researchers
• Generate a plan to provide web-based IT security information in areas of specific importance to small businesses
FY 2003
• Continue conducting regional meetings
• Train local trainers, members of local chapters of industrial associations, or other small business resources

Security Testing
• Develop the tests, tools, profiles, methods, and implementations for timely, cost-effective evaluation and testing
• Raise user confidence
• Lead conformance and evaluation programs
• Support the security testing industry


4. Security Testing and Metrics
(Diagram: User Security Needs feeding Product Validation, IT Security Testing and Evaluation, and Standards and Metrics)

Goals
• Improve the security and quality of IT products
• Foster development of test methods, tools, techniques, assurance metrics, and security requirements
• Promote the development and use of tested and validated IT products
• Champion the development and use of national/international IT security standards

Technical Areas
• Provide Federal agencies, industry, and the public with a proven set of IT security testing methodologies and test metrics
• Promote joint work between NIST, the American National Standards Institute (ANSI) and the international standards community

Impacts
• Timely, cost-effective IT security testing
• Increased security in IT systems through availability of tested products
• Creates business opportunities for vendors of security products, testing laboratories, and security consultants

Collaborators
Federal: NVLAP, State Dept., DoC, DoD, GSA, NASA, NIST, NSA, DoE, OMB
Industry: American National Standards Institute (ANSI), InfoGard Laboratories Inc., CygnaCom Solutions, DOMUS IT Security Laboratory, COACT, Inc. CAFÉ Lab, Atlan Laboratories, EWA, CORSEC Security Inc., Oracle, CISCO, Hewlett-Packard, Lucent, SAIC, Microsoft, Computer Sciences Corp., IBM, EDS, VISA, MasterCard, Amex, Checkpoint, Computer Assoc., RSA, Sun Microsystems, Network Assoc., Booz-Allen, Seculab Inc., Entrust, Silicon Graphics, Arca
Global: United Kingdom, France, Germany, Japan, Korea, Canada, Netherlands, Australia, Italy, Spain, New Zealand, Finland, Sweden, Norway, Greece, Israel, ECMA, JCB, Europay, Mondex

Major Projects
• Cryptographic Security Testing
• Cryptographic Module Validation Program
• National Information Assurance Partnership
• Common Criteria Evaluation and Validation Program
• International Recognition Arrangements
• Laboratory Accreditation
• Automated Security Testing and Test Suite Development
• Assessment program for system certifications
• Protection profile development effort with government/industry
• Industry Forums
• Testing, Education, Outreach Programs, Conferences and Workshops


Cryptographic Module Validation Program

Goals
• Improve the security and quality of cryptographic products
• Provide U.S. and Canadian Federal agencies with a security metric to use in procuring cryptographic equipment
• Promote the use of tested and validated cryptographic algorithms, modules, and products

Technical Areas
• Development of implementation guidance, metrics and test methods
• Validation of test results
• Accreditation of testing laboratories
• Joint work between NIST, ANSI and international standards bodies

Impacts
• Provide Federal agencies with confidence that a validated cryptographic product meets a claimed level of security
• Supply a documented methodology for conformance testing
• Create business opportunities for vendors of cryptographic products, testing laboratories, and security consultants

Collaborators
Federal: National Voluntary Laboratory Accreditation Program
Industry: American National Standards Institute (ANSI), InfoGard Laboratories Inc., CygnaCom Solutions, DOMUS IT Security Laboratory (a Division of LGS), COACT, Inc. CAFÉ Lab, Atlan Laboratories, EWA-Canada LTD IT Security Evaluation Facility, CORSEC Security Inc.
Global: Communications Security Establishment (CSE) of the Government of Canada

Milestones
FY 2001
• Finalized FIPS 140-2: Security Requirements for Cryptographic Modules
• Implemented cost recovery plan as of February 15, 2001
• Developed FIPS 140-2 Derived Test Requirements and automated tool (Q4)
• Validated 45 cryptographic modules and 46 cryptographic algorithm implementations
• Coordinated ANSI X9.42-2001: Key Agreement Using Diffie-Hellman and MQV
• Finalized SD-012 Guideline for Validating Implementations Conforming to ANSI Standards
• Completed cryptographic module reference implementation (Q4)
FY 2002
• Revise Cryptographic Module Testing (CMT) laboratory accreditation process, NVLAP Handbook 150-17
• Accredit 2-3 additional CMT laboratories, including international ones
• Expand the agreement with CSE to include additional countries
• Conduct second Cryptographic Module Validation Program Workshop/Conference
• Develop validation test suites for new algorithms/protocols

1/02
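Added example, written for this page rather than taken from NIST's CMVP or algorithm-validation tooling, showing the core of what the "Validation Test Suites" and "Validation of test results" items above describe: a known-answer test harness that checks an implementation's outputs against published expected values and records every mismatch. The three SHA-256 digests are the standard's published example values; the vector-table layout, the report format and the deliberately defective implementation are constructed for illustration.

```python
import hashlib
from typing import Callable, List, NamedTuple, Tuple

# Known-answer test (KAT) vectors: each pairs an input message with the digest a
# conforming SHA-256 implementation must return. These three digests are the
# published example values from the SHA standard (empty message, "abc", and the
# two-block 448-bit message); the table layout is this example's own.
SHA256_KATS: List[Tuple[bytes, str]] = [
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
     "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"),
]

HashImpl = Callable[[bytes], str]


class Failure(NamedTuple):
    index: int        # position of the vector in the suite
    message: bytes    # input that was hashed
    expected: str     # digest required by the test suite
    actual: str       # digest the implementation under test produced


class ValidationResult(NamedTuple):
    algorithm: str
    passed: int
    failures: List[Failure]

    @property
    def conforms(self) -> bool:
        # A single mismatch fails validation: the suite demands exact agreement
        # with every known answer, not a majority.
        return not self.failures


def run_kats(algorithm: str, impl: HashImpl,
             vectors: List[Tuple[bytes, str]]) -> ValidationResult:
    """Run every known-answer vector against impl and record each mismatch."""
    passed = 0
    failures: List[Failure] = []
    for index, (message, expected) in enumerate(vectors):
        actual = impl(message).lower()
        if actual == expected:
            passed += 1
        else:
            failures.append(Failure(index, message, expected, actual))
    return ValidationResult(algorithm, passed, failures)


def format_report(result: ValidationResult) -> str:
    """Render the outcome the way a lab record would: verdict first, then each mismatch."""
    verdict = "PASS" if result.conforms else "FAIL"
    lines = [f"{result.algorithm}: {verdict} "
             f"({result.passed} passed, {len(result.failures)} failed)"]
    for f in result.failures:
        lines.append(f"  vector {f.index}: msg={f.message!r} "
                     f"expected={f.expected} got={f.actual}")
    return "\n".join(lines)


# Implementation under test #1: the platform SHA-256, standing in for a vendor module.
def platform_sha256(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()


# Implementation under test #2 (constructed defect for illustration): a module that
# mishandles the final input byte, the kind of length/padding bug a KAT suite is
# designed to expose. It still passes the empty-message vector, which is why a
# suite carries several vectors of different lengths.
def truncating_sha256(message: bytes) -> str:
    return hashlib.sha256(message[:-1]).hexdigest()


if __name__ == "__main__":
    print(format_report(run_kats("SHA-256 (platform)", platform_sha256, SHA256_KATS)))
    print(format_report(run_kats("SHA-256 (defective module)", truncating_sha256, SHA256_KATS)))
```

The defective module passes one of the three vectors and fails the other two, which is the point of keeping vectors of several lengths in a suite: a single short vector would have let the bug through.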

National Information Assurance Partnership

Goals
• Promote the development and use of evaluated and validated IT products
• Champion the development and use of national/international IT security standards
• Develop state-of-the-art test methods, tools, techniques and assurance metrics
• Support a framework for international recognition of testing results
• Foster development of IT security requirements in key technology areas

Technical Areas
• Development of implementation guidance, requirements, metrics and test methods
• Validation of test results and accreditation of testing laboratories
• Joint work among NIST, NSA and international partners

Impacts
• More timely, cost-effective IT security evaluations with greater consistency
• Less duplication of security testing globally
• New test methods for specific information technologies
• Increased security in IT systems and networks through greater availability of evaluated and validated products
• Greater availability of common security requirements and specifications for key technologies and sectors

Building More Secure Systems for the New Millennium (sm)

Collaborators
Federal: State Dept., DoC, DoD, GSA, NIST, NSA, DoE, OMB
Industry: Oracle, CISCO, Hewlett-Packard, Lucent, SAIC, Microsoft, Computer Sciences Corp., Cygnacom, Arca, IBM, EDS, VISA, MasterCard, Amex, Checkpoint, Computer Assoc., RSA, Sun Microsystems, Network Assoc., Booz-Allen, Seculab, Entrust, Silicon Graphics, COACT
Global: United Kingdom, France, Germany, Japan, Korea, Canada, The Netherlands, Australia, Italy, Spain, New Zealand, Finland, Sweden, Norway, Greece, Israel, Russia, ECMA, JCB, Europay, Mondex
Forums: Healthcare, Information Assurance, Process Control, Smart Card, Insurance

FY 2001
• Accredited 5 Common Criteria (CC) Testing Laboratories
• Expanded CC Recognition Arrangement to 14 nations adding Israel
• Hosted national-level Government-Industry IT Security Forum
• Conducted international IT security outreach training for Japan and Israel
• Developed comprehensive operations manual for CC Recognition Arrangement
• Completed smart card protection profile and corresponding evaluation
• Initiated new security requirements forum for process control systems
• Validated 4 security products and 4 protection profiles

FY 2002
• Accredit 1-2 additional CC Testing Laboratories
• Expand CC Recognition Arrangement by 1-2 nations
• Develop technology-based lab accreditation program with smart card prototype
• Initiate cooperative protection profile development effort with government/industry
• Develop guidance, procedures and assessment program for system certifications
• Enhance outreach program and activities

Common Criteria
What the standard is –
• Common structure and language for expressing product/system IT security and assurance requirements
How the standard is used –
• Develop protection profiles and security targets
• Evaluate products and systems against known and understood IT security requirements


Defining IT Security Requirements for Federal Systems and Networks
Chart: International Standards-Based Common Criteria Protection Profiles. A family of Protection Profiles is defined for each Key Technology Area at three Threat Levels (PP-1, PP-2, PP-3). Key Technology Areas: Operating Systems, Database Systems, PKI, Smart Cards, Biometrics, Firewalls, Wireless Devices, Web Apps & Browsers, Intrusion Detection Systems, Virtual Private Networks.

Beyond IT product testing…
• Homeland Security/Cybersecurity needs demand attention beyond just security evaluation of IT products
• Complementing the current NIAP focus on product evaluation, NIST plans to use its unique position to focus on Federal system certifications by:
– Developing unified Federal procedures and guidelines for system certification (NIST Special Publication 800-37)
– Developing test methods traceable to 800-37 to ensure competent and consistent application of the certification procedures
– Developing a certification program with a network of NVLAP-accredited assessment organizations capable of conducting system and network certifications for Federal agencies (and also available for use by State/Local governments and the private sector).

Organization
Chart: Computer Security Division organization as of 12-01.

Division Budget Trends
Chart: division budget by fiscal year; the FY-02 "Other" figure is as of 12/01.

http://csrc.nist.gov
• http://csrc.nist.gov/cryptval – CMVP
• http://niap.nist.gov – NIAP
• http://csrc.nist.gov/pki – PKI
• http://icat.nist.gov – ICAT
• http://fasp.nist.gov – agency practices

Summary & Conclusions
Impacts from NIST work:
• Improved security, availability, integrity, operation, and effectiveness of IT
• Enhanced IT security through wider availability of products that meet security standards
• Increased global market for U.S. IT products
• Achieved cost savings and security via public-private collaboration and information sharing

Multiple opportunities exist for collaboration:
• Cryptographic standards development
• Public Key Infrastructure
• Product security validation/evaluation
• Review of guidance
• Visiting "guest researchships" at NIST
• Cooperative research



Further Information
• NIST Computer Security Resource Center – http://csrc.nist.gov
• Points of Contact
– General and Guest Researchships: Ed Roback
– Cryptographic standards & PKI: Bill Burr
– Security Testing (Cryptographic Module Validation Program, National Information Assurance Partnership): Ray Snouffer, Anabelle Lee, Ron Ross
– Security Research: Tim Grance
– Security Management: Joan Hash

Questions?

Contact Information
[email protected] 301/975-3669
