Packet Hacking Village - Security to Make the CFO Happy
Formal metadata
Number of parts | 335
License | CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute, and make publicly available the work or its content for any legal purpose, in unaltered or altered form, provided you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/48747 (DOI)
Transcript: English (automatically generated)
00:00
And we are back. And now it is my pleasure to introduce you to Adam. Thanks, mate. Hey, good afternoon, everyone. All right, this is on. Good afternoon, everyone. This talk is about how we as engineers can reach out
00:20
to a number of colleagues in a traditional federal defense contractor to really help wrangle compliance in a reasonable manner. It's a daunting task. We'll work on a war on two fronts, at least. But what we'll see is that a lot of organizations already have the fundamentals in place.
00:41
Once that's understood across the organization, I think some documentation, a little bit of process improvement here and there, and metrics can exceed compliance and even make security a business enabler. It's security to make the CFO happy.
01:01
I don't think it would be a DEFCON talk without some colorful language. So I'm going to hit you right up front. There it is. So just by quick show, yeah, look at that. That is some raunchy technical gibberish there. So real quick, I'm sure most of you
01:21
are familiar with some of these terms. But line by line, so basically the top one security controls. The next one is DOD standards for training. The next one is how organizations are supposed to protect controlled unclassified information. The next one is how the Department of Defense has so many DEFCON groups that they go
01:41
with entire phone numbers, just not the trunk. Just kidding, that DFARS clause is what folks in our contracting departments, or maybe even legal, are gonna use to trace when standards actually go into contracts as they go out to the federal contractors. And then lastly, we have two maturity models whose origin is the Software Engineering Institute
02:03
in Pittsburgh, Pennsylvania. They are the Capability Maturity Model Integrated, and then the Cybersecurity Maturity Model Certification, which is currently in development. So whose ears are burning? Who'd be offended by that technical gibberish? Well, it's the entire DOD supply chain, for starters,
02:23
and as you can see, that's quite a few companies. We're here at Hacker Summer Camp, so... Oh, so folks that live and breathe business efficiency in companies, to them, the Department of Defense is the advanced persistent threat,
02:41
and they are a tough and determined enemy. It's Hacker Summer Camp, so let's do some threat modeling. And we'll start out with our targets, or maybe our potential victims, subject to attacks from this APT. So, business side, we're gonna see business development folks, so these are the capture leads
03:02
trying to capture new business and new customers, and then there's program managers who execute existing contracts. On the internal support functions for a company, we're gonna have finance, quality assurance, IT managers that are gonna be targeted by these new standards and things.
03:23
All right, so threat vectors. What forms do the threats come in? So, for the business side, we're gonna look at data calls which are from other companies that wanna partner on efforts. We've got requests for information or requests for proposals coming in from customers,
03:42
and we've got statements of work and supplier statements of work. On the organization side, we have certifications that they may choose to go out and try to get approval for. And then audits from folks like the Defense Contract Management Agency. The third one is kind of a catch-all, and it can hit both the support functions
04:01
and the business, and that's the questionnaire. So, why is it so scary for these company leaders, so these department heads and business directors? Why would it make the CFO unhappy? And this is a list of pain points. So, poor communication, possibly from business project
04:22
to business project, as well as poor communication between the customer, so the DOD customer, and the business. The reason for that is it simply, a lot of times it's a flow-down issue from the DOD to departments and agencies and so forth down to our program office, and they really don't know how to communicate
04:41
that to the contractor. The second thing is the security language. I think literacy is a big issue when we look at the security controls in the NIST special publications and kind of map that to what we do to provide services and systems to the government.
05:01
Security that comes in at the end, I would argue, is the classic example of unplanned work, if you're familiar with that term from DevOps practices. And lastly, a lot of these mandates and requirements, they kind of run counter to traditional contract execution where cost, schedule, and performance count, but there's no real way to measure
05:22
how well you did security, right? So they tend to get dropped. And fortunately, that security is changing with this CMMC, which we'll cover again. So we've seen some potential victims in our organization. We know what the threats are.
05:40
So what can we do to help out? Well, first of all, this is supposed to be a picture of, we're gonna teach the victims how to outswim the shark, for one. So how do we do security in our process faster and more efficiently, right? Because that's how we know how to do business is to do things on time and on budget. It's just familiarity.
06:01
Secondly, I would argue that really wrangling the compliance, not just taking the standards at face value with written form, but finding out how they apply to us and how we can tailor them to our processes that we have already, how we do things. So to be a good lifeguard in your business,
06:21
you have to enjoy working with other people across the organization, especially if there's few security folks in your group. But swimming, preferred, but not necessary for this job. We've got a lifeboat. So training is a factor in this talk.
06:40
One point that I wanted to make is this is kind of the view of security right now to a lot of people. You get this one piece of paper or this authority to operate certificate, and people think you're done, and then you move on and forget about security. So if it's not clear by now, we kind of need to train up these business leaders to say this milestone that we're gonna have
07:02
is a compliance fire drill. That's not the end of the day. We want to do this easier the next time and get better and better at it. So there are many maturity models. This one is mine. There is no settled-on cyber security maturity model yet
07:22
for the CMMC. There are some out there, but this one's mine. So I'll argue that level one is awareness. Security is the thing, and I think most people achieve that because they're afraid of it. Number two is the literacy, so really understanding the documents. Once we understand it, we can engage both tactically with our customer
07:41
and really help them understand because sometimes we may be ahead of the curve in kind of knowing it's our systems, the things that we build. We should know how to put security in there the right way and then strategic, so interacting with things that are ongoing like the cyber security maturity model certification, which I think we all just missed a listening session
08:02
hosted by NIST on Thursday. So there's another three or four sessions. If you look at the CMMC website, you'll see their schedule they have where they started this summer. Lastly, for our purposes, security needs to be a measurable cost, and this is to play off the CMMC.
08:20
Their kind of bumper sticker is security, they want to make security an allowable cost, which is a change from the past. So I say we make it a measurable cost. A history lesson, we are not gonna be the first techies to have to work across the company to kind of satisfy process improvement or certification.
08:42
And just a quick reference, this is the information assurance baseline. When we look at the 8570, 8140, this is a matrix of various technical and managerial roles and security specific roles. I put this up here, one to show that while general certifications get a bad rap,
09:04
if you don't have a well-defined security group yet, the general certifications give you a lot of bang for your buck to kind of start wrangling compliance. One in particular, the CISSP, I'm not endorsing that one, I'm just saying it's in a lot of boxes.
09:20
Next to that you have Security+, and I'll also point out real quick, if you can see any one of the Security+, Network+, you also have the CE, that's for compute element. So the point there is that technical proficiency matters, and as we go to 8140, it seems like it's gonna matter more.
09:40
So how do we get the best value out of our training dollars? So we've been talking about roles in our company, and they tend to be senior, at least senior to me, a mid-level engineer, in triaging security control traceability to various projects. I like to line up what I call compliance dominoes.
10:03
So if we know the milestones that our customer expects, and we kind of go to the higher ups, the business directors who have visibility across the company, let's line up these milestone dates that the customer has with our existing program schedules, right? Too many times I've seen security come in at the end,
10:21
and it's kind of like getting T-boned in a car accident. The schedules are orthogonal, they're not in lockstep. Once we do that, we're definitely gonna be more efficient in executing on these security tasks, whether it's a technical hardening effort to fix a web server, or to answer a questionnaire or something like that.
10:42
The next bullet, maximizing existing contracts. I would say that's both maximizing the resource that we have from our customer. We may have to pull on them rather strongly, maybe even reach through the customer to their next level up, but they're gonna provide valuable guidance
11:02
whether they know it or not on how we can do things efficiently. Secondly, there's our vendor relationships, and that brings me to some of the relationships we'll see on the ground in our company. So the first one is purchasing. So I know in my case,
11:21
initially purchasing one of the people that maybe I make a purchase request for some software, and maybe I have to wait a long time and eventually it gets approved. And then when I go install the software that I just got approved for, I get to a certain point and ask for a license key, and then I have to go back to that person too because they got the email with the license key. So the purchasing folks are more than that.
11:42
They have the contact with our vendors. They're gonna help us maximize that relationship to get the most out of our SIEM or our vulnerability management vendor in terms of training and technical support and things like that.
12:02
They're also gonna have visibility on what other programs or what other groups are actually using the same software, right? Because they've got basically higher level visibility into all the purchases in the company. That's gonna save us from making painful decisions about buying a new or opening a new account
12:21
where we can just get maybe an entitlement with an existing account that we already have. And one last thing about purchasing. It is a central point of having good supply chain risk management plan. So I would argue that the purchasing folks, a lot of successful SCRM,
12:41
which is really about what the CMMC and some of these standard BOWs protecting the supply chain, a good program is gonna ride on their backs and those folks are already doing some good work. It's just a matter of them maybe adding a little bit there. But they're gonna help us a lot. The second relationship, it should be pretty obvious,
13:03
but engineering and IT, that's two technical groups, should be working together. We might have different tech stacks, but otherwise this relationship should make sense. And the security focus of it, I would say if we can focus on getting together
13:21
for some SIEM training for that vendor we haven't really maximized that relationship with, that's a really good idea. Because one, we're gonna have more folks to consult when we're troubleshooting problems with our SIEMs. And the other thing that's gonna buy us, if we don't have a SIEM yet, and we don't really do metrics really well, the SIEM is gonna be that data aggregation platform
13:43
to get metrics. And frankly, as an engineering group, if we don't have that yet, it's gonna help us up a little to like a level in terms of the capability and maturity to like a level four, if we're at a level two or three previously. The third relationship is human resources.
14:01
I think there's plenty of ways that this one could go. For me personally, what I saw was this kind of value thread here, which is up on the screen now. I had a situation at work where a data call came in from another partner. The senior business director saw it. He kind of put out an email with HR
14:22
and some of the cyber people. And HR could kind of figure out who had the right cyber certs or experience. It's kind of like a company resume, to be frank. HR now has that. They can develop some kind of talent database so the next time the next data call comes in,
14:41
it doesn't have to be an email exercise. They can also start tweaking their education reimbursement policies to include cyber training. That's a win for HR because now they have one more perk to attract new talent. And it's a win for us because it's a way for us to basically, with new talent, we get new allies. And if you're the one engineer that was doing security,
15:01
now you have folks that can help you with that. Just a quick summary. The CFOs, they're about, I would say, time is money, that old cliché. I would say that security literacy saves time. Security, especially organizational security,
15:22
is gonna be team effort. Don't throw the baby out with the bathwater. So our existing groups are probably already doing a decent job. It's just about documenting that and maybe refining it to the engineering process that we're already doing. And then lastly, where you want to get to is that security enables quality. It's not just security for its own sake,
15:42
but there are many practices, good security practices, that are gonna make your engineering process stronger. And that's it. So like they say, you really do zip through the slides fast and live. So open up to questions now.
16:05
Any relationships that people want to work on a little bit more? Not personal relationships. That's good, yeah.
16:21
So physical security. So when I'm doing security controls, like the NIST 800-53, when I say disaster recovery and business continuity, that might be the CISSP term. But you know what I mean? To me, that says facilities, right? And in facilities, it's gonna work with IT because if power goes out,
16:41
what kind of ops are they running and stuff like that? So yeah, that's definitely a relationship that's gonna extend out. And then with the supply chain, well, on the extending relationship, manufacturing or shipping and receiving is definitely gonna factor in a supply chain relationship.
17:26
Say the last part. So one thing I think disambiguating IAM is information assurance manager,
17:41
not identity authentication management. I hope that was maybe not clear. Does that make sense? So one thing I have to admit as a security-minded person, sometimes it helps to just be aware and literate of the security requirements as they come down the pipe or these compliance things. You know, it's something to show like,
18:01
hey, you know, we have programs A, B, C, and D, and we know that we have engineers that touch the systems that require those kind of certs. So one is showing that official compliance. Now, you know, if you wanna hear a weird thing about those DOD 8570, that baseline matrix comes from that, but the new standard is 8140,
18:22
which is not quite done, but they just relabeled 8570 cubed to cover 8140. So dealing with those lags sometimes, that's why I say those DFARS clauses matter, because that's when the rubber hits the road for when you actually see new security language in like contract documents.
18:47
Well, that's it. Thanks, everybody, for coming. I appreciate your time.