Systems Engineering Seems to Show a Path - mccright/FCCSCybersecurityInput GitHub Wiki
What might that kind of systems engineering look like?
Strategic Cyber Resiliency Design Principles [page 17]
- Focus on common critical assets.
- Support agility and architect for adaptability.
- Reduce attack surfaces.
- Assume compromised resources.
- Expect adversaries to evolve.
Structural Design Principles for Cyber Resiliency [page 22]
- Limit the need for trust
- Don't trust input ('all input is evil')
- Control visibility and use
- Contain and exclude behaviors
- Layer and partition defenses
- Plan and manage diversity
- Maintain redundancy
- Make resources location-versatile
- Leverage health and status data
- Maintain situational awareness
- Manage resources (risk-) adaptively
- Maximize transience; minimize persistence
- Determine ongoing trustworthiness
- Change or disrupt the attack surface
- Make unpredictability and deception user-transparent
Cyber Resiliency Design Principles.
Cyber Resiliency Goals [page 62]
- Anticipate
- Withstand
- Recover
- Evolve
Cyber Resiliency Objectives [page 62]
- Understand
- Prepare
- Prevent / Avoid
- Continue
- Constrain
- Reconstitute
- Transform
- Re-architect
Cyber Resiliency Techniques [page 62]
- Adaptive response
- Analytic monitoring
- Deception
- Diversity
- Dynamic positioning
- Non-persistence
- Privilege restriction
- Segmentation / isolation
- Coordinated defense
- Dynamic representation
- Realignment
- Redundancy
- Substantiated integrity
- Unpredictability
"Cyber Resiliency Design Principles" MITRE Technical Report, By Deborah Bodeau & Richard Graubart, January 2017
https://www.mitre.org/sites/default/files/publications/PR%2017-0103%20Cyber%20Resiliency%20Design%20Principles%20MTR17001.pdf
ISO/IEC 27000 includes a model for thinking about information security:
QUOTE:
Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity [there are lots of candidate -ilities]. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency.
Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.
As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.
To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.
END QUOTE:
From: ISO/IEC 27000:2018, "Information security management systems - Overview and vocabulary," 5th ed., 2018-02, page 11.
https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_E.zip
And the now-ancient Common Criteria documents:
"Introduction and general model - Common Criteria." Version 3.1, Rev 4 (93 pages, Sept 2012)
https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4.pdf
"Common Criteria Part 2: Security functional requirements" Version 3.1, Rev 2. (324 pages, 2007)
https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R2.pdf
"Common Criteria Part 3: Security assurance components" Version 3.1, Rev 4 (233 pages, Sept 2012)
https://www.commoncriteriaportal.org/files/ccfiles/ccpart3v3.1r4.pdf
None of us are likely to be in the 'risk elimination' business.
That is not an economic goal.
Instead, we implement processes to identify risks and processes/tools to modify risks.
We might choose to:
- avoid a risk by deciding not to start or continue with the activity that gives rise to the risk;
- take or increase our risk in order to pursue a given opportunity;
- remove a risk source;
- alter the likelihood of a given risk;
- modify the consequences of a given risk;
- share the risk with another party or parties (think contracts and risk underwriting/insurance);
- retain the risk (ensuring that decision-makers are making an informed choice).
From: ISO/IEC 27000:2018, "Information security management systems - Overview and vocabulary," 5th ed., 2018-02, page 10.
https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_E.zip
A Short List of Candidate Anti-Requirements
- The system must not send hostile inputs in HTTP responses.
  a. The system must not enable unauthorized introduction of executable code as inputs.
  b. The system must not include unauthorized executable code in HTTP responses.
  c. The system must not support the execution of user-submitted SQL.
- The system must not permit anonymous user activities [i.e., hold every user unambiguously accountable for their actions].
- The system must not allow users to exceed their authorized access.
- The system must not reveal sensitive information in response to error conditions.
- The system must not omit error information from its logging.
  a. The system must not write executable code to logs.
  b. The system must not write confidential content to any log unless verified and enforced access controls limit access to formally authorized parties.
- The system must not permit passing non-public information in clear text across non-company networks.
  a. The system must not store or transmit passwords or PINs in clear text.
- The system must not permit unauthorized modification of application data.
  a. The system must not permit unauthorized modification of application code.
- The system must not permit activities by any user who authenticated as another person (a hostile party using credentials that were not assigned to them).
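Anti-requirements are only useful if they can be checked. The block below is an added example (not code from this wiki or from any of the cited reports) that turns three of the anti-requirements above into executable checks: reflecting hostile input into an HTTP response (the "before" handler beside its output-encoded form), executing user-submitted SQL (string-built query beside a bound-parameter query), and writing executable content or credentials to logs. The function names, the in-memory sqlite3 table and the probe strings are all constructed for illustration.

```python
"""Executable checks for three of the anti-requirements listed above.

Added example, not code from the wiki page. Function names, the sample
probe inputs and the sqlite3 schema are constructed for illustration.
"""
import html
import re
import sqlite3

# Constructed hostile inputs: a reflected-XSS probe, a SQL injection
# probe, and a log-injection probe that tries to forge a second record.
XSS_PROBE = "<script>alert(1)</script>"
SQLI_PROBE = "' OR '1'='1"
LOG_PROBE = "alice\r\n2024-01-01 login user=admin result=SUCCESS"


# Anti-requirement: must not send hostile inputs in HTTP responses.
def greet_vulnerable(name: str) -> str:
    # Reflects the caller's input verbatim into the HTML body.
    return f"<p>Hello, {name}</p>"


def greet_hardened(name: str) -> str:
    # Output-encode for the HTML text context so markup becomes inert text.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Anti-requirement: must not support the execution of user-submitted SQL.
def demo_db() -> sqlite3.Connection:
    # Constructed table: two users, one of them privileged.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String concatenation lets the input rewrite the WHERE clause.
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # A bound parameter is data only; the driver never parses it as SQL.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# Anti-requirements: must not write executable code or confidential
# content to logs; must not store or transmit passwords/PINs in clear text.
SECRET_KEYS = {"password", "passwd", "pin", "secret", "token"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def log_line(event: str, **fields) -> str:
    parts = [event]
    for key, value in fields.items():
        if key.lower() in SECRET_KEYS:
            value = "[REDACTED]"  # record that a credential was present, not its value
        else:
            # Neutralize CR/LF and other control characters so one request
            # cannot forge extra log records or smuggle terminal escapes.
            value = CONTROL_CHARS.sub(
                lambda m: "\\x%02x" % ord(m.group()), str(value))
        parts.append(f"{key}={value}")
    return " ".join(parts)


if __name__ == "__main__":
    conn = demo_db()
    print(greet_vulnerable(XSS_PROBE))
    print(greet_hardened(XSS_PROBE))
    print(lookup_vulnerable(conn, SQLI_PROBE))  # both rows leak
    print(lookup_hardened(conn, SQLI_PROBE))    # no match
    print(log_line("login", user=LOG_PROBE, password="hunter2"))
```

Each pair is the shape of a regression test you can keep in the build: the vulnerable function documents what the anti-requirement forbids, the hardened one is what ships, and the assertions fail the moment someone re-introduces string concatenation into a query or starts logging a credential.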
Metrics
Interesting related quote about metrics:
"...measured data does not need to be perfect,
provided that it contains the information required,
is adequately correct and practically measurable."
From "Risk-Driven Security Metrics in Agile Software Development," R.M. Savola, S. Frühwirth, and A. Pietikäinen, Journal of Universal Computer Science 18(12), 28 June 2012, p. 1682. http://www.jucs.org/jucs_18_12/risk_driven_security_metrics/jucs_18_12_1679_1702_savola.pdf
Also from the same paper/same page, a table of key security metric concepts:
+------------------------+---------------------------------------------+
|Security Objective (SO) | High-level statements of intent to counter |
| | identified threats and/or satisfy identified|
| | security policies and/or assumptions. |
+------------------------+---------------------------------------------+
|Security Requirement | Requirement, stated in a standardized |
|(SR) | language, that is meant to contribute to |
| | achieving the SOs. |
+------------------------+---------------------------------------------+
|Security Control (SC) | Means of managing risk, which can be |
| | administrative, technical, management, or |
| | legal in nature. |
+------------------------+---------------------------------------------+
|Security Correctness | Assurance that security controls have been |
| | correctly implemented in the SuI, and the |
| | system, its components, interfaces, and the |
| | processed data meet the sec. requirements. |
+------------------------+---------------------------------------------+
|Security Effectiveness | Assurance that the stated SOs are met in the|
| | SuI and the expectations for resiliency in |
| | the use environment are satisfied in the |
| | presence of actual security risks. |
+------------------------+---------------------------------------------+
|Security Efficiency | Assurance that the adequate security quality|
| | has been achieved in the SuI, meeting the |
| | resource, time and cost constraints. |
+------------------------+---------------------------------------------+
"SuI" (System under Investigation)
What might be some metrics relevant to your environments?
LEARNER Resources:
"Secure by Design" -- Every technology provider must take ownership at the executive level to ensure their products are both secure by design and secure by default. https://www.cisa.gov/securebydesign
"CISA Cybersecurity Best Practices." https://www.cisa.gov/topics/cybersecurity-best-practices
"NIST SP 800-160 Vol. 1." Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Date Originally Published: November 2016 (Last updated 3/21/2018)
By Ron Ross (NIST), Michael McEvilley (MITRE), Janet Oren (Legg Mason)
Volume 1 addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems. https://csrc.nist.gov/publications/detail/sp/800-160/vol-1/final
"NIST SP 800-160 Vol. 2." Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems. Date Published: November 2019
By Ron Ross (NIST), Richard Graubart (MITRE), Deborah Bodeau (MITRE), Rosalie McQuaid (MITRE)
Volume 2 addresses cyber resiliency considerations for two important, yet distinct communities of interest:
Organizations conducting new development of IT component products, systems, and services; and
Organizations with legacy systems (installed base) currently carrying out day-to-day missions and business functions.
https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final
"SEEDLabs Hands-on Labs for Security Education." Roughly 30 labs that cover a wide range of topics in computer and information security, including software security, network security, web security, operating system security and mobile app security. Used by educators across the globe. https://seedsecuritylabs.org/index.html
Self-Review Questionnaire: Security and Privacy by the W3C Technical Architecture Group https://w3ctag.github.io/security-questionnaire/
Some of the Engineering Principles in English and Latin for fun and reuse https://github.com/mccright/rand-notes/blob/master/En-n-Latin-Principles-for-Cyber-Resiliency.md
Cybersecurity Maturity Model Certification (CMMC) Version 1.0, 2020 January 30
https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf
The CMMC model measures cybersecurity maturity with five levels. Each level, in turn, consists of a set of processes and practices, characterized below:
+--------+-----------------+---------------------------+
|LEVEL | PROCESSES | PRACTICES |
+--------+-----------------+---------------------------+
|Level 5 | Optimizing | Advanced/Progressive |
+--------+-----------------+---------------------------+
|Level 4 | Reviewed | Proactive |
+--------+-----------------+---------------------------+
|Level 3 | Managed | Good Cyber Hygiene |
+--------+-----------------+---------------------------+
|Level 2 | Documented | Intermediate Cyber Hygiene|
+--------+-----------------+---------------------------+
|Level 1 | Performed | Basic Cyber Hygiene |
+--------+-----------------+---------------------------+