May 4, 2009 1 06/26/22 1 tevens Institute of Technology ecurity Systems Engineering Jennifer Bayuk Cybersecurity Program Director School of Systems and Enterprises [email protected]
Mar 27, 2015
May 4, 2009 1
04/10/23 1
Stevens Institute of TechnologySecurity Systems Engineering
Jennifer BayukCybersecurity Program DirectorSchool of Systems and [email protected]
May 4, 2009 2
Stevens Institute Security Research
National Center for Secure and Resilient Maritime Commerce Naval Security Infrastructure Technology Laboratory Center for the Advancement of Secure Systems and
Information Assurance National Cybersecurity Center of Excellence in Information
Assurance Education National Cybersecurity Center of Excellence in Information
Assurance Research Leader of the DoD University Affiliated Research Center for
Systems Engineering Systems Security Core Research Topic
Why new focus on Systems Engineering Security?
May 4, 2009 3
»3
VPN
Remote Access Server
Policy Servers
CertificateAuthority
AntiVirus
Mgmt
Personal Computers
User Workstation
User Terminal
Mainframe
LAN
Multiplexor
Time Sharing or Bulletin Board Service
»Modem
Internet
Router
External ServersRouter
Physical Perimeter
Email Server
Server Farm
::::::
Firewall
Web Servers
»Modem
Procedure
V
Proxy
Server
IDS
IDS
IPS
IPSIsolate and Harden Servers
::::::Firewall
SIM
WAFW
Content
Filters
EXTERNAL THREATS
Wireless
Token Admin
VPN
Secure Storage
Key Management
Online Services and Outsourcing Arrangements
::::::
Firewall
Current attacker
path to data
The Problem
IdentityMgmt
SERC Security EngineeringResearch Roadmap
1. Define systems security2. Measure systems security3. Devise system security
frameworks 4. Improve the proficiency of the
security engineering workforce
1. Define systems security
Reassess periphery models Focus on whole systems Examine interfaces and
interactions Understand similarities and
differences across domains
Security Roadmap
2. Measure systems security
Achievable and comparable security attributes
Outcome-based rather than vulnerability-based
Identify systemic value of currently available control standards
Identify and measure trade-offs with respect to security features
Security Roadmap
3. Devise systems security frameworks
Include policy, process and technology
Provide basis for evaluation New classes of system-level
solutions Security-receptive
architectures
Security Roadmap
4. Improve the proficiency of the security
engineering workforce Encourage and educate
workforce Operational security
requirements Community force multipliers Engage stakeholders
Security Roadmap
Systemigram software from: Boardman and Sauser, Systems Thinking: Coping with 21st century problems, Taylor & Francis, 2008.
Example:
Systemic Security
::::::
Example System
Metaphorical Construct
Discovery
ISO 27005:2008Security Risk AssessmentTask Order:1. Identification of assets2. Identification of threats3. Identification of existing controls4. Identification of vulnerabilities5. Identification of consequences
1
2
3
4
5