Critical Lessons From Cyber Security History
All the cyber security risks we face today on a daily basis are actually not new. In fact, they were all addressed as early as the 1980's by the U.S. Department of Defense (DOD). With the 1985 publication of the Trusted Computer System Evaluation Criteria, (the "Orange Book") the DOD articulated a foundation for designing security into (vice on top of) computer systems. To accomplish this, the authors considered all possible risks including, unauthorized access, misuse, malware, data loss, software/firmware integrity and even supply chain. Indeed, U.S. computer manufacturers built over twenty systems that included the principles described in the Orange Book. The most secure of systems (level A1) were mathematically proven to be fully "trustable."
While almost everyone of these systems failed to become commercial successes, the concepts (that died with them) provide critical insights into how we should address cyber security risks today.
This presentation will describe both the risks addressed by the authors and the, often creative, ways they remedied them. They indeed provide excellent insights into how we should both consider risks and design security into contemporary computer systems.
Robert Bigman recently retired from Central Intelligence Agency (CIA), after serving a thirty year distinguished career. Recognized as a pioneer in the field of classified information protection, Mr. Bigman developed technical measures and procedures to manage the nation’s most sensitive secrets. As an information security trailblazer, Mr. Bigman participated in developing security measures for government computers well before commercial industry found the Internet. He then developed creative solutions to allow the CIA to use the Internet to further its mission without exposure. With twenty-five years of experience, Mr. Bigman worked in every area of information and data security, the last fifteen years as the Agency's Chief Information Security Officer (CISO). As the Agency CISO, Mr. Bigman managed a large organization of technical and program officers responsible for the protection of all Agency information. As the CISO, his responsibilities included cryptography, information security policy/processes, standards and requirements, testing and network defense/response. Mr. Bigman also served as the Agency's designated officer for all discussions with the information security industry and its commercial partners. Mr. Bigman has contributed to almost every Intelligence Community information security policy/technical standard and has provided numerous briefings to the National Security Council, Congress and presidential commissions. In recognition of his expertise and contributions, Mr. Bigman has received numerous CIA and Director of National Intelligence awards. Mr. Bigman is now an independent cyber security consultant and president of 2BSecure in Bethesda, Maryland. He works with Governments and Fortune 50 corporations to help them build productive information security programs and resist sophisticated nation-state and cyber criminal penetration efforts. Mr. Bigman also provides cyber security program and technical training to global government and private organizations. His training activities include cyber awareness programs for board of directors, cyber threats/vulnerabilities and secure design requirements briefings for IT system architects/engineers, cyber security policy training for IT security professionals and general cyber security training for all employee levels/types within an organization. Mr. Bigman is also the author of a comprehensive course entitled: “Building a High Performance Cyber Security Program.”
Selected Recent Engagements (2014-2015):
-Performed comprehensive cyber security assessment of major port authority organization.
-Performed network (layers 2-3) security assessment of a major financial institution
-Performed cyber security “needs” assessment for a fortune 50 company to provide a road-map for a new-hire CISO
-Currently assisting a major financial institution implementing the NIST cyber security assessment 2
-Briefed critical infrastructure corporate board on nation-state hacking programs and appropriate defensive measures
-Working with a federal agency to establish technical security requirements for a next generation mixed local and cloud based processing environment.