DOI: 10.1145/2465808.2465810
research-article

Continuous monitoring and cyber security for high performance computing

Published: 18 June 2013

ABSTRACT

Continuous monitoring represents a potentially significant paradigm shift for cyber security as practiced throughout the US Federal Government. With continuous monitoring, rather than test a system once every three years during certification and accreditation, the security controls that are most vital and most volatile in a computer system are tested continuously to assure a high level of system security. A key goal is to provide near-real time security status-related information to organizational officials so they may take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation of the information systems.

Continuous monitoring implementation has initially focused on desktop computer systems. Designing a solution to continuously monitor servers will be considerably more complex and challenging. The challenge will be even greater for computers used for scientific instrumentation and experimentation. This paper describes the challenges of adapting and applying the new cyber paradigm of continuous monitoring for supercomputing. It describes research at Los Alamos National Laboratory intended to develop an approach to continuous monitoring appropriate for supercomputers.



    Reviews

    Massimiliano Masi

    In this paper, the authors introduce readers to the topic of continuous monitoring for compliance with US standards. They describe what continuous monitoring is, apply the related concepts to the Los Alamos high-performance computing (HPC) laboratory, and then analyze the results and discuss lessons learned. With continuous monitoring, vital security controls are continuously tested (proactive security). This represents a big improvement over the plain certification approach, where a system's security is tested for certification purposes every one to three years. In particular, in the US cyber security governance model, continuous monitoring is positioned as a key component of the risk management framework that agencies and organizations need to follow. The authors analyze the use of commercial off-the-shelf (COTS) components available for Red Hat Enterprise Linux servers running a Linux distribution used widely in the Los Alamos HPC center. This analysis covers the main areas identified by the Department of Homeland Security (DHS): hardware inventory, software inventory, configuration management, vulnerability management, and antivirus protection. These areas mainly focus on desktop computer security environments rather than highly managed environments such as the HPC center. This suggests that no solution fits all cases, so the DHS areas need to be adapted to specific application contexts because requirements differ. The authors conclude with the observation that, while continuous monitoring has the potential to reduce costs for compliance, it will create new requirements that could actually increase rather than reduce costs in some agencies and organizations. Information technology (IT) security managers interested in productive solutions for HPC environments that need to adhere to the US cyber security governance model would particularly benefit from reading this paper.

    Online Computing Reviews Service

    Published in

      CLHS '13: Proceedings of the first workshop on Changing landscapes in HPC security
      June 2013
      38 pages
      ISBN: 9781450319843
      DOI: 10.1145/2465808
      General Chairs: Scott Campbell, Aashish Sharma

      Copyright © 2013 ACM


      Publisher: Association for Computing Machinery, New York, NY, United States


      Acceptance Rates

      CLHS '13 Paper Acceptance Rate: 4 of 4 submissions, 100%
      Overall Acceptance Rate: 4 of 4 submissions, 100%
