NICE Framework: what is it?
The National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST), is a partnership between government, academia and the private sector which works to promote cybersecurity education, training and workforce development.
NIST published Special Publication 800-181 in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014. The publication serves as a reference structure that describes the interdisciplinary nature of cybersecurity work, regardless of where, or for whom, the job is performed. The NICE Cybersecurity Workforce Framework (NCWF) describes cybersecurity work and provides a standard way of defining roles in the field by knowledge, skills and abilities (KSAs), as well as by categories and specialty areas.
The document provides a great way for employers, human resources personnel and employees to define jobs in the field, speak a common language and identify training needs, career paths and position requirements, as well as agree on proper ways for measuring and assessing abilities.
NICE Framework applied
The NICE Framework has evolved with further engagement between the government, private sector and academia that came together to provide a common understanding of cybersecurity work.
The National Institute of Standards and Technology (NIST) introduced CyberSeek, “an interactive online tool designed to make it easier for cybersecurity job seekers to find openings and for employers to identify the skilled workers they need”, in an effort to narrow the cybersecurity employment gap. Rodney Petersen, director of the National Initiative for Cybersecurity Education (NICE), explains how “[it] will assist its users — students, employees, employers, policy makers, training providers and guidance counselors — to explore opportunities they may have never considered.”
CyberSeek’s interactive map helps the user to view information about cybersecurity supply and demand by state or metro area. What’s more, it highlights career pathways that incorporate job categories from the NICE Cybersecurity Workforce Framework and “features information on common job titles, salaries, online job openings, in-demand skills, education and certifications” related to the field.
The U.S. Office of Personnel Management (OPM) works with its partners across government to categorize cyber positions through coding that fully aligns with the NICE Framework. Since 2013, OPM has had federal agencies assign government-wide cybersecurity data standard codes to positions with cybersecurity functions, as outlined in the Federal Cybersecurity Workforce Assessment Act. “In accordance with the Act, agencies are required to identify and code Federal positions performing information technology, cybersecurity or other cyber-related functions.” As a result, agencies are now better able to identify, recruit, assess and hire candidates with specific cyber-related knowledge, skills and abilities (KSAs).
Why does the NCWF matter?
With a need for standardization, in terms of how cybersecurity work is defined, described and how the workforce is trained, the NICE Framework serves as the foundation for all cyber workforce development activities, says the National Initiative for Cybersecurity Careers & Studies (NICCS). The Workforce Framework provides a common language to talk about cyber roles and jobs and can be referenced by those who wish to define professional requirements in cybersecurity.
The NICE Framework matters because it allows an organization to identify every role needed within its cybersecurity structure, together with the certifications, knowledge and skills each role should develop and demonstrate, so that the team is as complete and effective as possible. The framework provides guidance on which roles to implement in order to cover all needed cybersecurity tasks, and on how to find the right people by writing position descriptions that correctly state the qualifications and duties assigned to each role. It also provides a blueprint for developing employees further and offering more focused training opportunities.
The document is also very important for certification and training providers that can bank on the information provided to tailor their courses, as well as provide more meaningful assessment based on each role’s characteristics.
The publication, then, can be pivotal in the shaping of a cybersecurity workforce that meets the needs of today’s organizations. But it also provides a standard guidance to prevent improvisation and approximation in the shaping of specialized professionals.
Collect and Operate
Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.
Specialty Areas
Collection Operations
Executes collection using appropriate strategies and within the priorities established through the collection management process.
Cyber Operational Planning
Performs in-depth joint targeting and cybersecurity planning process. Gathers information and develops detailed Operational Plans and Orders supporting requirements. Conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operations.
Cyber Operations
Performs activities to gather evidence on criminal or foreign intelligence entities to mitigate possible or real-time threats, protect against espionage or insider threats, foreign sabotage, international terrorist activities, or to support other intelligence activities.
Protect and Defend
Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.
Specialty Areas
Cyber Defense Analysis
Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network to protect information, information systems, and networks from threats.
Cyber Defense Infrastructure Support
Tests, implements, deploys, maintains, reviews, and administers the infrastructure hardware and software that are required to effectively manage the computer network defense service provider network and resources. Monitors network to actively remediate unauthorized activities.
Incident Response
Responds to crises or urgent situations within the pertinent domain to mitigate immediate and potential threats. Uses mitigation, preparedness, and response and recovery approaches, as needed, to maximize survival of life, preservation of property, and information security. Investigates and analyzes all relevant response activities.
Vulnerability Assessment and Management
Conducts assessments of threats and vulnerabilities; determines deviations from acceptable configurations, enterprise or local policy; assesses the level of risk; and develops and/or recommends appropriate mitigation countermeasures in operational and nonoperational situations.
NCWF development: How it’s structured
The NCWF has several components. The first layer is seven categories; each encompasses a number of Specialty Areas (33 total) that go into detail on specific cybersecurity functions. For example, the Strategic Planning and Policy (SPP) specialty listed under the Oversee and Govern (OV) category refers to the development of policies and plans, as well as the needed changes as organization mission changes or when new initiatives require them.
Each specialty area includes a number of work roles (52 in total), each with the specific attributes needed to perform it, in the form of knowledge, skills and abilities (KSAs) and tasks.
Here’s what lies within the NICE Framework components …
The framework defines a clear relationship between categories of work, the specialty areas within them and the work roles within those, and pinpoints the KSAs needed for each. But how does a given position fit the NICE Cybersecurity Workforce Framework? A Mapping Tool, launched in 2018, does just that: users enter information about a cyber position and it generates reports.
Investigate
Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.
Specialty Areas
Cyber Investigation
Applies tactics, techniques, and procedures for a full range of investigative tools and processes to include, but not limited to, interview and interrogation techniques, surveillance, counter surveillance, and surveillance detection, and appropriately balances the benefits of prosecution versus intelligence gathering.
Digital Forensics
Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counterintelligence, or law enforcement investigations.
Categories
Analyze
Performs highly-specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
Specialty Areas
All-Source Analysis
Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications.
Exploitation Analysis
Analyzes collected information to identify vulnerabilities and potential for exploitation.
Language Analysis
Applies language, cultural, and technical expertise to support information collection, analysis, and other cybersecurity activities.
Targets
Applies current knowledge of one or more regions, countries, non-state entities, and/or technologies.
Threat Analysis
Identifies and assesses the capabilities and activities of cybersecurity criminals or foreign intelligence entities; produces findings to help initialize or support law enforcement and counterintelligence investigations or activities.
Securely Provision
Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.
Specialty Areas
Risk Management
Oversees, evaluates, and supports the documentation, validation, assessment, and authorization processes necessary to assure that existing and new information technology (IT) systems meet the organization's cybersecurity and risk requirements. Ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.
Software Development
Develops and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs following software assurance best practices.
Systems Architecture
Develops system concepts and works on the capabilities phases of the systems development life cycle; translates technology and environmental conditions (e.g., law and regulation) into system and security designs and processes.
Systems Development
Works on the development phases of the systems development life cycle.
Systems Requirements Planning
Consults with customers to gather and evaluate functional requirements and translates these requirements into technical solutions. Provides guidance to customers about applicability of information systems to meet business needs.
Technology Research and Development
Conducts technology assessment and integration processes; provides and supports a prototype capability and/or evaluates its utility.
Test and Evaluation
Develops and conducts tests of systems to evaluate compliance with specifications and requirements by applying principles and methods for cost-effective planning, evaluating, verifying, and validating of technical, functional, and performance characteristics (including interoperability) of systems or elements of systems incorporating IT.
This tool is based on the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NIST Special Publication 800-181, August 2017) and on the revision published in late 2020 that renamed the framework the Workforce Framework for Cybersecurity (NIST Special Publication 800-181 Rev. 1, November 2020). Please visit the NICE Framework Resource Center for more information and the latest updates.
Securely Provision
Risk Management
Authorizing Official/Designating Representative
Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation (CNSSI 4009).
Security Control Assessor
Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).
Software Development
Software Developer
Develops, creates, maintains, and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs.
Secure Software Assessor
Analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.
Systems Architecture
Enterprise Architect
Develops and maintains business, systems, and information processes to support enterprise mission needs; develops information technology (IT) rules and requirements that describe baseline and target architectures.
Security Architect
Designs enterprise and systems security throughout the development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into security designs and processes.
Technology Research and Development
Research & Development Specialist
Conducts software and systems engineering and software systems research in order to develop new capabilities, ensuring cybersecurity is fully integrated. Conducts comprehensive technology research to evaluate potential vulnerabilities in cyberspace systems.
Systems Requirements Planning
Requirements Planner
Consults with customers to evaluate functional requirements and translate functional requirements into technical solutions.
Test and Evaluation
Testing and Evaluation Specialist
Plans, prepares, and executes tests of systems to evaluate results against specifications and requirements as well as analyze/report test results.
Systems Development
Information Systems Security Developer
Designs, develops, tests, and evaluates information system security throughout the systems development lifecycle.
Systems Developer
Designs, develops, tests, and evaluates information systems throughout the systems development lifecycle.
Operate and Maintain
Data Administration
Database Administrator
Administers databases and/or data management systems that allow for the storage, query, and utilization of data.
Data Analyst
Examines data from multiple disparate sources with the goal of providing new insight. Designs and implements custom algorithms, flow processes and layouts for complex, enterprise-scale data sets used for modeling, data mining, and research purposes.
Knowledge Management
Knowledge Manager
Responsible for the management and administration of processes and tools that enable the organization to identify, document, and access intellectual capital and information content.
Customer Service and Technical Support
Technical Support Specialist
Provides technical support to customers who need assistance utilizing client-level hardware and software in accordance with established or approved organizational process components (e.g., the Master Incident Management Plan, when applicable).
Network Services
Network Operations Specialist
Plans, implements, and operates network services/systems, to include hardware and virtual environments.
Systems Administration
System Administrator
Installs, configures, troubleshoots, and maintains hardware, software, and administers system accounts.
Systems Analysis
Systems Security Analyst
Responsible for the analysis and development of the integration, testing, operations, and maintenance of systems security.
Oversee and Govern
Legal Advice and Advocacy
Cyber Legal Advisor
Provides legal advice and recommendations on relevant topics related to cyber law.
Privacy Compliance Manager
Develops and oversees privacy compliance program and privacy program staff, supporting privacy compliance needs of privacy and security executives and their teams.
Training, Education, and Awareness
Cyber Instructional Curriculum Developer
Develops, plans, coordinates, and evaluates cyber training/education courses, methods, and techniques based on instructional needs.
Cyber Instructor
Develops and conducts training or education of personnel within cyber domain.
Cybersecurity Management
Information Systems Security Manager
Responsible for the cybersecurity of a program, organization, system, or enclave.
COMSEC Manager
Manages the Communications Security (COMSEC) resources of an organization (CNSSI No. 4009).
Strategic Planning and Policy
Cyber Workforce Developer and Manager
Develops cyberspace workforce plans, strategies and guidance to support cyberspace workforce manpower, personnel, training and education requirements and to address changes to cyberspace policy, doctrine, materiel, force structure, and education and training requirements.
Cyber Policy and Strategy Planner
Develops cyberspace plans, strategy and policy to support and align with organizational cyberspace missions and initiatives.
Executive Cyber Leadership
Executive Cyber Leader
Executes decision making authorities and establishes vision and direction for an organization's cyber and cyber-related resources and/or operations.
Acquisition and Program/Project Management
Program Manager
Leads, coordinates, communicates, integrates and is accountable for the overall success of the program, ensuring alignment with critical agency priorities.
IT Project Manager
Directly manages information technology projects to provide a unique service or product.
Product Support Manager
Manages the package of support functions required to field and maintain the readiness and operational capability of systems and components.
IT Investment/Portfolio Manager
Manages a portfolio of IT capabilities that align with the overall needs of mission and business enterprise priorities.
IT Program Auditor
Conducts evaluations of an IT program or its individual components, to determine compliance with published standards.
Protect and Defend
Cyber Defense Analysis
Cyber Defense Analyst
Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.
Cyber Defense Infrastructure
Cyber Defense Infrastructure Support Specialist
Tests, implements, deploys, maintains, and administers the infrastructure hardware and software.
Incident Response
Cyber Defense Incident Responder
Investigates, analyzes, and responds to cyber incidents within the network environment or enclave.
Vulnerability Assessment and Management
Vulnerability Assessment Analyst
Performs assessments of systems and networks within the network environment or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. Measures effectiveness of defense-in-depth architecture against known vulnerabilities.
Analyze
Threat Analysis
Warnings Analyst
Develops unique cyber indicators to maintain constant awareness of the status of the highly dynamic operating environment. Collects, processes, analyzes, and disseminates cyber warning assessments.
Exploitation Analysis
Exploitation Analyst
Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.
All-Source Analysis
All-Source Analyst
Analyzes data/information from one or multiple sources to conduct preparation of the environment, respond to requests for information, and submit intelligence collection and production requirements in support of planning and operations.
Mission Assessment Specialist
Develops assessment plans and measures of performance/effectiveness. Conducts strategic and operational effectiveness assessments as required for cyber events. Determines whether systems performed as expected and provides input to the determination of operational effectiveness.
Targets
Target Developer
Performs target system analysis, builds and/or maintains electronic target folders to include inputs from environment preparation, and/or internal or external intelligence sources. Coordinates with partner target activities and intelligence organizations, and presents candidate targets for vetting and validation.
Target Network Analyst
Conducts advanced analysis of collection and open-source data to ensure target continuity; to profile targets and their activities; and develop techniques to gain more target information. Determines how targets communicate, move, operate and live based on knowledge of target technologies, digital networks and the applications on them.
Language Analysis
Language Analyst
Applies language and culture expertise with target/threat and technical knowledge to process, analyze, and/or disseminate intelligence information derived from language, voice and/or graphic material. Creates, and maintains language specific databases and working aids to support cyber action execution and ensure critical knowledge sharing. Provides subject matter expertise in foreign language-intensive or interdisciplinary projects.
Collect and Operate
Collection Operations
All Source-Collection Manager
Identifies collection authorities and environment; incorporates priority information requirements into collection management; develops concepts to meet leadership's intent. Determines capabilities of available collection assets, identifies new collection capabilities; and constructs and disseminates collection plans. Monitors execution of tasked collection to ensure effective execution of the collection plan.
All Source-Collection Requirements Manager
Evaluates collection operations and develops effects-based collection requirements strategies using available sources and methods to improve collection. Develops, processes, validates, and coordinates submission of collection requirements. Evaluates performance of collection assets and collection operations.
Cyber Operational Planning
Cyber Intel Planner
Develops detailed intelligence plans to satisfy cyber operations requirements. Collaborates with cyber operations planners to identify, validate, and levy requirements for collection and analysis. Participates in targeting selection, validation, synchronization, and execution of cyber actions. Synchronizes intelligence activities to support organization objectives in cyberspace.
Cyber Operations Planner
Develops detailed plans for the conduct or support of the applicable range of cyber operations through collaboration with other planners, operators and/or analysts. Participates in targeting selection, validation, synchronization, and enables integration during the execution of cyber actions.
Partner Integration Planner
Works to advance cooperation across organizational or national borders between cyber operations partners. Aids the integration of partner cyber teams by providing guidance, resources, and collaboration to develop best practices and facilitate organizational support for achieving objectives in integrated cyber actions.
Cyber Operations
Cyber Operator
Conducts collection, processing, and/or geolocation of systems in order to exploit, locate, and/or track targets of interest. Performs network navigation, tactical forensic analysis, and, when directed, executing on-net operations.
Investigate
Cyber Investigation
Cyber Crime Investigator
Identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques.
Digital Forensics
Law Enforcement/Counterintelligence Forensics Analyst
Conducts deep-dive investigations on computer-based crimes establishing documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents.
Cyber Defense Forensics Analyst
Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.
It is easy to accuse us, the people of the information security market, of idealism. When we explain how important it is for security to do "this" and "that", a question hangs in the air: where do you find all these wonderful people who will build a secure perimeter, patch every hole, buy and configure all the software, train the staff and put the paperwork in order? Who trains them? How do you write a job posting so as to find these geniuses? And if you yourself are the specialist who is supposed to do all of this, how do you find your place in the boundless field of information security and understand your own strengths and limitations?
With this post we want to start a series of publications translating the useful NICE framework, created by the National Institute of Standards and Technology (NIST, an agency of the U.S. Department of Commerce).
Where did the idea of translating a foreign standard come from? Colleagues prompted it. On the one hand, Russia has "its own way" and its own standards (for example, the professional standards "Specialist in information protection in telecommunication systems and networks", "Specialist in automation of information and analytical activity in the field of information security", and so on). But these are scattered documents, written in a language that an unprepared reader will not get through. So there is a feeling that everything needs to be brought to a common denominator, that competencies need to be "mapped".
On the other hand, it is no secret that a university does not provide a "turnkey education". Additional knowledge has to be acquired on one's own. But how is a student to know which direction to dig in? So, when localising the framework, we wanted to extend it with concrete links to courses, labs and platforms where the chosen skills can be practised.
In our view the framework is well suited to the problems outlined. It is convenient for employers, employees and teachers alike for getting a sense of where security knowledge is heading in general. This is especially true for students, because, it seems to me, they are taught to Russian standards but will be examined against international ones.
So, let's see what is in it. NICE proposes dividing security specialists into seven groups, according to their functions:
Collect and Operate;
Operate and Maintain;
Protect and Defend;
Securely Provision (architecture and infrastructure development);
Oversee and Govern;
Analyze;
Investigate.
Within these groups, employees are divided by specialty area (33 in total), and in addition each performs a particular work role (one of 52). For each role the framework lists the required basic knowledge, skills and abilities (competencies), the tasks, and "capability indicators", which can probably be translated as proficiency levels (entry, intermediate and advanced).
For additional convenience, NICE divides competencies into technical, operational, professional and leadership ones. The list of competencies is updated regularly in line with employers' needs. So the NICE standard, while not a "silver bullet", looks like an opportunity to build a shared picture of the world of security professions for teachers, employers and future professionals themselves.
The document is enormous, so for now we have decided to go alphabetically. All the more so because "A" gives us "Analysis", which is dear to the heart. For each section we decided, for now, to go down to the "specialty area" level. If you like it, we will continue "drilling" down to the work roles and further.
We will not drag our feet; the first "chapter" will be out soon.
In the meantime, we would welcome comments with constructive feedback and offers of help; that way we will get through the translation faster (write in private messages or in the comments). Habr already knows examples of successful crowd-translation projects.
We present an interview with leading security experts: Vladimir Kochetkov (head of the application security analysis research team at Positive Technologies) and Mikhail Shcherbakov (independent developer and information security consultant).
What is this article about? To quote one of Mikhail's remarks:
"Developing a secure application is a special case of developing an application that contains no bugs at all. Besides that, your application uses third-party libraries whose security is not guaranteed either; then it runs on an OS and on hardware. Often we cannot even say which OS and which hardware. And all of this changes over time!"
Speaking at DotNext 2017 Moscow with the talk "Побеждая инъекции" ("Defeating Injections").
Vladimir: That depends, first of all, on who the attacker is and what kind of attack they are carrying out. In an automated mass attack the goal may be, for example, to seize control of as many network hosts as possible. Accordingly, in that case fresh vulnerabilities in the platform, popular frameworks, engines and libraries are attacked at random, and credentials for well-known entry points are guessed from a small dictionary.
— Can knowledge of the main attack types help in developing secure applications, and if so, how?
Vladimir: If we are talking about the "hack yourself first" principle, it simply does not work. For a developer to defend an application effectively by thinking in an attacker's terms, he must be as professional in this respect as at least the average presumed attacker. For developers that effectively means acquiring a second specialisation. Fighting attacks is not their area of responsibility. From the point of view of application security, the main task of the development stage is fighting weaknesses: ineffective implementation of the controls of the application-security domain, which leads to vulnerabilities to attacks of various kinds. This topic was covered in some detail at the CodeFreeze community meetup in Moscow in April of last year. Several examples were also examined there of how developers fighting attacks instead of weaknesses can lead to vulnerabilities appearing in their applications.
Mikhail: For a developer it is, above all, validation of all input data and sanitisation of output data. People have been talking about input validation since school. Everything that comes from the user must be checked for conformance with the requirements (including the requirements of the security model). And the main thing is to do it correctly: use allow-list checks wherever possible, and describe the grammar of the input format correctly (by which I mean: do not parse XML or HTML with regular expressions). It also means following all the well-worn principles of Secure by Design/Default/Deployment.
b) Semantic validation of all typed external data. Ideally, invariants should be defined for every entity and enforced by means of contract programming, such as CodeContracts or PostSharp Contracts.
Mikhail: From my experience of security reviews of web projects, it is injections of every kind, "in the broad sense of the word": XSS, SQLi, XXE, path traversal, and application configuration problems. This is confirmed by the data behind this year's well-known OWASP Top 10 ranking and by the reports of security companies.
Injections are only possible with insufficient input validation and incorrect output sanitisation, which I talked about above. Configuration mistakes are addressed by following best practices and using vulnerability scanners.
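The defences Mikhail lists (allow-list validation, entity invariants enforced at construction, output sanitisation at the HTML boundary, and keeping user data out of query and path syntax) are shown together below in an added example. This is not code from the interviewees or from the interview; the `Comment` entity, its username grammar and length limits, the `comments` table and the attachment directory layout are assumptions made for the illustration, and the attacker payload is constructed.

```python
import html
import re
import sqlite3
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Allow-list grammar for an author name: stated positively, so anything
# outside it is rejected rather than trying to enumerate "bad" characters.
# (The grammar and the limits below are assumptions for this example.)
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


@dataclass(frozen=True)
class Comment:
    """A typed entity whose invariants are checked once, at construction.

    This stands in for the contract-programming style (CodeContracts,
    PostSharp Contracts) with a plain constructor check: downstream code
    can rely on a Comment being well-formed.
    """
    author: str
    body: str

    def __post_init__(self) -> None:
        if not USERNAME_RE.fullmatch(self.author):
            raise ValueError("author does not match the allow-listed grammar")
        if not 1 <= len(self.body) <= 2000:
            raise ValueError("body length out of range")


def accepts(author: str, body: str) -> bool:
    """True when the input satisfies the Comment invariants."""
    try:
        Comment(author, body)
        return True
    except ValueError:
        return False


def render_comment(c: Comment) -> str:
    """Output sanitisation: escape at the HTML boundary, not at input time."""
    return (f'<p class="comment"><b>{html.escape(c.author)}</b>: '
            f'{html.escape(c.body)}</p>')


def store_comment(conn: sqlite3.Connection, c: Comment) -> int:
    """Parameterised query: user data never becomes part of the SQL text."""
    cur = conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)", (c.author, c.body)
    )
    conn.commit()
    return cur.lastrowid


def resolve_attachment(base_dir: str, user_path: str) -> Optional[str]:
    """Path-traversal guard: accept only relative paths with no '..' parts.

    Returns the confined path, or None when the request would escape base_dir.
    """
    parts = PurePosixPath(user_path).parts
    if not parts or user_path.startswith("/") or ".." in parts:
        return None
    return str(PurePosixPath(base_dir).joinpath(*parts))


def demo() -> tuple:
    """Run the pieces against a constructed attacker input (SQLi + XSS payload)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    payload = "'); DROP TABLE comments; -- <script>alert(1)</script>"
    c = Comment(author="alice_01", body=payload)   # body is opaque text: allowed
    row_id = store_comment(conn, c)
    stored = conn.execute("SELECT body FROM comments WHERE id = ?", (row_id,)).fetchone()[0]
    return stored == payload, render_comment(c)


if __name__ == "__main__":
    ok, rendered = demo()
    print(ok)          # the payload was stored verbatim and the table survived
    print(rendered)    # no raw <script> in the output, only &lt;script&gt;
```

The body is deliberately not "cleaned" on input: it is opaque text, and the right defence for it is encoding at each output context (HTML here, a bound parameter for SQL). The author field, by contrast, has a real grammar, so it is validated against an allow-list once and the rest of the code trusts the type.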
Mikhail: Usually the goal of any software vendor is not to fight attacks but to develop secure applications and to guarantee the confidentiality of user data. So security needs to be approached from the standpoint of defence, not attack.
Developing secure applications is, first and foremost, well-thought-out risk management. You cannot develop a maximally secure application "by accident", purely thanks to the developers' qualifications. The security level of each application component is a requirement like any other, whose fulfilment needs resources both at the development stage and at the testing stage. You have to understand the cost of the risk of an attack on each component and, based on that, decide how much effort to spend on preventing that risk. And in any case have a plan of action for when the risk materialises, i.e. when your application has been successfully attacked.
If you are nevertheless prepared for the additional expense, a systematic approach is what matters. Secure Development Lifecycle (SDL) techniques need to be introduced into the development process methodically, and the company's development culture improved: add a security review stage to the product release process, develop and adopt best practices for writing secure applications, train the company's developers, pay attention to security at the testing stage, conduct penetration tests (both internal and external), constantly use "white box" and "black box" scanners to automate vulnerability discovery as much as possible, and take preventive protective measures, for example using a Web Application Firewall (WAF).
- embedding SSDL (Secure Software Development Lifecycle) into the overall software development cycle;
- focusing developers on fighting defects in code;
- using application-level firewalls at the operation stage.
Thus, even after the affected users' passwords were changed, the attacker still had working authentication tokens in hand, with which he could freely log in as those users in the future. To invalidate all the tokens he held, we had to change the machine key used to encrypt authentication tickets, which rendered absolutely all previously issued tokens unusable and caused a forced mass re-authentication of all users of the site.
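The lesson above, as an added example that is not part of the original interview: a password change does not touch already-issued tickets, but rotating the server-side key that authenticates them invalidates every ticket at once. The ticket format (HMAC-SHA256 over "user|expiry", under a key standing in for the machine key) and the `TicketIssuer` class are constructed for this illustration.

```python
import base64
import hashlib
import hmac


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


class TicketIssuer:
    """Issues and verifies authentication tickets bound to one server-side key.

    Constructed example: the key plays the role of the machine key in the
    story above. Changing a user's password does not change the key, so old
    tickets keep verifying until the key itself is rotated.
    """

    def __init__(self, key: bytes):
        self.key = key

    def issue(self, user: str, ttl: int, now: int) -> str:
        payload = f"{user}|{now + ttl}".encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)

    def verify(self, ticket: str, now: int):
        """Return the user name if the ticket is authentic and unexpired, else None."""
        try:
            payload_b64, tag_b64 = ticket.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
            expected = hmac.new(self.key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return None  # forged, tampered, or signed under a retired key
            user, expiry = payload.decode().split("|")
            return user if now < int(expiry) else None
        except ValueError:
            return None

    def rotate_key(self, new_key: bytes) -> None:
        """Retire the old key: every ticket issued under it stops verifying,
        which forces all users to authenticate again."""
        self.key = new_key
```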
Mikhail: No. It is impossible to make a 100% secure application on any platform. It is even worse: if, with the help of magic and a deal with the devil, you create a 100% secure application, you will not be able to prove that it is 100% secure! It is theoretically impossible to verify any non-trivial algorithm in adequate time, including against security requirements.
Developing a secure application is a special case of developing an application that contains no bugs at all. I think every developer intuitively understands that this is an unattainable ideal that we all endlessly strive for. Besides, your application uses third-party libraries whose security is also not guaranteed, and then it runs on an OS and on hardware.
Often we cannot even say on exactly which OS and which hardware. And all of this changes over time! I think any attempt to reach 100% is doomed to fail with that many unknowns.
Vladimir: Let's fantasize a little and imagine that this is actually possible. In other words, we assume that there is some finite set of rules that a developer can follow to be guaranteed a secure application as output. What does each such rule consist of? It is some algorithm that describes step by step the developer's actions for creating a secure application. As we have agreed, the set of all such algorithms is finite, and therefore enumerable and decidable. Consider the complement of this set, i.e. the set of all other theoretically possible algorithms that do not affect the application's security. Obviously it is infinite and includes algorithms on the basis of their having a quite specific non-trivial and invariant property. This means that by Rice's theorem it is undecidable. But since it is undecidable, its complement (i.e. that very set of rules for developing a secure application) is, by a corollary of Post's theorem, not enumerable. And therefore it cannot possibly be finite.
Mikhail: I would like to see a data sanitization process that is more transparent for the developer, so that the programmer does not have to think about the context into which the data will be inserted. This can partly be implemented with the current approach. For example, the cshtml page parser knows the context into which the data will be inserted, namely, it knows all the nested grammars of the current node in the parse tree. That means it can sanitize data fully correctly for that context, ruling out even the theoretical possibility of injection. Right now the programmer has to take care of this and choose the correct sanitization algorithm, i.e. the right encoder call or sequence of calls.
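The idea above, as an added example that is not part of the original interview: a toy template renderer that picks the encoder from the markup surrounding each placeholder instead of asking the programmer to choose one. The `{{name}}` placeholder syntax, the `infer_context` heuristic (script block, unclosed quoted attribute, or plain text) and the sample values are all constructed for this illustration; it is not the Razor/cshtml parser's own logic.

```python
import html
import json
import re

# Placeholders look like {{name}}; the renderer, not the template author,
# decides how the value is encoded (constructed toy engine, not Razor).
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def infer_context(prefix: str) -> str:
    """Derive the output context from the template text before a placeholder."""
    low = prefix.lower()
    if low.count("<script") > low.count("</script>"):
        return "js_string"          # inside an open <script> block
    last_tag = prefix.rfind("<")
    tail = prefix[last_tag:] if last_tag != -1 else ""
    if tail and ">" not in tail and tail.count('"') % 2 == 1:
        return "html_attr"          # inside an unclosed double-quoted attribute
    return "html_text"              # ordinary text between tags


def encode_for(value: str, ctx: str) -> str:
    """Apply the one encoder that is correct for the given context."""
    if ctx == "html_text":
        return html.escape(value, quote=False)
    if ctx == "html_attr":
        return html.escape(value, quote=True)
    if ctx == "js_string":
        # json.dumps yields a quoted literal; escaping "<" and "/" keeps a value
        # from terminating the surrounding <script> element.
        return json.dumps(value).replace("<", "\\u003c").replace("/", "\\/")
    raise ValueError(f"unknown context {ctx!r}")


def render(template: str, data: dict) -> str:
    """Substitute placeholders, encoding each value for where it lands."""
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        out.append(template[pos:m.start()])
        ctx = infer_context(template[:m.start()])
        out.append(encode_for(str(data[m.group(1)]), ctx))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)
```

The same value is rendered three times in one template and comes out differently each time; with a single hand-picked encoder, at least one of those positions would be encoded wrongly.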
Who uses the NCWF and for what?
The publication for the NICE Framework serves as a fundamental reference for many. So, who should use it?
- Employers: The Framework allows them to better shape their workforce by identifying gaps, whether in work roles or in the skills or knowledge needed. It can also help them write more focused and meaningful position descriptions that let HR professionals focus their hiring efforts, as well as provide better guidance to current employees on what is really expected of them in terms of knowledge and competencies to hone.
“The NICE Framework will allow employers to use focused, consistent language in professional development programs, in their use of industry certifications and academic credentials, and in their selection of relevant training opportunities for their workforce,” writes the NIST Special Publication 800-181.
- Current and future cybersecurity workers: The Framework can guide cybersecurity professionals at any stage of their career in exploring tasks and work roles and understanding the KSAs that employers value for in-demand cybersecurity positions. The NICE Framework's common lexicon provides clear and consistent descriptions of the cybersecurity tasks and training needed for those work roles.
The document provides guidance for professionals looking for positions that better fit their current knowledge and experience, and can give young practitioners just starting in the field an idea of how their career may progress.
- Academic advisors and staffing specialists: To help support students and job seekers in designing their career path towards a job in cybersecurity. The Framework is a compass that provides objective information any advisor can use in designing specific plans for their customers.
- Training and certification providers: To help current and future members of the cybersecurity workforce gain and demonstrate the KSAs needed to perform tasks in a work role.
Note: NICE encourages anyone offering training and certifications to make sure their offerings are included in the DHS Education and Training Catalog, with all courses aligned to the specialty areas of the National Cybersecurity Workforce Framework. See: How to Align Training With the NICE Framework.
- Education providers: To help develop curricula, courses, certificate or degree programs, seminars and research aligned to the KSAs and tasks described in the NICE Framework.
- Technology providers: To help identify cybersecurity work roles and the specific tasks and KSAs associated with the services and hardware or software products they supply.
The following two webinars clearly explain the reasons and efforts behind the creation of the NICE Framework and show success stories derived from its use.
- Discover how the NICE Framework can be used to develop, improve, and retain a cybersecurity workforce
Oversee and Govern
Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.
Specialty Areas
Oversees the cybersecurity program of an information system or network, including managing information security implications within the organization, specific program, or other area of responsibility, to include strategic, personnel, infrastructure, requirements, policy enforcement, emergency planning, security awareness, and other resources.
Supervises, manages, and/or leads work and workers performing cyber and cyber-related and/or cyber operations work.
Provides legally sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocates legal and policy changes, and makes a case on behalf of client via a wide range of written and oral work products, including legal briefs and proceedings.
Applies knowledge of data, information, processes, organizational interactions, skills, and analytical expertise, as well as systems, networks, and information exchange capabilities to manage acquisition programs. Executes duties governing hardware, software, and information system acquisition programs and other program management policies. Provides direct support for acquisitions that use information technology (IT) (including National Security Systems), applying IT-related laws and policies, and provides IT-related guidance throughout the total acquisition life cycle.
Develops policies and plans and/or advocates for changes in policy that support organizational cyberspace initiatives or required changes/enhancements.
Conducts training of personnel within pertinent subject domain. Develops, plans, coordinates, delivers and/or evaluates training courses, methods, and techniques as appropriate.
Operate and Maintain
Provides the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.
Specialty Areas
Addresses problems; installs, configures, troubleshoots, and provides maintenance and training in response to customer requirements or inquiries (e.g., tiered-level customer support). Typically provides initial incident information to the Incident Response (IR) Specialty.
Develops and administers databases and/or data management systems that allow for the storage, query, protection, and utilization of data.
Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content.
Installs, configures, tests, operates, maintains, and manages networks and their firewalls, including hardware (e.g., hubs, bridges, switches, multiplexers, routers, cables, proxy servers, and protective distributor systems) and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems.
Installs, configures, troubleshoots, and maintains server configurations (hardware and software) to ensure their confidentiality, integrity, and availability. Manages accounts, firewalls, and patches. Responsible for access control, passwords, and account creation and administration.
Studies an organization's current computer systems and procedures, and designs information systems solutions to help the organization operate more securely, efficiently, and effectively. Brings business and information technology (IT) together by understanding the needs and limitations of both.
Conclusion
In 2014, the NICE Cybersecurity Workforce Framework (NCWF) was made available to expedite the recruitment of highly qualified personnel for information technology and cybersecurity roles. The goal of the NICE Framework is to align cybersecurity work, whether a job or a position, with the relevant KSAs once its work roles and tasks are identified.
The NICE Framework, NIST Special Publication 800-181, is a nationally focused resource that categorizes and describes cybersecurity work. It is intended to be a living document that organizations can use to systematically build their workforce and maintain continuous readiness.
The NICE Framework comprises the following components:
- Categories (7) – A high-level grouping of common cybersecurity functions
- Specialty Areas (33) – Distinct areas of cybersecurity work
- Work Roles (52) – The most detailed groupings of cybersecurity work, comprising the specific knowledge, skills, and abilities (KSAs) required to perform tasks in a Work Role