Cybersecurity Frameworks and You: The Perfect Match

transcript

CybersecurityFrameworks and You

The Perfect Match

Building SuccessfulEmployee Relationships

A Cornerstone to Fraud Prevention

and Risk Management

CybersecurityFrameworks and You

The Perfect Match

IntroductionsSam BowerCraft

• Senior Manager in Internal Audit and Management Consulting Group

• Certified Information Systems Auditor (CISA)

• Security Consultant related to financial data, information systems, and assets.

• M.S. Information Systems

David Hammarberg• Principal of Forensic Accounting

• Certified Fraud Examiner (CFE)

• Director of Information Technology

• CPA, MCSE, CISSP, CISA

• 16+ years of experience

Objectives

• Understanding the importance of using a framework in your organization.

• How a framework can benefit an organization.

• NIST Cybersecurity Framework: • The basic requirements for any organization.

Frameworks &Their Importance

An Exercise

• List all the areas of information technology and security that are important for your organization to consider and address.

Framework Benefits

• Structure

• Building from a pre-existing foundation• Identify vulnerabilities

• Analyze or evaluate the risk associated with that vulnerability.

• Determine appropriate ways to eliminate or control the vulnerability.

• Efficiency: Cost Savings (time and dollars)

• Effectiveness

• Support

Framework Drawbacks

• While structure is good, understanding is better.

• Limitations: • The framework versus your environment.

• “No battle plan survives contact with the enemy.”

- Helmuth von Moltke the Elder

• Clarity of Responsibility: you and the framework

Best Practices

NOT…

• An automated security mechanism or setting.

• A business practice.

• A theory or possibility. It is in place.

• The one best practice; it is not the best of all.

• A human practice or method to perform a process.

• Security related, helping to protect information, resources, or operations.

• Effective as shown by experience and results.

• Among the most effective practices used to perform this process.

Best Practices

From Worst to Best: Chevron says:

• Good Idea: Unproven. Intuitively makes sense, could be successful… requires analysis.

• Good Practice: Has improved results; supported by data and analysis.

• Local Best Practice: Best approach for large parts of the organization based on analysis of performance internally and some external review.

• Industry Best Practice: Best approach for large parts of the organization based on analysis of performance internally and externally.

Standard Operating Procedures

• Facilitate Communication

• Provide consistency

• Increase productivity

• Provide for cross training

• Help ensure things are done right.

Reviewing Your World

Writing Things Down

• How is your memory?

• How long can you focus on one thing?

• Written goals result in more achievement.

• Reminders help focus… and keep track.

• Unburden your brain; de-clutter with a list / framework.

• Clearer thinking and being able to review… and communicate.

• Identify what needs your focus.

Security Risk Assessment

• Identify the potential inherent security risks.

• Assess the likelihood and significance of occurrence of the identified security risks (ranking of risks).

• Evaluate which users and departments are most likely to have a significant security event and identify the methods they are likely to use.

• Identify and map existing preventive and detective controls to the relevant security risks (framework).

• Evaluate whether the identified controls are operating effectively and efficiently.

• Identify and evaluate residual security risks resulting from ineffective or nonexistent controls.

• Respond to residual security risks.

Approach Comparisons

Proscriptive

• Scope the environment.

• Do these things.

• Evaluate control responses.• Design

• Operation

• Remediate/update controls.

• Repeat.

Risk Based

• Scope the environment.

• Evaluate vulnerabilities.

• Rank risks.

• Evaluate control responses.• Design

• Operation

• Remediate/update controls.

• Repeat.

After the Risk Assessment

• The Risk Assessment may reveal certain residual risks that have not been adequately mitigated due to lack of, or non-compliance with, appropriate preventive and detective controls.

• The security professional works with the client to develop mitigation strategies for any residual risks with an unacceptably high likelihood or significance of occurrence.

• Responses should be evaluated in terms of their costs versus benefits and in light of the organization's level of risk tolerance.

Cybercrime

Cybercrime, is simply a crime that involves a computer and a network.

Types of Cybercrime

• Hacking

• Theft

• Cyber Stalking

• Identity Theft

• Malicious Software

• Child Soliciting and Abuse

Categories of Cybercrime

• Individual: This type of cyber crime can be in the form of cyber stalking, distributing pornography, trafficking and “grooming.”

• Property: In this case, they can steal a person’s bank details and siphon off money; misuse the credit card to make numerous purchases online; run a scam to get naïve people to part with their hard earned money; use malicious software to gain access to an organizations website or disrupt the systems of the organization.

• Government: Crimes against a government are referred to as cyber terrorism. If successful, this category can wreak havoc and cause panic amongst the civilian population.

Combating Cybercrimes

• Security Hardware

• Security Software

• Security Awareness

• Working along side other businesses

• Working with government agencies

• Are you willing to operate your information technology environment in an ad hoc and informal manner given the risks in the world today related to cybersecurity?

• Do you want to reinvent the wheel?

CybersecurityBasic Requirements

Cybersecurity - Basics

• IT Environment Inventory• What do you need to protect?• What data does it house?

• Risk Assessment• What risks do you face?• What vulnerabilities do you have?

• Structure• Framework/roadmap• Checklist

• Continuous Improvement

Risk Assessment – NIST Style 800-60

NIST Cybersecurity Framework

• What is the framework?

• 2013, President Obama issued Executive Order 13636, which directed NIST to work with stakeholders in developing a voluntary framework-based on existing standards, guidelines, and practices, for reducing cyber risks... (not just for government agencies)

NIST Cybersecurity Framework

• https://www.nist.gov/cyberframework

NIST Cybersecurity Controls

• ID.AM-1: Physical devices and systems within the organization are inventoried.

• ID.AM-4: External information systems are catalogued.

• ID.GV-1: Organizational information security policy is established.

• ID.RA-1: Asset vulnerabilities are identified and documented.

• ID.RA-4: Potential business impacts and likelihoods are identified.

• ID.RA-6: Risk responses are identified and prioritized.

• ID.AM-1: Physical devices and systems within the organization are inventoried.

• ID.AM-4: ExternaPR.AC-1: Identities and credentials are managed for authorized devices and users.

• PR.AC-3: Remote access is managed.

• PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties.

• PR.AT-1: All users are informed and trained.

• PR.AT-2: Privileged users understand roles & responsibilities.

• PR.IP-6: Data is destroyed according to policy.

• PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.*THIS IS A SAMPLE

SANS Top-20 Critical Controls

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Malware Defenses

6. Application Software Security

7. Wireless Device Control

8. Data Recovery Capability (validated manually)

9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)

10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

11. Limitation and Control of Network Ports, Protocols, and Services

12. Controlled Use of Administrative Privileges

13. Boundary Defense

14. Maintenance, Monitoring, and Analysis of Security Audit Logs

15. Controlled Access Based on the Need to Know

16. Account Monitoring and Control

17. Data Loss Prevention

18. Incident Response Capability (validated manually)

19. Secure Network Engineering (validated manually)

20. Penetration Tests and Red Team Exercises (validated manually)

NIST – Assess & Review

• External Vulnerability Assessments

• Network Architecture Reviews

• VPN Security Reviews

• Host/OS Configuration Reviews

• Internal Vulnerability Assessments

• Wireless Security Reviews

• Firewall Security Reviews

• Active Directory Reviews

Cyber Maturity

NIST Measuring Maturity

One way management can assess and improve.

Documents

• https://www.nist.gov/cyberframework• NIST Cybersecurity Framework website

• http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf• Maturity model

• https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf• SANS Top 20 Critical Security Controls

Questions?Sam BowerCraft

• SBowerCraft@macpas.com

• DHammarberg@macpas.com

and Risk Management

Questions?

• Documents:• https://www.nist.gov/cyberframework

• NIST Cybersecurity Framework website

• http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf• Maturity model

• https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf• SANS Top 20 Critical Security Controls

Questions?Sam BowerCraft

• SBowerCraft@macpas.com

• DHammarberg@macpas.com