Phil Agcaoili
April 2, 2013
The Executive Order – Defining the Internet Security Ecosystem
CYBER SECURITY
Cyber what? Defining Cyber
• Cyber space is the connected Internet ecosystem
• Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyber space
• DHS defined 18 Critical Infrastructure Sectors (CIKR)
• Cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy
• Cyber security is protecting our cyber space (critical infrastructure) from attack, damage, misuse, and economic espionage
The 18 CIKR sectors:
• Food and Agriculture
• Banking and Finance
• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Government Facilities
• Healthcare and Public Health
• Information Technology
• National Monuments and Icons
• Nuclear Reactors, Materials and Waste
• Postal and Shipping
• Transportation Systems
• Water
Source: DHS, "Securing the Nation's Critical Cyber Infrastructure"
Our physical infrastructure has become intertwined and reliant on our cyber infrastructure
Why the fear? Cyber Trends - Advanced
• StuxNet
• Duqu
• Gauss
• Mahdi
• Flame
• Wiper
• Shamoon - Saudi Aramco
• SCADA Network Attacks
Advanced attacks on critical infrastructure
Cyber Trends – Not So Advanced
• Insulin pumps
• Pace makers
• Smart TVs
• Voting and elections
• US drone fleet
• SYMC – RSA – VRSN – Bit9
• SNE – AMZN – AAPL – YHOO – LNKD
• DoE
General Observations on Cyber Trends
• Phishing and Email
• Exploitable Links and Browsers
• Java, Flash, PDF, MS Office
• A/V Coverage
• Android, iOS, Windows, and MacOS
• Air Gaps and Removable Media
• Endpoint Security
• Security Awareness
• Security Basics
A SHIFT
It's here…
Expectations on Critical Infrastructure
• S. 21, Cybersecurity and American Cyber Competitiveness Act of 2013: Senators Rockefeller (D-W.Va.), Carper (D-DE), Feinstein (D-CA), Levin (D-MI), Mikulski (D-MD), Whitehouse (D-RI), and Coons (D-DE)
• H.R. 624, Cyber Intelligence Sharing and Protection Act (CISPA), 2013: Representative Rogers (R-MI) and 111 co-sponsors
It's unlikely that these will pass in 2013…
Fact Sheet: Executive Order on Cybersecurity / Presidential Policy Directive on Critical Infrastructure Security and Resilience
Presidential Executive Order 13,636
• New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies
• The development of a Cybersecurity Framework
• Establishes a voluntary program to promote the adoption of the Framework
• Calls for a review of existing cybersecurity regulation
• Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles
Presidential Policy Directive 21 (PPD-21)
• Directs the government to identify the functional relationships across the government
• Directs the government to develop an efficient situational awareness capability
• Directs the government to address other information sharing priorities
• Calls for a comprehensive research and development plan for critical infrastructure
http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical
Highlights of "Down Payment"
• EO 13636 and PPD-21 Issued February 12, 2013
• Defines Roadmap
• Focus Areas for CIKR:
  • Information Sharing
  • US Cybersecurity Framework
  • Standards
  • Identifying Critical Infrastructure
  • Supply Chain
  • Sector-Specific Agencies and Sector Coordinating Councils
  • FBI and NCIJTF
Timeline:
February 12, 2013: Executive Order
240 Days (October 10): Draft of US Cybersecurity Framework
1 Year (February 12, 2014): Final US Cybersecurity Framework
3 Year: Agencies report on critical infrastructure
"Safe and Resilient Internet"
Highlights of "Down Payment"
• "Don't assume you're not in scope"
  • "Critical infrastructure" covers a lot of economic activity
  • Covers a lot of technology
• Privacy concerns need to be addressed for "information sharing"
• Department of Commerce, National Institutes of Standards and Technology (NIST), and Cybersecurity Framework
  • Reduce cyber risks to critical infrastructure within one year
  • Incorporate "voluntary consensus standards and industry best practices to the fullest extent possible."
• Federal Supply Chain
  • Partnerships and mandates
  • Open standards
  • "Technology neutral"
  • Risk-based assessments
The Road Ahead
One Size Does Not Fit All…
Keys to Cyber Security:
Information Sharing
1. Balance with Privacy
2. One step at a time
Cybersecurity Framework
1. Common definitions
2. Don't assume you're not in scope (Think Ecosystem)
3. Sector specific, Risk-based Framework using Evidence with basic guidelines
4. Crawl, Walk, Run
Supply Chain
1. Align with Cyber Framework
2. Provide Assurance
Security is Everyone's Responsibility.
Don't Assume You're Not in Scope
• Everyone with Information Technology is in scope (CIKR)
• Security Basics
• Apply Evidence-based Security Model
  • Statistics by Sector Exist
  • Should Threat Model
Think Ecosystem.
Threat Model
Your Role in the Cyber Space Ecosystem
Get the Point?
What standard are you following?
2012 Top 20 ISO 27001 Mitigating Controls
Rank  Control    Number of times control mapped to a real-world security breach
1     A.10.9.1   447
2     A.10.9.2   447
3     A.10.9.3   447
4     A.8.2.2    184
5     A.7.2.1    94
6     A.7.2.2    94
7     A.8.1.1    90
8     A.8.1.2    90
9     A.8.1.3    90
10    A.8.2.1    90
11    A.8.3.2    90
12    A.8.3.3    90
13    A.9.2.5    87
14    A.11.7.1   87
15    A.11.7.2   87
16    A.9.1.1    50
17    A.9.1.2    50
18    A.9.2.1    50
19    A.10.8.4   16
20    A.10.8.3   15
Point Security Standards / Controls
• PCI DSS
  • Protects credit cards
  • 12 Requirements (Domains)
  • ~290 controls
• HIPAA / HITECH
  • Protects health information
• NERC CIP
• CSA Cloud Controls Matrix / Open Certification Framework
• SANS 20 Critical Security Controls / CAG
  • "International" security standards
  • 20 controls (Domains)
  • Mapped to ~150 NIST 800-53 controls
Holistic Security Standard Frameworks
• ISO/IEC 27001:2005
  • International security standards
  • 11 Domains
  • 133 controls
• FISMA
  • Includes NIST 800-53
  • US government standard
  • 22 Control Families (Domains)
  • ~850 controls
• COBIT 5
*Based on datalossdb.org and Privacy Rights Clearinghouse
What Framework?
Consensus Audit Guidelines (CAG)*
• Hardware asset management
• Software white listing and asset management
• Vulnerability management
• Configuration settings
• Anti-virus
*Modified SANS 20 Critical Security Controls 2012 continuous monitoring policy issued by DHS
Simplify to Basic Security Guidelines Based on Evidence and Risk
We have developed the myth that technology can be an effective fortress
You cannot protect all your data
You cannot stop every attack
Therefore,
• Don't protect everything
• Protect most important data and ensure services
• Increase focus on closing the detection and response gap
• Establish access norms and monitor for anomalies
• Reduce your attack surface
  • Don't store/transmit what you don't need
• Collapse to cores
  • Segregate and protect your most critical data
  • Protect cores really, really well
• Treat all endpoints as hostile
• Make small, targeted investments
• Pass the Red Face Test – Reduce investments through integration
  • Antivirus - Forefront
  • Full Disk Encryption – Bitlocker
• Patch and harden configurations
• Change default credentials and restrict/monitor privileged accounts
• Secure development through application testing and code reviews
• Increase awareness and change culture
  • Social engineering and phishing
• Destroy and don't save what you don't need
• Collect your own metrics and apply security as necessary with available industry evidence
Sector-based
Barriers to Implement Basics
• 2012 FISMA Report
  The top reported cybersecurity challenges were:
  - Funding the administration's priority initiatives
  - Cultural challenges
  - Upgrading legacy technology
  - The current budget structure
  - Acquiring skilled personnel
• Define – Accountability (Vendors and Customers)
  • Customers are dependent on vendors
  • Vendors rely on customers
Advanced Persistent Threats
Empowered Employees
Elastic Perimeter
Copyright 2012 Trend Micro Inc.
Trend Micro evaluations find over 90% of enterprise networks contain active malicious malware!
Traditional Security is Insufficient
Risk-Based Approach Using Evidence
The REAL Big Data for Infosec
First, Define Risk
• Partnership for Critical Infrastructure Security (PCIS)
  • Defined: Risk = Consequence (Impact ONLY!!!) NO!!!
• General Risk Equation: Risk = Probability x Impact
• Factor Analysis of Information Risk (FAIR): Risk = The probable frequency and probable magnitude of future loss
• Many other definitions, let's pick…
• Limitations of risk analysis
  • Risk analysis is never perfect
  • All risk analysis models are approximations of reality
  • Reality is far too complex to ever model exactly
  • Any analysis model will be limited
  • Sometimes you have enough information to make an informed decision
  ~SIRA
• Define: Risk Appetite
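As an added worked example (not part of the deck), the two usable definitions above carried through in Python: "Risk = Probability x Impact" as the closed-form expected annual loss, and the FAIR view of "probable frequency and probable magnitude of future loss" as a Monte Carlo simulation over min/most-likely/max estimates, with the result compared against a stated risk appetite. The triangular distributions, the dollar figures and the appetite are constructed assumptions for illustration, not values from FAIR or from any report cited on the slides.

```python
import math
import random

# FAIR-style calibrated estimates as (minimum, most likely, maximum).
# Constructed for illustration; not data from any report on the slides.
LOSS_EVENT_FREQUENCY = (0.5, 2.0, 6.0)        # loss events per year
LOSS_MAGNITUDE = (10_000, 50_000, 400_000)    # dollars per loss event
RISK_APPETITE = 250_000                       # tolerated expected annual loss (assumed)


def triangular_mean(estimate):
    """Mean of a triangular(min, mode, max) distribution."""
    low, mode, high = estimate
    return (low + mode + high) / 3


def expected_annual_loss(frequency=LOSS_EVENT_FREQUENCY, magnitude=LOSS_MAGNITUDE):
    """'Risk = Probability x Impact' in closed form: E[frequency] * E[magnitude],
    valid when frequency and magnitude are independent."""
    return triangular_mean(frequency) * triangular_mean(magnitude)


def _draw(rng, estimate):
    """Sample one value; note random.triangular takes (low, high, mode)."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def _poisson(rng, rate):
    """Knuth's method: number of events in one year at the given rate (fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(frequency=LOSS_EVENT_FREQUENCY, magnitude=LOSS_MAGNITUDE,
                           years=20_000, seed=7):
    """Monte Carlo over simulated years: draw a rate, the number of loss events
    at that rate, and a magnitude per event. Returns one total loss per year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(years):
        events = _poisson(rng, _draw(rng, frequency))
        losses.append(sum(_draw(rng, magnitude) for _ in range(events)))
    return losses


def loss_exceedance(losses, percentile=0.95):
    """Annual loss not exceeded in `percentile` of simulated years:
    one point on a loss-exceedance curve, which the single expected value hides."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, int(percentile * len(ordered)))
    return ordered[index]


def exceeds_appetite(annual_loss, appetite=RISK_APPETITE):
    """The decision the slide asks for: does the risk sit above the defined appetite?"""
    return annual_loss > appetite


if __name__ == "__main__":
    ale = expected_annual_loss()
    sims = simulate_annual_losses()
    print(f"analytic expected annual loss: ${ale:,.0f}")
    print(f"simulated mean annual loss:    ${sum(sims) / len(sims):,.0f}")
    print(f"95th-percentile annual loss:   ${loss_exceedance(sims):,.0f}")
    print("exceeds risk appetite: treat the risk" if exceeds_appetite(ale)
          else "within risk appetite")
```

The simulated mean converges on the closed-form product, which is the point of the "General Risk Equation"; the 95th percentile shows why the FAIR wording matters: a decision maker comparing a single expected value against an appetite sees nothing of the bad years that the magnitude range implies.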
Prediction is very difficult, especially about the future. ~Niels Bohr
Second, Apply Evidence-Based Security
*Abridged Version of Moneysec
• Use industry data (Evidence)
  • "You're not a beautiful snowflake."
• Use with [Moneysec] metrics ~JPfost
• Don't make emotional decisions
  • Recognize your bias
• Collect the "right" data
  • Look for correlations
• Set reasonable criteria for success
  • Don't overspend
• You can measure anything! Even intangibles. ~Douglas Hubbard
  • You don't always need to be exact
  • Reducing uncertainty adds value
  • Having just some data can go a long way to help a decision maker
• Not all measures are equally important (80/20)
• Track and trend performance over time
• Benchmark performance vs. self (and peers)
• All metrics are worthless – unless you do something with them
Mandiant M-Trends 2013 Threat Report
2012 Verizon Data Breach Investigations Report (DBIR)
• 5th year of public releases
  – Starting in 2008
  – 7 total reports (mid-year supplementals in 2008 and 2009)
• Dataset now contains:
  – 8 years of data
2012 Trustwave Global Security Report
In those cases in which an external entity was necessary for detection, analysis found that attackers had an average of 173.5 days within the victim's environment before detection occurred.
Conversely, organizations that relied on self-detection were able to identify attackers within their systems an average of 43 days after initial compromise.
Trend - 2011 Verizon Data Breach Investigations Report (DBIR)
Who are the (external) bad guys?
• Eastern Europe takes a commanding lead
2012 Federal Information Security Management Act report
• Over $13 Billion Spent on Personnel
  • Of the $14.6B spent on cybersecurity in 2012, a whopping 90% went to personnel
  • An increase from 76% in 2011
• Cybersecurity Education Down
  • Training only accounted for 0.9% of the total spent on cybersecurity, almost 2% lower than 2011
• A Challenging Year
  The top reported cybersecurity challenges were:
  - Funding the administration's priority initiatives
  - Cultural challenges
  - Upgrading legacy technology
  - The current budget structure
  - Acquiring skilled personnel
• Top Three Government Cybersecurity Spenders
  The organizations who spent the most in 2012 were:
  - Department of Defense: $12 billion
  - Department of Homeland Security: $615.5 million
  - Treasury Department: $404 million
• Security Incidents on the Rise
  • 49,000 security incidents were reported in 2012, up from 43,889 in 2011
  • Worth noting that the majority were the result of lost or stolen equipment and data, not unauthorized access
• 2012 FISMA report reflects the major concerns we've recently heard in the media:
  • An increase in successful cyberattacks
  • A shortage of trained cybersecurity professionals; and
  • An IT infrastructure too weak to repel sophisticated attacks
• This recent surge in cyberattacks on government systems is the new normal
  • However, the amount of successful attacks can and will decrease when agencies invest in security automation IT, which will decrease personnel costs, freeing the resources needed to properly invest in a fully trained cybersecurity workforce
Connecting the Dots
Information Leakage
• Ex-employees, partners, and customers
• Over 1/3 due to negligence
• Increasing loss from external collaboration
Percentage cause of data breach (Cost of Data Breach report, Ponemon Institute 2010)
Estimated sources of data breach (2010 CSO Global State of Information Security Survey)
Ponemon Study finds: 55% of SMBs were breached in 2012
Connecting the Dots
2012 Verizon DBIR
2012 Trustwave GSR
VERIS: (Vocabulary for Event Recording and Incident Sharing)
What / How / Who / Why / When
2013 Mandiant TR
Third, Add Threat Modeling
Supports Risk Model
Cyber Kill Chain Model
• Intrusions must be studied from the adversary's perspective – analyzing the "kill chain" to inform actionable security intelligence
• An adversary must progress successfully through each stage of the chain before it can achieve its desired objective
• Just one mitigation disrupts the chain and the adversary
Recon → Weapon → Delivery → Exploit → Install → Command and Control → Actions on Objectives
Threat Modeling - Countermeasures
Recon → Weapon → Delivery → Exploit → Install → Command and Control → Actions on Objectives
• Moving detection and mitigation to earlier phases of the kill chain is essential in defending today's networks
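An added example (not from the deck) that turns three of the slides' points into measurable metrics: the Trustwave dwell-time comparison (self-detection versus external notification), the "collect your own metrics" guideline, and the countermeasures point above about moving detection earlier in the kill chain. It takes a small set of incident records, each with compromise date, detection date, who detected it, and the kill-chain phase in which the first alert fired, and reports mean dwell time per detection source, how many incidents were first seen at each phase, and the share caught before the adversary reached Actions on Objectives. The incident records are constructed for illustration and are not real cases.

```python
from collections import Counter, defaultdict
from datetime import date

# Kill chain phases in order, as named on the slides.
KILL_CHAIN = ["Recon", "Weapon", "Delivery", "Exploit", "Install",
              "Command and Control", "Actions on Objectives"]

# Constructed incident records (illustrative, not real cases).
# "source" is who detected the intrusion; "phase" is where the first alert fired.
INCIDENTS = [
    {"id": "INC-1", "compromised": date(2012, 1, 10), "detected": date(2012, 2, 14),
     "source": "internal", "phase": "Command and Control"},
    {"id": "INC-2", "compromised": date(2012, 3, 1), "detected": date(2012, 4, 20),
     "source": "internal", "phase": "Delivery"},
    {"id": "INC-3", "compromised": date(2012, 5, 5), "detected": date(2012, 5, 25),
     "source": "internal", "phase": "Install"},
    {"id": "INC-4", "compromised": date(2012, 2, 1), "detected": date(2012, 6, 30),
     "source": "external", "phase": "Actions on Objectives"},
    {"id": "INC-5", "compromised": date(2012, 4, 10), "detected": date(2012, 10, 27),
     "source": "external", "phase": "Actions on Objectives"},
    {"id": "INC-6", "compromised": date(2012, 6, 1), "detected": date(2012, 11, 20),
     "source": "external", "phase": "Command and Control"},
]


def dwell_days(incident):
    """Days the adversary was inside before detection (the detection gap)."""
    return (incident["detected"] - incident["compromised"]).days


def mean_dwell_by_source(incidents):
    """Mean dwell time split by who detected the intrusion: the Trustwave-style comparison."""
    buckets = defaultdict(list)
    for incident in incidents:
        buckets[incident["source"]].append(dwell_days(incident))
    return {source: sum(days) / len(days) for source, days in buckets.items()}


def detection_phase_counts(incidents):
    """How many incidents were first detected at each kill-chain phase, in chain order."""
    counts = Counter(incident["phase"] for incident in incidents)
    return [(phase, counts.get(phase, 0)) for phase in KILL_CHAIN]


def share_detected_before(incidents, phase="Actions on Objectives"):
    """Fraction of incidents detected before the adversary reached `phase`:
    the number to trend upward when moving detection earlier in the chain."""
    cutoff = KILL_CHAIN.index(phase)
    early = sum(1 for incident in incidents
                if KILL_CHAIN.index(incident["phase"]) < cutoff)
    return early / len(incidents)


if __name__ == "__main__":
    for source, days in sorted(mean_dwell_by_source(INCIDENTS).items()):
        print(f"{source:9s} detection: mean dwell {days:6.1f} days")
    for phase, count in detection_phase_counts(INCIDENTS):
        print(f"{count} first detected at {phase}")
    share = share_detected_before(INCIDENTS)
    print(f"{share:.0%} detected before Actions on Objectives")
```

Run against an organisation's own incident register, the first number tells you whether you are closer to the 43-day self-detection figure or the 173.5-day external figure; the second and third show which kill-chain phases your controls actually detect in, which is where the countermeasures slide says investment should move.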
Bring it All Together - Trends in the Evidence
Fix what's broken
• Hacks and compromise
• Fix what's already been hacked at your company
• Utilize Cyber Kill Chain Model to focus defense in depth strategy
• Understand security trends for your industry
  • Small and Medium Business beware
  • Banks – DDOS, fraud, botnets, and web authentication attacks
  • Hospitality – Credit cards, point of sale systems, Wifi, and admin accounts
  • DIB – RSA hack - Adobe/Microsoft 0days, remote access, and phishing
  • News – NYT/WSJ - phishing, Oracle Java 0days
  • Retail – Open Wifi, POS
  • LEA – 0day, social engineering and phishing
  • Credit card processors – Phishing and egress traffic
  • Websites – SNE (SQL Injection) and exclusion from core security
• Know your threat landscape to prioritize your treatment strategy based on risk
• In advertising, the best insights are often minor alterations in trends which occur over long periods of time (and take time to see due to their nuanced nature). ~Neira Jones
Motivating Event
Somebody needs to thoroughly analyze the important industry data by sector.
KNOW THE BIAS!!! Adjust from there.
Crawl, Walk, and then Run…
• Agree on definitions at each step of this process
• Agree on roles in cyber space ecosystem
• Need to develop better understanding
  • Cyber effect on way of life, economic vitality, and national security
  • Top threats by sector
  • Attackers/Adversaries by sector
  • Evidence of risks by sector
• Agree on countermeasures / controls
Inspiration
• I'm my father's son…
• It's our time.
• <Video> https://www.youtube.com/watch?feature=player_embedded&v=Z2PloBdHeow
Conclusion
• The time is now for cyber security
• Agree on definitions as we proceed to each step
• Security is Everyone's Responsibility
• Think Risk
• Use the evidence we have
  • There is a lot of industry data that needs to be analyzed
• Proceed with care, methodically, and by sector
• Agree on the basics
• Get it done. We can do it.
Cyber Space Ecosystem
Questions & Answers
Phil Agcaoili
CISO, Cox Communications, Inc.
Co-Chair, Communication Sector Coordinating Council (CSCC),
Cybersecurity Committee – Technology Sub-Committee
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack,
Security, Trust and Assurance Registry (STAR), and
Open Certification Framework (OCF)
@hacksec
https://www.linkedin.com/in/philA