Jake Margolis, CISSP – Chief Information Security Officer, Metropolitan Water District of Southern California
Introduction
Threat and Risk Analysis
Implementing the Basics
Responding to Incidents
The Basics in Ten Steps
Questions
Rule 1: There is no silver bullet
There is no single technology or product stack that will defend your enterprise on its own.
Learn to understand and assess threats, and decide in advance what you will do when a cyber attack occurs.
Rule 2: The only constant in Cybersecurity is Change
Cyber threats evolve quickly.
The ability to identify and respond to threats needs to be equally agile.
Rule 3: You can’t fix stupid, but you have to try.
Users will always click on phishing links, bring in thumb drives not issued by the organization, try to connect personally owned devices to the network, carry around sensitive data on unencrypted storage, write down their passwords, etc.
You have to change culture through relevant awareness training.
We need to change the conversation about cybersecurity. The topic is usually framed as an Information Technology issue or problem. The reality is that cybersecurity is a public safety issue, and every organization should treat it accordingly.
The Office of Enterprise Cybersecurity will implement and maintain sufficient administrative and technical controls on a continuous basis to ensure adequate safeguards exist to mitigate threats to MWD Information and Operational Technology systems from inadvertent and/or deliberate harm.
Our Mission is accomplished through the following:
People – Cyber Security Awareness Training (provide online training and continuous education for MWD employees)
Process – Policy, Practices, Plans and Procedures (develop cybersecurity governance and implement administrative guidance on access to and use of technology assets)
Technology – Technical Safeguard Innovation (continuously strive to improve technical safeguards to provide the greatest level of risk mitigation)
Validation – Cyber Resilience Reviews, i.e. assessments, audits and testing that validate the effectiveness of cybersecurity controls
EXAMPLE MISSION STATEMENT
Understand the Business
•Core Competency
•Business Processes
•Desired Outcomes
•Classification of Data
•Business Continuity Requirements
Understand the Potential Motivations for Bad Actors
•Disrupt Operations
•Theft of PII
•Ransom Sensitive Data and Vulnerable Systems
•Make a Political Statement
Who could the Bad Actors Be?
•Nation States
•Hacktivists
•Cybercriminals
TTPs the Bad Actor Will Use
•Phishing Campaigns
•APTs
•Social Engineering
•Web Site Defacement
What Outcomes are the Bad Actors Seeking
•Political Gain
•Notoriety
•Financial Gain
•Harassment
•Damage the Organization's Reputation
Assess Risk
https://calcsic.org/?AspxAutoDetectCookieSupport=1
MS-ISAC Provided Anomali
Example: Anomali Threat Model
There are no right or wrong decisions; there are only decisions based on an assessment of risk, or decisions based on a lack of understanding of risk.
Understand your organization's risk tolerance.
DHS Cyber Resilience Review
• Asset Management
• Controls Management
• Change & Configuration Management
• Vulnerability Management
• Incident Management
• Service Continuity Management
• Risk Management
• External Dependencies Management
• Training & Awareness
• Situational Awareness
NIST Cyber Security Framework
• Identify
• Protect
• Detect
• Respond
• Recover
DHS CRR + NIST CSF = THE ABILITY TO MEASURE EXPOSURE
Ask, “Is it a Feeling or a Fact?” when identifying and assessing risks
CRR Domains and Descriptions
Asset Management – Identify, document, and manage assets (people, information, technology, facilities) during their life cycle to ensure sustained productivity to support critical services.
Controls Management – Identify, analyze, and manage controls in a critical service's operating environment.
Configuration & Change Management – Establish processes to ensure the integrity of assets using change control and change control audits.
Vulnerability Management – Identify, analyze, and manage vulnerabilities in a critical service's operating environment.
Incident Management – Establish processes to identify and analyze events, detect incidents, and determine an organizational response.
Service Continuity Management – Ensure the continuity of essential operations of services and their associated assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.
Risk Management – Identify, analyze, and mitigate risks to critical service assets that could adversely affect the operation and delivery of services.
External Dependencies Management – Establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.
Training & Awareness – Develop skills and promote awareness for people with roles that support the critical service.
Situational Awareness – Actively discover and analyze information related to immediate operational stability and security, and coordinate that information across the enterprise to ensure that all organizational units are performing under a common operating picture.
Assessment cycle: Internal Audit → Self Assessment → Third Party Audit/Assessment → Self Assessment (repeat)
The Assessment Program evaluates practices across a range of domains.
Assessment needs to become a continuous process for agencies. The cycle starts with an internal audit review, followed by a self assessment to ensure remediation of findings is on track. The results are then validated by a third party audit or assessment and refined by a follow-up self assessment to confirm that the organization is actually improving.
The assessments should measure the agency's existing resilience and provide a gap analysis for improvement, based on recognized best practices and the cybersecurity framework the agency has adopted.
Three pillars: Cyber Threat Intelligence and Risk Assessment | People, Process, Technology, and Culture | Cyber Incident Response and Recovery
Assessing threats and identifying risks coupled with a clear understanding of how the organization will respond when attacks occur drives policy, process, design and procurement decisions
Zero Trust: based on the idea that no user or device is trusted automatically, regardless of its logical location (inside or outside the perimeter). Before gaining access to any part of the enterprise network, users, machines and applications must be authenticated and authorized through technologies that validate the identity of the user or thing requesting access; a connection from an "internal" address is not proof of anything.
Defense in Depth: in this approach, defensive technologies are layered to protect valuable data and information. If one mechanism fails, another is already in place to thwart the attack. The kill chain mapping below is an example: each phase has at least one control, so an attacker who slips past one still has to defeat the next.
Reconnaissance
• WAF
• Cybersecurity Awareness Training
Weaponization
•Patch and Vulnerability Management
Delivery
• Secure Email Gateways
• Securing External Storage (USB)
Exploitation
• Endpoint Advanced Threat Protection (EDR)
Installation
• Identity and Access Management and PAM
• MFA
Command & Control
• Web Proxy w/ Advanced Threat Protection / Secure DNS
• Next Gen Firewalls
Exfiltration or Actions
• SIEM
• Data Loss Prevention (DLP)
• AI / ML Network Monitoring
Recommended Practice / Implementation Example
1 Eliminate Any Exposure of Equipment to External Networks
➢ An administrative "jump" host is required for management of IT/OT applications and systems
2 Implement Network Segmentation and Apply Firewalls
➢ Separate control zones (DMZs) are established
➢ Policy-based segmentation
➢ Network addressing is unique to business systems, application servers, management VLANs, Domain Controllers, and OT networks
➢ VLAN pruning and router-on-a-stick
3 Use Secure Remote Access Methods
➢ Secure VPN is required for remote access
➢ Require MFA for all remote connections
➢ Use VDI and other EMM solutions
4 Establish Role-Based Access Controls and Implement System Logging
➢ Implementation of a holistic Identity (role) and Access Management system with MFA – role-based access
➢ Advanced system logging is enabled
5 Use Only Strong Passwords, Change Default Passwords, and Consider Other Access Controls
➢ MFA implemented for systems access
➢ Where MFA is not possible, require frequent password changes (90 days or less); note that NIST SP 800-63B now advises against forced periodic rotation unless compromise is suspected, favoring longer passphrases screened against known-breached passwords instead
➢ Where MFA is not feasible, use as complex a password as the system allows
6 Maintain Awareness of Vulnerabilities and Implement Necessary Patches and Updates
➢ Implement an enterprise-level vulnerability scanner
➢ Monthly scans are conducted on all systems and networks
➢ Regular patch advisories are issued and executed
7 Develop and Enforce Policies on Mobile Devices
➢ Implement mobile device management and/or BYOD policies
➢ Implement a holistic enterprise mobility management (EMM) solution
➢ Require enrollment of mobile devices in EMM in order to gain access to resources
8 Implement an Employee Cybersecurity Training Program
➢ All employees are directed to complete online Cybersecurity Awareness Training
➢ All contractors / consultants requiring access to networks must complete online Cybersecurity Awareness Training
➢ Publish regular reminders and advisories to build a cybersecurity awareness culture
➢ Use internal phishing campaigns to test training effectiveness
9 Involve Executives in Cybersecurity
➢ Quarterly security briefings for the non-IT executive leadership
➢ Monthly Security / Cybersecurity Governance meeting
10 Implement Measures for Detecting Compromises and Develop a Cybersecurity Incident Response Plan
➢ Implement Security Information and Event Management (SIEM) technology
➢ Establish a local Security Operations Center
➢ Outsource or share responsibility with a Managed Security Service Provider
➢ Establish a Cyber Incident Response Plan
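Practices 1, 2 and 10 fit together: the jump host and segmentation define what management traffic into the OT zone is allowed to look like, and the SIEM exists to notice when reality differs. The following is an added example (not code from the presentation or from MWD) of a SIEM-style detection that applies that policy to firewall logs. The addresses, zone ranges, jump host, management ports and log lines are all constructed assumptions for illustration.

```python
"""Detect management-plane access to OT assets that bypasses the jump host,
and any OT exposure to external networks.  Added example; every address,
zone, port and log line here is a constructed assumption, not MWD data."""
import ipaddress
import re
from collections import Counter

# Assumed policy from practices 1 and 2: OT assets are managed only from
# the administrative jump host, and are never reachable from outside.
JUMP_HOSTS = {ipaddress.ip_address("10.10.50.5")}        # hypothetical jump host
ZONES = {                                                 # hypothetical addressing
    "OT":   ipaddress.ip_network("10.200.0.0/16"),
    "MGMT": ipaddress.ip_network("10.10.50.0/24"),
    "USER": ipaddress.ip_network("10.20.0.0/16"),
    "DMZ":  ipaddress.ip_network("172.16.1.0/24"),
}
# Ports that constitute "management" of a system (IT and OT protocols).
MGMT_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 502: "modbus", 20000: "dnp3"}

# Constructed firewall records in a simple key=value format.
SAMPLE_LOGS = """\
ts=2023-03-01T08:01:10Z action=allow src=10.10.50.5 dst=10.200.1.20 dport=22 proto=tcp
ts=2023-03-01T08:02:44Z action=allow src=10.20.7.31 dst=10.200.1.20 dport=3389 proto=tcp
ts=2023-03-01T08:03:02Z action=allow src=10.20.7.31 dst=10.200.1.21 dport=502 proto=tcp
ts=2023-03-01T08:05:19Z action=deny src=172.16.1.9 dst=10.200.1.22 dport=22 proto=tcp
ts=2023-03-01T08:06:00Z action=allow src=10.20.8.14 dst=10.20.9.2 dport=443 proto=tcp
ts=2023-03-01T08:07:11Z action=allow src=203.0.113.7 dst=172.16.1.9 dport=443 proto=tcp
ts=2023-03-01T08:09:35Z action=allow src=198.51.100.4 dst=10.200.1.30 dport=20000 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse one key=value firewall record into typed fields."""
    f = dict(KV_RE.findall(line))
    return {
        "ts": f["ts"],
        "action": f["action"],
        "src": ipaddress.ip_address(f["src"]),
        "dst": ipaddress.ip_address(f["dst"]),
        "dport": int(f["dport"]),
    }


def zone_of(addr) -> str:
    """Map an address to a named zone; anything unlisted is EXTERNAL."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def evaluate(ev: dict):
    """Return a finding for one event, or None if it complies with policy."""
    if zone_of(ev["dst"]) != "OT":
        return None                       # only OT destinations are in scope here
    service = MGMT_PORTS.get(ev["dport"])
    base = {"ts": ev["ts"], "src": str(ev["src"]), "dst": str(ev["dst"]),
            "service": service or ev["dport"]}
    if zone_of(ev["src"]) == "EXTERNAL":
        # Practice 1: OT equipment must have no exposure to external networks.
        sev = "CRITICAL" if ev["action"] == "allow" else "HIGH"
        return {**base, "severity": sev, "rule": "external-to-OT"}
    if service and ev["src"] not in JUMP_HOSTS:
        # Practices 1/2: management must traverse the jump host.  An allowed
        # connection means segmentation failed; a denied one is still a signal.
        sev = "HIGH" if ev["action"] == "allow" else "MEDIUM"
        return {**base, "severity": sev, "rule": "mgmt-bypasses-jump-host"}
    return None


def detect(log_text: str) -> list:
    """Run the policy over a block of log text and return all findings."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(evaluate, events) if f]


def noisy_sources(findings, threshold=2) -> dict:
    """Sources with repeated findings: candidate lateral movement, escalate to IR."""
    counts = Counter(f["src"] for f in findings)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for f in found:
        print(f"{f['severity']:8} {f['rule']:24} {f['src']} -> {f['dst']} ({f['service']})")
    print("repeat offenders:", noisy_sources(found))
```

Two of the findings are allowed connections from the user zone straight to OT management ports: those are the ones that say the firewall policy from practice 2 is not doing what the diagram claims, and they should page someone. The denied attempt from the DMZ host is still worth a ticket, because a web-facing box probing OT SSH is reconnaissance or lateral movement, not a misconfiguration. In a real SIEM the same logic is a correlation rule keyed on asset inventory (practice 6's scanner output is a good source for the OT address list) rather than hard-coded ranges.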