Unclassified // For Unlimited Distribution

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities

Bradford Willke
Cyber Security Advisor, Mid-Atlantic Region
National Cyber Security Division (NCSD)
Office of Cybersecurity and Communications (CS&C)
U.S. Department of Homeland Security (DHS)

16 Oct 2012

Growth of Cyber Threats

[Chart: timeline of attack techniques from 1980 to 2012. Horizontal axis: 1980, 1985, 1990, 1995, 2000, 2012. Vertical axis: Sophistication, Low to High. Two trends are annotated: "Sophistication Required of Actors: Declining" and "Sophistication of Available Tools: Growing".]

Techniques and events labelled on the chart:
• Password guessing
• Self-replicating code
• Password cracking
• Exploiting known vulnerabilities
• Disabling audits
• Burglaries
• Back doors
• Hijacking sessions
• Sweepers
• Sniffers
• Packet spoofing
• Network mngt. diagnostics
• GUI
• Automated probes/scans
• Staging
• www attacks
• “Stealth”/advanced scanning techniques
• Distributed attack tools
• Cross site scripting / Phishing
• Denial of Service
• Sophisticated C2
• Convergence
• Estonia DoS
• Russia invades Georgia
• Stuxnet
• DNS exploits


Cyber Partnership Examples

• AMSC Cyber Sub-Committee (Pittsburgh)
• MS-ISAC (Multi-State Information Sharing and Analysis Center)
• Ohio Statewide Cyber Security Strategy
• VALGITE (Virginia Local Government IT Executives)
• VOICCE (Virginia’s Operational Integration Cyber Center of Excellence)

Area Maritime Security Committee: Cyber Sub-Committee

DHS, USCG, CIKR, and Business Partnership

Committee Premises:

• Incident response and continuity of operations still need work
• Partners need credible planning templates and test-able scenarios
• ASME database for cyber responders is useful and needed
• Organizations need a “411” system for information on where to voluntarily report cyber incidents, request technical assistance, request non-technical incident handling, and request law enforcement responses
• Organizations would benefit from a local emergency management, “911-like,” function that mobilizes regional and local cyber responses and creates a regional common operating picture

MS-ISAC Overview

State, Local, Territorial, and Tribal Partnership

Operated by NY-based Center for Internet Security

Operational Services:

• Incident coordination, handling, and response
• “Albert” services for threat monitoring, detection, and prevention
• Fee-for-Service model for vulnerability and “PEN” testing
• Low cost ($.75/student) for annual cyber security awareness & training
• FREE post-incident vulnerability and mitigation service
• Broad assistance with state and local incidents, much beyond cyber

Ohio Statewide Cyber Strategy

Developed in 2011; adopted in 2012

Led by Ohio Homeland Security Advisory Council – Cyber Working Group

• Direct ties to Ohio Strategic Analysis and Information Center (SAIC)
• Co-chaired by Ohio Chief Information Security Officer and Ohio Office of Homeland Security

Organizes both internal, state-focused and external, partner-focused (i.e., academia, private sector, public sector) activities

Creates a twelve-month, renewable action plan, with five initiatives:

• Initiative 1: Share cyber security threat information across the homeland security enterprise
• Initiative 2: Create a cyber security culture in state and local government
• Initiative 3: Partner with the public and private sectors to support their cyber security efforts
• Initiative 4: Identify cyber resources (human and equipment) to leverage for creating cyber incident response teams
• Initiative 5: Raise cyber security awareness across Ohio

NATIONWIDE CYBER SECURITY REVIEW (NCSR)


NCSR Methodology

The NCSR methodology leveraged an existing cyber security controls framework developed by the MS-ISAC.

• The 2011 NCSR utilized a Control Maturity Model (CMM) to measure how effective the State and Local governments’ risk management programs are at deploying a given cyber security control based on risk management processes
• This methodology uses key milestones and benchmarks for measuring the effectiveness of security control placement based on risk management processes

NCSR Maturity Model

Level: Ad-Hoc
Activities for this control are one or more of the following:
‐ Not performed
‐ Performed but undocumented/unstructured
‐ Performed and documented, but not approved by management

Level: Documented Policy
The control is documented in a policy that has been approved by management and is communicated to all relevant parties.

Level: Documented Standards / Procedures
The control meets the requirements for Documented Policy and satisfies all of the following:
‐ A full suite of documented standards and procedures that help guide implementation and management of the enterprise-wide policy
‐ Communicated to all relevant parties

Level: Risk Measured
The control meets the requirements for Documented Standards / Procedures and satisfies all of the following:
‐ Control is at least partially assessed to determine risk
‐ Management is aware of the risks

Level: Risk Treated
The control meets the requirements for Risk Measured and satisfies all of the following:
‐ A risk assessment has been conducted
‐ Management makes formal risk-based decisions based on the results of the risk assessment to determine the need for the control
‐ The control is deployed in those areas where justified by risk, but is not deployed where not justified by risk

Level: Risk Validated
The control meets the requirements for Risk Treated and satisfies all of the following:
‐ If the control is deployed (in those areas where justified by risk), the effectiveness of the control has been externally audited/tested to validate that the control operates as intended
‐ If the control is not deployed (in those areas where not justified by risk), management’s decision to not implement the control was determined to be sound

Methodology: Assessed Control Areas

The 2011 NCSR examined 12 cyber security control areas:

• Security Program
• Risk Management
• Physical Access Controls
• Logical Access Controls
• Security Within Technology Lifecycles
• Information Disposition
• Malicious Code
• Monitoring and Audit Trails
• Incident Management
• Business Continuity
• Security Testing
• Personnel and Contracts

Individual Report

Every respondent received a report immediately after they completed the review. The Individual Report included:

• Details on the Reporting methodology;
• A full list of the questions asked;
• How the respondent answered each question, and;
• High level options for consideration based on answers.

The Individual Report was protected as PCII, and was only disseminated via the Secure US-CERT Portal.

Summary Report

The NCSR Summary Report was released to respondents on March 16, 2012. The Summary Report highlighted key findings from the 2011 Review, including identifiable gaps and recommendations on how States and Local governments can increase their risk awareness. The Summary Report will not be attributable to specific respondents or organizations. The Summary Report will allow respondents to compare their answers against the national averages and determine their individual strengths & weaknesses.

Comparison of Results

Results: Security Control Areas

Columns: Rank | Process Area | Ad-Hoc | Documented Policy ‐ Documented Standards and Procedures | Risk Measured ‐ Risk Validated

 1 | Malicious Code                       | 12% | 36% | 52%
 2 | Physical Access Control              | 16% | 39% | 46%
 3 | Logical Access Control               | 18% | 40% | 42%
 4 | Security Testing                     | 42% | 22% | 36%
 5 | Incident Management                  | 32% | 38% | 31%
 6 | Business Continuity                  | 33% | 36% | 31%
 7 | Personnel and Contracts              | 29% | 41% | 30%
 8 | Security Program                     | 30% | 40% | 30%
 9 | Information Disposition              | 27% | 44% | 29%
10 | Security within Technology Lifecycle | 36% | 35% | 29%
11 | Risk Management                      | 45% | 26% | 29%
12 | Monitoring and Audit Trails          | 46% | 27% | 28%

These results are based on the 162 responses.

Key Findings: Capabilities and Gaps

Strengths:

• 52% have implemented and/or validated protective measures for the detection and removal of malicious code
• 81% of all respondents have adopted cyber security control frameworks and/or security methodologies
• 42% have implemented and/or validated logical access controls (e.g., termination/transfer procedures, ACLs, remote access)

Weaknesses:

• 42% of respondents stated they do not have an independent testing and/or audit program established
• 45% of respondents stated they have not implemented a formal risk management program (e.g., risk assessments, security categorization)
• 46% of respondents stated they have not implemented Monitoring and Audit Trails, which is important to determine if an incident is occurring or has occurred
• 31% of all respondents have never performed a contingency exercise
• 67% of all respondents stated it has been at least two years since they updated their Information Security Plan
• 66% of all respondents stated it has been at least two years since they updated their Disaster Recovery Plans

2011 Nationwide Cyber Security Review ‐ Registered Respondents

Range   Frequency
0       1
1       14
2‐3     16
4‐9     16
10‐20   6

Respondents Total: 206

ADDITIONAL DHS-LED CYBER SECURITY REVIEWS

Key Resilience Domains

• AM (Asset Management): identify, document, and manage assets during their lifecycle
• IM (Incident Management): identify and analyze IT events, detect cyber security incidents, and determine an organizational response
• CCM (Configuration and Change Management): ensure the integrity of IT systems and networks
• SCM (Service Continuity Management): ensure the continuity of essential IT operations if a disruption occurs
• RISK (Risk Management): identify, analyze, and mitigate risks to critical service and IT assets
• EXD (External Dependencies Management): establish processes to manage an appropriate level of IT, security, contractual, and organizational controls that are dependent on the actions of external entities
• CNTL (Controls Management): identify, analyze, and manage IT and security controls
• TRNG (Training and Awareness): promote awareness and develop skills and knowledge of people
• VM (Vulnerability Management): identify, analyze, and manage vulnerabilities
• SA (Situational Awareness): actively discover and analyze information related to immediate operational stability and security

Maturity, Not Just Capability

A MIL (Maturity Indicator Level) measures process institutionalization, and describes attributes indicative of mature capabilities.

MIL Level 5 – Defined: All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); measured (MIL-4); and consistent across all internal constituencies who have a vested interest — processes/practices are defined by the organization and tailored by organizational units for their use, and supported by improvement information shared amongst organizational units.

MIL Level 4 – Measured: All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); and periodically evaluated for effectiveness, monitored & controlled, evaluated against its practice description & plan, and reviewed with higher-level management.

MIL Level 3 – Managed: All practices are performed (MIL-1); planned (MIL-2); and governed by the organization, appropriately staffed/funded, assigned to staff who are responsible/accountable & adequately trained, produces expected work products, placed under appropriate configuration control, and managed for risk.

MIL Level 2 – Planned: All practices are performed (MIL-1); and established, planned, supported by stakeholders, standards and guidelines.

MIL Level 1 – Performed: All practices are performed, and there is sufficient and substantial support for the existence of the practices.

MIL Level 0 – Incomplete: Practices are not being performed, or incompletely performed.

Department of Homeland Security
National Protection and Programs Directorate
Cyber Security and Communications

Contact Information
Bradford Willke [email protected]