K12 Cybersecurity Roadmap -...

Post on 16-May-2020


K12 Cybersecurity Roadmap

Introduction


Jason Brown, CISSP
Chief Information Security Officer
Merit Network, Inc

jbrown@merit.edu
@jasonbrown17
https://linkedin.com/in/jasonbrown17

Agenda

• Why Use the Critical Security Controls?

• The Five Critical Tenets

• Foundational Cyber Hygiene

• Pulling it Altogether

• Where Do I Go Next?


Fog of More

Compliance

Firewall

Data Loss Prevention

Risk Management Framework

Policies, Standards and Procedures

SIEM

Logs

802.1x

Multifactor Authentication

Anti-Virus

Encryption

End User Training

Security Benchmarks

Secure Coding

Mobile Device Management

Why Use the CSC?

• Controls are derived from actual attacks and the defenses that have proven effective against them

• Laid out based on priority

• 20 control categories with 4 – 14 sub-controls

• All are technical controls

• The Critical Security Controls (CSC) can be supplemented by other frameworks


The Five Critical Tenets

What Are They?

1. Offense Informs Defense

2. Prioritize

3. Metrics

4. Continuous Diagnostic and Mitigation

5. Automation


#1: Offense Informs Defense

• Attackers – Offense
  • What are they doing?
  • How are they doing it?
  • Is it successful?

• You – Defense
  • What was put in place to stop it?
  • How was it implemented?
  • Was it successful?


#2: Prioritize

• Review the 20 Critical Security Controls

• Perform gap analysis

• What is the biggest pay off for your environment?

• Put a plan together for the bigger projects

20 CSC (alphabetical)

Account Monitoring and Control

Application Software Security

Boundary Defense

Continuous Vulnerability Assessment and Remediation

Controlled Access Based on the Need to Know

Controlled Use of Administrative Privileges

Data Protection

Data Recovery Capability

Email and Web Browser Protections

Incident Response and Management

Inventory of Authorized and Unauthorized Devices

Inventory of Authorized and Unauthorized Software

Limitation and Control of Network Ports, Protocols and Services

Maintenance, Monitoring and Analysis

Malware Defenses

Penetration Tests and Red Team Exercises

Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Secure Configurations for Network Devices such as Firewalls, Routers and Switches

Security Skills Assessment and Appropriate Training to Fill Gaps

Wireless Access Control

Question #1

• Penetration Testing
• Vulnerability Scanning

Question #2

• Antivirus
• Email and Web Browser Protections

20 CSC (by number)

#1 – Inventory of Authorized and Unauthorized Devices

#2 – Inventory of Authorized and Unauthorized Software

#3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

#4 – Continuous Vulnerability Assessment and Remediation

#5 – Controlled Use of Administrative Privileges

#6 – Maintenance, Monitoring and Analysis

#7 – Email and Web Browser Protections

#8 – Malware Defenses

#9 – Limitation and Control of Network Ports, Protocols and Services

#10 – Data Recovery Capability

#11 – Secure Configurations for Network Devices such as Firewalls, Routers and Switches

#12 – Boundary Defense

#13 – Data Protection

#14 – Controlled Access Based on the Need to Know

#15 – Wireless Access Control

#16 – Account Monitoring and Control

#17 – Security Skills Assessment and Appropriate Training to Fill Gaps

#18 – Application Software Security

#19 – Incident Response and Management

#20 – Penetration Tests and Red Team Exercises

#3: Metrics

• Provide established common metrics for executives, IT staff, auditors and security officials

• What type of metrics should be reported on?

• Do metrics make sense? Should established metrics be reassessed?

• Use SMART metrics
  • Specific – target a specific area for improvement
  • Measurable – quantify, or at least suggest, an indicator of success
  • Assignable – specify who will do it
  • Realistic – state what results can realistically be achieved, given the resources available
  • Time-related – specify when the results can be achieved

Measurement Companion for CSC

CSC Percentage Based Metrics

#4: Continuous Diagnostics and Mitigation

• Continuous measurement to test and validate the effectiveness of current security measures

  • How well are your firewalls configured?
  • Are all your IT resources logging?
  • Did you follow up on the IPS alerts?

• These help drive the priority of next steps
  • Plan, Do, Check, Act

#5: Automation

• Automate as much as possible
  • Configuration Management
  • Vulnerability Scanning
  • Patch Management
  • Reporting and Alerting

• Manual checks do not scale
  • However, they are required in some instances

Foundational Cyber Hygiene


The essential first steps to a successful cyber security program

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations of Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Controlled Use of Administrative Privileges


CSC #1

Inventory of Authorized and Unauthorized Devices

• Deploy an automated asset management tool

• Log DHCP addresses that have been assigned

• Detect unknown systems in DHCP logs

• Deploy 802.1x authentication

• Use client-based certificates for system authentication
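The two DHCP-log bullets above in working form, as an added example that is not from the presentation: it parses ISC dhcpd DHCPACK syslog lines (a real format), normalizes MAC address notation, and reports every lease granted to a MAC that is absent from the asset inventory. The inventory and log lines are constructed samples.

```python
"""Flag DHCP leases granted to devices absent from the authorized asset inventory (CIS CSC #1).
Log lines and inventory below are constructed samples in ISC dhcpd syslog format."""
import re
from dataclasses import dataclass

# Matches dhcpd DHCPACK lines; the "(hostname)" part is optional in dhcpd output.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)

@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str

def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so inventory lookups are exact regardless of notation."""
    return mac.lower().replace("-", ":")

def parse_leases(log_lines):
    """Yield one Lease per DHCPACK line; DISCOVER/OFFER/REQUEST lines are ignored."""
    for line in log_lines:
        m = DHCPACK_RE.search(line)
        if m:
            yield Lease(normalize_mac(m["mac"]), m["ip"], m["host"] or "")

def find_unknown_devices(log_lines, inventory):
    """Return leases whose MAC is not in the inventory, one entry per unknown MAC."""
    authorized = {normalize_mac(mac) for mac in inventory}
    seen, unknown = set(), []
    for lease in parse_leases(log_lines):
        if lease.mac not in authorized and lease.mac not in seen:
            seen.add(lease.mac)
            unknown.append(lease)
    return unknown

# Constructed sample data: inventory (MAC -> asset tag, mixed notations) and one day of dhcpd log.
INVENTORY = {"AA:BB:CC:00:00:01": "lib-desk-01", "aa-bb-cc-00-00-02": "lab-pc-07"}
SAMPLE_LOG = [
    "Mar  3 08:15:02 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:01 via eth0",
    "Mar  3 08:15:02 dhcp1 dhcpd: DHCPACK on 10.1.20.11 to aa:bb:cc:00:00:01 (lib-desk-01) via eth0",
    "Mar  3 08:16:40 dhcp1 dhcpd: DHCPACK on 10.1.20.12 to aa:bb:cc:00:00:02 (lab-pc-07) via eth0",
    "Mar  3 09:02:13 dhcp1 dhcpd: DHCPACK on 10.1.20.80 to aa:bb:cc:00:00:99 (android-3f2a) via eth0",
    "Mar  3 09:30:55 dhcp1 dhcpd: DHCPACK on 10.1.20.80 to aa:bb:cc:00:00:99 (android-3f2a) via eth0",
    "Mar  3 10:11:07 dhcp1 dhcpd: DHCPACK on 10.1.20.81 to 11:22:33:44:55:66 via eth0",
]
```

Run `find_unknown_devices(SAMPLE_LOG, INVENTORY)` against the sample data and the two leases that do not match any inventory entry come back; feeding the real dhcpd log and the asset management export in gives the same report for the environment.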


CSC #2

Inventory of Authorized and Unauthorized Software

• Maintain a list of authorized software deployed on systems

• Use application whitelisting

• Deploy a software inventory system

• Use virtual machines and air-gapped systems for highly sensitive information


CSC #3

Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

• Establish secure configurations for operating systems and software applications

• Build a secure image and keep it safe. Reimage systems if compromised.

• Store secure images in a safe location, validate them with integrity checks, and apply strict change management

• Perform remote administration over secure communication channels

• Use Active Directory or Puppet to enforce configuration settings


CSC #4

Continuous Vulnerability Assessment and Remediation

• When exploits are released, the race begins between you and the attacker
  • Who will win?

• How do I solve this?
  • Automated vulnerability scans against all resources
  • Use authenticated scans
  • Deploy automated patch management tools
  • Rate vulnerability risks within the environment
    • DMZ
    • Internal
    • Servers vs desktops


Evaluating Vulnerabilities

• Common Vulnerabilities and Exposures (CVE)
  • CVE ID
  • Description
  • Public advisories or references

• Common Vulnerability Scoring System (CVSS)
  • Provided by NIST
  • An open framework for communicating the impacts of IT vulnerabilities


Rating     Score        Patch
High       7.0 – 10.0   Within 30 days
Moderate   4.0 – 6.9    Within 60 days
Low        0.0 – 3.9    Within 90 days
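A worked example added here (not from the presentation) that applies the rating table above to a vulnerability scan export and reports which findings are past their patch window, most overdue first. The host names, dates and CVE-0000-* identifiers are constructed placeholders.

```python
"""Turn CVSS base scores from a vulnerability scan into the patch windows shown on the slide
and flag overdue findings (CIS CSC #4). Scan rows are constructed samples with placeholder CVE ids."""
from datetime import date, timedelta

# Rating bands from the slide: (rating, lowest score in band, patch window in days), highest first.
PATCH_POLICY = [("High", 7.0, 30), ("Moderate", 4.0, 60), ("Low", 0.0, 90)]

def rate(cvss: float):
    """Return (rating, window_days) for a CVSS base score; scores outside 0.0-10.0 are rejected."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    for rating, floor, days in PATCH_POLICY:
        if cvss >= floor:
            return rating, days
    raise AssertionError("unreachable: the Low band starts at 0.0")

def triage(findings, today: date):
    """findings: iterable of (host, cve_id, cvss, date_found).
    Returns dicts with the due date and days overdue, most overdue (then highest CVSS) first."""
    rows = []
    for host, cve_id, cvss, found in findings:
        rating, days = rate(cvss)
        due = found + timedelta(days=days)
        rows.append({"host": host, "cve": cve_id, "cvss": cvss, "rating": rating,
                     "due": due, "overdue_days": max(0, (today - due).days)})
    rows.sort(key=lambda r: (-r["overdue_days"], -r["cvss"]))
    return rows

# Constructed scan export; CVE-0000-* are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    ("lib-desk-01", "CVE-0000-0001", 9.8, date(2020, 3, 1)),
    ("lab-pc-07", "CVE-0000-0002", 5.3, date(2020, 3, 1)),
    ("dmz-web-01", "CVE-0000-0003", 7.0, date(2020, 4, 20)),
    ("file-srv-02", "CVE-0000-0004", 3.9, date(2020, 2, 1)),
]
REPORT_DATE = date(2020, 5, 16)

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, REPORT_DATE):
        flag = f"OVERDUE {r['overdue_days']}d" if r["overdue_days"] else "on track"
        print(f"{r['host']:12} {r['cve']:14} {r['cvss']:4} {r['rating']:8} due {r['due']} {flag}")
```

Note that a Low finding left from February is flagged before a High one found last month: the window, not the score alone, decides what is overdue, which is the point of rating risk within the environment rather than patching by CVSS order.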

CSC #5

Controlled Use of Administrative Privileges

• Only use administrative accounts when required

• Use automated tools to inventory all administrative accounts

• Change system default passwords

• Use multifactor authentication for all administrative access

• Use a dedicated machine for all administrative tasks


Double Up on Controls!

• Store hardware, software and data classification in one system
  • CSC1 – Inventory authorized and unauthorized hardware
  • CSC2 – Inventory authorized and unauthorized software
  • CSC13 – Data Protection
  • CSC15 – Wireless Access Control

• Utilize the same site for IT resource benchmarks
  • CSC3 – Secure configurations for laptops, servers, mobile devices
  • CSC11 – Secure configurations for network and firewall equipment

• Log, monitor, and alert from one SIEM or Log Management System
  • CSC6 – Maintenance, monitoring and analysis
  • CSC16 – Account monitoring and control


Supplemental Documents

• Excel Spreadsheet document with controls

• Center for Internet Security Companion Guides
  • Internet of Things
  • Mobile Security
  • Privacy Impact
  • Measurement


Where Do I Go Next?

Where Do I Go From Here?

Framework Core

Functions – Categories – Subcategories – Informative References

• Identify (ID)
  • Asset Management (ID.AM)
    • Physical devices and systems within the organization are inventoried (ID.AM-1)
      • NIST SP 800-53 CM-8
      • ISO 27001:2013 A.8.1.1, A.8.1.2
    • Software platforms and applications within the organization are inventoried (ID.AM-2)

• Protect (PR)
  • Access Control (PR.AC)

• Detect (DE)

• Respond (RS)

• Recover (RC)


Framework Tiers

Tiers based upon risk management processes

Tier 1: Partial
  • Risk management is ad hoc – implemented on a case-by-case basis
  • Organization has limited awareness of cybersecurity risk

Tier 2: Risk Informed
  • Risk management is approved by management, not established by policy
  • Organization is aware of risk, but no formal approach has been established

Tier 3: Repeatable
  • Organizational risk management practices are approved and expressed as policy

Tier 4: Adaptive
  • Risk management is adaptive – changes based upon current threats and posture


Framework Profile

• Two parts – can be more
  • Current state profile
  • Future state profile

• Assess present security posture to develop a current profile

• Alignment of functions, categories, and subcategories with business requirements, risk tolerance and resources

• Develop a plan of action and milestones (POA&M) document to achieve yearly initiatives and goals


CIS CSC to NIST CSF

Roadmap

• Next week
  • Download the CIS benchmarks and controls documentation for review

• Over the next 3 months
  • Download the CIS-CAT Lite tool set and begin scanning a few systems within the environment
  • https://www.cisecurity.org/cybersecurity-tools/

• Over the next 6 months
  • Purchase the full suite, giving you access to all the scanning tools and hardened OS images


General Discussion and Questions

www.merit.edu
734.527.5700

1000 Oakbrook Drive
Suite 200
Ann Arbor, Michigan 48104-6794

Thank You
