Post on 08-Jun-2020
Send in the Marines! Federal Oversight and the Alphabet Soup of Cyber Security
Inga Goddijn, CIPP/US
Risk Based Security
N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y
A State of (in)Security
A State of (in)Security
2015 topped the charts with the most data loss events reported in a single year, with over 4,000 publicly disclosed breaches.
Source: Cyber Risk Analytics, Risk Based Security
A State of (in)Security
Everyone Has Something of Value!
Set of business application account credentials in the Brazilian Underground:
$155 - $193
Set of entertainment site credentials in the Chinese Underground:
$325
Set of credit card credentials in the Russian Underground:
$4
A combination of phone number, work email address and social media credentials:
Brazil: $1,931 China: $145 Russia: $200
Source: http://www.trendmicro.com/vinfo/us/security/special-report/cybercriminal-underground-economy-series/global-black-
A State of (in)Security
Source: VulnDB
A State of (in)Security
So many vulnerabilities, in fact, that it's difficult to keep up.
Searching Shodan.io at the time of this presentation, there were 224,858 Internet-connected systems still vulnerable to Heartbleed.
A State of (in)Security
Networks, systems and the methods we use to access them are growing in complexity, not shrinking.
A State of (in)Security
Questionable coding and development practices, especially when it comes to emerging technologies.
A State of (in)Security
Even the best security can't always overcome basic human nature.
A State of (in)Security
Bottom line: security pros are being asked to "get it right" all day, every day. Attackers only need to be right once to win.
A State of Security
How do we shift the odds in our favor?
By focusing on how to best manage the risk through the use of formalized and systematic security standards and frameworks.
Standards
The Beauty of Standards is That There Are So Many to Choose From
A Closer Look At Security Frameworks
Some standards have been with us for many years:
HIPAA/HITECH Security Rules
FFIEC
ISO/IEC 27001/2
COBIT
NIST SP 800-53
ITIL
PCI - Data Security Standard
While some are very new:
NIST – Framework for Improving Critical Infrastructure Cybersecurity (introduced 2014)
CISA – Cybersecurity Information Sharing Act, Section 405 of Title IV, directing HHS to create best-practice standards under HIPAA (effective January 2016)
Information Security Frameworks
Descriptive models allow discretion in the selected controls
Prescriptive models detail the required mitigation
NIST Cybersecurity Framework
“Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013.
“The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure”
Source: http://www.nist.gov/cyberframework/
NIST Cybersecurity Framework
What, exactly, is “Critical Infrastructure”?
NIST Cybersecurity Framework
Does this apply to our members?
Excellent question!
“The Executive Order tasked NIST to design the Framework for voluntary use by private sector organizations that are part of the critical infrastructure”
NIST Cybersecurity Framework
Core • Activities & Outcomes
Tiers • Degree of Adoption & Process Maturity
Profile • Degree of Alignment With Objectives
NIST Cybersecurity Framework
Function • 5 Distinct Function Groups
Category • 22 Security Domains
Subcategory • 98 Objectives
Framework Core - Functions
Identify • Develop the organizational understanding to manage security risk to systems, assets, data and capabilities
Protect • Develop & implement appropriate safeguards
Detect • Develop & implement activities needed to identify a security event
Respond • Take action in response to a detected security event
Recover • Maintain plans for resilience and restore services
Implementation Tiers
Applicable to the organization's cyber risk strategy and risk mitigation processes
Framework Profile
Current Profile vs Target Profile
Aligning Core items with business requirements, risk tolerance and available resources to create a roadmap toward reducing information security risk
NIST Cybersecurity Framework
Details Worth Knowing
Entirely voluntary at this point, even if you're a provider of Critical Infrastructure
The framework is intended to be a "living document", to be updated and modified over time
There is no clear mechanism for sharing threat intelligence, but it is encouraged
Conformity assessments are also encouraged, but no assessment methodology has been established as yet
ISO27001/2:2013
Information Security Management System
ISO 27001/2:2013
Management of the Security System
Control Objectives & Corresponding Controls
ISO 27001/2:2013
Management Domains
Security in Organizational Context
Leadership
Planning
Support
Operation
Risk Treatment
Performance Evaluation
Improvement
ISO27001/2:2013
Control Domains
Information Security Policies
Organization of Information Security
Human Resources Security
Asset Management
Access Control
Cryptography
Physical Security
Operations Security Practices
Communications Security
System Acquisition, Development and Maintenance
Supplier Relationships
Incident Management
Business Continuity Management
Compliance
ISO27001/2:2013
Principles
Policies
Controls
Process
How Do We Put This To Work for Us?
Why Should We Do This?
Survey Says? Best Practices Are IN!
PWC Global State of Information Security 2016 Study
Why Should We Do This?
The #1 Benefit
Shared Language For Talking About
Acceptable Risk!
Where Do We Start?
Best Practices
Take Care Of The Security Basics!
Understand which assets are the most critical and how they are at risk
Make sure everyone is on the same page with a documented program
Have a plan should the worst happen
The Basics
When it comes to setting priorities for controls, the SANS 20 Critical Security Controls for Effective Cyber Defense is an excellent reference.
www.sans.org/critical-security-controls
The Basics
Security 101 – Taking Care of the Basics
Vulnerability Scans
– Routine testing of web applications and of the external and internal network to uncover overlooked weaknesses, missed patches and misconfigurations
– Like going to the doctor: should be checked out at least every year, and again after any significant change
The Basics
Vulnerability Scan or Pen Test?
It's the same thing, right? Not quite: a vulnerability scan is an automated sweep for known weaknesses, missed patches and misconfigurations, while a penetration test puts a person behind the findings to attempt exploitation and chain weaknesses together, showing what an attacker could actually reach.
Moving Beyond the Basics
No matter the framework or standard, the process must start with a risk assessment.
Risk Assessment
Risk Assessment Method
1. Identify & Value Assets
2. Identify Threats & Vulnerabilities
3. Assess The Impact
4. Identify Controls to Mitigate the Risk
5. Identify Residual Risk & Determine if Acceptable
6. IMPLEMENT THE PLAN!
Risk Assessment
Information Assets & Criticality
• Critical Network Hardware
• Applications
• Data Center
• Student Records
• HR Records / Payroll
• Contracts
Threats & Vulnerabilities, With Likelihood
• Hackers
• Lost Equipment
• Outdated Systems
• No Redundancy
• Employee Error
• Power Outage
• Flood / Fire / Tornado
Severity x Probability = Risk Score
• Likelihood of the event (x) the severity of the damage if it happens = risk score
• Each factor rated on a scale of 1-10, with the resulting score banded Low / Moderate / High
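As an added worked example (not code from the original presentation), the scoring method above applied to a small constructed risk register in Python: each risk carries a 1-10 likelihood and a 1-10 severity, the product is the inherent score, and the same product recomputed after the planned controls gives the residual score that is compared against a risk appetite (steps 1 through 5 of the method). The band cut-offs (Low below 25, Moderate 25-49, High 50 and above), the control effects, the ratings and the risk appetite are all assumptions for illustration; the asset and threat names are the ones on the slide.

```python
"""Added worked example of the slide's risk-scoring method; not code from the
original presentation. Assets, threats, ratings, control effects and band
cut-offs are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _rating(value: int, name: str) -> int:
    # The slide rates each factor on a 1-10 scale; reject anything outside it
    # so a typo in the register cannot silently produce a bogus score.
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return value


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 = rare .. 10 = near certain
    severity: int     # 1 = negligible .. 10 = catastrophic
    # Planned controls as (name, likelihood reduction, severity reduction).
    # The reductions are assumed effects, the judgement a risk owner records.
    controls: List[Tuple[str, int, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        _rating(self.likelihood, "likelihood")
        _rating(self.severity, "severity")

    def inherent_score(self) -> int:
        # Slide formula: likelihood of the event x severity of the damage.
        return self.likelihood * self.severity

    def residual_score(self) -> int:
        # Same product after each control lowers one factor; never below 1.
        lik, sev = self.likelihood, self.severity
        for _name, d_lik, d_sev in self.controls:
            lik = max(1, lik - d_lik)
            sev = max(1, sev - d_sev)
        return lik * sev


def band(score: int) -> str:
    # Assumed cut-offs on the 1-100 product; the slide names the bands only.
    if score >= 50:
        return "High"
    if score >= 25:
        return "Moderate"
    return "Low"


def assess(risks: List[Risk], appetite: int) -> List[Dict[str, object]]:
    """Rank risks by inherent score (highest first) and decide treatment:
    a residual score at or below `appetite` is accepted, anything above it
    still needs more controls before the plan is implemented."""
    rows = []
    for risk in sorted(risks, key=Risk.inherent_score, reverse=True):
        inherent, residual = risk.inherent_score(), risk.residual_score()
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "inherent": inherent,
            "inherent_band": band(inherent),
            "residual": residual,
            "residual_band": band(residual),
            "decision": "accept" if residual <= appetite else "treat further",
        })
    return rows


# Constructed register using asset and threat types named on the slide.
SAMPLE_RISKS = [
    Risk("Student Records", "Hackers", 8, 9,
         controls=[("MFA on the admin portal", 3, 0), ("encryption at rest", 0, 4)]),
    Risk("Data Center", "Flood / Fire / Tornado", 2, 10,
         controls=[("offsite backups", 0, 5)]),
    Risk("HR Records / Payroll", "Employee Error", 6, 5),
    Risk("Critical Network Hardware", "Power Outage", 5, 7,
         controls=[("UPS and generator", 3, 2)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS, appetite=24):
        print(f"{row['asset']:<26} {row['threat']:<24} "
              f"inherent {row['inherent']:>3} ({row['inherent_band']})  "
              f"residual {row['residual']:>3} ({row['residual_band']})  {row['decision']}")
```

Running the register shows why the method matters: the Data Center flood risk and the power-outage risk are both acceptable once their controls are counted, while the Student Records risk drops from High to Moderate yet still sits above the appetite, so it is the one that needs another control before step 6, implementing the plan.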
Risk Assessment
Why it matters
It provides the foundation for understanding:
• Which are the most critical assets;
• What is an acceptable level of risk to each asset; and
• How recommended practices measure up against the actual need for controls.
Document The Security Program
Getting Everyone On The Same Page
Most frameworks require written polices
Should be established by leadership
Communicated to everyone that needs to know
Regularly reviewed
What About Vendors?
Let’s outsource IT! They promise great security!
What About Vendors?
Recent Breaches at Technology Service Providers
Fortinet (firewall maker), 1/12/2016: hard-coded backdoor access discovered, and credentials for exploiting the weakness published online
Linode (cloud hosting service), 1/5/2016: usernames, email addresses and hashed passwords visible on an external server
QS Unisolution (educational SaaS), 1/6/2016: PII of over 1,000 students exposed due to a site misconfiguration
NGP VAN (voter database management service), 12/18/2015: a programming error allowed confidential voter metrics belonging to the Clinton campaign to be accessed by members of the Sanders campaign
WPEngine (website hosting service), 12/12/2015: a hacker exposed up to 150,000 user passwords
What About Vendors?
Using third party services doesn’t transfer the security burden, it changes it
• We must demand better security from all of our vendors!
• Take the time to evaluate software & services
– Define requirements in agreements
– New features are great, but not at the expense of a breach
– Vote with $$; select vendors that take security seriously
Incident Response
Developing a controlled approach to incident response is included in most ‘best practice’ frameworks.
Incident Response
Benefits of Planning Ahead
• A roadmap to follow in the midst of chaos
• It saves money in the long run
• Can be used to identify trigger points for escalating the event AND help map to the most critical insurance needs!
Incident Response
Event Response, Incident Response, Breach Response. It’s all the same thing, right?
Incident Response
A “security incident” can be any event that impacts: the availability of critical data and systems; the integrity of data; or the confidentiality of non-public information.
“Breach response”, the primary focus of most cyber insurance coverage offered by pools and insurers, tends to refer more narrowly to unauthorized activity and compromise of personally identifiable information.
Incident Response
Why It Matters
Verizon DBIR 2015 Report
Incident Response
Incident response planning starts with a process for evaluating security events
Event
• Something has occurred but was handled automatically or has not yet been fully investigated
Vulnerability
• The event was analyzed and a weakness discovered that COULD lead to a compromise or business impact
Incident
• Reasonable probability that data was exposed, but risk of harm to individuals is not likely, or there is a clear impact on business operations
Breach
• Data has been exposed and there is a high potential for misuse, and/or harm to persons is reasonably likely
Got Cyber Cover? Time to report it!
Incident Response
Response Plans Should Include
• A security incident management policy
• A designated point person to lead the effort
• Who is a part of the incident response team
• A key contact list (internal and external)
• A communication plan (what, by whom, to whom, when & how)
• Training for IRT members in their roles and responsibilities
• Incident response exercises
Incident Response
A mature incident response process also includes a method for collecting event information in order to learn and improve.
Learn • Apply • Improve
Incident Response
Lessons Learned
• Look for the root cause, not just the symptoms
• What actions would prevent recurrence?
• Follow up at the end of the process to ensure prevention plans have been fully implemented
• Review policies and procedures, and possibly include awareness training, to reflect the lessons learned from the investigation
• Did the plan work? Update the breach response plan to improve the response process
Security Events and Threat Sharing
Looking Ahead
Cyber Security Information Sharing Act
Key Facts To Know:
A system for voluntary sharing of cyber security information between private entities and the federal government
The Department of Homeland Security (DHS) acts as the central hub for information sharing
Requires the sharing of information in real time
Sharing portal launched on 3/17/2016
6 companies currently enrolled
Cyber Security Information Sharing Act
Pros:
It’s a start, and we need to start somewhere
Sharing can help identify where attackers came from and what their methods look like
Cyber threat indicators (CTIs): the tactics, techniques, and procedures used by malicious actors to compromise the computer networks of their victims
Cyber Security Information Sharing Act
Cons:
Can’t fix bad security practices
Won’t catch zero-days or previously unknown malware
Protections may not be enough incentive to share the gory details of a security failure
High degree of sophistication needed to participate
Cyber Security Information Sharing Act
What can we take from CISA?
A Lot, Actually
The pooling community is UNIQUE:
Shared purpose
Shared constituencies
Many commonly used vendors, applications and services
Some Observations From The Trenches
Regardless of how extensive the security program is or how many controls it has, the best security programs share seven traits.
A Program At Its Best Is:
1. An Integral Component of Organization Management
2. Comprehensive & Integrated Throughout the Business
3. Supports the Mission of the Business
4. Sensitive to Social Factors
5. Cost Effective Relative to the Risk
6. Responsibility and Accountability Is Explicit
7. Periodically Reassessed and Refined
A Program At Its Worst:
Likewise, there are some signs the program might fall short:
1. Done to Check a Box
2. Not Including a Risk Assessment
3. Treating All Information Equally
4. Not Following Through
5. Taking On Too Much At Once
“Ultimately, security is about people – not technology.”
Foundations of Information Privacy and Data Protection
P. Swire & K. Ahmed, 2012
Thank You!