Conducting Risk Assessments
Instructor: Duane Dunston
2021/05/07
Duane Dunston
• Associate Professor Cybersecurity (9 years)
• Education Sector 1998 - 2001
• Federal Government & Contractor 2001-2012
• Working on EdD at Northeastern University
  • Curriculum, Teaching, Learning, and Leadership
  • Cognition and learning
Risk Defined
"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization." - NIST 800-30
Everyone manages risk
● Executives must understand and support risk management
  ■ Employees follow their leaders
● "Culture of Risk"
● System Development Lifecycle
Complexity of modern businesses
• Email
• Mobile devices
• Corporate website
• Social media
• Ecommerce systems
• Online banking
• BYOD and office policy
• Network management
• Backup and remote access
From NIST: https://www.nist.gov/itl/smallbusinesscyber
Cybersecurity Objectives
More: NIST Special Publication 800-12, revision 1, An Introduction to Information Security, section 1.4
From NIST: https://www.nist.gov/itl/smallbusinesscyber
Data Backup
• Ensure you have a backup of your data
• Ensure you test to be sure what you are backing up is being backed up and is the latest version
• Keep your backups on a separate network or offline (and encrypted)
Activity
Who manages backups in your organization? If unsure, find out. Make a note to discuss the previous slide's points with them.
1. Is data backed up?
2. Are backups tested, and do they have the latest version of documents?
3. Are they kept on a separate network or offline, offsite and encrypted?
4. Has anyone tested to be sure it is encrypted?
5. Explain the process and show the results.
6. How often are the above procedures tested?
Hacking Motivations
• Fun
• Opportunistic
• Malicious
• Financial
• Springboard to attack others
• Nation State
• Hacktivism
• Identity Theft
System Boundary
Purpose: Identify information assets which are a part of the organization and where are they located (physical and geolocation).
Who is involved?
Executives, IT Managers, system and network administrators, head or key person in each department, Employee awareness
System Interconnections
Purpose: Identify network connections with organizations outside of the organization’s responsibility (contractors, remote support, cloud service)
Who is involved?
Executives, IT Managers, system and network administrators, head or key person in each department
Software Inventory
Purpose: Identify all software installed on all operating systems and devices
“Living Document”
Who is involved?
IT Managers, system and network administrators, head or key person in each department, employees
Self-reflection
Make a note to determine if you know if your organization has the items below and identify who is responsible for maintaining each:
1. Network diagram
   a. Routinely updated and how often it is reviewed.
2. System Boundary well-defined
   a. Routinely updated and how often it is reviewed.
3. System Interconnections documented
   a. Routinely updated and how often it is reviewed.
4. Software Inventory
   a. Routinely updated and how often it is reviewed.
Categorize System
Determine the impact to the organization
Confidentiality, Integrity, and Availability
Information types must be identified; they drive the determination of adverse impacts
Who is involved?
IT Managers, system and network administrators, head or key person in each department
Categorize System
Guiding Documents
NIST 800-60 Volumes I and II.
Walk-Through
Spreadsheet based on NIST 800-60 Volumes I and II:
https://tinyurl.com/4ucywrum
Review the spreadsheet and the tabs that have the information types
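To make the roll-up concrete, here is an added example (not from the slides or from the NIST spreadsheet) that applies the FIPS 199 high-water-mark rule NIST 800-60 describes: each information type carries a provisional confidentiality, integrity and availability impact level, a reviewer may adjust a level with a documented reason, and the system's category is the highest level per objective and overall. The information types and levels below are constructed sample values, not NIST 800-60 Volume II's provisional assignments.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Impact levels from FIPS 199 / NIST SP 800-60, in increasing order.
LEVELS = ("low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    """One information type with its provisional CIA impact levels.

    `adjustments` holds reviewer overrides of the provisional levels,
    keyed by objective, each with the justification NIST 800-60 expects
    you to record alongside the change.
    """
    name: str
    confidentiality: str
    integrity: str
    availability: str
    adjustments: dict = field(default_factory=dict)  # objective -> (level, reason)

    def level(self, objective: str) -> str:
        if objective in self.adjustments:
            return self.adjustments[objective][0]
        return getattr(self, objective)


def validate(level: str) -> str:
    """Reject anything outside the three FIPS 199 levels (e.g. a typo)."""
    if level not in RANK:
        raise ValueError(f"impact level must be one of {LEVELS}, got {level!r}")
    return level


def categorize(info_types: list[InfoType]) -> dict:
    """High-water mark: per objective, the highest impact across all
    information types; overall category is the highest of the three."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective = {
        obj: max((validate(t.level(obj)) for t in info_types), key=RANK.__getitem__)
        for obj in OBJECTIVES
    }
    overall = max(per_objective.values(), key=RANK.__getitem__)
    return {"objectives": per_objective, "overall": overall}


def drivers(info_types: list[InfoType], objective: str) -> list[str]:
    """Which information types set the high-water mark for an objective;
    useful when justifying an adjustment or explaining a control to owners."""
    top = categorize(info_types)["objectives"][objective]
    return [t.name for t in info_types if t.level(objective) == top]


# Constructed sample system: a small web store. Levels are illustrative only.
SAMPLE = [
    InfoType("Customer order records", "moderate", "moderate", "low"),
    InfoType("Public product catalog", "low", "moderate", "low"),
    InfoType("Payment card data", "high", "high", "low",
             adjustments={"availability": ("moderate", "an outage halts all sales")}),
]

if __name__ == "__main__":
    result = categorize(SAMPLE)
    for obj in OBJECTIVES:
        print(f"{obj:15s} {result['objectives'][obj]:9s} driven by {drivers(SAMPLE, obj)}")
    sc = ", ".join(f"({o}, {result['objectives'][o]})" for o in OBJECTIVES)
    print(f"SC = {{{sc}}} -> overall {result['overall']}")
```

The per-objective result is what the selection step consumes; the overall level alone hides that availability here is only moderate.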
Select Controls
Based on the risks identified in the Categorization phase and the risk identification that follows it.
Who is involved?
Legal department, IT managers, executives, human resources, financial department, system, security, and network administrators
Select Controls
Security Controls Best Practices:
● NIST 800-171
  ■ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
● CIS Critical Security Controls
● Payment Card Industry (May require hardware and information compliance)
Select Controls
● Regulatory compliance may drive security control selection
  ○ e.g. CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS)
  ○ https://tinyurl.com/9z2h7y72
● Cybersecurity resources are public, and some require registration
  ○ https://www.cisa.gov/cybersecurity
● Read industry-specific regulations carefully because not all facilities may fit the specific requirement: https://tinyurl.com/9z2h7y72
Select Controls
Security Controls Best Practices:
● NIST 800-171
  ■ https://tinyurl.com/wxpf45j2
Starting point for securing the enterprise
Family of security controls
CIS Critical Security Controls
● Contributed by the public
● Can help mitigate the most common and well-known threats
● Can be used in the Prepare stage to determine current security posture
https://www.cisecurity.org/controls/
Walk-through
CIS Critical Security Controls Questionnaire:
https://tinyurl.com/8adcx5kh
Payment Card Industry (PCI)
Payment Card Industry (May require hardware and information compliance)
PCI FAQ: https://tinyurl.com/3z62xw2n
Often forgotten requirement if you process, transmit, or store cardholder data (including paper information)
Compliance != Secure
● Compliance != Secure
● Complacent
Implement Controls
● Document what has been done to implement the control
● Include all stakeholders
● Systematically deploy controls
● Could break production processes
● Document the actual implementation
Implement Controls
● Vulnerability scans
● Scan a minimum of 95% of systems
● Ties into the system and software inventory
● If this is new, systematically scan small segments
Walk-through
● System Security Plan (SSP)
● “Living Document”
● NIST provides a template for creating a System Security Plan
  ○ https://tinyurl.com/yu6834td
Assess Controls
Check to be sure controls are performing as expected.
● If wifi is not allowed in your organization
  ○ Turn on a phone, tablet, or PC with wifi to see if there are strong signals
  ○ Move around the organization to pinpoint the location
● If wifi is allowed
  ○ Test for authentication
  ○ Try to access internal organizational resources
  ○ Review event logs to determine if alerts are being generated when someone connects
Document all of the above and add to security plan document
Monitoring
The forgotten control
The documentation on implementing and assessing the controls guides the monitoring
● Finding alerts, creating test users, talking to personnel should be performed periodically
Step through the controls in the security plan and assess periodically
Organizations and processes change
Risk Assessment
● Cyclical and continuous process
● Examines the risk to the organization's mission, processes, and assets
● NIST 800-30 rev 1
  ○ Guide for Conducting Risk Assessments
  ○ https://tinyurl.com/wmb7vnsy
● Evaluates the entire RMF process and its outputs
● Results of interviews, vulnerability scans, control testing
Before starting the Risk Assessment
● Social skills
● Remind them you are there to assist and be another set of eyes
● Do not blame or point fingers
● Restrain non-verbal cues
● Know what you do not know
● Write down what you do not know and get back to them
Business Impact Analysis
● Document that examines the impact to the organization's mission and processes
● Provides steps for recovery
  ○ https://www.ready.gov/business-impact-analysis
● NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems
  ○ https://tinyurl.com/2a5ydtkj
  ○ APPENDIX B, B-1 BIA Template
Walk-through
Business Impact Analysis template, a Word document from the NIST website:
https://tinyurl.com/376xzmtv
Risk Assessment Walk-through
● NIST 800-30 rev 1 Guide for Conducting Risk Assessments
  ○ https://tinyurl.com/wmb7vnsy
Brief Walk-through
● Conducting the Risk Assessment NIST 800-171A
https://tinyurl.com/4ucywrum
Spreadsheet
Assessing Security Requirements for Controlled Unclassified Information
OPTIONAL: Same spreadsheet, but has a macro to select multiple Event Sources
https://tinyurl.com/5c8k96ea
Risk Assessment Essay
https://tinyurl.com/4seruzkp
Plan of Action & Milestones
● “Living document”
● Document the weaknesses from the Risk Assessment
● Updated during the monitoring and control assessment process
Walk-through
Template for Plan of Action & Milestones
● https://tinyurl.com/23h6pak8
Conclusion
• A thorough RMF can become the baseline of a cyclical process that does not require all of these steps on a yearly basis.
• Configuration Management and control monitoring allow frequent reviews of documentation, controls, and processes
• Effectively, those allow frequent mini RAs
• The POA&M allows frequent documentation for managing identified risks
• Test your Incident Response capability, even if it is just a tabletop exercise, so everyone knows what to do