K12 Cybersecurity Roadmap

Transcript of K12 Cybersecurity Roadmap

Page 1: K12 Cybersecurity Roadmap - KINBERCON (kinbercon.org/wp-content/uploads/2018/04/k12-Cybersecurity-Roadmap.pdf)

K12 Cybersecurity Roadmap

Page 2: Introduction

Jason Brown, CISSP, Chief Information Security Officer, Merit Network, Inc.

[email protected] | @jasonbrown17 | https://linkedin.com/in/jasonbrown17

Page 3: Agenda

• Why Use the Critical Security Controls?

• The Five Critical Tenets

• Foundational Cyber Hygiene

• Pulling It All Together

• Where Do I Go Next?

Page 4: Fog of More

Compliance; Firewall; Data Loss Prevention; Risk Management Framework; Policies, Standards and Procedures; SIEM; Logs; 802.1x; Multifactor Authentication; Anti-Virus; Encryption; End User Training; Security Benchmarks; Secure Coding; Mobile Device Management

Page 5: Why Use the CSC?

• Controls are derived from actual attacks and the defenses that proved effective against them

• Laid out in priority order

• 20 control categories, each with 4 – 14 sub-controls

• Nearly all are technical controls

• The Critical Security Controls (CSC) can be supplemented by other frameworks

Page 6: The Five Critical Tenets

Page 7: What Are They?

1. Offense Informs Defense

2. Prioritize

3. Metrics

4. Continuous Diagnostics and Mitigation

5. Automation

Page 8: #1: Offense Informs Defense

• Attackers – Offense
  • What are they doing?
  • How are they doing it?
  • Is it successful?

• You – Defense
  • What was put in place to stop it?
  • How was it implemented?
  • Was it successful?

Page 9: #2: Prioritize

• Review the 20 Critical Security Controls

• Perform a gap analysis

• What is the biggest payoff for your environment?

• Put a plan together for the bigger projects

Page 10: 20 CSC (alphabetical)

• Account Monitoring and Control

• Application Software Security

• Boundary Defense

• Continuous Vulnerability Assessment and Remediation

• Controlled Access Based on the Need to Know

• Controlled Use of Administrative Privileges

• Data Protection

• Data Recovery Capability

• Email and Web Browser Protections

• Incident Response and Management

• Inventory of Authorized and Unauthorized Devices

• Inventory of Authorized and Unauthorized Software

• Limitation and Control of Network Ports, Protocols and Services

• Maintenance, Monitoring and Analysis

• Malware Defenses

• Penetration Tests and Red Team Exercises

• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

• Secure Configurations for Network Devices such as Firewalls, Routers and Switches

• Security Skills Assessment and Appropriate Training to Fill Gaps

• Wireless Access Control

Page 11: Question #1

Penetration Testing vs. Vulnerability Scanning

Page 12: Question #2

Antivirus vs. Email and Web Browser Protections

Page 13: 20 CSC (in priority order)

#1 – Inventory of Authorized and Unauthorized Devices

#2 – Inventory of Authorized and Unauthorized Software

#3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

#4 – Continuous Vulnerability Assessment and Remediation

#5 – Controlled Use of Administrative Privileges

#6 – Maintenance, Monitoring and Analysis

#7 – Email and Web Browser Protections

#8 – Malware Defenses

#9 – Limitation and Control of Network Ports, Protocols and Services

#10 – Data Recovery Capability

#11 – Secure Configurations for Network Devices such as Firewalls, Routers and Switches

#12 – Boundary Defense

#13 – Data Protection

#14 – Controlled Access Based on the Need to Know

#15 – Wireless Access Control

#16 – Account Monitoring and Control

#17 – Security Skills Assessment and Appropriate Training to Fill Gaps

#18 – Application Software Security

#19 – Incident Response and Management

#20 – Penetration Tests and Red Team Exercises

Page 14: #3: Metrics

• Provide established, common metrics for executives, IT staff, auditors and security officials

• What type of metrics should be reported on?

• Do the metrics make sense? Should established metrics be reassessed?

• Use SMART metrics
  • Specific – target a specific area for improvement
  • Measurable – quantify, or at least suggest an indicator of, success
  • Assignable – specify who will do it
  • Realistic – state what results can realistically be achieved, given the resources available
  • Time-related – specify when the results can be achieved

Page 15: Measurement Companion for CSC

Page 16: CSC Percentage Based Metrics

Page 17: #4: Continuous Diagnostics and Mitigation

• Continuous measurement to test and validate the effectiveness of current security measures
  • How well are your firewalls configured?
  • Are all your IT resources logging?
  • Did you follow up on the IPS alerts?

• These help drive the priority of next steps
  • Plan, Do, Check, Act

Page 18: #5: Automation

• Automate as much as possible
  • Configuration Management
  • Vulnerability Scanning
  • Patch Management
  • Reporting and Alerting

• Manual checks do not scale
  • However, they are still required in some instances

Page 19: Foundational Cyber Hygiene

Page 20: Foundational Cyber Hygiene

The essential first steps to a successful cyber security program

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Controlled Use of Administrative Privileges

Page 21: CSC #1

Inventory of Authorized and Unauthorized Devices

• Deploy an automated asset management tool

• Log DHCP addresses that have been assigned

• Detect unknown systems in DHCP logs

• Deploy 802.1x authentication

• Use client-based certificates for system authentication
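The "detect unknown systems in DHCP logs" step, as an added example (this is not code from the original presentation): it parses ISC dhcpd-style DHCPACK syslog lines, normalizes the MAC address formats that different tools emit, and reports every lease handed to a MAC that is absent from the authorized asset inventory. The inventory, the log lines and the host names are constructed for illustration.

```python
"""Flag DHCP leases issued to devices missing from the authorized inventory (CSC #1).

Added example; assumes ISC dhcpd syslog format
("DHCPACK on <ip> to <mac> (<hostname>) via <iface>") and an inventory keyed
by MAC address. All data below is constructed.
"""
import re
from collections import defaultdict

# Constructed authorized-asset inventory: MAC -> asset name.
AUTHORIZED = {
    "00:11:22:33:44:55": "lab-ws-01",
    "00:11:22:33:44:56": "lab-ws-02",
    "aa:bb:cc:dd:ee:01": "admin-laptop",
}

# Constructed syslog excerpt. Note the mixed MAC notations and a lease with no hostname.
DHCP_LOG = """\
Apr 10 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.5.11 to 00:11:22:33:44:55 (lab-ws-01) via eth0
Apr 10 08:01:40 dhcp1 dhcpd: DHCPACK on 10.20.5.12 to 00-11-22-33-44-56 (lab-ws-02) via eth0
Apr 10 08:03:09 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to 3c:5a:b4:12:34:56 (android-9f3) via eth0
Apr 10 08:03:15 dhcp1 dhcpd: DHCPREQUEST for 10.20.5.77 from 3c:5a:b4:12:34:56 via eth0
Apr 10 08:05:02 dhcp1 dhcpd: DHCPACK on 10.20.5.90 to 3C:5A:B4:12:34:56 via eth0
Apr 10 08:07:44 dhcp1 dhcpd: DHCPACK on 10.20.5.13 to aa:bb:cc:dd:ee:01 (admin-laptop) via eth0
Apr 10 08:09:00 dhcp1 dhcpd: DHCPACK on 10.20.5.14 to aa:bb:cc:dd:ee:02 via eth0
"""

# Only DHCPACK means a lease was actually granted; DISCOVER/REQUEST lines are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so 00-11-.. and 00:11:.. compare equal."""
    return mac.replace("-", ":").lower()


def parse_leases(log_text):
    """Return {mac: {"ips": set, "hosts": set}} built from every DHCPACK line."""
    leases = defaultdict(lambda: {"ips": set(), "hosts": set()})
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        leases[mac]["ips"].add(m.group("ip"))
        if m.group("host"):
            leases[mac]["hosts"].add(m.group("host"))
    return dict(leases)


def find_unknown_devices(leases, authorized):
    """Leases whose MAC is not in the inventory, as a list of (mac, info) sorted by MAC."""
    known = {normalize_mac(m) for m in authorized}
    return sorted(((mac, info) for mac, info in leases.items() if mac not in known),
                  key=lambda kv: kv[0])


def report(log_text=DHCP_LOG, authorized=AUTHORIZED):
    """One line per unknown device, ready for a ticket or SIEM alert."""
    lines = []
    for mac, info in find_unknown_devices(parse_leases(log_text), authorized):
        hosts = ",".join(sorted(info["hosts"])) or "<no hostname>"
        lines.append(f"UNKNOWN {mac} ips={','.join(sorted(info['ips']))} host={hosts}")
    return lines


if __name__ == "__main__":
    print(f"{len(parse_leases(DHCP_LOG))} distinct MACs received a lease")
    for line in report():
        print(line)
```

A MAC address is trivially spoofed, which is why the slide pairs this check with 802.1x and client certificates: treat a miss here as a detection signal, not an access control. Devices with static addresses never appear in DHCP logs, so a switch-table or scan-based inventory is still needed to cover them.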

Page 22: CSC #2

Inventory of Authorized and Unauthorized Software

• Maintain a list of authorized software deployed on systems

• Use application whitelisting

• Deploy a software inventory system

• Use virtual machines and air-gapped systems for highly sensitive information

Page 23: CSC #3

Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

• Establish secure configurations for operating systems and software applications

• Build a secure image and keep it safe. Reimage systems if compromised.

• Store secure images in a safe location, validate them with integrity checks, and put them under strict change management

• Perform remote administration only over secure (encrypted and authenticated) channels

• Use Active Directory Group Policy or Puppet to enforce configuration settings
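One way to implement the integrity check on stored images, added here as an example and not part of the original slides: a SHA-256 manifest over the image tree that, on verification, reports modified, missing and unexpected files rather than a single pass/fail. It assumes the image is kept as a directory tree (an unpacked deployment image, a kickstart or preseed payload, and so on); the files and the tampering in demo() are constructed.

```python
"""SHA-256 manifest build/verify for a stored golden image (CSC #3).

Added example. Assumes the image is a directory tree; demo() constructs a
tiny tree in a temporary directory and then tampers with it.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large image payloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Compare the tree against a manifest; all three lists empty means the image is intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def is_intact(result):
    return not any(result.values())


def demo():
    """Constructed scenario: manifest a clean tree, then tamper with it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF\x02\x01\x01" + b"\x00" * 9)

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Tamper: weaken a setting, remove a binary, plant a persistence file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "agent").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")
        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean image intact:", is_intact(clean))
    for kind, paths in tampered.items():
        print(f"{kind}: {paths}")
```

Keep the manifest somewhere the image store cannot write to, or sign it; otherwise whoever can alter the image can regenerate the manifest to match. Run the verify step as a gate in the change-management process and again before every reimage.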

Page 24: CSC #4

Continuous Vulnerability Assessment and Remediation

• When exploits are released, the race begins between you and the attacker
  • Who will win?

• How do I solve this?
  • Automated vulnerability scans against all resources
  • Use authenticated scans
  • Deploy automated patch management tools
  • Rate vulnerability risks within the environment
    • DMZ
    • Internal
    • Servers vs desktops

Page 25: Evaluating Vulnerabilities

• Common Vulnerabilities and Exposures (CVE)
  • CVE ID
  • Description
  • Public advisories or references

• Common Vulnerability Scoring System (CVSS)
  • Scores are published by NIST in the National Vulnerability Database (NVD); the CVSS standard itself is maintained by FIRST
  • An open framework for communicating the characteristics and impacts of IT vulnerabilities

Rating     Score        Patch
High       7.0 – 10.0   Within 30 days
Moderate   4.0 – 6.9    Within 60 days
Low        0.0 – 3.9    Within 90 days

Note: these bands follow CVSS v2. CVSS v3 adds a Critical band (9.0 – 10.0) that a v3-based schedule should give its own, shorter window.
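A worked example of rating vulnerabilities "within the environment" and turning the result into a percentage metric of the kind the metrics tenet (slide 14) and the percentage-based metrics slide call for. It is added here and is not from the original deck. It applies the patch table above, shortens the window for DMZ and server assets (the multipliers are an assumption), and computes the share of closed findings that were fixed inside their window. The findings are constructed.

```python
"""Patch-SLA triage and an SLA-compliance percentage metric (CSC #4, metrics tenet).

Added example. Findings are a flat list like a scanner export would give:
host, zone, role, CVSS base score, date found, date fixed (or None).
"""
import math
from datetime import date, timedelta

# Patch windows from the slide's table (CVSS v2-style bands).
SLA_DAYS = {"High": 30, "Moderate": 60, "Low": 90}

# "Rate within environment": exposed and server-class assets get a shorter window.
# These multipliers are an assumption for illustration, not from the slides.
ZONE_FACTOR = {"dmz": 0.5, "internal": 1.0}
ROLE_FACTOR = {"server": 0.5, "desktop": 1.0}


def rating(score):
    """Map a CVSS base score onto the slide's High/Moderate/Low bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Moderate"
    return "Low"


def deadline(found, score, zone="internal", role="desktop"):
    """Due date = found + SLA window scaled by zone and role (fractions round up)."""
    days = SLA_DAYS[rating(score)] * ZONE_FACTOR[zone] * ROLE_FACTOR[role]
    return found + timedelta(days=math.ceil(days))


def triage(findings, today):
    """Annotate each finding with rating, due date and status; overdue items sort first."""
    out = []
    for f in findings:
        due = deadline(f["found"], f["cvss"], f["zone"], f["role"])
        fixed = f.get("fixed")
        if fixed is None:
            status = "overdue" if today > due else "open"
        else:
            status = "fixed_on_time" if fixed <= due else "fixed_late"
        out.append({**f, "rating": rating(f["cvss"]), "due": due, "status": status})
    return sorted(out, key=lambda r: (r["status"] != "overdue", r["due"]))


def sla_metric(triaged):
    """Percentage of closed findings fixed within their window (a CSC-style percentage metric)."""
    closed = [r for r in triaged if r["status"].startswith("fixed")]
    if not closed:
        return 0.0
    on_time = sum(1 for r in closed if r["status"] == "fixed_on_time")
    return round(100.0 * on_time / len(closed), 1)


# Constructed sample data.
TODAY = date(2018, 4, 10)
FINDINGS = [
    {"id": "F-1", "host": "web1", "zone": "dmz", "role": "server", "cvss": 9.8,
     "found": date(2018, 3, 1), "fixed": date(2018, 3, 10)},
    {"id": "F-2", "host": "fs1", "zone": "internal", "role": "server", "cvss": 7.5,
     "found": date(2018, 3, 1), "fixed": date(2018, 3, 14)},
    {"id": "F-3", "host": "lab-ws-03", "zone": "internal", "role": "desktop", "cvss": 5.0,
     "found": date(2018, 1, 15), "fixed": None},
    {"id": "F-4", "host": "lab-ws-04", "zone": "internal", "role": "desktop", "cvss": 2.1,
     "found": date(2018, 3, 25), "fixed": None},
    {"id": "F-5", "host": "web2", "zone": "dmz", "role": "server", "cvss": 8.1,
     "found": date(2018, 3, 1), "fixed": date(2018, 3, 5)},
]

if __name__ == "__main__":
    rows = triage(FINDINGS, TODAY)
    for r in rows:
        print(f"{r['status']:14} {r['rating']:9} due {r['due']} {r['host']} ({r['id']})")
    print(f"fixed within SLA: {sla_metric(rows)}%")
```

The zone and role multipliers encode the slide's DMZ/internal and servers-vs-desktops split; tune them to the district's risk appetite, then state the resulting percentage in SMART form (the number, who owns it, and by when it should reach a target).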

Page 26: CSC #5

Controlled Use of Administrative Privileges

• Only use administrative accounts when required

• Use automated tools to inventory all administrative accounts

• Change system default passwords

• Use multifactor authentication for all administrative access

• Use a dedicated machine for all administrative tasks

Page 27: Double Up on Controls!

• Store hardware, software and data classification in one system
  • CSC 1 – Inventory authorized and unauthorized hardware
  • CSC 2 – Inventory authorized and unauthorized software
  • CSC 13 – Data Protection
  • CSC 15 – Wireless Access Control

• Use the same site for IT resource benchmarks
  • CSC 3 – Secure configurations for laptops, servers, mobile devices
  • CSC 11 – Secure configurations for network and firewall equipment

• Log, monitor and alert from one SIEM or log management system
  • CSC 6 – Maintenance, monitoring and analysis
  • CSC 16 – Account monitoring and control

Page 28: Supplemental Documents

• Excel spreadsheet with the controls

• Center for Internet Security companion guides
  • Internet of Things
  • Mobile Security
  • Privacy Impact
  • Measurement

Page 29: Where Do I Go Next?

Page 30: Where Do I Go From Here?

Page 31: Framework Core

Functions – Categories – Subcategories – Informative References

• Identify (ID)
  • Asset Management (ID.AM)
    • Physical devices and systems within the organization are inventoried (ID.AM-1)
      • NIST SP 800-53 CM-8
      • ISO 27001:2013 A.8.1.1, A.8.1.2
    • Software platforms and applications within the organization are inventoried (ID.AM-2)

• Protect (PR)
  • Access Control (PR.AC)

• Detect (DE)

• Respond (RS)

• Recover (RC)

Page 32: Framework Tiers

Tiers are based upon the maturity of the organization's risk management processes

• Tier 1: Partial
  • Risk management is ad hoc, implemented on a case-by-case basis
  • Organization has limited awareness of cybersecurity risk

• Tier 2: Risk Informed
  • Risk management practices are approved by management but not established as policy
  • Organization is aware of risk, but no formal approach has been established

• Tier 3: Repeatable
  • Organizational risk management practices are formally approved and expressed as policy

• Tier 4: Adaptive
  • Risk management is adaptive, changing based upon current threats and posture

Page 33: Framework Profile

• Two parts (can be more)
  • Current state profile
  • Future (target) state profile

• Assess present security posture to develop the current profile

• Align functions, categories and subcategories with business requirements, risk tolerance and resources

• Develop a plan of action and milestones (POA&M) document to achieve yearly initiatives and goals

Page 34: CIS CSC to NIST CSF

Page 35: Roadmap

• Next week
  • Download the CIS benchmarks and controls documentation for review

• Over the next 3 months
  • Download the CIS-CAT Lite tool set and begin scanning a few systems within the environment
  • https://www.cisecurity.org/cybersecurity-tools/

• Over the next 6 months
  • Purchase the full suite, giving you access to all the scanning tools and hardened OS images

Page 36: General Discussion and Questions

Page 37: Thank You

www.merit.edu | 734.527.5700

1000 Oakbrook Drive, Suite 200, Ann Arbor, Michigan 48104-6794