Send in the Marines! - CAJPA Conference, Sep 09, 2016

Page 1

SEPTEMBER 13-16, 2016 SOUTH LAKE TAHOE, CA

Send in the Marines! FEDERAL OVERSIGHT AND THE ALPHABET SOUP OF CYBER SECURITY

Page 2

A State of (in)Security

Page 3

A State of (in)Security

2015 topped the charts with the most data loss events reported in a single year, with over 4,200 publicly disclosed breaches. 2016 is on pace to match it and has already exposed over 1.5B records.

Source: Cyber Risk Analytics, Risk Based Security

Page 4

Everyone Has Something of Value!

Set of business application account credentials in the Brazilian Underground: $155 - $193

Set of entertainment site credentials in the Chinese Underground: $325

Set of credit card credentials in the Russian Underground: $4

A combination of phone number, work email address and social media credentials: Brazil: $1,931 China: $145 Russia: $200

A State of (in)Security

Source: http://www.trendmicro.com/vinfo/us/security/special‐report/cybercriminal‐underground‐economy‐series/global‐black‐

Page 5

A State of (in)Security

Source: VulnDB

Page 6

A State of (in)Security

So many vulnerabilities, in fact, it’s difficult to keep up

Searching Shodan.io, there are 224,858 Internet connected systems still vulnerable to Heartbleed. 

Page 7

A State of (in)Security

Networks, systems and the methods we use to access them are growing in complexity, not shrinking

Page 8

A State of (in)Security

Questionable coding and development practices, especially when it comes to emerging technologies 

Page 9

A State of (in)Security

Even the best security can’t always overcome basic human nature

Page 10

A State of (in)Security

Bottom line: Security pros are being asked to “get it right” all day, every day. Hackers only need to be right once to win

Page 11

A State of Security

How do we shift the odds in our favor?

By focusing on how to best manage the risk through the use of formalized and systematic security standards and frameworks

Page 12

Standards

The Beauty of Standards is That There Are So Many to Choose From

Page 13

A Closer Look At Security Frameworks

Tried and True:

HIPAA/HITECH Security Rules

FFIEC

ISO/IEC 27001/2

COBIT

NIST SP-800 53

ITIL

PCI - Data Security Standard

Fairly New:

NIST – Framework for Improving Critical Infrastructure (Introduced 2014)

CISA – Cybersecurity Information Sharing Act, Section 405 of Title IV, directing HHS to create best practices standards under HIPAA (Effective January 2016)

Page 14

Information Security Frameworks 

Descriptive Models Allow Discretion In The Selected Controls

Prescriptive Models Detail Required Mitigation

Page 15

NIST Cybersecurity Framework

NIST Cybersecurity Framework

“Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013.

“The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure”

Source: http://www.nist.gov/cyberframework/ 

Page 16

NIST Cybersecurity Framework

What, exactly, is “Critical Infrastructure”?

Page 17

NIST Cybersecurity Framework

Does this apply to us?

Excellent question!  

“The Executive Order tasked NIST to design the Framework for voluntary use by private sector organizations that are part of the critical infrastructure”

Page 18

NIST Cybersecurity Framework

Core • Activities & Outcomes

Tiers • Degree of Adoption & Process Maturity

Profile • Degree of Alignment With Objectives

Page 19

NIST CyberSecurity Framework

Function • 5 Distinct Function Groups

Category • 22 Security Domains

Subcategory • 98 Objectives

Page 20

Framework Core ‐ Functions

Identify • Develop the organizational understanding to manage security risk to systems, assets, data and capabilities

Protect • Develop & implement appropriate safeguards

Detect • Develop & implement activities needed to identify a security event

Respond • Taking action in response to a detected security event

Recover • Maintain plans for resilience and restore services

Page 21

Implementation Tiers

Applicable to the organization’s cyber risk strategy and risk mitigation processes

Page 22

Framework Profile

Current Profile vs Target Profile

Aligning Core items with business requirements, risk tolerance and available resources to create a roadmap toward reducing information security risk
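The Current Profile vs Target Profile comparison on this slide is what produces the roadmap. The following is an added worked example, not part of the presentation and not NIST's own tooling: it scores a handful of Core subcategories against a current and a target state, weights the ones that protect the most critical assets, and caps the roadmap so the program does not take on too much at once. The five subcategory IDs are real NIST CSF v1.x identifiers; scoring each subcategory on the four Implementation Tier levels (the deck applies Tiers to the organization as a whole) and the weighting scheme are assumptions of this example.

```python
from dataclasses import dataclass

# Implementation Tier names from NIST CSF v1.x: 1 = Partial ... 4 = Adaptive.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Subcategory:
    id: str       # e.g. "ID.AM-1"; the prefix before the dot names the Function
    outcome: str

    @property
    def function(self) -> str:
        return self.id.split(".")[0]


# Constructed subset of the Core: five of the 98 subcategories, one per Function.
CORE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried"),
    Subcategory("PR.AC-1", "Identities and credentials are managed"),
    Subcategory("DE.CM-1", "The network is monitored to detect potential events"),
    Subcategory("RS.RP-1", "Response plan is executed during or after an incident"),
    Subcategory("RC.RP-1", "Recovery plan is executed during or after an incident"),
]


def gap_analysis(current, target, weights=None):
    """Compare a Current Profile with a Target Profile.

    current / target map subcategory id -> maturity (1..4). A subcategory
    missing from current is scored 1 (Partial); one missing from target is
    assumed to need no change. weights (id -> float) lets subcategories that
    protect the most critical assets outrank others with the same raw gap.
    """
    weights = weights or {}
    rows = []
    for sub in CORE:
        cur = current.get(sub.id, 1)
        tgt = target.get(sub.id, cur)
        for value, label in ((cur, "current"), (tgt, "target")):
            if value not in TIERS:
                raise ValueError(f"{sub.id}: {label} maturity {value} is outside 1..4")
        gap = max(tgt - cur, 0)          # already above target -> no work needed
        rows.append({
            "id": sub.id, "function": sub.function,
            "current": cur, "target": tgt, "gap": gap,
            "priority": gap * weights.get(sub.id, 1.0),
        })
    rows.sort(key=lambda r: (-r["priority"], r["id"]))
    return rows


def roadmap(rows, max_items):
    """The first max_items gaps to fund; deliberately capped, since
    'Taking On Too Much At Once' is one of the listed failure signs."""
    return [r["id"] for r in rows if r["gap"] > 0][:max_items]


def function_summary(rows):
    """Average current and target maturity per Function, for leadership reporting."""
    per_function = {}
    for r in rows:
        bucket = per_function.setdefault(r["function"], {"current": [], "target": []})
        bucket["current"].append(r["current"])
        bucket["target"].append(r["target"])
    return {
        f: (sum(b["current"]) / len(b["current"]), sum(b["target"]) / len(b["target"]))
        for f, b in per_function.items()
    }


if __name__ == "__main__":
    # Constructed profiles for a small pool (not real assessment data).
    current = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 1, "RS.RP-1": 2}
    target = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}
    rows = gap_analysis(current, target, weights={"PR.AC-1": 2.0})
    for r in rows:
        print(f"{r['id']:<8} {TIERS[r['current']]:<14} -> {TIERS[r['target']]:<14} "
              f"gap={r['gap']} priority={r['priority']}")
    print("Roadmap (next 3):", roadmap(rows, 3))
    print("Per function (current, target):", function_summary(rows))
```

With the constructed profiles, credential management (PR.AC-1) tops the roadmap even though network monitoring (DE.CM-1) has the same two-level gap, because it was weighted as protecting the most critical assets; the per-function summary is the shared-language view a board or pool committee can follow without reading 98 subcategories.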

Page 23

NIST Cybersecurity Framework

Details Worth Knowing

Entirely voluntary at this point, even if you’re a provider of Critical Infrastructure

The framework is intended to be a “living document”, to be  updated and modified over time

There is no clear mechanism for sharing threat intelligence, but it is encouraged 

Conformity assessments are also encouraged, but no methodology has been established as yet

Page 24

Why Should We Do This?

Survey Says? Best Practices Are IN!

PWC Global State of Information Security 2016 Study

Page 25

Why Should We Do This?

The #1 Benefit: Shared Language For Talking About Acceptable Risk!

Page 26

Where Do We Start?

Best Practices

Take Care Of The Security Basics!

Understand what are the most critical assets and how they are at risk

Make sure everyone is on the same page with a documented program

Have a plan should the worst happen

Page 27

The Basics

When it comes to setting priorities for controls, the SANS 20 Critical Security Controls for Effective Cyber Defense is an excellent reference.

www.sans.org/critical‐security‐controls

Page 28

The Basics

Security 101 – Taking Care of the Basics

Vulnerability Scans

◦ Routine testing of web applications, external and internal network to uncover overlooked weaknesses, missed patches and misconfigurations

◦ Like going to the doctor ‐ should be checked out every year

Page 29

The Basics

Vulnerability Scan or Pen Test?

It’s the same thing, right?

Page 30

Moving Beyond the Basics

No matter the framework or standard, the process must start with a risk assessment

Page 31

Risk Assessment

Risk Assessment Method

1. Identify & Value Assets

2. Identify Threats & Vulnerabilities

3. Assess The Impact

4. Identify Controls to Mitigate the Risk

5. Identify Residual Risk & Determine if Acceptable

6. IMPLEMENT THE PLAN!
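The risk assessment method on this slide is a sequence of steps, not a formula, and the deck does not prescribe how to score anything. The following is an added example, not the presenter's material, that walks one register row through those steps: value the asset, rate the threat's likelihood and impact, apply candidate controls, compute residual risk and compare it with a stated risk appetite. The 1-to-5 qualitative scales, the multiplicative score, the per-control reductions and the sample figures are all assumptions of this example.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # qualitative 1 (low) .. 5 (high); an assumption of this example


@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # business value, from "Identify & Value Assets"


@dataclass(frozen=True)
class Threat:
    description: str  # the threat and the vulnerability it exploits
    likelihood: int   # how likely it is to occur in a year
    impact: int       # damage if it does, from "Assess The Impact"


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood
    impact_reduction: int = 0      # points removed from impact
    annual_cost: float = 0.0


def _check_scale(label, value):
    if value not in SCALE:
        raise ValueError(f"{label} must be 1..5, got {value}")


def risk_score(likelihood, impact, asset_value):
    """Inherent or residual risk = likelihood x impact x asset value (1..125)."""
    for label, v in (("likelihood", likelihood), ("impact", impact), ("asset value", asset_value)):
        _check_scale(label, v)
    return likelihood * impact * asset_value


def residual_factors(threat, controls):
    """Apply controls; neither factor drops below 1, since no control removes risk entirely."""
    likelihood = max(1, threat.likelihood - sum(c.likelihood_reduction for c in controls))
    impact = max(1, threat.impact - sum(c.impact_reduction for c in controls))
    return likelihood, impact


def assess(asset, threat, controls, appetite):
    """One risk-register row: inherent risk, residual risk after controls, whether the
    residual is within appetite, and what each point of risk removed costs per year."""
    inherent = risk_score(threat.likelihood, threat.impact, asset.value)
    likelihood, impact = residual_factors(threat, controls)
    residual = risk_score(likelihood, impact, asset.value)
    cost = sum(c.annual_cost for c in controls)
    reduction = inherent - residual
    return {
        "asset": asset.name,
        "threat": threat.description,
        "inherent": inherent,
        "residual": residual,
        "acceptable": residual <= appetite,
        "annual_cost": cost,
        "cost_per_point": (cost / reduction) if reduction else None,
    }


if __name__ == "__main__":
    # Constructed register entry; none of these figures come from a real assessment.
    claims_db = Asset("Claims database", value=5)
    phish = Threat("Credential theft via phishing of remote users", likelihood=4, impact=4)
    appetite = 25   # highest residual score leadership has agreed to carry

    first_pass = [
        Control("MFA on remote access", likelihood_reduction=2, annual_cost=12_000),
        Control("Encrypted, quarterly-tested backups", impact_reduction=1, annual_cost=8_000),
    ]
    row = assess(claims_db, phish, first_pass, appetite)
    print(row)   # residual 30 > appetite 25: not acceptable, loop back to step 4

    second_pass = first_pass + [
        Control("Security awareness training", likelihood_reduction=1, annual_cost=5_000),
    ]
    row = assess(claims_db, phish, second_pass, appetite)
    print(row)   # residual 15 <= 25: acceptable, implement the plan
```

The point of the loop is step 5: the first set of controls brings an inherent score of 80 down to 30, which still exceeds the agreed appetite, so the assessment goes back to step 4 rather than straight to implementation. The cost-per-point figure is what "Cost Effective Relative to the Risk" looks like in a register, and it lets two candidate control sets be compared on the same footing.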

Page 32

Risk Assessment 

Why it matters

It provides the foundation for understanding:

• Which are the most critical assets;

• What is an acceptable level of risk to each asset; and

• Evaluating recommended practices against the actual need for controls.

Page 33

Document The Security Program

Getting Everyone On The Same Page

Most frameworks require written policies

Should be established by leadership

Communicated to everyone that needs to know

Regularly reviewed

Page 34

What About Vendors?

Let’s outsource IT! 

They promise great security!

Page 35

What About Vendors?

Recent Breaches at Technology Service Providers

Oracle MICROS POS customer support portal 8/8/2016

Malicious code leads to unknown number of usernames and passwords compromised, possibly allowing remote access to customer POS systems

Ubuntu (open source cloud-based OS software) 7/15/2016

2M Forum account holders’ usernames, email addresses and IP addresses compromised by SQL injection

Automation Integrated LLC 7/12/2016

Details on internal security, surveillance and alarm systems for banks and OK Dept of Public Safety exposed due to database misconfiguration

PilotFish Technology 7/12/2016

“The Dark Overlord” offers up for sale source code, software signing keys and customer licensing database for Level Seven integration middleware

Datadog Inc 7/8/2016

Monitoring and analytics service resets credentials after unauthorized activity detected on servers, impacting clients such as Salesforce, Citrix and the New York Times

Page 36

What About Vendors?

Using third party services doesn’t transfer the security burden, it changes it

We must demand better security from all of our vendors!

Take the time to evaluate software & services

◦ Define requirements in agreements

◦ New features are great, but not at the expense of a breach

◦ Vote with $$; select vendors that take security seriously

Page 37

Incident Response

Developing a controlled approach to incident response is included in most ‘best practice’ frameworks

Page 38

Incident Response

Benefits of Planning Ahead

A roadmap to follow in the midst of chaos

It saves money in the long run 

Can be used to identify trigger points for escalating the event AND help map to most critical insurance needs! 

Page 39

Incident Response

Event Response, Incident Response, Breach Response. It’s all the same thing, Right?

Page 40

Incident Response

Security Incident

Can be any event that impacts:

• the availability of critical data and systems;

• the integrity of data; or

• the confidentiality of non‐public information

Breach Response

The primary focus of most cyber insurance coverage offered by pools and insurers; tends to refer more narrowly to unauthorized activity and compromise of personally identifiable information

Page 41

Incident Response

Why It Matters

Verizon DBIR 2015 Report

Page 42

Incident Response

Event • Something has occurred but handled automatically or not yet fully investigated

Vulnerability • Event was analyzed and a weakness discovered that COULD lead to a compromise or business impact

Incident • Reasonable probability data was exposed but risk-of-harm to individuals not likely, or clear impact on business operations

Breach • Data has been exposed and there is a high potential for misuse, and/or harm to persons is reasonably likely

Incident response planning starts with a process for evaluating security events

Got Cyber Cover? Time to report it!

Page 43

Incident Response 

Response Plans Should Include

A security incident management policy

A designated point person to lead the effort

Establishes who is a part of the incident response team

Includes a key contact list (internal and external)

Defines a communication plan (what, by whom, to whom, when & how)

Includes training for IRT members in roles and responsibilities

Conducting incident response exercises

Page 44

Incident Response

A mature incident response process also includes a method for collecting event information in order to learn and improve

Learn • Apply • Improve

Page 45

Security Events and Threat Sharing

Looking Ahead

Page 46

Cyber Security Information Sharing Act 

Key Facts To Know:

A system for voluntary sharing of cyber security information between private entities and the federal government

Department of Homeland Security (DHS) will act as the central hub for information sharing

Requires the sharing of information in real time

Launched sharing portal on 3/17; 6 companies currently enrolled

Page 47

Cyber Security Information Sharing Act 

Pros: It’s a start, and we need to start somewhere

Sharing can help identify where attackers came from and what their methods look like

cyber threat indicators (CTIs): the tactics, techniques, and procedures used by malicious actors to compromise the computer networks of their victims

Page 48

Cyber Security Information Sharing Act 

Cons: Can’t fix bad security practices

Won’t catch zero‐days ‐ or previously unknown malware

Protections may not be enough incentive to share the gory details of a security failure

High degree of sophistication needed to participate

Page 49

Cyber Security Information Sharing Act 

What can we take from CISA?

A Lot, Actually

Pooling community is UNIQUE

Shared purpose

Shared constituencies

Many commonly used vendors, applications, services

Page 50

Some Observations From The Trenches

Regardless of how extensive the security program or number of controls, the best security programs share seven traits.

Page 51

A Program At Its Best Is: 

1. An Integral Component of Organization Management

2. Comprehensive & Integrated Throughout the Business

3. Supports the Mission of the Business

4. Sensitive to Social Factors

5. Cost Effective Relative to the Risk

6. Responsibility and Accountability Is Explicit 

7. Periodically Reassessed and Refined

Page 52

A Program At Its Worst:  

Likewise, there are some signs the program might fall short

1. Done to Check a Box

2. Not Including a Risk Assessment

3. Treating All Information Equally

4. Not Following Through

5. Taking On Too Much At Once

Page 53

“Ultimately, security is about people – not technology.”

Foundations of Information Privacy and Data Protection

P. Swire & K. Ahmed, 2012

Page 54

Inga [email protected] @AnalogGirl11

Thank You For Attending The Session!