
Post on 08-Jun-2020


TRANSCRIPT

Send in the Marines! Federal Oversight and the Alphabet Soup of Cyber Security

Inga Goddijn, CIPP/US

Risk Based Security

N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y

A State of (in)Security


2015 topped the charts with the most data loss events reported in a single year, with over 4,000 publicly disclosed breaches.

Source: Cyber Risk Analytics, Risk Based Security


A State of (in)Security

Everyone Has Something of Value!

Set of business application account credentials in the Brazilian Underground:

$155 - $193

Set of entertainment site credentials in the Chinese Underground:

$325

Set of credit card credentials in the Russian Underground:

$4

A combination of phone number, work email address and social media credentials:

Brazil: $1,931 China: $145 Russia: $200

Source: http://www.trendmicro.com/vinfo/us/security/special-report/cybercriminal-underground-economy-series/global-black-


A State of (in)Security

Source: VulnDB


A State of (in)Security

So many vulnerabilities, in fact, that it’s difficult to keep up.

Searching Shodan.io, there are 224,858 Internet-connected systems still vulnerable to Heartbleed.


A State of (in)Security

Networks, systems and the methods we use to access them are growing in complexity, not shrinking.


A State of (in)Security

Questionable coding and development practices, especially when it comes to emerging technologies.


A State of (in)Security

Even the best security can’t always overcome basic human nature.


A State of (in)Security

Bottom line: Security pros are being asked to “get it right” all day, every day. Hackers only need to be right once to win.


A State of Security

How do we shift the odds in our favor?

By focusing on how to best manage the risk through the use of formalized and systematic security standards and frameworks.


Standards

The Beauty of Standards is That There Are So Many to Choose From


A Closer Look At Security Frameworks

Some standards have been with us for many years:

HIPAA/HITECH Security Rules

FFIEC

ISO/IEC 27001/2

COBIT

NIST SP-800 53

ITIL

PCI - Data Security Standard

While some are very new:

NIST – Framework for Improving Critical Infrastructure (Introduced 2014)

CISA – Cybersecurity Information Sharing Act, Section 405 of Title IV, directing HHS to create best practices standards under HIPAA (Effective January 2016)


Information Security Frameworks

Descriptive Models Allow Discretion In The Selected Controls

Prescriptive Models Detail Required Mitigation

NIST Cybersecurity Framework

“Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013.

“The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure”

Source: http://www.nist.gov/cyberframework/


NIST Cybersecurity Framework

What, exactly, is “Critical Infrastructure”?


NIST Cybersecurity Framework

Does this apply to our members?

Excellent question!

“The Executive Order tasked NIST to design the Framework for voluntary use by private sector organizations that are part of the critical infrastructure”


NIST Cybersecurity Framework

• Core – Activities & Outcomes

• Tiers – Degree of Adoption & Process Maturity

• Profile – Degree of Alignment With Objectives


NIST CyberSecurity Framework

Function • 5 Distinct Function Groups

Category • 22 Security Domains

Subcategory • 98 Objectives


Framework Core - Functions

• Identify – Develop the organizational understanding to manage security risk to systems, assets, data and capabilities

• Protect – Develop & implement appropriate safeguards

• Detect – Develop & implement activities needed to identify a security event

• Respond – Take action in response to a detected security event

• Recover – Maintain plans for resilience and restore services


Implementation Tiers

Applicable to the organization’s cyber risk strategy and risk mitigation processes.


Framework Profile

Current Profile vs Target Profile

Aligning Core items with business requirements, risk tolerance and available resources to create a roadmap toward reducing information security risk.


NIST Cybersecurity Framework

Details Worth Knowing

Entirely voluntary at this point, even if you’re a provider of Critical Infrastructure.

The framework is intended to be a “living document”, to be updated and modified over time.

There is no clear mechanism for sharing threat intelligence, but it is encouraged.

Conformity assessments are also encouraged, but no methodology has been established as yet.

ISO27001/2:2013

Information Security Management System


ISO 27001/2:2013

Management of the Security System

Control Objectives & Corresponding Controls


ISO 27001/2:2013

Management Domains

• Security in Organizational Context

• Leadership

• Planning

• Support

• Operation

• Risk Treatment

• Performance Evaluation

• Improvement


ISO27001/2:2013

Control Domains

• Information Security Policies

• Organization of Information Security Practices

• Human Resources Security

• Asset Management

• Access Control

• Cryptography

• Physical Security

• Operations Security

• Communications Security

• System Acquisition, Development and Maintenance

• Supplier Relationships

• Incident Management

• Business Continuity Management

• Compliance


ISO27001/2:2013

Principles

Policies

Controls

Process

How Do We Put This To Work for Us?


Why Should We Do This?

Survey Says? Best Practices Are IN!

PWC Global State of Information Security 2016 Study


Why Should We Do This?

The #1 Benefit: Shared Language For Talking About Acceptable Risk!


Where Do We Start?

Best Practices

Take Care Of The Security Basics!

Understand what the most critical assets are and how they are at risk.

Make sure everyone is on the same page with a documented program.

Have a plan should the worst happen.


The Basics

When it comes to setting priorities for controls, the SANS 20 Critical Security Controls for Effective Cyber Defense is an excellent reference.

www.sans.org/critical-security-controls


The Basics

Security 101 – Taking Care of the Basics

Vulnerability Scans

– Routine testing of web applications and the external and internal network to uncover overlooked weaknesses, missed patches and misconfigurations

– Like going to the doctor – should be checked out every year


The Basics

Vulnerability Scan or Pen Test?

It’s the same thing, right?


Moving Beyond the Basics

No matter the framework or standard, the process must start with a risk assessment.


Risk Assessment

Risk Assessment Method

1. Identify & Value Assets

2. Identify Threats & Vulnerabilities

3. Assess The Impact

4. Identify Controls to Mitigate the Risk

5. Identify Residual Risk & Determine if Acceptable

6. IMPLEMENT THE PLAN!


Risk Assessment

Information Assets & Criticality

• Critical Network Hardware

• Applications

• Data Center

• Student Records

• HR Records / Payroll

• Contracts

Vulnerabilities & Likelihood

• Hackers

• Lost Equipment

• Outdated Systems

• No Redundancy

• Employee Error

• Power Outage

• Flood / Fire / Tornado

Severity x Probability = Risk Score

• Likelihood of the event (x) the severity of the damage if it happens = risk score

• Rated Low, Moderate or High on a scale of 1-10
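The scoring method on this slide, worked through as an added example (this code is not from the presentation or from Risk Based Security). It builds a small risk register from constructed sample entries that reuse the asset and threat names above, scores each entry as likelihood x severity on the 1-10 scale, buckets the product into Low / Moderate / High, ranks the register, and then re-scores one entry with a control in place to show the residual-risk step of the method. The bucket thresholds (20 and 50) and the sample ratings are assumptions; the slides give no cut-offs.

```python
"""Added example: a minimal risk register applying "Severity x Probability = Risk Score".

Not code from the slides. Thresholds, sample ratings and risk appetite are assumed values.
"""
from dataclasses import dataclass

# Assumed bucket boundaries on the 1-100 product range (the slides state none).
LOW_MAX = 20
MODERATE_MAX = 50


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    likelihood: int  # 1-10: probability the event occurs
    severity: int    # 1-10: damage if it happens


def risk_score(likelihood: int, severity: int) -> int:
    """Likelihood (x) severity, after checking both factors sit on the 1-10 scale."""
    for name, value in (("likelihood", likelihood), ("severity", severity)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be on the 1-10 scale, got {value}")
    return likelihood * severity


def risk_level(score: int) -> str:
    """Map a product score to the slide's Low / Moderate / High labels."""
    if score <= LOW_MAX:
        return "Low"
    if score <= MODERATE_MAX:
        return "Moderate"
    return "High"


def rank_register(items):
    """Score every item and return (asset, threat, score, level) tuples, highest risk first."""
    scored = [(risk_score(i.likelihood, i.severity), i) for i in items]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(item.asset, item.threat, score, risk_level(score)) for score, item in scored]


def residual_risk(item: RiskItem, likelihood_after: int, severity_after: int, risk_appetite: int):
    """Step 5 of the method: re-score with a control in place and test against the appetite."""
    before = risk_score(item.likelihood, item.severity)
    after = risk_score(likelihood_after, severity_after)
    return {"before": before, "after": after, "acceptable": after <= risk_appetite}


# Constructed sample register; asset and threat names are taken from the slide,
# the ratings are invented for illustration.
SAMPLE_REGISTER = [
    RiskItem("Student Records", "Hackers", likelihood=7, severity=9),
    RiskItem("Data Center", "Power Outage", likelihood=5, severity=6),
    RiskItem("Laptops", "Lost Equipment", likelihood=6, severity=3),
    RiskItem("Applications", "Outdated Systems", likelihood=8, severity=7),
    RiskItem("Contracts", "Flood / Fire / Tornado", likelihood=1, severity=8),
]


if __name__ == "__main__":
    for asset, threat, score, level in rank_register(SAMPLE_REGISTER):
        print(f"{asset:16} {threat:24} {score:3}  {level}")
    # Assumed control: patching/hardening lowers the likelihood for Student Records from 7 to 3;
    # the severity of a breach is unchanged. Assumed risk appetite: 30.
    print(residual_risk(SAMPLE_REGISTER[0], likelihood_after=3, severity_after=9, risk_appetite=30))
```

Ranking the register is what turns the slide's two lists into priorities: the highest products are where control selection (step 4) starts, and the residual score is what leadership accepts or rejects (step 5).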


Risk Assessment

Why it matters

It provides the foundation for understanding:

• Which are the most critical assets;

• What is an acceptable level of risk to each asset; and

• Evaluating recommended practices against the actual need for controls.


Document The Security Program

Getting Everyone On The Same Page

Most frameworks require written policies

Should be established by leadership

Communicated to everyone that needs to know

Regularly reviewed


What About Vendors?

Let’s outsource IT! They promise great security!


What About Vendors?

Recent Breaches at Technology Service Providers

Fortinet, firewall maker – 1/12/2016: hard-coded backdoor access discovered, and credentials for exploiting the weakness published online

Linode, cloud hosting service – 1/5/2016: usernames, email addresses and hashed passwords visible on an external server

QS Unisolution, educational SaaS – 1/6/2016: over 1,000 students’ PII exposed due to a site misconfiguration

NGP VAN, voter database management service – 12/18/2015: a programming error allowed confidential voter metrics belonging to the Clinton campaign to be accessed by members of the Sanders campaign

WPEngine, website hosting service – 12/12/2015: a hacker exposes up to 150,000 user passwords


What About Vendors?

Using third party services doesn’t transfer the security burden, it changes it

• We must demand better security from all of our vendors!

• Take the time to evaluate software & services

– Define requirements in agreements

– New features are great, but not at the expense of a breach

– Vote with $$; select vendors that take security seriously


Incident Response

Developing a controlled approach to incident response is included in most ‘best practice’ frameworks.


Incident Response

Benefits of Planning Ahead

• A roadmap to follow in the midst of chaos

• It saves money in the long run

• Can be used to identify trigger points for escalating the event AND help map to the most critical insurance needs!


Incident Response

Event Response, Incident Response, Breach Response. It’s all the same thing, right?


Incident Response

A “security incident” can be any event that impacts: the availability of critical data and systems; the integrity of data; or the confidentiality of non-public information.

“Breach response”, the primary focus of most cyber insurance coverage offered by pools and insurers, tends to refer more narrowly to unauthorized activity and compromise of personally identifiable information.


Incident Response

Why It Matters

Verizon DBIR 2015 Report


Incident Response

Event

• Something has occurred but handled automatically or not yet fully investigated

Vulnerability

• Event was analyzed and a weakness discovered that COULD lead to a compromise or business impact

Incident

• Reasonable probability data was exposed but risk-of-harm to individuals not likely or clear impact on business operations

Breach

• Data has been exposed and there is a high potential for misuse, and/or harm to persons is reasonably likely

Incident response planning starts with a process for evaluating security events

Got Cyber Cover? Time to report it!


Incident Response

Response Plans Should Include

• A security incident management policy

• A designated point person to lead the effort

• Establishes who is a part of the incident response team

• Includes a key contact list (internal and external)

• Defines a communication plan (what, by whom, to whom, when & how)

• Includes training for IRT members in roles and responsibilities

• Conducting incident response exercises


Incident Response

A mature incident response process also includes a method for collecting event information in order to learn and improve.

Learn → Apply → Improve


Incident Response

Lessons Learned

• Look for the root cause – not just the symptoms

• What actions would prevent recurrence?

• Follow up at the end of the process to ensure prevention plans have been fully implemented

• Review policies, procedures and possibly include awareness training to reflect the lessons learned from the investigation

• Did the plan work? Update the breach response plan to improve the response process


Looking Ahead

Security Events and Threat Sharing


Cyber Security Information Sharing Act

Key Facts To Know:

A system for voluntary sharing of cyber security information between private entities and the federal government

Department of Homeland Security (DHS) will act as the central hub for information sharing

Requires the sharing of information in real time

Launched sharing portal on 3/17

6 companies currently enrolled


Cyber Security Information Sharing Act

Pros:

It’s a start, and we need to start somewhere

Sharing can help identify where attackers came from and what their methods look like

cyber threat indicators (CTIs): the tactics, techniques, and procedures used by malicious actors to compromise the computer networks of their victims


Cyber Security Information Sharing Act

Cons:

Can’t fix bad security practices

Won’t catch zero-days – or previously unknown malware

Protections may not be enough incentive to share the gory details of a security failure

High degree of sophistication needed to participate


Cyber Security Information Sharing Act

What can we take from CISA?

A Lot, Actually

Pooling community is UNIQUE –

Shared purpose

Shared constituencies

Many commonly used vendors, applications, services


Some Observations From The Trenches

Regardless of how extensive the security program or the number of controls, the best security programs share seven traits.


A Program At Its Best Is:

1. An Integral Component of Organization Management

2. Comprehensive & Integrated Throughout the Business

3. Supports the Mission of the Business

4. Sensitive to Social Factors

5. Cost Effective Relative to the Risk

6. Responsibility and Accountability Is Explicit

7. Periodically Reassessed and Refined


A Program At Its Worst:

Likewise, there are some signs the program

might fall short

1. Done to Check a Box

2. Not Including a Risk Assessment

3. Treating All Information Equally

4. Not Following Through

5. Taking On Too Much At Once

“Ultimately, security is about people – not technology.”

Foundations of Information Privacy and Data Protection

P. Swire & K. Ahmed, 2012

Thank You!
