9/19/2019 1
Security Challenges: Developing a Cybersecurity Framework
APTAtech: Transportation Technology Conference
September 15-18, 2019 / Columbus, Ohio
Alameda-Contra Costa Transit District
September 16, 2019
Agenda
• Intro to Alameda-Contra Costa Transit
• Rapidly Changing Public Transit Domain
• Assessing the Agency Core Mission and Technology Landscape
• Actions
  • Third party audit to identify threat vectors
  • Quick strategy – socialize
  • Identify improvements/upgrades – short + mid + long
• Define a Roadmap to Get There
• Framework Adoption
• Concluding Thoughts
AC Transit at a glance
• Serve 13 cities and 8 unincorporated areas
• Directly elected Board
• Alameda and Contra Costa Counties
• Facilities: 3 – Oakland, 1 – Emeryville, 1 – Hayward, 1 – Richmond
• Service across 3 Bay Area bridges: Dumbarton, SF–Oakland, San Mateo
All about numbers
Ridership
• Daily: 169,000
• Annual: 52,300,000
• Paratransit: 771,000 (annual)
• Transbay daily: 14,500
Service
• Daily service hours: 5,800 (weekday)
• Bus lines: 160
• Bus stops: 5,500 (approximately)
• Annual service miles: 20.4 million
Connect with
• 16 other bus systems
• 25 BART stations
• 6 Amtrak stations
• 3 ferry terminals
Public Transit Domain
• Disruptions => Automation – Electrification – Connectivity
• 5G is REAL - High-speed and reliable connectivity is expected
• Media rich applications are becoming norm with real-time video, voice, maps and images
• Situation awareness is a key requirement for quick decision making
• Digital Framework to support IoT Connectivity
Technology Landscape
• Private and Public Clouds, Servers, Switches, Voice Gateways, Firewalls, Routers, Platforms, Storage
• Desktop Computers, Laptop Computers, Mobile, Tablets, Smartphones, Desk Phones, Push to Talk Radios, Conference Phones, MiFi Units, Presentation Systems, Satellite Phones, TVM/Clipper Machines
• Software Applications: Origami RISK, PMWeb, Citrix, G2 Solutions, DMV EPN, Tableau, AutoCAD LT, NextBUS, Office365, NICE, HASTUS, DAILY, Apollo Video, GIS, Zoom, Camtasia, GFI, Dragon, SQL, ELLIPSE, Kantech, PEOPLESOFT, CAD/AVL, Xerox
• 2300+ Employees
• 1.6M Customers
Security Landscape
• Global ransomware damage costs exceeded $5B in 2017 (a 15X increase in two years)
• Cyber-crime damage costs to hit $6 trillion annually by 2021
• 42% ignore alerts: a significant number of security alerts are ignored due to sheer volume, according to 42% of polled cybersecurity professionals. **
• 24% resource constrained: 24% of cyber teams do not have the ability to investigate or prioritize security alerts in a timely manner. **
• 38% burned out: 38% of cyber staff cite burnout. **
• 201 days: average time to detect a breach is 201 days. *
* Ponemon Institute, 2017 Cost of a Data Breach Study
** According to the ISSA & ESG recent research
Activities
• Third Party Cybersecurity Audit
  • External Penetration Testing
  • Internal Penetration Testing
  • Security Audit
• Socialize the Outcome with Key Stakeholders
• Quick Plan of Action – Prioritize Risks + Cost + Timelines
• High Level Roadmap – Tools + People + Process
Security Audit
• Integrated Control Framework
  • 14 Domains utilized for various risk assessments and maturity assessments
  • National Institute of Standards and Technology (NIST)
  • International Organization for Standardization (ISO)
• Capability Maturity Model
  • Forrester’s IT Service Management Maturity Model
  • Systems Security Engineering Capability Maturity Model ®
Maturity levels and their characteristics:
• Level 0 Nonexistent: Not understood, Unaware of need
• Level 1 Ad-Hoc: Occasional, Reactive, Unplanned, Disorganized
• Level 2 Repeatable: Planned, Consistent, Verified, Responsive
• Level 3 Defined: Documented, Understood, Predictable, Collaborated
• Level 4 Measured: Evaluated, Reported, Metrics, Progressive Improvement
• Level 5 Optimized: Efficient, Proactive, Automated
Understanding Maturity
Maturity heat map: IT Security Domain × Level (Level 0 Nonexistent, Level 1 Ad-Hoc, Level 2 Repeatable, Level 3 Defined, Level 4 Measured, Level 5 Optimized)
IT Security Domains rated:
• Third Party Management
• Data Protection
• Employee Management
• Physical Security
• Logical Security
• Threat & Vuln. Management
• Logging & Monitoring
• Sec Config. Management
• Sec Change Management
• Compliance
• Business Continuity
• IT Operations
• Secure SDLC
• Overall Maturity
Legend: Current Rating; Change since 2016; New rating for 2018; 2016 Rating; Target Maturity
Defining a Framework
• Understand the Current State of the Cybersecurity Program Holistically
• Identify Improvements/Upgrades
• Define a Roadmap to Get There
• Frame Current Risks
Security Operations Center
• Asset Discovery & Inventory
• Vulnerability Assessment
• Intrusion Detection
• Behavioral Monitoring
• SIEM & Log Management
• 24x7 Security Operations
Adopting a Framework: Cybersecurity Domains
CYBERSECURITY GOVERNANCE
OVERSIGHT AND STRATEGY
POLICIES AND PROCEDURES
❑ Information Security Program
❑ Standard Operating Procedures
❑ Administrative Standards
ROLES AND RESPONSIBILITIES
❑ Organizational Structure
❑ Information Security Officer
❑ Security Responsibilities
IT RISK MANAGEMENT
❑ IT Risk Definition
❑ Risk Appetite / Tolerance
❑ Risk and Control Universe
❑ Risk Assessment
❑ Risk Treatment
❑ Communication Plan
❑ Risk Monitoring
DATA PROTECTION
❑ Encryption
❑ Data Classification
❑ Data Protection Technologies
THREAT AND VULNERABILITY MANAGEMENT
❑ Vulnerability Scanning
❑ Patch Management
❑ Anti-Malware Technologies
PHYSICAL SECURITY
❑ Standards
❑ Physical Storage
❑ Monitoring & Testing
SECURE DEVELOPMENT
❑ Secure Development Standards
❑ Secure Development Testing
LOGICAL SECURITY
❑ Authentication Standards
❑ Administrative Access
❑ Access Management
❑ Access Review
❑ Remote Access
LOGGING AND MONITORING
❑ Centralization & Aggregation
❑ Alerts
❑ Activity Baseline
IT OPERATIONS
❑ IT Asset Management
❑ Data Flows
❑ Software Authorization
IT COMPLIANCE
❑ PCI Compliance
❑ Evaluation
❑ Oversight & Coordination
EMPLOYEE MANAGEMENT
❑ Security Awareness
❑ Human Resources
❑ Acceptable Use
SECURITY CONFIGURATION MANAGEMENT
❑ Approved Infrastructure
❑ Build & Hardening Procedures
❑ Configuration Management
SECURITY CHANGE MANAGEMENT
❑ Change Management
❑ Maintenance
BUSINESS CONTINUITY MANAGEMENT
❑ Business Impact Analysis
❑ Business Continuity Planning
❑ Disaster Recovery
❑ Resiliency
❑ Incident Response
THIRD PARTY RISK MANAGEMENT
❑ Vendor Inventory
❑ Due Diligence & Assessment
❑ Performance Monitoring
❑ Contractual Terms
❑ Vendor Access
Concluding Thoughts
• Build a Roadmap based on Risk Priority
• Parallel Work on People, Process, and Tools
• Take Security Seriously – But Share the Stress
• Build It In the Culture
• Watch your Supply Chain
• Don’t overlook Physical Security
• Customize the Framework
There is no such thing as "perfect protection"