Cybersecurity Incident Readiness - acuia.org 18 - session 7

TRANSCRIPT

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor

©2018 CliftonLarsonAllen LLP

Cybersecurity Incident Readiness
October, 2018


About CliftonLarsonAllen

• A professional services firm with three distinct business lines
  – Wealth Advisory
  – Outsourcing
  – Audit, Tax, and Consulting
• More than 4,500 employees
• Offices coast to coast

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC.


Information Security Services

Information Security offered as a specialized service offering for over 20 years
– Largest Credit Union Service Practice*
– Penetration Testing and Vulnerability Assessment
– IT/Cyber security risk assessments
– IT audit and compliance (GLBA, FFIEC, PCI-DSS, etc.)
– Incident response and forensics
– Independent security consulting
– Internal audit support

*Callahan and Associates 2018 Guide to Credit Union CPA Auditors.


Raise Your Hand If…


Everything Can Talk to Everything…

• My product or system can talk to yours!
• They all have…
• How do we manage that???


Defensive Strategies to Minimize and Mitigate the Risk of Breaches


Strategies

Our information security strategy should have the following objectives:
• Assume Breach Mentality
• Defense in Depth – Protect the Crown Jewels
• Networks that are hardened and resistant to malware and attacks
• Resilience Capabilities: Monitoring, Incident Response, Testing, and Validation


Assume Breach Approach

“You can’t prevent 100% of attacks…”

“Assume Breach” limits the trust placed in applications, services, identities and networks by treating them all, both internal and external, as not secure and possibly already compromised.


Old Model – Prevent Breach

• Focused on preventing a breach
  – Build the walls higher/thicker
• $$ went towards perimeter controls
  – “Next-gen” firewalls
  – Intrusion Detection and Prevention
  – Antivirus/Antimalware Software


Approach Comparison

Prevent Breach
• Firewall / Perimeter
• Static Defense
• “Set and Forget”
• Code Review
• Antivirus
• Threat Modeling

Assume Breach
• Continuous Monitoring
• Logical Defense
• Awareness
• Testing
• Continual Improvement
• Red Team Simulation


Security Evolution

• Preventing breaches is critical, but does not adequately address modern threats

• Practices must be continually tested and augmented to effectively address modern adversaries such as APTs, cyber criminals, etc.


Security Evolution

• Prepare for an “inevitable” breach

• Build and maintain robust, repeatable and thoroughly tested security response procedures (playbook)


Security Evolution

We do not expect firefighters to learn how to fight a fire when we call them!

We should NOT expect our IT staff to handle incidents without training or proper tools.


Defense in Depth

Supported by Monitoring and Incident Response Capabilities


Policies: People, Rules and Tools

– What do we expect to occur?
– How do we conduct business?

Standards based, disciplined, change management, operating from a governance or compliance framework:
– FFIEC
– PCI DSS
– CIS Critical Controls

(Diagram: People, Rules, Tools)


PCI DSS – “Digital Dozen”

• PCI DSS version 3.2


CIS (SANS) Critical Controls

https://www.cisecurity.org/controls/


Defined Standards

• Harden your systems and applications
  – Principle of Minimum Access and Least Privilege
  – Turn off the services/components you do not need
  – Change the defaults
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org/
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
• Software/Application Provider “Implementation Guide”


Operational Discipline

• Disciplined Change Management
• Consistent Exception Control & Documentation
  – Should include risk evaluation and acceptance of risk
  – Risk mitigation strategies
  – Expiration and re-analysis of risk acceptance


Vulnerability and Patch Management Standards

• Define your standard
  – Internet facing critical updates will be applied within ___ Days
  – Internal system critical updates will be applied within ___ Days
• Manage to your standard
• Document and manage your exceptions
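The two slides above (exception control with expiring risk acceptances, and a defined patch standard) can be managed with a small review script. The following is an added example, not part of the deck; the day counts and the inventory are constructed assumptions, since the slide leaves the numbers blank.

```python
from datetime import date, timedelta

# Constructed patch standard. The slide leaves the day counts blank ("within ___ Days");
# these numbers are assumptions for the example, not the firm's or any regulator's figures.
STANDARD_DAYS = {"internet_facing": 7, "internal": 30}

def patch_status(system, today):
    """Classify one system's critical update against the defined standard.

    system: dict with 'exposure', 'released' (date the critical update was released),
    'applied' (date or None) and 'exception' (dict with an 'expires' date, or None).
    """
    deadline = system["released"] + timedelta(days=STANDARD_DAYS[system["exposure"]])
    if system["applied"] is not None:
        return "compliant" if system["applied"] <= deadline else "late"
    if today <= deadline:
        return "within_standard"
    exc = system["exception"]
    if exc is None:
        return "overdue"                       # no documented risk acceptance
    if exc["expires"] < today:
        return "exception_expired"             # risk acceptance must be re-analysed
    return "excepted"                          # documented, unexpired risk acceptance

def review(systems, today):
    """Group a fleet by status so overdue systems and stale exceptions stand out."""
    report = {}
    for s in systems:
        report.setdefault(patch_status(s, today), []).append(s["name"])
    return report

# Constructed inventory for the example
SYSTEMS = [
    {"name": "web-dmz-01", "exposure": "internet_facing", "released": date(2018, 10, 1),
     "applied": date(2018, 10, 5), "exception": None},
    {"name": "web-dmz-02", "exposure": "internet_facing", "released": date(2018, 10, 1),
     "applied": None, "exception": None},
    {"name": "file-srv-01", "exposure": "internal", "released": date(2018, 10, 1),
     "applied": None, "exception": None},
    {"name": "core-app-01", "exposure": "internal", "released": date(2018, 8, 1),
     "applied": None, "exception": {"expires": date(2018, 12, 31)}},
    {"name": "legacy-01", "exposure": "internet_facing", "released": date(2018, 7, 10),
     "applied": None, "exception": {"expires": date(2018, 9, 30)}},
]

if __name__ == "__main__":
    for status, names in review(SYSTEMS, date(2018, 10, 15)).items():
        print(status, names)
```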


Vulnerability Management Monitoring

• Monitoring
  – System logs and application “functions”
  – Accounts
  – Key system configurations
  – Critical data systems/files
• Scanning
  – Patch Tuesday and vulnerability scanning
  – Rogue devices


Know Your Network – Know What “Normal” Looks Like

Alignment of centralized audit logging, analysis, and automated alerting capabilities (SIEM) & DLP
• Infrastructure
• Servers & Applications
• Data Flows
• Archiving vs. Reviewing
• External connections
  – Business partners
  – Service providers


Risk Assessment Baked into Daily Operations and Strategic Planning

Assess the risks of planned and unplanned changes.

Two examples:
• New outsourced Loan Origination System
• New third party Managed Security Services Provider (MSSP)


Incident Response Preparedness


Incident Response and Resilience

• Your program
  – Proactive components – The Boy Scouts Motto: Be Prepared
    ◊ Protect and Detect
  – Reactive components – NOT a chemistry experiment…
    ◊ Respond and Remediate


Incident Response Life Cycle (NIST 800-61)


The Program

• Establish incident response program and policies
  – Org structure
  – Capabilities
• Create an incident response plan
  – Aligned with your Defense in Depth
  – Responding to intelligently protect your “crown jewels”


Purpose

• Prepare for unscheduled (computer) security incidents
• Identify potential threats and vulnerabilities
• Develop best responses and reduce damage
• Apply critical thinking to solve problems
• Improve over time…


Purpose

• Mitigate Risk
  – Quick and focused response to incidents
  – Clearly defined roles and responsibilities
  – Enhanced understanding of
    ◊ Needed Skills
    ◊ Needed Controls, Processes, and Technology
  – Enhanced ability to respond to threats and remove risks


Proactive Incident Response Goals

• Protect network resources
  – Confidentiality
  – Integrity
  – Availability
• Tune your systems
• Audit (test)
• Improve

(Diagram: Plan, Protect, Remediate, Audit, Monitor)


Know Your Network – What is “Normal?”

Alignment of centralized audit logging, analysis, and automated alerting capabilities (SIEM) & DLP
• Infrastructure
• Servers & Applications
• Archiving vs. Reviewing

Know your: Network, Systems, DATA
Monitor and review of service providers


Indicators of Compromise (IoC)

Examples for definition of incidents
• 15 indicators of compromise: http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/d/d-id/1140647

1. Unusual Outbound Network Traffic
2. Anomalies In Privileged User Account Activity
3. Geographical Irregularities
4. Other Log-In Red Flags
5. Swells In Database Read Volume
6. HTML Response Sizes
7. Large Numbers Of Requests For The Same File
8. Mismatched Port-Application Traffic
9. Suspicious Registry Or System File Changes
10. DNS Request Anomalies
11. Unexpected Patching Of Systems
12. Mobile Device Profile Changes
13. Bundles Of Data In The Wrong Places
14. Web Traffic With Unhuman Behavior
15. Signs Of DDoS Activity


Intrusion and Breach Time Lines


Anatomy of a Breach


Reactive Defense Strategy

(Diagram: Identify, Contain, Eradicate, Restore, Debrief; alongside the Plan, Protect, Remediate, Audit, Monitor cycle)


Communication Strategies

• Internal
  – Staff
  – Management
  – Board
• External
  – Service providers
  – Law enforcement
  – Examiners
  – Media


Fire Department/Team Paradigm

Concepts
• Specialized gear
• Specialized training
• Tools are tested
• Simple repeatable tasks
• Fast response is expected
• Communicate effectively

We do not expect firefighters to learn how to fight a fire when we call them!

We should NOT expect our IT staff to handle incidents without training or proper tools.


Boy Scouts – Be Prepared!

• Documentation…
  – Network Diagrams
  – Critical information/data inventory
  – Configuration files (routers/firewalls)
  – System build/configuration standards
  – Sources of key data (logs)
  – System baselines/normal behavior
  – Business partner/vendor inventory


Boy Scouts – Be Prepared!

• Not IF, but WHEN… Practice, Practice, Practice…
  – Test incident response periodically (just like DRP testing)
  – Table top exercises (NIST 800-61 is your friend!)
  – Penetration testing (NOT vulnerability scanning)
  – Red team/Blue team activities
• Feed results of testing back into improvement process
• Include general staff awareness training
  – How to recognize
  – Who to call


Protect Against Email Phishing

• Harden email gateway (spam filter)
  – Block potentially malicious file attachments (e.g. ZIP, RAR, HTA, JAR)
  – Flag Office documents that contain Macros as suspicious
  – Prevent your organization’s domain from being spoofed
    ◊ Sender Policy Framework (SPF)
    ◊ Custom rule to evaluate SMTP Letter FROM field
  – Flag emails that originate from the Internet
    ◊ E.g. Modify subject line to say ‘External’
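The gateway rules on this slide, as an added example that is not part of the deck: it compares the header From against the SMTP envelope sender and SPF result for the organization's own domain, blocks the listed attachment types, flags macro-enabled Office documents, and tags Internet-originated mail as External. The domain, the macro-enabled extensions and the sample message are assumptions constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example-cu.org"                    # assumption: the institution's own mail domain
BLOCKED_EXT = {".zip", ".rar", ".hta", ".jar"}   # attachment types named on the slide
MACRO_EXT = {".docm", ".xlsm", ".pptm"}          # assumption: macro-enabled Office extensions

def evaluate_message(raw, envelope_from, spf_result):
    """Apply the slide's gateway rules to one inbound message.
    raw: RFC 5322 message bytes; envelope_from: SMTP MAIL FROM address;
    spf_result: 'pass'/'fail'/'none' from the gateway's SPF check (assumed).
    Returns (list of actions, subject after any External tagging)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    actions = []
    header_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    envelope_domain = envelope_from.rpartition("@")[2].lower()
    # Spoofing rule: header From claims our domain, but the envelope sender or SPF says otherwise
    if header_domain == OUR_DOMAIN and (envelope_domain != OUR_DOMAIN or spf_result != "pass"):
        actions.append("quarantine:spoofed-internal-domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in BLOCKED_EXT:
            actions.append("block:" + name)        # container/script types the slide says to block
        elif ext in MACRO_EXT:
            actions.append("flag:macro:" + name)   # Office document that can carry macros
    subject = str(msg.get("Subject", ""))
    if envelope_domain != OUR_DOMAIN and not subject.startswith("[External]"):
        subject = "[External] " + subject          # mark mail that originated from the Internet
        actions.append("tag:external")
    return actions, subject

# Constructed sample: a lookalike "CEO" message arriving from an outside relay
SAMPLE = b"""From: "CEO" <ceo@example-cu.org>
Subject: Urgent wire request
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached instructions.
--b1
Content-Type: application/octet-stream; name="instructions.docm"
Content-Disposition: attachment; filename="instructions.docm"

ZmFrZQ==
--b1--
"""
```

The same message relayed legitimately from inside (envelope sender on our domain, SPF pass) would only receive the macro flag.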


Monitor and Alert

• Configure system auditing/logging
  – Understand and document logging capabilities
  – Ensure all systems are configured to log important information
  – Successful logins are just as important to log as failed logins
  – Retain logs for at least 1 year, longer is better
• Audit systems for default/weak passwords
  – Most systems have default passwords and they are all documented online
  – Don’t overlook “simple” systems
    ◊ E.g. Printers, IP cameras, etc.
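Added example (not from the deck) of why successful logins belong in the log and of the "know what normal looks like" theme from the earlier slides: it builds a baseline from past successful logins, then reviews new records for privileged accounts arriving from a new source, logins outside business hours, and a success following a burst of failures. The record format, the privileged-account list and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")
PRIVILEGED = {"admin.r", "svc_backup"}   # assumption: accounts the institution treats as privileged

def parse(text):
    """Parse the constructed key=value login records into dicts (unparseable lines are skipped)."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def build_baseline(events):
    """'Normal' = the source addresses each account has successfully logged in from before."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(e["src"])
    return baseline

def review(events, baseline, business_hours=(7, 19), fail_threshold=3):
    """Flag successful logins that deviate from the baseline; failures only count toward a burst."""
    alerts, fails = [], defaultdict(int)
    for e in events:
        if e["result"] != "success":
            fails[e["user"]] += 1
            continue
        hour = int(e["ts"][11:13])
        if e["user"] in PRIVILEGED and e["src"] not in baseline.get(e["user"], set()):
            alerts.append(f"{e['ts']} privileged {e['user']} from new source {e['src']}")
        if not business_hours[0] <= hour < business_hours[1]:
            alerts.append(f"{e['ts']} {e['user']} login outside business hours from {e['src']}")
        if fails[e["user"]] >= fail_threshold:
            alerts.append(f"{e['ts']} {e['user']} success after {fails[e['user']]} failures from {e['src']}")
        fails[e["user"]] = 0
    return alerts

# Constructed sample records (format assumed for the example, not any vendor's log format)
BASELINE_LOGS = """\
2018-10-01T08:02:11 host=fs01 user=jdoe src=10.1.20.15 result=success
2018-10-01T08:05:40 host=dc01 user=admin.r src=10.1.5.9 result=success
"""
NEW_LOGS = """\
2018-10-15T08:10:02 host=fs01 user=jdoe src=10.1.20.15 result=success
2018-10-15T22:41:55 host=dc01 user=admin.r src=203.0.113.8 result=success
2018-10-15T12:00:01 host=fs01 user=jdoe src=10.1.20.15 result=failure
2018-10-15T12:00:04 host=fs01 user=jdoe src=10.1.20.15 result=failure
2018-10-15T12:00:07 host=fs01 user=jdoe src=10.1.20.15 result=failure
2018-10-15T12:00:10 host=fs01 user=jdoe src=10.1.20.15 result=success
"""

def demo():
    """Review the new records against the baseline built from the earlier ones."""
    return review(parse(NEW_LOGS), build_baseline(parse(BASELINE_LOGS)))
```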


Test Your Systems

• Test backup systems
  – Periodically test backup systems to ensure you can recover from ransomware
  – Have IT perform a full, bare-metal recovery of main file share
  – Have IT document how long it takes to recover various files or systems

PRACTICE


Test Your Systems

• Validate that your expectations are being met for cybersecurity – TEST systems and people
  – Penetration Testing
    ◊ Informed/White Box
    ◊ Uninformed/Black Box
  – Social Engineering Testing
  – True Breach Simulation
    ◊ Red Team/Blue Team


Questions?

twitter.com/CLAconnect

facebook.com/cliftonlarsonallen

linkedin.com/company/cliftonlarsonallen


CLAconnect.com

youtube.com/CliftonLarsonAllen

Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal
Information Security [email protected]


Incident Response Resources

Examples and feedback from insurance industry
• One example of “Insurance Top Ten”


Incident Response Resources

Examples for definition of incidents
• 15 indicators of compromise (the same list as on the Indicators of Compromise slide): http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/d/d-id/1140647


Incident Response Resources

Examples for table top exercise
• Incident handling scenario questions
• Incident handling table top examples
• Eleven examples/samples in NIST 800-61


Resources – Hardening Checklists

Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org/
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx

Most of these will be from the “BIG” software and hardware providers


Sources for Standards and Guidelines

• FFIEC IT Handbook
  http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/other-policies,-standards-and-processes/incident-response.aspx
• NIST 800-61: Computer Security Incident Handling Guide
  http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911736
• PCI Requirements
  https://www.pcisecuritystandards.org/documents/PFI_Program_Guide.pdf
• State laws:
  http://www.privacyrights.org/data-breach#10
  http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf