Send in the Marines! - CAJPA Conference (Sep 09, 2016)
TRANSCRIPT
SEPTEMBER 13-16, 2016, SOUTH LAKE TAHOE, CA
Send in the Marines! FEDERAL OVERSIGHT AND THE ALPHABET SOUP OF CYBER SECURITY
A State of (in)Security
2015 topped the charts with the most data loss events reported in a single year, with over 4,200 publicly disclosed breaches. 2016 is on pace to match it and has already exposed over 1.5B records.
Source: Cyber Risk Analytics, Risk Based Security
Everyone Has Something of Value!
Set of business application account credentials in the Brazilian Underground: $155 - $193
Set of entertainment site credentials in the Chinese Underground: $325
Set of credit card credentials in the Russian Underground: $4
A combination of phone number, work email address and social media credentials: Brazil: $1,931 China: $145 Russia: $200
A State of (in)Security
Source: http://www.trendmicro.com/vinfo/us/security/special‐report/cybercriminal‐underground‐economy‐series/global‐black‐
A State of (in)Security
Source: VulnDB
A State of (in)Security
So many vulnerabilities, in fact, it’s difficult to keep up
Searching Shodan.io, there are 224,858 Internet connected systems still vulnerable to Heartbleed.
A State of (in)Security
Networks, systems and the methods we use to access them are growing in complexity, not shrinking
A State of (in)Security
Questionable coding and development practices, especially when it comes to emerging technologies
A State of (in)Security
Even the best security can’t always overcome basic human nature
A State of (in)Security
Bottom line: Security pros are being asked to “get it right” all day, every day. Hackers only need to be right once to win
A State of Security
How do we shift the odds in our favor?
By focusing on how to best manage the risk through the use of formalized and systematic security standards and frameworks
Standards
The Beauty of Standards is That There Are So Many to Choose From
A Closer Look At Security Frameworks
Tried and True:
HIPAA/HITECH Security Rules
FFIEC
ISO/IEC 27001/2
COBIT
NIST SP-800 53
ITIL
PCI - Data Security Standard
Fairly New:
NIST – Framework for Improving Critical Infrastructure (Introduced 2014)
CISA – Cybersecurity Information Sharing Act, Section 405 of Title IV, directing HHS to create best practices standards under HIPAA (Effective January 2016)
Information Security Frameworks
Descriptive Models Allow Discretion In The Selected Controls
Prescriptive Models Detail Required Mitigation
NIST Cybersecurity Framework
“Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013.
“The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure”
Source: http://www.nist.gov/cyberframework/
NIST Cybersecurity Framework
What, exactly, is “Critical Infrastructure”?
NIST Cybersecurity Framework
Does this apply to us?
Excellent question!
“The Executive Order tasked NIST to design the Framework for voluntary use by private sector organizations that are part of the critical infrastructure”
NIST Cybersecurity Framework
Core • Activities & Outcomes
Tiers • Degree of Adoption & Process Maturity
Profile • Degree of Alignment With Objectives
NIST CyberSecurity Framework
Function • 5 Distinct Function Groups
Category • 22 Security Domains
Subcategory • 98 Objectives
Framework Core ‐ Functions
Identify • Develop the organizational understanding to manage security risk to systems, assets, data and capabilities
Protect • Develop & implement appropriate safeguards
Detect • Develop & implement activities needed to identify a security event
Respond • Taking action in response to a detected security event
Recover • Maintain plans for resilience and restore services
Implementation Tiers
Applicable to the organization’s cyber risk strategy and risk mitigation processes
Framework Profile
Current Profile vs Target Profile
Aligning Core items with business requirements, risk tolerance and available resources to create a roadmap toward reducing information security risk
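The Current-vs-Target Profile comparison above is the one piece of the Framework that turns into a concrete work list, so here is a worked example of it. This is an added illustration, not code from the CAJPA slides or from NIST: the subcategory identifiers follow the Framework Core's naming scheme (Function.Category-N) with descriptions paraphrased from Core v1.0, but the tier scores, the criticality weights and the priority formula (gap times criticality) are constructed assumptions. Scoring each subcategory on the 1 (Partial) to 4 (Adaptive) Tier scale is a common practitioner shortcut; the Framework itself applies Tiers to the organization as a whole.

```python
"""Worked example (added here, not from the slides or NIST): comparing a Current
Profile against a Target Profile over a few Framework Core subcategories and
turning the gaps into a prioritized roadmap. Tier scores, criticality weights and
the priority formula are constructed assumptions."""
from dataclasses import dataclass

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Outcome:
    subcategory: str        # Framework Core identifier, e.g. "PR.AC-1"
    description: str
    current_tier: int       # where the organization is today (1-4)
    target_tier: int        # where risk tolerance and business needs say it should be
    asset_criticality: int  # 1 (low) - 3 (high), taken from the risk assessment

    @property
    def function(self) -> str:
        return FUNCTIONS[self.subcategory.split(".")[0]]

    @property
    def gap(self) -> int:
        # Only shortfalls matter; exceeding the target is not a finding.
        return max(0, self.target_tier - self.current_tier)


def build_roadmap(outcomes):
    """Outcomes with a gap, largest (gap x criticality) first, so the roadmap
    addresses the most important shortfalls before the cosmetic ones."""
    return sorted((o for o in outcomes if o.gap > 0),
                  key=lambda o: (-(o.gap * o.asset_criticality), o.subcategory))


def gap_by_function(outcomes):
    """Total tier shortfall per Function: a five-number summary for leadership."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for o in outcomes:
        totals[o.function] += o.gap
    return totals


# Constructed sample profile: IDs follow the Core's scheme, scores are invented.
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", "Physical devices and systems are inventoried", 2, 3, 3),
    Outcome("PR.AC-1", "Identities and credentials are managed", 1, 4, 3),
    Outcome("DE.CM-1", "The network is monitored to detect potential events", 2, 3, 2),
    Outcome("RS.RP-1", "Response plan is executed during or after an event", 3, 3, 3),
    Outcome("RC.RP-1", "Recovery plan is executed during or after an event", 1, 2, 1),
]

if __name__ == "__main__":
    for o in build_roadmap(SAMPLE_PROFILE):
        print(f"{o.subcategory:8} {o.function:8} tier {o.current_tier}->{o.target_tier}"
              f"  priority {o.gap * o.asset_criticality}")
    print(gap_by_function(SAMPLE_PROFILE))
```

With the sample data, identity and credential management (PR.AC-1) tops the roadmap because it combines the largest tier gap with the highest criticality, while RS.RP-1 drops out entirely since it already meets its target.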
NIST Cybersecurity Framework
Details Worth Knowing
Entirely voluntary at this point, even if you’re a provider of Critical Infrastructure
The framework is intended to be a “living document”, to be updated and modified over time
There is no clear mechanism for sharing threat intelligence, but it is encouraged
Conformity assessments are also encouraged, but also no methodology established as yet
Why Should We Do This?
Survey Says? Best Practices Are IN!
PWC Global State of Information Security 2016 Study
Why Should We Do This?
The #1 Benefit: Shared Language For Talking About Acceptable Risk!
Where Do We Start?
Best Practices
Take Care Of The Security Basics!
Understand what are the most critical assets and how they are at risk
Make sure everyone is on the same page with a documented program
Have a plan should the worst happen
The Basics
When it comes to setting priorities for controls, the SANS 20 Critical Security Controls for Effective Cyber Defense is an excellent reference.
www.sans.org/critical‐security‐controls
The Basics
Security 101 – Taking Care of the Basics
Vulnerability Scans
◦ Routine testing of web applications, external and internal network to uncover overlooked weaknesses, missed patches and misconfigurations
◦ Like going to the doctor ‐ should be checked out every year
The Basics
Vulnerability Scan or Pen Test?
It’s the same thing, right?
Moving Beyond the Basics
No matter the framework or standard, the process must start with a risk assessment
Risk Assessment
Risk Assessment Method
1. Identify & Value Assets
2. Identify Threats & Vulnerabilities
3. Assess The Impact
4. Identify Controls to Mitigate the Risk
5. Identify Residual Risk & Determine if Acceptable
IMPLEMENT THE PLAN!
Risk Assessment
Why it matters
It provides the foundation for understanding:
• Which are the most critical assets;
• What is an acceptable level of risk to each asset; and
• Evaluating recommended practices against the actual need for controls.
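The risk assessment method on the preceding slides is a five-step procedure, so here it is carried through end to end on constructed sample data. This is an added example, not code from the slides or from any named framework: the 1-5 scales, the likelihood x impact x asset-value scoring, the way a control subtracts points from likelihood or impact, and the tolerance threshold of 25 are all assumptions chosen for illustration. A real assessment uses whatever scales and tolerance leadership has signed off on; the structure (value the asset, pair threats with vulnerabilities, score impact, apply controls, compare residual risk with tolerance) is what the example demonstrates.

```python
"""Worked example (added here, not from the slides): the five risk assessment
steps on constructed sample data. Scales, scoring formula, control effects and
the tolerance threshold are assumptions for illustration only."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points taken off the 1-5 likelihood score
    impact_reduction: int = 0      # points taken off the 1-5 impact score


@dataclass
class Risk:
    asset: str
    asset_value: int   # Step 1: 1 (nice to have) - 5 (business stops without it)
    threat: str        # Step 2: the threat/vulnerability pair, in words
    likelihood: int    # 1-5 chance the threat is realised in a year
    impact: int        # Step 3: 1-5 consequence if it is
    controls: list = field(default_factory=list)  # Step 4

    def inherent(self) -> int:
        """Risk before any control is credited."""
        return self.likelihood * self.impact * self.asset_value

    def residual(self) -> int:
        """Step 5: score after controls. Each score floors at 1 because no
        control makes an attack impossible or harmless."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact * self.asset_value


RISK_TOLERANCE = 25  # assumed: leadership accepts residual scores at or below this


def assess(risks, tolerance=RISK_TOLERANCE):
    """(risk, residual score, acceptable?) rows, worst residual first, so the
    implementation plan starts with whatever is still above tolerance."""
    rows = [(r, r.residual(), r.residual() <= tolerance) for r in risks]
    return sorted(rows, key=lambda row: -row[1])


def unacceptable(risks, tolerance=RISK_TOLERANCE):
    """Threats whose residual score still exceeds tolerance: the work list."""
    return [r.threat for r, _, ok in assess(risks, tolerance) if not ok]


# Constructed sample register for a pooled self-insurance administrator.
SAMPLE_REGISTER = [
    Risk("Claims database", 5, "SQL injection via member portal", 4, 5,
         controls=[Control("Parameterised queries + annual web app scan", likelihood_reduction=3)]),
    Risk("Claims database", 5, "Ransomware on file server", 3, 4,
         controls=[Control("Offline backups, tested restores", impact_reduction=2)]),
    Risk("Public website", 2, "Defacement", 3, 2),
    Risk("Finance workstation", 4, "Phishing leads to wire fraud", 4, 4,
         controls=[Control("Security awareness training", likelihood_reduction=1),
                   Control("Dual approval on wires", impact_reduction=2)]),
]

if __name__ == "__main__":
    for risk, residual, ok in assess(SAMPLE_REGISTER):
        print(f"{risk.asset:20} {risk.threat:32} inherent {risk.inherent():3}"
              f"  residual {residual:3}  {'accept' if ok else 'TREAT'}")
```

Note what the numbers say: the SQL injection risk starts as the worst item in the register (inherent 100) but the control credited against it brings it inside tolerance, while the ransomware risk stays on the work list because good backups reduce impact without touching likelihood. That is the conversation the shared-language slide earlier is about, and it only happens once residual risk is written down next to a tolerance figure.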
Document The Security Program
Getting Everyone On The Same Page
Most frameworks require written policies
Should be established by leadership
Communicated to everyone that needs to know
Regularly reviewed
What About Vendors?
Let’s outsource IT!
They promise great security!
What About Vendors?
Recent Breaches at Technology Service Providers
Oracle MICROS POS customer support portal 8/8/2016
Malicious code leads to unknown number of usernames and passwords compromised, possibly allowing remote access to customer POS systems
Ubuntu (open source cloud-based OS software) 7/15/2016
2M Forum account holders’ usernames, email addresses and IP addresses compromised by SQL injection
Automation Integrated LLC 7/12/2016
Details on internal security, surveillance and alarm systems for banks and OK Dept of Public Safety exposed due to database misconfiguration
PilotFish Technology 7/12/2016
“The Dark Overlord” offers up for sale source code, software signing keys and customer licensing database for Level Seven integration middleware
Datadog Inc 7/8/2016
Monitoring and analytics service resets credentials after unauthorized activity detected on servers, impacting the clients like Salesforce, Citrix and the New York Times
What About Vendors?
Using third party services doesn’t transfer the security burden, it changes it
We must demand better security from all of our vendors!
Take the time to evaluate software & services
◦ Define requirements in agreements
◦ New features are great, but not at the expense of a breach
◦ Vote with $$; select vendors that take security seriously
Incident Response
Developing a controlled approach to incident response is included in most ‘best practice’ frameworks
Incident Response
Benefits of Planning Ahead
A roadmap to follow in the midst of chaos
It saves money in the long run
Can be used to identify trigger points for escalating the event AND help map to most critical insurance needs!
Incident Response
Event Response, Incident Response, Breach Response. It’s all the same thing, Right?
Incident Response
Security Incident
Can be any event that impacts:
• the availability of critical data and systems;
• the integrity of data; or
• the confidentiality of non-public information
Breach Response
The primary focus of most cyber insurance coverage offered by pools and insurers; tends to refer more narrowly to unauthorized activity and compromise of personally identifiable information
Incident Response
Why It Matters
Verizon DBIR 2015 Report
Incident Response
Event • Something has occurred but handled automatically or not yet fully investigated
Vulnerability • Event was analyzed and a weakness discovered that COULD lead to a compromise or business impact
Incident • Reasonable probability data was exposed but risk-of-harm to individuals not likely or clear impact on business operations
Breach • Data has been exposed and there is a high potential for misuse and/or harm to persons is reasonably likely
Incident response planning starts with a process for evaluating security events
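The Event / Vulnerability / Incident / Breach ladder above is a decision procedure, and writing it down as one makes the escalation and insurance trigger points explicit instead of leaving them to judgement in the middle of an event. The following is an added example, not code from the slides: the input fields, the top-down rule order, and the assumption that only a Breach opens a cyber insurance claim (matching the narrower "Breach Response" scope on the earlier slide) are choices made for illustration; a real plan takes its trigger points from the policy wording and the incident management policy.

```python
"""Worked example (added here, not from the slides): the event-to-breach ladder
as a triage function, plus the insurance trigger point. Field names, rule order
and the notify-on-Breach rule are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    EVENT = "Event"
    VULNERABILITY = "Vulnerability"
    INCIDENT = "Incident"
    BREACH = "Breach"


SEVERITY = {Level.EVENT: 0, Level.VULNERABILITY: 1, Level.INCIDENT: 2, Level.BREACH: 3}


@dataclass
class Finding:
    description: str
    investigated: bool            # has anyone analysed it yet?
    weakness_found: bool          # analysis found something that COULD lead to compromise
    data_exposed_likely: bool     # reasonable probability data was exposed
    harm_to_persons_likely: bool  # PII out and misuse/harm reasonably likely
    business_impact: bool         # clear impact on operations


def classify(f: Finding) -> Level:
    """Walk the ladder from the top; the first rung whose facts are all present wins,
    so an unanalysed alert can never be rated above Event."""
    if f.data_exposed_likely and f.harm_to_persons_likely:
        return Level.BREACH
    if f.data_exposed_likely or f.business_impact:
        return Level.INCIDENT
    if f.investigated and f.weakness_found:
        return Level.VULNERABILITY
    return Level.EVENT


def must_notify_insurer(level: Level) -> bool:
    """Assumed trigger point: breach coverage is narrower than incident response,
    so only a Breach opens a claim here. Adjust to the policy wording."""
    return level is Level.BREACH


def triage(findings):
    """(description, level, notify insurer?) rows, most severe first: the order
    the incident response team works the queue in."""
    rows = [(f.description, classify(f), must_notify_insurer(classify(f))) for f in findings]
    return sorted(rows, key=lambda row: -SEVERITY[row[1]])


# Constructed sample findings (investigated, weakness, data exposed, harm, business impact).
SAMPLE_FINDINGS = [
    Finding("IDS blocked a port scan", False, False, False, False, False),
    Finding("Scan shows unpatched Heartbleed on VPN appliance", True, True, False, False, False),
    Finding("Ransomware encrypted claims file server, backups intact", True, True, False, False, True),
    Finding("Member SSNs exfiltrated from claims database", True, True, True, True, True),
]

if __name__ == "__main__":
    for description, level, notify in triage(SAMPLE_FINDINGS):
        print(f"{level.value:13} {'NOTIFY INSURER' if notify else '':14} {description}")
```

The ransomware case is the one worth pausing on: it is an Incident with clear business impact and no personal data exposed, which under the assumed rule does not open a breach claim. Whether that is right for a given pool depends entirely on the coverage purchased, which is exactly why the slide ties trigger points to insurance needs.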
Got Cyber Cover? Time to report it!
Incident Response
Response Plans Should Include
A security incident management policy
A designated point person to lead the effort
Establishes who is a part of the incident response team
Includes a key contact list (internal and external)
Defines a communication plan (what, by whom, to whom, when & how)
Includes training for IRT members in roles and responsibilities
Conducting incident response exercises
Incident Response
A mature incident response process also includes a method for collecting event information in order to learn and improve
Learn • Apply • Improve
Security Events and Threat Sharing
Looking Ahead
Cyber Security Information Sharing Act
Key Facts To Know:
A system for voluntary sharing of cyber security information between private entities and the federal government
Department of Homeland Security (DHS) will act as the central hub for information sharing
Requires the sharing of information in real time
Launched sharing portal on 3/17; 6 companies currently enrolled
Cyber Security Information Sharing Act
Pros: It’s a start, and we need to start somewhere
Sharing can help identify where attackers came from and what their methods look like
cyber threat indicators (CTIs): the tactics, techniques, and procedures used by malicious actors to compromise the computer networks of their victims
Cyber Security Information Sharing Act
Cons: Can’t fix bad security practices
Won’t catch zero‐days ‐ or previously unknown malware
Protections may not be enough incentive to share the gory details of a security failure
High degree of sophistication needed to participate
Cyber Security Information Sharing Act
What can we take from CISA?
A Lot, Actually
Pooling community is UNIQUE
Shared purpose
Shared constituencies
Many commonly used vendors, applications, services
Some Observations From The Trenches
Regardless of how extensive the security program or number of controls, the best security programs share seven traits.
A Program At Its Best Is:
1. An Integral Component of Organization Management
2. Comprehensive & Integrated Throughout the Business
3. Supports the Mission of the Business
4. Sensitive to Social Factors
5. Cost Effective Relative to the Risk
6. Responsibility and Accountability Is Explicit
7. Periodically Reassessed and Refined
A Program At Its Worst:
Likewise, there are some signs the program might fall short
1. Done to Check a Box
2. Not Including a Risk Assessment
3. Treating All Information Equally
4. Not Following Through
5. Taking On Too Much At Once
“Ultimately, security is about people – not technology.”
Foundations of Information Privacy and Data Protection
P. Swire & K. Ahmed, 2012