A Simple Strategy to Combat Many Security Issues
Kevin M. Moker, CISSP-ISSMP, CISM, ACP
Manager, Information Security Risk Management Services
What is Risk Management
What is Defense In Depth
Questions & Answer Session
What is Risk?
  Risk is the potential loss from a threat-source
  attacking a vulnerability.
     Example:
        Joe Cracker (threat-source) knows that an online
        banking company has not patched (vulnerability) their
        backend databases. Joe Cracker exploits (loss) the
        system and steals money.
Target Audience
  Senior Management
  Middle Management
  Technology Management
Risk Integration into the SDLC
Risk Assessment
  Identifying risk
Risk Mitigation
  Figuring out how to control the risk
Controls Evaluation
  Control recommendations – what should be used to control the risk
Systems Development Life-Cycle (SDLC)
  Normal phases of SDLC
    Initiation
    Build or Acquire
    Implementation
    Operation and Maintenance
    Disposal or End-of-Life
Phase 1 – Initiation
  Phase Characteristics
     The need for an IT system is expressed and the purpose and scope of the IT system is documented
  Support from Risk Management Activities
     Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy)
Phase 2 – Build or Acquire
  Phase Characteristics
    The IT system is designed, purchased, programmed, developed, or otherwise constructed
  Support from Risk Management Activities
    The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development
Phase 3 – Implementation
  Phase Characteristics
    The system security features should be configured, enabled, tested, and verified
  Support from Risk Management Activities
    The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation
Phase 4 – Operation & Maintenance
  Phase Characteristics
    The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures
  Support from Risk Management Activities
    Risk management activities are performed for periodic system reauthorization or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces)
Phase 5 – Disposal or End-of-Life
  Phase Characteristics
    This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software
  Support from Risk Management Activities
    Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendation
Step 9: Results Documentation
System Characterization
   Inputs
      What type of hardware will be used?
      What software will be used?
      What other software will this software “talk” to or interface with?
      What type of data/information will be housed in the software?
      Who will use this software/hardware?
      What’s the mission of this software/hardware?
   Outputs
      Scope: What the software will include and not include
      Function: What business process the software will support
      Data Criticality: The importance of the information
      Data Sensitivity: The sensitivity of the information
Threat Identification
   Inputs
       Is there a history of system attacks?
       Is there an incident database to leverage?
       Is there any data from media sources or government sources?
        Are there known threat areas from known popular software sources? (e.g., Microsoft)
   Outputs
        General threat statements
              E.g., Windows 7 has 120 known threats. Media sources indicate that 4 of the known threats have zero-day exploits. Furthermore, internal incident management databases have revealed a malicious code outbreak.
Vulnerability Identification
   Inputs
       Are there any vulnerabilities discovered from past risk assessments?
       Are there any audit reports that reveal potential vulnerabilities?
        What are the security requirements for the proposed software? (e.g., access control, encryption)
        Did the security test results reveal any potential vulnerabilities?
   Outputs
        List of potential vulnerabilities (e.g., weak access control system, 56-bit DES encryption used)
Control Analysis
   Inputs
      What are the current controls for the software compared to the internal policy controls?
      What are the planned controls for those controls not adequately documented in current policy?
   Outputs
      List of current controls
      List of planned controls
Likelihood Determination
   Inputs
      What would be the motivation for a malicious person to attack this software?
      What is the capacity of the malicious actor? (e.g., time, money, support)
      How easy is it to exploit the vulnerability?
   Outputs
      Likelihood rating
             High Risk
             Moderate Risk
             Low Risk
Impact Analysis
   Inputs
      Is there a business continuity plan that discusses the mission impact analysis?
      Is there an asset criticality documented in the business continuity plan?
      What is the data criticality?
      What is the data sensitivity?
   Outputs
      Impact Rating
             High Impact
             Moderate Impact
             Low Impact
Risk Determination
   Inputs
      What is the likelihood of the threat exploitation?
      If the threat did exploit the vulnerability, what would be the impact?
      Are the current controls adequate (tested by audit or self-assessment)?
   Outputs
      List of risks and associated risk levels
Control Recommendations
  Recommended controls
     E.g., encryption, strong password controls
Results Documentation
   Risk Assessment Report
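As an added worked example (not part of the original deck), steps 5 through 9 carried out in Python on constructed findings drawn from the deck's own examples (unpatched backend database, weak access control, 56-bit DES). The likelihood and impact weights and the risk-level thresholds are those tabulated in NIST SP 800-30 (2002), Table 3-6, which the deck cites only by label; the one-step likelihood reduction for an adequate, tested control and the recommended-control wording are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Weights and thresholds from NIST SP 800-30 (2002), Table 3-6. The deck shows
# only the High / Moderate / Low labels; the numbers come from the standard.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Moderate": 50, "Low": 10}
RATINGS = ["Low", "Moderate", "High"]


@dataclass
class Finding:
    """One vulnerability/threat pair (steps 2-4) plus the step 5-6 ratings."""
    vulnerability: str
    threat_source: str
    likelihood: str            # step 5 output: High / Moderate / Low
    impact: str                # step 6 output: High / Moderate / Low
    controls_adequate: bool    # step 7 input: current controls tested adequate?
    recommended_control: str   # step 8: what the assessor proposes


def effective_likelihood(rating: str, controls_adequate: bool) -> str:
    """Assumption of this example: an adequate, tested control lowers the
    likelihood rating one step. NIST 800-30 folds control effectiveness into
    the likelihood rating; the deck lists it as a step 7 input."""
    if rating not in LIKELIHOOD_WEIGHT:
        raise ValueError(f"unknown likelihood rating {rating!r}")
    if not controls_adequate:
        return rating
    return RATINGS[max(RATINGS.index(rating) - 1, 0)]


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact weight (NIST 800-30 risk-level matrix)."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> str:
    """NIST SP 800-30 risk scale: High >50 to 100, Moderate >10 to 50, Low 1 to 10."""
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def determine_risk(finding: Finding) -> dict:
    """Step 7 for one finding: returns one row of the risk register."""
    likelihood = effective_likelihood(finding.likelihood, finding.controls_adequate)
    score = risk_score(likelihood, finding.impact)
    return {
        "vulnerability": finding.vulnerability,
        "threat_source": finding.threat_source,
        "likelihood": likelihood,
        "impact": finding.impact,
        "score": score,
        "risk_level": risk_level(score),
        "recommended_control": finding.recommended_control,
    }


def risk_register(findings: list[Finding]) -> list[dict]:
    """Step 7 output: list of risks and risk levels, highest score first."""
    rows = [determine_risk(f) for f in findings]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def risk_assessment_report(findings: list[Finding]) -> str:
    """Step 9: a plain-text Risk Assessment Report built from the register."""
    lines = ["Risk Assessment Report", "=" * 22]
    for row in risk_register(findings):
        lines.append(
            f"[{row['risk_level']:8}] {row['vulnerability']} "
            f"(threat: {row['threat_source']}; likelihood {row['likelihood']}, "
            f"impact {row['impact']}, score {row['score']:g})"
        )
        lines.append(f"           recommended control: {row['recommended_control']}")
    return "\n".join(lines)


# Constructed sample findings for illustration; the vulnerabilities echo the
# deck's examples, the ratings and control states are made up.
SAMPLE_FINDINGS = [
    Finding("Backend database not patched", "Joe Cracker (external attacker)",
            "High", "High", False, "Patch management program"),
    Finding("56-bit DES encryption used for stored customer data", "External attacker",
            "Moderate", "High", False, "Encryption: replace DES with AES"),
    Finding("Weak access control system", "Insider",
            "High", "Moderate", True, "Strong password controls and access reviews"),
    Finding("Paper records left on desks", "Visitor",
            "Low", "Moderate", False, "Paper-based protection program"),
]

if __name__ == "__main__":
    print(risk_assessment_report(SAMPLE_FINDINGS))
```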
Let’s look at a practical approach of how to implement this “stuff”.
Let’s explore the defense-in-depth strategy to understand where risk should be addressed.
Information Security/Assurance is a tricky game. It is by no means perfect and you can NEVER reduce risk to zero. This Defense-In-Depth strategy will help an organization reduce risk to an acceptable level if management is committed to the strategy.
Crucial for any Information Security Program
Necessary in most of today’s markets
Being compliant does not mean secure
Being secure does not mean compliant
Information Security Policies
Staff Responsibility Definitions (RACI)
Security Standards and Guidelines
Security Training
Awareness Communications
Policy Enforcement
Security Monitoring Tools (Physical & Logical)
Vendor Management
Penetration Testing
Vulnerability Scanning
Access Control Management
Data Center Hardening
Physical Access Control Management
Critical Building Hardening (non-data center)
Internal Physical Security Officers
Hostile Environment Prevention Program
External Media Protection Program
Paper-based Protection Program
Network Intrusion Prevention Program
Virtual Networks
Physical Compartmentalizing
Penetration Testing
Access Control Management
Patch Management Program
Access Control Management
Internal Scanning Program
Encryption
Code Review Program
Information Security Readiness Review
Penetration Testing Program
Vulnerability Testing Program
Data Classification
User Access
Encryption
This is not a perfect process. Information Security mixes science and art. Risk management and defense in depth are part science and part art. The goal is to try to reduce the impacts and likelihood of certain threats. Things WILL happen, but this program will make the best effort to minimize threats and impacts.
What did you get from this presentation?
Do you think that this information is useful?
Do you think you could apply this to your life and not just systems?
Defense In Depth Using NIST 800-30

• 1. A Simple Strategy to Combat Many Security Issues
     Kevin M. Moker, CISSP-ISSMP, CISM, ACP
     Manager, Information Security Risk Management Services
• 2. What is Risk Management
     What is Defense In Depth
     Questions & Answer Session
• 3. What is Risk?
     Risk is the potential loss from a threat-source attacking a vulnerability.
     Example: Joe Cracker (threat-source) knows that an online banking company has not patched (vulnerability) their backend databases. Joe Cracker exploits (loss) the system and steals money.
• 4. Target Audience
     Senior Management
     Middle Management
     Technology Management
• 5. Risk Integration into the SDLC
     Risk Assessment: Identifying risk
     Risk Mitigation: Figuring out how to control the risk
     Controls Evaluation: Control recommendations – what should be used to control the risk
• 6. Systems Development Life-Cycle (SDLC)
     Normal phases of SDLC
       Initiation
       Build or Acquire
       Implementation
       Operation and Maintenance
       Disposal or End-of-Life
• 7. Phase 1 – Initiation
     Phase Characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented
     Support from Risk Management Activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy)
• 8. Phase 2 – Build or Acquire
     Phase Characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed
     Support from Risk Management Activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development
• 9. Phase 3 – Implementation
     Phase Characteristics: The system security features should be configured, enabled, tested, and verified
     Support from Risk Management Activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation
• 10. Phase 4 – Operation & Maintenance
     Phase Characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures
     Support from Risk Management Activities: Risk management activities are performed for periodic system reauthorization or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces)
• 11. Phase 5 – Disposal or End-of-Life
     Phase Characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software
     Support from Risk Management Activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner
• 12. Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization
• 13. Step 1: System Characterization
      Step 2: Threat Identification
      Step 3: Vulnerability Identification
      Step 4: Control Analysis
      Step 5: Likelihood Determination
      Step 6: Impact Analysis
      Step 7: Risk Determination
      Step 8: Control Recommendation
      Step 9: Results Documentation
• 14. System Characterization
      Inputs
        What type of hardware will be used?
        What software will be used?
        What other software will this software “talk” to or interface with?
        What type of data/information will be housed in the software?
        Who will use this software/hardware?
        What’s the mission of this software/hardware?
      Outputs
        Scope: What the software will include and not include
        Function: What business process the software will support
        Data Criticality: The importance of the information
        Data Sensitivity: The sensitivity of the information
• 15. Threat Identification
      Inputs
        Is there a history of system attacks?
        Is there an incident database to leverage?
        Is there any data from media sources or government sources?
        Are there known threat areas from known popular software sources? (e.g., Microsoft)
      Outputs
        General threat statements
        E.g., Windows 7 has 120 known threats. Media sources indicate that 4 of the known threats have zero-day exploits. Furthermore, internal incident management databases have revealed a malicious code outbreak.
• 16. Vulnerability Identification
      Inputs
        Are there any vulnerabilities discovered from past risk assessments?
        Are there any audit reports that reveal potential vulnerabilities?
        What are the security requirements for the proposed software? (e.g., access control, encryption)
        Did the security test results reveal any potential vulnerabilities?
      Outputs
        List of potential vulnerabilities (e.g., weak access control system, 56-bit DES encryption used)
• 17. Control Analysis
      Inputs
        What are the current controls for the software compared to the internal policy controls?
        What are the planned controls for those controls not adequately documented in current policy?
      Outputs
        List of current controls
        List of planned controls
• 18. Likelihood Determination
      Inputs
        What would be the motivation for a malicious person to attack this software?
        What is the capacity of the malicious actor? E.g., time, money, support
        How easy is it to exploit the vulnerability? E.g., ease of exploiting the vulnerability
      Outputs
        Likelihood rating
          High Risk
          Moderate Risk
          Low Risk
• 19. Impact Analysis
      Inputs
        Is there a business continuity plan that discusses the mission impact analysis?
        Is there an asset criticality documented in the business continuity plan?
        What is the data criticality?
        What is the data sensitivity?
      Outputs
        Impact Rating
          High Impact
          Moderate Impact
          Low Impact
• 20. Risk Determination
      Inputs
        What is the likelihood of the threat exploitation?
        If the threat did exploit the vulnerability, what would be the impact?
        Are the current controls adequate (tested by audit or self-assessment)?
      Outputs
        List of risks and associated risk levels
• 21. Control Recommendations
      Recommended controls
      E.g., encryption, strong password controls
• 22. Results Documentation
      Risk Assessment Report
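Steps 5 through 9 above (likelihood rating, impact rating, risk determination, control recommendation, and the Risk Assessment Report) are shown here as an added worked example; this code is not from the presentation. The slides give only the qualitative High/Moderate/Low ratings, so the numbers that turn them into a risk level are an assumption: the likelihood values (1.0 / 0.5 / 0.1), impact values (100 / 50 / 10) and thresholds (above 50 High, above 10 Moderate, otherwise Low) are the scale published in NIST SP 800-30, whose nine-step method the slides follow. The three findings are constructed to mirror the slides' own examples (unpatched backend database, 56-bit DES, weak access control); the control names and threat-source labels are illustrative.

```python
"""Added example: carry NIST SP 800-30 Steps 5-9 through on constructed findings.

Assumption (not on the slides): the numeric likelihood/impact scale and the
risk thresholds are the ones from NIST SP 800-30; an assessor may substitute
their own weights, the mechanics stay the same.
"""
from dataclasses import dataclass, field

# Step 5 / Step 6 qualitative ratings mapped to numbers (assumed scale).
LIKELIHOOD = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Moderate": 50, "Low": 10}


@dataclass
class Finding:
    """One threat-source / vulnerability pair (Steps 2-4) plus the assessor's
    Step 5 and Step 6 ratings. The likelihood rating is expected to already
    reflect how well the current controls work (Step 4 feeds Step 5)."""
    threat_source: str
    vulnerability: str
    current_controls: list
    likelihood: str
    impact: str
    recommended_controls: list = field(default_factory=list)  # Step 8


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk as a function of likelihood and impact (slide 12).
    Rounded so that 0.1 * 100 compares cleanly against the thresholds."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Map a score onto the three-level risk scale: >50 High, >10 Moderate."""
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def risk_register(findings) -> list:
    """Step 7 output: one row per finding, highest risk first, so the
    control recommendations (Step 8) are prioritised by risk level."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({
            "threat_source": f.threat_source,
            "vulnerability": f.vulnerability,
            "current_controls": f.current_controls,
            "score": score,
            "risk_level": risk_level(score),
            "recommended_controls": f.recommended_controls,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def risk_assessment_report(findings) -> str:
    """Step 9: the Risk Assessment Report as plain text."""
    lines = ["Risk Assessment Report", "=" * 22]
    for i, r in enumerate(risk_register(findings), 1):
        lines.append(f"{i}. [{r['risk_level']} risk, score {r['score']:.0f}] "
                     f"{r['threat_source']} -> {r['vulnerability']}")
        lines.append("   current controls: "
                     + (", ".join(r["current_controls"]) or "none"))
        lines.append("   recommended controls: "
                     + (", ".join(r["recommended_controls"]) or "none"))
    return "\n".join(lines)


# Constructed sample findings, modelled on the slides' examples.
SAMPLE_FINDINGS = [
    Finding("Joe Cracker (external attacker)", "Unpatched backend database",
            ["perimeter firewall"], "High", "High",
            ["patch management program", "database activity monitoring"]),
    Finding("Malicious insider", "56-bit DES used for stored customer data",
            ["access logging"], "Moderate", "High",
            ["migrate to AES-256", "key management procedure"]),
    Finding("Malicious code outbreak", "Weak access control on admin console",
            ["endpoint anti-malware", "network segmentation"], "Low", "Moderate",
            ["strong password controls", "multi-factor authentication"]),
]

if __name__ == "__main__":
    print(risk_assessment_report(SAMPLE_FINDINGS))
```

Running the block prints the three findings in the order High, Moderate, Low; note that a High likelihood against a Moderate impact lands exactly on the 50 boundary and is therefore Moderate, which is why the thresholds are strict greater-than comparisons.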
  • 23. Let’s look at a practical approach of how to implement this “stuff”
  • 24. Let’s explore the defense-in-depth strategy to understand where risk should be addressed.
• 26. Information Security/Assurance is a tricky game. It is by no means perfect and you can NEVER reduce risk to zero. This Defense-In-Depth strategy will help an organization reduce risk to an acceptable level if management is committed to the strategy.
• 27. Crucial for any Information Security Program
      Necessary in most of today’s markets
      Being compliant does not mean secure
      Being secure does not mean compliant
• 28. Information Security Policies
      Staff Responsibility Definitions (RACI)
      Security Standards and Guidelines
      Security Training
      Awareness Communications
      Policy Enforcement
      Security Monitoring Tools (Physical & Logical)
• 29. Vendor Management
      Penetration Testing
      Vulnerability Scanning
      Access Control Management
• 30. Data Center Hardening
      Physical Access Control Management
      Critical Building Hardening (non-data center)
      Internal Physical Security Officers
      Hostile Environment Prevention Program
      External Media Protection Program
      Paper-based Protection Program
• 31. Network Intrusion Prevention Program
      Virtual Networks
      Physical Compartmentalizing
      Penetration Testing
      Access Control Management
• 33. Code Review Program
      Information Security Readiness Review
      Penetration Testing Program
      Vulnerability Testing Program
• 35. This is not a perfect process. Information Security mixes science and art. Risk management and defense in depth are part science and part art. The goal is to try to reduce the impacts and likelihood of certain threats. Things WILL happen, but this program will make the best effort to minimize threats and impacts.
• 36. What did you get from this presentation?
      Do you think that this information is useful?
      Do you think you could apply this to your life and not just systems?