Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
5. Introductions
Sam BowerCraft
• Senior Manager in Internal Audit and Management Consulting Group
• Certified Information Systems Auditor (CISA)
• Security Consultant related to financial data, information systems, and assets.
• M.S. Information Systems
David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA
• 16+ years of experience
6. Objectives
• Understanding the importance of using a framework in your organization.
• How a framework can benefit an organization.
• NIST Cybersecurity Framework:
• The basic requirements for any organization.
8. An Exercise
• List all the areas of information technology and security that are important for your organization to consider and address.
9. Framework Benefits
• Structure
• Building from a pre-existing foundation
• Identify vulnerabilities
• Analyze or evaluate the risk associated with that vulnerability.
• Determine appropriate ways to eliminate or control the vulnerability.
• Efficiency: Cost Savings (time and dollars)
• Effectiveness
• Support
10. Framework Drawbacks
• While structure is good, understanding is better.
• Limitations:
• The framework versus your environment.
• “No battle plan survives contact with the enemy.”
- Helmuth von Moltke the Elder
• Clarity of Responsibility: you and the framework
11. Best Practices
NOT…
• An automated security mechanism or setting.
• A business practice.
• A theory or possibility. It is in place.
• The one best practice; it is not the best of all.
IS…
• A human practice or method to perform a process.
• Security related, helping to protect information, resources, or operations.
• Effective as shown by experience and results.
• Among the most effective practices used to perform this process.
12. Best Practices
From Worst to Best: Chevron says:
• Good Idea: Unproven. Intuitively makes sense, could be successful… requires analysis.
• Good Practice: Has improved results; supported by data and analysis.
• Local Best Practice: Best approach for large parts of the organization based on analysis of performance internally and some external review.
• Industry Best Practice: Best approach for large parts of the organization based on analysis of performance internally and externally.
13. Standard Operating Procedures
• Facilitate Communication
• Provide consistency
• Increase productivity
• Provide for cross training
• Help ensure things are done right.
15. Writing Things Down
• How is your memory?
• How long can you focus on one thing?
• Written goals result in more achievement.
• Reminders help focus… and keep track.
• Unburden your brain; de-clutter with a list / framework.
• Clearer thinking and being able to review… and communicate.
• Identify what needs your focus.
16. Security Risk Assessment
• Identify the potential inherent security risks.
• Assess the likelihood and significance of occurrence of the identified security risks (ranking of risks).
• Evaluate which users and departments are most likely to have a significant security event and identify the methods they are likely to use.
• Identify and map existing preventive and detective controls to the relevant security risks (framework).
• Evaluate whether the identified controls are operating effectively and efficiently.
• Identify and evaluate residual security risks resulting from ineffective or nonexistent controls.
• Respond to residual security risks.
17. Approach Comparisons
Prescriptive
• Scope the environment.
• Do these things.
• Evaluate control responses.
  • Design
  • Operation
• Remediate/update controls.
• Repeat.
Risk Based
• Scope the environment.
• Evaluate vulnerabilities.
• Rank risks.
• Evaluate control responses.
  • Design
  • Operation
• Remediate/update controls.
• Repeat.
18. After the Risk Assessment
• The Risk Assessment may reveal certain residual risks that have not been adequately mitigated due to lack of, or non-compliance with, appropriate preventive and detective controls.
• The security professional works with the client to develop mitigation strategies for any residual risks with an unacceptably high likelihood or significance of occurrence.
• Responses should be evaluated in terms of their costs versus benefits and in light of the organization's level of risk tolerance.
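The risk assessment steps from slides 16 and 18, worked through as an added example that is not part of the presentation: a small risk register that ranks inherent risk by likelihood times significance, maps controls to the NIST CSF subcategory IDs the deck cites, lowers the score only for controls that tested effective, and flags residual risks above a stated risk tolerance for response. The 1-5 scales, the one-step-per-effective-control reduction rule, and the sample risks are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    csf_id: str        # NIST CSF subcategory the control maps to, e.g. "PR.AC-4"
    kind: str          # "preventive" or "detective"
    effective: bool    # outcome of testing the control's design and operation

@dataclass
class Risk:
    name: str
    likelihood: int    # assumed scale: 1 (rare) .. 5 (almost certain)
    significance: int  # assumed scale: 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.significance

    def residual(self) -> int:
        # Assumed rule: each effective control lowers likelihood one step (floor 1);
        # ineffective or missing controls leave the inherent score untouched.
        steps = sum(1 for c in self.controls if c.effective)
        return max(1, self.likelihood - steps) * self.significance

def rank_risks(risks):
    """Step 2: rank identified risks by inherent score, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.inherent(), reverse=True)]

def control_gaps(risks):
    """Step 6: risks whose mapped controls are ineffective or nonexistent."""
    return [r.name for r in risks if not any(c.effective for c in r.controls)]

def needs_response(risks, tolerance):
    """Step 7: residual risks above the organization's tolerance need a response."""
    return [r.name for r in risks if r.residual() > tolerance]

def sample_register():
    # Constructed sample data; the CSF IDs are the ones listed on slide 36.
    return [
        Risk("Unmanaged remote access", 4, 5, [Control("PR.AC-3", "preventive", True)]),
        Risk("Excess user privileges", 3, 4, [Control("PR.AC-1", "preventive", True),
                                              Control("PR.AC-4", "preventive", True)]),
        Risk("Untrained users", 5, 3, [Control("PR.AT-1", "preventive", False)]),
        Risk("Uninventoried devices", 3, 3, []),  # ID.AM-1 not yet implemented
    ]

if __name__ == "__main__":
    reg = sample_register()
    print("Ranked by inherent risk:", rank_risks(reg))
    print("Control gaps:", control_gaps(reg))
    print("Respond to (tolerance 9):", needs_response(reg, tolerance=9))
```

Note that "Untrained users" keeps its full inherent score: a control that exists on paper but fails testing counts the same as no control, which is exactly the residual-risk case slide 18 describes.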
21. Categories of Cybercrime
• Individual: This type of cyber crime can be in the form of cyber stalking, distributing pornography, trafficking and “grooming.”
• Property: In this case, they can steal a person’s bank details and siphon off money; misuse the credit card to make numerous purchases online; run a scam to get naïve people to part with their hard-earned money; use malicious software to gain access to an organization’s website or disrupt the systems of the organization.
• Government: Crimes against a government are referred to as cyber terrorism. If successful, this category can wreak havoc and cause panic amongst the civilian population.
22. Combating Cybercrimes
• Security Hardware
• Security Software
• Security Awareness
• Working alongside other businesses
• Working with government agencies
23. Query
• Are you willing to operate your information technology environment in an ad hoc and informal manner given the risks in the world today related to cybersecurity?
26. Cybersecurity - Basics
• IT Environment Inventory
• What do you need to protect?
• What data does it house?
• Risk Assessment
• What risks do you face?
• What vulnerabilities do you have?
• Structure
• Framework/roadmap
• Checklist
• Continuous Improvement
28. NIST Cybersecurity Framework
• What is the framework?
• In 2013, President Obama issued Executive Order 13636, which directed NIST to work with stakeholders in developing a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks... (not just for government agencies)
36. NIST Cybersecurity Controls
• ID.AM-1: Physical devices and systems within the organization are inventoried.
• ID.AM-4: External information systems are catalogued.
• ID.GV-1: Organizational information security policy is established.
• ID.RA-1: Asset vulnerabilities are identified and documented.
• ID.RA-4: Potential business impacts and likelihoods are identified.
• ID.RA-6: Risk responses are identified and prioritized.
• PR.AC-1: Identities and credentials are managed for authorized devices and users.
• PR.AC-3: Remote access is managed.
• PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
• PR.AT-1: All users are informed and trained.
• PR.AT-2: Privileged users understand roles & responsibilities.
• PR.IP-6: Data is destroyed according to policy.
• PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
* This is a sample.
37. SANS Top-20 Critical Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Security Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
20. Penetration Tests and Red Team Exercises (validated manually)
41. Documents
• https://www.nist.gov/cyberframework
• NIST Cybersecurity Framework website
• http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf
• Maturity model
• https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
• SANS Top 20 Critical Security Controls
42. Questions?
Sam BowerCraft
• Senior Manager in Internal Audit and Management Consulting Group
• Certified Information Systems Auditor (CISA)
• M.S. Information Systems
• SBowerCraft@macpas.com
David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA
• DHammarberg@macpas.com