Cervone uof t - nist framework (1)

36 views

Published on

Cybersecurity Symposium


  1. Cybersecurity: Understanding Organizational Exposures
     Frank Cervone, PhD, Executive Director for Information Services and College Information Security Officer, University of Illinois at Chicago School of Public Health, June 11, 2019
  2. The real underside
     Image courtesy of Alex Cornell (twitter.com/alexcornell)
  3. Quick intros: Who are you? What is your biggest security concern?
  4. Common misunderstandings
     • I have antivirus software, so I’m good
     • Security is the IT department‘s problem
     • Security isn’t a problem with Macs (https://support.apple.com/en-us/HT201222)
     • I don’t have anything on my computer anyone would want
  5. Cybersecurity is not an “IT problem”: it’s all about whether an organization can survive
  6. This is what we are trying to avoid
  7. It’s about managing risk
  8. Risk varies depending on context
  9. Any organization can be a target
     Image courtesy of CNN Money
  10. Attacks are sophisticated
     https://thehackernews.com/2015/06/Stegosploit-malware.html
  11. Greatest organizational exposures
     Where we think the exposures are:
     • Cloud-based systems
     • Network
     • Applications
     • Servers
     Where the greatest threats lie:
     • E-mail
     • Mobile devices
     • Internet of Things
     Source: 2018 HIMSS Cybersecurity Survey
  12. What is the greatest threat? We need to align security with the organizational culture and define acceptable working norms
  13. Context of the threat environment: today’s threats are far more complex than most people realize
  14. Why antivirus software?
     • Examines the computer for infections
     • Monitors computer activity
     • Scans new files to ensure they do not contain a virus
     • Cleans, quarantines, or deletes infected files
  15. How does it work?
     • Static analysis
     • Matches known virus patterns
     • Uses a virus scanning engine
     • Database of known virus signatures
     • A match between a signature and a file may indicate an infection
  16. Why is it not enough?
     • If scanning is not in real time, malware can get through
     • Vendors must constantly search for new viruses
     • Vendors cannot keep up with the sheer number of new attacks
     • Signature files must be kept up to date
     • Most attacks today are not “virus” based
  17. RAT (Remote Access Trojan)
  18. Hoax system software
  19. Fake browser updates
  20. Fake virus cleaning software
  21. Ransomware
  22. Ransomware
  23. Legal deception
  24. Things are bad, but we’re here to help
  25. Crypto-malware
  26. IoT
  27. IoT raises many issues
     • Many devices have no ability to be updated
     • Therefore, it is impossible to address security vulnerabilities
     • Often long gaps between security updates
     • Difficulty of applying security updates
  28. Backdoors
  29. Dumpster diving
  30. Password fails
     • 123456
     • 123456789
     • qwerty
     • password
     • 111111
     • 12345678
     • abc123
     • 1234567
     • password1
     • 12345
     • Iloveyou
     • monkey
     • dragon
     • blink182
  31. Security practice is constantly evolving
     1. Work0923
     2. Th1s1s3as1lyGu3223dPassw0rd
     3. Zr9@c&cRw!Ac
     4. Would you like to know a secret?
     5. Brown marble black flecks ick
  32. 2-factor authentication
     • Something you know
     • Something you have
     • Something you are
  33. Security concepts have changed
  34. VPN required for access
  35. Zero-trust • Role-based security • Least-privileged access
  36. Approaches to fighting ransomware
     • Removal of administrative privilege
     • Whitelisting applications
     • Offline backups
     • Scanning for signatures
     • Network penetration tests
  37. NIST Cybersecurity Framework: basis for sound security practice
  38. NIST Cybersecurity Framework: voluntary • risk management • standards • guidelines • best practices
  39. NIST Cybersecurity Framework
  40. Identify: develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
     • Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
     • Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
     • Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
     • Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
     • Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
  41. Protect: develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
     • Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
     • Awareness and Training (PR.AT): Personnel are provided cybersecurity education and are trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
     • Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
     • Information Protection Processes and Procedures (PR.IP): Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets.
     • Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
     • Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
  42. Detect: develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
     • Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
     • Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
     • Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
  43. Respond: develop and implement the appropriate activities to take action regarding a detected cybersecurity event
     • Response Planning (RS.RP): Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.
     • Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
     • Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
     • Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
     • Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
  44. Recover: develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
     • Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
     • Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
     • Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
  45. Levels of adoption
     Tier 1 – Partial
     • Not formalized
     • Ad hoc
     • Often reactive
     • Limited awareness of cybersecurity risk management
     Tier 2 – Risk-Informed
     • Organization-wide awareness of risk
     • Policies may exist
     • Handles risks as they happen
     Tier 3 – Repeatable
     • A formal organizational risk management process is followed by a defined security policy
     Tier 4 – Adaptable
     • Cybersecurity policy adapts based on lessons learned and analytics
     • Constant learning from the security events that occur
     • Information is shared with a larger network
  46. Matrix of capability (which framework categories are typically in place at each tier)
     Tier | Identify       | Protect        | Detect         | Respond               | Recover
     1    |                | PR.IP, PR.PT   | DE.CM, DE.DP   | RS.CO, RS.MI, RS.IM   | RC.IM, RC.CO
     2    | ID.RA, ID.RM   | PR.MA          | DE.AE          | RS.AN, RS.RP          | RC.RP
     3    | ID.BE, ID.GV   | PR.AT, PR.DS   |                |                       |
     4    | ID.AM          | PR.AC          |                |                       |
  47. Developing a cybersecurity program
  48. Flow of security maturity: Cybersecurity Risk Assessment → Disaster Recovery → Business Continuity Management
  49. Risk Assessment: identify vulnerabilities and areas of concern; basis for developing policy
  50. Risk management is multi-tiered
     • Organization: strategic risk management
     • Mission/Business: tactical approach to risk
     • Information Systems: focus on integrity and recovery
  51. Threat assessment
     • Malicious internal: disgruntled employees
     • Malicious external: hacker groups – hacktivists/cybercriminals
     • Nonmalicious external: errors of suppliers and vendors
     • Nonmalicious internal: human errors of commission and omission
  52. Likelihood
     • Definite: more than 80% likely to occur
     • Likely: 60-80% chance of occurrence
     • Occasional: near 50/50 probability of occurring
     • Seldom: low probability of occurrence (10-40%), cannot be ruled out completely
     • Unlikely: rare and exceptional risks, less than 10% chance
  53. Impact
     • Insignificant: near negligible amount of damage
     • Trivial: the extent of damage is not too significant, unlikely to make much of a difference to overall operations
     • Moderate: not a great threat, but likely moderately disruptive
     • Critical: significant consequences, significant loss, or disruption
     • Catastrophic: could completely shut down operations or cause long-term disruption
  54. Risk analysis matrix (cell = likelihood score × impact score)
     Likelihood \ Impact | Insignificant (1) | Trivial (2) | Moderate (3) | Critical (4) | Catastrophic (5)
     Unlikely (1)        | 1                 | 2           | 3            | 4            | 5
     Seldom (2)          | 2                 | 4           | 6            | 8            | 10
     Occasional (3)      | 3                 | 6           | 9            | 12           | 15
     Likely (4)          | 4                 | 8           | 12           | 16           | 20
     Definite (5)        | 5                 | 10          | 15           | 20           | 25
  55. Risk control matrix
     Columns: NAME | OBJECTIVE | REF/ID | RISK | RISK IMPACT | RISK LIKELIHOOD | TOTAL RISK SCORE
     Example risks to score:
     1. Someone receives a phishing e-mail and clicks on the link
     2. Someone downloads unauthorized software
     3. A server administrator does not use unique passwords for each server
     4. An employee data file is accidentally uploaded to a web server
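The Likelihood, Impact, Risk analysis matrix and Risk control matrix slides describe one scoring procedure: map an estimated probability to a 1-5 likelihood level, pick a 1-5 impact level, multiply, and rank the register. The following Python script is an added example, not code from the presentation; it implements that procedure for the four risks listed on the Risk control matrix slide. The slide gives percentage bands for four likelihood levels but describes "Occasional" only as "near 50/50", so the 40-60% band, the High/Medium/Low reading of the matrix, and the impact and probability estimates for the sample register are assumptions made for the illustration.

```python
"""Risk scoring from the likelihood/impact slides (added example, not from the deck)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def likelihood_level(probability: float) -> Tuple[str, int]:
    """Map an estimated probability (0.0-1.0) to the slide's (label, score 1-5).

    Bands from the slide: Definite > 80%, Likely 60-80%, Seldom 10-40%,
    Unlikely < 10%. The 40-60% band for "Occasional" (described only as
    "near 50/50") is an assumption that fills the gap between the others.
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if probability > 0.80:
        return ("Definite", 5)
    if probability >= 0.60:
        return ("Likely", 4)
    if probability >= 0.40:
        return ("Occasional", 3)   # assumed band
    if probability >= 0.10:
        return ("Seldom", 2)
    return ("Unlikely", 1)


# Impact levels from the Impact slide, scored 1-5 as on the risk analysis matrix.
IMPACT_SCORE: Dict[str, int] = {
    "Insignificant": 1, "Trivial": 2, "Moderate": 3, "Critical": 4, "Catastrophic": 5,
}


def risk_score(likelihood: int, impact: int) -> int:
    """One cell of the 5x5 risk analysis matrix: likelihood score x impact score."""
    for value in (likelihood, impact):
        if value not in range(1, 6):
            raise ValueError("scores must be between 1 and 5")
    return likelihood * impact


def analysis_matrix() -> List[List[int]]:
    """The full 5x5 matrix; row index = likelihood-1, column index = impact-1."""
    return [[risk_score(l, i) for i in range(1, 6)] for l in range(1, 6)]


def risk_band(score: int) -> str:
    """Assumed reading of the matrix; the slides define no bands."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    ref_id: str
    name: str
    objective: str
    impact: str          # key of IMPACT_SCORE
    probability: float   # estimated chance of occurrence in the review period


def score_risks(risks: List[Risk]) -> List[dict]:
    """Fill the risk control matrix rows and sort by total risk score, highest first."""
    rows = []
    for r in risks:
        label, l_score = likelihood_level(r.probability)
        i_score = IMPACT_SCORE[r.impact]
        total = risk_score(l_score, i_score)
        rows.append({
            "ref_id": r.ref_id, "name": r.name, "objective": r.objective,
            "impact": f"{r.impact} ({i_score})", "likelihood": f"{label} ({l_score})",
            "total": total, "band": risk_band(total),
        })
    rows.sort(key=lambda row: row["total"], reverse=True)
    return rows


# Constructed sample register: the four risks named on the slide with
# illustrative (assumed) objectives, impact levels and probability estimates.
SAMPLE_RISKS = [
    Risk("R1", "Someone receives a phishing e-mail and clicks on the link",
         "Protect credentials and endpoints", "Critical", 0.85),
    Risk("R2", "Someone downloads unauthorized software",
         "Maintain the approved software baseline", "Moderate", 0.65),
    Risk("R3", "A server administrator does not use unique passwords for each server",
         "Limit lateral movement between servers", "Catastrophic", 0.30),
    Risk("R4", "An employee data file is accidentally uploaded to a web server",
         "Protect confidentiality of personnel data", "Critical", 0.15),
]

if __name__ == "__main__":
    for row in score_risks(SAMPLE_RISKS):
        print(f"{row['ref_id']} {row['total']:>2} {row['band']:<6} "
              f"{row['likelihood']:<15} {row['impact']:<18} {row['name']}")
```

Running the script prints the register ranked by total score (R1 scores 20, R2 12, R3 10, R4 8 with the sample estimates). The point of the ranking is that a rarely occurring but catastrophic risk such as shared administrator passwords can outrank a frequent, moderate one, which is why both axes are scored rather than likelihood alone.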
  56. How is risk addressed?
     • Senior management involvement?
     • IT understanding?
     • Knowing the baseline
     • Documenting the network
     • Aligned technology
     • Why is Xbox allowed on staff PCs?
     • What is the organizational culture?
     • High risk taking
  57. Organizational culture is key
  58. Comprehensive incident response and continuity planning: how do we fix things when stuff goes wrong?
  59. Disruption scenarios
     • Damage to or breakdown of systems or equipment
     • Physical damage to a building
     • Interruption of the supply chain
     • Restricted access to a site or building
     • Utility outage
  60. Response and continuity steps: Prepare → Identify → Contain → Eradicate → Recover → Review
  61. Prepare
     • The incident handling team should include security officers, system analysts and human resources personnel
     • A system backup plan should be in place
     • Personnel involved should be trained at an appropriate level (basic business continuity principles)
     • Contact information should be defined and available as hard copy:
       – Personnel that might assist in handling an incident
       – Key partners who may need to be notified
       – Business owners to make key business decisions
       – Outside support analysts with security expertise
     • Supplies to assist the team in the event of an incident (jump bag):
       – An empty notebook
       – Boot media to analyze hard drives and recover passwords
       – Petty cash (food, cabs, batteries as needed)
  62. Identify
     • Issue identification can originate from many sources: staff, end users, external partners
     • Declare that an adverse risk exists:
       – Assemble the team and implement the plan
       – Save all key system files or records
       – Start detailed documentation as soon as possible
     • Decide what the goals are in handling a particular incident: immediate business recovery, or forensic examination
  63. Contain
     • Basic procedures can contain many incidents; specific procedures will depend on the nature of the incident
     • Basic steps to consider include:
       – Obtain and analyze as much system information as possible, including key files and possibly a backup of the compromised machine for later forensic analysis
       – Powering off a machine might lose data and evidence
       – Disconnect the network cable / disable wireless to facilitate containment and forensic activity
     • If one machine has been exploited, others are likely vulnerable:
       – Download security patches from vendors
       – Update antivirus signatures
       – Close firewall ports
       – Disable compromised accounts
       – Change passwords as appropriate
  64. Eradicate
     • Will frequently depend on the nature of the incident
     • Boot media should be used to access data on compromised machines, since rootkits might affect basic system-level utilities
     • If the operating system has been compromised, it needs to be rebuilt
     • Test any backups prior to restore and monitor for a new incident
     • Document everything
  65. Recover
     • Goal is to return safely to production; specific actions depend on the nature of the incident
     • Retest the system
     • Consider timing of the return to production
     • Discuss customer notification and their concerns
     • Discuss media handling issues
     • Continue to monitor for security incidents
  66. Worst case scenario
     • Full data loss
     • Don’t just focus on recovery for the most obvious "disasters"
  67. Review
     • To better handle future security incidents
     • A final report describing the incident and how it was handled
     • Suggestions for handling future incidents
  68. Testing the plan
     • Table-top exercise: occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented in it
     • Structured walk-through: each team member walks through his or her components of the plan with a specific disaster in mind to identify weaknesses; drills and disaster role-playing can be incorporated; weaknesses are identified and corrected, and the plan is updated
     • Disaster simulation testing: create an environment that simulates an actual disaster, with all equipment, supplies and personnel (including partners and vendors) who would be needed, to determine whether you can carry out critical business functions during the event
  69. Table-top exercise
     • Set a scenario for discussion
     • Developed in advance
     • Not super technical
     • Discuss vulnerabilities and possible scenarios
     • Has representation from all areas
     • Limit to about an hour
  70. Effective metrics
  71. Typical KPIs
     • Computer patching policy compliance
     • Mean time to patch critical/urgent issues
     • User security awareness training engagement
     • Virus infection activity (real-time notification)
     • Disaster recovery test results
     • Number of security policies and standards that have been fully implemented and adopted
     • Network probing attempts
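The first two KPIs on the slide, patching policy compliance and mean time to patch critical/urgent issues, are only meaningful if the measurement rule is pinned down: which severities count, what the clock starts and stops on, and how still-unpatched assets are treated. The script below is an added example, not from the presentation, that computes both KPIs from a constructed set of patch records. It assumes a 7-day SLA, counts the time from vendor release to installation, and treats an unpatched asset whose SLA window has expired as non-compliant and overdue; the record set and dates are made up for the illustration.

```python
"""Patching KPIs from a small patch register (added example, not from the deck)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Severities that count toward the "critical/urgent" KPIs on the slide.
CRITICAL_SEVERITIES = ("critical", "urgent")


@dataclass
class PatchRecord:
    asset: str
    severity: str
    released: date            # date the vendor released the fix
    applied: Optional[date]   # None means the patch is still not installed

    def __post_init__(self) -> None:
        if self.applied is not None and self.applied < self.released:
            raise ValueError(f"{self.asset}: applied before the fix was released")

    @property
    def is_critical(self) -> bool:
        return self.severity.lower() in CRITICAL_SEVERITIES


def mean_time_to_patch(records: List[PatchRecord]) -> Optional[float]:
    """Mean days from release to installation for critical/urgent patches.

    Unpatched records are excluded here on purpose: they are reported through
    the compliance rate and overdue list instead, so the mean stays comparable
    between reporting periods.
    """
    durations = [(r.applied - r.released).days
                 for r in records if r.is_critical and r.applied is not None]
    if not durations:
        return None
    return sum(durations) / len(durations)


def sla_compliance_rate(records: List[PatchRecord], sla_days: int, as_of: date) -> Optional[float]:
    """Fraction of critical/urgent patches that meet the SLA as of the report date.

    Compliant: applied within sla_days of release, or not yet applied but the
    SLA window has not expired yet. Everything else is non-compliant.
    """
    in_scope = [r for r in records if r.is_critical]
    if not in_scope:
        return None
    compliant = 0
    for r in in_scope:
        if r.applied is not None:
            compliant += (r.applied - r.released).days <= sla_days
        else:
            compliant += (as_of - r.released).days <= sla_days
    return compliant / len(in_scope)


def overdue_assets(records: List[PatchRecord], sla_days: int, as_of: date) -> List[str]:
    """Assets with a critical/urgent patch still missing past the SLA window."""
    return sorted(r.asset for r in records
                  if r.is_critical and r.applied is None
                  and (as_of - r.released).days > sla_days)


# Constructed sample register (assumed data, not from any real environment).
AS_OF = date(2019, 5, 20)
SLA_DAYS = 7
SAMPLE_RECORDS = [
    PatchRecord("srv-01", "critical", date(2019, 5, 1), date(2019, 5, 4)),   # 3 days
    PatchRecord("srv-02", "critical", date(2019, 5, 1), date(2019, 5, 10)),  # 9 days, late
    PatchRecord("ws-07", "urgent", date(2019, 5, 3), date(2019, 5, 5)),      # 2 days
    PatchRecord("ws-09", "critical", date(2019, 5, 3), None),                # still open
    PatchRecord("srv-03", "low", date(2019, 4, 20), date(2019, 5, 15)),      # out of scope
]

if __name__ == "__main__":
    print(f"Mean time to patch (critical/urgent): {mean_time_to_patch(SAMPLE_RECORDS):.1f} days")
    print(f"Patching SLA compliance: {sla_compliance_rate(SAMPLE_RECORDS, SLA_DAYS, AS_OF):.0%}")
    print(f"Overdue assets: {overdue_assets(SAMPLE_RECORDS, SLA_DAYS, AS_OF)}")
```

With the sample data the mean time to patch is 4.7 days while compliance is only 50%, which shows why the two KPIs belong together on a report: a healthy average can hide a late server and an asset that has not been patched at all.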
  72. Example security compliance report
  73. Employee awareness campaign, i.e., security training
  74. Actually kind of controversial
     • Security training is ineffective and a waste of time and money
     • Security training is our best offense against a major incident that could easily be avoided
  75. Required by law
     • HIPAA: Security awareness training requirements for all workforce members. New workforce members must be trained within a reasonable time period. Must include periodic security updates.
     • Gramm-Leach-Bliley Act (GLBA): Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; provide staff members with instruction about computer security; train staff to properly dispose of customer information.
     • Massachusetts’s Data Security Law: Requires training focused on reasonably foreseeable risks to the security, confidentiality, and/or integrity of personal information. Must be ongoing and cover permanent, temporary, and contract employees.
     • Federal Information Security Management Act (FISMA): Requires federal agencies to establish a security awareness training program. Must include contractors and “other users of information systems” that support the agency.
  76. Required by standards
     • Payment Card Industry Data Security Standard (PCI-DSS): Developed by the credit card industry’s PCI council. PCI-DSS 12.6 requires that organizations implement a formal security awareness training program to make all personnel aware of the importance of cardholder data security. Personnel must be trained upon hire and at least annually.
     • ISO/IEC 27002: Provides guidance on information security management in organizations. Contains the requirement that all employees receive data security awareness training.
     • NIST Special Publication 800-53: Federal agencies look to NIST 800-53 to guide their rulemaking and enforcement. Security awareness training and security awareness techniques are based on the specific organizational requirements and the information systems to which personnel have authorized access.
  77. Basic topics security training should cover: phishing, social engineering, malware, passwords, use of portable devices, physical access, data destruction, encryption, data breaches
  78. Make it fun
  79. Catch people’s attention
  80. Phish training
  81. Resources for training
     • HHS - http://irtsectraining.nih.gov/publicUser.aspx
     • SANS CyberAces - http://www.cyberaces.org/courses/
     • FEMA - https://www.firstrespondertraining.gov/ntecatalog
  82. Resources for cybersecurity and business continuity
     • Small Business Information Security: The Fundamentals – https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
     • Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1 – https://www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative
       Two very useful worksheets: BCEB Categories 1-7 Questions and Notes Only; BCEB Self-Analysis Worksheet
     • Professional Practices for Business Continuity Professionals – https://drii.org/resources/professionalpractices/EN
  83. Web resource centers
     • CERT – http://www.cert.org/ – information on security vulnerabilities
     • Incident Response Consortium – https://www.incidentresponse.com/ – resource for creating security policies and planning for incident response
     • IAPP – https://www.iapp.org – International Association of Privacy Professionals