Crafting a Cybersecurity Strategy that Works
Texas Association of Broadcasters August 2016
Chris Homer
PBS Technology & Operations
Cybersecurity Strategy for Broadcasters
• Summary
– Broadcast Industry Challenges
– Understanding Risk
– NIST Framework
– How to establish a Cybersecurity Strategy
Broadcast Industry Challenges
• Broadcast Networks
– Emergency Alert Systems
– News & Weather, Production, Graphics
– Traffic & Scheduling
– Playout & Automation Systems
– STL transport & Broadcast (spokes & hubs)
• EAS Equipment
– Common Alerting Protocol
• September 30 2011 FEMA
• eXtensible Markup Language (XML) standard
– May be tied to local, state & FEMA Networks
News Weather Production & Graphics
• News Room Computer Systems (NRCS)
• Non-Linear Editing Systems (NLEs)
• Graphics Systems
• Wire Services, Pool Feeds, Bonded Cellular
• Closed Captioning via IP
Traffic & Scheduling
• Sales Tools
• Traffic Scheduling
• Schedule Import
• Programming
• BXF Export to Automation
Playout & Automation Systems
• Playout Servers (Channel in a Box)
• Automation Systems
• IP Playout
• Storage Area Networks (SAN/NAS)
• Library Systems (Disk, Tape, Cloud)
STL or Spoke & Hub
• IP over Microwave
• Network Spoke & Hub Connectivity
Broadcast Industry Challenges
• Networks (Enterprise or Corporate)
– Enterprise Resource Planning (ERP)
– Finance
– Sales
– Research
– Intranet/Extranet
– Human Resources/Community Service
Finance & Accounting Systems
• Finance
• Accounting
– Accounts Payable
– Accounts Receivable
• Purchasing
Broadcast Industry Challenges
– News Data
– Finance & Sales
– Traffic & Scheduling
– File Based Workflow
– Viewer Data
– Social Media Data
News
• Laptops & Thumb drives
• NRCS Rundowns
• Non-Linear Editing Systems
• Wire Services
Finance Sales & Admin
• Human Resources/Employee Data
• ERP Financial Data
Traffic & Scheduling
• Contracts & Deals
• Programming Grids
• Schedules
File Based Workflow
• Media
• Graphics
• Meta Data/RDS
• Marketing Content (Posters, Ads)
• Web Based Content
Community Services/Viewer Data
• Local Events Charities
• Nielsen Data
• Viewer Data
• Social Media Content
Cybersecurity Journey
• Understanding the Risks
• Cyber Attack Chain Model
• FCC CSRIC IV Report
• NIST Cybersecurity Framework
Understanding the Risks
• Dead Air
• Impact to Resources
• Loss of Revenue
• Embarrassment
• Potential liability
• Breach of employee, viewer or advertiser data
Types of Attacks (7 of 10)
Type: Definition
• Web App Attack: Attacks on the vulnerabilities and authentication of the web application layer, such as unvalidated redirects, cross-site request forgery, cross-site scripting and others.
• Point-of-Sale: Remote attacks against the environments where card transactions are conducted.
• Insider Misuse: Internal or partner misuse of resources.
• Physical Theft & Loss: Loss of an information asset where the data is more valuable than the asset itself.
• Crimeware: Use of malware followed by ransomware.
• Cyber-espionage: Access to state or corporate sensitive data.
• Denial of Service: Any attack to compromise network or system availability.
*2016 Data Breach Investigation Report-Verizon
A Cyber Attack Chain Model
Step: Description
• Reconnaissance & Probing
– Find target
– Harvest information (email, conference listings, public lists, etc.)
• Delivery & Attack
– Place delivery mechanism online
– Use social engineering to induce target to access malware or other exploits
• Installation & Exploitation
– Exploit vulnerabilities on target systems to acquire access
– Elevate user privileges and install additional “tools”
• Compromise & Expansion
– Exfiltration of data
– Use compromised systems to exploit additional systems
[Diagram labels: Local Broadcast TV Station; Local Broadcast Radio Station; Central Broadcast TV Hub]
Model for Hardened Station
[Diagram labels: DAM; Extra/Intra Net; Traditional IT (ERP, HR, Programming, Research); File Ingest; Enterprise Network; Public Web Sites; Internet; NRCS; Internal; Firewall; Station Playout; STL or WAN to Hub; General Users; Traffic Scheduling; Editing Graphics]
FCC CSRIC IV Working Group 4
• FCC CSRIC IV Working Group 4 Report on Cybersecurity for the Telecommunication Industry
• https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
• Roadmap for Telecommunication Industry
• Encourage Voluntary Action
• The Communications Security, Reliability and Interoperability Council IV Working Group 4, March 2015
• Segment Analysis
– Broadcasting
– Cable
– Wireless
– Wireline
– Satellite
FCC CSRIC IV Working Group 4
• Feeder Segments
– Cyber Ecosystem and Dependencies
– Top Threats and Vectors
– Framework Requirements and Barriers
– Small and Medium Business
– Measurements
FCC CSRIC IV Working Group 4
• Small/Medium Business
– Identifies what an SMB needs to protect, who has responsibility for a given task, and how an SMB can protect its critical infrastructure.
– Use cases from various segments.
– Identifies highest priority NIST Cybersecurity Framework subcategories for SMBs.
NIST Cybersecurity Framework
• Framework Core
• Framework Tiers
• Framework Profiles
• Link
• http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
NIST Cybersecurity Framework
• Framework Core
– Each item designed for desired outcome
– Function
– Category
– Sub-category
– Informative Reference
Framework Core Functions
• Identify
• Protect
• Detect
• Respond
• Recover
*Framework for Improving Critical Infrastructure Cybersecurity NIST-2014
Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
Protect
• Access Control
• Awareness and Training
• Data Security
• Maintenance
• Protective Technology
• Information Protection Processes/Procedures
Detect
• Anomalies & Events
• Detection Processes
• Security Monitoring
• SIEM
Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery Planning
• Improvements
• Communications
Framework Tiers
• Tier 1-Partial
• Tier 2-Risk Informed
• Tier 3-Repeatable
• Tier 4-Adaptive
Tier 1-Partial
• Lack of formal process
• Lack of awareness
• Unable to collaborate outside of organization
Tier 2-Risk Informed
• Formal process may exist within parts of the organization
• Some awareness but not organization wide
• May understand role but not formalized
Tier 3-Repeatable
• Formal process has become policy
• Organization wide approach
• Understands dependencies
Tier 4-Adaptive
• Continuous improvement
• Organization wide and has become part of the culture
• Has become a great partner outside the organization
Cyber Risk Management
• Executive
• Business Process
• Operations/Implementation
Executive
• Successful Implementation
– Required support at the highest level
– Buy-in from all stakeholders
– Continuous improvement
– Governance
Business Process
• Process to include
– Risk Planning
– Recovery Planning
– Communication & Training
Operations/Implementation
• Operations and Engineering
– Asset Management
– Change Management
– Incident Management
– Respond & Recover
Steps to Establish a Cybersecurity Program
• Prioritize & Orient
• Create Current Profile
• Perform Risk Assessment
• Create Target Profile
• Perform Gap Analysis
• Create Action Plan
Prioritize & Orient
• Prioritize
– Determine the scope of systems and assets that support the business.
• Orient
– Identifies assets, regulatory requirements, and overall risk approach.
Create Current Profile
• Create Current Profile
– Current categories/sub-categories
– e.g. Asset Management, User Control
Perform Risk Assessment
• Guided by Risk Management Process
• Analyze current environment
• Use pertinent and emerging data
Create Target Profile
• Create Target Profile
– Desired categories and sub-categories
– e.g. Security policy, monitoring service
– Customer and stakeholder requirements
Analyze & Prioritize Gaps
• Perform Gap Analysis
• Differences between current profile and target profile
• e.g. Lack of Governance, Process, Monitoring
Action Plan/Execute
• Create Action Plan
• Cost analysis
• Execute
• Repeat
Organizational Changes
• Governance
• Communication
• Culture
• Response
Conclusion
• Cybersecurity is:
– A Change of mindset & culture
– Supported at the highest level in organization
– Everyone’s responsibility
– Doable through use of process & technology
– Ongoing