CSO Magazine Confab 2013 Atlanta - Cyber Security


1. The Executive Order Defining the Internet Security Ecosystem
   Phil Agcaoili, April 2, 2013

2. Cyber what? Defining Cyber
  • Cyber space is the connected Internet ecosystem
  • Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyber space
  • DHS defined 18 Critical Infrastructure Sectors (CIKR): Food and Agriculture; Banking and Finance; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems; Water
  • Cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy
  • Cyber security is protecting our cyber space (critical infrastructure) from attack, damage, misuse, and economic espionage

3. Our physical infrastructure has become intertwined with and reliant on our cyber infrastructure
   Source: DHS, "Securing the Nation's Critical Cyber Infrastructure"

4. (no text)

5. Why the fear? Cyber Trends: Advanced
  • StuxNet, Duqu, Gauss, Mahdi, Flame, Wiper, Shamoon (Saudi Aramco)
  • SCADA network attacks
  • Advanced attacks on critical infrastructure

6. Cyber Trends: Not So Advanced
  • Insulin pumps, pacemakers, smart TVs, voting and elections, US drone fleet
  • SYMC, RSA, VRSN, Bit9, SNE, AMZN, AAPL, YHOO, LNKD, DoE

7. General Observations on Cyber Trends
  • Phishing and email
  • Exploitable links and browsers
  • Java, Flash, PDF, MS Office
  • A/V coverage
  • Android, iOS, Windows, and MacOS
  • Air gaps and removable media
  • Endpoint security
  • Security awareness
  • Security basics

8. A SHIFT: It's here

9. Expectations on Critical Infrastructure
  • S. 21, Cybersecurity and American Cyber Competitiveness Act of 2013. Sponsors: Senators Rockefeller (D-W.Va.), Carper (D-DE), Feinstein (D-CA), Levin (D-MI), Mikulski (D-MD), Whitehouse (D-RI), and Coons (D-DE)
  • H.R. 624, Cyber Intelligence Sharing and Protection Act (CISPA), 2013. Sponsors: Representative Rogers (R-MI) and 111 co-sponsors
  • It's unlikely that these will pass in 2013

10. Fact Sheet: Executive Order on Cybersecurity / Presidential Policy Directive on Critical Infrastructure Security and Resilience
   Presidential Executive Order 13,636
  • New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies
  • The development of a Cybersecurity Framework
  • Establishes a voluntary program to promote the adoption of the Framework
  • Calls for a review of existing cybersecurity regulation
  • Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles
   Presidential Policy Directive 21 (PPD-21)
  • Directs the government to identify the functional relationships across the government
  • Directs the government to develop an efficient situational awareness capability
  • Directs the government to address other information sharing priorities
  • Calls for a comprehensive research and development plan for critical infrastructure
   http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical

11. Highlights of Down Payment (roadmap)
  • February 12, 2013: Executive Order EO 13636 and PPD-21 issued; defines the roadmap. Focus areas for CIKR: Information Sharing; US Cybersecurity Framework Standards; Identifying Critical Infrastructure; Supply Chain; Sector-Specific Agencies and Sector Coordinating Councils; FBI and NCIJTF; Safe and Resilient Internet
  • 240 days (October 10): Draft of US Cybersecurity Framework
  • 1 year (February 12, 2014): Final US Cybersecurity Framework
  • 3 years: Agencies report on critical infrastructure

12. Highlights of Down Payment
  • Don't assume you're not in scope: "critical infrastructure" covers a lot of economic activity, and a lot of technology
  • Privacy concerns need to be addressed for information sharing
  • Department of Commerce, National Institute of Standards and Technology (NIST), and the Cybersecurity Framework: reduce cyber risks to critical infrastructure within one year; incorporate voluntary consensus standards and industry best practices to the fullest extent possible
  • Federal supply chain: partnerships and mandates
  • Open standards, technology neutral, risk-based assessments

13. (no text)

14. Keys to Cyber Security
  • Information Sharing: 1. Balance with privacy 2. One step at a time. One size does not fit all
  • Cybersecurity Framework: 1. Common definitions 2. Don't assume you're not in scope (think ecosystem) 3. Sector specific, risk-based framework using evidence with basic guidelines 5. Crawl, walk, run
  • Supply Chain: 1. Align with Cyber Framework 2. Provide assurance
  • Security is everyone's responsibility.

15. Don't Assume You're Not in Scope
  • Everyone with Information Technology is in scope (CIKR)
  • Security basics
  • Apply an evidence-based security model
  • Statistics by sector exist
  • Should threat model
  • Think ecosystem.

16. Threat Model: Your Role in the Cyber Space Ecosystem

17. Get the Point?

18. 2012 Top 20 ISO 27001 Mitigating Controls
   Ranking   Control     Number of times control mapped to a real-world security breach
   1         A.10.9.1    447
   2         A.10.9.2    447
   3         A.10.9.3    447
   4         A.8.2.2     184
   5         A.7.2.1     94
   6         A.7.2.2     94
   7         A.8.1.1     90
   8         A.8.1.2     90
   9         A.8.1.3     90
   10        A.8.2.1     90
   11        A.8.3.2     90
   12        A.8.3.3     90
   13        A.9.2.5     87
   14        A.11.7.1    87
   15        A.11.7.2    87
   16        A.9.1.1     50
   17        A.9.1.2     50
   18        A.9.2.1     50
   19        A.10.8.4    16
   20        A.10.8.3    15
   *Based on datalossdb.org and Privacy Rights Clearinghouse
   What standard are you following? What framework?
   Point security standards / controls:
  • PCI DSS: protects credit cards; 12 Requirements (domains); ~290 controls
  • HIPAA / HITECH: protects health information
  • NERC CIP
  • CSA Cloud Controls Matrix / Open Certification Framework
  • SANS 20 Critical Security Controls / CAG: international security standards; 20 controls (domains); mapped to ~150 NIST 800-53 controls
   Holistic security standard frameworks:
  • ISO/IEC 27001:2005: international security standards; 11 domains; 133 controls
  • FISMA: includes NIST 800-53; US government standard; 22 control families (domains); ~850 controls
  • COBIT 5
   Consensus Audit Guidelines (CAG)*: hardware asset management; software white listing and asset management; vulnerability management; configuration settings; anti-virus
   *Modified SANS 20 Critical Security Controls 2012 continuous monitoring policy issued by DHS

19. Simplify to Basic Security Guidelines Based on Evidence and Risk
  • We have developed the myth that technology can be an effective fortress
  • You cannot protect all your data
  • You cannot stop every attack
  • Therefore, don't protect everything
    • Protect the most important data and ensure services
    • Increase focus on closing the detection and response gap
    • Establish access norms and monitor for anomalies
  • Reduce your attack surface
    • Don't store/transmit what you don't need
    • Collapse to cores
    • Segregate and protect your most critical data
    • Protect cores really, really well
    • Treat all endpoints as hostile
  • Make small, targeted investments
    • Pass the Red Face Test
    • Reduce investments through integration: Antivirus (Forefront); Full Disk Encryption (Bitlocker)
    • Sector-based
    • Patch and harden configurations
    • Change default credentials and restrict/monitor privileged accounts
    • Secure development through application testing and code reviews
  • Increase awareness and change culture
    • Social engineering and phishing
    • Destroy and don't save what you don't need
  • Collect your own metrics and apply security as necessary with available industry evidence

20. Barriers to Implementing Basics
  • 2012 FISMA Report: the top reported cybersecurity challenges were: funding the administration's priority initiatives; cultural challenges; upgrading legacy technology; the current budget structure; acquiring skilled personnel
  • Define accountability (vendors and customers): customers are dependent on vendors; vendors rely on customers

21. Traditional Security is Insufficient
  • Advanced Persistent Threats
  • Empowered employees
  • Elastic perimeter
  • Trend Micro evaluations find over 90% of enterprise networks contain active malicious malware!
   Copyright 2012 Trend Micro Inc.

22. Risk-Based Approach Using Evidence: The REAL Big Data for Infosec

23. First, Define Risk
  • Partnership for Critical Infrastructure Security (PCIS) defined: Risk = Consequence (Impact ONLY!!!) NO!!!
  • General risk equation: Risk = Probability x Impact
  • Factor Analysis of Information Risk (FAIR): Risk = the probable frequency and probable magnitude of future loss
  • Many other definitions; let's pick one
  • Limitations of risk analysis: risk analysis is never perfect; all risk analysis models are approximations of reality; reality is far too complex to ever model exactly; any analysis model will be limited; sometimes you have enough information to make an informed decision ~SIRA
  • "Prediction is very difficult, especially about the future." ~Niels Bohr
  • Define: Risk Appetite

24. Second, Apply Evidence-Based Security (*abridged version of Moneysec)
  • Use industry data (evidence); use with [Moneysec] metrics
  • "You're not a beautiful snowflake." ~JPfost
  • Don't make emotional decisions
  • Recognize your bias
  • Collect the right data
  • Look for correlations
  • Set reasonable criteria for success
  • Don't overspend
  • "You can measure anything! Even intangibles." ~Douglas Hubbard
  • You don't always need to be exact
  • Reducing uncertainty adds value
  • Having just some data can go a long way to help a decision maker
  • Not all measures are equally important (80/20)
  • Track and trend performance over time
  • Benchmark performance vs. self (and peers)
  • All metrics are worthless unless you do something with them

25. Mandiant M-Trends 2013 Threat Report

26. Mandiant M-Trends 2013 Threat Report

27. 2012 Verizon Data Breach Investigations Report (DBIR)
  • 5th year of public releases, starting in 2008
  • 7 total reports (mid-year supplementals in 2008 and 2009)
  • Dataset now contains 8 years of data

28. 2012 Verizon Data Breach Investigations Report (DBIR); 2012 Trustwave Global Security Report
   In tho
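As an added worked example (not from the deck or its author), the FAIR definition on slide 23, risk as the probable frequency and probable magnitude of future loss, can be turned into a Monte Carlo estimate of annual loss that a stated risk appetite is checked against, alongside the closed-form "probability x impact" figure. The loss frequency, the calibrated 90% interval for loss magnitude, the appetite figure and the Poisson/lognormal modelling choices are this example's constructed assumptions, not the deck's.

```python
import math
import random
from statistics import mean

Z90 = 1.6449  # z-score bounding a 90% interval (5% in each tail)

def lognormal_params(low, high):
    """Map a calibrated 90% interval for one loss event's magnitude onto
    lognormal (mu, sigma); a Hubbard-style calibration, assumed here."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return mu, sigma

def expected_annual_loss(freq_per_year, low, high):
    """Closed form of 'probability x impact': loss event frequency times the
    lognormal mean magnitude exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(low, high)
    return freq_per_year * math.exp(mu + sigma * sigma / 2.0)

def poisson(rng, lam):
    """Number of loss events in one year, sampled with Knuth's algorithm."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_annual_loss(freq_per_year, low, high, trials=20000, seed=7):
    """FAIR-style annual loss: events/year ~ Poisson(freq), each event's
    magnitude ~ lognormal fitted to [low, high]; one total per trial."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(low, high)
    return [sum(rng.lognormvariate(mu, sigma)
                for _ in range(poisson(rng, freq_per_year)))
            for _ in range(trials)]

def risk_summary(losses, risk_appetite):
    """Expected loss, 95th-percentile loss and whether that tail exceeds appetite."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * len(ordered))]
    return {"expected_annual_loss": mean(losses), "loss_95th_percentile": p95,
            "exceeds_appetite": p95 > risk_appetite}

if __name__ == "__main__":
    # Constructed inputs: about 2 loss events a year, each $50k-$500k (90% CI)
    losses = simulate_annual_loss(2.0, 50_000, 500_000)
    print("closed form:", round(expected_annual_loss(2.0, 50_000, 500_000)))
    print(risk_summary(losses, risk_appetite=750_000))
```

The gap between the expected loss and the 95th-percentile loss is what a consequence-only or single-point "probability x impact" figure hides, and it is the tail, not the mean, that a risk appetite is usually set against.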