Cybersecurity A Common Sense Approach Leveraging Frameworks

Cybersecurity - cdn.ymaws.com… · What if we add the word cyber? Cyber Risk Assessment Cyber Gap Assessment Cyber Roadmap / Action Plan Cyber Security Posture Evaluation Vulnerability


Page 1

Cybersecurity

A Common Sense Approach Leveraging Frameworks

Page 2

Weaver

Page 3

Raveen Bhasin

• CISM, CISA, ITIL, CSM
• Manager with Weaver’s IT Advisory Services practice
• A decade of experience in IT risk advisory services and attestation engagements including two years each with Deloitte & Touche and KPMG
• Extensive experience in software selection, platform design and implementation reviews, including SDLC process assessments focused on Agile, Scrum, Kanban and traditional Waterfall methodologies

Page 4

Trip Hillman

• CISSP, CISA, CEH, GPEN, GCFE, GSNA
• Senior Manager with Weaver’s IT Advisory Services practice
• Focused on Cyber Security
  – Strategy and Transformation
    • Risk Assessments
    • Gap Analysis
    • Strategy Roadmaps
    • Compliance (PCI, FISMA, HIPAA, EI3PA)
  – Cyber Ops
    • Vulnerability Assessment
    • Penetration Testing
    • Social Engineering
    • Incident Response

Page 5

Disclaimer

• The comments and statements in this presentation are the opinions of the speakers and do not necessarily reflect the opinions or positions of Weaver and Tidwell, LLP.
• This presentation is the property of Weaver and Tidwell, LLP. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form without written permission from Weaver and Tidwell, LLP.
• Weaver and Tidwell, LLP expressly disclaims any liability in connection with the use of this presentation or its contents by any third party.

Page 6

Some organizations will be a target regardless of what they do, but most become a target because of what they do.

Page 7

Background

Page 8

The Other Security Triangle

• Security
• Usability
• Functionality

Page 9

“The user’s going to pick dancing pigs over security every time.”

- Bruce Schneier

Page 10

What do they want?

Depends on what information assets or systems you have. Could be:

• Credentials for wire fraud
• Disruption of critical infrastructure
• Confidential information about your organization, your business dealings, or your customers
• Exploitable consumer financial information
• Network access credentials
• Trade secrets and intellectual property

Page 11

Question: What are the three lines of defense?

Page 12

Three Lines of Defense

• Operational Management
• Risk Management and Compliance Function
• Internal Audit

Page 13

Question: What do IT Auditors do?

Page 14

IT General Controls (ITGCs)

Process Areas

• Governance
• Policy & Procedure (P&P)
• Access Control
  – Logical
  – Physical
• Change Management
• Monitoring
• Backup & Recovery
• Vendor Management

Phases

• Plan
• Scope
• Test of Design
• Test of Effectiveness
• Findings / Observations
• Reporting

Page 15

What if we add the word cyber?

Cyber Strategy and Transformation

• Cyber Risk Assessment
• Cyber Gap Assessment
• Cyber Roadmap / Action Plan
• Cyber Security Posture Evaluation

Cyber Compliance

• PCI-DSS
• ROC/AOC
• SOC for Cyber
• FFIEC
• CSA STAR
• FedRAMP / FISMA

Cyber Technical Procedures

• Vulnerability Assessment
• Penetration Test (Red Team)
• Social Engineering
• Incident Response Table Top Exercise
• Industrial Control Systems (ICS) Testing
• OSINT / Dark Web Review
• Mobile Device

Page 16

Question: What is cyber security and how is it different than information security?

Page 17

Information Security vs. Cyber Security

• Information security is about securing information
• Cyber security is about securing information and communication technologies (ICT)
  – Some of those concerns relate to securing the information in ICT
  – Some of those concerns relate to the disruption of critical systems
  – Other concerns could relate to misuse of those systems

Page 18

Requirements of a Cyber Security Program

Adopt a cyber security framework

Ensure the program has the appropriate elements

Develop a roadmap of critical cyber security controls to implement

Develop policies to support the implementation of controls

A method to evaluate the effectiveness of the cyber security program

Page 19

Frameworks

Page 20

Frameworks

• ISO 27001:2013
• NIST SP 800-53
• COBIT 5 Security
• CIS Critical 20 CSC
• NIST-CSF
• DIR

Page 21

ISO 27001:2013

• A.5: Information security policies
• A.6: Organization of information security
• A.7: Human resource security
• A.8: Asset management
• A.9: Access control
• A.10: Cryptography
• A.11: Physical and environmental security
• A.12: Operations security
• A.13: Communications security
• A.14: System acquisition, development and maintenance
• A.15: Supplier relationships
• A.16: Information security incident management
• A.17: Information security aspects of business continuity management
• A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws

Page 22

NIST SP 800-53

Page 23

COBIT 5 Security

Page 24

CIS (SANS) Critical 20

Page 25

NIST CSF

Page 26

Texas DIR

https://dir.texas.gov/View-About-DIR/Information-Security/Landing.aspx

Page 27

Implementation Roadmap

Page 28

Considerations for a Cyber Roadmap

• Assess the current state of the organization
• Determine the objectives of the organization with respect to cyber security
• Develop an appropriate timeline based on current state, objectives and available resources for implementing the cyber security program
  – Some elements are more easily addressed with tools
  – Some elements are more difficult because they require someone to do something
  – Some components of a cyber program are more complicated to implement because they require the organization to do things differently

Page 29

Risk Management & Implementation

Page 30

Cyber Security Risk Assessment

Page 31

Gap Assessment

Page 32

Maturity of the Cyber Security Program

Page 33

Policies

Page 34

Cyber Security Policy

Page 35

Policies – ISO 27001

Page 36

Policies – COBIT 5

The following list of relevant policies is illustrative and not exhaustive:

• Information security policy
• Access control policy
• Personnel information security policy
• Physical and environmental information security policy
• Incident management policy
• Business continuity and disaster recovery policy
• Asset management policy
• Rules of behavior (acceptable use)
• Information systems acquisition, software development and maintenance policy
• Vendor management policy
• Communications and operation management policy
• Compliance policy
• Risk management policy

Page 37

Information Security Policy

• The appearance and length of an information security policy varies greatly amongst enterprises. Some enterprises consider a one-page overview to be a sufficient information security policy. In this case, the policy could be considered a directive statement, and it should clearly describe links to other specific policies.
• Regardless of its size or degree of detail, the information security policy needs a clearly defined scope. This involves:
  – A definition of information security for the enterprise
  – The responsibilities associated with information security
  – The vision regarding information security, accompanied by appropriate goals and metrics and an explanation of how the vision is supported by the information security culture and awareness
  – Explanation of how the information security policy aligns with other high-level policies
  – Elaboration on specific information security topics such as data management; information risk assessment; and compliance with legal, regulatory and contractual obligations
  – Potentially, the information security life cycle budget and cost management. Information security strategic plans and portfolio management can be added as well.

Page 38

Access Control Policy

• The access control policy should cover the following topics, amongst others:
  – Physical and logical access provisioning life cycle
  – Least privilege/need to know
  – Segregation of duties
  – Emergency access

Page 39

Question: Who should we run background checks on?

Page 40

Personnel Information Security Policy

• The personnel information security policy objective includes, amongst others, the following goals:
  – Execute regular background checks of all employees and people at key positions. This goal can be measured by counting the number of completed background checks for key personnel. This can be amplified with the number of overdue background check renewals based on a predetermined frequency.
  – Acquire information about key personnel in information security positions. This can be followed up by counting the number of personnel in key positions that have not rotated according to a predefined frequency.
  – Develop a succession plan for all key information security positions. A possible measure is to list all the critical information security positions that lack backup personnel.
  – Verify whether all information security personnel have the necessary current and pertinent skills, and related certifications. A shortage in the number of critical information security positions with proper or qualified staffing could reflect the status of the goal.

Page 41

Physical and Environmental Information Security Policy

• The objective of this policy is to provide direction regarding:
  – Securing physical locations
  – Environmental controls that provide capabilities to support operations
• The scope of the policy can include:
  – Facility selection:
  – Criteria for selection
  – Construction attributes
  – Environmental control standards
  – Physical access control standards (employee, vendor, visitor)
  – Information security monitoring and physical intrusion detection

Page 42

Security Incident Response Policy

• The scope of this policy covers the need to respond to incidents in a timely manner to recover business activities. The policy should include:
  – A definition of an information security incident
  – A statement of how incidents will be handled
  – Requirements for the establishment of the incident response team, with organizational roles and responsibilities
  – Requirements for the creation of a tested incident response plan, which will provide documented procedures and guidelines for:
  – Criticality of incidents
  – Reporting and escalation process
  – Recovery (including):
  – Recovery time objectives (RTOs) for return to the trusted state
  – Investigation and preservation of process
  – Testing and training
  – Post-incident meetings to document root cause analysis and document enhancements of information security practices to prevent future similar events
  – Incident documentation and closing

Page 43

Considerations When Implementing Cyber Security Policies

• Policies should take into account the specific situation in which the enterprise exists. The content of the enterprise policies will change depending on the context of the organization and the environment in which it operates. This specific situation is made up by factors such as:
  – Applicable regulations unique to the enterprise
  – Business operational and functional requirements
  – Intellectual property and competitive data protection needs
  – Existing high-level policies and the corporate culture
  – Unique IT enterprise architecture designs
  – Governmental regulations such as the Federal Information Security Management Act (FISMA) in the United States
  – Industry standards (PCI DSS)

Page 44

Policy Lifecycle

Page 45

“If you want total security, go to prison. There you're fed, clothed, given medical care and so on. The only thing lacking... is freedom.”

Dwight D. Eisenhower

Page 46

Question: How long would it take you to produce an inventory of all assets?

Page 47

Inventory

What do you have?

How do you inventory?

Page 48

Types of Assessments

Risk Assessment & Security Governance

Policy & Procedure, Org & Training, Network Topology

Security Access Reviews

Infrastructure & Configuration – Review & Validation

Firewalls, Wireless Networks, Virtualized (Hypervisor), Mobile Device Management, Application

Vulnerability Assessment (Scanning)

Penetration Test (Pen Test)

Social Engineering & Security Awareness Training

Page 49

Caution! Proceed with Skepticism

Unstructured technical procedures masquerading as a security assessment

What _____ (standard, framework, requirement, guidance, etc.) are you basing this against?

“Proprietary technology”

Compliance = best practices?

Page 50

Vulnerability Assessment vs Pentest

Page 51

[Diagram: three process rows]

Vulnerability Mgmt.: Asset Identification; Vulnerability Scan; Assess Risk; Remediate & Response

Patch Mgmt.: Monitor for Release/Advisory; Prioritize & Schedule; Create & Test; Confirm Deployment; Document & Update Standards

Security Asmt.: Identify Threats; Assess Exploits; Establish Controls; Corrective Action Plan; Monitor & Review

• Action Plan
• Risk Acceptance Approval
• Review & Follow-up
• Identify Active Devices/In-Scope
• Identify Open Ports & Services
• OS Fingerprinting
• Vulnerability Identification
• Evaluate Vulnerability
• Determine Impact

Page 52

Vulnerability Assessment

Vulnerability Scan vs Assessment?

What does the deliverable look like?

Value is in Analysis and Assessment of Results for Applicable Business Risk

Page 53

Vulnerability Assessment

Considerations

Perspective

Internal (on-site) vs External (remote)

Credentialed?

Timing?

Announced?

Entire network or sample? Sensitive systems?

Pro Tip: Set up a Line of Communication

Why do it?

Inform: Baselining & Inventory of Issues

Assess: Good Indicator of Security Posture and Patch Mgmt.

Page 54

Penetration Test

What is it?

Methodology & Approach

Personnel - Contractor

Why do it?

Best way to test the locks is to try them

Verify: Blueprint from an attacker’s perspective

More accurate assessment of risk to organization

Also a test of Detection & Response

Should we do it?

Jump in vs ease in

Evaluate Dollar Spend

Page 55

Pentest Considerations

Scope

What is being tested? Int/Ext

What is winning?

May not be domain admin

Availability may be enough

Pivot Attacks – How far is far enough?

Rules of Engagement

Authorization, Timing, Shunning

PoC – “Batphone”

Limitations

DoS – Oh, you want everything?

Page 56

Social Engineering

E-mail Phishing

Baiting (Media/USB Drops)

Phishing Calls (Vishing)

Tailgating (Physical Access)

Methods Allowed

Spear Phishing, prohibited premises / schemes

Sampling

Metrics

Data Capture, Storage, Retention

Page 57

Table Top Exercises

Page 58

Questions?

Trip Hillman, CISSP, CISA, CEH, GPEN, GCFE, GSNA | Senior Manager, IT Advisory Services

972.448.9276

Raveen Bhasin, CISM, CISA, ITIL, CSM | Manager, IT Advisory Services

972.448.9243