
  • Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF)

    Larry Wilson, lwilson@umassp.edu
    ISACA Breakfast Meeting, January 2016

  • Agenda

    - Part 1: The Threat Situation
    - Part 2: The Risk Equation
    - Part 3: Protecting the Assets
    - Part 4: The Program Deliverables

  • Part 1: The Threat Situation

  • Data is the New Oil

  • The Problem: Data is Everywhere

    Growing attack surface: consumerization of IT; public, private and hybrid cloud; mobile applications; privileged accounts; Internet of Things; ...

    [Slide image: Internet of Things illustration from securityaffairs.co]

  • The Challenges: Business, Technology, Compliance, Skills

    - The key business challenges
    - The key technology challenges
    - The key workforce challenges
    - Legal, regulatory and compliance challenges

  • Cyber Attacks Could Put Humans and Infrastructure at Risk

    The Possible Consequences

  • We have executive attention ..... Now What?

    [Slide images: news coverage of the Target data breach (Fazio Mechanical Services, a vendor, named as the possible backdoor), the Sony hack, the Kaspersky hack, and the OPM breach]

  • The UMASS Cybersecurity Program Approach

    The approach ties four pieces together: an asset inventory, the security technologies that manage those assets, an industry-standard control set, and a current-versus-target security profile from which the roadmap is derived.

    The Asset Inventory
    - Network diagrams / data flow diagrams
    - Asset inventory, configuration and vulnerabilities for: endpoint devices; data center systems (servers, databases); network devices; key business applications; confidential data inventory
    - List of users with administrative accounts

    The Security Technologies
    - Network technologies: firewalls, IPS, URL filtering, wireless, NAC; vulnerability management; directory service
    - Endpoint / server / database technologies: hardware / software / configuration management; Security Incident & Event Management (SIEM); anti-virus, data loss prevention (DLP), etc.
    - Application security: web application scanning, web application firewall

    Industry Standard Controls
    - The Critical Security Controls, each assigned a score

    Current & Target Security Profile
    - Current Profile: the current score for each Critical Security Control
    - Target Profile: the target score for each Critical Security Control
    - Target Profile Roadmap: closing the gap between the current and target scores
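One item of the asset inventory above, the list of users with administrative accounts, is easy to get wrong by looking only at group membership. The following Python is an added example (not from the deck or from UMASS) that builds that list for a Linux host from /etc/passwd and /etc/group; it checks three ways an account can hold privilege: UID 0, membership in an administrative group, and an administrative group set as the primary group (which the member list in /etc/group does not show). The file contents, the set of group names treated as administrative, and the account names are constructed for this example.

```python
"""Enumerate accounts with administrative privilege on a Linux host.

Added example, not from the slide deck. The file contents below are
constructed sample data so the script runs offline; pass the real file
contents to enumerate_admins() to use it on a host.
"""
from __future__ import annotations

# Group names treated as administrative. Assumption made for this example;
# extend it for the distribution in use (e.g. "adm", "docker").
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}

# Constructed sample /etc/passwd. Note the second UID-0 account "backup".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:0:1002:legacy backup job:/var/backup:/bin/sh
svc_web:x:1003:1003:web service:/var/www:/usr/sbin/nologin
"""

# Constructed sample /etc/group.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
users:x:100:
svc:x:1003:
"""


def parse_passwd(text: str) -> dict[str, tuple[int, int]]:
    """Map user name -> (uid, primary gid)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text: str) -> dict[str, tuple[int, set[str]]]:
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def enumerate_admins(passwd_text: str, group_text: str) -> dict[str, list[str]]:
    """Return {user: [reasons]} for every account that holds admin privilege."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    # gid -> group name for the administrative groups only
    admin_gids = {gid: name for name, (gid, _m) in groups.items() if name in ADMIN_GROUPS}

    findings: dict[str, list[str]] = {}
    for user, (uid, gid) in users.items():
        reasons = []
        if uid == 0:                      # any UID-0 account is root, whatever its name
            reasons.append("uid 0")
        if gid in admin_gids:             # primary group is not listed in /etc/group members
            reasons.append(f"primary group {admin_gids[gid]}")
        for gname, (_gid, members) in groups.items():
            if gname in ADMIN_GROUPS and user in members:
                reasons.append(f"member of {gname}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in sorted(enumerate_admins(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(f"{user:10s} {', '.join(reasons)}")
```

Run against the sample data it reports root, alice, bob and the stray UID-0 "backup" account; the service account and daemon are not flagged. Accounts that gain privilege through sudoers rules alone are outside what these two files show and need a separate check of /etc/sudoers and /etc/sudoers.d.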

  • Part 2: The Risk Equation

  • Calculating Risk

    How do we calculate risk? Risk is based on the likelihood and impact of a cyber-security incident or data breach.

    - Threats involve the potential attack against IT resources and information assets
    - Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat
    - Asset Value is based on the criticality of IT resources and information assets
    - Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities
    - Managed assets = strong controls; unmanaged assets = weak controls

    The risk equation as drawn on the slide, with managed and unmanaged assets as two separate terms:

      Risk = (Threats × Vulnerabilities × Asset Value) / Strong Controls   [Managed Assets]
           + (Threats × Vulnerabilities × Asset Value) / Weak Controls     [Unmanaged Assets]

  • Unmanaged vs. Managed Assets

    Our managed assets ARE protected:
    - We need to understand why security breaches occur
    - And the steps to take to prevent them
    - And build a portfolio of managed assets

    Our unmanaged assets ARE NOT protected:
    - There are undetected problems: not seen, not reported
    - Our unmanaged assets become easy targets
    - Which lead to a breach from missing or ineffective controls

  • The Asset Families

    - The Systems Family: endpoints, mobile, workstations, servers, etc.
    - The Networks Family: switches, routers, firewalls, etc.
    - The Applications Family: applications, databases, etc.
    - The Critical Assets: critical information assets; privileged user access

  • The NIST Cybersecurity Framework

    Framework Core

    The Core is organized as Functions → Categories → Subcategories → Informative References. The slide's diagram lays the 20 Critical Security Controls across the five Functions, four per Function as drawn (the even split is the diagram's layout; the Framework's own informative references map individual controls to subcategories, and one control can support more than one Function):

    - IDENTIFY: Control-1, Control-2, Control-3, Control-4
    - PROTECT: Control-5, Control-6, Control-7, Control-8
    - DETECT: Control-9, Control-10, Control-11, Control-12
    - RESPOND: Control-13, Control-14, Control-15, Control-16
    - RECOVER: Control-17, Control-18, Control-19, Control-20

    Framework Tiers

    - Tier 1: Partial. Ad hoc risk management; limited cybersecurity risk awareness; low external participation
    - Tier 2: Risk Informed. Some risk management practices; increased awareness, no program; informal external participation
    - Tier 3: Repeatable. Formalized risk management; organization-wide program; receives external partner information
    - Tier 4: Adaptive. Adaptive risk management practice; cultural, risk-informed program; actively shares information

    Framework Profile

    - Current Profile: the current state of alignment between the Core elements and organizational requirements, risk tolerance and resources. Where am I today relative to the Framework?
    - Target Profile: the desired state of alignment between the Core elements and organizational requirements, risk tolerance and resources. Where do I aspire to be relative to the Framework?
    - Roadmap: the path from the Current Profile (weak controls) to the Target Profile (strong controls)
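The risk equation from Part 2 and the current-versus-target profile above can be exercised on a small inventory. The following Python is an added example (not from the deck or from UMASS): it scores constructed assets with Risk = (Threats × Vulnerabilities × Asset Value) / Controls, splits the total into the managed and unmanaged portfolios, and ranks the gap between each control's current and target score by the risk of the assets that control protects, which is one way to order a roadmap. The 1 to 5 scales, the threshold that separates strong from weak controls, the mapping of each control to asset families, and every asset and score value are assumptions made for this example.

```python
"""Risk equation and current-vs-target profile roadmap.

Added example, not part of the slide deck. Scales, thresholds, the
control-to-family mapping and all data below are this example's assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

MANAGED_THRESHOLD = 3.0  # assumption: mean control score >= 3 counts as "strong controls"


@dataclass
class Asset:
    name: str
    family: str         # Systems, Networks, Applications or Critical (the deck's families)
    threat: int         # 1-5 likelihood of attack
    vulnerability: int  # 1-5 exploitable weakness
    value: int          # 1-5 criticality


@dataclass
class Control:
    csc: int
    name: str
    families: set[str]  # asset families the control protects (assumed mapping)
    current: int        # profile score 0-5; 0 = control absent
    target: int


def control_strength(asset: Asset, controls: list[Control]) -> float:
    """Mean current score of the controls that apply to this asset.

    Floored at 1 so an asset with no applicable controls is scored as
    weakly controlled instead of dividing by zero (assumption of this example).
    """
    scores = [c.current for c in controls if asset.family in c.families]
    if not scores:
        return 1.0
    return max(1.0, sum(scores) / len(scores))


def asset_risk(asset: Asset, controls: list[Control]) -> float:
    """The deck's equation for one asset: T x V x AV divided by control strength."""
    return asset.threat * asset.vulnerability * asset.value / control_strength(asset, controls)


def portfolio(assets: list[Asset], controls: list[Control]) -> dict[str, float]:
    """Total risk of the managed (strong controls) and unmanaged (weak controls) assets."""
    totals = {"managed": 0.0, "unmanaged": 0.0}
    for a in assets:
        bucket = "managed" if control_strength(a, controls) >= MANAGED_THRESHOLD else "unmanaged"
        totals[bucket] += asset_risk(a, controls)
    return totals


def roadmap(assets: list[Asset], controls: list[Control]) -> list[tuple[int, int, float]]:
    """(csc, score gap, priority) for each control below target, highest priority first.

    Priority = gap x current risk of the assets the control protects, so a
    missing control over unmanaged, high-value assets rises to the top.
    """
    items = []
    for c in controls:
        gap = c.target - c.current
        if gap <= 0:
            continue
        exposure = sum(asset_risk(a, controls) for a in assets if a.family in c.families)
        items.append((c.csc, gap, gap * exposure))
    return sorted(items, key=lambda t: t[2], reverse=True)


# Constructed sample profile (scores are invented for the example).
CONTROLS = [
    Control(1, "Inventory of Authorized & Unauthorized Devices", {"Systems", "Networks"}, current=4, target=5),
    Control(3, "Secure Configurations for Endpoints and Servers", {"Systems"}, current=3, target=5),
    Control(4, "Continuous Vulnerability Assessment & Remediation", {"Systems", "Networks", "Applications"}, current=3, target=5),
    Control(5, "Controlled Use of Administration Privileges", {"Systems", "Critical"}, current=2, target=5),
    Control(11, "Secure Configurations for Network Devices", {"Networks"}, current=4, target=4),
    Control(18, "Application Software Security", {"Applications"}, current=0, target=4),
]

# Constructed sample inventory.
ASSETS = [
    Asset("managed-laptop-fleet", "Systems", threat=4, vulnerability=2, value=2),
    Asset("core-switch", "Networks", threat=3, vulnerability=2, value=4),
    Asset("student-records-app", "Applications", threat=4, vulnerability=4, value=5),
    Asset("domain-admin-accounts", "Critical", threat=5, vulnerability=3, value=5),
]

if __name__ == "__main__":
    print(portfolio(ASSETS, CONTROLS))
    for csc, gap, priority in roadmap(ASSETS, CONTROLS):
        print(f"CSC {csc:2d}  gap {gap}  priority {priority:7.1f}")
```

With these inputs the two unmanaged assets (the application with no CSC 18 coverage and the privileged accounts with a weak CSC 5) carry most of the total risk, and the roadmap puts CSC 18, CSC 4 and CSC 5 ahead of the small remaining gaps on already-managed systems, which is the deck's point that unmanaged assets drive the risk.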

  • The 20 Critical Security Controls

    (The count after each control is the number of sub-controls it contains.)

    - CSC 1: Inventory of Authorized & Unauthorized Devices (6)
    - CSC 2: Inventory of Authorized & Unauthorized Software (4)
    - CSC 3: Secure Configurations for Mobile Devices, Laptops, Workstations, and Servers (7)
    - CSC 4: Continuous Vulnerability Assessment & Remediation (8)
    - CSC 5: Controlled Use of Administrative Privileges (9)
    - CSC 6: Maintenance, Monitoring & Analysis of Audit Logs (6)
    - CSC 7: Email & Web Browser Protection (8)
    - CSC 8: Malware Defenses (6)
    - CSC 9: Limitation and Control of Network Ports, Protocols, and Services (6)
    - CSC 10: Data Recovery Capability (4)
    - CSC 11: Secure Configurations for Network Devices (Firewalls, Routers, Switches) (7)
    - CSC 12: Boundary Defense (10)
    - CSC 13: Data Protection (9)
    - CSC 14: Controlled Access Based on the Need to Know (7)
    - CSC 15: Wireless Access Control (9)
    - CSC 16: Account Monitoring & Control (14)
    - CSC 17: Security Skills Assessment & Training to Fill Gaps (5)
    - CSC 18: Application Software Security (9)
    - CSC 19: Incident Response and Management (7)
    - CSC 20: Penetration Tests and Red Team Exercises (8)

  • How the Controls Work (Part 1): They Map to the Assets

    - CSC 1: Inventory of Authorized and Unauthorized Devices
    - CSC 2: Inventory of Authorized and Unauthorized Software
    - CSC 3: Secure Configuration of Endpoints, Servers, Workstations
    - CSC 4: Continuous Vulnerability Assessment and Remediation

    Diagram: Security Technology → Managed Assets
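CSC 1 is the first control in the mapping above because an asset that is not in the inventory cannot be managed. The following Python is an added example (not from the deck or from UMASS) of the reconciliation that control implies: observed devices are compared with the authorized inventory to find unauthorized devices, authorized devices seen outside their expected subnet, and inventory entries that were not observed at all. The authorized inventory, the `arp -an` style lines, and the hostnames are constructed for this example; in practice the observed list would come from ARP tables, switch MAC tables or DHCP logs, which is an assumption about the data source.

```python
"""Reconcile observed devices against the authorized device inventory (CSC 1).

Added example, not part of the slide deck. All inventory entries and the
ARP output below are constructed sample data.
"""
from __future__ import annotations
import ipaddress
import re

# Constructed authorized inventory: MAC -> (hostname, owner, expected subnet).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("lib-ws-01", "library", "10.0.1.0/24"),
    "aa:bb:cc:00:00:02": ("lib-ws-02", "library", "10.0.1.0/24"),
    "aa:bb:cc:00:00:10": ("sis-db-01", "registrar", "10.0.9.0/24"),
    "aa:bb:cc:00:00:20": ("printer-3f", "facilities", "10.0.1.0/24"),
}

# Constructed `arp -an` style output captured on the 10.0.1.0/24 segment.
OBSERVED = """\
? (10.0.1.11) at aa:bb:cc:00:00:01 [ether] on eth0
? (10.0.1.12) at AA-BB-CC-00-00-02 [ether] on eth0
? (10.0.1.40) at de:ad:be:ef:00:01 [ether] on eth0
? (10.0.1.77) at aa:bb:cc:00:00:10 [ether] on eth0
? (10.0.1.1) at <incomplete> on eth0
"""

# Matches "(ip) at mac" with either colon- or dash-separated MACs.
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:-]{17})")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so inventory lookups match."""
    return mac.lower().replace("-", ":")


def parse_arp(text: str) -> list[tuple[str, str]]:
    """(ip, mac) for resolved entries; '<incomplete>' entries carry no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            entries.append((m.group("ip"), normalize_mac(m.group("mac"))))
    return entries


def in_subnet(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def reconcile(observed_text: str, authorized: dict) -> dict[str, list]:
    """Classify every observed device and every inventory entry.

    authorized:   seen, known, and on its expected subnet
    unauthorized: seen but not in the inventory (CSC 1's core finding)
    misplaced:    known MAC seen outside its expected subnet (moved, or spoofed MAC)
    missing:      in the inventory but not observed (stale inventory or offline)
    """
    report: dict[str, list] = {"authorized": [], "unauthorized": [], "misplaced": [], "missing": []}
    seen_macs = set()
    for ip, mac in parse_arp(observed_text):
        seen_macs.add(mac)
        if mac not in authorized:
            report["unauthorized"].append((ip, mac))
            continue
        host, _owner, subnet = authorized[mac]
        if in_subnet(ip, subnet):
            report["authorized"].append((ip, host))
        else:
            report["misplaced"].append((ip, host, subnet))
    for mac, (host, _owner, _subnet) in authorized.items():
        if mac not in seen_macs:
            report["missing"].append(host)
    return report


if __name__ == "__main__":
    for category, items in reconcile(OBSERVED, AUTHORIZED).items():
        print(f"{category}: {items}")
```

On the sample data the unknown MAC at 10.0.1.40 is the unauthorized device, the database server's MAC appearing on the workstation segment is flagged as misplaced rather than silently accepted, and the printer that was not observed is reported as missing so the inventory can be corrected rather than left stale.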