5/19/2016
How industry drives focus to determine and safeguard our greatest cyber threat
Robin Basham, M.IT CISSP CISA CGEIT CRISC CRP VRP
Vice President Information Security Risk and Compliance
Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA 95054
[email protected] https://www.linkedin.com/in/robinbasham cell (617) 947‐3405
Cybersecurity Mission: Resilience
• What are our critical assets?
• Who is responsible for them?
• Is everyone involved in cyber‐resilience?
• Do they have the knowledge and autonomy to make good decisions?
• Are we prepared for when there is a successful attack?
• Will there be a tried and tested process to follow, or will a cyber attack throw our organization into complete chaos?
Continuous monitoring cycle (slide graphic): Define, Establish, Implement, Analyze, Report, Respond, Review, Update.
Continuous Monitoring maps to risk tolerance, adapts, and actively involves management.
We’ve been having a continuous compliance conversation
• Just FIX IT (CIO)
• Manage Risk – Prioritize, Drive FIX (CSO)
• IT Plan Integrates FIX (IT Ops)
• Just tell me how to FIX (Engineer)
• Did you FIX it? (Audit)
In the context of cyber security, is it better?
Compliance is a fabric that breaks down over time
There are many threads in compliance fabric
• Industry – health, finance, consumer, education, government – each has different objectives and regulating bodies that impose laws in response to the risks surrounding those objectives
• Audits, Examinations, Assessments – SOC 2, ISO27001, FFIEC Examination, SOX ITGCC, HIPAA/HITECH compliance, PCI DSS (people show up, the board gets reports, involves public disclosure, can result in criminal charges)
• Guidance or Guideline – documents that HELP and explain how to do it; in some cases guidance supports a policy, so it determines “how” we comply
• Frameworks – COSO, COBIT, ITIL, NIST 53, Cyber Security Framework, CIS CSC – give us longitude and latitude (frame how and what we govern)
• Standards – criteria‐based best practice: DISA STIGs, CIS Benchmark, SCAP
• Standards are accepted as best practices, whereas frameworks are practices that are generally employed
• Standards are specific, while frameworks are general
And even more threads
• Mandates, Orders, Laws – you must comply (CFR)
• Families or Domains – people, technologies and processes that we generally consider related
• Universe – collection of processes associated to tests and controls, grouped by families or domains; used to organize ASSESSMENTS
• Controls – are processes, what we do to enforce and govern, for example “manage change”
• Tests – how we measure that it happened. A test can have many sub‐items, but in aggregation the set of measures tells us if the control process is effective. We tie Policy Items to Tests. Tests are in the Universe.
• Policies – what we tell people they must do; usually they are within the ISO27002 ISMS, measured by the ISO27001 assessment
• Policy Items – (system policy) discrete configuration items
What do we want from a fabric?
• When it’s hot – let us breathe
• When it’s cold – add layers
• Last a long time – holding shape
• Tell the world our story and style – reporting, informing, aligning
• Shrink and expand – agility, adaptability
• Provide protection – protect our assets, and us (our business, our reputation, our family)
Before we acquire a fabric, let’s examine what we need
Need begins with (industry) risk
What are the industries where we see groups of specific types of risk?
Juggle much? (slide graphic pairing industries with their regimes)
• Energy – NERC
• Materials – ISO, IEC
• Industrials
• Health – HIPAA
• Financial – GLBA
• Info Tech – NIST, PCI
• Consumer – ISO, ANSI
• Telecom
• Utilities
• Government – FISMA
• Education
• Public – SOX ITGCC
• Services – SOC 2
• FFIEC exam
• PCI
• DISA STIGs (IAD)
• CSP – FedRAMP
How do industries describe their risks & controls?
Financials
• Gramm‐Leach‐Bliley Act (GLBA)
• Sarbanes‐Oxley Act (SOX)
• Payment Card Industry Data Security Standard (PCI DSS)
• Fair and Accurate Credit Transactions Act
• Consumer Financial Protection Bureau (CFPB)
• Federal Deposit Insurance Commission (FDIC)
• The Fair and Accurate Credit Transaction Act of 2003 (FACTA)
• The Federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA. (Pub. L. 108‐159, 111 Stat. 1952)
Information Technology
• SABSA
• ITIL
• FFIEC
• COBIT
• NIST
• DISA
• NSA
• TOGAF
• CSA
• ISO
• PCI
• ANSI ... and 2K more
Health Care
• Health Insurance Portability and Accountability Act (HIPAA) Security Rule: http://www.gpo.gov/fdsys/pkg/FR‐2013‐01‐25/pdf/2013‐01073.pdf
• NIST SP 800‐66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=890098
• U.S. Department of Health and Human Services (HHS), The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool, Technical Safeguards: http://www.healthit.gov/sites/default/files/20140320_sratool_content_‐_technical_volume_v1.docx
• Omnibus Rule
Energy Utilities
• Critical Infrastructure Protection (CIP) cyber security reliability standards
• FERC, NERC
Materials Industrial – Goods, Services, Transport
• The Global Standards Management Process (GSMP)
• Global Product Classification (GPC)
• United Nations Environment Program (UNEP)
• International Trade Centre (ITC)
• International Centre for Trade and Sustainable Development (ICTSD)
Consumer Discretionary & Staples
• The Global Standards Management Process (GSMP)
• Global Product Classification (GPC)
Telecommunication Services
• Federal Communications Commission (FCC)
• CTIA – The Wireless Association (CTIA)
• National Cable & Telecommunications Association (NCTA)
• National Association of Regulatory Utility Commissioners (regulators of individual states) (NARUC)
Government
• Freedom of Information Act
• The Information Assurance Directorate (IAD)
• NIST – DISA – NSA
• FIPS – FedRamp – FISMA
• DoD Information Assurance Certification and Accreditation Process (DIACAP)
Predominantly, industries use the NIST SP800‐37 Risk Management Framework (RMF)
Risk: What could go wrong?
• Reputation is a new target for cyber attacks – all industries
• Criminals value our information – financial, health, critical infrastructure, all industries
• Cyber risk is challenging to understand and address; regulation is imposed by all industries
• The changing pace of technology increases unknown dependency on third parties and shadow IT
• We cannot trace or control our data
• The role of government and information custody is often misunderstood
Our markets, laws, technology and resources drive the heat beneath our risks – Exercise: Identify a risk that is not in your industry.
• Supply Chain Tampering
• Technology adoption dramatically expands the threat landscape
• The IoT leaks
• Algorithms compromise integrity
• Rogue governments use terrorist groups to launch cyberattacks
• APT
• Unmet board expectations
• Researchers silenced to hide security vulnerabilities
• Cyber insurance safety net is pulled away
• Governments become increasingly interventionist
• Regulations fragment the cloud
• Criminal capabilities expand gaps in international policing

• INJECTION
• BROKEN AUTHENTICATION & SESSION MANAGEMENT
• CROSS‐SITE SCRIPTING (XSS)
• INSECURE DIRECT OBJECT REFERENCES
• SECURITY MISCONFIGURATIONS
• MISSING FUNCTION LEVEL ACCESS CONTROL
• CROSS‐SITE REQUEST FORGERY (CSRF)
• USING COMPONENTS WITH KNOWN VULNERABILITIES
• UNVALIDATED REQUESTS AND FORWARDS
What behaviors provide most protection?
1. Control Administrative Privileges
2. Limit Workstation‐to‐Workstation Communication
3. Antivirus File Reputation Services
4. Anti‐Exploitation
5. Host Intrusion Prevention (HIPS) Systems
6. Secure Baseline Configuration
7. Web Domain Name System (DNS) Reputation
8. Take Advantage of Software Improvements
9. Segregate Networks and Functions
10. Application Whitelisting
What are the best tools and resources?
Turn in your business email to get links and downloads
CSF provides a cyber security model
• Identify – CMDB, People, Process, Technology, relationships, alignment to controls
• Protect – Architecture, Infrastructure, Monitoring
• Detect – Defined Sources, Collection, Interpretation, Reporting Methods
• Respond – RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
• Recover – Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA
Use: NIST Framework for Improving Critical Infrastructure Cybersecurity; Annex A
Download NIST Assessment Tool http://www.nist.gov/cyberframework/csf_reference_tool.cfm
Cyber Security Evaluation Tool
• Download and install CSET https://www.us‐cert.gov/forms/csetiso
HITRUST CSF 7.0 Resources – registration required
• Offers manual mapping of controls for implementing a controls assessment of the HITECH / HIPAA security and privacy rules using multiple frameworks and standards: https://hitrustalliance.net/hitrust‐csf/
Other Cyber Security Must Reads
• International Organization for Standardization, Risk management – Principles and guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm
• International Organization for Standardization/International Electrotechnical Commission, Information technology – Security techniques – Information security risk management, ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742
• Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800‐39, March 2011. http://csrc.nist.gov/publications/nistpubs/800‐39/SP800‐39‐final.pdf
• U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE‐0003, May 2012. http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20%20Final%20‐%20May%202012.pdf
• There are literally hundreds of resources.
There’s an elephant in the room
CSF Process requires analysis of attack surface
All of these industries require asset level cyber security
All industries expect us to provide:
• Board reports
• Boss reports
• Boss’s boss reports
• Decision support systems
• Security road map
• Enable business
• Drive IT Value
As an industry, our sensory system is overwhelmed
(Slide image: this is the friendly lizard who was mistaken for a monster in the final episode of X‐Files from FOX – this is also some guy from Google Images covered in slime)
We need a fabric
What creates the threads that we can assert?
Ten normative references that totally rock the compliance world
1. Benchmark – contains both descriptive information and structural information
2. Group – item that can hold other items
3. Item – three types of items: <xccdf:Group>, <xccdf:Rule> and <xccdf:Value>
4. Model – suggested scoring model for an <xccdf:Benchmark>
5. Profile – element is a named tailoring for an <xccdf:Benchmark>
6. Rule – the description for a single item of guidance or constraint; <xccdf:Rule> elements form the basis for testing a target platform for benchmark compliance
7. Status – acceptance status of an element with an optional date attribute, which signifies the date of the status change
8. Tailoring – element holds one or more <xccdf:Profile> elements; records additional benchmark tailoring
9. TestResult – element encapsulates the results of a single application of an <xccdf:Benchmark> to a single target platform
10. Value – a named parameter that can be substituted into properties of other elements within the <xccdf:Benchmark>
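As an added worked example (not from the presentation and not Cavirin's code), the Python below walks a constructed XCCDF 1.2 benchmark built from the elements listed above: it applies a Profile's select and refine‐value tailoring to the Rules and Values, and scores a TestResult with a flat‐model style calculation (weights of passing rules over weights of applicable rule results). The benchmark content and every id in it are made up for this example.

```python
"""Walk a small XCCDF 1.2 benchmark with the standard library: apply a Profile's
rule selection and value tailoring, then score an embedded TestResult."""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF}
RULE = "{%s}Rule" % XCCDF

# Constructed sample, not a real DISA/CIS benchmark; ids are made up here.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <status date="2016-05-19">draft</status>
  <title>Demo SSH benchmark</title>
  <Profile id="xccdf_example_profile_server">
    <select idref="xccdf_example_rule_banner" selected="false"/>
    <refine-value idref="xccdf_example_value_max_auth_tries" selector="strict"/>
  </Profile>
  <Value id="xccdf_example_value_max_auth_tries" type="number">
    <value>6</value>
    <value selector="strict">3</value>
  </Value>
  <Group id="xccdf_example_group_ssh">
    <Rule id="xccdf_example_rule_ssh_root_login" selected="true" weight="10.0"/>
    <Rule id="xccdf_example_rule_banner" selected="true" weight="1.0"/>
    <Rule id="xccdf_example_rule_max_auth_tries" selected="true" weight="5.0"/>
  </Group>
  <TestResult id="xccdf_example_testresult_demo" end-time="2016-05-19T10:01:00">
    <rule-result idref="xccdf_example_rule_ssh_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_max_auth_tries"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

# Results the flat scoring model leaves out of the maximum possible score.
NOT_SCORED = {"notapplicable", "notchecked", "notselected", "informational"}

def load_benchmark(xml_text=SAMPLE_XCCDF):
    return ET.fromstring(xml_text)

def selected_rules(benchmark, profile_id):
    """Each Rule's own selected flag, overridden by the Profile's <select>s."""
    selected = {r.get("id"): r.get("selected", "true") == "true" for r in benchmark.iter(RULE)}
    profile = benchmark.find("xccdf:Profile[@id='%s']" % profile_id, NS)
    for sel in profile.findall("xccdf:select", NS):
        if sel.get("idref") in selected:
            selected[sel.get("idref")] = sel.get("selected") == "true"
    return selected

def resolve_value(benchmark, profile_id, value_id):
    """Pick the <value> whose selector the Profile's <refine-value> names,
    falling back to the selector-less default."""
    profile = benchmark.find("xccdf:Profile[@id='%s']" % profile_id, NS)
    selector = next((rv.get("selector") for rv in profile.findall("xccdf:refine-value", NS)
                     if rv.get("idref") == value_id), None)
    value_el = benchmark.find("xccdf:Value[@id='%s']" % value_id, NS)
    choices = {v.get("selector"): v.text for v in value_el.findall("xccdf:value", NS)}
    return choices.get(selector, choices.get(None))

def flat_score(benchmark, testresult_id):
    """Flat-model style score (percent): weights of passing rules over the
    weights of every rule-result that counts (see NOT_SCORED)."""
    weights = {r.get("id"): float(r.get("weight", "1.0")) for r in benchmark.iter(RULE)}
    result_el = benchmark.find("xccdf:TestResult[@id='%s']" % testresult_id, NS)
    earned = possible = 0.0
    for rr in result_el.findall("xccdf:rule-result", NS):
        outcome = rr.findtext("xccdf:result", namespaces=NS)
        if outcome in NOT_SCORED:
            continue  # not applicable, so it neither earns nor costs points
        weight = weights.get(rr.get("idref"), 1.0)
        possible += weight
        earned += weight if outcome == "pass" else 0.0
    return round(100.0 * earned / possible, 1) if possible else 0.0
```

With the sample, the server Profile deselects the banner rule, tailors MaxAuthTries to the strict value 3, and the TestResult scores 66.7 (10 of 15 weight points) because the notselected banner result is left out of the maximum.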
KEY IT Security and Risk resources
• SANS Top 20 Critical Security Controls V6. https://www.sans.org/critical‐security‐controls/
• NIST Framework for Improving Critical Infrastructure Cybersecurity, V1.0. http://www.nist.gov/cyberframework/
• NIST 800‐53 V4. Security and Privacy Controls for Federal Information Systems and Organizations (control families listed below)
• DISA Secure Technical Implementation Guides. http://iase.disa.mil/stigs/Pages/index.aspx
• ISO/IEC 27002:2013. Information Technology ‐ Security techniques ‐ Code of practice for information security controls. http://www.iso.org/iso/catalogue_detail?csnumber=54533
• COBIT V5. ISACA. http://www.isaca.org/cobit/pages/default.aspx
• Payment Card Industry Data Security Standard V3.1. https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v3‐1#pci_dss_v3‐1
Security Control Families (SP 800‐53):
• Access Control
• Audit & Accountability
• Awareness & Training
• Certification, Accreditation & Security Assessments
• Configuration Management
• Contingency Planning
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical & Environmental Protection
• Planning
• Program Management
• Risk Assessment
• System & Communication Protection
• System & Information Integrity
• System & Services Acquisition
Control Correlation Identifiers (CCI)
• http://iase.disa.mil/stigs/cci/Pages/index.aspx
• The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice.
• CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control.
• This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance to multiple IA compliance frameworks.
• CCI also provides a means to objectively rollup and compare related compliance assessment results across disparate technologies.
Open Vulnerability and Assessment Language (OVAL)
• OVAL® is an information security community effort to standardize how to assess and report the machine state of computer systems.
• Tools and services that use OVAL for the three steps of system assessment (representing system information, expressing specific machine states, and reporting the results of an assessment) provide enterprises with accurate, consistent, and actionable information so they may improve their security.
OVAL in the Enterprise
• Vulnerability Assessment
• Configuration Management
• Patch Management
• Policy Compliance
• Community Repositories of OVAL Content
• Vulnerability Databases and Advisories
• Benchmark Writing
• Security Content Automation
Most of us still lack an effective compliance fabric
• If we constantly fixate on having one standard as the index to all standards, we waste time and are always doing the wrong things in the wrong ways for the wrong results
• We have to tie configuration guidelines to standards, and standards to risk scenarios + industry + time.
• All standards and risks have a shelf life.
• We use our fabric to sense and avert danger – so when bad’s about to happen, we can get goosebumps
What if the elephant implemented unified best practices?
• Security controls and best practices from NIST, the Defense Information Systems Agency (DISA) and International Organization for Standardization (ISO), the Control Objectives for Information and Related Technology (COBIT) framework, and Payment Card Industry Data Security Standards (PCI DSS).
• access control policy
• continuous monitoring
• boundary protection
• event auditing incident detection and reporting
• device authentication
• user authentication
• data encryption
• vulnerability scanning
• track and monitor all resources
Audit Velocity increases Maturity
• Old approach: find a flaw, fix a flaw
• Better approach: find flaws and keep a prioritized list
• Best approach: align vulnerability metrics into a continual service improvement model
• http://www.fedramp.net/continuous‐monitoring‐program
• Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Even if there must be an elephant in the room, it doesn’t have to be this elephant
About Cavirin
Cavirin’s Automated Risk Analysis Platform (ARAP) manages the day‐to‐day challenges of implementing security best practices and assessing operational risk. Leveraging most major compliance and technology frameworks, including those within PCI, CIS, HIPAA, ISO, NIST, DISA, SSAE 16 SOC 2 and more, ARAP offers compliance transparency and actionable reporting across the entire enterprise. Cavirin’s solution manages technology risk and compliance. It works in the data center as well as in the cloud, as a single end‐to‐end compliance fabric, applying the same industry and risk policies to virtually every point in your information supply chain.
Cavirin’s ARAP appliance continuously monitors and maps changes against operational and regulatory policies, elevating real time visibility from threats to informed risk decisions and a basis for remedial action. ARAP is easily configured to suit your business’ unique regulatory and cybersecurity needs.
About your speaker: Robin Basham, VP Information Security Risk and Compliance
Robin Basham, M.Ed, M.IT, CISSP, CISA, CGEIT, CRISC, serves as Cavirin’s Vice President Information Security Risk and Compliance, providing thought leadership to industries ranging from large enterprise to soaring SMB, delivering concrete programs that transform compliance burden to strategic advantage. Robin is a Certified Information Systems Security, Audit, Governance and Risk professional, earning multiple master’s degrees in Technology and Education. She is an Enterprise ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud and Virtualization. Industry experience includes program direction, architecting and management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense and High Tech. Robin has held positions in Technology as an Officer at State Street Bank, Lead Process Engineering for a major New England CLEC, and Sr. Director Enterprise Technology for multiple advisory firms. Robin has delivered more than 75 compliance engineering products, and run two governance software companies. Most recently she served as Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Robin’s expertise and knowledge are highly recognized in Boston, Mid Atlantic, Silicon Valley and East Bay, where she has served hundreds of clients and is a frequent speaker, educator, and board contributor.
Questions