Conducting Risk Assessments
Instructor: Duane Dunston
Duane Dunston
• Associate Professor Cybersecurity (9 years)
• Education Sector 1998 - 2001
• Federal Government & Contractor 2001-2012
• Working on EdD at Northeastern University
• Curriculum, Teaching, Learning, and Leadership
• Cognition and learning
Risk Defined
"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization." - NIST 800-30
Everyone manages risk
● Executives must understand and support risk management
  ■ Employees follow their leaders
● "Culture of Risk"
● System Development Lifecycle
Complexity of modern businesses
• Email
• Mobile devices
• Corporate website
• Social media
• Ecommerce systems
• Online banking
• BYOD and office policy
• Network management
• Backup and remote access
From NIST: https://www.nist.gov/itl/smallbusinesscyber
More: NIST Special Publication 800-12, revision 1, An Introduction to Information Security, section 1.4
Cybersecurity Objectives
From NIST: https://www.nist.gov/itl/smallbusinesscyber
Data Backup
• Ensure you have a backup of your data
• Ensure you test to be sure what you are backing up is being backed up and is the latest version
• Keep your backups on a separate network or offline (and encrypted)
Activity
Who manages backups in your organization? If unsure, find out. Make a note to discuss the previous slides' points with them.
1. Is data backed up?
2. Are backups tested, and do they contain the latest version of documents?
3. Are they kept on a separate network or offline, offsite, and encrypted?
4. Has anyone tested to be sure it is encrypted?
5. Explain the process and show the results.
6. How often are the above procedures tested?
Hacking Motivations
• Fun
• Opportunistic
• Malicious
• Financial
• Springboard to attack others
• Nation State
• Hacktivism
• Identity Theft
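The "Risk Defined" slide states risk as a function of likelihood and impact, and the motivations above are the kinds of threat source that get rated. The following is an added example (not from the slides or from NIST) that turns that definition into a small qualitative risk register: each item records a threat source, the weakness it could exercise, a likelihood rating and an impact rating, and the register is ranked by the combined risk level. The five-level scale follows the style of NIST SP 800-30 Rev. 1; the combination table and the sample entries are assumptions written for this example.

```python
"""Qualitative risk scoring in the NIST 800-30 sense: risk = f(likelihood, impact).

Added example, not from the slides. The five-level scales follow the style of
NIST SP 800-30 Rev. 1; the combination table below is an assumption written
for this example (check it against the publication's tables before reuse).
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumed combination table: row = likelihood rating, column index = impact rating.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
}


@dataclass(frozen=True)
class RiskItem:
    threat_source: str   # who or what could act (compare the motivations listed above)
    vulnerability: str   # the weakness that source could exercise
    likelihood: str      # likelihood that the source exercises the vulnerability
    impact: str          # impact of the resulting adverse event on the organization


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood rating and an impact rating into a risk rating."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def rank_risks(items):
    """Return (item, risk) pairs, highest risk first; a starting point for a POA&M."""
    scored = [(item, risk_level(item.likelihood, item.impact)) for item in items]
    # sorted() is stable, so items with equal risk keep their register order
    return sorted(scored, key=lambda pair: LEVELS.index(pair[1]), reverse=True)


# Constructed sample register for a small organization (hypothetical entries).
SAMPLE_REGISTER = [
    RiskItem("Financially motivated attacker", "Backups never tested for restore", "Moderate", "Very High"),
    RiskItem("Opportunistic scanner", "Unpatched remote-access service", "High", "High"),
    RiskItem("Hacktivist", "Public website content defacement", "Low", "Low"),
    RiskItem("Insider error", "BYOD device with no screen lock", "High", "Moderate"),
]

if __name__ == "__main__":
    for item, level in rank_risks(SAMPLE_REGISTER):
        print(f"{level:>9}  {item.vulnerability} ({item.threat_source})")
```

The point of the table is that a very likely event with negligible impact, or a catastrophic event that is very unlikely, both land well below the top of the register; the ranking is what you bring to the executives who, as the next slide says, must understand and support risk management.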
System Boundary
Purpose: Identify information assets which are a part of the organization and where they are located (physical location and geolocation).
Who is involved?
Executives, IT Managers, system and network administrators, head or key person in each department, Employee awareness
System Interconnections
Purpose: Identify network connections with organizations outside of the organization’s responsibility (contractors, remote support, cloud service)
Who is involved?
Executives, IT Managers, system and network administrators, head or key person in each department
Software Inventory
Purpose: Identify all software installed on all operating systems and devices
“Living Document”
Who is involved?
IT Managers, system and network administrators, head or key person in each department, employees
Self-reflection
Make a note to determine whether your organization has the items below and identify who is responsible for maintaining each:
1. Network diagram
   a. Routinely updated and how often it is reviewed.
2. System Boundary well-defined
   a. Routinely updated and how often it is reviewed.
3. System Interconnections documented
   a. Routinely updated and how often it is reviewed.
4. Software Inventory
   a. Routinely updated and how often it is reviewed.
Categorize System
Determine the impact to the organization
Confidentiality, Integrity, and Availability
Must identify information types; they drive the determination of adverse impacts
Who is involved?
IT Managers, system and network administrators, head or key person in each department
Categorize System
Guiding Documents
NIST 800-60 Volumes I and II.
Walk-Through
Spreadsheet based on NIST 800-60 Volumes I & II:
https://tinyurl.com/4ucywrum
Review the spreadsheet and the tabs that have the information types
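Categorization works by rating each information type for confidentiality, integrity and availability and then rolling those ratings up to the system. The following is an added example (not from the slides or from the linked spreadsheet) that implements the roll-up rule NIST 800-60 applies, the FIPS 199 "high-water mark": for each security objective the system takes the highest impact of any information type it handles, and the overall system level is the highest of the three. The information types and their impact levels are constructed for illustration; the provisional levels for real information types come from NIST 800-60 Volume II.

```python
"""System categorization by high-water mark over information types.

Added example, not from the slides or the 800-60 spreadsheet. The rule
implemented is the FIPS 199 high-water mark used by NIST 800-60: the
system's impact for each security objective is the highest impact of any
information type it handles. The information types and levels below are
constructed for illustration.
"""
from dataclasses import dataclass

# Ordered impact levels. "n/a" is allowed per information type for
# confidentiality (public information) but a system is never rated below "low".
IMPACT_ORDER = {"n/a": -1, "low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective).strip().lower()
        if value not in IMPACT_ORDER:
            raise ValueError(f"{self.name}: unknown impact level {value!r} for {objective}")
        return value


def high_water_mark(levels):
    """Highest impact in the list; a column that is all 'n/a' floors at 'low'."""
    best = max(levels, key=IMPACT_ORDER.__getitem__, default="low")
    return "low" if best == "n/a" else best


def categorize_system(info_types):
    """Return the per-objective categorization plus the overall system level."""
    if not info_types:
        raise ValueError("identify the information types first")
    category = {obj: high_water_mark([t.level(obj) for t in info_types]) for obj in OBJECTIVES}
    category["overall"] = high_water_mark(list(category.values()))
    return category


# Constructed information types for a small business (hypothetical levels).
SAMPLE_TYPES = [
    InfoType("Public website content", "n/a", "low", "low"),
    InfoType("Customer payment records", "high", "high", "moderate"),
    InfoType("Employee HR records", "moderate", "moderate", "low"),
    InfoType("Backup catalog", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    for objective, level in categorize_system(SAMPLE_TYPES).items():
        print(f"{objective:>16}: {level}")
```

A single high-impact information type pulls the whole system up to high, which is exactly why the slide says the information types must be identified first: leaving out the payment records in the sample would drop the system to moderate and every control decision downstream with it.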
Select Controls
Based on the risks identified in the Categorization phase and during risk identification.
Who is involved?
Legal department, IT managers, executives, human resources, financial department, system, security, and network administrators
Select Controls
Security Controls Best Practices:
● NIST 800-171
  ■ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
● CIS Critical Security Controls
● Payment Card Industry (May require hardware and information compliance)
Select Controls
● Regulatory compliance may drive security control selection
  ○ e.g. CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS)
● https://tinyurl.com/9z2h7y72
● Cybersecurity resources: public, and some require registration
  ○ https://www.cisa.gov/cybersecurity
● Read industry-specific regulations carefully because not all facilities may fit the specific requirement: https://tinyurl.com/9z2h7y72
Select Controls
Security Controls Best Practices:
● NIST 800-171
  ■ https://tinyurl.com/wxpf45j2
Starting point for securing the enterprise
Family of security controls
CIS Critical Security Controls
● Contributed by the public
● Can help mitigate the most common and well-known threats
● Can be used in the Prepare stage to determine current security posture
https://www.cisecurity.org/controls/
Walk-through
CIS Critical Security Controls Questionnaire:
https://tinyurl.com/8adcx5kh
Payment Card Industry (PCI)
Payment Card Industry (May require hardware and information compliance)
https://tinyurl.com/3z62xw2n PCI FAQ
An often-forgotten requirement if you process, transmit, or store cardholder data (including paper records)
Compliance != Secure
● Compliance != Secure
● Complacent
Implement Controls
● Document what has been done to implement the control
● Include all stakeholders
● Systematically deploy controls
● Could break production processes
● Document the actual implementation
Implement Controls
● Vulnerability scans
● Scan a minimum of 95% of systems
● Ties into the system and software inventory
● If this is new, systematically scan small segments
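The 95% figure is only meaningful against the inventory, which is why the slide ties the two together. The following is an added example (not from the slides) of the check a practitioner would run after each scan cycle: compare the hosts the scanner actually reported on with the system inventory, compute the coverage fraction, and list both the inventoried hosts that were never scanned and the scanned hosts the inventory does not know about (the second list is an inventory defect, a reminder that the inventory is a living document). The inventory and scan results below are constructed sample data.

```python
"""Vulnerability-scan coverage check against the system inventory.

Added example, not from the slides. Both inputs are constructed: the
inventory as a list of host names, and the set of hosts the scanner
reported on. The 95% threshold is the figure given on the slide.
"""
from dataclasses import dataclass, field

COVERAGE_TARGET = 0.95


@dataclass
class CoverageReport:
    scanned: int                      # inventoried hosts the scanner reported on
    inventoried: int                  # total hosts in the inventory
    unscanned: list = field(default_factory=list)          # in inventory, not scanned
    unknown_to_inventory: list = field(default_factory=list)  # scanned, not in inventory

    @property
    def coverage(self) -> float:
        return self.scanned / self.inventoried if self.inventoried else 0.0

    @property
    def meets_target(self) -> bool:
        return self.coverage >= COVERAGE_TARGET


def normalize(host: str) -> str:
    """Host names come from two different tools; compare them case-insensitively."""
    return host.strip().lower()


def coverage_report(inventory, scanned_hosts) -> CoverageReport:
    inv = {normalize(h) for h in inventory}
    seen = {normalize(h) for h in scanned_hosts}
    return CoverageReport(
        scanned=len(inv & seen),
        inventoried=len(inv),
        unscanned=sorted(inv - seen),
        unknown_to_inventory=sorted(seen - inv),
    )


# Constructed inventory: 15 workstations plus five other devices (20 hosts).
SAMPLE_INVENTORY = [f"ws-{i:02d}" for i in range(1, 16)] + [
    "srv-web", "srv-db", "srv-files", "fw-edge", "printer-1",
]

# Constructed scanner output: two inventoried hosts were missed and one host
# the inventory does not list showed up (note the differing capitalization).
SAMPLE_SCANNED = [h for h in SAMPLE_INVENTORY if h not in ("ws-07", "printer-1")] + ["SRV-Legacy"]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_INVENTORY, SAMPLE_SCANNED)
    print(f"coverage {report.coverage:.0%} (target {COVERAGE_TARGET:.0%}), "
          f"meets target: {report.meets_target}")
    print("not scanned:", report.unscanned)
    print("not in inventory:", report.unknown_to_inventory)
```

On the sample data the scan covers 18 of 20 hosts (90%), so the cycle fails the target, and the report says exactly which two hosts to chase and which one host needs to be added to the inventory before the next cycle.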
Walk-through
● System Security Plan (SSP)
● “Living Document”
● NIST provides a template for creating a System Security Plan
  ○ https://tinyurl.com/yu6834td
Assess Controls
Check to be sure controls are performing as expected.
● Wifi is not allowed in our organization
  ○ Turn on a phone, tablet, or PC with wifi to see if there are strong signals
  ○ Move around the organization to pinpoint the location
● Wifi is allowed
  ○ Test for authentication
  ○ Try to access internal organizational resources
  ○ Review event logs to determine if alerts are being generated when someone connects
Document all of the above and add to security plan document
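The last bullet of the "wifi is allowed" case is the one most often skipped: confirming that the alert actually fired for each test connection, not just that the connection was logged. The following is an added example (not from the slides) of that check. It reads a constructed wireless-controller association log and a constructed SIEM alert log, pairs each test client with the first alert raised for it, and classifies the result as alerted within the expected window, late, or missing; the lines that are not "alerted" are the findings to add to the security plan. The log formats are invented for this example; a real controller and SIEM use their own fields.

```python
"""Assess whether the 'alert on new wireless client' control actually fires.

Added example, not from the slides. The log formats below are constructed
for illustration; real controller and SIEM exports have their own fields.
"""
from datetime import datetime, timedelta

# Constructed: what the wireless controller logged during the walk-around test.
ASSOC_LOG = """\
2024-05-02T09:14:05 ASSOC client=aa:bb:cc:dd:ee:01 ssid=CORP-STAFF
2024-05-02T09:20:41 ASSOC client=aa:bb:cc:dd:ee:02 ssid=CORP-STAFF
2024-05-02T09:31:10 ASSOC client=aa:bb:cc:dd:ee:03 ssid=CORP-GUEST
"""

# Constructed: what the SIEM alerted on during the same period.
ALERT_LOG = """\
2024-05-02T09:14:09 ALERT rule=wifi-new-client client=aa:bb:cc:dd:ee:01
2024-05-02T09:45:00 ALERT rule=wifi-new-client client=aa:bb:cc:dd:ee:02
"""


def parse(log: str, kind: str):
    """Yield (timestamp, fields) for lines of the given kind; ignore anything else."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != kind:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append((datetime.fromisoformat(parts[0]), fields))
    return events


def assess_alerting(assoc_log: str, alert_log: str, window_seconds: int = 60):
    """Return {client: 'alerted' | 'late' | 'missing'} for every test connection."""
    alerts = parse(alert_log, "ALERT")
    status = {}
    for connected_at, fields in parse(assoc_log, "ASSOC"):
        client = fields["client"]
        # only alerts raised at or after the connection can count for it
        candidates = [t for t, f in alerts if f.get("client") == client and t >= connected_at]
        if not candidates:
            status[client] = "missing"
        elif min(candidates) - connected_at <= timedelta(seconds=window_seconds):
            status[client] = "alerted"
        else:
            status[client] = "late"
    return status


def findings(status: dict) -> list:
    """Lines worth recording in the security plan: every connection that did not alert in time."""
    return [f"{client}: alert {state}" for client, state in status.items() if state != "alerted"]


if __name__ == "__main__":
    result = assess_alerting(ASSOC_LOG, ALERT_LOG)
    for client, state in result.items():
        print(f"{client}  {state}")
    print("findings:", findings(result))
```

On the sample logs the first client alerts within four seconds, the second alerts only 24 minutes later (a delayed rule or a batched forwarder, either way not usable for response), and the guest-network client never alerts at all; two findings go into the plan and, later, the POA&M.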
Monitoring
The forgotten control
The documentation on implementing and assessing the controls guides the monitoring
● Finding alerts, creating test users, talking to personnel should be performed periodically
Step through the controls in the security plan and assess periodically
Organizations and processes change
Risk Assessment
● Cyclical and continuous process
● Examines the risk to the organization's mission, processes, and assets
● NIST 800-30 rev 1
  ○ Guide to conducting Risk Assessments
  ○ https://tinyurl.com/wmb7vnsy
● Evaluates the entire RMF process and its outputs
● Results of interviews, vulnerability scans, control testing
Before starting the Risk Assessment
● Social skills
● Remind them you are there to assist and to be another set of eyes
● Do not blame or point fingers
● Restrain non-verbal cues
● Know what you do not know
● Write down what you do not know and get back to them
Business Impact Analysis
● Document that examines the impact to the organization's mission and processes
● Provides steps for recovery
  ○ https://www.ready.gov/business-impact-analysis
● NIST Special Publication 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems
  ○ https://tinyurl.com/2a5ydtkj
  ○ Appendix B, B-1 BIA Template
Walk-through
Business Impact Analysis template, a Word document from the NIST website:
https://tinyurl.com/376xzmtv
Risk Assessment Walk-through
● NIST 800-30 rev 1 Guide to conducting Risk Assessments
  ○ https://tinyurl.com/wmb7vnsy
Brief Walk-through
● Conducting the Risk Assessment: NIST 800-171A
  ○ https://tinyurl.com/4ucywrum
Spreadsheet
Assessing Security Requirements for Controlled Unclassified Information
OPTIONAL: Same spreadsheet, but has a macro to select multiple Event Sources
https://tinyurl.com/5c8k96ea
Risk Assessment Essay
https://tinyurl.com/4seruzkp
Plan of Action & Milestones
● “Living document”
● Document the weaknesses from the Risk Assessment
● Updated during the monitoring and control assessment process
Walk-through
Template for Plan of Action & Milestones
● https://tinyurl.com/23h6pak8
Conclusion
• A thorough RMF can become the baseline of a cyclical process that does not require all of these steps on a yearly basis.
• Configuration Management and Control monitoring allow frequent reviews of documentation, controls, and processes
• Effectively, those allow frequent mini RAs
• The POA&M allows frequent documentation for managing identified risks
• Test your Incident Response capability even if it is just a tabletop exercise so everyone knows what to do