Conducting Risk Assessments Instructor: Duane Dunston

Instructor: Duane Dunston...2021/05/07  · •Associate Professor Cybersecurity (9 years) • Education Sector 1998 - 2001 • Federal Government & Contractor 2001-2012 • Working


Page 1

Conducting Risk Assessments

Instructor: Duane Dunston

Page 2

Duane Dunston

• Associate Professor Cybersecurity (9 years)
• Education Sector 1998 - 2001
• Federal Government & Contractor 2001-2012
• Working on EdD at Northeastern University
• Curriculum, Teaching, Learning, and Leadership

• Cognition and learning

Page 3

Risk Defined

"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization." - NIST 800-30

Page 4

Everyone manages risk

● Executives must understand and support risk management
  ■ Employees follow their leaders
● "Culture of Risk"
● System Development Lifecycle

Page 5

• Email
• Mobile devices
• Corporate website
• Social media
• Ecommerce systems
• Online banking
• BYOD and office policy
• Network management
• Backup and remote access

Complexity of modern businesses

From NIST: https://www.nist.gov/itl/smallbusinesscyber

Presenter
Presentation Notes
Take a moment to consider how complex a modern small business might be. Your grandparents' or even your parents' generation could successfully manage a business with little more than paper, possibly a computer, and a telephone connection. Today, the expectations of a business, small or large, are far more complex. Just to get your business started, you created some form of technological presence, setting up email, websites, and ecommerce. You want it to be easy to purchase your goods or for customers to pay their bills, so you've likely set up online payment and banking systems. You've integrated them with customer data management systems and given some of your employees access to them. As your business grows, so does the data you are managing: email records, employee information, customer data and sales systems (inventory, history), tax information, licensing and permits.

Every small business needs to consider the various systems and devices it is managing, whether intended or not, that enable the business to run efficiently. You use email to communicate with employees, customers, and vendors. What system will you use and how will you manage it? Will you give access to trusted employees? Your employees have phones and laptop computers, whether their own or company-provided. Can they use the office network, or do you restrict access? Do you provide virtual private networks and remote access to systems? Who sets policy and decides what's safe, or who should have access and who shouldn't? If an employee wanted to print a personal document, would you allow it? What security risk might accompany that simple act? Does your business have an online presence such as a website or social media accounts? Who manages the account and how do they secure it? Are they reusing passwords or accessing these accounts on insecure systems? Was the website originally designed with security in mind?

Have you added capabilities such as online ordering or inventory management that could be attractive to criminals? Who has access to your company's banking? Do you have policies in place to prevent malicious use via social engineering? Are your employees trained to recognize possible fraud? If someone sent an email on a Friday afternoon insisting on an emergency wire transfer of funds on your behalf, what mechanism do you have to distinguish a real request from a fake one? What is your backup policy for company data and your employees' devices? Do you practice backing up and testing your backups? Are you utilizing cloud-based storage and services? How do you select your vendors, and what questions do you ask about their cybersecurity practices? You can see that this complex environment can't be secured just by setting a policy or trying a one-size-fits-all approach. How to begin? Let's begin by understanding the key objectives to manage your cybersecurity risk and develop a plan.
Page 6

More: NIST Special Publication 800-12, revision 1, An Introduction to Information Security, section 1.4

Cybersecurity Objectives

From NIST: https://www.nist.gov/itl/smallbusinesscyber

Presenter
Presentation Notes
One definition of information security is "the protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. The careful implementation of information security controls is vital to protecting an organization's information assets as well as its reputation, legal position, personnel, and other tangible or intangible assets."* At NIST, the three tiers of Confidentiality, Integrity and Availability are addressed in more detail in our Special Publication "An Introduction to Information Security". You will find a link to this document on the worksheet titled NIST Resources found at the NIST Small Business Corner (the URL is also below).

Looking at this three-tier set of objectives, what do they mean? Confidentiality means that restricted information remains restricted, and that the controls which maintain that restriction are upheld and secured. Integrity considerations include both data and system integrity and the need to guard against someone modifying or destroying them or causing concern about their reliability. Availability considerations refer to the need for you to get to your data and information without disruption. Your business objectives are typically supported by a focus on all three of these areas, but to differing degrees (an e-commerce organization may be very focused on availability, a small healthcare organization more on confidentiality of patient information).

*Resource: https://doi.org/10.6028/NIST.SP.800-12r1 "An Introduction to Information Security"
Page 7

Data Backup

• Ensure you have a backup of your data
• Ensure you test to be sure what you are backing up is being backed up and is the latest version

• Keep your backups on a separate network or offline (and encrypted)

Page 8

Activity

Who manages backups in your organization? If unsure, find out. Make a note to discuss the previous slide's points with them.

1. Is data backed up?
2. Are backups tested, and do they have the latest version of documents?
3. Are they kept on a separate network or offline, offsite and encrypted?
4. Has anyone tested to be sure it is encrypted?
5. Explain the process and show the results.
6. How often are the above procedures tested?
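The checks from the Data Backup slide and this activity (is everything backed up, is the copy the latest version, is the backup actually encrypted) can be scripted. The following is an added example, not material from the slides; the directory layout, file names and the random-byte stand-in for ciphertext are constructed for the demonstration:

```python
"""Backup verification checks (added example, not from the slides): is every file
backed up, is the copy the latest version, and is the backup archive encrypted?
Helper names and sample files are constructed for this illustration."""
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """missing = never backed up; stale = backup older than the source (not the
    latest version); mismatched = same age, different bytes (bad copy)."""
    report = {"missing": [], "stale": [], "mismatched": [], "ok": []}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = backup / rel
        if not dst.exists():
            report["missing"].append(rel)
        elif dst.stat().st_mtime < src.stat().st_mtime:
            report["stale"].append(rel)
        elif sha256_of(dst) != sha256_of(src):
            report["mismatched"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform random data approaches 8.0, English text about 4.5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample: int = 4096, threshold: float = 7.0) -> bool:
    """Answers 'has anyone tested that it is encrypted?' heuristically. Caveat: a
    compressed archive also scores high, so True only proves the file is not
    plaintext; the definitive test is a restore that fails without the key."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample)) >= threshold


def demo() -> dict:
    """Constructed source tree and backup copy exhibiting each failure mode."""
    root = Path(tempfile.mkdtemp())
    source, backup = root / "source", root / "backup"
    day, now = 86400, 1_700_000_000
    for base in (source, backup):
        (base / "finance").mkdir(parents=True)
        (base / "finance" / "ledger.csv").write_text("date,amount\n2021-05-07,100\n")
        (base / "policy.pdf").write_bytes(b"version 1" if base is backup else b"version 2")
        os.utime(base / "policy.pdf", (now - day, now - day))  # same age, different bytes
    os.utime(source / "finance" / "ledger.csv", (now - day, now - day))
    os.utime(backup / "finance" / "ledger.csv", (now - 3600, now - 3600))  # copied after edit
    (source / "payroll.txt").write_text("updated after backup\n")
    (backup / "payroll.txt").write_text("old copy\n")
    os.utime(source / "payroll.txt", (now, now))  # edited today, backup is from yesterday
    os.utime(backup / "payroll.txt", (now - day, now - day))
    (source / "contracts.docx").write_bytes(b"never backed up")
    report = verify_backup(source, backup)
    plain, cipher = root / "backup.tar", root / "backup.tar.gpg"
    plain.write_bytes(b"name,ssn\n" * 500)
    cipher.write_bytes(os.urandom(4096))  # constructed stand-in for real ciphertext
    report["plain_archive_encrypted"] = looks_encrypted(plain)
    report["cipher_archive_encrypted"] = looks_encrypted(cipher)
    return report
```

Run `demo()` to see the four outcomes side by side; in production, point `verify_backup` at the real source and a freshly restored copy of the backup, which also exercises the restore path.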

Page 9

• Fun
• Opportunistic
• Malicious
• Financial
• Springboard to attack others
• Nation State
• Hacktivism
• Identity Theft

Hacking Motivations

Presenter
Presentation Notes
Although the term hacking has connotations for good, here we will focus on the malicious forms of hacking. When someone stages an attack on your network or the systems you use, we can call this hacking. Typically the hacking attack will occur without anyone ever setting foot in your office or on your property. They will utilize access via the internet or on your own network to go after some aspect of your environment. A DDoS, or distributed denial of service attack, often means they will overwhelm your website or web address with internet traffic, blocking legitimate traffic and taking your website down. The attack is shared across multiple attack points, hence the word "distributed" in the name. The attackers may be using a botnet, a network of infected computers acting upon their command to stage the flow of traffic against you. DDoS attacks are common and impact businesses, governments large and small, and individuals.

As our business environments increase in complexity, we also need to guard against previously protected systems and devices that have added network capabilities. Consider the increasing popularity of the Internet of Things, with network-connected refrigerators, thermostats, even lightbulbs. Every advantage these devices provide us carries an additional cost in needing protection from cybersecurity risks. Can you update these devices, and how do you control who can send those update messages? Could a hacker communicate with your thermostat via your own wireless network? What about your office printer and fax machine? Do they store the images they've sent, and could someone access that information without permission?

Hacking can also occur when a trusted employee or visitor to our physical environment abuses that trust to illegally access other areas of the business. We must safeguard our systems by using controls such as passwords and checking access records to ensure our systems are protected both from within and without.
Page 11

System Boundary

Purpose: Identify the information assets that are part of the organization and where they are located (physical location and geolocation).

Who is involved?

Executives, IT Managers, system and network administrators, head or key person in each department, employee awareness

Presenter
Presentation Notes
Link to System Boundary Document
Page 12

System Interconnections

Purpose: Identify network connections with organizations outside of the organization’s responsibility (contractors, remote support, cloud service)

Who is involved?

Executives, IT Managers, system and network administrators, head or key person in each department

Page 13

Software Inventory

Purpose: Identify all software installed on all operating systems and devices

“Living Document”

Who is involved?

IT Managers, system and network administrators, head or key person in each department, employees

Presenter
Presentation Notes
Executives and IT Managers are essential because a push for a consolidation or removal of software will have production impacts.
Page 14

Self-reflection

Make a note to determine whether your organization has the items below, and identify who is responsible for maintaining each:

1. Network diagram
   a. Routinely updated and how often it is reviewed.

2. System Boundary well-defined
   a. Routinely updated and how often it is reviewed.

3. System Interconnections documented
   a. Routinely updated and how often it is reviewed.

4. Software Inventory
   a. Routinely updated and how often it is reviewed.

Presenter
Presentation Notes
Automated tools (e.g. Ivanti) can be used to query installed software. Look for software inventory managers that support your organization's devices as closely as possible.
Page 16

Categorize System

Determine the impact to the organization

Confidentiality, Integrity, and Availability

Information types must be identified; they drive the determination of adverse impacts.

Who is involved?

IT Managers, system and network administrators, head or key person in each department

Page 17

Categorize System

Guiding Documents

NIST 800-60 Volumes I and II.

Page 18

Walk-Through

Spreadsheet based on NIST 800-60 Volumes I & II:

https://tinyurl.com/4ucywrum

Review the spreadsheet and the tabs that have the information types
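What the NIST 800-60 spreadsheet does mechanically is the FIPS 199 high-water mark over the identified information types. The following is an added example, not the instructor's spreadsheet; the information types and their provisional impact levels are constructed, and the adjustment in the test illustrates the assessor's "review and adjust" step for an e-commerce organization focused on availability:

```python
"""FIPS 199 / NIST SP 800-60 system categorization by high-water mark (added
example, not from the slides). The information types and provisional impact
levels below are constructed; real values come from SP 800-60 Volume II."""
from typing import Dict, Optional, Tuple

LEVELS = ("low", "moderate", "high")          # FIPS 199 impact scale, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")
Triple = Tuple[str, str, str]                  # (C, I, A) levels for one information type

# Constructed sample: provisional (C, I, A) impact levels per information type.
SAMPLE_TYPES: Dict[str, Triple] = {
    "Customer order records": ("moderate", "moderate", "moderate"),
    "Public website content": ("low", "moderate", "low"),
    "Employee payroll data": ("high", "moderate", "low"),
}


def categorize_system(info_types: Dict[str, Triple],
                      adjustments: Optional[Dict[str, Triple]] = None) -> dict:
    """SP 800-60 steps in code: start from the provisional levels, apply the
    assessor's reviewed adjustments, then take the high-water mark for each
    objective and overall. Each mark records the information type that drove
    it, which is what an auditor will ask for."""
    levels = dict(info_types)
    levels.update(adjustments or {})
    if not levels:
        raise ValueError("no information types identified")
    for name, triple in levels.items():
        if len(triple) != 3 or any(lvl not in LEVELS for lvl in triple):
            raise ValueError(f"{name}: expected (C, I, A) levels from {LEVELS}, got {triple}")
    result = {}
    for idx, objective in enumerate(OBJECTIVES):
        driver = max(levels, key=lambda name: LEVELS.index(levels[name][idx]))
        result[objective] = {"level": levels[driver][idx], "driven_by": driver}
    result["overall"] = max((result[o]["level"] for o in OBJECTIVES), key=LEVELS.index)
    return result


def fips199_notation(result: dict) -> str:
    """Render in the FIPS 199 form: SC = {(confidentiality, HIGH), ...}."""
    parts = ", ".join(f"({o}, {result[o]['level'].upper()})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"
```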

Page 20

Select Controls

Based on the impact levels from the Categorization phase and the risks that have been identified.

Who is involved?

Legal department, IT managers, executives, human resources, financial department, system, security, and network administrators

Page 21

Select Controls

Security Controls Best Practices:

● NIST 800-171
  ■ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
● CIS Critical Security Controls
● Payment Card Industry (May require hardware and information compliance)

Page 22

Select Controls

● Regulatory compliance may drive security control selection
  ○ e.g. Chemical Facility Anti-Terrorism Standards (CFATS): https://tinyurl.com/9z2h7y72
● Cybersecurity resources are public, and some require registration
  ○ https://www.cisa.gov/cybersecurity
● Read industry-specific regulations carefully, because not all facilities may fit the specific requirement: https://tinyurl.com/9z2h7y72

Page 23

Select Controls

Security Controls Best Practices:

● NIST 800-171
  ■ https://tinyurl.com/wxpf45j2

Starting point for securing the enterprise

Family of security controls

Presenter
Presentation Notes
Page 7 lists the families of controls. Page 14, Wireless, for example: if your organization doesn't use wireless, this control should still be monitored, and it is an easy assessment.
Page 24

CIS Critical Security Controls

● Contributed by the public
● Can help mitigate the most common and well-known threats
● Can be used in the Prepare stage to determine current security posture

https://www.cisecurity.org/controls/

Page 25

Walk-through

CIS Critical Security Controls Questionnaire:

https://tinyurl.com/8adcx5kh

Page 26

Payment Card Industry (PCI)

Payment Card Industry (May require hardware and information compliance)

PCI FAQ: https://tinyurl.com/3z62xw2n

An often-forgotten requirement if you process, transmit, or store cardholder data (including paper records)

Page 27

Compliance != Secure

● Compliance != Secure
● Complacent

Page 29

Implement Controls

● Document what has been done to implement the control
● Include all stakeholders
● Systematically deploy controls
● Could break production processes
● Document the actual implementation

Page 30

Implement Controls

● Vulnerability scans
● Scan a minimum of 95% of systems
● Ties into the system and software inventory
● If this is new, systematically scan small segments

Presenter
Presentation Notes
Ivanti, Secunia, Ninite, Chocolatey
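Checking the 95% scan coverage floor against the system inventory, segment by segment, as an added example that is not from the slides; the inventory, the scanner export and all addresses are constructed:

```python
"""Vulnerability scan coverage against the system inventory (added example, not
from the slides). The inventory and scan results are constructed; in practice the
inventory is the living system inventory and the scan list is the scanner's export."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed inventory: hostname -> IP address
INVENTORY: Dict[str, str] = {
    "fileserver": "10.0.1.10", "mailrelay": "10.0.1.11", "hr-pc": "10.0.1.20",
    "finance-pc": "10.0.1.21", "printer": "10.0.1.50", "ap-lobby": "10.0.1.60",
    "webshop": "10.0.2.10", "db": "10.0.2.11", "backup": "10.0.2.12", "vpn": "10.0.2.13",
}
# Constructed scanner export: addresses actually scanned in the last run
SCANNED: List[str] = ["10.0.1.10", "10.0.1.11", "10.0.1.20", "10.0.1.21", "10.0.1.50",
                      "10.0.1.60", "10.0.2.10", "10.0.2.11", "10.0.2.12", "10.0.2.99"]


def coverage_report(inventory: Dict[str, str], scanned: Iterable[str],
                    minimum: float = 0.95, segment_prefix: int = 24) -> dict:
    """Measure scan coverage against the inventory (the slide's 95% floor),
    list what was missed, flag scanned addresses the inventory does not know
    about (an inventory gap, not a scanner success), and break coverage down
    per network segment so the next run can target the weakest segment."""
    scanned_ips = {ipaddress.ip_address(a) for a in scanned}
    inv_ips = {name: ipaddress.ip_address(ip) for name, ip in inventory.items()}
    unscanned = sorted(name for name, ip in inv_ips.items() if ip not in scanned_ips)
    unknown = sorted(str(ip) for ip in scanned_ips - set(inv_ips.values()))
    per_segment = defaultdict(lambda: [0, 0])   # segment -> [scanned, total]
    for ip in inv_ips.values():
        seg = str(ipaddress.ip_network(f"{ip}/{segment_prefix}", strict=False))
        per_segment[seg][1] += 1
        if ip in scanned_ips:
            per_segment[seg][0] += 1
    total = len(inv_ips)
    covered = total - len(unscanned)
    coverage = covered / total if total else 0.0
    return {
        "covered": covered, "total": total, "coverage": round(coverage, 3),
        "meets_minimum": coverage >= minimum, "unscanned": unscanned,
        "unknown_hosts": unknown,
        "segments": {seg: {"scanned": s, "total": t, "coverage": round(s / t, 3)}
                     for seg, (s, t) in sorted(per_segment.items())},
    }
```

Unknown hosts are the more valuable finding: a scanned address that is not in the inventory means the inventory (not the scan) needs updating first.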
Page 31

Walk-through

● System Security Plan (SSP)
● "Living Document"
● NIST provides a template for creating a System Security Plan
  ○ https://tinyurl.com/yu6834td

Presenter
Presentation Notes
The SSP needs to be well protected because it contains the real implementation. Don't share it with third parties.
Page 33

Assess Controls

Check to be sure controls are performing as expected.

● Wifi is not allowed in our organization
  ○ Turn on a phone, tablet, or PC with wifi to see if there are strong signals
  ○ Move around the organization to pinpoint the location
● Wifi is allowed
  ○ Test for authentication
  ○ Try to access internal organizational resources
  ○ Review event logs to determine if alerts are being generated when someone connects

Document all of the above and add it to the security plan document

Page 36

Monitoring

The forgotten control

The documentation on implementing and assessing the controls guides the monitoring

● Finding alerts, creating test users, talking to personnel should be performed periodically

Step through the controls in the security plan and assess periodically

Organizations and processes change

Page 37

Risk Assessment

● Cyclical and continuous process
● Examines the risk to the organization's mission, processes, and assets
● NIST 800-30 rev 1
  ○ Guide for Conducting Risk Assessments
  ○ https://tinyurl.com/wmb7vnsy
● Evaluates the entire RMF process and its outputs
● Results of interviews, vulnerability scans, control testing

Presenter
Presentation Notes
Page 23 of NIST HB 162 for Wireless
Page 38

Before starting the Risk Assessment

● Social skills
● Remind them you are there to assist and be another set of eyes
● Do not blame or point fingers
● Restrain non-verbal cues
● Know what you do not know
● Write down what you do not know and get back to them

Page 39

Business Impact Analysis

● Document that examines the impact to the organization's mission and processes
● Provides steps for recovery
  ○ https://www.ready.gov/business-impact-analysis
● NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems
  ○ https://tinyurl.com/2a5ydtkj
  ○ Appendix B, B-1 BIA Template

Presenter
Presentation Notes
Page 23 of NIST HB 162 for Wireless
Page 40

Walk-through

Business Impact Analysis template: this Word document from the NIST website:

https://tinyurl.com/376xzmtv

Presenter
Presentation Notes
APPENDIX B B-1
Page 41

Risk Assessment Walk-through

● NIST 800-30 rev 1, Guide for Conducting Risk Assessments
  ○ https://tinyurl.com/wmb7vnsy

Presenter
Presentation Notes
Page 23 of NIST HB 162 for Wireless
Page 42

Brief Walk-through

● Conducting the Risk Assessment: NIST 800-171A, Assessing Security Requirements for Controlled Unclassified Information
● Spreadsheet: https://tinyurl.com/4ucywrum
● OPTIONAL: Same spreadsheet, but with a macro to select multiple Event Sources: https://tinyurl.com/5c8k96ea

Presenter
Presentation Notes
Page 15 of Assessing Security Requirements for Controlled Unclassified Information has wifi 3.1.16
Page 43

Risk Assessment Essay

https://tinyurl.com/4seruzkp

Presenter
Presentation Notes
Page 15 of Assessing Security Requirements for Controlled Unclassified Information has wifi 3.1.16
Page 44

Plan of Action & Milestones

● "Living document"
● Document the weaknesses from the Risk Assessment
● Updated during the monitoring and control assessment process

Page 45

Walk-through

Template for Plan of Action & Milestones

● https://tinyurl.com/23h6pak8

Page 46

Conclusion

• A thorough RMF can become the baseline of a cyclical process that does not require all of these steps on a yearly basis.
• Configuration Management and Control monitoring allows frequent reviews of documentation, controls, and processes.
• Effectively, those allow frequent mini RAs.
• The POA&M allows frequent documentation for managing identified risks.
• Test your Incident Response capability even if it is just a tabletop exercise, so everyone knows what to do.

Page 47

Thank you

Duane Dunston

[email protected]

**Test your backups**