CISA | Cybersecurity and Infrastructure Security Agency
CISA Cyber Mission and Cyber Resources
George W. Reeves, Cybersecurity Advisor, Region VI | South Texas & New Mexico
The Nation’s Risk Advisors
Significance of Critical Infrastructure
America remains at risk from a variety of threats, including:
• Acts of Terrorism
• Cyber Attacks
• Extreme Weather
• Pandemics
• Accidents or Technical Failures
Critical Infrastructure refers to the assets, systems, and networks, whether physical or cyber, so vital to the Nation that their incapacitation or destruction would have a debilitating effect on national security, the economy, public health or safety, and our way of life.
Critical Infrastructure Sectors
CISA assists the public and private sectors in securing their networks and focuses on organizations in the following 16 critical infrastructure sectors.
Cybersecurity Advisors (CSAs)
To provide direct coordination, outreach, and regional support in order to protect cyber components essential to the sustainability, preparedness, and protection of the Nation’s Critical Infrastructure and Key Resources (CIKR) and State, Local, Tribal, and Territorial (SLTT) governments.
• Assess: Evaluate critical infrastructure cyber risk.
• Promote: Encourage best practices and risk mitigation strategies.
• Build: Initiate, develop capacity, and support cyber communities-of-interest and working groups.
• Educate: Inform and raise awareness.
• Listen: Collect stakeholder requirements.
• Coordinate: Bring together incident support and lessons learned.
Cybersecurity Resources
Cybersecurity Resources and Assessments
Regional Resources:
- Cyber Resilience Review (CRR)
- External Dependencies Management (EDM)
- Cyber Infrastructure Survey (CIS)
- Workshops (Incident Mgmt, Resilience)
National Resources:
- Phishing Campaign Assessment (PCA)
- Cyber Tabletop Exercises (CTTX)
- Vulnerability Scanning Service (CyHy)
- Web Application Scanning (WAS)
- Validated Architecture Design Review (VADR)
- Red Team Assessment (RTA)
- Risk & Vulnerability Assessment (RVA) / Remote Penetration Test (RPT)
(On the slide, these resources are arranged on a scale from low-level to technical.)
Cyber Resilience Review (CRR)
Purpose: The CRR is an assessment intended to evaluate an organization’s operational resilience and the cybersecurity practices of its critical services.
Delivery: The CRR can be facilitated or self-administered.
• Helps public and private sector partners understand and measure cybersecurity capabilities as they relate to operational resilience and cyber risk
• Based on the CERT® Resilience Management Model (CERT® RMM)
External Dependency Management (EDM)
Overview: In 2016, DHS launched the External Dependencies Management (EDM) Assessment, focusing specifically on ensuring the protection and sustainment of services and assets that are dependent on the actions of third-party entities.
Background: External Dependencies Management is a domain covered by the CRR. However, EDM and associated issues (e.g., supply-chain management, vendor management) are not addressed at a comprehensive level within the CRR, resulting in the creation of a separate assessment.
Linkages to CRR: Despite operating at a more granular level than the CRR, the EDM Assessment borrows heavily from the CRR’s methodological architecture and scoring system but remains a DHS-facilitated assessment.
(Figure: EDM process outlined in the External Dependencies Management Resource Guide)
Cyber Infrastructure Survey (CIS)
Structured, interview-based assessment (2½ to 4 hours) of the essential cybersecurity practices in place for critical services within your organization
• Identifies interdependencies, capabilities, and the emerging effects related to current cybersecurity posture
• Focuses on protective measures, threat scenarios, and a service-based view of cybersecurity in the context of the surveyed topics
• Broadly aligns to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
Workshops
Cyber Resilience Workshop
• Raises awareness of gaps in cyber management practices and of process improvements for CIKR and SLTT communities.
• Introduces stakeholders and practitioners to cyber resilience concepts in key performance areas related to cybersecurity, IT operations, and business continuity.
• Reinforces cybersecurity best practices and examines resilience concepts and objectives.
Incident Management Workshop
• Enhances cyber incident response and discusses federal coordination for incident notification, containment, and recovery.
• Assists you in engaging executive personnel in the creation of the policy(ies) necessary for plan development.
• Provides insight and a starting point for creating your plan.
National Cyber Resources
Validated Architecture Design Review (VADR)
An assessment based on Federal and industry standards, guidelines, and best practices. Assessments can be conducted on Information Technology (IT) or Operational Technology (OT) infrastructures (ICS/SCADA).
• Reduce risk to the Nation’s Critical Infrastructure components
• Analyze systems based on standards, guidelines, and best practices
• Ensure effective defense-in-depth strategies
• Provide findings and practical mitigations for improving operational maturity and enhancing cybersecurity posture
Vulnerability Scanning Service (CyHy)
Assess Internet-accessible systems for known vulnerabilities and configuration errors
Work with the organization to proactively mitigate threats and risks to systems
Activities include:
• Network Mapping
  - Identify public IP address space
  - Identify hosts that are active on the IP address space
  - Determine the O/S and services running
  - Re-run scans to determine any changes
  - Graphically represent the address space on a map
• Network Vulnerability & Configuration Scanning
  - Identify network vulnerabilities and weaknesses
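The "re-run scans to determine any changes" step is where most of the value of recurring external scanning comes from: the interesting finding is usually the host or service that was not there last week. The following Python script is an added example, not CyHy's own code or output format. It parses two constructed scan snapshots (a simplified "ip port/proto state service" line format, assumed here for illustration) and reports new and disappeared hosts, newly opened and closed ports, and services whose identification changed between runs.

```python
"""Change detection between two external scan snapshots.

Added example (not CISA's CyHy code). Models the "re-run scans to determine
any changes" step: parse two inventories of Internet-facing hosts and report
what appeared, disappeared or changed between runs. The two snapshots below
are constructed sample data in an assumed, simplified line format:
    <ip> <port>/<proto> <state> <service>
"""
from collections import defaultdict

# Constructed sample data (documentation range 198.51.100.0/24), not real scan output.
SCAN_MONDAY = """\
198.51.100.10 22/tcp open ssh
198.51.100.10 443/tcp open https
198.51.100.20 25/tcp open smtp
198.51.100.20 443/tcp open https
198.51.100.30 3389/tcp open ms-wbt-server
"""

SCAN_FRIDAY = """\
198.51.100.10 22/tcp open ssh
198.51.100.10 443/tcp open https
198.51.100.10 8080/tcp open http-proxy
198.51.100.20 25/tcp open smtp
198.51.100.20 443/tcp open http
198.51.100.40 21/tcp open ftp
"""


def parse_scan(text):
    """Return {ip: {"port/proto": service}} for every line whose state is 'open'."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than guessing
        ip, port, state, service = parts
        if state == "open":
            hosts[ip][port] = service
    return dict(hosts)


def diff_scans(old, new):
    """Compare two parsed inventories and return the deltas a reviewer would triage."""
    delta = {"new_hosts": [], "gone_hosts": [], "new_ports": [],
             "closed_ports": [], "changed_services": []}
    for ip in sorted(set(old) | set(new)):
        if ip not in old:
            # A host that was not in the previous run: every open port on it is new.
            delta["new_hosts"].append(ip)
            delta["new_ports"].extend(f"{ip}:{p}" for p in sorted(new[ip]))
            continue
        if ip not in new:
            # A host that stopped answering: confirm it was decommissioned, not just filtered.
            delta["gone_hosts"].append(ip)
            delta["closed_ports"].extend(f"{ip}:{p}" for p in sorted(old[ip]))
            continue
        for port in sorted(set(old[ip]) | set(new[ip])):
            if port not in old[ip]:
                delta["new_ports"].append(f"{ip}:{port}")
            elif port not in new[ip]:
                delta["closed_ports"].append(f"{ip}:{port}")
            elif old[ip][port] != new[ip][port]:
                # Same port, different service banner: e.g. TLS dropped to plain HTTP.
                delta["changed_services"].append(
                    f"{ip}:{port} {old[ip][port]} -> {new[ip][port]}")
    return delta


def report(delta):
    """Render the delta as one line per change, or 'no changes'."""
    lines = [f"{key:<17} {item}" for key, items in delta.items() for item in items]
    return "\n".join(lines) or "no changes"


if __name__ == "__main__":
    print(report(diff_scans(parse_scan(SCAN_MONDAY), parse_scan(SCAN_FRIDAY))))
```

Run against the two sample snapshots, the report flags a new FTP host, a new proxy port on an existing host, a host that disappeared, and a 443/tcp service that went from https to http, which is the kind of change that should be confirmed with the asset owner before the next run.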
Web Application Scanning (WAS)
An Internet-based scanning service to assess the “health” of your publicly accessible web applications by checking for known vulnerabilities and weak configurations.
Scanning Objectives
• Maintain enterprise awareness of your publicly accessible web-based assets
• Provide insight into how systems and infrastructure appear to potential attackers
• Drive proactive mitigation of vulnerabilities to help reduce overall risk
Scanning Phases
• Discovery Scanning: Identify active, internet-facing web applications
• Vulnerability Scanning: Initiate non-intrusive checks to identify potential vulnerabilities and configuration weaknesses
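"Non-intrusive checks" for configuration weaknesses can be done from nothing more than the headers of an ordinary response. The following Python code is an added example, not the WAS scanner, showing that class of check: it parses a raw HTTP response and flags missing protective headers, version disclosure in Server / X-Powered-By, and session cookies set without the Secure and HttpOnly flags. Both responses below are constructed samples, placed side by side so the weak configuration and its hardened counterpart can be compared.

```python
"""Non-intrusive web configuration checks over a captured HTTP response.

Added example (not CISA's WAS scanner). Shows the kind of "weak configuration"
checks a vulnerability-scanning phase can make without sending anything beyond
a normal GET: it reads response headers only. The two responses below are
constructed samples, not captures from a real site.
"""

WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=abc123; Path=/
Content-Type: text/html
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html
"""

# Headers whose absence is reported, with the reason a reviewer would give.
REQUIRED = {
    "strict-transport-security": "HSTS header missing: downgrade to plain HTTP is not prevented",
    "content-security-policy": "Content-Security-Policy missing: no script-source restrictions",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing (and no CSP frame-ancestors): clickjacking possible",
}


def parse_response_headers(raw):
    """Return (status_code, [(name_lower, value), ...]) from a raw HTTP response."""
    lines = raw.splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_headers(raw):
    """Evaluate a response against the configuration checks; return a list of findings."""
    _, headers = parse_response_headers(raw)
    present = {}
    for name, value in headers:
        present.setdefault(name, []).append(value)  # headers such as Set-Cookie may repeat

    findings = []
    for name, message in REQUIRED.items():
        if name == "x-frame-options" and any(
                "frame-ancestors" in v for v in present.get("content-security-policy", [])):
            continue  # CSP frame-ancestors supersedes X-Frame-Options
        if name not in present:
            findings.append(message)

    # Version strings in Server / X-Powered-By tell an attacker which CVEs to try.
    for name in ("server", "x-powered-by"):
        for value in present.get(name, []):
            if any(ch.isdigit() for ch in value):
                findings.append(f"{name} header discloses software version: {value}")

    # Cookie attributes follow the first ';'. Missing Secure or HttpOnly is a finding.
    for cookie in present.get("set-cookie", []):
        flags = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        cookie_name = cookie.split("=")[0]
        for flag in ("secure", "httponly"):
            if flag not in flags:
                findings.append(f"cookie {cookie_name} set without {flag} flag")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(resp) or "no findings")
```

The weak response produces eight findings; the hardened one produces none. Because the checks read only headers, they stay within the "non-intrusive" boundary described above; anything that requires sending crafted input belongs to the manual or penetration-testing services later in this deck.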
Phishing Campaign Assessment (PCA)
Objectives:
• Increase cybersecurity awareness within stakeholder organizations
• Decrease risk of successful malicious phishing attacks, limit exposure, reduce rates of exploitation
Benefits:
• Receive actionable metrics
• Highlight need for improved security training
Scope:
• 6-week engagement period
• Phishing emails capture click-rate only; no payloads will be used
• Varying levels of complexity: Levels 1-6 (easy to difficult)
Red Team Assessment (RTA)
A comprehensive evaluation of an IT environment. Simulation of Advanced Persistent Threats (APT) can assist stakeholders in determining their security posture by testing the effectiveness of response capabilities against a determined adversarial presence. RTAs are crafted specifically to test the people, processes, and technologies defending a network.
• Tests the stakeholder’s networks using real-world APT attacker methodologies
• Evaluates the people, processes, and technologies responsible for defending the stakeholder’s network
• Provides stakeholder executives actionable insight into their cybersecurity posture and practical training for technical personnel
Risk and Vulnerability Assessment (RVA)
A penetration test, or pentest for short, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data.
• Involves identifying the target systems and the goal, then reviewing the information available and undertaking available means to attain the goal
• A penetration test target may be a white box (where all background and system information is provided) or a black box (where only basic or no information is provided except the company name)
• A penetration test will advise whether a system is vulnerable to attack, whether the defenses were sufficient, and which defenses (if any) were defeated in the penetration test
Remote Penetration Test (RPT)
Utilizes a dedicated remote team to assess and identify vulnerabilities and work with customers to eliminate exploitable pathways.
• Focuses on externally accessible systems
Scenarios:
• External Penetration Test: Verifying whether the stakeholder network is accessible from the public domain by an unauthorized user by assessing open ports, protocols, and services.
• External Web Application Test: Evaluating web applications for potentially exploitable vulnerabilities; the test can include automated scanning, manual testing, or a combination of both methods.
• Phishing Assessment: Testing through carefully crafted phishing emails containing a variety of malicious payloads, sent to the trusted point of contact.
Information Sharing
Automated Indicator Sharing (AIS)
• Automated Indicator Sharing (AIS): Rapid and wide sharing of machine-readable cyber threat indicators and defensive measures at machine-speed for network defense purposes
• AIS is about volume and velocity of sharing indicators, not human validation.
Homeland Security Information Network (HSIN)
The Homeland Security Information Network (HSIN) provides you with a central, online location for information sharing and collaboration.
• A network designed by users, for users
• A trusted, secure, virtual platform to work with homeland security partners in real-time
• A platform that supports daily operations, planned events and exercises, and incident response
Access HSIN 24x7 through your:
Use HSIN if you want to:
• Utilize a trusted, secure network to get information about incidents, plan security for large-scale events or conduct daily operations
• Share information with trusted colleagues and partners for mission support
• Use geospatial tools to map materials, resources and intelligence information
• Chat securely during emergencies or training exercises
• Send alerts and notifications to your qualified colleagues
For more information, contact the HSIN Outreach Team at [email protected] or visit our website at www.dhs.gov/hsin.
Additional Cyber Resources
Enhanced Cybersecurity Services (ECS)
An intrusion prevention capability that helps U.S.-based companies protect their networks against unauthorized access, exploitation, and data exfiltration.
DHS shares sensitive and classified cyber threat information with accredited Commercial Service Providers, who use that information to block certain types of malicious traffic from entering their customers’ networks.
ECS is meant to augment, but not replace, your existing cybersecurity capabilities.
Currently offers the following services:
• DNS Sinkholing: blocks access to specific malicious domains
• Email (SMTP) Filtering: blocks email matching specified malicious criteria
• Netflow Analysis: uses passive detection to identify threats
If you’re interested, contact one of our accredited Commercial Service Providers: AT&T, CenturyLink, or Verizon.
National Cyber Exercise & Planning Program (NCEPP)
NCEPP designs, develops, conducts, and evaluates cyber exercises ranging from small-scale, limited-scope, discussion-based exercises to large-scale, internationally-scoped, operations-based exercises.
NCEPP offers the following services at no cost on an as-needed and as-available basis:
• Cyber Storm Exercise (DHS’s flagship national-level cyber exercise)
• Cyber Guard Prelude
• End-to-End Cyber Exercise Planning
• Cyber Exercise Consulting
• Cyber Planning Support
• Exercise-In-A-Box
ICS Training Opportunities
ICS-CERT Virtual Learning Portal (VLP)
• Virtual & Instructor-Led Training
• No-Cost Courses:
  - Introduction to Control Systems Cybersecurity (101) - 8 hrs
  - Intermediate Cybersecurity for Industrial Control Systems (201) - 8 hrs
  - Intermediate Cybersecurity for Industrial Control Systems (202) - 8 hrs
  - ICS Cybersecurity (301) - 5 days
  - ICS Cybersecurity (401) - 5 days
https://ics-cert-training.inl.gov/learn
Cyber Assessment Qualification Initiative (CQI)
Qualifies teams to conduct assessments following CISA standards and methodologies.
CQI is a four-day course that enables organizational teams to learn and apply offered CISA assessment methodologies using the CERT Simulated, Training, and Exercise Platform.
CQI will initially focus on CISA’s Risk and Vulnerability Assessments (RVAs).
CQI Objectives
• Qualify teams to conduct assessments in a consistent manner.
• Provide CISA with non-attributable data that will aid in informing the creation and improvement of cybersecurity policies through data-driven decision-making.
• Standardize CISA-offered assessments across its stakeholders for third-party and self-assessment implementation.
Incident Reporting
Incident Reporting / Malware Analysis
24x7 contact number: 888-282-0870 | [email protected]
Where/How/When to Report: https://www.us-cert.gov/forms/report
Report if there is a suspected or confirmed cyber attack or incident that:
• Affects core government or critical infrastructure functions;
• Results in the loss of data, system availability, or control of systems;
• Indicates malicious software is present on critical systems
Advanced Malware Analysis Center:
• Provides 24x7 dynamic analyses of malicious code. Stakeholders submit samples via an online website and receive a technical document outlining the results of the analysis. Experts will detail recommendations for malware removal and recovery activities.
• Web Submission: https://malware.us-cert.gov
Hunt & Incident Response Team (HIRT)
George W. Reeves, Cybersecurity Advisor, Region VI (South Texas & New Mexico Regions)
Email: [email protected] | (281) 714-1259