Cutting through the fog of cybersecurity

Transcription

1 SD ISC2 SD IEEE Cutting through the fog of cybersecurity Preparing security operators for what REALLY matters in Cyber! Mike Davis, ElecEngr / MSEE, CISSP / CISO, MA Mgmt, SysEngr Cyber Security / Risk Management Consultant (enthusiast!) Mike.davis.sd@gmail.com easy button COMPLEXITY Doug Magedman MS Cybersecurity and IA, MS OA/HSI, BS-BME, SPAWAR HQ Technical Authority dougmagedman@hotmail.com Cyber Workforce Bottom Line: Small businesses are the backbone of USA they need security operators, not ninjas! Those with a Security+ / SSCP knowledge ands skills that minimize 95% of all incidents.

2 Cutting through the CyberSecurity Fog! B.L.U.F. Bottom Line Up Front The threats are very real, and the news shows a small percentage It does not just happen to the other guy YOU WILL be / ARE affected. You can not buy cyber security, you must manage cyber many parts. The standard IA/Security suite is pretty good IF maintained well in operation Focus on business risk reduction and minimizing legal liabilities Adequate cyber protections are but one part so is insurance P6 principles still applies as does strategic partnerships Few can afford to go it alone use a managed security service (MSS) Don t fix cracks in the cyber walls, while the barn door is open! Keeping your cyber suite well maintained cuts incidents by 95%

3 Cyber Workforce Chasm 1 - Companies say they can not find qualified cyber workers (e.g., a non specific request) 2 - Educational entities / institutions providing decent levels of degreed / certified people. So why is there a communication chasm between supply and demand? Any cyber educational effort must address three aspects of providing cyber skills: 1 Cyber qualified workers come in MANY types and levels - not one cyber guy (32 levels by NIST s NICE Cyber Ed framework (#) / and the volume need is at mid / entry level ) 2 - Fix the notion that people with degrees / certifications do not have useable skills 3 Cyber workforce conversant in risk management (impacts that their actions cause) Cyber education providers must educate the hiring managers to close the gap! # = NIST / NICE National Cybersecurity Workforce Framework

4 First, so what does matter in Cyber? CYBER is fundamentally all about TRUST and DATA ( Identity, authentication, secure comms - -- provenance, quality, pedigree, assured) It s NOT about expensive new cyber capabilities / toys but more about the interoperability glue (distributed trust, resiliency, automation, profiles) 90+% of security incidents are from lack of doing the basics! USE effective Security Continuous Monitoring (SCM / SIEM) a MUST DO! With enforced: cyber hygiene, enterprise access control, & reduced complexity (APLs) Shift from only protecting the network, to the DATA security itself information centric view Embrace your Risk Management Plan (RMP) LIVE IT! Have an enforceable security policy what is allowed / not train to it KNOW your baseline - Protect the business from the unknown risks as well Employ a due diligence level of security then manage & transfer residual risks! You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% reduction in security incidents stabilize the environment!

5 What MUST we do in Cyber? The BASICS at least manage the top NSA 10 / SANS 20 mitigations! (How about just DOING the Cyber Hygiene Campaign (*) top 5 actions!) (e.g., 1 &2 - Inventory SW & HW, 3 - Secure CM, 4 SCM/SIEM & 5 - enforce least privileges ) * * Close the cyber barn door first, versus fixing cracks in the wall! Follow the Hierarchy of Cyber needs mitigate, manage your way up RE: Enforce hygiene, effective access control, use APLs, proactive security policy etc. (*) ) * cyber cracks at most 5% Lack of cyber hygiene causes well over 90+% of all security incidents! 5

6 Cyber Security is Complex from a Technical Perspective What factors must be addressed in A Cyber Operator Course? What does it take to minimize the 95% of most security incidents! DAC HIPPA VPN SSL SOX IPSEC SaaS FIPS Token Biometrics XML Gateways PKI Thin Clients H/W Crypto Kerberos Digital Certificate Trusted OS Wireless Cyber Security (From an IBM security brief) Compliance Secure Blades Cloud Guards Hardening Secure Collaboration RSBAC

7 IA/Security Axioms to consider / accommodate / educate Security and complexity are often inversely proportional. Security and usability are often inversely proportional. Good security now is better than perfect security never. A false sense of security is worse than a true sense of insecurity. Your security is only as strong as your weakest link. It is best to concentrate on known, probable threats, first Work through all these in your Risk Management Plan! Security is an investment (insurance), not an expense with an RoI Security is directly related to the education and ethics of your users. Security is a people problem users stimulate problems, at all levels. Security through obscurity is weak & We can NOT always add security later Who says what we MUST DO? From a business DUE CARE / due diligence level Collectively: NIST NSA SANS etc - the following slides provide details 7

8 NIST s absolutely necessary Security activities NIST - National Institute of Standards and Technology Protect information/systems/networks from damage by viruses, spyware, and other malicious code. (IA suite, A/V, etc) Provide security for your Internet connection / ISP Install and activate software firewalls on all your business systems Patch your operating systems and applications Make backup copies of important business data/information Control physical access to your computers and network components Secure your wireless access point and networks Train your employees in basic security principles Require individual user accounts for each employee on business computers and for business applications Limit employee access to data and information, and limit authority to install software While these are the KEY cyber activates, there are more to accommodate in a due diligence cyber state. Key Hierarchy of needs activities 8

9 NIST s Highly Recommended Practices Policy / practice for attachments and requests for sensitive information Policy / practice for web links in , instant messages, social media, or other means Policy / practice for popup windows and other hacker tricks Doing online business and secure banking Recommended personnel practices in hiring employees Security considerations for web surfing, prohibited sites Policy / practice for downloading software from the Internet How to get help with information security when you need it How to dispose of old computers, media and fax machines How to protect against Social Engineering, data loss prevention WHAT, more to do? YES, but most are related to standard IA/CND mitigations... 9 Key Hierarchy of needs activities

10 NSA IAD top ten controls 1 - Application whitelisting - only run approved apps (that SysAdmin reviews) 2 - Control Administrative privileges - minimize escalation, enforce least privilege 3 Limit workstation-to-workstation communications thwart the pass-the-hash 4 Use Anti-virus File Reputation Services leverage cloud-based threat databases 5 Enable Anti-Exploitation Features - for example, MS Windows EMET 6 Implement Host Intrusion Prevention System Rules focus on threat behaviors 7 Set a Secure Baseline Configuration layered security, standard images, etc 8 Use Web Domain Name Service (DNS) Reputation Screen URLs, intrusion alerts 9 Use/Leverage Software improvements software / OS upgrade and patch policy 10 Segregate Networks and functions based on role, functionality monitor sections, then isolate when attacked Key Hierarchy of needs activities 10

11 SANS top 20 controls (ver 3) 1: Inventory of Authorized and Unauthorized Devices 2: Inventory of Authorized and Unauthorized Software 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 5: Boundary Defense 6: Maintenance, Monitoring, and Analysis of Security Audit Logs 7: Application Software Security 8: Controlled Use of Administrative Privileges 9: Controlled Access Based on the Need to Know 10: Continuous Vulnerability Assessment and Remediation 11: Account Monitoring and Control 12: Malware Defenses 13: Limitation and Control of Network Ports, Protocols, and Services 14: Wireless Device Control 15: Data Loss Prevention 16: Secure Network Engineering 17: Penetration Tests and Red Team Exercises 18: Incident Response Capability 19: Data Recovery Capability 20: Security Skills Assessment and Appropriate Training to Fill Gaps Key Hierarchy of needs activities 11

12 Top 35 Mitigations At least 85% of the targeted cyber intrusions the Australian Signals Directorate responds to could be prevented by following the Top 4 mitigation strategies : use application whitelisting to help prevent malicious software and other unapproved programs from running patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers patch operating system vulnerabilities minimize the number of users with administrative privileges. Examples of Targeted Cyber Intrusions mitigation strategies : Disable local administrator accounts; Multi factor authentication; Network segmentation and segregation; Application based workstation firewall; Host based Intrusion Detection/Prevention System; Centralized and time synchronized logging; Whitelisted content filtering; Web domain whitelisting for all domains; Workstation application security configuration hardening; User education; Computer configuration management ; Server application security configuration hardening; Antivirus software with up to date signatures; Enforce a strong passphrase policy; ETC; Etc; etc.. Key Hierarchy of needs activities 12

13 Top 25 SW development errors [1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') [3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [5] Missing Authentication for Critical Function [6] Missing Authorization [7] Use of Hard-coded Credentials [8] Missing Encryption of Sensitive Data [9] Unrestricted Upload of File with Dangerous Type [10] Reliance on Untrusted Inputs in a Security Decision [11]Execution with Unnecessary Privileges [12]Cross-Site Request Forgery (CSRF) [13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [14] Download of Code Without Integrity Check [15] Incorrect Authorization [16] Inclusion of Functionality from Untrusted Control Sphere [17]Incorrect Permission Assignment for Critical Resource [18] Use of Potentially Dangerous Function [19] Use of a Broken or Risky Cryptographic Algorithm [20]Incorrect Calculation of Buffer Size [21] Improper Restriction of Excessive Authentication Attempts [22] URL Redirection to Untrusted Site ('Open Redirect') [23] Uncontrolled Format String [24] Integer Overflow or Wraparound [25] Use of a One-Way Hash without a Salt Key Hierarchy of needs activities Must BUILD IA IN This starts with SW.. AND Applies to Apps / Services 13

14 Cyber Hygiene the many faces of neglect Our IA/CND/Security cyber suite is quite good IF maintained! Equipment settings (FW, A/V, IDS, etc) Monitor / enforce Social media Content & settings Restrict sharing / privileges Incident reporting No incident too small Notify USCERT / FBI Controlled Access Enforce least privilege Separate / rotate duties Security Education ALL levels reinforce Incentivize good vs bad Will lack of cyber hygiene continue to put you at MUCH greater risk? Maintain Cyber Suite Patches, upgrades, etc (compliance == security Standard operating procedures (SOPs) USE / enforce them Know your security baseline AND employ SCM / SIEM Privacy and PII Enforce policy (note - EU is stricter) Forbes top threats for 2013: MOST have CM / hygiene AND / or access control aspects Social Engineering; APTs; Internal Threats; BYOD / mobile malware; HTML5; Botnets; CLOUD infrastructure, & Precision Targeted Malware Key Hierarchy of needs activities

15 Security Main Factors Wow Given ALL these guides - What MUST WE DO? Implement the NIST absolutely necessary elements first and foremost to protect your data (Encryption and back ups) Effective passwords still the bane of basic security and policy is still poor! (tokens / two-factor IA&A should be used for critical data / processes) Securing the client, fortifying the browser buying trusted business apps, services the browser / client is THE largest malware entry point! Minimal security suite: antivirus, firewall, IDS, VPN, connection security Monitoring tools need to manage CM/hygiene, track users / data, provide alerts (SCM/SIEM) supports preplanned SoPs / COOPs, etc Enforce a living security policy quantify actual risks, strict need to know, DATA protection - encryption and access control - minimize IP loss, data loss prevention A robust and adaptive security strategy = risk management plan (RMP) to keep pace with the fast-evolving nature of IT security, including cloud services / SLAs, etc Our Cyber Security operator course collates all these guides and maps Key Hierarchy of needs activities 15

16 Our Cyber Ed Approach Modular Don t have to spend inordinate amount of time searching Just in time training Leverages existing information on Internet Focuses on key considerations (chef) Directs operators to the source of the recipes (cook) Alleviates outdating of material and develops self-sufficiency Cuts Through the Cybersecurity Fog alleviating confusion Fosters understanding rather than procedure Promotes self-efficacy and self -reliance

17 Cyber Education triangle clarifying the fog of cyber security through targeted training Curriculum & Resources Linked / leveraged (on-line, companies, colleges, etc) MS / BS Cyber CISSP / GISP / CISO / etc forensics / ethical hacker / etc Firewall / cloud security/ Crypto & Key mgmt / * Education levels Advanced Targeted Expands the pool for advanced education Small business security course & practicum Security+ and Skills development Awareness Education STEM (grades 7-12) (KEY break point is providing cyber operators!) Foundational ( * = IDS/IPS, anti-virus, wireless, application development, cloud, web/mobile code, mobile, etc )

18 NICE CyberSecurity Workforce Framework 2.0 (lists 30+ types of SMEs!) NSA CAE Accreditation Focus areas NIST SPs & must do requirements SANS top 20 Top 35 Mitigations OWASP top 10 Top 25 SW errors Notional Cyber education roadmap (Authoritative sources, categorized, mapped to CSF) Customer Awareness AND Demand CERT areas / KSAs Grouped & aligned Support key IA needs Align Needs / Areas Clarify / map certs to specific demand areas Target environment Curriculum MAP Objectives Quantified KSAs Cyber Needs Paper Center & align KSAs with security needs to also educate leaders Targeted / focused Trained / proven KSA Cyber Operator NIST / Whitehouse Cybersecurity framework (CSF) foundation Inputs / factors Key artifacts outcome

19 Cyber capabilities KSA decomposition (Objective = Support Business Risk Management prioritized vulnerability reductions) Overall Cyber Security Factors people Main functional Areas / buckets processes products policy (1) Provision Analyze O&M / support Collect Investigate Protect & defend + From NICE framework = (1) functions (2) cyber skills (KSAs) (2) requirements analysis Assessment C&A Security testing Pen testing Security design KEY capabilities / products / processes / methods = KSAs Compliance IA/CND & crypto/key mgmt IA&A Mobile / wireless Tools Policy Network (client / server / router) SW/apps services Web / active code Data O&M/support Sys Admin & CM/hygiene Threats C&A (V&V) RISK Assessment ALL geared to specific positions / types (manager, project lead, Cyber SME / ISSE) And with some aspect of technical level (apprentice, journeyman, master)

20 Hierarchy of Cyber Needs (i.e.. Maslow Triangle ) Where if you don t take care of the level before the one you are operating in, focusing on, then your efforts are for the most part mute, as you are in a higher risk status until the earlier level is satisfied! Master Optimized Value 5 Cyber actualization - compliance / assessment / analytics + V&V / TE&C / C&A formal proof -> residual risks -> cyber value proposition + KEY compliance activities PII, PCI, HIPAA, etc + Forensics / ethical hacker + Big data / predictive analytics (integrate SCM / SIEM, IA/CND reports, etc l) + Pen / security testing (of all cyber capabilities, backup, PW, etc) NSA IAD top 10 factors Top 20 security controls Top 35 mitigations Journeyman Operations Apprentice BASICs 4 Applied cyber security (IA / CND / security capabilities best practices) Given the below best practices, cyber protections approach, then distill the key attributes for each IA/CND capability, while following and tailoring for the company s environment the install instructions of the products specific equipment settings for secure sustainment / operations = Firewall, A/V suite, IDS/IPS, Crypto, Key mgmt., Mobile, wireless, Network, apps, data security, etc 3 Cyber Maintenance - security Hygiene / CM / SoPs + Manage Policy - social media - content & settings restrict sharing / privileges = proactive monitoring + Maintain Cyber Security Suite patches, upgrades, etc.. control system settings & dashboard! + Standard operating procedures (SOPs).. USE / enforce them + Security training / education awareness ALL levels reinforce / Incentivize pos & neg 2 Cyber foundation + Access control (PW, CAC, enforce least privilege, separate / rotate duties, etc) + Layered Defense - IA/CND strategy WHAT capabilities are needed + Security Policy (privacy, social media, PII, etc) - enforcement aspects too + Monitoring / Know your baseline SCM / SIEM.. + Tools selection and integration + Business Risk Management / Assessment (RMF / COBIT) / requirements analysis with an AoA 1 Resiliency - Survival / recovery + Secure backup (Types / methods, various sites / levels) + Incident responses (company processes, comms with LE / FBI, etc) + Recovery Plan - COOP / BCP (phases of recovery, hot / mirror site, etc) KSA / practicum based on small business security

21 Not everyone needs, nor can afford, a cyber ninja! The Cyber Integrated ED Package Bottom up / needs approach to effective cyber SKILLS training (practicum)!

22 Module Components Description of module topic and intended educational objective Threat / Implication of not taking appropriate action within module Key Considerations that are the essential concepts to understand Implementation aspects that must be accommodated for success Best Practices sanctioned by National or Industry guidance Demonstration material or websites that can be used in training National/Industry websites to be used as official reference sources References that can be used for furthering education Modules are tailored into slides for that course and sector focus Using SCORM methods and a LMS to tie all materials together

23 Security+ Cert prerequisite Cyber Essentials Course for SMB Developing security operators to fill the critical skills void. (Key skills to mitigate top 10/20/35 mitigations, with a Security + SSCp Cert knowledge level) 1600 Resiliency Foundations Operations & Maintenance Applied Return to office 1200 Lunch Lunch Lunch Lunch Cyber Overview Foundations Foundations Applied Actualization & Review & skills test Mon Tue Wed Thu Fri SMB needs cyber operators! High volume & greatest need (Operations & Maintenance) Also have a MSS, then manage the 95% vulnerabilities on site & know when to ask for help!