Cutting through the fog of cybersecurity
|
|
- Belinda McCarthy
- 8 years ago
- Views:
Transcription
1 SD ISC2 SD IEEE Cutting through the fog of cybersecurity Preparing security operators for what REALLY matters in Cyber! Mike Davis, ElecEngr / MSEE, CISSP / CISO, MA Mgmt, SysEngr Cyber Security / Risk Management Consultant (enthusiast!) Mike.davis.sd@gmail.com easy button COMPLEXITY Doug Magedman MS Cybersecurity and IA, MS OA/HSI, BS-BME, SPAWAR HQ Technical Authority dougmagedman@hotmail.com Cyber Workforce Bottom Line: Small businesses are the backbone of USA they need security operators, not ninjas! Those with a Security+ / SSCP knowledge ands skills that minimize 95% of all incidents.
2 Cutting through the CyberSecurity Fog! B.L.U.F. Bottom Line Up Front The threats are very real, and the news shows a small percentage It does not just happen to the other guy YOU WILL be / ARE affected. You can not buy cyber security, you must manage cyber many parts. The standard IA/Security suite is pretty good IF maintained well in operation Focus on business risk reduction and minimizing legal liabilities Adequate cyber protections are but one part so is insurance P6 principles still applies as does strategic partnerships Few can afford to go it alone use a managed security service (MSS) Don t fix cracks in the cyber walls, while the barn door is open! Keeping your cyber suite well maintained cuts incidents by 95%
3 Cyber Workforce Chasm 1 - Companies say they can not find qualified cyber workers (e.g., a non specific request) 2 - Educational entities / institutions providing decent levels of degreed / certified people. So why is there a communication chasm between supply and demand? Any cyber educational effort must address three aspects of providing cyber skills: 1 Cyber qualified workers come in MANY types and levels - not one cyber guy (32 levels by NIST s NICE Cyber Ed framework (#) / and the volume need is at mid / entry level ) 2 - Fix the notion that people with degrees / certifications do not have useable skills 3 Cyber workforce conversant in risk management (impacts that their actions cause) Cyber education providers must educate the hiring managers to close the gap! # = NIST / NICE National Cybersecurity Workforce Framework
4 First, so what does matter in Cyber? CYBER is fundamentally all about TRUST and DATA ( Identity, authentication, secure comms - -- provenance, quality, pedigree, assured) It s NOT about expensive new cyber capabilities / toys but more about the interoperability glue (distributed trust, resiliency, automation, profiles) 90+% of security incidents are from lack of doing the basics! USE effective Security Continuous Monitoring (SCM / SIEM) a MUST DO! With enforced: cyber hygiene, enterprise access control, & reduced complexity (APLs) Shift from only protecting the network, to the DATA security itself information centric view Embrace your Risk Management Plan (RMP) LIVE IT! Have an enforceable security policy what is allowed / not train to it KNOW your baseline - Protect the business from the unknown risks as well Employ a due diligence level of security then manage & transfer residual risks! You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% reduction in security incidents stabilize the environment!
5 What MUST we do in Cyber? The BASICS at least manage the top NSA 10 / SANS 20 mitigations! (How about just DOING the Cyber Hygiene Campaign (*) top 5 actions!) (e.g., 1 &2 - Inventory SW & HW, 3 - Secure CM, 4 SCM/SIEM & 5 - enforce least privileges ) * * Close the cyber barn door first, versus fixing cracks in the wall! Follow the Hierarchy of Cyber needs mitigate, manage your way up RE: Enforce hygiene, effective access control, use APLs, proactive security policy etc. (*) ) * cyber cracks at most 5% Lack of cyber hygiene causes well over 90+% of all security incidents! 5
6 Cyber Security is Complex from a Technical Perspective What factors must be addressed in A Cyber Operator Course? What does it take to minimize the 95% of most security incidents! DAC HIPPA VPN SSL SOX IPSEC SaaS FIPS Token Biometrics XML Gateways PKI Thin Clients H/W Crypto Kerberos Digital Certificate Trusted OS Wireless Cyber Security (From an IBM security brief) Compliance Secure Blades Cloud Guards Hardening Secure Collaboration RSBAC
7 IA/Security Axioms to consider / accommodate / educate Security and complexity are often inversely proportional. Security and usability are often inversely proportional. Good security now is better than perfect security never. A false sense of security is worse than a true sense of insecurity. Your security is only as strong as your weakest link. It is best to concentrate on known, probable threats, first Work through all these in your Risk Management Plan! Security is an investment (insurance), not an expense with an RoI Security is directly related to the education and ethics of your users. Security is a people problem users stimulate problems, at all levels. Security through obscurity is weak & We can NOT always add security later Who says what we MUST DO? From a business DUE CARE / due diligence level Collectively: NIST NSA SANS etc - the following slides provide details 7
8 NIST s absolutely necessary Security activities NIST - National Institute of Standards and Technology Protect information/systems/networks from damage by viruses, spyware, and other malicious code. (IA suite, A/V, etc) Provide security for your Internet connection / ISP Install and activate software firewalls on all your business systems Patch your operating systems and applications Make backup copies of important business data/information Control physical access to your computers and network components Secure your wireless access point and networks Train your employees in basic security principles Require individual user accounts for each employee on business computers and for business applications Limit employee access to data and information, and limit authority to install software While these are the KEY cyber activates, there are more to accommodate in a due diligence cyber state. Key Hierarchy of needs activities 8
9 NIST s Highly Recommended Practices Policy / practice for attachments and requests for sensitive information Policy / practice for web links in , instant messages, social media, or other means Policy / practice for popup windows and other hacker tricks Doing online business and secure banking Recommended personnel practices in hiring employees Security considerations for web surfing, prohibited sites Policy / practice for downloading software from the Internet How to get help with information security when you need it How to dispose of old computers, media and fax machines How to protect against Social Engineering, data loss prevention WHAT, more to do? YES, but most are related to standard IA/CND mitigations... 9 Key Hierarchy of needs activities
10 NSA IAD top ten controls 1 - Application whitelisting - only run approved apps (that SysAdmin reviews) 2 - Control Administrative privileges - minimize escalation, enforce least privilege 3 Limit workstation-to-workstation communications thwart the pass-the-hash 4 Use Anti-virus File Reputation Services leverage cloud-based threat databases 5 Enable Anti-Exploitation Features - for example, MS Windows EMET 6 Implement Host Intrusion Prevention System Rules focus on threat behaviors 7 Set a Secure Baseline Configuration layered security, standard images, etc 8 Use Web Domain Name Service (DNS) Reputation Screen URLs, intrusion alerts 9 Use/Leverage Software improvements software / OS upgrade and patch policy 10 Segregate Networks and functions based on role, functionality monitor sections, then isolate when attacked Key Hierarchy of needs activities 10
11 SANS top 20 controls (ver 3) 1: Inventory of Authorized and Unauthorized Devices 2: Inventory of Authorized and Unauthorized Software 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 5: Boundary Defense 6: Maintenance, Monitoring, and Analysis of Security Audit Logs 7: Application Software Security 8: Controlled Use of Administrative Privileges 9: Controlled Access Based on the Need to Know 10: Continuous Vulnerability Assessment and Remediation 11: Account Monitoring and Control 12: Malware Defenses 13: Limitation and Control of Network Ports, Protocols, and Services 14: Wireless Device Control 15: Data Loss Prevention 16: Secure Network Engineering 17: Penetration Tests and Red Team Exercises 18: Incident Response Capability 19: Data Recovery Capability 20: Security Skills Assessment and Appropriate Training to Fill Gaps Key Hierarchy of needs activities 11
12 Top 35 Mitigations At least 85% of the targeted cyber intrusions the Australian Signals Directorate responds to could be prevented by following the Top 4 mitigation strategies : use application whitelisting to help prevent malicious software and other unapproved programs from running patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers patch operating system vulnerabilities minimize the number of users with administrative privileges. Examples of Targeted Cyber Intrusions mitigation strategies : Disable local administrator accounts; Multi factor authentication; Network segmentation and segregation; Application based workstation firewall; Host based Intrusion Detection/Prevention System; Centralized and time synchronized logging; Whitelisted content filtering; Web domain whitelisting for all domains; Workstation application security configuration hardening; User education; Computer configuration management ; Server application security configuration hardening; Antivirus software with up to date signatures; Enforce a strong passphrase policy; ETC; Etc; etc.. Key Hierarchy of needs activities 12
13 Top 25 SW development errors [1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') [3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [5] Missing Authentication for Critical Function [6] Missing Authorization [7] Use of Hard-coded Credentials [8] Missing Encryption of Sensitive Data [9] Unrestricted Upload of File with Dangerous Type [10] Reliance on Untrusted Inputs in a Security Decision [11]Execution with Unnecessary Privileges [12]Cross-Site Request Forgery (CSRF) [13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [14] Download of Code Without Integrity Check [15] Incorrect Authorization [16] Inclusion of Functionality from Untrusted Control Sphere [17]Incorrect Permission Assignment for Critical Resource [18] Use of Potentially Dangerous Function [19] Use of a Broken or Risky Cryptographic Algorithm [20]Incorrect Calculation of Buffer Size [21] Improper Restriction of Excessive Authentication Attempts [22] URL Redirection to Untrusted Site ('Open Redirect') [23] Uncontrolled Format String [24] Integer Overflow or Wraparound [25] Use of a One-Way Hash without a Salt Key Hierarchy of needs activities Must BUILD IA IN This starts with SW.. AND Applies to Apps / Services 13
14 Cyber Hygiene the many faces of neglect Our IA/CND/Security cyber suite is quite good IF maintained! Equipment settings (FW, A/V, IDS, etc) Monitor / enforce Social media Content & settings Restrict sharing / privileges Incident reporting No incident too small Notify USCERT / FBI Controlled Access Enforce least privilege Separate / rotate duties Security Education ALL levels reinforce Incentivize good vs bad Will lack of cyber hygiene continue to put you at MUCH greater risk? Maintain Cyber Suite Patches, upgrades, etc (compliance == security Standard operating procedures (SOPs) USE / enforce them Know your security baseline AND employ SCM / SIEM Privacy and PII Enforce policy (note - EU is stricter) Forbes top threats for 2013: MOST have CM / hygiene AND / or access control aspects Social Engineering; APTs; Internal Threats; BYOD / mobile malware; HTML5; Botnets; CLOUD infrastructure, & Precision Targeted Malware Key Hierarchy of needs activities
15 Security Main Factors Wow Given ALL these guides - What MUST WE DO? Implement the NIST absolutely necessary elements first and foremost to protect your data (Encryption and back ups) Effective passwords still the bane of basic security and policy is still poor! (tokens / two-factor IA&A should be used for critical data / processes) Securing the client, fortifying the browser buying trusted business apps, services the browser / client is THE largest malware entry point! Minimal security suite: antivirus, firewall, IDS, VPN, connection security Monitoring tools need to manage CM/hygiene, track users / data, provide alerts (SCM/SIEM) supports preplanned SoPs / COOPs, etc Enforce a living security policy quantify actual risks, strict need to know, DATA protection - encryption and access control - minimize IP loss, data loss prevention A robust and adaptive security strategy = risk management plan (RMP) to keep pace with the fast-evolving nature of IT security, including cloud services / SLAs, etc Our Cyber Security operator course collates all these guides and maps Key Hierarchy of needs activities 15
16 Our Cyber Ed Approach Modular Don t have to spend inordinate amount of time searching Just in time training Leverages existing information on Internet Focuses on key considerations (chef) Directs operators to the source of the recipes (cook) Alleviates outdating of material and develops self-sufficiency Cuts Through the Cybersecurity Fog alleviating confusion Fosters understanding rather than procedure Promotes self-efficacy and self -reliance
17 Cyber Education triangle clarifying the fog of cyber security through targeted training Curriculum & Resources Linked / leveraged (on-line, companies, colleges, etc) MS / BS Cyber CISSP / GISP / CISO / etc forensics / ethical hacker / etc Firewall / cloud security/ Crypto & Key mgmt / * Education levels Advanced Targeted Expands the pool for advanced education Small business security course & practicum Security+ and Skills development Awareness Education STEM (grades 7-12) (KEY break point is providing cyber operators!) Foundational ( * = IDS/IPS, anti-virus, wireless, application development, cloud, web/mobile code, mobile, etc )
18 NICE CyberSecurity Workforce Framework 2.0 (lists 30+ types of SMEs!) NSA CAE Accreditation Focus areas NIST SPs & must do requirements SANS top 20 Top 35 Mitigations OWASP top 10 Top 25 SW errors Notional Cyber education roadmap (Authoritative sources, categorized, mapped to CSF) Customer Awareness AND Demand CERT areas / KSAs Grouped & aligned Support key IA needs Align Needs / Areas Clarify / map certs to specific demand areas Target environment Curriculum MAP Objectives Quantified KSAs Cyber Needs Paper Center & align KSAs with security needs to also educate leaders Targeted / focused Trained / proven KSA Cyber Operator NIST / Whitehouse Cybersecurity framework (CSF) foundation Inputs / factors Key artifacts outcome
19 Cyber capabilities KSA decomposition (Objective = Support Business Risk Management prioritized vulnerability reductions) Overall Cyber Security Factors people Main functional Areas / buckets processes products policy (1) Provision Analyze O&M / support Collect Investigate Protect & defend + From NICE framework = (1) functions (2) cyber skills (KSAs) (2) requirements analysis Assessment C&A Security testing Pen testing Security design KEY capabilities / products / processes / methods = KSAs Compliance IA/CND & crypto/key mgmt IA&A Mobile / wireless Tools Policy Network (client / server / router) SW/apps services Web / active code Data O&M/support Sys Admin & CM/hygiene Threats C&A (V&V) RISK Assessment ALL geared to specific positions / types (manager, project lead, Cyber SME / ISSE) And with some aspect of technical level (apprentice, journeyman, master)
20 Hierarchy of Cyber Needs (i.e.. Maslow Triangle ) Where if you don t take care of the level before the one you are operating in, focusing on, then your efforts are for the most part mute, as you are in a higher risk status until the earlier level is satisfied! Master Optimized Value 5 Cyber actualization - compliance / assessment / analytics + V&V / TE&C / C&A formal proof -> residual risks -> cyber value proposition + KEY compliance activities PII, PCI, HIPAA, etc + Forensics / ethical hacker + Big data / predictive analytics (integrate SCM / SIEM, IA/CND reports, etc l) + Pen / security testing (of all cyber capabilities, backup, PW, etc) NSA IAD top 10 factors Top 20 security controls Top 35 mitigations Journeyman Operations Apprentice BASICs 4 Applied cyber security (IA / CND / security capabilities best practices) Given the below best practices, cyber protections approach, then distill the key attributes for each IA/CND capability, while following and tailoring for the company s environment the install instructions of the products specific equipment settings for secure sustainment / operations = Firewall, A/V suite, IDS/IPS, Crypto, Key mgmt., Mobile, wireless, Network, apps, data security, etc 3 Cyber Maintenance - security Hygiene / CM / SoPs + Manage Policy - social media - content & settings restrict sharing / privileges = proactive monitoring + Maintain Cyber Security Suite patches, upgrades, etc.. control system settings & dashboard! + Standard operating procedures (SOPs).. USE / enforce them + Security training / education awareness ALL levels reinforce / Incentivize pos & neg 2 Cyber foundation + Access control (PW, CAC, enforce least privilege, separate / rotate duties, etc) + Layered Defense - IA/CND strategy WHAT capabilities are needed + Security Policy (privacy, social media, PII, etc) - enforcement aspects too + Monitoring / Know your baseline SCM / SIEM.. + Tools selection and integration + Business Risk Management / Assessment (RMF / COBIT) / requirements analysis with an AoA 1 Resiliency - Survival / recovery + Secure backup (Types / methods, various sites / levels) + Incident responses (company processes, comms with LE / FBI, etc) + Recovery Plan - COOP / BCP (phases of recovery, hot / mirror site, etc) KSA / practicum based on small business security
21 Not everyone needs, nor can afford, a cyber ninja! The Cyber Integrated ED Package Bottom up / needs approach to effective cyber SKILLS training (practicum)!
22 Module Components Description of module topic and intended educational objective Threat / Implication of not taking appropriate action within module Key Considerations that are the essential concepts to understand Implementation aspects that must be accommodated for success Best Practices sanctioned by National or Industry guidance Demonstration material or websites that can be used in training National/Industry websites to be used as official reference sources References that can be used for furthering education Modules are tailored into slides for that course and sector focus Using SCORM methods and a LMS to tie all materials together
23 Security+ Cert prerequisite Cyber Essentials Course for SMB Developing security operators to fill the critical skills void. (Key skills to mitigate top 10/20/35 mitigations, with a Security + SSCp Cert knowledge level) 1600 Resiliency Foundations Operations & Maintenance Applied Return to office 1200 Lunch Lunch Lunch Lunch Cyber Overview Foundations Foundations Applied Actualization & Review & skills test Mon Tue Wed Thu Fri SMB needs cyber operators! High volume & greatest need (Operations & Maintenance) Also have a MSS, then manage the 95% vulnerabilities on site & know when to ask for help!
Cyber Education triangle clarifying the fog of cyber security through targeted training
Cyber Education triangle clarifying the fog of cyber security through targeted training Curriculum & Resources Linked / leveraged (on-line, companies, colleges, etc) MS / BS Cyber CISSP / GISP / CISO /
More informationCutting through the fog of cybersecurity
SD ISC2 SD IEEE Cutting through the fog of cybersecurity Preparing security operators for what REALLY matters in Cyber! Mike Davis, ElecEngr / MSEE, CISSP / CISO, MA Mgmt, SysEngr Cyber Security / Risk
More informationWhat REALLY matters in Cloud Security? RE: Internet of things sensors, data, security and beyond!
What REALLY matters in Cloud Security? RE: Internet of things sensors, data, security and beyond! HOW to best integrate security into the office AND the cloud? And what is a thing is that MORE we have
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationCompTIA Security+ (Exam SY0-410)
CompTIA Security+ (Exam SY0-410) Length: Location: Language(s): Audience(s): Level: Vendor: Type: Delivery Method: 5 Days 182, Broadway, Newmarket, Auckland English, Entry Level IT Professionals Intermediate
More informationApplication White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off
Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off Times have Changed & A/V Executives Agree An A/V product as your sole endpoint protection solution isn t enough.
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationStrategies to Mitigate Targeted Cyber Intrusions Mitigation Details
CYBER SECURITY OPERATIONS CENTRE 13/2011 21 July 2011 Strategies to Mitigate Targeted Cyber Intrusions Mitigation Details INTRODUCTION 1. This document provides further information regarding DSD s list
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationDevelopment. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,
Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationTop 20 Critical Security Controls
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
More informationSmall Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.
Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More information5 Steps to Advanced Threat Protection
5 Steps to Advanced Threat Protection Agenda Endpoint Protection Gap Profile of Advanced Threats Consensus Audit Guidelines 5 Steps to Advanced Threat Protection Resources 20 Years of Chasing Malicious
More informationThe Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security
The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense Tony Sager The Center for Internet Security Classic Risk Equation Risk = { Vulnerability, Threat, Consequence } countermeasures
More informationWasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute
Wasting Money on the Tools? Automating the Most Critical Security Controls Bonus: Gaining Support From Top Managers for Security Investments Mason Brown Director, The SANS Institute The Most Trusted Name
More informationCyber Security for NERC CIP Version 5 Compliance
GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationTHE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols
THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE
More informationUnified Threat Management, Managed Security, and the Cloud Services Model
Unified Threat Management, Managed Security, and the Cloud Services Model Kurtis E. Minder CISSP Global Account Manager - Service Provider Group Fortinet, Inc. Introduction Kurtis E. Minder, Technical
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More information1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.
REQUIREMENT 1 Install and Maintain a Firewall Configuration to Protect Cardholder Data Firewalls are devices that control computer traffic allowed between an entity s networks (internal) and untrusted
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationCybersecurity Health Check At A Glance
This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationIntroduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec
Introduction Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec More than 20 years of experience in cybersecurity specializing
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationSecurity Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those
More informationExternal Supplier Control Requirements
External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationSeven Strategies to Defend ICSs
INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it s not a matter of if an intrusion will take
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationEleventh Hour Security+
Eleventh Hour Security+ Exam SYO-201 Study Guide I do Dubrawsky Technical Editor Michael Cross AMSTERDAM BOSTON HEIDELBERG LONDON NEWYORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO SYNGRESS.
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationThe Role of Security Monitoring & SIEM in Risk Management
The Role of Security Monitoring & SIEM in Risk Management Jeff Kopec, MS, CISSP Cyber Security Architect Oakwood Healthcare Jeff Bell, CISSP, GSLC, CPHIMS, ACHE Director, IT Security & Risk Services CareTech
More informationSecurity + Certification (ITSY 1076) Syllabus
Security + Certification (ITSY 1076) Syllabus Course: ITSY 1076 Security+ 40 hours Course Description: This course is targeted toward an Information Technology (IT) professional who has networking and
More informationCyber R &D Research Roundtable
Cyber R &D Research Roundtable 2 May 2013 N A T I O N A L S E C U R I T Y E N E R G Y & E N V I R O N M E N T H E A L T H C Y B E R S E C U R I T Y Changing Environment Rapidly Evolving Threat Changes
More informationData Security and Healthcare
Data Security and Healthcare Complex data flows Millions of electronic medical records across many systems New and emerging business relationships Changing and maturing compliance frameworks Diverse population
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationCybersecurity Definitions and Academic Landscape
Cybersecurity Definitions and Academic Landscape Balkrishnan Dasarathy, PhD Program Director, Information Assurance Graduate School University of Maryland University College (UMUC) Email: Balakrishnan.Dasarathy@umuc.edu
More informationAdministrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation
The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI
More informationlocuz.com Professional Services Security Audit Services
locuz.com Professional Services Security Audit Services Today s Security Landscape Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System layer.
More informationSecurity Controls for the Autodesk 360 Managed Services
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
More informationIntroduction to Cyber Security / Information Security
Introduction to Cyber Security / Information Security Syllabus for Introduction to Cyber Security / Information Security program * for students of University of Pune is given below. The program will be
More informationJort Kollerie SonicWALL
Jort Kollerie Cloud 85% of businesses said their organizations will use cloud tools moderately to extensively in the next 3 years. 68% of spend in private cloud solutions. - Bain and Dell 3 Confidential
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationEUCIP - IT Administrator. Module 5 IT Security. Version 2.0
EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single
More informationThe Electronic Arms Race of Cyber Security 4.2 Lecture 7
The Electronic Arms Race of Cyber Security 4.2 Lecture 7 ISIMA Clermont-Ferrand / 04-February 2011 Copyright 2011 Dr. Juergen Hirte List of Content Why Process Automation Security? Security Awareness Issues
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationby New Media Solutions 37 Walnut Street Wellesley, MA 02481 p 781-235-0128 f 781-235-9408 www.avitage.com Avitage IT Infrastructure Security Document
Avitage IT Infrastructure Security Document The purpose of this document is to detail the IT infrastructure security policies that are in place for the software and services that are hosted by Avitage.
More informationSolving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense
Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense John M. Gilligan Information systems Security Association National Capital Chapter January 19, 2010 1 Topics Background
More informationTemplate for PFI Final Incident Report for Remote Investigations
Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report for Remote Investigations Template for PFI Final Incident Report for Remote Investigations Version 1.1 February 2015 Document
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationGE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance
GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security
More informationPayment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.0.
Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report Template for PFI Final Incident Report Version 1.0 August 2014 Document Changes Date Version Description August 2014 1.0 To
More informationSECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014
SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationSplunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF
Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationCourse Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)
Page 1 of 6 Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) TNCC Cybersecurity Program web page: http://tncc.edu/programs/cyber-security Course Description: Encompasses
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationPayment Card Industry Self-Assessment Questionnaire
How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
More informationTHE AUSTRALIAN SIGNALS DIRECTORATE (ASD) STRATEGIES TO MITIGATE TARGETED CYBER INTRUSIONS
THE AUSTRALIAN SIGNALS DIRECTORATE (ASD) STRATEGIES TO MITIGATE TARGETED CYBER INTRUSIONS BeyondTrust Solution Overview October 2014 Table of Contents Introduction... 3 BeyondTrust Solutions... 6 The BeyondInsight
More informationCritical Security Controls
Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security
More informationFear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!
Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured! Presented by: Kristen Zarcadoolas, Jim Soenksen, and Ed Sale PART 2: plan, act, repeat (from the look, plan,
More information900 Walt Whitman Road, Suite 304 Melville, NY 11747 Office: 631-230-5100
W E P R O V I D E Cyber Safe Solutions was designed and built from the ground up to help organizations across multiple verticals to defend against modern day attacks. Unlike other security vendors that
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationWindows Server 2003 End of Support. What does it mean? What are my options?
Windows Server 2003 End of Support What does it mean? What are my options? Windows Server 2003 End of Life- Why Care? The next big vulnerability (Heartbleed/Shellshock) is looming No more patches from
More informationWhy The Security You Bought Yesterday, Won t Save You Today
9th Annual Courts and Local Government Technology Conference Why The Security You Bought Yesterday, Won t Save You Today Ian Robertson Director of Information Security Michael Gough Sr. Risk Analyst About
More information10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011
10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection September 2011 10 Potential Risks Facing Your IT Department: Multi-layered Security & Network Protection 2 It s
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationChapter 4 Application, Data and Host Security
Chapter 4 Application, Data and Host Security 4.1 Application Security Chapter 4 Application Security Concepts Concepts include fuzzing, secure coding, cross-site scripting prevention, crosssite request
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationSoftware Development: The Next Security Frontier
James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization
More information