Happy First Anniversary NIST Cyber Security Framework:

Transcription

1 Happy First Anniversary NIST Cyber Security Framework: We ve Hardly Known Ya Chad Stowe, CISSP, CISA, MBA

2 Problem Statement Management has not been given the correct information to understand and act upon the risks, processes, and skill requirements needed to address cyber security risk in their organizations It is not management s fault.

3 Who is Your Organization on Cyber Security?

4 Questions Companies Should Be Asking Themselves How would you detect if you had a cyber security related exposure? How would you know if someone took, or shared with others, sensitive company specific information? What prevention measures do you have in place to protect against a cyber security attack? Given that some companies spend above $250 million per year on cyber security, what makes you feel as though your environment is protected?

5 Questions Companies Should Be Asking Themselves Cont. Do you know what you would do in the event an unauthorized person gained access to your network? What do you think is the value of information in your company? Information is not an asset on your financial statement; however, if it were stolen or shared outside the company, how could it affect your company s future financial performance?

6 Presentation Points Revisit the basics that we may understand, but executive management may not understand. Understand the NIST Framework as a tool for executive management conversation. Ponder current and future regulatory aspects of cyber security.

7 Anatomy of a Cyber Attack - 101

8 Types of Attacks 1. Phishing/Spear Phishing 2. Malware 3. Zero Day 4. APT - Advanced Persistent Threat 5. SQL Injection 6. Watering Hole / Drive-By 7. DOS/DDOS Denial of Service 8. Botnet

9 Anatomy of a Cyber Attack Investigate

10 Anatomy of a Cyber Attack Investigate Phishing / Watering Holes

11 Anatomy of a Cyber Attack Investigate Phishing / Watering Holes Vulnerabilities / Malware

12 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware

13 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Research / Gather Info

14 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Research / Gather Info Remove Info

15 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Research / Gather Info Remove Info Destroy Evidence/ Leave Backdoors

16 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Cyber Attacker Research / Gather Info Remove Info Destroy Evidence/ Leave Backdoors

17 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Cyber Attacker Research / Gather Info Remove Info Destroy Evidence/ Leave Backdoors You

18 Example Cyber Security Strategies and Tactics Prioritize and segment business systems into high, medium, and low criticality. Identify data and systems into criticality levels for a defense-in-depth strategy. Cyber security defense in depth is a strategy where attackers must go through defense layers of increasing magnitude in order to get to the most critical and valuable assets.

19 Are You spending security resources protecting everything?

20 Are Your Protection Mechanisms Really Working?

21 NIST, The Framework

22 NIST Cyber Security Risk Assessment Identify Recover NIST Cyber Security Framework Protect Respond Detect 2013 Hein & Associates LLP.

23 The Framework Structure 5 Functions (Entity Risk Areas) 22 Categories (Control Objectives) 98 Subcategories (Control Requirements)

24 CSX Respondent Results 75% of CISOs and CISMs had heard of the framework Benefits: Overall increase in awareness of cyber security threats, Better strategic alignment of security with enterprise objectives Greater support from senior management Sense of improved overall governance of cyber security 50 percent of those who are using the framework reported an increased overall level of cyber security governance in their organization

25 NIST, The Details

26 Technical Speak I used 256 Bit Diffie Helman with SHA 2 to send you an . HUH?

27 Layman Speak I sent you a secure that allows you to verify it came from me.

28 CSX Program Steps 1. Prioritize and Scope 2. Orient 3. Create a Current Profile 4. Conduct a Risk Assessment 5. Create a Target Profile 6. Determine, Analyze, and Prioritize Gaps 7. Implement Action Plans

29 Risk Assessment Approach Scope Areas: Function Category (Control Objective) Subcategory (Requirements) Scope Area (Systems) Example Questions Walkthrough Supporting Documentation Tier Assessment

30 Example Design Assessment Components

31 Identify (ID) Function IDENTIFY (ID) Category Asset Management (ID.AM) Business Environment (ID.BE) Governance (ID.GV): Risk Assessment (ID.RA) Risk Management Strategy (ID.RM) ID.AM: Understanding your hardware, software, Resources 6 Sub. ID.BE: Security Alignment with organization and stakeholders 5 Sub. ID.GV: Security Policies, process, and role definition and alignment 4 Sub. ID.RA: Threat and Vulnerability Assessment 6 Sub. ID.RA: Defining the organization s Risk Appetite 3 Sub. 24 Total Subcategories

32 Protect (PR) Function PROTECT (PR) Category Access Control (PR.AC) Awareness and Training Data Security (PR.DS) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) PR.AC: Access Management Process 5 Sub. PR.AT: Communicating Security Roles and Responsibilities/Awareness Training 5 Sub.

33 Protect (PR) Cont. Function PROTECT (PR) Category Access Control (PR.AC) Awareness and Training Data Security (PR.DS) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) PR.DS: Manage information to protect the confidentiality, integrity, and availability of information. 7 Sub. PR.IP: Security policies and procedures are used to manage information systems Sub. These categories are TOO NEBULOUS and try to cover too many bases!

34 Tips to Attack Nebulousness Organization size Resource availability What information needs to be protected Supporting system(s) Protection capabilities Risk appetite Information criticality

35 Protect (PR) Cont. Function PROTECT (PR) Category Access Control (PR.AC) Awareness and Training Data Security (PR.DS) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) PR.MA: Maintenance, Repair and Patching of Systems - 2 Sub. PR.PT: Protecting Systems, Logs, Media, and Networks using least privilege - 4 Sub. 35 Total Subcategories

36 Detect (DE) Function DETECT (DE) Category Anomalies and Events (DE.AE) Security Continuous Monitoring (DE.CM) Detection Processes (DE.DP) DE.AE: Event Triggers and Impacts- 5 Sub. DE.CM: Event Detection Measures- 8 Sub. DE.DP: Event Identification Processes - 5 Sub. 18 Total Subcategories

37 Respond (RS) Function RESPOND (RS) Category Response Planning (RS.RP) Communications (RS.CO) Analysis (RS.AN) Mitigation (RS.MI) Improvements (RS.IM) RS.RP: Response Procedure Development/Performance - 1 Sub. RS.CO: Roles, Reporting, Coordination- 5 Sub. RS.AN: Incident investigation and impact analysis- 4 Sub. RS.MI: Minimize the impact of an incident - 3 Sub. RS.IM: Continuous improvement of response plans and strategies - 2 Sub. 15 Total Subcategories

38 Recover Function RECOVER (RC) Category Recovery Planning (RC.RP) Improvements (RC.IM) Communications (RC.CO) RC.RP: Recovery Plan Development and Execution- 1 Sub. RC.IM: Strategies and Lessons Learned - 2 Sub. RC.CO: Restoration of confidence and cleanup - 3 Sub. 6 Total Subcategories

39 Framework Tiers Tier Risk Management Process Integrated Risk Management Program External Participation Tier 1 Adhoc and Reactive Limited Communication & Activity Limited or No Activities Performed Tier 2 Informal Processes Active Communication, Adequate Staff, and Process Understands Role Externally as a Customer & a Vendor Formal Policies and Procedures Changes based on Lessons Learned and Predictive Indicators Tier 3 Organization Wide Approach, Consistency Tier 4 Cyber security risk management is a part of the culture. Understands Dependencies and Partners as Customer & a Vendor Actively shares risk information as Customer & a Vendor

40 Tier Scoring Assessed Score Function IDENTIFY (ID) Category Risk Management Integrated Risk Management Program External Participation Assessed Score Desired Score Asset Management (ID.AM) Business Environment (ID.BE) Governance (ID.GV): Risk Assessment (ID.RA) Risk Management Strategy (ID.RM) Average Scores Access Control (PR.AC) Awareness and Training (PR.AT) Data Security (PR.DS) PROTECT (PR) DETECT (DE) RESPOND (RS) RECOVER (RC) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) Average Scores Anomalies and Events (DE.AE) Security Continuous Monitoring (DE.CM) Detection Processes (DE.DP) Average Scores Response Planning (RS.RP) Communications (RS.CO) Analysis (RS.AN) Mitigation (RS.MI) Improvements (RS.IM) Average Scores Recovery Planning (RC.RP) Improvements (RC.IM) Communications (RC.CO) Average Scores

41 Tier Scoring Summary Function Desired Score Assessed Score IDENTIFY (ID) PROTECT (PR) DETECT (DE) RESPOND (RS) RECOVER (RC) Cyber Security Process Tier Maturity IDENTIFY (ID) PROTECT (PR) DETECT (DE) RESPOND (RS) RECOVER (RC) Desired Score Assessed Score

42 Hein s FREE Online Security Announcing.. Questionnaire Hein s Cyber Security Questionnaire Perform your own assessment online. Hein will provide you with the results within 24 hours of the assessment. If requested, we would be happy to perform the assessment with you offline.

43 Cyber Security Value Propositions Cyber Security Management Partner Vulnerability / Penetration Assessments Cyber Security Tuning System Hardening / Cyber Security Audits Incident Response / Recovery Plan Development Cyber Security Process Management External Third Party Assessments Free External Scans

44 NIST, The Regulation?

45 Downfalls Unclear Privacy Requirements Confusing Tiers/Maturity Model Framework does not: Educate executive management Provide clear guidance Does not encourage the sharing of threat information Is not tied to any regulation

46 Why not being widely adopted? SOC Reports Cyber-Liability Insurance No regulatory requirement Executive education Skilled Staff Required Sarbanes Oxley There s a NIST Cyber Security Framework?

47 How does the Framework Align to SOX? 98 total subcategories 22 Can be traced to Sarbanes Oxley testing 11 Clearly map to Sarbanes Oxley 11 Have a partial mapping to Sarbanes Oxley SOX Aligned Partially SOX Alligned DE.AE 1 ID.AM 3 DE.CM 4 PR.PT 1 PR.AC 1 ID.AM 4 ID.GV 2 PR.PT 2 PR.AC 2 ID.GV 1 PR.AC 3 PR.PT 3 PR.AC 4 PR.IP 3 PR.AT 3 PR.PT 4 PR.AT 2 PR.IP 4 PR.DS 2 PR.DS 6 PR.DS 7 PR.IP 11

48 Should Cyber Security be Regulated? Regardless of industry, which element of legal and regulatory requirements are all industries subject to: A. Sarbanes Oxley B. HIPAA C. Due Care D. Privacy Act E. PCI

49 Regulatory Notes July 2002 Sarbanes Oxley Act November 2002 Homeland Security Act November 2002 Federal Information Security Management Act (FISMA) November Cyber Security Research and Development Act Required NIST to establish cyber security research programs. There have been no MAJOR cyber security related regulations since November 2002.

50 Why Regulation May Not Work Military tactics are at work. There are no rules and regulations followed by enemies in cyber warfare. Strategies and tactics must be devised, but must be changed, adapted, and updated to address emerging threats. If you prescribe a strategy and tactics, your enemies will circumvent the prescription.

51 To Regulate or Not to Regulate

52 NIST Take-Aways People, Process and Technology Organizations Must Own incident response Invest in experts for protection and detection Take ownership of the risk Inventory systems and critical data

53 NIST Take-Aways (Cont.) Framework context Think organizational risk Derive risk appetite Control efficiency The NIST framework must be improved upon

54 Food for Thought When thinking about cyber security, risk does not create an issue, but an issue can create risk. However, we must address the issue of assessing cyber security risk.

55 Contact Information Chad Stowe, CISSP, CISA, MBA Managing Consultant, Cyber Risk Service Leader Office (303)