SCAC Annual Conference. Cybersecurity Demystified

Size: px

Start display at page:

Download "SCAC Annual Conference. Cybersecurity Demystified"

Cornelius Nichols
8 years ago
Views:

1 SCAC Annual Conference Cybersecurity Demystified

2 Me Thomas Scott SC Deputy Chief Information Security Officer PMP, CISSP, CISA, GSLC, FEMA COOP Practitioner

4 What is Cyber Security?

5 SC Counties Overview

8 Its What You Don t See.

9 that is SCARY!!!.1%

13 Authority and Requirements (as Government) Public Law , Federal Information Security Management Act of 2002 (FISMA), [supersedes the Computer Security Act (1987)]enacted as part of, the E-Government Act of 2002, codifies the security requirements contained in Appendix III of OMB Circular A-130. In addition, it requires agency Inspector Generals to conduct independent audits of agency information security programs, through testing security controls on a subset of agency systems, and report the results to the OMB, which in turn reports the findings to Congress. FISMA charges NIST with special responsibilities to develop guidance to improve federal-wide information security planning, implementation, management, and operation. OMB Circular A-130, Management of Federal Information Resources (1985), establishes requirements for effective and efficient management of federal information resources. Appendix III, Security of Federal Automated Information Resources, establishes the requirements for agency security programs to safeguard the sensitive information they process. Public Law [40 USC Section 1401] (1996) Information Technology Management Reform Act (Clinger-Cohen Act) Grants authority to the head of each agency to acquire information technology (IT) resources and makes them responsible for effectively managing IT investments. Public Law , U.S. Code 532(a), the Privacy Act (1974), requires the U.S. Government to safeguard personal data processed by federal agency computer systems. It also requires the government to provide ways for individuals to determine what personal information is being recorded and to correct inaccurate information. Health Insurance Portability and Accountability Act (HIPAA), took effect on April 14, 2001 with a compliance deadline of April 14, It provides information security requirements to protect the security of health information. Homeland Security Presidential Directive/Hspd-7, (2003) establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.

In addition, it requires agency Inspector Generals to conduct independent audits of agency information security programs, through testing security controls on a subset of agency systems, and report

14 Authority and Requirements (as Business) The Privacy Act (1974) Health Insurance Portability and Accountability Act (HIPAA) Payment Card Industry (PCI) IRS Pub 1075 Standard Gramm-Leach-Bliley Act (GLB) Sarbanes-Oxley Act Electronic Fund Transfer Act Children s Online Privacy Protection Act (COPPA) State Specific Data Breach Notification Laws

Standard Gramm-Leach-Bliley Act (GLB) Sarbanes-Oxley Act Electronic Fund Transfer Act

15 HIPAA CJIS PCI FTI

16 IT Security: What s in it for Me? Critical to your Mission Need to have a sound IT security program in place Want assurance your program effectively addresses the goals of IT Security: Preserve confidentiality Safeguard integrity Provide for timely and reliable availability

place Want assurance your program effectively addresses the goals of

17 Confidentiality CONFIDENTIALITY (protection from unauthorized access or disclosure, including privacy concerns) INTEGRITY (data is not corrupted) Integrity Availability AVAILABILITY (there when you want it) They are all equally important!

concerns) INTEGRITY (data is not corrupted) Integrity

18 Information Security is the process of minimizing the risk of threats to organizational information. This is accomplished by: Identifying Threats & Risk Managing the Risk of Threats Mitigating the Risk of Threats

This is accomplished by: Identifying Threats & Risk

19 Risk Potential for harm or loss

22 Peer to Peer Sharing Network Copy Machines & Faxes Cell Phones, I Phones & MP3 Suring the web & Wireless Router & Wireless Network Thumb drives, CD/DVD & Disk

24 Risk Management Process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk

25 Risk Assessment Risk assessment is the process of identifying threats to and vulnerabilities of an information system and the potential impact the loss of information or capabilities of a system would have on the agency s mission

26 Risk Management Strategies Risk Management is ongoing and adapting Schedule periodic re-assessing and mitigating to help manage risks Risk Assumption - Accept potential risk Risk Avoidance - Change how system is used or Remove vulnerability Risk Limitation - Architect system boundaries, detect and react Risk Transfer - Someone else pays (e.g., insurance)

28 Threats Natural or Human Deliberate or Accidental

29 Threats People Loss of Data Loss of Confidence Hacktivists Vandalism or mischief Hijacked connections Denial of service

31 Rise-and Fall-of Payment Breaches More Hackers will Target Cloud Data Persistent and Growing Threat of Healthcare Breaches Business Leaders Under Increased Scrutiny Employees Will Be Companies Biggest Threat Fresh Breach Surface via the Internet of Things

33 ARE YOU MISSING DATA?

34 Computer Crime Human Error 55% Hacker Attacks 3% Uncategorized 19% Viruses 4% Dishonest Employees 19%

35 What are they really after? Your Intellectual Property Your assets Your customer data Your personal data Your paycheck Your friends Your family

36 Could this happen to you?

38 38

39 Sooooo. What can we do about it

40 Take An Aggressive Security Posture

41 Critical Security Controls 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Mobile Devices 4. Continuous Vulnerability Assessment and Remediation 5. Malware Defenses 6. Application Software Security 7. Wireless Access Control 8. Data Recovery Capability 9. Secure Skills Assessment and Appropriate Training to Fill Gaps 10. Secure Configuration for Network Devices such as Firewalls, Routers, and Switches 11. Limitation and Control of Network Ports, Protocols, and Services 12. Controlled Use of Administrative Privileges 13. Boundary Defense 14. Maintenance, Monitoring, and Analysis of Audit Logs 15. Controlled Access Based on the Need to Know 16. Account Monitoring and Control 17. Data Protection 18. Incident Response and Management 19. Secure Network Engineering 20. Penetration Tests and Red Team Exercises

42 System Security Plan Provides an overview of the security requirements of the system Describes the controls in place for meeting those requirements Delineates responsibilities and expected behavior of all individuals who access the system

43 What are YOUR plans? Would you tell me, please, which way I ought to go? I don t much care where. That depends a good deal on where you want to get to Then it doesn t matter which way you go.

44 Helpful Security Websites Staysafeonline.org Msisac.org Sans.org Infragard.org Dhs.org

45 Week 1: October 1-2, 2015 General Cybersecurity Awareness: Celebrating 5 Years of Stop.Think.Connect. Week 2: October 5-9, 2015 Creating a Culture of Cybersecurity at Work Week 3: October 12-16, 2015 Connected Communities: Staying Protected While Always Connected Week 4: October 19-23, 2015 Your Evolving Digital Life Week 5: October 26-30, 2015 Building the Next Generation of Cyber Professionals

48 Questions?

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of