Defending Against Data Breaches: Internal Controls for Cybersecurity


Defending Against Data Breaches: Internal Controls for Cybersecurity
Presented by: Michael Walter, Managing Director, and Chris Manning, Associate Director, Protiviti Atlanta Office

Agenda
- Defining Cybersecurity
- Priorities for Cybersecurity
- NIST Cybersecurity Framework
- The Cyber Kill Chain: Attack, Defense and Internal Controls
- Defensive Enhancements and Audits

Defining Cybersecurity

Evolution of the Cybersecurity Definition
- Original definition: stop cyber threats from getting into our environment.
- Old definition: try to stop cyber threats from getting into our environment, and detect systems that get infected with viruses and/or malware.
- Current definition: threats continually navigate through our environment. Ultimately we need to be able to Prevent, Detect and Respond.

Cybersecurity Threats, Methods and Countermeasures
Data is increasingly being digitized, and the internet is being used to save, access and retrieve vital information. Protecting this information is not just a priority; it has become a necessity for most companies and government agencies around the world.
Types of cyber threats: Information Warfare; Cracking; Hacktivism; Cyber Espionage; Cyber Crime; Cyber Terror
Methods: Spam; Identity theft; Malicious code such as viruses, worms and Trojan horses; Phishing attacks; Spyware; Denial-of-service attacks; Packet spoofing
Security measures for protection: Personal Security; Legal Compliance; Incident Reporting; Continuity Planning; System Protection; Physical & Environmental Protection; Communications Protection; Access Controls
Source: Secondary Research

Cybersecurity Trends

The Cyber/Data Breach Landscape 2014
- 2000: number of breaches
- 700m: records compromised
- $400m: financial losses
- >200 days: the average time from breach until discovery
- >60%: companies learn they have been breached from a third party (customer, partner, vendor etc.)
- 60%: cases where hackers were able to compromise an organization within minutes
- 40%: controls determined to be most effective fall into the "quick win" category
Source: Verizon, 2015 Data Breach Investigations Report
Most recorded attacks stem from external threat actors, but internal threat actors are on the rise. Breaches increasingly come from "unknown unknowns": almost every breached organization had up-to-date antivirus.

A Sample of the World's Biggest Data Breaches (figure). Source: http://www.informationisbeautiful.net/

Boards of Directors' Attention
Boards of Directors are increasingly inquiring about cybersecurity as they see news of breaches, hear about increased regulatory scrutiny, and grow more concerned about cybersecurity risks.
NACD Guidance: The National Association of Corporate Directors (NACD) recently released guidance encouraging the full Board (not just the audit committee) to receive regular briefings on information security, and provided five principles for Board involvement. Source: NACD Cyber-Risk Oversight Handbook.

Cybersecurity Responsibilities
Board of Directors:
- Commitment of resources
- Policy approval
- Monitoring: metrics and trend analysis
- Risk Assessment (RA) and Business Impact Analysis (BIA)
- Due care (governance)
- Oversight
Executive Management:
- Implement directives of the board
- Regulatory compliance
- The CISO will usually perform information security on behalf of executive management
Cybersecurity Manager / CISO:
- Cybersecurity strategy development
- Overseeing the security program and initiatives
- Coordinating with business process owners for ongoing alignment of cybersecurity with business objectives
- Ensuring the RA and BIA are done
- Developing risk mitigation strategies
- Enforcing policy and regulatory compliance
- Monitoring the utilization and effectiveness of security resources
- Developing and implementing monitoring and metrics
- Directing and monitoring security activities
- Managing cybersecurity incidents and their remediation, as well as incorporating lessons learned

What Are Organizations Doing?
- Evaluating security risks from key vendors and partners
- Employing tools to help answer the questions "are we already breached?" and "how would we know if a breach occurs?"
- Identifying critical data (the "crown jewels") and how it is being controlled
- Assessing internal and external vulnerabilities and performing periodic penetration tests
- Training and awareness to raise the education level of employees
- Evaluating the breach kill chain
- Developing (and testing) breach response plans
- Wrapping all of this into a holistic security program that is continuous and ongoing

Priorities for Cybersecurity

5 Quick Wins (SANS 20 Critical Security Controls)
The SANS Institute is an American cyber security training company.
1. Application Whitelisting (CSC2)
2. Use Common, Secure Configurations (CSC3)
3. Patch Applications (CSC4)
4. Patch Systems (CSC4)
5. Reduce the Number of Users with Administrative Privileges (CSC3, CSC12)

SANS 20 Critical Security Control Catalogue
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

SANS 20 Critical Security Control Catalogue (cont.)
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises

NIST Cybersecurity Framework

NIST Cybersecurity Framework (CSF) Background
- In February 2013, President Barack Obama signed an Executive Order launching the development of a Cybersecurity Framework.
- Individuals and organizations around the world provided their thoughts on the kinds of standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity.
- NIST published it on February 12th, 2014.
- The Framework leverages ISO 2700X, CoBIT, ISO 31000, ISO 27005 and FISMA (NIST 800-53).
Major differences include:
- The inclusion of a maturity model definition to express security readiness.
- The intention to outline an organization's current state of security maturity as well as a desired state.
- A framework to compare/contrast an organization's security maturity to that of other organizations.
Benefits:
- For organizations that don't know where to start, the Framework provides a road map.
- For organizations with more advanced cybersecurity, the Framework offers a way to better communicate their cyber risks internally and externally.

Cybersecurity Framework (CSF) Functions and Categories
The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions that provide a high-level view of an organization's management of cyber risks.
- Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
- Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
- Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
- Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
- Recover: Recovery Planning; Improvements; Communications

Cyber Kill Chain Attack, Defense and Internal Controls

Cyber Kill Chain: Attack, Defense and Internal Controls
Cyber Kill Chain phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Action on Objectives.
The attack can be disrupted at any point in the kill chain. Ideally, a company will have controls at each point to create a defense-in-depth strategy. As the cyber kill chain model shows, cyber attacks can and do incorporate a broad range of malevolent actions, from spear phishing and espionage to malware and data exfiltration, that may persist undetected for an indefinite period.

Cyber Kill Chain: Attack, Defense and Internal Controls (Reconnaissance, Weaponization, Delivery)
Attacker steps:
- Reconnaissance: harvest information about the target (email addresses, IP addresses, system information, applications used, etc.)
- Weaponization: pairing an exploit or exploits with a payload that will grant access
- Delivery: sending the exploit to the target through one or more means
Defender countermeasures & internal controls:
- Security Logging & Monitoring
- Malware Detection
- Boundary Defense
- Security Outside the Firewall

Cyber Kill Chain: Attack, Defense and Internal Controls (Exploitation, Installation)
Attacker steps:
- Exploitation: the attacker performs the actual exploit of vulnerable target systems
- Installation: malicious software / malware is installed on the exploited systems, establishing a foothold
Defender countermeasures & internal controls:
- System Hardening and Patch Management
- File Integrity Monitoring
- Application Whitelisting
- Host-based Intrusion Detection & Prevention
- Security Logging & Monitoring
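Two of the Installation-phase controls listed above, File Integrity Monitoring and Application Whitelisting, rest on the same mechanism: a hashed baseline of known-good files against which the current state is compared. The following is an added example (not from the presentation or from Protiviti) of that comparison in Python; the directory layout, file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash of every regular file under root: the known-good state."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift against the baseline. 'unknown' files are what an
    allowlist would refuse to execute; 'modified' files are what FIM alerts on."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "unknown": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def run_demo() -> dict:
    """Constructed scenario: baseline a directory, then introduce the kind of
    drift the Installation phase produces (a new binary, a changed library)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"legitimate build 1.0")
        (root / "bin" / "helper.dll").write_bytes(b"legitimate helper")
        baseline = build_baseline(root)
        # Drift after the baseline was taken (constructed sample, not real malware).
        (root / "bin" / "updater32.exe").write_bytes(b"file not in the allowlist")
        (root / "bin" / "helper.dll").write_bytes(b"legitimate helper + unexpected change")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(run_demo())
```

In practice the baseline is stored off-host (or signed) so that the same compromise cannot rewrite it, and reviews compare the drift report against approved change records.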

Cyber Kill Chain: Attack, Defense and Internal Controls (Command and Control, Action on Objectives)
Attacker steps:
- Command and Control: establish a communications channel between compromised systems and the attacker's systems; strengthen footholds and establish additional backdoors into the target network
- Action on Objectives: obtain sensitive data and exfiltrate it from the target
Defender countermeasures & internal controls:
- Intrusion Detection Systems
- Anti-malware devices and software
- Egress Filtering

Defensive Enhancements and Audits

Defensive Enhancements and Audits: Governance Review
- Engage executive leadership through reporting and visibility
- Ensure security is aligned to the business
- Establish a strong control environment as well as decision-making authorities and accountabilities
Questions to ask: Are we doing the right things? Are we getting the benefits? Are we doing them the right way? Are we doing them well?

Defensive Enhancements and Audits: Cybersecurity Audits
Server Configuration Reviews
- Do we have a defined (and documented) standard for all of the servers in our environment?
- Are we running the appropriate security software?
- Are all of our systems up to date? (Not just the operating system.)
Network Architecture Reviews
- Attackers don't win unless they get your data out of your network.
- Are we enforcing strong egress/outbound filtering?
- Do we have internal segmentation of systems that store, process and transmit sensitive data?
- Are there any back doors into the network? (e.g. rogue wireless)
- Can we see what's happening on the network?

Defensive Enhancements and Audits: Cybersecurity Audits (cont.)
Application Configuration Reviews and Whitelisting
- What you don't know can kill you: only execute what you know is good.
- Requires a detailed partnership with IT, but the results can prevent many types of attacks, particularly malware and custom malware.
- Do we effectively manage compliance with the privacy choices we give our consumers, even if not required by regulation?
Accounts and Privileges Audit
- What is our organization's policy on access and need-to-know?
- Have we appropriately restricted access to powerful credentials?
- Are administrators in the organization sharing accounts and passwords?
- Don't forget those local user accounts!
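The Accounts and Privileges Audit questions above can be turned into repeatable checks over an account inventory. Below is an added example (not from the presentation or from Protiviti) that flags privileged accounts with no accountable owner, accounts shared by several people, admin rights held by someone outside the approved list (CSC 12), and dormant privileged accounts, including local ones. The CSV export format, hostnames, names and the approved-admin list are all constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export of local accounts, one row per account per host.
# Assumption (not from the presentation): an endpoint or configuration-management
# agent can produce this view, with "owner" naming the accountable person(s)
# behind each account (";"-separated when several people share it).
SAMPLE_INVENTORY = """host,account,privileged,owner,last_logon
web01,alice,yes,Alice Smith,2015-06-01
web01,svc_backup,yes,,2015-05-28
web01,bob,no,Bob Jones,2015-06-03
db01,admin,yes,Carol Lee;Dan Wu,2015-06-02
db01,carol,yes,Carol Lee,2015-06-02
db01,oldadmin,yes,Erin Ng,2014-11-15
"""

# Constructed list of people approved to hold administrative rights.
APPROVED_ADMINS = {"Alice Smith", "Carol Lee"}


def parse_inventory(text):
    """Turn the CSV export into dicts with typed fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["privileged"] = r["privileged"].strip().lower() == "yes"
        r["owners"] = [o.strip() for o in r["owner"].split(";") if o.strip()]
        r["last_logon"] = date.fromisoformat(r["last_logon"].strip())
    return rows


def audit_privileges(rows, approved, today, dormant_days=90):
    """Return (host/account, finding) pairs for privileged accounts that fail
    the slide's questions: no accountable owner, shared by several people,
    held by someone not approved, or dormant for longer than dormant_days."""
    findings = []
    for r in rows:
        if not r["privileged"]:
            continue  # non-admin accounts are out of scope for this check
        key = f"{r['host']}/{r['account']}"
        if not r["owners"]:
            findings.append((key, "privileged account with no accountable owner"))
        if len(r["owners"]) > 1:
            findings.append((key, "privileged account shared by multiple people"))
        for owner in r["owners"]:
            if owner not in approved:
                findings.append((key, f"admin rights held by unapproved user {owner}"))
        if today - r["last_logon"] > timedelta(days=dormant_days):
            findings.append((key, "dormant privileged account"))
    return findings


def run_demo(today=date(2015, 6, 9)):
    """Audit the constructed inventory as of a fixed (constructed) review date."""
    return audit_privileges(parse_inventory(SAMPLE_INVENTORY), APPROVED_ADMINS, today)


if __name__ == "__main__":
    for key, finding in run_demo():
        print(f"{key}: {finding}")
```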

Defensive Enhancements and Audits: Review Logging and Monitoring Capabilities
Logging Device Configuration Review
- The most straightforward method of testing
- Log input sources
- Filters / monitoring settings
- Alerting capabilities
- Validation of reports / data
- Completeness testing
Technical considerations:
- Lots of manual activities
- Can be burdensome for technicians
- May require training / knowledge of the tools reviewed
- Specific configuration settings may not be obvious
- Recommendations may not be meaningful without detailed analysis

Defensive Enhancements and Audits: Review Logging and Monitoring Capabilities (cont.)
SIEM Pre/Post Implementation Review
Did we define goals, and did we accomplish them?
- Verify use cases with technicians and end users
- Assess the log sources successfully added to the SIEM
- Are reporting and alerting configured and functioning?
- Are supporting processes in place?
Technical considerations:
- Involves both technical and non-technical team members.
- Potentially challenging to perform post-implementation if goals were not defined up front.
Reporting considerations:
- May outline steps that were missed during the implementation.
- Helps to refine processes and enforce completeness of the implementation.
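The "completeness testing" item of the logging review and the "assess the log sources successfully added to the SIEM" item of the post-implementation review are the same test: reconcile the inventory of sources that must report against what the SIEM has actually received. This added example (not from the presentation or from Protiviti) performs that reconciliation in Python; the inventory, hostnames and the "last event per source" export format are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory mapping each host that must feed the SIEM to the
# log type it should send. Hostnames are assumptions, not from the deck.
EXPECTED_SOURCES = {
    "web01": "linux-auth",
    "db01": "linux-auth",
    "fw01": "firewall",
    "dc01": "windows-security",
}

# Constructed sample of a SIEM "last event per source" export.
OBSERVED_EXPORT = """\
2015-06-09T10:00:00Z host=web01 type=linux-auth count=412
2015-06-09T09:58:00Z host=db01 type=linux-auth count=87
2015-06-07T01:12:00Z host=fw01 type=firewall count=10023
2015-06-09T09:59:00Z host=lab-box type=linux-auth count=3
"""


def parse_last_seen(text):
    """Map host -> (latest timestamp, log type) from the export lines."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        host = fields["host"]
        if host not in seen or when > seen[host][0]:
            seen[host] = (when, fields["type"])
    return seen


def completeness_test(expected, seen, now, max_silence=timedelta(hours=24)):
    """Every inventoried source must be present, sending the expected log type,
    and not silent longer than max_silence; sources not in the inventory are
    reported too, since they point at an inventory gap (CSC 1)."""
    return {
        "missing": sorted(h for h in expected if h not in seen),
        "unexpected": sorted(h for h in seen if h not in expected),
        "stale": sorted(h for h, (when, _) in seen.items()
                        if h in expected and now - when > max_silence),
        "wrong_type": sorted(h for h, (_, t) in seen.items()
                             if h in expected and expected[h] != t),
    }


def run_demo(now=datetime(2015, 6, 9, 10, 5, tzinfo=timezone.utc)):
    """Run the check on the constructed data as of a fixed review time."""
    return completeness_test(EXPECTED_SOURCES, parse_last_seen(OBSERVED_EXPORT), now)


if __name__ == "__main__":
    for category, hosts in run_demo().items():
        print(f"{category}: {hosts or 'none'}")
```

A silent firewall is the case worth noticing: the source was onboarded and the SIEM still lists it, so only a staleness threshold reveals that the feed stopped.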

Defensive Enhancements and Audits: Incident Response Testing and Training
Tabletop Testing
- Can be executed quickly
- Testing requires a low technical impact
- A suite of technical tools (automated and manual) is not required
- Quality of the testing depends on attendance / participation in the tabletop exercise
- Recommendations tend to focus on process improvement
Technical Testing
- May require more coordination with IT, Information Security and other departments
- Testing requires more technical impact and involvement
- A suite of technical tools (automated and manual) is required
- Quality of the testing depends on attendance / participation in the tabletop exercise
- Recommendations tend to focus on technical improvement

Defensive Enhancements and Audits: Awareness Training Program Review
- How much awareness training does your average employee receive annually?
- Does the program include techniques for both prevention and detection? We can't properly respond if we don't know we are being attacked.
- Enhancements through gamification of security training.
- Periodic testing through social engineering campaigns.

Thank You
Michael Walter, Managing Director, Protiviti, Atlanta, GA. 303.898.9145, michael.walter@protiviti.com
Chris Manning, Associate Director, Protiviti, Atlanta, GA. 770.363.4897, chris.manning@protiviti.com

Rethinking our Strategy

Rethinking our Strategy
1. Most cybersecurity controls are preventative in nature
Preventative controls: Firewalls / Next-Gen Firewalls; Intrusion Prevention Systems (IPS); Antivirus / Antimalware; Internet Proxy; Web Content Filter; Data Loss Prevention; Network Admission Control (NAC)
Detective controls: Intrusion Detection Systems (IDS); Security Monitoring and Response

Rethinking our Strategy
2. Cybersecurity is still a people problem
- Organizations must focus on high-impact vulnerabilities and high-likelihood risks
- Security is not "fire and forget"
- Preventative controls are not 100% effective. When they fail, we need a detective control in place
- We can't respond to attacks we don't see coming

Rethinking our Strategy
3. Prevention is ideal, but detection is a must
If the time we can protect our assets and/or environments (Pt) is greater than the time it takes to detect (Dt) and respond (Rt) to threats, then life is good. Otherwise, life is bad.
- Pt > Dt + Rt: life is good
- Pt < Dt + Rt: life is bad
Source: Time Based Security by Winn Schwartau

Rethinking our Strategy
4. Shift focus from preventing attacks to preventing attacker success
- Moving to a goal-oriented defense strategy
- Assess your risk: know your environment and know what attackers are after
- Detect attackers moving toward their goals and execute a rapid response
- Increase threat intelligence (know your enemy)
- Leverage security methodologies to your advantage