Cutting through the fog of cybersecurity




SD ISC2 / SD IEEE
Cutting through the fog of cybersecurity: Preparing security operators for what REALLY matters in Cyber!
Mike Davis, ElecEngr / MSEE, CISSP / CISO, MA Mgmt, SysEngr; Cyber Security / Risk Management Consultant (enthusiast!); Mike.davis.sd@gmail.com
Doug Magedman, MS Cybersecurity and IA, MS OA/HSI, BS-BME; SPAWAR HQ Technical Authority; dougmagedman@hotmail.com
Cyber Workforce Bottom Line: Small businesses are the backbone of the USA; they need security operators, not ninjas! Those with Security+ / SSCP knowledge and skills that minimize 95% of all incidents.

Cutting through the CyberSecurity Fog! B.L.U.F. (Bottom Line Up Front)
- The threats are very real, and the news shows a small percentage. It does not just happen to the other guy: YOU WILL be / ARE affected.
- You cannot buy cyber security; you must manage cyber's many parts.
- The standard IA/Security suite is pretty good IF maintained well in operation.
- Focus on business risk reduction and minimizing legal liabilities. Adequate cyber protections are but one part; so is insurance.
- P6 principles still apply, as do strategic partnerships. Few can afford to go it alone: use a managed security service (MSS).
- Don't fix cracks in the cyber walls while the barn door is open! Keeping your cyber suite well maintained cuts incidents by 95%.

Cyber Workforce Chasm
1 - Companies say they cannot find qualified cyber workers (e.g., a non-specific request).
2 - Educational entities / institutions are providing decent levels of degreed / certified people.
So why is there a communication chasm between supply and demand? Any cyber educational effort must address three aspects of providing cyber skills:
1 - Cyber qualified workers come in MANY types and levels, not one "cyber guy" (32 levels by NIST's NICE Cyber Ed framework (#), and the volume need is at mid / entry level).
2 - Fix the notion that people with degrees / certifications do not have useable skills.
3 - A cyber workforce conversant in risk management (the impacts that their actions cause).
Cyber education providers must educate the hiring managers to close the gap!
(#) NIST / NICE National Cybersecurity Workforce Framework: http://niccs.us-cert.gov/sites/default/files/documents/files/draftnationalcybersecurityworkforceframeworkv2.xlsx

First, so what does matter in Cyber?
- CYBER is fundamentally all about TRUST and DATA (identity, authentication, secure comms; provenance, quality, pedigree, assured).
- It's NOT about expensive new cyber capabilities / toys, but more about the interoperability glue (distributed trust, resiliency, automation, profiles).
- 90+% of security incidents are from lack of doing the basics!
- USE effective Security Continuous Monitoring (SCM / SIEM), a MUST DO! With enforced cyber hygiene, enterprise access control, and reduced complexity (APLs).
- Shift from only protecting the network to the DATA security itself: an information-centric view.
- Embrace your Risk Management Plan (RMP): LIVE IT! Have an enforceable security policy (what is allowed / not) and train to it.
- KNOW your baseline. Protect the business from the unknown risks as well.
- Employ a due diligence level of security, then manage and transfer residual risks!
- You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% reduction in security incidents: stabilize the environment!

What MUST we do in Cyber?
- The BASICS: at least manage the top NSA 10 / SANS 20 mitigations! (How about just DOING the Cyber Hygiene Campaign (*) top 5 actions? e.g., 1 & 2 - Inventory SW & HW, 3 - Secure CM, 4 - SCM/SIEM, and 5 - enforce least privileges. The toolkits available are: Count, Configure, Control, Patch and Repeat.)
- Close the cyber barn door first, versus fixing cracks in the wall! Lack of cyber hygiene causes well over 90+% of all security incidents; cyber cracks account for at most 5%.
- Follow the Hierarchy of Cyber needs: mitigate and manage your way up. RE: enforce hygiene, effective access control, use APLs, proactive security policy, etc.
(*) https://www.cisecurity.org/about/cybercampaign2014.cfm
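The "Count, Configure, Control, Patch and Repeat" loop above, as an added example that is not from the presentation: a small check that compares a software inventory against an approved product list (APL) and a baseline of required controls. The APL, the required-controls set and the inventory lines are all constructed for the example.

```python
# Added example (not from the presentation): a "Count, Configure, Control,
# Patch" check that compares a software inventory against an approved
# product list (APL) and a baseline of required controls. The APL, the
# required-controls set and the inventory lines are all constructed here.

# Hypothetical APL: approved package -> minimum patched version.
APL = {
    "openssh-server": (9, 6),
    "endpoint-av": (4, 2),
    "host-firewall": (2, 0),
    "office-suite": (7, 1),
}

# Hypothetical baseline: controls every host must run (configure / control).
REQUIRED_CONTROLS = {"endpoint-av", "host-firewall"}

# Constructed inventory as a hygiene scan might export it:
# host;package;version (one installed package per line).
SAMPLE_INVENTORY = """\
ws-01;openssh-server;9.6
ws-01;endpoint-av;4.2
ws-01;host-firewall;2.1
ws-02;endpoint-av;3.9
ws-02;office-suite;7.1
ws-02;torrent-client;1.0
"""


def parse_version(text):
    """'9.6' -> (9, 6); tuples compare numerically, unlike strings ('10' < '9')."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_inventory(text):
    """Count: build host -> {package: version} from the export, skipping blank lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, package, version = line.split(";")
        hosts.setdefault(host, {})[package] = parse_version(version)
    return hosts


def check_host(packages):
    """Return (finding, package, version) tuples for one host.

    unapproved: installed but not on the APL (control)
    outdated:   on the APL but below the minimum patched version (patch)
    missing:    required control not installed at all (configure)
    """
    findings = []
    for package, version in sorted(packages.items()):
        if package not in APL:
            findings.append(("unapproved", package, version))
        elif version < APL[package]:
            findings.append(("outdated", package, version))
    for package in sorted(REQUIRED_CONTROLS - set(packages)):
        findings.append(("missing", package, None))
    return findings


def check_inventory(text):
    """Repeat: run the check over every host in the export."""
    return {host: check_host(pkgs) for host, pkgs in parse_inventory(text).items()}


def summarize(report):
    """Counts a dashboard or SIEM rule would key on."""
    return {
        "hosts": len(report),
        "clean_hosts": sum(1 for f in report.values() if not f),
        "findings": sum(len(f) for f in report.values()),
    }


if __name__ == "__main__":
    report = check_inventory(SAMPLE_INVENTORY)
    for host, findings in report.items():
        for kind, package, version in findings:
            shown = ".".join(map(str, version)) if version else "-"
            print(f"{host}: {kind:<10} {package} {shown}")
    print(summarize(report))
```

Feeding the findings into the SCM / SIEM rather than a printout is what turns the one-off check into the "Repeat" step.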

Cyber Security is Complex from a Technical Perspective. What factors must be addressed in a Cyber Operator Course? What does it take to minimize the 95% of most security incidents?
(Slide word cloud, from an IBM security brief: DAC, HIPAA, VPN, SSL, SOX, IPSEC, SaaS, FIPS 140-2, tokens, biometrics, XML gateways, PKI, thin clients, H/W crypto, Kerberos, digital certificates, trusted OS, wireless, compliance, secure blades, cloud guards, hardening, secure collaboration, RSBAC.)

IA/Security Axioms to consider / accommodate / educate
- Security and complexity are often inversely proportional.
- Security and usability are often inversely proportional.
- Good security now is better than perfect security never.
- A false sense of security is worse than a true sense of insecurity.
- Your security is only as strong as your weakest link.
- It is best to concentrate on known, probable threats first. Work through all these in your Risk Management Plan!
- Security is an investment (insurance), not an expense with an RoI.
- Security is directly related to the education and ethics of your users.
- Security is a people problem: users stimulate problems, at all levels.
- Security through obscurity is weak, and we can NOT always add security later.
Who says what we MUST DO? From a business DUE CARE / due diligence level. Collectively: NIST, NSA, SANS, etc. The following slides provide details.
http://www.avolio.com/papers/axioms.html

NIST's "absolutely necessary" Security activities (NIST - National Institute of Standards and Technology)
- Protect information/systems/networks from damage by viruses, spyware, and other malicious code (IA suite, A/V, etc).
- Provide security for your Internet connection / ISP.
- Install and activate software firewalls on all your business systems.
- Patch your operating systems and applications.
- Make backup copies of important business data/information.
- Control physical access to your computers and network components.
- Secure your wireless access point and networks.
- Train your employees in basic security principles.
- Require individual user accounts for each employee on business computers and for business applications.
- Limit employee access to data and information, and limit authority to install software.
While these are the KEY cyber activities, there are more to accommodate in a due diligence cyber state.
Integrated into the Key Hierarchy of needs activities.

NIST's Highly Recommended Practices (http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf)
- Policy / practice for email attachments and requests for sensitive information.
- Policy / practice for web links in email, instant messages, social media, or other means.
- Policy / practice for popup windows and other hacker tricks.
- Doing online business and secure banking.
- Recommended personnel practices in hiring employees.
- Security considerations for web surfing, prohibited sites.
- Policy / practice for downloading software from the Internet.
- How to get help with information security when you need it.
- How to dispose of old computers, media and fax machines.
- How to protect against social engineering; data loss prevention.
WHAT, more to do? YES, but most are related to standard IA/CND mitigations...
Integrated into the Key Hierarchy of needs activities.

NSA IAD top ten controls
1 - Application whitelisting: only run approved apps (that the SysAdmin reviews).
2 - Control administrative privileges: minimize escalation, enforce least privilege.
3 - Limit workstation-to-workstation communications: thwart pass-the-hash.
4 - Use anti-virus file reputation services: leverage cloud-based threat databases.
5 - Enable anti-exploitation features, for example MS Windows EMET.
6 - Implement Host Intrusion Prevention System rules: focus on threat behaviors.
7 - Set a secure baseline configuration: layered security, standard images, etc.
8 - Use web Domain Name Service (DNS) reputation: screen URLs, intrusion alerts.
9 - Use / leverage software improvements: software / OS upgrade and patch policy.
10 - Segregate networks and functions based on role and functionality: monitor sections, then isolate when attacked.
Integrated into the Key Hierarchy of needs activities.
http://www.sans.org/security-resources/iad_top_10_info_assurance_mitigations.pdf

SANS top 20 controls (ver 3)
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and Remediation
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate Training to Fill Gaps
Integrated into the Key Hierarchy of needs activities.
http://www.sans.org/critical-security-controls/

Top 35 Mitigations
At least 85% of the targeted cyber intrusions the Australian Signals Directorate responds to could be prevented by following the Top 4 mitigation strategies:
- use application whitelisting to help prevent malicious software and other unapproved programs from running
- patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
- patch operating system vulnerabilities
- minimize the number of users with administrative privileges.
Examples of Targeted Cyber Intrusions mitigation strategies: disable local administrator accounts; multi-factor authentication; network segmentation and segregation; application-based workstation firewall; host-based Intrusion Detection/Prevention System; centralized and time-synchronized logging; whitelisted email content filtering; web domain whitelisting for all domains; workstation application security configuration hardening; user education; computer configuration management; server application security configuration hardening; antivirus software with up-to-date signatures; enforce a strong passphrase policy; etc.
Integrated into the Key Hierarchy of needs activities.
http://www.asd.gov.au/infosec/top35mitigationstrategies.htm

Top 25 SW development errors
[1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] Missing Authentication for Critical Function
[6] Missing Authorization
[7] Use of Hard-coded Credentials
[8] Missing Encryption of Sensitive Data
[9] Unrestricted Upload of File with Dangerous Type
[10] Reliance on Untrusted Inputs in a Security Decision
[11] Execution with Unnecessary Privileges
[12] Cross-Site Request Forgery (CSRF)
[13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14] Download of Code Without Integrity Check
[15] Incorrect Authorization
[16] Inclusion of Functionality from Untrusted Control Sphere
[17] Incorrect Permission Assignment for Critical Resource
[18] Use of Potentially Dangerous Function
[19] Use of a Broken or Risky Cryptographic Algorithm
[20] Incorrect Calculation of Buffer Size
[21] Improper Restriction of Excessive Authentication Attempts
[22] URL Redirection to Untrusted Site ('Open Redirect')
[23] Uncontrolled Format String
[24] Integer Overflow or Wraparound
[25] Use of a One-Way Hash without a Salt
Must BUILD IA IN. This starts with SW, AND applies to Apps / Services.
http://cwe.mitre.org/top25/
Integrated into the Key Hierarchy of needs activities.
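Two entries from the list above, [1] SQL Injection and [25] One-Way Hash without a Salt, each shown as the weak pattern beside its fix. This is an added example, not code from the presentation; the users table, the passwords and the PBKDF2 round count are constructed / assumed values.

```python
# Added example (not from the presentation): two entries from the slide's
# Top 25 list, each shown as the weak pattern beside its fix. The user table
# and the passwords are constructed; the database is in-memory SQLite.
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware; raise it as it gets faster


def make_db():
    """Constructed users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """[1] SQL Injection: the input becomes part of the SQL text, so a quote
    in it rewrites the WHERE clause instead of being compared as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_fixed(conn, name):
    """Fix: a bound parameter; the driver sends the input as a value and the
    query structure can no longer change, whatever the input contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def hash_password_unsalted(password):
    """[25] One-way hash without a salt: equal passwords give equal digests,
    so one precomputed table of digests cracks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Fix: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored form is 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR 'a'='a"   # constructed input containing a quote
    print("vulnerable:", find_user_vulnerable(db, crafted))  # every row comes back
    print("fixed:     ", find_user_fixed(db, crafted))       # no such user
    stored = hash_password("correct horse")
    print("verify ok:", verify_password("correct horse", stored))
```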

Cyber PROCESS: Where's your data? Who has it? Is it safe?
A recent Symantec Threat Report states that 82% of data that was either lost or stolen could have been avoided if the business followed a simple cyber security plan. The Verizon data breach report stated that 87% of all security incidents could have been easily prevented by implementing known patches/controls published over 6 months earlier. The security basics are fairly well known, but not implemented well, OR verified.
1 - Use strong passwords and change them regularly. Be very aware that POOR PASSWORDS GIVE A FALSE SENSE OF SECURITY!!!
5 - Remove unused software and user accounts; delete / securely wipe everything on replaced equipment (yes, faxes / copiers too!).
6 - Establish physical access controls for KEY computer equipment / rooms.
7 - Create backups for important files, folders, and software; also store them off-site.
- Enforce the Principle of Least Privilege: strict access controls, need to know.
- Develop and use a data-centric security approach; DLP is good, but more is needed.
- Ensure all staff receive basic online security training and instruction in your policies.
- Take security breaches seriously: isolate any compromised systems from the network and involve an IT security professional if necessary to ensure the malware is fully removed.
Integrated into the Key Hierarchy of needs activities.
# = Top 12 SMB security recommendations from the US Chamber of Commerce Cyber guide

Cyber POLICY: What's your legal, statutory liability? Can you be sued?
2 - Be vigilant opening e-mail attachments and Internet downloads (scan / DMZ?).
10 - Access to sensitive and confidential data: limit it, and limit authority to install software.
11 - Establish and follow a security financial Risk Management Plan (RMP); maintain adequate insurance coverage.
12 - Get technical expertise and outside help when you need it.
- Make security policies a clear, well communicated and enforced priority.
- Ensure all compliance aspects are supported by policy, tools, users and management, as it's more than just an audit process (PCI, SOX, HIPAA, etc).
- Decide whether computers, laptops and software are to be supplied by your company or by your staff, and reflect these decisions in your policies, purchasing and processes.
- Document a simple acceptable-use policy for any computer that is used for company business or media that is used to store or transport company data.
- Create an acceptable password-strength policy and ensure that all computers and other IT equipment are password protected.
- Require that all security incidents are promptly reported and managed to a business stakeholder and a formal CERT entity.
There is a legal perspective of a minimal level of security with respect to due diligence.
Integrated into the Key Hierarchy of needs activities.

Cyber Hygiene: the many faces of neglect
Our IA/CND/Security cyber suite is quite good IF maintained!
- Equipment settings (FW, A/V, IDS, etc): monitor / enforce.
- Social media: content & settings; restrict sharing / privileges.
- Incident reporting: no incident too small; notify US-CERT / FBI.
- Controlled access: enforce least privilege; separate / rotate duties.
- Security education: ALL levels, reinforce; incentivize good vs bad.
- Maintain cyber suite: patches, upgrades, etc (compliance == security).
- Standard operating procedures (SOPs): USE / enforce them.
- Know your security baseline AND employ SCM / SIEM.
- Privacy and PII: enforce policy (note: the EU is stricter).
Will lack of cyber hygiene continue to put you at MUCH greater risk?
Forbes top threats for 2013 (MOST threats / vulnerabilities have CM / hygiene AND / or access control issues): Social Engineering; APTs; Internal Threats; BYOD / mobile malware; HTML5; Botnets; CLOUD infrastructure; and Precision Targeted Malware.
Integrated into the Key Hierarchy of needs activities.

Security Main Factors. Wow, given ALL these guides, what MUST WE DO?
- Implement the NIST "absolutely necessary" elements first and foremost to protect your data (encryption and backups).
- Effective passwords: still the bane of basic security, and policy is still poor! (Tokens / two-factor IA&A should be used for critical data / processes.)
- Securing the client, fortifying the browser, buying trusted business apps and services: the browser / client is THE largest malware entry point!
- Minimal security suite: antivirus, firewall, IDS, VPN, connection security.
- Monitoring tools need to manage CM/hygiene, track users / data, and provide alerts (SCM/SIEM); this supports preplanned SoPs / COOPs, etc.
- Enforce a living security policy: quantify actual risks, strict need to know, DATA protection (encryption and access control), minimize IP loss, data loss prevention.
- A robust and adaptive security strategy = a risk management plan (RMP) to keep pace with the fast-evolving nature of IT security, including cloud services / SLAs, etc.
Our Cyber Security operator course collates all these guides and maps them.
Integrated into the Key Hierarchy of needs activities.

Enterprise Risk Management (RM) Focus! Cyber enabling the RMP: make it work effectively.
(Slide diagram: the following inputs feed the RM Plan.)
- Company Vision (business success factors)
- Security Policy (mobile, social media, etc)
- C&A / V&V (effective / automated)
- Known Baseline (security architecture)
- CMMI / Sustainment (SoPs / processes)
- Privacy by Design (manage PII, HIPAA, compliance)
- Insider Threat
- Company Intel (open source, FB, etc)
- SCM / SIEM (monitor / track / mitigate)
- MSS / CISO (3rd party IV&V support)
- Data Centric Security (DLP, reputation based methods)
- Cyber insurance (broker & legal counsel)
- Education / Training (targeted, JIT, needs / KSA based)
- Common Business RMP model (re: RMF / COBIT & Risk IT)
+++ THIS is the top-level organizational risk focus / support that is KEY +++

SO just what are we trying to orchestrate? An integrated Cyber Defense in Depth / Breadth (DiD) EcoSphere: using dynamic lag and lead feedback, establish proactive, dynamic CND / IA Defense.
(Slide diagram: sensors, Cyber I&W, Virtual Storefront, NMS / Security Management tools, insider threats, defensive assessments, incident results and SA feed the loop; inputs include sensors, CNA/E inputs, OpSec, Intel, etc.; users & CoC threats; IA & CND with IDS / IPS, DLP, etc.; V&V / C&A; I&W / SCM; CERT / FBI; Red Teams.)
Feedback loops: predictive feedback (leading indicators) and forensic feedback (lagging indicators). Changing soft settings takes secs to mins; upgrades (developed & installed) take days to months; with big data / predictive analytics / SIEM this becomes near real-time!
All Security & Privacy capabilities (including IoT) must be well integrated into the cyber system.

Security Monitor: Building a Trusted Cyber Infrastructure, an adequately assured, affordable, net-centric environment (built from disparate heterogeneous capabilities that we must integrate into a homogeneous cyber ecosphere!)
- Focus on a few core capabilities & devices: PCs, routers, IA suite, servers, & SANS, all with access control.
- Standard IA/CND suite: FW, A/V, IDS/IPS, CDS, etc. Treat as a SoS with high EAL.
- All connections / communication paths need assured identity, authentication & authorization.
- Data centric security; defensive I&W; strict access / ZBAC.
- Make IA / CND / security a commodity: use IA building blocks = APLs/PPLs -> NIAP. Interoperability and composability are built in upfront and help dramatically reduce complexity and ambiguity. Thus establishing known risks & pedigrees reduces attack surface, risks / impacts & TOC.
(Slide diagram, with the Evaluation Assurance Level (EAL) scale 2-7: security monitor EAL 6; WAN router and IA suite; core router EAL 4-5 with assured IOS; distribution router, various EAL; servers EAL 4 (HW / FW, secure OS kernel, secure virtual machine, strict access / ZBAC) running ALL OSes (MS, Mac, Unix); SANS EAL 5-6; network devices; PC end user devices EAL 3-4 (secure OS, TSM, HBSS, ZBAC); RFID, MEMS, WSN, sensors, ICS / SCADA, etc.)

Course Purpose and Intent
Vision: Provide the framework / resource for Applied Cybersecurity at the technical level.
Mission: Provide introductory education to promote Cyber Awareness. Create a San Diego area consortium for Applied Cybersecurity Education.
Objectives:
- Seek Industry and Government endorsement (IEEE, ISSA/ISC2, NICE, etc.)
- Develop a standard Cyber needs training template / syllabus for ALL to use
- Community outreach
- Develop targeted curriculum for an Initial Cybersecurity Introduction for SO/HO
- Develop targeted curriculum for Applied Cyber security (Security+ level education)
- Develop targeted curriculum for Advanced Cybersecurity Topics
ACMEcyber: Applied Cybersecurity Methodologies and Education (ACME) Cyber Solutions

Why Technical Level Application?
- IT professionals lack applied cyber skills: certs and degrees but no practical experience.
- Small/medium sized businesses have needs but no idea of the scope, or of how to get the level of Cyber SME they need.
- Raise awareness for getting the basics covered = 95% of problems.
- Availability and cost of training: boot camp education and certification = book read vs KSAs. SANS conference training is out-of-town and costly (sample: SANS Boot Camp for Cyber Essentials, Austin, TX, $4,895).
- Where are the local Cybersecurity education resources? UCSD, National University, SDSU: not applied cyber curriculums.

What are we trying to accomplish?
- Develop urgency for generating professional demand.
- Seed the entry level needs, & know when to call a consultant.
- Establish and create a basic weeklong curriculum: addresses all the basics of Cybersecurity; provides at least the 90-95 percent defense level (closing the Cyber Barn Door).
- Foster interest in the development of Cyber Professionals in SD.
- Teach how to think critically about Cybersecurity: create chefs rather than cooks following recipes.

Our Cyber Ed Approach
- Modular: don't have to spend an inordinate amount of time searching.
- Just in time training.
- Leverages existing information on the Internet.
- Focuses on key considerations (chef); directs operators to the source of the recipes (cook).
- Alleviates outdating of material and develops self-sufficiency.
- Cuts through the Cybersecurity Fog, alleviating confusion.
- Fosters understanding rather than procedure.
- Promotes self-efficacy and self-reliance.

Cyber Education triangle: clarifying the fog of cyber security through targeted training
(Slide triangle. Education levels, top to bottom: Advanced, Targeted, Awareness, Foundational. Curriculum & resources are linked / leveraged (on-line, companies, colleges, etc). Items shown on the triangle: MS / BS Cyber; CISSP / GISP / CISO / etc; forensics / ethical hacker / etc; firewall / cloud security / crypto & key mgmt / *; "Expands the pool for advanced education"; small business security course & practicum; Security+ and skills development; education; STEM (grades 7-12). KEY break point is providing cyber operators!)
(* = IDS/IPS, anti-virus, wireless, application development, cloud, web/mobile code, mobile, etc)

Notional Cyber education roadmap (authoritative sources, categorized, mapped to CSF)
(Slide diagram: inputs / factors -> key artifacts -> outcome.)
- Inputs / factors: NICE CyberSecurity Workforce Framework 2.0 (lists 30+ types of SMEs!); NSA CAE accreditation focus areas; NIST SPs & must-do requirements; SANS top 20; Top 35 Mitigations; OWASP top 10; Top 25 SW errors; CERT areas / KSAs; customer awareness AND demand; NIST / Whitehouse Cybersecurity Framework (CSF) foundation.
- Key artifacts: grouped & aligned to support key IA needs; align needs / areas; clarify / map certs to specific demand areas; target environment; Curriculum MAP with objectives and quantified KSAs; Cyber Needs Paper, to center & align KSAs with security needs and also educate leaders.
- Outcome: a targeted / focused, trained / proven KSA Cyber Operator.

Cyber capabilities KSA decomposition (Objective = support business risk management prioritized vulnerability reductions)
Overall Cyber Security Factors: people, processes, products, policy.
(1) Main functional areas / buckets, from the NICE framework functions: Provision; Analyze; O&M / support; Collect; Investigate; Protect & defend.
(2) Cyber skills (KSAs): requirements analysis; assessment; C&A; security testing; pen testing; security design.
KEY capabilities / products / processes / methods = KSAs: compliance; IA/CND & crypto/key mgmt; IA&A; mobile / wireless; tools; policy; network (client / server / router); SW/apps services; web / active code; data; O&M/support; sys admin & CM/hygiene; threats; C&A (V&V); RISK assessment.
ALL geared to specific positions / types (manager, project lead, Cyber SME / ISSE), and with some aspect of technical level (apprentice, journeyman, master).

Hierarchy of Cyber Needs (i.e., Maslow triangle and operational / management view)
If you don't take care of the level before the one you are operating in or focusing on, then your efforts are for the most part moot, as you are in a higher risk status until the earlier level is satisfied!
(Slide triangle labels: Master / Optimized Value; Journeyman / Operations; Apprentice / BASICs. Side references: NSA IAD top 10 factors, Top 20 security controls, Top 35 mitigations.)
5 - Cyber actualization: compliance / assessment / analytics
  + V&V / TE&C / C&A formal proof -> residual risks -> cyber value proposition
  + KEY compliance activities: PII, PCI, HIPAA, etc
  + Forensics / ethical hacker
  + Big data / predictive analytics (integrate SCM / SIEM, IA/CND reports, etc)
  + Pen / security testing (of all cyber capabilities, backup, PW, etc)
4 - Applied cyber security (IA / CND / security capabilities best practices): given the below best practices and cyber protections approach, distill the key attributes for each IA/CND capability, while following and tailoring for the company's environment the products' install instructions: specific equipment settings for secure sustainment / operations = firewall, A/V suite, IDS/IPS, crypto, key mgmt, mobile, wireless, network, apps, data security, etc
3 - Cyber Maintenance: security hygiene / CM / SoPs
  + Manage policy: social media content & settings, restrict sharing / privileges = proactive monitoring
  + Maintain cyber security suite: patches, upgrades, etc.; control system settings & dashboard!
  + Standard operating procedures (SOPs): USE / enforce them
  + Security training / education awareness at ALL levels: reinforce / incentivize pos & neg
2 - Cyber foundation
  + Access control (PW, CAC, enforce least privilege, separate / rotate duties, etc)
  + Layered defense: IA/CND strategy, WHAT capabilities are needed
  + Security policy (privacy, social media, PII, etc), enforcement aspects too
  + Monitoring / know your baseline: SCM / SIEM
  + Tools selection and integration
  + Business risk management / assessment (RMF / COBIT) / requirements analysis with an AoA
1 - Resiliency: survival / recovery
  + Secure backup (types / methods, various sites / levels)
  + Incident responses (company processes, comms with LE / FBI, etc)
  + Recovery plan: COOP / BCP (phases of recovery, hot / mirror site, etc)
KSA / practicum based on small business security.

Execution View of Topics
  + Resiliency: secure back-up / processes and configuration; disaster recovery planning; incident response; contingency planning
  + Ethics, laws and operating limitations
  + Policy, guidance and training: policy; guidance and SOPs; training
  + Cybersecurity strategy: layered defense (defense-in-depth / breadth); privacy by design / data-centric security concept
  + Cybersecurity toolkit: Windows based toolsets; Linux (Kali, Backtrack) installation; command line operations; network mapping tools and demos; documenting and storage tools
  + Anti-malware / antivirus
  + Vulnerability scanning: Nessus scanner; Retina scanner
  + Identification and access management: passwords / implement least privilege; access control system implementation
  + Encryption: data at rest, in processing and in transit; VPN overview / set-up
  + O/S hardening: Microsoft Windows 7 & 8; Linux
  + Updating and patching: automatic updating; test environment
  + Network hardening: firewalls; routers; IDS/IPS; SCM / SIEMs
  + Cloud security
  + Auditing
  + Risk management

Module Components
  + Description of the module topic and intended educational objective
  + Threat / implication of not taking appropriate action within the module
  + Key considerations that are the essential concepts to understand
  + Implementation aspects that must be accommodated for success
  + Best practices sanctioned by national or industry guidance
  + Demonstration material or websites that can be used in training
  + National / industry websites to be used as official reference sources
  + References that can be used for furthering education
Modules are tailored into slides for that course and sector focus, using SCORM methods and an LMS to tie all materials together.

Not everyone needs, nor can afford, a cyber ninja!
The Cyber Integrated ED Package: a bottom-up / needs approach to effective cyber SKILLS training (practicum)!

Security+ Cert prerequisite
Mike.Davis.SD@gmail.com

Cyber Essentials Course for SMB: developing security operators to fill the critical skills void. (Key skills to address the top 10/20/35 mitigations, with a Security+ / SSCP cert knowledge level.)

Weekly schedule (time ticks on the slide: 0800, 1100, 1200, 1600):

  Block       Mon             Tue          Wed                       Thu      Fri
  Morning     Cyber Overview  Foundations  Foundations               Applied  Actualization & review & skills test
  1200        Lunch           Lunch        Lunch                     Lunch    
  Afternoon   Resiliency      Foundations  Operations & Maintenance  Applied  Return to office

SMB needs cyber operators! High volume & greatest need (Operations & Maintenance). Also have an MSS, then manage the 95% of vulnerabilities on site & know when to ask for help!

Cyber Security Opportunities (cyber can both protect your business AND enhance the bottom line!)

IT / cyber global strengths (user pull):
  + World-wide B2B trust / cloud / sharing = TRUST; distributed / MLS
  + IoT / M2M: automation / sensors
  + Consumerization of IT: phones / wireless / apps

GAPS / needs / weaknesses (from the Federal cyber priority council S&T gaps):
  + Resiliency: SW / apps / APIs / services
  + Agile operations: BE the vanguard / integration
  + Privacy / data: IP / PII / compliance
  + Effective missions: business success factors
  + CM / hygiene: patching / settings; SIEM / SCM; QA hygiene / sensors; ESA / simple tools!

Vulnerabilities / threats (Verizon DBIR, Forbes, etc. threat reports - what ails us most):
  + Access control: authentication is key
  + Mobile security: poor apps / iOS weak; billions of users = volume
  + Top security mitigations: whitelist, patch, limit access, etc.

Future opportunities:
  + Mitigate obsolescence: minimize patching and legacy vulnerabilities; education / OA / modularity / APIs & SCRM
  + Risk mgmt: ad hoc / not global today -> effective Business Risk Management (BRM) = cybersecurity framework (CMMI / FAR); focus on reducing business risk; managed security services (MSS) & cyber insurance
  + Data security: predictive analytics; privacy by design