Cultivating Security, 2012
Roger Hagedorn, Cultivating Security
Security Initiatives
Here and Down Under
Quick Discussion Question: What do you
think of when it comes to information
security?
[audience participation time]
One thing to keep in mind:
In the world of information security,
CIA = Confidentiality, Integrity and
Availability
Though sometimes it refers to a certain government agency.
What do we mean by Information Security?
“the processes and methodologies designed to protect
print, electronic, or any other forms of
confidential, private and sensitive information or data
from unauthorized access, use, misuse, disclosure,
destruction, modification, or disruption.”
SANS Institute
“Preservation of confidentiality, integrity and availability
of information.”
ISO 27000
Are there any models or standards for Information
Security that might be helpful?
I thought you’d never ask. . .
There’s no shortage of standards to consider:
• NIST 800-53 = National Institute of Standards and Technology, Special Publication 800-53
• FISMA = Federal Information Security Management Act
• DIACAP = DoD Information Assurance Certification and Accreditation Process
• SOX = Sarbanes-Oxley Act of 2002
• GLBA = Gramm-Leach-Bliley Act
• PCI DSS = Payment Card Industry Data Security Standard
• NERC CIP = North American Electric Reliability Corporation, Critical Infrastructure Protection standards
• ISO 27000 Series = International Organization for Standardization
• HITECH Act of 2009
Confused?
Overwhelmed?
These standards are complex and
difficult to implement.
Nevertheless . . .
While there might not be consensus on the issue, there
is an increasing recognition that every organization
needs to have a strategy for defense.
Organizations are learning to assess their information
security risks, and then to implement appropriate
information security controls based on their needs, and
using guidance and suggestions where relevant.
With so many standards, where should
a person begin?
“A lot of times, enterprises just don’t know where and
how, or what to do. Where’s the next dollar best
spent?”
“This is about priority.”
Tony Sager, former head of the NSA’s Systems &
Network Attack Center, now with the SANS Institute
Here’s where our government, along with the
Australian government, offers surprisingly helpful
examples.
First, one more quick definition:
Security controls are safeguards designed to
avoid, counteract or minimize risks.
Recent Events in the History of Controls:
Starting in 2008, the Office of the Secretary of Defense
asked the NSA for help with its cybersecurity posture.
NSA was brought in because of their understanding of
how cyber attacks worked and because the DoD was
interested in fending off actual attacks rather than
developing a theoretical approach to security.
Since the early 2000s, the NSA had been working
on a list of security controls that were most
effective in stopping known attacks.
The key: “no control should be made a priority
unless it could be shown to stop or mitigate a
known attack.”
The second key: NSA was already working on
collaboration with two nonprofit organizations:
The SANS Institute — a cooperative research and
education organization, “the most trusted and by far the
largest source of information security training and
security certification in the world.”
The Center for Internet Security — “works on enhancing
cyber security readiness and response of public and
private sector entities.”
Eventually, more than 100 public and private
organizations joined in, as well as a few companies
involved in incident response, including McAfee and
Mandiant.
The two main elements:
1) The only justification for a control was actual attack
information.
2) The feeling among the participants that they were
active contributors to protecting the country.
The clear consensus:
Just 20 Critical Controls could address the
most prevalent attacks that government and
industry face.
The test:
The Department of State put the 20
Critical Controls up against the 3,085
attacks it underwent in 2009.
The Results:
More than 88% reduction in
attacks on vulnerabilities.
On November 5, 2012, a new international consortium
was launched to help government agencies and the
private sector prioritize security defenses. Called the
Consortium for CyberSecurity Action (CCA), it bases its
recommendations on the most recent update of the 20
Critical Controls.
Spoiler Alert:
Most of these controls are standard
procedure or “Best Practices” in network
administration.
Chances are that you’ve implemented many
of them yourself.
There really shouldn’t be any surprise here.
OK then, here we go . . .
The Main Event: the 20 Critical Controls
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on all devices:
mobile, laptops, workstations, servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware defenses
6 Application Software Security
7 Wireless Device Control
8 Data Recovery Capability
9 Security Skills Assessment and Training to Fill Gaps
10 Secure Configurations for Network Devices
11 Limitation and Control of Network Ports, Protocols and Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance, Monitoring and Analysis of Audit Logs
15 Controlled Access Based on Need-to-Know
16 Account Monitoring and Control
17 Data Loss Prevention
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
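Control 1 is the one most organizations think they already have and rarely check. Here is what "inventory of authorized and unauthorized devices" looks like as a runnable check. This is an added example written for this page, not code from the talk or from SANS/CIS: it parses a constructed excerpt in the style of an ISC dhcpd leases file, reconciles it against a constructed asset register keyed by MAC address, and reports the three findings an administrator actually wants (unknown devices on the wire, registered devices that have gone quiet, and registered devices whose announced hostname no longer matches the register). All addresses, MACs and hostnames are made up.

```python
"""Critical Control 1, inventory of authorized and unauthorized devices:
reconcile what the network actually shows against the asset register."""
import re
from dataclasses import dataclass

# Constructed sample in the style of an ISC dhcpd leases file; the
# addresses, MACs and hostnames are invented for this example.
LEASES = """\
lease 10.0.5.21 {
  starts 4 2012/11/08 09:12:01;
  hardware ethernet 00:1A:2B:3C:4D:5E;
  client-hostname "ws-accounting-03";
}
lease 10.0.5.77 {
  starts 4 2012/11/08 09:40:33;
  hardware ethernet 6c:40:08:aa:bb:cc;
  client-hostname "iPhone";
}
lease 10.0.5.30 {
  starts 4 2012/11/08 10:02:15;
  hardware ethernet 00:1a:2b:3c:4d:77;
}
"""

# The asset register (constructed): MAC -> hostname it is registered under.
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": "ws-accounting-03",
    "00:1a:2b:3c:4d:77": "ws-accounting-04",
    "00:1a:2b:3c:4d:99": "printer-2f",
}

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17})\s*;")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;')


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str  # "" when the client sent no hostname option


def parse_leases(text: str) -> list:
    """Extract (ip, mac, hostname) from each lease block. MACs are
    normalised to lower case so they compare with the register."""
    leases = []
    for m in LEASE_RE.finditer(text):
        mac = MAC_RE.search(m.group("body"))
        if not mac:
            continue  # malformed block without a hardware address
        host = HOST_RE.search(m.group("body"))
        leases.append(Lease(m.group("ip"), mac.group(1).lower(),
                            host.group(1) if host else ""))
    return leases


def reconcile(leases: list, authorized: dict) -> dict:
    """unauthorized: on the wire but not in the register.
    missing: in the register but not seen (unplugged, stolen, stale entry).
    hostname_mismatch: registered MAC announcing a different name
    (re-imaged, renamed, or someone spoofing an approved MAC)."""
    seen = {lease.mac for lease in leases}
    return {
        "unauthorized": [lease for lease in leases
                         if lease.mac not in authorized],
        "missing": sorted(authorized.keys() - seen),
        "hostname_mismatch": [lease for lease in leases
                              if lease.mac in authorized and lease.hostname
                              and lease.hostname != authorized[lease.mac]],
    }


if __name__ == "__main__":
    report = reconcile(parse_leases(LEASES), AUTHORIZED)
    for lease in report["unauthorized"]:
        print(f"UNAUTHORIZED {lease.mac} {lease.ip} {lease.hostname!r}")
    for mac in report["missing"]:
        print(f"MISSING      {mac} ({AUTHORIZED[mac]})")
```

Keying on MAC rather than IP or hostname is deliberate: IPs churn with every lease and hostnames are whatever the client claims. A MAC can be spoofed too, which is why the hostname mismatch finding is kept as a second signal rather than treated as noise.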
So what about Implementation?
In a mature environment, chances are you already have
most, if not all, of these 20 Critical Controls in place.
But what about smaller organizations?
You can make concrete, measurable steps in improving
your networks by putting into place, over time, some or
most (if not all) of these controls. Yes it takes time, but
it pays off. Remember:
Keep your eye on the prize:
The State Department saw a
reduction of more than 88%
in attacks on their systems in the
first year.
So what about those Australians Down Under?
Independently of the research we’ve discussed, Australia’s
Defence Signals Directorate (DSD) developed a list of the Top 35
Mitigation Strategies, presented in order of overall effectiveness.
Like the 20 Critical Controls, these rankings are based on DSD’s
analysis of reported security incidents and detected
vulnerabilities.
For the sake of time, let’s just consider the Top Four Controls
or Mitigating Strategies:
• Use application whitelisting to help prevent malicious
software and other unapproved programs from running
• Patch applications such as PDF readers, Java, and web
browsers
• Patch operating system vulnerabilities
• Minimize the number of users with administrative
privileges
According to the DSD’s Strategies to Mitigate
Targeted Cyber Intrusions,
over 85% of cyber intrusions could be
defeated
if organizations implemented just the first four of
these strategies.
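The Top Four are stated as policy, but each one is checkable. The following is an added example for this page (not DSD's code, and not from the talk) that turns all four into functions run over a constructed snapshot of one workstation: application whitelisting keyed on the SHA-256 of the executable rather than its path, application and operating-system patch levels compared against constructed "patched minimum" versions, and the local administrators group compared against an approved list. The binaries, version numbers and account names are all invented; a real allowlist would be generated from the hashes of the organisation's gold image and the minimums from vendor advisories.

```python
"""The DSD Top Four as executable checks over a constructed host snapshot."""
import hashlib
import re

# Strategy 1: application whitelisting keyed on content hash, not path.
# Stand-in "binaries" invented for this example.
APPROVED_CONTENT = {
    "editor.exe": b"MZ constructed editor build 2.1",
    "browser.exe": b"MZ constructed browser build 17.0",
}
ALLOWLIST = {hashlib.sha256(b).hexdigest() for b in APPROVED_CONTENT.values()}


def allowlist_decision(content: bytes) -> str:
    """Allow only executables whose SHA-256 is on the list. The file name
    plays no part, so a trojaned copy dropped at an approved path is still
    denied, which a path-based rule would miss."""
    return "allow" if hashlib.sha256(content).hexdigest() in ALLOWLIST else "deny"


# Strategies 2 and 3: patch applications and the operating system.
# Constructed "patched as of today" minimums for the products the slide names.
MINIMUM_VERSIONS = {
    "pdf-reader": "10.1.4",
    "java": "1.7.0.9",
    "browser": "17.0",
    "os": "6.1.7601.2",
}


def version_key(version: str) -> tuple:
    """Numeric tuple so '10.1.4' sorts after '9.4.0' (string order would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def outdated(installed: dict) -> list:
    """Products installed below the patched minimum."""
    return sorted(
        name for name, ver in installed.items()
        if name in MINIMUM_VERSIONS
        and version_key(ver) < version_key(MINIMUM_VERSIONS[name])
    )


# Strategy 4: minimise the number of users with administrative privileges.
def unapproved_admins(admin_group: set, approved: set) -> list:
    """Members of the local administrators group nobody signed off on."""
    return sorted(admin_group - approved)


# Constructed snapshot of one workstation.
HOST = {
    "executions": {
        "editor.exe": APPROVED_CONTENT["editor.exe"],   # genuine build
        "browser.exe": b"MZ tampered browser",           # approved name, wrong content
        "updater.exe": b"MZ downloaded tool of unknown origin",
    },
    "installed": {"pdf-reader": "9.4.0", "java": "1.7.0.9",
                  "browser": "17.0", "os": "6.1.7601.2"},
    "admin_group": {"Administrator", "jsmith", "helpdesk-tmp"},
    "approved_admins": {"Administrator", "jsmith"},
}


def top_four_report(host: dict) -> dict:
    """One finding list per strategy; an empty list means that strategy holds."""
    return {
        "denied_executions": sorted(
            name for name, content in host["executions"].items()
            if allowlist_decision(content) == "deny"),
        "outdated": outdated(host["installed"]),
        "unapproved_admins": unapproved_admins(host["admin_group"],
                                               host["approved_admins"]),
    }


if __name__ == "__main__":
    for strategy, findings in top_four_report(HOST).items():
        print(f"{strategy}: {findings or 'OK'}")
```

The snapshot is built to show the case that matters: `browser.exe` carries an approved name but different bytes, and the hash-based rule denies it while a name-based rule would wave it through. The version comparison is numeric on purpose, since comparing version strings lexically would rank "9.4.0" above "10.1.4" and hide an unpatched reader.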
These two initiatives provide clear examples of
what’s meant by “Defense in Depth”
Defense in depth is the concept of protecting a
computer network with a series of defensive
mechanisms such
that if one mechanism fails, another will already be in
place to thwart an attack.
SANS Institute
Thanks very much for your attention.
Any questions or comments?
Q and A
Roger Hagedorn
Email: roger@cultivatingsecurity.com
Blog: www.cultivatingsecurity.com
Resources
The 20 Controls
http://www.sans.org/critical-security-controls/
The Australian Government’s 35 Controls
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
The Center for Internet Security
http://www.cisecurity.org

More Related Content

What's hot

What's hot (20)

MT74 - Is Your Tech Support Keeping Up with Your Instr Tech
MT74 - Is Your Tech Support Keeping Up with Your Instr TechMT74 - Is Your Tech Support Keeping Up with Your Instr Tech
MT74 - Is Your Tech Support Keeping Up with Your Instr Tech
 
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your MindBrian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
 
Helen Patton - Cross-Industry Collaboration
Helen Patton - Cross-Industry CollaborationHelen Patton - Cross-Industry Collaboration
Helen Patton - Cross-Industry Collaboration
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiatives
 
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougalNTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
 
Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?
 
Next generation security analytics
Next generation security analyticsNext generation security analytics
Next generation security analytics
 
Deral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail LaterDeral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail Later
 
Five things I learned about information security
Five things I learned about information securityFive things I learned about information security
Five things I learned about information security
 
Cybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already KnowCybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already Know
 
Backups and Disaster Recovery for Nonprofits
Backups and Disaster Recovery for NonprofitsBackups and Disaster Recovery for Nonprofits
Backups and Disaster Recovery for Nonprofits
 
Scrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky CleanScrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky Clean
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are Coming
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big data
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Assessing Your security
Assessing Your securityAssessing Your security
Assessing Your security
 

Viewers also liked

Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
EnclaveSecurity
 

Viewers also liked (6)

Security Framework from SANS
Security Framework from SANSSecurity Framework from SANS
Security Framework from SANS
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for Defense
 
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target Breach
 

Similar to Security initiatives here and down under

Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Investorideas.com
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of Security
Karina Elise
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
Patricia M Watson
 

Similar to Security initiatives here and down under (20)

IDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber SecurityIDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber Security
 
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber Security
 
The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss PreventionThe Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention
 
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook Security
 
Cyber Security Lessons from the NSA
Cyber Security Lessons from the NSACyber Security Lessons from the NSA
Cyber Security Lessons from the NSA
 
Paper 1 According to the authors, privacy and security go han.docx
Paper 1 According to the authors, privacy and security go han.docxPaper 1 According to the authors, privacy and security go han.docx
Paper 1 According to the authors, privacy and security go han.docx
 
Mobility Security - A Business-Centric Approach
Mobility Security - A Business-Centric ApproachMobility Security - A Business-Centric Approach
Mobility Security - A Business-Centric Approach
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of Security
 
2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
 
Proactive information security michael
Proactive information security michael Proactive information security michael
Proactive information security michael
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
Sem 001 sem-001
Sem 001 sem-001Sem 001 sem-001
Sem 001 sem-001
 
trellix-dlp-buyers-guide.pdf
trellix-dlp-buyers-guide.pdftrellix-dlp-buyers-guide.pdf
trellix-dlp-buyers-guide.pdf
 
Security economics
Security economicsSecurity economics
Security economics
 
Secure by design
Secure by designSecure by design
Secure by design
 

Recently uploaded

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 

Security initiatives here and down under

  • 1. Cultivating Security, 2012 Roger Hagedorn, Cultivating Security Security Initiatives Here and Down Under
  • 2. Cultivating Security, 2012 Quick Discussion Question: What do you think of when it comes to information security? [audience participation time]
  • 3. Cultivating Security, 2012 One thing to keep in mind: In the world of information security, CIA = Confidentiality, Integrity and Availability Though sometimes it refers to a certain government agency.
  • 4. Cultivating Security, 2012 What do we mean by Information Security? “the processes and methodologies designed to protect print, electronic, or any other forms of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modificatio n, or disruption.” SANS Institute “Preservation of confidentiality, integrity and availability of information.” ISO 27000
  • 5. Cultivating Security, 2012 Are there any models or standards for Information Security that might be helpful? I thought you’d never ask. . .
  • 6. Cultivating Security, 2012 • NIST 800-53 + National Institute of Standards and Tech. • FISMA = Federal Information Security Management Act • DIACAP = DoD Information Assurance Certification and Accreditation Process • SOX = Sarbanes-Oxley Act of 2002 • GLBA = or Gramm-Leach-Bliley Act • PCI-DSS = Payment Card Industry Data Security Standard • NERC = North American Electric Reliability Corporation • CIP = Certified IRBProfessional • ISO 27000 Series = Int’l Org. for Standardization • HITECH Act of 2009 There’s no shortage of standards to consider:
  • 7. Cultivating Security, 2012 Confused? Overwhelmed? These standards are complex and difficult to implement. Nevertheless . . .
  • 8. Cultivating Security, 2012 While there might not be consensus on the issue, there is an increasing recognition that every organization needs to have a strategy for defense. Organizations are learning to assess their information security risks, and then to implement appropriate information security controls based on their needs, and using guidance and suggestions where relevant.
  • 9. Cultivating Security, 2012 With so many standards, where should a person begin?
  • 10. Cultivating Security, 2012 “A lot of times, enterprises just don’t know where and how, or what to do. Where’s the next dollar best spent?” “This is about priority.” Tony Sager, former head of the NSA’s Systems & Network Attack Center, now with the SANS Institute
  • 11. Cultivating Security, 2012 Here’s where our government, along with the Australian government, offer surprisingly helpful examples.
  • 12. Cultivating Security, 2012 First, one more quick definition: Security controls are safeguards designed to avoid, counteract or minimize risks.
  • 13. Cultivating Security, 2012 Recent Events in the History of Controls: Starting in 2008, the Office of the Secretary of Defense asked the NSA for help with its cybersecurity posture. NSA was brought in because of their understanding of how cyber attacks worked and because the DoD was interested in fending off actual attacks rather than developing a theoretical approach to security.
  • 14. Cultivating Security, 2012 Since the early 2000s, the NSA had been working on a list of security controls that were most effective in stopping known attacks. The key: “no control should be made a priority unless it could be shown to stop or mitigate a known attack.”
  • 15. Cultivating Security, 2012 The second key: NSA was already working on collaboration with two nonprofit organizations: The SANS Institute — a cooperative research and education organization, “the most trusted and by far the largest source of information security training and security certification in the world. The Center for Internet Security — “works on enhancing cyber security readiness and response of public and private sector entities.”
  • 16. Cultivating Security, 2012 Eventually, more than 100 public and private organizations joined in, as well as a few companies involved in incident response, including McAfee and Mandiant. The two main elements: 1) The only justification for a control was actual attack information. 2) The feeling among the participants that they were active contributors to protecting the country.
  • 17. Cultivating Security, 2012 The clear consensus: Just 20 Critical Controls could address the most prevalent attacks that government, industry, and the private sector face.
  • 18. Cultivating Security, 2012 The test: The Department of State put the 20 Critical Controls up against the 3,085 attacks it underwent in 2009.
  • 19. Cultivating Security, 2012 The Results: More than 88% reduction in attacks on vulnerabilities.
  • 20. Cultivating Security, 2012 On Nov 05 of this year, a new international consortium was launched to help government agencies and the private sector prioritize security defenses. Called the Consortium for CyberSecurity Action (CCA), it bases its recommendations on the most recent update of the 20 Critical Controls.
  • 21. Cultivating Security, 2012 Spoiler Alert: Most of these controls are standard procedure or “Best Practices” in network administration. Chances are that you’ve implemented many of them yourself. There really shouldn’t be any surprise here. OK then, here we go . . .
  • 22. Cultivating Security, 2012 The Main Event: the 20 Critical Controls 1 Inventory of Authorized and Unauthorized Devices 2 Inventory of Authorized and Unauthorized Software 3 Secure Configurations for Hardware and Software on all devices: mobile, laptops, workstatons, servers 4 Continuous Vulnerability Assessment and Remediation
  • 23. Cultivating Security, 2012 5 Malware defenses 6 Application Software Security 7 Wireless Device Control 8 Data Recovery Capability 9 Security Skills Assessment and Training to Fill Gaps 10 Secure Configurations for Network Devices 11Limitation and Control of Network Ports, Protocols and Services
  • 24. Cultivating Security, 2012 12 Controlled Use of Administrative Privileges 13 Boundary Defense 14 Maintenance, Monitoring and Analysis of Audit Logs 15 Controlled Access Based on Need-to-Know 16 Account Monitoring and Control 17 Data Loss Prevention
  • 25. Cultivating Security, 2012 18 Incident Response and Management 19 Secure Network Engineering 20 Penetration Tests and Red Team Exercises
  • 26. Cultivating Security, 2012 So what about Implementation? In a mature environment, chances are you already have most, if not all, of these 20 Critical Controls in place. But what about smaller organizations? You can make concrete, measurable steps in improving your networks by putting into place, over time, some or most (if not all) of these controls. Yes it takes time, but it pays off. Remember:
  • 27. Cultivating Security, 2012 Keep your eye on the prize: The State Department saw a reduction of more than 88% in attacks on their systems in the first year.
  • 28. Cultivating Security, 2012 So what about those Australians Down Under? Independently of the research we’ve discussed, the Australians developed a list of the Top 35 Mitigation Strategies that they present in order of overall effectiveness. Like the 20 Critical Controls, these rankings are based on DSD’s analysis of reported security incidents and detected vulnerabilities.
  • 29. Cultivating Security, 2012 For the sake of time, let’s just consider the Top Four Controls or Mitigating Strategies: • Use application whitelisting to help prevent malicious software and other unapproved programs from running • Patch applications such as PDF readers, Java, and web browsers • Patch operating systems vulnerabilities • Minimize the number of users with administrative privileges
  • 30. Cultivating Security, 2012 According to the DSD’s Strategies to Mitigate Targeted Cyber Intrusions, over 85% of cyber intrusions could be defeated if organizations implemented just the first four of these strategies.
  • 31. Cultivating Security, 2012 These two initiatives provide clear examples of what’s meant by “Defense in Depth” Defense in depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack. SANS Institute
  • 32. Cultivating Security, 2012 Thanks very much for your attention. Any questions or comments? Q and A Roger Hagedorn Email: roger@cultivatingsecurity.com Blog: www.cultivatingsecurity.com
  • 33. Cultivating Security, 2012 Resources The 20 Controls http://www.sans.org/critical-security-controls/ The Australian Government’s 35 Controls http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm The Center for Internet Security http://www.cisecurity.org

Editor's Notes

  1. FISMA and ISO = the Fed Govt; SOX = publicly traded companies; GLBA = regulates banks and investment cos.; NERC = the power grid; CIP = committees charged with determining if a research project conforms to ethical principle; Cobit is largely used by the audit community
  2. Speaking of guidance and suggestions…
  3. Tony Sager is the retired chief operating officer of NSA’s Information Assurance Directorate and he now heads up the CCA, the Consortium for CyberSecurity Action, just founded days ago.
  4. The rest of this presentation will focus on controls
  5. DoD = Department of Defense
  6. The CIA’s Tom Donahue, who worked with the White House cyber policy team, made this remark
  7. In other words, use knowledge of actual attacks that have compromised systems to provide the foundation to build effective defenses.
  8. There was some tweaking, they implemented automated capabilities to enforce the controls
  9. There was some tweaking: they implemented automated capabilities to enforce the controls, plus continuous monitoring (auditing so that adjustments can be made and implemented quickly). 2011: the Department of Homeland Security mandated the implementation of these controls across the government. Also in 2011, the UK’s Centre for the Protection of National Infrastructure announced that all government agencies would adopt these controls as their framework for securing their infrastructure.
  10. Maintain an asset inventory; watch for unknown and unauthorized devices. Maintain a white list of approved software. This helps in maintaining/patching the software and eliminates attack vectors based on unused/unmaintained software. Build a secure image and maintain it. If anything becomes compromised, reimage it. Standardized images = hardened versions of the OS and the apps installed. See NIST, NSA, and CIS for examples. Subscribe to vulnerability intelligence services to stay on top of security patches and exposed vulnerabilities and patch ASAP. Run automated vulnerability scans; keep and correlate event logs.
  11. 5: implement an anti-malware solution that auto-updates and auto-scans; scan everything (email) at the gateway. Protect web apps by using web application firewalls that inspect all traffic, explicit error checking, and source code checking. Lock down: remove all unused code or scripts. WPA2 with AES encryption, wireless intrusion detection systems to identify rogue devices; do a site survey. Proper backups, and off-site backups; automation, encryption. Think end-users and social engineering, spear-phishing attacks on sysadmins and CEOs; develop security awareness programs. Firewalls, switches and routers (the earlier control was about endpoints). Think FTP: who uses it today? Lock it down. Use firewalls on all endpoints, perform port scanning regularly, remove any unnecessary services.
  12. Inventory all administrative accounts. For anyone who should have admin privileges, use 2 accounts. Complex passwords for all admin accounts. No default passwords on anything. Use access control lists to ensure that admin accounts are only used for admin duties (no web surfing, no gmail). Multi-layered boundary defenses, using firewalls, proxies, DMZ, and IPS and IDS. Filter outbound traffic as well as inbound. Everybody’s favorite, but without it, hackers can hide their location, software and activities. Classify your data according to sensitivity and segment your network accordingly. Audit access. VLANs. Watch for legit but inactive accounts. Review all accounts, disable anything not associated with a business process and owner, audit for terms and us contractors; auto-log off anyone after a period of inactivity. Use hard drive encryption, watch for exfiltration, scan for PII, lock down use of USB devices.
  13. The time to put together an incident response plan is BEFORE any incident has happened. Identify key players and their roles. Develop written incident response procedures. Hackers, once inside, will map networks looking for unneeded connections between systems, weak filtering, and a lack of network separation. Don’t give them anything to find: design a 3-tier network (DMZ, middleware, private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems should never contain any sensitive information; use an application proxy to get from the DMZ inside. Set up an internal DNS server. Have separate trust zones inside your network. Say yes to pen tests and vulnerability scanning.
  14. At the Coop, it’s taken me more than a year.
  15. DSD = Australian Government’s Defense Signals Directorate, a part of their Department of Defense Intelligence and Security
  16. Surprisingly similar to the 20 critical controls, though with a heavier focus on application whitelisting, using AppLocker or 3rd party solutions
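The first of the DSD's Top Four (slides 29 and 30) and the whitelisting note above both come down to one decision: may this binary run? The following is an added illustration, not code from the presentation or from any whitelisting product, of how a path-only rule and a path-plus-hash rule answer that question differently; the allow-list, paths, file contents and user names are all constructed.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allow-list taken from a known-good image: path -> SHA-256 of the
# approved binary. In practice these hashes come from the hardened standard image.
APPROVED = {
    r"C:\Windows\System32\notepad.exe": sha256_hex(b"constructed notepad build 1"),
    r"C:\Program Files\Reader\reader.exe": sha256_hex(b"constructed reader 11.0.3"),
}


@dataclass(frozen=True)
class ExecEvent:
    """A process-start event: the path it ran from and the bytes actually loaded."""
    path: str
    image: bytes
    user: str


def decide(event: ExecEvent, allow_list: dict, hash_rules: bool = True):
    """Return (verdict, reason). With hash_rules=False only the path is consulted."""
    approved_hash = allow_list.get(event.path)
    if approved_hash is None:
        return "deny", "path not on allow-list"
    if not hash_rules:
        return "allow", "path on allow-list (hash not verified)"
    if sha256_hex(event.image) != approved_hash:
        return "deny", "binary at approved path does not match approved hash"
    return "allow", "path and hash match"


def audit(events, allow_list):
    """Run each event through both rule types; return {path: (path_verdict, hash_verdict)}."""
    return {
        e.path: (decide(e, allow_list, hash_rules=False)[0], decide(e, allow_list)[0])
        for e in events
    }


# Constructed sample events: an approved binary, an unapproved download, and an
# approved path whose on-disk content has changed (here, a newer reader build).
SAMPLE_EVENTS = [
    ExecEvent(r"C:\Windows\System32\notepad.exe", b"constructed notepad build 1", "alice"),
    ExecEvent(r"C:\Users\alice\Downloads\invoice.exe", b"constructed unknown program", "alice"),
    ExecEvent(r"C:\Program Files\Reader\reader.exe", b"constructed reader 11.0.4", "bob"),
]

if __name__ == "__main__":
    for path, (by_path, by_hash) in audit(SAMPLE_EVENTS, APPROVED).items():
        print(f"{path}: path-rule={by_path} hash-rule={by_hash}")
```

The third event shows why the whitelisting and patching strategies have to be run together: patching an application changes its hash, so the allow-list must be regenerated as part of the patch process or the patched reader is blocked, while a path-only rule would let any content at that path run.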