Cybersecurity Frameworks and You: The Perfect Match
Denunciar
Compartilhar
•2 gostaram•940 visualizações
Cybersecurity Frameworks and You: The Perfect Match
•2 gostaram•940 visualizações
Denunciar
Compartilhar
Baixar para ler offline
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados(20)
![[Round table] zeroing in on zero trust architecture](https://cdn.slidesharecdn.com/ss_thumbnails/roundtablezeroinginonzerotrustarchitecture-200323112004-thumbnail.jpg?width=768&fit=bounds)
Destaque
Destaque(9)
Similar a Cybersecurity Frameworks and You: The Perfect Match
Similar a Cybersecurity Frameworks and You: The Perfect Match(20)
Mais de McKonly & Asbury, LLP
Mais de McKonly & Asbury, LLP(20)
Último
Último(20)
Cybersecurity Frameworks and You: The Perfect Match
- 1. Cybersecurity Frameworks and You The Perfect Match
- 2. Building Successful Employee Relationships A Cornerstone to Fraud Prevention and Risk Management
- 3. Building Successful Employee Relationships A Cornerstone to Fraud Prevention and Risk Management
- 4. Cybersecurity Frameworks and You The Perfect Match
- 5. Introductions Sam BowerCraft • Senior Manager in Internal Audit and Management Consulting Group • Certified Information Systems Auditor (CISA) • Security Consultant related to financial data, information systems, and assets. • M.S. Information Systems David Hammarberg • Principal of Forensic Accounting • Certified Fraud Examiner (CFE) • Director of Information Technology • CPA, MCSE, CISSP, CISA • 16+ years of experience
- 6. Objectives • Understanding the importance of using a framework in your organization. • How a framework can benefit an organization. • NIST Cybersecurity Framework: • The basic requirements for any organization.
- 8. An Exercise • List all the areas of information technology and security that are important for your organization to consider and address.
- 9. Framework Benefits • Structure • Building from a pre-existing foundation • Identify vulnerabilities • Analyze or evaluate the risk associated with that vulnerability. • Determine appropriate ways to eliminate or control the vulnerability. • Efficiency: Cost Savings (time and dollars) • Effectiveness • Support
- 10. Framework Drawbacks • While structure is good, understanding is better. • Limitations: • The framework versus your environment. • “No battle plan survives contact with the enemy.” - Helmuth von Moltke the Elder • Clarity of Responsibility: you and the framework
- 11. Best Practices NOT… • An automated security mechanism or setting. • A business practice. • A theory or possibility. It is in place. • The one best practice; it is not the best of all. • A human practice or method to perform a process. • Security related, helping to protect information, resources, or operations. • Effective as shown by experience and results. • Among the most effective practices used to perform this process.
- 12. Best Practices From Worst to Best: Chevron says: • Good Idea: Unproven. Intuitively makes sense, could be successful… requires analysis. • Good Practice: Has improved results; supported by data and analysis. • Local Best Practice: Best approach for large parts of the organization based on analysis of performance internally and some external review. • Industry Best Practice: Best approach for large parts of the organization based on analysis of performance internally and externally.
- 13. Standard Operating Procedures • Facilitate Communication • Provide consistency • Increase productivity • Provide for cross training • Help ensure things are done right.
- 15. Writing Things Down • How is your memory? • How long can you focus on one thing? • Written goals result in more achievement. • Reminders help focus… and keep track. • Unburden your brain; de-clutter with a list / framework. • Clearer thinking and being able to review… and communicate. • Identify what needs your focus.
- 16. Security Risk Assessment • Identify the potential inherent security risks. • Assess the likelihood and significance of occurrence of the identified security risks (ranking of risks). • Evaluate which users and departments are most likely to have a significant security event and identify the methods they are likely to use. • Identify and map existing preventive and detective controls to the relevant security risks (framework). • Evaluate whether the identified controls are operating effectively and efficiently. • Identify and evaluate residual security risks resulting from ineffective or nonexistent controls. • Respond to residual security risks.
- 17. Approach Comparisons Proscriptive • Scope the environment. • Do these things. • Evaluate control responses. • Design • Operation • Remediate/update controls. • Repeat. Risk Based • Scope the environment. • Evaluate vulnerabilities. • Rank risks. • Evaluate control responses. • Design • Operation • Remediate/update controls. • Repeat.
- 18. After the Risk Assessment • The Risk Assessment may reveal certain residual risks that have not been adequately mitigated due to lack of, or non-compliance with, appropriate preventive and detective controls. • The security professional works with the client to develop mitigation strategies for any residual risks with an unacceptably high likelihood or significance of occurrence. • Responses should be evaluated in terms of their costs versus benefits and in light of the organization's level of risk tolerance.
- 19. Cybercrime Cybercrime, is simply a crime that involves a computer and a network.
- 20. Types of Cybercrime • Hacking • Theft • Cyber Stalking • Identity Theft • Malicious Software • Child Soliciting and Abuse
- 21. Categories of Cybercrime • Individual: This type of cyber crime can be in the form of cyber stalking, distributing pornography, trafficking and “grooming.” • Property: In this case, they can steal a person’s bank details and siphon off money; misuse the credit card to make numerous purchases online; run a scam to get naïve people to part with their hard earned money; use malicious software to gain access to an organizations website or disrupt the systems of the organization. • Government: Crimes against a government are referred to as cyber terrorism. If successful, this category can wreak havoc and cause panic amongst the civilian population.
- 22. Combating Cybercrimes • Security Hardware • Security Software • Security Awareness • Working along side other businesses • Working with government agencies
- 23. Query • Are you willing to operate your information technology environment in an ad hoc and informal manner given the risks in the world today related to cybersecurity?
- 24. Query • Do you want to reinvent the wheel?
- 26. Cybersecurity - Basics • IT Environment Inventory • What do you need to protect? • What data does it house? • Risk Assessment • What risks do you face? • What vulnerabilities do you have? • Structure • Framework/roadmap • Checklist • Continuous Improvement
- 27. Risk Assessment – NIST Style 800-60
- 28. NIST Cybersecurity Framework • What is the framework? • 2013, President Obama issued Executive Order 13636, which directed NIST to work with stakeholders in developing a voluntary framework-based on existing standards, guidelines, and practices, for reducing cyber risks... (not just for government agencies)
- 29. NIST Cybersecurity Framework • https://www.nist.gov/cyberframework
- 36. NIST Cybersecurity Controls • ID.AM-1: Physical devices and systems within the organization are inventoried. • ID.AM-4: External information systems are catalogued. • ID.GV-1: Organizational information security policy is established. • ID.RA-1: Asset vulnerabilities are identified and documented. • ID.RA-4: Potential business impacts and likelihoods are identified. • ID.RA-6: Risk responses are identified and prioritized. • ID.AM-1: Physical devices and systems within the organization are inventoried. • ID.AM-4: ExternaPR.AC-1: Identities and credentials are managed for authorized devices and users. • PR.AC-3: Remote access is managed. • PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties. • PR.AT-1: All users are informed and trained. • PR.AT-2: Privileged users understand roles & responsibilities. • PR.IP-6: Data is destroyed according to policy. • PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.*THIS IS A SAMPLE
- 37. SANS Top-20 Critical Controls 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4. Continuous Vulnerability Assessment and Remediation 5. Malware Defenses 6. Application Software Security 7. Wireless Device Control 8. Data Recovery Capability (validated manually) 9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually) 10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 11. Limitation and Control of Network Ports, Protocols, and Services 12. Controlled Use of Administrative Privileges 13. Boundary Defense 14. Maintenance, Monitoring, and Analysis of Security Audit Logs 15. Controlled Access Based on the Need to Know 16. Account Monitoring and Control 17. Data Loss Prevention 18. Incident Response Capability (validated manually) 19. Secure Network Engineering (validated manually) 20. Penetration Tests and Red Team Exercises (validated manually)
- 38. NIST – Assess & Review • External Vulnerability Assessments • Network Architecture Reviews • VPN Security Reviews • Host/OS Configuration Reviews • Internal Vulnerability Assessments • Wireless Security Reviews • Firewall Security Reviews • Active Directory Reviews
- 39. Cyber Maturity
- 40. NIST Measuring Maturity One way management can assess and improve.
- 41. Documents • https://www.nist.gov/cyberframework • NIST Cybersecurity Framework website • http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf • Maturity model • https://www.sans.org/media/critical-security-controls/critical-controls- poster-2016.pdf • SANS Top 20 Critical Security Controls
- 42. Questions? Sam BowerCraft • Senior Manager in Internal Audit and Management Consulting Group • Certified Information Systems Auditor (CISA) • M.S. Information Systems • SBowerCraft@macpas.com David Hammarberg • Principal of Forensic Accounting • Certified Fraud Examiner (CFE) • Director of Information Technology • CPA, MCSE, CISSP, CISA • DHammarberg@macpas.com
- 43. Building Successful Employee Relationships A Cornerstone to Fraud Prevention and Risk Management
- 44. Questions? • Documents: • https://www.nist.gov/cyberframework • NIST Cybersecurity Framework website • http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf • Maturity model • https://www.sans.org/media/critical-security-controls/critical-controls- poster-2016.pdf • SANS Top 20 Critical Security Controls
- 45. Questions? Sam BowerCraft • Senior Manager in Internal Audit and Management Consulting Group • Certified Information Systems Auditor (CISA) • M.S. Information Systems • SBowerCraft@macpas.com David Hammarberg • Principal of Forensic Accounting • Certified Fraud Examiner (CFE) • Director of Information Technology • CPA, MCSE, CISSP, CISA • DHammarberg@macpas.com