Reviewing and summarization of university ranking system to.pptx
A guide to Sustainable Cyber Security
1. Ernest Staats MSIA, CISSP, CEH…
estaats@Networkpaladin.org
https://networkpaladin.org
https://tinyurl.com/y5jx76cw
2. LEGAL DISCLAIMER:
Nothing in this handout or presentation constitutes legal advice.
The information in this presentation was compiled from sources
believed to be reliable for informational purposes only. Any and
all information contained herein is not intended to constitute
legal advice. You should consult with your own attorneys when
developing programs and policies.
We do not guarantee the accuracy of this information or any
results and further assume no liability in connection with this
publication including any information, methods or safety
suggestions contained herein.
3. SUSTAINABLE
CYBERSECURIT
Y
Starts at Administration &
is:
Cultural not technical
Based on need not vendor
features
Iterative & Continuous
Built around accountability
Repeatable & scalable
Balanced – cost/risk vs
reward
Documented & auditable
4. DATA PROTECTION
STEERING
COMMITTEE
See TOR & Policy Templates
Treasury
Legal
Compliance
HR
Marketing
IT/InfoSec
Departments / Missions affected
Who will lead the security and the
privacy elements
5. 5
Reduce reliance
and burden on
people
Responsibilities Must
be understood
Policies Set the Framework to align People, Process and Technology
Processes
Reflect need of
People in relation to
policies
& Technology
SUSTAINABILITY RELIES ON:
Process
People
Technology
6. LESS IS MORE
50% of organizations use
anywhere from 6 to 20 security
vendors
Gaps in detections are largely
due to an "overabundance of
alerts”
Look for overlaps and eliminate
7.
8. CART BEFORE …
Rather than evaluating the
solution provided by vendors,
leaders should assess the value
of a product in relation to their
People, Process & Risk.
Build your list of needs /
requirements and evaluate all
venders based on your needs
not their special sauce
Prioritize security in the context
of Ministry enablement,
financial costs, & risk mitigation
to justify investments
9. NO BUSINESS VALUE = NO VALUE
• Know what business value
you have had in the last 6
months
• What have you done that has
impacted how a department
works
• Not Maintenance or security
value
10. A-I-C ORDER MATTERS
Availability a guarantee of reliable access
to the information by authorized people
Integritythe assurance that the information is
trustworthy and accurate
Confidentialitya set of rules that limits access to
information
11. THE
ANSWER
A Standard & Drills
(verification)
National Institute of Standards and Technology (NIST)
NIST Cybersecurity Framework, NIST Risk Management Framework
http://www.nist.gov/
1
Center for Internet Security (CIS)
CIS Critical Security Controls
http://www.cisecurity.org/
2
International Organization for Standardization (ISO)
ISO 27000-series publications
http://www.iso.org/
3
CySAFE
Combines NIST, CIS, and ISO taking best of each without duplication
Edits:
https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharin
g
4
12. YOUR
FRAMEWORK
Support Mission – Business Goals
Sufficient detail to support
regulation & compliance
requirements
Be implementable
Be measurable
Be documentable
Be defensible (auditable)
13. CIS FRIST 6
Prevent up to 90% of attacks
Control 1: Inventory and Control of
Hardware Assets
Control 2: Inventory and Control of
Software Assets
Control 3: Continuous Vulnerability
Management
Control 4: Controlled Use of
Administrative Privilege
Control 5: Secure Configuration for
Hardware and Software on Mobile Devices,
Laptops, Workstations, and Servers
Control 6: Maintenance, Monitoring and
Analysis of Audit Logs
14. SELF ASSESSMENT: “CYSAFE” OR CIS TOP 20
CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
CIS Top 20 https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
15. RISK MANAGEMENT SHOULD:
• Support the strategic objectives
• Enhance institutional decision-making
• Create a “risk-aware” culture
• Reduce operational surprises and losses
• Assure greater business continuity
• Improve use of funding by aligning resources with objectives
• Bridge departmental silos
Observe:
Identify Risk
Orient:
Categorize &
Prioritize
Decide:
Select &
Implement
Controls
Act:
Manage,
Assess, &
Monitor
16. FACTORS THAT CAN CAUSE FAILURE
Complexity
(Overlapping Solutions)
Focus on Technology
(Bright Shiny Object Disease)
Lack of Understanding of Risk
(Fear vs Reality)
Lack of Cyber Security Staff
17. CONTROLS TO
BUILD YOUR
FRAMEWORD
• HAVE A Plan &
Document your plan
• Change Management
Example
https://tinyurl.com/yyq6feyz
• Freedcamp
• Reading ideas
“Phoenix Project”
“Extreme Ownership”
“Radical Candor”
18. 1. No business impact when determining courses of
action
2. Lack cross-organizational considerations
3. Limited data classification
4. Ill-defined processes (aka “pre-thought use cases”)
5. No defined step-by-step procedures
6. No defined event terminology between responders
7. No defined thresholds between events and incidents
8. No pre-determined (aka “pre-canned”) external
communications
9. Lack of exercise of “memory muscle”
Top Cyber Incident Pain Points
19. MY TYPICAL RECOMMENDATIONS
• Password / Privilege Access Management
• Train Users
• Monitor and Log Everything
• Pick a frame work (NIST OR CIS OR CySAFE)
• Check Firewall ports (Outgoing)
• Assess & Document your world
• Server Vulnerability (SVA) & a Network Vulnerability (NVA)
Assessments
• Know what is being leaked IoT & Shadow IT
https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=shar
ing
20. BETTER
LEADERSHIP
• Empower through
conversations
• Use mission terminology
• Define metrics
• Find Root (Toyota “5-Whys”)
• Tech is a TOOL, not a
purpose
• Try device-free meetings
• Control interruptions
• Find time to daydream
21. DELIVERABLES
Firewall & Network setups
https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=
sharing
Cloud security
https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp
=sharing
Protocols and ports that need attention
https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=shar
ing
Authentication best practices: https://drive.google.com/file/d/1TyMTbghiOSqtuZv7c-
CqmurPiqcPdRpV/view?usp=sharing
Server and network rights
https://drive.google.com/file/d/130tcLpGBPE2Q4aYjknG7xaiIkK0CJPsq/view?usp=sha
ring
Servers:
https://drive.google.com/file/d/197jsrcHo4Izx9pWw7nv3dj01BIf0LiNl/view?usp=shari
22. TOOL TIME:
Root Folder on G-Drive
https://drive.google.com/drive/folders/1t4zZbe3bZb7yuZFNRZnSYOpfru_uzHpP?usp=s
haring
Throughput Testing
https://drive.google.com/drive/folders/1qcGAwBGfRB8-BV34kZjY6uPE-
_gK9qL6?usp=sharing
Network Mapping resources
https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=s
haring
CySafe:
https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=
sharing
CIS top 20
https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
3rd Party Vendor Vetting:
https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=
23. PERSONAL DATA PRIVACY HANDOUT
https://tinyurl.com/DataPri
TIPS FOR HOTEL SECURITY
https://www.youtube.com/watch?v=M0GGHIjShh4
24. HOW TO LEAD LIKE A SUPERHERO
• Listen harder than normal people do
• Help people even if you do not know them
• Focus on the needs of others more than your own
• Be creative in your efforts to save the day
• Be relentlessly optimistic
• Maintain a great sense of urgency
• Never tolerate bullies
• Don't stop trying until the job is done
• Know your Achilles Heel
25. “LIVING OFF THE
LAND”
• “Living off the land”
• Windows 10 PowerShell,
WMI, the Windows
Scripting Host
• Microsoft Office
“macros”
31. DESIGN: DATA PRIVACY (1/2)
•Impact of GDPR on
financial services –
•PCI FAQ –
•Reading level
calculator – (also
MS Office tools)
Additional resourcesWhere should I go to understand critical regulation?
How can I check whether my disclosures work?
•Industry
•Local
•Multinational
•Ask them
•Reading level calculator
32. DATA PRIVACY (2/2)
What does “good” look like when it comes to data privacy?
Overall Best
Practices
Capture Usage Retention & Erasure
Be extremely transparent
People don’t typically read
disclosures
• Always obtain consent to access
and use personal data
• When obtaining consent, think of
the people – easy to read, jargon-
free, mobile friendly
• Share how providing data helps
the them –
• High-level and detailed versions
• Tell customers what data will be
retained, for how long, and in
what form:
- De-identified vs. identified
- Single data pull vs. ongoing
feed
- Physical vs. electronic
Keep all data confidential
Especially with personal data,
maintaining confidentiality
preserves trust
• Check personal disclosures of
data acquired from partners
• Highlight confidentiality when
acquiring data
• Be particularly careful with identity
• Proactively notify people when
sharing their data with 3rd parties
• Only use the data for its intended
purpose –
• Upon erasure, ensure data is
completely deleted across where
it’s stored – incl. with partners,
redundant servers, etc.
Let customers “own” their data
Whether or not this is legally
the case. To maintain their
trust, act as if their data is
their own
• Where possible, allow people to
opt-out of specific data access
• Where possible, allow people to
opt-out of specific data uses –
• Have a process for people to
request updates to, correction of,
or erasure of their information
• Have a process to withdraw
consent
Take, keep, and use only
what’s valuable
All data carries risk,
• Don’t collect all data for all people
– identify the pieces which drive
the most value, and don’t collect
the rest
• Be particularly conscious of
regulation when using sensitive
classifications
• “Sunshine test”
• Set a retention policy for customer
data –
• Have a “what data should we
keep” process
33. SOFTWARE SECURITY
•OWASP Top 10 2017
•Balancing speed &
security
•Security 101 for
startups
•Security testing types
•Security fatigue
Additional resources
How do I balance speed and security?
What types of security testing should I be
using?
•Focus on the right level of technical security for
your stage
•See “Balancing Speed & Security” article
•Automated – before you deploy
•Black box 2x/year
•White box every 2years
What are the most common & dangerous software
security risks?
•See OWASP Top 10 article
34. INFRASTRUCTURE SECURITY (1/2)
•Full Infrastructure
Checklist
•AWS security features
and AWS security
best practices
whitepaper
•Azure security
features
•Cisco Checklist
•OWASP Top 10 2017
Additional resourcesIs outsourcing infrastructure or insourcing
more secure?
If I do outsource how can I ensure I’m
protected?
•Often, outsourcing will be best
•Specific situations may change this
•Cloud providers offer:
-Logging and monitoring with controls
-Identity & access management
-Encryption of data at-rest
•See the “AWS Security features”
35. INFRASTRUCTURE SECURITY (2/2)
What are some general best-practices for infrastructure security?
General
infrastructu
re
• Enable cloud infrastructure default security options
• Back up data at minimum daily, but limit redundancies
• Encrypt data while at rest and while in-transit
• Periodically purge data
• Have a BC/DR technology solution and plan
• Implement patches for known vulnerabilities as soon as possible
Passwords
& network
access
• Use a password manager
• Password reset
• Tiered access levels
• Require a secure VPN
Scanning &
monitoring
• Implement a simple logging function
• Include relevant data
• Create lockout thresholds
36. PARTNER MANAGEMENT
•Best practices to reduce
third-party cybersecurity
risk
•Approaching data
security in a fintech-
friendly world
•Steps to mitigate 3rd
party cybersecurity
threats
Additional resourcesSteps for partner vetting
•Pre-contract checks
-What are their encryption practice?
-Have they ever had a breach?
-Service-level agreements (SLAs)
-SLAs should be included in data policy
-Ability to audit & request specific security
standardsHow do I ensure my partner management is
successful?
•Learn from partners’ suggestions
•Continuous monitoring & review
Vendor Industry Templates:
https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp
=sharing
37. CULTURE
What does a best in class data protection culture look like?
Key beliefs Practices to reinforce
All of users need to
be aware and
careful of Security
issues
• Data protection newsletter –
- Current events – share one article and how it relates to the
company
- Employee highlight – public recognition for those who surface
issues
• Accountable executive for data protection is not just responsible for
technology
- Have non-technical (i.e. not IT) people train employees on data
protection
Be open and
transparent
• Celebrate employees who surface issues – publicly recognize people
• Don’t punish people
Data protection is
an ongoing effort
• Blame-free post-mortems
• Ongoing “security tracker”
More sharing =
more risk
• Limit partner integrations
38. DATA MANAGEMENT
•Security 101 for
startups
•What is social
engineering?
Additional resources
What are some best practice processes for data
protection?
Development • Regular penetration testing (3-6mo black
box, 12mo white box)
• Security review as part of SDLC
Hiring and
firing
• Do reference checks on developers and
employees
• Ensure digital “locks changed” when
employees leave
Reviews • Hold regular data protection reviews
(quarterly)
Miscellaneous • Do not use USB drives
• Encourage auto-lock of laptops (after 5
minutes)
• Have automatic locks on your office doors
and server rooms
• Train employees to not use risky websites
39. TRAINING
What content should I include in my data protection trainings?
All staff
• Our data security culture
- Why it’s important
- Key processes to prevent + report
issues
- Key components of the data policy
- Role-based guidelines
- Initial data privacy training
• Types of threats and how we mitigate
• Key data elements
• To be conducted on a regular basis
• Regular trainings:
• After a breach:
- Cover post-mortem of breach's
- Opportunity for Q&A
Engineerin
g, IT, Data
science
In addition to the above:
• Legislative & regulatory environment
• Communication & feedback loops
• Where security sits in all processes
• Roles & responsibilities
• Monitoring and maintenance
• Updates to data architecture and
procedures
• Changing Data security procedures
• Legislative or regulatory changes
ONBOARDING ONGOING
40. Identification &
Risk Assessment
Containment &
Resolution
Evaluation &
Improvement
BREACH RESPONSE (1/3)
•Data breaches 101
•Detailed guide for
cybersecurity event
recovery
Additional resourcesWhat is a data security breach?
What should be included in a security breach response
plan?
• Understand
extent of breach
• Assess risks from
breach
• Form team to lead
resolution
• Contain breach,
limit damage
• Review causes of
breach
• Understand
consequences
• Make process,
tech changes
Communication
• Plan and execute communication to employees and external
parties
21
4
3
•What is a Breach?
•Can be done locally or remotely
41. Identification &
Risk Assessment
Containment & Resolution Evaluation & Improvement
BREACH RESPONSE (2/3)
• Understand extent of
breach
- What personal data
- What was the cause
- How many people
• Assess risks from breach
- What potential for
harm
- Strategic & financial
risks?
- Legal or compliance
risks?
- Reputational risks?
- Financial risks?
• Form team to lead resolution
- Who will be accountable
- Employees needed?
- How often will the team
meet?
• Contain breach, limit
damage
- Are we still vulnerable?
- What systems changes?
- What process changes
- How to recover data?
• Review causes of breach – “post-
mortem”
- Vulnerabilities enabled the breach
- What other similar vulnerabilities?
• Understand consequences
- What consequences occurred
• Make process, tech changes
- Tech solutions or process changes
- Need to modify our data policy
- What training is needed?
- What is the cost to make these
changes
• Initial identification of
severity may be
incomplete, so be
thorough
• Key people to include on
team:
- Executive
- Legal counsel
• Don’t limit evaluation and
improvements
• Blame-free post-mortems
• Include people from across the
What are best practices in each phase of a breach response?
Best
practices
21 3
Keyquesitons
42. BREACH RESPONSE (3/3)
What communication is appropriate at each stage of breach response?
External
Intern
al
4
Identification &
Risk Assessment
Containment & Resolution Evaluation & Improvement
• Understand extent of
breach
• Assess risks from breach
• Form team to lead
resolution
• Contain breach, limit
damage
• Review causes of breach
• Understand consequences
• Make process, tech changes
• Notify groups who interact
with external parties;
• Include critical teams
- C-Suite, Legal,
Technology, PR (if
applicable)
- Board of directors
• Communicate to employees
• Provide regular updates to
leadership, legal until
issues are resolved
• Post-mortem is non-
punitive
• Include description of what
happened
• Communicate about
process and technology
changes
• Be careful about what you
communicate
• Speak to all relevant
external parties
• Always review with legal
• When you communicate,
include all key information
- Data involved
- Action taken
- Specific and clear advice
• Provide ongoing