How industry drives focus to determine and safeguard ISACA Sp 2016


Transcript of How industry drives focus to determine and safeguard ISACA Sp 2016

Page 1: How industry drives focus to determine and safeguard ISACA Sp 2016


How industry drives focus to determine and safeguard our greatest cyber threat

Robin Basham, M.IT CISSP CISA CGEIT CRISC CRP VRP

Vice President Information Security Risk and Compliance

Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA 95054

[email protected] https://www.linkedin.com/in/robinbasham cell (617) 947‐3405 


Cybersecurity Mission: Resilience

• What are our critical assets?
• Who is responsible for them?
• Is everyone involved in cyber-resilience?
• Do they have the knowledge and autonomy to make good decisions?
• Are we prepared for when there is a successful attack?
• Will there be a tried and tested process to follow, or will a cyber attack throw our organization into complete chaos?

Continuous monitoring cycle (the NIST SP 800-137 ISCM steps): Define, Establish, Implement, Analyze/Report, Respond, Review/Update. Continuous Monitoring maps to risk tolerance, adapts, and actively involves management.


Page 2: How industry drives focus to determine and safeguard ISACA Sp 2016


We’ve been having a continuous compliance conversation

• CIO: "Just FIX IT"
• CSO: "Manage risk – prioritize, drive the FIX"
• IT Ops: "The IT plan integrates the FIX"
• Engineer: "Just tell me how to FIX it"
• Audit: "Did you FIX it?"

In the context of cyber security, is it better?

Page 3: How industry drives focus to determine and safeguard ISACA Sp 2016


Compliance is a fabric that breaks down over time


There are many threads in the compliance fabric

• Industry – health, finance, consumer, education, government – each has different objectives and regulating bodies that impose laws in response to the risks surrounding those objectives
• Audits, Examinations, Assessments – SOC 2, ISO 27001, FFIEC Examination, SOX ITGCC, HIPAA/HITECH compliance, PCI DSS (people show up, the board gets reports, public disclosure may be involved, and findings can result in criminal charges)
• Guidance or Guideline – documents that HELP and explain how to do it; in some cases guidance supports a policy, so it determines "how" we comply
• Frameworks – COSO, COBIT, ITIL, NIST SP 800-53, the Cybersecurity Framework, CIS CSC – give us longitude and latitude (they frame how and what we govern)
• Standards – criteria-based best practice: DISA STIGs, CIS Benchmarks, SCAP
• Standards are accepted as best practices, whereas frameworks are practices that are generally employed
• Standards are specific, while frameworks are general

Page 4: How industry drives focus to determine and safeguard ISACA Sp 2016


And even more threads

• Mandates, Orders, Laws – you must comply (e.g. the CFR)
• Families or Domains – people, technologies and processes that we generally consider related
• Universe – the collection of processes associated with tests and controls, grouped by families or domains; used to organize ASSESSMENTS
• Controls – processes, what we do to enforce and govern; example: "manage change"
• Tests – how we measure that it happened. A test can have many sub-items, but in aggregate the set of measures tells us whether the control process is effective. We tie Policy Items to Tests. Tests live in the Universe.
• Policies – what we tell people they must do; usually they sit within an ISO 27002-based ISMS, measured by the ISO 27001 assessment
• Policy Items – (system policy) discrete configuration items

What do we want from a fabric?

• When it's hot – let us breathe
• When it's cold – add layers
• Last a long time – hold its shape
• Tell the world our story and style – reporting, informing, aligning
• Shrink and expand – agility, adaptability
• Provide protection – protect our assets, and us (our business, our reputation, our family)

Before we acquire a fabric, let's examine what we need

Page 5: How industry drives focus to determine and safeguard ISACA Sp 2016


Need begins with (industry) risk

What are the industries where we see groups of specific types of risk?


Juggle much?

• Energy – NERC
• Materials – ISO/IEC
• Industrials
• Health (HIPAA)
• Financial – GLBA
• Information Technology – NIST, PCI
• Consumer – ISO, ANSI
• Telecom
• Utilities
• Government (FISMA)
• Education
• Public companies (SOX ITGCC)
• Services – SOC 2
• FFIEC exam, PCI, DISA STIGs (IAD)
• CSP (FedRAMP)

Page 6: How industry drives focus to determine and safeguard ISACA Sp 2016


How do industries describe their risks & controls?

Financials
• Gramm-Leach-Bliley Act (GLBA)
• Sarbanes-Oxley Act (SOX)
• Payment Card Industry Data Security Standard (PCI DSS)
• Consumer Financial Protection Bureau (CFPB)
• Federal Deposit Insurance Corporation (FDIC)
• The Fair and Accurate Credit Transactions Act of 2003 (FACTA, Pub. L. 108-159, 117 Stat. 1952)
• The Federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), which FACTA amended, intended primarily to help consumers fight identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA.

Information Technology
• SABSA, ITIL, FFIEC, COBIT, NIST, DISA, NSA, TOGAF, CSA, ISO, PCI, ANSI ... and 2K more

Health Care
• Health Insurance Portability and Accountability Act (HIPAA) Security Rule – http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – http://www.nist.gov/customcf/get_pdf.cfm?pub_id=890098
• U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool, Technical Safeguards – http://www.healthit.gov/sites/default/files/20140320_sratool_content_-_technical_volume_v1.docx
• Omnibus Rule

Energy Utilities
• Critical Infrastructure Protection (CIP) cyber security reliability standards
• FERC, NERC

Materials, Industrials – Goods, Services, Transport
• The Global Standards Management Process (GSMP)
• Global Product Classification (GPC)
• United Nations Environment Programme (UNEP)
• International Trade Centre (ITC)
• International Centre for Trade and Sustainable Development (ICTSD)

Consumer Discretionary & Staples
• The Global Standards Management Process (GSMP)
• Global Product Classification (GPC)

Telecommunication Services
• Federal Communications Commission (FCC)
• CTIA – The Wireless Association
• National Cable & Telecommunications Association (NCTA)
• National Association of Regulatory Utility Commissioners (NARUC) (regulators of the individual states)

Government
• Freedom of Information Act
• The Information Assurance Directorate (IAD)
• NIST – DISA – NSA
• FIPS – FedRAMP – FISMA
• DoD Information Assurance Certification and Accreditation Process (DIACAP)

Predominantly, industries use the NIST SP 800-37 Risk Management Framework (RMF)


Page 7: How industry drives focus to determine and safeguard ISACA Sp 2016


Risk: What could go wrong?

• Reputation is a new target for cyber attacks – all industries
• Criminals value our information – financial, health, critical infrastructure, all industries
• Cyber risk is challenging to understand and address; regulation is imposed across all industries
• The changing pace of technology increases unknown dependency on third parties and shadow IT
• We cannot trace or control our data
• The role of government and information custody is often misunderstood

Our markets, laws, technology and resources drive the heat beneath our risks. Exercise: identify a risk that is not in your industry.

Threat landscape:
• Supply chain tampering
• Technology adoption dramatically expands the threat landscape
• The IoT leaks
• Algorithms compromise integrity
• Rogue governments use terrorist groups to launch cyberattacks
• APT
• Unmet board expectations
• Researchers silenced to hide security vulnerabilities
• Cyber insurance safety net is pulled away
• Governments become increasingly interventionist
• Regulations fragment the cloud
• Criminal capabilities expand gaps in international policing

Web application risks (from the OWASP Top 10, 2013 edition):
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards

Page 8: How industry drives focus to determine and safeguard ISACA Sp 2016


What behaviors provide most protection?

1. Control Administrative Privileges
2. Limit Workstation-to-Workstation Communication
3. Antivirus File Reputation Services
4. Anti-Exploitation
5. Host Intrusion Prevention Systems (HIPS)
6. Secure Baseline Configuration
7. Web Domain Name System (DNS) Reputation
8. Take Advantage of Software Improvements
9. Segregate Networks and Functions
10. Application Whitelisting

(These are the NSA Information Assurance Directorate's top ten mitigation strategies.)

What are the best tools and resources?

Turn in your business email to get links and downloads


Page 9: How industry drives focus to determine and safeguard ISACA Sp 2016


CSF provides a cyber security model

• Identify – CMDB, people, process, technology, relationships, alignment to controls
• Protect – architecture, infrastructure, monitoring
• Detect – defined sources, collection, interpretation, reporting methods
• Respond – RCA, corrective action, management meetings, plans, optimization targets
• Recover – configuration baselines, response plans, lessons learned, wiki, documentation, BIA

Use: NIST Framework for Improving Critical Infrastructure Cybersecurity, Annex A

Page 10: How industry drives focus to determine and safeguard ISACA Sp 2016


Download the NIST CSF Reference Tool: http://www.nist.gov/cyberframework/csf_reference_tool.cfm

Cyber Security Evaluation Tool

• Download and install CSET: https://www.us-cert.gov/forms/csetiso

Page 11: How industry drives focus to determine and safeguard ISACA Sp 2016


HITRUST CSF 7.0 Resources – registration required

• Offers a manual mapping of controls for implementing a controls assessment of the HITECH/HIPAA Security and Privacy Rules using multiple frameworks and standards: https://hitrustalliance.net/hitrust-csf/

Other Cyber Security Must Reads

• International Organization for Standardization, Risk management – Principles and guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm
• International Organization for Standardization/International Electrotechnical Commission, Information technology – Security techniques – Information security risk management, ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742
• Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800-39, March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
• U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, May 2012. http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20%20Final%20-%20May%202012.pdf
• There are literally hundreds of resources.

Page 12: How industry drives focus to determine and safeguard ISACA Sp 2016


There’s an elephant in the room


The CSF process requires analysis of the attack surface

Page 13: How industry drives focus to determine and safeguard ISACA Sp 2016


All of these industries require asset level cyber security

All industries expect us to provide:

• Board reports

• Boss reports

• Boss’s boss reports

• Decision support systems

• Security road map

• Enable business

• Drive IT Value


As an industry, our sensory system is overwhelmed


Page 14: How industry drives focus to determine and safeguard ISACA Sp 2016


(Image: the friendly lizard who was mistaken for a monster in the final episode of The X-Files on FOX; also some guy from Google Images covered in slime.)

We need a fabric


Page 15: How industry drives focus to determine and safeguard ISACA Sp 2016


What creates the threads that we can assert?

Ten normative references that totally rock the compliance world (the XCCDF element types defined in NIST IR 7275):

1. Benchmark – contains both descriptive information and structural information
2. Group – an item that can hold other items
3. Item – three types of items: <xccdf:Group>, <xccdf:Rule> and <xccdf:Value>
4. Model – a suggested scoring model for an <xccdf:Benchmark>
5. Profile – a named tailoring for an <xccdf:Benchmark>
6. Rule – the description for a single item of guidance or constraint; <xccdf:Rule> elements form the basis for testing a target platform for benchmark compliance
7. Status – the acceptance status of an element, with an optional date attribute that signifies the date of the status change
8. Tailoring – holds one or more <xccdf:Profile> elements and records additional benchmark tailoring
9. TestResult – encapsulates the results of a single application of an <xccdf:Benchmark> to a single target platform
10. Value – a named parameter that can be substituted into properties of other elements within the <xccdf:Benchmark>
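To make the ten element types concrete, here is an added example (not code from the slides, from Cavirin, or from NIST) that parses a constructed XCCDF 1.2 Benchmark and TestResult with Python's standard library, reads the Profile's deselections, lists the Rules that need a FIX, and computes the benchmark score under the default scoring model as I read it in NIST IR 7275: pass or fixed scores 100, fail/error/unknown scores 0, notapplicable/notchecked/informational/notselected are left out, and each Group or Benchmark is the weight-averaged score of its counted children. The benchmark, rule ids, profile, hostname and results are all constructed for the example; a real STIG or CIS benchmark would be the input.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
X = "{%s}" % XCCDF_NS

# Constructed benchmark (not a real STIG or CIS benchmark): two Groups, four
# Rules, one Value, one Status, and a Profile that deselects one Rule.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <status date="2016-05-19">draft</status>
  <title>Demo server baseline</title>
  <Profile id="xccdf_example_profile_server">
    <title>Headless server</title>
    <select idref="xccdf_example_rule_gui_pkgs" selected="false"/>
  </Profile>
  <Value id="xccdf_example_value_min_pass_len" type="number"><value>14</value></Value>
  <Group id="xccdf_example_group_auth" weight="2.0">
    <title>Authentication</title>
    <Rule id="xccdf_example_rule_pass_len" severity="high"><title>Minimum password length</title></Rule>
    <Rule id="xccdf_example_rule_lockout" severity="medium"><title>Account lockout threshold</title></Rule>
  </Group>
  <Group id="xccdf_example_group_services" weight="1.0">
    <title>Services</title>
    <Rule id="xccdf_example_rule_gui_pkgs" severity="low"><title>No GUI packages</title></Rule>
    <Rule id="xccdf_example_rule_telnet" severity="high"><title>telnet-server not installed</title></Rule>
  </Group>
</Benchmark>"""

# Constructed TestResult for one target, as a checker would emit under that Profile.
TESTRESULT_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_web01"
            start-time="2016-05-19T10:00:00" end-time="2016-05-19T10:01:00">
  <benchmark href="demo.xml" id="xccdf_example_benchmark_demo"/>
  <profile idref="xccdf_example_profile_server"/>
  <target>web01.example.test</target>
  <rule-result idref="xccdf_example_rule_pass_len"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_lockout"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_gui_pkgs"><result>notselected</result></rule-result>
  <rule-result idref="xccdf_example_rule_telnet"><result>pass</result></rule-result>
</TestResult>"""

PASSING = {"pass", "fixed"}
# Results that contribute nothing to a score in the default model.
UNCOUNTED = {"notapplicable", "notchecked", "informational", "notselected"}


def load_results(testresult_xml):
    """Map rule id -> result string from a TestResult."""
    root = ET.fromstring(testresult_xml)
    return {rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
            for rr in root.findall("x:rule-result", NS)}


def deselected_rules(benchmark_xml, profile_id):
    """Rule ids a Profile turns off via <select selected="false">."""
    for prof in ET.fromstring(benchmark_xml).findall("x:Profile", NS):
        if prof.get("id") == profile_id:
            return {s.get("idref") for s in prof.findall("x:select", NS)
                    if s.get("selected") == "false"}
    raise KeyError(profile_id)


def score_node(node, results):
    """(score, count, weight) for a Rule, Group or Benchmark under the default model."""
    weight = float(node.get("weight", "1.0"))
    if node.tag == X + "Rule":
        result = results.get(node.get("id"), "notchecked")
        if result in UNCOUNTED:
            return 0.0, 0, weight
        return (100.0 if result in PASSING else 0.0), 1, weight
    # Group/Benchmark: weighted average over children that counted.
    # Non-item children (title, status, Profile, Value) are skipped.
    total = weight_sum = 0.0
    counted = 0
    for child in node:
        if child.tag not in (X + "Rule", X + "Group"):
            continue
        s, c, w = score_node(child, results)
        if c:
            total += s * w
            weight_sum += w
            counted += 1
    if not counted:
        return 0.0, 0, weight
    return total / weight_sum, 1, weight


def default_score(benchmark_xml, testresult_xml):
    """Benchmark score (0..100) for one TestResult, rounded to two places."""
    score, _, _ = score_node(ET.fromstring(benchmark_xml), load_results(testresult_xml))
    return round(score, 2)


def fix_list(benchmark_xml, testresult_xml):
    """(rule id, severity, title, result) for every counted, non-passing Rule."""
    benchmark = ET.fromstring(benchmark_xml)
    results = load_results(testresult_xml)
    rows = []
    for rule in benchmark.iter(X + "Rule"):
        r = results.get(rule.get("id"), "notchecked")
        if r in UNCOUNTED or r in PASSING:
            continue
        rows.append((rule.get("id"), rule.get("severity", "unknown"),
                     rule.findtext("x:title", namespaces=NS), r))
    return rows


if __name__ == "__main__":
    print("score:", default_score(BENCHMARK_XML, TESTRESULT_XML))
    for row in fix_list(BENCHMARK_XML, TESTRESULT_XML):
        print("FIX:", *row)
```

The Authentication group has one pass and one fail (50) at weight 2, the Services group has one pass and one deselected rule (100) at weight 1, so the benchmark scores (50·2 + 100·1)/3 = 66.67. The deselected rule never reaches the fix list, which is exactly what a Profile is for.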

KEY IT Security and Risk resources

• SANS Top 20 Critical Security Controls V6. https://www.sans.org/critical-security-controls/
• NIST Framework for Improving Critical Infrastructure Cybersecurity, V1.0. http://www.nist.gov/cyberframework/
• NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations. Security control families: Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Program Management; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
• DISA Security Technical Implementation Guides (STIGs). http://iase.disa.mil/stigs/Pages/index.aspx
• ISO/IEC 27002:2013, Information Technology – Security techniques – Code of practice for information security controls. http://www.iso.org/iso/catalogue_detail?csnumber=54533
• COBIT 5. ISACA. http://www.isaca.org/cobit/pages/default.aspx
• Payment Card Industry Data Security Standard V3.1. https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v3-1#pci_dss_v3-1

Page 16: How industry drives focus to determine and safeguard ISACA Sp 2016


Control Correlation Identifiers (CCI)

• http://iase.disa.mil/stigs/cci/Pages/index.aspx
• The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice.
• CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control.
• This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance to multiple IA compliance frameworks.
• CCI also provides a means to objectively roll up and compare related compliance assessment results across disparate technologies.
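The roll-up the last bullet describes, as an added example (not Cavirin's or DISA's code): per-host findings from two different technologies are traced through their CCI references to SP 800-53 controls and families, so a failing Linux check and a failing Windows check that cite the same CCI land on the same control, and a CCI the mapping does not know is reported rather than silently dropped. The three CCI-to-control pairings are written from memory of the DISA CCI list and must be verified against the published list before any real use; the hostnames, technology names, rule ids and the unmapped CCI-999999 are placeholders constructed for the example.

```python
from collections import defaultdict

# Hand-built excerpt of the CCI-to-control mapping. These pairings are given
# from memory and must be checked against DISA's published CCI list before use.
CCI_TO_CONTROL = {
    "CCI-000366": "CM-6 b",
    "CCI-000213": "AC-3",
    "CCI-000018": "AC-2 (4)",
}

# Constructed findings: (host, technology, rule id, CCIs cited, status).
# Rule ids are hypothetical, not real STIG identifiers; CCI-999999 is a
# placeholder for a CCI the excerpt above does not cover.
FINDINGS = [
    ("web01", "RHEL 7",       "demo-linux-001", ["CCI-000366"],               "fail"),
    ("web01", "RHEL 7",       "demo-linux-002", ["CCI-000213"],               "pass"),
    ("ad01",  "Windows 2012", "demo-win-001",   ["CCI-000366"],               "pass"),
    ("ad01",  "Windows 2012", "demo-win-002",   ["CCI-000018", "CCI-000213"], "fail"),
    ("ad01",  "Windows 2012", "demo-win-003",   ["CCI-999999"],               "fail"),
]


def family(control):
    """'AC-2 (4)' -> 'AC': the family is the prefix before the first dash."""
    return control.split("-", 1)[0]


def rollup(findings, mapping=CCI_TO_CONTROL):
    """Aggregate findings per control.

    Returns (per_control, unmapped). per_control[control] holds pass/fail
    counts, the technologies that contributed evidence, and the hosts with a
    failing check. unmapped[cci] lists rule ids whose CCI is not in the mapping,
    so coverage gaps in the mapping are visible instead of hidden.
    """
    per_control = defaultdict(lambda: {"pass": 0, "fail": 0,
                                       "failing_hosts": set(), "technologies": set()})
    unmapped = defaultdict(list)
    for host, tech, rule, ccis, status in findings:
        if status not in ("pass", "fail"):
            continue  # notapplicable / notchecked etc. carry no evidence
        for cci in ccis:
            control = mapping.get(cci)
            if control is None:
                unmapped[cci].append(rule)
                continue
            entry = per_control[control]
            entry[status] += 1
            entry["technologies"].add(tech)
            if status == "fail":
                entry["failing_hosts"].add(host)
    return dict(per_control), dict(unmapped)


def control_status(per_control, control):
    """A control fails if any check tracing to it fails, on any technology."""
    entry = per_control.get(control)
    if entry is None:
        return "no evidence"
    return "fail" if entry["fail"] else "pass"


def family_summary(per_control):
    """Failing controls per 800-53 family, the board-level view."""
    out = defaultdict(lambda: {"controls": 0, "failing": 0})
    for control, entry in per_control.items():
        fam = family(control)
        out[fam]["controls"] += 1
        if entry["fail"]:
            out[fam]["failing"] += 1
    return dict(out)


if __name__ == "__main__":
    per_control, unmapped = rollup(FINDINGS)
    for control in sorted(per_control):
        e = per_control[control]
        print(control, control_status(per_control, control),
              "technologies:", sorted(e["technologies"]),
              "failing hosts:", sorted(e["failing_hosts"]))
    print("family summary:", family_summary(per_control))
    print("unmapped CCIs:", unmapped)
```

CM-6 b collects evidence from both RHEL 7 and Windows 2012 and fails because of web01, which is the cross-technology comparison the slide promises; AC-2 (4) and AC-3 both fail on ad01, so the AC family shows two of two controls failing.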

Open Vulnerability and Assessment Language (OVAL)

• OVAL® is an information security community effort to standardize how to assess and report the machine state of computer systems.
• Tools and services that use OVAL for the three steps of system assessment – representing system information, expressing specific machine states, and reporting the results of an assessment – provide enterprises with accurate, consistent, and actionable information so they may improve their security.

OVAL in the Enterprise

• Vulnerability Assessment
• Configuration Management
• Patch Management
• Policy Compliance
• Community Repositories of OVAL Content
• Vulnerability Databases and Advisories
• Benchmark Writing
• Security Content Automation

Page 17: How industry drives focus to determine and safeguard ISACA Sp 2016


Most of us still lack an effective compliance fabric

• If we constantly fixate on having one standard as the index to all standards, we waste time and are always doing the wrong things in the wrong ways for the wrong results
• We have to tie configuration guidelines to standards, and standards to risk scenarios + industry + time
• All standards and risks have a shelf life
• We use our fabric to sense and avert danger – so when something bad is about to happen, we get goosebumps

What if the elephant implemented unified best practices?

• Security controls and best practices from NIST, the Defense Information Systems Agency (DISA), the International Organization for Standardization (ISO), the Control Objectives for Information and Related Technology (COBIT) framework, and the Payment Card Industry Data Security Standard (PCI DSS):
  • access control policy
  • continuous monitoring
  • boundary protection
  • event auditing, incident detection and reporting
  • device authentication
  • user authentication
  • data encryption
  • vulnerability scanning
  • track and monitor all resources

Page 18: How industry drives focus to determine and safeguard ISACA Sp 2016


Audit Velocity increases Maturity

• Old approach: find a flaw, fix a flaw
• Better approach: find flaws and keep a prioritized list
• Best approach: align vulnerability metrics into a continual service improvement model
• http://www.fedramp.net/continuous-monitoring-program
• Information security continuous monitoring (ISCM) is defined (NIST SP 800-137) as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

Even if there must be an elephant in the room, it doesn’t have to be this elephant


Page 19: How industry drives focus to determine and safeguard ISACA Sp 2016


About Cavirin

Cavirin’s Automated Risk Analysis Platform (ARAP) manages the day-to-day challenges of implementing security best practices and assessing operational risk. Leveraging most major compliance and technology frameworks, including those within PCI, CIS, HIPAA, ISO, NIST, DISA, SSAE 16 SOC 2 and more, ARAP offers compliance transparency and actionable reporting across the entire enterprise. The Cavirin solution manages technology risk and compliance. It works in the data center as well as in the cloud, as a single end-to-end compliance fabric, applying the same industry and risk policies to virtually every point in your information supply chain.

Cavirin’s ARAP appliance continuously monitors and maps changes against operational and regulatory policies, elevating real-time visibility from threats to informed risk decisions and a basis for remedial action. ARAP is easily configured to suit your business’s unique regulatory and cybersecurity needs.

About your speaker: Robin Basham, VP Information Security Risk and Compliance

Robin Basham, M.Ed, M.IT, CISSP, CISA, CGEIT, CRISC, serves as Cavirin’s Vice President Information Security Risk and Compliance, providing thought leadership to industries ranging from large enterprise to soaring SMB, delivering concrete programs that transform compliance burden to strategic advantage. Robin is a Certified Information Systems Security, Audit, Governance and Risk professional, earning multiple master’s degrees in Technology and Education. She is an Enterprise ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud and Virtualization. Industry experience includes program direction, architecting and management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense and High Tech. Robin has held positions in Technology as an Officer at State Street Bank, Lead Process Engineering for a major New England CLEC, and Sr. Director Enterprise Technology for multiple advisory firms. Robin has delivered more than 75 compliance engineering products, and run two governance software companies. Most recently she served as Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Robin’s expertise and knowledge are highly recognized in Boston, Mid Atlantic, Silicon Valley and East Bay, where she has served hundreds of clients and is a frequent speaker, educator, and board contributor.


Page 20: How industry drives focus to determine and safeguard ISACA Sp 2016


Questions
