Cervone uof t - nist framework (1)

Cybersecurity: Understanding
Organizational Exposures
Frank Cervone, PhD
Executive Director for Information Services
College Information Security Officer
University of Illinois at Chicago
School of Public Health
June 11, 2019

The real underside
Image courtesy of Alex Cornell (twitter.com/alexcornell)

Quick intros
Who are you?
Biggest security
concern

Common misunderstandings
I have
antivirus
software, so
I’m good
Security is the IT
department‘s
problem
Security isn’t a problem
with Macs
https://support.apple.co
m/en-us/HT201222
I don’t have anything
on my computer
anyone would want

Cybersecurity is not an “IT problem”
It’s all about whether an organization can survive

This is what we are trying to avoid

Risk varies depending on context

Any organization can be a target
Image courtesy of CNN Money

Attacks are sophisticated
https://thehackernews.com/2015/06/Stegosploit-malware.html

Greatest organizational exposures
Where we think
the exposures
are
• Cloud-based Systems
• Network
• Applications
• Servers
Where the
greatest threats
lie
• E-Mail
• Mobile devices
• Internet of Things
2018 HIMSS Cybersecurity Survey

What is the greatest threat?
We need to align security with the organizational
culture and define acceptable working norms

Context of the threat
environment
Today’s threats are far more complex than most people realize

Cervone uof t - nist framework (1)

Why antivirus software?
• Examines computer for infections
• Monitors computer activity
• Scans new files to ensure they do not have a virus
• Clean, quarantine, delete

How does it work?
• Static analysis
• Match
known virus
patterns
• Uses a virus
scanning
engine
• Database of
known virus
signatures
• Comparison of
signature to
file may
indicate an
infection

Why is it not enough?
• If not in real time, malware can get through
• Vendors must constantly search for new viruses
• Vendors cannot keep up with the sheer number of new attacks
• Signature files must be kept up to date
• Most attacks today are not “virus” based

Things are bad, but we’re here to help

IoT raises many issues
• Many devices have no ability to be updated
• Therefore, it is impossible to address security
vulnerabilities
• Often long gaps between security updates
• Difficulty of applying security updates

Password fails
• 123456
• 123456789
• qwerty
• password
• 111111
• 12345678
• abc123
• 1234567
• password1
• 12345
• Iloveyou
• monkey
• dragon
• blink182

Security practice constantly is
evolving
1. Work0923
2. Th1s1s3as1lyGu3223dPassw0rd
3. Zr9@c&cRw!Ac
4. Would you like to know a secret?
5. Brown marble black flecks ick

2-Factor authentication
Something
you know
Something
you have
Something
you are

Security concepts have changed

Zero-trust
Role-
based
security
Least-
privileged
access

Approaches to fighting
ransomware
• Removal of
administrative
privilege
• Whitelisting
applications
• Offline backups
• Scanned for signatures
• Network penetration
tests

NIST Cybersecurity
Framework
Basis for sound security practice

Voluntary
Risk management
NIST Cybersecurity Framework
Standards
Guidelines
Best
practices

Identify
Asset Management
(ID.AM)
•The data, personnel, devices, systems, and facilities that enable the
organization to achieve business purposes are identified and managed
consistent with their relative importance to business objectives and
the organization’s risk strategy.
Business Environment
(ID.BE)
•The organization’s mission, objectives, stakeholders, and activities are
understood and prioritized; this information is used to inform
cybersecurity roles, responsibilities, and risk management decisions.
Governance (ID.GV)
•The policies, procedures, and processes to manage and monitor the
organization’s regulatory, legal, risk, environmental, and operational
requirements are understood and inform the management of
cybersecurity risk.
Risk Assessment (ID.RA)
•The organization understands the cybersecurity risk to organizational
operations (including mission, functions, image, or reputation),
organizational assets, and individuals.
Risk Management
Strategy (ID.RM)
•The organization’s priorities, constraints, risk tolerances, and
assumptions are established and used to support operational risk
decisions.
Develop the organizational understanding to manage cybersecurity risk to systems,
assets, data, and capabilities

Protect
Access Control
(PR.AC)
• Access to assets and associated facilities is limited to
authorized users, processes, or devices, and to authorized
activities and transactions.
Awareness and
Training (PR.AT)
• Personnel are provided cybersecurity education and are
trained to perform their information security-related duties
and responsibilities consistent with related policies,
procedures, and agreements.
Data Security
(PR.DS)
• Information and records (data) are managed consistent with
the organization’s risk strategy to protect the confidentiality,
integrity, and availability of information.
Information
Protection Processes
and Procedures
(PR.IP)
• Security policies, processes, and procedures are maintained
and used to manage protection of information systems and
assets.
Maintenance
(PR.MA)
• Maintenance and repairs of industrial control and
information system components is performed consistent with
policies and procedures.
Protective
Technology (PR.PT)
• Technical security solutions are managed to ensure the
security and resilience of systems and assets, consistent with
related policies, procedures, and agreements.
Develop and implement the appropriate safeguards to ensure delivery of critical
infrastructure services

Detect
Anomalies and
Events (DE.AE)
• Anomalous activity is detected in a timely manner
and the potential impact of events is understood.
Security
Continuous
Monitoring
(DE.CM)
• The information system and assets are monitored
at discrete intervals to identify cybersecurity
events and verify the effectiveness of protective
measures.
Detection
Processes
(DE.DP)
• Detection processes and procedures are
maintained and tested to ensure timely and
adequate awareness of anomalous events.
Develop and implement the appropriate activities to identify the occurrence of a
cybersecurity event

Respond
Response
Planning (RS.RP)
• Response processes and procedures are executed and
maintained, to ensure timely response to detected
cybersecurity events.
Communications
(RS.CO)
• Response activities are coordinated with internal and
external stakeholders, as appropriate, to include
external support from law enforcement agencies.
Analysis (RS.AN)
• Analysis is conducted to ensure adequate response
and support recovery activities.
Mitigation (RS.MI)
• Activities are performed to prevent expansion of an
event, mitigate its effects, and eradicate the incident.
Improvements
(RS.IM)
• Organizational response activities are improved by
incorporating lessons learned from current and
previous detection/response activities.
Develop and implement the appropriate activities to take action regarding a
detected cybersecurity event

Recover
Recovery
Planning (RC.RP)
• Recovery processes and procedures are executed
and maintained to ensure timely restoration of
systems or assets affected by cybersecurity events.
Improvements
(RC.IM)
• Recovery planning and processes are improved by
incorporating lessons learned into future activities.
Communications
(RC.CO)
• Restoration activities are coordinated with internal
and external parties, such as coordinating centers,
Internet Service Providers, owners of attacking
systems, victims, other CSIRTs, and vendors.
Develop and implement the appropriate activities to maintain plans for resilience
and to restore any capabilities or services that were impaired due to a
cybersecurity event

Levels of adoption
Tier 1 - Partial
• Not formalized
• Ad hoc
• Often reactive
• Limited
awareness of
cybersecurity risk
management
Tier 2 – Risk-
Informed
• Organizational-
wide awareness
of risk
• Policies may exist
• Handles risk as
they happen
Tier 3 –
Repeatable
• A formal
organizational risk
management
process is
followed by a
defined security
policy
Tier 4 –
Adaptable
• Cybersecurity
policy adapts
based on lessons
learned and
analytics
• Constant learning
from the security
events that occur
• Information is
shared with a
larger network

Matrix of capability
Tier Identify Protect Detect Respond Recover
1 PR.IP
PR.PT
DE.CM
DE.DP
RS.CO
RS.MI
RS.IM
RC.IM
RC.CO
2 ID.RA
ID.RM
PR.MA DE.AE RS.AN
RS.RP
RC.RP
3 ID.BE
ID.GE
PR.AT
PR.DS
4 ID.AM PR.AC

Developing a cybersecurity
program

Flow of security maturity
Cybersecurity
Risk Assessment
Disaster Recovery
Business
Continuity
Management

Risk Assessment
Identify vulnerabilities and areas of concern
Basis for developing policy

Risk management is multi-tiered
Organization
• Strategic risk management
Mission/Business
• Tactical approach to risk
Information Systems
• Focus on integrity and recovery

Threat assessment
Malicious internal
• Disgruntled employees
Malicious external
• Hacker groups –
hactivists/cybercriminals
Nonmalicious
external
• Errors of suppliers and
vendors
Nonmalicious
internal
• Human errors of
commission and omission

Likelihood
• More than 80% likely to occurDefinite
• 60-80% chance of occurrenceLikely
• Near 50/50 probability of occuringOccasional
• Low probability of occurrence (10-
40%), cannot be ruled out completelySeldom
• Rare and exceptional risks, less than
10% chanceUnlikely

Impact
• Near negligible amount of damageInsignificant
• The extent of damage is not too significant,
unlikely to make much of a difference to overall
operations
Trivial
• Not a great threat, but likely moderately
disruptiveModerate
• Significant consequences, significant loss, or
disruptionCritical
• Could completely shutdown operations or
cause long-term disruptionCatastrophic

Risk analysis matrix
1 2 3 4
2 4 6 8
3 6 9 12
4 8 12 16
Insignificant
(1)
Trivial
(2)
Moderate
(3)
Critical
(4)
Catastrophic
(5)
5
10
15
20
5 10 15 20 25
Impact
Unlikely
(1)
Seldom
(2)
Occasional
(3)
Likely
(4)
Definite
(5)
Likelihood

Risk control matrix
NAME OBJECTIVE
REF/ID RISK RISK IMPACT
RISK
LIKELIHOOD
TOTAL RISK
SCORE
1. Someone receives a phishing e-mail and clicks on the link
2. Someone downloads unauthorized software
3. A server administrator does not use unique passwords for
each server
4. An employee data file is accidently uploaded to a web server

How is risk addressed?
• Senior management involvement?
• IT understanding?
• Knowing the baseline
• Documenting the network
• Aligned technology
• Why is Xbox allowed on staff PCs?
• What is the organizational culture?
• High risk taking

Comprehensive Incident
Response and Continuity
Planning
How do we fix things when stuff goes wrong?

Disruption scenarios
Damage to or breakdown of
systems or equipment
Physical damage to a
building
Interruption of the
supply chain
Restricted access to a
site or building
Utility outage

Response and continuity steps
Prepare
Identify
Contain
Eradicate
Recover
Review

Prepare
Incident handling team should include security officers, system analysts and human
resources personnel
System backup plan should be in place
Personnel involved should be trained at an appropriate level.
• Basic business continuity principles
Contact information should be defined, available as hard copy
• Personnel that might assist in handling an incident
• Key partners who may need to be notified
• Business owners to make key business decisions
• Outside support analysts with security expertise
Supplies to assist the team in the event of an incident (jump bag)
• An empty notebook
• Boot media to analyze hard drives and recover passwords
• Petty cash (food, cabs, batteries as needed)

Identify
Issue identification can originate from many sources
• Staff
• End users
• External partners
Declare an adverse risk exists
• Assemble the team and implement the plan
• Save all key system files or records
• Start detailed documentation as soon as possible
Decide what the goals are in handling a particular incident
• Immediate business recovery
• Forensic examination

Contain
Basic procedures can contain many incidents
Specific procedures will depend on the nature of the incident
Basic steps to consider include
• Obtain and analyze as much system information as possible including key files and
possibly a backup of the compromised machine for later forensic analysis
• Powering off a machine might lose data and evidence.
• Disconnecting the network cable/disable wireless to facilitate containment and forensic
activity
If one machine has been exploited, others are likely vulnerable
• Download security patches from vendors
• Update antivirus signatures
• Close firewall ports
• Disable compromised accounts
• Change passwords as appropriate

Eradicate
Will frequently depend on the nature of the incident
Boot media should be used to access data on compromised machines
• Rootkits might affect basic system level utilities
If operating system has been compromised, it needs to be rebuilt
Test any backups prior to restore and monitor for a new incident
Document everything

Recover
Goal is to return safely to production
Specific actions depend on the nature of the incident
Retest the system
Consider timing of the return to production
Discuss customer notification and their concerns
Discuss media handling issues
Continue to monitor for security incidents

Worst case scenario
• Full data loss
• Don’t just focus on
recovery for the most
obvious "disasters"

Review
• To better handle future security incidents
• A final report describing the incident and how it
was handled
• Suggestions for handling future incidents

Testing the plan
Table-top exercise
Occurs in a conference room with
the team poring over the plan
Looking for gaps and ensuring that
all business units are represented
therein
Structured walk-through
Each team member walks through
his or her components of the plan
with a specific disaster in mind
Identify weaknesses
Can incorporate drills and disaster
role-playing into the structured
walk-through.
Weaknesses are identified,
corrected, and plan is updated
Disaster simulation testing
Create an environment that
simulates an actual disaster
All equipment, supplies and
personnel (including partners and
vendors) who would be needed
To determine if you can carry out
critical business functions during
the event

Table top exercise
• Set a scenario for discussion
• Developed in advance
• Not super technical
• Discuss vulnerabilities and possible scenarios
• Has representation from all areas
• Limit to about an hour

Typical KPIs
• Computer patching policy compliance
• Mean time to patch critical/urgent issues
• User security awareness training engagement
• Virus infection activity (real time notification)
• Disaster recovery test results
• Number of security policies
and standards that have been
fully implemented and adopted
• Network probing attempts

Example security compliance
report

Employee Awareness
Campaign
i.e., Security Training

Actually kind of controversial
Security training is
ineffective and a
waste of time and
money
Security training is
our best offense
against a major
incident that could
easily be avoided

Required by law
• Security awareness training requirements for all
workforce members. New workforce member must be
trained within a reasonable time period. Must include
periodic security updates.
HIPAA
• Train staff to recognize and respond to schemes to
commit fraud or identity theft, such as guarding against
pretext calling; Provide staff members with instruction
about computer security; train staff to properly dispose of
customer information.
Gramm-Leach-Bliley
Act (GLBA)
• Requires training focused on reasonably foreseeable risks
to the security, confidentiality, and/or integrity of
personal information. Must be ongoing and for
permanent employees, temporary, and contract
employees.
Massachusetts’s Data
Security Law
• Requires federal agencies to establish a security
awareness training program. Must include contractors
and “other uses of information systems” that support the
agency.
Federal Information
Security Management
Act (FISMA)

Required by standards
• Developed by the credit card industry’s PCI council. PCI-DSS12.6
requires that organizations implement a formal security awareness
training program to make all personnel aware of the importance of
cardholder data security. Personnel must be trained upon hire and at
least annually.
Payment Card Industry
Data Security Standard
(PCI-DSS)
• Provides guidance on information security management in
organizations. Contains requirement that all employees receive data
security awareness training.
ISO/IEC 27002
• Federal agencies look to NIST 800-53 to guide their rulemaking and
enforcement. Security awareness training and security awareness
techniques based on the specific organizational requirements and the
information systems to which personnel have authorized access.
NIST Special
Publication 800-53

Basic topics security training
should cover
Phishing
Social
engineering
Malware
Passwords
Use of portable
devices
Physical access
Data destruction Encryption Data breach

Resources for training
HHS - http://irtsectraining.nih.gov/publicUser.aspx
SANS CyberAces -
http://www.cyberaces.org/courses/
FEMA -
https://www.firstrespondertraining.gov/ntecatalog

Resources for cybersecurity and
business continuity
• Small Business Information Security: The
Fundamentals
• https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
• Baldrige Cybersecurity Excellence Builder (BCEB),
Version 1.1
• https://www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative
• Two very useful worksheets
• BCEB Categories 1-7 Questions and Notes Only
• BCEB Self-Analysis Worksheet
• Professional Practices for Business Continuity
Professionals
• https://drii.org/resources/professionalpractices/EN

Web resource centers
CERT
http://www.cert.org/
Information on security vulnerabilities
Incident Response Consortium
https://www.incidentresponse.com/
Resource for creating security policies and
planning for incident response
IAPP
https://www.iapp.org
International Association of Privacy
Professionals

Cervone uof t - nist framework (1)

More Related Content

What's hot (20)

Similar to Cervone uof t - nist framework (1) (20)

More from Stephen Abram (20)

Recently uploaded (20)

Cervone uof t - nist framework (1)