Cybersecurity: Frameworks, Fundamentals, and Foundations
A Journey towards Improved Security
02.09.2023
RoundTable Technology is a strategic partner who will work with your
organization to help you leverage technology to fulfill your mission.
We understand what it's like to be a nonprofit, working with limited
resources, budget, and people. That's why we only hire personnel that are
themselves driven by serving those who serve. We are currently supporting
over 200 nonprofit clients and helping them get their technology under
control.
Destiny Bowers
vCISO
Nice to meet you.
POLL #1
What brought you here today?
Foundations: Where to Start
A Little Jargon
Framework: A high-level structure that outlines what your security program looks like and what it is responsible for. It is designed to create a common language for managing risk within a company.
Control: Cybersecurity controls are the countermeasures that companies implement to detect, prevent, reduce, or counteract security risks.
Standard: A collection of best practices created by experts to protect organizations from cyber threats and help improve their cybersecurity posture.
Regulations: Have a legally binding impact. The way they describe how something should be performed indicates government and public support for the rules and processes set forth in the regulation (HIPAA, GDPR).
What is Driving the Need for Cybersecurity?
Laws: NYS SHIELD, GDPR, CCPA, TMRPA
Compliance/Regulations: HIPAA, PCI
Insurance Companies
Auditors
Data Privacy
Partners
Pandemics
Oh, and cyber criminals!
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
Know What You Have
Threat Modeling
Good security decisions begin with assessing your security posture.
To start, ask yourself the following questions:
1. What do I want to protect?
2. Who do I want to protect it from?
3. How likely is it that I’ll need to protect it?
4. How bad are the consequences if I fail?
5. How much trouble am I willing to go through to try to prevent potential consequences?
Source: https://ssd.eff.org/module/seven-steps-digital-security
Imagine if a hacker gained access to… the email account of a staff member with authority to direct other staff members, or to communicate with a client or partner.
Imagine your reputational damage if… your connections to other partners or customers were exploited, leading to their breach.
Imagine the disruption to your business… if all of your files and records disappeared suddenly and the systems you use were inaccessible.
The Fork in the Road - Ambiguity
Fundamentals: Planning Your Route
Cybersecurity is a garden of mostly low-hanging fruit.
5 Must Have Security Controls for Cyber Insurance
These controls will help satisfy most of the insurance requirements:
1. Multi-Factor Authentication (MFA) on all systems, admin accounts and remote access
2. Backups
3. Endpoint Detection and Response (EDR) antivirus
4. Patch Management for Endpoints
5. Ongoing Cybersecurity Training for Staff
Ground Fruit 🐨
🍎 Setting and enforcing application controls (Control what applications can do)
🍎 Patching applications (Run updates and use current versions)
🍎 Configuring Microsoft Office Macro settings (keep Macros micro)
🍎 Hardening user applications (Control what web browsers can do)
🍎 Restricting administrative privileges (Keep regular and admin accounts separate)
🍎 Patching operating systems (Run updates and use current versions)
🍎 Using Multi-Factor Authentication (MFA all the way!)
🍎 Ensuring daily backups (including the SaaS and Cloud apps)
Source: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
Frameworks: Hitting the Road
Your Map
Spin the Wheel, Pick a Cybersecurity Framework (CSF)
National Institute of Standards & Technology - Cybersecurity Framework (NIST CSF)
Identify: Organizations must identify and classify assets and develop an understanding of their environment, threats, and exposures in order to manage cybersecurity risk to systems, people, assets, data and capabilities.
Protect: Organizations must develop and implement the appropriate safeguards to prevent, limit or contain impact from potential cybersecurity events.
Detect: Organizations must implement appropriate measures to quickly identify cybersecurity events.
Respond: Should a cyber incident occur, organizations must have the ability to contain the impact, implement an effective response, and perform all required activities to remediate the incident.
Recover: Organizations must develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event and incorporate lessons learned into revised response strategies.
NIST CSF Checklist
Identify Protect Detect Respond Recover
● Asset Inventory
● Risk Assessment
● C/I/A
● Data Classification
● Regulatory Compliance
● Threat Modeling
● Defense in Depth
● Network Defense
● Endpoint Protection (EPP)
● SaaS Protection and Zero Trust
● Encryption
● Identity
● Human Layer
● People
● Endpoint Detection and Response (EDR)
● Monitoring and Alerts
● Honeypots
● Scanning (network, dark web, etc.)
● Managed Detection & Response (MDR)
● Extended Detection & Response (XDR)
● SOC/ NOC/ 3rd Party Responders
● Tabletops
● Incident Response Plan
● Cyber Liability Insurance
● Backups
● Business Continuity and Disaster Recovery (BCDR)
Know What You Have
Do you know your TechStack?
Windows 10: Most workstations running Windows 10. Mixed versions of MS Office. 2-8 years old - avg 5 years old.
Windows 2008 Server: File sharing, Active Directory, QuickBooks, Volunteer DB
Filemaker Pro: Volunteer Management database - custom built 10+ years ago
Salesforce NPSP: Salesforce Nonprofit Starter Pack for Donor Management
Google Workspace: Email, calendars & some file sharing
Shadow IT: Misc USB drives, DropBox and rogue Google Accounts
Risk Assessment
IDENTIFY ASSETS: Tangible & Intangible
IDENTIFY THREATS & VULNERABILITIES: Internal & External
ASSESS CURRENT STATE: Processes, Systems, Roles
EVALUATE RISKS: Business Impact; Probability and Impact Assessment; Prioritize Risk Mitigation Steps
ASSIGN OWNERSHIP: Responsible Individual
CIA Framework / Triad
C - How bad would it be if the information was exposed?
I - How bad would it be if the information was lost?
A - How bad would it be if the information was not available?
Low - Wouldn’t care
Medium - Not great, but not catastrophic
High - Possibly catastrophic
Source: https://laconteconsulting.com/2018/12/02/calculate-impact-and-probability/
Qualitative Risk Assessment
Quantitative Assessment: The ALE you would prefer not to drink
● Estimate cost of an incident - $77K*
● Estimate annual probability - 30%
● Calculate Super Simple ALE - 30% of $77K = $23,100
Annual Loss Expectancy - current state - $23,100
Takeaway: If we can reduce probability to 10% through improved cybersecurity, it’s worth over $15,000 in annual loss expectancy reduction.
*Source: https://netdiligence.com/wp-content/uploads/2021/03/NetD_2020_Claims_Study_1.2.pdf
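The ALE arithmetic above, carried through in code as an added example (not from the presentation) and extended to rank several candidate controls by net annual benefit; the control costs and their effect on probability are constructed figures, not numbers from the deck.

```python
"""Quantitative risk assessment with Annual Loss Expectancy (ALE).

ALE = single-incident cost x annual probability. The slide's numbers
($77K per incident, 30% per year -> $23,100) are the check case; the
controls below and their cost/effect figures are constructed for this
example and are not from the presentation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    incident_cost: float       # estimated cost of one incident, in dollars
    annual_probability: float  # estimated chance the incident happens in a year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # what the control costs to run per year, in dollars
    residual_probability: float  # annual probability once the control is in place


def ale(incident_cost: float, annual_probability: float) -> float:
    """Annual Loss Expectancy, rounded to cents."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual probability must be between 0 and 1")
    if incident_cost < 0:
        raise ValueError("incident cost cannot be negative")
    return round(incident_cost * annual_probability, 2)


def ale_reduction(scenario: Scenario, control: Control) -> float:
    """ALE removed per year by a control (the slide's 'worth over $15,000')."""
    before = ale(scenario.incident_cost, scenario.annual_probability)
    after = ale(scenario.incident_cost, control.residual_probability)
    return round(before - after, 2)


def net_benefit(scenario: Scenario, control: Control) -> float:
    """ALE reduction minus what the control costs to run each year."""
    return round(ale_reduction(scenario, control) - control.annual_cost, 2)


def rank_controls(scenario: Scenario, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls ordered by net annual benefit, best first.

    A negative net benefit means the control costs more than the loss it
    avoids for this scenario; such controls are still returned so the
    caller can see them and decide.
    """
    scored = [(c.name, net_benefit(scenario, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def worked_example() -> tuple[float, float]:
    """Reproduce the slide: current ALE, and the saving from cutting probability to 10%."""
    scenario = Scenario("Email account compromise", incident_cost=77_000, annual_probability=0.30)
    improved = Control("Improved cybersecurity (slide's 10% target)", annual_cost=0,
                       residual_probability=0.10)
    current = ale(scenario.incident_cost, scenario.annual_probability)
    return current, ale_reduction(scenario, improved)


# Constructed control figures for illustration only; replace with your own estimates.
SAMPLE_CONTROLS = [
    Control("MFA on email and remote access", annual_cost=1_200, residual_probability=0.12),
    Control("EDR on all endpoints", annual_cost=3_000, residual_probability=0.20),
    Control("Ongoing staff security training", annual_cost=800, residual_probability=0.22),
    Control("Premium firewall appliance", annual_cost=9_000, residual_probability=0.21),
]


if __name__ == "__main__":
    current, saving = worked_example()
    print(f"Current ALE: ${current:,.2f}; saving at 10% probability: ${saving:,.2f}")
    scenario = Scenario("Email account compromise", 77_000, 0.30)
    for name, benefit in rank_controls(scenario, SAMPLE_CONTROLS):
        print(f"{name}: net benefit ${benefit:,.2f} per year")
```

The ranking treats each control on its own; the reductions are not additive when several controls are stacked, so re-estimate the residual probability for the combination before budgeting.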
POLL #2
What cybersecurity measures are you currently taking?
Swiss Cheese Defense-in-Depth for Cybersecurity
Recognizing that no single intervention is sufficient to prevent harm
● Threat Modeling & Risk Assessment
● Training & Awareness
● Identity & Authentication
● Endpoint Protection
● Policies
● Testing & Monitoring
● Preparedness & Incident Response
The Human Layer
Training
● Social Engineering
● Phishing/Smishing/Vishing
● Policies
● Environmental Awareness
● Open Source Intelligence (OSINT)
● Security Culture
● Repeat
Figure: four example passwords (123456, 45gg$5609932fc%, I like to eat pickles 2 days a week., X9fg44!2) plotted on a Weaker to Stronger axis and an Easy to remember / Easy to type to Difficult to remember / Difficult to type axis.
● The average person has to log on to over 170 sites/services and only has 3 to 19 passwords
● Lots of weak, shared passwords (or password patterns)
● Lots of passwords that are easy for adversaries to guess
● One compromise more easily leads to other compromises
Think Passphrases - Not Passwords
Source: How Secure Is My Password? | Password Strength Checker
Password Managers
Allow you to create and easily use unique, strong, perfectly random passwords for each site/service
● Passwords made up by people tend to be guessable within the lifetime of the password, most within hours to days
● A user-created password needs to be 20 characters or longer to be unguessable/uncrackable, but a 12-character perfectly random password is already unguessable/uncrackable
● Protect against phishing
● Audit your passwords
● Share passwords securely
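As an added illustration (not from the presentation), the estimator below scores the four passwords from the earlier slide and the 12-character-random claim above, contrasting the brute-force model that strength checkers use with a word-based model for passphrases; the common-password list, the 20,000-word vocabulary and the guessing rate are constructed assumptions.

```python
"""Rough guess-space estimates for the slide's four example passwords.

Two estimators: the brute-force model (charset size ^ length) used by
password-strength checkers, and a word-based model for passphrases. The
common-password list, the 20,000-word vocabulary and the 10 billion
guesses/second rate are constructed assumptions for this example.
"""
import math
import string

# Constructed stand-in for a leaked-password list; real checks use millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein"}

ASSUMED_VOCABULARY = 20_000      # distinct words an attacker might try per word slot
ASSUMED_GUESSES_PER_SEC = 1e10   # offline cracking of a fast hash; rough figure
SECONDS_PER_YEAR = 365.25 * 86_400


def charset_size(password: str) -> int:
    """Size of the character-class mix that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 ASCII punctuation characters plus space
    return size


def brute_force_bits(password: str) -> float:
    """Entropy if every character were chosen uniformly from its charset."""
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def passphrase_bits(password: str, vocabulary: int = ASSUMED_VOCABULARY) -> float:
    """Entropy if an attacker guesses whole words instead of characters."""
    return len(password.split()) * math.log2(vocabulary)


def estimated_bits(password: str) -> float:
    """Conservative estimate: the weakest model that applies to this password."""
    if password in COMMON_PASSWORDS:
        return 0.0  # among the first guesses from any wordlist; no search needed
    bits = brute_force_bits(password)
    if len(password.split()) >= 3:  # looks like a passphrase: assume word guessing
        bits = min(bits, passphrase_bits(password))
    return bits


def years_to_exhaust(bits: float, guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Time to try the whole space at the assumed rate (expected time is half this)."""
    return (2 ** bits) / guesses_per_sec / SECONDS_PER_YEAR


def compare(passwords: list[str]) -> list[tuple[str, float]]:
    """Passwords with their estimated bits, weakest first."""
    scored = [(p, round(estimated_bits(p), 1)) for p in passwords]
    return sorted(scored, key=lambda pair: pair[1])


SLIDE_PASSWORDS = ["123456", "45gg$5609932fc%", "I like to eat pickles 2 days a week.", "X9fg44!2"]

if __name__ == "__main__":
    for pw, bits in compare(SLIDE_PASSWORDS):
        print(f"{bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years to exhaust  {pw!r}")
    # The password-manager slide's claim: 12 random printable characters
    print(f"12 random printable characters: {12 * math.log2(95):.1f} bits")
```

The brute-force figure for the passphrase is far higher than the word-based one, which is why strength checkers flatter human-chosen passwords; the random 12-character value needs no such discount.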
Multi-Factor Authentication (MFA)
Source: Multi-Factor Authentication - CyberProtex
The Technical Layer
Defense-in-Depth
Secure Data Access Model
Organizational Data Lifecycle Management
Device Checklist
● Antivirus / Anti-malware
● Current OS and Software
● Screen Lock
● Strong Device Password
● OS and Security Updates
● Hard drive and device Encryption
● Website Filters
● Camera Cover
● Good home Wifi security
Additional Checklist
❏ Web, Application, and Network Firewalls
❏ Mobile Device Management
❏ Proper Cloud/SaaS Application Configuration
❏ Patching and Updates
❏ Website Updates
POLL #3
When was the last time you provided measurable security awareness training to your staff?
Alerts
MS365: Microsoft 365 alert policies - Microsoft Purview (compliance); Real-Time Alerting with Microsoft 365 Alert Policies - Office 365 Reports
Google Workspace: Configure alert center email notifications - Google Workspace Admin Help
Endpoint Detection & Response (EDR) / Managed Detection & Response (MDR)
Monitoring and Scanning
❏ Identify Look-Alike Domains - Domain Doppelganger
❏ Email and Phone Data Breaches - Firefox Monitor / Have I Been Pwned
❏ Website Vulnerabilities - Sucuri SiteCheck
❏ Network Scans - Angry IP Scanner
❏ Network Monitoring - Changes in your network | runZero
Cyber Defense Matrix
● Risk Assessment
● Compliance Verification
● Penetration Testing
● Vulnerability Scanning
● Awareness Training
● Endpoint protection
● Firewalls
● IDS/IPS
● AV
● EDR
● WAFs
● Alerts
● Security Operations
● Remediation
● Incident Response & Triage
● Forensics
● Backups
What Is A Tabletop Exercise?
Tabletop Exercise - Objectives
● Create a safe space
● Identify gaps in crisis management
● Identify gaps in current practices
Why Is A Fire Drill Useful?
Have a Plan!
POLL #4
How protected do you feel?
Backups - Cover Your SaaS
Your data in the cloud is vulnerable to loss and breaches for these reasons:
Human error: Everyday human errors account for up to 64% of data loss incidents, according to Aberdeen research. Employees inevitably delete the wrong email, contacts, or critical configurations.
Malicious insiders: Employee action is involved in up to 23% of all electronic crime events, according to the CERT Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute.
Illegitimate deletion requests: SaaS providers will honor your deletion request without question. They have no way of knowing whether it’s a hasty (or malicious) request, and they are not responsible for any unexpected results.
Malware and viruses: Rogue software can spread mayhem with programmatic efficiency without an active attack from a hacker. Many malware programs and viruses emerge from existing code after hibernation, making them especially hard to defend against.
Synchronization errors: Syncing or updating multiple SaaS applications, a common scenario in organizations, is not always seamless and can cause loss of SaaS data.
Hackers, Malware, Ransomware, Cryptomining, Phishing: There is an ever-growing list of malware types and scams. Social engineering attacks that target employees with phishing and whaling are proving to be incredibly successful, according to Verizon’s data breach report. The damage from such breaches is devastating not only in terms of financial loss; it also harms the business’ reputation and causes loss of customers.
Cyber Insurance
Business Continuity and Disaster Recovery
BCDR Inventory Example
Column definitions:
Information - What is this information called?
Description - Description
Location - Where is this information housed?
Recovery Point Objective (RPO) - The amount of data at risk. It's determined by the amount of time between backups and reflects the amount of data that potentially could be lost during a disaster recovery.
Recovery Time Objective (RTO) - The metric refers to the amount of time it takes to recover from a data loss event and how long it takes to return to service. RTO refers then to the amount of time the system's data is unavailable.
Recovery Level Objective (RLO) - This is the level of granularity required for restoration of the selected information. For example, is it sufficient to be able to restore only the entire database from a point in time, or do you require the ability to restore a specific record?
In-place Safeguards - What existing protections are in place for the backup and recovery of this data/service?
Comments - Indicate any changes to be made or questions to investigate.
Information | Description | Location | RPO | RTO | RLO | In-place Safeguards | Comments
Salesforce | CRM database | Salesforce (Cloud) | 4 hours | 24 hours | Record level restore | Basic Salesforce Retention | Review restore options and consider backing up with Spanning
Email | All organizational email | Gmail (G Suite for Nonprofits) | 4 hours | 4 hours | Full single mailbox restore acceptable | Spanning.com | Satisfactory
File Shares | All organizational files | File Server (in-house) | 24 hours | 24 hours | Individual file restore | USB Backup Drives (onsite) | Look into offsite backup option with Crashplan or BackBlaze
Voice | Phone system | Dialpad (Cloud) | 24 hours | 1 hour | Full system restore acceptable | None | Document administrative accounts and authorized personnel
Website | Organization's website | WordPress, hosted at BlueHost | 24 hours | 1 hour | Full site restore acceptable | Unknown | Speak with BlueHost, gain understanding of backup/restore options and what is already in place
Your Co-Pilot
CIS Controls
The CIS Framework was originally developed in 2008 to help small and mid-sized organizations manage complex cybersecurity requirements.
This changed the discussion from “what should my enterprise do” to “what should we ALL be doing” to improve security.
CIS Framework Controls are broken down into three categories: Basic Controls, Foundational Controls, and Organizational Controls.
CIS Controls are meant to apply easily to any industry or sector.
Many CIS controls can be directly mapped back to both NIST and ISO.
Center for Internet Security Controls v.8
Source: https://storage.pardot.com/799323/1638289699nZsVAZCD/CIS_Controls_v8_Mapping_to_NIST_CSF_FINAL_06_11_2021.xlsx
CIS Implementation Groups
The CIS Controls framework then goes even further to define three implementation groups.
● IG 1 is for organizations with limited resources and cybersecurity expertise.
● IG 2 is for organizations with moderate resources and cybersecurity expertise.
● IG 3 is for mature organizations with significant resources and cybersecurity expertise.
Under each of the 18 controls, the CIS Controls framework provides a list of sub-controls, color-coded to indicate which implementation group should be using them.
For example, CIS Control 1 “Inventory and Control of Hardware Assets” lists the sub-control “Utilize an Active Discovery Tool”, which is appropriate for Implementation Groups 2 and 3 but considered too much of a burden for Group 1.
CIS Controls Self Assessment Tool (CIS CSAT)
Source: https://csat.cisecurity.org/accounts/signup/
Public Resources
● ACSC publications
● Strategies to Mitigate Cyber Security Incidents | Cyber.gov.au
● The 18 CIS Critical Security Controls
● CIS Controls v8 Cloud Companion Guide
● https://learn.cisecurity.org/Establishing-Essential-Cyber-Hygiene
● Top 25 Cybersecurity Frameworks to Consider |… | SecurityScorecard
● Cybersecurity for Small Business | Federal Trade Commission
● CYBERSECURITY BASICS
● Cybersecurity Framework | NIST
● Canarytokens
● https://storage.pardot.com/799323/1638289699nZsVAZCD/CIS_Controls_v8_Mapping_to_NIST_CSF_FINAL_06_11_2021.xlsx
● CIS Controls Self Assessment Tool (CIS CSAT)
Takeaway
● Pick up that ground and low hanging fruit
● Inventory everything
● CIA it
● Threat Model it
● Apply your Framework
● Use your CIS Controls
● Grind away!
What Next?
Go to NonprofitIT.com/cpa to schedule a Discovery Call to learn about a Free Cybersecurity Posture Analysis
Cybersecurity Posture Analysis: 3rd party vulnerability scan
● Easy to understand report
● Identifies, tests, and highlights network vulnerabilities
● Typically costs $297
Thank You!
@RoundTableIT RoundTable Technology @roundtabletechnology
Stay Connected

More Related Content

PPTX
Cybersecurity Risk Management Tools and Techniques (1).pptx
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
PPSX
Next-Gen security operation center
PPTX
Security Operation Center - Design & Build
PPTX
Cybersecurity Risk Management Program and Your Organization
PPT
information security management
PDF
Basics of Cyber Security
PDF
Information security management system (isms) overview
Cybersecurity Risk Management Tools and Techniques (1).pptx
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Next-Gen security operation center
Security Operation Center - Design & Build
Cybersecurity Risk Management Program and Your Organization
information security management
Basics of Cyber Security
Information security management system (isms) overview

What's hot (20)

PPT
Information security management
PDF
Secure Design: Threat Modeling
PPTX
How to implement NIST cybersecurity standards in my organization
PDF
Enterprise Security Architecture for Cyber Security
PPTX
PDF
Introduction to Cybersecurity
PPTX
Cybersecurity
PPTX
Introduction to cyber security
PDF
ISO 27005:2022 Overview 221028.pdf
PPTX
An introduction to SOC (Security Operation Center)
PDF
Cyber Threat Intelligence
PPTX
Social Networking Security
PPTX
Security operation center
PDF
Introduction to NIST Cybersecurity Framework
PDF
Strategy considerations for building a security operations center
PDF
Cybersecurity Roadmap Development for Executives
PPTX
Cybersecurity Risk Management Framework Strategy Workshop
PPTX
Cybersecurity Capability Maturity Model (C2M2)
PPT
SOC presentation- Building a Security Operations Center
Information security management
Secure Design: Threat Modeling
How to implement NIST cybersecurity standards in my organization
Enterprise Security Architecture for Cyber Security
Introduction to Cybersecurity
Cybersecurity
Introduction to cyber security
ISO 27005:2022 Overview 221028.pdf
An introduction to SOC (Security Operation Center)
Cyber Threat Intelligence
Social Networking Security
Security operation center
Introduction to NIST Cybersecurity Framework
Strategy considerations for building a security operations center
Cybersecurity Roadmap Development for Executives
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Capability Maturity Model (C2M2)
SOC presentation- Building a Security Operations Center
Ad

Similar to For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf (20)

PDF
Weakest links of an organization's Cybersecurity chain
PDF
Cyber presentation spet 2019 v8sentfor upload
PDF
What CIOs Need To Tell Their Boards About Cyber Security
PDF
Simple Safe Steps to Cyber Security
PPTX
NIST CSF review - Essential Protections (a K12 perspective)
PDF
The Small Business Cyber Security Best Practice Guide
PDF
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
PDF
Cyber-Security-Whitepaper.pdf
PDF
Cyber-Security-Whitepaper.pdf
PDF
Cybersecurity risk assessments help organizations identify.pdf
PDF
Webinar - Reducing Your Cybersecurity Risk
PDF
Risk Management
PDF
Cyber Risk Management in 2017: Challenges & Recommendations
PPTX
5 Steps to an Effective Vulnerability Management Program
PDF
w-cyber-risk-modeling Owasp cyber risk quantification 2018
PDF
Cyber risk management-white-paper-v8 (2) 2015
DOCX
10 Ways For Mitigating Cybersecurity Risks In Project Management.docx
PDF
200606_NWC_Strategic Security
PDF
Symantec cyber-resilience
Weakest links of an organization's Cybersecurity chain
Cyber presentation spet 2019 v8sentfor upload
What CIOs Need To Tell Their Boards About Cyber Security
Simple Safe Steps to Cyber Security
NIST CSF review - Essential Protections (a K12 perspective)
The Small Business Cyber Security Best Practice Guide
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
Cybersecurity risk assessments help organizations identify.pdf
Webinar - Reducing Your Cybersecurity Risk
Risk Management
Cyber Risk Management in 2017: Challenges & Recommendations
5 Steps to an Effective Vulnerability Management Program
w-cyber-risk-modeling Owasp cyber risk quantification 2018
Cyber risk management-white-paper-v8 (2) 2015
10 Ways For Mitigating Cybersecurity Risks In Project Management.docx
200606_NWC_Strategic Security
Symantec cyber-resilience
Ad

Recently uploaded (20)

PPTX
Cloud computing and distributed systems.
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Electronic commerce courselecture one. Pdf
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
PDF
KodekX | Application Modernization Development
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
Modernizing your data center with Dell and AMD
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
cuic standard and advanced reporting.pdf
PDF
Approach and Philosophy of On baking technology
PPT
Teaching material agriculture food technology
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Network Security Unit 5.pdf for BCA BBA.
Cloud computing and distributed systems.
Per capita expenditure prediction using model stacking based on satellite ima...
Electronic commerce courselecture one. Pdf
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
CIFDAQ's Market Insight: SEC Turns Pro Crypto
KodekX | Application Modernization Development
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
Modernizing your data center with Dell and AMD
Advanced methodologies resolving dimensionality complications for autism neur...
cuic standard and advanced reporting.pdf
Approach and Philosophy of On baking technology
Teaching material agriculture food technology
Encapsulation_ Review paper, used for researhc scholars
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
The AUB Centre for AI in Media Proposal.docx
Diabetes mellitus diagnosis method based random forest with bat algorithm
Mobile App Security Testing_ A Comprehensive Guide.pdf
Network Security Unit 5.pdf for BCA BBA.

For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf

  • 1. Cybersecurity: Frameworks, Fundamentals, and Foundations A Journey towards Improved Security 02.09.2023
  • 2. RoundTable Technology is a strategic partner who will work with your organization to help you leverage technology to fulfill your mission. We understand what it's like to be a nonprofit, working with limited resources, budget, and people. That's why we only hire personnel that are themselves driven by serving those who serve. We are currently supporting over 200 nonprofit clients and helping them get their technology under control.
  • 4. POLL #1 What brought you here today?
  • 6. A Little Jargon Framework: A framework is high level structure that outlines what your program looks like and is responsible for. Designed to create a common language for managing risk within a company Control: Cybersecurity controls are the countermeasures that companies implement to detect, prevent, reduce, or counteract security risks Standard: Collections of best practices created by experts to protect organizations from cyber threats and help improve their cybersecurity posture Regulations: Have a legal binding impact. The way they describe how something should be performed indicates government and public support for the rules and processes set forth in the regulation (HIPAA, GDPR)
  • 7. What is Driving the Need for Cybersecurity? Laws: NYS SHIELD, GDPR, CCPA, TMRPA Compliance/Regulations: HIPAA, PCI Insurance Companies Auditors Data Privacy Partners Pandemics Oh, and cyber criminals!
  • 10. Threat Modeling Good security decisions begin with assessing your security posture. To start, ask yourself the following questions: 1. What do I want to protect? 2. Who do I want to protect it from? 3. How likely is it that I’ll need to protect it? 4. How bad are the consequences if I fail? 5. How much trouble am I willing to go through to try to prevent potential consequences? Source: https://ssd.eff.org/module/seven-steps-digital-security
  • 11. Imagine if a hacker gained access to… the email account of a staff member with authority to direct other staff members, or communicate with a client or partner. Imagine your reputational damage if… your connections to other partners or customers was exploited leading to their breach. Imagine the disruption to your business… if all of your files and records disappeared suddenly and your systems used were inaccessible.
  • 12. The Fork in the Road - Ambiguity
  • 14. Fundamentals: Planning Your Route Cybersecurity is a garden of mostly low-hanging fruit.
  • 15. 5 Must Have Security Controls for Cyber Insurance These controls will help satisfy most of the Insurance requirements: 1. Multi-Factor Authentication (MFA) on all systems, Admin accounts and Remote Access 2. Backups 3. Endpoints Detection and Response (EDR) antivirus 4. Patch Management for Endpoints 5. Ongoing Cybersecurity Training for Staff
  • 16. 🍎 Setting and enforcing application controls (Control what applications can do) 🍎 Patching applications (Run updates and use current versions) 🍎 Configuring Microsoft Office Macro settings (keep Macros micro) 🍎 Hardening user applications (Control what web browsers can do) 🍎 Restricting administrative privileges (Keep regular and admin accounts separate) 🍎 Patching operating systems (Run updates and use current versions) 🍎 Using Multi-Factor Authentication (MFA all the way!) 🍎 Ensuring daily backups (including the SaaS and Cloud apps) Source: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model Ground Fruit 🐨
  • 19. Spin the Wheel, Pick a Cybersecurity Framework (CSF)
  • 20. National Institute of Standards & Technology - Cybersecurity Framework (NIST CSF) Identify Protect Detect Respond Recover Organizations must identify and classify assets and develop an understanding of their environment, threats, and exposures in order to manage cybersecurity risk to systems, people, assets, data and capabilities. Organizations must develop and implement the appropriate safeguards to prevent, limit or contain impact from potential cybersecurity events. Organizations must implement appropriate measures to quickly identify cybersecurity events. Should a cyber incident occur, organizations must have the ability to contain the impact, implement an effective response, perform all required activities to remediate the incident. Organizations must develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event and incorporate lessons learned into revised response strategies.
  • 21. NIST CSF Checklist Identify Protect Detect Respond Recover ● Asset Inventory ● Risk Assessment ● C/I/A ● Data Classification ● Regulatory Compliance ● Threat Modeling ● Defense in Depth ● Network Defense ● Endpoint Protection (EPP) ● SaaS Protection and Zero Trust ● Encryption ● Identity ● Human Layer ● People ● Endpoint Detection and Response (EDR) ● Monitoring and Alerts ● Honeypots ● Scanning (network, dark web, etc.) ● Managed Detection & Response (MDR) ● Extended Detection & Response (XDR) ● SOC/ NOC/ 3rd Party Responders ● Tabletops ● Incident Response Plan ● Cyber Liability Insurance ● Backups ● Business Continuity and Disaster Recovery (BCDR)
  • 23. Know What You Have Do you know your TechStack? Windows 10 Windows 2008 Server Filemaker Pro Salesforce NPSP Google Workspace Email, calendars & some file sharing File sharing, Active Directory, QuickBooks, Volunteer DB Salesforce Nonprofit Starter Pack for Donor Management Most workstations running Windows 10. Mixed versions of MS Office. 2-8 years old - avg 5 years old. Volunteer Management database - custom built 10+ years ago Shadow IT Misc USB drives, DropBox and rogue Google Accounts
  • 24. IDENTIFY ASSETS Tangible & Intangible IDENTIFY THREATS & VULNERABILITIES Internal & External ASSESS CURRENT STATE Processes Systems Roles EVALUATE RISKS Business Impact Probability and Impact Assessment Prioritize Risk Mitigation Steps ASSIGN OWNERSHIP Responsible Individual Risk Assessment
  • 25. C - How bad would it be if the information was exposed? I - How bad would it be if the information was lost? A - How bad would it be if the information was not available? Low - Wouldn’t Care Medium - Not great, but not catastrophic High - Possibly catastrophic CIA Framework / Triad
  • 27. Quantitative Assessment: The ALE you would prefer not to drink *Source: https://netdiligence.com/wp-content/uploads/2021/03/NetD_2020_Claims_Study_1.2.pdf ● Estimate cost of an incident - $77K* ● Estimate annual probability - 30% ● Calculate Super Simple ALE - 30% of $77K = $23,100 Annual Loss Expectancy - current state - $23,100 Takeaway: If we can reduce probability to 10% through improved cybersecurity, it’s worth over $15,000 in annual loss expectancy reduction.
  • 28. POLL #2 What cybersecurity measures are you currently taking?
  • 30. Swiss Cheese Defense-in-Depth for Cybersecurity Recognizing that no single intervention is sufficient to prevent harm Threat Modeling & Risk Assessment Training & Awareness Identity & Authentication Endpoint Protection Policies Testing & Monitoring Preparedness & Incident Response
  • 32. Training ● Social Engineering ● Phishing/Smishing/Vishing ● Policies ● Environmental Awareness ● Open Source Intelligence (OSINT) ● Security Culture ● Repeat
  • 33. Password 123456 Password 45gg$5609932fc% Password I like to eat pickles 2 days a week. Password X9fg44!2 Weaker Stronger Easy to remember Easy to type ) Difficult to remember Difficult to type ● The average person has to logon to over 170+ sites/services and only has 3 to 19 passwords ● Lots of weak, shared passwords (or password patterns) ● Lots of passwords that are easy for adversaries to guess ● One compromise more easily leads to other compromises Think Passphrases - Not Passwords Source: How Secure Is My Password? | Password Strength Checker
  • 34. Password Managers Allow you to create and easily use unique, strong, perfectly random passwords for each site/service ● Passwords made up by people tend to be guessable within the lifetime of the password, most within hours to days ● User created password needs to be 20-char or longer to be unguessable/uncrackable but a 12-character perfectly random password is unguessable/uncrackable ● Protect against phishing ● Audit your passwords ● Share passwords securely
  • 35. Multi-Factor Authentication (MFA) Source: Multi-Factor Authentication - CyberProtex
  • 40. Device Checklist
    ❏ Antivirus / Anti-malware
    ❏ Current OS and Software
    ❏ Screen Lock
    ❏ Strong Device Password
    ❏ OS and Security Updates
    ❏ Hard drive and device Encryption
    ❏ Website Filters
    ❏ Camera Cover
    ❏ Good home Wifi security
  • 41. Additional Checklist ❏ Web, Application, and Network Firewalls ❏ Mobile Device Management ❏ Proper Cloud/SaaS Application Configuration ❏ Patching and Updates ❏ Website Updates
  • 42. POLL #3 When was the last time you provided measurable security awareness training to your staff?
  • 44. Alerts
    ● MS365: Microsoft 365 alert policies - Microsoft Purview (compliance); Real-Time Alerting with Microsoft 365 Alert Policies - Office 365 Reports
    ● Google Workspace: Configure alert center email notifications - Google Workspace Admin Help
  • 45. Endpoint Detection & Response (EDR) /Managed Detection & Response (MDR)
  • 46. Monitoring and Scanning
    ❏ Identify Look-Alike Domains - Domain Doppelganger
    ❏ Email and Phone Data Breaches - Firefox Monitor / Have I Been Pwned
    ❏ Website Vulnerabilities - Sucuri SiteCheck
    ❏ Network Scans - Angry IP Scanner
    ❏ Network Monitoring - Changes in your network | runZero
  • 48. ● Risk Assessment ● Compliance Verification ● Penetration Testing ● Vulnerability Scanning ● Awareness Training ● Endpoint protection ● Firewalls ● IDS/IPS ● AV ● EDR ● WAFs ● Alerts ● Security Operations ● Remediation ● Incident Response & Triage ● Forensics ● Backups
  • 51. What Is A Tabletop Exercise?
  • 52. Tabletop Exercise - Objectives
    ● Create a safe space
    ● Identify gaps in crisis management
    ● Identify gaps in current practices
  • 53. Why Is A Fire Drill Useful?
  • 56. POLL #4 How protected do you feel?
  • 57. Backups - Cover Your SaaS. Your data on the cloud is vulnerable to loss and breaches for these reasons:
    ● Human error: Everyday human errors account for up to 64% of data loss incidents according to Aberdeen research. Employees inevitably delete the wrong email, contacts, or critical configurations.
    ● Malicious insiders: Employee action is involved in up to 23% of all electronic crime events, according to the CERT Insider Threat Center at Carnegie Mellon University's Software Engineering Institute.
    ● Illegitimate deletion requests: SaaS providers will honor your deletion request without question. They have no way of knowing if it's a hasty (or malicious) request, and they are not responsible for any unexpected results.
    ● Malware and viruses: Rogue software can spread mayhem with programmatic efficiency without an active attack from a hacker. Many malware programs and viruses emerge from existing code after hibernation, making them especially hard to defend against.
    ● Synchronization errors: Syncing or updating multiple SaaS applications, a common scenario in organizations, is not always seamless and can cause loss of SaaS data.
    ● Hackers, Malware, Ransomware, Cryptomining, Phishing: There is an ever-growing list of malware types and scams. Social engineering attacks that target employees with phishing and whaling are proving to be incredibly successful, per Verizon's data breach report. The damage from such data breaches is devastating not only in terms of financial loss; it also harms the business' reputation and causes loss of customers.
  • 59. Business Continuity and Disaster Recovery - BCDR Inventory Example
    Columns and what each one means:
    ● Information: What is this information called?
    ● Description: Description of the information.
    ● Location: Where is this information housed?
    ● Recovery Point Objective (RPO): The amount of data at risk. It's determined by the amount of time between backups and reflects the amount of data that potentially could be lost during a disaster recovery.
    ● Recovery Time Objective (RTO): The amount of time it takes to recover from a data loss event and how long it takes to return to service. RTO therefore refers to the amount of time the system's data is unavailable.
    ● Recovery Level Objective (RLO): The level of granularity required for restoration of the selected information. For example, is it sufficient to be able to restore only the entire database from a point in time, or do you require the ability to restore a specific record?
    ● In-place Safeguards: What existing protections are in place for the backup and recovery of this data/service?
    ● Comments: Indicate any changes to be made or questions to investigate.
    Example rows (Information | Description | Location | RPO | RTO | RLO | In-place Safeguards | Comments):
    ● Salesforce | CRM database | Salesforce (Cloud) | 4 hours | 24 hours | Record level restore | Basic Salesforce Retention | Review restore options and consider backing up with Spanning
    ● Email | All organizational email | Gmail (G Suite for Nonprofits) | 4 hours | 4 hours | Full single mailbox restore acceptable | Spanning.com | Satisfactory
    ● File Shares | All organizational files | File Server (in-house) | 24 hours | 24 hours | Individual file restore | USB Backup Drives (onsite) | Look into offsite backup option with Crashplan or BackBlaze
    ● Voice | Phone system | Dialpad (Cloud) | 24 hours | 1 hour | Full system restore acceptable | None | Document administrative accounts and authorized personnel
    ● Website | Organization's website | WordPress, hosted at BlueHost | 24 hours | 1 hour | Full site restore acceptable | Unknown | Speak with BlueHost, gain understanding of backup/restore options and what is already in place
  • 61. Center for Internet Security Controls v.8. The CIS Framework was originally developed in 2008 to help small and mid-sized organizations manage complex cybersecurity requirements. This changed the discussion from "what should my enterprise do" to "what should we ALL be doing" to improve security. CIS Framework Controls are broken down into three categories: Basic Controls, Foundational Controls, and Organizational Controls. CIS Controls are meant to apply easily to any industry or sector, and many CIS Controls can be directly mapped back to both NIST and ISO. Source: https://storage.pardot.com/799323/1638289699nZsVAZCD/CIS_Controls_v8_Mapping_to_NIST_CSF_FINAL_06_11_2021.xlsx
  • 62. Center for Internet Security Controls v.8
  • 63. CIS Implementation Groups. The CIS Controls framework then goes even further to define three implementation groups. ● IG 1 is for organizations with limited resources and cybersecurity expertise. ● IG 2 is for organizations with moderate resources and cybersecurity expertise. ● IG 3 is for mature organizations with significant resources and cybersecurity expertise. Under each of the 18 controls, the CIS Controls framework provides a list of sub-controls, color-coded to indicate which implementation group should be using them. For example, CIS Control 1 "Inventory and Control of Hardware Assets" lists the sub-control "Utilize an Active Discovery Tool", which is appropriate for Implementation Groups 2 and 3 but considered too much of a burden for Group 1.
  • 65. CIS Controls Self Assessment Tool (CIS CSAT) Source: https://csat.cisecurity.org/accounts/signup/
  • 67. Public Resources ● ACSC publications ● Strategies to Mitigate Cyber Security Incidents | Cyber.gov.au ● The 18 CIS Critical Security Controls ● CIS Controls v8 Cloud Companion Guide ● https://learn.cisecurity.org/Establishing-Essential-Cyber-Hygiene ● Top 25 Cybersecurity Frameworks to Consider |… | SecurityScorecard ● Cybersecurity for Small Business | Federal Trade Commission ● CYBERSECURITY BASICS ● Cybersecurity Framework | NIST ● Canarytokens ● https://storage.pardot.com/799323/1638289699nZsVAZCD/CIS_Controls_v8_Mapping_to_NIST_CSF_FINAL_06_11_2021.xlsx ● CIS Controls Self Assessment Tool (CIS CSAT)
  • 68. Takeaway ● Pick up that ground and low hanging fruit ● Inventory everything ● CIA it ● Threat Model it ● Apply your Framework ● Use your CIS Controls ● Grind away!
  • 69. What Next? Go to NonprofitIT.com/cpa to Schedule a Discovery Call to learn about a Free Cybersecurity Posture Analysis. Cybersecurity Posture Analysis: 3rd party vulnerability scan ● Easy to understand report ● Identifies, tests, and highlights network vulnerabilities ● Typically costs $297
  • 71. Thank You! @RoundTableIT RoundTable Technology @roundtabletechnology Stay Connected