HEMISPHERE SMB Case Study
Download as PPTX, PDF1 like190 views
The document presents a comprehensive overview of cyber risk management focused on small and mid-sized businesses and government contractors. It discusses the challenges faced in compliance with Defense Federal Acquisition Regulation (DFAR) and NIST SP 800-171, along with statistics on cyber incidents affecting small businesses. Additionally, it outlines best practices for incident response and the significance of having proper cyber plans to manage and mitigate risks.
HEMISPHERE SMB Case Study
- 1. Your Gateway to Cyber Risk Management DFAR ANALYSIS SMB Case Studies Presented By: Carter Schoenberg President & CEO HEMISPHERE Cyber Risk Management www.hemispherecyber.com (703) 881-7785
- 2. About HEMISPHERE Established in 2015 Offices in U.S. (Virginia) Professional cyber risk management services (Small & Mid-size Businesses, Law Firms, and Insurance Sectors) Proprietary risk modeling Your Gateway to Cyber Risk Management
- 3. Your Gateway to Cyber Risk Management CUI IV&V Engagements PoP: 15 engagements between July 2016 - Present Company Sizes: Ranging from 35 to 416 employees Geography: CONUS Average Cost of Engagement: $29,515 Average Identified Savings from Recommendations: $58,724
- 4. Your Gateway to Cyber Risk Management CUI IV&V Engagements Challenges – Government Side DFAR only evaluates what is deemed of interest to them DoD has conveyed presumptions about what business owners “normally do” (e.g. having policies and procedures in place to meet traditional -1 controls of NIST SP 800-53) Communications about requirements has been limited CUI vs. CDI vs. CTI Consequences of failing to adopt are not clear Oct 2017 conveys “30 days to adopt” whereas full implementation is hard stopped at 12/31/2017 (What does this mean for companies post January 1, 2018?) Self Certification as an evaluation criteria or “Reps & Certs”? Industry Day issues: Flow down for CSPs and adoption of 800-53 vs. 800-171 DoD Acquisition Workforce (background and expertise)
- 5. Your Gateway to Cyber Risk Management Cyber Plans and SSPs I don’t have time for this stuff! Incident Response 80% Challenges – Contractor Side (SMBs) Lack of qualified staff Little or no inputs from legal “I have ISO 27000 Series, I am good” (40 controls do not align) They believe liability ends with the solicitation’s requirements
- 6. Your Gateway to Cyber Risk Management Ask The Audience You be the Judge Scenario: “ACME” - 8(a) firm in Virginia wins large contract to support NAVY in San Diego, Pensacola, and New London ACME contacted by law enforcement agency about activity on their network associated with a cyber incident Analysis confirms malware propagated on core enterprise network of ACME (introduced via smartphone plugged into contractor laptop) Data supports that information has been exfiltrated that likely included staff PII What do you do?
- 7. Your Gateway to Cyber Risk Management Did You Know? 60% of small businesses close their doors after a cyber event Most cyber events are internal More money is spent on cyber defense today than ever before ~ Small Business Trends, 2017
- 8. Your Gateway to Cyber Risk Management Did You Know? 62% of all cyber insurance claims came from small businesses Most coverages levels are inadequate Duty to disclose before taking action Courts are moving away from “if you were breached” to “how well did you respond and recover?” POLICY VALUE Incident Response 80%
- 9. Your Gateway to Cyber Risk Management CUI IV&V Engagements Our Approach Review each organization (as a business) Ascertain how many states may have purview in the event of a breach Identify the language in existing contracts where the client must demonstrate adherence to DFAR updates (NIST SP800-171 and Penetration Clauses) Review any existing operational policies and procedures Conduct technical scans of client’s environment (Nessus, Nmap, and Wireshark) Conduct Operational and Physical Assessments Analysis Draft Report Final Report with onsite formal debrief
- 10. Your Gateway to Cyber Risk Management CUI IV&V Engagements Findings NIST SP 800-171 Adoption (110 Controls) Averages: Adopted: Adopted with Limitations Not Adopted: 29% 37% 34% How many understood how to reclaim these costs?
- 11. Your Gateway to Cyber Risk Management CUI IV&V Engagements Findings Beyond 800-171 CONTROL DESCRIPTION AC-1 ACCESS CONTROL POLICY AND PROCEDURES AC-9 PREVIOUS LOGON AC-10 CONCURRENT SESSIONS AC-14 PERMITED ACTIONS WITHOUT ID & AUTHENTICATION AT-4 SECURITY TRAINING RECORDS AU-10 NON-REPUDIATION AU-13 MONITORING FOR INFORMATION DISCLOSURE CA-3 SYSTEM INTERCONNECTIONS CA-6 SECURITY ASSESSMENT CM-9 CHANGE MANAGEMENT PLAN CP-2 CONTINGENCY PLAN CP-4 CONTINGENCY PLAN TESTING IA-3 DEVICE ID AND AUTHENTICATION
- 12. Your Gateway to Cyber Risk Management CUI IV&V Engagements Findings Beyond 800-171 CONTROL DESCRIPTION IA-8 ID AND AUTHENTICATION (NON ORG USERS) IR-8 INCIDENT RESPONSE PLAN IR-9 INFORMATION SPILLAGE MP-1 MEDIA PROTECTION PLAN PE-7 VISITOR CONTROL PE-19 INFORMATION LEAKAGE PL-4 RULES OF BEHAVIOR PL-7 3RD PARTY PERSONNEL PL-8 INFOSEC ARCHITECTURE PS-6 ACCESS AGREEMENTS PS-7 3RD PARTY PERSONNEL SCREEENING PS-8 PERSONNEL SANCTIONS
- 13. Your Gateway to Cyber Risk Management CUI IV&V Engagements Findings Access Control Plan Media Protection Plan Incident Response Plan Configuration/Change Mgt. Plan Ability to Continuously Monitor Inventory of Assets Multifactor Authentication 5 out of 15 4 out of 15 1 out of 15 0 out of 15 0 out of 15 2 out of 15 1
- 14. Your Gateway to Cyber Risk Management Cyber Plan vs. SSP Some entities require a System Security Plan (SSP). How is a SSP different from a “Cyber Plan”? Incident Response 80% Context and Visualization Estimated time to complete in-house with 1) No outside assistance 2) No internal cybersec SME 6 months
- 15. Your Gateway to Cyber Risk Management Corporate Cyber and Incident Response Plans It is not simply “your” Business you need to worry about. Incident Response 80% 63% of cyber breaches attributed to a 3rd party. ~ Soha Security Survey 2016
- 16. Your Gateway to Cyber Risk Management Corporate Cyber and Incident Response Plans Regulators and Plaintiffs Incident Response 80% What will be asked for? Likely first items Corporate Policies Incident Response Plan
- 17. Your Gateway to Cyber Risk Management Corporate Cyber and Incident Response Plan What to Do What Not to Do Incident Response Make it easily accessible Actionable Repeatable Paper version stuck on a shelf Very technical Hard to enforce
- 18. Your Gateway to Cyber Risk Management Government Contractor ISAO “GovCon-ISAO” Addresses 21 out of 110 Controls Incident Response More than just info-sharing Takes the guess work out of what to share and why Interactions with DHS enables early warning indicators Benchmarking against peers
- 19. Your Gateway to Cyber Risk Management Questions Incident Response Carter Schoenberg, President & CEO Carter@hemispherecyber.com (703) 881-7785 Office SUBJECT: SSCA