crafting a cybersecurity strategy that works
play

Crafting a Cybersecurity Strategy that Works Texas Association of - PowerPoint PPT Presentation

Jul 11, 2023 •123 likes •692 views

Crafting a Cybersecurity Strategy that Works Texas Association of Broadcasters August 2016 Chris Homer PBS Technology & Operations Cybersecurity Strategy for Broadcasters Summary Broadcast Industry Challenges Understanding

  1. Crafting a Cybersecurity Strategy that Works Texas Association of Broadcasters August 2016 Chris Homer PBS Technology & Operations

  2. Cybersecurity Strategy for Broadcasters • Summary – Broadcast Industry Challenges – Understanding Risk – NIST Framework – How to establish a Cybersecurity Strategy

  3. Broadcast Industry Challenges • Broadcast Networks – Emergency Alert Systems – News & Weather, Production, Graphics – Traffic & Scheduling – Playout & Automation Systems – STL transport & Broadcast (spokes & hubs)

  4. • EAS Equipment – Common Alerting Protocol • September 30 2011 FEMA • eXtensible Markup Language (XML) standard – May be tied to local, state & FEMA Networks

  5. News Weather Production & Graphics • News Room Computer Systems NRCS • Non-Linear Editing Systems NLEs • Graphics Systems • Wire Services, Pool Feeds, Bonded Cellular • Closed Captioning via IP

  6. Traffic & Scheduling • Sales Tools • Traffic Scheduling • Schedule Import • Programming • BXF Export to Automation

  7. Playout & Automation Systems • Playout Servers • Storage Area Networks (Channel in a Box) (SAN/NAS) • Automation Systems • Library Systems (Disk, Tape, Cloud) • IP Playout

  8. STL or Spoke & Hub • IP over Microwave • Network Spoke & Hub Connectivity

  9. Broadcast Industry Challenges • Networks (Enterprise or Corporate) – Enterprise Resource Planning (ERP) – Finance – Sales – Research – Intranet/Extranet – Human Resources/Community Service

  10. Finance & Accounting Systems • Finance • Accounting – Accounts Payable – Accounts Receivable • Purchasing

  11. Broadcast Industry Challenges – News Data – Finance & Sales – Traffic & Scheduling – File Based Workflow – Viewer Data – Social Media Data

  12. News • Laptops & • Non-Linear Thumb Editing drives Systems • Wire Services • NRCS Rundowns

  13. Finance Sales & Admin • Human Resources/Employee Data • ERP Financial Data • Email

  14. Traffic & Scheduling • Contracts & Deals • Programming Grids • Schedules

  15. File Based Workflow • Media • Graphics • Meta Data/RDS • Marketing Content (Posters, Ads) • Web Based Content

  16. Community Services/Viewer Data • Local Events Charities • Nielsen Data • Viewer Data • Social Media Content

  17. Cybersecurity Journey • Understanding the Risks • Cyber Attack Chain Model • FCC CSRIC IV Report • NIST Cybersecurity Framework

  18. Understanding the Risks • Dead Air • Impact to Resources • Loss of Revenue • Embarrassment • Potential liability • Breach of employee, viewer or advertiser data

  19. Types of Attacks 7 of 10 Type Definition Web App Attack Attack the vulnerabilities and authentication of a web application layer such as invalidated redirects, cross site forgery, cross site scripting and others. Point-of-Sale Remote attacks against the environments where card transactions are conducted. Insider Misuse Internal or partner misuse of resources. Physical Theft & Loss of information asset whereas the data is more valuable than the asset. Loss Crimeware Use of malware followed by ramsomeware Cyber-espionage Access to state or corporate sensitive data. Denial of Service Any attack to compromise network or system availability. *2016 Data Breach Investigation Report-Verizon

  20. A Cyber Attack Chain Model Step Description Reconnaissance Find Target & Probing Harvest information (email, conference listings, public lists, etc.) Delivery & Attack Place delivery mechanism online Use social engineering to induce target to access malware or other exploits Installation & Exploit vulnerabilities on target systems to acquire access Exploitation Elevate user privileges and install additional “tools” Compromise & Exfiltration of data Expansion Use compromised systems to exploit additional systems

  21. Local Broadcast TV Station

  22. Local Broadcast Radio Station

  23. Central Broadcast TV Hub

  24. Model for Hardened Station General Traffic DAM Traditional IT (ERP, HR, Programming, Research) Users Scheduling Enterprise Network STL or WAN Public Web Station Editing Extra/Intra NRCS File Ingest Sites Playout to Hub Graphics Net Internal Internet Firewall

  25. FCC CSRIC IV Working Group 4 • FCC CSRIC IV Working Group 4 Report on Cybersecurity for the Telecommunication Industry • https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Rep ort_031815.pdf • Roadmap for Telecommunication Industry • Encourage Voluntary Action • The Communications Security, Reliability and Interoperability Council IV Working Group 4 March 2015

  26. FCC CSRIC IV Working Group 4 • Segment Analysis – Broadcasting – Cable – Wireless – Wireline – Satellite

  27. FCC CSRIC IV Working Group 4 • Feeder Segments – Cyber Ecosystem and Dependencies – Top Threats and Vectors – Framework Requirements and Barriers – Small and Medium Business – Measurements

  28. FCC CSRIC IV Working Group 4 • Small/Medium Business – Identifies what an SMB needs to protect, who has responsibility for a given task, and how an SMB can protect its critical infrastructure. – Use cases from various segments. – Identifies highest priority NIST Cybersecurity Framework subcategories for SMBs.

  29. NIST Cybersecurity Framework • Framework Core • Framework Tiers • Framework Profiles • Link • http://www.nist.gov/cyberframework/upload /cybersecurity-framework-021214.pdf

  30. NIST Cybersecurity Framework • Framework Core – Each item designed for desired outcome – Function – Category – Sub-category – Informative Reference

  31. Framework Core Functions • Identify • Protect • Detect • Respond • Recover

  32. *Framework for Improving Critical Infrastructure Cybersecurity NIST-2014

  33. *Framework for Improving Critical Infrastructure Cybersecurity NIST-2014

  34. Identify • Asset Management • Business Environment • Governance • Risk Assessment • Risk Management Strategy

  35. Protect • Access Control • Awareness and Training • Data Security • Maintenance • Protective Technology • Information Protection Processes/Procedures

  36. Detect • Security Monitoring • Anomalies & Events • SIEM • Detection Processes

  37. Respond • Response Planning • Communications • Analysis • Mitigation • Improvements

  38. Recover • Recovery Planning • Improvements • Communications

  39. Framework Tiers • Tier 1-Partial • Tier 2-Risk Informed • Tier 3-Repeatable • Tier 4-Adaptive

  40. Tier 1-Partial • Lack of formal process • Lack of awareness • Unable to collaborate outside of organization

  41. Tier 2-Risk Informed • Formal process may exist within parts of the organization • Some awareness but not organization wide • May understand role but not formalized

  42. Tier 3-Repeatable • Formal process has become policy • Organization wide approach • Understands dependencies

  43. Tier 4-Adaptive • Continuous improvement • Organization wide and has become part of the culture • Has become a great partner outside the organization

  44. Cyber Risk Management • Executive • Business Process • Operations/Implementation

  45. Executive • Successful Implementation – Required support at the highest level – Buy-in from all stake holders – Continuous improvement – Governance

  46. Business Process • Process to include – Risk Planning – Recovery Planning – Communication & Training

  47. Operations/Implementation • Operations and Engineering – Asset Management – Change Management – Incident Management – Respond & Recover

  48. Steps to Establish a Cybersecurity Program • Prioritize & Orient • Create Current Profile • Perform Risk Assessment • Create Target Profile • Perform Gap Analysis • Create Action Plan

  49. Prioritize & Orient • Prioritize – Determine the scope of systems and assets that support the business. • Orient – Identifies assets, regulatory requirements, and overall risk approach.

  50. Create Current Profile • Create Curent Profile – Current categories/sub-categories – e.g. Asset Management, User Control

  51. Perform Risk Assessment • Guided by Risk Management Process • Analyze current environment • Use pertinent and emerging data

  52. Create Target Profile • Create Target Profile – Desired categories and sub-categories – e.g. Security policy, monitoring service – Customer and stakeholder requirements

  53. Analyze & Prioritize Gaps • Perform Gap Analysis • Differences between current profile and target profile • e.g. Lack of Governance, Process, Monitoring

  54. Action Plan/Execute • Create Action Plan • Cost analysis • Execute • Repeat

  55. Organizational Changes • Governance • Communication • Culture • Response

  56. Conclusion • Cybersecurity is: – A Change of mindset & culture – Supported at the highest level in organization – Everyone’s responsibility – Doable through use of process & technology – Ongoing

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Single Sales Apportionment: Crafting a Multi State Strategy Crafting a Multi State Strategy

Single Sales Apportionment: Crafting a Multi State Strategy Crafting a Multi State Strategy

Presenting a live 110 minute teleconference with interactive Q&A Single Sales Apportionment: Crafting a Multi State Strategy Crafting a Multi State Strategy Meeting Tax Compliance and Planning Demands Amid Significant Changes in

652 views • 39 slides
Crafting Learning Outcomes & Identifying Common Ground: A Strategy for Faculty

Crafting Learning Outcomes & Identifying Common Ground: A Strategy for Faculty

Crafting Learning Outcomes & Identifying Common Ground: A Strategy for Faculty Consensus-building Cynthia Bair Van Dam, Jessica Waters, & Brad Knight Session outline 1. Context 2. Generalizability 3. Case Study 4. Group Activity 5.

547 views • 38 slides
Practical Strategy: Crafting a Plan, Not a Paperweight Ron Whitehead, City Manager, The Town of

Practical Strategy: Crafting a Plan, Not a Paperweight Ron Whitehead, City Manager, The Town of

Practical Strategy: Crafting a Plan, Not a Paperweight Ron Whitehead, City Manager, The Town of Addison With Rick Robinson, SDi Consulting, LLC ICMA Conference Presenters Who we are Why are we here? What we will accomplish? What can

721 views • 48 slides
CYBERSECURITY Situational awareness Franois Thill, Director Cybersecurity, Ministry of the

CYBERSECURITY Situational awareness Franois Thill, Director Cybersecurity, Ministry of the

CYBERSECURITY Situational awareness Franois Thill, Director Cybersecurity, Ministry of the economy Agenda The actual situation Strategy of the ministry Risk management a common language Some good practice examples 2 The

427 views • 21 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
Raising Cybersecurity Awareness at a Small Agency, What Works for Me, Will it Work for You???

Raising Cybersecurity Awareness at a Small Agency, What Works for Me, Will it Work for You???

Raising Cybersecurity Awareness at a Small Agency, What Works for Me, Will it Work for You??? Ralph Mosios Federal Housing Finance Agency Chief Information Security Officer March 16, 2016 AGENDA Who is FHFA? The FHFA Security Awareness

360 views • 17 slides
Crafting Presentation Part Deux The Guiding Principles We must support both popcorn

Crafting Presentation Part Deux The Guiding Principles We must support both popcorn

Crafting Presentation Part Deux The Guiding Principles We must support both popcorn crafting (simple crafting/repairing) as well as a full -time crafter class We MUST create a vibrant economy that ensures that the crafter class

473 views • 32 slides
CRAFTING CRAFTING WINNING WINNING LFPP LFPP/FMPP FMPP PR PROPOS OPOSALS ALS A National

CRAFTING CRAFTING WINNING WINNING LFPP LFPP/FMPP FMPP PR PROPOS OPOSALS ALS A National

CRAFTING CRAFTING WINNING WINNING LFPP LFPP/FMPP FMPP PR PROPOS OPOSALS ALS A National Good Food Network Webinar April 12 th , 2018 Web ebinar Over inar Overview view Welcome & Intros Webinar Tech Dawn Thilmany and Becca

921 views • 69 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
National Cybersecurity Center of Excellence Increasing the deployment and use of standards-based

National Cybersecurity Center of Excellence Increasing the deployment and use of standards-based

National Cybersecurity Center of Excellence Increasing the deployment and use of standards-based security technologies Harry Perper Chief Engineer National Cybersecurity FFRDC The MITRE Corporation 18 January, 2017 STRATEGY VISION

774 views • 9 slides
Upcoming Guide on Being Strategic about Cybersecurity BDT Efforts to Assist Member States

Upcoming Guide on Being Strategic about Cybersecurity BDT Efforts to Assist Member States

Upcoming Guide on Being Strategic about Cybersecurity BDT Efforts to Assist Member States in Producing a National Cybersecurity Strategy 1 National Cybersecurity Strategies Developing a Reference Guide to help Member States produce a

399 views • 14 slides
Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland Chapter Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix

685 views • 37 slides
A Risk-based Security Program Approach: Security Enables Digital Transformation and Compliance

A Risk-based Security Program Approach: Security Enables Digital Transformation and Compliance

A Risk-based Security Program Approach: Security Enables Digital Transformation and Compliance Michael Gutsche, Cybersecurity Strategy Peter Bronson, Cybersecurity Strategy #MicroFocusCyberSummit This document contains forward looking

245 views • 21 slides
Whats New at Ontario Works The Social Assistance Service Modernization Strategy, initiated

Whats New at Ontario Works The Social Assistance Service Modernization Strategy, initiated

Whats New at Ontario Works The Social Assistance Service Modernization Strategy, initiated by the Ontario Government, has called on Ontario Works providers to modernize practices. This will provide clients with improved services and

395 views • 27 slides
KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

7/17/2020 KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing Attacks Malware/Ransomware Hacking Imposter Scams 1 7/17/2020 KACo Cybersecurity Training BEWARE OF Phishing Phishing attacks

248 views • 6 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2019 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

212 views • 19 slides
Summit Link Transit Battery Electric Projects Todd Daniel, Maintenance and Technology Manager

Summit Link Transit Battery Electric Projects Todd Daniel, Maintenance and Technology Manager

Green Transportation Summit Link Transit Battery Electric Projects Todd Daniel, Maintenance and Technology Manager LINKS HISTORY WITH BATTERY ELECTRIC PROJECTS EBUS BATTERY ELECTRIC TROLLEYS 2009 awarded TIGGER Grant for 5 Opportunity

842 views • 23 slides
Liberating energy innovators Data, AI, IOT, Blockchain are critical uncertainties for NZ energy

Liberating energy innovators Data, AI, IOT, Blockchain are critical uncertainties for NZ energy

Liberating energy innovators Data, AI, IOT, Blockchain are critical uncertainties for NZ energy sector in 2018 Significant variation in R&D investment StatsNZ, 15 of the 40+ industries and sub-industries shown Domestic industries 40%

445 views • 15 slides
Motion generation for humanoid robots aiming at industrial applications June 21-22 th 2017,

Motion generation for humanoid robots aiming at industrial applications June 21-22 th 2017,

LAAS-CNRS Laboratoire conventionn avec lUniversit Fdrale de T oulouse Midi-Pyrnes Motion generation for humanoid robots aiming at industrial applications June 21-22 th 2017, Robotex, TechDays 2017, Clermont-Ferrand O. Stasse,

436 views • 31 slides
First Quarter 2009 - A Good Start 1Q 2009 Results Presentation - 29 April 2009 Agenda 1Q 2009

First Quarter 2009 - A Good Start 1Q 2009 Results Presentation - 29 April 2009 Agenda 1Q 2009

First Quarter 2009 - A Good Start 1Q 2009 Results Presentation - 29 April 2009 Agenda 1Q 2009 Results Back Up Commenting 1Q 2009 Results Strong trend with 60k net adds Customer Base Growth Significant improvement vs 4Q 2008

573 views • 16 slides
Suicide Risk Assessments in Hospitals Using Systematic Expert Risk Assessment for Suicide (SERAS)

Suicide Risk Assessments in Hospitals Using Systematic Expert Risk Assessment for Suicide (SERAS)

The heart and science of medicine. UVMHealth.org/MedicalGroup Suicide Risk Assessments in Hospitals Using Systematic Expert Risk Assessment for Suicide (SERAS) Robert R. Althoff, MD, PhD Associate Professor of Psychiatry, Pediatrics, &

491 views • 25 slides
i Piano: Inertial Proximal Algorithm for Non-convex Optimization Thomas Pock Institute for

i Piano: Inertial Proximal Algorithm for Non-convex Optimization Thomas Pock Institute for

i Piano: Inertial Proximal Algorithm for Non-convex Optimization Thomas Pock Institute for Computer Graphics and Vision Graz University of Technology MOBIS Workshop, University of Graz, July 5th, 2014 Graz University of Technology Joint work

976 views • 68 slides
Emergent Complexity via Multi-agent Competition Bansal et al. 2017 CS330 Student Presentation

Emergent Complexity via Multi-agent Competition Bansal et al. 2017 CS330 Student Presentation

Emergent Complexity via Multi-agent Competition Bansal et al. 2017 CS330 Student Presentation Motivation Source of complexity: environment vs. agent Multi-agent environment trained with self-play Simple environment, but extremely

759 views • 29 slides
WELCOME/BIENVENUE Welcome to #ACPA16 in Montreal! We are glad you are here! Bienvenue Montr

WELCOME/BIENVENUE Welcome to #ACPA16 in Montreal! We are glad you are here! Bienvenue Montr

WELCOME/BIENVENUE Welcome to #ACPA16 in Montreal! We are glad you are here! Bienvenue Montr al, nous sommes heureux que vous soyez l ! CONSIDER : #ACPA16 provides an opportunity to discus global concepts in higher, post-secondary, and

528 views • 29 slides

More recommend