Nassau County BOCES
BUILDING AN INFORMATION SECURITY PROGRAM WITH CIS 20 AND NIST CSF
MARCH 13, 2020
Adaptive Security
AGENDA
– Introductions
– Presidio Cyber Security Practice Overview
– Why are we here?
– Common District Cyber…
PRESIDIO CYBER SECURITY TEAM
– Engagement and Operations Management
– Infrastructure Security
– Technical Assessment
– Information Security
Pete Insall, Managing Consultant, Architecture Practice
CISSP, SABSA Security Architect Foundation, CCNP, PCNSE
About me:
– 7+ years @ Presidio
– 12+ years as Security Engineer
– 6 years in the US Navy – Submariner Technician (ELT)
PRESIDIO CYBER SECURITY TEAM
Dustin Harriman, Managing Consultant, ISG/GRC Practice
CISSP, ISO/IEC 27001 LI, CPT, CEH, CNDA
About me:
– 7+ years @ Presidio
– 8.5 years in Army
– InfraGard Member
CYBER SECURITY CAPABILITIES (Adaptive Security)
Adaptive Strategy
– HIPAA Security Rule
– PCI DSS
– CMMC / NIST 800-171
– SSAE 18 SOC II
Adaptive Testing
– Testing
Adaptive SecOps
– Implementation
Adaptive Architecture
– Security Architecture
  ▪ Cloud and IoT
– Firewall Analysis
– Device Hardening
– Segmentation Workshop
– Active Directory Analysis
– PKI Architecture Assessment
PRESIDIO CYBER FRAMEWORK SERVICES
❑ Security Program Assessment – … framework
❑ NIST CSF Assessment – … profile
❑ Security Architecture Analysis – … configuration reviews verify some workshop findings. NIST CSF and CIS 20 controls are leveraged in the analysis.
❑ CIS 20 Assessment – … for the particular organization. Includes interviews, reviews of documentation and policies, and spot validation of control state and maturity for a subset of sub-controls.
❑ Ransomware Defense Assessment – … critical for ransomware defense. Includes sample vulnerability testing.
WHY ARE WE HERE?
– … at the forefront of protecting district technology assets, infrastructure, people, and students.
– … strongly recommends the CIS 20
– Applied as the mechanism for implementing controls within the IT organization
– Applied to address privacy concerns and build a district-wide security strategy and defensible security program
– Published January 31st in the State Register
– SED will continue to work with the workgroup and stakeholders to develop resources for implementation
TODAY’S CYBER SECURITY CHALLENGES IN EDUCATION
– Attack Vectors
– Disruption Technology
– Organization Issues
– Board Issue
– Where do I start?
– Compliance
– Everything is Digital!
– Data Risks
– Visibility
– I Don’t Know What I Don’t Know
– Resource Shortage
– Culture
– Funding
COMMON CYBER ATTACK METHODOLOGY
– … increases chances of stopping the attack
– … until data extraction or exfil occurs
COMMON DISTRICT CHALLENGES & INFLUENCERS
– FERPA – Family Educational Rights and Privacy Act
– CIPA – Children’s Internet Protection Act
– COPPA – Children’s Online Privacy Protection Rule
– PPRA – Protection of Pupil Rights Amendment
– K-12 Cybersecurity Act of 2019
– Part 121 of the Regulations of the Commissioner
– New York State Education Law 2-D
– People, Process, & Technology
– Administration, Staff, Faculty, Support Staff, etc. have access to SENSITIVE data
WHAT DATA ARE WE PROTECTING AGAINST?
– “Records, files, documents, and other materials maintained by an education agency or institution…”
The below is a combination of what FERPA and COPPA determine to be Protected Information (PII):
– Student’s First & Last Name
– Parent’s Names
– Date of Birth
– Physical Addresses
– Telephone Numbers
– Student ID Number
– Online contact info (i.e. email)
– Persistent Identifiers (cookies, IP addresses, device serial numbers, unique device identifier)
– Digital Content containing child’s image/voice
– Geolocation information that can be tied to an address
WHAT ARE FRAMEWORKS?
– … program to manage organizational risk and known vulnerabilities.
– … resources to address security risks, and integrate security into all aspects of the organization
– ISO 27005 – NIST 800-30 – FAIR
– NIST 800-53 R4 – HIPAA Security Rule – PCI DSS 3.2 – GDPR – CCPA – NIST 800-171
– ISO/IEC 27000 Series (internationally recognized in …)
– NIST Cybersecurity Framework (NIST CSF) – COBIT – COSO
– CIS 20 – HITRUST CSF – SSAE 18 SOC I & SOC II
CRITICAL SECURITY CONTROLS
– “The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks.”
– Created in 2008 by the NSA to prioritize cybersecurity controls based on attack methods and frequency
– As of the current version 7.1 there are 20 major controls, with 171 total sub-controls.
– Derived from the most common attack patterns in leading threat reports and vetted across a very broad community of government and industry security practitioners for the most effective defenses.
– They prioritize and focus a smaller number of actions for improved cybersecurity posture.
http://cissecurity.org/critical-security-controls/
From the California Breach Report 2016: https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
WHO’S USING THE CIS CONTROLS?
– … framework such as NIST CSF
“I have found the CIS Implementation Groups (IG) to be very helpful when explaining to school officials and municipal leaders the steps or controls that need to be implemented to raise their security posture… Cybersecurity can be an overwhelming undertaking for organizations that lack the staff or knowledge. The CIS Controls take the guesswork out of what steps to implement. The Implementation Groups take an overwhelming list of controls and essentially turn them into a checklist that is very easy to understand.” – Neal Richardson, CISSP, GCCC, GMOB, GCIH, GCIA, GSEC, Director of Technology, New Hampshire Hillsboro-Deering School District
CIS 20 CONTROL OVERVIEW
Controls 1-16 are more technically focused; Controls 17-20 focus more on people and processes.
CIS 20 IMPLEMENTATION GROUPS
– Starting with CIS 20 v7.1, Implementation Groups were created.
– IGs provide a realistic and achievable starting point for …
– The (43) CIS Sub-Controls in IG1 represent basic "Cyber Hygiene"
1. The sensitivity of data residing within the organization
2. The level of technical expertise of staff or individuals on contract
3. Availability of resources dedicated to cybersecurity activities
– Each implementation group builds on the other
– Not all sub-controls of a given IG are applicable or reasonable for an organization to implement.
– Higher level IG sub-controls may or should be implemented by an …
CIS 20 CONTROL OVERVIEW (1-6)
– Control 1: … are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
– Control 2: … installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation
– Control 3: … minimize the window of opportunity for attackers.
– Control 4: … administrative privileges on computers, networks, and applications.
– Control 5 (… Workstations and Servers): … laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Common Findings
– … network
– … software
– … activities
– … benchmarks being followed for hardening consistently.
– … log analytics
CIS 20 CONTROL OVERVIEW (7-11)
– Control 7: … through their interaction with web browsers and email systems.
– Control 8: … while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
– Control 9: … networked devices in order to minimize windows of vulnerability available to attackers.
– Control 10: The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
– Control 11 (… and Switches): … network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Common Findings
– … not hardened
– … defenses not deployed
– … up to date anti-malware
– … to standard hardening benchmark
– … in place
CIS 20 CONTROL OVERVIEW (12-16)
– Control 12: … a focus on security-damaging data.
– Control 13: … and ensure the privacy and integrity of sensitive information.
– Control 14: … (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
– Control 15: … area networks (WLANs), access points, and wireless client systems.
– Control 16: Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
Common Findings
– … capabilities
– … information
– … devices not fully configured
– … segmentation
– … control
– … authentication/encryption in use
– … non-existent or limited in use
CIS 20 CONTROL OVERVIEW (ORGANIZATIONAL)
– Control 17: … and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
– Control 18: … to prevent, detect, and correct security weaknesses.
– Control 19: … implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
– Control 20: … the people) by simulating the objectives and actions of an attacker.
Common Findings
– … social engineering testing not taking place
– … training limited
– … dynamic testing not being used
– … playbooks incomplete
– … not performed, or not with any regularity
CIS CONTROLS™ SELF-ASSESSMENT TOOL (CSAT)
– … track and prioritize implementation of the CIS Controls
– … implementation groups.
– … each CIS sub-control across (4) areas
– … as those from NIST 800-53 and compliance requirements from the PCI DSS
– … Excel, PPT
https://csat.cisecurity.org/
CIS SECURE SUITE MEMBERSHIP
– … resources including:
  – CIS-CAT Pro configuration assessment tool
  – Full-format CIS Benchmarks™ – best practices for the secure configuration of a particular system (over 140 benchmarks available)
  – Build Kits (Active Directory GPOs, Linux scripts, and more) for rapidly implementing CIS Benchmark recommendations
– … Tribal, and Territorial (SLTT) government entities and U.S. public academic institutions.
https://www.cisecurity.org/cis-securesuite/
CIS CONTROL COMPANION GUIDES
– … guidance in the following areas:
  – Cloud
  – Mobile Devices
  – Internet of Things (IoT)
https://workbench.cisecurity.org/dashboard
NIST CYBER SECURITY FRAMEWORK
– … Order 13636 Improving Critical Infrastructure Cybersecurity, released in 2013.
– … made, Supply Chain Risk Management was one of the most significant net-new additions as a sub-category in the Identify function.
– … applicable references
  ▪ What are we doing today?
  ▪ How are we doing?
  ▪ Where do we want to go?
  ▪ When do we want to get there?
– … regulatory body. Solely based on existing standards, guidelines, and best practices to better manage and reduce cyber security risk.
NIST CYBER SECURITY FRAMEWORK (CSF) OVERVIEW
– Complementary framework: … into the security program, not a replacement
– 3 Core Components: 1. Implementation Tiers 2. Framework Core 3. Profiles
– Technology neutral
– 5 Core Functions
– Supply Chain Risk Management added as a category in NIST CSF v1.1 in April of 2018
WHAT NIST CSF IS NOT
– … a silver bullet:
“I am convinced that there are only two types of companies: those that have been hacked and those that will be … companies that have been hacked and will be hacked again.”
CYBER SECURITY FRAMEWORK (CSF) CONTROLS
Naming convention, using ID.BE-1 as the example: Core Function (ID), Category (BE), Sub-Category (1)
PEOPLE, PROCESS, & TECHNOLOGY
– … framework categories focus on technology
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
UNDERSTANDING IMPLEMENTATION TIERS
– … to view and understand the characteristics
– … security risk.
– … but should not be seen as maturity levels.
– … potentially for individual business units within a larger organization.
– … and for the organization’s requirements is a fundamental component of appropriately aligning cyber security to the business.
Tier  Title    Characteristics
1     Partial  …
UNDERSTANDING FRAMEWORK PROFILES
– … district needs that have been pre-selected by stakeholders
– … alignment of policies, standards, guidelines, and practices to the Framework Core.
– Profile types: Current Profile = “as-is” state; Target Profile = “to-be” state
– … prioritization and program measurement
– KPIs, KRIs, & KCIs should also be created and used for program measurement
Sample profile (current tier vs. target tier per category)
Function   Category                                                  Current Profile   Target Profile
IDENTIFY   Asset Management (ID.AM)                                  Risk Informed     Repeatable
           Business Environment (ID.BE)                              Risk Informed     Repeatable
           Governance (ID.GV)                                        Risk Informed     Repeatable
           Risk Assessment (ID.RA)                                   Partial           Risk Informed
           Risk Management Strategy (ID.RM)                          Partial           Repeatable
           Supply Chain Risk Management (ID.SC)                      None              Risk Informed
PROTECT    Access Control (PR.AC)                                    Risk Informed     Repeatable
           Awareness and Training (PR.AT)                            Risk Informed     Repeatable
           Data Security (PR.DS)                                     Risk Informed     Repeatable
           Information Protection Processes and Procedures (PR.IP)   Partial           Risk Informed
           Maintenance (PR.MA)                                       Partial           Repeatable
           Protective Technology (PR.PT)                             Risk Informed     Repeatable
DETECT     Anomalies and Events (DE.AE)                              Partial           Risk Informed
           Security Continuous Monitoring (DE.CM)                    Risk Informed     Repeatable
           Detection Processes (DE.DP)                               Partial           Risk Informed
RESPOND    Response Planning (RS.RP)                                 Repeatable        Adaptive
           Communications (RS.CO)                                    Risk Informed     Repeatable
           Analysis (RS.AN)                                          Partial           Risk Informed
           Mitigation (RS.MI)                                        Risk Informed     Repeatable
           Improvements (RS.IM)                                      Partial           Repeatable
RECOVER    Recovery Planning (RC.RP)                                 Risk Informed     Repeatable
           Improvements (RC.IM)                                      Risk Informed     Repeatable
           Communications (RC.CO)                                    Repeatable        Adaptive
CYBERSECURITY MATURITY LEVELS
– … control maturity is a critical component to consider and take into account when performing a cyber security risk assessment under the Cyber Security Framework.
– … Model Index (CMMI)
Level  Title       Maturity Definition
–      None        The organization’s security program element does not exist in the area being evaluated.
1      Ad-Hoc      The organization’s security program element is undocumented and in a state of dynamic change, with a tendency to be driven in an ad-hoc, uncontrolled, and reactive manner.
2      Repeatable  The organization’s security program element has formalized some repeatable processes, with the potential for consistent results. Program discipline is unlikely to be rigorous, but where it exists it may help to ensure that the program element satisfies requirements.
3      Defined     The organization’s security program element has established a set of defined and documented standard processes that are subject to some degree of improvement over time. These standard processes are in place and used to establish consistency of program element performance across the organization.
4      Managed     The organization’s security program element has established a set of defined and documented processes with capabilities that enable management to effectively control the program element.
5      Optimized   The organization’s security program element has established a set of defined and documented processes that continually improve process performance through incremental and innovative changes.
NIST CSF FRAMEWORK VS. CIS 20 CONTROLS
**Do not expect there to be direct 1:1 relationships and/or mappings between the two frameworks**
**There are going to be gaps between the two frameworks – cue NIST 800-53 R4**
CIS 20 Controls v7.1, by CIS level:
Basic
– Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
– Critical Security Control #2: Inventory of Authorized and Unauthorized Software
– Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
– Critical Security Control #4: Controlled Use of Administrative Privileges
– Critical Security Control #5: Secure Configurations for Hardware and Software
– Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Foundational
– Critical Security Control #7: Email and Web Browser Protections
– Critical Security Control #8: Malware Defenses
– Critical Security Control #9: Limitation and Control of Network Ports
– Critical Security Control #10: Data Recovery Capabilities
– Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
– Critical Security Control #12: Boundary Defense
– Critical Security Control #13: Data Protection
– Critical Security Control #14: Controlled Access Based on the Need to Know
– Critical Security Control #15: Wireless Access Control
– Critical Security Control #16: Account Monitoring and Control
Organizational
– Critical Security Control #17: Implement a Security Awareness and Training Program
– Critical Security Control #18: Application Software Security
– Critical Security Control #19: Incident Response and Management
– Critical Security Control #20: Penetration Tests and Red Team Exercises
Function       Category                                                        CIS 20 v7.1 reference
IDENTIFY (ID)  Asset Management (ID.AM)                                        1.4, 2.1-2.5, 11.2, 12.1-2, 13.1, 15.1, 17.3
               Business Environment (ID.BE)                                    (none shown)
               Governance (ID.GV)                                              19.2
               Risk Assessment (ID.RA)                                         3.1, 3.7
               Risk Management Strategy (ID.RM)                                (none shown)
               Supply Chain Risk Management (ID.SC)                            19.5
PROTECT (PR)   Identity Management, Authentication and Access Control (PR.AC)  1.7-8, 4.1-4.5, 11, 12.12, 14, 15, 16, 20.8
               Awareness and Training (PR.AT)                                  17
               Data Security (PR.DS)                                           1, 2, 6, 13, 14, 15, 18
               Information Protection Processes and Procedures (PR.IP)         5, 7, 8, 9, 10, 11, 12, 15, 19
               Maintenance (PR.MA)                                             12.12
               Protective Technology (PR.PT)                                   4, 6, 8, 10, 13
DETECT (DE)    Anomalies and Events (DE.AE)                                    6, 7, 8, 15
               Security Continuous Monitoring (DE.CM)                          1, 2, 3, 5, 7, 8, 9, 11, 12, 13, 15, 16
               Detection Processes (DE.DP)                                     19
RESPOND (RS)   Response Planning (RS.RP)                                       (none shown)
               Communications (RS.CO)                                          19
               Analysis (RS.AN)                                                6, 18, 19
               Mitigation (RS.MI)                                              3.7
               Improvements (RS.IM)                                            (none shown)
RECOVER (RC)   Recovery Planning (RC.RP)                                       (none shown)
               Improvements (RC.IM)                                            (none shown)
               Communications (RC.CO)                                          (none shown)
CIS 20 AS A STARTING POINT FOR NIST CSF
– … controls and sub-controls will not address all categories of NIST CSF
– … subcategories do not map to all CIS 20 sub-controls
FILLING THE GAP WITH NIST 800-53 R4
– No mention of CIS 20 Controls in the Informative References
– When a CIS 20 control does not map to a NIST CSF sub-category you will need to reference the NIST 800-53 Low-Impact Controls to address the control gap
– Priority and Baseline Allocation: … “control enhancement (2).”
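The sample profile and the CSF-to-CIS mapping tables earlier on this page are the inputs of the "map CIS 20 against NIST CSF, identify gaps" step described here. The following Python is an added example, not code from the presentation, Presidio, CIS or NIST: it transcribes both tables from the deck, expands CIS reference ranges such as 2.1-2.5 and 12.1-2 into individual sub-controls, lists the CSF categories that no CIS reference covers (the gaps the deck says to fill from the NIST 800-53 Low baseline), and ranks every category by how many tiers separate its current and target profile. Two things are this example's own assumptions: reading a category that has no CIS line beneath it in the flattened mapping slide as unmapped, and ordering the tiers None < Partial < Risk Informed < Repeatable < Adaptive.

```python
"""Gap analysis over the deck's sample CSF profile and its CSF-to-CIS mapping.
Added example: not code from the presentation, Presidio, CIS or NIST."""
import re
from typing import Dict, List, Set, Tuple

# NIST CSF implementation tiers, lowest first. "None" is how the deck's
# profile slide marks a category with no current capability (assumed order).
TIERS = ["None", "Partial", "Risk Informed", "Repeatable", "Adaptive"]

# category: (current tier, target tier, CIS v7.1 references) transcribed from
# the deck's profile and mapping slides. Treating a category with no "CIS"
# line beneath it in the flattened slide as unmapped is this example's reading.
CATEGORIES: Dict[str, Tuple[str, str, str]] = {
    "ID.AM": ("Risk Informed", "Repeatable", "1.4,2.1-2.5,11.2,12.1-2,13.1,15.1,17.3"),
    "ID.BE": ("Risk Informed", "Repeatable", ""),
    "ID.GV": ("Risk Informed", "Repeatable", "19.2"),
    "ID.RA": ("Partial", "Risk Informed", "3.1,3.7"),
    "ID.RM": ("Partial", "Repeatable", ""),
    "ID.SC": ("None", "Risk Informed", "19.5"),
    "PR.AC": ("Risk Informed", "Repeatable", "1.7-8,4.1-4.5,11,12.12,14,15,16,20.8"),
    "PR.AT": ("Risk Informed", "Repeatable", "17"),
    "PR.DS": ("Risk Informed", "Repeatable", "1,2,6,13,14,15,18"),
    "PR.IP": ("Partial", "Risk Informed", "5,7,8,9,10,11,12,15,19"),
    "PR.MA": ("Partial", "Repeatable", "12.12"),
    "PR.PT": ("Risk Informed", "Repeatable", "4,6,8,10,13"),
    "DE.AE": ("Partial", "Risk Informed", "6,7,8,15"),
    "DE.CM": ("Risk Informed", "Repeatable", "1,2,3,5,7,8,9,11,12,13,15,16"),
    "DE.DP": ("Partial", "Risk Informed", "19"),
    "RS.RP": ("Repeatable", "Adaptive", ""),
    "RS.CO": ("Risk Informed", "Repeatable", "19"),
    "RS.AN": ("Partial", "Risk Informed", "6,18,19"),
    "RS.MI": ("Risk Informed", "Repeatable", "3.7"),
    "RS.IM": ("Partial", "Repeatable", ""),
    "RC.RP": ("Risk Informed", "Repeatable", ""),
    "RC.IM": ("Risk Informed", "Repeatable", ""),
    "RC.CO": ("Repeatable", "Adaptive", ""),
}


def parse_cis_refs(spec: str) -> Set[str]:
    """Expand '1.4,2.1-2.5,11,12.1-2' into single references. A bare number is
    a whole control, 'c.n' a sub-control; 'c.a-c.b' and 'c.a-b' are inclusive
    ranges within one control."""
    refs: Set[str] = set()
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        if m := re.fullmatch(r"(\d+)\.(\d+)-(?:(\d+)\.)?(\d+)", token):
            ctrl, lo, ctrl2, hi = m.groups()
            if ctrl2 not in (None, ctrl):
                raise ValueError(f"range spans two controls: {token}")
            refs.update(f"{ctrl}.{n}" for n in range(int(lo), int(hi) + 1))
        elif re.fullmatch(r"\d+(?:\.\d+)?", token):
            refs.add(token)
        else:
            raise ValueError(f"unrecognised CIS reference: {token!r}")
    return refs


def csf_categories_without_cis(cats=CATEGORIES) -> List[str]:
    """Categories no CIS reference maps to: the gaps the deck says must be
    closed from the NIST 800-53 Low baseline instead."""
    return [c for c, (_, _, spec) in cats.items() if not parse_cis_refs(spec)]


def coverage_by_function(cats=CATEGORIES) -> Dict[str, Tuple[int, int]]:
    """(mapped, total) category counts per CSF function: ID, PR, DE, RS, RC."""
    counts: Dict[str, List[int]] = {}
    for cat, (_, _, spec) in cats.items():
        pair = counts.setdefault(cat.split(".")[0], [0, 0])
        pair[0] += bool(parse_cis_refs(spec))
        pair[1] += 1
    return {fn: (m, t) for fn, (m, t) in counts.items()}


def tier_gap(current: str, target: str) -> int:
    """Tiers between current and target; negative means target is below current."""
    return TIERS.index(target) - TIERS.index(current)


def prioritised_backlog(cats=CATEGORIES) -> List[dict]:
    """Categories with a positive tier gap, largest gap first, each tagged with
    the CIS references that address it, or with 800-53 when none do."""
    items = []
    for cat, (cur, tgt, spec) in cats.items():
        gap = tier_gap(cur, tgt)
        if gap <= 0:
            continue
        refs = sorted(parse_cis_refs(spec), key=lambda r: tuple(map(int, r.split("."))))
        items.append({"category": cat, "tier_gap": gap, "cis_refs": refs,
                      "source": "CIS 20" if refs else "NIST 800-53 Low"})
    return sorted(items, key=lambda i: (-i["tier_gap"], i["category"]))


if __name__ == "__main__":
    print("unmapped CSF categories:", csf_categories_without_cis())
    print("coverage per function:", coverage_by_function())
    for item in prioritised_backlog():
        print(item)
```

Run as a script it reports seven unmapped categories (ID.BE, ID.RM, RS.RP, RS.IM, RC.RP, RC.IM, RC.CO), zero CIS coverage for the whole RECOVER function, and a backlog led by the four categories that sit two tiers from their target (ID.RM, ID.SC, PR.MA, RS.IM). As the deck notes, tiers are not maturity levels, so the tier gap is a prioritisation signal for the risk committee, not a CMMI score.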
FILLING THE GAP WITH NIST 800-53 R4
NIST 800-53 R4 QUICK GLANCE
– Low Impact – this should be the starting point for K-12
– Moderate Impact
– High Impact
– … NIST CSF sub-categories
Control families:
ID  Family
AC  Access Control
AT  Awareness and Training
AU  Audit and Accountability
CA  Security Assessment and Authorization
CM  Configuration Management
CP  Contingency Planning
IA  Identification and Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical and Environmental Protection
PL  Planning
PS  Personnel Security
RA  Risk Assessment
SA  System and Services Acquisition
SC  System and Communications Protection
SI  System and Information Integrity
PM  Program Management
– Over 1,000 controls – 115 controls for Low Impact
WHERE DO WE GO NOW?
– Risk Prioritization & Treatment
– NIST CSF Gap Analysis
– Implementation **A risk assessment can be bundled and conducted in parallel if desired**
– Information Security Policy Development and Implementation
– CIS 20 Assessment
– Strategic Risk Committee
– Security Strategy and Charter
  – Obtain executive commitment & sponsorship for building the security program
  – Understanding of the District’s vision, mission, objectives, & priorities
  – Develop & assign Information Security roles, responsibilities, and authorities
  – Develop a District-wide aggregate list of security requirements
– … mission & objectives
– Continuous Program Monitoring – … district needs, address the evolving threat landscape, and align to NIST CSF/CIS 20
SECURE DESIGN PRINCIPLES – LEVERAGING NIST CSF
– Identify all the elements which compose your system(s), so your defensive measures provide maximum visibility
– Design your system so you can spot suspicious activity as it happens and take necessary action
– An attacker can only target the parts of a system they can reach. Make your system as difficult to penetrate as possible
– Design a system that is resilient to denial of service attacks and usage spikes
– If an attacker succeeds in gaining a foothold, they will then move to exploit your system. Make this as difficult as possible
ADDITIONAL RESOURCES & FREE TOOLS
– https://www.nist.gov/cyberframework
– https://www.us-cert.gov/resources/academia
– https://www.cosn.org/cybersecurity
– https://www.cosn.org/sites/default/files/2017%20Cybersecurity%20rubric.pdf
– https://www.us-cert.gov/resources/ncats
– https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view
– https://k12cybersecure.com/
– https://www.ic3.gov/default.aspx
– https://www.fbi.gov/investigate/cyber
– https://staysafeonline.org/stay-safe-online/
– https://www.dhs.gov/topic/cybersecurity
THREAT GROUPS: AT A GLANCE
– Nation State
– Hacktivists
– Organized Crime
– Cyber Terrorists
– Insider Threat
– Script Kiddie
TOP CYBER INCIDENTS AND THREATS AFFECTING K-12
1. Data Breaches
   – Unauthorized disclosure: …
   – Unauthorized access: …
   – 60% of breaches included student data; 46% of breaches included data about current and former staff
2. Ransomware
   – 5+ school districts around the country close doors
   – Pay ransom?
   – Re-build, re-architect, refresh?
3. Email origin threats
   – Phishing Campaigns
   – Business Email Compromise (BEC)
K-12 PUBLIC CYBER SECURITY INCIDENTS
2016 …
– … breaches, disclosure of personal information, etc.
– … resulting in unauthorized information disclosure
EDUCATION TECHNOLOGY RISKS
FBI: “The US school systems’ rapid growth of education technologies (EdTech) and widespread collection of student data could have privacy and safety implications if compromised or exploited.”
“Malicious use of this sensitive data could result in: social engineering, bullying, tracking, identity theft, or other means for targeting children”
SOCIAL ENGINEERING: THE ART OF MANIPULATING PEOPLE TO GIVE UP INFORMATION
Only amateurs attack machines; professionals target people
SOCIAL ENGINEERING AND SOCIAL MEDIA
– Stolen passwords, simple passwords
– 15% of Americans use social media to report when they have left the home*
LET’S GO PHISHING!
– … multiple industries that have also spread to education, with 91 percent of cyberattacks starting with a phishing email.
– … may also come from social media or SMS. Attackers will send an email that appears to be from an authoritative source, or from someone the user knows personally, asking users to send along sensitive information or to enter their login credentials on a fake …
– “… targets, and 12 percent of those users click on the malicious attachment.”
BUSINESS EMAIL COMPROMISE (BEC)
– Phishing email designed to redirect large payments from legitimate school contractors/partners to a criminal account.
– This has resulted in the theft of millions of taxpayer dollars
– The largest theft recorded for K-12 occurred in 2018
– An important observation is that about 60% of BEC attacks do not involve a link in an email:
  – The attack is typically a plain-text email intended to fool the recipient into committing a wire transfer or sending sensitive information.
  – Difficult for existing email security systems to detect
– … $375 million in 2016 – $675 million in 2017 – $1 billion estimated in 2018
RANSOMWARE
– … a user’s important files and documents (including network files), making them unreadable until a ransom is paid
– … businesses, education and individuals.
– … for weeks!
– … bitcoin for anonymity
– Decision to pay the ransom is seldom the right choice
– … $325 million in 2015 – $5 billion in damages for 2017 – $7.5 billion estimated in 2019
BASIC INFORMATION SECURITY HYGIENE
– … for personal as well as business.
– User Awareness Training
– Patching and Maintenance – … software
– Backup and Recovery – … backed up regularly
– Strengthen Authentication – … and/or public-facing systems
– Account Permissions / Active Directory Security
– Secure Configurations – … (ex. CIS)
– Perimeter Security – “Next Generation Firewall”
– Perimeter Security – Email Security – … Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM)
– Endpoint Security – … threats
– Network Segmentation – … users to critical systems
– Monitoring – … events, ideally automate response actions
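The email security item above names DMARC and DKIM, the controls that stop the spoofed "from the superintendent" mail behind the phishing and BEC cases described earlier. As an added example (not from the presentation or from any vendor), the Python below checks SPF and DMARC TXT records, the two that can be judged from the record text alone, for the weak settings that leave a district domain spoofable, and puts a weak pair of records beside a hardened pair. The records are constructed for the reserved documentation domain example.org and are not looked up from DNS; DKIM is not evaluated because that needs the signing key and a signed message; the limit of ten DNS-lookup terms comes from RFC 7208.

```python
"""Check SPF and DMARC TXT records for the weak settings that leave a domain
open to spoofing. Added example, not from the presentation; the records are
constructed for the reserved documentation domain example.org, not looked
up from DNS. DKIM is not checked here (that needs the signing key and a
signed message)."""
import re
from typing import Dict, List

# Constructed sample records: a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mail.example.org +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.mail.example.org -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.org")

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record: str) -> List[str]:
    """Weaknesses in an SPF record; an empty list means none were found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings: List[str] = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises any host: SPF gives no protection")
    elif last == "?all":
        findings.append("'?all' is neutral: unknown senders are neither passed nor failed")
    elif last == "~all":
        findings.append("'~all' softfail: only effective with DMARC enforcing alignment")
    elif last != "-all":
        findings.append("no trailing 'all' mechanism: unmatched senders default to neutral")
    # The mechanism name is the token before any ':', '/' or '=' argument.
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() in _LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def dmarc_findings(record: str) -> List[str]:
    """Weaknesses in a DMARC record; an empty list means none were found."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"unknown policy p={policy}")
    pct = tags.get("pct", "100")          # default is 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports are not collected, so abuse goes unseen")
    return findings


def assess_domain(spf: str, dmarc: str) -> Dict[str, List[str]]:
    """Combine both checks; a hardened domain returns empty lists for both."""
    return {"spf": spf_findings(spf), "dmarc": dmarc_findings(dmarc)}


if __name__ == "__main__":
    for label, pair in {"weak": (WEAK_SPF, WEAK_DMARC),
                        "hardened": (STRONG_SPF, STRONG_DMARC)}.items():
        print(label, assess_domain(*pair))
```

Against the constructed weak pair the script reports one SPF finding (`+all`) and three DMARC findings (monitor-only policy, partial `pct`, no aggregate reporting address); the hardened pair returns empty lists. A district rolling DMARC out would normally start at `p=none` with `rua` set, read the reports for a few weeks to find legitimate senders, and only then move to `quarantine` and `reject`, so the `p=none` finding is a to-do item rather than a misconfiguration on day one.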
NIST CSF ADOPTION ACTION PLAN
➢ Report on written policy adherence, control implementation, level of automation (measuring and implementing) and reporting
➢ Map CIS 20 implementation against NIST CSF
➢ Identify gaps