Nassau County BOCES BUILDING AN INFORMATION SECURITY PROGRAM WITH CIS 20 AND NIST CSF MARCH 13, 2020 Adaptive Security
AGENDA • Introductions • Presidio Cyber Security Practice Overview • Why are we here? • Common District Cyber Challenges • Framework Overview • Critical Security Controls – CIS 20 • NIST Cyber Security Framework • Relationship of CIS 20 to NIST CSF • Adoption Plan and Recommendations
PRESIDIO CYBER SECURITY TEAM Information Security Pete Insall, Managing Consultant, Architecture Practice CISSP, SABSA Security Architect- Foundation, CCNP, PCNSE Technical Assessment About me: – 7+ years @ Presidio Infrastructure Security • Security Architect • Sr. Security Solutions Architect – 12+ years as Security Engineer • Insurance • Business Process Outsourcing Engagement and Operations Management • High-Tech – 6 years in the US Navy – Submariner • Radiation Protection and Nuclear Chemistry Technician (ELT)
PRESIDIO CYBER SECURITY TEAM Information Security Dustin Harriman , Managing Consultant, ISG/GRC Practice CISSP, ISO/IEC 27001 LI, CPT, CEH, CNDA Technical Assessment About me: – 7+ years @ Presidio Infrastructure Security • Penetration Testing • Governance Risk and Compliance – 8.5 years in Army • 5.5 years in Artillery Engagement and Operations Management • 3 years IT / Army Red Team – InfraGuard Member
CYBER SECURITY CAPABILITIES Adaptive Security Adaptive Adaptive Adaptive Adaptive SecOps Strategy Architecture Testing • Baseline Assessments • Security Strategy • Engagement Management • Architecture Consulting • Penetration Testing • Compliance & Gap Analysis • Reporting – Security Architecture • Red Team – HIPAA Security Rule • Managed Security Services ▪ Cloud and IoT • Red/Blue (Purple) – PCI DSS • Remediation Services – Firewall Analysis • Application Security Assessment – CMMC / NIST 800-171 • Security Controls – Device Hardening • Mobile Application Assessment Implementation – SSAE 18 SOC II – Segmentation Workshop • Staff Augmentation • On-Demand and Quarterly • Policy and Standards Dev – Active Directory Analysis Testing • Incident Response • GDPR, CCPA, State Privacy – PKI Architecture • Social Engineering Assessment • NIST CSF/800-53 • Security Analysis • Architecture Design • ISO 27001 Program Dev • M&A Testing • Architecture Implementation • IR/IH Program Dev & TTX • CIS 20 Controls
PRESIDIO CYBER FRAMEWORK SERVICES ❑ Security Program Assessment • Looks at the structure and enforcement of the information security management program, and evaluates it for both the maturity of the process and the risk to the organization. Presidio will map these levels using the NIST CSF (or other customer defined framework ❑ NIST CSF Assessment • Analyzes an organization’s alignment with the NIST CSF Framework: Framework Core, Implementation Tiers and Framework profile ❑ Security Architecture Analysis • A series of workshops with key stakeholders to review current IT initiatives and overall security architecture elements. Spot configuration reviews verify some workshop findings. NIST CSF and CIS 20 controls are leveraged in the analysis. ❑ CIS 20 Assessment • An assessment of an organization’s implementation of the CIS controls based on the appropriate Implementation Group level for the particular organization. Includes interviews, reviews of documentation and policies, and spot validation of control state and maturity for a subset of sub-controls. ❑ Ransomware Defense Assessment • Analyzes an organization’s ability to prevent, detect, respond and recover from Ransomware attacks based on (10) key areas critical for ransomware defense. Includes sample vulnerability testing.
WHY ARE WE HERE? • The Public Education Sector (K-12) Threat Landscape is evolving rapidly and security efforts need to be at the forefront of protecting district technology assets, infrastructure, people, and students. • Mandatory Education Law 2-D Requirements Enforcement • NY State Office of Information Technology Services strongly recommends the CIS 20 – Applied as the mechanism for implementing controls within the IT organization • NY State Privacy Office recommends NIST CSF – Applied to address Privacy concerns and build a district wide security strategy and defensible security program • Proposed Part 121 Updates Published January 31 st in the State Register – – SED will continue to work with workgroup and stakeholders to develop resources for implementation
TODAY’S CYBER SECURITY CHALLENGES IN EDUCATION Attack Vectors Disruption Technology Organization Issues Board Funding Issue Resource Where do Shortage Risks Data I start? Compliance Culture Visibility I Don’t Know What I Don’t Know Everything is Digital!
COMMON CYBER ATTACK METHODOLOGY • More commonly referred as the Cyber Kill Chain • Concept was derived from the military • 7 Core Phases • Blue team goal = Detect and disrupt • Early detection is critical • Implement Defense in Depth • NOT a linear model • Ability to break one link in the overall chain increases chances of stopping attack • Majority of organizations don’t detect compromise until data extraction or exfil occur
COMMON DISTRICT CHALLENGES & INFLUENCERS • Federal, State, Local, & Contractual Requirements – FERPA - Family Educations Rights and Privacy Act – CIPA – Children’s Internet Protection Act – COPPA – Children’s Online Privacy Protection Rule – PPRA – Protection of Pupil Rights Amendment – K-12 Cybersecurity Act of 2019 – Part 121 of the Regulations of the Commissioner – New York State Education Law 2-D • Tradition Education Culture = Security not a Primary Focus • Lack of budget dedicated to security resources – People, Process, & Technology • Antiquated infrastructure & devices • Poor Security Awareness & Education – Administration, Staff, Faculty, Support Staff, etc. have access to SENSITIVE data
WHAT DATA ARE WE PROTECTING AGAINST? The below is a combination of what FERPA and COPPA determine to be Protected Information • • Educational Information Directory Information / Personally Identifiable Information (PII) – “Records, files, documents, and other materials – Student’s First & Last Name maintained by an education agency or institution or by a person acting for such agency or – Parent’s Names institution…” – Date of Birth • Student Transcripts – Physical Addresses • GPA – Telephone Numbers • Grades – Student ID Number • Social Security Numbers – Online contact info (i.e. email) • Academic Evaluations – Persistent Identifiers (cookies, IP Addresses, device serial • Psychological Evaluations numbers, unique device identifier) – Digital Content containing child’s image/voice – Geological information that can be tied to an address • Ex: Latitude & Longitude
Security Frameworks
WHAT ARE FRAMEWORKS? • Security Frameworks are designed to act as an organizational blueprint for building a defensible information security program to manage organizational risk and known vulnerabilities. • Frameworks enable organizations to align security requirements to business goals and objectives, define and prioritize resources to address security risks, and integrate security into all aspects of the organization • • Examples of Risk Management Frameworks : Examples of common Security Program Frameworks : – ISO 27005 – ISO/IEC 27000 Series (Internationally recognized in – NIST 800-30 over 160+ countries) – FAIR – NIST Cybersecurity Framework (NIST CSF) – COBIT • Examples of Standards, Compliance, Privacy – COSO – NIST 800-53 R4 – HIPAA Security Rule – • PCI DSS 3.2 Examples of Control Frameworks : – GDPR – CIS 20 – CCPA – HITRUST CSF – NIST 800-171 – SSAE 18 SOC I & SOC II
CRITICAL SECURITY CONTROLS • What are the Critical Security Controls? – “ The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks” . – Created in 2008 by the NSA to prioritize Cybersecurity controls based on attack methods and frequency • How many are there? – As of the current version 7.1: there are 20 major controls, with 171 total sub-controls. • What are they based on? – Derived from the most common attack patterns in leading threat reports and vetted across a very broad community of government and industry security practitioners for most effective defenses. • Why use them? – They prioritize and focus a smaller number of actions for improved Cybersecurity posture. From the California Breach Report 2016 : https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf http://cissecurity.org/critical-security-controls /
Recommend
More recommend
