Cybersecurity and the NIST Framework
David Raucher
Director of IT Engineering
© CHR Solutions. All Rights Reserved.
How big is this issue of Cybersecurity?
• The days of Matthew Broderick in War Games hacking for fun are over (1983)
• Hacking is now big business – the World Economic Forum’s 2016 Global Risks Report estimates crimes in cyberspace will cost the global economy $445 billion in 2016
• According to a new report by Hewlett Packard and the U.S.-based Ponemon Institute of Cyber Crime, hacking attacks cost the average American firm $15.4 million per year, double the global average of $7.7 million. – CNN Money
• March 2016 – National Bank of Bangladesh is hacked for $100 million in a very sophisticated operation
One week of Cyber Attack Reports
Columns: ID, Date, Author, Target, Description, Attack, Target Class, Attack Class, Country, Link, Tags
• ID 1 – 16/02/2016 – Author: ? – Target: Spotify
  – Description: Hundreds of Spotify Premium account details are compromised and leaked online by an unknown hacker. A number of separate data dumps containing email addresses, passwords, account types and renewal dates appear online.
  – Attack: Brute Force? – Target Class: Industry: Music Streaming – Attack Class: CC – Country: RU
  – Link: http://www.ibtimes.co.uk/spotify-premiumhack-leaked-data-exposes-hundredscompromised-account-details-1544845 – Tags: Spotify
• ID 2 – 16/02/2016 – Author: ? – Target: Kankakee Valley REMC
  – Description: Kankakee Valley REMC falls victim to a possible breach, due to the access of a storage device on the cooperative's network from a foreign IP.
  – Attack: Unknown – Target Class: Industry: Utility – Attack Class: CC – Country: US
  – Link: http://www.chicagotribune.com/suburbs/post-tribune/news/ct-ptb-remc-computer-breach-st0217-20160216-story.html – Tags: Kankakee Valley REMC
• ID 3 – 16/02/2016 – Author: ? – Target: 4,000 confidential records of police officers, lawyers and judges
  – Description: About 4,000 confidential records, the purported home addresses of police officers, lawyers, and judges, are published on the website PBSOTalk.com.
  – Attack: Unknown – Target Class: Law Enforcement – Attack Class: CC – Country: US
  – Link: http://www.browardpalmbeach.com/news/hackers-post-confidential-records-of-4-000-palmbeach-county-cops-prosecutors-and-judges7589158 – Tags: PBSOTalk.com
• ID 31 – 29/02/2016 – Author: ? – Target: Israeli Banks' Customers
  – Description: Kaspersky Lab reveal the details of ATMZombie, a sophisticated trojan targeting Israeli customers, characterized by the ability to exploit a loophole in one of the bank’s online features, and later by physically withdrawing money from the ATM.
  – Attack: Malware – Target Class: Finance – Attack Class: CC – Country: IL
  – Link: https://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israeli-waters/ – Tags: Kaspersky Labs, ATMZombie
• ID 32 – 29/02/2016 – Author: ? – Target: Mate1.com
  – Description: A hacker on the dark web forum Hell claims to have sold the email addresses and plaintext passwords of over 27 million users of dating site Mate1.com.
  – Attack: SQLi – Target Class: Dating – Attack Class: CC – Country: CA
  – Link: http://motherboard.vice.com/read/hackerclaims-to-have-sold-27m-dating-site-passwordsmate1-com-hell-forum – Tags: Mate1.com
Infrastructure Risks
• March 9, 2016 – A new report gives a stark warning that ransomware will “wreak havoc on America’s critical infrastructure community” in 2016. The report was published by the Institute for Critical Infrastructure Technology (ICIT).
• March 9, 2016 – Clark County Water Reclamation District – Multiple sources told the Las Vegas Review Journal that the agency’s computers were hit with ransomware.
Ransom Costs
• The United States puts the average cost for each lost or stolen record at $201, and the total average 2014 cost paid by organizations at $5.9 million for each data breach, up from $5.4 million in 2013
Industry Insights
• Through Cisco’s scanning and analysis, we found that 106,000 of the 115,000 devices had known vulnerabilities in the software they were running. That means 92 percent of the Cisco devices on the Internet in our sample are susceptible to known vulnerabilities.
• Cisco discovered that many of the infrastructure devices we analyzed had reached their last day of support (LDoS)—meaning they cannot be updated and made more secure. These devices are not even receiving patches for known vulnerabilities.
Gauging Security Maturity
A Look Forward
• 68% of the respondents to our study identified malware as the top external security challenge that their organization faces. Phishing and advanced persistent threats rounded out the top three responses—at 54% and 43%, respectively.
• As for internal security challenges, more than half (54%) of our respondents cited malicious software downloads as the top threat, followed by internal security breaches by employees (47%), and hardware and software vulnerabilities (46%).
GET STARTED NOW
We have to acknowledge that in this current landscape everyone is vulnerable and every network is a potential target; at the same time we have to acknowledge that time, money, and resources are limited. How do we create a reasonable balance, and how do we get started now?
1. UNDERSTAND THE THREAT
To start addressing your network security, the first step is to identify the threat.
Content Security
• Two main threat vectors into your network are:
  1) Email – spam makes up 86% of all email traffic
  2) Web – botnets and servers “serving” up malware
• Email Security: anti-spam, anti-virus, anti-phishing, encryption, etc.
• Web Security: URL/web filtering of gaming, porn, social networking, DNS protection, etc.
DDoS: Distributed Denial of Service
[Diagram: a botnet sends DDoS traffic alongside legitimate traffic across the Internet into your network and on to your customers; the impact is felt at both]
How much will downtime cost your business?
Three Types of Attacks:
1. Volumetric
2. State Exhausting
3. Application
… or a combination
Impact (To You and Your Customers):
• Availability of network and services.
• Operational cost to mitigate attack.
• Lost revenue and profitability.
• Unwanted media attention and tarnished brand/reputation.
• Fees/Fines.
Arbor Networks 10th Annual Worldwide Infrastructure Security Report
Leading Mitigation Providers are: Arbor, Radware, etc.
Why Add Security at the DNS Layer?
[Diagram: client → Recursive DNS → IP; the recursive resolver is the enforcement point]
• 91.3% of malware use DNS (2016 Cisco Annual Security Report)
• 68% of organizations don’t monitor it
• Up to 91% of Command and Control can be blocked at the DNS layer
• Options include: Zscaler, Websense, and OpenDNS.
• Some solutions can be implemented in 30 min
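The slide's point is that a recursive resolver is a cheap enforcement and monitoring point: if the malware has to resolve its command-and-control name, the resolver can refuse to answer and record who asked. The following is an added example written for this page (not code from the presentation or from any of the vendors named above): a resolver-side policy check run over constructed query-log lines, with a constructed blocklist, an RFC 5737 documentation address as the sinkhole answer, and a per-client tally of blocked queries, which is the list of hosts to investigate first.

```python
"""Resolver-side DNS policy check over constructed query log lines.
Added example for this page; not code from the slides or any product."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: one query per line, "<time> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
10:00:01 10.1.8.3 www.example.com A
10:00:02 10.1.8.3 updates.example-vendor.net A
10:00:03 10.1.8.7 c2.example-bad.test A
10:00:04 10.1.8.3 beacon.example-bad.test TXT
10:00:05 10.1.8.9 mail.example.com MX
10:00:06 10.1.8.7 c2.example-bad.test A
"""

# Constructed blocklist of domains the resolver must not resolve. A real
# deployment feeds this from a threat-intelligence source (assumption).
BLOCKLIST = {"example-bad.test"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address used as the sinkhole answer


@dataclass
class Verdict:
    client: str
    qname: str
    action: str   # "allow" or "sinkhole"
    answer: str   # sinkhole address, or "" when forwarded upstream normally


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname equals, or is a subdomain of, any blocklisted domain.
    Case-insensitive; a trailing dot (FQDN form) is tolerated."""
    labels = qname.lower().rstrip(".").split(".")
    # Check every suffix: "beacon.example-bad.test", "example-bad.test", "test"
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve_policy(client: str, qname: str) -> Verdict:
    """Policy decision for one query: answer with the sinkhole or allow."""
    if is_blocked(qname):
        return Verdict(client, qname, "sinkhole", SINKHOLE_IP)
    return Verdict(client, qname, "allow", "")


def analyze_dns_log(text: str) -> list:
    """Replay a query log through the policy; malformed lines are skipped."""
    verdicts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, client, qname, _ = m.groups()
        verdicts.append(resolve_policy(client, qname))
    return verdicts


def blocked_clients(verdicts) -> Counter:
    """Sinkholed queries per client: the hosts to look at first."""
    return Counter(v.client for v in verdicts if v.action == "sinkhole")


if __name__ == "__main__":
    results = analyze_dns_log(SAMPLE_DNS_LOG)
    for v in results:
        print(f"{v.client:10} {v.qname:30} {v.action}")
    print("blocked per client:", dict(blocked_clients(results)))
```

Suffix matching matters: blocking only the exact name `c2.example-bad.test` would miss `beacon.example-bad.test`, so the check walks every parent domain of the queried name. The per-client counter is the monitoring half of the slide's argument; the 68% of organizations that do not monitor DNS would never see that 10.1.8.7 asked for the blocked name twice.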
Identity-Network Access Control
Baseline: RADIUS or TACACS for AAA (Authentication/Authorization/Accounting) and 802.1x
[Diagram labels: Guest Access, BYOD, Secure Access; Wired, Wireless, VPN]
Intelligent cyber security policy and segmentation is impractical without real threat context in today’s security landscape:
- Who are you? Barb
- What device? BYOD or Corporate Endpoint
- Where are you? Building 200, 1st Floor Lobby
- When? 11:00 AM CST on April 10th
- How? Wired, Wireless, or VPN
Solutions include: Open Source, ForeScout, ISE, etc.
Dynamic Segmentation Options: VLANs, DACLs, etc.
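The who/what/where/when/how questions on the slide are the inputs to a segmentation decision. The following is an added example written for this page (not the slides' own material and not any NAC product's policy language): a small rule evaluator that maps an access context to a dynamic VLAN and downloadable ACL name, the kind of attributes a RADIUS server returns after 802.1x authentication. The VLAN numbers, ACL names, group names, business-hours window and the sample contexts other than the slide's "Barb" are constructed.

```python
"""Context-based network access decision (who / what / where / when / how
-> dynamic VLAN + DACL). Added example for this page; rules, VLAN numbers and
ACL names are constructed, not taken from the slides or any product."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class AccessContext:
    user: str        # Who are you?  (identity from 802.1x / RADIUS)
    group: str       # "employee", "contractor" or "guest"
    device: str      # What device? "corporate" or "byod"
    location: str    # Where?  e.g. "Building 200, 1st Floor Lobby"
    when: datetime   # When?
    method: str      # How?   "wired", "wireless" or "vpn"


@dataclass(frozen=True)
class Decision:
    action: str            # "permit" or "deny"
    vlan: Optional[int]    # dynamic VLAN pushed via RADIUS attributes
    dacl: Optional[str]    # downloadable ACL name applied to the port/session


BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed window for contractor access


def in_business_hours(when: datetime) -> bool:
    return BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]


def decide(ctx: AccessContext) -> Decision:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    if ctx.group == "employee" and ctx.device == "corporate":
        return Decision("permit", vlan=100, dacl="CORP-FULL")
    if ctx.group == "employee" and ctx.device == "byod":
        # Personal devices get internet plus a restricted set of internal services
        return Decision("permit", vlan=120, dacl="BYOD-RESTRICTED")
    if (ctx.group == "contractor" and ctx.device == "corporate"
            and in_business_hours(ctx.when) and ctx.method != "vpn"):
        # Contractors: managed device, on site, during business hours only
        return Decision("permit", vlan=130, dacl="CONTRACTOR-LIMITED")
    if ctx.group == "guest" and ctx.method == "wireless":
        return Decision("permit", vlan=900, dacl="GUEST-INTERNET-ONLY")
    return Decision("deny", None, None)


# Constructed sample contexts; "barb_byod_wifi" mirrors the slide's example.
SAMPLES = {
    "barb_byod_wifi": AccessContext("Barb", "employee", "byod",
                                    "Building 200, 1st Floor Lobby",
                                    datetime(2016, 4, 10, 11, 0), "wireless"),
    "employee_corp_vpn": AccessContext("Barb", "employee", "corporate",
                                       "remote", datetime(2016, 4, 10, 21, 0), "vpn"),
    "contractor_day": AccessContext("Ravi", "contractor", "corporate",
                                    "Building 200, 3rd Floor",
                                    datetime(2016, 4, 11, 10, 30), "wired"),
    "contractor_night": AccessContext("Ravi", "contractor", "corporate",
                                      "Building 200, 3rd Floor",
                                      datetime(2016, 4, 11, 23, 15), "wired"),
    "guest_wired": AccessContext("visitor", "guest", "byod",
                                 "Building 200, 1st Floor Lobby",
                                 datetime(2016, 4, 10, 11, 0), "wired"),
}


if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        d = decide(ctx)
        print(f"{name:18} -> {d.action:6} vlan={d.vlan} dacl={d.dacl}")
```

The ordering of the rules is the policy: the same person (Barb) lands in VLAN 100 on a corporate endpoint and in VLAN 120 on her own device, a contractor on a wired port at 23:15 falls through to the default deny, and a guest plugging into a wired port is refused because the guest rule only exists for wireless. Location is carried in the context so a later rule can use it, for example to confine lobby ports to guest VLANs, but no such rule is asserted here.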
The Problem with Legacy Firewalls and IPS
Focus on the Apps… …but miss the threat
[Diagram: a stream of packet bytes passes through the device; the basic IPS signature is not matched]
Legacy FWs can reduce attack surface area, but advanced malware, APT, and polymorphic attacks often evade security controls.
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
2. ADDRESSING THE THREAT
How do we protect our networks?
NGFW (Next Generation Firewall)
When choosing a NGFW vendor – look for high efficacy
[Diagram: NGFW component blocks]
• Clustering & High Availability
• Network Firewall
• Routing | Switching
• Intrusion Prevention (IPS)
• Application Visibility & Control
• Management, Analytics & Automation
• Advanced Threat Protection – File Visibility and Control
• URL Filtering
• Built-in Network Profiling
• Identity-Policy Control and VPN
NGIPS (Intrusion Prevention System)
Deeper packet inspection instead of header information only: decisions are made on the application rather than on IP address or port.
Deny applications based on two roles: “user-defined” or “signature-based”.
Source: Cisco Live! BRKSEC-1030 San Diego 2015
Visibility Through NetFlow
[Diagram: packets between 10.1.8.3 and 172.168.134.2 cross switches, routers and the Internet; flow information is exported to the Flow Collector]
NetFlow provides:
• Trace of every conversation in your network
• Ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to SPAN-based traffic analysis
• Indicators of Compromise (IOC)
• Security Group Information
Flow Collector:
• Gathers information on flows in your network
• Benchmark, track, and investigate flow anomalies
• Increased traffic flows are indications of breach
Example flow record:
SOURCE ADDRESS: 10.1.8.3
DESTINATION ADDRESS: 172.168.134.2
SOURCE PORT: 47321
DESTINATION PORT: 443
INTERFACE: Gi0/0/0
IP TOS: 0x00
IP PROTOCOL: 6
NEXT HOP: 172.168.25.1
TCP FLAGS: 0x1A
SOURCE SGT: 100
APPLICATION NAME: NBAR SECUREHTTP
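The flow record above is what a collector receives; the slide's "benchmark, track, and investigate flow anomalies" is what it has to do with thousands of them. The following is an added example written for this page (not code from the presentation or any flow-collection product): it parses a constructed CSV export whose fields mirror the record on the slide, separates north-south from east-west conversations using an assumed internal address space of 10.0.0.0/8, flags a source whose outbound byte count is far above the median (the "increased traffic flows" heuristic) and flags an internal host fanning out to several internal peers on one port (an east-west pattern worth investigating). The thresholds are assumptions.

```python
"""Flow-record parsing and two simple anomaly checks over constructed
NetFlow-style records. Added example for this page; not code from the slides."""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Assumed internal address space; adjust to the real deployment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample export. The first row mirrors the record on the slide.
SAMPLE_FLOWS = """\
src,dst,sport,dport,proto,bytes,packets
10.1.8.3,172.168.134.2,47321,443,6,5200,14
10.1.8.3,172.168.134.2,47322,443,6,4800,12
10.1.8.5,10.1.9.20,52010,445,6,3100,9
10.1.8.7,10.1.9.20,52011,22,6,900,6
10.1.8.7,10.1.9.21,52012,22,6,800,5
10.1.8.7,10.1.9.22,52013,22,6,850,5
10.1.8.7,10.1.9.23,52014,22,6,820,5
10.1.8.9,198.51.100.10,50001,443,6,260000,1900
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """CSV export -> list of dicts with numeric fields converted."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "src": r["src"], "dst": r["dst"],
            "sport": int(r["sport"]), "dport": int(r["dport"]),
            "proto": int(r["proto"]), "bytes": int(r["bytes"]),
            "packets": int(r["packets"]),
        })
    return rows


def classify_direction(flow: dict) -> str:
    """east-west when both ends are internal, north-south otherwise."""
    both_internal = is_internal(flow["src"]) and is_internal(flow["dst"])
    return "east-west" if both_internal else "north-south"


def bytes_per_source(flows) -> dict:
    total = defaultdict(int)
    for f in flows:
        total[f["src"]] += f["bytes"]
    return dict(total)


def volume_anomalies(flows, factor: float = 5.0) -> list:
    """Sources whose outbound bytes exceed factor x the median of all sources:
    the slide's 'increased traffic flows are indications of breach' heuristic.
    A real collector would compare against a per-host historical baseline."""
    totals = bytes_per_source(flows)
    values = sorted(totals.values())
    median = values[len(values) // 2]
    return sorted(src for src, b in totals.items() if b > factor * median)


def lateral_fanout(flows, min_hosts: int = 3) -> list:
    """Internal sources talking to at least min_hosts distinct internal
    destinations on the same port: an east-west spread worth a look."""
    peers = defaultdict(set)
    for f in flows:
        if classify_direction(f) == "east-west":
            peers[(f["src"], f["dport"])].add(f["dst"])
    return sorted(key for key, hosts in peers.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in flows:
        print(classify_direction(f), f["src"], "->", f["dst"], f["dport"], f["bytes"])
    print("volume anomalies:", volume_anomalies(flows))
    print("lateral fan-out:", lateral_fanout(flows))
```

On the sample, 10.1.8.9 sends 260,000 bytes against a median of 10,000 per source and is reported, and 10.1.8.7 reaching four internal hosts on port 22 is reported as east-west fan-out even though each individual flow is tiny. That second case is the one SPAN-based monitoring at the Internet edge never sees, which is the slide's north-south versus east-west point.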
Advanced Threat
Retrospective: It’s all about “Visibility and Control”
All detection is less than 100%
[Diagram: detection techniques] One-to-One Signature; Fuzzy Finger-Printing; Machine Learning; Advanced Analytics; Dynamic Analysis
Reputation Filtering and File Sandboxing
Security as a Service (SECaaS)
Now that you have security expertise in house, have you considered offering SECaaS to your customers?
• Managed: NGFW, NGIPS, VPN, …
• Hosted/Cloud: Virtual NGFW/IPS/VPN/Web/Email/DDoS from your virtualized Data Center
• Resale of others’ cloud offerings: NGFW, UTM, Cloud web/email, Recursive DNS, etc.
3. HAVE A PLAN
How do we protect our networks?
Cybersecurity Plan
• Executive Summary
• Assess Current Cybersecurity Posture
• Measure Progress Toward Improvement
• Assess Relative Risk
• Focus Efforts on Most Important Areas of Improvement
Cybersecurity Risk Determination
• Acceptable risk determination
  – Executive
  – IT Department
• Tier determination and gap analysis
Cybersecurity Risk Determination
Example use of framework (areas in orange are recommended additions)
• Identify
  – Asset Management
    • ID.AM-1 (Physical devices and systems within the organization are inventoried)
      – Current Tier Assignment – 2
      – Target Tier Assignment – 3
      – Estimated dollars to address – $$
      – Priority Assignment – Priority 1
Cybersecurity Risk Determination
• Summary Report
  – Weighted average score representing current cybersecurity posture
  – Difference between weighted average current tier and target tier is your risk exposure
  – Identify top issues being targeted or needing a remedy
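The summary-report arithmetic on the two slides above (per-subcategory current and target tier, a weighted average of each, the difference as risk exposure, and a priority list) is small enough to show end to end. The following is an added example written for this page, not the presentation's own tool: the ID.AM-1 entry uses the tiers from the worked slide (current 2, target 3, priority 1, cost $$); the other subcategories, all weights and the remaining cost figures are constructed. It also validates the inputs, since a target tier below the current tier or outside 1 to 4 would silently distort the averages.

```python
"""Weighted current/target tier averages, risk exposure and a priority list
for NIST CSF subcategory profiles. Added example for this page; weights and
all entries except ID.AM-1's tiers are constructed."""
from dataclasses import dataclass


@dataclass
class SubcategoryProfile:
    ref: str            # NIST CSF subcategory identifier, e.g. "ID.AM-1"
    current_tier: int   # 1..4 per the Framework Implementation Tiers
    target_tier: int    # 1..4
    weight: float       # relative business importance (assumed, constructed)
    cost: str = "$"     # estimated dollars to address, in the slide's notation


# Constructed profile; ID.AM-1's tiers and cost match the slide's worked example.
PROFILE = [
    SubcategoryProfile("ID.AM-1", current_tier=2, target_tier=3, weight=5.0, cost="$$"),
    SubcategoryProfile("ID.AM-2", current_tier=2, target_tier=3, weight=2.0, cost="$"),
    SubcategoryProfile("ID.AM-5", current_tier=3, target_tier=3, weight=1.0, cost="$"),
    SubcategoryProfile("ID.AM-6", current_tier=1, target_tier=3, weight=2.0, cost="$$$"),
]


def validate(profile) -> None:
    """Reject tiers outside 1..4 and targets below the current tier."""
    if not profile:
        raise ValueError("empty profile")
    for s in profile:
        if not (1 <= s.current_tier <= 4 and 1 <= s.target_tier <= 4):
            raise ValueError(f"{s.ref}: tiers must be between 1 and 4")
        if s.target_tier < s.current_tier:
            raise ValueError(f"{s.ref}: target tier below current tier")
        if s.weight <= 0:
            raise ValueError(f"{s.ref}: weight must be positive")


def weighted_tier(profile, attr: str) -> float:
    """Weighted average of current_tier or target_tier across the profile."""
    validate(profile)
    total_weight = sum(s.weight for s in profile)
    return sum(getattr(s, attr) * s.weight for s in profile) / total_weight


def risk_exposure(profile) -> float:
    """The slide's definition: weighted target tier minus weighted current tier."""
    return weighted_tier(profile, "target_tier") - weighted_tier(profile, "current_tier")


def prioritized_gaps(profile) -> list:
    """(priority, ref, weighted gap), largest weighted gap first.
    Subcategories already at target are omitted."""
    validate(profile)
    gaps = [(s.ref, (s.target_tier - s.current_tier) * s.weight)
            for s in profile if s.target_tier > s.current_tier]
    gaps.sort(key=lambda g: -g[1])
    return [(i + 1, ref, gap) for i, (ref, gap) in enumerate(gaps)]


if __name__ == "__main__":
    print(f"current posture : {weighted_tier(PROFILE, 'current_tier'):.2f}")
    print(f"target posture  : {weighted_tier(PROFILE, 'target_tier'):.2f}")
    print(f"risk exposure   : {risk_exposure(PROFILE):.2f}")
    for prio, ref, gap in prioritized_gaps(PROFILE):
        cost = next(s.cost for s in PROFILE if s.ref == ref)
        print(f"Priority {prio}: {ref} (weighted gap {gap:.1f}, cost {cost})")
```

With these constructed weights the current posture averages 1.9, the target 3.0, and the exposure is 1.1 tiers; ID.AM-1 comes out as Priority 1 because its gap of one tier carries the largest weight. The weights are where the "acceptable risk determination" by executives and IT on the earlier slide enters the calculation; the arithmetic itself is deliberately plain so the report can be explained to a board.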
How do we get started (DIY)
• Five-step process to get started
  – Assemble your Security team and analyze the Framework
  – Assess your current posture
  – Define a Target Profile and execute
  – Implement the easy changes now, which include passwords, permissions, access, firewalls, and social engineering
  – Continuously monitor, communicate, and collaborate
[Diagram: the five steps drawn as a cycle]
How do we get started (Outside Help)
• Hire a consultant to help
  – NIST Framework
  – Cybersecurity Assessment
• Hire a Managed Services Security Provider to implement any changes
  – Patches
  – Anti-virus
  – Anti-malware
  – Hardware updates
  – Vulnerability Scans
  – Continuous security monitoring
THE NIST FRAMEWORK
The NIST Framework is gaining popularity in the carrier market as a method to address these areas.
NIST Framework Industry Data
• By 2020, more than 50% of organizations will use the NIST Cybersecurity Framework, up from the current 30% in 2015. – Gartner
• The NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards. – PricewaterhouseCoopers
NIST Framework
NIST Cybersecurity Framework
• Executive Order 13636 (February 2013)
• NIST Framework (http://www.nist.gov/cyberframework/) (February 2014)
  – Framework Core
    • Identify, Protect, Detect, Respond, Recover
  – Framework Implementation Tiers
    • Tier 1 - 4
  – Framework Profile
    • Current and Target
  – Framework Resources
Resources
• NIST Framework (http://www.nist.gov/cyberframework/)
• FCC’s CSRIC IV Working Group 4 (https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf)
Critical Infrastructure Cybersecurity
Notes from the FCC
• EO 13636: Improving Critical Infrastructure Cybersecurity
• NIST Framework for Improving Critical Infrastructure Cybersecurity
• CSRIC IV Final Report: Cybersecurity Risk Management and Best Practices
FCC Summary
• CSRIC IV’s final report contains a compelling set of recommendations for cyber risk management throughout all segments of the communications sector
• CSRIC’s core proposal is that members of the communications sector volunteer to participate in individualized, face-to-face meetings with the FCC to discuss each company’s cyber risk management priorities, methods to address them, and the effectiveness of these methods
• Goal is that through these visible assurances, the FCC will gain confidence that companies throughout the communications sector are taking effective steps to manage cyber risk and increase their cyber preparedness to attacks targeting their critical infrastructure
Carrier NIST Experience
Asset Inventory template (column headings):
• Organization & Relevant Process
  – Operating Unit/Owner
  – Process Owner
  – Function (Department)
• Information Asset Details
  – Name of Asset
  – Description of Asset
  – Personal Data (Y/N)
  – Sensitive Personal Data (Y/N)
  – Sensitive Customer Data (Y/N)
  – Classification
  – Integrity (Y/N)
  – Availability
Carrier NIST Experience
Vulnerabilities Template (column headings):
• Device Type
• Quantity
• Vulnerability
• External
• Internal
• Configuration Change Control
• Configuration Backups
• Validation Date
• Response Plan
• Protection Mechanism
Carrier NIST Experience
Columns: Function, Reference, NIST Framework Subcategory, SMB Questions, Summary, Reference
• IDENTIFY – ID.AM-1 – Physical devices and systems within the organization are inventoried
  – SMB Question: What
  – Summary: An inventory from the following dept. has been completed: Field Ops, Network Operation Transport, Network Operations Wireless, Technology Services (Corporate), Technology Services (External), and the NOC
  – Reference: CSRIC-IV Cybersecurity Framework Report –
• IDENTIFY – ID.AM-2 – Software platforms and applications within the organization are inventoried
  – SMB Question: What
  – Summary: A complete inventory of the corporate software platforms and applications has been identified
  – Reference: CSRIC-IV Cybersecurity Framework Report – Appendix A-3 and A-3.1
• IDENTIFY – ID.AM-5 – Resources (e.g., hardware, devices, data and software) are prioritized based on their classification, criticality, and business value
  – SMB Question: What
  – Summary: Yes, all resources have been identified and prioritized based on their classification,
  – Reference: CSRIC-IV Cybersecurity Framework Report – Appendix A
• IDENTIFY – ID.AM-6 – Cybersecurity roles and responsibilities for the entire workforce and third‐party stakeholders (e.g., suppliers, customers, partners) are established
  – SMB Question: Who
  – Summary: The company provides training to all new hires as well as annual training for all our employees regarding their responsibilities in regards to cybersecurity and best practices to help eliminate a threat from occurring. Along with training we have a variety of policies and procedures addressing employee responsibilities, information on who to contact if a threat is suspected or has occurred, as well as the responsibilities of those assigned to handle the situation. Roles and responsibilities concerning our customers can be found in our Dedicated Hosting and Colocation Agreement – User
  – Reference (Employee): Cybersecurity Plan – Employee Responsibilities; Policy A-8 Identity Theft Red Flag Policy; Policy A-10 CPNI; Policy A-11 HIPAA; Policy A-12 CJIS; Policy B-23 Internet Code of Conduct; Policy B-24 Email Code of Conduct; Policy B-29 Social Media/Social Networking Policy
Communications Sector Cybersecurity Framework Implementation Guidance
Framework Implementation Guidance*
• CSRIC IV charged with providing implementation guidance to facilitate the use and adaptation of the voluntary NIST Cybersecurity Framework
• Comm Sector developed and applied a variety of analytical tools and methods that serve as a primer for companies when reviewing their own risk management processes
• Report Appendices include Communications Sector Implementation Guidance and Resources
*https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
SMB Implementation Guidance and Resources
9.9 Small and Medium Business (SMB) report:
• Identifies what an SMB needs to protect, who has responsibility for a given task, and how an SMB can protect its core network and critical infrastructure
• Use cases from Broadcast and Cable/Wireless/Wireline segments to illustrate steps taken by SMBs in using the NIST CSF
• Identifies highest priority NIST CSF subcategories for SMBs, for example:
SMB Implementation Guidance and Resources (cont.)
9.9 Small and Medium Business (SMB) report (cont.):
• Use Cases
  • Broadcast Industry
  • Wireline, Wireless, and Cable:
    • Tailors NIST Cybersecurity Framework to a small regional communications provider serving critical users within the community
    • Targeted cybersecurity attack could impact delivery and/or integrity of communications services
SMB Implementation Guidance and Resources (cont.)
9.9 Small and Medium Business (SMB) report (cont.):
• Identifies extensive list of tools, templates, reports, websites, etc., that can assist SMBs with their cybersecurity efforts, for example:
Additional Resources
• FCC’s Small Biz Cyber Planner
  • https://www.fcc.gov/cyberplanner
• DOE’s cybersecurity framework guidance
  • http://energy.gov/oe/downloads/energy-sector-cybersecurity-frameworkimplementation-guidance
Questions to Take Home
• Do you have a fully fleshed-out security plan? NIST.gov
• Who is your risk manager?
• How often are GM and Board briefed?
• Do you have trained and certified security experts?
  – Ex.: CISSP and CCNA/CCNP/CCIE Security tracks
• Who is the back-up on all cybersecurity solutions?
• NGFW? NGIPS? DNS? Advanced Threat – including endpoints? Email and Web? NAC? DDoS? Network Flows?
• Need help with any of the above? Call a security VAR.
Thank you