Building and Measuring a Cybersecurity Program
Michael Miranda
• Assistant Professor, Information Security, UH West Oahu
• Principal Consultant, SPARTIX
• Director of Information Security, Hawaiian Telcom
• Program Manager – Cybersecurity, Referentia
• Cybersecurity, Programmer – Northrop Grumman, Verizon – DoD Contractor
• Attorney
• GCFA, GSNA, GCIA, GREM
• Gonzaga U., UH Manoa, U of Central Florida
• Maryknoll Grad
Step 1
• Focus on YOU
• Don’t chase threats…yet
• YOU means YOU, whatever your current position in the organization is and wherever you have influence
• You do not need to wait for some other voice above to start executing the basics of cybersecurity
A cybersecurity program is the sum of all the efforts of all the stakeholders in the organization.
Management and Admin: Policy, Procedure and Risk Management
Planning, Design and Engineering: Plan and Design with Security from the Start
Operations and Field: Always execute using cybersecurity best practices
There is no magic here. No need to reinvent the wheel.
Step 2
• Leverage Published Standards
• There is security guidance for nearly every aspect of cybersecurity.
Management and Admin
• NIST Cybersecurity Framework
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
• Center for Internet Security
  • Top 20 Controls
Operations and Field
• NIST Computer Security Incident Handling Guide
• MITRE Ten Strategies of a World-Class Cybersecurity Operations Center
• Cyber Incident Handling Program – Chairman of the Joint Chiefs of Staff Manual
• Cybersecurity Technical Training is For All
  • SANS
  • Offensive Security
Planning, Design and Engineering
• Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies
• Secure network design of a critical infrastructure network
• Center for Internet Security
  • Benchmarks – secure configuration guidelines for various technology (e.g. workstations, servers, operating systems, applications)
    • Account Policies
    • Local Policies
    • Security Options: Accounts, Audit, DCOM, Devices, Domain Controller, Domain Member, Microsoft Network Client, Microsoft Network Server, Network Access, Network Security, Recovery Console, Shutdown, System Cryptography, System Objects, System Settings, User Account Control
    • Event Log
    • Restricted Groups
    • System Services
    • Registry
    • File System
    • Wired Network Policies
    • Windows Firewall with Advanced Security
    • Network List Manager Policies, etc.
“If you can’t measure it, you can’t improve it.”
-- Peter Drucker
Step 3
• Measure your activities
• SMART Milestones
  • Specific
  • Measurable (percentage, YES/NO)
  • Assignable (accountable)
  • Realistic
  • Time-related
• Goal is to ascertain overall risk
Which Models for Metrics?
Everyone has ideas…
CIS Controls V7 Measures & Metrics
• Active Device Discovery System
• Anti-Spam Gateway
• Application Aware Firewall
• Asset Inventory System
• Backup / Recovery System
• Data Inventory / Classification System
• Dedicated Administration Systems
• DNS Domain Filtering System
• Endpoint Protection System
• Host Based Data Loss Prevention (DLP) System
• Host Based Firewall
• Identity & Access Management System
• Incident Management Plans
• Log Management System / SIEM
• Multi-Factor Authentication System
• Network Based Data Loss Prevention (DLP) System
• Network Based Intrusion Detection System (NIDS)
• Network Based Intrusion Prevention System (IPS)
• Network Device Management System
• Network Firewall / Access Control System
• Network Level Authentication (NLA)
• Network Packet Capture System
• Network Time Protocol (NTP) Systems
• Network URL Filtering System
• Passive Device Discovery System
• Patch Management System
• Penetration Testing Plans
• Privileged Account Management System
• Public Key Infrastructure (PKI)
• SCAP Based Vulnerability Management System
• Secure Coding Standards
• Software Application Inventory
• Software Vulnerability Scanning Tool
• Software Whitelisting System
• System Configuration Baselines & Images
• System Configuration Enforcement System
• Training / Awareness Education Plans
• Web Application Firewall (WAF)
• Whole Disk Encryption System
• Wireless Intrusion Detection System (WIDS)
CIS Controls V7 Measures & Metrics
What percentage of the organization's unauthorized assets have not been removed from the network, quarantined or added to the inventory in a timely manner?
• Inventory all assets (physical and on the network)
• Process for identifying authorized devices
• Process for removing, isolating or adding to the official inventory
• Determination, based on risk, of how long each activity should take to occur
• Who does each activity enumerated above?
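The metric above only becomes a number once the inventory, the discovery results and the risk-based time window are compared. The following Python is an added illustration, not code from the presentation or from the CIS Controls; the asset inventory, discovery sightings, device identifiers, time window and milestone target are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Everything below is constructed sample data for illustration; none of it
# comes from the presentation or from a real network.


@dataclass(frozen=True)
class Sighting:
    """A device reported by active or passive discovery."""
    device_id: str                    # hypothetical identifier (MAC-style string)
    first_seen: datetime              # when discovery first reported the device
    resolved_at: Optional[datetime]   # when it was removed, quarantined or added
                                      # to the official inventory; None = still open


# Official asset inventory: the set of authorized device identifiers.
AUTHORIZED: Set[str] = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}

# Discovery results: two authorized devices and three that are not in the inventory.
SIGHTINGS: List[Sighting] = [
    Sighting("aa:bb:cc:00:00:01", datetime(2024, 3, 1, 8, 0), None),
    Sighting("aa:bb:cc:00:00:02", datetime(2024, 3, 1, 8, 5), None),
    Sighting("de:ad:be:ef:00:01", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 17, 0)),  # handled in 8h
    Sighting("de:ad:be:ef:00:02", datetime(2024, 3, 2, 9, 0), datetime(2024, 3, 5, 9, 0)),   # handled in 72h
    Sighting("de:ad:be:ef:00:03", datetime(2024, 3, 3, 9, 0), None),                          # still open
]

# Risk-based time windows and the point in time the report is run (constructed).
NOW = datetime(2024, 3, 6, 9, 0)
SLA_24H = timedelta(hours=24)
SLA_7D = timedelta(days=7)


def unauthorized(sightings: List[Sighting], authorized: Set[str]) -> List[Sighting]:
    """Devices seen on the network that are not in the official inventory."""
    return [s for s in sightings if s.device_id not in authorized]


def is_overdue(s: Sighting, sla: timedelta, now: datetime) -> bool:
    """True if the device was not handled within the window; open items age until now."""
    end = s.resolved_at if s.resolved_at is not None else now
    return end - s.first_seen > sla


def pct_not_handled_timely(sightings: List[Sighting], authorized: Set[str],
                           sla: timedelta, now: datetime) -> float:
    """Percentage of unauthorized assets not removed, quarantined or inventoried in time."""
    unauth = unauthorized(sightings, authorized)
    if not unauth:
        return 0.0
    overdue = sum(1 for s in unauth if is_overdue(s, sla, now))
    return round(100.0 * overdue / len(unauth), 1)


def milestone_met(sightings: List[Sighting], authorized: Set[str], sla: timedelta,
                  now: datetime, target_pct: float) -> str:
    """SMART milestone expressed as YES/NO: metric at or below the target percentage."""
    return "YES" if pct_not_handled_timely(sightings, authorized, sla, now) <= target_pct else "NO"


def report(sla: timedelta = SLA_24H, now: datetime = NOW, target_pct: float = 10.0) -> Dict[str, object]:
    """One measurement for the slide's question, with the overdue devices listed."""
    unauth = unauthorized(SIGHTINGS, AUTHORIZED)
    return {
        "unauthorized_count": len(unauth),
        "overdue_ids": [s.device_id for s in unauth if is_overdue(s, sla, now)],
        "pct_not_handled_timely": pct_not_handled_timely(SIGHTINGS, AUTHORIZED, sla, now),
        "milestone": milestone_met(SIGHTINGS, AUTHORIZED, sla, now, target_pct),
    }


if __name__ == "__main__":
    for label, sla in (("24-hour window", SLA_24H), ("7-day window", SLA_7D)):
        print(label, report(sla))
```

The time window is the risk-based decision the slide asks for: the same data scores 66.7% overdue against a 24-hour window and 0% against a 7-day window, which is why the window must be fixed and owned before the percentage means anything. Open items are aged against the report time, so a device nobody has acted on keeps counting against the metric rather than disappearing.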
CIS Controls V7 Measures & Metrics
Summary
1. Focus on YOU and your sphere of influence and control
  • Management and Administration
• Planning, Design and Engineering
• Operations and Field
2. Leverage published standards to implement cybersecurity
3. Measure your activities
IF YOU DON’T HAVE A CISO, YOU CAN STILL DO THIS TO PROTECT OUR WATER SYSTEMS