Protecting Your Toll System: RFP Survey Findings

By Michael Bertram, CISSP, Sr. Tolls Analyst

08 September 2017


Page 2

Goals of the Presentation

• Introduction of the NIST Cybersecurity Framework (CSF)
• Understand the weaknesses and gaps present in existing RFPs (* no directly attributable information is revealed)
• Importance of adopting a structured and lifecycle-based security strategy in the toll system RFP development process
• Rethinking security goals

Takeaways

Page 3

NIST CSF Overview

[Diagram, three tiers plus the CSF:]
• Foundation: NIST Guidelines, SABSA, ISO
• Industry: APTA Recommended Practices, NAP “Primer”, PCI, NERC CIP
• Organization: Internal policies, standards, practices, guidelines, architecture patterns, etc.
• CSF

Page 4

NIST CSF Overview

[Diagram only; no text on the slide.]

Page 5

NIST CSF Overview

[Diagram only; no text on the slide.]

Page 6

NIST CSF – Matching RFP Requirements

[Bar chart “Scoring Compliance”, series “# possible” and “# actual”, y-axis 0–70. Annotations on the chart: 11% !, 18%, 18%, “Best Represented”.]

Page 7

NIST CSF – Matching RFP Requirements

[Bar chart “Scoring Compliance”, series “# possible” and “# actual”, y-axis 0–140. Annotations on the chart: 21% !, 34%.]

Page 8

NIST CSF – Matching RFP Requirements

[Bar chart “Scoring Compliance”, series “# possible” and “# actual”, y-axis 0–90. Categories shown: Anomalies & Events, Security Continuous Monitoring (*), Detection Processes. Annotations on the chart: 17% !, 23%.]

Page 9

NIST CSF – Matching RFP Requirements

[Bar chart “Scoring Compliance”, series “# possible” and “# actual”, y-axis 0–60. Annotations on the chart: 23% !, 23%.]

Page 10

NIST CSF – Matching RFP Requirements

[Bar chart “Scoring Compliance”, series “# possible” and “# actual”, y-axis 0–35. Categories shown: Recovery Planning (*), Improvements, Communications. Annotations on the chart: 19% !, 35%.]

Page 11

Core Functions in RFP

[Bar chart “Scoring Compliance”; x-axis: Identify, Protect, Detect, Respond, Recover; y-axis “Percentage”, 0%–25%. Annotations on the chart: 18% !, 23%.]

Page 12

Importance of a Structured Approach to Requirements Development in RFPs

“AD accounts with complex passwords means I am protected”

• Widespread AD mismanagement exposes 90% of organizations
• 70% of orgs with AD fail to utilize multi-factor authentication
• 22% utilize “Domain Admin” accounts for common tasks
• Red teams report a nearly 100% success rate in breaching org. AD infrastructure

❖ Source: Information Security Magazine, 10 May 2017

“Firewall, IPS and AV protection means my host servers are protected”

• NSS Labs research (2013) showed that only 3% of NGFW, IPS and end-point-protection (i.e. AV/AM) software could detect and block the known exploits used in testing

❖ Source: NSS Labs, 23 May 2013

• Many products have been found to have fundamental security issues, including built-in backdoors (WikiLeaks disclosures, etc.)

Page 13

Start With The Right Goals

Problematic Goals

• Never get hacked!
• Be “…..” compliant
• Security as a single “checked off” delivery
• System-wide requirements

Results in incomplete or wrong security requirements

Improved Goals

• Expect to be hacked, but expect to reduce the frequency and impact
• Security that encompasses compliance but is not pinpointed on it
• Security adapts to changes
• Strategy that varies with product features, risk levels, and available or desired mitigation controls

Minimizes gaps and mistakes in requirements

Page 14

Effective Cybersecurity Strategy

[Diagram “Security Architecture Continuum”, three tiers:]
• Foundation: NIST Guidelines, SABSA, ISO
• Industry: APTA Recommended Practices, NAP “Primer”, PCI, NERC CIP
• Organization: Internal policies, standards, practices, guidelines, architecture patterns, etc.

Page 15

Thank You

Michael Bertram
[email protected]
www.atkinsglobal.com
Atkins North America, Senior Tolls Analyst
CISSP, TOGAF (EA), SABSA (ESA)
IT Sector Chief, San Diego Chapter InfraGard