Protecting Your Toll System: RFP Survey Findings
By Michael Bertram, CISSP, Sr. Tolls Analyst
08 September 2017
Goals of the Presentation
• Introduction to the NIST Cybersecurity Framework (CSF)
• Understand the Weaknesses and Gaps Present in Existing RFPs (no directly attributable information is revealed)
• Importance of Adopting a Structured, Lifecycle-Based Security Strategy in the Toll System RFP Development Process
• Rethinking Security Goals
Takeaways
NIST CSF Overview
Security Architecture Continuum:
• Foundation: NIST Guidelines, SABSA, ISO
• Industry: APTA Recommended Practices, NAP “Primer”, PCI, NERC CIP
• Organization: Internal policies, standards, practices, guidelines, architecture patterns, etc.
• CSF
NIST CSF – Matching RFP Requirements
[Chart: Scoring Compliance, # possible vs # actual. Values shown: 11% !, 18%, 18%. Label: Best Represented]
[Chart: Scoring Compliance, # possible vs # actual. Values shown: 21% !, 34%]
[Chart: Scoring Compliance, # possible vs # actual, by category: Anomalies & Events, Security Continuous Monitoring (*), Detection Processes. Values shown: 17% !, 23%]
[Chart: Scoring Compliance, # possible vs # actual. Values shown: 23% !, 23%]
[Chart: Scoring Compliance, # possible vs # actual, by category: Recovery Planning (*), Improvements, Communications. Values shown: 19% !, 35%]
Core Functions in RFP
[Chart: Scoring Compliance, percentage by core function: Identify, Protect, Detect, Respond, Recover (y-axis 0% to 25%). Values shown: 18% !, 23%]
Importance of a Structured Approach to Requirements Development in RFPs
“AD accounts with complex passwords means I am protected”
• Widespread AD mismanagement exposes 90% of organizations
• 70% of orgs with AD fail to utilize multi-factor authentication
• 22% utilize “Domain Admin” accounts for common tasks
• Red teams report nearly 100% success rate in breaching organizational AD infrastructure
❖ Source: Information Security Magazine, 10 May 2017
“Firewall, IPS and AV protection means my host servers are protected”
• NSS Labs research (2013) showed that only 3% of NGFW, IPS and end-point protection (i.e. AV/AM) products could detect and block the known exploits used in testing
❖ Source: NSS Labs, 23 May 2013
• Many products have been found to have fundamental security issues, including built-in backdoors (Wikileaks, etc.)
Start With The Right Goals
Problematic Goals
• Never get hacked!
• Be “…..” Compliant
• Security as a single “checked off” delivery
• System-wide requirements
Results in incomplete or wrong security requirements
Improved Goals
• Expect to be hacked but expect to reduce the frequency and impact
• Security that encompasses compliance but is not fixated on it
• Security adapts to changes
• Strategy that varies with product features, risk levels, and available or desired mitigation controls
Minimizes gaps and mistakes in requirements
Effective Cybersecurity Strategy
Security Architecture Continuum: Foundation (NIST Guidelines, SABSA, ISO), Industry (APTA Recommended Practices, NAP “Primer”, PCI, NERC CIP), Organization (internal policies, standards, practices, guidelines, architecture patterns, etc.)
Thank You
Michael Bertram
www.atkinsglobal.com
Atkins North America, Senior Tolls Analyst
CISSP, TOGAF (EA), SABSA (ESA)
IT Sector Chief, San Diego Chapter Infragard