Cybersecurity & Risks Analysis
Slide 1: Working Together to Build Confidence: Cybersecurity & Risks Analysis
Djenana Campara, Chief Executive Officer; Member, Object Management Group Board of Directors; Co-Chair, System Assurance Task Force

Slide 2: Cyber Security
Trust in a system's ability to execute trusted behavior only and to prevent malicious attacks, with the objective of protecting information, assets and services against compromise.
12/6/2016 (c) KDM Analytics Inc.

Slide 3: OMG Security Community Focus
Systematic Threat, Risk & Vulnerability Analysis (TRV):
- Unique, cost-effective approach
- Automated analysis
- Supported by integrated tools

Slide 4: Threat, Risk and Vulnerability Analysis (TRV): It Starts by Understanding
Goal: a risk assessment methodology within the RMF that is systematic, objective and allows automation, and that can answer a tough question: how do we know that all threats have been addressed?
- How can the system be attacked?
- What are the vulnerabilities that are exploited by successful attacks?
- What is the impact of successful attacks?
Together these determine risk.

Slide 5: Failing to Understand ALL Threats
- It is not enough to trust credentials.
- A firewall is no longer sufficient protection.
- Ignorance MUST NOT be an option.
- Adversaries: organized crime; smart, knowledge-sharing hackers.
Effective threat mitigation can only be achieved through identifying, analyzing, classifying and understanding the threat and the related risk: cause & effect.

Slide 6: The Challenge: Where are the Vulnerabilities?
Quoted headline: "The researcher successfully hacked the principal system on-boards like ADS-B and ACAR" (posted in SCADA / ICS Security on April 8, 2014).
- The point of entry to the system is the individual user.
- The actual security perimeter is often much larger than anticipated.
- Stakeholders often accept risk that they are not aware of.

Slide 7: Undiscovered Vulnerabilities can Result in Massive Losses
- STUXNET: a sophisticated, multilevel targeted attack on a SCADA system that resulted in modification of the system's behavior. It was a layered attack against three different systems, initially exploiting four zero-day vulnerabilities within Windows systems and using them as a springboard to install itself unnoticed on PLC devices, with the aim of periodically modifying the frequency and thus affecting the operation of the connected motors by changing their rotational speed, leading to the destruction of centrifuges.
- A cyberattack against Polish flagship carrier LOT grounded more than 1,400 passengers at Warsaw's Frederic Chopin Airport (June 2015). The airline said in a statement on its website that the IT attack meant it was unable to create flight plans and flights were not able to depart from Warsaw.
- The International Civil Aviation Organization (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them. Researchers have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controllers.

Slide 8: Overcoming the Challenge
COMPREHENSIVE AND SYSTEMATIC RISK ANALYSIS

Slide 9: Examining Existing Risk Management Methodologies: Providing Assurance & Automation?
Methodologies reviewed: ISO/IEC standards (four listed; the standard numbers were not captured in the transcription), CRAMM (UK), EBIOS (France), Mehari (France), Magerit (Spain), HTRA (Canada), NIST SP (US), Octave (SEI CMU), RiskAn (Czech Rep), Microsoft Threat Analysis Methodology, Open Group FAIR, and others.
Challenges:
1) No interoperability (an issue in a coalition context).
2) Few approaches deal with discernible concepts that can be automated.
3) Few approaches are systematic enough to provide assurance.

Slide 10: Ingredients of risk (ISO 15408)

Slide 11: Assurance through vulnerability detection

Slide 12: Assurance through asset protection

Slide 13: Assurance through standard controls

Slide 14: Each Step can be a Reasonable Starting Point
- Understand how the system can be attacked
- Understand the impact of vulnerabilities
- Understand entry points
- Identify vulnerabilities in the system

Slide 15: Goal: Justifiable Risk Management
Justifiable risk management = end-to-end risk mitigation assurance.

Slide 16: Justifiable Risk Management: FORSA Methodology Influenced by Standard Efforts
Achieving justifiable risk management requires a methodology that:
- Is systematic (can enumerate all threats)
- Deals with discernible concepts
- Considers assurance (can provide confidence and justification)
We selected the most suitable methodologies, combined them and further enhanced them to:
- Fully support assurance
- Support import of structured enterprise operational views (e.g. DoDAF/UAF)
- Support automation of the methodology steps, including multi-stage attack identification
FORSA: Fact Oriented, Repeatable, Security, Assurance.

Slide 17: The Methodology Describes the Sequence of Steps
- Who cares? Owners and sensitivity criteria
- To what? Assets and targets
- By whom, and why? Threat sources
- How? Attack scenarios; likelihood
- So what? Undesired events; operational impact; severity
- What to do about it? Controls, mitigation options
Result: identified risks.

Slide 18: The Corresponding FORSA Steps
1. Operational Context Identification
2. System Facts
3. Asset Identification
4. Undesired Event Identification
5. Attack Group Identification
6. Threat Scenario Analysis
7. Safeguard Identification
8. Vulnerability Analysis
9. Risk Identification
10. Risk Analysis
Starting from the enterprise architecture, the "what" (analysis of valuables, sensitivities and impacts) yields severity, and the "how" (analysis of targets, entries and attacks) yields likelihood; together they yield risk. The sequence of steps is designed to increase confidence, and therefore increase assurance.

Slide 19: Results of Justifiable Risk Analysis
ID   Description                                                                                                    Level   Severity  Likelihood  Residual  Confidence
R01  Hacker gains access to confidential assets by information gathering on stored files                            high    high      high        low       80%
R02  Targeted virus or timebomb affects integrity or availability of network by attacking programmable node         high    high      high        low       80%
R03  Hacker subverts node by remote attack exploiting vulnerabilities in programmable node's code                   high    medium    high        low       80%
R04  Hacker subverts programmable node by remote attack exploiting vulnerabilities in system software on the node   high    medium    medium      low       80%
R05  Criminal learns about forensic activity by attacking software on programmable node                             medium  high      medium      low       80%
R06  Targeted virus or timebomb affects availability of other assets by attacking software on programmable node     medium  high      medium      low       80%
R07  Malicious user subverts programmable node by locally attacking node's code                                     medium  low       medium      low       70%

Slide 20: Risk Assessment Methodology Driven by the Assurance Case
- System facts (e.g. operational facts from DoDAF/UAF) are evidence for the assurance case.
- The assurance process delivers evidence; the assurance case provides guidance on how to collect it.
- The risk metamodel describes the evidence, and the assurance case is structured according to the risk metamodel.
- Supported by inference rules; uses generic taxonomies.
Key points: integrating system assurance into the risk assessment methodology; utilizing the assurance case to deliver the risk assessment; automating the end-to-end process.

Slide 21: Unique Approach Influenced by Standard Efforts
Inputs to KDM Blade (collection of facts): CONOPS; cybersecurity knowledge (National Vulnerability Database, compliance specifications, fault patterns, code security defects, threat-risk analysis models); the software system.
- A top-down, operational risk analysis producing a quantitative risk report, including risk distribution by component, business assets and threats, and the associated vulnerability characteristics.
- A bottom-up, targeted vulnerability analysis producing a quantitative residual risk, focused on deep analysis of the riskiest components identified and prioritized in the top-down risk report.
Threat Risk Analysis Reports cover threat scenarios, undesired events, system vulnerabilities, safeguards and prioritized risk, enabling effective measurement, prioritization and mediation of the assurance risks posed by system vulnerabilities.

Slide 22: Ecosystem Foundation: Common Fact Model, Data Fusion & Semantic Integration
Standards in the ecosystem: SFPM/SFP; SCAP/CVE (note: SFPs are created using the SBVR standard); Risk Analysis OTRM (situational awareness); ISO SACM; GSN/CEA; UPDM/UAF; SysML; KDM/ISO. Tools integration is possible only through standards.

Slide 23: Top Down Operational Risk Analysis
Diagram (numbered steps 1 to 7): Enterprise Architecture (DoDAF/UAF) feeds the Blade Risk Manager, whose DoDAF Analytics automatically extracts facts for the Risk Manager Engine, backed by a Risk Knowledge Base ("Risk Analyst in a box"); a GUI provides score & feedback and allows manual adjustments or manual input; the output is the Risk Assessment Report. Step 1a: a manual input option if no structured data is available.
The risk report includes:
- Constructed risk statements and calculated risk
- Constructed risk distribution by components, business assets and threats
- Identified associated vulnerability characteristics

Slide 24: Bottom Up Vulnerability Analysis: Cost-effective, Targeted
- Multiple vulnerability detection tools produce raw data, which TOIF (Tools Output Integration Framework) turns into normalized data.
- Raw tool output has a low level of abstraction and overloads the analyst, especially on binary code.
- TOIF normalized data gives increased coverage, and overlaps between tools increase confidence.
- TOIF findings associated with risks through SFP and the operational context become evidence and counterevidence for the risk statements obtained from the top-down risk analysis.
- TOIF findings associated with entry points and attack vectors provide stronger evidence and counterevidence.
- Findings are manually validated. Because of the filtering, noisier tools may be applied for better coverage and assurance.
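The following is an added illustration of the normalization-and-overlap idea on the slide above; it is not KDM Analytics' TOIF and uses constructed tool outputs, fault-pattern labels and entry-point paths. Findings from two hypothetical tools with different schemas are mapped onto a common (path, line, fault pattern) key, and each finding is scored by how many tools agree and whether it sits on an entry point from the top-down analysis.

```python
"""Fuse findings from several vulnerability tools and rank them by overlap and
entry-point context (illustration only; tool formats and labels are constructed)."""
from collections import defaultdict

# Constructed raw output from two hypothetical tools with different schemas.
TOOL_A = [  # a source analyser: path, line, weakness label, rule id
    {"path": "src/net/parse.c", "line": 120, "weakness": "buffer overflow", "rule": "A-101"},
    {"path": "src/net/parse.c", "line": 340, "weakness": "null deref", "rule": "A-207"},
    {"path": "src/util/log.c", "line": 55, "weakness": "format string", "rule": "A-330"},
]
TOOL_B = [  # a binary analyser: "file:line" string plus category
    {"location": "src/net/parse.c:120", "category": "OVERFLOW"},
    {"location": "src/auth/login.c:88", "category": "OVERFLOW"},
    {"location": "src/net/parse.c:340", "category": "NULLPTR"},
]

# Each tool's vocabulary mapped onto a common fault-pattern label (constructed SFP-style names).
SFP_MAP = {
    "buffer overflow": "SFP:Faulty Buffer Access", "OVERFLOW": "SFP:Faulty Buffer Access",
    "null deref": "SFP:Faulty Pointer Use", "NULLPTR": "SFP:Faulty Pointer Use",
    "format string": "SFP:Tainted Input to Command",
}

# Entry points taken from the (hypothetical) top-down risk analysis.
ENTRY_POINTS = {"src/net/parse.c", "src/auth/login.c"}


def normalize_a(rec):
    """Tool A record -> common key (path, line, sfp)."""
    return (rec["path"], rec["line"], SFP_MAP[rec["weakness"]])


def normalize_b(rec):
    """Tool B record -> common key (path, line, sfp); splits the 'file:line' field."""
    path, line = rec["location"].rsplit(":", 1)
    return (path, int(line), SFP_MAP[rec["category"]])


def fuse(tool_outputs):
    """Return {(path, line, sfp): set of tool names} so overlaps become visible."""
    fused = defaultdict(set)
    for name, records, normalize in tool_outputs:
        for rec in records:
            fused[normalize(rec)].add(name)
    return fused


def rank(fused, entry_points):
    """Score = number of agreeing tools (confidence) + 2 if the file is an entry point (attack vector)."""
    ranked = []
    for (path, line, sfp), tools in fused.items():
        score = len(tools) + (2 if path in entry_points else 0)
        ranked.append({"path": path, "line": line, "sfp": sfp, "tools": sorted(tools), "score": score})
    return sorted(ranked, key=lambda f: (-f["score"], f["path"], f["line"]))


def top_findings():
    """Fuse both constructed tool outputs and rank the result."""
    fused = fuse([("toolA", TOOL_A, normalize_a), ("toolB", TOOL_B, normalize_b)])
    return rank(fused, ENTRY_POINTS)


if __name__ == "__main__":
    for finding in top_findings():
        print(finding)
```

Findings that both tools report on an entry-point file rank first; a single-tool finding outside any entry point ranks last, which is the filtering that lets noisier tools be added without drowning the analyst.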
Slide 25: Lockheed Martin Case Study
The identified standards and frameworks are supported by tools; Lockheed Martin performed the evaluations.
- Structured Assurance Models: bring structured order to chaos; interrelated claims, arguments and evidence between various sources of evidence.
- System Risk Manager: analysis of DoDAF models (operational, system and other views); automated gap assessments in models; threat risk assessment capability on DoDAF models.
- The Tools Output Integration Framework (TOIF) and Risk Analyzer tools have demonstrated significant improvement in software flaw and vulnerability assessments, lower labor costs, and significantly lower tool costs.
OMG System Assurance Modeling Tools can reduce security engineering lifecycle costs by 20-50%.

Slide 26: Thank you
More informationCyber Semantic Landscape Ontology and Taxonomy
The Cyber Semantic Landscape Ontology and Taxonomy (CSLOT) provides a structured approach to the dynamic needs of the Cyber security concepts, theories, standards, and compliance issues facing the 21st
More informationCyber COBIT. Ophir Zilbiger, CEO SECOZ Shay Zandani, CEO CyberARM. December 2013
Cyber COBIT Ophir Zilbiger, CEO SECOZ Shay Zandani, CEO CyberARM December 2013 1 Agenda 1. Background & Definitions 2. Applying COBIT5 to Cybersecurity Governance 3. Cybersecurity Management 4. Cybersecurity
More informationASSURANCE PENETRATION TESTING
ASSURANCE PENETRATION TESTING Datasheet 1:300 1 Assurance testing February 2017 WHAT IS PENETRATION TESTING? Penetration testing goes beyond that which is covered within a vulnerability assessment. Vulnerability
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationDATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE
DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationEffective Strategies for Managing Cybersecurity Risks
October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive
More informationProtecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities
Cybersecurity Basics For Energy Managers Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities Michael Mylrea Manager, Cybersecurity & Energy Technology Pacific
More informationThe University of Queensland
UQ Cyber Security Strategy 2017-2020 NAME: UQ Cyber Security Strategy DATE: 21/07/2017 RELEASE:0.2 Final AUTHOR: OWNER: CLIENT: Marc Blum Chief Information Officer Strategic Information Technology Council
More informationDr. Stephanie Carter CISM, CISSP, CISA
Dr. Stephanie Carter CISM, CISSP, CISA Learning Objectives (LO) LO1 Will learn the theological and practitioner definition of cybersecurity LO2 Will learn the dependency between physical and cyber security
More informationCybersecurity in Government
Cybersecurity in Government Executive Development Course: Digital Government Ng Lup Houh, Principal Cybersecurity Specialist Cybersecurity Group 03 April 2018 Agenda Cyber Threats & Vulnerabilities Cyber
More informationObjectives of the Security Policy Project for the University of Cyprus
Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University
More informationTHE POWER OF TECH-SAVVY BOARDS:
THE POWER OF TECH-SAVVY BOARDS: LEADERSHIP S ROLE IN CULTIVATING CYBERSECURITY TALENT SHANNON DONAHUE DIRECTOR, INFORMATION SECURITY PRACTICES 1 IT S A RISK-BASED WORLD: THE 10 MOST CRITICAL UNCERTAINTIES
More informationCYBERSECURITY MATURITY ASSESSMENT
CYBERSECURITY MATURITY ASSESSMENT ANTICIPATE. IMPROVE. PREPARE. The CrowdStrike Cybersecurity Maturity Assessment (CSMA) is unique in the security assessment arena. Rather than focusing solely on compliance
More informationSecuring strategic advantage
Securing strategic advantage Protecting industrial control systems Cyber Supplier to UK Government Plan Design Enable In delivering our vision to be the best infrastructure company in the world, we pride
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationRSA NetWitness Suite Respond in Minutes, Not Months
RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations
More information2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT
2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT THYCOTIC 2018 GLOBAL CHANNEL PARTNER SURVEY Channel Partner survey highlights client cybersecurity concerns and opportunities for
More information