Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

Transcription

1 Avoiding an Information Security Mismanagement Program through Fundamentals Bill Curtis, SynerComm Husband, father and grandfather 30+ years IT/IS: Army Allen Bradley/Rockwell Automation Bucyrus/Caterpillar SynerComm Michigan native living in Wisconsin by way of Indiana, Arizona and Georgia Anthem (2014) Community Health Systems (2014) Equifax (2017) Nuance (2017) 1

2 One of the largest health insurance providers in the US Health care data breach affecting 80 million customers Attackers stole credentials for privileged access to databases and stole data over a period of months Million Records Stolen Heartbleed patches not installed on firewalls One of the largest data breaches in history 143 million records (and counting) Attackers gained access multiple times Primary breach was an unpatched web server component 2

3 Cloud services provider for dictation and transcription of medical records Network completely shut down in Summer 2017 due to NotPetya ransomware Systems were affected through a combination of privileged access, segmentation, and patching errors There are APTs but they are only as sophisticated as they need to be China probably isn t going to use an iphone 0-day on you going on your family vacation to Disney World Penetration testers aren t usually using exploits either It s beyond the needs of most orgs All the threat intel in the world doesn t patch your boxes Threat intel can be good, but does it complicate your information security strategy? 3

4 1. Inventory and Control of Hardware Assets Count your devices 2. Inventory and Control of Software Assets Count the software and whitelist only what is needed 3. Continuous Vulnerability Management Patch everything, remediate other vulnerabilities in configuration 4. Controlled Use of Administrative Privileges Limit local administrator and privileged accounts in the network 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers Establish a secure standard We talked about the Top 5, but there are 15 others CIS Top 20 is a prioritized control framework model based on real-world attacks The Top 5 provides an defense against the 85% of the most common cyber attacks 4

5 Recap of breach findings: Primary breach was an unpatched web server component Systems were affected through a combination of privileged access, segmentation, and patching errors Heartbleed patches not installed on firewalls Attackers stole credentials for privileged access to databases and stole data over a period of months It s a roadmap for where to start Actionable steps for implementation Maps to HIPAA, NIST, HITRUST, PCI Network Segmentation If you can t patch it, segment it Medical devices, old computers If you can patch it, segment it PCI cardholder data environment, accounting systems, management networks The Crown Jewels 5

6 Multi-factor Authentication Remote Access Privileged Access Other people s computers, follow their rules Be a thoughtful guest Identity and Access Management Identity is the primary perimeter you can control Just stop with public buckets Accountable to Senior-most leader MGMT <-> BIZ <-> Security What business initiative are you working to address? What problem are you trying to solve? IS Transitioning from "Department of No" to "Department of How" Inventory your controls SynerComm CIS Top 20 Tool Inventory Spreadsheet AuditScripts CIS Top 20 Tool 6

7 You cannot manage what you do not understand: Data Systems Processes Custodians/Owners/Users Compliance Requirements Single Page App Universal Data Included Phase 1 Launched in 2018 Two Phases Phase 1: SynerComm Audit Tool Phase 2: Self-hosted 7

8 Step 1: Establish Ranking Criteria Step 2: Determine Risk Assessment Scope Step 3: Identify Relevant Threats, Vulnerabilities, and Controls Step 4: Determine Initial Impact and Initial Risk Scores Step 5: Evaluate Control Effectiveness Step 6: Perform System and Zone Risk Assessment Step 7: Report on Risk Aligns to NIST SP Revision 1 Was built to conform with requirements such as: US Department of Health and Human Services Office of Civil Rights Guidance (HHS OCR) on Risk Analysis Requirements under the HIPAA Security Rule Payment Card Industry Data Security Standard (PCI DSS) Requirement 12.3 Consider commonly-used data types: ephi cardholder data (CHD/PCI) PII financial data IP Data types may also include qualities: single-point of failure large data store mobile data 8

9 As we set scope, SynerComm will work with the client to collect three fundamental characteristics for each asset: Asset role Web server Database server Application server Firewall Removable media Data type System and zone association Grouping of assets based on common data type and/or business purpose SynerComm will leverage common threat information: MITRE Corporation (MITRE) Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) model Other threat events, such as non-adversarial threats SynerComm will evaluate vulnerabilities: NIST National Vulnerability Database (NVD) Common Weakness Enumeration (CWE) Open Web Application Security Project (OWASP) Top 10 SynerComm will identify control types to mitigate threat events: Center for Internet Security (CIS) Top 20 Critical Security Controls (CSC) SynerComm assigns relevant threats, vulnerabilities, and control types based on asset role. The initial impact for a system or zone is the sum of the asset impact values for all assigned assets. SynerComm then uses the mean initial impact score of all systems as a baseline risk score for all systems in the risk assessment. The mean impact score becomes the highest risk threshold for risk values. 9

10 SynerComm uses the list of control types identified in Step 3 as a basis to begin collecting and evaluating client controls. SynerComm scores the control based on: the control implementation status (not implemented, outof-date, partially implemented, fully implemented), documentation of the control (not documented, out-ofdate, full documentation), control test performance (not tested, failed test, passed test), and control function (preventive, detective, corrective, or insurance). SynerComm uses the controls evaluated in Step 5 to derive the residual risk score. SynerComm classifies the residual risk score into risk levels. SynerComm will consider any additional threats, vulnerabilities, or controls relevant to the inscope assets. The reports generated through the process will highlight ineffective controls, inadequately controlled threats and vulnerabilities, and other high risks to the in-scope processing environments. 10

11 11