DHS Cybersecurity Services and Resources

Transcription

1 DHS Cybersecurity Services and Resources September 18 th, 2018 Harley D. Rinerson Chief of Operations Central U.S. Cyber Advisor Program Cybersecurity Advisor Program Department of

2 Agenda Cyber Advisor Program Cyber Framework DHS Cyber Service Offerings 2

3 Scary Bedtime Story's Ransomware-as-a-Service (RaaS) Non-technical users create campaigns Recent one- MacRansom -.25 bitcoin about $700 Bad actors are using behavioral analysis Start of the business day Thursdays spike for malware Wednesday then the rest of the week 3

4 Lack of Confidence 4

5 Types of Delivery 5

6 Are you in the Top Five? 6

7 Cybersecurity Advisors Mission Mission: To provide direct coordination, outreach, and regional support and assistance in the protection of cyber components essential to the Nation s Critical Infrastructure. Secure.gov Reduce Cyber Risk Focus Areas: Build Strategic Partnerships Develop Cyber Talent Ensure Emergency Communications

8 Cybersecurity Advisor (CSA) Program In service of this mission, CSAs are guided by the following goals: Assess: Assess critical infrastructure cyber risk. Promote: Promote best practices and risk mitigation strategies. Build: Initiate, build capacity, and support cyber communities-ofinterest and working groups. Educate: Educate and raise awareness. Listen: Collect stakeholder requirements. Coordinate: Coordinate incident support and lessons-learned.

9 Serving Critical Infrastructure and Government

10 CSA Locations

11 Cybersecurity and Resilience 11

12 What Is Resilience? the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents - Presidential Policy Directive PPD 21 February 12, 2013 Protect () Perform (Capability) Sustain (Continuity) Repeat (Maturity)

13 An Approach to Cyber Resilience Have a philosophy, framework, or general approach to cyber resilience, and follow it. This is one successful approach: Identify Services Identify and prioritize services Create Asset Inventory Identify assets, align assets to services, and inventory assets Protect & Sustain Assets Establish risk management, resilience requirements, control objectives, and controls Disruption Management Establish continuity requirements for assets and develop service continuity plans Evaluate & Improve Define objectives and standards, measure against those standards, evaluate and identify areas for improvement. Process Management and Improvement

14 Do the Basics, More Consistently Attackers are simply getting better than most defenders. But often, neglecting to do the basics is what leads to a breach. You have a responsibility to appropriately manage risk and serve your customers. Your best effort is within your control. Don t let paralysis by analysis take hold. 1.Measure your program against established standards. 2.Manage improvements and work on operational resilience.

15 Key Questions How do you know if your cybersecurity efforts are going well? Do you plan your cybersecurity activities? Do you adhere to a cybersecurity standard of practice? What s at risk? Have you identified the potential consequences if your systems are compromised or unavailable? Have you planned for cyber incident management and exercised that plan? Can you sustain operations of critical processes following a significant cyber incident?

16 NIST Cybersecurity Framework The cybersecurity framework (CSF) establishes a common perspective and vernacular, is broadly applicable and developed by private and public organizations, provides risk-based guidelines, is collaboration oriented, and is internationally recognized.

17 Cybersecurity Services - CYBER RESILIENCE REVIEW - EXTERNAL DEPENDENCIES MANAGEMENT - CYBER INFRASTRUCTURE SURVEY - CYBERSECURITY EVALUATIONS TOOL - PHISHING CAMPAIGN ASSESSMENT - VULNERABILITY SCANNING/ HYGIENE - VALIDATED ARCHITECTURE DESIGN REVIEW - RISK AND VULNERABILITY ASSESSMENT STRATEGIC (HIGH-LEVEL) TECHNICAL (LOW-LEVEL)

18 Vulnerability Scanning Assess Internet accessible systems for known vulnerabilities and configuration errors. Work with organization to proactively mitigate threats and risks to systems. Activities include: Network Mapping Identify public IP address space Identify hosts that are active on IP address space Determine the O/S and Services running Re-run scans to determine any changes Graphically represent address space on a map Network Vulnerability & Configuration Scanning Identify network vulnerabilities and weakness

19 Phishing Campaign Assessment (PCA) Objectives: Increase cybersecurity awareness within stakeholder organizations Decrease risk of successful malicious phishing attacks, limit exposure, reduce rates of exploitation Benefits: Receive actionable metrics Highlight need for improved security Scope: Training 6-week engagement period Phishing s capture click-rate only, no payloads will be used Varying Levels of Complexity -- Levels 1-6 (Easy to Difficult) 19

20 Phishing Campaign Assessment Sample Reports Week Campaign Date Sent Complexity User Click # s Level Rate Sent 1 Please Help! 3/18/ % Reveal Your Past 3/31/ % Password Expire Alert 4/6/ % Severe Weather Checklist 4/15/ % Federal Employee Survey 4/20/ % Salary Guidelines 4/27/ % 402

21 Validated Architecture Design Review Description The Validated Architecture Design Review (VADR) is a voluntary, no-cost assessment based on standards, guidelines, and best practices. The assessment encompasses architecture and design review, system configuration, and log file review, and sophisticated analysis of network traffic to develop a detailed representation of the communications, flows, and relationships between devices and most importantly to identify anomalous (and potentially suspicious) communication flows. This offering provides a sophisticated analysis of the asset owner s network. Outcomes After the review, the NCCIC will provide an in-depth VADR Report that includes key discoveries and practical recommendations for improving an organization s operational maturity and enhancing their cybersecurity posture. Assessment Logistics Execution of the DHS assessment agreement and submission of pre-requisite customer information (to include a network diagram) Pre Assessment Activities: two weeks Time needed to complete assessment: one week Personnel required to perform assessment: customer point of contact responsible for coordinating all customer activity and IT staff to answer system and network related questions Timeframe for return of assessment results: six weeks

22 Cyber Evaluation Tool Description The Cyber Evaluation Tool (CSET ) is a no-cost, voluntary desktop stand-alone application that guides asset owners and operators through a systematic process to evaluate their operational technology (OT) and information technology (IT) network security practices. Using the tool organizations are able to evaluate their cybersecurity posture against recognized standards and best practice recommendations in a systematic, disciplined, and repeatable manner. Outcomes At the end of the evaluation, NCCIC will provide reports that present the assessment results in both summary and detailed form. Users are easily able to filter content or drill down to look at information that is more granular. Assessment Logistics - Download the Tool The CSET is immediately available for download upon request - Select Standards Users select one or more government and industry-recognized cybersecurity standards. CSET then generates questions that are specific to those requirements. - Determine Assurance Level The security assurance level (SAL) is determined by responses to questions relating to the potential consequences of a successful cyber-attack on an organization, facility, system, or subsystem. It can be selected or calculated and provides a recommended level of cybersecurity rigor necessary to protect against a worst-case event. - Answer the Questions CSET then generates questions using the network topology, selected security standards, and SAL as its basis.

23 Cyber Evaluation Tool (CSET ) R Stand-alone software application Self-assessment using recognized standards Tool for integrating cybersecurity into existing corporate risk management strategy CSET Download: 23

24 Cyber Resilience Review Purpose: The CRR is an assessment intended to evaluate an organization s operational resilience and cybersecurity practices of its critical services Delivery: The CRR can be facilitated self-administered CRR Self-Assessment Package is available on the C-Cubed Voluntary Program website. Helps public and private sector partners understand and measure cyber security capabilities as they relate to operational resilience and cyber risk Based on the CERT Resilience Management Model (CERT RMM)) CRR Question Set & Guidance The CRR provides organizations with a no-cost method to assess their cybersecurity postures and measure against the NIST CSF.

25 Cyber Resilience Review Domains Asset Management Know your assets being protected & their requirements, e.g., CIA Configuration and Change Management Manage asset configurations and changes Controls Management Manage and monitor controls to ensure they are meeting your objectives External Dependencies Management Know who your most important external entities are and manage the risks they pose to essential services Incident Management Be able to detect and respond to incidents Risk Management Know your biggest risks and address them in a manner that considers cost and your risk tolerances Service Continuity Management Ensure workable plans are in place to manage disruptions Situational Awareness Actively discover and analyze information related to immediate operational stability and security Training and Awareness Ensure your people are trained on and aware of cybersecurity risks and practices Vulnerability Management Know your vulnerabilities and manage those that pose the most risk For more information:

26 CSF Summary in the CRR

27 Why is all this effort important? UNCLASSIFIED

28 Incident Management While roughly 70% of organizations perform event detection 50% of organizations have a plan for managing incidents 55% have a process to declare incidents only 37% have developed incident declaration criteria to guide their staff

29 Service Continuity Management Less than 50% of organizations have documented service continuity plans and only 42% specify recovery time and recovery point objectives in their plans.

30 Sector Performance: Top Tier

31 Sector Performance: Bottom Tier

32 CRR Resource Guides CRR Domains: The CRR methodology is based on 10 domains, each representing a capability area foundational to an organization s cyber resilience. Resource Guides: In 2016, DHS released a set of CRR Resource Guides to assist organizations in enhancing their resilience in specific CRR domains. Scope of Content: While the guides were developed for organizations to utilize after conducting a CRR, these publications provide content useful for all organizations with cybersecurity equities. Flexibility in Use: Moreover, the guides can be utilized as a full set or as individual components, depending on organizational preference and/or need. CRR Resource Guide Asset Management CRR Resource Guides provide organizations with a tool to develop their capabilities in security management areas moving organizations from initial to well-defined capability. For more information, please visit:

33 EDM Assessment Overview: In 2016, DHS launched the External Dependencies Management (EDM) Assessment, focusing specifically on ensuring the protection and sustainment of services and assets that are dependent on the actions of third-party entities. Background: External Dependencies Management is a domain covered by the CRR. However, EDM and associated issues (e.g., supply-chain management, vendor management) are not addressed at a comprehensive level within the CRR, resulting in the creation of a separate assessment. Linkages to CRR: Despite operating at a more granular level than the CRR, the EDM Assessment borrows heavily from the CRR s methodological architecture and scoring system but remains a DHS-facilitated assessment. EDM process outlined in the External Dependencies Management Resource Guide The EDM Assessment provides stakeholders with a more in-depth examination of risks associated with their third-party entities.

34 EDM Assessment Report Each EDM report includes: Performance summary of existing capability managing external dependencies Sub-domain performance of existing capability managing external dependencies and options for consideration for all responses comparison data with other EDM participants

35 CIS Highlights

36 CIS Dashboard - Comparison Shows the low, median, and high performers Compares your organization to the aggregate

37 A lot of Information Water ISAC Information Center Cybersecurity Resource Guide NIST , Guide to Industrial Controls Systems (ICS)

38 Cyber Exercises and Planning The NCCIC s National Cyber Exercise and Planning Program (NCEPP) develops, conducts and evaluates cyber-exercises and planning activities for state, local, tribal and territorial governments as well as public and private sector critical infrastructure organizations. Cyber Storm Exercise DHS s flagship national-level biennial exercise Exercise Planning and Conduct Cyber Exercise Consulting and SME Support Cyber Planning Support Off-the-Shelf Resources

39 The Foundation for our Nation s Cyber Workforce The National Cybersecurity Workforce Framework is a collection of definitions that describe types of cybersecurity work and skills requires to perform it. When used nationally, the definitions can help establish universallyapplicable cybersecurity skills, training/development, and curricula 7 Categories, 30+ Specialty Areas Baselines knowledge, skills, and abilities & tasks Operate & Maintain Securely Provision Analyze Collect & Operate Oversight & Development Protect & Defend Investigate

40 NCCIC in Brief Responsibilities include: The mission of the National Cybersecurity and Communications Integration Center (NCCIC) is to reduce the likelihood and severity of incidents that may significantly compromise the security and resilience of the Nation s critical information technology and communications networks. Provide alerts, warnings, common operating picture on cyber and communications incidents in real time to virtual and on-site partners Work 24X7 with partners to mitigate incidents: On-site partners include the Department of Defense, Federal Bureau of Investigation, Secret Service, Information Sharing and Analysis Centers (ISACs) and DHS components such as Office of Industry and Analysis Public and private sector partners share and receive information subject to information sharing protocols 40

41 Incident Reporting NCCIC provides real-time threat analysis and incident reporting capabilities 24x7 contact: or tps://forms.us-cert.gov/report/ Malware When to Submission Report: Process: If there is a suspected or confirmed cyber attack or incident that: -Affects Please core send government all submissions or critical to AMAC infrastructure functions; -Results at: submit@malware.us-cert.gov in the loss of data, system availability; or control of systems; -Indicates Must be malicious provided software in password-protected is present on critical systems zip files using password infected Web-submission: FOUO / UNCLASS 41

42 DHS Cybersecurity Services- In Summary Preparedness Activities Information / Threat Indicator Sharing Cybersecurity Training and Awareness Cyber Exercises and Playbooks National Cyber Awareness System Vulnerability Notes Database Information Products and Recommended Practices Industrial Control Systems Evaluations Other Cyber Evaluations Cyber Resilience Reviews (CRR ) Cyber Infrastructure Surveys Vulnerability Scanning Network Risk and Vulnerability Assessments (aka Pen Tests) External Dependency Management Reviews Cyber Evaluation Tool (CSET ) Validated Architecture Design Review (VADR) NCCIC Response Assistance Remote / On-Site Assistance Malware Analysis Hunt and Incident Response Teams Incident Coordination Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Advisors Protective Advisors

43 Contact Information General Inquiries C3VP: us-cert.gov/ccubedvp DHS Contact Information Department of National Protection and Programs Directorate Office of Cybersecurity and Communications Rick Gardner Cybersecurity Advisor Kenny Longfritz Protective Advisor Harley D. Rinerson Chief of Operations Central Untied States