K12 Cybersecurity Roadmap

Transcription

1 K12 Cybersecurity Roadmap

2 Introduction Jason Brown, CISSP Chief Information Security Officer Merit Network, 2

3 Agenda 3 Why Use the Critical Security Controls? The Five Critical Tenets Foundational Cyber Hygiene Pulling it Altogether Where Do I Go Next?

4 Fog of More 4 Compliance Encryption Logs Multifactor Authentication 802.1x Security Benchmarks Risk Management Framework Secure Coding End User Training Mobile Device Management Firewall Policies, Standards and Procedures Anti-Virus Data Loss Prevention SIEM

5 Why Use the CSC? 5 Controls are developed by actual attacks and effective defenses Laid out based on priority 20 control categories with 4 14 sub-controls All are technical controls The Critical Security Controls (CSC) can be supplemented by other frameworks

6 The Five Critical Tenets

7 What Are They? 7 1. Offense Informs Defense 2. Prioritize 3. Metrics 4. Continuous Diagnostic and Mitigation 5. Automation

8 #1: Offense Informs Defense 8 Attackers - Offense What are they doing? How are the doing it? Is it successful? You Defense What was put in place to stop it? How was it implemented? Was it successful?

9 #2: Prioritize 9 Review the 20 Critical Security Controls Perform gap analysis What is the biggest pay off for your environment? Put a plan together for the bigger projects

10 20 CSC 10 Account Monitoring and Control Inventory of Authorized and Unauthorized Devices Application Software Security Inventory of Authorized and Unauthorized Software Boundary Defense Continuous Vulnerability Assessment and Remediation Controlled Access Based on the Need to Know Controlled Use of Administrative Privileges Data Protection Data Recovery Capability and Web Browser Protections Incident Response and Management Limitation and Control of Network Ports, Protocols and Services Maintenance, Monitoring and Analysis Malware Defenses Penetration Tests and Red Team Exercises Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers Secure Configurations for Network Devices such as Firewalls, Routers and Switches Security Skills Assessment and Appropriate Training to Fill Gaps Wireless Access Control

11 Question #1 11 Penetration Testing Vulnerability Scanning

12 Question #2 12 Antivirus and Web Browser Protections

13 20 CSC 13 #1 Inventory of Authorized and Unauthorized Devices #2 Inventory of Authorized and Unauthorized Software #11 Secure Configurations for Network Devices such as Firewalls, Routers and Switches #12 - Boundary Defense #3 Secure Configurations for Hardware and #13 Data Protection Software on Mobile Devices, Laptops, Workstations and Servers #4 Continuous Vulnerability Assessment and Remediation #14 Controlled Access Based on the Need to Know #5 Controlled Use of Administrative Privileges #15 Wireless Access Control #6 Maintenance, Monitoring and Analysis #16 Account Monitoring and Control #7 and Web Browser Protections #17 Security Skills Assessment and Appropriate Training to Fill Gaps #8 Malware Defenses #18 Application Software Security #9 Limitation and Control of Network Ports, Protocols and Services #19 Incident Response and Management #10 Data Recovery Capability #20 Penetration Tests and Red Team Exercises

14 #3: Metrics 14 Provide established common metrics for executives, IT staff, auditors and security officials What type of metrics should be reported on? Do metrics make sense? Should established metrics be reassessed? Use SMART metrics Specific - target a specific area for improvement Measurable - quantify or at least suggest an indicator for success Assignable - specify who will do it Realistic - state what results are realisticlly achieved, given resources Time-related - Specify when the results can be achieved

15 Measurement Companion for CSC 15

16 CSC Percentage Based Metrics 16

17 #4: Continuous Diagnostics and Mitigation 17 Continuous measurement to test and validate the effectiveness of current security measures How well are your firewalls configured? Are all your IT resources logging? Did you follow up on the IPS alerts? These help drive the priority of next steps Plan, Do, Check, Act

18 #5: Automation 18 Automate as much as possible Configuration Management Vulnerability Scanning Patch Management Reporting and Alerting Manual checks do not scale However they are required in some instances

19 Foundational Cyber Hygiene

20 Foundational Cyber Hygiene 20 The essential first steps to a successful cyber security program 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations of Hardware and Software on Mobile Devices, Laptops, Workstations and Servers 4. Continuous Vulnerability Assessment and Remediation 5. Controlled Use of Administrative Privileges

21 CSC #1 21 Inventory of Authorized and Unauthorized Devices Deploy an automated asset management tool Log DHCP addresses that have been assigned Detect unknown systems in DHCP logs Deploy 802.1x authentication Use client based certificates for system authentication

22 CSC #2 22 Inventory of Authorized and Unauthorized Software Maintain a list of authorized software deployed on systems Use application white listing Deploy a software inventory system Use virtual machines and air gapped systems for highly sensitive information

23 CSC #3 23 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers Establish secure configurations for operating systems and software applications Build secure a secure image and keep it safe. Reimage systems if compromised. Store secure images in a safe location, use integrity checks to validate and strict change management should be used Perform remote administration through secure communication Use Active Directory or Puppet to ensure configuration settings

24 CSC #4 24 Continuous Vulnerability Assessment and Remediation When exploits are released, the race begins between you and the attacker Who will win? How do I solve this? Automated vulnerability scans against all resources Use authenticated scans Deploy automated patch management tools Rate vulnerability risks within environment DMZ Internal Servers vs desktops

25 Evaluating Vulnerabilities 25 Common Vulnerabilities and Exposures (CVE) CVE ID Description Public advisories or references Common Vulnerability Scoring System (CVSS) Provided by NIST An open framework for communicating the impacts of IT vulnerabilities Rating Score Patch High Within 30 days Moderate Within 60 days Low Within 90 days

26 CSC #5 26 Controlled Use of Administrative Privileges Only use administrative accounts when required Use automated tools to inventory all administrative accounts Change system default passwords Use multifactor authentication for all administrative access Use a dedicated machine for all administrative tasks

27 Double Up on Controls! 27 Store hardware, software and data classification in one system CSC1 Inventory authorized and unauthorized hardware CSC2 Inventory authorized and unauthorized software CSC13 Data Protection CSC15 Wireless Access Control Utilize same site for IT resource benchmarks CSC3 Secure configurations for laptops, servers, mobile devices CSC11 Secure configurations for network and firewall equipment Log, monitor, and alert from one SIEM or Log Management System CSC6 Maintenance, monitoring and analysis CSC16 Account monitoring and control

28 Supplemental Documents 28 Excel Spreadsheet document with controls Center for Internet Security Companion Guides Internet of Things Mobile Security Privacy Impact Measurement

29 Where Do I Go Next?

30 Where Do I Go From Here? 30

31 Framework Core 31 Functions Categories Subcategories Informative References Identify (ID) Asset Management (ID.AM) Physical devices and systems within the organization are inventoried (ID.AM-1) NIST SP CM-8 ISO 27001:2013 A.8.1.1, A Software platforms and applications within the organization are inventoried (ID.AM-2) Protect (PR) Access Control (PR.AC) Detect (DE) Respond (RS) Recover (RC)

32 Framework Tiers 32 Tiers based upon risk management processes Tier 1: Partial Risk management is ad hoc implemented on case-by-case basis Organization has limited awareness of cybersecurity risk Tier 2: Risk Informed Risk management is approved by management, not established by policy Organization is aware of risk, no formal approach has been established Tier 3: Repeatable Org. risk management practices are approved and expressed as policy Tier 4: Adaptive Risk management is adaptive change based upon current threats and posture

33 Framework Profile 33 Two parts can be more Current state profile Future state profile Assess present security posture to develop a current profile Alignment of functions, categories, and subcategories with business requirements, risk tolerance and resources Develop a plan of action and milestone (POA&M) document to achieve yearly initiatives and goals

34 CIS CSC to NIST CSF 34

35 Roadmap 35 Next week Download the CIS benchmarks and controls documentation for review Over the next 3 months Download the CIS-CAT Lite tool set and begin scanning a few systems within the environment Over the next 6 month Purchase the full suite, giving you access to all the scanning tools and hardened OS images

36 General Discussion and Questions

37 Oakbrook Drive Suite 200 Ann Arbor, Michigan Thank You