WHO AM I? Been working in IT Security since 1992

Similar documents
K12 Cybersecurity Roadmap

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Designing and Building a Cybersecurity Program

ECKLER FS TECHNOLOGY APPLICATIONS SECURITY CONTROLS. General Security Controls for Products & Services (Updated )

CyberSecurity: Top 20 Controls

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

TIPS FOR AUDITING CYBERSECURITY

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Aligning with the Critical Security Controls to Achieve Quick Security Wins

How Breaches Really Happen

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

NEN The Education Network

Lessons Learned From Real World CISOs

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

ISO27001 Preparing your business with Snare

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Cyber Protections: First Step, Risk Assessment

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Automating the Top 20 CIS Critical Security Controls

Cybersecurity Today Avoid Becoming a News Headline

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

ISE North America Leadership Summit and Awards

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

AUTHORITY FOR ELECTRICITY REGULATION

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

CSC - DRAFT - VER6c FOR PUBLIC COMMENT ONLY

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Information Security Office. Server Vulnerability Management Standards

Total Security Management PCI DSS Compliance Guide

Building Secure Systems

SecureTrack. Supporting SANS 20 Critical Security Controls. March

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

CyberArk Privileged Threat Analytics

CCISO Blueprint v1. EC-Council

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

How to Develop Key Performance Indicators for Security

ACM Retreat - Today s Topics:

External Supplier Control Obligations. Cyber Security

Personal Physical Security

Education Network Security

Cyber security tips and self-assessment for business

Client Computing Security Standard (CCSS)

Standard: Event Monitoring

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

The Common Controls Framework BY ADOBE

ICS Cybersecurity. SANS Top 20 Critical Controls for ICS. David Van Crout

Cyber Security Program

Gujarat Forensic Sciences University

CERT Development EFFECTIVE RESPONSE

Department of Management Services REQUEST FOR INFORMATION

10 FOCUS AREAS FOR BREACH PREVENTION

Table of Contents. Policy Patch Management Version Control

Protecting productivity with Industrial Security Services

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

White Paper April McAfee Protection-in-Depth. The Risk Management Lifecycle Protecting Critical Business Assets.

Information Technology Procedure IT 3.4 IT Configuration Management

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Ransomware A case study of the impact, recovery and remediation events

7.16 INFORMATION TECHNOLOGY SECURITY

BYOD. Transformation. Joe Leonard Director, Secure Networks. April 3, 2013

CIS Controls Measures and Metrics for Version 7

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

RSA NetWitness Suite Respond in Minutes, Not Months

Vulnerability Management Policy

CNIT 50: Network Security Monitoring. 9 NSM Operations

Standard for Security of Information Technology Resources

CIS Controls Measures and Metrics for Version 7

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

CYBERSECURITY RISK LOWERING CHECKLIST

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Cyber Hygiene: A Baseline Set of Practices

VIVOTEK. Security Hardening Guide

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Help Your Security Team Sleep at Night

Information Security Controls Policy

Exposing The Misuse of The Foundation of Online Security

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

CISO as Change Agent: Getting to Yes

The Future Is SECURITY THAT MAKES A DIFFERENCE. Implementing the 20 Critical Controls

CND Exam Blueprint v2.0

2015 HFMA What Healthcare Can Learn from the Banking Industry

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Juniper Vendor Security Requirements

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Reinvent Your 2013 Security Management Strategy

Back to Basics: Basic CIS Controls

Transcription:

(C) MARCHANY 2011 1

WHO AM I? Been working in IT Security since 1992 CISO at VA Tech 35+K node network. dual stack IPV4, IPV6 network since 2006 Multi-national Main campus (Blacksburg, VA), Remote campuses (Arlington, Norfolk, VA), Swiss, Indian, Egyptian campuses My IT Security Philosophy All Security is Local Empower the local IT staff The Business Process trumps the Security Process Learn the business process before imposing security requirements Restrictive security practices cause worse problems overall (C) MARCHANY 2011 2

VA TECH IT SECURITY STRATEGY Based on ISO 27002, NIST 800-53 Standards Protect sensitive data regardless of location Business process defines and trumps the security process if there is a conflict IT and Business processes must adapt to new situation All security is local Empower the local departmental sysadmins with information Don t care what comes in the net. Worry about what leaves the net. (C) MARCHANY 2011 3

IMPLEMENTING THE 20 CRITICAL CONTROLS STRATEGY Quick wins Focus on the most common and damaging threats Consistent implementation Metrics to justify acquisitions Interfere with Attackers getting in Attackers staying in Attackers causing damage Focus on what leaves the net rather than what comes in (C) MARCHANY 2011 4

(C) MARCHANY 2011 5

WHY 20 CRITICAL CONTROLS? Subset of the Priority 1 items in NIST 800-53 Mapping of 27002->800-53->20 Critical Controls http://www.systemexperts.com/assets/tutors/systemexperts-sans20-1.pdf Technical controls only, not operational controls Have to start somewhere Based on NSA Attack Mitigation Scores Stop Attacks early Stop Many Attacks Mitigate Impact of Attacks Focus is ASSURANCE not compliance! (C) MARCHANY 2011 6

THE 20 CRITICAL CONTROLS: 1-3 1. Inventory of authorized and unauthorized devices Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory 2. Inventory of authorized and unauthorized software Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) 3. Secure configurations for hardware and software on laptops, workstations, and servers Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise (C) MARCHANY 2011 7

THE 20 CRITICAL CONTROLS: 4-5 4. Continuous Vulnerability Assessment and Remediation Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities 5. Malware Defenses Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading (C) MARCHANY 2011 8

THE 20 CRITICAL CONTROLS: 6-10 6. Application Software Security Neutralize vulnerabilities in web-based and other application software: 7. Wireless Device Control Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if it matches an authorized configuration and security profile and has a documented owner and defined business need. 8. Data Recovery Capability (validated manually) 9. Security Skills Assessment and Appropriate Training To Fill Gaps (validated manually) 10. Secure configurations for network devices such as firewalls, routers, and switches Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. (C) MARCHANY 2011 9

THE 20 CRITICAL CONTROLS: 11-13 11. Limitation and Control of Network Ports, Protocols, and Services Allow remote access only to legitimate users and services: Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed 12. Controlled Use of Administrative Privileges Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: 13. Boundary Defense Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines: (C) MARCHANY 2011 10

THE 20 CRITICAL CONTROLS: 14-15 14. Maintenance, Monitoring and Analysis of Audit Logs Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines:. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies. 15. Controlled Access Based On Need to Know Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to nonpublic data and files. (C) MARCHANY 2011 11

THE 20 CRITICAL CONTROLS: 16-20 16. Account Monitoring and Control Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner. 17. Data Loss Prevention Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. 18. Incident Response Capability (validated manually) 19. Secure Network Engineering (validated manually) Keep poor network design from enabling attackers: Use a robust, secure network engineering process to prevent security controls from being circumvented. Allow rapid deployment of new access controls to quickly deflect attacks. 20. Penetration Tests and Red Team Exercises (validated manually) (C) MARCHANY 2011 12

IMPLEMENTATION TIPS Secure upper management backing Do a 20 Critical Controls Gap Analysis Find out who at your school has the information needed by a particular control Get access to the info Pick 2-4 controls at a time, Rinse, lather and repeat This is a 3-5 year project. (C) MARCHANY 2011 13

YOU HAVE THE ANSWERS ALREADY 1. Inventory of authorized and unauthorized device Obtain from your network management group 2. Inventory of authorized and unauthorized software Obtain from software purchasing group 3. Secure configurations for hardware and software on laptops, workstations, and servers Policy 4. Continuous Vulnerability Assessment and Remediation IT Security Office runs weekly scans against critical servers 5. Malware Defense IT Security Office (C) MARCHANY 2011 14

YOU HAVE THE ANSWERS ALREADY 6. Application Software Security Security Questionnaires 7. Wireless Device Control Network management group 8. Data Recovery Capability (validated manually) Network Backup service, departmental backup process 9. Security Skills Assessment & Appropriate Training To Fill Gaps (validate manually) Secure the Human 10. Secure configurations for network devices such as firewalls, routers, and switches Network Management Group (C) MARCHANY 2011 15

YOU HAVE THE ANSWERS ALREADY 11. Limitation and Control of Network Ports, Protocols, and Services Policy, Standards, Individual Departmental guidelines 12. Controlled Use of Administrative Privileges Policy, Standards, Individual Departmental guidelines 13. Boundary Defense Policy, Standards, define the boundary! 14. Maintenance, Monitoring and Analysis of Audit Logs Standard Sysadmin practice, SIEM, Syslog server 15. Controlled Access Based On Need to Know Business process rules, Identity Mgt process (C) MARCHANY 2011 16

YOU HAVE THE ANSWERS ALREADY 16. Account Monitoring and Control HR Policies/process, Identity Mgt process 17. Data Loss Prevention Sensitive Data protection policy/standards, network forensics 18. Incident Response Capability (validated manually) IT Security Office, Upper Mgt approval 19. Secure Network Engineering (validated manually) Network mgt group configuration rules 20. Penetration Tests and Red Team Exercises (validated manually) (C) MARCHANY 2011 17

CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #1

CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #14

(C) MARCHANY 2011 20

(C) MARCHANY 2011 21

(C) MARCHANY 2011 22

THE CHALLENGES Getting upper management (Board, President, CIO, VP) support Getting the data Internal IT groups may not have the info in a format you want Internal IT groups may not want to give you the data Departmental groups may not want to give you the info Performing the Gap analysis Building the 20 Critical Implementation plan Just doing it! (C) MARCHANY 2011 23

JUST DO IT You probably rolled your eyes when you read the controls We can t do that! It s too complicated Just do it We have not made significant strides in overall organizational IT security in the past 20 years Same vectors in the 1990s are causing problems in the 2010s It s time to change the paradigm Just do it a few steps at a time (C) MARCHANY 2011 24

QUESTIONS? Contact Information Randy Marchany University IT Security Officer VA Tech IT Security Office & Lab 1300 Torgersen Hall Blacksburg, VA 24061 540-231-9523 (office) 540-231-1688(lab) marchany@vt.edu Twitter: @randymarchany Blog: randymarchany.blogspot.com (C) MARCHANY 2011 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback