Cyber Hygiene: A Baseline Set of Practices

Similar documents
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

The CERT Top 10 List for Winning the Battle Against Insider Threats

Components and Considerations in Building an Insider Threat Program

Defining Computer Security Incident Response Teams

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

Information Security Is a Business

Be Like Water: Applying Analytical Adaptability to Cyber Intelligence

Cyber Threat Prioritization

NEN The Education Network

Advancing Cyber Intelligence Practices Through the SEI s Consortium

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Analyzing 24 Years of CVD

Julia Allen Principal Researcher, CERT Division

SEI/CMU Efforts on Assured Systems

External Supplier Control Obligations. Cyber Security

2013 US State of Cybercrime Survey

The Insider Threat Center: Thwarting the Evil Insider

Situational Awareness Metrics from Flow and Other Data Sources

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Cyber Security & Homeland Security:

Roles and Responsibilities on DevOps Adoption

Researching New Ways to Build a Cybersecurity Workforce

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

NISPOM Change 2: Considerations for Building an Effective Insider Threat Program

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Using CERT-RMM in a Software and System Assurance Context

Denial of Service Attacks

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Designing and Building a Cybersecurity Program

Education Network Security

Software Assurance Education Overview

K12 Cybersecurity Roadmap

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Information Security Controls Policy

Automating the Top 20 CIS Critical Security Controls

ACM Retreat - Today s Topics:

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Aligning with the Critical Security Controls to Achieve Quick Security Wins

NCSF Foundation Certification

Cyber Resilience. Think18. Felicity March IBM Corporation

Cybersecurity: Incident Response Short

Cybersecurity for Health Care Providers

Canada Life Cyber Security Statement 2018

Information Technology General Control Review

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

The Confluence of Physical and Cyber Security Management

Cyber Security Program

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

ARINC653 AADL Annex Update

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

The Common Controls Framework BY ADOBE

Checklist: Credit Union Information Security and Privacy Policies

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Security by Default: Enabling Transformation Through Cyber Resilience

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Why you should adopt the NIST Cybersecurity Framework

Business continuity management and cyber resiliency

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

FDIC InTREx What Documentation Are You Expected to Have?

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

The Need for Operational and Cyber Resilience in Transportation Systems

CISO as Change Agent: Getting to Yes

Incident Response. Is Your CSIRT Program Ready for the 21 st Century?

Cybersecurity Overview

NW NATURAL CYBER SECURITY 2016.JUNE.16

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

INFORMATION ASSURANCE DIRECTORATE

CCISO Blueprint v1. EC-Council

Sage Data Security Services Directory

Defensible Security DefSec 101

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

CS 356 Operating System Security. Fall 2013

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

University of Pittsburgh Security Assessment Questionnaire (v1.7)

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

Heavy Vehicle Cyber Security Bulletin

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Information Security Continuous Monitoring (ISCM) Program Evaluation

Smart Grid Maturity Model

ANATOMY OF AN ATTACK!

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Rethinking Cybersecurity from the Inside Out

INFORMATION ASSURANCE DIRECTORATE

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

OA Cyber Security Plan FY 2018 (Abridged)

Information Security Policy

COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

Design Pattern Recovery from Malware Binaries

CSIRT SERVICES. Service Categories

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

Transcription:

[DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Copyright 2017 Carnegie Mellon University. All Rights Reserved. This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [DISTRIBUTION STATEMENT A] This material has been approved for public Please see Copyright notice for non-us Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon and CERT are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. DM17-0937 2

Cyber Hygiene A Baseline Set of Practices Cybersecurity hygiene is a set of practices for managing the most common and pervasive cybersecurity risks faced by organizations today. 1. Identify and prioritize key organizational services, products and their supporting assets. 2. Identify, prioritize, and respond to risks to the organization s key services and products. 3. Establish an incident response plan. 4. Conduct cybersecurity education and awareness activities. 5. Establish network security and monitoring. 6. Control access based on least privilege and maintain the user access accounts. 7. Manage technology changes and use standardized secure configurations. 8. Implement controls to protect and recover data. 9. Prevent and monitor malware exposures. 10. Manage cyber risks associated with suppliers and external dependencies. 11. Perform cyber threat and vulnerability monitoring and remediation. Sources: - 10 Steps to Cybersecurity, UK Government Communications Headquarters (GCHQ) - 20 Critical Security Controls, Center for Internet Security (CIS) aka SANS 20 - Cybersecurity Framework, National Institute of Standards and Technology (NIST) - Resilience Management Model, Carnegie Mellon University, Software Engineering Institute CERT Division - Review of Cyber Hygiene Practices, European Union Agency for Network & Information Security (ENISA) - Strategies to Mitigate Cyber Security Incidents, Australian Signals Directorate (ASD) 3

CERT-RMM Practices Associated with Cyber Hygiene 4

CERT Resilience Management Model (CERT-RMM) CERT-RMM and its resilience management methodologies help organizations consider resilience to be a foundational property of all policies, plans, processes, and procedures. CERT-RMM has more than 200 resilience management practices spread across 26 process areas, ranging from Asset Definition and Management, to External Dependencies Management, to Vulnerability Analysis and Resolution. Though all the CERT-RMM practices are important for an organization s viability and sustainability, they are a lot for an organization to absorb. That s why we ve introduced the 11 cyber hygiene areas, which comprise 41 CERT-RMM practices that are paramount to every organization s success. The following slides detail each of the 11 cyber hygiene areas. The CERT-RMM practice documentation includes practice goals, concepts, implementation guidance, work products, and suggestions on how to build and manage operational resilience. You can download the complete list of CERT-RMM practices from the SEI website. The practices are organized by Practice Area (e.g., Enterprise Focus - EF) with Specific Goals (SG) and Specific Practices (SP) that provide more detailed information and guidance. The information can be readily found in the CERT-RMM documentation by referring to the naming convention of Practice Area: Specific Goal: Specific Practice, for example, EF:SG1:SP1. 5

1. Identify and prioritize key organizational services, products, and their supporting assets. 1. Enterprise Focus EF:SG1.SP3 Establish Organizational Services 2. Asset Definition and Management ADM:SG1.SP1 Inventory Assets What are the organization s most important activities and assets the crown jewels? The first principle of risk management is to focus on the critical few: find out what is most important to the organization, figure out where it lives, and build the cybersecurity risk management strategy around it. 6

2. Identify, prioritize, and respond to risks to the organization s key services and products. 1. Risk Management RISK:SG2.SP2 Establish Risk Measurement Criteria 2. Risk Management RISK:SG3.SP2 Identify Service-Level Risks 3. Risk Management RISK:SG4.SP1 Evaluate Risks 4. Risk Management RISK:SG4.SP3 Develop Risk Disposition Strategy 5. External Dependency Management EXD:SG2.SP1 Identify and Assess Risks Due to External Dependencies What are the key cyber-risks faced by the organization, potential impacts if those risks are realized, and how should they be addressed? The organization must identify and assess the risks to its operations, assets, and individuals (including mission, functions, and reputation). The response to the identified risks typically includes mitigation or acceptance and monitoring to reduce the probability of occurrence and/or minimize impact. 7

3. Establish an incident response plan. 1. Incident Management and Control IMC:SG1.SP1 Plan for Incident Management Is there a plan in place for responding to significant cyber and physical disruptions? Document and exercise response procedures and plans that include escalation, personnel roles and responsibilities, and external partner coordination for handling disruptions. 8

4. Conduct cybersecurity education and awareness activities. 1. Organizational Training and Awareness OTA:SG1.SP1 Establish Awareness Needs 2. Organizational Training and Awareness OTA:SG2.SP1 Perform Awareness Activities 3. Organizational Training and Awareness OTA:SG3.SP1 Establish Training Needs 4. Organizational Training and Awareness OTA:SG4.SP1 Deliver Training Do employees, senior leaders, and partners have adequate cybersecurity skills and awareness? Personnel and partners are provided ongoing cybersecurity awareness education and are adequately trained to perform their informationsecurity-related duties and responsibilities. 9

5. Establish network security and monitoring. 1. Vulnerability Analysis and Resolution VAR:SG2.SP2 Discover Vulnerabilities 2. Vulnerability Analysis and Resolution VAR:SG2.SP3 Analyze Vulnerabilities 3. Technology Management TM:SG4.SP2 Perform Configuration Management 4. Technology Management TM:SG4.SP4 Perform Release Management 5. Monitoring MON:SG1.SP3 Establish Monitoring Requirements 6. Monitoring MON:SG2.SP2 Establish Collection Standards and Guidelines 7. Monitoring MON:SG2.SP3 Collect and Record Information Does the communications network have adequate protection and monitoring? Utilize leading practice network design principles when configuring perimeter and internal network segments, and ensure all network devices are configured consistently and appropriately. Filter all traffic at the network perimeter to limit traffic to what is required to support the organization, and monitor traffic for unusual or malicious incoming and outgoing activity that could indicate an exposure, attack, or attempted attack. Conduct regular testing of the network for potential vulnerabilities and exposures. 10

6. Control access based on least privilege and maintain the user access accounts. 1. Access Management AM:SG1.SP1 Enable Access 2. Access Management AM:SG1.SP3 Periodically Review and Maintain Access Privileges 3. Knowledge Information Management KIM:SG1.SP2 Categorize Information Assets 4. Knowledge Information Management KIM:SG4.SP2 Control Access to Information Assets Are controls in place to limit information access to only those need it? Limit access based on the classification level (e.g., confidential, secret, public) of information in documents or data stored on servers. Locate sensitive information in secure areas and on systems that limit access to only individuals who need it. Ensure user access information is current and accurate. 11

7. Manage technology changes and use standardized secure configurations. 1. Technology Management TM:SG4.SP2 Perform Configuration Management 2. Technology Management TM:SG4.SP3 Perform Change Control and Management 3. Technology Management TM:SG4.SP4 Perform Release Management Are change control and configuration management procedures utilized consistently? Ensure configuration and change control processes are in place and managed. Establish standard secure configurations for hardware, operating systems, and software applications. These configurations should be regularly validated and refreshed to update them in light of recent threats, vulnerabilities, and attack vectors. 12

8. Implement controls to protect and recover data. 1. Service Continuity SC:SG3.SP2 Develop and Document Service Continuity Plans 2. Service Continuity SC:SG5.SP1 Develop Testing Program and Standards 3. Service Continuity SC:SG5.SP3 Exercise Plans 4. Service Continuity SC:SG6.SP2 Measure the Effectiveness of the Plans in Operation 5. Knowledge Information Management KIM:SG4.SP2 Control Access to Information Assets 6. Knowledge Information Management KIM:SG5.SP1 Control Modification of Information Assets 7. Knowledge Information Management KIM:SG6.SP1 Perform Information Duplication and Retention 8. Technology Management TM:SG5.SP1 Perform Planning to Sustain Technology Assets 9. Technology Management TM:SG5.SP2 Manage Technology Asset Maintenance 13

8. Implement controls to protect and recover data. (con t) Have adequate cybersecurity controls and recovery solutions been implemented and tested? Information and records (data) are managed consistent with the organization s risk strategy to protect the confidentiality, integrity, and availability of information. Ensure that each system is automatically backed up at least weekly, more often for systems storing sensitive information. Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls. Regularly test/audit the efficacy of controls, backups, and continuity procedures to ensure they are functioning as intended. 14

9. Prevent and monitor malware exposures. 1. Incident Management and Control IMC:SG2.SP3 Collect, Document, and Preserve Event Evidence 2. Incident Management and Control IMC:SG2.SP4 Analyze and Triage Events 3. Technology Management TM:SG2.SP2 Establish and Implement Controls 4. Monitoring MON:SG1.SP3 Establish Monitoring Requirements 5. Monitoring MON:SG2.SP2 Establish Collection Standards and Guidelines Does the organization have processes established to prevent malware and manage those risks? Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and intrusion protection functionality. All malware detection events should be sent to enterprise and event log servers for analysis. 15

10. Manage cyber risks associated with suppliers and external dependencies. 1. External Dependencies Management EDM:SG1.SP1 Identify External Dependencies 2. External Dependencies Management EDM:SG1.SP2 Prioritize External Dependencies 3. External Dependencies Management EDM:SG3.SP2 Establish Resilience Specifications for External Dependencies 4. External Dependencies Management EDM:SG4.SP1 Monitor External Entity Performance Are cyber risks associated with suppliers, and are third-party dependencies identified and managed? Supplier and third-party dependencies are identified, prioritized and managed. The organization establishes processes to manage threats, vulnerabilities, and incidents that may result from supplier and third-party dependencies throughout the lifecycle of those relationships. Where possible and appropriate, collaborative cybersecurity risk management processes (e.g., information sharing and controls testing) should be utilized. 16

11. Perform cyber threat and vulnerability monitoring and remediation. 1. Vulnerability Analysis and Resolution VAR:SG2.SP1 Identify Sources of Vulnerability Information 2. Vulnerability Analysis and Resolution VAR:SG2.SP2 Discover Vulnerabilities 3. Vulnerability Analysis and Resolution VAR:SG2.SP3 Analyze Vulnerabilities 4. Vulnerability Analysis and Resolution VAR:SG3.SP1 Manage Exposure to Vulnerabilities Collect threat and vulnerability information from information sharing forums and sources. Establish a process to risk-rate threats and vulnerabilities based on their probability, exploitability, and potential impact. Mitigate the highest risk threats and vulnerabilities using leading practice controls. Establish expected controls implementation and patching timelines based on the risk rating level. 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback