TIPS FOR AUDITING CYBERSECURITY

Dr. Vilius Benetis, ISACA Lithuania Chapter, NRD CS. 18 October 2016

TODAY'S SPEAKER: Dr. Vilius Benetis, Cybersecurity Practice Leader, Norway Registers Development (NRD Cybersecurity); ISACA Lithuania Chapter

AGENDA
Tip #0: please enable strong authentication on your personal accounts (Google, Facebook, Evernote, Office 365, Dropbox, ...). Read more: https://twofactorauth.org/
Tip #1: Clarification of the cybersecurity domain
Tip #2: The auditing process and cybersecurity
Tip #3: CIS Critical Security Controls
Tip #4: Auditing cybersecurity skills

#1 ON CLARIFICATION OF THE CYBERSECURITY DOMAIN

GOOGLE IT: CYBERSECURITY DEFINITION. Where do we start? Let's ground the terms.

ISO 27032:

ISO 27032 (& ): SECURITY CONCEPTS AND TECHNIQUES

#1 ON CLARIFICATION OF THE CYBERSECURITY DOMAIN
1. Are you sure you want to limit the audit scope to cybersecurity, and not to information security more broadly?
2. Adjust the terms to fit your organisation.

#2 ON THE AUDITING PROCESS AND CYBERSECURITY

Audit program example (from the ISACA publication "Information Systems Auditing: Tools and Techniques: Creating Audit Programs"): automation of business functions, e.g. assess the organisation's/IS resilience to cyber threats.

#3 ON CIS CRITICAL SECURITY CONTROLS

CIS CRITICAL SECURITY CONTROLS (V6.1). The number in parentheses is the control's position in the previous version (v5); controls 1-4 kept their numbers.
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Controlled Use of Administrative Privileges (12)
6: Maintenance, Monitoring, and Analysis of Audit Logs (14)
7: Email and Web Browser Protections (new)
8: Malware Defenses (5)
9: Limitation and Control of Network Ports, Protocols, and Services (11)
10: Data Recovery Capability (8)
11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (10)
12: Boundary Defense (13)
13: Data Protection (17)
14: Controlled Access Based on the Need to Know (15)
15: Wireless Access Control (7)
16: Account Monitoring and Control (16)
17: Security Skills Assessment and Appropriate Training to Fill Gaps (9)
18: Application Software Security (6)
19: Incident Response and Management (18)
20: Penetration Tests and Red Team Exercises (20)

THE FIVE CRITICAL TENETS OF CYBER DEFENSE:
1. Offense informs defense
2. Prioritization
3. Metrics
4. Continuous diagnostics and mitigation
5. Automation

CSC 1: INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES. Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

CSC 1: INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES (sub-controls 1.1-1.3)
1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to the organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts by analyzing their traffic should be employed.
1.2 If the organization is dynamically assigning addresses using DHCP, then deploy DHCP server logging, and use this information to improve the asset inventory and help detect unknown systems.
1.3 Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

CSC 1: INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES (sub-controls 1.4-1.5)
1.4 Maintain an asset inventory of all systems connected to the network and of the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet Protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory must also record whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.
1.5 Deploy network level authentication via 802.1X to limit and control which devices can be connected to the network. The 802.1X deployment must be tied into the inventory data to determine authorized versus unauthorized systems.


CSC 1: INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES: measures and risk thresholds (all metrics by business unit)
1.1 How many unauthorized devices are presently on the organization's network?
    Lower risk: less than 1%; moderate risk: 1%-4%; higher risk: 5%-10%
1.2 How long, on average, does it take to remove unauthorized devices from the organization's network?
    Lower risk: 60 minutes; moderate risk: 1,440 minutes (1 day); higher risk: 10,080 minutes (1 week)
1.3 What percentage of systems on the organization's network are not using Network Level Authentication (NLA) to authenticate to the network?
    Lower risk: less than 1%; moderate risk: 1%-4%; higher risk: 5%-10%
1.5 How long does it take to detect new devices added to the organization's network (time in minutes)?
    Lower risk: 60 minutes; moderate risk: 1,440 minutes (1 day); higher risk: 10,080 minutes (1 week)
1.6 How long does it take to isolate/remove unauthorized devices from the organization's network (time in minutes)?
    Lower risk: 60 minutes; moderate risk: 1,440 minutes (1 day); higher risk: 10,080 minutes (1 week)
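
A worked example of sub-controls 1.1, 1.2 and 1.4 feeding the measures above, added here as an illustration; it is not code from the slides or from CIS. It merges a constructed active-scan result with constructed DHCP server log lines (assumed to be in ISC dhcpd syslog style), reconciles both against a constructed asset inventory keyed by MAC address, attributes rogue devices to a business unit by subnet (an assumed mapping), and scores the result against the threshold bands of the table: metric 1.1 as a percentage of devices seen per unit, and metric 1.5 as minutes between a rogue device's first DHCP lease and the time the audit run happened (also assumed). Enforcement via 802.1X (sub-control 1.5) is outside what the script does.

```python
import re
from datetime import datetime

def _unit_hosts(unit, subnet, mac_prefix, count, purpose):
    """Constructed inventory rows for one unit (1.4 fields: address, name, purpose, owner, department)."""
    tag = unit[:3].lower()
    return {f"{mac_prefix}:{i:02x}": {"name": f"{tag}-{i:02d}", "ip": f"{subnet}{10 + i}",
                                      "purpose": purpose, "owner": f"{tag}-admin", "unit": unit}
            for i in range(1, count + 1)}

# Authorized inventory (constructed): 24 Finance workstations, 9 Engineering laptops.
INVENTORY = {**_unit_hosts("Finance", "10.1.0.", "aa:bb:cc:01:00", 24, "workstation"),
             **_unit_hosts("Engineering", "10.2.0.", "aa:bb:cc:02:00", 9, "laptop")}

# Assumption: an unknown device is attributed to the unit that owns its subnet.
SUBNET_UNITS = {"10.1.": "Finance", "10.2.": "Engineering"}

# 1.1: active scan output as (ip, mac). Every inventoried host answered, plus one
# rogue host with a static address that never touched DHCP.
ACTIVE_SCAN = [(d["ip"], mac) for mac, d in INVENTORY.items()] + [("10.2.0.99", "de:ad:be:ef:00:02")]

# 1.2: DHCP server log, constructed in ISC dhcpd syslog style; line 2 is a rogue lease.
DHCP_LOG = """\
Oct 18 08:01:12 dhcp1 dhcpd: DHCPACK on 10.1.0.11 to aa:bb:cc:01:00:01 (fin-01) via eth0
Oct 18 08:03:40 dhcp1 dhcpd: DHCPACK on 10.1.0.57 to de:ad:be:ef:00:01 via eth0
Oct 18 08:05:02 dhcp1 dhcpd: DHCPACK on 10.2.0.11 to aa:bb:cc:02:00:01 (eng-01) via eth1
Oct 18 08:05:30 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:02:00:02 via eth1
"""
LOG_YEAR = 2016                                  # syslog lines carry no year (assumed)
AUDIT_RUN_AT = datetime(2016, 10, 18, 9, 0, 0)   # when this reconciliation ran (assumed)

DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<name>[^)]*)\))?", re.I)

def parse_dhcp_log(text):
    """One dict per DHCPACK line (ip, mac, name, seen); DISCOVER/NAK etc. are ignored."""
    events = []
    for line in text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            seen = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ip": m["ip"], "mac": m["mac"].lower(), "name": m["name"], "seen": seen})
    return events

def observed_devices(active_scan, dhcp_events):
    """Merge scan hits and DHCP leases into one view keyed by MAC; 'seen' is the
    earliest lease time, and scan-only devices carry no timestamp."""
    devices = {}
    for ip, mac in active_scan:
        devices[mac.lower()] = {"ip": ip, "seen": None, "source": "scan"}
    for ev in dhcp_events:
        d = devices.setdefault(ev["mac"], {"ip": ev["ip"], "seen": None, "source": "dhcp"})
        if d["seen"] is None or ev["seen"] < d["seen"]:
            d["seen"] = ev["seen"]
    return devices

def reconcile(inventory, devices):
    """Split observed devices into authorized (in inventory) and unauthorized."""
    authorized, unauthorized = {}, {}
    for mac, d in devices.items():
        if mac in inventory:
            authorized[mac] = {**d, **inventory[mac]}
        else:
            unit = next((u for p, u in SUBNET_UNITS.items() if d["ip"].startswith(p)), "unknown")
            unauthorized[mac] = {**d, "unit": unit}
    return authorized, unauthorized

def metric_unauthorized_pct(authorized, unauthorized):
    """Metric 1.1 by unit: unauthorized devices as a percentage of all devices seen there."""
    total, bad = {}, {}
    for d in list(authorized.values()) + list(unauthorized.values()):
        total[d["unit"]] = total.get(d["unit"], 0) + 1
    for d in unauthorized.values():
        bad[d["unit"]] = bad.get(d["unit"], 0) + 1
    return {u: round(100.0 * bad.get(u, 0) / n, 1) for u, n in total.items()}

def metric_detection_minutes(unauthorized, detected_at):
    """Metric 1.5 per rogue device: minutes from its first lease to this audit run."""
    return {mac: None if d["seen"] is None else int((detected_at - d["seen"]).total_seconds() // 60)
            for mac, d in unauthorized.items()}

def pct_band(pct):
    """Bands from the metrics table: <1% lower, 1-4% moderate, 5-10% higher
    (4-5% is not covered by the table; treated as moderate here)."""
    return "lower" if pct < 1 else "moderate" if pct < 5 else "higher" if pct <= 10 else "above higher threshold"

def minutes_band(minutes):
    """Bands from the metrics table: 60 minutes lower, 1 day moderate, 1 week higher."""
    return ("lower" if minutes <= 60 else "moderate" if minutes <= 1440
            else "higher" if minutes <= 10080 else "above higher threshold")

def run_audit(detected_at=AUDIT_RUN_AT):
    """Full CSC 1 check: discover, reconcile against inventory, score the metrics."""
    authorized, unauthorized = reconcile(INVENTORY, observed_devices(ACTIVE_SCAN, parse_dhcp_log(DHCP_LOG)))
    return {"unauthorized": unauthorized,
            "pct_by_unit": metric_unauthorized_pct(authorized, unauthorized),
            "detect_minutes": metric_detection_minutes(unauthorized, detected_at)}

if __name__ == "__main__":
    r = run_audit()
    for mac, d in r["unauthorized"].items():
        mins = r["detect_minutes"][mac]
        print(f"UNAUTHORIZED {mac} ip={d['ip']} unit={d['unit']} via={d['source']} "
              f"detected after {mins} min -> {minutes_band(mins) if mins is not None else 'n/a'}")
    for unit, pct in r["pct_by_unit"].items():
        print(f"{unit}: {pct}% unauthorized -> {pct_band(pct)} risk")
```

Run as a script, it lists the two rogue devices and the per-unit bands (Finance 4.0%, moderate; Engineering 10.0%, higher). The sample is built to show two things an auditor should ask about: a device with a static address never appears in DHCP logs and is caught only by the active scan, so metric 1.5 cannot be computed for it from lease data alone; and the table leaves the interval between 4% and 5% undefined, so whoever automates the measure has to decide which band it falls in and document that choice.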

Relationship to COBIT processes

#4 ON AUDITING CYBERSECURITY SKILLS

SHOULD WE INCLUDE A SKILLS AUDIT?
1) Risk: lack of skilled people
2) Skills required to assess. Methodologies: NICE, CSC, e-CF, SFIA
Example audit objective (as in Tip #2): automation of business functions, e.g. assess the organisation's/IS resilience to cyber threats

CYBERSECURITY/ICT SKILLS MODELS
1. NIST NICE (United States)
2. e-CF (European Union / Dutch)
3. SFIA 6 (UK)

ADDITIONAL REASONS FOR A SKILLS AUDIT
HR: preparing a re-organisation. What skill sets do we need to plan for? What skill set should we hire?
CISO office: information security should be handled better. What skills are missing?
Career planning: what should I focus on for my cybersecurity career?

HOW TO RUN A SKILLS AUDIT?
Simplest: ask "what skills are missing to reach the goals?"
Medium: inventory/assess existing skills via questionnaires (list the competences, ask people to self-assess)
Sophisticated: run serious tests to assess

OUTPUT OF A SKILLS AUDIT
Simplest: a list of skills/competences and who covers them; items with nobody against them are the missing competences
Medium: skills/competences with required levels and fulfilled levels; the gap is visible
Sophisticated: a detailed report by professional skills assessors

SUMMARY
Tip #1: Clarification of the cybersecurity domain
Tip #2: The auditing process and cybersecurity
Tip #3: CIS Critical Security Controls
Tip #4: Auditing cybersecurity skills
and Tip #0: please enable strong authentication on your personal accounts

RELEVANT RESOURCES:
1. SFIA: https://www.sfia-online.org
2. NIST NICE: http://csrc.nist.gov/nice/
3. CIS CSC: https://www.cisecurity.org/critical-controls/
4. ISO 27032: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44375
5. ISACA, Information Systems Auditing: Tools and Techniques: Creating Audit Programs: http://www.isaca.org/knowledge-Center/Research/ResearchDeliverables/Pages/Information-Systems-Auditing-Tools-and-Techniques-Creating-Audit-Programs.aspx

Questions?

THIS TRAINING CONTENT ("CONTENT") IS PROVIDED TO YOU WITHOUT WARRANTY, AS IS AND WITH ALL FAULTS. ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED. YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINE THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS. Copyright 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).

THANK YOU FOR ATTENDING THIS WEBINAR