Presentation by Ben Boyd during the 2018 Northwest Arkansas Community College Cyber Security Awareness Symposium.
Building a Cyber Security program is more than just technology or architecture. Managing Cyber Risk is the duty of anyone with a digital asset.
8. Public Data Flow: Securing Public Facing Data
Data path (diagram, flattened): Internet (Unsecure!) → Internet Routers → Perimeter Firewalls → Load Balancers → Web/App Servers → Logic/Processing Servers → Database Servers → Storage Servers (Cloud and/or Datacenter)
Tiers and data states: Presentation Tier = Data in Motion; Application Tier = Data in Use; Data Tier = Data at Rest
People = Public; Processes = Data in & Out (Banks, FB, & Google)
Controls shown on the diagram: Interior Firewalls (virtual), DNS, DDoS, IDP, Encryption, PAM, Secure Domain Routing, Threat Detection Tools, Certificate Mgmt, Virtualization, Containerization, Sec Dev, WAF, Segmentation, App-FW, Anti-Malware, Threat Prevention (Encryption, PAM, Virtualization/Containerization/Sec Dev and App-FW are shown at more than one tier)
9. Internal Data Flow: Securing Internal Data
Data path (diagram, flattened): WiFi / Access Switch → Corporate Firewalls → Corporate Routers → Load Balancers → Web/App Servers → Logic/Processing Servers → Database Servers → Storage Servers
Tiers and data states: Presentation Tier = Data in Motion; Application Tier = Data in Use; Data Tier = Data at Rest (the user side of the diagram is also marked Data at Rest)
People = Employees / Contractors; Processes = Business Needs
Server-side controls shown: Interior Firewalls (virtual), Encryption, PAM, IAM, Secure Domain Routing, Threat Detection Tools, Virtualization, Containerization, Sec Dev, WAF (Encryption, PAM and Virtualization/Containerization/Sec Dev are shown at more than one tier)
User-side controls shown: IDP, User-FW, App-FW, Anti-Malware, Threat Prevention, DLP, E-mail Security
10. Cloud Data Flow: Securing Cloud-Based Data
Data path (diagram, flattened): WiFi / Access Switch → Corporate Firewalls → Internet Routers → Internet → The “Cloud”
Data states: Data in Motion; Data at Rest (marked at two points)
People = Employees / Contractors; Processes = Business Needs
Cloud service examples shown:
• SaaS: Salesforce, Office 365, Gsuite, Concur, Salary.com, Workday, Webex
• PaaS: Google App Engine, AWS Beanstalk, SQL in Azure, Heroku
• IaaS: Digital Ocean, AWS, Azure
Controls shown: Secure Domain Routing, Threat Detection Tools, Encryption, IDP, User-FW, App-FW, Anti-Malware, Threat Prevention, DNS, CASB, IAM, Virtual FW, E-mail Security, Caching, DLP (DLP, E-mail Security and Anti-Malware are shown at more than one point)
11. The end of the CISO
Cybersecurity is Everyone’s Job
• Make Risk-Based Decisions!
  • If I leave X insecure, what is the impact to the organization?
• Application Developers
  • Patched Libraries
  • No backdoors
  • No hardcoded credentials
• System Admins
  • No “root” users
  • Patched Systems and Apps
• Business Users
  • No “workarounds” and shadow IT
12. Continuous Diagnostics & Mitigation
What the Feds are doing…
Executive Order on Cybersecurity
Accountability, Vulnerabilities, Modernization, Transparency
13. Story Time
• The Traffic Also Rises
  • Chinese and Russian traffic on bank teller machine.
• To kill a high power bill
  • Cryptocurrency mining by internal resource
• Lord of the 10gig link
  • Compromised machines torrenting
• For Whom the SQL Tolls
  • SQL Injection on major website
• One Flew Over the VPN
  • TOR traffic
  • Hola VPN traffic
Just a few failures I’ve come across
Threat sources shown on the slide: Insider Attack, Compromised on Inside, External Hackers (Insiders, Shadow IT, Compromised)
Cyber Security is the use of various technologies and processes to protect networks, computers, programs and data from attack, damage or unauthorized access.
PEOPLE (Everyone)
Make security a cultural focus of the organization!
Ensure Senior Management buy-in and commitment.
Without this you will fail.
Employ the right people with the right attitude, experience and qualifications.
Train your people and test them periodically
Rewards and recognition to reinforce behavior
PROCESS (Bake Security in!)
Build these first and then select the Technology
Clearly communicate the established processes within the organization
Train the People on the Processes and get their buy-in by showing them ‘what’s in it for them’
The processes should be aligned to the organization’s risk tolerance and business objectives
TECHNOLOGY (Anything digital)
Understand how the technology works and the exposure it creates
Monitor changes in technology and deploy effective tools
Ensure software patches and updates are applied in a timely fashion
Continuously monitor the log files against an established baseline
Information Security is protecting information from unauthorized access, use, disruption, modification or destruction regardless of how the information is stored – electronic or physical
Data at Rest
Data is at rest when it is stored on a hard drive. In this relatively secure state, information is primarily protected by conventional perimeter-based defenses such as firewalls and anti-virus programs. However, these barriers are not impenetrable. Organizations need additional layers of defense to protect sensitive data from intruders in the event that the network is compromised.
Encrypting hard drives is one of the best ways to ensure the security of data at rest. Other steps can also help, such as storing individual data elements in separate locations to decrease the likelihood of attackers gaining enough information to commit fraud or other crimes.
Data in Use
Data in use is more vulnerable than data at rest because, by definition, it must be accessible to those who need it. Of course, the more people and devices that have access to the data, the greater the risk that it will end up in the wrong hands at some point. The keys to securing data in use are to control access as tightly as possible and to incorporate some type of authentication to ensure that users aren’t hiding behind stolen identities.
Organizations also need to be able to track and report relevant information so they can detect suspicious activity, diagnose potential threats, and proactively improve security. For example, an account being disabled due to a certain number of failed login attempts could be a warning sign that a system is under attack.
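The failed-login warning sign described above, together with the log monitoring recommended in the Technology notes, as an added Python example (not part of the presentation): it parses constructed auth log lines, flags accounts that reach a failure threshold inside a sliding time window, and goes beyond the text by also flagging a single source that fails against many different accounts, a pattern per-account lockouts never trigger on. The log format, thresholds and window sizes are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the presentation): one event per line.
SAMPLE_LOG = """\
2018-10-02T09:00:01 auth: FAILED user=alice src=10.0.0.5
2018-10-02T09:00:04 auth: FAILED user=alice src=10.0.0.5
2018-10-02T09:00:09 auth: FAILED user=alice src=10.0.0.5
2018-10-02T09:00:20 auth: LOCKED user=alice src=10.0.0.5
2018-10-02T09:01:00 auth: FAILED user=bob src=203.0.113.7
2018-10-02T09:01:02 auth: FAILED user=carol src=203.0.113.7
2018-10-02T09:01:03 auth: FAILED user=dave src=203.0.113.7
2018-10-02T09:30:00 auth: OK user=bob src=10.0.0.9
"""
LINE_RE = re.compile(r"^(\S+) auth: (FAILED|LOCKED|OK) user=(\S+) src=(\S+)$")

def parse_events(text):
    """Return (timestamp, kind, user, src) tuples in time order; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def _windowed(events, group_of, count_of, threshold, window):
    """Flag groups whose FAILED events inside a sliding time window reach the threshold."""
    recent, flagged = defaultdict(deque), set()
    for ev in events:
        if ev[1] != "FAILED":
            continue
        q = recent[group_of(ev)]
        q.append(ev)
        while ev[0] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if count_of(q) >= threshold:
            flagged.add(group_of(ev))
    return flagged

def failing_accounts(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts hitting the failed-login threshold: the lockout warning sign the notes describe."""
    return _windowed(events, lambda e: e[2], len, threshold, window)

def spraying_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Sources failing against many distinct accounts; per-account lockout thresholds never fire on this."""
    return _windowed(events, lambda e: e[3], lambda q: len({e[2] for e in q}), threshold, window)
```

Pass the output of parse_events(SAMPLE_LOG) to both detectors; on the sample log they return {'alice'} and {'203.0.113.7'} respectively.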
Data in Motion
Data is at its most vulnerable when it is in motion, and protecting information in this state requires specialized capabilities. Our expectation of immediacy dictates that a growing volume of sensitive data be transmitted digitally, forcing many organizations to replace couriers, faxes, and conventional mail service with faster options such as email. Today, more than 100 million business emails are sent every day [1].
When you send an email, it typically takes a long and winding journey through the electronic infrastructure at universities, government facilities, and other network locations. Anyone with the right tools can intercept your email as it moves along this path. However, there are effective ways to make email more secure.
The best way to ensure that your messages and attachments remain confidential is to transmit them through an encryption platform that integrates with your existing systems and workflows.
Optimally, users should be able to send and receive encrypted messages directly from their standard email service. More than 90% of organizations that currently use email encryption report that they have this capability [2].
Looking ahead, it will also become increasingly important for the encryption service your organization uses to cover mobile email applications. The Radicati Group [1] predicts that 80% of email users will access their accounts via mobile devices by 2018, but more than 35% of organizations currently using email encryption say their users lack the ability to send secure messages from their mobile email client [2].
Following the introduction of the C.I.A. triangle, another triangle is used to explain the relationship between security, functionality and ease of use. A triangle is used because an increase or decrease in any one of the three factors changes how much of the other two is present.
As an example, increasing the amount of functionality in an application will also increase the surface area that a malicious user can attack when attempting to find an exploitable weakness.
The trade-off between security and ease of use is commonly encountered in the real world, and often causes friction between users and those responsible for maintaining security.
The numerous incidents of defeating security measures prompt my cynical slogan: The more secure you make something, the less secure it becomes.
Why? Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds that defeat the security. Hence the prevalence of doors propped open by bricks and wastebaskets, of passwords pasted on the fronts of monitors or hidden under the keyboard or in the drawer, of home keys hidden under the mat or above the doorframe or under fake rocks that can be purchased for this purpose.
1. Least Privilege
Users should be allowed only the minimum necessary access needed to perform their job and nothing more. And system components should be allowed only the minimum necessary function needed to perform their purpose and nothing more.
If a least privilege environment has not been effectively implemented and users are provided with higher levels of access than they need, attackers can steal these credentials (user name and password) and gain broad access to systems.
For example, in the Target and Sony breaches, attackers were able to gain administrative-level privileges.
2. Micro-segmentation
The whole IT environment should be divided into small parts to make it more manageable to protect and to contain the damage if one part gets compromised.
If micro-segmentation has not been effectively implemented, attackers can break into one part of the network and then easily move around to other parts.
For example, in the Target breach, after an initial intrusion into the HVAC system, the attackers were able to move around to the payment network system. In the Sony breach, the attackers were also able to move around from one part of the network to another. In the case of the OPM breach, the attackers obtained access to OPM’s local area network and then pivoted to the Interior Department’s data center.
3. Encryption
For critical business processes, all data should be encrypted, whether stored or transmitted. In the event of a data breach, stealing critical files should only result in obtaining unreadable data.
If encryption has not been effectively implemented, attackers can exfiltrate data in readable form.
For example, after a data breach at Royal & Sun Alliance Insurance PLC, government investigators determined that the company had not adequately encrypted the data.
4. Multi-factor Authentication
The identity of users and system components should be verified using multiple factors (not just simple passwords), commensurate with the risk of the requested access or function.
If multi-factor authentication (MFA) is not effectively implemented, attackers can obtain passwords and use them to access systems.
For example, in the OPM breach, if the contractor logons had been enforced with a risk-appropriate level of MFA, it would have limited the ability of the attackers to use the stolen credentials of the government contractor. In the case of the breach at LinkedIn, the hack exposed inadequately protected passwords of 100 million users. Since consumers often reuse passwords on multiple sites, MFA would have reduced the risk.
5. Patching
Systems should be kept up to date and consistently maintained. Any critical system that is out of date is a meaningful security risk.
If patching is not effectively implemented, attackers can exploit open holes in systems.
For example, the WannaCry ransomware exploited a known software vulnerability for which a patch was available. Organizations that fell victim had failed to effectively patch.
Why internal data?
Because we need jobs!
We work tickets, write emails, have meetings, plan things, deploy things, do slide presentations, do spreadsheets, input numbers. This is all data that needs to be secured.
Why cloud data?
Because most of the work we do today is done on “web apps”. This data needs to be secured as well!
The term layer 8 is often used pejoratively by IT professionals to refer to employees’ lack of awareness and a weak overall cybersecurity culture. While organizations continue to purchase and deploy technical controls, not much has been done to focus on the human side of cybersecurity. Today, it is just as important to secure human assets — layer 8 — as it is to secure layers 1 through 7.
Don’t fall into a false sense of comfort thinking that your technical controls alone can keep you safe. According to Gartner, “Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms.” So how do we bring humans back into the security loop?
How should a culture of cybersecurity be developed and fostered? According to The Wall Street Journal, IT teams should undertake four key efforts with support from the very top levels of the organization:
• Embed cybersecurity throughout business processes instead of restricting it to one function.
• Encourage collaboration between different departments and areas of the business.
• Promote shared responsibility.
• Empower employees to learn and develop.
Antivirus company Avast outlined some advice to help organizations improve their cybersecurity culture. One recommendation is to ensure adequate focus on individual responsibility and spread awareness about the vital role everyone plays in cybersecurity.
To create a culture of security, companies must address the need to:
• Educate employees on how the cybersecurity dots are connected to the organization’s ability to achieve its business objectives and avoid fines, loss of business, loss of brand reputation and possibly layoffs.
• Form security awareness allies, including supporters from across the organization, not just the security team.
• Empower employees to own their efforts in protecting data within the organization.