SlideShare a Scribd company logo

Federal Cybersecurity: The latest challenges, initiatives and best practices

Download as PPTX, PDF
J
John Gilligan

A presentation made on April 29, 2010 about federal cybersecurity best practices

Technology
1 of 25
Federal Cybersecurity: The latest challenges, initiatives and best practices John M. Gilligan April 29, 2010
Topics • Current Situation • FISMA Compliance: Today and Tomorrow • Top-level Strategy for Cyber Security • Focus on 20 Critical Controls and SCAP • Final thoughts 2
Cyber Security Threats Today--A New “Ball Game” • Our way of life depends on a reliable cyberspace • Intellectual property is being downloaded at an alarming rate • Cyberspace is now a warfare domain • Attacks increasing at an exponential rate • Fundamental network and system vulnerabilities cannot be fixed quickly • Entire industries exist to “Band Aid” over engineering and operational weaknesses Cyber Security is a National and Economic Security Crisis!
Situation Assessment • Assessing cyber threats (and therefore risks) requires extensive experience and access to highly classified materials – It is unreasonable to expect most organizations to assess threats/risks. • The technical aspects of Cybersecurity are enormously complex: – Cybersecurity will require significant increase in levels of discipline in systems/enterprise management – Guidance must be simple and clearly stated. • The overall state of cybersecurity is so poor, that it cannot be solved quickly: – Near term objective should be to establish a foundation upon which we can build – Cannot do everything at once; we must prioritize/focus
FISMA Was Well Intended; What is Not Working?? • Original intent was good: – Ensure effective controls – Improve oversight of security programs – Provide for independent evaluation • Implementation took us off course – Agencies unable to adequately assess cyber risks – (Lots of) NIST “guidance” became mandatory – No auditable basis for independent evaluation – Grading became overly focused on paperwork 5 Bottom Line: OMB mandates and paperwork debates has distracted CIOs/CISOs from achieving real security improvements
New Hope for Federal Cyber Security • Progress – FISMA Reporting Instructions: April 21, 2010 • Continuously monitor • Use automated tools • Develop automated risk models – NIST Guidance (SP 800-53 and SP 800-37) • Cautions – FISMA Reporting Instructions reinforce “compliance mentality” – Risk assessment while logical is “a foundation of sand” Security must be based on knowledge of attacks and results focused!
Top Level Cybersecurity Strategy Sophisticated Unsophisticated MISSION/FUNCTION CRITICALITY Implement Comprehensive Baseline of Security THREAT Low High Deploy Targeted Advanced Security Controls Accept Risk
Comprehensive Baseline of Security = A Well-Managed Enterprise Characteristics of a Well Managed Enterprise 1. Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so 2. Increased operational effectiveness and greater security without increased cost 3. Integrated and automated enterprise management tools 8 Cyber Security Requires Comprehensive Application of “Good IT Hygiene”!
9 Emma Antunes <emma.antunes@nasa.gov > Twitter: @eantunes Unsophisticated MISSION/FUNCTION CRITICALITY Deploy Targeted Advanced Security Controls Accept Risk 9 Result: Blocks 85% of attacks and provides foundation to address remaining/new attacks (Ref: Dick Schaeffer, NSA/IAD) Sophisticated Comprehensive Baseline of Security (A “well managed” IT infrastructure) THREAT Low High TIC Training for Sys Admin 2-Factor Authentication 20 Critical Controls FDCC+ SCAP DNSSEC, S-BGPThreat/Vul Collaboration Top Level Cyber Security Strategy Einstein 3
“20 Critical Controls” or CAG: The Philosophy • Assess cyber attacks to inform cyber defense – focus on high risk technical areas first • Ensure that security investments are focused to counter highest threats — pick a subset • Maximize use of automation to enforce security controls — negate human errors • Define metrics for critical controls • Use consensus process to collect best ideas 10 Focus investments by letting cyber offense inform defense
Approach for Developing 20 Critical Controls • NSA “Offensive Guys” • NSA “Defensive Guys” • DoD Cyber Crime Center (DC3) • US-CERT (plus 3 agencies that were hit hard) • Top Commercial Pen Testers • Top Commercial Forensics Teams • JTF-GNO • AFOSI • Army Research Laboratory • DoE National Laboratories • FBI and IC-JTF 11  Identify top attacks—the critical risk areas  Prioritize controls to match successful attacks—mitigate critical risks  Identify automation/verification methods and measures  Engage CIOs, CISOs, Auditors, and oversight organizations  Map Critical Controls to NIST SP 800-53 P1 controls (proper subset)  Engage the best security experts: Result: Applying the 20 Critical Controls will address the majority of cyber attacks
Relevance of 20 Critical Controls to FISMA and NIST Guidelines FISMA and NIST 1. Assess cyber security risk in an organization 2. Implement security based on risk 3. Select controls from NIST SP 800-53 to mitigate risk areas 4. Objectively evaluate control effectiveness 20 Critical Controls 1. Based on government-wide (shared) risk assessment 2. Controls address top cyber risks 3. 20 Critical Controls are subset of 800-53 Priority 1 controls 4. Use automated tools and periodic evaluations to provide continuous monitoring 12 20 Critical Controls designed to help agencies comply with FISMA and NIST guidance!
20 Critical Controls—Implementation Recommendation Step 1 Accept CAG consensus threats as risk baseline for your organization Step 2 Implement 20 Critical Controls Step 3 Use organization specific risk assessment to select and implement additional controls from 800-53 – Focus on unique, mission critical capabilities and data Step 4 Use automated tools and periodic evaluations to continuously measure compliance (risk reduction) Step 5 Partner with senior management and auditors to motivate compliance improvement – Use examples and lessons learned from State Dept. and others 13
Security Content Automation Protocol (SCAP)— Helping Achieve Enterprise IT Management • Cost of poorly disciplined IT is growing rapidly (i.e., efficiency degraded) • High quality IT support requires effective enterprise management (i.e., effectiveness degraded) • Cyber attacks are exploiting weak enterprise management (i.e., security degraded) – The weakest link becomes the enterprise “Achilles Heel” – Cyber exploitation is an issue for every enterprise 14 SCAP can enable effective enterprise IT management and security
Current SCAP Standards 15 CVE CVSS OVAL CCECPE XCCDF Software vulnerability management Configuration management Compliance management Asset management Identifies vulnerabilities Scores vulnerability severity Criteria to check presence of vulnerabilities, configurations, assets Identifies configuration controls Language to express configuration guidance for both automatic and manual vetting Identifies packages and platforms SCAP enables cross vendor interoperability and aggregation of data produced by separate tools to an enterprise level—leads to better enterprise management and cyber security!
Final Thoughts • In the near-term, we must focus on known attacks and measure progress • Automation of security control implementation and continuous assessment is essential • A well managed enterprise (e.g., using SCAP) is a harder target to attack and costs less to operate – the ultimate “no brainer” for a CIO 16 Focused cyber efforts needed to ensure national and economic security!
Contact Information 17 John M. Gilligan jgilligan@gilligangroupinc.com 703-503-3232 www.gilligangroupinc.com
FISMA Original Intent • Framework to ensure effective information security controls • Recognize impact of highly networked environment • Provide for development and maintenance of minimum controls • Improved oversight of agency information security programs • Acknowledge potential of COTS capabilities • Selection of specific technical hardware and software information security solutions left to agencies • Provide independent evaluation of security program 18 However: FISMA has evolved to “grading” agencies based largely on secondary artifacts
Review of FISMA and NIST Guidelines • FISMA – Security protection is commensurate with risk – Develop and maintain minimum controls – Selection of specific security solutions left to agencies – Ensure independent testing and evaluation of controls • NIST Guidelines – Use risk assessment to categorize systems – Select controls based on risk – Assess security controls 19
20 NIST Guidance: 1200 pages of FIPS Pubs, Special Pubs, Security Bulletins, etc.
Top 20 Attack Patterns—the biggest risks* 1. Scan for unprotected systems on networks 2. Scan for vulnerable versions of software 3. Scan for software with weak configurations 4. Scan for network devices with exploitable vulnerabilities 5. Attack boundary devices 6. Attack without being detected and maintain long-term access due to weak audit logs 7. Attack web-based or other application software 8. Gain administrator privileges to control target machines 9. Gain access to sensitive data that is not adequately protected 10. Exploit newly discovered and un-patched vulnerabilities 11. Exploit inactive user accounts 12. Implement malware attacks 13. Exploit poorly configured network services 14. Exploit weak security of wireless devices 15. Steal sensitive data 16. Map networks looking for vulnerabilities 17. Attack networks and systems by exploiting vulnerabilities undiscovered by target system personnel 18. Attack systems or organizations that have no or poor attack response 19. Change system configurations and/or data so that organization cannot restore it properly 20. Exploit poorly trained or poorly skilled employees 21 * Developed as a part of developing 20 Critical Controls and not in priority order
Example--Critical Control #1 Inventory of Authorized and Unauthorized Devices • Attacker Exploit: Scan for new, unprotected systems • Control: – Quick Win: Automated asset inventory discovery tool – Visibility/Attribution: On line asset inventory of devices with net address, machine name, purpose, owner – Configuration/Hygiene: Develop inventory of information assets (incl. critical information and map to hardware devices) • Associated NIST SP 800-53 Rev 3 Priority 1 Controls: – CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6 • Automated Support: Employ products available for asset inventories, inventory changes, network scanning against known configurations • Evaluation: Connect fully patched and hardened test machines to measure response from tools and staff. Control identifies and isolate new systems (Min--24 hours; best practice--less than 5 minutes) 22
Example--Critical Control #3 Secure Configurations for Hardware and Software on Laptops, Workstations and Servers • Attacker Exploit: Automated search for improperly configured systems • Control: – QW: Define controlled standard images that are hardened versions – QW: Negotiate contracts for secure images “out of the box” – Config/Hygiene: Tools enforce configurations; executive metrics with trends for systems meeting configuration guidelines • Associated NIST SP 800-53 Rev 3 Priority 1 Controls: – CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6 • Automated Support: Employ SCAP compliant tools to monitor/validate HW/SW/Network configurations • Evaluation: Introduce improperly configured system to test response times/actions (Minimum--24 hours; best practice--less than 5 min) 23
20 Critical Controls for Effective Cyber Defense (1 of 2) Critical Controls Subject to Automated Collection, Measurement, and Validation: 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 5. Boundary Defense 6. Maintenance, Monitoring, and Analysis of Security Audit Logs 7. Application Software Security 8. Controlled Use of Administrative Privileges 9. Controlled Access Based on Need to Know 10. Continuous Vulnerability Assessment and Remediation 11. Account Monitoring and Control 12. Malware Defenses 13. Limitation and Control of Network Ports, Protocols, and Services 14. Wireless Device Control 15. Data Loss Prevention 24
20 Critical Controls for Effective Cyber Defense (2 of 2) Additional Critical Controls (partially supported by automated measurement and validation): 16. Secure Network Engineering 17. Penetration Tests and Red Team Exercises 18. Incident Response Capability 19. Data Recovery Capability 20. Security Skills Assessment and Appropriate Training to Fill Gaps 25 Federal CIO Observation: The 20 Critical Controls are nothing new; they are recognized elements of a well managed enterprise

Recommended

Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controlsEnclaveSecurity
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controlsEnclaveSecurity
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1Lisa Niles
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSJohn Gilligan
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseEnclaveSecurity
 

Recommended

Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controlsEnclaveSecurity
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controlsEnclaveSecurity
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1Lisa Niles
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSJohn Gilligan
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseEnclaveSecurity
 
Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureInfosec
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and proceduresCAS
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2Lisa Niles
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspectsCAS
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4Lisa Niles
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmasterHafid CHEBRAOUI
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5Lisa Niles
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseEnclaveSecurity
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityEnclaveSecurity
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk ManagementTudor Damian
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, MITDaveMillaar
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?John Gilligan
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Ernest Staats
 
Incident response
Incident responseIncident response
Incident responseAnshul Gupta
 
Cybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesCybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesJohn Gilligan
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyEnclaveSecurity
 
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...Intel IT Center
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016EnterpriseGRC Solutions, Inc.
 

More Related Content

What's hot

Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureInfosec
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and proceduresCAS
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2Lisa Niles
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspectsCAS
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5Lisa Niles
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseEnclaveSecurity
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityEnclaveSecurity
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk ManagementTudor Damian
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, MITDaveMillaar
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?John Gilligan
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Ernest Staats
 
Cybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesCybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesJohn Gilligan
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyEnclaveSecurity
 

What's hot (20)

Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure Infrastructure
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and procedures
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspects
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for Defense
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device security
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture,
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security
 
Incident response
Incident responseIncident response
Incident response
 
Cybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesCybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best Practices
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
 

Viewers also liked

Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...Intel IT Center
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) Priyanka Aash
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationBijay Bhandari
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security pptLipsita Behera
 

Viewers also liked (8)

Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 

Similar to Federal Cybersecurity: The latest challenges, initiatives and best practices

Solving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity DilemmaSolving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity DilemmaJohn Gilligan
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
Leveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber SecurityLeveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber SecurityJohn Gilligan
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 
Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsJohn Gilligan
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkJack Shaffer
 
Implementing Continuous Monitoring
Implementing Continuous MonitoringImplementing Continuous Monitoring
Implementing Continuous MonitoringJohn Gilligan
 
Tech 2 Tech: increasing security posture and threat intelligence sharing
Tech 2 Tech: increasing security posture and threat intelligence sharingTech 2 Tech: increasing security posture and threat intelligence sharing
Tech 2 Tech: increasing security posture and threat intelligence sharingJisc
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)Norm Barber
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimemuhammad awais
 
5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management ProgramTripwire
 
Cyber security series advanced persistent threats
Cyber security series advanced persistent threats Cyber security series advanced persistent threats
Cyber security series advanced persistent threats Jim Kaplan CIA CFE
 
Building Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsBuilding Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsRob Arnold
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.pptit160320737038
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityKumawat Dharmpal
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
 

Similar to Federal Cybersecurity: The latest challenges, initiatives and best practices (20)

Solving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity DilemmaSolving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity Dilemma
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Leveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber SecurityLeveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber Security
 
Managing security threats in today’s enterprise
Managing security threats in today’s enterpriseManaging security threats in today’s enterprise
Managing security threats in today’s enterprise
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 
Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed Actions
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
 
Implementing Continuous Monitoring
Implementing Continuous MonitoringImplementing Continuous Monitoring
Implementing Continuous Monitoring
 
Tech 2 Tech: increasing security posture and threat intelligence sharing
Tech 2 Tech: increasing security posture and threat intelligence sharingTech 2 Tech: increasing security posture and threat intelligence sharing
Tech 2 Tech: increasing security posture and threat intelligence sharing
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crime
 
5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program
 
Cyber security series advanced persistent threats
Cyber security series advanced persistent threats Cyber security series advanced persistent threats
Cyber security series advanced persistent threats
 
Building Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsBuilding Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & Metrics
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS Environments
 

More from John Gilligan

Practical approaches to address government contracting problems
Practical approaches to address government contracting problemsPractical approaches to address government contracting problems
Practical approaches to address government contracting problemsJohn Gilligan
 
The Economics of Cyber Security
The Economics of Cyber SecurityThe Economics of Cyber Security
The Economics of Cyber SecurityJohn Gilligan
 
Top Level Cyber Security Strategy
Top Level Cyber Security Strategy Top Level Cyber Security Strategy
Top Level Cyber Security Strategy John Gilligan
 
Automating Enterprise IT Management by Leveraging Security Content Automation...
Automating Enterprise IT Management by Leveraging Security Content Automation...Automating Enterprise IT Management by Leveraging Security Content Automation...
Automating Enterprise IT Management by Leveraging Security Content Automation...John Gilligan
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...John Gilligan
 
Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...John Gilligan
 
Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsJohn Gilligan
 
Understanding Technology Stakeholders: Their Progress and Challenges
Understanding Technology Stakeholders: Their Progress and ChallengesUnderstanding Technology Stakeholders: Their Progress and Challenges
Understanding Technology Stakeholders: Their Progress and ChallengesJohn Gilligan
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and FutureJohn Gilligan
 

More from John Gilligan (9)

Practical approaches to address government contracting problems
Practical approaches to address government contracting problemsPractical approaches to address government contracting problems
Practical approaches to address government contracting problems
 
The Economics of Cyber Security
The Economics of Cyber SecurityThe Economics of Cyber Security
The Economics of Cyber Security
 
Top Level Cyber Security Strategy
Top Level Cyber Security Strategy Top Level Cyber Security Strategy
Top Level Cyber Security Strategy
 
Automating Enterprise IT Management by Leveraging Security Content Automation...
Automating Enterprise IT Management by Leveraging Security Content Automation...Automating Enterprise IT Management by Leveraging Security Content Automation...
Automating Enterprise IT Management by Leveraging Security Content Automation...
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
 
Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...
 
Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed Actions
 
Understanding Technology Stakeholders: Their Progress and Challenges
Understanding Technology Stakeholders: Their Progress and ChallengesUnderstanding Technology Stakeholders: Their Progress and Challenges
Understanding Technology Stakeholders: Their Progress and Challenges
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and Future
 

Recently uploaded

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Recently uploaded (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

Federal Cybersecurity: The latest challenges, initiatives and best practices

  • 1. Federal Cybersecurity: The latest challenges, initiatives and best practices John M. Gilligan April 29, 2010
  • 2. Topics • Current Situation • FISMA Compliance: Today and Tomorrow • Top-level Strategy for Cyber Security • Focus on 20 Critical Controls and SCAP • Final thoughts 2
  • 3. Cyber Security Threats Today--A New “Ball Game” • Our way of life depends on a reliable cyberspace • Intellectual property is being downloaded at an alarming rate • Cyberspace is now a warfare domain • Attacks increasing at an exponential rate • Fundamental network and system vulnerabilities cannot be fixed quickly • Entire industries exist to “Band Aid” over engineering and operational weaknesses Cyber Security is a National and Economic Security Crisis!
  • 4. Situation Assessment • Assessing cyber threats (and therefore risks) requires extensive experience and access to highly classified materials – It is unreasonable to expect most organizations to assess threats/risks. • The technical aspects of Cybersecurity are enormously complex: – Cybersecurity will require significant increase in levels of discipline in systems/enterprise management – Guidance must be simple and clearly stated. • The overall state of cybersecurity is so poor, that it cannot be solved quickly: – Near term objective should be to establish a foundation upon which we can build – Cannot do everything at once; we must prioritize/focus
  • 5. FISMA Was Well Intended; What is Not Working?? • Original intent was good: – Ensure effective controls – Improve oversight of security programs – Provide for independent evaluation • Implementation took us off course – Agencies unable to adequately assess cyber risks – (Lots of) NIST “guidance” became mandatory – No auditable basis for independent evaluation – Grading became overly focused on paperwork 5 Bottom Line: OMB mandates and paperwork debates has distracted CIOs/CISOs from achieving real security improvements
  • 6. New Hope for Federal Cyber Security • Progress – FISMA Reporting Instructions: April 21, 2010 • Continuously monitor • Use automated tools • Develop automated risk models – NIST Guidance (SP 800-53 and SP 800-37) • Cautions – FISMA Reporting Instructions reinforce “compliance mentality” – Risk assessment while logical is “a foundation of sand” Security must be based on knowledge of attacks and results focused!
  • 7. Top Level Cybersecurity Strategy Sophisticated Unsophisticated MISSION/FUNCTION CRITICALITY Implement Comprehensive Baseline of Security THREAT Low High Deploy Targeted Advanced Security Controls Accept Risk
  • 8. Comprehensive Baseline of Security = A Well-Managed Enterprise Characteristics of a Well Managed Enterprise 1. Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so 2. Increased operational effectiveness and greater security without increased cost 3. Integrated and automated enterprise management tools 8 Cyber Security Requires Comprehensive Application of “Good IT Hygiene”!
  • 9. 9 Emma Antunes <emma.antunes@nasa.gov > Twitter: @eantunes Unsophisticated MISSION/FUNCTION CRITICALITY Deploy Targeted Advanced Security Controls Accept Risk 9 Result: Blocks 85% of attacks and provides foundation to address remaining/new attacks (Ref: Dick Schaeffer, NSA/IAD) Sophisticated Comprehensive Baseline of Security (A “well managed” IT infrastructure) THREAT Low High TIC Training for Sys Admin 2-Factor Authentication 20 Critical Controls FDCC+ SCAP DNSSEC, S-BGPThreat/Vul Collaboration Top Level Cyber Security Strategy Einstein 3
  • 10. “20 Critical Controls” or CAG: The Philosophy • Assess cyber attacks to inform cyber defense – focus on high risk technical areas first • Ensure that security investments are focused to counter highest threats — pick a subset • Maximize use of automation to enforce security controls — negate human errors • Define metrics for critical controls • Use consensus process to collect best ideas 10 Focus investments by letting cyber offense inform defense
  • 11. Approach for Developing 20 Critical Controls • NSA “Offensive Guys” • NSA “Defensive Guys” • DoD Cyber Crime Center (DC3) • US-CERT (plus 3 agencies that were hit hard) • Top Commercial Pen Testers • Top Commercial Forensics Teams • JTF-GNO • AFOSI • Army Research Laboratory • DoE National Laboratories • FBI and IC-JTF 11  Identify top attacks—the critical risk areas  Prioritize controls to match successful attacks—mitigate critical risks  Identify automation/verification methods and measures  Engage CIOs, CISOs, Auditors, and oversight organizations  Map Critical Controls to NIST SP 800-53 P1 controls (proper subset)  Engage the best security experts: Result: Applying the 20 Critical Controls will address the majority of cyber attacks
  • 12. Relevance of 20 Critical Controls to FISMA and NIST Guidelines FISMA and NIST 1. Assess cyber security risk in an organization 2. Implement security based on risk 3. Select controls from NIST SP 800-53 to mitigate risk areas 4. Objectively evaluate control effectiveness 20 Critical Controls 1. Based on government-wide (shared) risk assessment 2. Controls address top cyber risks 3. 20 Critical Controls are subset of 800-53 Priority 1 controls 4. Use automated tools and periodic evaluations to provide continuous monitoring 12 20 Critical Controls designed to help agencies comply with FISMA and NIST guidance!
  • 13. 20 Critical Controls—Implementation Recommendation Step 1 Accept CAG consensus threats as risk baseline for your organization Step 2 Implement 20 Critical Controls Step 3 Use organization specific risk assessment to select and implement additional controls from 800-53 – Focus on unique, mission critical capabilities and data Step 4 Use automated tools and periodic evaluations to continuously measure compliance (risk reduction) Step 5 Partner with senior management and auditors to motivate compliance improvement – Use examples and lessons learned from State Dept. and others 13
  • 14. Security Content Automation Protocol (SCAP)— Helping Achieve Enterprise IT Management • Cost of poorly disciplined IT is growing rapidly (i.e., efficiency degraded) • High quality IT support requires effective enterprise management (i.e., effectiveness degraded) • Cyber attacks are exploiting weak enterprise management (i.e., security degraded) – The weakest link becomes the enterprise “Achilles Heel” – Cyber exploitation is an issue for every enterprise 14 SCAP can enable effective enterprise IT management and security
  • 15. Current SCAP Standards 15 CVE CVSS OVAL CCECPE XCCDF Software vulnerability management Configuration management Compliance management Asset management Identifies vulnerabilities Scores vulnerability severity Criteria to check presence of vulnerabilities, configurations, assets Identifies configuration controls Language to express configuration guidance for both automatic and manual vetting Identifies packages and platforms SCAP enables cross vendor interoperability and aggregation of data produced by separate tools to an enterprise level—leads to better enterprise management and cyber security!
  • 16. Final Thoughts • In the near-term, we must focus on known attacks and measure progress • Automation of security control implementation and continuous assessment is essential • A well managed enterprise (e.g., using SCAP) is a harder target to attack and costs less to operate – the ultimate “no brainer” for a CIO 16 Focused cyber efforts needed to ensure national and economic security!
  • 17. Contact Information 17 John M. Gilligan jgilligan@gilligangroupinc.com 703-503-3232 www.gilligangroupinc.com
  • 18. FISMA Original Intent • Framework to ensure effective information security controls • Recognize impact of highly networked environment • Provide for development and maintenance of minimum controls • Improved oversight of agency information security programs • Acknowledge potential of COTS capabilities • Selection of specific technical hardware and software information security solutions left to agencies • Provide independent evaluation of security program 18 However: FISMA has evolved to “grading” agencies based largely on secondary artifacts
  • 19. Review of FISMA and NIST Guidelines • FISMA – Security protection is commensurate with risk – Develop and maintain minimum controls – Selection of specific security solutions left to agencies – Ensure independent testing and evaluation of controls • NIST Guidelines – Use risk assessment to categorize systems – Select controls based on risk – Assess security controls 19
  • 20. 20 NIST Guidance: 1200 pages of FIPS Pubs, Special Pubs, Security Bulletins, etc.
  • 21. Top 20 Attack Patterns—the biggest risks* 1. Scan for unprotected systems on networks 2. Scan for vulnerable versions of software 3. Scan for software with weak configurations 4. Scan for network devices with exploitable vulnerabilities 5. Attack boundary devices 6. Attack without being detected and maintain long-term access due to weak audit logs 7. Attack web-based or other application software 8. Gain administrator privileges to control target machines 9. Gain access to sensitive data that is not adequately protected 10. Exploit newly discovered and un-patched vulnerabilities 11. Exploit inactive user accounts 12. Implement malware attacks 13. Exploit poorly configured network services 14. Exploit weak security of wireless devices 15. Steal sensitive data 16. Map networks looking for vulnerabilities 17. Attack networks and systems by exploiting vulnerabilities undiscovered by target system personnel 18. Attack systems or organizations that have no or poor attack response 19. Change system configurations and/or data so that organization cannot restore it properly 20. Exploit poorly trained or poorly skilled employees 21 * Developed as a part of developing 20 Critical Controls and not in priority order
  • 22. Example--Critical Control #1 Inventory of Authorized and Unauthorized Devices • Attacker Exploit: Scan for new, unprotected systems • Control: – Quick Win: Automated asset inventory discovery tool – Visibility/Attribution: On line asset inventory of devices with net address, machine name, purpose, owner – Configuration/Hygiene: Develop inventory of information assets (incl. critical information and map to hardware devices) • Associated NIST SP 800-53 Rev 3 Priority 1 Controls: – CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6 • Automated Support: Employ products available for asset inventories, inventory changes, network scanning against known configurations • Evaluation: Connect fully patched and hardened test machines to measure response from tools and staff. Control identifies and isolate new systems (Min--24 hours; best practice--less than 5 minutes) 22
  • 23. Example--Critical Control #3 Secure Configurations for Hardware and Software on Laptops, Workstations and Servers • Attacker Exploit: Automated search for improperly configured systems • Control: – QW: Define controlled standard images that are hardened versions – QW: Negotiate contracts for secure images “out of the box” – Config/Hygiene: Tools enforce configurations; executive metrics with trends for systems meeting configuration guidelines • Associated NIST SP 800-53 Rev 3 Priority 1 Controls: – CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6 • Automated Support: Employ SCAP compliant tools to monitor/validate HW/SW/Network configurations • Evaluation: Introduce improperly configured system to test response times/actions (Minimum--24 hours; best practice--less than 5 min) 23
  • 24. 20 Critical Controls for Effective Cyber Defense (1 of 2) Critical Controls Subject to Automated Collection, Measurement, and Validation: 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 5. Boundary Defense 6. Maintenance, Monitoring, and Analysis of Security Audit Logs 7. Application Software Security 8. Controlled Use of Administrative Privileges 9. Controlled Access Based on Need to Know 10. Continuous Vulnerability Assessment and Remediation 11. Account Monitoring and Control 12. Malware Defenses 13. Limitation and Control of Network Ports, Protocols, and Services 14. Wireless Device Control 15. Data Loss Prevention 24
  • 25. 20 Critical Controls for Effective Cyber Defense (2 of 2) Additional Critical Controls (partially supported by automated measurement and validation): 16. Secure Network Engineering 17. Penetration Tests and Red Team Exercises 18. Incident Response Capability 19. Data Recovery Capability 20. Security Skills Assessment and Appropriate Training to Fill Gaps 25 Federal CIO Observation: The 20 Critical Controls are nothing new; they are recognized elements of a well managed enterprise