This document discusses why corporate security professionals should care about information security. It begins by explaining how physical and logical security systems are now interconnected, meaning threats can affect physical security without a physical presence. It then gives an example of the 2016 Mirai botnet attack, which took down major websites by overloading them with traffic from compromised IoT devices. The document recommends that organizations use a risk management framework to inventory and classify assets, scan for vulnerabilities, remediate issues, and create an incident response plan. Coordination is needed between IT, security, and other teams to effectively manage cybersecurity risks.
4. Hello!
I am David Ksiazek
Security Services Director at Alliance Technology Group
david.ksiazek@alliance-it.com
5. My Background
▪ System Administration
▪ SQL Development
▪ IT and Internal Audit, 2003-2010
▪ IT Security, 2008 – Present
▪ Worked on the team that wrote the FedRAMP HIGH Baseline
7. Agenda
▪ Impact of Physical Security Threats and How They Affect Information Security
▪ Build and Use a Cybersecurity RMF to Drive Informed Decision Making
9. Why Should Corporate Security Professionals Care about Information Security?
▪ Obvious: Data is valuable
▪ Obvious: IT assets are valuable
10. “Interconnectedness between physical and logical systems means the ability to affect physical security on an organization’s premises no longer requires a physical presence on said premises.”
12. Interconnectedness
▪ Physical assets are increasingly connected to logical systems: the Internet of Things (IoT)
▪ The systems that protect these assets are controlled by, or at least connected to, Information Technology (IT) systems
13. Interconnectedness
▪ Operational Technology (OT) systems that control physical assets are likely to be connected to and integrated into IT systems
▪ Compromising these systems is a major goal of malicious actors
14. Interconnectedness
▪ Internet of Things (IoT) connected devices can be used as data sources to direct Distributed Denial of Service (DDoS) levels of traffic against the intended target
▪ These same levels of traffic can also overwhelm the network on which the infected devices sit, rendering the devices useless to the owning organization
16. Mirai Overview
▪ October 2016: the Mirai botnet was used to DDoS DYN, a web hosting company
▪ A botnet is a collection of internet-connected computers, a sort of hacked-together supercomputer that can be used for malicious purposes
▪ The DDoS came from re-routing traffic from compromised IoT devices, particularly IP cameras
17. Mirai Result
▪ The attack on DYN took down Twitter, the Guardian, Netflix, Reddit and CNN
▪ DYN lost about 14,500 domain customers, about 12% of its total customers
▪ Bandwidth usage more than doubled for the 600,000 infected devices over the 77 hours of the attack
18. Loss of Control
“Infected devices caused a degraded user experience for the device owner, as devices that are involved in attacks can interfere with the owner’s use of both the device and the network to which it is connected”
– Berkeley School of Information Report
19. Mirai Means “Future”
▪ October 2017: a massive new botnet called Reaper forms
▪ Check Point has found that fully 60 percent of the networks it tracks have been infected with the Reaper malware
▪ An estimated million organizations have already been scanned, with an unknown number actually infected
▪ Recruiting IoT devices such as IP wireless cameras
▪ Check Point researchers discovered ‘IoTroop’, evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016
21. Share and Share Alike
▪ Get your IT, OT, Physical Security and Risk Management teams together
▪ Your IT group knows all about the technology side of security, but they have little expertise in translating it into business risk
▪ The parties need to understand one another and have coordinated responses
23. Organize Your Efforts
▪ Determine which information security standard applies to your industry and base your cybersecurity framework on its practices
▪ We use and recommend the National Institute of Standards and Technology (NIST)’s:
  ▪ Framework for Improving Critical Infrastructure Cybersecurity
  ▪ SP 800-53 Recommended Security Controls for Federal Information Systems
▪ Review your insurance coverage to ensure that at least one policy (cyber, crime, property, or liability) will respond to any successful cyber attack
24. Use a Risk Management Framework
▪ Organizations often need to comply with more than one framework based on any number of the following requirements:
  • Statutory (Sarbanes-Oxley (SOX), FISMA, NY-DFS, GDPR)
  • Regulatory (PII, HIPAA)
  • Contractual (PCI, CUI)
25. Use a Risk Management Framework
▪ Frameworks often overlap in their coverage of control areas
▪ They can be mapped to one another, so complying once can be credited multiple times
26. Risk Management Framework - Policies
▪ Start with Policies
▪ Policies should be implemented that require compliance with the relevant portions of the identified RMFs
▪ Policies should be adopted and promoted at the highest levels of the organization to:
  o Compel compliance efforts, and…
  o Justify the budget to enable compliance
27. Inventory
▪ You first have to know what you are securing
Show of hands: who knows whether they have a complete asset and configuration inventory?
28. It’s Classified
▪ Inventory your assets, including data
▪ Then classify that data based on business criticality, as well as on the sensitivity/confidentiality of the data
▪ NIST standard:
  ➢ C – Criticality
  ➢ I – Integrity
  ➢ A – Availability
  Each rated LOW, MODERATE or HIGH
29. It’s Classified
▪ The highest level of the three attributes (C-I-A) determines the level of compliance required
▪ Low has a low level of controls required
▪ Moderate has more controls required
▪ High adds controls that generally automate the Moderate controls
30. Inventory
▪ Identify critical assets (physical and logical) and network access points at your facilities (both physical and logical)
▪ Determine how access is controlled
▪ Prioritize actions to improve access control where needed
31. Scan
▪ Assess assets regularly
▪ Scan for compliance with an approved baseline configuration
▪ Scan to identify critical or vulnerable assets, and scan them for known vulnerabilities
32. Remediate
▪ Patch identified vulnerabilities:
  ▪ High/Critical – As quickly as possible
  ▪ Moderate – Within 7-10 days
  ▪ Low – Within 30 days
▪ Scales vary, and can take asset criticality and exploitability into account
▪ Update or re-image servers or workstations that are out of compliance with the approved baseline
▪ Use micro-segmentation or Software Defined Networking to isolate assets
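Added example (not from the deck) tying two of the slides together in Python: the C-I-A high-water mark from slide 29 sets each asset's impact level, and the Remediate windows above turn each scan finding into a due date. The one-step tightening for HIGH-impact assets or public exploits, the use of 10 days for Moderate, and the sample inventory and findings are my assumptions, not the presenter's.

```python
from datetime import date, timedelta

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}

def overall_impact(c, i, a):
    """High-water mark (slide 29): the highest of the C-I-A ratings
    decides which control baseline the asset must meet."""
    return max((c, i, a), key=LEVELS.__getitem__)

# Remediate slide windows, in days. "As quickly as possible" is
# modelled as due the day it is found; Moderate uses the 10-day end.
BASE_SLA_DAYS = {"CRITICAL": 0, "HIGH": 0, "MODERATE": 10, "LOW": 30}
SEVERITY_ORDER = ["LOW", "MODERATE", "HIGH", "CRITICAL"]

def sla_days(severity, asset_level, exploit_available):
    """Assumed tightening (mine, not the deck's): a finding on a HIGH
    impact asset, or one with a public exploit, moves up one step."""
    idx = SEVERITY_ORDER.index(severity)
    if asset_level == "HIGH" or exploit_available:
        idx = min(idx + 1, len(SEVERITY_ORDER) - 1)
    return BASE_SLA_DAYS[SEVERITY_ORDER[idx]]

def remediation_status(finding, asset, today):
    """Return (impact level, due date, overdue?) for one finding."""
    level = overall_impact(asset["C"], asset["I"], asset["A"])
    days = sla_days(finding["severity"], level, finding["exploit"])
    due = finding["found"] + timedelta(days=days)
    return level, due, today > due

# Constructed sample inventory and scan findings, not real systems.
ASSETS = {
    "badge-server": {"C": "MODERATE", "I": "HIGH", "A": "HIGH"},
    "lobby-camera": {"C": "LOW", "I": "LOW", "A": "MODERATE"},
    "intranet-wiki": {"C": "LOW", "I": "LOW", "A": "LOW"},
}
FINDINGS = [
    {"asset": "badge-server", "severity": "MODERATE", "exploit": False, "found": date(2024, 3, 1)},
    {"asset": "lobby-camera", "severity": "LOW", "exploit": True, "found": date(2024, 3, 1)},
    {"asset": "intranet-wiki", "severity": "LOW", "exploit": False, "found": date(2024, 3, 1)},
]

def report(today):
    """One row per finding: (asset, impact level, due date, overdue)."""
    return [(f["asset"],) + remediation_status(f, ASSETS[f["asset"]], today)
            for f in FINDINGS]

if __name__ == "__main__":
    for asset, level, due, overdue in report(date(2024, 3, 20)):
        print(f"{asset:14} impact={level:9} due={due} overdue={overdue}")
```

Run against a real scanner export, the same loop gives the patch team a ranked, dated worklist and gives risk management a count of findings past their window.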
33. Incident Response
▪ Create a documented incident-response plan to prepare employees to respond accordingly during cyber events
▪ Plans need to be part of a complete risk management program, not just a document
▪ Test the plan. Tabletop simulation exercises can be a very effective means of testing the adequacy of a plan and its restoration time windows