How do we separate hype from useful information in Cyber Security? As Congress is debating a National privacy law, and several states have privacy and breach reporting laws, how will that impact our workload? Privacy starts with good cyber-hygiene. We will look at how we can leverage the focus on Privacy to address standards for:
Firewall and network Configs,
Cloud security
Protocols and ports that need attention
Authentication best practices
Server and network rights
Password rules
Privacies are Coming
1. THE PRIVACIES ARE COMING!
Ernest Staats MSIA, CISSP, CEH…
estaats@Networkpaladin.org
https://networkpaladin.org
2. LEGAL DISCLAIMER:
Nothing in this handout or presentation constitutes legal advice.
The information in this presentation was compiled from sources
believed to be reliable for informational purposes only. Any and
all information contained herein is not intended to constitute
legal advice. You should consult with your own attorneys when
developing programs and policies.
We do not guarantee the accuracy of this information or any
results and further assume no liability in connection with this
publication including any information, methods or safety
suggestions contained herein.
3. RETHINK CYBERSECURITY
• Checklist compliance and security doesn't work
• Attacks are cross-departmental
• You cannot protect what you do not know (DATA MAP: where is personal data?)
• Without active ownership and management, cyber security is a joke
• If it is not part of the culture, the company is exposed to true cyber risk
The CIS/SANS first 5 controls will give you an 85% reduction in risk
4. “LIVING OFF THE LAND”
• “Living off the land”: attackers use the tools already present on the system
• Windows 10 PowerShell, WMI, the Windows Scripting Host
• Microsoft Office “macros”
6. TOP CYBER INCIDENT PAIN POINTS
1. No business impact considered when determining courses of action
2. Lack of cross-organizational considerations and buy-in
3. Limited data classification
4. Ill-defined processes (aka “pre-thought use cases”)
5. Lack of defined checklists or step-by-step procedures
6. Ill-defined event and incident taxonomy between responders
7. No defined thresholds between events and incidents
8. No pre-determined (aka “pre-canned”) external communications
8. THE ANSWER: LEVERAGE INDUSTRY BEST PRACTICES
1. National Institute of Standards and Technology (NIST): NIST Cybersecurity Framework, NIST Risk Management Framework
http://www.nist.gov/
2. Center for Internet Security (CIS): CIS Critical Security Controls
http://www.cisecurity.org/
3. International Organization for Standardization (ISO): ISO 27000-series publications
http://www.iso.org/
4. CySAFE: combines NIST, CIS, and ISO, taking the best of each without duplication
Edits: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
9. RISK MANAGEMENT SHOULD:
• Support the strategic objectives
• Enhance institutional decision-making
• Create a “risk-aware” culture
• Reduce operational surprises and losses
• Assure greater business continuity
• Improve use of funding by aligning resources with objectives
• Bridge departmental silos
Observe: Identify Risk
Orient: Categorize & Prioritize
Decide: Select & Implement Controls
Act: Manage, Assess, & Monitor
10. MY TYPICAL RECOMMENDATIONS
• Know what is being leaked (IoT, Shadow IT)
• Train Users
• Monitor and Log Everything
• Pick a framework (NIST or CIS or CySAFE)
• Check Firewall ports (Outgoing)
• Assess & Document your world
https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
11. MORE EFFECTIVE IT
• Empower IT through conversations
• Use partner and leader terminology
• Define contribution metrics
• Find Root (Toyota “5-Whys”)
• Technology is a tool, not a purpose
• Create a wall of pride
• Try device-free meetings
• Control interruptions
• Find time to daydream
12. SELF ASSESSMENT: “CYSAFE” OR CIS TOP 20
CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
CIS Top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh?usp=sharing
13. DESIGN: DATA PRIVACY (1/2)
Where should I go to understand critical regulation?
• Industry
• Local
• Multinational
How can I check whether my disclosures work?
• Ask them
• Reading level calculator
Additional resources:
• Impact of GDPR on financial services
• PCI FAQ
• Reading level calculator (also MS Office tools)
14. DATA PRIVACY (2/2)
What does “good” look like when it comes to data privacy? Overall best practices across capture, usage, and retention & erasure:
Be extremely transparent (people don’t typically read disclosures)
• Always obtain consent to access and use personal data
• When obtaining consent, think of the people: easy to read, jargon-free, mobile friendly
• Share how providing data helps them
• High-level and detailed versions
• Tell customers what data will be retained, for how long, and in what form:
- De-identified vs. identified
- Single data pull vs. ongoing feed
- Physical vs. electronic
Keep all data confidential (especially with personal data, maintaining confidentiality preserves trust)
• Check personal disclosures of data acquired from partners
• Highlight confidentiality when acquiring data
• Be particularly careful with identity
• Proactively notify people when sharing their data with 3rd parties
• Only use the data for its intended purpose
• Upon erasure, ensure data is completely deleted everywhere it’s stored, incl. with partners, redundant servers, etc.
Let customers “own” their data (whether or not this is legally the case; to maintain their trust, act as if their data is their own)
• Where possible, allow people to opt out of specific data access
• Where possible, allow people to opt out of specific data uses
• Have a process for people to request updates to, correction of, or erasure of their information
• Have a process to withdraw consent
Take, keep, and use only what’s valuable (all data carries risk)
• Don’t collect all data for all people; identify the pieces which drive the most value, and don’t collect the rest
• Be particularly conscious of regulation when using sensitive classifications
• “Sunshine test”
• Set a retention policy for customer data
• Have a “what data should we keep” process
15. SOFTWARE SECURITY
How do I balance speed and security?
• Focus on the right level of technical security for your stage
• See “Balancing Speed & Security” article
What types of security testing should I be using?
• Automated: before you deploy
• Black box 2x/year
• White box every 2 years
What are the most common & dangerous software security risks?
• See OWASP Top 10 article
Additional resources:
• OWASP Top 10 2017
• Balancing speed & security
• Security 101 for startups
• Security testing types
• Security fatigue
16. INFRASTRUCTURE SECURITY (1/2)
Is outsourcing infrastructure or insourcing more secure?
• Often, outsourcing will be best
• Specific situations may change this
If I do outsource, how can I ensure I’m protected?
• Cloud providers offer:
- Logging and monitoring with controls
- Identity & access management
- Encryption of data at rest
• See the “AWS Security features”
Additional resources:
• Full Infrastructure Checklist
• AWS security features and AWS security best practices whitepaper
• Azure security features
• Cisco Checklist
• OWASP Top 10 2017
17. INFRASTRUCTURE SECURITY (2/2)
What are some general best practices for infrastructure security?
General infrastructure
• Enable cloud infrastructure default security options
• Back up data at minimum daily, but limit redundancies
• Encrypt data while at rest and while in transit
• Periodically purge data
• Have a BC/DR technology solution and plan
• Implement patches for known vulnerabilities as soon as possible
Passwords & network access
• Use a password manager
• Password reset
• Tiered access levels
• Require a secure VPN
Scanning & monitoring
• Implement a simple logging function
• Include relevant data
• Create lockout thresholds
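The three "Scanning & monitoring" bullets above fit together in one small piece of code: a logging function that records the relevant data for each authentication attempt, and a lockout threshold evaluated over those records. This is an added illustration, not code from the deck or its author; the log line format, the sample lines, and the threshold and window values are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the deck). Each line carries the
# "relevant data" for an auth attempt: timestamp, user, source address, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice src=10.0.0.5 result=fail
2024-03-01T09:00:07Z user=alice src=10.0.0.5 result=fail
2024-03-01T09:00:12Z user=alice src=10.0.0.5 result=fail
2024-03-01T09:00:20Z user=alice src=10.0.0.5 result=success
2024-03-01T09:05:00Z user=bob src=198.51.100.7 result=fail
2024-03-01T09:05:03Z user=bob src=198.51.100.7 result=fail
2024-03-01T09:05:06Z user=bob src=198.51.100.7 result=fail
2024-03-01T09:05:09Z user=bob src=198.51.100.7 result=fail
2024-03-01T09:05:12Z user=bob src=198.51.100.7 result=fail
2024-03-01T09:40:00Z user=carol src=203.0.113.9 result=fail
2024-03-01T09:41:00Z user=carol src=203.0.113.9 result=fail
""".splitlines()

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def format_auth_event(ts, user, src, ok):
    """The 'simple logging function': one line per authentication attempt."""
    outcome = "success" if ok else "fail"
    return f"{ts.strftime(TS_FMT)} user={user} src={src} result={outcome}"


def parse_line(line):
    """Turn a log line back into a record with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, TS_FMT)
    return rec


def accounts_to_lock(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: time_of_lock} for accounts that reach `threshold`
    failures inside a sliding `window`. A successful login clears the
    account's failure history; events after a lock are ignored."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    locked = {}
    for rec in map(parse_line, lines):
        user = rec["user"]
        if user in locked:
            continue
        if rec["result"] == "success":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            locked[user] = rec["ts"]
    return locked
```

A very low threshold with a long window lets anyone who knows a username lock that user out, so treat the lock as a trigger for alerting and source-based throttling rather than as the only control.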
18. PARTNER MANAGEMENT
Steps for partner vetting
• Pre-contract checks
- What are their encryption practices?
- Have they ever had a breach?
- Service-level agreements (SLAs)
- SLAs should be included in data policy
- Ability to audit & request specific security standards
How do I ensure my partner management is successful?
• Learn from partners’ suggestions
• Continuous monitoring & review
Additional resources:
• Best practices to reduce third-party cybersecurity risk
• Approaching data security in a fintech-friendly world
• Steps to mitigate 3rd party cybersecurity threats
Vendor Industry Templates: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
19. CULTURE
What does a best in class data protection culture look like?
Key belief: All users need to be aware and careful of security issues. Practices to reinforce:
• Data protection newsletter
- Current events: share one article and how it relates to the company
- Employee highlight: public recognition for those who surface issues
• Accountable executive for data protection is not just responsible for technology
- Have non-technical (i.e. not IT) people train employees on data protection
Key belief: Be open and transparent. Practices to reinforce:
• Celebrate employees who surface issues; publicly recognize people
• Don’t punish people
Key belief: Data protection is an ongoing effort. Practices to reinforce:
• Blame-free post-mortems
• Ongoing “security tracker”
Key belief: More sharing = more risk. Practices to reinforce:
• Limit partner integrations
20. DATA MANAGEMENT
What are some best practice processes for data protection?
Development
• Regular penetration testing (3-6 mo black box, 12 mo white box)
• Security review as part of SDLC
Hiring and firing
• Do reference checks on developers and employees
• Ensure digital “locks changed” when employees leave
Reviews
• Hold regular data protection reviews (quarterly)
Miscellaneous
• Do not use USB drives
• Encourage auto-lock of laptops (after 5 minutes)
• Have automatic locks on your office doors and server rooms
• Train employees to not use risky websites
Additional resources:
• Security 101 for startups
• What is social engineering?
21. TRAINING
What content should I include in my data protection trainings?
All staff, onboarding:
• Our data security culture
- Why it’s important
- Key processes to prevent + report issues
- Key components of the data policy
- Role-based guidelines
- Initial data privacy training
• Types of threats and how we mitigate
• Key data elements
All staff, ongoing:
• To be conducted on a regular basis
• Regular trainings
• After a breach:
- Cover post-mortem of the breach
- Opportunity for Q&A
Engineering, IT, Data science, onboarding (in addition to the above):
• Legislative & regulatory environment
• Communication & feedback loops
• Where security sits in all processes
• Roles & responsibilities
• Monitoring and maintenance
Engineering, IT, Data science, ongoing:
• Updates to data architecture and procedures
• Changing data security procedures
• Legislative or regulatory changes
22. BREACH RESPONSE (1/3)
What is a data security breach?
• What is a Breach?
• Can be done locally or remotely
What should be included in a security breach response plan?
1. Identification & Risk Assessment
• Understand extent of breach
• Assess risks from breach
• Form team to lead resolution
2. Containment & Resolution
• Contain breach, limit damage
3. Evaluation & Improvement
• Review causes of breach
• Understand consequences
• Make process, tech changes
4. Communication
• Plan and execute communication to employees and external parties
Additional resources:
• Data breaches 101
• Detailed guide for cybersecurity event recovery
23. BREACH RESPONSE (2/3)
Key questions in each phase of a breach response:
1. Identification & Risk Assessment
• Understand extent of breach
- What personal data?
- What was the cause?
- How many people?
• Assess risks from breach
- What potential for harm?
- Strategic & financial risks?
- Legal or compliance risks?
- Reputational risks?
- Financial risks?
• Form team to lead resolution
- Who will be accountable?
- Employees needed?
- How often will the team meet?
2. Containment & Resolution
• Contain breach, limit damage
- Are we still vulnerable?
- What system changes?
- What process changes?
- How to recover data?
3. Evaluation & Improvement
• Review causes of breach (“post-mortem”)
- Which vulnerabilities enabled the breach?
- What other similar vulnerabilities?
• Understand consequences
- What consequences occurred?
• Make process, tech changes
- Tech solutions or process changes?
- Need to modify our data policy?
- What training is needed?
- What is the cost to make these changes?
What are best practices in each phase of a breach response?
• Initial identification of severity may be incomplete, so be thorough
• Key people to include on team:
- Executive
- Legal counsel
• Don’t limit evaluation and improvements
• Blame-free post-mortems
• Include people from across the
24. BREACH RESPONSE (3/3)
What communication is appropriate at each stage of breach response?
Internal
1. Identification & Risk Assessment (understand extent of breach; assess risks from breach; form team to lead resolution)
• Notify groups who interact with external parties
• Include critical teams
- C-Suite, Legal, Technology, PR (if applicable)
- Board of directors
2. Containment & Resolution (contain breach, limit damage)
• Communicate to employees
• Provide regular updates to leadership, legal until issues are resolved
3. Evaluation & Improvement (review causes of breach; understand consequences; make process, tech changes)
• Post-mortem is non-punitive
• Include description of what happened
• Communicate about process and technology changes
External
• Be careful about what you communicate
• Speak to all relevant external parties
• Always review with legal
• When you communicate, include all key information
- Data involved
- Action taken
- Specific and clear advice
• Provide ongoing
25. FACTORS THAT CAN CAUSE FAILURE
• Complexity (Overlapping Solutions)
• Focus on Technology (Bright Shiny Object Disease)
• Lack of Understanding of Risk (Fear vs Reality)
• Lack of Cyber Security Staff
26. DELIVERABLES
Firewall & Network setups: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
Cloud security: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
Protocols and ports that need attention: https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
Authentication best practices: https://drive.google.com/file/d/1TyMTbghiOSqtuZv7c-CqmurPiqcPdRpV/view?usp=sharing
Server and network rights: https://drive.google.com/file/d/130tcLpGBPE2Q4aYjknG7xaiIkK0CJPsq/view?usp=sharing
Servers: https://drive.google.com/file/d/197jsrcHo4Izx9pWw7nv3dj01BIf0LiNl/view?usp=shari
27. TOOL TIME:
Root Folder on G-Drive: https://drive.google.com/drive/folders/1t4zZbe3bZb7yuZFNRZnSYOpfru_uzHpP?usp=sharing
Throughput Testing: https://drive.google.com/drive/folders/1qcGAwBGfRB8-BV34kZjY6uPE-_gK9qL6?usp=sharing
Network Mapping resources: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
CIS top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh?usp=sharing
3rd Party Vendor Vetting: