Ernest Staats, profile picture
Uploaded byErnest Staats
PPTX, PDF618 views

A guide to Sustainable Cyber Security

The document provides legal disclaimers and information about sustainable cybersecurity practices. It discusses starting cybersecurity at the administration level by making it cultural rather than technical, based on needs rather than vendor features, iterative and continuous. It also discusses establishing a data protection steering committee and reducing reliance on people by ensuring responsibilities are understood and policies and processes are documented. The document provides recommendations on cybersecurity frameworks, controls, and best practices.

Embed presentation

Downloaded 21 times
Ernest Staats MSIA, CISSP, CEH… estaats@Networkpaladin.org https://networkpaladin.org https://tinyurl.com/y5jx76cw
LEGAL DISCLAIMER: Nothing in this handout or presentation constitutes legal advice. The information in this presentation was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute legal advice. You should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication including any information, methods or safety suggestions contained herein.
SUSTAINABLE CYBERSECURIT Y Starts at Administration & is: Cultural not technical Based on need not vendor features Iterative & Continuous Built around accountability Repeatable & scalable Balanced – cost/risk vs reward Documented & auditable
DATA PROTECTION STEERING COMMITTEE See TOR & Policy Templates Treasury Legal Compliance HR Marketing IT/InfoSec Departments / Missions affected Who will lead the security and the privacy elements
5 Reduce reliance and burden on people Responsibilities Must be understood Policies Set the Framework to align People, Process and Technology Processes Reflect need of People in relation to policies & Technology SUSTAINABILITY RELIES ON: Process People Technology
LESS IS MORE 50% of organizations use anywhere from 6 to 20 security vendors Gaps in detections are largely due to an "overabundance of alerts” Look for overlaps and eliminate
CART BEFORE … Rather than evaluating the solution provided by vendors, leaders should assess the value of a product in relation to their People, Process & Risk. Build your list of needs / requirements and evaluate all venders based on your needs not their special sauce Prioritize security in the context of Ministry enablement, financial costs, & risk mitigation to justify investments
NO BUSINESS VALUE = NO VALUE • Know what business value you have had in the last 6 months • What have you done that has impacted how a department works • Not Maintenance or security value
A-I-C ORDER MATTERS Availability a guarantee of reliable access to the information by authorized people Integritythe assurance that the information is trustworthy and accurate Confidentialitya set of rules that limits access to information
THE ANSWER A Standard & Drills (verification) National Institute of Standards and Technology (NIST) NIST Cybersecurity Framework, NIST Risk Management Framework http://www.nist.gov/ 1 Center for Internet Security (CIS) CIS Critical Security Controls http://www.cisecurity.org/ 2 International Organization for Standardization (ISO) ISO 27000-series publications http://www.iso.org/ 3 CySAFE Combines NIST, CIS, and ISO taking best of each without duplication Edits: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharin g 4
YOUR FRAMEWORK Support Mission – Business Goals Sufficient detail to support regulation & compliance requirements Be implementable Be measurable Be documentable Be defensible (auditable)
CIS FRIST 6 Prevent up to 90% of attacks Control 1: Inventory and Control of Hardware Assets Control 2: Inventory and Control of Software Assets Control 3: Continuous Vulnerability Management Control 4: Controlled Use of Administrative Privilege Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Control 6: Maintenance, Monitoring and Analysis of Audit Logs
SELF ASSESSMENT: “CYSAFE” OR CIS TOP 20 CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing CIS Top 20 https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
RISK MANAGEMENT SHOULD: • Support the strategic objectives • Enhance institutional decision-making • Create a “risk-aware” culture • Reduce operational surprises and losses • Assure greater business continuity • Improve use of funding by aligning resources with objectives • Bridge departmental silos Observe: Identify Risk Orient: Categorize & Prioritize Decide: Select & Implement Controls Act: Manage, Assess, & Monitor
FACTORS THAT CAN CAUSE FAILURE Complexity (Overlapping Solutions) Focus on Technology (Bright Shiny Object Disease) Lack of Understanding of Risk (Fear vs Reality) Lack of Cyber Security Staff
CONTROLS TO BUILD YOUR FRAMEWORD • HAVE A Plan & Document your plan • Change Management Example https://tinyurl.com/yyq6feyz • Freedcamp • Reading ideas “Phoenix Project” “Extreme Ownership” “Radical Candor”
1. No business impact when determining courses of action 2. Lack cross-organizational considerations 3. Limited data classification 4. Ill-defined processes (aka “pre-thought use cases”) 5. No defined step-by-step procedures 6. No defined event terminology between responders 7. No defined thresholds between events and incidents 8. No pre-determined (aka “pre-canned”) external communications 9. Lack of exercise of “memory muscle” Top Cyber Incident Pain Points
MY TYPICAL RECOMMENDATIONS • Password / Privilege Access Management • Train Users • Monitor and Log Everything • Pick a frame work (NIST OR CIS OR CySAFE) • Check Firewall ports (Outgoing) • Assess & Document your world • Server Vulnerability (SVA) & a Network Vulnerability (NVA) Assessments • Know what is being leaked IoT & Shadow IT https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=shar ing
BETTER LEADERSHIP • Empower through conversations • Use mission terminology • Define metrics • Find Root (Toyota “5-Whys”) • Tech is a TOOL, not a purpose • Try device-free meetings • Control interruptions • Find time to daydream
DELIVERABLES Firewall & Network setups https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp= sharing Cloud security https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp =sharing Protocols and ports that need attention https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=shar ing Authentication best practices: https://drive.google.com/file/d/1TyMTbghiOSqtuZv7c- CqmurPiqcPdRpV/view?usp=sharing Server and network rights https://drive.google.com/file/d/130tcLpGBPE2Q4aYjknG7xaiIkK0CJPsq/view?usp=sha ring Servers: https://drive.google.com/file/d/197jsrcHo4Izx9pWw7nv3dj01BIf0LiNl/view?usp=shari
TOOL TIME: Root Folder on G-Drive https://drive.google.com/drive/folders/1t4zZbe3bZb7yuZFNRZnSYOpfru_uzHpP?usp=s haring Throughput Testing https://drive.google.com/drive/folders/1qcGAwBGfRB8-BV34kZjY6uPE- _gK9qL6?usp=sharing Network Mapping resources https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=s haring CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp= sharing CIS top 20 https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh 3rd Party Vendor Vetting: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=
PERSONAL DATA PRIVACY HANDOUT https://tinyurl.com/DataPri TIPS FOR HOTEL SECURITY https://www.youtube.com/watch?v=M0GGHIjShh4
HOW TO LEAD LIKE A SUPERHERO • Listen harder than normal people do • Help people even if you do not know them • Focus on the needs of others more than your own • Be creative in your efforts to save the day • Be relentlessly optimistic • Maintain a great sense of urgency • Never tolerate bullies • Don't stop trying until the job is done • Know your Achilles Heel
“LIVING OFF THE LAND” • “Living off the land” • Windows 10 PowerShell, WMI, the Windows Scripting Host • Microsoft Office “macros”
2018 TRENDS TO KNOW
WHAT DO WE SEE • Stolen (reused bad passwords) • Phishing - Email is King • ADMINS to many
IOT HACKED DEVICES AND PORTS
FIGURE 1-1 COMPONENTS OF INFORMATION SECURITY
30 FOUNDATION FOR PROTECTING INFORMATION Security/Privacy Program Data Discovery / Classification Monitor & Breach Response
DESIGN: DATA PRIVACY (1/2) •Impact of GDPR on financial services – •PCI FAQ – •Reading level calculator – (also MS Office tools) Additional resourcesWhere should I go to understand critical regulation? How can I check whether my disclosures work? •Industry •Local •Multinational •Ask them •Reading level calculator
DATA PRIVACY (2/2) What does “good” look like when it comes to data privacy? Overall Best Practices Capture Usage Retention & Erasure Be extremely transparent People don’t typically read disclosures • Always obtain consent to access and use personal data • When obtaining consent, think of the people – easy to read, jargon- free, mobile friendly • Share how providing data helps the them – • High-level and detailed versions • Tell customers what data will be retained, for how long, and in what form: - De-identified vs. identified - Single data pull vs. ongoing feed - Physical vs. electronic Keep all data confidential Especially with personal data, maintaining confidentiality preserves trust • Check personal disclosures of data acquired from partners • Highlight confidentiality when acquiring data • Be particularly careful with identity • Proactively notify people when sharing their data with 3rd parties • Only use the data for its intended purpose – • Upon erasure, ensure data is completely deleted across where it’s stored – incl. with partners, redundant servers, etc. Let customers “own” their data Whether or not this is legally the case. To maintain their trust, act as if their data is their own • Where possible, allow people to opt-out of specific data access • Where possible, allow people to opt-out of specific data uses – • Have a process for people to request updates to, correction of, or erasure of their information • Have a process to withdraw consent Take, keep, and use only what’s valuable All data carries risk, • Don’t collect all data for all people – identify the pieces which drive the most value, and don’t collect the rest • Be particularly conscious of regulation when using sensitive classifications • “Sunshine test” • Set a retention policy for customer data – • Have a “what data should we keep” process
SOFTWARE SECURITY •OWASP Top 10 2017 •Balancing speed & security •Security 101 for startups •Security testing types •Security fatigue Additional resources How do I balance speed and security? What types of security testing should I be using? •Focus on the right level of technical security for your stage •See “Balancing Speed & Security” article  •Automated – before you deploy •Black box 2x/year •White box every 2years What are the most common & dangerous software security risks? •See OWASP Top 10 article 
INFRASTRUCTURE SECURITY (1/2) •Full Infrastructure Checklist •AWS security features and AWS security best practices whitepaper •Azure security features •Cisco Checklist •OWASP Top 10 2017 Additional resourcesIs outsourcing infrastructure or insourcing more secure? If I do outsource how can I ensure I’m protected? •Often, outsourcing will be best •Specific situations may change this •Cloud providers offer: -Logging and monitoring with controls -Identity & access management -Encryption of data at-rest •See the “AWS Security features” 
INFRASTRUCTURE SECURITY (2/2) What are some general best-practices for infrastructure security? General infrastructu re • Enable cloud infrastructure default security options • Back up data at minimum daily, but limit redundancies • Encrypt data while at rest and while in-transit • Periodically purge data • Have a BC/DR technology solution and plan • Implement patches for known vulnerabilities as soon as possible Passwords & network access • Use a password manager • Password reset • Tiered access levels • Require a secure VPN Scanning & monitoring • Implement a simple logging function • Include relevant data • Create lockout thresholds
PARTNER MANAGEMENT •Best practices to reduce third-party cybersecurity risk •Approaching data security in a fintech- friendly world •Steps to mitigate 3rd party cybersecurity threats Additional resourcesSteps for partner vetting •Pre-contract checks -What are their encryption practice? -Have they ever had a breach? -Service-level agreements (SLAs) -SLAs should be included in data policy -Ability to audit & request specific security standardsHow do I ensure my partner management is successful? •Learn from partners’ suggestions •Continuous monitoring & review Vendor Industry Templates: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp =sharing
CULTURE What does a best in class data protection culture look like? Key beliefs Practices to reinforce All of users need to be aware and careful of Security issues • Data protection newsletter – - Current events – share one article and how it relates to the company - Employee highlight – public recognition for those who surface issues • Accountable executive for data protection is not just responsible for technology - Have non-technical (i.e. not IT) people train employees on data protection Be open and transparent • Celebrate employees who surface issues – publicly recognize people • Don’t punish people Data protection is an ongoing effort • Blame-free post-mortems • Ongoing “security tracker” More sharing = more risk • Limit partner integrations
DATA MANAGEMENT •Security 101 for startups •What is social engineering? Additional resources What are some best practice processes for data protection? Development • Regular penetration testing (3-6mo black box, 12mo white box) • Security review as part of SDLC Hiring and firing • Do reference checks on developers and employees • Ensure digital “locks changed” when employees leave Reviews • Hold regular data protection reviews (quarterly) Miscellaneous • Do not use USB drives • Encourage auto-lock of laptops (after 5 minutes) • Have automatic locks on your office doors and server rooms • Train employees to not use risky websites
TRAINING What content should I include in my data protection trainings? All staff • Our data security culture - Why it’s important - Key processes to prevent + report issues - Key components of the data policy - Role-based guidelines - Initial data privacy training • Types of threats and how we mitigate • Key data elements • To be conducted on a regular basis • Regular trainings: • After a breach: - Cover post-mortem of breach's - Opportunity for Q&A Engineerin g, IT, Data science In addition to the above: • Legislative & regulatory environment • Communication & feedback loops • Where security sits in all processes • Roles & responsibilities • Monitoring and maintenance • Updates to data architecture and procedures • Changing Data security procedures • Legislative or regulatory changes ONBOARDING ONGOING
Identification & Risk Assessment Containment & Resolution Evaluation & Improvement BREACH RESPONSE (1/3) •Data breaches 101 •Detailed guide for cybersecurity event recovery Additional resourcesWhat is a data security breach? What should be included in a security breach response plan? • Understand extent of breach • Assess risks from breach • Form team to lead resolution • Contain breach, limit damage • Review causes of breach • Understand consequences • Make process, tech changes Communication • Plan and execute communication to employees and external parties 21 4 3 •What is a Breach? •Can be done locally or remotely
Identification & Risk Assessment Containment & Resolution Evaluation & Improvement BREACH RESPONSE (2/3) • Understand extent of breach - What personal data - What was the cause - How many people • Assess risks from breach - What potential for harm - Strategic & financial risks? - Legal or compliance risks? - Reputational risks? - Financial risks? • Form team to lead resolution - Who will be accountable - Employees needed? - How often will the team meet? • Contain breach, limit damage - Are we still vulnerable? - What systems changes? - What process changes - How to recover data? • Review causes of breach – “post- mortem” - Vulnerabilities enabled the breach - What other similar vulnerabilities? • Understand consequences - What consequences occurred • Make process, tech changes - Tech solutions or process changes - Need to modify our data policy - What training is needed? - What is the cost to make these changes • Initial identification of severity may be incomplete, so be thorough • Key people to include on team: - Executive - Legal counsel • Don’t limit evaluation and improvements • Blame-free post-mortems • Include people from across the What are best practices in each phase of a breach response? Best practices 21 3 Keyquesitons
BREACH RESPONSE (3/3) What communication is appropriate at each stage of breach response? External Intern al 4 Identification & Risk Assessment Containment & Resolution Evaluation & Improvement • Understand extent of breach • Assess risks from breach • Form team to lead resolution • Contain breach, limit damage • Review causes of breach • Understand consequences • Make process, tech changes • Notify groups who interact with external parties; • Include critical teams - C-Suite, Legal, Technology, PR (if applicable) - Board of directors • Communicate to employees • Provide regular updates to leadership, legal until issues are resolved • Post-mortem is non- punitive • Include description of what happened • Communicate about process and technology changes • Be careful about what you communicate • Speak to all relevant external parties • Always review with legal • When you communicate, include all key information - Data involved - Action taken - Specific and clear advice • Provide ongoing

More Related Content

PPTX
Bangladesh bank heist case study!
byMohammed Jaseem Tp
 
PDF
Fintech 2021: Overview and Applications
byAbdullah Mohammed Ahmed Ayedh
 
KEY
Introduction to bitcoin
byWolf McNally
 
PPTX
FinTech and the Future of Finance
byRobin Teigland
 
PDF
Student sub network book
byJonathan
 
PPTX
Blockchain and cryptocurrency
byazizded
 
PDF
Cryptocurrency for Dummies
byMiguel Duarte
 
PDF
Chargeback Mangement Solutions for Merchants
byChargeback
 
Bangladesh bank heist case study!
byMohammed Jaseem Tp
 
Fintech 2021: Overview and Applications
byAbdullah Mohammed Ahmed Ayedh
 
Introduction to bitcoin
byWolf McNally
 
FinTech and the Future of Finance
byRobin Teigland
 
Student sub network book
byJonathan
 
Blockchain and cryptocurrency
byazizded
 
Cryptocurrency for Dummies
byMiguel Duarte
 
Chargeback Mangement Solutions for Merchants
byChargeback
 

Similar to A guide to Sustainable Cyber Security

PPTX
Privacies are coming
byErnest Staats
 
PPTX
Privacies are Coming
byErnest Staats
 
PPTX
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
PDF
Scot Secure 2019 Edinburgh (Day 2)
byRay Bugg
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byhomjpxaa9886
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
PPTX
Secure Iowa Oct 2016
byLarry Slobodzian
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byveikkieymann
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
bybaruulisy
 
PPTX
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
byhoang971
 
PPTX
IT Security Essentials
bySkoda Minotti
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byfoxyyhqlcu515
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byosikalopex47
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byeapysvt6956
 
PDF
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
PDF
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
PPTX
Defensible cybersecurity-jan-25th-
byIT Strategy Group
 
PDF
CyberSecurity Update Slides
byJim Kaplan CIA CFE
 
PPTX
Cybersecurity-Real World Approach FINAL 2-24-16
byJames Rutt
 
PPTX
Key Tables, Charts and Flows for SSCP _ CISSP.pptx
byDeepakChougule8
 
Privacies are coming
byErnest Staats
 
Privacies are Coming
byErnest Staats
 
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
Scot Secure 2019 Edinburgh (Day 2)
byRay Bugg
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byhomjpxaa9886
 
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
Secure Iowa Oct 2016
byLarry Slobodzian
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byveikkieymann
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
bybaruulisy
 
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
byhoang971
 
IT Security Essentials
bySkoda Minotti
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byfoxyyhqlcu515
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byosikalopex47
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byeapysvt6956
 
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
Defensible cybersecurity-jan-25th-
byIT Strategy Group
 
CyberSecurity Update Slides
byJim Kaplan CIA CFE
 
Cybersecurity-Real World Approach FINAL 2-24-16
byJames Rutt
 
Key Tables, Charts and Flows for SSCP _ CISSP.pptx
byDeepakChougule8
 

More from Ernest Staats

PPTX
Information security trends and steps for (OSAC) Middle East divsion
byErnest Staats
 
PPTX
Tsc2021 cyber-issues
byErnest Staats
 
DOCX
IT Staff NDA Template Employee Confidentiality Agreement
byErnest Staats
 
DOCX
Cy safe 2.0_workbook
byErnest Staats
 
PPTX
Parenting and the media challenge
byErnest Staats
 
PPTX
How to use technology in ministry & parenting
byErnest Staats
 
PPTX
Idwg bimonthly security exchange cyber only section
byErnest Staats
 
PDF
Data Detox Kit Optimized
byErnest Staats
 
PPTX
GDPR Benefits and a Technical Overview
byErnest Staats
 
PPTX
Compter Forensics Intro for Students
byErnest Staats
 
PPTX
Risk Management Approach to Cyber Security
byErnest Staats
 
DOCX
Why security is the kidney not the tail of the dog v3
byErnest Staats
 
DOCX
FBI & Secret Service- Business Email Compromise Workshop
byErnest Staats
 
DOCX
FBI & Secret Service- Business Email Compromise Workshop
byErnest Staats
 
PPTX
Harbin clinic iot-mobile-no-vid
byErnest Staats
 
PDF
Securely Erase your Device
byErnest Staats
 
PPTX
Border crossing mobile social media life-saving security tips
byErnest Staats
 
PPTX
Social & mobile security
byErnest Staats
 
PPT
Social mobile safety
byErnest Staats
 
PPT
Using social media to boost your ministrys online presence
byErnest Staats
 
Information security trends and steps for (OSAC) Middle East divsion
byErnest Staats
 
Tsc2021 cyber-issues
byErnest Staats
 
IT Staff NDA Template Employee Confidentiality Agreement
byErnest Staats
 
Cy safe 2.0_workbook
byErnest Staats
 
Parenting and the media challenge
byErnest Staats
 
How to use technology in ministry & parenting
byErnest Staats
 
Idwg bimonthly security exchange cyber only section
byErnest Staats
 
Data Detox Kit Optimized
byErnest Staats
 
GDPR Benefits and a Technical Overview
byErnest Staats
 
Compter Forensics Intro for Students
byErnest Staats
 
Risk Management Approach to Cyber Security
byErnest Staats
 
Why security is the kidney not the tail of the dog v3
byErnest Staats
 
FBI & Secret Service- Business Email Compromise Workshop
byErnest Staats
 
FBI & Secret Service- Business Email Compromise Workshop
byErnest Staats
 
Harbin clinic iot-mobile-no-vid
byErnest Staats
 
Securely Erase your Device
byErnest Staats
 
Border crossing mobile social media life-saving security tips
byErnest Staats
 
Social & mobile security
byErnest Staats
 
Social mobile safety
byErnest Staats
 
Using social media to boost your ministrys online presence
byErnest Staats
 

Recently uploaded

PDF
ANIn Ahmedabad 2026 | From Intent to Impact: Strengthening Clarity, Ownership...
byAgileNetwork
 
PPTX
Post Encounter Lesson 9-Conqueror-DMI.pptx
byJessaBejer1
 
PPTX
Agile Facilitation and Team Management for Software teams and more
bymedhateltoukhy
 
PDF
When Execution Gets Cheap, Decision Quality Becomes the Bottleneck.
byArman Kassym
 
PPTX
ISO 9001:2026 Quality Management System Implementation Guide for SMEs
byjurjgerritsen
 
PPTX
The Ripple Effect of a Negative Comment How Toxic Behavior Undermines Teams a...
byridwansassman
 
PDF
Unified Threat Informed Operation Model UTIOM Framework-latest-v1.0
byReZa AdineH
 
ANIn Ahmedabad 2026 | From Intent to Impact: Strengthening Clarity, Ownership...
byAgileNetwork
 
Post Encounter Lesson 9-Conqueror-DMI.pptx
byJessaBejer1
 
Agile Facilitation and Team Management for Software teams and more
bymedhateltoukhy
 
When Execution Gets Cheap, Decision Quality Becomes the Bottleneck.
byArman Kassym
 
ISO 9001:2026 Quality Management System Implementation Guide for SMEs
byjurjgerritsen
 
The Ripple Effect of a Negative Comment How Toxic Behavior Undermines Teams a...
byridwansassman
 
Unified Threat Informed Operation Model UTIOM Framework-latest-v1.0
byReZa AdineH
 

A guide to Sustainable Cyber Security

  • 1.
    Ernest Staats MSIA,CISSP, CEH… estaats@Networkpaladin.org https://networkpaladin.org https://tinyurl.com/y5jx76cw
  • 2.
    LEGAL DISCLAIMER: Nothing inthis handout or presentation constitutes legal advice. The information in this presentation was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute legal advice. You should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication including any information, methods or safety suggestions contained herein.
  • 3.
    SUSTAINABLE CYBERSECURIT Y Starts at Administration& is: Cultural not technical Based on need not vendor features Iterative & Continuous Built around accountability Repeatable & scalable Balanced – cost/risk vs reward Documented & auditable
  • 4.
    DATA PROTECTION STEERING COMMITTEE See TOR& Policy Templates Treasury Legal Compliance HR Marketing IT/InfoSec Departments / Missions affected Who will lead the security and the privacy elements
  • 5.
    5 Reduce reliance and burdenon people Responsibilities Must be understood Policies Set the Framework to align People, Process and Technology Processes Reflect need of People in relation to policies & Technology SUSTAINABILITY RELIES ON: Process People Technology
  • 6.
    LESS IS MORE 50%of organizations use anywhere from 6 to 20 security vendors Gaps in detections are largely due to an "overabundance of alerts” Look for overlaps and eliminate
  • 8.
    CART BEFORE … Ratherthan evaluating the solution provided by vendors, leaders should assess the value of a product in relation to their People, Process & Risk. Build your list of needs / requirements and evaluate all venders based on your needs not their special sauce Prioritize security in the context of Ministry enablement, financial costs, & risk mitigation to justify investments
  • 9.
    NO BUSINESS VALUE= NO VALUE • Know what business value you have had in the last 6 months • What have you done that has impacted how a department works • Not Maintenance or security value
  • 10.
    A-I-C ORDER MATTERS Availabilitya guarantee of reliable access to the information by authorized people Integritythe assurance that the information is trustworthy and accurate Confidentialitya set of rules that limits access to information
  • 11.
    THE ANSWER A Standard &Drills (verification) National Institute of Standards and Technology (NIST) NIST Cybersecurity Framework, NIST Risk Management Framework http://www.nist.gov/ 1 Center for Internet Security (CIS) CIS Critical Security Controls http://www.cisecurity.org/ 2 International Organization for Standardization (ISO) ISO 27000-series publications http://www.iso.org/ 3 CySAFE Combines NIST, CIS, and ISO taking best of each without duplication Edits: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharin g 4
  • 12.
    YOUR FRAMEWORK Support Mission –Business Goals Sufficient detail to support regulation & compliance requirements Be implementable Be measurable Be documentable Be defensible (auditable)
  • 13.
    CIS FRIST 6 Preventup to 90% of attacks Control 1: Inventory and Control of Hardware Assets Control 2: Inventory and Control of Software Assets Control 3: Continuous Vulnerability Management Control 4: Controlled Use of Administrative Privilege Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Control 6: Maintenance, Monitoring and Analysis of Audit Logs
  • 14.
    SELF ASSESSMENT: “CYSAFE”OR CIS TOP 20 CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing CIS Top 20 https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
  • 15.
    RISK MANAGEMENT SHOULD: •Support the strategic objectives • Enhance institutional decision-making • Create a “risk-aware” culture • Reduce operational surprises and losses • Assure greater business continuity • Improve use of funding by aligning resources with objectives • Bridge departmental silos Observe: Identify Risk Orient: Categorize & Prioritize Decide: Select & Implement Controls Act: Manage, Assess, & Monitor
  • 16.
    FACTORS THAT CANCAUSE FAILURE Complexity (Overlapping Solutions) Focus on Technology (Bright Shiny Object Disease) Lack of Understanding of Risk (Fear vs Reality) Lack of Cyber Security Staff
  • 17.
    CONTROLS TO BUILD YOUR FRAMEWORD •HAVE A Plan & Document your plan • Change Management Example https://tinyurl.com/yyq6feyz • Freedcamp • Reading ideas “Phoenix Project” “Extreme Ownership” “Radical Candor”
  • 18.
    1. No businessimpact when determining courses of action 2. Lack cross-organizational considerations 3. Limited data classification 4. Ill-defined processes (aka “pre-thought use cases”) 5. No defined step-by-step procedures 6. No defined event terminology between responders 7. No defined thresholds between events and incidents 8. No pre-determined (aka “pre-canned”) external communications 9. Lack of exercise of “memory muscle” Top Cyber Incident Pain Points
  • 19.
    MY TYPICAL RECOMMENDATIONS •Password / Privilege Access Management • Train Users • Monitor and Log Everything • Pick a frame work (NIST OR CIS OR CySAFE) • Check Firewall ports (Outgoing) • Assess & Document your world • Server Vulnerability (SVA) & a Network Vulnerability (NVA) Assessments • Know what is being leaked IoT & Shadow IT https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=shar ing
  • 20.
    BETTER LEADERSHIP • Empower through conversations •Use mission terminology • Define metrics • Find Root (Toyota “5-Whys”) • Tech is a TOOL, not a purpose • Try device-free meetings • Control interruptions • Find time to daydream
  • 21.
    DELIVERABLES Firewall & Networksetups https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp= sharing Cloud security https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp =sharing Protocols and ports that need attention https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=shar ing Authentication best practices: https://drive.google.com/file/d/1TyMTbghiOSqtuZv7c- CqmurPiqcPdRpV/view?usp=sharing Server and network rights https://drive.google.com/file/d/130tcLpGBPE2Q4aYjknG7xaiIkK0CJPsq/view?usp=sha ring Servers: https://drive.google.com/file/d/197jsrcHo4Izx9pWw7nv3dj01BIf0LiNl/view?usp=shari
  • 22.
    TOOL TIME: Root Folderon G-Drive https://drive.google.com/drive/folders/1t4zZbe3bZb7yuZFNRZnSYOpfru_uzHpP?usp=s haring Throughput Testing https://drive.google.com/drive/folders/1qcGAwBGfRB8-BV34kZjY6uPE- _gK9qL6?usp=sharing Network Mapping resources https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=s haring CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp= sharing CIS top 20 https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh 3rd Party Vendor Vetting: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=
  • 23.
    PERSONAL DATA PRIVACYHANDOUT https://tinyurl.com/DataPri TIPS FOR HOTEL SECURITY https://www.youtube.com/watch?v=M0GGHIjShh4
  • 24.
    HOW TO LEADLIKE A SUPERHERO • Listen harder than normal people do • Help people even if you do not know them • Focus on the needs of others more than your own • Be creative in your efforts to save the day • Be relentlessly optimistic • Maintain a great sense of urgency • Never tolerate bullies • Don't stop trying until the job is done • Know your Achilles Heel
  • 25.
    “LIVING OFF THE LAND” •“Living off the land” • Windows 10 PowerShell, WMI, the Windows Scripting Host • Microsoft Office “macros”
  • 26.
  • 27.
    WHAT DO WESEE • Stolen (reused bad passwords) • Phishing - Email is King • ADMINS to many
  • 28.
  • 29.
    FIGURE 1-1 COMPONENTS OFINFORMATION SECURITY
  • 30.
    30 FOUNDATION FOR PROTECTING INFORMATION Security/PrivacyProgram Data Discovery / Classification Monitor & Breach Response
  • 31.
    DESIGN: DATA PRIVACY(1/2) •Impact of GDPR on financial services – •PCI FAQ – •Reading level calculator – (also MS Office tools) Additional resourcesWhere should I go to understand critical regulation? How can I check whether my disclosures work? •Industry •Local •Multinational •Ask them •Reading level calculator
  • 32.
    DATA PRIVACY (2/2) Whatdoes “good” look like when it comes to data privacy? Overall Best Practices Capture Usage Retention & Erasure Be extremely transparent People don’t typically read disclosures • Always obtain consent to access and use personal data • When obtaining consent, think of the people – easy to read, jargon- free, mobile friendly • Share how providing data helps the them – • High-level and detailed versions • Tell customers what data will be retained, for how long, and in what form: - De-identified vs. identified - Single data pull vs. ongoing feed - Physical vs. electronic Keep all data confidential Especially with personal data, maintaining confidentiality preserves trust • Check personal disclosures of data acquired from partners • Highlight confidentiality when acquiring data • Be particularly careful with identity • Proactively notify people when sharing their data with 3rd parties • Only use the data for its intended purpose – • Upon erasure, ensure data is completely deleted across where it’s stored – incl. with partners, redundant servers, etc. Let customers “own” their data Whether or not this is legally the case. To maintain their trust, act as if their data is their own • Where possible, allow people to opt-out of specific data access • Where possible, allow people to opt-out of specific data uses – • Have a process for people to request updates to, correction of, or erasure of their information • Have a process to withdraw consent Take, keep, and use only what’s valuable All data carries risk, • Don’t collect all data for all people – identify the pieces which drive the most value, and don’t collect the rest • Be particularly conscious of regulation when using sensitive classifications • “Sunshine test” • Set a retention policy for customer data – • Have a “what data should we keep” process
  • 33.
    SOFTWARE SECURITY •OWASP Top10 2017 •Balancing speed & security •Security 101 for startups •Security testing types •Security fatigue Additional resources How do I balance speed and security? What types of security testing should I be using? •Focus on the right level of technical security for your stage •See “Balancing Speed & Security” article  •Automated – before you deploy •Black box 2x/year •White box every 2years What are the most common & dangerous software security risks? •See OWASP Top 10 article 
  • 34.
    INFRASTRUCTURE SECURITY (1/2) •FullInfrastructure Checklist •AWS security features and AWS security best practices whitepaper •Azure security features •Cisco Checklist •OWASP Top 10 2017 Additional resourcesIs outsourcing infrastructure or insourcing more secure? If I do outsource how can I ensure I’m protected? •Often, outsourcing will be best •Specific situations may change this •Cloud providers offer: -Logging and monitoring with controls -Identity & access management -Encryption of data at-rest •See the “AWS Security features” 
  • 35.
    INFRASTRUCTURE SECURITY (2/2) Whatare some general best-practices for infrastructure security? General infrastructu re • Enable cloud infrastructure default security options • Back up data at minimum daily, but limit redundancies • Encrypt data while at rest and while in-transit • Periodically purge data • Have a BC/DR technology solution and plan • Implement patches for known vulnerabilities as soon as possible Passwords & network access • Use a password manager • Password reset • Tiered access levels • Require a secure VPN Scanning & monitoring • Implement a simple logging function • Include relevant data • Create lockout thresholds
  • 36.
    PARTNER MANAGEMENT •Best practicesto reduce third-party cybersecurity risk •Approaching data security in a fintech- friendly world •Steps to mitigate 3rd party cybersecurity threats Additional resourcesSteps for partner vetting •Pre-contract checks -What are their encryption practice? -Have they ever had a breach? -Service-level agreements (SLAs) -SLAs should be included in data policy -Ability to audit & request specific security standardsHow do I ensure my partner management is successful? •Learn from partners’ suggestions •Continuous monitoring & review Vendor Industry Templates: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp =sharing
  • 37.
    CULTURE What does abest in class data protection culture look like? Key beliefs Practices to reinforce All of users need to be aware and careful of Security issues • Data protection newsletter – - Current events – share one article and how it relates to the company - Employee highlight – public recognition for those who surface issues • Accountable executive for data protection is not just responsible for technology - Have non-technical (i.e. not IT) people train employees on data protection Be open and transparent • Celebrate employees who surface issues – publicly recognize people • Don’t punish people Data protection is an ongoing effort • Blame-free post-mortems • Ongoing “security tracker” More sharing = more risk • Limit partner integrations
  • 38.
    DATA MANAGEMENT •Security 101for startups •What is social engineering? Additional resources What are some best practice processes for data protection? Development • Regular penetration testing (3-6mo black box, 12mo white box) • Security review as part of SDLC Hiring and firing • Do reference checks on developers and employees • Ensure digital “locks changed” when employees leave Reviews • Hold regular data protection reviews (quarterly) Miscellaneous • Do not use USB drives • Encourage auto-lock of laptops (after 5 minutes) • Have automatic locks on your office doors and server rooms • Train employees to not use risky websites
  • 39.
    TRAINING What content shouldI include in my data protection trainings? All staff • Our data security culture - Why it’s important - Key processes to prevent + report issues - Key components of the data policy - Role-based guidelines - Initial data privacy training • Types of threats and how we mitigate • Key data elements • To be conducted on a regular basis • Regular trainings: • After a breach: - Cover post-mortem of breach's - Opportunity for Q&A Engineerin g, IT, Data science In addition to the above: • Legislative & regulatory environment • Communication & feedback loops • Where security sits in all processes • Roles & responsibilities • Monitoring and maintenance • Updates to data architecture and procedures • Changing Data security procedures • Legislative or regulatory changes ONBOARDING ONGOING
  • 40.
    Identification & Risk Assessment Containment& Resolution Evaluation & Improvement BREACH RESPONSE (1/3) •Data breaches 101 •Detailed guide for cybersecurity event recovery Additional resourcesWhat is a data security breach? What should be included in a security breach response plan? • Understand extent of breach • Assess risks from breach • Form team to lead resolution • Contain breach, limit damage • Review causes of breach • Understand consequences • Make process, tech changes Communication • Plan and execute communication to employees and external parties 21 4 3 •What is a Breach? •Can be done locally or remotely
  • 41.
    Identification & Risk Assessment Containment& Resolution Evaluation & Improvement BREACH RESPONSE (2/3) • Understand extent of breach - What personal data - What was the cause - How many people • Assess risks from breach - What potential for harm - Strategic & financial risks? - Legal or compliance risks? - Reputational risks? - Financial risks? • Form team to lead resolution - Who will be accountable - Employees needed? - How often will the team meet? • Contain breach, limit damage - Are we still vulnerable? - What systems changes? - What process changes - How to recover data? • Review causes of breach – “post- mortem” - Vulnerabilities enabled the breach - What other similar vulnerabilities? • Understand consequences - What consequences occurred • Make process, tech changes - Tech solutions or process changes - Need to modify our data policy - What training is needed? - What is the cost to make these changes • Initial identification of severity may be incomplete, so be thorough • Key people to include on team: - Executive - Legal counsel • Don’t limit evaluation and improvements • Blame-free post-mortems • Include people from across the What are best practices in each phase of a breach response? Best practices 21 3 Keyquesitons
  • 42.
    BREACH RESPONSE (3/3) Whatcommunication is appropriate at each stage of breach response? External Intern al 4 Identification & Risk Assessment Containment & Resolution Evaluation & Improvement • Understand extent of breach • Assess risks from breach • Form team to lead resolution • Contain breach, limit damage • Review causes of breach • Understand consequences • Make process, tech changes • Notify groups who interact with external parties; • Include critical teams - C-Suite, Legal, Technology, PR (if applicable) - Board of directors • Communicate to employees • Provide regular updates to leadership, legal until issues are resolved • Post-mortem is non- punitive • Include description of what happened • Communicate about process and technology changes • Be careful about what you communicate • Speak to all relevant external parties • Always review with legal • When you communicate, include all key information - Data involved - Action taken - Specific and clear advice • Provide ongoing