Cybersecurity: Understanding Organizational Exposures
Frank Cervone, PhD
Executive Director for Information Services
College Information Security Officer
University of Illinois at Chicago
School of Public Health
June 11, 2019
The real underside
Image courtesy of Alex Cornell (twitter.com/alexcornell)
Quick intros
Who are you?
Biggest security
concern
Common misunderstandings
I have
antivirus
software, so
I’m good
Security is the IT
department‘s
problem
Security isn’t a problem
with Macs
https://support.apple.com/en-us/HT201222
I don’t have anything
on my computer
anyone would want
Cybersecurity is not an “IT problem”
It’s all about whether an organization can survive
This is what we are trying to avoid
It’s about managing risk
Risk varies depending on context
Any organization can be a target
Image courtesy of CNN Money
Attacks are sophisticated
https://thehackernews.com/2015/06/Stegosploit-malware.html
Greatest organizational exposures
Where we think
the exposures
are
• Cloud-based Systems
• Network
• Applications
• Servers
Where the
greatest threats
lie
• E-Mail
• Mobile devices
• Internet of Things
2018 HIMSS Cybersecurity Survey
What is the greatest threat?
We need to align security with the organizational
culture and define acceptable working norms
Context of the threat
environment
Today’s threats are far more complex than most people realize
Why antivirus software?
• Examines computer for infections
• Monitors computer activity
• Scans new files to ensure they do not have a virus
• Clean, quarantine, delete
How does it work?
• Static analysis
• Match known virus patterns
• Uses a virus scanning engine
• Database of known virus signatures
• Comparison of signature to file may indicate an infection
Why is it not enough?
• If not in real time, malware can get through
• Vendors must constantly search for new viruses
• Vendors cannot keep up with the sheer number of new attacks
• Signature files must be kept up to date
• Most attacks today are not “virus” based
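Added example (not part of the original slides): a minimal signature-based scanner in Python that shows concretely why static signatures are not enough. The only real artifact is the EICAR anti-virus test string, a harmless file every scanner is built to flag; the hash and pattern "signature database", the one-byte modification and the single-byte XOR key are constructed for illustration and stand in for the packing and polymorphism real malware uses.

```python
import hashlib
import re

# Constructed stand-in for a vendor signature database. The "known sample"
# is the EICAR anti-virus test string, a harmless 68-byte file that real
# scanners are designed to detect; everything else here is illustrative.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Signature type 1: exact file hash (what a hash-based blocklist stores).
HASH_SIGNATURES = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File (hash)",
}

# Signature type 2: byte pattern, compiled as a regex over raw bytes (the
# way YARA-style string rules behave). More tolerant than a hash, but only
# if the bytes appear literally in the file.
PATTERN_SIGNATURES = [
    (re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"), "EICAR-Test-File (pattern)"),
]


def scan(data: bytes) -> list[str]:
    """Static, signature-based scan: return the name of every signature that
    matches `data`. No match does not mean clean; it means no known signature."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Trivial single-byte XOR: a stand-in for the packing or encryption that
    changes a sample's bytes on disk while leaving its behaviour unchanged."""
    return bytes(b ^ key for b in data)


def demo() -> dict[str, list[str]]:
    """Run the scanner over three constructed variants of the same sample."""
    return {
        # 1. Exact known sample: both the hash and the pattern signature fire.
        "original": scan(EICAR),
        # 2. One appended byte: the hash signature is defeated, the pattern still fires.
        "one_byte_appended": scan(EICAR + b"\n"),
        # 3. XOR-encoded: neither fires, although the payload is unchanged and
        #    would be decoded at run time. This is the gap the slide describes.
        "xor_encoded": scan(xor_obfuscate(EICAR, 0x5A)),
    }


if __name__ == "__main__":
    for variant, hits in demo().items():
        print(f"{variant:<20} {hits or 'no signature matched'}")
```

The third case is the point of the slide: every signature in the database is still "up to date", and the scanner still says nothing, because the bytes it would need to see never appear on disk. That is why behavioural monitoring and controls that do not depend on knowing the sample (least privilege, application whitelisting, offline backups) matter alongside antivirus.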
RAT (Remote Access Trojan)
Hoax system software
Fake browser updates
Fake virus cleaning software
Ransomware
Ransomware
Legal deception
Things are bad, but we’re here to help
Crypto-malware
IoT
IoT raises many issues
• Many devices have no ability to be updated at all, so their security vulnerabilities can never be fixed
• Where updates do exist, there are often long gaps between them
• Applying security updates to devices is difficult
Backdoors
Dumpster diving
Password fails
• 123456
• 123456789
• qwerty
• password
• 111111
• 12345678
• abc123
• 1234567
• password1
• 12345
• Iloveyou
• monkey
• dragon
• blink182
Security practice is constantly evolving
1. Work0923
2. Th1s1s3as1lyGu3223dPassw0rd
3. Zr9@c&cRw!Ac
4. Would you like to know a secret?
5. Brown marble black flecks ick
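Added example (not from the slides): the control that catches the "Password fails" list is a blocklist check at password-set time, the approach NIST SP 800-63B recommends over complexity rules. The Python below uses the slide's own list as a constructed blocklist (a real deployment uses a breached-password corpus of millions of entries); the leet-speak substitution map and the 8-character minimum are assumptions of this example, and it is then run against the five candidate passwords on the next slide.

```python
import re

# The common passwords listed on the slide, as a constructed blocklist.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111", "12345678",
    "abc123", "1234567", "password1", "12345", "iloveyou", "monkey",
    "dragon", "blink182",
}

# Common character substitutions, undone before comparing against the list,
# so that "Passw0rd" and "P@ssword" are still recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Checks, on both the lower-cased and the leet-normalised form:
    exact blocklist match, a blocklisted word with digits appended
    ("monkey2019"), and a blocklisted word of 6+ characters embedded anywhere.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    reason = None
    for candidate in (password.lower(), normalize(password)):
        if candidate in COMMON_PASSWORDS:
            reason = "in common-password blocklist"
            break
        if re.sub(r"\d+$", "", candidate) in COMMON_PASSWORDS:
            reason = "blocklisted word with digits appended"
            break
        if any(len(w) >= 6 and w in candidate for w in COMMON_PASSWORDS):
            reason = "contains a blocklisted word"
            break
    if reason:
        problems.append(reason)
    return problems


if __name__ == "__main__":
    for pw in ["Work0923", "Th1s1s3as1lyGu3223dPassw0rd", "Zr9@c&cRw!Ac",
               "Would you like to know a secret?", "Brown marble black flecks ick"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

Note what the check does and does not catch: the second candidate is rejected because "Passw0rd" normalises to "password", but "Work0923" (a word plus a date) passes, because no blocklist can enumerate every personal pattern. A blocklist is necessary, not sufficient; the long passphrases on the slide pass for the right reason.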
2-Factor authentication
Something you know
Something you have
Something you are
Security concepts have changed
VPN required for access
Zero-trust
Role-based security
Least-privileged access
Approaches to fighting ransomware
• Removal of administrative privilege
• Whitelisting applications
• Offline backups
• Scanned for signatures
• Network penetration tests
NIST Cybersecurity
Framework
Basis for sound security practice
Voluntary
Risk management
NIST Cybersecurity Framework
Standards
Guidelines
Best practices
NIST Cybersecurity Framework
Identify
Asset Management (ID.AM)
• The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
Business Environment (ID.BE)
• The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Governance (ID.GV)
• The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Risk Assessment (ID.RA)
• The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Risk Management Strategy (ID.RM)
• The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Develop the organizational understanding to manage cybersecurity risk to systems,
assets, data, and capabilities
Protect
Access Control
(PR.AC)
• Access to assets and associated facilities is limited to
authorized users, processes, or devices, and to authorized
activities and transactions.
Awareness and
Training (PR.AT)
• Personnel are provided cybersecurity education and are
trained to perform their information security-related duties
and responsibilities consistent with related policies,
procedures, and agreements.
Data Security
(PR.DS)
• Information and records (data) are managed consistent with
the organization’s risk strategy to protect the confidentiality,
integrity, and availability of information.
Information
Protection Processes
and Procedures
(PR.IP)
• Security policies, processes, and procedures are maintained
and used to manage protection of information systems and
assets.
Maintenance
(PR.MA)
• Maintenance and repairs of industrial control and
information system components is performed consistent with
policies and procedures.
Protective
Technology (PR.PT)
• Technical security solutions are managed to ensure the
security and resilience of systems and assets, consistent with
related policies, procedures, and agreements.
Develop and implement the appropriate safeguards to ensure delivery of critical
infrastructure services
Detect
Anomalies and
Events (DE.AE)
• Anomalous activity is detected in a timely manner
and the potential impact of events is understood.
Security
Continuous
Monitoring
(DE.CM)
• The information system and assets are monitored
at discrete intervals to identify cybersecurity
events and verify the effectiveness of protective
measures.
Detection
Processes
(DE.DP)
• Detection processes and procedures are
maintained and tested to ensure timely and
adequate awareness of anomalous events.
Develop and implement the appropriate activities to identify the occurrence of a
cybersecurity event
Respond
Response
Planning (RS.RP)
• Response processes and procedures are executed and
maintained, to ensure timely response to detected
cybersecurity events.
Communications
(RS.CO)
• Response activities are coordinated with internal and
external stakeholders, as appropriate, to include
external support from law enforcement agencies.
Analysis (RS.AN)
• Analysis is conducted to ensure adequate response
and support recovery activities.
Mitigation (RS.MI)
• Activities are performed to prevent expansion of an
event, mitigate its effects, and eradicate the incident.
Improvements
(RS.IM)
• Organizational response activities are improved by
incorporating lessons learned from current and
previous detection/response activities.
Develop and implement the appropriate activities to take action regarding a
detected cybersecurity event
Recover
Recovery
Planning (RC.RP)
• Recovery processes and procedures are executed
and maintained to ensure timely restoration of
systems or assets affected by cybersecurity events.
Improvements
(RC.IM)
• Recovery planning and processes are improved by
incorporating lessons learned into future activities.
Communications
(RC.CO)
• Restoration activities are coordinated with internal
and external parties, such as coordinating centers,
Internet Service Providers, owners of attacking
systems, victims, other CSIRTs, and vendors.
Develop and implement the appropriate activities to maintain plans for resilience
and to restore any capabilities or services that were impaired due to a
cybersecurity event
Levels of adoption
Tier 1 – Partial
• Not formalized
• Ad hoc
• Often reactive
• Limited awareness of cybersecurity risk management
Tier 2 – Risk-Informed
• Organization-wide awareness of risk
• Policies may exist
• Handles risks as they arise
Tier 3 – Repeatable
• A formal organizational risk management process is followed, backed by a defined security policy
Tier 4 – Adaptive
• Cybersecurity policy adapts based on lessons learned and analytics
• Constant learning from the security events that occur
• Information is shared with a larger network
Matrix of capability (which Framework categories an organization at each tier typically has in place)

Tier  Identify   Protect   Detect   Respond   Recover
1     –          PR.IP     DE.CM    RS.CO     RC.IM
                 PR.PT     DE.DP    RS.MI     RC.CO
                                    RS.IM
2     ID.RA      PR.MA     DE.AE    RS.AN     RC.RP
      ID.RM                         RS.RP
3     ID.BE      PR.AT     –        –         –
      ID.GV      PR.DS
4     ID.AM      PR.AC     –        –         –
Developing a cybersecurity
program
Flow of security maturity
Cybersecurity
Risk Assessment
Disaster Recovery
Business
Continuity
Management
Risk Assessment
Identify vulnerabilities and areas of concern
Basis for developing policy
Risk management is multi-tiered
Organization
• Strategic risk management
Mission/Business
• Tactical approach to risk
Information Systems
• Focus on integrity and recovery
Threat assessment
Malicious internal
• Disgruntled employees
Malicious external
• Hacker groups –
hactivists/cybercriminals
Nonmalicious
external
• Errors of suppliers and
vendors
Nonmalicious
internal
• Human errors of
commission and omission
Likelihood
• Definite: more than 80% likely to occur
• Likely: 60-80% chance of occurrence
• Occasional: near 50/50 probability of occurring
• Seldom: low probability of occurrence (10-40%), cannot be ruled out completely
• Unlikely: rare and exceptional risks, less than 10% chance
Impact
• Insignificant: near negligible amount of damage
• Trivial: the extent of damage is not too significant, unlikely to make much of a difference to overall operations
• Moderate: not a great threat, but likely moderately disruptive
• Critical: significant consequences, significant loss, or disruption
• Catastrophic: could completely shut down operations or cause long-term disruption
Risk analysis matrix (score = likelihood × impact)

                                          Impact
Likelihood         Insignificant  Trivial  Moderate  Critical  Catastrophic
                        (1)         (2)      (3)       (4)         (5)
Unlikely     (1)         1           2        3         4           5
Seldom       (2)         2           4        6         8          10
Occasional   (3)         3           6        9        12          15
Likely       (4)         4           8       12        16          20
Definite     (5)         5          10       15        20          25
Risk control matrix
Columns: NAME | OBJECTIVE | REF/ID | RISK | RISK IMPACT | RISK LIKELIHOOD | TOTAL RISK SCORE
Example risks to score:
1. Someone receives a phishing e-mail and clicks on the link
2. Someone downloads unauthorized software
3. A server administrator does not use unique passwords for each server
4. An employee data file is accidentally uploaded to a web server
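Added example (not from the slides): the risk analysis matrix and the risk control matrix above as a small working risk register in Python. The likelihood and impact scales and the score (likelihood × impact, 1 to 25) are the slide's; the probability-to-band mapping follows the percentage ranges on the Likelihood slide, with the unstated gap between 40% and 60% assigned to "Occasional". The likelihood and impact ratings given to the four example risks are constructed for illustration, not the presenter's assessment.

```python
from dataclasses import dataclass

# The slide's two five-point scales.
LIKELIHOOD = {"Unlikely": 1, "Seldom": 2, "Occasional": 3, "Likely": 4, "Definite": 5}
IMPACT = {"Insignificant": 1, "Trivial": 2, "Moderate": 3, "Critical": 4, "Catastrophic": 5}


def likelihood_from_probability(p: float) -> str:
    """Map an estimated probability of occurrence onto the slide's bands.
    Assumption: 40-60%, which the slide leaves unstated, counts as Occasional."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p > 0.80:
        return "Definite"
    if p >= 0.60:
        return "Likely"
    if p > 0.40:
        return "Occasional"
    if p >= 0.10:
        return "Seldom"
    return "Unlikely"


def risk_matrix() -> list[list[int]]:
    """The 5x5 risk analysis matrix: rows are likelihood 1..5, columns impact 1..5."""
    return [[lik * imp for imp in range(1, 6)] for lik in range(1, 6)]


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT

    @property
    def score(self) -> int:
        """TOTAL RISK SCORE column of the risk control matrix."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rank(register: list[Risk]) -> list[Risk]:
    """Highest score first: the order in which controls should be funded."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def render_register(register: list[Risk]) -> str:
    """Plain-text risk control matrix, one row per risk, ranked."""
    header = f"{'REF/ID':<7}{'RISK':<68}{'IMPACT':<14}{'LIKELIHOOD':<12}{'SCORE':>5}"
    rows = [f"{r.ref:<7}{r.description:<68}{r.impact:<14}{r.likelihood:<12}{r.score:>5}"
            for r in rank(register)]
    return "\n".join([header, *rows])


# The slide's four example risks with constructed ratings (illustrative only).
REGISTER = [
    Risk("R1", "Someone receives a phishing e-mail and clicks on the link", "Definite", "Critical"),
    Risk("R2", "Someone downloads unauthorized software", "Likely", "Moderate"),
    Risk("R3", "A server administrator does not use unique passwords for each server", "Occasional", "Catastrophic"),
    Risk("R4", "An employee data file is accidentally uploaded to a web server", "Seldom", "Catastrophic"),
]

if __name__ == "__main__":
    print(render_register(REGISTER))
```

With these ratings the phishing click scores 20 and shared administrator passwords 15, so both land in the top-right of the matrix even though one is near-certain and the other only occasional; the product form is what keeps a rare but catastrophic item from being crowded out by frequent nuisances.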
How is risk addressed?
• Senior management involvement?
• IT understanding?
• Knowing the baseline
• Documenting the network
• Aligned technology
• Why is Xbox allowed on staff PCs?
• What is the organizational culture?
• High risk taking
Organizational culture is key
Comprehensive Incident
Response and Continuity
Planning
How do we fix things when stuff goes wrong?
Disruption scenarios
Damage to or breakdown of
systems or equipment
Physical damage to a
building
Interruption of the
supply chain
Restricted access to a
site or building
Utility outage
Response and continuity steps
Prepare
Identify
Contain
Eradicate
Recover
Review
Prepare
Incident handling team should include security officers, system analysts and human
resources personnel
System backup plan should be in place
Personnel involved should be trained at an appropriate level.
• Basic business continuity principles
Contact information should be defined, available as hard copy
• Personnel that might assist in handling an incident
• Key partners who may need to be notified
• Business owners to make key business decisions
• Outside support analysts with security expertise
Supplies to assist the team in the event of an incident (jump bag)
• An empty notebook
• Boot media to analyze hard drives and recover passwords
• Petty cash (food, cabs, batteries as needed)
Identify
Issue identification can originate from many sources
• Staff
• End users
• External partners
Declare an adverse risk exists
• Assemble the team and implement the plan
• Save all key system files or records
• Start detailed documentation as soon as possible
Decide what the goals are in handling a particular incident
• Immediate business recovery
• Forensic examination
Contain
Basic procedures can contain many incidents
Specific procedures will depend on the nature of the incident
Basic steps to consider include
• Obtain and analyze as much system information as possible including key files and
possibly a backup of the compromised machine for later forensic analysis
• Powering off a machine might lose data and evidence.
• Disconnecting the network cable/disable wireless to facilitate containment and forensic
activity
If one machine has been exploited, others are likely vulnerable
• Download security patches from vendors
• Update antivirus signatures
• Close firewall ports
• Disable compromised accounts
• Change passwords as appropriate
Eradicate
Will frequently depend on the nature of the incident
Boot media should be used to access data on compromised machines
• Rootkits might affect basic system level utilities
If operating system has been compromised, it needs to be rebuilt
Test any backups prior to restore and monitor for a new incident
Document everything
Recover
Goal is to return safely to production
Specific actions depend on the nature of the incident
Retest the system
Consider timing of the return to production
Discuss customer notification and their concerns
Discuss media handling issues
Continue to monitor for security incidents
Worst case scenario
• Full data loss
• Don’t just focus on
recovery for the most
obvious "disasters"
Review
• To better handle future security incidents
• A final report describing the incident and how it
was handled
• Suggestions for handling future incidents
Testing the plan
Table-top exercise
Occurs in a conference room with
the team poring over the plan
Looking for gaps and ensuring that
all business units are represented
therein
Structured walk-through
Each team member walks through
his or her components of the plan
with a specific disaster in mind
Identify weaknesses
Can incorporate drills and disaster
role-playing into the structured
walk-through.
Weaknesses are identified,
corrected, and plan is updated
Disaster simulation testing
Create an environment that
simulates an actual disaster
All equipment, supplies and
personnel (including partners and
vendors) who would be needed
To determine if you can carry out
critical business functions during
the event
Table top exercise
• Set a scenario for discussion
• Developed in advance
• Not super technical
• Discuss vulnerabilities and possible scenarios
• Has representation from all areas
• Limit to about an hour
Effective Metrics
Typical KPIs
• Computer patching policy compliance
• Mean time to patch critical/urgent issues
• User security awareness training engagement
• Virus infection activity (real time notification)
• Disaster recovery test results
• Number of security policies
and standards that have been
fully implemented and adopted
• Network probing attempts
Example security compliance
report
Employee Awareness
Campaign
i.e., Security Training
Actually kind of controversial
Security training is
ineffective and a
waste of time and
money
Security training is
our best offense
against a major
incident that could
easily be avoided
Required by law
• Security awareness training requirements for all
workforce members. New workforce member must be
trained within a reasonable time period. Must include
periodic security updates.
HIPAA
• Train staff to recognize and respond to schemes to
commit fraud or identity theft, such as guarding against
pretext calling; Provide staff members with instruction
about computer security; train staff to properly dispose of
customer information.
Gramm-Leach-Bliley
Act (GLBA)
• Requires training focused on reasonably foreseeable risks
to the security, confidentiality, and/or integrity of
personal information. Must be ongoing and for
permanent employees, temporary, and contract
employees.
Massachusetts’s Data
Security Law
• Requires federal agencies to establish a security
awareness training program. Must include contractors
and “other uses of information systems” that support the
agency.
Federal Information
Security Management
Act (FISMA)
Required by standards
• Developed by the credit card industry’s PCI Security Standards Council. PCI DSS requirement 12.6 requires that organizations implement a formal security awareness training program to make all personnel aware of the importance of cardholder data security. Personnel must be trained upon hire and at least annually.
Payment Card Industry
Data Security Standard
(PCI-DSS)
• Provides guidance on information security management in
organizations. Contains requirement that all employees receive data
security awareness training.
ISO/IEC 27002
• Federal agencies look to NIST 800-53 to guide their rulemaking and
enforcement. Security awareness training and security awareness
techniques based on the specific organizational requirements and the
information systems to which personnel have authorized access.
NIST Special
Publication 800-53
Basic topics security training
should cover
Phishing
Social
engineering
Malware
Passwords
Use of portable
devices
Physical access
Data destruction Encryption Data breach
Make it fun
Catch people’s attention
Phish training
Resources for training
HHS - http://irtsectraining.nih.gov/publicUser.aspx
SANS CyberAces -
http://www.cyberaces.org/courses/
FEMA -
https://www.firstrespondertraining.gov/ntecatalog
Resources for cybersecurity and
business continuity
• Small Business Information Security: The
Fundamentals
• https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
• Baldrige Cybersecurity Excellence Builder (BCEB),
Version 1.1
• https://www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative
• Two very useful worksheets
• BCEB Categories 1-7 Questions and Notes Only
• BCEB Self-Analysis Worksheet
• Professional Practices for Business Continuity
Professionals
• https://drii.org/resources/professionalpractices/EN
Web resource centers
CERT
http://www.cert.org/
Information on security vulnerabilities
Incident Response Consortium
https://www.incidentresponse.com/
Resource for creating security policies and
planning for incident response
IAPP
https://www.iapp.org
International Association of Privacy
Professionals

Hub Design Inspirations for B-Hive Zone
Stephen Abram
 
Passive Interactive Programming and Surveys 2.pptx
Passive Interactive Programming and Surveys 2.pptxPassive Interactive Programming and Surveys 2.pptx
Passive Interactive Programming and Surveys 2.pptx
Stephen Abram
 
Hub Design Inspiration Graphics for inspiration
Hub Design Inspiration Graphics for inspirationHub Design Inspiration Graphics for inspiration
Hub Design Inspiration Graphics for inspiration
Stephen Abram
 
Hub Design Inspiration Graphics for Community Hubs
Hub Design Inspiration Graphics for Community HubsHub Design Inspiration Graphics for Community Hubs
Hub Design Inspiration Graphics for Community Hubs
Stephen Abram
 
Passive Interactive Programming and Surveys 2.pptx
Passive Interactive Programming and Surveys 2.pptxPassive Interactive Programming and Surveys 2.pptx
Passive Interactive Programming and Surveys 2.pptx
Stephen Abram
 
Hub Design Inspiration Graphics for Brockville Hub
Hub Design Inspiration Graphics for Brockville HubHub Design Inspiration Graphics for Brockville Hub
Hub Design Inspiration Graphics for Brockville Hub
Stephen Abram
 
Hub Design Inspiration Graphics second draft
Hub Design Inspiration Graphics second draftHub Design Inspiration Graphics second draft
Hub Design Inspiration Graphics second draft
Stephen Abram
 
Brockville-Active-Transportation-Full-Plan.pdf
Brockville-Active-Transportation-Full-Plan.pdfBrockville-Active-Transportation-Full-Plan.pdf
Brockville-Active-Transportation-Full-Plan.pdf
Stephen Abram
 
Draft Employment Lands 140530 L&G Front Cover.pdf
Draft Employment Lands 140530 L&G Front Cover.pdfDraft Employment Lands 140530 L&G Front Cover.pdf
Draft Employment Lands 140530 L&G Front Cover.pdf
Stephen Abram
 
BrockvilleHubDesignInspirationGraphics.pptx
BrockvilleHubDesignInspirationGraphics.pptxBrockvilleHubDesignInspirationGraphics.pptx
BrockvilleHubDesignInspirationGraphics.pptx
Stephen Abram
 
Caregiver Presentation and Product Inspirations Sep 2023 PDF.pdf
Caregiver Presentation and Product Inspirations Sep 2023 PDF.pdfCaregiver Presentation and Product Inspirations Sep 2023 PDF.pdf
Caregiver Presentation and Product Inspirations Sep 2023 PDF.pdf
Stephen Abram
 
Caregiver Presentation and Product Inspirations Sep 2023 PPT.pptx
Caregiver Presentation and Product Inspirations Sep 2023 PPT.pptxCaregiver Presentation and Product Inspirations Sep 2023 PPT.pptx
Caregiver Presentation and Product Inspirations Sep 2023 PPT.pptx
Stephen Abram
 
CEEED May 24 2023.pdf
CEEED May 24 2023.pdfCEEED May 24 2023.pdf
CEEED May 24 2023.pdf
Stephen Abram
 
CEEED May 24 2023.pptx
CEEED May 24 2023.pptxCEEED May 24 2023.pptx
CEEED May 24 2023.pptx
Stephen Abram
 
CEED Mindfulness in a time of Turbulence.pdf
CEED Mindfulness in a time of Turbulence.pdfCEED Mindfulness in a time of Turbulence.pdf
CEED Mindfulness in a time of Turbulence.pdf
Stephen Abram
 
CEEED Webinar June 22.pdf
CEEED Webinar June 22.pdfCEEED Webinar June 22.pdf
CEEED Webinar June 22.pdf
Stephen Abram
 
CIL Stats Workshop April1 2022 Abram Silk.pdf
CIL Stats Workshop April1 2022 Abram Silk.pdfCIL Stats Workshop April1 2022 Abram Silk.pdf
CIL Stats Workshop April1 2022 Abram Silk.pdf
Stephen Abram
 

More from Stephen Abram (20)

Hub Design Inspiration Graphics May 24 2024.pdf
Hub Design Inspiration Graphics May 24 2024.pdfHub Design Inspiration Graphics May 24 2024.pdf
Hub Design Inspiration Graphics May 24 2024.pdf
 
Honeycomb for The Hive Design Inspirations
Honeycomb for The Hive Design InspirationsHoneycomb for The Hive Design Inspirations
Honeycomb for The Hive Design Inspirations
 
CrossWalksInspirations for Brockville***
CrossWalksInspirations for Brockville***CrossWalksInspirations for Brockville***
CrossWalksInspirations for Brockville***
 
Hub Design Inspirations for B-Hive Zone
Hub Design Inspirations for B-Hive  ZoneHub Design Inspirations for B-Hive  Zone
Hub Design Inspirations for B-Hive Zone
 
Passive Interactive Programming and Surveys 2.pptx
Passive Interactive Programming and Surveys 2.pptxPassive Interactive Programming and Surveys 2.pptx
Passive Interactive Programming and Surveys 2.pptx
 
Hub Design Inspiration Graphics for inspiration
Hub Design Inspiration Graphics for inspirationHub Design Inspiration Graphics for inspiration
Hub Design Inspiration Graphics for inspiration
 
Hub Design Inspiration Graphics for Community Hubs
Hub Design Inspiration Graphics for Community HubsHub Design Inspiration Graphics for Community Hubs
Hub Design Inspiration Graphics for Community Hubs
 
Passive Interactive Programming and Surveys 2.pptx
Passive Interactive Programming and Surveys 2.pptxPassive Interactive Programming and Surveys 2.pptx
Passive Interactive Programming and Surveys 2.pptx
 
Hub Design Inspiration Graphics for Brockville Hub
Hub Design Inspiration Graphics for Brockville HubHub Design Inspiration Graphics for Brockville Hub
Hub Design Inspiration Graphics for Brockville Hub
 
Hub Design Inspiration Graphics second draft
Hub Design Inspiration Graphics second draftHub Design Inspiration Graphics second draft
Hub Design Inspiration Graphics second draft
 
Brockville-Active-Transportation-Full-Plan.pdf
Brockville-Active-Transportation-Full-Plan.pdfBrockville-Active-Transportation-Full-Plan.pdf
Brockville-Active-Transportation-Full-Plan.pdf
 
Draft Employment Lands 140530 L&G Front Cover.pdf
Draft Employment Lands 140530 L&G Front Cover.pdfDraft Employment Lands 140530 L&G Front Cover.pdf
Draft Employment Lands 140530 L&G Front Cover.pdf
 
BrockvilleHubDesignInspirationGraphics.pptx
BrockvilleHubDesignInspirationGraphics.pptxBrockvilleHubDesignInspirationGraphics.pptx
BrockvilleHubDesignInspirationGraphics.pptx
 
Caregiver Presentation and Product Inspirations Sep 2023 PDF.pdf
Caregiver Presentation and Product Inspirations Sep 2023 PDF.pdfCaregiver Presentation and Product Inspirations Sep 2023 PDF.pdf
Caregiver Presentation and Product Inspirations Sep 2023 PDF.pdf
 
Caregiver Presentation and Product Inspirations Sep 2023 PPT.pptx
Caregiver Presentation and Product Inspirations Sep 2023 PPT.pptxCaregiver Presentation and Product Inspirations Sep 2023 PPT.pptx
Caregiver Presentation and Product Inspirations Sep 2023 PPT.pptx
 
CEEED May 24 2023.pdf
CEEED May 24 2023.pdfCEEED May 24 2023.pdf
CEEED May 24 2023.pdf
 
CEEED May 24 2023.pptx
CEEED May 24 2023.pptxCEEED May 24 2023.pptx
CEEED May 24 2023.pptx
 
CEED Mindfulness in a time of Turbulence.pdf
CEED Mindfulness in a time of Turbulence.pdfCEED Mindfulness in a time of Turbulence.pdf
CEED Mindfulness in a time of Turbulence.pdf
 
CEEED Webinar June 22.pdf
CEEED Webinar June 22.pdfCEEED Webinar June 22.pdf
CEEED Webinar June 22.pdf
 
CIL Stats Workshop April1 2022 Abram Silk.pdf
CIL Stats Workshop April1 2022 Abram Silk.pdfCIL Stats Workshop April1 2022 Abram Silk.pdf
CIL Stats Workshop April1 2022 Abram Silk.pdf
 

Recently uploaded

A proposed request for information on LIHTC
A proposed request for information on LIHTCA proposed request for information on LIHTC
A proposed request for information on LIHTC
Roger Valdez
 
Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200
GrantManagementInsti
 
State crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public financesState crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public finances
ResolutionFoundation
 
NHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdfNHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdf
AjayVejendla3
 
2024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 382024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 38
JSchaus & Associates
 
2024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 372024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 37
JSchaus & Associates
 
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
johnmarimigallon
 
kupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptxkupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptx
viderakai
 
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
850fcj96
 
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Congressional Budget Office
 
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdfPNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
ClaudioTebaldi2
 
Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023
ARCResearch
 
Get Government Grants and Assistance Program
Get Government Grants and Assistance ProgramGet Government Grants and Assistance Program
Get Government Grants and Assistance Program
Get Government Grants
 
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
OECDregions
 
ZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdfZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdf
Saeed Al Dhaheri
 
Donate to charity during this holiday season
Donate to charity during this holiday seasonDonate to charity during this holiday season
Donate to charity during this holiday season
SERUDS INDIA
 
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
Congressional Budget Office
 
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
850fcj96
 
Transit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group MeetingTransit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group Meeting
Cuyahoga County Planning Commission
 
2024: The FAR - Federal Acquisition Regulations, Part 39
2024: The FAR - Federal Acquisition Regulations, Part 392024: The FAR - Federal Acquisition Regulations, Part 39
2024: The FAR - Federal Acquisition Regulations, Part 39
JSchaus & Associates
 

Recently uploaded (20)

A proposed request for information on LIHTC
A proposed request for information on LIHTCA proposed request for information on LIHTC
A proposed request for information on LIHTC
 
Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200
 
State crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public financesState crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public finances
 
NHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdfNHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdf
 
2024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 382024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 38
 
2024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 372024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 37
 
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
 
kupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptxkupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptx
 
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
 
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
 
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdfPNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
 
Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023
 
Get Government Grants and Assistance Program
Get Government Grants and Assistance ProgramGet Government Grants and Assistance Program
Get Government Grants and Assistance Program
 
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
Preliminary findings _OECD field visits to ten regions in the TSI EU mining r...
 
ZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdfZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdf
 
Donate to charity during this holiday season
Donate to charity during this holiday seasonDonate to charity during this holiday season
Donate to charity during this holiday season
 
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
 
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
 
Transit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group MeetingTransit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group Meeting
 
2024: The FAR - Federal Acquisition Regulations, Part 39
2024: The FAR - Federal Acquisition Regulations, Part 392024: The FAR - Federal Acquisition Regulations, Part 39
2024: The FAR - Federal Acquisition Regulations, Part 39
 

Cervone uof t - nist framework (1)

  • 1. Cybersecurity: Understanding Organizational Exposures Frank Cervone, PhD Executive Director for Information Services College Information Security Officer University of Illinois at Chicago School of Public Health June 11, 2019
  • 2. The real underside Image courtesy of Alex Cornell (twitter.com/alexcornell)
  • 3. Quick intros Who are you? Biggest security concern
  • 4. Common misunderstandings I have antivirus software, so I’m good Security is the IT department’s problem Security isn’t a problem with Macs https://support.apple.com/en-us/HT201222 I don’t have anything on my computer anyone would want
  • 5. Cybersecurity is not an “IT problem” It’s all about whether an organization can survive
  • 6. This is what we are trying to avoid
  • 9. Any organization can be a target Image courtesy of CNN Money
  • 11. Greatest organizational exposures Where we think the exposures are • Cloud-based Systems • Network • Applications • Servers Where the greatest threats lie • E-Mail • Mobile devices • Internet of Things 2018 HIMSS Cybersecurity Survey
  • 12. What is the greatest threat? We need to align security with the organizational culture and define acceptable working norms
  • 13. Context of the threat environment Today’s threats are far more complex than most people realize
  • 15. Why antivirus software? • Examines computer for infections • Monitors computer activity • Scans new files to ensure they do not have a virus • Clean, quarantine, delete
  • 16. How does it work? • Static analysis • Match known virus patterns • Uses a virus scanning engine • Database of known virus signatures • Comparison of signature to file may indicate an infection
  • 17. Why is it not enough? • If not in real time, malware can get through • Vendors must constantly search for new viruses • Vendors cannot keep up with the sheer number of new attacks • Signature files must be kept up to date • Most attacks today are not “virus” based
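The "How does it work?" and "Why is it not enough?" slides describe static, signature-based scanning: a database of known signatures is compared against each file. The following is an added example (not code from the presentation or from any antivirus product) of that comparison in its two common forms, a whole-file hash and a byte pattern. The "malware" sample, the signature database and the file set are all constructed stand-ins so the script runs offline.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed stand-in for a malicious file: just a label string chosen so the
# example runs offline. Nothing here is real malware.
KNOWN_BAD_SAMPLE = b"CONSTRUCTED-SAMPLE-MALWARE-PAYLOAD-v1"


@dataclass(frozen=True)
class SignatureDb:
    """The slide's 'database of known virus signatures', in two forms."""
    sha256_hashes: FrozenSet[str]      # whole-file hashes: exact match only
    byte_patterns: Tuple[bytes, ...]   # byte sequences that must appear in the file


def build_db() -> SignatureDb:
    """Build the signature database from the constructed sample (a vendor ships this)."""
    return SignatureDb(
        sha256_hashes=frozenset({hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}),
        byte_patterns=(b"CONSTRUCTED-SAMPLE-MALWARE",),
    )


def scan(data: bytes, db: SignatureDb) -> Optional[str]:
    """Static analysis of one file's bytes.

    Returns "hash" or "pattern" naming the signature type that matched, or None
    when nothing in the database matches (which is not the same as 'clean').
    """
    if hashlib.sha256(data).hexdigest() in db.sha256_hashes:
        return "hash"
    for pattern in db.byte_patterns:
        if pattern in data:
            return "pattern"
    return None


def scan_files(files: dict, db: SignatureDb) -> dict:
    """Scan a mapping of filename -> bytes and return filename -> verdict."""
    return {name: scan(data, db) for name, data in files.items()}


if __name__ == "__main__":
    db = build_db()
    # Constructed test set: the known sample, a copy with one trailing byte added,
    # a new variant whose bytes differ throughout, and a benign file.
    files = {
        "known.bin": KNOWN_BAD_SAMPLE,
        "known-plus-one-byte.bin": KNOWN_BAD_SAMPLE + b"\x00",
        "new-variant.bin": KNOWN_BAD_SAMPLE.lower(),
        "readme.txt": b"quarterly report, nothing to see",
    }
    for name, verdict in scan_files(files, db).items():
        print(f"{name:28} -> {verdict}")
```

The verdicts illustrate the slide's caveats: the whole-file hash only matches the exact sample, the byte pattern survives a one-byte change, and the variant not yet in the database is reported as "no match" rather than clean. That is why signature files must be kept current and why a scan that is not running in real time, or that only looks at file contents, leaves a gap that behaviour-based monitoring has to cover.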
  • 25. Things are bad, but we’re here to help
  • 27. IoT
  • 28. IoT raises many issues • Many devices have no ability to be updated • Therefore, it is impossible to address security vulnerabilities • Often long gaps between security updates • Difficulty of applying security updates
  • 31. Password fails • 123456 • 123456789 • qwerty • password • 111111 • 12345678 • abc123 • 1234567 • password1 • 12345 • Iloveyou • monkey • dragon • blink182
  • 32. Security practice is constantly evolving 1. Work0923 2. Th1s1s3as1lyGu3223dPassw0rd 3. Zr9@c&cRw!Ac 4. Would you like to know a secret? 5. Brown marble black flecks ick
  • 40. Approaches to fighting ransomware • Removal of administrative privilege • Whitelisting applications • Offline backups • Scanned for signatures • Network penetration tests
  • 41. NIST Cybersecurity Framework Basis for sound security practice
  • 42. Voluntary Risk management NIST Cybersecurity Framework Standards Guidelines Best practices
  • 44. Identify Asset Management (ID.AM) •The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy. Business Environment (ID.BE) •The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. Governance (ID.GV) •The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. Risk Assessment (ID.RA) •The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Risk Management Strategy (ID.RM) •The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
  • 45. Protect Access Control (PR.AC) • Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. Awareness and Training (PR.AT) • Personnel are provided cybersecurity education and are trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. Data Security (PR.DS) • Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Information Protection Processes and Procedures (PR.IP) • Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets. Maintenance (PR.MA) • Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures. Protective Technology (PR.PT) • Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
  • 46. Detect Anomalies and Events (DE.AE) • Anomalous activity is detected in a timely manner and the potential impact of events is understood. Security Continuous Monitoring (DE.CM) • The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. Detection Processes (DE.DP) • Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
  • 47. Respond Response Planning (RS.RP) • Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. Communications (RS.CO) • Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Analysis (RS.AN) • Analysis is conducted to ensure adequate response and support recovery activities. Mitigation (RS.MI) • Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. Improvements (RS.IM) • Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
  • 48. Recover Recovery Planning (RC.RP) • Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events. Improvements (RC.IM) • Recovery planning and processes are improved by incorporating lessons learned into future activities. Communications (RC.CO) • Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
  • 49. Levels of adoption Tier 1 - Partial • Not formalized • Ad hoc • Often reactive • Limited awareness of cybersecurity risk management Tier 2 – Risk-Informed • Organization-wide awareness of risk • Policies may exist • Handles risks as they happen Tier 3 – Repeatable • A formal organizational risk management process is followed by a defined security policy Tier 4 – Adaptable • Cybersecurity policy adapts based on lessons learned and analytics • Constant learning from the security events that occur • Information is shared with a larger network
  • 50. Matrix of capability (NIST CSF categories typically in place at each adoption tier)
    Tier 1: Identify: (none); Protect: PR.IP, PR.PT; Detect: DE.CM, DE.DP; Respond: RS.CO, RS.MI, RS.IM; Recover: RC.IM, RC.CO
    Tier 2: Identify: ID.RA, ID.RM; Protect: PR.MA; Detect: DE.AE; Respond: RS.AN, RS.RP; Recover: RC.RP
    Tier 3: Identify: ID.BE, ID.GV; Protect: PR.AT, PR.DS
    Tier 4: Identify: ID.AM; Protect: PR.AC
  • 52. Flow of security maturity Cybersecurity Risk Assessment Disaster Recovery Business Continuity Management
  • 53. Risk Assessment Identify vulnerabilities and areas of concern Basis for developing policy
  • 54. Risk management is multi-tiered Organization • Strategic risk management Mission/Business • Tactical approach to risk Information Systems • Focus on integrity and recovery
  • 55. Threat assessment Malicious internal • Disgruntled employees Malicious external • Hacker groups – hacktivists/cybercriminals Nonmalicious external • Errors of suppliers and vendors Nonmalicious internal • Human errors of commission and omission
  • 56. Likelihood • Definite: more than 80% likely to occur • Likely: 60-80% chance of occurrence • Occasional: near 50/50 probability of occurring • Seldom: low probability of occurrence (10-40%), cannot be ruled out completely • Unlikely: rare and exceptional risks, less than 10% chance
  • 57. Impact • Insignificant: near negligible amount of damage • Trivial: the extent of damage is not too significant, unlikely to make much of a difference to overall operations • Moderate: not a great threat, but likely moderately disruptive • Critical: significant consequences, significant loss, or disruption • Catastrophic: could completely shut down operations or cause long-term disruption
  • 58. Risk analysis matrix (cell = likelihood rating × impact rating)
    Likelihood \ Impact   Insignificant (1)  Trivial (2)  Moderate (3)  Critical (4)  Catastrophic (5)
    Unlikely (1)                  1              2             3             4               5
    Seldom (2)                    2              4             6             8              10
    Occasional (3)                3              6             9            12              15
    Likely (4)                    4              8            12            16              20
    Definite (5)                  5             10            15            20              25
  • 59. Risk control matrix (columns: Name, Objective, Ref/ID, Risk, Risk impact, Risk likelihood, Total risk score; the score cells are blank on the slide)
    1. Someone receives a phishing e-mail and clicks on the link
    2. Someone downloads unauthorized software
    3. A server administrator does not use unique passwords for each server
    4. An employee data file is accidentally uploaded to a web server
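The likelihood scale, impact scale, 5×5 risk analysis matrix and the blank risk control matrix on the preceding slides fit together as one scoring exercise. The following added example (not the presenter's material) carries that exercise through: it rebuilds the matrix from the two scales, scores a register containing the four risks listed on the risk control matrix slide, and ranks them. The likelihood and impact ratings assigned to those four risks, and the Low/Medium/High score bands, are assumptions made for the example; the slides give the matrix but not those values.

```python
from typing import Dict, List, Tuple

# Likelihood and impact scales as given on the slides (1 = lowest, 5 = highest).
LIKELIHOOD: Dict[str, int] = {
    "Unlikely": 1, "Seldom": 2, "Occasional": 3, "Likely": 4, "Definite": 5,
}
IMPACT: Dict[str, int] = {
    "Insignificant": 1, "Trivial": 2, "Moderate": 3, "Critical": 4, "Catastrophic": 5,
}


def risk_score(likelihood: str, impact: str) -> int:
    """One cell of the 5x5 risk analysis matrix: likelihood rating times impact rating."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_matrix() -> List[List[int]]:
    """The full matrix; rows are likelihood (Unlikely..Definite), columns are impact."""
    return [[lik * imp for imp in range(1, 6)] for lik in range(1, 6)]


# Score bands are an assumption for this example: the slides give the matrix but not
# the thresholds an organisation uses to decide which risks need treatment first.
def risk_band(score: int) -> str:
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Constructed risk register built from the four risks named on the risk control
# matrix slide. The likelihood/impact ratings are illustrative assumptions.
Risk = Tuple[str, str, str, str]  # (ref, description, likelihood, impact)
REGISTER: List[Risk] = [
    ("R1", "Someone receives a phishing e-mail and clicks on the link", "Likely", "Critical"),
    ("R2", "Someone downloads unauthorized software", "Occasional", "Moderate"),
    ("R3", "A server administrator does not use unique passwords for each server", "Seldom", "Critical"),
    ("R4", "An employee data file is accidentally uploaded to a web server", "Seldom", "Catastrophic"),
]


def score_register(register: List[Risk] = REGISTER) -> List[dict]:
    """Fill in the 'total risk score' column and sort highest risk first."""
    rows = []
    for ref, description, likelihood, impact in register:
        score = risk_score(likelihood, impact)
        rows.append({
            "ref": ref, "risk": description, "likelihood": likelihood,
            "impact": impact, "score": score, "band": risk_band(score),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in risk_matrix():
        print(" ".join(f"{cell:3d}" for cell in row))
    for r in score_register():
        print(f"{r['ref']} {r['score']:2d} {r['band']:6} {r['risk']}")
```

Ranking by the product rather than by impact alone is the point of the matrix: with the assumed ratings the phishing click (likely, critical) outranks the accidental data upload (seldom, catastrophic), which tells the organisation where policy and training effort should go first. Swap in the organisation's own ratings and bands to turn this into its actual control matrix.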
  • 60. How is risk addressed? • Senior management involvement? • IT understanding? • Knowing the baseline • Documenting the network • Aligned technology • Why is Xbox allowed on staff PCs? • What is the organizational culture? • High risk taking
  • 62. Comprehensive Incident Response and Continuity Planning How do we fix things when stuff goes wrong?
  • 63. Disruption scenarios Damage to or breakdown of systems or equipment Physical damage to a building Interruption of the supply chain Restricted access to a site or building Utility outage
  • 64. Response and continuity steps Prepare Identify Contain Eradicate Recover Review
  • 65. Prepare Incident handling team should include security officers, system analysts and human resources personnel System backup plan should be in place Personnel involved should be trained at an appropriate level. • Basic business continuity principles Contact information should be defined, available as hard copy • Personnel that might assist in handling an incident • Key partners who may need to be notified • Business owners to make key business decisions • Outside support analysts with security expertise Supplies to assist the team in the event of an incident (jump bag) • An empty notebook • Boot media to analyze hard drives and recover passwords • Petty cash (food, cabs, batteries as needed)
  • 66. Identify Issue identification can originate from many sources • Staff • End users • External partners Declare an adverse risk exists • Assemble the team and implement the plan • Save all key system files or records • Start detailed documentation as soon as possible Decide what the goals are in handling a particular incident • Immediate business recovery • Forensic examination
  • 67. Contain Basic procedures can contain many incidents Specific procedures will depend on the nature of the incident Basic steps to consider include • Obtain and analyze as much system information as possible, including key files and possibly a backup of the compromised machine for later forensic analysis • Powering off a machine might lose data and evidence • Disconnect the network cable/disable wireless to facilitate containment and forensic activity If one machine has been exploited, others are likely vulnerable • Download security patches from vendors • Update antivirus signatures • Close firewall ports • Disable compromised accounts • Change passwords as appropriate
  • 68. Eradicate Will frequently depend on the nature of the incident Boot media should be used to access data on compromised machines • Rootkits might affect basic system level utilities If operating system has been compromised, it needs to be rebuilt Test any backups prior to restore and monitor for a new incident Document everything
  • 69. Recover Goal is to return safely to production Specific actions depend on the nature of the incident Retest the system Consider timing of the return to production Discuss customer notification and their concerns Discuss media handling issues Continue to monitor for security incidents
  • 70. Worst case scenario • Full data loss • Don’t just focus on recovery for the most obvious "disasters"
  • 71. Review • To better handle future security incidents • A final report describing the incident and how it was handled • Suggestions for handling future incidents
  • 72. Testing the plan Table-top exercise Occurs in a conference room with the team poring over the plan Looking for gaps and ensuring that all business units are represented therein Structured walk-through Each team member walks through his or her components of the plan with a specific disaster in mind Identify weaknesses Can incorporate drills and disaster role-playing into the structured walk-through. Weaknesses are identified, corrected, and plan is updated Disaster simulation testing Create an environment that simulates an actual disaster All equipment, supplies and personnel (including partners and vendors) who would be needed To determine if you can carry out critical business functions during the event
  • 73. Table-top exercise
    • Set a scenario for discussion
    • Developed in advance
    • Not super technical
    • Discuss vulnerabilities and possible scenarios
    • Has representation from all areas
    • Limit to about an hour
  • 75. Typical KPIs
    • Computer patching policy compliance
    • Mean time to patch critical/urgent issues
    • User security awareness training engagement
    • Virus infection activity (real-time notification)
    • Disaster recovery test results
    • Number of security policies and standards that have been fully implemented and adopted
    • Network probing attempts
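The first two KPIs on that list are easy to state and easy to compute misleadingly: a mean time to patch that only counts completed fixes will look healthy while a host sits unpatched for months. The following added example (written for these notes, not from the original slides) computes both KPIs from a constructed set of patch records and reports outstanding overdue fixes alongside the mean so they cannot disappear into it. The record layout, the 14-day SLA for critical/urgent fixes, and the host and advisory names are assumptions for the example.

```python
"""Compute patching KPIs from a constructed set of patch records.

Added example; not from the original slides. The record layout, the 14-day
SLA for critical/urgent fixes and all sample hosts/advisories are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Iterable, List, Optional, Tuple

CRITICAL_SLA_DAYS = 14                     # assumed policy: critical/urgent fixes within 14 days
TRACKED_SEVERITIES = ("critical", "urgent")  # the severities the KPIs below cover


@dataclass(frozen=True)
class PatchRecord:
    host: str
    advisory: str             # constructed identifier, not a real advisory number
    severity: str             # e.g. "critical", "urgent", "high", "medium"
    released: date            # date the vendor published the fix
    applied: Optional[date]   # None while the fix is still outstanding


def mean_time_to_patch(records: Iterable[PatchRecord]) -> Optional[float]:
    """Mean days from vendor release to application over applied critical/urgent fixes.

    Outstanding fixes have no completion time and are excluded here; they are
    reported by overdue_fixes() so the mean cannot hide them.
    """
    durations = [
        (r.applied - r.released).days
        for r in records
        if r.severity in TRACKED_SEVERITIES and r.applied is not None
    ]
    return mean(durations) if durations else None


def is_within_sla(rec: PatchRecord, today: date) -> bool:
    """True if applied within the SLA, or still outstanding but inside the SLA window."""
    end = rec.applied if rec.applied is not None else today
    return (end - rec.released).days <= CRITICAL_SLA_DAYS


def compliance_rate(records: Iterable[PatchRecord], today: date) -> float:
    """Fraction of hosts whose every critical/urgent fix is within SLA as of today.

    A host with no tracked fixes is not counted; an empty population scores 1.0.
    """
    by_host = {}
    for r in records:
        if r.severity in TRACKED_SEVERITIES:
            by_host.setdefault(r.host, []).append(r)
    if not by_host:
        return 1.0
    compliant = sum(all(is_within_sla(r, today) for r in recs) for recs in by_host.values())
    return compliant / len(by_host)


def overdue_fixes(records: Iterable[PatchRecord], today: date) -> List[Tuple[str, str, int]]:
    """Outstanding critical/urgent fixes past the SLA as (host, advisory, days overdue)."""
    out = []
    for r in records:
        if r.severity in TRACKED_SEVERITIES and r.applied is None:
            age = (today - r.released).days
            if age > CRITICAL_SLA_DAYS:
                out.append((r.host, r.advisory, age - CRITICAL_SLA_DAYS))
    return sorted(out)


def kpi_report(records: Iterable[PatchRecord], today: date) -> dict:
    """Bundle the KPIs so a dashboard shows the mean and the overdue list together."""
    records = list(records)
    return {
        "mean_time_to_patch_days": mean_time_to_patch(records),
        "patching_compliance_rate": compliance_rate(records, today),
        "overdue_fixes": overdue_fixes(records, today),
    }


# Constructed sample data; hosts and advisory ids are placeholders, not real systems.
REPORT_DATE = date(2019, 6, 11)
SAMPLE_RECORDS = [
    PatchRecord("web01", "ADV-2019-001", "critical", date(2019, 5, 1), date(2019, 5, 6)),
    PatchRecord("web01", "ADV-2019-002", "high",     date(2019, 5, 10), date(2019, 5, 30)),
    PatchRecord("db01",  "ADV-2019-001", "critical", date(2019, 5, 1), date(2019, 5, 20)),
    PatchRecord("app01", "ADV-2019-001", "critical", date(2019, 5, 1), None),
    PatchRecord("app02", "ADV-2019-001", "critical", date(2019, 5, 1), date(2019, 5, 3)),
    PatchRecord("app02", "ADV-2019-003", "urgent",   date(2019, 6, 5), None),
]

if __name__ == "__main__":
    for name, value in kpi_report(SAMPLE_RECORDS, REPORT_DATE).items():
        print(f"{name}: {value}")
```

With the sample data the mean time to patch is about 8.7 days, which on its own reads as acceptable; the report also shows a compliance rate of 50 percent and one host 27 days past the SLA, which is the part of the picture a mean alone would suppress.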
  • 78. Actually kind of controversial
    • Security training is ineffective and a waste of time and money
    • Security training is our best offense against a major incident that could easily be avoided
  • 79. Required by law
    • HIPAA: Security awareness training requirements for all workforce members. New workforce members must be trained within a reasonable time period. Must include periodic security updates.
    • Gramm-Leach-Bliley Act (GLBA): Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; provide staff members with instruction about computer security; train staff to properly dispose of customer information.
    • Massachusetts Data Security Law: Requires training focused on reasonably foreseeable risks to the security, confidentiality, and/or integrity of personal information. Must be ongoing and cover permanent, temporary, and contract employees.
    • Federal Information Security Management Act (FISMA): Requires federal agencies to establish a security awareness training program. Must include contractors and “other users of information systems” that support the agency.
  • 80. Required by standards
    • Payment Card Industry Data Security Standard (PCI-DSS): Developed by the credit card industry’s PCI council. PCI-DSS 12.6 requires that organizations implement a formal security awareness training program to make all personnel aware of the importance of cardholder data security. Personnel must be trained upon hire and at least annually.
    • ISO/IEC 27002: Provides guidance on information security management in organizations. Contains the requirement that all employees receive data security awareness training.
    • NIST Special Publication 800-53: Federal agencies look to NIST 800-53 to guide their rulemaking and enforcement. Security awareness training and security awareness techniques are based on the specific organizational requirements and the information systems to which personnel have authorized access.
  • 81. Basic topics security training should cover
    • Phishing
    • Social engineering
    • Malware
    • Passwords
    • Use of portable devices
    • Physical access
    • Data destruction
    • Encryption
    • Data breach
  • 85. Resources for training
    • HHS - http://irtsectraining.nih.gov/publicUser.aspx
    • SANS CyberAces - http://www.cyberaces.org/courses/
    • FEMA - https://www.firstrespondertraining.gov/ntecatalog
  • 86. Resources for cybersecurity and business continuity
    • Small Business Information Security: The Fundamentals
      • https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
    • Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1
      • https://www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative
      • Two very useful worksheets:
        • BCEB Categories 1-7 Questions and Notes Only
        • BCEB Self-Analysis Worksheet
    • Professional Practices for Business Continuity Professionals
      • https://drii.org/resources/professionalpractices/EN
  • 87. Web resource centers
    • CERT - http://www.cert.org/ - Information on security vulnerabilities
    • Incident Response Consortium - https://www.incidentresponse.com/ - Resource for creating security policies and planning for incident response
    • IAPP - https://www.iapp.org - International Association of Privacy Professionals