Cybersecurity: Challenges,
Initiatives, and Best Practices
John M. Gilligan
June 15, 2010
Topics
• Current Situation
• Top-level Strategy for Cybersecurity
• Focused look at 20 Critical Controls and SCAP
• Legislative Initiatives
• Longer Term Directions
• Closing thoughts
Historical Perspectives
• Internet, software industry, (personal)
computers—rooted in creativity not
engineering
• Security in the Cold War Era
– Security “Gurus”—Keepers of the Kingdom
• The World Wide Web changes the security landscape forever
• Post Cold War: The Age of Information Sharing
Legacy of the past is now our “Achilles Heel”
Cyber Security Threats Today--A New “Ball Game”
• Our way of life depends on a reliable cyberspace
• Intellectual property is being downloaded at an
alarming rate
• Cyberspace is now a warfare domain
• Attacks increasing at an exponential rate
• Fundamental network and system vulnerabilities
cannot be fixed quickly
• Entire industries exist to “Band Aid” over
engineering and operational weaknesses
Cyber Security is a National and Economic Security Crisis!
Situation Assessment
• Assessing cyber threats (and therefore risks) requires
extensive experience and access to highly classified
materials
– It is unreasonable to expect most organizations to assess
threats/risks.
• The technical aspects of Cybersecurity are enormously
complex:
– Cybersecurity will require a significant increase in the level of
discipline in systems/enterprise management
– Guidance must be simple and clearly stated.
• The overall state of cybersecurity is so poor that it cannot
be solved quickly:
– Near term objective should be to establish a foundation upon
which we can build
– Cannot do everything at once; we must prioritize/focus
Heartland Payment Systems
Disclosure of intrusions--Jan 20, 2009
Cybersecurity becoming a focus of CEOs, Boards of Directors and Shareholders
Obama Cyberspace Policy Review—
“60 Day Review”--May 29, 2009
• The Nation is at a crossroads
• Cyberspace risks pose some of the most serious
challenges to economic and national security
• Need to begin national dialogue on
cybersecurity
• Solutions must involve partnership with
private sector and international engagement
• White House must lead the way
Recommended Near-Term Actions
• White House Cybersecurity official and supporting
organization—Howard Schmidt appointed Dec. 2009
• Prepare updated national strategy
• Designate cybersecurity as Presidential priority
• Initiate public awareness campaign and strengthen
international partnerships
• New policies regarding roles/responsibilities
• Prepare cyber incident response plan
• Develop research plan and vision for identity
management
Progress delayed pending Cyber Czar appointment--
Initial progress now underway.
(Recommended)
Top Level Cybersecurity Strategy
[Chart: horizontal axis MISSION/FUNCTION CRITICALITY (Low to High); vertical axis THREAT (Unsophisticated to Sophisticated). Regions labelled: "Implement Comprehensive Baseline of Security"; "Deploy Targeted Advanced Security Controls"; "Accept Risk".]
Comprehensive Baseline of Security = A
Well-Managed Enterprise
Characteristics of a Well Managed Enterprise
1. Every device in an enterprise is known, actively
managed, and configured as securely as
necessary all the time, and the right people
know this is so or not so
2. Increased operational effectiveness and greater
security without increased cost
3. Integrated and automated enterprise
management tools
Cyber Security Requires Comprehensive Application of “Good IT Hygiene”!
Top Level Cyber Security Strategy
[Chart: same axes as before, MISSION/FUNCTION CRITICALITY (Low to High) against THREAT (Unsophisticated to Sophisticated). Regions labelled: "Comprehensive Baseline of Security (A 'well managed' IT infrastructure)"; "Deploy Targeted Advanced Security Controls"; "Accept Risk". Initiatives annotated on the chart: 20 Critical Controls, FDCC+, SCAP, TIC, Training for Sys Admin, 2-Factor Authentication, DNSSEC, S-BGP, Threat/Vul Collaboration, Einstein 3.]
Result: Blocks 85% of attacks and provides foundation to address remaining/new
attacks (Ref: Dick Schaeffer, NSA/IAD)
20 Critical Controls* for Effective Cyber Defense--
An Effective Public-Private Partnership
• Underlying Rationale
– Let “Offense drive Defense”
– Focus on most critical areas
• CAG: Twenty security controls based on
attack patterns
• Government and Private Sector consensus
• Emphasis on auditable controls and
automated implementation/enforcement
• Pilots and standards for tools ongoing
* Also called the “Consensus Audit Guidelines” or “CAG” (http://www.sans.org/cag/)
Example--Critical Control #1
Inventory of Authorized and Unauthorized Devices
• Attacker Exploit: Scan for new, unprotected systems
• Control:
– Quick Win: Automated asset inventory discovery tool
– Visibility/Attribution: Online asset inventory of devices with net
address, machine name, purpose, owner
– Configuration/Hygiene: Develop inventory of information assets
(incl. critical information and map to hardware devices)
• Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
– CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6
• Automated Support: Employ products available for asset inventories,
inventory changes, network scanning against known configurations
• Evaluation: Connect fully patched and hardened test machines to
measure response from tools and staff. Control identifies and isolates
new systems (Min--24 hours; best practice--less than 5 minutes)
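The evaluation step above measures how quickly a new, unknown device is noticed once it appears on the network. As an added example (not from this deck or from any CAG tool), the Python below reconciles a constructed DHCP-style discovery log against an authorized inventory carrying the attributes the control names (net address, machine name, purpose, owner), flags unknown devices and address mismatches, and grades time-to-detect against the 5-minute best-practice and 24-hour minimum thresholds stated on the slide. The log format, MAC addresses, IP addresses and host names are all constructed for illustration.

```python
"""Reconcile network discovery data against an authorized asset inventory.

Added example for Critical Control #1 (Inventory of Authorized and
Unauthorized Devices). Not from the original deck; the log format,
inventory entries and addresses are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    name: str
    purpose: str
    owner: str


# Constructed authorized inventory, keyed by MAC, carrying the attributes the
# control calls for: net address, machine name, purpose, owner.
AUTHORIZED = {
    "00:11:22:aa:00:01": Asset("00:11:22:aa:00:01", "10.0.1.10", "fs-01", "file server", "infra"),
    "00:11:22:aa:00:02": Asset("00:11:22:aa:00:02", "10.0.1.11", "web-01", "intranet web", "apps"),
    "00:11:22:aa:00:03": Asset("00:11:22:aa:00:03", "10.0.1.12", "db-01", "database", "apps"),
}

# Constructed DHCP-style discovery log, one sighting per line:
# "<ISO timestamp> DHCPACK <ip> <mac>". The third line is an unknown device.
DISCOVERY_LOG = """\
2010-06-15T09:00:05 DHCPACK 10.0.1.10 00:11:22:aa:00:01
2010-06-15T09:00:31 DHCPACK 10.0.1.11 00:11:22:aa:00:02
2010-06-15T09:02:11 DHCPACK 10.0.1.57 00:11:22:ff:00:99
2010-06-15T09:05:44 DHCPACK 10.0.1.58 00:11:22:aa:00:03
"""


def parse_sightings(log_text):
    """Parse discovery lines into (mac, ip, seen_at) tuples; skip malformed lines."""
    sightings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "DHCPACK":
            continue
        seen_at = datetime.fromisoformat(parts[0])
        sightings.append((parts[3].lower(), parts[2], seen_at))
    return sightings


def reconcile(authorized, sightings):
    """Compare what the network shows against what the inventory says.

    Returns unknown devices (with earliest sighting), authorized devices seen
    at an address other than the recorded one, and authorized devices not seen.
    """
    unknown = {}
    mismatched = []
    seen = set()
    for mac, ip, seen_at in sightings:
        seen.add(mac)
        asset = authorized.get(mac)
        if asset is None:
            unknown.setdefault(mac, seen_at)  # keep the earliest sighting
        elif asset.ip != ip:
            mismatched.append((asset.name, asset.ip, ip))
    missing = [a.name for mac, a in authorized.items() if mac not in seen]
    return {"unknown": unknown, "mismatched": mismatched, "missing": missing}


def _as_datetime(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def grade_detection(first_seen, flagged_at):
    """Grade time-to-detect against the evaluation thresholds on the slide:
    best practice under 5 minutes, minimum within 24 hours, otherwise fails."""
    latency = _as_datetime(flagged_at) - _as_datetime(first_seen)
    if latency < timedelta(minutes=5):
        return "best practice"
    if latency <= timedelta(hours=24):
        return "minimum"
    return "fails"


if __name__ == "__main__":
    report = reconcile(AUTHORIZED, parse_sightings(DISCOVERY_LOG))
    for mac, first_seen in report["unknown"].items():
        print("UNKNOWN device", mac, "first seen", first_seen.isoformat())
    for name, recorded, actual in report["mismatched"]:
        print("ADDRESS MISMATCH", name, "recorded", recorded, "seen at", actual)
    for name in report["missing"]:
        print("NOT SEEN", name)
```

Running the evaluation the slide describes means connecting a hardened test machine, recording when it first appears in the discovery feed, and passing that time together with the time the control raised an alert to `grade_detection`; anything over 24 hours means the control is not working.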
20 Critical Controls—Implementation
Recommendation
Step 1 Accept CAG consensus threats as risk baseline for
your organization
Step 2 Implement 20 Critical Controls
Step 3 Use organization specific risk assessment to select
and implement additional controls from 800-53
– Focus on unique, mission critical capabilities and data
Step 4 Use automated tools and periodic evaluations to
continuously measure compliance (risk reduction)
Step 5 Partner with senior management and auditors to
motivate compliance improvement
– Use examples and lessons learned from State Dept. and others
Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for
the monitoring, positive control, and reporting of
security posture of every device in a network.
• How is it implemented: Commercial products
implement SCAP protocols to exchange and
enforce configuration, security policy, and
vulnerability information.
• Where is it going: Extensions in development to
address software design weaknesses, attack
patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
Current SCAP Standards
Standard  Purpose
CVE       Identifies vulnerabilities
CVSS      Scores vulnerability severity
OVAL      Criteria to check presence of vulnerabilities, configurations, assets
CCE       Identifies configuration controls
CPE       Identifies packages and platforms
XCCDF     Language to express configuration guidance for both automatic and manual vetting
Management areas covered: software vulnerability management, configuration management, compliance management, asset management.
SCAP enables cross vendor interoperability and aggregation of data produced by separate
tools to an enterprise level—leads to better enterprise management and cyber security!
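The aggregation claim above rests on separate tools naming the same things the same way: CPE for the platform, CVE for the weakness, CVSS for severity. As an added example (not from this deck or from any SCAP product), the Python below joins findings from two constructed scanner outputs on those identifiers, scores each finding with the CVSS v2 base equation from the CVSS v2 specification, and ranks the merged list. The tool formats, host names, CPE names and CVE numbers (`CVE-0000-000x`) are constructed placeholders.

```python
"""Aggregate vulnerability findings from two tools using SCAP identifiers.

Added example; not from the deck or any SCAP tool. The scanner output
formats, asset CPE names and CVE identifiers are constructed placeholders.
"""
import csv
import io
import json

# CVSS v2 base-metric weights (values from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def cvss2_base_score(vector):
    """CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    if impact == 0:
        return 0.0
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176, 1)


# Constructed output of two different scanners. Both emit a CPE for the
# platform, a CVE for the weakness and a CVSS v2 vector, which is what makes
# their findings joinable without vendor-specific mapping tables.
TOOL_A_JSON = json.dumps([
    {"host": "web-01", "cpe": "cpe:/a:examplevendor:exampleapp:1.0",
     "cve": "CVE-0000-0001", "cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"host": "web-01", "cpe": "cpe:/o:examplevendor:exampleos:5",
     "cve": "CVE-0000-0002", "cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
])
TOOL_B_CSV = """\
host,cpe,cve,cvss
web-01,cpe:/a:examplevendor:exampleapp:1.0,CVE-0000-0001,AV:N/AC:L/Au:N/C:P/I:P/A:P
db-01,cpe:/a:examplevendor:exampledb:3.2,CVE-0000-0003,AV:N/AC:L/Au:N/C:C/I:C/A:C
"""


def parse_tool_a(text):
    """Normalise tool A's JSON list into (host, cpe, cve, vector) tuples."""
    return [(r["host"], r["cpe"], r["cve"], r["cvss"]) for r in json.loads(text)]


def parse_tool_b(text):
    """Normalise tool B's CSV into the same (host, cpe, cve, vector) tuples."""
    return [(r["host"], r["cpe"], r["cve"], r["cvss"])
            for r in csv.DictReader(io.StringIO(text))]


def aggregate(reports):
    """Merge findings from several tools on (host, CVE), keeping every source.

    `reports` maps a tool name to its normalised findings. The result is one
    entry per distinct (host, CVE), scored and sorted highest severity first.
    """
    merged = {}
    for tool, findings in reports.items():
        for host, cpe, cve, vector in findings:
            entry = merged.setdefault((host, cve), {
                "host": host, "cpe": cpe, "cve": cve,
                "score": cvss2_base_score(vector), "sources": [],
            })
            entry["sources"].append(tool)
    return sorted(merged.values(), key=lambda e: (-e["score"], e["host"], e["cve"]))


if __name__ == "__main__":
    rows = aggregate({"tool_a": parse_tool_a(TOOL_A_JSON),
                      "tool_b": parse_tool_b(TOOL_B_CSV)})
    for e in rows:
        print(f'{e["score"]:4.1f} {e["host"]:8} {e["cve"]} {e["cpe"]} '
              f'(seen by: {", ".join(e["sources"])})')
```

The duplicate finding reported by both tools collapses to one row with two sources, which is the enterprise-level view the slide is after; without shared identifiers the same weakness would appear twice under two vendor names.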
FISMA 2002 Legislation Was Well Intended;
What is Not Working?
• Original intent was good:
– Ensure effective controls
– Improve oversight of security programs
– Provide for independent evaluation
• Implementation took us off course
– Agencies unable to adequately assess cyber risks
– (Lots of) NIST “guidance” became mandatory
– No auditable basis for independent evaluation
– Grading became overly focused on paperwork
Bottom Line: OMB mandates and paperwork debates have distracted
CIOs/CISOs from achieving real security improvements
New Hope for Federal Cybersecurity
• Progress
– FISMA Reporting Instructions: April 21, 2010
• Continuously monitor
• Use automated tools
• Develop automated risk models
– NIST Guidance (SP 800-53 and SP 800-37)
– New Legislation in House and Senate
• Cautions
– FISMA Reporting Instructions reinforce “compliance
mentality”
– Risk assessment, while logical, is “a foundation of sand”
Security must be based on knowledge of attacks and results focused!
Implications of Policy, Guidelines and
Potential Legislation Changes on Industry
• Implications for National Industrial Security Program Operating
Manual (Feb 2006)
– ‘Certification/Accreditation’ becomes ‘Security Authorization’ with
continuous monitoring (SP 800-37)
– Other updates to reflect new government-wide policies/guidance
• New FISMA reporting process—April 21, 2010
– Contractor information systems that support the operations and
assets of the agency (FISMA Reporting)—including IG audit
• Potential Legislation Impacts
– Expand new FISMA to all systems of government
contractors/subcontractors
– Requirements for reporting, testing, audits
Apply requirements for government organizations to government contractors
Longer-Term Actions:
IT Reliably Enabling Business
• Change the dialogue: Reliable, resilient IT is fundamental to future
National Security and Economic Growth
• New business model for software industry
– First step—self certified, locked-down configurations
– Longer term—software with reliability warranties
• Redesign the Internet to provide reliable attribution, increased security
• Get the “man out of the loop”—use automated tools (e.g., SCAP)
• Foster new IT services models
– Assume insecure environment
– Increased use of virtualization
– Secure “cloud”
• Evolve to a more effective public-private partnership (e.g., DIB)
• Develop professional cyberspace workforce
Need to Fundamentally “Change the Game” to Make Progress
Closing Thoughts
• Government and Industry need to treat cyber
security as an urgent priority
• A well managed enterprise (e.g., using 20
Critical controls and SCAP) is a harder target to
attack and costs less to operate – the ultimate
“no brainer” for a CIO
• Near-term actions important but need to
fundamentally change the game to get ahead
of the growing threat
Cyber Security is Fundamentally a Leadership Issue!
Contact Information
John M. Gilligan
jgilligan@gilligangroupinc.com
703-503-3232
www.gilligangroupinc.com
Top 20 Cyber Attacks and Related Control
(not in priority order)
(Columns: Attack / Control / Summary Comments)
1. Attack: Scan for unprotected systems on networks
   Control: Maintain inventory of authorized and unauthorized devices on networks
   Comments: Find devices that can be exploited to gain access to other interconnected systems.
2. Attack: Scan for vulnerable versions of software
   Control: Maintain inventory of authorized and unauthorized software
   Comments: Find software versions that are able to be exploited remotely to gain entry to other systems.
3. Attack: Scan for software with weak configurations
   Control: Implement secure configurations for HW/SW computer devices
   Comments: Original configurations from vendors often have inadequate security controls enabled.
4. Attack: Scan for network devices with exploitable vulnerabilities
   Control: Implement secure configurations for network devices (routers, switches, firewalls, etc.)
   Comments: Network devices often become less securely configured over time unless they are diligently maintained.
5. Attack: Attack boundary devices
   Control: Implement multi-layered boundary defenses
   Comments: Attackers attempt to exploit boundary systems (e.g., DMZ or network perimeter) to gain access to network or interrelated networks
Top 20 Cyber Attacks and Related Control (Continued)
(not in priority order)
(Columns: Attack / Control / Summary Comments)
6. Attack: Attack without being detected and maintain long-term access due to weak audit logs
   Control: Maintain and monitor audit logs
   Comments: Weak protection of or inadequate logging and monitoring permits attackers to hide actions
7. Attack: Attack web-based or other application software
   Control: Robust security controls and testing of application software
   Comments: Longstanding code weaknesses (e.g., SQL injection, buffer overflows) can be exploited
8. Attack: Gain administrator privileges to control target machines
   Control: Implement controlled use of administrator privileges
   Comments: Attacks exploit weak protection or control over administrator privileges
9. Attack: Gain access to sensitive data that is not adequately protected
   Control: Implement controlled access based on need to know
   Comments: Once inside a system, attackers exploit weak access controls
10. Attack: Exploit newly discovered and unpatched vulnerabilities
   Control: Continuous vulnerability assessment and remediation
   Comments: Attackers exploit the time between vulnerability discovery and patching
Top 20 Cyber Attacks and Related Control (Continued)
(not in priority order)
(Columns: Attack / Control / Summary Comments)
11. Attack: Exploit inactive user accounts
   Control: Monitor and control user accounts
   Comments: Legitimate but inactive accounts, or accounts of former employees, are exploited
12. Attack: Implement malware attacks
   Control: Implement up-to-date anti-virus, anti-spyware, and Intrusion Prevention System controls
   Comments: Malware attacks continue to evolve, leaving non-updated systems exposed
13. Attack: Exploit poorly configured network services
   Control: Limit and control network ports, protocols and services
   Comments: Attackers focus on unprotected or unneeded ports and protocols
14. Attack: Exploit weak security of wireless devices
   Control: Implement controls for wireless devices
   Comments: Example attacks include unauthorized access from parking lots, exploiting traveling employees, etc.
15. Attack: Steal sensitive data
   Control: Implement controls to detect and prevent unauthorized exfiltration
   Comments: Includes both electronic and physical (i.e., stolen laptops) attacks
Top 20 Cyber Attacks and Related Control (Continued)
(not in priority order)
(Columns: Attack / Control / Summary Comments)
16. Attack: Map networks looking for vulnerabilities
   Control: Implement secure network engineering
   Comments: Look for unprotected (i.e., weak) links or weak filtering/controls in network
17. Attack: Attack networks and systems by exploiting vulnerabilities undiscovered by target system personnel
   Control: Conduct penetration tests to evaluate and exercise defenses
   Comments: Attack exploits social engineering and inability of system to respond to automated attacks
18. Attack: Attack systems or organizations that have no or poor attack response
   Control: Implement effective cyber incident response capabilities
   Comments: True magnitude and impact of attack can be masked by inadequate response
19. Attack: Change system configurations and/or data so that organization cannot restore it properly
   Control: Implement data and system recovery procedures
   Comments: Leave backdoors or data errors that permit future attacks or disrupt operations
20. Attack: Exploit poorly trained or poorly skilled employees
   Control: Conduct skills assessment and ensure adequate training across the enterprise
   Comments: Attacks focus on manipulating end users, administrators, security operators, programmers, or even system owners
Approach for Developing 20 Critical Controls
• Engage the best security experts:
– NSA “Offensive Guys”
– NSA “Defensive Guys”
– DoD Cyber Crime Center (DC3)
– US-CERT (plus 3 agencies that were hit hard)
– Top Commercial Pen Testers
– Top Commercial Forensics Teams
– JTF-GNO
– AFOSI
– Army Research Laboratory
– DoE National Laboratories
– FBI and IC-JTF
• Identify top attacks—the critical risk areas
• Prioritize controls to match successful attacks—mitigate critical risks
• Identify automation/verification methods and measures
• Engage CIOs, CISOs, Auditors, and oversight organizations
• Map Critical Controls to NIST SP 800-53 P1 controls (proper subset)
Result: Applying the 20 Critical Controls will address the majority of cyber attacks
Relevance of 20 Critical Controls to FISMA and
NIST Guidelines
(Columns: FISMA and NIST / 20 Critical Controls)
1. FISMA and NIST: Assess cyber security risk in an organization
   20 Critical Controls: Based on government-wide (shared) risk assessment
2. FISMA and NIST: Implement security based on risk
   20 Critical Controls: Controls address top cyber risks
3. FISMA and NIST: Select controls from NIST SP 800-53 to mitigate risk areas
   20 Critical Controls: 20 Critical Controls are subset of 800-53 Priority 1 controls
4. FISMA and NIST: Objectively evaluate control effectiveness
   20 Critical Controls: Use automated tools and periodic evaluations to provide continuous monitoring
20 Critical Controls designed to help agencies comply with FISMA and
NIST guidance!
NIST Guidance: 1200 pages of FIPS Pubs, Special Pubs, Security Bulletins, etc.

Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed Actions
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
 
Government Webinar: Improving Security Compliance with IT Monitoring Tools
Government Webinar: Improving Security Compliance with IT Monitoring Tools Government Webinar: Improving Security Compliance with IT Monitoring Tools
Government Webinar: Improving Security Compliance with IT Monitoring Tools
 
Les Assises 2015 - Why people are the most important aspect of IT security?
Les Assises 2015 - Why people are the most important aspect of IT security?Les Assises 2015 - Why people are the most important aspect of IT security?
Les Assises 2015 - Why people are the most important aspect of IT security?
 
Webinar: Real IT Compliance with SolarWinds
Webinar: Real IT Compliance with SolarWindsWebinar: Real IT Compliance with SolarWinds
Webinar: Real IT Compliance with SolarWinds
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Automating Enterprise IT Management
Automating Enterprise IT ManagementAutomating Enterprise IT Management
Automating Enterprise IT Management
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information security
 
Why Corporate Security Professionals Should Care About Information Security
Why Corporate Security Professionals Should Care About Information Security Why Corporate Security Professionals Should Care About Information Security
Why Corporate Security Professionals Should Care About Information Security
 
Implementing Continuous Monitoring
Implementing Continuous MonitoringImplementing Continuous Monitoring
Implementing Continuous Monitoring
 
Automating Enterprise IT Management by Leveraging Security Content Automation...
Automating Enterprise IT Management by Leveraging Security Content Automation...Automating Enterprise IT Management by Leveraging Security Content Automation...
Automating Enterprise IT Management by Leveraging Security Content Automation...
 
Cyber security series advanced persistent threats
Cyber security series   advanced persistent threats Cyber security series   advanced persistent threats
Cyber security series advanced persistent threats
 
Building Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsBuilding Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & Metrics
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
 
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
 
2 Day MOSTI Workshop
2 Day MOSTI Workshop2 Day MOSTI Workshop
2 Day MOSTI Workshop
 

Recently uploaded

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Cybersecurity: Challenges, Initiatives, and Best Practices

1. Cybersecurity: Challenges, Initiatives, and Best Practices
John M. Gilligan
June 15, 2010

2. Topics
• Current Situation
• Top-level Strategy for Cybersecurity
• Focused look at 20 Critical Controls and SCAP
• Legislative Initiatives
• Longer Term Directions
• Closing thoughts

3. Historical Perspectives
• Internet, software industry, (personal) computers—rooted in creativity not engineering
• Security in the Cold War Era
– Security “Gurus”—Keepers of the Kingdom
• The World Wide Web changes the security landscape--forever
• Post Cold War: The Age of Information Sharing
Legacy of the past is now our “Achilles Heel”

4. Cyber Security Threats Today--A New “Ball Game”
• Our way of life depends on a reliable cyberspace
• Intellectual property is being downloaded at an alarming rate
• Cyberspace is now a warfare domain
• Attacks increasing at an exponential rate
• Fundamental network and system vulnerabilities cannot be fixed quickly
• Entire industries exist to “Band Aid” over engineering and operational weaknesses
Cyber Security is a National and Economic Security Crisis!

5. Situation Assessment
• Assessing cyber threats (and therefore risks) requires extensive experience and access to highly classified materials
– It is unreasonable to expect most organizations to assess threats/risks.
• The technical aspects of Cybersecurity are enormously complex:
– Cybersecurity will require significant increase in levels of discipline in systems/enterprise management
– Guidance must be simple and clearly stated.
• The overall state of cybersecurity is so poor, that it cannot be solved quickly:
– Near term objective should be to establish a foundation upon which we can build
– Cannot do everything at once; we must prioritize/focus

6. Heartland Payment Systems
Disclosure of intrusions--Jan 20, 2009
Cybersecurity becoming a focus of CEOs, Boards of Directors and Shareholders

7. Obama Cyberspace Policy Review—“60 Day Review”--May 29, 2009
• The Nation is at a crossroads
• Cyberspace risks pose some of most serious challenges to economic and national security
• Need to begin national dialogue on cybersecurity
• Solutions must involve partnership with private sector and international engagement
• White House must lead the way

8. Recommended Near-Term Actions
• White House Cybersecurity official and supporting organization—Howard Schmidt appointed Dec. 2009
• Prepare updated national strategy
• Designate cybersecurity as Presidential priority
• Initiate public awareness campaign and strengthen international partnerships
• New policies regarding roles/responsibilities
• Prepare cyber incident response plan
• Develop research plan and vision for identity management
Progress delayed pending Cyber Czar appointment--Initial progress now underway.

9. (Recommended) Top Level Cybersecurity Strategy
Diagram: a grid with THREAT (Unsophisticated to Sophisticated) on one axis and MISSION/FUNCTION CRITICALITY (Low to High) on the other; regions labelled Accept Risk, Implement Comprehensive Baseline of Security, and Deploy Targeted Advanced Security Controls.

10. Comprehensive Baseline of Security = A Well-Managed Enterprise
Characteristics of a Well Managed Enterprise
1. Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so
2. Increased operational effectiveness and greater security without increased cost
3. Integrated and automated enterprise management tools
Cyber Security Requires Comprehensive Application of “Good IT Hygiene”!

11. Top Level Cyber Security Strategy
Diagram: the same THREAT / MISSION/FUNCTION CRITICALITY grid as slide 9 (Accept Risk; Comprehensive Baseline of Security (A “well managed” IT infrastructure); Deploy Targeted Advanced Security Controls), overlaid with the specific initiatives: TIC, Training for Sys Admin, 2-Factor Authentication, 20 Critical Controls, FDCC+, SCAP, DNSSEC, S-BGP, Threat/Vul Collaboration, Einstein 3.
Result: Blocks 85% of attacks and provides foundation to address remaining/new attacks (Ref: Dick Schaeffer, NSA/IAD)

12. 20 Critical Controls* for Effective Cyber Defense--An Effective Public-Private Partnership
• Underlying Rationale
– Let “Offense drive Defense”
– Focus on most critical areas
• CAG: Twenty security controls based on attack patterns
• Government and Private Sector consensus
• Emphasis on auditable controls and automated implementation/enforcement
• Pilots and standards for tools ongoing
* Also called the “Consensus Audit Guidelines” or “CAG” (http://www.sans.org/cag/)
13. Example--Critical Control #1: Inventory of Authorized and Unauthorized Devices
• Attacker Exploit: Scan for new, unprotected systems
• Control:
– Quick Win: Automated asset inventory discovery tool
– Visibility/Attribution: Online asset inventory of devices with net address, machine name, purpose, owner
– Configuration/Hygiene: Develop inventory of information assets (incl. critical information and map to hardware devices)
• Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
– CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6
• Automated Support: Employ products available for asset inventories, inventory changes, network scanning against known configurations
• Evaluation: Connect fully patched and hardened test machines to measure response from tools and staff. Control identifies and isolates new systems (Min--24 hours; best practice--less than 5 minutes)
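The evaluation described for Critical Control #1 above, as an added example that is not part of the original deck: it reconciles a list of devices discovered on the network against the authorized inventory (net address, machine name, purpose, owner), flags what the inventory does not explain, and grades how quickly each unauthorized device was detected against the 24 hour minimum and 5 minute best practice. All asset records, sightings, addresses and host names below are constructed sample data.

```python
"""Inventory reconciliation for Critical Control #1 (added example, not from the slides).

Compares devices discovered on the network against the authorized asset inventory
(net address, machine name, purpose, owner, as slide 13 lists), flags what the
inventory does not explain, and grades how fast each unauthorized device was
detected against the slide's evaluation thresholds: 24 hours minimum, under
5 minutes best practice. All device records here are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

BEST_PRACTICE = timedelta(minutes=5)   # slide 13: best practice, less than 5 minutes
MINIMUM = timedelta(hours=24)          # slide 13: minimum, 24 hours


@dataclass(frozen=True)
class Asset:
    """One authorized inventory record (the Visibility/Attribution fields)."""
    ip: str
    hostname: str
    purpose: str
    owner: str


@dataclass(frozen=True)
class Sighting:
    """A device observed on the network, e.g. from a discovery scan or DHCP log."""
    ip: str
    hostname: str
    first_seen: datetime   # when the device joined the network
    detected: datetime     # when the inventory tool raised an alert for it


def grade(delay: timedelta) -> str:
    """Rate a detection delay against the slide's evaluation thresholds."""
    if delay < BEST_PRACTICE:
        return "best practice"
    if delay <= MINIMUM:
        return "minimum met"
    return "missed"


def incomplete_records(inventory):
    """Inventory entries that lack the purpose or owner attribution."""
    return [a for a in inventory if not a.purpose.strip() or not a.owner.strip()]


def reconcile(inventory, sightings):
    """Split sightings into unauthorized (with detection grade), mismatched and missing.

    unauthorized: seen on the network but absent from the inventory
    mismatched:   address is in the inventory but the machine name differs
    missing:      in the inventory but never observed on the network
    """
    by_ip = {a.ip: a for a in inventory}
    unauthorized, mismatched = [], []
    for s in sightings:
        asset = by_ip.get(s.ip)
        if asset is None:
            unauthorized.append((s, grade(s.detected - s.first_seen)))
        elif asset.hostname != s.hostname:
            mismatched.append((s, asset))
    seen = {s.ip for s in sightings}
    missing = [a for a in inventory if a.ip not in seen]
    return unauthorized, mismatched, missing


# Constructed sample inventory and scan results (not real hosts).
INVENTORY = [
    Asset("10.0.1.10", "web-01", "public web server", "Web team"),
    Asset("10.0.1.11", "db-01", "customer database", "DBA group"),
    Asset("10.0.1.12", "print-02", "", ""),            # no purpose or owner recorded
    Asset("10.0.2.5", "fin-ws-03", "finance workstation", "Finance"),
    Asset("10.0.2.6", "hr-laptop-07", "HR workstation", "HR"),
]
T0 = datetime(2010, 6, 15, 9, 0)
SIGHTINGS = [
    Sighting("10.0.1.10", "web-01", T0, T0),
    Sighting("10.0.1.11", "db-01", T0, T0),
    Sighting("10.0.1.12", "print-02", T0, T0),
    Sighting("10.0.2.5", "unknown-pc", T0, T0),                           # name does not match
    Sighting("10.0.1.50", "test-box-a", T0, T0 + timedelta(minutes=3)),  # hardened test machine
    Sighting("10.0.1.51", "test-box-b", T0, T0 + timedelta(hours=2)),
    Sighting("10.0.1.52", "test-box-c", T0, T0 + timedelta(hours=30)),   # caught too late
]


def run_check(inventory=INVENTORY, sightings=SIGHTINGS) -> dict:
    """Evaluation summary keyed by IP address."""
    unauthorized, mismatched, missing = reconcile(inventory, sightings)
    return {
        "unauthorized": {s.ip: g for s, g in unauthorized},
        "mismatched": [s.ip for s, _ in mismatched],
        "missing": [a.ip for a in missing],
        "incomplete": [a.ip for a in incomplete_records(inventory)],
    }


if __name__ == "__main__":
    for section, items in run_check().items():
        print(f"{section}: {items}")
```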
14. 20 Critical Controls—Implementation Recommendation
Step 1: Accept CAG consensus threats as risk baseline for your organization
Step 2: Implement 20 Critical Controls
Step 3: Use organization specific risk assessment to select and implement additional controls from 800-53
– Focus on unique, mission critical capabilities and data
Step 4: Use automated tools and periodic evaluations to continuously measure compliance (risk reduction)
Step 5: Partner with senior management and auditors to motivate compliance improvement
– Use examples and lessons learned from State Dept. and others

15. Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network.
• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information.
• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations

16. Current SCAP Standards
Standard: role (management area)
• CVE: Identifies vulnerabilities (software vulnerability management)
• CVSS: Scores vulnerability severity (software vulnerability management)
• OVAL: Criteria to check presence of vulnerabilities, configurations, assets (vulnerability, configuration and asset management)
• CCE: Identifies configuration controls (configuration management)
• XCCDF: Language to express configuration guidance for both automatic and manual vetting (compliance management)
• CPE: Identifies packages and platforms (asset management)
SCAP enables cross vendor interoperability and aggregation of data produced by separate tools to an enterprise level—leads to better enterprise management and cyber security!
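An added example, not from the slides and not any SCAP product's code, of the cross-vendor aggregation slide 16 describes: results from two different scanners can be merged into one enterprise view because both name their checks by CCE identifier, their hosts by target address and their platforms by CPE name. The two XCCDF 1.2 TestResult documents are constructed and simplified, and the CCE-0000-x identifiers and cpe:/o:example platform name are placeholders.

```python
"""Merging XCCDF results from separate tools through shared SCAP identifiers.

Added example, not from the slides and not any vendor's code. The two XCCDF 1.2
TestResult documents below are constructed and simplified; they stand in for the
output of two different scanners. Because both identify checks by CCE, hosts by
target address and platforms by CPE name, their output can be aggregated into a
single enterprise view without caring which tool produced which record.
"""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
CCE_SYSTEM = "http://cce.mitre.org"   # ident/@system value that marks a CCE entry

# Constructed sample: "scanner A" assessed web-01. CCE-0000-x are placeholders.
SCANNER_A = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_testresult_a" start-time="2010-06-15T09:00:00">
  <target>web-01</target>
  <target-address>10.0.1.10</target-address>
  <platform idref="cpe:/o:example:server_os:1.0"/>
  <rule-result idref="xccdf_example_rule_min_pw_len"><result>fail</result>
    <ident system="http://cce.mitre.org">CCE-0000-1</ident></rule-result>
  <rule-result idref="xccdf_example_rule_audit_on"><result>pass</result>
    <ident system="http://cce.mitre.org">CCE-0000-2</ident></rule-result>
  <rule-result idref="xccdf_example_rule_guest_off"><result>pass</result>
    <ident system="http://cce.mitre.org">CCE-0000-3</ident></rule-result>
</TestResult>"""

# Constructed sample: "scanner B" assessed db-01 and never checked CCE-0000-3.
SCANNER_B = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_testresult_b" start-time="2010-06-15T09:10:00">
  <target>db-01</target>
  <target-address>10.0.1.11</target-address>
  <platform idref="cpe:/o:example:server_os:1.0"/>
  <rule-result idref="xccdf_example_rule_min_pw_len"><result>pass</result>
    <ident system="http://cce.mitre.org">CCE-0000-1</ident></rule-result>
  <rule-result idref="xccdf_example_rule_audit_on"><result>fail</result>
    <ident system="http://cce.mitre.org">CCE-0000-2</ident></rule-result>
  <rule-result idref="xccdf_example_rule_vendor_only"><result>pass</result>
  </rule-result>
</TestResult>"""


def rule_results(xml_text):
    """Yield (target, address, platform, cce, result) for every rule-result."""
    root = ET.fromstring(xml_text)
    target = root.findtext("x:target", namespaces=NS)
    address = root.findtext("x:target-address", namespaces=NS)
    plat = root.find("x:platform", NS)
    platform = plat.get("idref") if plat is not None else None
    for rr in root.findall("x:rule-result", NS):
        result = rr.findtext("x:result", namespaces=NS)
        # A rule may carry several ident elements (CCE, CVE, ...); keep the CCE one.
        cce = next((i.text for i in rr.findall("x:ident", NS)
                    if i.get("system") == CCE_SYSTEM), None)
        yield target, address, platform, cce, result


def aggregate(documents):
    """Merge many TestResults: returns ({cce: {result: [hosts]}}, {host: facts})."""
    by_cce, hosts = {}, {}
    for doc in documents:
        for target, address, platform, cce, result in rule_results(doc):
            hosts[target] = {"address": address, "platform": platform}
            if cce is None:
                continue  # vendor-specific check with no CCE: cannot be correlated
            by_cce.setdefault(cce, {}).setdefault(result, []).append(target)
    return by_cce, hosts


def unchecked_hosts(by_cce, hosts):
    """Per CCE, the known hosts for which no tool reported any result."""
    gaps = {}
    for cce, outcomes in by_cce.items():
        covered = {h for hs in outcomes.values() for h in hs}
        missing = sorted(set(hosts) - covered)
        if missing:
            gaps[cce] = missing
    return gaps


def enterprise_view(documents=(SCANNER_A, SCANNER_B)):
    """Enterprise-level summary: failing hosts per CCE and coverage gaps."""
    by_cce, hosts = aggregate(documents)
    return {
        "failing": {cce: sorted(o.get("fail", [])) for cce, o in by_cce.items()},
        "unchecked": unchecked_hosts(by_cce, hosts),
        "hosts": hosts,
    }


if __name__ == "__main__":
    view = enterprise_view()
    for cce, failing in view["failing"].items():
        print(f"{cce}: failing on {failing or 'no hosts'}")
    for cce, missing in view["unchecked"].items():
        print(f"{cce}: not assessed on {missing}")
```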
17. FISMA 2002 Legislation Was Well Intended; What is Not Working?
• Original intent was good:
– Ensure effective controls
– Improve oversight of security programs
– Provide for independent evaluation
• Implementation took us off course
– Agencies unable to adequately assess cyber risks
– (Lots of) NIST “guidance” became mandatory
– No auditable basis for independent evaluation
– Grading became overly focused on paperwork
Bottom Line: OMB mandates and paperwork debates have distracted CIOs/CISOs from achieving real security improvements

18. New Hope for Federal Cybersecurity
• Progress
– FISMA Reporting Instructions: April 21, 2010
    • Continuously monitor
    • Use automated tools
    • Develop automated risk models
– NIST Guidance (SP 800-53 and SP 800-37)
– New Legislation in House and Senate
• Cautions
– FISMA Reporting Instructions reinforce “compliance mentality”
– Risk assessment, while logical, is “a foundation of sand”
Security must be based on knowledge of attacks and results focused!

19. Implications of Policy, Guidelines and Potential Legislation Changes on Industry
• Implications for National Industrial Security Program Operating Manual (Feb 2006)
– ‘Certification/Accreditation’ become ‘Security Authorization’ with continuous monitoring (SP 800-37)
– Other updates to reflect new government-wide policies/guidance
• New FISMA reporting process--April 21, 2010
– Contractor information systems that support the operations and assets of the agency (FISMA Reporting)—including IG audit
• Potential Legislation Impacts
– Expand new FISMA to all systems of government contractors/subcontractors
– Requirements for reporting, testing, audits
Apply requirements for government organizations to government contractors

20. Longer-Term Actions: IT Reliably Enabling Business
• Change the dialogue: Reliable, resilient IT is fundamental to future National Security and Economic Growth
• New business model for software industry
– First step—self certified, locked-down configurations
– Longer term—software with reliability warranties
• Redesign the Internet to provide reliable attribution, increased security
• Get the “man out of the loop”—use automated tools (e.g., SCAP)
• Foster new IT services models
– Assume insecure environment
– Increased use of virtualization
– Secure “cloud”
• Evolve to a more effective public-private partnership (e.g., DIB)
• Develop professional cyberspace workforce
Need to Fundamentally “Change the Game” to Make Progress

21. Closing Thoughts
• Government and Industry need to treat cyber security as an urgent priority
• A well managed enterprise (e.g., using 20 Critical Controls and SCAP) is a harder target to attack and costs less to operate – the ultimate “no brainer” for a CIO
• Near-term actions important but need to fundamentally change the game to get ahead of the growing threat
Cyber Security is Fundamentally a Leadership Issue!

22. Contact Information
John M. Gilligan
jgilligan@gilligangroupinc.com
703-503-3232
www.gilligangroupinc.com

23. Top 20 Cyber Attacks and Related Control (not in priority order)
Columns: Attack / Control Summary / Comments
1. Attack: Scan for unprotected systems on networks
   Control: Maintain inventory of authorized and unauthorized devices on networks
   Comments: Find devices that can be exploited to gain access to other interconnected systems.
2. Attack: Scan for vulnerable versions of software
   Control: Maintain inventory of authorized and unauthorized software
   Comments: Find software versions that are able to be exploited remotely to gain entry to other systems.
3. Attack: Scan for software with weak configurations
   Control: Implement secure configurations for HW/SW computer devices
   Comments: Original configurations from vendors often have inadequate security controls enabled.
4. Attack: Scan for network devices with exploitable vulnerabilities
   Control: Implement secure configurations for network devices (routers, switches, firewalls, etc.)
   Comments: Network devices often become less securely configured over time unless they are diligently maintained.
5. Attack: Attack boundary devices
   Control: Implement multi-layered boundary defenses
   Comments: Attackers attempt to exploit boundary systems (e.g., DMZ or network perimeter) to gain access to network or interrelated networks

24. Top 20 Cyber Attacks and Related Control (Continued) (not in priority order)
6. Attack: Attack without being detected and maintain long-term access due to weak audit logs
   Control: Maintain and monitor audit logs
   Comments: Weak protection of or inadequate logging and monitoring permits attackers to hide actions
7. Attack: Attack web-based or other application software
   Control: Robust security controls and testing of application software
   Comments: Longstanding code weaknesses (e.g., SQL injection, buffer overflows) can be exploited
8. Attack: Gain administrator privileges to control target machines
   Control: Implement controlled use of administrator privileges
   Comments: Attacks exploit weak protection or control over administrator privileges
9. Attack: Gain access to sensitive data that is not adequately protected
   Control: Implement controlled access based on need to know
   Comments: Once inside a system, attackers exploit weak access controls
10. Attack: Exploit newly discovered and unpatched vulnerabilities
   Control: Continuous vulnerability assessment and remediation
   Comments: Attackers exploit the time between vulnerability discovery and patching

25. Top 20 Cyber Attacks and Related Control (Continued) (not in priority order)
11. Attack: Exploit inactive user accounts
   Control: Monitor and control user accounts
   Comments: Legitimate but inactive accounts, or accounts of former employees, are exploited
12. Attack: Implement malware attacks
   Control: Implement up-to-date anti-virus, anti-spyware, and Intrusion Prevention System controls
   Comments: Malware attacks continue to evolve, leaving non-updated systems exposed
13. Attack: Exploit poorly configured network services
   Control: Limit and control network ports, protocols and services
   Comments: Attackers focus on unprotected or unneeded ports and protocols
14. Attack: Exploit weak security of wireless devices
   Control: Implement controls for wireless devices
   Comments: Example attacks include unauthorized access from parking lots, exploiting traveling employees, etc.
15. Attack: Steal sensitive data
   Control: Implement controls to detect and prevent unauthorized exfiltration
   Comments: Includes both electronic and physical (i.e., stolen laptops) attacks

26. Top 20 Cyber Attacks and Related Control (Continued) (not in priority order)
16. Attack: Map networks looking for vulnerabilities
   Control: Implement secure network engineering
   Comments: Look for unprotected (i.e., weak) links or weak filtering/controls in network
17. Attack: Attack networks and systems by exploiting vulnerabilities undiscovered by target system personnel
   Control: Conduct penetration tests to evaluate and exercise defenses
   Comments: Attack exploits social engineering and inability of system to respond to automated attacks
18. Attack: Attack systems or organizations that have no or poor attack response
   Control: Implement effective cyber incident response capabilities
   Comments: True magnitude and impact of attack can be masked by inadequate response
19. Attack: Change system configurations and/or data so that organization cannot restore it properly
   Control: Implement data and system recovery procedures
   Comments: Leave backdoors or data errors that permit future attacks or disrupt operations
20. Attack: Exploit poorly trained or poorly skilled employees
   Control: Conduct skills assessment and ensure adequate training across the enterprise
   Comments: Attacks focus on manipulating end users, administrators, security operators, programmers, or even system owners

27. Approach for Developing 20 Critical Controls
– Identify top attacks—the critical risk areas
– Prioritize controls to match successful attacks—mitigate critical risks
– Identify automation/verification methods and measures
– Engage CIOs, CISOs, Auditors, and oversight organizations
– Map Critical Controls to NIST SP 800-53 P1 controls (proper subset)
– Engage the best security experts:
• NSA “Offensive Guys”
• NSA “Defensive Guys”
• DoD Cyber Crime Center (DC3)
• US-CERT (plus 3 agencies that were hit hard)
• Top Commercial Pen Testers
• Top Commercial Forensics Teams
• JTF-GNO
• AFOSI
• Army Research Laboratory
• DoE National Laboratories
• FBI and IC-JTF
Result: Applying the 20 Critical Controls will address the majority of cyber attacks

28. Relevance of 20 Critical Controls to FISMA and NIST Guidelines
FISMA and NIST:
1. Assess cyber security risk in an organization
2. Implement security based on risk
3. Select controls from NIST SP 800-53 to mitigate risk areas
4. Objectively evaluate control effectiveness
20 Critical Controls:
1. Based on government-wide (shared) risk assessment
2. Controls address top cyber risks
3. 20 Critical Controls are subset of 800-53 Priority 1 controls
4. Use automated tools and periodic evaluations to provide continuous monitoring
20 Critical Controls designed to help agencies comply with FISMA and NIST guidance!

29. NIST Guidance: 1200 pages of FIPS Pubs, Special Pubs, Security Bulletins, etc.