HEMISPHERE SMB Case Study
1. Your Gateway to Cyber Risk Management
DFARS ANALYSIS
SMB Case Studies
Presented By: Carter Schoenberg
President & CEO
HEMISPHERE Cyber Risk Management
www.hemispherecyber.com
(703) 881-7785
2. About HEMISPHERE
Established in 2015
Offices in U.S. (Virginia)
Professional cyber risk management services
(Small & Mid-size Businesses, Law Firms, and Insurance Sectors)
Proprietary risk modeling
3. CUI IV&V Engagements
Period of Performance (PoP): 15 engagements, July 2016 to present
Company Sizes: Ranging from 35 to 416 employees
Geography: CONUS
Average Cost of Engagement: $29,515
Average Identified Savings from Recommendations: $58,724
4. CUI IV&V Engagements
Challenges – Government Side
DFARS only evaluates what DoD deems of interest to it
DoD has conveyed presumptions about what business owners “normally do” (e.g., having policies and procedures in place to meet the traditional -1 controls of NIST SP 800-53)
Communications about requirements have been limited
CUI vs. CDI vs. CTI (Controlled Unclassified Information vs. Covered Defense Information vs. Controlled Technical Information)
Consequences of failing to adopt are not clear
Oct 2017 conveys “30 days to adopt,” whereas full implementation is hard-stopped at 12/31/2017 (what does this mean for companies post January 1, 2018?)
Self Certification as an evaluation criteria or “Reps & Certs”?
Industry Day issues: Flow down for CSPs and adoption of 800-53 vs. 800-171
DoD Acquisition Workforce (background and expertise)
5. Challenges – Contractor Side (SMBs)
(Slide graphic: “Cyber Plans and SSPs” – “I don’t have time for this stuff!”)
Lack of qualified staff
Little or no inputs from legal
“I have ISO 27000 Series, I am good” (40 controls do not align)
They believe liability ends with the solicitation’s requirements
6. Ask The Audience – You be the Judge
Scenario: “ACME” - 8(a) firm in Virginia wins large contract to support NAVY in San Diego, Pensacola, and New London
ACME contacted by law enforcement agency about activity on their network associated with a cyber incident
Analysis confirms malware propagated on core enterprise network of ACME (introduced via smartphone plugged into contractor laptop)
Data supports that information has been exfiltrated that likely included staff PII
What do you do?
7. Did You Know?
60% of small businesses close their doors after a cyber event
Most cyber events are internal
More money is spent on cyber defense today than ever before
~ Small Business Trends, 2017
8. Did You Know?
62% of all cyber insurance claims came from small businesses
Most coverage levels are inadequate
Duty to disclose before taking action
Courts are moving away from “if you were breached” to “how well did you respond and recover?”
(Chart: POLICY VALUE – Incident Response 80%)
9. CUI IV&V Engagements – Our Approach
Review each organization (as a business)
Ascertain how many states may have purview in the event of a breach
Identify the language in existing contracts where the client must demonstrate adherence to DFARS updates (NIST SP 800-171 and Penetration Clauses)
Review any existing operational policies and procedures
Conduct technical scans of client’s environment (Nessus, Nmap, and Wireshark)
Conduct Operational and Physical Assessments
Analysis
Draft Report
Final Report with onsite formal debrief
10. CUI IV&V Engagements – Findings
NIST SP 800-171 Adoption (110 Controls), averages across the 15 engagements:
Adopted: 29%
Adopted with Limitations: 37%
Not Adopted: 34%
How many understood how to reclaim these costs?
11. CUI IV&V Engagements – Findings: Beyond 800-171 (NIST SP 800-53 controls)
CONTROL  DESCRIPTION
AC-1  ACCESS CONTROL POLICY AND PROCEDURES
AC-9  PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-10  CONCURRENT SESSION CONTROL
AC-14  PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AT-4  SECURITY TRAINING RECORDS
AU-10  NON-REPUDIATION
AU-13  MONITORING FOR INFORMATION DISCLOSURE
CA-3  SYSTEM INTERCONNECTIONS
CA-6  SECURITY AUTHORIZATION
CM-9  CONFIGURATION MANAGEMENT PLAN
CP-2  CONTINGENCY PLAN
CP-4  CONTINGENCY PLAN TESTING
IA-3  DEVICE IDENTIFICATION AND AUTHENTICATION
12. CUI IV&V Engagements – Findings: Beyond 800-171 (continued)
CONTROL  DESCRIPTION
IA-8  IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IR-8  INCIDENT RESPONSE PLAN
IR-9  INFORMATION SPILLAGE RESPONSE
MP-1  MEDIA PROTECTION POLICY AND PROCEDURES
PE-7  VISITOR CONTROL
PE-19  INFORMATION LEAKAGE
PL-4  RULES OF BEHAVIOR
PL-7  3RD PARTY PERSONNEL
PL-8  INFORMATION SECURITY ARCHITECTURE
PS-6  ACCESS AGREEMENTS
PS-7  3RD PARTY PERSONNEL SCREENING
PS-8  PERSONNEL SANCTIONS
13. CUI IV&V Engagements – Findings
Number of the 15 assessed organizations with each item in place:
Access Control Plan: 5 out of 15
Media Protection Plan: 4 out of 15
Incident Response Plan: 1 out of 15
Configuration/Change Mgt. Plan: 0 out of 15
Ability to Continuously Monitor: 0 out of 15
Inventory of Assets: 2 out of 15
Multifactor Authentication: 1 out of 15
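The technical-scan step of the approach on slide 9 (Nessus, Nmap, Wireshark) and the asset-inventory finding above (2 of 15 organizations had one) are two ends of the same workflow: a scan only helps with the NIST SP 800-171 inventory requirement (3.4.1) if its output is turned into an inventory and diffed against what the organization believes it owns. The Python below is an added example written for this page, not HEMISPHERE's tooling or anything the deck describes: it parses the XML that `nmap -sV -oX` writes into an asset list, reports live hosts missing from an authorized-asset list, and flags open cleartext services. The embedded XML is a constructed sample, the authorized list and the cleartext-service list are hypothetical, and the mapping to 3.4.1 and 3.13.8 is an editorial assumption.

```python
"""Turn Nmap XML output into an asset inventory and diff it against an
authorized-asset list.  Added example: the XML, the authorized list and the
cleartext-service list below are all constructed/hypothetical."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample shaped like `nmap -sV -oX scan.xml 192.0.2.0/28` output.
# Attributes nmap normally emits but this example does not use are omitted.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/28">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:AA:BB:01" addrtype="mac" vendor="Dell"/>
    <hostnames><hostname name="fs01.example.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical authorized-asset list: what the organization's own inventory
# (NIST SP 800-171 3.4.1, assumed mapping) says should be on the subnet.
AUTHORIZED_ASSETS = {"192.0.2.10": "fs01.example.local"}

# Assumed policy list of services that carry credentials or data in the clear
# (relevant to 3.13.8, assumed mapping).
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "pop3", "imap"}


@dataclass
class Asset:
    ip: str
    hostname: str = ""
    mac: str = ""
    vendor: str = ""
    open_ports: list = field(default_factory=list)  # (port, protocol, service)


def parse_nmap_xml(xml_text):
    """Return one Asset per host nmap reports as up; down hosts are skipped."""
    assets = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        asset = Asset(ip="")
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                asset.ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # only present on local-segment scans
                asset.mac = addr.get("addr")
                asset.vendor = addr.get("vendor", "")
        hostname = host.find("hostnames/hostname")
        if hostname is not None:
            asset.hostname = hostname.get("name", "")
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            service = port.find("service")
            asset.open_ports.append((int(port.get("portid")), port.get("protocol"),
                                     service.get("name", "") if service is not None else ""))
        assets.append(asset)
    return assets


def unauthorized_hosts(assets, authorized):
    """Live hosts the inventory does not know about (the 3.4.1 gap)."""
    return sorted(a.ip for a in assets if a.ip not in authorized)


def cleartext_exposures(assets):
    """(ip, port, service) triples for open cleartext services."""
    return sorted((a.ip, port, svc)
                  for a in assets for port, _proto, svc in a.open_ports
                  if svc in CLEARTEXT_SERVICES)


def main():
    assets = parse_nmap_xml(SAMPLE_NMAP_XML)
    for a in assets:
        print(f"{a.ip:<14} {a.hostname or '-':<22} {a.mac or '-':<18} "
              + ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in a.open_ports))
    print("Not in authorized inventory:", unauthorized_hosts(assets, AUTHORIZED_ASSETS))
    print("Cleartext services exposed:", cleartext_exposures(assets))


if __name__ == "__main__":
    main()
```

To run it against a real scan, replace SAMPLE_NMAP_XML with the contents of the file written by `-oX`. Nmap only reports a MAC address and vendor when it scans from the same layer-2 segment, which is why the second constructed host has neither; the filtered port 80 on that host is deliberately excluded because a filtered port is not an exposed service.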
14. Cyber Plan vs. SSP
Some entities require a System Security Plan (SSP). How is an SSP different from a “Cyber Plan”?
Context and Visualization
Estimated time to complete in-house with 1) no outside assistance and 2) no internal cybersecurity SME: 6 months
15. Corporate Cyber and Incident Response Plans
It is not simply “your” business you need to worry about.
63% of cyber breaches attributed to a 3rd party.
~ Soha Security Survey 2016
16. Corporate Cyber and Incident Response Plans – Regulators and Plaintiffs
What will be asked for? Likely first items:
Corporate Policies
Incident Response Plan
17. Corporate Cyber and Incident Response Plan
What to Do:
Make it easily accessible
Actionable
Repeatable
What Not to Do:
Paper version stuck on a shelf
Very technical
Hard to enforce
18. Government Contractor ISAO (“GovCon-ISAO”)
Addresses 21 out of 110 Controls
More than just info-sharing
Takes the guesswork out of what to share and why
Interactions with DHS enable early warning indicators
Benchmarking against peers
19. Questions
Carter Schoenberg, President & CEO
Carter@hemispherecyber.com
(703) 881-7785 Office
SUBJECT: SSCA