Practical Application of the NIST Cybersecurity Framework
1. From Boardroom to War Room: Practical Application of the NIST Cybersecurity Framework
2018 ISACA SECURITY & RISK CONFERENCE, 29 OCTOBER 2018
2. Speaker Bio
Rob Samuel, CISSP
Chief Cybersecurity Officer
Province of Nova Scotia
Contact Information:
Robert.Samuel@novascotia.ca
(902) 222-6685
Experience
Communications and Electronics Engineering Officer (2001-2006)
Senior System Analyst (2006-2010)
Manager – Client Services (2010-2013)
Senior Advisor – Cyber and IT Security (2013-2016)
Chief Cybersecurity Officer (2016-Present)
Education
• Bachelor of Technology (Information Management) – Cape Breton University
• Computer Information Systems (Diploma) – Cape Breton University
• Canadian Forces School of Communications and Electronics
• Information Assurance and Security – University of Winnipeg
Boards and Affiliations
• National CIO Subcommittee on Information Protection (NCSIP) - Chair
• Microsoft Canadian Security Council - Member
9. ACRONYMS (WE NEED TO SPEAK THE SAME LANGUAGE)
What Doesn’t Work?
Source: RSA Conference 2017, Briefing the Board: Lessons Learned From CISOs and Directors
12. SHOW HOW CYBERSECURITY HELPS MANAGE BUSINESS RISKS (IT’S NOT AN IT ISSUE)
Business Risks: Financial Risk, Operational Risk, Strategic Risk, Reputational Risk, Patient Safety Risk
Cybersecurity (Confidentiality, Integrity, Availability, Third Party) leads to Bad Outcomes & Negative Impacts.
Risks could hinder the organization’s ability to achieve its priorities and objectives.
Examples of bad outcomes and negative impacts:
• A breach of information exposes a sensitive strategic organizational priority.
• A ransomware infection prevents access to medical records and impacts the ability to deliver services to patients.
• A cyber attack prevents us from processing financial transactions (lost employee productivity, litigation) or manipulates staff to send money to fake accounts (cyber-enabled financial fraud).
• Inadequate security causes a loss or disclosure of private information resulting in loss of public trust.
• Medical equipment is installed with security weaknesses allowing threat actors to alter drug dosing (potentially lethal consequences).
18. Establishing a Common Lexicon
A framework is a foundational tool to communicate with stakeholders at all levels (CISO, clients and stakeholders).
Cybersecurity Framework: a common language to help organizations understand, manage and reduce cybersecurity risks.
A framework helps your organization understand:
• Where are you today?
• How are you doing?
• Where do you need to improve?
• How do you measure progress?
20. The Framework Has 5 Core Functions
• Identify: Do we understand our risks?
• Protect: Do we have adequate safeguards?
• Detect: Can we detect anomalies and incidents?
• Respond: Can we address incidents?
• Recover: Can we effectively restore capabilities post-incident?
27. Communicate Your Security Maturity (Americas)
[Chart: maturity heat map. Rows: the five Functions (Identify, Protect, Detect, Respond, Recover). Columns: maturity levels Initial, Repeatable, Defined, Managed, Optimized. Markers plotted per Function: Current Maturity, Targeted Maturity by FY 20-21, Industry Benchmark, World-Class Benchmark.]
28. Communicate Your Security Maturity (APAC)
[Chart: same maturity heat map layout as slide 27. Rows: Identify, Protect, Detect, Respond, Recover. Columns: Initial, Repeatable, Defined, Managed, Optimized. Markers: Current Maturity, Targeted Maturity by FY 20-21, Industry Benchmark, World-Class Benchmark.]
29. Build Your Security Program Roadmap
[Chart: roadmap for 2018–2019, with initiatives plotted against the five Functions (Identify, Protect, Detect, Respond, Recover).]
Major Themes: Increase Situational Awareness; Endpoint Protection; Incident Response Plans; Governance; Risk Assessment; Network Monitoring; User Education & Awareness; Core Enhancements
Initiatives: Create Incident Response Playbooks; Establish Cyber Risk Council; Procure & Deploy Tanium; Update Awareness Policy; Asset Inventory Identification & Prioritization; Define Incident Response Roles & Responsibilities; Windows XP Upgrade; Multi-Factor Authentication; Communications Plan & Process; Deploy Cofense
30. TACTICAL PLAN: ASSET INVENTORY
Function: Identify / Protect / Detect / Respond / Recover
Work Status: Implementation Stage
Project Description: Procure and implement an asset inventory suite.
Key Milestones/Tasks | Date | Status | Comments
1. Obtain permanent O&M funding | | Complete |
2. Convert existing services to new service | | Complete |
3. Declare updated service operational | | Complete |
4. Automate reporting and asset management | | In-Progress |
How Will We Measure Success
Key Metric | Target
Hardware and software automatically detected in real-time | 100%
Identification of unauthorized hardware and software | 100%
Strategic Objectives Supported
• [Objective #1]: Drive efficiency and cost reduction
• [Objective #2]: Increase security
• [Objective #3]: Reduce client downtime
• [Objective #4]:
• [Objective #5]: Improve situational awareness
• [Objective #4]:
Potential Issues / Implementation Risks
• [Issue #1]: No procurement vehicle in place
• [Issue #2]: Migrating to a new tool
• [Issue #3]: Subscription Service model
Resource Summary
• Team leader / Point of Contact: Rob Samuel
• Core team members:
• Vendor liaison:
Investment Status: Approved
Cost Estimates (Indicative)
Category | Cost
Capital Procurement | $
Implementation | $
Sustainment (O&M) | $
Sustainment (FTE) |
31. TACTICAL PLAN: INCIDENT RESPONSE
Function: Identify / Protect / Detect / Respond / Recover
Work Status: In Progress
Project Description: Develop and implement security incident response playbooks.
Key Milestones/Tasks | Date | Status | Comments
1 | | Not Started |
2 | 1/28/2016 | Not Started |
3 | 2/3/2016 | Not Started |
4 | 2/8/2016 | Not Started |
How Will We Measure Success
Key Metric | Target
Strategic Objectives Supported
• [Objective #1]: Decrease time to resolve incidents
• [Objective #2]: Increase efficiencies
• [Objective #3]: Reduce client downtime
• [Objective #4]:
• [Objective #5]:
Potential Issues / Implementation Risks
• [Issue #1]:
• [Issue #2]:
• [Issue #3]:
Resource Summary
• Team leader / Point of Contact:
• Core team members:
• Vendor liaison:
Investment Status: Pending Approval
Cost Estimates (Indicative)
Category | Cost
Capital Procurement |
Implementation |
Sustainment (O&M) |
Sustainment (FTE) |
32. Map Your Plans and Requests to the Framework
Increase Workforce Education and Awareness
Function: Identify / Protect / Detect / Respond / Recover
Overview
Risk Status: Our employees and staff are largely unaware of cyber threats. Tricking unsuspecting people (social engineering) into opening fake emails or malicious documents/links (phishing attacks) is the most common cause of cybersecurity incidents and data breaches.
Risk Velocity: We can’t block all phishing attacks; approximately X phony emails get past our defences and are delivered to staff email inboxes each month, and X% - X% of staff fall victim.
Mitigation Plan
• Implement an enterprise-wide cybersecurity awareness and education program
• Improve the effectiveness of our existing secure email gateways (blocks fake emails)
• Investigate alternative secure email gateway solutions
• Implement modern anti-virus solutions to help protect users from malicious emails
• Launch internal phishing campaigns to help users learn and reduce their susceptibility
How You Can Help
• Set a tone from the top in support of enterprise-wide cybersecurity improvements
• Support the implementation of mandatory annual cybersecurity awareness training
• Support internal phishing campaigns
33. Use Lessons Learned from Security Incidents as Roadmap Updates
Lessons Learned | Remediation Steps
Critical systems lack good controls hygiene, leaving them vulnerable to known malware. | Work with IT to improve security controls hygiene tracking on critical systems and create incentives for better performance.
Incident response is hampered by a lack of pre-defined communication channels. | Establish an incident response playbook and define roles, responsibilities and communications channels for all stakeholders. Perform a series of table top exercises to practice incident response and refine incident response processes with stakeholders.
These are inputs into our cybersecurity roadmap.
34. Apply Lessons Learned to Plan Improvements
[Chart: the 2018–2019 roadmap from slide 29, plotted against the five Functions (Identify, Protect, Detect, Respond, Recover), with post-breach additions highlighted.]
Major Themes: Increase Situational Awareness; Endpoint Protection; Incident Response Plans; Governance; Risk Assessment; Network Monitoring; User Education & Awareness; Core Enhancements; Improve Hygiene
Initiatives: Create Incident Response Playbooks; Establish Cyber Risk Council; Procure & Deploy Tanium; Update Awareness Policy; Asset Inventory Identification & Prioritization; Define Incident Response Roles & Responsibilities; Windows XP Upgrade; Multi-Factor Authentication; Communications Plan & Process; Deploy Cofense
Added Post Breach: Establish Pre-Defined Communication Channels; Identify Control Owners; Set Hygiene Goals; Measure & Report Improvements; Table Top 1; Table Top 2
35. Explain How Cyber Incidents to External Companies Relate to Your Organization
Function: Identify / Protect / Detect / Respond / Recover
Ukraine Attack | Our Organization
State-sponsored attacker gained access into the power company’s SCADA using a known piece of malware. Effective patching may have prevented the attacker from gaining access to systems. | We continue to prioritize system patching as part of our security controls hygiene.
The attacker flooded call centers to disrupt customer reports of power outages and launched a coordinated DDoS attack on the company website. Improved controls would have reduced the impact of these attacks. | We are investing and will upgrade our DDoS protection.
The attacker deliberately damaged the SCADA system (servers and workstations) to delay the restoration of power. Staff switched to ‘manual mode’ and restored the system. | We have the capability to switch to back-up, off-line critical systems in the event of a disruption.
37. Gather Information About Your Environment (Provide Fact-Based Evidence)
• Technical & Administrative Details
  • Business Units, Departments, Services
  • Governance, Assets, Processes, Architectures, Capabilities, etc.
• Historical Information Sources
  • Cyber Insurance
  • Organizational Risk Assessments
  • Continuous Improvement Plans
  • Audits or Independent Assessments
• Comparison to Industry Best Practices
  • Center for Internet Security – Top 20 Critical Security Controls
  • Communications Security Establishment – Top 10 IT Security Actions
  • Australian Signals Directorate – Essential Eight Cybersecurity Incident Mitigation Strategies
  • Gartner – IT Key Metrics Data
38. Perform Self-Assessments (Center for Internet Security – Critical Controls)
Source: Audit Scripts, CSC initial assessment tool v7
39. CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobiles, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defences
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices (Firewalls, Routers, Switches)
12. Boundary Defence
13. Data Protection
14. Controlled Access Based on Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Baseline Your Org Against Best Practices (Center for Internet Security – Critical Controls)
[Chart: the 20 controls above, each colour-coded with its assessment status: Not Met, Partially Met or Implemented.]
41. Enterprise Cybersecurity Program Planning
Purpose
• Mission
• Vision
• Mandate
• Principles
• Charter
Strategy
• Current State / Gaps
• Strategic Plan
• Priorities
• Action Plan
• Roadmap
Organization
• Organizational Structure
• Governance
• Authorities
• Business Processes
People
• Function, Category, Role
• Knowledge & Skills
• Strategic Intake Plan
• Succession Planning
• Talent Management
Supports
• IT Capabilities
• Budget Allocations
• HR Allocations
• Organizational Priority
Results
• Outcomes
• Business Benefits
• KRI’s / KPI’s
• Security Maturity
• Annual Report
42. Guiding Principles
1. Understand Your Audience
• Articulate the Business Risks
2. Keep It Simple
• No Acronyms
• Easy to Understand Language
• Be Brief, Be Bright, Be Gone
3. Do Not Use Fear, Uncertainty and Doubt
• Provide Facts, Relevant to Your Industry / Organization
4. Map Topics Back to the Overall Strategy
Speaker Notes
Welcome everyone and thanks for coming to the session today.
Also thanks to ISACA volunteers for putting the event together; great to see so many security professionals here.
I see many familiar faces in the room but for those that don’t know me...
Quick outline of my experience...
Proud Cape Bretoner.
Most of my experience was as a federal public servant, starting as a communications engineering officer in the Canadian Forces, then out of uniform in a variety of technical and leadership roles.
In 2016 I assumed the CISO role for the Province of Nova Scotia.
Concurrently serve as the chair of NCSIP, a pan-Canadian group of Federal, Provincial, Territorial and Municipal leads for cybersecurity.
Also invited to participate in the MS Canadian Security Council (if I only had time!!).
In 2016, I moved back to Nova Scotia to assume the CISO role and started to build the cybersecurity program.
This represented both home for me (back to the foggy mornings!) but also the work environment.
Our scope was government and health environments (60K+ clients) but we had limited understanding or visibility into the environments, risks, vulnerabilities.
A continuous improvement program was in place (but it was highly technical... focused on IT... e.g. we have x number of unsupported versions of y).
An ISO (checklist) based approach was used (our maturity didn’t match the ISO self-assessment score).
This caused a bit of a false sense of security (e.g. policies and standards in place... check... but are policies and standards being followed...???).
What we needed to do was to paint a clear picture of risks, to identify where we were from a current state perspective:
• Understand our risks, gaps, potential impacts
• Communicate these to various stakeholders across government and health and
• Create a strategy and action plan to reduce our risks (gain support to pursue these improvements)
• And report back on progress
Sounds easy, right???
What we see and say is often much different than what our audience understands.
What does the sign say? To us it’s clear... to others... Awesome waves? Great surfing here??
Our job as security professionals (or as board members or other employees) is to ensure we’re all on the same page (and to remove complexity).
The outcomes of poor communication?
The audience or stakeholders won’t understand what the problem is (what their risks are)...
You won’t gain the support and traction needed to improve security... and you could ultimately suffer from more incidents and breaches.
There are some days that this feels like the norm!
But... it doesn’t convey confidence.
Another common tactic is to use the latest news headlines...
Everyone sees these types of headlines every day... from all industries and sectors...
We need to convey information as it relates to us... not the “if it can happen to them it can happen to us”.
This is an example from RSA...
It’s only one and I’m just as guilty as anyone talking about (IPS, IDS, IOC’s, AV, Botnets, PAM and SPAM...).
The good old pew pew map of recorded attacks...
We’ve admired the problem long enough...
You need to make it very clear that cybersecurity is a business risk, and risk is a business decision.
You need to provide actual examples for your industry, sector and potential outcomes.
Another key message to give your stakeholders... regardless of the model you choose:
Organizations need a way to measure their cybersecurity maturity.
Organizations that are not mature (for example technology-focused) are reactive to security issues.
There is a direct relationship between maturity and risk in that higher maturity leads to lower risk.
The NIST Cybersecurity Framework is voluntary, so there is no ‘right’ or ‘wrong’ way to do it.
It’s meant to be adaptable and adjustable. How I use it could be different than your usage.
It’s color blind friendly!
Based on best practices for organizations to better manage and reduce cybersecurity risk.
It was designed to enable communications amongst both internal and external organizational stakeholders.
I’m not covering it all, it’s freely available online... I want to show you how I use it and what’s worked for me.
The Core Functions are concurrent and continuous.
They help you understand and answer these questions...
Each Core Function is broken down into a category for each.
Each category has a reference ID.
This doesn’t need to be a self-assessment.
You could have an external entity perform an assessment on your behalf.
Note our assessment model hasn’t been updated to NIST CSF v1.1.
Maturity levels:
0. No control of any kind.
1. Initial: Control is not a priority; unstable environment leads to dependency on heroics.
2. Repeatable: Process established and repeating; reliance on people continues; controls documentation lacking.
3. Defined: Policies, process and standards defined and institutionalized.
4. Managed: Risks managed quantitatively, enterprise-wide.
5. Optimized: Continuously improving controls enterprise-wide.
See how the tactical plan always relates back to the Core Function?
Easy for your audience to follow... regardless of topic.
Here’s an example of an approach I’ve used to explain employee awareness and email security activities...
Showing your stakeholders how you’ve updated your plan based on lessons learned.
Don’t say it “could happen to us”.
Show your organization the true delta between what happened and your org.
You should also show weaknesses in the organization, and again show how you plan on addressing these in the roadmap.