Dwight Koop's Chicago ECTF talk: "The Chicago School of Cybersecurity Thinking: A Pragmatic Mid-Western Look at Cybersecurity Risk and Regulation"

Upload: cohesive-networks

Post on 16-Jul-2015


TRANSCRIPT

The Chicago School of Cybersecurity Thinking: A Pragmatic Mid-Western Look at Cybersecurity Risk and Regulation

Dwight Koop

copyright 2015

About me

Current Role
• Dwight Koop, COO and Co-founder, Cohesive Networks

Previously
• Founder & EVP, Chicago Board Options Exchange
• Global head of data center operations & security at The Swiss Bank
• COO of Bedouin, Inc
• VP at Borland Software
• COO of Signet Assurance
• Managing Member of RabbitMQ (sold to VMware in 2010)
• Still a Native Chicagoan

Agenda

• Priority Shifts: 2011 = DR ~ Post Sonden = CyberSecurity
• Sustained Cyber-Siege: Fighting Last War with Last War's Tools?
• Standards, Teaching, Testing, and Certifying
• The Fog of More
• Risk Based CyberSecurity Management
• DHS To The Rescue: Why, Who, What, and How
• Chicago School of CyberSecurity & Lessons Learned

Now Let's Start with a Look at Where We Were

Sample Pre-NIST Cybersecurity Frameworks

• International Organization for Standardization ISO/IEC 27005:2011
• Electricity Sub-Sector Cybersecurity Risk Management Process (RMP) guideline
• Committee of Sponsoring Organizations (Accounting Orgs) (COSO)
• American Institute of CPA's (AICPA) SOC 2 & SAS70
• American Institute of CPA's (AICPA) - Generally Accepted Privacy Principles GAPP (August 2009)
• Shared Assessments ORG Vendor Assessments (AUP v5.0 & SIG v6.0)
• FTC Children's Online Privacy Protection Rule (COPPA)
• European Union Agency for Network and Information Security (ENISA) IAF
• European Union Data Protection Directive 95/46/EC
• GSA's Federal Risk and Authorization Management Program (FedRAMP) Cloud Security Controls
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Dept. of State International Traffic in Arms Regulations ITAR
• UK Royal Mail - Jericho Forum on De-Perimeterisation
• and on and on…

The BIG 10: Pre-NIST Cybersecurity Frameworks

1. International Organization for Standardization ISO 31000:2009
2. International Organization for Standardization ISO/IEC 27001:2013
3. NIST Special Publication NIST 800-53 r3 & r4
4. Payment Card Industry Security Standards Council Data Security Standard PCI DSS v3.0
5. International Society of Automation Industrial Automation And Controls ISA-IAC 62443-2-1:2009
6. Information Systems Audit and Control Association (ISACA) COBIT 5
7. Cloud Security Alliance - Enterprise Architecture & Guidance CSA EAG v3.0
8. SANS Institute Council on Cybersecurity's Critical Security Controls for Effective Cyber Defense v5
9. DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Cybersecurity Evaluation Tool (CSET®)
10. Department of Energy (DOE) Cybersecurity Capability Maturity Model C2M2

Stymied by The Fog of More

• Software Tools
• Standards
• Training Classes
• Certification Badges
• Certification, PenTest, & Audit Services
• Vulnerability Databases
• Guidance & Best Practices
• Catalogs of Controls
• Checklists
• Vendor Benchmarks
• Recommendations, Regulations & Requirements
• Threat Information Feeds
• Risk Management Frameworks

Competing Options, Priorities, Opinions, and Claims

Image credit: Pixabay

Risk Based CyberSecurity Movement

Making Traditional Models and Standards Obsolete

Traditional                                              | Risk-Based
---------------------------------------------------------|---------------------------------------------------------------
Audit focus                                              | Business focus
Transaction-based                                        | Process-based
Compliance objective                                     | Customer focus
Policies & procedures focus                              | Risk management focus
Multi-year audit coverage                                | Continual risk-reassessment coverage
Policy adherence                                         | Change facilitator
Budgeted cost center                                     | Accountability for performance improvement results
Career auditors                                          | Diversified knowledge and experience
Methodology: Focus on policies, transactions, compliance | Methodology: Focus on goals, strategies, and risk management processes

Requires Broad Tech and Business Expertise

DHS Mandate: Organize and Coordinate

Executive Order 13636: Improving Critical Infrastructure Cybersecurity

• Increase Information Sharing
• Protect Privacy & Civil Liberties
• Consult with Everyone
• Have Commerce / NIST Create Cybersecurity Framework
• Voluntary Adoption Program w/ Incentives
• Identify Greatest Risks
• Determine Need for More Regulation

Image credit: Beldin

Why: NIST CyberSecurity Framework

Pros
• Organized
• One Standard Format
• Common Language
• Unifying Process
• Defense in Breadth & Depth
• Incentives
• Risk Management Focused
• Free

Cons
• Redundant
• Yet Another Framework
• Enforcement & Penalties
• Sustained Cyber-Siege
• Not Technical
• Not Designed for Small Firms
• Technology Debt?

Who: 16 Critical Infrastructure Sectors

Nuclear, Chemical Facilities, Comms, Manufacturing, Emergency, Dams, Defense, Financial, Energy, Agriculture, Health, Water, IT, Gov Facilities, Transportation

Presidential Policy Directive 21: Critical Infrastructure Security and Resilience

Multiply by 16

Image credit: dhs.gov

Financial Sector Specific Agencies (SSAs)

• The Financial and Banking Information Infrastructure Committee (FBIIC)
• American Council of State Savings Supervisors
• Commodity Futures Trading Commission
• Conference of State Bank Supervisors
• Consumer Financial Protection Bureau
• Department of the Treasury
• Farm Credit Administration
• Federal Deposit Insurance Corporation
• Federal Housing Finance Agency
• Federal Reserve Bank of Chicago
• Federal Reserve Bank of New York
• Federal Reserve Board
• National Association of Insurance Commissioners
• National Association of State Credit Union Supervisors
• National Credit Union Administration
• North American Securities Administrators Association
• Office of the Comptroller of the Currency
• Securities and Exchange Commission
• Securities Investor Protection Corporation

Who's Missing?

SEC "Risk Alert: OCIE Cybersecurity Initiative"

Non-rule, non-regulation, non-statement & no enforcement.

The Alert Includes a Sample EXAM:
• 8 Pages
• 28 Sections
• 86 Questions

Example Question: Section 5
Identify any published cybersecurity risk management process, such as NIST . . . used to model security architecture.

Voluntary

Of 36,000 Firms the SEC Examined Just 109

And all 36,000 Jumped!

So What is the NIST CyberSecurity Framework?

What - NIST Framework Core

Just One Subcategory:

NIST Cybersecurity Framework Tiers of Maturity

• Tier 1 Partial: Risk management is ad hoc, with limited awareness of risks and no collaboration with others
• Tier 2 Risk Informed: Risk-management processes and programs are in place but are not integrated enterprise-wide; collaboration is understood but organization lacks formal capabilities
• Tier 3 Repeatable: Formal policies for risk-management processes and programs
• Tier 4 Adaptive: Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration

How - NIST CyberSecurity Framework

Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
Repeat The Steps As Needed (Rinse and Repeat)

Chicago Style

• Innovative: Driven by Chicago derivatives business thirst for technical edge
• Pragmatic: Driven by incredible leverage from using cash for trading, not IT
• Fearless: Driven by expertise tackling big, fast, complected technology
• Tenacious: Driven by Mid-Western work ethic
• Creative: Driven by willingness to build solutions rather than empires.

...CHICAGO SCHOOL of CYBERSECURITY

CHI ECTF

Lessons Learned

Great, Now What? DELEGATE! Roll Your Own NIST Manual

Cybersecurity Risk Management & Network Operations Center Manual

INTRODUCTION
RISK MANAGEMENT STRATEGY STATEMENT
  Risk Management Process
  Integrated Risk Management Program
  External Participation
SCOPE OF RISK MANAGEMENT PROGRAM
  Asset, Change, and Configuration Management
  Cybersecurity Program Management
  Supply Chain and External Dependencies Management
  Identity and Access Management
  Event and Incident Response, Continuity of Operations
  Information Sharing and Communications
  Risk Management
  Situational Awareness
  Threat and Vulnerability Management
  Workforce Management
INFRASTRUCTURE UPGRADE PRIORITIES
  Current CyberSecurity Profile
  Target Profile
  Technology Debt
CYBERSECURITY ROADMAP & MILESTONES
Appendix 1: REGISTRY OF PRIMARY CYBERSECURITY RISKS
Appendix 2: REGISTRY OF STAKEHOLDERS AND USERS
Etc.

Lessons Learned

Conduct Application Specific Self-Evaluations

Self-evaluations available include ICS-CERT or Energy.Gov. Just go download a template!

Lessons Learned

15 Top-Paying Certifications: 5 are In CyberSecurity

1. Certified in Risk and Information Systems Control (CRISC) - $119,227
2. Certified Information Security Manager (CISM) - $118,348
3. Certified Information Systems Security Professional (CISSP) - $110,603
5. Certified Information Systems Auditor (CISA) - $106,181
13. Certified Ethical Hacker (CEH) - $95,155

Lessons Learned

From: Global Knowledge

100s of Certifications to Buy

Class Test

The Investment that Beats Your 401k!

Lessons Learned

Self-Test and Take-Aways


• NIST Framework Makes Everyone’s Job Less Complicated

• Shift from DR & Compliance -to- Risk Control & Cyber

• Compliance Creep – Yes Inevitable

• Holistic Knowledge (firm, business model, Industry, environment)

• Scramble for Standards Relevance — Map From not To

• De-Perimeterisation, One Function Per Server, & Segmentation

• Negligent Fiduciary Care – Half-Life of the Complacent

• NIST CyberSecurity Framework – One Ring to Map Them All


Stay in touch

Dwight Koop, Cohesive Networks

[email protected]
@DwightKoop
@CohesiveNet