dwight koop's chicago ecft talk "the chicago school of cybersecurity thinking: a pragmatic...
TRANSCRIPT
copyright 2015
The Chicago School of Cybersecurity Thinking:
A Pragmatic Mid-Western Look at Cybersecurity Risk and Regulation
Dwight Koop
About me
Current Role: Dwight Koop, COO and Co-founder, Cohesive Networks
Previously:
• Founder & EVP, Chicago Board Options Exchange
• Global head of data center operations & security at The Swiss Bank
• COO of Bedouin, Inc
• VP at Borland Software
• COO of Signet Assurance
• Managing Member of RabbitMQ (sold to VMWare in 2010)
• Still a Native Chicagoan
Agenda
• Priority Shifts: 2011 = DR ~ Post Sonden = CyberSecurity
• Sustained Cyber-Siege: Fighting the Last War with the Last War's Tools?
• Standards, Teaching, Testing, and Certifying
• The Fog of More
• Risk Based CyberSecurity Management
• DHS To The Rescue: Why, Who, What, and How
• Chicago School of CyberSecurity & Lessons Learned
Now Let’s Start with a Look at Where We Were
Sample Pre-NIST Cybersecurity Frameworks
• International Organization for Standardization ISO/IEC 27005:2011
• Electricity Sub-Sector Cybersecurity Risk Management Process (RMP) guideline
• Committee of Sponsoring Organizations (Accounting Orgs) (COSO)
• American Institute of CPA's (AICPA) SOC 2 & SAS70
• American Institute of CPA's (AICPA) Generally Accepted Privacy Principles, GAPP (August 2009)
• Shared Assessments ORG Vendor Assessments (AUP v5.0 & SIG v6.0)
• FTC Children's Online Privacy Protection Rule (COPPA)
• European Union Agency for Network and Information Security (ENISA) IAF
• European Union Data Protection Directive 95/46/EC
• GSA's Federal Risk and Authorization Management Program (FedRAMP) Cloud Security Controls
• Family Educational and Privacy Rights Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Dept. of State International Traffic in Arms Regulations (ITAR)
• UK Royal Mail - Jericho Forum on De-Perimeterisation
• and on and on…
The BIG 10: Pre-NIST Cybersecurity Frameworks
1. International Organization for Standardization ISO 31000:2009
2. International Organization for Standardization ISO/IEC 27001:2013
3. NIST Special Publication 800-53 r3 & r4
4. Payment Card Industry Security Standards Council Data Security Standard, PCI DSS v3.0
5. International Society of Automation, Industrial Automation and Controls, ISA-IAC 62443-2-1:2009
6. Information Systems Audit and Control Association (ISACA) COBIT 5
7. Cloud Security Alliance - Enterprise Architecture & Guidance, CSA EAG v3.0
8. SANS Institute / Council on Cybersecurity's Critical Security Controls for Effective Cyber Defense v5
9. DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Cybersecurity Evaluation Tool (CSET®)
10. Department of Energy (DOE) Cybersecurity Capability Maturity Model (C2M2)
Stymied by The Fog of More
Competing Options, Priorities, Opinions, and Claims:
• Software Tools
• Standards
• Training Classes
• Certification Badges
• Certification, PenTest, & Audit Services
• Vulnerability Databases
• Guidance & Best Practices
• Catalogs of Controls
• Checklists
• Vendor Benchmarks
• Recommendations, Regulations & Requirements
• Threat Information Feeds
• Risk Management Frameworks
Image credit: Pixabay
Risk Based CyberSecurity Movement
Making Traditional Models and Standards Obsolete

Traditional                                                   | Risk-Based
Audit focus                                                   | Business focus
Transaction-based                                             | Process-based
Compliance objective                                          | Customer focus
Policies & procedures focus                                   | Risk management focus
Multi-year audit coverage                                     | Continual risk-reassessment coverage
Policy adherence                                              | Change facilitator
Budgeted cost center                                          | Accountability for performance improvement results
Career auditors                                               | Diversified knowledge and experience
Methodology: Focus on policies, transactions, and compliance  | Methodology: Focus on goals, strategies, and risk management processes

Requires Broad Tech and Business Expertise
DHS Mandate: Organize and Coordinate
Executive Order 13636: Improving Critical Infrastructure Cybersecurity
• Increase Information Sharing
• Protect Privacy & Civil Liberties
• Consult with Everyone
• Have Commerce / NIST Create Cybersecurity Framework
• Voluntary Adoption Program w/ Incentives
• Identify Greatest Risks
• Determine Need for More Regulation
Image credit: Beldin
Why: NIST CyberSecurity Framework
Pros:
• Organized
• One Standard Format
• Common Language
• Unifying Process
• Defense in Breadth & Depth
• Incentives
• Risk Management Focused
• Free
Cons:
• Redundant
• Yet Another Framework
• Enforcement & Penalties
• Sustained Cyber-Siege
• Not Technical
• Not Designed for Small Firms
• Technology Debt?
Who: 16 Critical Infrastructure Sectors
Presidential Policy Directive 21: Critical Infrastructure Security and Resilience
Nuclear, Chemical, Facilities, Comms, Manufacturing, Emergency, Dams, Defense, Financial, Energy, Agriculture, Health, Water, IT, Gov Facilities, Transportation
Multiply by 16
Image credit: dhs.gov
Financial Sector Specific Agencies (SSAs)
• The Financial and Banking Information Infrastructure Committee (FBIIC)
• American Council of State Savings Supervisors
• Commodity Futures Trading Commission
• Conference of State Bank Supervisors
• Consumer Financial Protection Bureau
• Department of the Treasury
• Farm Credit Administration
• Federal Deposit Insurance Corporation
• Federal Housing Finance Agency
• Federal Reserve Bank of Chicago
• Federal Reserve Bank of New York
• Federal Reserve Board
• National Association of Insurance Commissioners
• National Association of State Credit Union Supervisors
• National Credit Union Administration
• North American Securities Administrators Association
• Office of the Comptroller of the Currency
• Securities and Exchange Commission
• Securities Investor Protection Corporation
Who's Missing?
SEC "Risk Alert: OCIE Cybersecurity Initiative"
Non-rule, non-regulation, non-statement & no enforcement.
The Alert includes a sample EXAM:
• 8 Pages
• 28 Sections
• 86 Questions
Example Question (Section 5): Identify any published cybersecurity risk management process, such as NIST . . . used to model security architecture.
Voluntary
Of 36,000 Firms the SEC Examined Just 109
And all 36,000 Jumped!
So What is the NIST CyberSecurity Framework?
NIST Cybersecurity Framework: Tiers of Maturity
Tier 1, Partial: Risk management is ad hoc, with limited awareness of risks and no collaboration with others
Tier 2, Risk Informed: Risk-management processes and programs are in place but are not integrated enterprise-wide; collaboration is understood but the organization lacks formal capabilities
Tier 3, Repeatable: Formal policies for risk-management processes and programs
Tier 4, Adaptive: Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration
How: NIST CyberSecurity Framework
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
Repeat the steps as needed (rinse and repeat)
Chicago Style
• Innovative: Driven by the Chicago derivatives business's thirst for a technical edge
• Pragmatic: Driven by the incredible leverage from using cash for trading, not IT
• Fearless: Driven by expertise tackling big, fast, complicated technology
• Tenacious: Driven by the Mid-Western work ethic
• Creative: Driven by a willingness to build solutions rather than empires.
...CHICAGO SCHOOL of CYBERSECURITY
CHI ECTF
Lessons Learned
Great, Now What? DELEGATE! Roll Your Own NIST Manual
Cybersecurity Risk Management & Network Operations Center Manual
INTRODUCTION
RISK MANAGEMENT STRATEGY STATEMENT
  • Risk Management Process
  • Integrated Risk Management Program
  • External Participation
SCOPE OF RISK MANAGEMENT PROGRAM
  • Asset, Change, and Configuration Management
  • Cybersecurity Program Management
  • Supply Chain and External Dependencies Management
  • Identity and Access Management
  • Event and Incident Response, Continuity of Operations
  • Information Sharing and Communications
  • Risk Management
  • Situational Awareness
  • Threat and Vulnerability Management
  • Workforce Management
INFRASTRUCTURE UPGRADE PRIORITIES
  • Current CyberSecurity Profile
  • Target Profile
  • Technology Debt
CYBERSECURITY ROADMAP & MILESTONES
Appendix 1: REGISTRY OF PRIMARY CYBERSECURITY RISKS
Appendix 2: REGISTRY OF STAKEHOLDERS AND USERS
Etc.
Lessons Learned
Conduct Application Specific Self-Evaluations
Self-evaluations are available, including from ICS-CERT or Energy.gov. Just go download a template!
Lessons Learned
15 Top-Paying Certifications: 5 are in CyberSecurity
1. Certified in Risk and Information Systems Control (CRISC): $119,227
2. Certified Information Security Manager (CISM): $118,348
3. Certified Information Systems Security Professional (CISSP): $110,603
5. Certified Information Systems Auditor (CISA): $106,181
13. Certified Ethical Hacker (CEH): $95,155
Lessons Learned
From: Global Knowledge
100s of Certifications to Buy
Class, Test
The Investment that Beats Your 401k!
Lessons Learned
Self-Test and Take-Aways
• NIST Framework Makes Everyone’s Job Less Complicated
• Shift from DR & Compliance -to- Risk Control & Cyber
• Compliance Creep – Yes Inevitable
• Holistic Knowledge (firm, business model, Industry, environment)
• Scramble for Standards Relevance — Map From not To
• De-Perimeterisation, One Function Per Server, & Segmentation
• Negligent Fiduciary Care – Half-Life of the Complacent
• NIST CyberSecurity Framework – One Ring to Map Them All
Dwight Koop, Cohesive Networks
[email protected]
@DwightKoop
@CohesiveNet
Stay in touch