telling the infosec story

Click here to load reader

Post on 29-Jul-2015




1 download

Embed Size (px)


1. Telling the InfoSec Story EDWARD MARCHEWKA, CISSP [email protected] 2. Some Quotes oU.S. Director of National Intelligence, James Clapper, identified cyber attacks and cyber espionage as the nations biggest threat, passing that of terrorism. At the top of the list of threats, cyber security risks our infrastructure, national security, information, and Internet governance. oWorldwide Threat Assessment, 12 Mar 2013 oLeaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain" oTHE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS OFFICE OF THE CHAIRMAN JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE oIt is the kind of capability that can basically take down a power grid, take down a water system, take down a transportation system, take down a financial system. We are now in a world in which countries are developing the capability to engage in the kind of attacks that can virtually paralyze a country. The whole point of this is that we simply dont just sit back and wait for a goddamn crisis to happen. In this country we tend to do that, and thats a concern. oDefense Secretary Leon Panetta, 12 Oct 2012 3. Disclaimers o Everything stated in this message is to be considered my own opinion, and not an official representation of Chicago Public Schools (CPS) or any other CPS employees. oThere may be bad jokes for which I do not apologize. (like this one) oJust a couple extras Actual mileage may vary. Price does not include tax, title, and license. Some assembly required. Each sold separately. Batteries not included. Objects in mirror are closer than they appear. If conditions persist, contact a physician. Keep out of reach of children. Avoid prolonged exposure to direct sunlight. Keep in a cool dark place. oAny spelling and grammar mistakes in this presentation are all entirely my fault and on purpose. oCitation: Merriam-Webster's collegiate dictionary (10th ed.). (1993). Springfield, MA: Merriam-Webster. 4. Some interesting notes... o If CPS were Fortune rated, it would sit in the Fortune 500, about 454. (up from 2013) o CPS serves approx. 440,000 end users (staff and students). This doesnt include parents and guardians. o The population of Wyoming is roughly 563,000. o The population of The Bahamas is roughly 368,000 o If CPS were a country, it would be the 174th most populous out of 242, and rank 151st by GDP. 5. What well do o What to Measure o Metrics o Aggregation oPresenting your Results o Risk and Effort 6. How you know it is all working? o The story you tell o But to tell a better story you need: o Measures o Metrics o and Business Outcomes 7. Why? 8. What to measure? o Use NIST 800-55r1 Jul. 2008 9. NIST 800-55r1, pg. A-3 10. What to measure? o Use NIST 800-55r1 Jul. 2008 o 20 Critical Security Controls v5.0 - 2014 ( security-controls/) 11. SANS CSC 20v5 1, pgs. 10, 11 12. Patch Latency Server OS # of APs with WEP # infected machines/total machines Incident Response and Mgmt. % Complete Awareness Training # Vuln. In Web Apps Scan CCS ESS NW InfoSec Training Apps How well is the A/V solution handling things on its own? Unpatched systems Top 10 attack vector WEP can be cracked in ~10 sec. how susceptible are you? Once you are breached, are you ready? Compliance Liability Reduction Follow-up metric, how is remediation coming along? 13. Aggregation IT Training Zone LTD www. Service Design Lesson 5 14. Confidentiality AvailabilityIntegrity 15. What CIA Means to Me o Confidentiality FERPA Compliance, roughly $3B o Integrity State Reporting and Funding, roughly $3B o Availability Educational and Employee Access 16. Operational (Tactical) Group (Team) Business Confidentiality (Score) Server Patching Image Age Network APs Pen Test 17. Confidentiality Strategy items: Government, Community, and Threats Relates to: FERPA Compliance Data Loss Measurement Score: 82/92 Of the 36/36 metrics that are available in this category 4/36 are reporting amber % of devices with McAfee agent, % of devices checking in are up-to-date, % of APs with WEP, # of threat events not remediated/# of threat events 1/36 are reporting red % of unauthorized APs/rogue APs remediated 18. CIA Roll-Up o Lets take a look at how these can roll up and be presented to have a discussion o Summary slides with descriptors (just saw this) o BRAG Chart provides the details o Run chart great for the Board o Quick summary but also shows a forecast o Helps ask for funding o Magic Quadrant Chart Cost vs. Efficiency o How do you know which way to present and how do you want to receive the information? o Pick one o Minto method o Or just ask! 19. Summary Run Chart 20. Magic Quadrant - Example 21. Risk and Effort Ratings Example 22. How does this help? o Now you have had a better conversation with your CISO or CIO and the Executive Team. o You have shed light onto the security operations and given the executive team the opportunity to ask questions. o If the executive team knows that company IP, brand reputation, and revenue streams are at risk, maybe they will give you some funding to lower that risk. o Solicit feedback, You have to ask! o Find out what else the exec team wants to know o Have clear discussion with your CISO or CIO of what you want o Find out how to make it clearer o Remember it is evolving 23. What we did o What to Measure o Metrics o Aggregation oPresenting your Results o Risk and Effort 24. Questions Edward Marchewka @ejmarchewka [email protected]