20-Critical-Controls-for-Cyber-Defense-QA

24 June 2014 ISACA CSX Cybersecurity Webinar
20 Critical Controls for Cyber Defense
Attendee Questions & Answers
On 24 June 2014, Dr. Vilius Benetis, CISA, CRISC, cyber-security solutions architect, presented a 60-minute webinar on 20 Critical Controls for Cyber Defense. It will be available in the archive until June 2015;
please visit http://www.isaca.org/cyber/Pages/Archived-CyberWebinars.aspx to access it.
Vilius has been able to respond to many of the questions that were asked by attendees. Below is a
recap:
1. Question: The controls detail pre-incident activity. Where do I get information about an attack in progress, and how do I get back to a good state?
   Answer: CC18 is about incident response; however, it is very brief. So I would suggest looking at NIST SP 800-61, Rev. 2, for overall capability building. And for practical guidance on what to do: if you already have CC in place, you have plenty of information to analyse, especially if you have capable HIDS and forensic on-host monitoring/recording capability. Finally, if the attack is advanced, you might need to put a new image on the system. There is quite some activity guidance in the ISACA CSX publications/books I have presented: www.isaca.org/cyber

2. Question: Can the 20 critical controls be used to assist in compliance management? If yes, how, in relation to COBIT 5?
   Answer: CCs provide technical capabilities and measurements to help prove compliance. Most probably, if compliance is about information security, the CCs will be relevant for that.

3. Question: Is there a mapping of these top 20 controls to NIST SP 800-53 rev 4?
   Answer: Yes, http://www.counciloncybersecurity.org/criticalcontrols/tools/ has a mapping; however, only for critical controls 4.1, not updated to v5 yet, but the essence is the same.

4. Question: Critical controls only deal with technical controls.
   Answer: They are designed to deal with technical aspects, practically what to do. In such a way they assist any management framework.

5. Question: I have a question: what is the best way to protect cyber security at the workplace? We do have the firewall and all the security systems; however, users are still accessing websites which are not allowed.
   Answer: Most probably you should get a Secure Web Gateway function. If you google for them and also include the word "Gartner", you will get an analysis document of what such a function does, and what kind of vendors are players in the market.

6. Question: You mentioned that the NIST Cybersecurity Framework doesn't attend to all controls. How much of the cybersecurity controls does it cover?
   Answer: There is no direct overlap mapping; there is association mapping in the NIST framework itself, please have a look at the tables there.

7. Question: Here is the document for the mapping of 20 critical security controls to the NIST Framework: http://systemexperts.com/media/pdf/SystemExperts-SANS20-1.pdf (page 3 onwards)
   Answer: Yes, this is a good document, just be aware that it is almost 3 years old. I would suggest checking from time to time for an updated list of tools at http://www.counciloncybersecurity.org/criticalcontrols/tools/

8. Question: Do you have any opinion on the use of VPNs to secure cyber activity?
   Answer: VPNs provide a layer of encapsulation for your traffic; however, you should appropriately set the authentication, authorization and encryption in VPNs, which covers quite a lot of things to do.

9. Question: Can the controls also be used as a general best practice for IS?
   Answer: Yes.

10. Question: What in your personal view would you consider to be the premier framework for cybersecurity? You did not give preference to any.
    Answer: Each framework is designed with a particular need and target. Thus there is no single "best" one. CCs are the most practical guidance on technical aspects, to my knowledge.

11. Question: When will the cybersecurity fundamentals course be available globally apart from the conferences, and where will it be offered?
    Answer: Please contact ISACA HQ directly for this.

12. Question: Is there a likelihood that those who create malware enjoy reading this information since it is open?
    Answer: Sure, but they know this information anyway.

13. Question: Is there any material on the 20 CC for CD in combination with data protection/privacy legislation?
    Answer: Not that I am aware of a direct mapping. There is a good analysis of German/French privacy laws and cybersecurity equipment, done jointly by EMC/RSA and KPMG: http://www.kpmg.de/bescheinigungen/RequestReportLaw.aspx?37823

14. Question: What is your contact email?
    Answer: vb@nrd.no

15. Question: It is suggested that one should study the three books that you can download to pass the soon to be released cyber exam?
    Answer: For sure they would help, but are not sufficient. Certification information will be communicated to members according to the ISACA HQ plan.

16. Question: How important is Risk Management to Cyber Security Defense, and what can be done from the Risk perspective towards Cybersecurity defense?
    Answer: Risk Management identifies what the unmitigated threats to your assets/business are. If those are related to cybersecurity, CCs will definitely assist towards mitigating them.

17. Question: The list of 20 critical security controls seems to come from the SANS Institute, but they were not mentioned. Is this an oversight?
    Answer: As I have briefly mentioned, the critical controls were moved from SANS to the Council on Cybersecurity, in order to better manage them (the Council is not for profit).

18. Question: What was the source of the CSC questions?
    Answer: http://www.counciloncybersecurity.org/critical-controls

19. Question: How can the controls framework contribute to an audit of Cybersecurity?
    Answer: Via measurement of metrics.

20. Question: Any more details on the certification yet?
    Answer: No, please follow ISACA.org information.

21. Question: In your opinion, what are the most reliable vulnerability testing tools?
    Answer: Depends on what you are testing. I suggest using several and cross-checking them, which always helps. I would like to avoid endorsing any of the tools/vendors.
22. Question: For the automation metrics, reviewing reports daily falls into the same pitfall as reviewing logs etc. How can we build logic into these automated reports? What tools (e.g. Splunk etc.) exist to provide a better view of these reports? Where can we go to look for some of these tools for logic building?
    Answer: Reports should be targeted for exception (= deviation from baseline) reporting, and should be sent in short form daily by email. In that case you could easily review them as your daily routine.

23. Question: BYOD question, since the future is to allow any device to be connected to the enterprise network. How can we allow any device to access enterprise data safely?
    Answer: You need to apply many techniques, and it depends on the data you are trying to protect and from whom.

24. Question: Do you have any KRIs defined for monitoring risk?
    Answer: This talk was not focused on risk, thus I would not go this route here, sorry.

25. Question: Speaker is talking about control 8 but my presentation view is of control 5?
    Answer: The example was about malware defenses, #5.

26. Question: I have probably missed something, but looking on the Council on Cyber Security website, I cannot find the document Vilius is referring to. Is it possible to provide a URL to the document?
    Answer: It is attached as well to the presentation, in the additional materials.

27. Question: Most of the 20 controls seem to be present in COBIT 5 process DSS05 Manage Security Services. COBIT 5 also provides process goals which provide good measurement of the effectiveness of this process, and IT goals that this process supports. This can be used very effectively.
    Answer: Sure.

28. Question: Does compliance not drive assurance?
    Answer: To a particular extent, sure. In reality, compliance is often achieved via certification audits, and ends up being point-in-time assurance/compliance. Thus even PCI DSS compliant organizations are often found non-compliant when the breach was occurring (according to a VISA spokesman).

29. Question: Does CC on #6 mean Council of Cybersecurity?
    Answer: No, it means "Critical Control".

30. Question: Does the consulting function of audit (as opposed to assurance) help to achieve compliance?
    Answer: Yes, it might be so. In reality it depends.

31. Question: I think you mean "bake in" the security controls, as opposed to installation AFTER deployment (?)
    Answer: "Bake in" in the sense of "integrated into operations", "make it seamless".
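The exception-from-baseline reporting recommended in the answer to question 22 above, shown as an added example for the asset and software inventory controls (CC1/CC2); this is illustrative code written for this recap, not material from the webinar, and every host name and package name in it is constructed.

```python
# Added example, not from the webinar: a daily exception-from-baseline report
# for the asset/software inventory controls (CC1/CC2), as the answer to
# question 22 recommends. All hosts and package names are constructed.
BASELINE = {  # approved inventory: host -> authorized software
    "ws-101": {"os-build 2014.05", "office", "endpoint-av"},
    "ws-102": {"os-build 2014.05", "office", "endpoint-av"},
    "srv-db1": {"os-build 2014.05", "dbms", "endpoint-av"},
}
OBSERVED = {  # what today's scan found (constructed)
    "ws-101": {"os-build 2014.05", "office", "endpoint-av"},
    "ws-102": {"os-build 2014.05", "office"},  # AV agent missing
    "srv-db1": {"os-build 2014.05", "dbms", "endpoint-av", "remote-admin-tool"},
    "ws-unknown": {"os-build 2013.11"},  # host not in the baseline
}

def build_exceptions(baseline, observed):
    """Return only deviations: unknown/missing hosts and, per known host,
    software that is unauthorized or expected but absent."""
    exc = {
        "unknown_hosts": sorted(set(observed) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(observed)),
        "unauthorized_software": {},
        "missing_software": {},
    }
    for host in sorted(set(baseline) & set(observed)):
        extra = observed[host] - baseline[host]
        absent = baseline[host] - observed[host]
        if extra:
            exc["unauthorized_software"][host] = sorted(extra)
        if absent:
            exc["missing_software"][host] = sorted(absent)
    return exc

def exception_count(exc):
    """Single headline metric, suitable for the daily mail subject line."""
    return (len(exc["unknown_hosts"]) + len(exc["missing_hosts"])
            + sum(len(v) for v in exc["unauthorized_software"].values())
            + sum(len(v) for v in exc["missing_software"].values()))

def format_report(exc):
    """Short-form body: one line per deviation; a clean day is a single line."""
    lines = [f"Inventory exceptions: {exception_count(exc)}"]
    lines += [f"  UNKNOWN HOST    {h}" for h in exc["unknown_hosts"]]
    lines += [f"  MISSING HOST    {h}" for h in exc["missing_hosts"]]
    lines += [f"  UNAUTHORIZED SW {h}: {', '.join(s)}"
              for h, s in exc["unauthorized_software"].items()]
    lines += [f"  MISSING SW      {h}: {', '.join(s)}"
              for h, s in exc["missing_software"].items()]
    return "\n".join(lines)
```

Running format_report(build_exceptions(BASELINE, OBSERVED)) yields the short body that would go into the daily email; the point is that a day with no deviations produces a single line, so the daily review does not degrade into reading full inventory dumps.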
32. Question: I am not a practitioner but I want to build a career in cybersecurity/Information Security. Do you have any other webinars for beginners?
    Answer: The BrightTALK information security channel could be a good place to start, even though it is quite loaded with vendor marketing: https://www.brighttalk.com/channel/288 . Additionally please have a look at courses freely available online.

ISACA offers cutting-edge thought leadership, research
and advice on the current and emerging threat
environment and how you can be better prepared to
counter it. You can access them here:
http://www.isaca.org/cyber/Pages/CyberWebinars.aspx