24 June 2014
ISACA CSX Cybersecurity Webinar
20 Critical Controls for Cyber Defense
Attendee Questions & Answers

On 24 June 2014, Dr. Vilius Benetis, CISA, CRISC, cyber-security solutions architect, presented a 60-minute webinar on 20 Critical Controls for Cyber Defense. It will be available on archive until June 2015; please visit http://www.isaca.org/cyber/Pages/Archived-CyberWebinars.aspx to access it. Vilius has been able to respond to many of the questions that were asked by attendees. Below is a recap.

1. QUESTION: The controls detail pre-incident activity. Where do I get information about an attack in progress, and how do I get back to a good state?
   ANSWER: CC18 is about incident response; however, it is very brief. So I would suggest looking at NIST SP 800-61, Rev. 2, for overall capability building. As for practical guidance on what to do: if you already have the CCs in place, you have plenty of information to analyse, especially if you have a capable HIDS and forensic on-host monitoring/recording capability. Finally, if the attack is advanced, you might need to put a new image on the system. There is quite a lot of activity guidance in the ISACA CSX publications/books I have presented: www.isaca.org/cyber

2. QUESTION: Can the 20 critical controls be used to assist in compliance management? If yes, how, in relation to COBIT 5?
   ANSWER: CCs provide technical capabilities and measurements to help prove compliance. Most probably, if compliance is about information security, the CCs will be relevant for that.

3. QUESTION: Is there a mapping of these top 20 controls to NIST SP 800-53 rev 4?
   ANSWER: Yes, http://www.counciloncybersecurity.org/criticalcontrols/tools/ has a mapping; however, it is only for critical controls 4.1, not updated to v5 yet, but the essence is the same.

4. QUESTION: Critical controls only deal with technical controls.
   ANSWER: They are designed to deal with technical aspects, practically what to do. In that way they assist any management framework.

5. QUESTION: I have a question: what is the best way to protect cyber security at the workplace? We do have the firewall and all the security systems; however, users are still accessing websites which are not allowed.
   ANSWER: Most probably you should get a Secure Web Gateway function. If you google for them and also include the word "Gartner", you will get an analysis document of what such a function does and what kind of vendors are players in the market.

6. QUESTION: You mentioned that the NIST Cybersecurity Framework doesn't attend to all controls; how much of the cybersecurity controls does it cover?
   ANSWER: There is no direct overlap mapping; there is an association mapping in the NIST framework itself, please have a look at the tables there.

7. QUESTION: Here is the document for the mapping of the 20 critical security controls to the NIST Framework: http://systemexperts.com/media/pdf/SystemExperts-SANS20-1.pdf (page 3 onwards)
   ANSWER: Yes, this is a good document; just be aware that it is almost 3 years old. I would suggest checking from time to time for an updated list of tools at http://www.counciloncybersecurity.org/criticalcontrols/tools/

8. QUESTION: Do you have any opinion on the use of VPNs to secure cyber activity?
   ANSWER: VPNs provide a layer of encapsulation for your traffic; however, you should appropriately set the authentication, authorization and encryption in VPNs, which covers quite a lot of things to do.

9. QUESTION: Can the controls also be used as a general best practice for IS?
   ANSWER: Yes.

10. QUESTION: What in your personal view would you consider to be the premier framework for cybersecurity? You did not give preference to any.
    ANSWER: Each framework is designed with a particular need, target. Thus there is no single "best" one. CCs are the most practical guidance on technical aspects, to my knowledge.

11. QUESTION: When will the cybersecurity fundamentals course be available globally apart from the conferences, and where will they be offered?
    ANSWER: Please contact ISACA HQ directly for this.

12. QUESTION: Is there a likelihood that those who create malware enjoy reading this information since it is open?
    ANSWER: Sure, but they know this information anyway.

13. QUESTION: Is there any material on the 20 CC for CD in combination with data protection/privacy legislation?
    ANSWER: Not that I am aware of a direct mapping. There is a good analysis of German/French privacy laws and cybersecurity equipment, done jointly by EMC/RSA and KPMG: http://www.kpmg.de/bescheinigungen/RequestReportLaw.aspx?37823

14. QUESTION: What is your contact email?
    ANSWER: vb@nrd.no

15. QUESTION: It is suggested that one should study the three books that you can download to pass the soon-to-be-released cyber exam?
    ANSWER: For sure they would help, but not sufficient. Certification information will be communicated to members according to the ISACA HQ plan.

16. QUESTION: How important is Risk Management to Cyber Security Defense, and what can be done from the Risk perspective towards Cybersecurity defense?
    ANSWER: Risk Management identifies what the unmitigated threats to your assets/business are. If those are related to cybersecurity, CCs will definitely assist towards mitigating them.

17. QUESTION: The list of 20 critical security controls seems to come from the SANS Institute, but they were not mentioned. Is this an oversight?
    ANSWER: As I have briefly mentioned, the critical controls were moved from SANS to the Council on Cybersecurity, in order to better manage them (the Council is not for profit).

18. QUESTION: What was the source of the CSC questions?
    ANSWER: http://www.counciloncybersecurity.org/critical-controls

19. QUESTION: How can the controls framework contribute to an audit of Cybersecurity?
    ANSWER: Via measurement of metrics.

20. QUESTION: Any more details on the certification yet?
    ANSWER: No, please follow ISACA.org information.

21. QUESTION: In your opinion, what are the most reliable vulnerability testing tools?
    ANSWER: It depends on what you are testing. I suggest using several and cross-checking them, which always helps. I would like to avoid endorsing any of the tools/vendors.

22. QUESTION: For the automation metrics, reviewing reports daily falls into the same pitfall as reviewing logs, etc. How can we build logic into these automated reports? What tools (e.g. Splunk, etc.) exist to provide a better view of these reports? Where can we go to look for some of these tools for logic building?
    ANSWER: Reports should be targeted for exception (= deviation from baseline) reporting, and should be sent in short form daily by email. In that case you could easily review them as your daily routine.

23. QUESTION: BYOD question, since the future is to allow any device to be connected to the enterprise network: how can we allow any device to access enterprise data safely?
    ANSWER: You need to apply many techniques, and it depends on the data you are trying to protect and from whom.

24. QUESTION: Do you have any KRIs defined for monitoring risk?
    ANSWER: This talk was not focused on risk, thus I would not go this route here, sorry.

25. QUESTION: The speaker is talking about control 8 but my presentation view is of control 5?
    ANSWER: The example was about malware defenses, #5.

26. QUESTION: I have probably missed something, but looking on the Council on Cyber Security website, I cannot find the document Vilius is referring to. Is it possible to provide a URL to the document?
    ANSWER: It is attached as well to the presentation, at additional materials.

27. QUESTION: Most of the 20 controls seem to be present in COBIT 5 process DSS05 Manage Security Services. COBIT 5 also provides process goals which provide good measurement of effectiveness of this process and IT goals that this process supports. This can be used very effectively.
    ANSWER: Sure.

28. QUESTION: Does compliance not drive assurance?
    ANSWER: To a particular extent, sure. In reality, compliance is often achieved via certification audits, and ends up being point-in-time assurance/compliance. Thus even PCI DSS compliant organizations are often found non-compliant when the breach was occurring (according to a VISA spokesman).

29. QUESTION: Does CC on #6 mean Council of Cybersecurity?
    ANSWER: No, it means "Critical Control".

30. QUESTION: Does the consulting function of audit (as opposed to assurance) help to achieve compliance?
    ANSWER: Yes, it might be so. In reality it depends.

31. QUESTION: I think you mean: "bake in" the security controls, as versus installation AFTER deployment (?)
    ANSWER: "Bake in" in the sense of "integrated into operations", "make it seamless".

32. QUESTION: I am not a practitioner but I want to build a career in cybersecurity/information security. Do you have any other webinars for beginners?
    ANSWER: The BrightTALK information security channel could be a good place to start, even though it is quite loaded with vendor marketing: https://www.brighttalk.com/channel/288. Additionally, please have a look at courses freely available online.

ISACA offers cutting-edge thought leadership, research and advice on the current and emerging threat environment and how you can be better prepared to counter it. You can access them here: http://www.isaca.org/cyber/Pages/CyberWebinars.aspx
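As an added illustration of the exception-reporting approach described in the answer to question 22 (this is example code written for this page, not code from the webinar, its materials or the Council on Cybersecurity), the script below compares a day's host and listening-port inventory against an approved baseline and renders only the deviations as a short digest of the kind one would mail out daily. The baseline, the "scan" and the field names (`hostname`, `owner`, `ports`, and the dict-keyed-by-IP layout) are constructed sample data and assumptions of mine, not any product's format.

```python
"""Exception (deviation-from-baseline) report for a host/port inventory.

Added example for this page, not from the webinar. The baseline and the
observed scan are constructed sample data; field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed baseline: approved hosts and the listening ports expected on each.
BASELINE = {
    "10.0.1.10": {"hostname": "web01", "owner": "webteam", "ports": {22, 443}},
    "10.0.1.11": {"hostname": "db01", "owner": "dba", "ports": {22, 5432}},
    "10.0.1.12": {"hostname": "jump01", "owner": "secops", "ports": {22}},
}

# Constructed "today's scan": db01 is gone, an unknown host appeared with RDP
# open, and web01 opened a port that is not in its baseline.
OBSERVED = {
    "10.0.1.10": {"hostname": "web01", "ports": {22, 443, 8080}},
    "10.0.1.12": {"hostname": "jump01", "ports": {22}},
    "10.0.1.50": {"hostname": "unknown", "ports": {3389}},
}


@dataclass
class Exceptions:
    """Only the deviations; a quiet day yields an empty instance."""
    new_hosts: dict[str, set[int]] = field(default_factory=dict)
    missing_hosts: list[str] = field(default_factory=list)
    new_ports: dict[str, set[int]] = field(default_factory=dict)
    closed_ports: dict[str, set[int]] = field(default_factory=dict)

    def is_empty(self) -> bool:
        return not (self.new_hosts or self.missing_hosts
                    or self.new_ports or self.closed_ports)


def compute_exceptions(baseline: dict, observed: dict) -> Exceptions:
    """Diff observed state against the baseline in both directions."""
    ex = Exceptions()
    for ip, obs in observed.items():
        base = baseline.get(ip)
        if base is None:                      # host not approved at all
            ex.new_hosts[ip] = set(obs["ports"])
            continue
        opened = obs["ports"] - base["ports"]  # unexpected services
        closed = base["ports"] - obs["ports"]  # expected service missing
        if opened:
            ex.new_ports[ip] = opened
        if closed:
            ex.closed_ports[ip] = closed
    for ip in baseline:
        if ip not in observed:                # approved host did not answer
            ex.missing_hosts.append(ip)
    ex.missing_hosts.sort()
    return ex


def render_digest(ex: Exceptions, baseline: dict, day: str) -> str:
    """Short-form text for a daily e-mail: one header line plus one line per
    deviation, so the reviewer never reads anything that matches the baseline."""
    lines = [f"Inventory exceptions for {day}"]
    if ex.is_empty():
        lines.append("No deviations from baseline.")
        return "\n".join(lines)
    for ip, ports in sorted(ex.new_hosts.items()):
        lines.append(f"NEW HOST   {ip} listening on {sorted(ports)} (not in baseline)")
    for ip in ex.missing_hosts:
        b = baseline[ip]
        lines.append(f"MISSING    {ip} ({b['hostname']}, owner {b['owner']})")
    for ip, ports in sorted(ex.new_ports.items()):
        lines.append(f"NEW PORT   {ip} ({baseline[ip]['hostname']}) opened {sorted(ports)}")
    for ip, ports in sorted(ex.closed_ports.items()):
        lines.append(f"PORT GONE  {ip} ({baseline[ip]['hostname']}) closed {sorted(ports)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_digest(compute_exceptions(BASELINE, OBSERVED), BASELINE, "2014-06-24"))
```

The value of this shape is that the digest stays short whether the estate has ten hosts or ten thousand; the reviewer's daily routine is to look at the deviation lines, not the full inventory. The caveat is that the report is only as trustworthy as the baseline: keep the baseline under change control and never auto-accept observed state into it, or drift silently becomes the new normal and the exception report goes quiet for the wrong reason.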