In-class Exercise: Components of Cybersecurity
Andreea Cotoranu, Vinnie Monaco, and Chuck Tappert
Seidenberg School of CSIS, Pace University
2015 GenCyber Cybersecurity Workshop

Cybersecurity Fun Things for Students?

- Images: CanStockPhoto Images; Images from Google
- Videos: CBS News - June 9, 2015
- Courses: Coursera: Cybersecurity - Video; Stanford: Computer Security
- Introduction to Cybersecurity – Video
- Cybersecurity 101 – YouTube Video

Terminology: Information Security, Information Assurance, Cyber Security

Cyber Security versus Information Security
- Gov Info Security: Cybersecurity Vs. Information Security
- Florida Tech: Cybersecurity vs. Information Security

Cyber Security versus Information Assurance
- Which One is Right for You?
- Cybersecurity isn’t the same thing as information assurance
- Florida Tech: Cybersecurity vs. Information Assurance

Biometrics and Cyber Security

- Obama’s cybersecurity adviser: Biometrics will replace passwords for safety’s sake
- Biometrics and Cyber Security
- White House Event Focuses on Cyber Security and Biometrics

Wikipedia: Computer Security

Computer security, also known as cybersecurity or IT security, is security applied to computing devices such as computers and smartphones, and private and public computer networks, including the whole Internet. It includes physical security to prevent theft of equipment and information security to protect the data on that equipment.

Cybersecurity is the process of applying security measures to ensure confidentiality, integrity, and availability of data. Assure the protection of assets, which includes data, desktops, servers, buildings, and most importantly, humans. Protect data both in transit and at rest. Countermeasures can be put in place in order to increase the security of data.
Some of these measures include access control, awareness training, audit and accountability, risk assessment, penetration testing, vulnerability management, and security assessment and authorization.

WhatIs.com: Cybersecurity

Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity.

According to a December 2010 analysis of U.S. spending plans, the federal government has allotted over $13 billion annually to cybersecurity over the next five years.

UMUC: What is Cyber Security?

Network outages, data compromised by hackers, computer viruses and other incidents affect our lives in ways that range from inconvenient to life-threatening. As the number of mobile users, digital applications and data networks increase, so do the opportunities for exploitation.

Cyber security, also referred to as information technology security, focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction.

Cyber Risk Management Framework Key Components

1. Protect valuable data: Organizations should identify their most valuable information assets, where these assets are located at any given time, and who has access to them.

2. Monitor for cyber risks: Traditional security monitoring approaches typically identify and react to cyber threats in isolation. Security tools are designed to identify specific unusual patterns or traffic types, and then alert operational teams to anomalous activity. Effective cyber-risk monitoring, on the other hand, focuses on building a sustainable and resilient approach to assess intelligence inputs from various functional teams and to correlate and dynamically adjust in real time the organization’s risk posture.

3. Understand your “cyber perimeter”: Today, a financial institution’s cyber perimeter extends to locations where data is stored, transmitted, and accessed—by internal employees and trusted partners. Organizations should ensure they have transparency into this expanded cybersecurity perimeter, because any weakness in the perimeter can become a security vulnerability.

4. Improve cyber intelligence: Most financial institutions’ threat-analysis efforts are scattered across several functions, physical locations, and systems. This disjointed nature and lack of a common methodology to leverage intelligence can be a significant barrier to robust cyber-risk intelligence. To close the gap, organizations should establish a robust threat-analysis capability that is built on shared intelligence, data, and research from internal and external sources.

5. Report and take action: A strong governing team with the right knowledge, expertise, and influence will be necessary to advance cybersecurity. An effective team can help ensure that monitoring systems are fluid and capable of precisely responding to cyber threats, and can empower management to appropriately react.

Does a high school or university need an information security program? What’s next in your cybersecurity program’s evolution? We’d like to hear your thoughts and comments.

Cyber Security Governance

The Information Security Officer (ISO) facilitates the lifecycle of Security Operations, Risk Management and Security Architecture through a number of activities and repeatable processes.
- Information Security Strategic Planning
- Information Security Roadmap Development
- Information Security Resource Planning
- Establishment of Information Security Policies, Standards, Processes and Procedures
- Information Security Training, Education and Awareness

Best practice for Information Governance is found in NIST SP 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View.”

Threat Identification

The purpose of your Security Operations Center (SOC) is to identify threats to Information Security. As threats are identified, they should be provided to Risk Management for analysis.

Threats can be identified through a number of mechanisms including:
- Intrusion Detection & Prevention Technologies.
- Notices from organizations such as the Multi-State Information Sharing & Analysis Center.

Best practice for identifying threats is found in Appendix D of NIST SP 800-30 Revision 1.

Risk Management

The purpose of your Risk Management Program is to quantify the risks identified by your Security Operations Center.

The risks of threats can be managed through a number of strategies including:
- Cataloguing the Risk – Establish a Risk Register.
- Quantifying the Risk – Determine if vulnerabilities exist which can be exploited by the threats identified.
- Measuring the Risk – Identify the impacts of realized risks.
- Communicating the Risk – Convey prioritized risks to architects so that a solution can be established.

NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” provides a best practice framework for facilitating this activity.

Risk Mitigation

Risks are provided to Security Architects who implement or configure security controls to mitigate the identified risks.
The following are process steps that can be used to mitigate risk:
- Determine how the risk results in exploitation of a vulnerability.
- Determine if there are existing security controls which can mitigate exploitation.
- Implement or re-configure the security control to mitigate the risk.
- Develop a mechanism to identify whether risk exploitation is occurring and a solution for monitoring this risk.

NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” provides a catalogue of security controls that can be used to identify mitigation strategies.

National Cybersecurity Workforce Framework

The Framework establishes:
- A common taxonomy and lexicon for cybersecurity workers that organizes cybersecurity into 31 specialty areas within 7 categories.
- A baseline of tasks, specialty areas, and knowledge, skills and abilities (KSAs) associated with cybersecurity professionals.

And assists with strategic human capital efforts, including:
- Workforce Planning
- Recruitment and Selection
- Training and Development
- Succession Planning

Copyright for Material Reuse

Copyright © 2015 Charles Tappert (ctappert@pace.edu), Pace University. Please properly acknowledge the source for any reuse of the materials as below.

Charles Tappert, 2015 GenCyber Cybersecurity Workshop, Pace University

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html.

Acknowledgment

The authors would like to acknowledge the support from the National Science Foundation under Grant No. 1027400 and from the GenCyber program in the National Security Agency. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, the National Security Agency or the U.S. government.