2015 GenCyber Cybersecurity Workshop

In-class Exercise:
Components of Cybersecurity
Andreea Cotoranu, Vinnie Monaco, and Chuck Tappert
Seidenberg School of CSIS, Pace University
Cybersecurity
Fun Things for Students?
Images:
• CanStockPhoto Images
• Images from Google

Videos:
• CBS News - June 9, 2015

Courses:
• Coursera: Cybersecurity - Video
• Stanford: Computer Security
• Introduction to Cybersecurity – Video
• Cybersecurity 101 – YouTube Video
Terminology: Information Security, Information Assurance, Cyber Security

Cyber Security versus Information Security
• Gov Info Security: Cybersecurity Vs. Information Security
• Florida Tech: Cybersecurity vs. Information Security

Cyber Security versus Information Assurance
• Which One is Right for You?
• Cybersecurity isn’t the same thing as information assurance
• Florida Tech: Cybersecurity vs. Information Assurance
Biometrics and Cyber Security
• Obama’s cybersecurity adviser: Biometrics will replace passwords for safety’s sake
• Biometrics and Cyber Security
• White House Event Focuses on Cyber Security and Biometrics
Wikipedia: Computer Security

Computer security, also known as cybersecurity or IT security, is security
applied to computing devices such as computers and smartphones, and
private and public computer networks, including the whole Internet.


It includes physical security to prevent theft of equipment and information
security to protect the data on that equipment.
Cybersecurity is the process of applying security measures to ensure
confidentiality, integrity, and availability of data.
• Assure the protection of assets, which includes data, desktops, servers,
  buildings, and most importantly, humans.
• Protect data both in transit and at rest. Countermeasures can be put
  in place in order to increase the security of data. Some of these
  measures include access control, awareness training, audit and
  accountability, risk assessment, penetration testing, vulnerability
  management, and security assessment and authorization.
WhatIs.com: Cybersecurity
Cybersecurity is the body of technologies, processes and
practices designed to protect networks, computers,
programs and data from attack, damage or
unauthorized access.
• In a computing context, the term security implies
  cybersecurity.
• According to a December 2010 analysis of U.S. spending
  plans, the federal government has allotted over $13
  billion annually to cybersecurity over the next five years.

UMUC: What is Cyber Security?

Network outages, data compromised by hackers,
computer viruses and other incidents affect our lives in
ways that range from inconvenient to life-threatening.
As the number of mobile users, digital applications and
data networks increase, so do the opportunities for
exploitation.

Cyber security, also referred to as information
technology security, focuses on protecting computers,
networks, programs and data from unintended or
unauthorized access, change or destruction.
Cyber Risk Management Framework
Key Components

1. Protect valuable data: Organizations should identify their most valuable information assets, where these assets
are located at any given time, and who has access to them.

2. Monitor for cyber risks: Traditional security monitoring approaches typically identify and react to cyber threats
in isolation. Security tools are designed to identify specific unusual patterns or traffic types, and then alert
operational teams to anomalous activity. Effective cyber-risk monitoring, on the other hand, focuses on building
a sustainable and resilient approach to assess intelligence inputs from various functional teams and to correlate
and dynamically adjust in real time the organization’s risk posture.

3. Understand your “cyber perimeter”: Today, a financial institution’s cyber perimeter extends to locations where
data is stored, transmitted, and accessed—by internal employees and trusted partners. Organizations should
ensure they have transparency into this expanded cybersecurity perimeter, because any weakness in the
perimeter can become a security vulnerability.

4. Improve cyber intelligence: Most financial institutions’ threat-analysis efforts are scattered across several
functions, physical locations, and systems. This disjointed nature and lack of a common methodology to
leverage intelligence can be a significant barrier to robust cyber-risk intelligence. To close the gap, organizations
should establish a robust threat-analysis capability that is built on shared intelligence, data, and research from
internal and external sources.

5. Report and take action: A strong governing team with the right knowledge, expertise, and influence will be
necessary to advance cybersecurity. An effective team can help ensure that monitoring systems are fluid and
capable of precisely responding to cyber threats, and can empower management to appropriately react.

Does a high school or university need an information security program? What’s next in your
cybersecurity program’s evolution? We’d like to hear your thoughts and comments.
Cyber Security Governance


The Information Security Officer (ISO) facilitates the lifecycle of Security
Operations, Risk Management and Security Architecture through a number of
activities and repeatable processes.

• Information Security Strategic Planning
• Information Security Roadmap Development
• Information Security Resource Planning
• Establishment of Information Security Policies, Standards, Processes and Procedures
• Information Security Training, Education and Awareness

Best practices for Information Governance are found in NIST SP 800-39, “Managing
Information Security Risk: Organization, Mission, and Information System View.”
Threat Identification


The purpose of your Security Operations Center (SOC) is to
identify threats to Information Security. As threats are
identified, they should be provided to Risk Management for
Analysis. Threats can be identified through a number of
mechanisms including:

• Intrusion Detection & Prevention Technologies.
• Notices from organizations such as the Multi-State Information Sharing
  & Analysis Center.

Best practice for identifying threats is found in Appendix D of
NIST SP 800-30 Revision 1.
Risk Management


The purpose of your Risk Management Program is to quantify the
Risks Identified by your Security Operations Center. The risks of
threats can be managed through a number of strategies including:

• Cataloguing the Risk – Establish a Risk Register.
• Quantifying the Risk – Determine if vulnerabilities exist which can be exploited by the
  threats identified.
• Measuring the Risk – Identify the impacts of realized risks.
• Communicate the Risk – Convey prioritized risks to architects so that a solution can be
  established.

NIST SP 800-37 “Guide for Applying the Risk Management
Framework to Federal Information Systems: A Security Life Cycle
Approach,” provides a best practice framework for facilitating this
activity.
Risk Mitigation


Risks are provided to Security Architects who implement or
configure security controls to mitigate the identified risks. The
following are process steps that can be used to mitigate risk:

• Determine how the risk results in exploitation of a vulnerability.
• Determine if there are existing security controls which can mitigate exploitation.
• Implement or re-configure the security control to mitigate the risk.
• Develop a mechanism to identify whether risk exploitation is occurring and a solution
  for monitoring this risk.

NIST SP 800-53 “Security and Privacy Controls for Federal Information
Systems and Organizations,” illustrates a catalogue of security
controls that can be used to identify mitigation strategies.
National Cybersecurity Workforce Framework

The Framework establishes:
• A common taxonomy and lexicon for cybersecurity workers that
  organizes cybersecurity into 31 specialty areas within 7 categories.
• A baseline of tasks, specialty areas, and knowledge, skills and abilities
  (KSAs) associated with cybersecurity professionals.

And assists with strategic human capital efforts, including:
• Workforce planning
• Recruitment and Selection
• Training and Development
• Succession Planning
Copyright for Material Reuse

Copyright© 2015 Charles Tappert (ctappert@pace.edu), Pace
University. Please properly acknowledge the source for any reuse of
the materials as below.


Charles Tappert, 2015 GenCyber Cybersecurity Workshop, Pace
University
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation
License, Version 1.3 or any later version published by the Free
Software Foundation. A copy of the license is available at
http://www.gnu.org/copyleft/fdl.html.
Acknowledgment

The authors would like to acknowledge the support from the
National Science Foundation under Grant No. 1027400 and from the
GenCyber program in the National Security Agency. Any opinions,
findings, and conclusions or recommendations expressed in this
material are those of the author(s) and do not necessarily reflect the
views of the National Science Foundation, the National Security
Agency or the U.S. government.