Index > Cyber Risk and Resilience > 2021-08-30: Hurdles, State, and intro to Frameworks

2021-08-30: Hurdles, State, and intro to Frameworks

Cybersecurity Hurdles

Organizational Silos - they don’t often talk to each other, outside of incidents. There is a push for a “Chief Risk Officer” - who’s job is to break the boundaries between these silos.

Insufficient Business Involvement - csec isn’t a technological problem, it’s a business problem.

Over-reliance on training and communications - If you have the training, cyber insurance will cover you; but you can’t rely on just that.

“Cyber resilient organizations can contain attacks without relying solely on people as the way to mitigate risk.”

Talent Shortfalls - we just don’t have enough people.

The state of Cybersecurity

What’s out there?

Nation State Threats - These boys are big, and to assume they only attack govs is a mistake.

Organized Crime and hackers - The black market provides tools and even customer support.

Hacktivists - hacking for political or social causes. No matter what you’re doing, someone out there doesn’t like it.

Insider Threat - Employees, Vendors, Contractors; often approached by black market actors offering funds for info.

Substandard Products and Services - Not everything you interact with is as good as you are.

Frameworks

A framework is a checklist to make your auditors happy.

NIPP 2013

This started with critical infrastructure.

• Chemical
• Commercial favilities
• Communications
• Critical manuafacturing
• Dams defense industrial base
• Emergency services
• Energy
• Financial services
• Food and Agriculture
• Gov. Facilities
• Healthcare / public health
• Information Technology
• Nuclear reactors, materials, waste
• Transportation systems
• Water systems
• Wastewater systems

Evolving Threats to Critical Infrastructure:

• Pandemics
• Extreme Weather
• Accidents or Technical Failures
  • Solar flare?
• Cyber Threats
• Acts of Terrorism

ISO 27001

International Standards Organization publishes high-level “best practices”. It looks at:

• Physical and environmental security
  • “Gates, Guards, and Guns”
• Access control and access management
  • card swipes lmao
• IT security Practices
• Cryptography
  • Keep them credit cards on lock
• Communication Security
  • HTTPS
  • Shredders
• Incident Management and Compliance
  • PICERL

This framework suggests hundreds of potential controls.

How do you know your blinky lights are working? Evaluation is important.

COBIT-5

By the Information Systems Audit and Control Association (ISACA).

Another thick one. It’s expensive too.

PCI DSS

Payment Card Industry Data Security Standard.

If you want to interact with payment card gateways, you have to be in compliance with this.

“This is a smaller framework” - Prof. If this is small, I can’t imagine what the big ones are.

CIS Critical Security Controls

A set of recommended controls. A large group of volunteers maintains this set.

FISMA

Federal information Security Modernization Act.

NIST CSF

National Institute of Standards and Technology Cyber Security Framework.

The latest framework. Very popular. It’s made by NIST, free for everyone.

This is the one we’ll be focusing on for the rest of the course.

The 5 core areas:

• Identify
• Protect
• Detect
• Respond
• Recover

NIST CSF comes with mappings, to connect it to a ton of other frameworks.

Who uses the CSF?

• Senior Executives
  • How do we protect the company?
• Implementations / Operations
  • They do the technicals
• Specialists in Other Fields

A nist CSF Profile - what is this? It’s a profile of where an organization stands by the CSF’s standards. How does the org measure up?

The 7 step process

• Prioritize and Scope
  • What are our organizational goals?
• Orient
  • What are our assets?
• Create a Current Profile
  • Where am I?
• Conduct a Risk Assessment
  • Where should I go?
• Create a Target Profile
  • Where exactly do I want to go
• Determine, Analyze, Prioritize Gaps
  • What is the difference between here and there?
  • Which gap is the most important?
• Implementation Action Plan
  • LESSGOOOO

Homework

• Chapter 1 of The basics of Information Security
• Chapter 1 of Cybersecurity for Executives
• Other articles in MyCourses
• Homework Document
  • Will be posted soon

Some information will be coming out over slack in the next few days.