Our stuff keeps your stuff from becoming their stuff (CI Security)

Posted 03-Jun-2020, Category: Documents

Transcript of the slide deck:

  • CI Security: Mike Hamilton, Founder and CISO

    Our stuff keeps your stuff from becoming their stuff

  • The Cyber Maturity Model Certification: Time To Get Serious

    Critical Infrastructure Risk Management

    March 5, 2019

  • Your Presenter

    • Founder, CI Security

    • Policy Advisor, Washington State

    • CISO, City of Seattle

    • Managing Consultant, VeriSign

    • Senior Principal Consultant, Guardent

    • Independent Security Consultant

    • Founder, Network Commerce, Inc.

    • Ocean Scientist, NASA/JPL

  • About CI Security Professional Services, Continuous Vulnerability Identification (CVI), and Log Management

    Professional Services:

    • IR Plan Tabletop Exercise

    • Incident Response Plan

    • Policy, Process & Procedure Development

    • Internal & External Vulnerability Assessment

    • Focused Security Assessment

    Ongoing / Periodic:

    • Continuous Vulnerability Identification

    • Managed Detection & Response

    • Penetration Testing

    • Log Management

    • Focused Security Assessment

    Periodic/Annual Information Security Maintenance Activities:

    • Annual Policy Review

    • Annual Penetration Testing

    • Regular IR Plan TTEs

    • Firewall Rule Review

  • Why Are We Here? Report: Hackers target defense contractors, telecoms

    "Hacking groups with ties to Iran spent much of their time targeting the defense and government sectors in the U.S. and elsewhere, and the firm said it tracked a noticeable shift in emphasis to the United States in the latter half of 2019. This targeting of U.S. entities began picking up around the same time as the 2019 Gulf of Oman incident, when three oil tankers and a bunkering ship were damaged with explosives, with U.S. officials blaming Iran."

    Source: https://defensesystems.com/articles/2020/03/04/crowdstrike-report-cyber-johnson.aspx?m=1

  • Outcomes to Avoid, Financial Impacts

    - Records Disclosure: ~$150/record

    - Theft: $75K-$1.2M in our region, millions elsewhere (and rising)

    - Disruption: Loss of business continuity or operating capacity, loss of life for certain critical service outages

    And NOW – You’re a Threat to Business Partners

  • The Third Party Microscope

  • Saw This One Coming

    • Market forces versus regulatory requirements to address security: a long, ongoing discussion

    • The show-your-papers business climate was predictable

    • Differentiate your business and get more business based on your security: there’s an actual ROI there

  • What is a Capability Maturity Model?

  • And What is the CMMC?

    • The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.

    • The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.

    • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.

    • The intent is for certified independent third-party organizations to conduct audits and inform risk.

  • History

    • Intended to protect Controlled Unclassified Information (CUI)

    • Still in its development stages

    • DFARS regulation required assessment against NIST 800-171

    • No one did that

    • New capability maturity model adopted, with certification requirement

    • Now at version 0.7

    • Practices measure technical activities; processes measure the maturity of processes.

  • What Are Those Practices? The Moving Parts of NIST 800-171

    Access Control (3.1)

    Awareness & Training (3.2)

    Audit & Accountability (3.3)

    Configuration Management (3.4)

    Identification & Authentication (3.5)

    Incident Response (3.6)

    Maintenance (3.7)

    Media Protection (3.8)

    Personnel Security (3.9)

    Physical Protection (3.10)

    Risk Assessment (3.11)

    Security Assessment (3.12)

    System & Communications Protection (3.13)

    System & Information Integrity (3.14)

  • Standards of Practice: The ingredients are the same…

    • ISO 27001/2

    • Payment Card Industry Data Security Standard

    • NIST Cybersecurity Framework

    • Information Security Forum Standard of Good Practice

    • Criminal Justice Information Standard

    • HIPAA Security Rule

    • FFIEC Audit Handbook

    • NERC CIPs

    …But the packaging is a little different

  • CMMC Levels (https://ci.security/)

    CMMC Level and Description                                               New (Additional)      Total (Cumulative)
                                                                             Practices  Processes  Practices  Processes*
    1  Basic Cyber Hygiene with Performed Processes                              17         0         17          0
    2  Intermediate Cyber Hygiene with Documented Processes                      55        51         72         51
    3  Good Cyber Hygiene with Managed Processes                                 59        34        131         85
    4  Proactive Cybersecurity Program with Reviewed Processes                   26        34        157        119
    5  Advanced / Progressive Cybersecurity Program with Optimized Processes     16        34        173        153

  • CMMC Levels

    • Level 1 – “Basic Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.

    • Level 2 – “Intermediate Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1 plus 7 new “Other” controls.

    • Level 3 – “Good Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1 plus 14 new “Other” controls.

    • Level 4 – “Proactive” – In order to pass an audit for this level, the DoD contractor will need to implement 13 controls of NIST 800-171 RevB plus 13 new “Other” controls.

    • Level 5 – “Advanced / Progressive” – In order to pass an audit for this level, the DoD contractor will need to implement the final 5 controls in NIST 800-171 RevB plus 11 new “Other” controls.

  • Getting Ready

    • Self-Assess, using the NIST Handbook, OR hire a qualified assessor

    • Work down your corrective action plan

    • When certification firms become accredited, hire one

  • Status Today

    • October 3rd 2019: DoD issued an RFI to solicit accreditation bodies for CMMC

    • By end of year, certification will become a no-nonsense requirement

    • The contracts you may bid on are dependent on your certification level.

    • Must meet certification requirements at the time of award

    • Phase 1 only applies to contractor networks, and not products

    • CMMC validation by a third party is expected to be requested in RFIs starting in June of 2020 and in RFPs starting in the fall of 2020

  • The Value of Managed Security Services

    • The upper levels will be extremely hard to meet for any but the largest companies

    • Requirements for documented and repeatable processes are expensive and time-consuming to put in place

    • Monitoring, detection of aberrational network events, investigation, response and recovery

    • Continuing compliance responsibilities are best handled by point-in-time consulting engagements

    • A Virtual CISO is an economical alternative to hiring

  • Detection & Response is a gap: most organizations suffer it and deal with the fallout

    • 205: average days until a compromised asset is detected

    • 69% of victims are notified by a third party such as the FBI

    • 89% of victims were not compliant with regulatory requirements

  • Ongoing Compliance Responsibilities (www.criticalinformatics.com, March 10, 2020)

    Key Performance Requirements – Information Security Officer

    Weekly:

    • Weekly Report

    • Incident Management

    Monthly:

    • Conduct vulnerability assessment

    • Review vulnerability assessment results, assign disposition and delegate

    Quarterly:

    • Access authorization management reviews

    • Conduct Risk Governance Committee meeting

    Annually:

    • Penetration test

    • Risk Assessment

    • Recordkeeping (e.g. security testing results for products)