Telling the InfoSec Story (slide transcript)
![Page 1: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/1.jpg)
Telling the InfoSec Story
EDWARD MARCHEWKA, CISSP
http://bit.ly/marchewka
edward@marchewka.org
![Page 2: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/2.jpg)
Some Quotes…
o U.S. Director of National Intelligence, James Clapper, identified cyber attacks and cyber espionage as the nation’s biggest threat, passing that of terrorism. At the top of the list of threats, cyber security risks our infrastructure, national security, information, and Internet governance.
  – Worldwide Threat Assessment, 12 Mar 2013
o “…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”
  – The National Strategy for Cyberspace Operations, Office of the Chairman, Joint Chiefs of Staff, U.S. Department of Defense
o “It is the kind of capability that can basically take down a power grid, take down a water system, take down a transportation system, take down a financial system. We are now in a world in which countries are developing the capability to engage in the kind of attacks that can virtually paralyze a country. The whole point of this is that we simply don’t just sit back and wait for a goddamn crisis to happen. In this country we tend to do that, and that’s a concern.”
  – Defense Secretary Leon Panetta, 12 Oct 2012
![Page 3: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/3.jpg)
Disclaimers
o Everything stated in this message is to be considered my own opinion, and not an official representation of Chicago Public Schools (CPS) or any other CPS employees.
o There may be bad jokes for which I do not apologize. (Like this one.)
o Just a couple extras… Actual mileage may vary. Price does not include tax, title, and license. Some assembly required. Each sold separately. Batteries not included. Objects in mirror are closer than they appear. If conditions persist, contact a physician. Keep out of reach of children. Avoid prolonged exposure to direct sunlight. Keep in a cool dark place.
o Any spelling and grammar mistakes in this presentation are all entirely my fault and on purpose.
o Citation: Merriam-Webster's collegiate dictionary (10th ed.). (1993). Springfield, MA: Merriam-Webster.
![Page 4: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/4.jpg)
Some interesting notes…
o If CPS were Fortune rated, it would sit in the Fortune 500, at about 454 (up from 2013).
o CPS serves approx. 440,000 end users (staff and students). This doesn’t include parents and guardians.
o The population of Wyoming is roughly 563,000.
o The population of The Bahamas is roughly 368,000.
o If CPS were a country, it would be the 174th most populous out of 242, and rank 151st by GDP.
![Page 5: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/5.jpg)
What we’ll do…
o What to Measure
o Metrics
o Aggregation
o Presenting your Results
o Risk and Effort
![Page 6: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/6.jpg)
How do you know it is all working?
o The story you tell
o But to tell a better story you need:
  o Measures
  o Metrics
  o and Business Outcomes
![Page 7: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/7.jpg)
Why…?
![Page 8: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/8.jpg)
What to measure?
o Use NIST 800-55r1 – Jul. 2008
![Page 9: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/9.jpg)
NIST 800-55r1, pg. A-3
![Page 10: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/10.jpg)
What to measure?
o Use NIST 800-55r1 – Jul. 2008
o 20 Critical Security Controls v5.0 – 2014 (http://www.sans.org/critical-security-controls/)
![Page 11: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/11.jpg)
SANS CSC 20v5 1, pgs. 10, 11 http://www.sans.org/critical-security-controls/
![Page 12: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/12.jpg)
Slide 12 (diagram): example measures, the groups that own them, and why each one matters.
Measures:
o Patch Latency – Server OS
o # of APs with WEP
o # infected machines / total machines
o Incident Response and Mgmt.
o % Complete Awareness Training
o # Vuln. in Web Apps Scan
Groups:
o CCS
o ESS
o NW
o InfoSec
o Training
o Apps
Why it matters:
o How well is the A/V solution handling things on its own?
o Unpatched systems – top 10 attack vector
o WEP can be cracked in ~10 sec. – how susceptible are you?
o Once you are breached, are you ready?
o Compliance… liability reduction…
o … Follow-up metric: how is remediation coming along?
![Page 13: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/13.jpg)
Aggregation
Source: IT Training Zone LTD – www.ITILtrainingzone.com, Service Design – Lesson 5
![Page 14: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/14.jpg)
Confidentiality, Integrity, Availability (the CIA triad)
![Page 15: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/15.jpg)
What CIA Means to Me…
o Confidentiality – FERPA Compliance, roughly $3B
o Integrity – State Reporting and Funding, roughly $3B
o Availability – Educational and Employee Access
![Page 16: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/16.jpg)
Roll-up hierarchy (diagram): Operational (Tactical) → Group (Team) → Business (Score)
o Patching, Image Age → Server → Confidentiality (Score)
o APs, Pen Test → Network → Confidentiality (Score)
![Page 17: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/17.jpg)
Confidentiality
▪ Strategy items: Government, Community, and Threats
▪ Relates to: FERPA Compliance
▪ Data Loss Measurement
▪ Score: 82/92
▪ Of the 36/36 metrics that are available in this category:
  ▪ 4/36 are reporting amber: % of devices with McAfee agent, % of devices checking in are up-to-date, % of APs with WEP, # of threat events not remediated / # of threat events
  ▪ 1/36 are reporting red: % of unauthorized APs / rogue APs remediated
![Page 18: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/18.jpg)
CIA Roll-Up
o Let’s take a look at how these can roll up and be presented to have a discussion
o Summary slides with descriptors (just saw this)
o BRAG Chart – provides the details
o Run chart – great for the Board
  o Quick summary but also shows a forecast
  o Helps ask for funding
o Magic Quadrant Chart – Cost vs. Efficiency
o How do you know which way to present and how do you want to receive the information?
  o Pick one…
  o Minto method
  o Or… just ask!
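The summary slide above reports a category score ("82/92") and lists which metrics are amber or red, and the roll-up slide then asks for a run chart with a forecast. The following is an added example, not code from the deck or from CPS, of one way to compute that aggregation: each operational measure is rated BLUE/GREEN/AMBER/RED against its own thresholds, the ratings roll up into a per-category score, and a least-squares trend over past period scores supplies the run-chart forecast. The measure names echo the slides; the thresholds, point values and sample readings are constructed for illustration.

```python
"""Added example: BRAG roll-up of operational measures into CIA category
scores, plus a run-chart forecast. Thresholds, point values and sample
readings are constructed, not CPS figures."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Measure:
    name: str
    category: str            # "Confidentiality", "Integrity" or "Availability"
    value: Optional[float]   # observed value; None when the source did not report
    higher_is_better: bool   # direction in which the measure improves
    green_at: float          # at/beyond this (in the good direction) -> GREEN
    amber_at: float          # at/beyond this but short of green_at -> AMBER, else RED


# Constructed point values. RED earns nothing; BLUE (no data) is left out of the
# denominator so a silent data source cannot quietly inflate a score.
POINTS = {"GREEN": 3, "AMBER": 2, "RED": 0}


def rag(m: Measure) -> str:
    """Classify one measure as BLUE, GREEN, AMBER or RED against its thresholds."""
    if m.value is None:
        return "BLUE"
    sign = 1 if m.higher_is_better else -1   # flip so one comparison serves both directions
    v, green, amber = sign * m.value, sign * m.green_at, sign * m.amber_at
    if v >= green:
        return "GREEN"
    if v >= amber:
        return "AMBER"
    return "RED"


def rollup(measures: List[Measure]) -> Dict[str, dict]:
    """Per-category score, status counts and the amber/red measure names (BRAG detail)."""
    out: Dict[str, dict] = {}
    for m in measures:
        cat = out.setdefault(m.category, {
            "score": 0, "max": 0, "amber": [], "red": [],
            "counts": {"BLUE": 0, "GREEN": 0, "AMBER": 0, "RED": 0}})
        s = rag(m)
        cat["counts"][s] += 1
        if s == "BLUE":
            continue                      # not reporting: excluded from score and max
        cat["score"] += POINTS[s]
        cat["max"] += POINTS["GREEN"]
        if s == "AMBER":
            cat["amber"].append(m.name)
        elif s == "RED":
            cat["red"].append(m.name)
    return out


def forecast_next(history: List[float]) -> float:
    """Least-squares trend through past period scores, extended one period ahead."""
    n = len(history)
    if n < 2:
        return history[-1]
    xbar, ybar = (n - 1) / 2, sum(history) / n
    num = sum((x - xbar) * (y - ybar) for x, y in enumerate(history))
    den = sum((x - xbar) ** 2 for x in range(n))
    return ybar + (num / den) * (n - xbar)


def summary_lines(rolled: Dict[str, dict]) -> List[str]:
    """Render slide-style descriptors: score, then which metrics are amber or red."""
    lines = []
    for cat, r in rolled.items():
        reporting = r["max"] // POINTS["GREEN"]
        total = reporting + r["counts"]["BLUE"]
        lines.append(f"{cat} - Score: {r['score']}/{r['max']} ({reporting}/{total} metrics reporting)")
        if r["amber"]:
            lines.append(f"  {len(r['amber'])}/{total} amber: " + ", ".join(r["amber"]))
        if r["red"]:
            lines.append(f"  {len(r['red'])}/{total} red: " + ", ".join(r["red"]))
    return lines


# Constructed sample readings for one reporting period.
SAMPLE_MEASURES = [
    Measure("% of devices with McAfee agent", "Confidentiality", 93, True, 97, 90),
    Measure("% of devices checking in up-to-date", "Confidentiality", 88, True, 95, 85),
    Measure("% of APs with WEP", "Confidentiality", 2, False, 0, 5),
    Measure("% of unauthorized/rogue APs remediated", "Confidentiality", 40, True, 90, 60),
    Measure("Patch latency - server OS (days)", "Confidentiality", 20, False, 30, 45),
    Measure("# high vulns in web app scan", "Confidentiality", 0, False, 0, 3),
    Measure("Pen test findings still open", "Confidentiality", None, False, 0, 2),
    Measure("% of server images within age policy", "Integrity", 97, True, 95, 85),
    Measure("% infected machines of total machines", "Integrity", 0.8, False, 0.5, 2),
    Measure("% of critical services with a tested DR plan", "Availability", 100, True, 100, 80),
]

if __name__ == "__main__":
    for line in summary_lines(rollup(SAMPLE_MEASURES)):
        print(line)
    print("Forecast next period:", round(forecast_next([70, 74, 77, 81]), 1))
```

Two design choices matter for the conversation with the executive team: a measure whose source stopped reporting is shown as BLUE and dropped from the denominator rather than counted as a pass, and a RED measure scores zero so one failing control cannot hide behind many green ones. The thresholds live beside each measure, so the owning group can argue about the threshold rather than the colour.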
![Page 19: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/19.jpg)
![Page 20: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/20.jpg)
Summary – Run Chart
![Page 21: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/21.jpg)
Magic Quadrant - Example
![Page 22: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/22.jpg)
Risk and Effort Ratings – Example
![Page 23: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/23.jpg)
How does this help?
o Now you have had a better conversation with your CISO or CIO and the Executive Team.
o You have shed light onto the security operations and given the executive team the opportunity to ask questions.
o If the executive team knows that company IP, brand reputation, and revenue streams are at risk, maybe they will give you some funding to lower that risk.
o Solicit feedback. You have to ask!
  o Find out what else the exec team wants to know
  o Have a clear discussion with your CISO or CIO of what you want
  o Find out how to make it clearer
  o Remember it is evolving
![Page 24: Telling the InfoSec Story](https://reader030.vdocuments.site/reader030/viewer/2022020208/55b89bfebb61ebf9068b4571/html5/thumbnails/24.jpg)
What we did…
o What to Measure
o Metrics
o Aggregation
o Presenting your Results
o Risk and Effort