RCR 023: Cybersecurity Frameworks (Part II)

Feb 04, 2019

Subscribe: iTunes | Google Play | Stitcher Radio | RSS

Description:

Shon Gerber from ReduceCyberRisk.com reveals to you the steps and the cybersecurity training you need to grow your Information Security career while protecting your business and reduce your company’s cyber risk. Shon utilizes his expansive knowledge while providing superior training from his years of cybersecurity experience.

In this episode, Shon will talk about recent security news: NERC (CIP); Execs in Cybersecurity; Webstresers going to Jail.  In addition, Shon will be providing Part II of his training on the understanding of Cybersecurity Frameworks and their importance in protecting your business or for your CISSP certification.   Some of the content will include PCI-DSS, ISO 27001, Cybersecurity Framework, and so much more.

As always, utilize Shon’s cybersecurity training to help fulfill your Continuing Education credits for your CISSP or other security certification.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet? LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskRed...

Transcript:

Welcome to the Reduce Cyber Risk podcast, where we provide you the training and tools you need for your cybersecurity career. Hi, my name is Shon Gerber and I'm your host of this action-packed, informative podcast. Join me each week and I provide you the information you need to grow your cybersecurity knowledge while taking practical and actionable steps to protect your business from the evil hacker horde.

Welcome to the Reduce Cyber Risk podcast. We are now at February 4th, 2019, and we've got some great stuff heading into the New Year. As it relates to Reduce Cyber Risk, our ultimate goal is to teach you around cybersecurity training made simple. That's the ultimate goal. The cool part about this is that if you are a cybersecurity professional looking for opportunities to learn, Reduce Cyber Risk is a place for you, and the same goes if you're a business owner trying to understand this convoluted cybersecurity mess. So let's get into it. In today's podcast we've got a lot of good stuff coming to you. In the cybersecurity news: NERC (November Echo Romeo Charlie) fines utilities $10 million; execs remain the weak link in the cybersecurity chain; Webstresser users face legal action. From a security training standpoint, we're going to be getting into Understanding Cybersecurity Frameworks, Part 2. The goal of all of this, the Reduce Cyber Risk podcast and the video training that we put out, is to help cybersecurity professionals and businesses understand cybersecurity training and cybersecurity in general, and the goal is to make it easy for you to understand the key nuances around it. So that's the purpose around the podcast and the video trainings.

Now, the first item of business around news is: NERC fines utilities $10 million. This is from Elizabeth, I'll skip her last name, but you can find her at securityledger.com. I'll also have the links in the show notes as well, which you'll have available to you at ReduceCyberRisk.com. I have screwed up; I basically screw up a lot, but in this case I really goofed up on what NERC actually stands for. NERC (November Echo Romeo Charlie) stands for the North American Electric Reliability Corp. Yeah, I've just totally butchered that on previous podcasts over the years: Nuclear Energy Regulatory Commission. I got that wrong, but it's the North American Electric Reliability Corp. They are basically the regulating aspect when it comes to critical infrastructure, and there are Critical Infrastructure Protection cybersecurity regs that they are holding people accountable to, and they fined $10 million to a group of basically power plants and energy companies for not doing well enough in the cybersecurity space. If you're a security professional... I'm sorry, I'm fighting a bit of a cold, so if it seems like I'm a little goofy in that regard, that's the reason. It seems that when it comes to cybersecurity and you're a security professional, the CISSP, or you're a security analyst or whatever that might be, this information is extremely valuable in the fact that you need to understand these regs and how they affect you, because you may be in an industry now or in the future where these regs could be a big factor to you. So these are the Critical Infrastructure Protection regs that are out there, and they have to comply with these regs. What they came to find out was that there were 127 violations of CIP, the Critical Infrastructure Protection, and from that they created a 250-page document to annotate in detail what the issues involved were. They had 13 findings that they considered a serious risk to the operation of bulk energy power. So obviously, 13 things like that, that's not good from a serious-risk standpoint; two more were of a moderate risk, which is basically as bad as the other 13 that were considered serious risk. This is really kind of bad news for the power grid, in the fact that we know that other outside entities have been targeting their power grid for many, many years now. Working in a previous life, I know full well that the power grid in the past (I'm sure they're better now) was not that well protected, and they really didn't need to be. What happened in many cases is that you have a power grid setup that was never designed for cyber, and then somebody would put a web front end on the front of these power plants to allow for remote access. Well, that can cause some problems, right? It's come a long way since the first time I ever got into this, from a previous life in the military; however, you can only imagine that this is going to continue to be a challenge. So the Director of National Intelligence, Dan Coats, called out hacks: we have to take better precautions, we have to basically put this as a national priority. And he called out the Ukraine hacks that happened in 2015 and 2016, where the Russians actually went out and attacked the power grid of Ukraine, causing massive... not casualties, but just chaos, right? It just causes people to go, how do I deal with this and what do I do? So if you want something that demoralizes people, that's a great way of doing it. That's how you do it; it's psychological operations 101. The findings were this: the failure to implement and document access controls was a big bleeding issue within the 13 issues that they had. So as a security professional, one: do you document your access controls to your different areas? Do you have those document controls in place? Then, again, they also talked about all electronic access points. What are some other access points out there where people could have access? So thoroughly understanding your environment is where compliance goes. As it relates to the Critical Infrastructure Protection piece, they fined these companies, and the companies then said that they would revisit their corporate IT compliance program. And they referred back to the 2017 incident where the FBI, and the report they had, recommended... the finding was that there were multiple third parties the Russians were getting in through. Now, as a security professional, you know third parties are one of your biggest risks, and this is no different in the critical infrastructure space. So therefore, if you've got a business, one of the things you need to be focused on is who are your third parties and how do they have access into your environment. They also said the increased use of IoT is concerning them; it's possibly causing issues. If you have a business or you are a security professional that's maintaining the security for your business, IoT is a significant risk to your organization, so it's important that you architect it correctly, especially going forward.

Execs remain the weak link in the cybersecurity chain. This is from Casey at LinkedIn; the links will be there in the show notes. The Bunker reports that execs are part of the problem. OK, so I've been in cybersecurity for many years now and I can tell you that executives are part of the problem. Also, individuals working on the shop floor are part of the problem; everybody is part of the problem when it comes right down to it. The executives are an easy target as it relates to cybersecurity, from a hackers and social engineering standpoint, so you need to educate these executives on what to do. They have the most influence within their organization, and so therefore it's important that you become a partner with them. Now, in this link, they talked about how these individual hackers were targeting social media. They would target different pieces around them, trying to get their financial information and trying to become man-in-the-middle, talking about the whole "you need to wire money to this location." So that's out there, right? A little thing to consider around that is that, from a previous life, I would also target their spouses and their kids and other things like that. Now, the point of it is that if you can start messing with somebody's mind from a psychological standpoint, and you go, "I know where your children are at right now, or where your wife is at, and I know all these things," that is bad juju, right? That's not good. So therefore it's imperative that if you are an executive, be very careful about what you post online, and be very careful about what your spouse posts online; he or she, it doesn't matter. The point of it is that if you are an executive, people are looking at you. They consider you a potential prime target: you're usually a highly compensated individual, and you also have influence in your environment. It's important that whatever you do, you keep that stuff in mind. Now, if you're the security professional, it's also important that what you do is educate your senior executives on how to best protect themselves, and potentially their families as well, while they're online. Now, they said the executives have apathy, and they say, "it's not my problem, it's IT's problem." Well, this happens. Just what exactly it is, but it happens with everybody. So it's imperative as a security professional that you work to make changes and that you work hard to bridge that gap. Last thing: educate, educate, educate. You cannot help but do this; you have to do more and more of this, and you need to build a relationship, as we talked about, and provide use cases on how these things could affect them, potentially their families, and the business itself. You also can't live your life like there's a boogeyman around every corner. It's just being smart and living smart, and ensuring that everybody is educated and has all the information they need to best protect themselves and the company.

The next one: 250 Webstresser users face legal action. This is from Brian Krebs at KrebsOnSecurity. He's got a really good blog post out there; he always does, the guy's amazing. But basically it comes down to this: there was an online attack-for-hire site, and there were about 250 customers that were taking advantage of this site. They would go out and they would hire somebody to attack another site, an individual's site or a corporation's. Well, it got busted, and it happened in the Netherlands, which basically, like the US has the FBI, has one of the largest law enforcement agencies in Europe; they dealt with the FBI and the UK, and they went in and they took down this site. As of April 2018 there were 151,000 registered users that were part of the site. So does that mean these people were registered and actually launching attacks? No. Does that mean that they were just kind of maybe doing looky-loos? Possibly. But there are 351 registered users... well, law enforcement is going after all of them, right? Whoever paid for an attack, they're going after. So something to be considering is that if you are a hacker, or if you're a wannabe hacker, be careful who you associate with. The simple fact of it is, if you were trying to poke around and maybe you try to do something fun, just to kind of attack your buddy or your brother in a joking way, well, it could have ramifications; there's a crime, and they will come after you. Well, as a security professional, it's imperative that you understand this stuff, because, you know, sometimes people within your environment could be utilizing your network to do these things. So, next: three men were charged with booter sites. I had no idea what a booter site was. I was like, what? But as I read what exactly it talks about, it made more sense, right? What it's using is IoT devices to do denial-of-service attacks. It comes down to this: if you have cameras (now there are more and more prolific cameras and video recorders out there that are connected to the internet; just look at Nest Safe or any of these other home security systems, all connected via your Wi-Fi), well, if they have vulnerabilities in them, what ends up happening is people will take advantage of that, and then they stream the data to the targeted individual, and they basically do a denial-of-service attack on that individual, or that site, or that business, because these video cameras produce so much data it ends up just taking these sites down. So it's imperative that you have yourself configured correctly. But at the end of the day, that's what a booter is: they knocked out websites with it, and so therefore these guys are probably going to spend some jail time breaking big rocks into little rocks. Not a good thing, right? Now there are some other ones that have hit recently: there's a Connecticut man that got 10 years for a DoS attack on a hospital. He's getting 10 years in jail for doing something with a computer on a hospital. And why? Right, people's lives were at risk. But this is so simple: you did a DoS attack on someone and you're going to get 10 years for it. That's just crazy, it's just absolutely crazy. There's also a 20-year-old who gets basically two years for utilizing the Titanium Stresser, and what happened with the Titanium Stresser is that he would launch attacks on people, and people would buy this capability with the Titanium Stresser, and he made over $300,000 of income utilizing this tool. Now, I guess I talked about this before: there's lots of money to be made, pros and cons, man. The cons are a little bit steep unless you don't mind going to jail, two years or 10 years, you name it, right? So the bottom line is, don't do it, because what happens is some of these people that utilize these tools are, like I mentioned before, just kind of poking around a little bit, just kind of playing around, seeing, hey, is that something that we really want to do or not do? I don't know. That's not a good choice. Rockstar is giving out a get-out-of-jail-free card for individuals where it was their, quote unquote, first offense. So, first-time offenders, and this is a quote from them: "Skills in coding, gaming, computer programming, cybersecurity and anything IT-related are in high demand, and therefore there are many careers and opportunities available to use these wisely." So back when I was a hacker for the government (doing it all legal), I had a comment: use your powers for good, not for evil. Well, these people decided to use their powers for a little bit of evil just to see what it would be like. Bad idea. Now, in another one, I guess it's OK; you are able to obtain a get-out-of-jail-free card. But in most other countries, probably not so much the case. So you have to decide. Make sure that, as a professional, you educate your people again, and you get smart on these things, because it's imperative; people are going to be looking to you as the expert, as a resource within your environment that needs to know this stuff. Here are some of the references around what I just talked about in the security news, and all of these, again, will be in the show notes as well.

All right, let's roll on to our training. This is Part 2: Understanding Cybersecurity Frameworks. This is part of the CISSP supplement that we add as part of our podcast, our last podcast that occurs on a weekly basis, along with the individual training that we'll provide through Reduce Cyber Risk. So we're looking at a case study; this is called the Cybersecurity Framework. We had talked in Part 1 about PCI-DSS and the aspects of how it works within the governance and compliance piece. Now let's pull up a framework that came out back in 2018, and it's called the Cybersecurity Framework. It's designed as a voluntary framework, with standards, guidelines and best practices on what you should do to protect your environment. Now, it's designed specifically to measure cybersecurity risk in a cost-effective manner, and it was put together in a way that originally came from the critical infrastructure framework that is used within the Nuclear Energy Regulatory Commission... Energy Regulatory Commission. But it came from the critical infrastructure framework, and so they morphed it, made some changes to it, and they called it the Cybersecurity Framework. This comes from NIST, the National Institute of Standards and Technology. It was published in 2018, April 2018, and it's really designed around the security framework for critical infrastructure; however, it works really well with different types of security mechanisms, and it's a really good product to help a business that is going to be implementing some level of security framework within the organization. The part I like about it is that it's very simple and to the point; it's not complicated and it makes a lot of sense. However, if you don't understand it, there's a lot of really good information out there on it. At Reduce Cyber Risk, we're going to go over some frameworks here in the future and how you can actually fill those out and make them work best for you, a step-by-step on some key aspects you need to be aware of as you fill them out. It is version 1.1, but version 1.0 is still viable; they've made some slight changes to it that took it to the next version.

Now, the background around this is that Executive Order 13636 came into being, and that was about basically improving critical infrastructure cybersecurity. The purpose of it was that they knew that they had issues: electrical grids have been hacked, other areas, water supplies, have been hacked, and so they thought they needed to put some level of standardization around these environments, and hence that's the reason for the Cybersecurity Framework. The cool part about all this, though, is that anybody can use it and they can implement it within their organization, and it's not real hard to do. It started off as a collaboration between industry and government on the best way to secure their environment, from identifying to detecting to mitigating these risks and so forth, and it created a set of standards, guidelines and practices basically to promote the protection of critical infrastructure. But in reality you can use it anywhere; it doesn't have to be just typically an electrical power grid or a water treatment facility. So what can it do for you? It provides clarity, OK, that's what it can do, and direction. It may seem very daunting and confusing, but it provides that for you. And it can reduce premiums associated with cyber insurance. Now, look at different cyber insurance policies; one of the big aspects that comes into this is having a framework in place. I think it was Ohio that came up with a part of cybersecurity legislation that basically states that if you follow a cybersecurity law or a framework of some kind, then what ends up happening is the ability for someone to sue you is dramatically reduced. I think they call it a safe harbor, but the bottom line is they're saying that if you do follow a framework and you implement practices to protect yourself, they can't sue you from a civil standpoint. Now, whether or not that actually happens, it's hard to say, but at the end of the day it can reduce your risk as it relates to your litigation situation. But also, in the case of cybersecurity insurance, they will ask you: do you follow some level of a framework for your company, for your business? And so therefore they reduce their risk; they know that if you're following a framework, odds are strong that you've been paying attention and therefore you will put practices in place to limit the risk to your organization. So again, these can reduce the premiums associated with cyber insurance. I'm not a lawyer or an insurance agent, but we have seen it in the past, and I've dealt with it individually, that it can happen; it can be a factor in a civil lawsuit. Again, I come back to the fact that I'm not a lawyer, OK? Having a solid security program in place has been noted, and we talked about this just recently with Ohio, but it's been noted that if you have this when it comes to a data breach, you are in a much better position. We talked earlier about Massachusetts and their security laws that are in place, the data breach notification laws, and a piece of this is that you have a documented security program. Well, if you have a framework in place, then that will help you with your security program and it'll allow you to have it be documented as well. So there's a lot of good positives around this; that's what it can do for you.

Now, what it cannot do for you: it's not a checklist on what to implement. Now, it may seem a little bit prescriptive; if you look at this here in the future, it may come across like, well, I just do this check and this check. But you have to take a risk-based approach on what you put into place and what you don't put into place. It can't be a checklist, because what's going to happen is you're going to put this checklist in place, but you don't put any controls around it, and if something bad happens, well, they're going to come after you. So it's not just "I'm going to go check these boxes and then move on"; it is something you're going to have to follow through with. Now, it's not all-encompassing, right? With all regulations... some regulations are still changing, and it will not meet all of the regulations around it. So, as an example, HITRUST has different regulations than ISO 27001 certifications do; they're not the same. One is in the health industry, one is not necessarily the health industry, it's more of a broad brush. You could, however, actually end up adding a lot of extra waste, because you put all these things in place. Something to consider: do you really need it? And know that if it's the Cybersecurity Framework, it will get you in a good spot that will meet a majority of these other frameworks as well, the HITRUST, the ISO 27001 and so forth. It will go a long way to put you in a good position. It's not an easy button that you just mash and you move on: "Yay, guys, I hit this button, I'm good to go now that I have a framework in place." No, you actually have to do the hard, heavy work and heavy lifting and put something in place on paper and document it. So again, it's just not this easy button. If you've got this piece of paper and think you're protected, it's like a bulletproof vest the bullet will go right through. So you need to make sure that you do have something in place. It will provide you guidance, but that's not the whole idea. What it basically means is that you can look through and go, OK, yeah, I did that, yeah, I did that, but the problem is, if you don't have support on this, you could be setting yourself up. And so the point of that is that IT, as your subject matter experts, need to be involved with you. They need to know what you're putting in place, why you're putting it in place, and what you're going to do to make sure it's mitigated. Now, they may do the mitigation pieces for you, but at the end of it, they're the ones that have to be involved with you as far as being orchestrated in the environment. Mitigation, we talked about this in the past, but it will help reduce your risk around liability, but it's not like, OK, I did it, now you can't touch me. That's not the truth, but it's just something to prove that in the event something bad does happen, you have gone through the steps you needed to best protect your information, your customers' information, and potentially, depending upon where you're at, your company's information. So you do really need to just make sure that you go through it and you follow it and you understand what exactly you're doing.

So now, what is a mapping, a framework mapping? This is various regulatory frameworks and standards that are global, and what it does is it maps against those. So if you consider the HITRUST we talked about earlier, or COBIT, or any of these other frameworks that are out there, the big five, what will happen is you're going to say, well, Cybersecurity Framework, you do A, B and C, and C will map, which will match up pretty well, with B, F and G on the HITRUST, or it may map to A, B and F on COBIT, right? So the point of it is it's going to match up; you're going to see how they all tie together. It'd be nice to say, if I do one, it covers them all. The problem is each of them have different needs, so if you did that it would be monstrously huge and it would be hard to maintain. So again, you have to decide how you want to handle that. Others have cybersecurity as a category. We talked about regulations, and they're designed specifically for cybersecurity; some frameworks are like cybersecurity, the CSF, the Cybersecurity Framework, but others are using it as a category, and we talked about HITRUST as an example, where it's just a piece of it. But there's an aspect of COBIT, and so for now they cover various items based on the location and the industry; it really depends upon the situation where you're at. So yet one of them is called an information security management system (ISMS), a framework for policies and procedures that includes legal, physical and technical controls. All of these different things that are in place will vary by location and will vary by industry. Now, as an example from a framework mapping standpoint, you have ISO 27001:2013, OK? Then you have NIST 800-53, and you have the AICPA's SOC for Cybersecurity, you have HIPAA, you have the Chinese cyber law. All of these together will map to different things. I've looked at the Chinese cyber law in depth, and there are pieces of that that fit in very, very well with 853, and 853 will fit in well with the Cybersecurity Framework; it's pretty close on that. ISO 27001 is a lot more in-depth, and because of that it's really more of a challenge. However, if you were to go and say, you know what, there's no requirement that says I have to do ISO 27001, they're recommending that I do ISO 27001, but you know what, I've been working on 853, NIST 800-53, security mapping forever, right? Let's just move to 27001. Well, if you do that and you try to map those together, you're going to be 80 to 90% there. It's just something you need to consider as it relates to the different pieces around the frameworks. But again, they all have a different spin on it. Identities, identity: you just have to find out how deep into identity and access management you have to go. So with the Cybersecurity Framework, there's ID.AM-1, OK? So what this is, it's in the Identify aspect, OK, and it's around physical devices and systems within the organization being inventoried. Now, that's what it states; that's what this piece of the Cybersecurity Framework states, ID.AM-1. The Security Rule, 45 CFR, talks about the fact that you have to have privacy aspects around individually identifiable health information. Now that will happen also in the Cybersecurity Framework, but it won't be specifically to that wording. There's also the Security Rule, which is the security standards for protection of electronic protected health information; the same things that are in there will match up with ID.AM-1. What's the point of that? It's that there are going to be pieces of it that will coalesce or connect together. So that would be the Security Rule, the Privacy Rule, which would all tie into ID.AM-1. It's also on ID.AM-1 that you have, we talked about that briefly, AICPA, which is Trust Services Criteria, which basically is the SOC for Cybersecurity. And you're probably going, what the heck is that? Well, the CPAs, you know, the joke, right: what does CPA stand for? So the bottom line is you have the things that are decided in there. One example is: "An entity identifies risks to the achievement of its objectives across the entity and analyzes the risks as a basis for determining how the risks should be managed." There's a lot in there that you'd see detailed out there; however, that one is... so therefore they use that as a way to map against it: assessing the criticality of that information, identifying and defining threats, all that is tied into the Cybersecurity Framework as well. Not just the same words; they're very differently worded, but you have to understand that there are mapping products out there that will map out exactly what the Cybersecurity Framework maps to as it relates to the AICPA Trust Services Criteria or SOC for Cybersecurity.

All right, so here are the references that we put together for this Part 2 of Understanding Cybersecurity Frameworks: IT Governance, the NIST Cybersecurity Framework, security trends in security framework adoption surveys, PCI Security Standards, and interactive application security testing. We'll have some more; we'll catch you on the flip side. See you next time.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes; I would greatly appreciate any and all feedback. Also, just search for Shon Gerber and you'll find it. Lastly, head to Reduce Cyber Risk and look for the free stuff, lots of free stuff, and it's only available for our email subscribers, which is growing each and every day. Thanks again for listening.
