A CISO’s Guide to Bolstering Cybersecurity Posture (PDF)
31 pages · 2018 · 1.37 MB · English
A CISO’s Guide to Bolstering Cybersecurity Posture
By Sean Atkinson, CISO, CIS

Contents

Introduction ......... 1
CHAPTER 1: APPROACHES TO CYBERSECURITY ......... 2
  Breaking the Divide Between Governance and Operational Cybersecurity ......... 2
  The Fox and the Hedgehog: Strategic Cybersecurity Response Planning ......... 3
CHAPTER 2: RISK ......... 5
  The Risk Conversation ......... 5
  Where Risks Meet Controls ......... 6
  The One Equation You Need to Calculate Risk-Reduction ROI ......... 7
  Fault Trees and Risk Forests ......... 9
  Creating Event Trees to Help Measure Control Effectiveness ......... 11
CHAPTER 3: DATA PRIVACY AND PROTECTION ......... 14
  Response Planning and Data Privacy ......... 14
  GDPR and Data Privacy ......... 15
  Using CIS Control 13 to Create a Data Protection Plan ......... 17
CHAPTER 4: STRENGTHENING CYBERSECURITY POSTURE ......... 19
  How Security Controls Can Improve Your Cybersecurity Posture ......... 19
  Compliance in Multifaceted Environments ......... 20
  Cloud Compliance – How to Stay Secure on an Intangible Infrastructure ......... 21
  Discovering Security Gaps with Vulnerability Management Controls ......... 24
  Implementing Secure Configurations with Remediation Kits ......... 25
  Keep Your Employees Interested in Cybersecurity Awareness Training with these Tips ......... 26
Additional Information ......... 28
  Resources ......... 28
  About the Author ......... 28
  About CIS ......... 29

Introduction

The CISO blog launched on the CIS website in January 2018. Since then it has provided guidance on a number of cybersecurity topics, with a special focus on the importance and implementation of the CIS Controls™, a collaboratively developed, prioritized set of actions to protect your organization and data from known cyber attack vectors.

This book is a compilation of some of those blog posts in one place for easy reference. It begins with an introduction to cybersecurity approaches and then moves into identifying and calculating risk. In today’s world, risk and data protection go hand in hand; that is the third section of the book. Finally, we conclude with some cybersecurity implementation strategies. The book is organized so that you can easily jump to the section that most interests you.
Some of the original posts have been edited for content and length. If you find this book valuable, you may wish to read the original and future CISO blog posts at https://www.cisecurity.org/.

CHAPTER 1: APPROACHES TO CYBERSECURITY

Breaking the Divide Between Governance and Operational Cybersecurity

Governance in cybersecurity

Governance describes the policies and processes that determine how organizations detect, prevent, and respond to cyber incidents. Many organizations have a division between governance and management. Those who work in governance tend to emphasize strategic planning, whereas operational management deals with the day-to-day approach to security. This split sometimes results in different leadership perspectives.

[Figure: Governance (strategic planning) and Operational Management (day-to-day approach), linked by an operationalized approach to security]

Making the organizational move from a divided hierarchy to one in which strategy informs operation (and operation informs strategy) is a difficult challenge. Communication is key to effectively managing expectations, messaging, and security posture throughout the process.

Detect, prioritize, and control

Operational controls – the real-life response to a cybersecurity incident – should be the focus of any security program. Managing these controls and reporting on them to a governance structure does not necessarily require governance to understand how they are operationalized; instead, it can rest on an agreed-upon level of risk management that involves both governance and operational leadership. Operational controls managers should measure their security posture against a framework or baseline such as the CIS Controls or the NIST Cybersecurity Framework. Understanding your organization’s compliance levels is key to finding weaknesses in the organizational controls, as well as to prioritizing investment for strengthening those controls.
With clearer reporting and analysis of risk reduction, we can bridge the gap between governance and operational security, leading to better strategic decision making and a more unified approach to the cyber threat landscape.

The Fox and the Hedgehog: Strategic Cybersecurity Response Planning

Risk managers can use security controls to implement processes that limit the vulnerabilities, risks, and threats that abound in physical and cyber space. Let’s define the strategic plan for implementing such a systematic approach.

The fox and the hedgehog

A singular vision of the end goal must be in place for any plan of action to be effective. A plan of control and measurement should define risk mitigation and provide evidence that security controls are in place. In the security world, there are two popular approaches: the fox and the hedgehog. Where a “hedgehog” approach tends to take a singular view of security, the “fox” will review security situations from multiple perspectives. The strategic planning work of Isaiah Berlin, for example, follows the hedgehog style.

In order to develop policy ideas into a singular vision, try implementing a document framework. I prefer to utilize a three-tiered framework based on:

• Policy
• Standard
• Procedure

Start with a singular “control” and a single document that details the information security policy which defines that security control. Next, document the details of how to implement that control. Ensure you take into account multiple cybersecurity approaches and concepts, such as access control and data protection, for a multi-layered, defense-in-depth methodology. By taking a single idea and approaching it from multiple views, the “fox” style comes back into play.

Breaking down the tenets of cybersecurity

Many organizations implement multiple security standards and controls. The CIS Controls, for example, provide 20 security best practices.
Each best practice has its own connotations for implementing and measuring compliance with a specific task. Implement controls by breaking the standards down further into procedures. In most cases, each security procedure you plan should have a singular implementation strategy and control. Role-based access control (RBAC) is one popular and effective way to implement controls, ensuring that only authorized individuals can access control systems. RBAC uses the user’s role within the organization to implement specific security controls.

Hedgehog, fox, or both?

It’s interesting to note that one must play both roles – hedgehog and fox – at particular points throughout cybersecurity assessments and audits. The hedgehog approach comes into play when working with a singular vision and “the one important thing” (a particular security control). However, the multitude of ways to implement a particular control requires a multi-disciplined fox approach. Put simply, to achieve the singular you must know and understand multiple concepts. Both approaches are required to build a strong cyber defense.

CHAPTER 2: RISK

The Risk Conversation

Our day-to-day business activities often don’t involve a specific focus on information security or on making good decisions based on risk and controls. The spectrum of risk management duties often falls through the hierarchy in a top-down process. As this happens, the roles and responsibilities that make up risk management may slip through the cracks. It is here that we must identify the stakeholders of risk management. We must also consider those within business processes who can make the difference between a foiled attack and a catastrophic security incident.

Risk and the organizational culture

Risk elicitation (or risk gathering) at only the senior level of an organization is a common mistake.
A better solution is to implement a collaborative intake process to identify risks throughout all levels of the organization. Without this view, it’s likely that some risks will not be uncovered until a security assessment or penetration test identifies them – or worse, a breach occurs. Regularly poll internal stakeholders for their opinions about risk, or use scenario-based discussions to identify risk. The CIS Controls can also be used to discover gaps in security that could be articulated as risks. Start a conversation with those responsible for implementing those controls technically, operationally, and/or physically.

Getting to the scenario response

Intake of risk analysis can take many forms, from simply asking:

• How is our network at risk?
• What is the biggest risk you see to the network?
• How would this particular risk occur?
• Can we stop a malware outbreak, and what is our response time?
• If we were to download a malicious file, what is our mean time to detection, response, and eradication?

The aim here is to ask questions that require a scenario response. This leads to a deeper dive into an answer rather than just “yes” or “no.” Fault tree review, discussed later, is a technique that uses a starting scenario and an engaged audience to uncover and discover risks across business processes, technical functions, and operational controls.

The process of risk management can be intimidating at first. By asking a few questions, you can begin to develop a baseline and understand the threats facing your organization.

View the CIS Cybersecurity Threats page

Where Risks Meet Controls

Using the CIS Controls to define and identify risk

The CIS Controls are a prioritized set of actions to protect your organization and data from known cyber attack vectors. They are developed and maintained by a global community of cybersecurity experts.
Aligning an organization’s internal security controls to a consensus-based collection of cyber-risk mitigation strategies like the CIS Controls can help improve cybersecurity posture. Integrating a risk management program with the CIS Controls can define how a company identifies risk and how that risk can be treated. Treatment strategies come in the form of remediation steps that lower exposure to risk from vulnerabilities and threats to computer systems and business processes.

How the CIS Controls can help

CIS Controls Version 7, released in 2018, contains a total of 20 Controls. How each CIS Control is implemented will vary by organization. To define the need for a Control, a risk that needs to be treated must be present. Many organizations fail to identify these risks, and so the CIS Controls can provide a helpful starting point for evaluation. Your organization can gain major insights into its risk identification and management by turning each of the CIS Controls into a question and analyzing your answers to each.

Start by reviewing CIS Control 1 – Inventory and Control of Hardware Assets – as part of a risk identification exercise:

Question: Can your organization define and detail all its hardware assets? Be sure to include laptops, bring-your-own-device (BYOD) mobile devices, and printers.

Asking this question can generate additional scenarios to identify risk:

• Are there any connected assets which are not authorized to be on your network?
• Are all assets configured securely?
• What role does each asset play in your organization’s processes?
• What data is stored on each asset?

These are high-level ideas to start the conversation about risk and its identification. The use of the CIS Controls can generate questions that identify gaps and weaknesses. Use them to implement a level of risk management and respective control over your organization’s assets, data, and systems.
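One concrete way to turn the first scenario question above (connected assets that are not authorized) into a repeatable check is to reconcile the authorized hardware inventory against what the network actually reports. The Python script below is an added example written for this page; it is not CIS code and not part of the guide. The Asset schema, the "ip mac hostname" lease-log layout, and every MAC address, hostname and owner in it are constructed for illustration.

```python
"""Reconcile an authorized hardware inventory against devices observed on
the network, in the spirit of CIS Control 1 (Inventory and Control of
Hardware Assets). Added example: the inventory schema, the lease log
format and all sample values are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    mac: str         # normalized form aa:bb:cc:dd:ee:ff
    hostname: str
    owner: str
    asset_type: str  # e.g. laptop, printer, byod-mobile


def normalize_mac(mac: str) -> str:
    """Accept colon, hyphen or Cisco dotted notation; return lower-case colon form.
    Normalizing before comparison avoids false 'unauthorized' hits caused only
    by formatting differences between the inventory and the network data."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed authorized inventory: what the organization believes it owns,
# including the BYOD device and the printer the guide says not to forget.
AUTHORIZED_INVENTORY: List[Asset] = [
    Asset("00:11:22:33:44:55", "fin-laptop-01", "finance", "laptop"),
    Asset("00:11:22:33:44:66", "hr-printer-2f", "hr", "printer"),
    Asset("00:11:22:33:44:77", "ceo-phone", "exec", "byod-mobile"),
    Asset("00:11:22:33:44:88", "eng-laptop-09", "engineering", "laptop"),
]

# Constructed DHCP lease export, one lease per line: "<ip> <mac> <hostname>".
# The column layout is an assumption; adapt parse_leases() to your server's format.
SAMPLE_LEASES = """\
10.0.1.10 00-11-22-33-44-55 fin-laptop-01
10.0.1.11 00-11-22-33-44-66 hr-printer-2f
10.0.1.12 DE-AD-BE-EF-00-01 android-9f3c
10.0.1.13 00-11-22-33-44-77 ceo-phone
10.0.1.14 CA-FE-00-00-00-02 raspberrypi
"""


def parse_leases(text: str) -> Dict[str, dict]:
    """Map each observed MAC to its IP and hostname, skipping malformed lines."""
    observed: Dict[str, dict] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, mac, hostname = parts[0], normalize_mac(parts[1]), parts[2]
        observed[mac] = {"ip": ip, "hostname": hostname}
    return observed


def reconcile(inventory: List[Asset], observed: Dict[str, dict]) -> Dict[str, List[str]]:
    """Split devices into three buckets:
    unauthorized - on the network but absent from the inventory (the scenario question)
    missing      - in the inventory but not seen (stale record, lost device, or off-site)
    confirmed    - present in both."""
    known = {asset.mac for asset in inventory}
    return {
        "unauthorized": sorted(mac for mac in observed if mac not in known),
        "missing": sorted(mac for mac in known if mac not in observed),
        "confirmed": sorted(mac for mac in observed if mac in known),
    }


def report(result: Dict[str, List[str]], inventory: List[Asset],
           observed: Dict[str, dict]) -> str:
    """Render the reconciliation as one finding per line plus a summary line."""
    by_mac = {asset.mac: asset for asset in inventory}
    lines = []
    for mac in result["unauthorized"]:
        o = observed[mac]
        lines.append(f"UNAUTHORIZED {mac} ip={o['ip']} host={o['hostname']}")
    for mac in result["missing"]:
        a = by_mac[mac]
        lines.append(f"MISSING      {mac} host={a.hostname} owner={a.owner} type={a.asset_type}")
    lines.append(f"confirmed={len(result['confirmed'])} "
                 f"unauthorized={len(result['unauthorized'])} "
                 f"missing={len(result['missing'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    obs = parse_leases(SAMPLE_LEASES)
    print(report(reconcile(AUTHORIZED_INVENTORY, obs), AUTHORIZED_INVENTORY, obs))
```

Run as-is, the script flags the two constructed devices that appear in the lease log but not in the inventory and the one inventoried laptop that was not seen. The "missing" bucket is as useful as the "unauthorized" one: it answers the guide's question of whether the organization can actually detail all its hardware, not just whether strangers are present. MAC addresses are self-reported by the device, so treat this as a first-pass inventory check and corroborate it with switch-port, 802.1X or endpoint-agent data where that is available.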
Download the CIS Controls

The One Equation You Need to Calculate Risk-Reduction ROI

Evaluating internal systems and services is a key component of understanding your organization’s security posture. One methodology is measuring your risk against the CIS Controls to determine the strengths and weaknesses of risk treatment. Put simply, once you understand your risks, you’ll have a better idea of what it will take to proactively address them. Inevitably there will be gaps – not just in your security processes and implementations, but also in the measurement of control effectiveness. These gaps should be identified and managed as action items to improve the overall security posture of your organization. The determining factor for many organizations is where to focus effort. Start by asking, “What will have the greatest effect on reducing risk?”

Calculating risk-reduction ROI

With any security decision, implementing new solutions and controls will likely require a monetary expense. This is where you’ll benefit from the ability to determine the cost of a potential risk versus the cost of the control. Here’s one way to calculate return on investment (ROI) to account for the cost of risk vs. the cost of control:

[Equation not reproduced in this preview]

ROI example

Let’s use phishing attacks as an example. Say your organization expects to get phished 5 times per year, at an estimated cost of $35,000 per successful attack. The cost to train employees to spot and avoid phishing emails is expected to be $25,000. Here’s what the security ROI would look like:

[Worked calculation not reproduced in this preview]

In this example, it makes monetary sense to invest the $25,000 in training to help reduce the risk of a successful phishing attack. Remember that each organization is different, and determining these variables will be based on circumstance and risk
