What is Cybersecurity Office of Information Technology

Presentation transcript:

What is Cybersecurity
Office of Information Technology, Security & Compliance
Think Security and Do Good Things!
Elizabeth Cole-Walker (Information Security Specialist, Information Security Risk & Assurance)

What is Cybersecurity?
Technology, Facilities, People, Business
Cybersecurity involves protecting an entire ecosystem: People, Physical Space, Technology, Operations
It integrates the security and business layers of an organization to make balanced, risk-based decisions about technology use
It is an integrated approach to protect against, respond to, and recover from an attack or adverse event, which increases the solvency of the business

We are an interconnected world, more than ever in history. Our refrigerators are part of cyberspace today. The internet (cyberspace) serves as a backbone for data exchange and use. All the ingress/egress points, i.e., people, facilities, data and related assets, technology, etc., need to be factored into how best to protect an organization. IT has transitioned from just a tool that helps the business meet its mission to an integral part of the business. Cybersecurity is more than IT: although there is IT security, not all IT resources are for security, have been developed to be secure, or have knowledge of security.

Importance of People & Operations
Data drives the business and people use the data
Business must focus more on the processes and the use of people
A risk-based approach, where people understand the role they play in security, is vital for success
Security controls need to be assessed against real risks and risk tolerance to meet the mission

People are a business's greatest asset and also its greatest vulnerability. It is now necessary for a cybersecurity practitioner to understand business, operations, the big picture, and IT and security!

Security Career Tracks
Information Security – Less Technical/Non-Technical (i.e., risk, assurance, policy, governance, or regulatory compliance, etc.)
Hardware, Services, and Infrastructure
IT Management and Strategy
Storage and Data
Web and Mobile
Information Security – Technical (i.e., security analyst, architect, tester, engineer, or administrator, etc.)
Software Development and Business Analyst
Training
Auditing and Assessment
Network and Cloud Technologies

Functional Roles in Cybersecurity: Executive Management and Senior Leadership
Visible advocate for the cybersecurity program
Promotes and demands accountability
Promotes policy and governance
Directs assessments

If the top is not bought into the cybersecurity program and its policy and strategy, it will fail. It is important to learn how to communicate up, down, and sideways.

Functional Roles in Cybersecurity: Human Resources
Knows the people and the types of data used
Key in identifying insider threat indications
Develops and implements policy and procedures
Understands many laws and regulations

HR is the central place to integrate the policy, processes, and strategy that involve the People part of cybersecurity.

Functional Roles in Cybersecurity: Legal Counsel
Reviews/advises on policy (i.e., data collection, data use, cyber investigations, etc.)
Supports compliance with regulations, rules, laws

Finance
Knowledge of financial assets, data use
Knowledge of risk and impacts

Finance and Legal are big players in cybersecurity.

Functional Roles in Cybersecurity: Information Technology
Builds, operates, and maintains data collection solutions
Represents expertise in computer systems engineering, system and database administration, interface design, and algorithm development for using data
Understanding of software, hardware, and user interfaces
Knowledge of the operations that support the business

It is important to understand what IT support is needed; it is not one size fits all.

Functional Roles in Cybersecurity
Works with all elements of the organization to secure assets (people, facilities, data, etc.)
Represents industrial, IT, information assurance, auditing, physical, personal, and operational security
Training and awareness
Logging, monitoring, investigations
Understands the operational functions and people

Security is the glue that holds everything together!

Protection of Critical Assets
Cybersecurity is really asset and risk management
You cannot protect what you don't know you have.
An asset can be "Tangible" (physical in nature or measurable) or "Intangible" (not physical in nature, and often difficult to assign a value to)
Requires documentation and continual review, testing, and improvement

The first thing a company needs to do when establishing a security program is to conduct an asset inventory, include representatives from all core functional areas, and rank the assets. You can't protect what you do not know you have, or what you do not know is important to you!

The Threat Landscape
Nation States
Organized Crime
Hackers
Espionage
The lines are blurring
They are all bad guys, and email is the most likely attack method!

It really does not matter who the adversary is; they are all bad guys. We are all targets and will be victimized, so make it frustrating for the bad guy. Make him/her work for it. Often, if it requires effort, they move on to someone else. Email is the place that makes an organization or person vulnerable. User awareness is key to stopping all types of attacks, because email is most likely the method of entry.

What is the NIST Cybersecurity Framework
Cybersecurity is more than just IT/technical controls; it also includes all the people and processes that are used to do your business.
It is important to understand what vital functions are necessary for a mature cybersecurity program.
Think about all the roles that are involved in each of the puzzle pieces that make up the framework.
The cybersecurity profession is so rich and dynamic; don't box yourself in!

Identify - involves Asset Management, Business Environment, Governance, Risk Assessment, Risk Management, and Supply Chain Risk Management
Protect - involves Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology
Detect - involves Anomalies and Events, Security Continuous Monitoring, Detection Processes
Respond - involves Response Planning, Communications, Analysis, Mitigation, Improvements
Recover - involves Recovery Planning, Improvements, Communications

Data Life-cycle and CIA Triad
The cybersecurity community uses a data protection methodology called the CIA Triad. It stands for Confidentiality, Integrity, and Availability.
Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
Integrity - Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542]
Availability - Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]

Risk Factors
Strategic - Affects the ability to carry out goals and objectives
Reputational - Affects reputation, public perception, political issues, etc.
Financial - Affects loss of (or ability to acquire) assets, technology, etc.
Operational - Affects ongoing management processes and procedures
Compliance - Affects compliance with laws and regulations; student, faculty, staff & visitor safety; environmental issues; litigation; conflicts of interest; privacy; and so forth.
Hazard - Affects ongoing operation of a business through man-made, natural, or other negative events

This is important when attempting to determine the ranking or critical nature of an asset. Intangible assets are often the most difficult to value, or are overlooked as critical assets.

Impact Scale
NIST ranks impact by how the company would be affected by an attack or by the unauthorized disclosure or loss of an asset. It is defined on a scale of Low, Moderate, and High.
Understanding the impact that loss or unauthorized disclosure of an asset has for each risk factor is key to developing a strategic cyber program.

Identifying Critical Assets
Determining the impact that loss or compromise of assets would mean: Low, Moderate, High
[Chart: example assets (IP, Code, Website, Clean Room) rated for impact against each risk factor (Strategic, Reputational, Financial, Operational, Compliance)]
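The asset ranking the slides describe (inventory the assets, rate each against the risk factors on the NIST Low/Moderate/High scale, then rank) written out as a small Python example. This is added code, not the presenter's material; the roll-up rule (an asset's overall impact is its worst rating across factors, the way FIPS 199 rolls up the CIA objectives), the function names, and the sample inventory are all assumptions.

```python
"""Rank an asset inventory by the NIST Low/Moderate/High impact scale across
this page's risk factors (added example; the high-water-mark roll-up and the
sample inventory are assumptions, not the presenter's material)."""
from dataclasses import dataclass, field

RISK_FACTORS = ("Strategic", "Reputational", "Financial",
                "Operational", "Compliance", "Hazard")
IMPACT_LEVELS = {"Low": 1, "Moderate": 2, "High": 3}

@dataclass
class Asset:
    name: str
    tangible: bool                               # physical/measurable or not
    impacts: dict = field(default_factory=dict)  # risk factor -> impact level

    def overall(self) -> str:
        """Worst rating across factors; 'Unrated' keeps assessment gaps visible."""
        rated = [IMPACT_LEVELS[lvl] for f, lvl in self.impacts.items()
                 if f in RISK_FACTORS and lvl in IMPACT_LEVELS]
        if not rated:
            return "Unrated"
        worst = max(rated)
        return next(name for name, v in IMPACT_LEVELS.items() if v == worst)

def validate(asset: Asset) -> list:
    """Problems that should block ranking: unknown factors or levels."""
    errors = []
    for factor, level in asset.impacts.items():
        if factor not in RISK_FACTORS:
            errors.append(f"{asset.name}: unknown risk factor {factor!r}")
        if level not in IMPACT_LEVELS:
            errors.append(f"{asset.name}: unknown impact level {level!r}")
    return errors

def rank_assets(inventory: list) -> list:
    """Most critical first: overall impact, then count of High ratings so two
    High assets are ordered by how many factors they expose."""
    def key(a):
        highs = sum(1 for lvl in a.impacts.values() if lvl == "High")
        return (IMPACT_LEVELS.get(a.overall(), 0), highs)
    return sorted(inventory, key=key, reverse=True)

# Constructed sample inventory; asset names borrow the slide's examples.
INVENTORY = [
    Asset("Website", True, {"Reputational": "High", "Operational": "Moderate"}),
    Asset("IP", False, {"Strategic": "High", "Financial": "High", "Compliance": "Moderate"}),
    Asset("Code", False, {"Financial": "Moderate", "Operational": "Moderate"}),
    Asset("Clean Room", True, {"Hazard": "High", "Operational": "High", "Financial": "High"}),
    Asset("Old printer", True, {}),                # inventoried but never rated
]
```

Run `validate` on every asset before `rank_assets`, since an unrated or mis-rated intangible asset is exactly the kind of item the slides warn gets overlooked.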

Cybersecurity Career References
CompTIA IT Certification Roadmap
Cyber Security Degrees & Careers – How to Work in Cyber Security
Getting Started in Cybersecurity with a Non-Technical Background
Which non-technical skills are most important to a career in security?
IT careers for non-technical people
ISACA Certification: IT Audit, Security, Governance and Risk
NIST Cybersecurity Framework
CIA Triad Model