Telling the InfoSec Story
EDWARD MARCHEWKA, CISSP
http://bit.ly/marchewka [email protected]

Upload: argyle-executive-forum, posted 29-Jul-2015

TRANSCRIPT

Page 1: Telling the InfoSec Story

Telling the InfoSec Story
EDWARD MARCHEWKA, CISSP
http://bit.ly/marchewka
edward@marchewka.org

Page 2

Some Quotes…

o U.S. Director of National Intelligence, James Clapper, identified cyber attacks and cyber espionage as the nation’s biggest threat, passing that of terrorism. At the top of the list of threats, cyber security risks our infrastructure, national security, information, and Internet governance.
  o Worldwide Threat Assessment, 12 Mar 2013

o “…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”
  o The National Strategy for Cyberspace Operations, Office of the Chairman, Joint Chiefs of Staff, U.S. Department of Defense

o “It is the kind of capability that can basically take down a power grid, take down a water system, take down a transportation system, take down a financial system. We are now in a world in which countries are developing the capability to engage in the kind of attacks that can virtually paralyze a country. The whole point of this is that we simply don’t just sit back and wait for a goddamn crisis to happen. In this country we tend to do that, and that’s a concern.”
  o Defense Secretary Leon Panetta, 12 Oct 2012

Page 3

Disclaimers

o Everything stated in this message is to be considered my own opinion, and not an official representation of Chicago Public Schools (CPS) or any other CPS employees.
o There may be bad jokes for which I do not apologize. (like this one)
o Just a couple extras… Actual mileage may vary. Price does not include tax, title, and license. Some assembly required. Each sold separately. Batteries not included. Objects in mirror are closer than they appear. If conditions persist, contact a physician. Keep out of reach of children. Avoid prolonged exposure to direct sunlight. Keep in a cool dark place.
o Any spelling and grammar mistakes in this presentation are all entirely my fault and on purpose.
o Citation: Merriam-Webster's collegiate dictionary (10th ed.). (1993). Springfield, MA: Merriam-Webster.

Page 4

Some interesting notes...

o If CPS were Fortune rated, it would sit in the Fortune 500, about 454. (up from 2013)
o CPS serves approx. 440,000 end users (staff and students). This doesn’t include parents and guardians.
  o The population of Wyoming is roughly 563,000.
  o The population of The Bahamas is roughly 368,000.
o If CPS were a country, it would be the 174th most populous out of 242, and rank 151st by GDP.

Page 5

What we’ll do…

o What to Measure
o Metrics
o Aggregation
o Presenting your Results
o Risk and Effort

Page 6

How do you know it is all working?

o The story you tell
o But to tell a better story you need:
  o Measures
  o Metrics
  o and Business Outcomes

Page 7

Why…?

Page 8

What to measure?

o Use NIST 800-55r1 – Jul. 2008

Page 9

NIST 800-55r1, pg. A-3

Page 10

What to measure?

o Use NIST 800-55r1 – Jul. 2008
o 20 Critical Security Controls v5.0 - 2014 (http://www.sans.org/critical-security-controls/)

Page 11

SANS CSC 20v5 1, pgs. 10, 11 http://www.sans.org/critical-security-controls/

Page 12

Example metrics, the groups that own them (CCS, ESS, NW, InfoSec, Training, Apps), and why each is worth reporting:

o Patch Latency – Server OS: unpatched systems – Top 10 attack vector
o # of APs with WEP: WEP can be cracked in ~10 sec. – how susceptible are you?
o # infected machines / total machines: how well is the A/V solution handling things on its own?
o Incident Response and Mgmt.: once you are breached, are you ready?
o % Complete Awareness Training: compliance… liability reduction…
o # Vuln. in Web Apps Scan: … follow-up metric, how is remediation coming along?

Page 13

Aggregation

Image: IT Training Zone LTD – www.ITILtrainingzone.com, Service Design – Lesson 5

Page 14

CIA triad: Confidentiality, Integrity, Availability

Page 15

What CIA Means to Me…

o Confidentiality – FERPA Compliance, roughly $3B
o Integrity – State Reporting and Funding, roughly $3B
o Availability – Educational and Employee Access

Page 16

Roll-up levels: Operational (Tactical) → Group (Team) → Business Confidentiality (Score)

o Server: Patching, Image Age
o Network: APs, Pen Test

Page 17

Confidentiality
▪ Strategy items: Government, Community, and Threats
▪ Relates to: FERPA Compliance
▪ Data Loss Measurement
▪ Score: 82/92
▪ Of the 36/36 metrics that are available in this category:
  ▪ 4/36 are reporting amber: % of devices with McAfee agent, % of devices checking in are up-to-date, % of APs with WEP, # of threat events not remediated / # of threat events
  ▪ 1/36 are reporting red: % of unauthorized APs / rogue APs remediated
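To make the Operational → Group → Business roll-up from the last few slides concrete, here is an added example in Python; it is not code from the presentation or from CPS. The point weights per rating (green 3, amber 2, red 1), the thresholds, the team names and every figure in SAMPLE_METRICS are constructed assumptions, chosen only so that the kinds of metrics named on the slides (A/V agent coverage, WEP access points, rogue AP remediation, patch latency, awareness training) produce a mix of green, amber and red. It rates each metric, sums the points by owning group (the team view) and by CIA category (the business view), and prints a descriptor line in the style of the Confidentiality slide.

```python
"""Metric roll-up: operational measures -> RAG rating -> team and business scores.

Added example (not from the presentation). Thresholds, point weights, group
names and the sample figures are constructed assumptions; the deck only shows
the shape: each metric reports green/amber/red and a category (for example
Confidentiality) reports a score such as 82/92 with the amber/red metrics listed.
"""
from dataclasses import dataclass

RAG_POINTS = {"green": 3, "amber": 2, "red": 1}  # assumed weights per rating


def pct(numerator: float, denominator: float) -> float:
    """Percentage rounded to one decimal; 0.0 when nothing was measured."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


@dataclass(frozen=True)
class Metric:
    name: str
    group: str             # owning team: the Operational -> Group level
    category: str          # Confidentiality / Integrity / Availability: the Business level
    value: float
    higher_is_better: bool
    green: float           # at or past this boundary the metric is green
    amber: float           # at or past this boundary (but not green) it is amber; otherwise red

    def rating(self) -> str:
        if self.higher_is_better:
            if self.value >= self.green:
                return "green"
            if self.value >= self.amber:
                return "amber"
        else:
            if self.value <= self.green:
                return "green"
            if self.value <= self.amber:
                return "amber"
        return "red"


# Constructed sample measurements (not CPS data): counts -> percentages -> ratings.
SAMPLE_METRICS = [
    Metric("% of devices with A/V agent", "Desktop", "Confidentiality", pct(1380, 1500), True, 95, 90),
    Metric("% of devices checking in up-to-date", "Desktop", "Confidentiality", pct(1300, 1380), True, 95, 90),
    Metric("% of APs with WEP", "Network", "Confidentiality", pct(6, 400), False, 1.0, 3.0),
    Metric("% of rogue APs remediated", "Network", "Confidentiality", pct(5, 10), True, 90, 75),
    Metric("Patch latency - server OS (days)", "Server", "Confidentiality", 12, False, 14, 30),
    Metric("Server image age (days)", "Server", "Availability", 45, False, 60, 120),
    Metric("% awareness training complete", "Training", "Confidentiality", pct(970, 1000), True, 95, 85),
]


def roll_up(metrics, key: str) -> dict:
    """Sum RAG points per bucket: key='group' is the team view, key='category' the business view."""
    buckets: dict = {}
    for m in metrics:
        b = buckets.setdefault(getattr(m, key), {"score": 0, "max": 0, "amber": [], "red": []})
        r = m.rating()
        b["score"] += RAG_POINTS[r]
        b["max"] += RAG_POINTS["green"]
        if r != "green":
            b[r].append(m.name)     # keep the names so the summary can list what needs attention
    return buckets


def descriptor(name: str, b: dict) -> str:
    """One summary line in the style of the Confidentiality slide."""
    n = b["max"] // RAG_POINTS["green"]
    parts = [f"{name} - Score: {b['score']}/{b['max']}", f"{n}/{n} metrics available"]
    for colour in ("amber", "red"):
        if b[colour]:
            parts.append(f"{len(b[colour])}/{n} reporting {colour}: " + ", ".join(b[colour]))
    return "; ".join(parts)


if __name__ == "__main__":
    for level in ("group", "category"):
        for name, bucket in roll_up(SAMPLE_METRICS, level).items():
            print(descriptor(name, bucket))
```

Because the same `roll_up` serves both views, a group lead and an executive are reading the same underlying ratings; only the bucketing changes, which keeps the team and business stories consistent with each other.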

Page 18

CIA Roll-Up

o Let’s take a look at how these can roll up and be presented to have a discussion
  o Summary slides with descriptors (just saw this)
  o BRAG Chart – provides the details
  o Run chart – great for the Board
    o Quick summary but also shows a forecast
    o Helps ask for funding
  o Magic Quadrant Chart – Cost vs. Efficiency
o How do you know which way to present and how do you want to receive the information?
  o Pick one…
    o Minto method
    o Or… just ask!
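The run chart recommended above for the Board is the view that carries a forecast. The following added example in Python (not the presentation's or CPS's own code) fits a least-squares trend line to constructed monthly Confidentiality scores, projects it forward, reports how many months the current trend needs to reach a target score, and renders a text run chart. MONTHLY_SCORES, MAX_SCORE, the 85/92 target and the choice of a straight-line trend are all assumptions.

```python
"""Run chart with forecast: fit a trend line to monthly category scores.

Added example, not from the presentation. The monthly scores are constructed;
the deck only says a run chart gives a quick summary, shows a forecast and
helps ask for funding. A plain least-squares line is assumed as the forecast.
"""
from typing import List, Optional, Sequence, Tuple

# Constructed monthly Confidentiality scores out of 92 (the slide's denominator); not CPS data.
MONTHLY_SCORES = [70, 72, 75, 74, 78, 80]
MAX_SCORE = 92


def linear_fit(ys: Sequence[float]) -> Tuple[float, float]:
    """Ordinary least squares of ys against month index 0..n-1; returns (slope, intercept)."""
    n = len(ys)
    if n < 2:
        raise ValueError("need at least two months to fit a trend")
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def forecast(ys: Sequence[float], months_ahead: int, max_score: float) -> List[float]:
    """Project the trend line months_ahead past the last observation, clamped to [0, max_score]."""
    slope, intercept = linear_fit(ys)
    n = len(ys)
    return [round(min(max_score, max(0.0, intercept + slope * (n + k))), 1) for k in range(months_ahead)]


def months_to_target(ys: Sequence[float], target: float, limit: int = 36) -> Optional[int]:
    """Months until the projected score first reaches target: 0 if already there,
    None if the trend is flat or falling or does not get there within limit months."""
    if ys[-1] >= target:
        return 0
    slope, intercept = linear_fit(ys)
    if slope <= 0:
        return None
    n = len(ys)
    for k in range(1, limit + 1):
        if intercept + slope * (n - 1 + k) >= target:
            return k
    return None


def ascii_run_chart(actual: Sequence[float], projected: Sequence[float],
                    max_score: float, width: int = 40) -> List[str]:
    """Text run chart: one bar per month, forecast months marked with '*'."""
    rows = []
    for i, v in enumerate(list(actual) + list(projected)):
        marker = "*" if i >= len(actual) else " "
        bar = "#" * round(width * v / max_score)
        rows.append(f"M{i + 1:02d}{marker} {bar} {v:.1f}")
    return rows


if __name__ == "__main__":
    ahead = forecast(MONTHLY_SCORES, 3, MAX_SCORE)
    print("\n".join(ascii_run_chart(MONTHLY_SCORES, ahead, MAX_SCORE)))
    print("months until 85/92 at the current trend:", months_to_target(MONTHLY_SCORES, 85))
```

The months-to-target figure is what turns the chart into a funding conversation: a flat or falling trend (None) says the current effort will not reach the target at all, which is a different ask from "three more months".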

Page 19

Page 20

Summary – Run Chart

Page 21

Magic Quadrant - Example

Page 22

Risk and Effort Ratings – Example

Page 23

How does this help?

o Now you have had a better conversation with your CISO or CIO and the Executive Team.
o You have shed light onto the security operations and given the executive team the opportunity to ask questions.
o If the executive team knows that company IP, brand reputation, and revenue streams are at risk, maybe they will give you some funding to lower that risk.
o Solicit feedback – you have to ask!
  o Find out what else the exec team wants to know
  o Have a clear discussion with your CISO or CIO of what you want
  o Find out how to make it clearer
  o Remember it is evolving

Page 24

What we did…

o What to Measure
o Metrics
o Aggregation
o Presenting your Results
o Risk and Effort

Page 25

Questions

Edward Marchewka
@ejmarchewka
http://bit.ly/marchewka
[email protected]