Digital Self-Defense & Preparation

Richard Long, Senior Advisory Consultant, MHA Consulting / August 11, 2021


Page 1: Digital Self-Defense & Preparation (title slide)

Page 2: Company Background

A simple mission: ensure the continuous operations of our clients’ critical processes.

A 20-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.

We seek to partner with clients who have a commitment to BCM versus a check-the-box mentality.

Key facts:

• SaaS Tools: BIA On-Demand, BCM One, Compliance Confidence, Residual Risk.
• 20 years in operation.
• 20 average years industry experience.
• CAPABLE: comprehensive suite of services.
• GLOBAL: diverse, global client base.
• SAAS: compliance and risk tools.

Senior leadership:

• Michael A. Herrera, CBCP, Chief Executive Officer, Phoenix, Arizona (www.mha-it.com, www.bcmmetrics.com)
• Richard Long, Practice Leader & Senior Advisory Consultant, Phoenix, Arizona (www.mha-it.com, www.bcmmetrics.com)

© 2021 MHA CONSULTING. ALL RIGHTS RESERVED. 2

Page 3: Unique or Competitive Advantage

Healthcare, Financial Institutions, Services & Technology, Education, Consumer Products, Government/Utility, Insurance, Travel & Entertainment.

Page 4: Robust Suite of Services

ASSESS CURRENT ENVIRONMENT
• Current State
• Policy & Standards
• Business Impact Analysis
• Threat & Risk Assessment

CONTINUITY STRATEGIES & SOLUTIONS
• Business Continuity Strategies & Solutions
• IT Services Continuity Strategies & Solutions
• Supply Chain Continuity Strategies & Solutions

RESPONSE & RECOVERY PLANS
• Crisis Management
• Business Recovery
• IT Disaster Recovery
• Supply Chain Recovery

EXERCISES
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises
• Component, Full and Business Process Failovers
• Coordinated Third Party Exercises

CONTINUOUS IMPROVEMENT
• On-going Training & Awareness Programs
• Post-Exercise Improvement Programs
• Refresh Current State Assessment
• Update BIAs & Threat Assessment
• Third Party Assessments
• Monitor & Measure Resilience Improvement

Page 5: Cyber Defense

Data/Network Security Preparedness or Cyber Self Defense

Definition: … proactive planning, training, monitoring and implementing defensive tools to oppose and minimize impact to a breach of an organization’s data and processing network. It includes both preventative and reactive planning.

“It’s not if, but when…”

Page 6: The Session

Prevention:
• Employee training & development
• File sharing protocols & limitations
• Spam filters, firewalls & file scanning
• Software & server patching
• Migration from unsupported environments

Preparation:
• Security response plan
• Developing manual workarounds
• Backups & data protection
• Testing the recovery process
• Capability to isolate compromised devices
• Capability to shut down the environment

Page 7: Trends and the Future

Trends impacting network/data security planning:
• Few organizations are fully protected
• Little to no emphasis on training/exercises
• Belief we are “just as smart” as the threat actors
• Little functional documentation – rely on reaction
• Don’t incorporate external agencies and partners
• People are the biggest risk
• No standardized Incident Management process

The next evolution of protections:
• Risk based access
• Zero Trust Model
• Third Party Risk Management
• Biometric access
• Physical Security Control
• Increased awareness training
• Protections for remote workers

Page 8: Incident Priorities & Objectives

• Business Restoration
• Asset Preservation
• Incident Stabilization
• Data Protection

Page 9: A.P.I.E.

Use the Assess, Plan, Implement and Evaluate approach to size up the incident and define a plan of action. A.P.I.E. consists of:

• Assess: What is the current situation?
• Plan: What steps are needed to address the current situation?
• Implement: What resources do we need to assign to execute steps to address the current situation?
• Evaluate: How well did we execute to plan and what needs to be addressed?

Page 10: Prevention

Page 11: Employee Training & Development

People are the biggest risk. 90% of breaches are due to human error.

• Security Awareness Training: good formal programs exist.
• Social Engineering Tests: more than just phishing.
• Phishing Tests: use multiple levels to keep people sharp and meet their abilities.
• Physical Access Tests: unknown people accessing locations they should not.

Page 12: Technology

Technology considerations:
• Multi-factor authentication
• Spam filtering
• Updated and robust firewall rules
• Device Management
• File scanning upon downloads
• Encryption
• Strong and changing passwords; ensure service accounts are included
• Biometrics
• Log monitoring or SIM (Security Information Management)
• Privileged accounts
• Unsupported environments
• Segregated networking

Governance considerations:
• Cyber Policy: computer use, data sharing, scope, hierarchical
• Perform a Risk Assessment
• Penetration testing
• Cyber Steering Committee: cross departmental
• Third-Party Controls & Assessment
• Remote work policies & oversight
• Physical access policies
• Patching policies & oversight

Page 13: Prevention Thoughts

People:
• Insider threats
• Sensitive access
• Repeated simulation failures
• Continual & changing education

3rd Party:
• Ensure their readiness
• Risk to your organization: technology providers, service providers
• Pipeline outage

Assess:
• Recent cyber events
• Historical events
• Your industry
• Third-party access

Access:
• Zero trust: access granted at each stage
• Cultural change
• Physical access to devices: plug in flash drive

Page 14: Preparation

Page 15: Security Response Plan

Documentation (what it is not):
• Policy and summary description of what you will do
• Description of roles and responsibilities
• Narrative of the definition of security response, why it is important, etc.

Actions:
• ESTABLISH command.
• ASSESS the risks.
• COMMUNICATE to whom and when.
• EXECUTE your approach to address risks.
• 3rd Parties who will assist and how.

Page 16: Security Response Plan

Documentation (what it is):
• Notification/coordination of response team.
• Functional checklist/action plan for execution:
  • How will analysis be performed
  • How will network or devices be isolated
  • Communication tasks
• Template for communications:
  • When to contact outside stakeholders
  • When to contact internal stakeholders
• Pre-determined decisions:
  • Criteria: will shutdown occur
  • When to contact forensics, insurance, law enforcement
• Third party integration tasks:
  • Tasks and needs from service providers
  • Tasks and needs from law enforcement and insurance
• Insurance and law enforcement integration
• Business department integration: Legal, Finance, Security, PR/Communications
• Incident Response/Command Integration: role; stand up/down

Actions:
• ESTABLISH command.
• ASSESS the risks.
• COMMUNICATE to whom and when.
• EXECUTE your approach to address risks.
• 3rd Parties who will assist and how.

Page 17: Manual Workarounds - Considerations

• Document assumptions for those services that remain up.
• All areas need to address actions to implement if there is no access to technology on the network:
  • Assume 2 weeks or more without technology.
  • Identify/develop manual forms; requires creative thought.
  • What cloud services will be available/useful?
• Identify activation tasks: those actions taken when notified that the network/applications are going down.
• Payroll: don’t assume you can just pay the last pay period; pay for staff furloughed.
• Runner needs for on-site staff.
• Alternate supply, shipping, manufacturing.
• Vendor/3rd party support available.
• Protection of downtime devices if part of dependencies.
• Implications to manual processes when portions of the environment are up.

Page 18: Network/Device Isolation/Segmentation

Appropriate isolation and segmentation will help to protect during an attack and limit impact.

• Perform data analysis that defines micro-segments and different levels of authorization based on user, device and location.
• Define the requirements for segmentation and network authorization levels based on user, device and location.
• Draw up a network architecture that shows the number of segments and the number and type of control points between segments.
• Use network access controls, firewalls and intrusion prevention systems as part of the network segmentation implementation.
• Develop a baseline profile for each user: who they are, what devices they use, where they connect from, and how they authenticate. Monitor user behavior based on that profile.
• Leverage network management tools to analyze network traffic and compare it to defined segments.
• Implement appropriate segmentation for locations and network.
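The baseline-profile and segment-comparison steps on this slide, as an added Python example that is not part of the MHA Consulting deck: it builds a per-user baseline (devices, locations, authentication method) from constructed historical sign-in events, flags new events that deviate from that baseline, and checks a flow between two segments against a constructed control-point policy. All users, device names, locations, segments and control points are assumed for the illustration.

```python
"""Baseline-profile monitoring and segment-policy checks (added example).

Not part of the MHA Consulting deck. Users, devices, locations, segments and
control points below are constructed for the illustration.
"""
from collections import defaultdict

# Constructed historical sign-in events: (user, device, location, auth method).
HISTORY = [
    ("alice", "LT-0001", "phoenix-office", "mfa"),
    ("alice", "LT-0001", "phoenix-office", "mfa"),
    ("alice", "LT-0001", "home-vpn", "mfa"),
    ("bob", "LT-0002", "phoenix-office", "mfa"),
    ("bob", "LT-0002", "phoenix-office", "mfa"),
    ("svc-backup", "SRV-BK01", "datacenter", "certificate"),
]

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "LT-0001", "home-vpn", "mfa"),               # within baseline
    ("bob", "UNKNOWN-77", "overseas", "password"),         # new device, new place, weaker auth
    ("svc-backup", "SRV-BK01", "datacenter", "password"),  # service account downgraded auth
    ("mallory", "LT-0009", "phoenix-office", "mfa"),       # no history at all
]

# Authentication methods ordered weakest to strongest, to detect a downgrade.
AUTH_STRENGTH = {"password": 1, "mfa": 2, "certificate": 3}


def build_baselines(events):
    """Return {user: {"devices": set, "locations": set, "auth": set}}."""
    profiles = defaultdict(lambda: {"devices": set(), "locations": set(), "auth": set()})
    for user, device, location, auth in events:
        profiles[user]["devices"].add(device)
        profiles[user]["locations"].add(location)
        profiles[user]["auth"].add(auth)
    return dict(profiles)


def score_event(event, profiles):
    """Return the deviation reasons for one event; an empty list means normal."""
    user, device, location, auth = event
    if user not in profiles:
        return ["no baseline for user"]
    p = profiles[user]
    reasons = []
    if device not in p["devices"]:
        reasons.append("unknown device")
    if location not in p["locations"]:
        reasons.append("unknown location")
    if AUTH_STRENGTH[auth] < max(AUTH_STRENGTH[a] for a in p["auth"]):
        reasons.append("weaker authentication than baseline")
    return reasons


def review_events(events, profiles):
    """Return [(event, reasons)] for every event that deviates from its baseline."""
    findings = []
    for event in events:
        reasons = score_event(event, profiles)
        if reasons:
            findings.append((event, reasons))
    return findings


# Constructed segment policy: permitted (source, destination) segment pairs and
# the control point (firewall/NAC) that enforces each one.
SEGMENT_POLICY = {
    ("user-lan", "app-tier"): "fw-core-01",
    ("app-tier", "db-tier"): "fw-dc-01",
    ("mgmt", "db-tier"): "fw-dc-01",
}


def check_flow(src_segment, dst_segment):
    """Return the enforcing control point for an allowed cross-segment flow,
    'same-segment' for intra-segment traffic, or None when the flow crosses
    segments with no defined control point (a gap in the architecture)."""
    if src_segment == dst_segment:
        return "same-segment"
    return SEGMENT_POLICY.get((src_segment, dst_segment))


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for event, reasons in review_events(NEW_EVENTS, baselines):
        print(f"{event[0]}: {', '.join(reasons)}")
    for flow in [("user-lan", "app-tier"), ("user-lan", "db-tier")]:
        print(flow, "->", check_flow(*flow) or "no control point defined")
```

The baseline is deliberately simple (set membership plus an authentication-strength ordering); in practice the same structure is fed from the identity provider and VPN logs, and a `None` from `check_flow` is the signal that two segments talk to each other without a documented control point.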

Page 19: Shutdown/Recovery

Shutdown considerations:
• Two situations: quick and controlled.
• Identify a shutdown checklist for both options.
  • Ensure dependencies are understood.
  • Devices could be manually disconnected from the network as part of the preparation phase if needed/possible.
• Document isolation based on network segmentation.
• Script shutdown process(es).
• End device images must be part of shutdown.
• Cloud access/services.
• Determine estimated timeline: don’t overestimate capability; understand reality.

Recovery considerations:
• Detailed understanding of RTO/RPO and priority within tiers.
• Security assessment/assessment of backups/data protection.
• End device rebuild.
• Cloud-based authentication.
• Base config off-line environment.
• Prioritization of service/location.
• Detailed checklist with dependencies:
  • Ensure all appliances, devices, servers noted.
  • Ensure DB/App/services mappings and order are considered: Network -> authentication -> Tier 0 services -> Tier 1+ services.
  • What can be done in parallel.
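The dependency-ordered checklist on this slide (Network -> authentication -> Tier 0 -> Tier 1+, with a view of what can run in parallel, and the scripted shutdown as its mirror image), as an added Python example that is not taken from the deck: it levels a constructed component inventory into recovery waves, derives the controlled-shutdown order as the reverse, and fails loudly when a dependency is undocumented or circular. Component names, tiers and dependencies are assumed for the illustration.

```python
"""Dependency-ordered recovery and shutdown waves (added example).

Not part of the MHA Consulting deck. The inventory, tiers and dependencies
below are constructed for the illustration.
"""

# Constructed inventory: component -> (tier, components it depends on).
# Tier 0 is the foundation (network, authentication); higher tiers build on it.
INVENTORY = {
    "core-switch":   (0, set()),
    "firewall":      (0, {"core-switch"}),
    "dns":           (0, {"core-switch"}),
    "ad-domain":     (0, {"dns", "core-switch"}),
    "storage-array": (0, {"core-switch"}),
    "db-erp":        (1, {"storage-array", "ad-domain"}),
    "app-erp":       (1, {"db-erp", "ad-domain"}),
    "db-hr":         (1, {"storage-array", "ad-domain"}),
    "app-hr":        (2, {"db-hr", "ad-domain"}),
    "vdi-pool":      (2, {"ad-domain", "firewall"}),
}


def undocumented_dependencies(inventory):
    """Return {component: [missing deps]} for dependencies absent from the
    inventory, so 'ensure all appliances, devices, servers noted' fails loudly."""
    known = set(inventory)
    missing = {}
    for comp, (_, deps) in inventory.items():
        unknown = sorted(deps - known)
        if unknown:
            missing[comp] = unknown
    return missing


def recovery_waves(inventory):
    """Level the dependency graph: each wave holds components whose
    dependencies are all in earlier waves, so one wave can be recovered in
    parallel. Raises ValueError on undocumented dependencies or a cycle."""
    missing = undocumented_dependencies(inventory)
    if missing:
        raise ValueError(f"undocumented dependencies: {missing}")
    remaining = {comp: set(deps) for comp, (_, deps) in inventory.items()}
    waves = []
    while remaining:
        ready = sorted(comp for comp, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(ready)
        for comp in ready:
            del remaining[comp]
        for deps in remaining.values():
            deps.difference_update(ready)
    return waves


def shutdown_waves(inventory):
    """Controlled shutdown is the recovery order reversed: dependants go first."""
    return list(reversed(recovery_waves(inventory)))


def order_violations(inventory, waves):
    """Return (component, dependency) pairs scheduled out of order; empty = OK."""
    position = {comp: i for i, wave in enumerate(waves) for comp in wave}
    return [
        (comp, dep)
        for comp, (_, deps) in inventory.items()
        for dep in sorted(deps)
        if position[dep] >= position[comp]
    ]


def describe(inventory, waves):
    """Render the checklist with tiers, e.g. 'Wave 2: ad-domain (tier 0)'."""
    return [
        f"Wave {i}: " + ", ".join(f"{c} (tier {inventory[c][0]})" for c in wave)
        for i, wave in enumerate(waves)
    ]


if __name__ == "__main__":
    waves = recovery_waves(INVENTORY)
    print("Recovery order:")
    print("\n".join(describe(INVENTORY, waves)))
    print("Shutdown order:")
    print("\n".join(describe(INVENTORY, shutdown_waves(INVENTORY))))
    print("Violations:", order_violations(INVENTORY, waves))
```

Note that the waves follow the dependency graph rather than the tier labels: a tier-2 component whose only dependencies are in tier 0 (the VDI pool here) lands in the same wave as the tier-1 databases, which is exactly the "what can be done in parallel" question the slide asks; the tier field is still carried through `describe()` so the checklist can be reviewed against the intended priority.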

Page 20: Backups/Data Protection

Considerations:
• Understand actual RPO needs.
• Verify all data is backed up. No exceptions; include dev/test.
• Replication for short RPO (< 12 hours).
• Architect for full recovery, not just DR exercise or operational needs.
• Immutable backups/replication for production: cannot be overwritten or accessed; off-network is best.
• End device images must be part of immutable backups.
• Appliance/network device configurations.
• Authentication (AD/DNS): don’t rely on cloud that is always connected to your network.

Preparation capability verification:
• Regular (monthly/quarterly) tests of recovery capability for all tiers. Don’t rely on just operational restore requests.
• Include backup restores as part of DR exercises. Include replicated environments as well.
• Perform stress tests to see how many parallel streams/recoveries can be done.
• Document time to recovery for each tier to identify whether it will meet RTO.
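The considerations and verification items on this slide, as an added Python example that is not from the MHA Consulting deck: it runs policy checks over a constructed backup inventory (everything backed up including dev/test, replication where RPO is under 12 hours, immutable and off-network copies for production, authentication not dependent on an always-connected cloud copy) and then estimates time to recovery per tier from constructed stress-test figures (restore throughput per stream and parallel streams), accumulating across tiers because Tier 0 restores before Tier 1+, and compares the result with each tier's RTO. Dataset names, sizes, targets and throughput numbers are all assumed.

```python
"""Backup-posture checks and time-to-recover per tier (added example).

Not part of the MHA Consulting deck. Datasets, sizes, RPO/RTO targets and
stress-test figures below are constructed for the illustration.
"""

# Constructed inventory. Sizes in GB; RPO in hours.
DATASETS = [
    {"name": "ad-domain", "tier": 0, "env": "prod", "size_gb": 40, "rpo_h": 4,
     "backup": True, "replicated": True, "immutable": True, "off_network": True,
     "cloud_only": False},
    {"name": "dns-config", "tier": 0, "env": "prod", "size_gb": 1, "rpo_h": 24,
     "backup": True, "replicated": False, "immutable": True, "off_network": True,
     "cloud_only": False},
    {"name": "idp-cloud", "tier": 0, "env": "prod", "size_gb": 5, "rpo_h": 4,
     "backup": True, "replicated": True, "immutable": False, "off_network": False,
     "cloud_only": True},
    {"name": "erp-db", "tier": 1, "env": "prod", "size_gb": 4000, "rpo_h": 6,
     "backup": True, "replicated": True, "immutable": True, "off_network": False,
     "cloud_only": False},
    {"name": "hr-db", "tier": 1, "env": "prod", "size_gb": 500, "rpo_h": 24,
     "backup": True, "replicated": False, "immutable": True, "off_network": True,
     "cloud_only": False},
    {"name": "erp-db-test", "tier": 2, "env": "test", "size_gb": 800, "rpo_h": 72,
     "backup": False, "replicated": False, "immutable": False, "off_network": False,
     "cloud_only": False},
]

SHORT_RPO_H = 12  # slide: replication for short RPO (< 12 hours)

# Constructed stress-test results: sustained restore throughput per stream and
# how many streams ran in parallel before the backup platform saturated.
STRESS_TEST = {"gb_per_hour_per_stream": 250, "parallel_streams": 4}

# Constructed RTO targets per tier, in hours.
RTO_H = {0: 4, 1: 12, 2: 48}


def check_dataset(d):
    """Return the list of policy gaps for one dataset (empty = compliant)."""
    gaps = []
    if not d["backup"]:
        gaps.append("not backed up (no exceptions, dev/test included)")
    if d["rpo_h"] < SHORT_RPO_H and not d["replicated"]:
        gaps.append(f"RPO {d['rpo_h']}h is under {SHORT_RPO_H}h but not replicated")
    if d["env"] == "prod" and not d["immutable"]:
        gaps.append("production copy is not immutable")
    if d["env"] == "prod" and not d["off_network"]:
        gaps.append("no off-network copy")
    if d["tier"] == 0 and d["cloud_only"]:
        gaps.append("authentication relies on an always-connected cloud copy")
    return gaps


def audit(datasets):
    """Return {name: gaps} for every dataset with at least one gap."""
    findings = {}
    for d in datasets:
        gaps = check_dataset(d)
        if gaps:
            findings[d["name"]] = gaps
    return findings


def tier_restore_hours(datasets, tier, stress=STRESS_TEST):
    """Estimate hours to restore all datasets of one tier when restores are
    spread over the parallel streams measured in the stress test. Largest
    datasets are placed first on the least-loaded stream (greedy makespan)."""
    sizes = sorted((d["size_gb"] for d in datasets if d["tier"] == tier), reverse=True)
    streams = [0.0] * stress["parallel_streams"]
    for size in sizes:
        i = streams.index(min(streams))
        streams[i] += size / stress["gb_per_hour_per_stream"]
    return max(streams)


def rto_report(datasets, rto=RTO_H):
    """Return {tier: (elapsed_hours, rto_hours, meets_rto)}. Tiers restore in
    order (Tier 0 before Tier 1+), so elapsed time accumulates across tiers."""
    report, elapsed = {}, 0.0
    for tier in sorted(rto):
        elapsed += tier_restore_hours(datasets, tier)
        report[tier] = (elapsed, rto[tier], elapsed <= rto[tier])
    return report


if __name__ == "__main__":
    for name, gaps in audit(DATASETS).items():
        print(f"{name}: {'; '.join(gaps)}")
    for tier, (hours, target, ok) in rto_report(DATASETS).items():
        print(f"tier {tier}: {hours:.2f}h elapsed vs RTO {target}h -> {'OK' if ok else 'MISS'}")
```

With the constructed numbers the tier-1 ERP database alone takes 16 hours on a single stream, so tier 1 misses its 12-hour RTO even though every dataset in it is backed up; that is the kind of finding the slide's "document time to recovery for each tier" item is meant to surface before an incident rather than during one.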

Page 21: Testing the Recovery

More than a DR or Mock Exercise

• Incident Command: stand up and down.
• Integrated BC plan/action simulated:
  • Include full business process and use the manual processes.
  • Include when portions of the technology are available.
• Simulate rebuild scenario:
  • Include end devices, cloud access, 3rd parties.
  • Stress tests – “all” environment tests.
• Integration of technology recovery with manual processes.
• Use all exercise types (Mock, Tabletop, Simulated Recovery) for both Business and Technology.

Page 22: Additional Resources

Multiple resources:
• https://www.ready.gov/cybersecurity
• https://www.cisa.gov/cyber-essentials
• https://www.dhs.gov/be-cyber-smart
• https://www.fbi.gov/investigate/cyber
• Your technology providers
• Your cyber insurance carriers

REMEMBER: If you think you are smarter than the threat actors, that is like clicking on a phishing link.

Page 23: Final Thoughts

Things to think about:
• Executable security response plan
• Detailed shutdown and recovery plans
• Verify capability via testing
• Train people
• Implement appropriate technology solutions
• Don’t forget 3rd party risk and include in preparations
• Governance and continued oversight
• Functional and defined manual workarounds
• Data protection review and assessment

Page 24: Thank You!

Questions?

Richard Long, [email protected], (602) 370-1864