![Page 1: Building and Measuring a Cybersecurity Program › wp-content › uploads › 2019 › 10 › 191010-04 … · and Risk Management Plan and Design with Security from the Start Always](https://reader033.vdocument.in/reader033/viewer/2022053018/5f21b76350f2f36fad36fbde/html5/thumbnails/1.jpg)
Building and Measuring a Cybersecurity Program
Michael Miranda
Michael Miranda
• Assistant Professor, Information Security, UH West Oahu
• Principal Consultant, SPARTIX
• Director of Information Security, Hawaiian Telcom
• Program Manager – Cybersecurity, Referentia
• Cybersecurity, Programmer – Northrop Grumman, Verizon – DoD Contractor
• Attorney
• GCFA, GSNA, GCIA, GREM
• Gonzaga U., UH Manoa, U of Central Florida
• Maryknoll Grad
Step 1
• Focus on YOU
• Don’t chase threats…yet
• YOU means YOU, whatever your current position in the organization is and wherever you have influence
• You do not need to wait for some other voice above to start executing the basics of cybersecurity
A cybersecurity program is the sum of all the efforts of all the stakeholders in the organization.
Management and Admin
Planning, Design and Engineering
Operations and Field
Policy, Procedure and Risk Management
Plan and Design with Security from the Start
Always execute using cybersecurity best practices
There is no magic here.
No need to reinvent the wheel.
Step 2
• Leverage Published Standards
• There is security guidance for nearly every aspect of cybersecurity.
Management and Admin
• NIST Cybersecurity Framework
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
• Center for Internet Security
  • Top 20 Controls
Operations and Field
• NIST Computer Security Incident Handling Guide
• MITRE Ten Strategies of a World-Class Cybersecurity Operations Center
• Cyber Incident Handling Program – Chairman of the Joint Chiefs of Staff Manual
• Cybersecurity Technical Training is For All
  • SANS
  • Offensive Security
Planning, Design and Engineering
• Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies
• Secure network design of a critical infrastructure network
• Center for Internet Security
  • Benchmarks – secure configuration guidelines for various technology (e.g. workstations, servers, operating systems, applications)
• Account Policies
• Local Policies
• Security Options
  • Accounts, Audit, DCOM, Devices, Domain Controller, Domain Member, Microsoft Network Client, Microsoft Network Server, Network Access, Network Security, Recovery Console, Shutdown, System Cryptography, System Objects, System Settings, User Account Control
• Event Log
• Restricted Groups
• System Services
• Registry
• File System
• Wired Network Policies
• Windows Firewall with Advanced Security
• Network List Manager Policies, etc.
“If you can’t measure it, you can’t improve it.”
-- Peter Drucker
Step 3
• Measure your activities
• SMART Milestones
  • Specific
  • Measurable (percentage, YES/NO)
  • Assignable (accountable)
  • Realistic
  • Time-related
• Goal is to ascertain overall risk
Which Models for Metrics?
Everyone has ideas…
CIS Controls V7 Measures & Metrics
• Active Device Discovery System
• Anti-Spam Gateway
• Application Aware Firewall
• Asset Inventory System
• Backup / Recovery System
• Data Inventory / Classification System
• Dedicated Administration Systems
• DNS Domain Filtering System
• Endpoint Protection System
• Host Based Data Loss Prevention (DLP) System
• Host Based Firewall
• Identity & Access Management System
• Incident Management Plans
• Log Management System / SIEM
• Multi-Factor Authentication System
• Network Based Data Loss Prevention (DLP) System
• Network Based Intrusion Detection System (NIDS)
• Network Based Intrusion Prevention System (IPS)
• Network Device Management System
• Network Firewall / Access Control System
• Network Level Authentication (NLA)
• Network Packet Capture System
• Network Time Protocol (NTP) Systems
• Network URL Filtering System
• Passive Device Discovery System
• Patch Management System
• Penetration Testing Plans
• Privileged Account Management System
• Public Key Infrastructure (PKI)
• SCAP Based Vulnerability Management System
• Secure Coding Standards
• Software Application Inventory
• Software Vulnerability Scanning Tool
• Software Whitelisting System
• System Configuration Baselines & Images
• System Configuration Enforcement System
• Training / Awareness Education Plans
• Web Application Firewall (WAF)
• Whole Disk Encryption System
• Wireless Intrusion Detection System (WIDS)
CIS Controls V7 Measures & Metrics
What percentage of the organization's unauthorized assets have not been removed from the network, quarantined or added to the inventory in a timely manner?
• Inventory all assets (physical and on the network)
• Process for identifying authorized devices
• Process for removing, isolating or adding to the official inventory
• Risk-based determination of how long each activity should take to occur
• Who does each activity enumerated above?
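The metric above can be computed directly once the four inputs the slide lists exist (an inventory, a discovery feed, a handling record and a risk-based time limit). The following is an added example, not part of the slides or of the CIS Controls; the MAC addresses, owners, timestamps and 24-hour limit are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data: the official inventory of authorized devices.
INVENTORY = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

@dataclass
class Sighting:
    mac: str
    first_seen: datetime             # when active/passive discovery first saw the device
    handled_at: Optional[datetime]   # removed, quarantined or added to inventory; None = still open
    owner: str                       # accountable party (the "Assignable" in SMART)

# Constructed discovery results, to be compared against INVENTORY.
SIGHTINGS = [
    Sighting("00:11:22:33:44:01", datetime(2019, 10, 8, 9, 0), None, "netops"),                         # authorized
    Sighting("aa:bb:cc:00:00:01", datetime(2019, 10, 8, 9, 0), datetime(2019, 10, 8, 15, 0), "netops"), # handled in 6 h
    Sighting("aa:bb:cc:00:00:02", datetime(2019, 10, 8, 9, 0), datetime(2019, 10, 9, 18, 0), "netops"), # handled after 33 h
    Sighting("aa:bb:cc:00:00:03", datetime(2019, 10, 10, 8, 0), None, "field"),                         # open, within limit
    Sighting("aa:bb:cc:00:00:04", datetime(2019, 10, 7, 10, 0), None, "field"),                         # open, overdue
]
NOW = datetime(2019, 10, 10, 12, 0)
SLA = timedelta(hours=24)   # constructed risk-based limit for handling an unauthorized device

def is_late(s: Sighting, sla: timedelta, now: datetime) -> bool:
    """True if the device was not handled within the risk-based limit.
    An open case counts as late only once the clock has run past its deadline."""
    deadline = s.first_seen + sla
    handled = s.handled_at if s.handled_at is not None else now
    return handled > deadline

def unauthorized_not_handled_pct(sightings, inventory, sla, now) -> float:
    """Percentage of unauthorized assets not removed, quarantined or
    added to the inventory in a timely manner (the slide's question)."""
    unauthorized = [s for s in sightings if s.mac not in inventory]
    if not unauthorized:
        return 0.0
    late = sum(1 for s in unauthorized if is_late(s, sla, now))
    return round(100.0 * late / len(unauthorized), 1)

def overdue_by_owner(sightings, inventory, sla, now) -> dict:
    """Still-open, overdue unauthorized devices grouped by accountable owner."""
    counts: dict = {}
    for s in sightings:
        if s.mac not in inventory and s.handled_at is None and is_late(s, sla, now):
            counts[s.owner] = counts.get(s.owner, 0) + 1
    return counts

if __name__ == "__main__":
    print(unauthorized_not_handled_pct(SIGHTINGS, INVENTORY, SLA, NOW))  # 50.0
    print(overdue_by_owner(SIGHTINGS, INVENTORY, SLA, NOW))              # {'field': 1}
```

Authorized devices are excluded from the denominator, so the percentage tracks only the handling of unauthorized assets, and the per-owner breakdown supplies the "who" the slide asks for.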
Summary
1. Focus on YOU and your sphere of influence and control
  • Management and Administration
  • Planning, Design and Engineering
  • Operations and Field
2. Leverage published standards to implement cybersecurity
3. Measure your activities
IF YOU DON’T HAVE A CISO, YOU CAN STILL DO THIS TO PROTECT OUR WATER SYSTEMS