A Prioritized Approach to Implement the NIST CSF
- Slides: 43
A Prioritized Approach to Implement the NIST CSF using the CIS Critical Security Controls Brian Ventura SANS Community Instructor ISSA Portland, Director of Education water@bighead. org @brianwifaneye
Who am I? Brian Ventura 20+ years in Information Technology, ranging from systems administration to project management and information security. Currently an Information Security Architect in Portland, Oregon and volunteer as the Director of Education for the Portland ISSA Chapter. Brian holds his CISSP, GSEC, GCFA, and GCCC, as well as other industry certifications. As the ISSA Director of Education, Brian coordinates relevant local and online training opportunities. Timbers Army, Thorns Riveter, bike commuter, Land Cruiser enthusiast https: //www. sans. org/instructors/brian-ventura SEC 440: Critical Security Controls: Planning, Implementing and Auditing SEC 566: Implementing and Auditing the Critical Security Controls - In-Depth MGT 414: SANS Training Program for CISSP® Certification Coming Soon… SEC 401: Security Essentials Bootcamp Style
City of Portland Delivery of services and value to Bureaus Align security strategy with business risk
NIST Framework+ City of Portland’s Adoption of CSF • Risk & remediation prioritization • Maturity gaps and selective metrics • Alignment of business risk to CSC • Budget & resource prioritization
NIST Framework
NIST Framework+
NIST Framework+ Info. Sec Service Catalog Risk Management CSC Top Twenty Budget: - Actual - Unfunded - Projections 3 year plan Maturity Matrix - Current State - Challenges - Progress - Investment - Future State KPI – Metrics 3 -year Quarter by Quarter Project Roadmap
NIST Framework+
NIST Framework+ Service Catalog
NIST+ Risk and Critical Security Controls
NIST+ Budget
NIST+ Maturity
NIST Roadmap
Governance
Operations
CIS Critical Security Controls Foundational Cyber Hygiene controls Prioritized order
CIS Critical Security Controls 1. Inventory of Authorized and Unauthorized Devices 11. Secure Configurations for Network Devices 2. Inventory of Authorized and Unauthorized Software 12. Boundary Defense 3. Secure Configurations for Hardware and Software 14. Controlled Access Based on the Need to Know 4. Continuous Vulnerability Assessment and Remediation 15. Wireless Access Control 5. Controlled Use of Administrative Privileges 13. Data Protection 16. Account Monitoring and Control 17. Security Skills Assessment and 6. Maintenance, Monitoring, and Analysis of Audit Appropriate Training to Fill Gaps Logs 18. Application Software Security 7. Email and Web Browser Protections 8. Malware Defenses 9. Limitation and Control of Network Ports 19. Incident Response and Management 20. Penetration Tests and Red Team Exercises
CIS Critical Security Control 1: Inventory of authorized and unauthorized devices Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. • Workstations, servers, printers, TVs, phones, what else? How do we find these?
CIS Critical Security Control 1: Inventory of authorized and unauthorized devices
CIS Critical Security Control 1: Inventory of authorized and unauthorized devices
CIS Critical Security Control 1: Inventory of authorized and unauthorized devices
CIS Critical Security Control 2: Inventory of authorized and unauthorized Software Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. • We need an inventory and a way to manage appropriate use of software!
CIS Critical Security Control 2: Inventory of authorized and unauthorized Software
CIS Critical Security Control 2: Inventory of authorized and unauthorized Software
CIS Critical Security Control 3: Secure configurations for hardware and software Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. • Example: Is our webserver using TLS for authentication/sensitive data transfers? Are our users using strong passwords?
CIS Critical Security Control 3: Secure configurations for hardware and software
CIS Critical Security Control 3: Secure configurations for hardware and software
CIS Critical Security Control 4: Continuous vulnerability assessment and remediation Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. • Are there vulnerabilities in our installed versions of Java, Flash, Windows, others?
CIS Critical Security Control 4: Continuous vulnerability assessment and remediation
CIS Critical Security Control 4: Continuous vulnerability assessment and remediation
CIS Critical Security Control 5: Controlled use of administrative privileges The misuse of administrative privileges is a primary method for attackers to move laterally inside a target enterprise. • This applies to any device: workstations, servers, applications, appliances, network devices.
CIS Critical Security Control 5: Controlled use of administrative privileges
CIS Critical Security Control 5: Controlled use of administrative privileges
Audit. Scripts: CSC Initial Assessment Tool Maintained and provided by CSC Editor James Taralla
Questions?
Links and Resources Center for Internet Security (CIS): https: //www. cisecurity. org/ NIST Cyber Security Framework (CSF): http: //www. nist. gov/cyberframework/ CIS Critical Security Controls (CSC): https: //www. cisecurity. org/critical-controls. cfm Auditscripts resources (provided by James Tarala, CSC Editor): https: //www. auditscripts. com/freeresources/critical-security-controls/ CSF planning spreadsheet: http: //www. tenable. com/whitepapers/nist-csfimplementation-planning-tool https: //www. sans. org/instructors/brian-ventura
My bobs workday
Implement tasks that promote reasoning and problem solving
Reiser implement
Implement imi
Your startup wants to implement an order fulfillment
Strategic management chapter 7
Arm high speed multiplier organization
Sitxfsa001a
Develop and implement a food safety program
Implement permanent product recording procedures
San topology types
Grondverzetband gebruikt
Components of swing
Implement food safety procedures
Implement
Trimble true tracker
Why are user interfaces hard to implement
Addition of polynomials using linked list
Eschew the implement of correction and vitiate the scion
Toilet preparation act 1955
Develop vs implement
Acquiring capital to implement strategies
Implement change management with these six steps
Deep learning approach and surface learning approach
Bandura's reciprocal determinism
Theoretical models of counseling
Research approach definition
Waterfall approach vs shower approach
Traditional approach vs object oriented approach
Multiple approach-avoidance
Difference between virtual circuit and datagram subnet
Pain in brain stem
Tegmen mastoideum ct
Normal csf values
Gm-csf
Gram positive cocci in urethral discharge
Csf traumatic tap
Pneumococci
Contraindications of lumbar puncture
Cerebrospinal fluid is present in
Csf orexin
менінгококовий менінгіт
Brain parenchyma
Arachnoid villi csf
