Agenda for Aug 2 Cloud Security Office Hours
Hello, 👋
Here are two reasons to tune into Cloud Security Office Hours this Friday Aug 2 at 10:00 AM ET:
It has a great mission with great people. Check it out.
There are so many talented people out there who have skills that easily translate to the cloud. Our aim is to engage those who are interested in cloud security with those who have been in the field for years. Our weekly sessions bring together experts and novices for a one hour open forum for questions, stories, demonstrations, etc.
If you’re interested in GRC careers and/or NIST Cybersecurity Framework 2.0, I’ll be presenting the agenda below.
Hope to see you there!
Steve
Agenda
Why Careers in Cybersecurity GRC are Underrated (RANT)
Requested Topic: “Craziest Audit Failure Stories”
“The collapse of Enron was devastating to tens of thousands of people and shook the public’s confidence in corporate America.”
Enron was America’s 7th biggest company.
Today the top 7 by revenue are:
Walmart
Amazon
ExxonMobil
Apple
CVS Health
UnitedHealth Group
Berkshire Hathaway
Most of Enron’s 21,000 employees lost their jobs without severance or health insurance
Arthur Andersen was charged with obstruction of justice for shredding documents, leading to its downfall and the loss of jobs for most of its 28,000 employees.
Enron’s collapse led to the conviction of 21 individuals
Cybersecurity Compliance Origins: SOX to SOC2
NIST Cybersecurity Framework 2.0
When, What, Why?
It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.
Recognized the growing threats to critical infrastructure and called for the development of a framework to enhance the cybersecurity posture of the United States.
It aimed to foster collaboration between the government and private sector, to improve the protection and resilience of critical infrastructure.
Established the requirements for NIST CSF
New self-assessment section
Greater focus on supply chain risk management
Removes the critical infrastructure focus, making it applicable to all organizations
Name change from “Framework for Improving Critical Infrastructure Cybersecurity” to the more widely accepted and commonly used nomenclature of “Cybersecurity Framework,” with an official abbreviation of CSF
Changed scope to apply to all organizations, regardless of their associated sector, type or size
Added a sixth function called Govern to highlight the importance of governance
Elevated from previously being a subset of Identify
There was a re-categorization of many categories and subcategories
Increases the focus on cybersecurity supply chain risks
Improves language to facilitate better communication between technical and non-technical stakeholders.
Relevant Executive Orders and Regulations 📜
Cybersecurity Enhancement Act of 2014
Federal Information Security Modernization Act (FISMA) of 2014
Cybersecurity Information Sharing Act (CISA) of 2015
Executive Order 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure - May 2017
Executive Order 14028 on Improving the Nation’s Cybersecurity - May 2021
Applicability of the Cybersecurity Framework 🌎️
Bottom line on why CSF is needed:
Cybersecurity risk continues to increase, with no signs of slowing down
Costs of cybersecurity risks continue to grow
Why? 🤔
The greatest threat that faces any of us today is the threat of complexity: Trillions of lines of code in billions of devices, with ubiquitous connectivity across the globe.
Characteristics of the Framework 📏
Voluntary Framework
The CSF is a foundational resource that may be adopted voluntarily and through governmental policies and mandates.
Flexible, Adaptive
The CSF describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because these outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address their unique risks, technologies, and mission considerations.
Focus on Risk Instead of Controls
Organizations will continue to have unique risks — including different threats and vulnerabilities — and risk tolerances, as well as unique mission objectives and requirements. Thus, organizations’ approaches to managing risks and their implementations of the CSF will vary.
Focus on Risk Instead of Compliance
While compliance with regulations and standards is important, an organization’s first goal is to reduce risk and to foster a risk-based mindset.
From that point, compliance naturally follows.
Where Compliance Can Go Wrong: Password Complexity Requirements
Is this password secure?
A*QSuda@PxiTvwgDA2tG
Other Options to Improve Authentication Security
Multi-Factor Authentication (MFA): This method requires users to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. Common factors include something you know (password or PIN), something you have (a smartphone or hardware token), and something you are (biometrics: fingerprint scans, facial recognition, or iris scans).
Using Known Password Lists: Implementing checks against lists of known compromised passwords can prevent users from choosing passwords that are already exposed and easy to guess. This can be particularly effective in stopping common and repeated password-related vulnerabilities.
Time-based One-time Password (TOTP): This is an algorithm that generates a one-time password which is valid only for a short period of time, providing an additional layer of security by ensuring that the password is not reusable.
Geographic and IP Restrictions: Limiting access based on geographic location or IP addresses can help prevent unauthorized access from high-risk areas or unfamiliar sources.
Anomaly Detection and Login Monitoring: Tools that monitor login attempts and detect anomalies (like logins from new devices or locations) can trigger additional authentication requirements or alerts.
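The two points above that lend themselves to code are the known-compromised-password check and TOTP. The following is an added example, not code from the original post: it shows why the complexity check alone is misleading (a password can satisfy every character-class rule and still sit in a breach list), implements a local k-anonymity style lookup in which only the first five hex characters of the SHA-1 hash would ever leave the client, and verifies an RFC 6238 TOTP code with a small clock-drift window. The breached-password list is a constructed sample, not a real breach corpus; the TOTP secret and timestamps are the RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct

# Constructed sample of "known compromised" passwords (hypothetical, for illustration only).
# The agenda's example password is included to show that complexity and exposure are independent.
CONSTRUCTED_BREACHED = ["password", "123456", "A*QSuda@PxiTvwgDA2tG", "letmein"]


def meets_complexity_policy(password, min_len=12):
    """A typical compliance-style rule: length plus four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= min_len and all(classes)


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Index breached hashes by their 5-character SHA-1 prefix, as a range service would."""
    index = {}
    for pw in breached:
        digest = sha1_upper(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def is_compromised(password, index):
    """k-anonymity lookup: only the prefix selects the bucket; the suffix is compared locally."""
    digest = sha1_upper(password)
    bucket = index.get(digest[:5], {})
    return bucket.get(digest[5:], 0) > 0


def evaluate_password(password, index):
    """Compliance says 'pass', risk says 'exposed': both answers, side by side."""
    return {
        "meets_policy": meets_complexity_policy(password),
        "compromised": is_compromised(password, index),
    }


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current step plus `window` steps either side; constant-time compare."""
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACHED)
    print(evaluate_password("A*QSuda@PxiTvwgDA2tG", idx))
    print(evaluate_password("correct horse battery staple 42!", idx))
    rfc_secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    print(totp(rfc_secret, 59), verify_totp(rfc_secret, totp(rfc_secret, 59), 59 + 30))
```

The breach check deliberately keeps the full hash on the client: the prefix alone is what a k-anonymity range query transmits, so the service learns a bucket of several hundred hashes, not the user's password. The TOTP window of one step is the usual trade-off between tolerating clock drift and keeping the number of acceptable codes small.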
Facilitates Communication and Collaboration
When implementing the CSF, managers will focus on how to achieve risk targets through common services, controls, and collaboration, as expressed in the Target Profile and improved through the actions being tracked in the action plan (e.g., risk register, risk detail report, POA&M).
Holistic Cybersecurity Framework 🌐
Confidently navigate the complex landscape of cyber threats
Identify vulnerabilities ➡️ protect critical assets ➡️ detect potential breaches ➡️ respond effectively to incidents ➡️ recover swiftly from disruptions
Provides a high-level, strategic view of an organization’s management lifecycle for any given cybersecurity risk
6 Functions ➡️ 22 Categories ➡️ 106 Subcategories
Cyber Resilience is Probably a Better Name than “Cybersecurity”
Term | Definition | So What? |
---|---|---|
Cyber Resilience | An organization’s ability to withstand and adapt to cyber threats by implementing proactive measures, effectively responding to and recovering from cyber attacks or disruptions, and maintaining essential functions while minimizing damage. This encompasses a range of strategies, including robust security controls, regular vulnerability assessments, employee education on cybersecurity best practices, and the establishment of incident response plans. | Probably a better name than “Cybersecurity,” where “secure” seems narrowly PROTECT focused. Think both left and right of boom: “It’s not if, but when”; “There are two types of organizations.” Be proactive to prevent or minimize the impact of cyber incidents, and also be able to quickly detect, isolate, restore, and recover systems if/when a cyber incident occurs. |
Intended Audience & Purpose of CSF 👥
Critical Infrastructure ⚙️
Term | Definition | So What? |
---|---|---|
Critical Infrastructure | “Any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these” - DHS | The Department of Homeland Security (DHS) lists 16 Critical Infrastructure sectors |
Chemical - Organizations and companies that manufacture, store, use, and transport potentially dangerous chemicals used by other critical infrastructure sectors
Commercial Facilities - Buildings, facilities, and spaces used for commercial purposes, including retail, entertainment, and hospitality
Communications - Networks, systems, and assets involved in providing communication services, including broadcasting, telecommunications, and internet service providers
Critical Manufacturing - Facilities and processes involved in the production of essential goods, such as metals, machinery, transportation equipment, and pharmaceuticals
Dams - Structures, systems, and resources related to dam operations and water control, including hydroelectric power generation
Defense Industrial Base - Companies and assets involved in the research, development, production, and maintenance of defense-related equipment, systems, and services
Emergency Services - Agencies, organizations, and personnel responsible for emergency management, firefighting, medical services, and public safety
Energy - Resources, systems, and infrastructure involved in the production, transmission, and distribution of energy, including electricity, oil, and natural gas
Financial Services - Institutions and systems providing financial services, including banking, insurance, investment, and payment systems
Food and Agriculture Sector - Facilities, systems, and resources related to the production, processing, and distribution of food, beverages, and agricultural products
Government Facilities - Buildings, offices, and structures used by federal, state, local, tribal, and territorial governments for administrative and public services
Healthcare and Public Health - Facilities, personnel, and networks involved in providing healthcare services, medical research, and public health support
Information Technology - Systems, networks, and infrastructure used for information processing, storage, and communication, including software development and cybersecurity
Nuclear Reactors, Materials, and Waste - Facilities, processes, and materials associated with nuclear power generation, research, and waste management
Transportation Systems - Infrastructure, networks, and assets involved in the movement of people and goods, including aviation, maritime, rail, and road transportation
Water and Wastewater Systems - Facilities, systems, and resources responsible for providing drinking water and managing wastewater treatment and disposal
Profile Templates and Tailoring 🪡
Smart Grid Profile
Manufacturing Profile
Valuable beyond Critical Infrastructure
Non-Critical Verticals | CSF Benefits |
---|---|
Retail | Protect customers’ data, secure the company’s online transactions, and manage supply chain vulnerabilities |
Manufacturing | Address industrial control system security and intellectual property protection, and help secure product development |
CSF is a series of best practices and guidelines and not a compliance standard that must be strictly adhered to
It can be scaled up or down
Only 32 pages long in version 2.0!
Concise and relatively quick to implement
BUT – official NIST documents tell you what to do, without telling you how to do it
That is why A/CCRF and A/CCRP are important to your career growth and progression!
Purpose
CSF helps organizations:
Describe current cybersecurity posture
Describe target state for cybersecurity
Identify and prioritize opportunities for improvement
Assess progress toward the target state
Communicate among internal and external stakeholders