Top-down vs. Bottom-up Risk Governance

This deck was presented live at the Federal Computer Security Manager’s Forum Offsite on Tuesday, June 20th at NIST Headquarters in Gaithersburg, MD.

Background
Risk management can be done top-down, bottom-up, middle-out, or some combination. Many of our government institutions have insecure systems because they confuse compliance with security when reviewing their enterprise as well as cybersecurity risks.

Key Takeaways
* "Compliant Insecurity" is real
* Tie cybersecurity risks to enterprise risks
* Understand where compliance ends and where security begins or vice-versa
* Evaluate risk management frameworks from other countries to see where we’re lacking or more advanced

Shahid N. Shah

June 20, 2017

Transcript

  1. Top Down vs. Bottom Up Governance of Risk, What’s Best?
    Presented to Federal Computer Security Manager’s Forum Offsite at NIST (June 2017)
    by Shahid N. Shah (@ShahidNShah)

  2. www.netspective.com 2
    @ShahidNShah
    Who is Shahid?
    Gov’t Tech & Security Advisor
    • 15 years of risk management and cybersecurity expertise (in healthcare, government, and other sectors)
    • 15 years of technology management experience (government, non-profit, commercial)
    • 18 years of safety critical devices experience
    • 25 years of software engineering and multi-discipline complex IT implementations (Gov., defense, health, finance, insurance)
    Author of two chapters: “Understanding Medical Practice Cybersecurity Risks” and “How to Conduct a Health-Care Environment Electronic Risk Assessment”
    Need practical, no-nonsense & actionable federal cybersecurity training? Call me.

  3. What’s this talk about?
    Background
    Risk management can be done top-down, bottom-up, middle-out, or some combination.
    Many of our government institutions have insecure systems because they confuse compliance with security when reviewing their enterprise as well as cybersecurity risks.
    Key takeaways
    • Tie cybersecurity risks to enterprise risks
    • Understand where compliance ends and where security begins or vice-versa
    • Evaluate risk management frameworks from other countries to see where we’re lacking or more advanced

  4. This is a facilitated workshop, not a lecture.
    Please participate with opinionated (hopefully evidence-driven or experience-driven) views. I will be opinionated.

  5. How to think about cybersecurity innovation
    Why? What? How?

  6. There is no cybersecurity crisis specific to federal government.
    To get the best tools and frameworks with the best support, stay industry-neutral.
    Whenever something becomes “government specific” it slows down its innovation.
    Risk management, continuous diagnostics & mitigations will take us far.
    But how?

  7. There is a government risk definition crisis.
    Risk taxonomies, risk measures, and risk metrics are at least confusing if not difficult to implement.
    How can we create a community or crowd-sourced set of definitions, especially of outcomes focused vs. process metrics?
    Are we looking for information assurance or risk assurance?

  8. There is a government data privacy crisis.
    Not enough organizations have separated digital confidentiality and privacy policies from security policies.
    User behavior analytics (UBA) and data loss prevention (DLP) technology isn’t as widely deployed as it should be.

  9. There is a secure software development crisis.
    Our software development lifecycles, languages, and tools are built for the networks of the 1990s.
    Secure development lifecycles and modern software supply chain techniques must be implemented.

  10. Why did we see a drop in incidents reported?
    [Charts: Incidents reported by Federal Agencies; Federal cyber incidents reported FY 2016]

  11. Federal Cyber Incidents after redefinition in 2016

  12. We must define risks to match threats / budgets
    [Charts: Incidents reported by Federal Agencies; Cyber budget vs. incident threats]

  13. We need to reclassify and redefine risks
    Agency → Component → Bureau → Branch → Process / System / App → Team / Group → Individual
    Top Down Risk Governance is easier but sometimes incomplete
    Bottom Up Risk Governance is harder but more inclusive
    Metrics Guidelines: Old-style OMB (budget), New OMB (enterprise), Outcomes vs. Process?, Recovery, etc.
    Taxonomies: Commercial, Fed, Agency, etc.
    Sys/Software Supply Chain
    What about contractors?

  14. Don’t confuse risks with security/vulnerabilities
    • How many of you have a “risk culture” or have a Chief Risk Officer?
    • What’s the difference between institution/agency risks vs. compliance risks vs. security risks?
    • Should you focus on hazards, vulnerabilities first or risks first?
    • Should you go top down or bottom up?
    Agency → Component → Bureau → Branch → Process / System / App → Team / Group → Individual
    Sys/Software Supply Chain?
    What about contractors?

  15. Middle-out may work best
    Agency → Component → Bureau → Branch → Process / System / App → Team / Group → Individual
    Cyber Risks: Operational Portfolios, Risk Catalogs, Threat Sharing, Secure Lifecycles, Tools (CDM), Shadow IT
    Enterprise Risks: Mission Portfolios, Risk Catalogs, Key Performance Indicators (KPIs), Objectives & Key Results (OKRs)
    How do we tie cyber risks to enterprise risks and KPIs / OKRs?

  16. Workforce gaps are the biggest risk
    The National Cybersecurity Workforce Framework

  17. Top-down risks: compliance vs. security
    Compliance: often binary (yes/no)
    Security: always continuous
    You can be compliant and not secure, secure but not compliant, or both
    Compliant insecurity is pretty common
    CDM? Evidence? Attestation?

  18. An example of compliant insecurity
    Compliance Requirement
    • Encrypt all data at FIPS 140 level
    Insecure but compliant
    • Full disk encryption
    – Encryption keys stored on same disk
    • SSL encryption
    – No TLS negotiation or man in the middle monitoring
    Secure and compliant
    • Full disk encryption
    – Disk-independent key management
    • TLS encryption
    – Force SSL → TLS and monitor for MIM threats

  19. Another example of compliant insecurity
    Compliance Requirement
    • Establish procedures for creating, changing, and safeguarding passwords
    Insecure but compliant
    • Default admin password
    • Documentation says password should be changed upon initial setup
    • Documentation says password should be rotated frequently
    Secure and compliant
    • When device or software is initially set up, it forces a password change
    • Device or software prompts to change password regularly
    • Device or software reports, each night, if default passwords aren’t changed or rotations haven’t occurred
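
The nightly report in the last bullet, written out as an added example (not from the deck): a check over a constructed device inventory that flags default or stale passwords, next to the checklist view that only asks whether a procedure is documented. The inventory records, field names and the 90-day rotation interval are assumptions.

```python
from datetime import date

ROTATION_DAYS = 90  # assumed policy interval, not stated in the deck

# Constructed inventory (example data, not from the deck). Each record is what the
# device or software itself reports: whether the factory default is still set and
# when the password was last changed (None = no change ever recorded).
INVENTORY = [
    {"asset": "router-01", "pw_is_default": True,  "pw_last_changed": None},
    {"asset": "nas-02",    "pw_is_default": False, "pw_last_changed": "2017-01-05"},
    {"asset": "camera-03", "pw_is_default": False, "pw_last_changed": "2017-06-01"},
    {"asset": "switch-04", "pw_is_default": False, "pw_last_changed": None},
]


def checklist_view(procedure_documented=True):
    """The compliance view: a written procedure exists, so the item shows green."""
    return "compliant" if procedure_documented else "non-compliant"


def nightly_password_report(inventory, today_iso, rotation_days=ROTATION_DAYS):
    """The security view: inspect reported state and return (asset, reason) findings.

    Findings keep inventory order; an empty list means every asset has a
    non-default password that was changed within the rotation window.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for rec in inventory:
        asset = rec["asset"]
        if rec["pw_is_default"]:
            findings.append((asset, "default password still in use"))
            continue
        last = rec["pw_last_changed"]
        if last is None:
            # Non-default but never recorded as changed: rotation cannot be shown.
            findings.append((asset, "no password change on record"))
            continue
        age_days = (today - date.fromisoformat(last)).days
        if age_days > rotation_days:
            findings.append(
                (asset, f"password is {age_days} days old, over the {rotation_days}-day rotation")
            )
    return findings


if __name__ == "__main__":
    print("checklist:", checklist_view())
    for asset, reason in nightly_password_report(INVENTORY, "2017-06-20"):
        print(f"{asset}: {reason}")
```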

  20. Why does compliant insecurity occur?
    Compliance is focused on…
    • Regulations
    • Meetings & discussions
    • Documentation
    • Artifact completion checklists
    Instead of…
    • Top-down risk management
    – Probability of attacks
    – Impact of successful attacks
    • Middle-out threat models
    – Attack surfaces
    – Attack vectors
    – Understanding data liquidity
    • Bottom-up asset management
    – Full inventory assessment
    – Continuous change management
    – Asset- and risk-specific threat mitigation
    • Regular pen testing, user behavior analytics, and data loss prevention activities

  21. Audience Participation
    Can you think of other compliant insecurity?
    • No, you’re nuts – it’s not very common
    • Yes, it’s pretty common but there’s nothing we can do about it (showing “green” on dashboards but still with vulnerabilities)
    • Yes, it’s pretty common but if we work together we can create catalogs of similar risks and remediate them

  22. Forget compliance…at first
    Get your security operations in proper order before concentrating on compliance.
    Start sounding like a broken record, ask “is this about security or compliance?” often.

  23. Make sure the right people are in charge
    Law: Compliance
    Order: Security

  24. Make sure the right people are in charge
    Compliance knowledge bases: FISMA, HIPAA, FDA, PCI DSS, CDM, SOX
    Security knowledge areas: Firewalls & Encryption, User Behavior Analytics, Pen Testing & Access Control, Data Loss Prevention, Continuous Monitoring, Packet Analysis
    NIST, CDM

  25. Understand what’s what
    Risks, Threats, Privacy, Security, Compliance, Audits, Remediation

  26. Audience Participation
    Are your senior executives well versed in the major concepts like risk vs. threats vs. compliance vs. security vs. privacy?
    • Yes, this is all elementary and our team understands it completely
    • No, we understand most of the concepts but some of the nuances aren’t clear
    • No, we do not understand all the concepts and could use guidance

  27. There is a government data privacy crisis.
    Not enough organizations have separated digital confidentiality and privacy policies from security policies.
    User behavior analytics (UBA) and data loss prevention (DLP) technology isn’t as widely deployed as it should be.

  28. Data provenance needed for proper privacy
    • Provenance / Source
    • Ownership
    • Steward
    • Units of Measure
    • Location
    • Device
    • Confidence / Probability
    • Subject area / Classification
    • Confidentiality
    • Creation User / Org
    • Transformed?
    • Analyzed?
    • Interpreted?
    • Quality Metrics
    • Curated?
    • Revisions?
    • Combinable / Aggregatable?

  29. Preparing annual controls catalogs and compliance documentation or passing audits doesn’t mean you’re safe.
    Not enough organizations differentiate between point in time assessments versus continuous monitoring.
    Only continuous monitoring of data assets (in addition to system assets), from the bottom-up, ensures security.
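
Point-in-time assessment next to continuous monitoring, as an added example that is not part of the deck: the same constructed series of nightly configuration snapshots is checked only on the two audit dates, and then on every night. The snapshot dates, setting names and baseline values are assumptions chosen to mirror the deck's compliant-insecurity cases (where the disk key lives, which TLS version is accepted).

```python
# Approved baseline for one asset (constructed example, not from the deck).
BASELINE = {"fde_enabled": "yes", "key_store": "tpm", "tls_min_version": "1.2"}

# Constructed nightly snapshots (ISO date, observed settings). The asset is back on
# baseline on both audit dates but drifts in between.
SNAPSHOTS = [
    ("2017-03-31", {"fde_enabled": "yes", "key_store": "tpm", "tls_min_version": "1.2"}),
    ("2017-04-15", {"fde_enabled": "yes", "key_store": "tpm", "tls_min_version": "1.0"}),
    ("2017-05-20", {"fde_enabled": "yes", "key_store": "local_disk", "tls_min_version": "1.0"}),
    ("2017-06-30", {"fde_enabled": "yes", "key_store": "tpm", "tls_min_version": "1.2"}),
]
AUDIT_DATES = ["2017-03-31", "2017-06-30"]  # assumed quarterly assessment dates


def drift(baseline, observed):
    """Return {setting: (expected, actual)} for every baseline setting that differs.

    A setting missing from the snapshot counts as drift (actual is None).
    """
    return {k: (v, observed.get(k)) for k, v in baseline.items() if observed.get(k) != v}


def point_in_time_assessment(baseline, snapshots, audit_dates):
    """Compliance view: examine only the audit dates; return those showing drift."""
    by_date = dict(snapshots)
    return [d for d in audit_dates if drift(baseline, by_date[d])]


def continuous_monitoring(baseline, snapshots):
    """Security view: every (date, drift) pair where a snapshot left the baseline."""
    return [(d, drift(baseline, s)) for d, s in snapshots if drift(baseline, s)]


if __name__ == "__main__":
    print("audit dates with drift:", point_in_time_assessment(BASELINE, SNAPSHOTS, AUDIT_DATES))
    for d, changes in continuous_monitoring(BASELINE, SNAPSHOTS):
        print(d, changes)
```

The audit-day check returns no findings for this series while the nightly check returns two, which is the "compliant insecurity" gap the slide describes.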

  30. The DHS-led CDM Program covers 15 continuous diagnostic capabilities. Your data is not secure unless you understand the entire lifecycle.
    Phase 1: Endpoint Integrity
    • HWAM – Hardware Asset Management
    • SWAM – Software Asset Management
    • CSM – Configuration Settings Management
    • VUL – Vulnerability Management
    Phase 2: Least Privilege and Infrastructure Integrity
    • TRUST – Access Control Management (Trust in People Granted Access)
    • BEHAVE – Security-Related Behavior Management
    • CRED – Credentials and Authentication Management
    • PRIV – Privileges
    Phase 3: Boundary Protection and Event Management for Managing the Security Lifecycle
    • Plan for Events
    • Respond to Events
    • Generic Audit/Monitoring
    • Document Requirements, Policy, etc.
    • Quality Management
    • Risk Management
    • Boundary Protection – Network, Physical, Virtual

  31. Consider costs while planning security
    100% security is impossible, so compliance-driven environments must be slowed by cost drivers
    Source: Olovsson 1992, “A structured approach to computer security”

  32. Perimeter defense doesn’t account for data
    Firewalls and encryption aren’t enough
    Many breaches occur by insiders, lots of data disseminated accidentally
    Rely on risk-based role-aware user behavior analytics and anomaly detection

  33. Understand architecture transition impacts
    Mainframes → Client/Server → Web 1.0 → Service-oriented Architecture (SOA) → Web 2.0 & APIs → Web-oriented Architecture (WOA) → Event-driven Architecture (EDA) → Data-driven Architecture (DDA)
    Prevalent healthcare industry architectures: EDI, HL7, X.12, MLLP
    Protocols: DDS, MQTT, SOAP, AMQP, XMPP, WCTP, SNMP, REST, SMTP, MLLP

  34. Define threats
    • Capability, for example:
    – Access to the system (how much privilege escalation must occur prior to actualization?)
    – Able to reverse engineer binaries
    – Able to sniff the network
    • Skill Level, for example:
    – Experienced hacker
    – Script kiddie
    – Insiders
    • Resources and Tools, for example:
    – Simple manual execution
    – Distributed bot army
    – Well-funded organization
    – Access to private information
    • Motivation + Skills and Capabilities tells you what you’re up against and begins to set the tone for defenses
    Create minimal documentation that you will keep up to date
    Create risk and threat models…and share them widely
    He will win who, prepared himself, waits to take the enemy unprepared – Sun Tzu
    Source: OWASP.org, Microsoft

  35. Visualize risks / attacks / vulnerabilities

  36. Create an Attack Library…and share it!
    • Password Brute Force
    • Buffer Overflow
    • Canonicalization
    • Cross-Site Scripting
    • Cryptanalysis Attack
    • Denial of Service
    • Forceful Browsing
    • Format-String Attacks
    • HTTP Replay Attacks
    • Integer Overflows
    • LDAP Injection
    • Man-in-the-Middle
    • Network Eavesdropping
    • One-Click/Session Riding/CSRF
    • Repudiation Attack
    • Response Splitting
    • Server-Side Code Injection
    • Session Hijacking
    • SQL Injection
    • XML Injection
    Source: Microsoft

  37. Collect attack causes and mitigations…& share!
    • Define the relationship between
    – The exploit
    – The cause
    – The fix
    Exploit: SQL Injection
    – Cause: Use of Dynamic SQL → Fix: Use parameterized SQL; Use stored procedure with no dynamic SQL
    – Cause: Ineffective or missing input validation → Fix: Validate input
    Source: Microsoft
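
The SQL Injection exploit/cause/fix relationship above, carried into code as an added example (not the deck's or Microsoft's): the dynamic-SQL cause beside the parameterized fix and the input-validation fix, run against a constructed in-memory SQLite table. The table contents and the username rule are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")])
    return conn


def lookup_dynamic_sql(conn, username):
    """The cause: query text is assembled from user input, so the input can
    change the query's structure instead of acting only as a value."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the query shape is fixed and the driver passes the value
    separately, so whatever the string contains is compared as a username."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_username(username):
    """The other fix: reject input that cannot be a username
    (assumed rule: 1 to 32 alphanumeric characters)."""
    if not (1 <= len(username) <= 32 and username.isalnum()):
        raise ValueError("invalid username")
    return username


def lookup_hardened(conn, username):
    """Both fixes together: validate first, then query with parameters."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # textbook tautology, constructed for the demo
    print("dynamic SQL rows:", len(lookup_dynamic_sql(conn, crafted)))
    print("parameterized rows:", len(lookup_parameterized(conn, crafted)))
```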

  38. Audience Participation
    Are your security threats properly modeled, prioritized, and shared?
    • We have a well understood threat assessment process and we have properly documented threat models tied to our risk assessments at the asset level (bottom up)
    • We have a well understood threat assessment process and we have properly documented threat models tied to our risk assessments at the security boundaries but not at the asset level (top down)
    • We understand the threat assessment process but we have not documented threat models tied to our risk assessments
    • No, we haven’t done proper threat assessments tied to risks

  39. No security theater! Make risk-based decisions
    How you know you’re “secure”
    • Value of assets to be protected is understood
    • Known threats, their occurrence, and how they will impact the business are cataloged
    • Kinds of attacks and vulnerabilities have been identified along with estimated costs
    • Countermeasures associated with attacks and vulnerabilities, along with the cost of mitigation, are understood
    • Real risk-based analysis drives decisions, not security theater

  40. Review security body of knowledge
    Everyone
    • FIPS Publication 199 (Security Categorization)
    • FIPS Publication 200 (Minimum Security Requirements)
    • NIST Special Publication 800-60 (Security Category Mapping)
    Executives and security ops
    • NIST Special Publication 800-18 (Security Planning)
    • NIST Special Publication 800-30 (Risk Management)
    Security ops and developers
    • NIST Special Publication 800-53 (Recommended Security Controls)
    • Microsoft Patterns & Practices, Security Engineering
    • OWASP
    • IEEE Building Code for Medical Devices (IoT)
    Auditors
    • NIST Special Publication 800-53 (Recommended Security Controls)
    • NIST Special Publication 800-53A Rev 1 (Security Control Assessment)
    • NIST Special Publication 800-37 (Certification & Accreditation)

  41. Key Takeaways
    • If you have good security operations in place then meeting compliance requirements is easier and more straightforward.
    • Even if you have a great compliance track record, it doesn’t mean that you have real security.

  42. Resources

  43. The CDM Program BPA Tools Catalog

  44. DHS Open Source Cybersecurity Catalog

  45. SecTools.org and DHS Research Program

  46. Security Lifecycle challenges and advice
    • How do you design and build in security when the software, hardware, and medical devices come from third parties?
    • What risk management and investment prioritization frameworks should you use?
    • Are you using a bottom-up risk assessment or top-down risk cataloging process?

  47. Cybersecurity Framework
    • Developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk
    • Supports the improvement of cybersecurity for the Nation’s Critical Infrastructure using industry-known standards and best practices
    • Provides a common language and mechanism for organizations to
    – describe current cybersecurity posture;
    – describe their target state for cybersecurity;
    – identify and prioritize opportunities for improvement within the context of risk management;
    – assess progress toward the target state;
    – foster communications among internal and external stakeholders.
    • Composed of three parts: the Framework Core, the Framework Implementation Tiers, and Framework Profiles

  48. Cybersecurity Frameworks (FDA, NIST, etc.)
    Function: Categories
    IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management
    PROTECT: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Protective Technology
    DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
    RESPOND: Communication; Analysis; Mitigation; Improvements
    RECOVER: Recovery Planning; Improvements; Communication

  49. Asset management challenges and advice
    • Where is your hardware and software inventory stored?
    • How are you tracking configuration settings?
    • Who’s curating your vulnerabilities?
    • How are your boundaries documented?

  50. ENISA Threat Landscape

  51. ENISA Threat Agents

  52. Accounts management challenges & advice
    • Do you have identity, credentialing, and access management (ICAM) or just IAM?
    • Do you have user behavior analytics (UBA) capabilities?
    • Is your training tied to specific risks and assets from a bottom-up perspective?

  53. Event management challenges & advice
    • How sophisticated is your security information and event management (SIEM) infrastructure?
    • Do you run breach and incident simulations to help prepare for contingencies?
    • Do you have a data spill or other incident response plan documented and ready to execute?

  54. ISAOs as a Model for Regional Cooperation
    http://www.dhs.gov/isao

  55. ISAO Value Proposition
    https://www.us-cert.gov/sites/default/files/c3vp/CISCP_20140523.pdf

  56. ISAOs and Coordinating Processes
    A CSIRT Process Model for Improving Information Sharing & Knowledge Capture in Cybersecurity
    https://www.itu.int/dms_pub/itu-t/oth/06/35/T063500000200515PDFE.pdf

  57. Security Information Interoperability
    http://secure360.org/wp-content/uploads/2014/05/Threat-Intelligence-Sharing-using-STIX-and-TAXII.pdf

  58. Thank You
    Visit http://www.netspective.com
    E-mail [email protected]
    Follow @ShahidNShah
    Call 202-713-5409
