Cybersecurity Essentials for Broadband Service Providers
By: Russell Saffell, MPS, IAS, CHS-IV, CHPP
Director of Member Security & Critical Infrastructure Protection
Internet vs. Cyberspace
INTERNET
Single, interconnected, worldwide system of computer networks that share:
The Internet Architecture Board (IAB) specified protocol suite
The name and address spaces managed by the Internet Corp. for Assigned Names and Numbers (ICANN)
Source: CSRIC IV, Working Group 4 Final Report: Cybersecurity Risk Management and Best Practices, Internet Society
CYBERSPACE
A global domain within the information environment consisting of an inter-dependent network of information technology infrastructures, including:
The internet, telecommunications networks
Computer systems
Embedded processors and controllers
Source: CSRIC IV, Working Group 4 Final Report: Cybersecurity Risk Management and Best Practices, Beecham Research
What is Cybersecurity?
Cybersecurity is “the collection of tools, policies,
security concepts, security safeguards, guidelines, risk
management approaches, actions, training, best
practices, assurance and technologies that can be
used to protect the cyber environment and organization
and user’s assets.”
~International Telecommunications Union~
What Does Cybersecurity Look Like?
In short, Cybersecurity is:
Security Architecture
Secure Operating Systems
Security By Design
Secure Coding
Secure Environment
Secure People
Open Security Architecture (OSA) Design Principles
Securing Operating Systems
Installation & Hardening Environment:
Isolate the System on a Protected Network in a Test Environment
Carefully Evaluate the Integrity & Source of any Device Driver Code
Only Install the Overall Minimum Necessary for the Desired System
Boot Process Must Also Be Secure
Install all Critical Updates & Security Patches
Stage and Validate all Patches Before Deploying System in Production
Securing Operating Systems
If Already Deployed in Production, Remove all Unnecessary Services, Applications, & Protocols
Configure Users, Groups, & Authentication
Configure Resource Controls
Install Additional Security Controls
Security Testing
Secure by Design & Secure Coding
This refers to the software you run on your systems.
Was it developed with security in mind?
Quality
Customer Service
BSP Cybersecurity Traps
• Breach of Privacy:
What are you monitoring?
Just your customers’ internet traffic, meta-data, etc.?
The content of your customers’ internet packet traffic?
Are you maintaining customers’ internet logs or content?
For how long?
For what purpose?
Did all your customers have to sign a release of information authorizing this?
Is this the same for both residential and business customers?
• Is any of this okay?
BSP Cybersecurity Traps
• Are you Blacklisting Certain Websites & IP Addresses?
What are the criteria for a website to be blacklisted?
Inappropriate vs. Dangerous sites.
Are sites blacklisted indefinitely, or are they revisited and reclassified if found
to be no longer dangerous?
What if a site was blacklisted because it had some malicious adware on it that has since
been removed by the site owner?
• What About Freedom of Choice?
• Is this not Censorship?
BSP Cybersecurity Traps
• What About False Positives?
Intrusion detection and prevention controls can often block legitimate traffic
How can this impact your customers?
BSP Suggested Responsibilities
Offer optional cafeteria style cybersecurity services
DDoS Mitigation
Block IP Address Spoofing
Follow Common Internet Standards and Best Practices for configuring routing
devices to validate source addresses and block spoofed traffic:
RFC-2827
BCP 38
BCP 84
Most security appliances and routers now offer filters as part of their configuration
options.
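As an added illustration (not from the deck) of the source address validation that RFC-2827 / BCP 38 asks for, the check below applies per-interface ingress filtering in Python: a customer port may only originate packets from the prefixes assigned to it, and the upstream port may not deliver packets claiming the provider's own address space. Interface names, prefixes and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed access-router configuration. Interface names and the RFC 5737 /
# RFC 3849 documentation prefixes are assumptions made for this example.
CUSTOMER_PREFIXES = {
    "cust-eth0": ["203.0.113.0/26"],
    "cust-eth1": ["203.0.113.64/26", "2001:db8:1::/48"],
}
PROVIDER_PREFIXES = ["203.0.113.0/24", "2001:db8::/32"]  # space we announce
UPSTREAM = "upstream-eth9"

def _in_any(src, prefixes):
    ip = ipaddress.ip_address(src)
    # 'in' is simply False when address and network IP versions differ.
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def check_packet(iface, src):
    """BCP 38 style source-address validation; returns (verdict, reason)."""
    if iface in CUSTOMER_PREFIXES:
        # Ingress from a customer port: source must lie in that port's assignment.
        if _in_any(src, CUSTOMER_PREFIXES[iface]):
            return "accept", f"source within assignment on {iface}"
        return "drop", f"source not assigned to {iface} (spoofed)"
    if iface == UPSTREAM:
        # Ingress from the Internet: nobody outside may claim our own space.
        if _in_any(src, PROVIDER_PREFIXES):
            return "drop", "external packet claims a provider-owned source"
        return "accept", "external source outside provider space"
    return "drop", f"unknown interface {iface}"

# Constructed sample packets: (ingress interface, source address).
SAMPLE_PACKETS = [
    ("cust-eth0", "203.0.113.10"),   # legitimate customer traffic
    ("cust-eth0", "203.0.113.70"),   # address belongs to cust-eth1: spoofed
    ("cust-eth1", "2001:db8:1::5"),  # legitimate IPv6 customer traffic
    ("cust-eth1", "198.51.100.9"),   # not provider space at all
    (UPSTREAM, "192.0.2.1"),         # ordinary inbound Internet traffic
    (UPSTREAM, "203.0.113.5"),       # outsider spoofing one of our addresses
]

def filter_sample():
    """Run the filter over SAMPLE_PACKETS, logging each decision; returns verdicts."""
    verdicts = []
    for iface, src in SAMPLE_PACKETS:
        verdict, reason = check_packet(iface, src)
        print(f"{iface:13} {src:16} {verdict:6} {reason}")
        verdicts.append(verdict)
    return verdicts
```

Calling filter_sample() prints one log line per packet; on real equipment the same policy is expressed as an interface ACL or unicast reverse-path check rather than in Python.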
High-Level Cybersecurity in Practice
Must Include:
Policies and Procedures
Awareness Education Program
Vendor Products and Services Vetting Process
Continuing Education for Cybersecurity Practitioners
Legal/Regulatory Compliance
Risk Assessment and Management
Continuous Planning, Training, and Testing
Physical Security of all Technical Infrastructure
3 Types of Security Access Controls
PHYSICAL
LOGICAL
HUMAN
10 Principles of Security = IR(M)P²D⁵R
Identify Risks
Mitigate
Prepare
Protect
Deter
Detect
Delay
Deny
Defend
Recover
Understanding Risk
ASSET/TARGET: Place, person, system, equipment or infrastructure that you are trying to protect.
THREAT: Terrorist, criminal group/individuals, or imminent natural hazard with the ability to impact the target.
VULNERABILITY: Psychological, technical/logical, or physical characteristic that can leave the asset unprotected or exploitable.
RISK: Potential for loss or damage by threat/s which detect or access vulnerabilities that expose the asset.
Calculating Risk
RISK = LIKELIHOOD vs. IMPACT
Likelihood:
Rare (Very Low) = E
Unlikely (Low) = D
Moderate (Medium) = C
Likely (High) = B
Almost Certain (Very High) = A
Impact (Consequence):
Insignificant (Low – No Business Impact) = 1
Minor (Low – Minor Business Impact, some loss of confidence) = 2
Moderate (Medium – Business is Interrupted, loss of confidence) = 3
Major (High – Business is Disrupted, major loss of confidence) = 4
Catastrophic (High – Business cannot continue) = 5
Qualifying Likelihood
How to Qualify Likelihood Rating
Skill (High Skill Level Required » Low or No Skill Level Required) 1=High Skill, 5=No Skill
Ease of Access (Very Difficult to Do » Very Simple to Do) 1=Very Difficult, 5=Very Simple
Incentive (High Incentive » Low Incentive) 1=Low Incentive, 5=High Incentive
Resource (Requires Expensive or Rare Equipment » No Resources Required) 1=Rare/Expensive, 5=No Resources
TOTAL (Add Rating and Divide by 4) 1=E 2=D 3=C 4=B 5=A
Categorizing Risks
Impact (Consequence)
Insignificant Minor Moderate Major Catastrophic
Likelihood 1 2 3 4 5
A (Almost Certain) H H E E E
B (Likely) M H H E E
C (Possible) L M H E E
D (Unlikely) L L M H E
E (Rare) L L M H H
E Extreme Risk: Immediate action required to mitigate the risk or decide not to proceed.
H High Risk: Action should be taken to compensate the risk.
M Moderate Risk: Action should be taken to monitor the risk
L Low Risk: Routine acceptance of the risk
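The likelihood qualification (four factor ratings averaged and mapped to E–A) and the risk matrix above, carried through as an added Python example that is not part of the deck; the round-half-up rule for the average and the sample scenario are assumptions, since the slides do not specify them.

```python
# Added example (not from the deck): the slide's likelihood qualification and
# risk matrix carried through in code. Rounding of the average is an assumption.

LIKELIHOOD_LETTERS = {1: "E", 2: "D", 3: "C", 4: "B", 5: "A"}

# Rows: likelihood A..E; columns: impact 1 (Insignificant) .. 5 (Catastrophic).
RISK_MATRIX = {"A": "HHEEE", "B": "MHHEE", "C": "LMHEE", "D": "LLMHE", "E": "LLMHH"}

ACTIONS = {
    "E": "Extreme Risk: immediate action required to mitigate or do not proceed.",
    "H": "High Risk: action should be taken to compensate the risk.",
    "M": "Moderate Risk: action should be taken to monitor the risk.",
    "L": "Low Risk: routine acceptance of the risk.",
}

def qualify_likelihood(skill, ease, incentive, resource):
    """Average the four 1-5 factor ratings and map to the E..A letter.

    Scores follow the slide (e.g. skill: 1 = high skill needed, 5 = none).
    An average ending in .5 is rounded up (assumption; the slide is silent).
    """
    for r in (skill, ease, incentive, resource):
        if r not in range(1, 6):
            raise ValueError("factor ratings must be integers 1-5")
    total = skill + ease + incentive + resource
    return LIKELIHOOD_LETTERS[(total + 2) // 4]  # round-half-up of total / 4

def rate_risk(likelihood, impact):
    """Look up the matrix cell; returns (L/M/H/E code, required action)."""
    if likelihood not in RISK_MATRIX or impact not in range(1, 6):
        raise ValueError("likelihood must be A-E and impact 1-5")
    code = RISK_MATRIX[likelihood][impact - 1]
    return code, ACTIONS[code]

def assess(skill, ease, incentive, resource, impact):
    """Full pass from factor ratings and impact to (likelihood, code, action)."""
    likelihood = qualify_likelihood(skill, ease, incentive, resource)
    code, action = rate_risk(likelihood, impact)
    return likelihood, code, action

if __name__ == "__main__":
    # Constructed scenario: an unpatched customer-facing web portal. Little
    # skill needed (4), trivially reachable (5), high incentive (5), no special
    # equipment (5); a compromise would interrupt business (impact 3).
    lk, code, action = assess(4, 5, 5, 5, 3)
    print(f"Likelihood {lk}, impact 3 -> {code}: {action}")
```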
Managing Risk
Avoidance
Acceptance
Mitigation vs. Preparedness
• Mitigation & Preparedness Go Hand in Hand
Mitigation is the effort to reduce loss of life and property by
lessening the impact of disasters and real world events. (DHS)
= Individual Actions
= Limits Loss
Preparedness is a continuous cycle of planning, organizing,
training, equipping, exercising, evaluating, and taking corrective
action in an effort to ensure effective coordination during
incident response. (DHS)
= Cycle of individual actions ensuring readiness to respond.
Preparedness
• Knowledge + Experience
Planning, Training and Exercises
Real world events
Hot-Wash, Lessons Learned
Revise & Adjust
Implement new controls and
mitigation strategies.
Repeat!
Administrative Functions
• Policies:
Physical Security/Access Control
Cybersecurity
Training
Risk Assessment & Assignment
Delegation of Authority & Order of Succession
Incident Reporting
Privacy and Information Handling
Public Information & Media Relations
Subject Matter Expert Functions
• Plans, Procedures, Guidelines & Methodologies:
Security & Cybersecurity Plans
Training Plans
Risk Assessment Methodology
Emergency Operations Plans
Hazard Mitigation Plans
Disaster Recovery Plans
Continuity of Operations/Services & Resilience Plans
SOP & SOG for Critical Functions (with checklists)
Security Awareness Critical Training
Cybersecurity Awareness for All Employees
Emergency Operations
Information Privacy
Media Relations
Cybersecurity Awareness Critical Training
Offered to All Customers:
Basic Network Security
Basic System Security
Internet Safety Tips
Responsible Use
Deterrence
• Deterrence is the art of getting inside a would-be criminal’s head and
psychologically making them believe that the probability of success is less than
desirable, thereby eliminating the risk.
• Also to remove temptation from the equation. If a would-be criminal never sees
a valuable target, then there are no social tendencies leading to potential
criminal activity.
• To accomplish this there are several actions you can take including:
The use of Overt Multi-Layered Security.
Compartmentalized Access: The principle of least privilege; to limit the access of
individuals to only those areas where their job function requires.
Deterrence
Administrative Methods
Security Policy
Employee screening (insider threat)
Security signage
Prohibit non-critical storage and staging
Annual security program and vulnerability assessments
Armed (vetted) Security Guards
Neighbor awareness security program
Deterrence
Systems & Technologies
Employees trained to spot Social Engineering Attacks
Motion activated lighting and video surveillance
Limited access smart locks and access card systems/readers
Security fencing to include solutions with blast and ballistic resistance
Environmental and physical vehicle barriers
Security lighting to include motion activated strobe illumination
Robust cybersecurity program
Detection
• The purpose of detection is to identify suspicious behavior of unauthorized and
authorized individuals prior to any unlawful activity taking place, and to recognize
and promptly report unlawful activity as it occurs. This may include:
Perimeter Surveillance Detection & Counter Surveillance.
Serious negative changes in mood of an employee (hostility, depression,
desperation, etc.).
Monitoring logs of access, and identifying irregularities.
Audit trails and logs
Reporting suspicious activity (see something, say something).
Alarm System with Law Enforcement Dispatch.
• These are more covert actions, and may require the use of
hidden cameras, and employee and community training
Additional Detection Systems
System Intrusion Detection
External/internal video analytic systems
External/internal motion sensing systems
External seismic detection systems
Glass break sensors
Fence climbing/tampering sensors
UAV detection systems
Delay
• Through the use of physical and technological obstacles, an intruder’s
objective can be seriously delayed. This will allow detection and
defense to have more time.
• This may happen if your measures designed to deter are inadequate,
or if a would-be criminal’s resolve is great enough to motivate them to
assume the risk of being caught.
• Some additional delay measures (both overt and covert) include:
Interior locking doors, no interior signage, & confusing building design.
Locked gates, motion lights and cameras, roving armed security and/or dogs inside the perimeter.
Strong Passwords, Encryption, Honey-Pots
Deny
• Ultimately we want to deny any unauthorized access, while
not prohibiting or restricting authorized access. This is
generally accomplished by utilizing access controls:
Card/Code & Biometric Access.
No piggy-backing.
Armed gate and front desk security.
ID card verification (either by a verification system or security personnel).
Escort all visitors.
Implementation of strong policies, plans, procedures, and training.
Deny (Cont.)
• Cyber related controls to deny unauthorized access to
information systems include (but are not limited to):
Air Gapped Critical Systems
Updated Antivirus Software
Role Based Security.
Layered Cybersecurity Controls.
Intrusion Detection & Prevention Systems.
Heavily protected Network Access Points.
Updated Software, Firmware, and Security Patches.
Strong Passwords and 2-Factor Authentication.
Defend (Physical)
Defense is also referred to as response. This is where security personnel apprehend the culprit/s. Law enforcement has to get involved during this phase.
Defend (Cyber)
• Cyber related controls to Defend against unauthorized access to
information systems include (but are not limited to):
Cybersecurity Awareness Training
Join my Cybersecurity Taskforce
What Else Can You Do?
If you see Something,
Say Something!
If you can Fix it,
FIX IT!
What Else Can You Do?
• Use your resources:
www.iamu.org/security
Russell Saffell
Director of Member Security & Critical Infrastructure Protection
[email protected]
(515)289-1999