Cynthia Brumfield - Cybersecurity Risk Management
Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework
10 CHAPTER 3 Tools and Techniques for Detecting Cyber Incidents
    Introduction
    What Is an Incident?
    I. Detect
        A. Anomalies and Events
            1. Establish Baseline Data for Normal, Regular Traffic Activity and Standard Configuration for Network Devices
            2. Monitor Systems with Intrusion Detection Systems and Establish a Way of Sending and Receiving Notifications of Detected Events; Establish a Means of Verifying, Assessing, and Tracking the Source of Anomalies
            A Word about Antivirus Software
            3. Deploy One or More Centralized Log File Monitors and Configure Logging Devices throughout the Organization to Send Data Back to the Centralized Log Monitor
            4. Determine the Impact of Events Both Before and After they Occur
            5. Develop a Threshold for How Many Times an Event Can Occur Before You Take Action
        B. Continuous Monitoring
            1. Develop Strategies for Detecting Breaches as Soon as Possible, Emphasizing Continuous Surveillance of Systems through Network Monitoring
            2. Ensure That Appropriate Access to the Physical Environment Is Monitored, Most Likely through Electronic Monitoring or Alarm Systems
            3. Monitor Employee Behavior in Terms of Both Physical and Electronic Access to Detect Unauthorized Access
            4. Develop a System for Ensuring That Software Is Free of Malicious Code through Software Code Inspection and Vulnerability Assessments
            5. Monitor Mobile Code Applications (e.g., Java Applets) for Malicious Activity by Authenticating the Codes’ Origins, Verifying their Integrity, and Limiting the Actions they Can Perform
            6. Evaluate a Provider’s Internal and External Controls’ Adequacy and Ensure they Develop and Adhere to Appropriate Policies, Procedures, and Standards; Consider the Results of Internal and External Audits
            7. Monitor Employee Activity for Security Purposes and Assess When Unauthorized Access Occurs
            8. Use Vulnerability Scanning Tools to Find Your Organization’s Weaknesses
        C. Detection Processes
            1. Establish a Clear Delineation between Network and Security Detection, with the Networking Group and the Security Group Having Distinct and Different Responsibilities
            2. Create a Formal Detection Oversight and Control Management Function; Define Leadership for a Security Review, Operational Roles, and a Formal Organizational Plan; Train Reviewers to Perform Their Duties Correctly and Implement the Review Process
            3. Test Detection Processes Either Manually or in an Automated Fashion in Conformance with the Organization’s Risk Assessment
            4. Inform Relevant Personnel Who Must Use Data or Network Security Information about What Is Happening and Otherwise Facilitate Organizational Communication
            5. Document the Process for Event Detection to Improve the Organization’s Detection Systems
    Summary
    Chapter Quiz
    Essential Reading for Tools and Techniques for Detecting a Cyberattack
11 CHAPTER 4 Developing a Continuity of Operations Plan
    Introduction
        A. One Size Does Not Fit All
    I. Response
        A. Develop an Executable Response Plan
        B. Understand the Importance of Communications in Incident Response
        C. Prepare for Corporate–Wide Involvement During Some Cybersecurity Attacks
    II. Analysis
        A. Examine Your Intrusion Detection System in Analyzing an Incident
        B. Understand the Impact of the Event
        C. Gather and Preserve Evidence
        D. Prioritize the Treatment of the Incident Consistent with Your Response Plan
        E. Establish Processes for Handling Vulnerability Disclosures
    III. Mitigation
        A. Take Steps to Contain the Incident
        B. Decrease the Threat Level by Eliminating or Intercepting the Adversary as Soon as the Incident Occurs
        C. Mitigate Vulnerabilities or Designate Them as Accepted Risk
    IV. Recover
        A. Recovery Plan Is Executed During or After a Cybersecurity Incident
        B. Update Recovery Procedures Based on New Information as Recovery Gets Underway
        C. Develop Relationships with Media to Accurately Disseminate Information and Engage in Reputational Damage Limitation
    Summary
    Chapter Quiz
    Essential Reading for Developing a Continuity of Operations Plan
12 CHAPTER 5 Supply Chain Risk Management
    Introduction
    I. NIST Special Publication 800–161
    II. Software Bill of Materials
    III. NIST Revised Framework Incorporates Major Supply Chain Category
        A. Identify, Establish, and Assess Cyber Supply Chain Risk Management Processes and Gain Stakeholder Agreement
        B. Identify, Prioritize, and Assess Suppliers and Third-Party Partners of Suppliers
        C. Develop Contracts with Suppliers and Third-Party Partners to Address Your Organization’s Supply Chain Risk Management Goals
        D. Routinely Assess Suppliers and Third-Party Partners Using Audits, Test Results, and Other Forms of Evaluation
        E. Test to Make Sure Your Suppliers and Third-Party Providers Can Respond to and Recover from Service Disruption
    Summary
    Chapter Quiz
    Essential Reading for Supply Chain Risk Management
13 CHAPTER 6 Manufacturing and Industrial Control Systems Security
    Essential Reading on Manufacturing and Industrial Control Security
14 Appendix A: Helpful Advice for Small Organizations Seeking to Implement Some of the Book’s Recommendations
15 Appendix B: Critical Security Controls Version 8.0 Mapped to NIST CSF v1.1
16 Answers to Chapter Quizzes
17 Index
18 End User License Agreement
List of Illustrations
1 Preface – Overview of the NIST Framework
    FIGURE 0.1 NIST CORE FRAMEWORK.
    FIGURE 0.2 NIST CATEGORIES, SUBCATEGORIES, AND INFORMATIVE REFERENCES.
    FIGURE 0.3 NIST FUNCTIONS AND CATEGORIES.
    FIGURE 0.4 NIST IMPLEMENTATION TIERS.
    FIGURE 0.4 NIST FRAMEWORK RISK MANAGEMENT CYCLE.
2 Chapter 1
    FIGURE 1.1 HARDWARE ASSETS.
    FIGURE 1.2 DETERMINING THREAT LIKELIHOOD.
3 Chapter 6
    FIGURE 6.1 FUNCTION AND CATEGORY UNIQUE IDENTIFIERS.
    FIGURE 6.2 FUNCTION AND CATEGORY UNIQUE PROTECTION ELEMENTS.
    FIGURE 6.3 FUNCTION AND CATEGORY UNIQUE DETECTION ELEMENTS.
    FIGURE 6.4 FUNCTION AND CATEGORY UNIQUE RESTORE ELEMENTS.
    FIGURE 6.5 FUNCTION AND CATEGORY UNIQUE RECOVERY ELEMENTS.
Guide
1 Cover
2 Title page
3 Copyright
4 Dedication
5 Table of Contents
6 Academic Foreword
7 Acknowledgments
8 Preface – Overview of the NIST Framework
9 Begin Reading
10 Appendix A: Helpful Advice for Small Organizations Seeking to Implement Some of the Book’s Recommendations
11 Appendix B: Critical Security Controls Version 8.0 Mapped to NIST CSF v1.1
12 Answers to Chapter Quizzes
13 Index
14 End User License Agreement