21 Free GRC Training Resources
Here are some free Governance, Risk, and Compliance training resources. (H/T Christian Hyatt, https://www.linkedin.com/in/christianhyatt/)
SOC 2
[via POLITICO.COM Morning Cybersecurity 2 JAN 2018]
DFARS cybersecurity rules take effect – The recent New Year festivities brought with them more than just mountains of confetti litter and discarded “2018” glasses. The last day of 2017 also marked the deadline for defense contractors to meet minimum cybersecurity requirements for the systems they operate for the Pentagon. A federal contracting rule gave firms until Sunday to “provide adequate security on all covered contractor information systems,” with the technical standards agency NIST publishing a list of required security measures. The new regulation is the government’s most serious attempt yet to protect military data from hackers who have breached a series of sensitive targets in recent years, including the email network of the Joint Chiefs of Staff.
Please download (PDF): http://johndjohnson.com/resources/JOHNSON.HHALTED.OCT2017.pdf
This is an exhaustive resource covering many topics which will be further expanded upon.
An article by John Johnson on the difficulty of managing IIoT, and steps to take to improve IIoT security. (via IIoT World) https://is.gd/7bp7ST
There are lots of terms thrown around these days, such as: Internet of Things (IoT), Industrial Control Systems (ICS), Operational Technology (OT). What this means is that there are billions of interconnected consumer devices and industrial systems, not running a traditional computer operating system. This number dwarfs the number of traditional computer systems and it is predicted to grow to tens of billions of connected devices by 2020. The Industrial IoT could be defined as the subset of endpoints on our enterprise networks, which include building automation, industrial controls, sensors and embedded systems. Having spent nearly two decades in a manufacturing environment, I feel confident in saying that the number of Industrial IoT devices already outnumbers traditional computer systems on our enterprise networks.
Automation technologies and machine to machine (M2M) communications hold great promise for streamlining processes, improving quality and efficiency in industry. The benefits of these systems should be recognized, but so should the risk they bring to the table.
We have created a category called Industrial IoT and dumped all the non-traditional systems into this box, yet these Industrial IoT devices don’t follow a single standard. These are systems, generally purchased and managed by non-IT teams to perform specific tasks. Some of these systems will be configurable, others will not. Some offer remote management, others don’t. Some come with default passwords, others require no authentication at all. They often utilize OT rather than IT protocols, which are less well understood by IT personnel. In addition, because of the lack of central ownership, there is rarely a complete inventory of these systems. This means that these systems are both at risk, and pose a risk to other IT systems because they do not follow traditional IT standards for management and security.
If the goal is to better secure these systems, the first step is to build a complete inventory of these assets. The goal should be to centralize this information and keep it up to date. This is an improvement over the poorly maintained spreadsheets that many companies utilize today, which vary from factory to factory. With a complete inventory of these systems, risk management requires insight into their configuration and posture. Because they are non-standard, it will require additional effort both to assess their exposure, and to define standards for how these assets should be configured. It will require executive sponsorship to devote the resources necessary to accomplish this with a reasonable timeline. This is the type of project that is very difficult to justify and drive from the bottom-up. Business leaders need to be made to see the value in the overall effort to develop standards and manage OT risk. In my experience, third party risk assessments of your manufacturing environment should help to communicate the risks to executives.
Now that you have a reliable inventory and assessment of where these systems are vulnerable, just how do you bring them in line with standards? How do you change from the default password and manage passwords on disparate systems in multiple business units? How do you perform change management with non-traditional IT systems? How do you track changes, and keep people from making unauthorized changes? Logging and auditing these systems may not be possible due to their limited system resources.
Non-traditional systems may often have vulnerabilities that cannot simply be patched. They may be running older and unsupported operating systems, or be designed to be open to M2M communications. They may require manual updates to firmware. They may be vulnerable to denial of service attacks, or even put the health and safety of employees at risk if they become compromised. These non-compliant systems may pose a risk and in some cases be used as a platform to attack traditional IT systems. They may utilize wired or wireless connectivity. In some cases, they may need to communicate outbound to the Internet, to share data or for management and software updates.
Many of these systems were designed to serve limited functions. If they cannot all be managed, given that replacing them with more capable systems may be expensive and in many cases not possible, does this mean that you shift the security and management controls to the network? Today, the best practice is to isolate these systems on your network, but it doesn’t seem that simple network segmentation is going to be the best solution in the future, as these systems become more ubiquitous and integral to business operations.
Since it is not feasible, nor desirable, to entirely isolate these systems from the IT network, they will be attacked. How do you gain visibility to these attacks? If you see strange traffic or get an IDS alert, how do you track it down when Industrial IoT systems are involved? How do you correlate alerts across IT and OT, to accurately view the movement and actions of an adversary on your network? These are the challenges that we face today, and in the future as these systems grow in number and attacks shift from traditional IT computer systems to OT/ICS systems.
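The correlation problem raised above (an IDS alert on the IT side, an unexplained change on the OT side, and no single view tying them together) is one that an inventory makes tractable: once every IP is mapped to a zone and an asset, OT control actions performed by IT-zone hosts can be joined to the IDS alerts those hosts raised shortly before. The following is an added example, not code from the article or its author; the log formats, the inventory, the signature names and the 30-minute window are all constructed for illustration.

```python
"""Join IT-side IDS alerts to OT-side control events through a shared asset
inventory, so an IT host that was flagged and then wrote to a PLC shows up as
one incident. Added example; all data below is constructed, not real logs."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=30)  # look-back for prior IT alerts (assumption)

# OT actions that change process state rather than merely read it (assumption).
CONTROL_ACTIONS = {"write_single_register", "write_multiple_registers",
                   "plc_stop", "firmware_update"}

# Constructed inventory: IP -> (zone, asset name). This is the join key.
INVENTORY = {
    "10.20.0.11": ("IT", "Workstation-11"),
    "10.20.0.12": ("IT", "Workstation-12"),
    "10.10.1.5":  ("OT", "PLC-01"),
    "10.10.1.20": ("OT", "HMI-02"),
}

# Constructed IT alerts in a fast.log-like layout; signature names are made up.
IT_ALERTS = """\
2018-01-02 08:15:02 [**] SAMPLE POLICY Unexpected host on IT segment [**] 10.20.0.11 -> 10.20.0.1
2018-01-02 08:17:40 [**] SAMPLE SCAN Port sweep toward OT subnet [**] 10.20.0.11 -> 10.10.1.5
2018-01-02 09:40:00 [**] SAMPLE POLICY Cloud sync client traffic [**] 10.20.0.12 -> 10.20.0.255
"""

# Constructed OT events as a protocol-aware OT monitor might emit them.
OT_EVENTS = """\
2018-01-02 08:19:05 OT modbus write_multiple_registers src=10.20.0.11 dst=10.10.1.5 unit=1
2018-01-02 08:19:07 OT s7 plc_stop src=10.20.0.11 dst=10.10.1.20
2018-01-02 11:02:13 OT modbus read_holding_registers src=10.10.1.20 dst=10.10.1.5 unit=1
"""

IT_RE = re.compile(r"^(\S+ \S+) \[\*\*\] (.+?) \[\*\*\] (\S+) -> (\S+)$")
OT_RE = re.compile(r"^(\S+ \S+) OT (\S+) (\S+) src=(\S+) dst=(\S+)")


@dataclass
class Alert:
    time: datetime
    signature: str
    src: str
    dst: str


@dataclass
class OtEvent:
    time: datetime
    protocol: str
    action: str
    src: str
    dst: str


def parse_it_alerts(text: str) -> list:
    """Parse the constructed IDS format; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = IT_RE.match(line)
        if m:
            out.append(Alert(datetime.strptime(m[1], TS), m[2], m[3], m[4]))
    return out


def parse_ot_events(text: str) -> list:
    """Parse the constructed OT monitor format."""
    out = []
    for line in text.splitlines():
        m = OT_RE.match(line)
        if m:
            out.append(OtEvent(datetime.strptime(m[1], TS), m[2], m[3], m[4], m[5]))
    return out


def zone(ip: str) -> str:
    return INVENTORY.get(ip, ("UNKNOWN", ip))[0]


def asset(ip: str) -> str:
    return INVENTORY.get(ip, ("UNKNOWN", ip))[1]


def correlate(alerts: list, events: list, window: timedelta = WINDOW) -> list:
    """For each control action an IT-zone host performs on an OT asset, collect
    the IDS alerts that same host raised within `window` before the action.
    An entry with an empty prior_alerts list is still worth a look: it is an
    IT host changing process state with no IDS context at all."""
    incidents = []
    for ev in events:
        if ev.action not in CONTROL_ACTIONS or zone(ev.src) != "IT":
            continue
        related = [a for a in alerts
                   if a.src == ev.src and ev.time - window <= a.time <= ev.time]
        incidents.append({
            "time": ev.time.strftime(TS),
            "it_host": asset(ev.src),
            "ot_asset": asset(ev.dst),
            "action": f"{ev.protocol} {ev.action}",
            "prior_alerts": [a.signature for a in related],
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse_it_alerts(IT_ALERTS), parse_ot_events(OT_EVENTS)):
        print(inc)
```

Run as-is it reports two incidents, both tying Workstation-11 to the two alerts it raised minutes before writing registers on PLC-01 and stopping HMI-02; the later read by HMI-02 is ignored because it is an OT-zone host performing a read-only action. The point is the join through the inventory: without the IP-to-asset mapping, the OT monitor only sees an address and the IDS only sees a host, and neither side can tell that they are the same adversary moving from IT into OT.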
Without being able to have an accurate inventory, assess posture and vulnerabilities, account for threats and properly value these assets, calculating risk is a daunting task. Isn’t it reasonable to expect that in the future, the bulk of our risk resides with the bulk of our assets?
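The preceding paragraphs describe the sequence a practitioner has to work through: pull the per-factory spreadsheets into one inventory, record each device's posture (authentication, OS support, remote management, Internet exposure), and turn that into a ranked view of where the risk sits. The following is an added example, not code from the article or its author, showing that pipeline end to end on constructed records; the field names, the set of unsupported operating systems and the risk weights are assumptions chosen for illustration.

```python
"""Normalize inconsistent per-site asset records into one Industrial IoT
inventory, derive posture findings for each asset and rank them by risk.
Added example; the records and weights below are constructed, not real data."""
from dataclasses import dataclass, field

# Constructed records, deliberately inconsistent the way per-factory
# spreadsheets tend to be (different key casing, blanks, free-text yes/no).
RAW_RECORDS = [
    {"Site": "Plant A", "Device": "PLC-01", "IP": "10.10.1.5", "OS": "VxWorks 5.5",
     "Auth": "default", "Protocol": "Modbus/TCP", "Remote mgmt": "yes", "Internet": "no"},
    {"site": "plant a", "device": "HMI-02", "ip": "10.10.1.20", "os": "Windows XP",
     "auth": "password", "protocol": "S7", "remote mgmt": "Y", "internet": "yes"},
    {"Site": "Plant B", "Device": "Sensor-07", "IP": "10.20.3.40", "OS": "",
     "Auth": "none", "Protocol": "BACnet", "Remote mgmt": "no", "Internet": "no"},
    {"Site": "Plant B", "Device": "Workstation-11", "IP": "10.20.0.11", "OS": "Windows 10",
     "Auth": "password", "Protocol": "SMB", "Remote mgmt": "yes", "Internet": "yes"},
]

# Which OS strings the example treats as unsupported (assumption for the demo).
UNSUPPORTED_OS = {"windows xp", "windows 2000", "vxworks 5.5"}
# Protocols used to tell OT endpoints from traditional IT systems (assumption).
OT_PROTOCOLS = {"modbus/tcp", "s7", "bacnet", "dnp3", "profinet"}


@dataclass
class Asset:
    site: str
    name: str
    ip: str
    os: str
    auth: str            # "none", "default", "password" or "unknown"
    protocol: str
    remote_mgmt: bool
    internet: bool
    findings: list = field(default_factory=list)
    risk: int = 0


def normalize(rec: dict) -> Asset:
    """Lower-case keys and trim values so records from different sheets line up."""
    r = {k.strip().lower(): str(v).strip() for k, v in rec.items()}

    def yes(v: str) -> bool:
        return v.lower() in {"yes", "y", "true", "1"}

    return Asset(
        site=r.get("site", "").title(),
        name=r.get("device", "").upper(),
        ip=r.get("ip", ""),
        os=r.get("os", "") or "unknown",
        auth=r.get("auth", "").lower() or "unknown",
        protocol=r.get("protocol", ""),
        remote_mgmt=yes(r.get("remote mgmt", "")),
        internet=yes(r.get("internet", "")),
    )


def assess(asset: Asset) -> Asset:
    """Attach posture findings and an additive risk score (weights are illustrative)."""
    checks = [
        (asset.auth == "none", 4, "no authentication"),
        (asset.auth == "default", 3, "default credentials"),
        (asset.os.lower() in UNSUPPORTED_OS, 3, f"unsupported OS ({asset.os})"),
        (asset.os == "unknown", 1, "OS unknown, posture cannot be assessed"),
        (asset.internet, 2, "outbound Internet connectivity"),
        (asset.remote_mgmt and asset.auth != "password", 2,
         "remote management without strong authentication"),
    ]
    for cond, weight, text in checks:
        if cond:
            asset.findings.append(text)
            asset.risk += weight
    return asset


def build_inventory(records: list) -> list:
    """Normalize and assess every record; highest risk first."""
    assets = [assess(normalize(r)) for r in records]
    return sorted(assets, key=lambda a: a.risk, reverse=True)


def ot_assets(inventory: list) -> list:
    """The Industrial IoT subset: endpoints speaking OT rather than IT protocols."""
    return [a for a in inventory if a.protocol.lower() in OT_PROTOCOLS]


if __name__ == "__main__":
    for a in build_inventory(RAW_RECORDS):
        print(f"{a.risk:2d}  {a.site:8s} {a.name:15s} {a.ip:12s} "
              f"{'; '.join(a.findings) or 'no findings'}")
```

On the constructed records the PLC with default credentials on an unsupported OS ranks first, and the unauthenticated sensor whose OS nobody recorded ties with the Internet-connected XP HMI, which is exactly the kind of ordering that lets a bottom-up effort show executives where the manufacturing risk actually sits. The `os == "unknown"` finding is deliberate: a device the inventory cannot describe is itself a gap to close, not a zero-risk entry.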
In the enterprise, today, our tools are limited. We find ourselves performing manual inventories. We have limited resources, so we can’t fully assess the posture and vulnerabilities and put the automation and management in place that we recognize will be required. We also cannot wait for vendors to build in proper remote management and authentication in every Industrial IoT system, down to the level of individual controllers and sensors. One thing that is certain is that we can start to converge IT and OT in the enterprise, so our approach to security and risk management is uniform and consistent. This way we can include OT in our budget and make it the priority it should be, with upper management support and a long-term roadmap.
I cannot predict the future with much reliability, however it seems evident that there are no simple solutions that we can implement ourselves. We need to partner with innovative vendors to solve these tremendous and important problems. This is a huge opportunity in the security vendor space to develop innovative solutions that help us move beyond enumerating our problems, to solving them. This may require change in the very architecture of networks and will certainly require a shift in our thinking.