Cyber Defense eMagazine May 2019

More documents

Recommendations

Info

Standardizing Security: Mitigating IoT Cyber Risks (Part II of an II Part Series) By Daniel Jetton, Vice President of Cyber Services, OBXtek And Carter Simmons, Deputy Program Manager, OBXtek Introduction In the first part of this discussion, we demonstrated the need for standardized security for devices within the Internet of Things (IoT) because the proliferation of these devices has gotten ahead of security, not only due to the vulnerabilities they may have, but the sheer ubiquity of this phenomena and the unknown amount of personal data that may be at risk. While the government has taken some action in the form of the DHS Cybersecurity Strategy and legislation like the Cyber Shield Act of 2017, a tried and true process must be adopted. We are moving forward on these things to some degree but need a defined standard. The Risk Management Framework In February the National Institute of Standards and Technology (NIST) published the draft Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT), also referred to as NISTIR 8200, to provide government and public entities information on developing and using cybersecurity standards in IoT systems, components and services. It is an artifact derived from the Internet of Things (IoT) Task Group, established in April 2017 by the Interagency International Cybersecurity Standardization Working Group (IICS WG) established in December 2015 to coordinate on major issues in international cybersecurity standardization. Specifically, it describes IoT and representative applications of IoT; reviews core areas of cybersecurity with relevant standards; details IoT cybersecurity risks, threats and objectives; analyzes current cybersecurity standards for IoT and; provides mapping of IoT cybersecurity standards to core areas of cybersecurity. NISTIR 8200 states that 92
“Standards-based cybersecurity risk management will continue to be a major factor in the trustworthiness of IoT applications and devices.” IoT is unique and will require tailoring existing standards as well as creating new standards to address the wide array of IoT devices. Without these standards it would be nearly impossible to harden IoT devices across the board and across various sectors, while maintaining their functionality (NIST, 2018 Internet). In addition, the report states, “… the adoption of IoT brings cybersecurity risks that pose a significant threat to the nation.” In September 2018, NIST release a draft of their internal report (NISTIR) 8222 Internet of Things (IoT) Trust Concerns. In it, they break down 17 trust concerns that impact the security of IoT devices and services and is derived from their SP 800-183 (“Networks of Things”). They identify actions for mitigation and push additional areas for further exploration and study. As of the publication date of this article, the current draft has been withdrawn from the web, “to synchronize with other pending documents on this topic, and to ensure time for stakeholders to review and comment.” NIST adds that, “Once the draft document has been re-posted, the comment period will be extended” (NIST, 2018 Interagency). To expand upon this, we feel a NIST Risk Management Framework (RMF) approach may be used to secure IoT devices. The RMF is a common information security framework used by the federal government to improve information security and risk management processes. Simply stated, the RMF provides a review of an information system’s security against established baselines. Identified risks are either fixed, mitigated, or deemed acceptable, in accordance with their usage. Once the system has gone through the testing phase of the RMF, the security and risk level of the system is vetted to the owner of the system. The designated “owner” may then accept the risk and grant the system an Authorization to Operate (ATO) on their network. The six-step process, involves 1) categorization of information systems based on impact due to loss of Confidentiality, Integrity, and Availability (CIA), 2) selection of security controls in accordance with a baseline and categorization results, 3) implementation of NIST security controls, 4) assessment of security controls addressing objectives and methods verifying compliance, schedule and procedures/validation and assessment with remediation as necessary, 5) authorization of information systems results in submittal and review of the package to the System Owner (SO) who will accept any residual risk and 6) monitoring of security controls to detect changes, their impact and updating of documentation to reflect current status. The cycle is typically three years before reassessment, unless other continuous monitoring strategies are in place. 93
Page 1 and 2:
5 Reasons Why Cloud Security is Imp
Page 3 and 4:
Data Sniffing is Threatening Your P
Page 5 and 6:
CEO, Cyber Defense Media Group Publ
Page 7 and 8:
7
Page 9 and 10:
9
Page 11 and 12:
11
Page 13 and 14:
13
Page 15 and 16:
Your website could be vulnerable to
Page 17 and 18:
17
Page 19 and 20:
Cloud computing helps organizations
Page 21 and 22:
the day, if the customer data store
Page 23 and 24:
8 Cybersecurity Practices In Health
Page 25 and 26:
V. Amplified M&A activities in the
Page 27 and 28:
7. Maintain Compliance with HIPAA T
Page 29 and 30:
Whether it’s malicious outsiders
Page 31 and 32:
About the Authors Cody Cornell is t
Page 33 and 34:
altered. And with the decentralized
Page 35 and 36:
Simplifying Cybersecurity Deploymen
Page 37 and 38:
If you do not want Alert Logic auto
Page 39 and 40:
Backups like The Last Resort The im
Page 41 and 42: About the Author Pedro Tavares is a
Page 43 and 44: Legacy Infrastructure Legacy infras
Page 45 and 46: Enterprise Insider Threats on The R
Page 47 and 48: Your Security Teams are Destroying
Page 49 and 50: Using Behavior to Detect Complete A
Page 51 and 52: Ivanti Priorities this month:
Page 53 and 54: Phishing Awareness - The More They
Page 55 and 56: ecognized leader for security aware
Page 57 and 58: On Security and Privacy, States Are
Page 59 and 60: This federal push will not be a sil
Page 61 and 62: miniature bridges - an email can cr
Page 63 and 64: Network Traffic Analysis (NTA) By T
Page 65 and 66: Traffic Analysis Engine These are t
Page 67 and 68: The Internet of Things Signal Trans
Page 69 and 70: oth - convenience and security of t
Page 71 and 72: 4. Cloud and Speed: Companies that
Page 73 and 74: Two Steps on - One Step Back By Mil
Page 75 and 76: Always Take Care about Your Trainin
Page 77 and 78: CTI in some way, which is an increa
Page 79 and 80: would show that it’s so hard to a
Page 81 and 82: It’s All About The Logs Looking i
Page 83 and 84: A well designed and properly implem
Page 85 and 86: Salaries have significantly grown i
Page 87 and 88: Let’s take a look into a kid’s
Page 89 and 90: What happened then? This destroys a
Page 91: Opt Parental Controls for all your
Page 95 and 96: the de facto security standard simi
Page 97 and 98: About the Authors Dan Jetton is the
Page 99 and 100: According to KPMG’s Global Sector
Page 101 and 102: Data Sniffing is Threatening Your P
Page 103 and 104: About the Author William J. Tomlins
Page 105 and 106: if the line meets the acceptable le
Page 107 and 108: Is Your Encryption Flexible Enough?
Page 109 and 110: to other chat apps is geometric, an
Page 111 and 112: The Critical Role TAPs Play in Netw
Page 113 and 114: About the Author Alastair Hartrup i
Page 115 and 116: Thanks to these attacks, the demand
Page 117 and 118: Why CIOs/CISO’s Positions Are Bec
Page 119 and 120: slowly to how they would normally.
Page 121 and 122: Over time, as operators compile mul
Page 123 and 124: QIDs from associated metadata, the
Page 125 and 126: 125
Page 127 and 128: 127
Page 129 and 130: 129
Page 131 and 132: 131
Page 133 and 134: 133
Page 135 and 136: 135
Page 137 and 138: 137
Page 139 and 140: 139
Page 141 and 142: 141
Page 143 and 144:
143
Page 145 and 146:
145
Page 147 and 148:
147
Page 149 and 150:
149
Page 151 and 152:
You asked, and it’s finally here
Page 153 and 154:
Marketing and Partnership Opportuni
Page 155 and 156:
Regent University’s Institute for
Page 157 and 158:
157
Page 159 and 160:
159
show all

Cyber Defense eMagazine May 2019

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?