
Role-Based Cybersecurity Training for Information Technology Professionals

Learn about your role in keeping IT systems secure throughout their lifecycle and in daily operations. Understand the basics of information security, incident response, user access control, security assessment, and continuous monitoring.

Presentation Transcript


  1. Role-Based Cybersecurity Training for Information Technology Professionals

  2. Module 1 • This module will cover topics: • Introduction • Safeguarding the FMCSA Mission

  3. Introduction Welcome to Cybersecurity Training for Information Technology Professionals This course will discuss your role in keeping IT systems secure throughout the lifecycle and in daily operations. At the end of the course, you will read and acknowledge the FMCSA Rules of Behavior for Privileged User Accounts.

  4. Introduction Objectives • At the end of this course you will be able to: • Understand your role and responsibilities to protect information system security • Define the basic components of an information security program • Understand the basics of responding to a security or privacy incident • Understand the basics of user access control • Understand the basics of security assessment and authorization • Understand the basics of continuous monitoring and responsibilities

  5. Introduction All It Takes is One Incident The primary mission of the Federal Motor Carrier Safety Administration (FMCSA) is to reduce crashes, injuries and fatalities involving large trucks and buses. Personally Identifiable Information is collected and stored in FMCSA information systems to provide critical medical and social services to millions of people. Information security professionals are responsible for protecting the IT assets that support the mission from unofficial access, disruption of service, and unauthorized modification. Understanding the threats that information systems are exposed to and taking steps to mitigate them reduces the risk to networks and systems.

  6. Safeguarding the FMCSA Mission

  7. Safeguarding the FMCSA Mission Security is an Integrated Solution Information security is part of a complex interrelationship that includes policy, people, procedures, and products.

  8. Safeguarding the FMCSA Mission Policy The Federal Information Security Management Act (FISMA) is the backbone of federal legislation regarding information security. FISMA was signed into law as part of the Electronic Government Act of 2002. It requires federal agencies to develop, document, and implement an enterprise information security program to cost-effectively reduce IT security risks to federal information assets.

  9. Safeguarding the FMCSA Mission Department Governance The FMCSA Cybersecurity Program is FMCSA’s information security program. Oversight is provided by the DOT’s Office of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). The Program provides an enterprise-wide perspective, facilitating coordination among key stakeholders, setting standards, providing guidance, and supporting streamlined reporting and metrics capabilities. The FMCSA Cybersecurity Program manages implementation of DOT’s Cybersecurity standards, develops Cybersecurity policies and procedures specific to the FMCSA’s operating environment, and manages ongoing Cybersecurity operations.

  10. Safeguarding the FMCSA Mission Procedure Federal legislation and guidance influence the Department’s technological infrastructure and information asset safeguards. The table lists some sources of legislation and guidance that help to build an effective security program, thereby protecting information and systems.

  11. Safeguarding the FMCSA Mission Products Security must be considered when developing or acquiring any IT system. A system can involve anything from an off-the-shelf piece of software – or a hardware peripheral like a printer – to an enterprise-wide web-based application that is used daily by thousands of employees. All components – hardware, software, interconnections, facilities, infrastructure (e.g., power, temperature), etc. – are part of the information system “product.”

  12. TEST YOUR KNOWLEDGE • 1. FISMA is: (Select all that apply) • Is a guidance from DOT • It requires FMCSA to develop, document, and implement an enterprise information security program to cost-effectively reduce risks to IT assets • It is a Federal law • It does not apply to FMCSA • 2. When should Cybersecurity be taken into consideration? • When acquiring or developing a system • During operation • During disposal • During implementation

  14. Module 2 • This module will cover topic: • Information Security Program Management

  15. Information Security Program Management

  16. Information Security Program Management Introduction Individuals with hands-on responsibilities for the daily operations of systems must understand how their roles relate to the information security programs at the FMCSA and system level. Such an understanding will enable IT Personnel to perform their duties with a mindset of appropriate and adequate protection for FMCSA’s IT resources.

  17. Information Security Program Management Information Security Program Objectives • The overall objective of an information security program is to protect the information and systems that support the operations and assets of the agency. • Safeguarding each system at FMCSA means ensuring that the following security objectives are realized for its information: • Confidentiality - Protecting information from unauthorized access and disclosure. • Integrity - Assuring the reliability and accuracy of information and IT resources by guarding against unauthorized information modification or destruction. • Availability - Defending information systems and resources to ensure timely and reliable access and use of information.

  18. Information Security Program Management Threats • Information systems are not perfect, nor are the people that interact with them or the environments in which they function. As such, systems are vulnerable to misuse, interruptions and manipulation. • A threat is the potential to cause unauthorized disclosure, unavailability, changes, or destruction of an asset. • Threats can come from inside or outside FMCSA. • External forces can disrupt a system, such as a hacker maliciously accessing or corrupting data, or a storm disrupting power and network access. • An example of an internal threat is an employee who inappropriately changes, deletes, or uses data.

  19. Information Security Program Management Vulnerability • A vulnerability is any flaw or weakness that can be exploited and could result in a breach or a violation of a system’s security policy. • Some examples of vulnerabilities include: • Poorly communicated or implemented policy; • Inadequately trained personnel; and • Improperly configured systems or controls.

  20. Information Security Program Management Risk A threat that exploits a vulnerability can allow information to be accessed, manipulated, deleted, or otherwise affected by those without the proper authority. It may also prevent data or a system from being accessed. Risk is the likelihood that a threat will exploit a vulnerability. For example, a system without a backup power source is a vulnerability. A threat, such as a thunderstorm, would increase the likelihood of a power outage and create a risk of system failure. Risk management is the process of identifying threats and vulnerabilities to IT assets and establishing acceptable controls to reduce the likelihood of a security breach or violation.

  21. Information Security Program Management Security Controls • No information system is completely safe from threats, but controls help mitigate risks. • Controls are policies, procedures, and practices designed to decrease the likelihood, manage the impact, or minimize the effect of a threat exploiting a vulnerability. Examples of controls include: • Clearly documented roles and responsibilities; • Security awareness and training program; • Incident response planning; • Physical security, like guards, badges, and fences; • Environmental controls in server rooms; and • Access controls, like passwords and PINs.

  22. Information Security Program Management Annual Assessment Under FISMA, FMCSA must determine the effectiveness of its information security program. The Office of the Inspector General (OIG) annually audits information security policies and procedures. IT Personnel may be asked to help review existing security documentation, configurations, procedures, system testing, inventory, or anything else related to information security.

  23. Your Role in Information Security Program Management • Participate in DOT-required security Role-Based Training and mandatory annual specialized security training • Examine unresolved information system vulnerabilities and determine which corrective action(s) or additional safeguards are necessary to mitigate them • Adhere to Change Management Policies/Procedures

  24. Information Security Program Management Recap The goal of the information security program is to keep information and information systems appropriately confidential and available, while maintaining integrity. The likelihood and impact of a threat exploiting a vulnerability is a risk to the system. – Example: Account privileges are not disabled when employees are terminated (vulnerability). A disgruntled former employee (threat) creates a risk that the organization’s network and data will be compromised. There is an inherent risk in operating any information system. Controls help minimize and avoid some of the risk.

  25. TEST YOUR KNOWLEDGE • 1. An example of vulnerability is a well-trained staff: • True • False • 2. Risk management: A. Is a process of identifying threats and vulnerabilities to IT assets B. Establishes acceptable controls to reduce the likelihood of a security breach or violation C. Is a flaw or weakness that can be exploited and could result in a breach or a violation of a system’s security policy D. Is the identification, assessment and prioritization of risks

  27. Module 3 • This module will cover topics: • User Access • Incident Handling

  28. User Access

  29. User Access Introduction Your job gives you a great deal of technical influence over the system. To comply with Federal policies and regulations, and good practices, it is important to observe separation of duties guidelines.

  30. User Access Level of Access Access controls exist to ensure that only authorized individuals gain access to information system resources, that they are assigned an appropriate level of privilege, and that they are individually accountable for their actions. At FMCSA, system access administrators or designees process all internal requests for access. Access is granted according to the most restrictive set of rights or privileges needed. The data owner is responsible for specifying the type of user access which may be approved.

  31. User Access Rules of Behavior and User Access The Rules of Behavior For Use of FMCSA Information Technology Resources (FMCSA Rules of Behavior) describe the user responsibilities and expected behavior with regard to information system usage. All users accessing Department systems and networks are required to read and sign the FMCSA Rules of Behavior indicating that they understand and agree to abide by the rules before receiving access [1]. Monitor system access to ensure that there is not an excessive or unusual number of individuals receiving high-level or administrator-level access to the system. This could indicate a lack of controls – including least privilege and “need to know” controls. In general, individuals that are administering the system should not be responsible for auditing or reviewing the system or its controls. [1] Some OpDivs have their own Rules of Behavior which users must read and sign before accessing the network or data.

  32. User Access Monitoring User Access / Recertification Periodic recertification of user access ensures system access is limited to those who have a current business purpose. Review system user account status on a quarterly recurrence and report it to the ISSO and to supervisors/managers. Terminate inactive accounts within the 60-day DOT-defined timeframe unless the user's supervisor provides written certification of the need for continuation of access. Accounts for separated employees, contractors, volunteers, or others no longer requiring access are terminated immediately.

  33. User Access Terminating User Access It is important to terminate user access promptly when an individual has separated from FMCSA. Separations can be due to termination of employment, retirement, or transfer. Terminations can potentially be hostile situations. In general at FMCSA, for routine separations, termination of user access occurs within 24 hours of the separation. For potentially hostile terminations, access is terminated at the exact time of employee notification. Take time to discuss termination of access procedures with your supervisor if you do not know how this is handled for your system.
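The recertification and termination rules from slides 30 through 33, applied as a quarterly review script. This is an added example, not FMCSA or DOT tooling: the account records are constructed, the 60-day inactivity window is the DOT-defined timeframe stated on the slide, and the administrator-ratio threshold is an assumption made here to illustrate the "excessive or unusual number of administrator-level accounts" check.

```python
"""Quarterly user-access recertification check (added example, not FMCSA tooling).

Applies the rules from the slides to a constructed list of accounts:
  * accounts of separated users are flagged for immediate termination;
  * accounts inactive for more than 60 days are flagged for termination
    unless the supervisor's written certification is on file;
  * the share of administrator-level accounts is reported so an unusual
    number of privileged users stands out during the review.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=60)   # DOT-defined timeframe stated on the slide
ASSUMED_MAX_ADMIN_RATIO = 0.25          # assumption for this example, not a DOT value


@dataclass(frozen=True)
class Account:
    username: str
    last_login: Optional[date]             # None = never logged in
    privileged: bool                       # administrator-level access
    separated_on: Optional[date] = None    # set once the person has separated
    supervisor_certified: bool = False     # written certification of continued need


def recertify(accounts, as_of):
    """Build the quarterly recertification report for the ISSO and supervisors."""
    report = {
        "terminate_immediately": [],  # separated employees/contractors/volunteers
        "terminate_inactive": [],     # idle > 60 days and no certification on file
        "certified_exception": [],    # idle > 60 days but certified in writing
        "retain": [],                 # used within the window
    }
    for acct in accounts:
        if acct.separated_on is not None:
            report["terminate_immediately"].append(acct.username)
            continue
        never_used = acct.last_login is None
        inactive = never_used or (as_of - acct.last_login) > INACTIVITY_LIMIT
        if inactive and acct.supervisor_certified:
            report["certified_exception"].append(acct.username)
        elif inactive:
            report["terminate_inactive"].append(acct.username)
        else:
            report["retain"].append(acct.username)

    # Privileged-account review over the accounts that have not separated.
    remaining = [a for a in accounts if a.separated_on is None]
    admins = [a.username for a in remaining if a.privileged]
    ratio = len(admins) / len(remaining) if remaining else 0.0
    report["privileged_accounts"] = admins
    report["privileged_ratio"] = round(ratio, 2)
    report["excessive_privilege"] = ratio > ASSUMED_MAX_ADMIN_RATIO
    return report


# Constructed sample data for a review dated 31 March 2024.
AS_OF = date(2024, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 3, 28), privileged=False),
    Account("bob",   date(2024, 1, 5),  privileged=True),                 # 86 days idle
    Account("carol", date(2023, 12, 1), privileged=False, supervisor_certified=True),
    Account("dave",  date(2024, 3, 30), privileged=True, separated_on=date(2024, 3, 29)),
    Account("erin",  None,              privileged=False),                # never logged in
    Account("frank", date(2024, 2, 15), privileged=True),                 # 45 days idle
]

if __name__ == "__main__":
    for key, value in recertify(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{key}: {value}")
```

A never-used account is treated as inactive on purpose: an account that was provisioned but never logged into has no current business purpose either. The privileged ratio is computed over every account that has not separated, including those about to be terminated, so the report reflects the state the reviewer actually sees.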

  34. User Access Recap Monitoring user access and monitoring privileged users is critical to the security of information systems. User access should be limited to a need-to-know basis. It should be periodically reviewed, and removed if access is no longer required. The FMCSA Rules of Behavior must be signed before a user can access the network or the systems on the network.

  35. Incident Handling

  36. Incident Handling Incident Handling Lifecycle Overview • Per NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, incident management entails: • Preparation; • Ensuring the proper policies and procedures, lines of communication and team members are identified prior to an incident occurring. • Detection & Analysis; (“Identification” at FMCSA) • Identifying and differentiating an incident from an event. This includes gathering, and initial triaging of, all available data associated with the incident. • Containment, Eradication, and Recovery; and • Initiated to seclude affected hosts and systems from the network, initiating network blocks on adversaries, etc.; address issues, then bring the network/system back to production status. • Post-Incident Activity (“Lessons Learned” at FMCSA) • Notes and lessons learned from the response are evaluated and, in turn, used to improve the security landscape by improving patching methodologies, reevaluating access permissions, account usage, user training, etc.

  37. Incident Handling Preparation • Each FMCSA system has an incident handling plan that consists of: • Policies and procedures; • System documentation; • Incident Response Team (IRT); and • Monitoring, communication, and mitigation tools.

  38. Incident Handling Detecting and Analyzing Incidents Detecting potential security incidents may be difficult. Knowing how a system usually behaves and learning which symptoms can indicate potential incidents is a way to recognize when to further investigate. Correlation and analysis of events may help to identify potential incidents that may have been overlooked and could become a more serious problem. Early awareness of potential incidents can stop damage, disclosure, and other harmful effects before they happen. Incident detection and analysis may take several individuals reviewing activity before it is realized that an incident has occurred. Within FMCSA, users should report all suspected computer security incidents to the Computer Security Incident Response Team (CSIRT) or FMCSA ISSM: CSIRT: 9-awa-soc@faa.gov FMCSA ISSM: Nicole Moore nicole.moore@dot.gov 202-366-9980
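The slide's point that correlation of events reveals what a single entry does not, shown as an added example that is not FMCSA's own detection logic. The log format, the log lines (documentation IP ranges, fictional users and host) and the two thresholds are all constructed for this example. One failed login is an everyday event; a burst of failures from one source followed by a success from that same source is the symptom worth escalating to the CSIRT.

```python
"""Correlating authentication events to surface a possible incident
(added example, not FMCSA detection logic).

Parses constructed log lines in an assumed format:
    <ISO timestamp> <host> auth <SUCCESS|FAIL> user=<name> src=<ip>
and flags a source address that produces at least FAIL_THRESHOLD failed
logins within WINDOW and then a successful login.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # assumed for this example
WINDOW = timedelta(minutes=10)   # assumed for this example

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>SUCCESS|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_suspicious_logins(lines):
    """Return one alert per burst of failures followed by a success from the same source."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])          # correlation needs time order
    recent_fails = defaultdict(list)            # src -> timestamps of failed attempts
    alerts = []
    for e in events:
        src = e["src"]
        if e["result"] == "FAIL":
            recent_fails[src].append(e["ts"])
            continue
        # A success: keep only failures inside the window, then test the count.
        fails = [t for t in recent_fails[src] if e["ts"] - t <= WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append({
                "src": src,
                "user": e["user"],
                "host": e["host"],
                "failures": len(fails),
                "success_at": e["ts"].isoformat(),
            })
        recent_fails[src] = []                  # the burst is resolved either way
    return alerts


# Constructed sample log: a guessing burst that ends in a success, a user
# who mistyped once, a normal login, and one line that does not parse.
SAMPLE_LOG = """\
2024-03-12T02:14:01 fileserver01 auth FAIL user=jsmith src=203.0.113.45
2024-03-12T02:14:03 fileserver01 auth FAIL user=jsmith src=203.0.113.45
2024-03-12T02:14:05 fileserver01 auth FAIL user=jsmith src=203.0.113.45
2024-03-12T02:14:08 fileserver01 auth FAIL user=jsmith src=203.0.113.45
2024-03-12T02:14:10 fileserver01 auth FAIL user=jsmith src=203.0.113.45
2024-03-12T02:14:13 fileserver01 auth SUCCESS user=jsmith src=203.0.113.45
2024-03-12T08:01:22 fileserver01 auth FAIL user=mlee src=192.0.2.17
2024-03-12T08:01:40 fileserver01 auth SUCCESS user=mlee src=192.0.2.17
2024-03-12T09:30:00 fileserver01 auth SUCCESS user=admin src=192.0.2.99
this line is malformed and is skipped by the parser
"""

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG.splitlines()):
        print("ALERT possible compromised credentials:", alert)
```

Failures are counted per source rather than per user so that a source trying several usernames before one succeeds is still caught. An alert is a reason to investigate and report, not proof of compromise; the analysis step on the slide is where a person confirms whether the event is an incident.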

  39. Incident Handling Incident Containment • There is a delicate balance between protecting evidence from an incident and containing an incident to prevent further impact. If evidence is destroyed, it may be difficult to determine the root cause and prosecute the attacker. • Containment strategies vary based on the type of incident. Criteria for determining the appropriate strategy include: • Potential damage to and theft of resources; • Need for evidence preservation; • Service availability (e.g., network connectivity, services provided to external parties); • Time and resources needed to implement the strategy; • Effectiveness of the strategy (e.g., partially contains the incident, fully contains the incident); and • Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).

  40. Incident Handling Incident Eradication and Recovery After an incident has been contained and evidence preserved, as appropriate, eradication may be necessary to eliminate components of the incident. Deleting malicious code and disabling breached user accounts are examples of eradication. For some incidents, eradication is either not necessary or is performed during recovery. During recovery, IT Administrators restore systems to normal operation and, as necessary, harden systems to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and adding or strengthening other security controls.

  41. Incident Handling Post-Incident Activity • You may be asked to participate in “lessons learned” exercises to discuss: • Exactly what happened, and at what times? • How well did staff and management perform in dealing with the incident? • Were the documented procedures followed? • Were they adequate? • What information was needed sooner? • Were any steps or actions taken that might have inhibited the recovery? • What would the staff and management do differently the next time a similar incident occurs? • What additional tools or resources are needed to detect, analyze, and mitigate future incidents?

  42. Incident Handling Incident Handling: Your Role Implement proper information system backups, apply software patches within timeframes established by FMCSA for security vulnerabilities, and accurately report security incidents in accordance with DOT policy, DOT CSIRC procedures and any FMCSA supplemental procedures. Incident handling plans are documented for systems to ensure computer security incidents are handled efficiently and effectively. Assist the System Owner in developing and documenting the process and responsibilities for incident handling. Be prepared in the Detection, Response, and Resolution phases of the incident handling lifecycle. Federal agencies are required by law to report incidents involving Personally Identifiable Information (PII) to the United States Computer Emergency Readiness Team (US-CERT) within one hour of discovery.

  43. Incident Handling Privacy Incident Response Team A privacy incident requires coordination, collaboration, and communication between the Department and the affected OpDiv. The Breach Assessment and Response Team (BART) oversees the response efforts and activities for suspected or confirmed privacy incidents for the Department. The BART must review any communication, such as a notification letter, before FMCSA contacts a potentially impacted individual and will advise FMCSA if credit monitoring is necessary for an individual at risk for identity theft.

  44. Incident Handling Recap • Each system has an incident response plan which describes how to respond when an incident occurs. • Federal agencies are required by law to report incidents involving PII to the US-CERT within one hour of discovery. • Members of the IT team may be asked to help in any of the four areas of incident management: • Preparation; • Detection & Analysis; • Containment, Eradication, and Recovery; and • Post-Incident Activity.

  45. TEST YOUR KNOWLEDGE • 1. As a member of the IT team, you should be prepared to be involved in the Detection, Response, and Resolution phases of the incident handling lifecycle. • True • False • 2. Which are examples of a security incident? (Select all that apply) • Lost PIV • Lost laptop/phone • SPII information sent over encrypted email to an authorized person • Clicked on a malicious link that downloaded malware onto device

  47. Security Assessment And Authorization Module 5

  48. This module will cover topics: • Security Assessment And Authorization • Continuous Monitoring • Summary

  49. Security Assessment • Security Control Assessment • The testing and/or evaluation of the management, operational, and technical security controls in an information system • Determination of the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system

  50. Authorization • Authorization (to Operate) • The official management decision given by a senior organizational official to authorize operation of an information system • Explicit acceptance of the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls
