
Role-Based Cybersecurity Training for Information Technology - PowerPoint Presentation

Uploaded by celsa-spraggs on 2020-01-27



Presentation Transcript

Role-Based Cybersecurity Training for Information Technology Professionals

Module 1
This module will cover these topics:
- Introduction
- Safeguarding the FMCSA Mission

Introduction: Welcome to Cybersecurity Training for Information Technology Professionals
This course will discuss your role in keeping IT systems secure throughout the life cycle and in daily operations. At the end of the course, you will read and acknowledge the FMCSA Rules of Behavior for Privileged User Accounts.

Introduction: Objectives
At the end of this course you will be able to:
- Understand your role and responsibilities to protect information system security.
- Define the basic components of an information security program.
- Understand the basics of responding to a security or privacy incident.
- Understand the basics of user access control.
- Understand the basics of security assessment and authorization.
- Understand the basics of continuous monitoring and your related responsibilities.

Introduction: All It Takes Is One Incident
The primary mission of the Federal Motor Carrier Safety Administration (FMCSA) is to reduce crashes, injuries and fatalities involving large trucks and buses. Personally Identifiable Information is collected and stored in FMCSA information systems to provide critical medical and social services to millions of people. Information security professionals are responsible for protecting the IT assets that support the mission from unauthorized access, disruption of service, and unauthorized modification. Understanding the threats that information systems are exposed to, and taking steps to mitigate them, reduces the risk to networks and systems.

Safeguarding the FMCSA Mission

Safeguarding the FMCSA Mission: Security Is an Integrated Solution
Information security is part of a complex interrelationship that includes policy, people, procedures, and products.

Safeguarding the FMCSA Mission: Policy
The Federal Information Security Management Act (FISMA) is the backbone of federal legislation regarding information security. FISMA was signed into law as part of the Electronic Government Act of 2002. It requires federal agencies to develop, document, and implement an enterprise information security program to cost-effectively reduce IT security risks to federal information assets.

Safeguarding the FMCSA Mission: Department Governance
The FMCSA Cybersecurity Program is FMCSA's information security program. Oversight is provided by the DOT's Office of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). The Program provides an enterprise-wide perspective, facilitating coordination among key stakeholders, setting standards, providing guidance, and supporting streamlined reporting and metrics capabilities. The FMCSA Cybersecurity Program manages implementation of DOT's Cybersecurity standards, develops Cybersecurity policies and procedures specific to FMCSA's operating environment, and manages ongoing Cybersecurity operations.

Safeguarding the FMCSA Mission: Procedure
Federal legislation and guidance influence the Department's technological infrastructure and information asset safeguards. The table below lists some sources of legislation and guidance that help to build an effective security program, thereby protecting information and systems.

IT Security Legislation and Guidance:
- E-Government Act of 2002
- Clinger-Cohen Act of 1996
- Office of Management and Budget (OMB) Circular A-130
- Paperwork Reduction Act

Privacy Legislation:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Privacy Act of 1974
- Children's Online Privacy Protection Act (COPPA)

National Institute of Standards and Technology (NIST) Special Publications:
- NIST issues standards and guidelines to assist federal agencies in implementing security and privacy regulations. Special publications can be found on the NIST Portal.

Safeguarding the FMCSA Mission: Products
Security must be considered when developing or acquiring any IT system. A system can involve anything from an off-the-shelf piece of software, or a hardware peripheral like a printer, to an enterprise-wide web-based application that is used daily by thousands of employees. All components (hardware, software, interconnections, facilities, infrastructure such as power and temperature control, etc.) are part of the information system "product".

Test Your Knowledge
1. When should Cybersecurity be taken into consideration?
- When acquiring or developing a system
- During operation
- During disposal
- During implementation
2. FISMA: (Select all that apply)
- Is guidance from DOT
- Requires FMCSA to develop, document, and implement an enterprise information security program to cost-effectively reduce risks to IT assets
- Is a Federal law
- Does not apply to FMCSA


Module 2
This module will cover this topic: Information Security Program Management

Information Security Program Management

Information Security Program Management: Introduction
Individuals with hands-on responsibilities for the daily operations of systems must understand how their roles relate to the information security programs at the FMCSA and system level. Such an understanding will enable IT personnel to perform their duties with a mindset of appropriate and adequate protection for FMCSA's IT resources.

Information Security Program Management: Information Security Program Objectives
The overall objective of an information security program is to protect the information and systems that support the operations and assets of the agency. To safeguard each system at FMCSA is to ensure that the following security objectives can be realized for its information:
- Confidentiality: protecting information from unauthorized access and disclosure.
- Integrity: assuring the reliability and accuracy of information and IT resources by guarding against unauthorized information modification or destruction.
- Availability: defending information systems and resources to ensure timely and reliable access to and use of information.

Information Security Program Management: Threats
Information systems are not perfect, nor are the people that interact with them or the environments in which they function. As such, systems are vulnerable to misuse, interruptions and manipulation. A threat is the potential to cause unauthorized disclosure, unavailability, changes, or destruction of an asset. Threats can come from inside or outside FMCSA. External forces can disrupt a system, such as a hacker maliciously accessing or corrupting data, or a storm disrupting power and network access. An example of an internal threat is an employee who inappropriately changes, deletes, or uses data.

Information Security Program Management: Vulnerability
A vulnerability is any flaw or weakness that can be exploited and could result in a breach or a violation of a system's security policy. Some examples of vulnerabilities include:
- Poorly communicated or implemented policy;
- Inadequately trained personnel; and
- Improperly configured systems or controls.

Information Security Program Management: Risk
A threat that exploits a vulnerability can allow information to be accessed, manipulated, deleted, or otherwise affected by those without the proper authority. It may also prevent data or a system from being accessed. Risk is the likelihood that a threat will exploit a vulnerability. For example, a system without a backup power source is a vulnerability. A threat, such as a thunderstorm, would increase the likelihood of a power outage and create a risk of system failure. Risk management is the process of identifying threats and vulnerabilities to IT assets and establishing acceptable controls to reduce the likelihood of a security breach or violation.

Information Security Program Management: Security Controls
No information system is completely safe from threats, but controls help mitigate risks. Controls are policies, procedures, and practices designed to decrease the likelihood, manage the impact, or minimize the effect of a threat exploiting a vulnerability. Examples of controls include:
- Clearly documented roles and responsibilities;
- Security awareness and training program;
- Incident response planning;
- Physical security, like guards, badges, and fences;
- Environmental controls in server rooms; and
- Access controls, like passwords and PINs.

Information Security Program Management: Annual Assessment
Under FISMA, FMCSA must determine the effectiveness of its information security program. The Office of the Inspector General (OIG) annually audits information security policies and procedures. IT personnel may be asked to help review existing security documentation, configurations, procedures, system testing, inventory, or anything else related to information security.

Your Role in Information Security Program Management
- Participate in DOT-required security Role-Based Training and mandatory annual specialized security training.
- Examine unresolved information system vulnerabilities and determine which corrective action(s) or additional safeguards are necessary to mitigate them.
- Adhere to Change Management policies/procedures.

Information Security Program Management: Recap
The goal of the information security program is to keep information and information systems appropriately confidential and available, while maintaining integrity. The likelihood and impact of a threat exploiting a vulnerability is a risk to the system. Example: account privileges are not disabled when employees are terminated (vulnerability). A disgruntled former employee (threat) creates a risk that the organization's network and data will be compromised. There is an inherent risk in operating any information system. Controls help minimize and avoid some of the risk.

Test Your Knowledge
1. An example of a vulnerability is a well-trained staff:
True / False
2. Risk management:
A. Is a process of identifying threats and vulnerabilities to IT assets
B. Establishes acceptable controls to reduce the likelihood of a security breach or violation
C. Is a flaw or weakness that can be exploited and could result in a breach or a violation of a system's security policy
D. Is the identification, assessment and prioritization of risks


Module 3
This module will cover these topics:
- User Access
- Incident Handling

User Access

User Access: Introduction
Your job gives you a great deal of technical influence over the system. To comply with Federal policies and regulations, and with good practice, it is important to observe separation-of-duties guidelines.

User Access: Level of Access
Access controls exist to ensure that only authorized individuals gain access to information system resources, that they are assigned an appropriate level of privilege, and that they are individually accountable for their actions. At FMCSA, system access administrators or designees process all internal requests for access. Access is granted according to the most restrictive set of rights or privileges needed. The data owner is responsible for specifying the type of user access which may be approved.

User Access: Rules of Behavior and User Access
The Rules of Behavior for Use of FMCSA Information Technology Resources (FMCSA Rules of Behavior) describe the user responsibilities and expected behavior with regard to information system usage. All users accessing Department systems and networks are required to read and sign the FMCSA Rules of Behavior, indicating that they understand and agree to abide by the rules, before receiving access.[1]
Monitor system access to ensure that there is not an excessive or unusual number of individuals receiving high-level or administrator-level access to the system. This could indicate a lack of controls, including least privilege and "need to know" controls. In general, individuals that are administering the system should not be responsible for auditing or reviewing the system or its controls.
[1] Some OpDivs have their own Rules of Behavior which users must read and sign before accessing the network or data.

User Access: Monitoring User Access/Recertification
Periodic recertification of user access ensures system access is limited to those who have a current business purpose.
- Review system user account status quarterly and report it to the ISSO and to supervisors/managers.
- Terminate inactive accounts within the DOT-defined 60-day timeframe unless the user's supervisor provides written certification of the need for continued access.
- Accounts for separated employees, contractors, volunteers, or others no longer requiring access are terminated immediately.

User Access: Terminating User Access
It is important to terminate user access promptly when an individual has separated from FMCSA. Separations can be due to termination of employment, retirement, or transfer. Terminations can potentially be hostile situations. In general at FMCSA, for routine separations, termination of user access occurs within 24 hours of the separation. For potentially hostile terminations, access is terminated at the exact time of employee notification. Take time to discuss termination-of-access procedures with your supervisor if you do not know how this is handled for your system.
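The recertification and termination rules from the two slides above, turned into a review routine as an added example (this is not part of the training material or of any FMCSA tool). The thresholds (60-day inactivity, 24-hour routine separation, immediate hostile separation, supervisor certification) come from the text; the Account record layout, the 20% privileged-share threshold and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

INACTIVE_DAYS = 60             # DOT-defined inactivity window (from the text)
ROUTINE_SEPARATION_HOURS = 24  # routine separations: access removed within 24 hours


@dataclass
class Account:
    user: str
    last_login: date                        # most recent successful login
    privileged: bool = False                # administrator-level access
    separated_on: Optional[date] = None     # date the separation was notified, if any
    hostile: bool = False                   # potentially hostile termination
    certified_until: Optional[date] = None  # supervisor's written certification of need


def review_account(acct: Account, today: date) -> str:
    """Return the action the recertification review takes for one account."""
    # Separated users are handled first: hostile terminations lose access at
    # the moment of notification, routine ones within 24 hours.
    if acct.separated_on is not None:
        if acct.hostile:
            return "terminate-immediately"
        return f"terminate-within-{ROUTINE_SEPARATION_HOURS}h"
    # A current written certification from the supervisor keeps an otherwise
    # inactive account open; a lapsed certification does not.
    if acct.certified_until is not None and acct.certified_until >= today:
        return "retain-certified"
    # Everyone else is judged on inactivity against the 60-day window.
    if (today - acct.last_login).days >= INACTIVE_DAYS:
        return "terminate-inactive"
    return "retain"


def recertify(accounts: List[Account], today: date,
              max_privileged_share: float = 0.2) -> Dict[str, object]:
    """Build the quarterly report sent to the ISSO and supervisors.

    Besides the per-account actions it flags an unusually large share of
    administrator-level accounts among those retained, which the text names
    as a sign of weak least-privilege controls. The 20% threshold is an
    assumption for this example, not a DOT or FMCSA figure.
    """
    actions = {a.user: review_account(a, today) for a in accounts}
    retained = [a for a in accounts if actions[a.user].startswith("retain")]
    privileged = sum(1 for a in retained if a.privileged)
    share = privileged / len(retained) if retained else 0.0
    return {
        "actions": actions,
        "privileged_retained": privileged,
        "privileged_share_exceeded": share > max_privileged_share,
    }


# Constructed sample records for a review run on 2020-01-27.
TODAY = date(2020, 1, 27)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2020, 1, 20), privileged=True),
    Account("bob", date(2019, 10, 1)),                       # 118 days idle
    Account("carol", date(2019, 9, 15),
            certified_until=date(2020, 6, 30)),              # idle but certified
    Account("dave", date(2020, 1, 25), separated_on=date(2020, 1, 26)),
    Account("erin", date(2020, 1, 24), separated_on=date(2020, 1, 27),
            hostile=True, privileged=True),
]

if __name__ == "__main__":
    report = recertify(SAMPLE_ACCOUNTS, TODAY)
    for user, action in report["actions"].items():
        print(f"{user:8} {action}")
    print("privileged accounts retained:", report["privileged_retained"])
    print("privileged share exceeded:", report["privileged_share_exceeded"])
```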

User Access: Recap
Monitoring user access, and monitoring privileged users in particular, is critical to the security of information systems. User access should be limited to a need-to-know basis. It should be periodically reviewed, and removed if access is no longer required. The FMCSA Rules of Behavior must be signed before a user can access the network or the systems on the network.

Incident Handling

Incident Handling: Incident Handling Lifecycle Overview
Per NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, incident management entails:
- Preparation: ensuring the proper policies and procedures, lines of communication and team members are identified prior to an incident occurring.
- Detection & Analysis ("Identification" at FMCSA): identifying and differentiating an incident from an event. This includes gathering and initial triaging of all available data associated with the incident.
- Containment, Eradication, and Recovery: initiated to seclude affected hosts and systems from the network, initiating network blocks on adversaries, etc.; address the issues, then bring the network/system back to production status.
- Post-Incident Activity ("Lessons Learned" at FMCSA): notes and lessons learned from the response are evaluated and, in turn, used to improve the security landscape by improving patching methodologies, reevaluating access permissions, account usage, user training, etc.

Incident Handling: Preparation
Each FMCSA system has an incident handling plan that consists of:
- Policies and procedures;
- System documentation;
- An Incident Response Team (IRT); and
- Monitoring, communication, and mitigation tools.

Incident Handling: Detecting and Analyzing Incidents
Detecting potential security incidents may be difficult. Knowing how a system usually behaves and learning which symptoms can indicate potential incidents is a way to recognize when to investigate further. Correlation and analysis of events may help to identify potential incidents that may have been overlooked and could become a more serious problem. Early awareness of potential incidents can stop damage, disclosure, and other harmful effects before they happen. Incident detection and analysis may take several individuals reviewing activity before it is realized that an incident has occurred.
Within FMCSA, users should report all suspected computer security incidents to the Computer Security Incident Response Team (CSIRT) or the FMCSA ISSM:
- CSIRT: 9-awa-soc@faa.gov
- FMCSA ISSM: Nicole Moore, nicole.moore@dot.gov, 202-366-9980

Incident Handling: Incident Containment
There is a delicate balance between protecting evidence from an incident and containing an incident to prevent further impact. If evidence is destroyed, it may be difficult to determine the root cause and prosecute the attacker. Containment strategies vary based on the type of incident. Criteria for determining the appropriate strategy include:
- Potential damage to and theft of resources;
- Need for evidence preservation;
- Service availability (e.g., network connectivity, services provided to external parties);
- Time and resources needed to implement the strategy;
- Effectiveness of the strategy (e.g., partially contains the incident, fully contains the incident); and
- Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).

Incident Handling: Incident Eradication and Recovery
After an incident has been contained and evidence preserved, as appropriate, eradication may be necessary to eliminate components of the incident. Deleting malicious code and disabling breached user accounts are examples of eradication. For some incidents, eradication is either not necessary or is performed during recovery. During recovery, IT administrators restore systems to normal operation and, as necessary, harden systems to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and adding or strengthening other security controls.

Incident Handling: Post-Incident Activity
You may be asked to participate in "lessons learned" exercises to discuss:
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident?
- Were the documented procedures followed? Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- What would the staff and management do differently the next time a similar incident occurs?
- What additional tools or resources are needed to detect, analyze, and mitigate future incidents?

Incident Handling: Your Role
- Federal agencies are required by law to report incidents involving Personally Identifiable Information (PII) to the United States Computer Emergency Readiness Team (US-CERT) within one hour of discovery.
- Implement proper information system backups, apply software patches within the timeframes established by FMCSA for security vulnerabilities, and accurately report security incidents in accordance with DOT policy, DOT CSIRC procedures and any FMCSA supplemental procedures.
- Incident handling plans are documented for systems to ensure computer security incidents are handled efficiently and effectively.
- Assist the System Owner in developing and documenting the process and responsibilities for incident handling.
- Be prepared to participate in the Detection, Response, and Resolution phases of the incident handling life cycle.

Incident Handling: Privacy Incident Response Team
A privacy incident requires coordination, collaboration, and communication between the Department and the affected OpDiv. The Breach Assessment and Response Team (BART) oversees the response efforts and activities for suspected or confirmed privacy incidents for the Department. The BART must review any communication, such as a notification letter, before FMCSA contacts a potentially impacted individual, and will advise FMCSA if credit monitoring is necessary for an individual at risk of identity theft.

Incident Handling: Recap
Each system has an incident response plan which describes how to respond when an incident occurs. Federal agencies are required by law to report incidents involving PII to US-CERT within one hour of discovery. Members of the IT team may be asked to help in any of the four areas of incident management:
- Preparation;
- Detection & Analysis;
- Containment, Eradication, and Recovery; and
- Post-Incident Activity.

Test Your Knowledge
1. As a member of the IT team, you should be prepared to be involved in the Detection, Response, and Resolution phases of the incident handling life cycle.
True / False
2. Which are examples of a security incident? (Select all that apply)
- Lost PIV
- Lost laptop/phone
- SPII information sent over encrypted email to an authorized person
- Clicked on a malicious link that downloaded malware onto a device


Module 5
Security Assessment and Authorization

This module will cover these topics:
- Security Assessment and Authorization
- Continuous Monitoring
- Summary

Security Assessment
Security Control Assessment: the testing and/or evaluation of the management, operational, and technical security controls in an information system, and the determination of the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Authorization
Authorization (to Operate): the official management decision given by a senior organizational official to authorize operation of an information system, and the explicit acceptance of the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, based on the implementation of an agreed-upon set of security controls.

Security Assessment Documentation
The basic documents needed for security assessment in FMCSA are:
- System Security Plan
- Disaster Recovery/Contingency Plan
- Configuration Management Plan
- Business Impact Analysis

Security Assessment Process
- Usually performed by a third-party assessment group.
- Based on FIPS-199, NIST SP 800-53, 800-53A, etc.
- Documentation is collected and reviewed.
- Controls are tested/evaluated:
  - For new systems and systems being reauthorized, all controls are tested.
  - For existing systems, a subset of controls is tested annually.
- An assessment statement is written.
- For new systems, the authorization package is prepared.

Plans of Action & Milestones
Results of the security assessment produce:
- Technical vulnerabilities
- Controls not implemented effectively (weaknesses)
- Areas of non-compliance with policies
Risks must be prioritized in the POA&M:
- Risks with the greatest impact to the system get resources for remediation first.
- The OA must examine risks across all systems and prioritize based on mission impact.

Security Assessment & Authorization
Systems or applications must have a documented security authorization:
- It must be obtained prior to operation.
- It must be updated upon "Significant Change" to the system.
- It must be maintained over the life of the system (Continuous Monitoring).
- Authorization is granted by the Authorizing Official.

Your Role in Security Authorization
- Ensure that appropriate security requirements are implemented and enforced for all DOT information systems or networks.
- Assist the System Owner with security documentation.
- Participate in assessment interviews and provide evidence to support security control implementation upon request.
- Ensure changes to the system follow the established configuration management process.

What Is Continuous Monitoring?

Continuous Monitoring: Definition
- Track the security state of an information system after the initial assessment.
- Identify changes and the resulting impact to security.
- Maintain the security authorization for the system over time.
Challenges:
- Today's environments are highly dynamic, with changing threats, vulnerabilities, technologies, and missions/business processes.
- Continuous monitoring requires the active involvement of information system owners and common control providers, chief information officers, senior information security officers, and authorizing officials.

Continuous Monitoring: Ongoing Assessment
- Previously, systems were "certified and accredited" every 3 years:
  - The process involved examination of all controls every 3 years.
  - It was augmented with annual self-assessments.
- New OMB and NIST guidance requires ongoing assessment for continuous monitoring:
  - Annual assessment of 1/3 of the controls
  - Monthly vulnerability scanning
  - Monthly configuration audits

Continuous Monitoring: Security Status Report
- Annual reporting of security posture presented to the Authorizing Official.
- Identifies known security risks associated with operating the system:
  - Risks previously identified and accepted
  - New risks for which a decision is required
- The AO is provided recommendations:
  - Risks to accept
  - Risks to mitigate, along with schedule and resources
- The Authorizing Official decides on the risks to accept and approves the POA&M.

Your Role in Continuous Monitoring
- Ensure that the cybersecurity posture of the information system, application and network is maintained during all maintenance and monitoring activities, installations or upgrades, and throughout day-to-day operations.
- Implement scanning solutions:
  - Results are incorporated into continuous monitoring.
  - Scanning supports Cyberscope reporting.
  - All DOT information systems must undergo scanning in authenticated mode.
  - Moderate and high systems with database servers must conduct authenticated database vulnerability scanning.
- Review audit logs: DOT policy is to keep 7 contiguous days of security events for an information system at the highest level of detail supported, without exceeding 85% of the available system storage capacity or overwriting earlier audit events.
- Address new vulnerabilities and attack vectors.
- Update security configuration based on benchmarks/standards.

Summary

Additional Responsibilities
- Ensure that hardware, software, data, and facility resources are archived, sanitized, or disposed of in a manner consistent with the information system termination plan.
- Develop web applications and websites in accordance with the DOT Secure Web Application Standards.
- Refrain from making copies of sensitive files.
- As much as possible, process data at its source.
- When using encryption, ensure both the encryption module and the algorithm are FIPS 140-2 validated.
- When developing applications, ensure adequate event logging and review: logging must provide for user accountability, and avoid "the fox guarding the hen house" when establishing log review procedures.

Summary: Conclusion
At one time, IT professionals were only responsible for traditional administrative tasks for systems they supported. The role of securing systems belonged to someone else. However, due to the ever-changing risk environment brought about by the interconnection of systems, all parties involved with systems have a role in securing them.

Test Your Knowledge
1. Systems are reaccredited and certified every 3 years.
a. True
b. False
2. Systems' Authority to Operate is granted by the FMCSA ISSM.
a. True
b. False


Please sign the FMCSA Rules of Behavior for Privileged User Accounts to receive credit for this course.