ARCHITECTURE ● ENGINEERING ● COMMUNICATIONS TECHNOLOGY
AVIATION | CIVIL | CONSTRUCTION SERVICES | DATA SYSTEMS | ENVIRONMENTAL
FACILITIES ENGINEERING | GEOSPATIAL | NETWORKS | PUBLIC SAFETY | TRANSPORTATION

Cyber Security: NG-SEC 101
What you need to know and how to achieve compliance
Jeremy L. Smith, CISSP
Webinar Frequently Asked Questions
• Q&A at the end, please use your chat pod in left corner
• Today's webinar is being recorded and will be sent
• PowerPoint slides to also be redistributed
• If you didn't register, email [email protected] to
Cyber Security - Defined
• Protection of information/property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and useful to its users.
• Collective processes and mechanisms by which valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events respectively
• Translation:
– Keeping your mission critical infrastructure or systems and the information stored on them safe and available!
• With everyone connected, the need for a consistent baseline becomes critical:
– How does one agency and/or ESINet ensure that another cannot take it down?
– How will each agency know what to do?
– Each agency could have a different interpretation of what it means to be secure
– How would many in the industry go from "no security" to "enough security"?
– What is enough security?
– How will vendors be able to comply without a baseline?
– Chasing a moving target

Standards provide a consistent baseline to start improving security during and after the transition to NG9-1-1
What does NG-SEC Address?
4. Security Policies
5. Information Classification & Protection
6. General Security (network connectivity, multi-homed devices, wireless, and more)
7. Safeguarding Information Assets (user ID and authentication, passwords, system access, certificates, access control, rights and permissions, encryption, viruses, patching, auditing, and more)
8. Physical Security
9. Network and Remote Access (includes firewalls, VPNs, etc.)
10. Change Control and Documentation
11. Compliance Audits and Reviews
12. Exception Approval and Risk Acceptance Process
13. Incident Response Plan
*Section titles map to actual NG-SEC sections
Compliance – defined
• At a high level, achieving NG-SEC compliance means purposefully creating, procuring, installing and maintaining NG9-1-1 solutions in a fashion that meets or exceeds the detailed security requirements outlined in the NG-SEC specification, with that conformance confirmed through independent and recurring verification.
• More plainly, it means increasing the level of security in your NG9-1-1 solution and having it independently verified against the NG-SEC spec.
Not connected today…
• If you are not yet interconnected…
– You have a little more time
– Take advantage of the time you have to prepare
– But you need to focus more on PSAP security and less on the network
– Plan ahead by increasing PSAP security to reduce risk when the network does come
• If you are part of a WAN (e.g. sharing map data today, or as part of some host/remote config)
– You have already introduced risk, which will increase as NG9-1-1 evolves
– You need to focus on PSAP security
– But you also need to ensure your WAN is compliant
– It is not too late to start actively planning for NG-SEC compliance, but start immediately
State Agencies
• Some things to consider:
– Establish state-level governance and policies
– Ensure any state-run equipment is compliant
– Include it in pilot programs to see how agencies will handle it?
– NG-SEC compliance a requirement for inclusion on state contract?
– Statewide audit program?
– Only fund centers who are NG-SEC compliant?
– State-funded penetration/vulnerability assessments?
• Information classification is the framework for evaluating and protecting information and assets that contain information
• Information is categorized based on its sensitivity, applicable policies and/or legal and statutory requirements.
• Classifying Data:
– Public [Examples: RFP, Phone Number]
– Sensitive (Internal Use Only) [Examples: Internal
• Network security forms a cornerstone of the overall security posture for any NG9-1-1 Entity.
• An improperly secured network can present many problems to an NG9-1-1 Entity, such as providing an avenue for intrusion, loss of service including an inability to accept 911 calls, or a conduit for propagation of malicious code.
• Entities need to implement or conduct:
– Network inventory
– Control network ingress/egress points with a firewall
– Avoid use of dual-homed devices
– Secure wireless connections
– Security training for employees and security personnel
– Incorporate security into all activities (e.g. project plan charters, new projects, purchases, etc. Build it into the DNA of the organization!)
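Two of the controls listed above (keep a network inventory, avoid dual-homed devices, and put a firewall on every ingress/egress point) can be checked mechanically once the inventory exists. The script below is an added example, not NG-SEC text or the presenter's code: it walks a constructed inventory (device names, roles and addresses are all made up for illustration) and reports hosts that sit in more than one segment and segment boundaries that are crossed by anything other than a firewall.

```python
"""Inventory-driven check for two NG-SEC network controls: dual-homed
devices and ingress/egress points not mediated by a firewall.
Added example; the inventory, roles and addresses are constructed."""
from ipaddress import ip_interface

# Constructed inventory: a PSAP LAN (10.10.1.0/24), a GIS sharing segment
# (192.168.50.0/24) and two external links. Role labels are assumptions.
INVENTORY = [
    {"name": "cad-srv-01", "role": "server", "interfaces": ["10.10.1.10/24"]},
    {"name": "map-srv-01", "role": "server",
     "interfaces": ["10.10.1.20/24", "192.168.50.5/24"]},    # dual-homed host
    {"name": "fw-edge-01", "role": "firewall",
     "interfaces": ["10.10.1.1/24", "203.0.113.2/30"]},      # controlled edge
    {"name": "wan-rtr-01", "role": "router",
     "interfaces": ["192.168.50.1/24", "198.51.100.2/30"]},  # edge with no firewall
    {"name": "dispatch-ws-03", "role": "workstation", "interfaces": ["10.10.1.53/24"]},
]

NETWORK_ROLES = {"firewall", "router"}   # devices expected to join segments


def segments_of(device):
    """Set of IP networks the device has an interface in."""
    return {ip_interface(addr).network for addr in device["interfaces"]}


def find_dual_homed(inventory):
    """Hosts (not firewalls or routers) with interfaces in more than one
    segment: a dual-homed host is a path around the firewall."""
    return sorted(d["name"] for d in inventory
                  if d["role"] not in NETWORK_ROLES and len(segments_of(d)) > 1)


def find_uncontrolled_paths(inventory):
    """Every non-firewall device that spans segments is an ingress/egress
    point the firewall does not mediate. Returns (device, [segments])."""
    findings = []
    for d in inventory:
        segs = segments_of(d)
        if d["role"] == "firewall" or len(segs) < 2:
            continue
        findings.append((d["name"], sorted(str(s) for s in segs)))
    return sorted(findings)


def audit(inventory):
    """Summarise both checks; empty lists mean the inventory is clean with
    respect to these two controls."""
    return {"dual_homed": find_dual_homed(inventory),
            "uncontrolled_paths": find_uncontrolled_paths(inventory)}


if __name__ == "__main__":
    for kind, items in audit(INVENTORY).items():
        print(kind, items)
```

On the constructed inventory the map server is flagged as dual-homed, and both it and the WAN router show up as paths between segments that bypass the firewall; the firewall itself is exempt because joining segments under policy is its job. Feeding the script a real inventory export is the part the entity has to supply, which is why "network inventory" comes first in the list.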
• All NG9-1-1 Entity information resources shall be kept physically secured and protected from theft, misappropriation, misuse, unauthorized access and damage
• Locked doors
• Challenge folks who don't belong
• ID badges shall be used on entrance to building
• Mobile devices shall be protected (e.g. laptop in hotel)
• Fire plans, fire suppression systems, UPS, generator, HVAC
• Equipment locked in server rooms/wire closets
• Agencies that deploy NG9-1-1 networks and develop security policies for them are required to conduct periodic audits or reviews to ensure that both the NG9-1-1 networks and the systems connecting to them comply with NG-SEC
– Audits can be conducted internally or externally.
– Internal audits are used to "self-check" an organization's compliance with security standards and/or policies.
– Entities performing internal audits or "self-checks" may use external, 3rd party resources if necessary
– An external audit leverages a non-biased 3rd party to independently perform the audit
• Internal audits shall be conducted at a minimum of annually.
• External audits shall be conducted at a minimum of once every 3 years.
• Security audits shall utilize various methods to assess the security of networks and processes, applications, services and platforms, including automated tools, checklists, documentation review, penetration testing and interviews
• There may be occasions when it is not possible to comply due to technical constraints, cost restrictions, or other reasons
• When such occasions arise, the resultant security risk shall be identified, documented and managed
– Risk justification: Provides a business case for waiver or exception of the security requirement
– Risk identification: Aims to thoroughly and unambiguously define the risk, the scope of what is at risk, and how the risk was identified.
– Risk assessment: Uses three risk factors to assess: the potential severity of the risk, the impact of the risk, and the likelihood of the risk actually happening. These factors assist in deciding the mitigation of the risk, and in determining the frequency of review for the risk.
– Risk analysis: Evaluates the feasibility and costs of different mitigation strategies relative to the potential cost impact.
– Risk acceptance and approval: Only when the risk cannot be totally removed or reduced to an acceptable level must it be accepted as is; that acceptance requires approval from the NG9-1-1 Risk Acceptance Approver and an Exception Approval/Risk Acceptance Form (EA/RAF).
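The five steps above read as a workflow, and a small risk-register model makes the decision points concrete. The code below is an added example, not NG-SEC text or the presenter's material: NG-SEC names the three assessment factors, but the 1 to 5 scales, the acceptable-score ceiling, the review intervals and the constructed legacy-interface scenario are all assumptions chosen for illustration. Each function corresponds to one step (identification and justification checks, assessment, analysis, acceptance with the EA/RAF record).

```python
"""Risk exception workflow modelled on the NG-SEC steps above.
Added example; scales, thresholds and the scenario are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed thresholds (not from NG-SEC): scores at or below ACCEPTABLE_SCORE
# need no exception; review cadence tightens as the score rises.
ACCEPTABLE_SCORE = 20
REVIEW_DAYS = ((60, 30), (20, 90), (0, 365))   # (minimum score, review interval in days)


@dataclass
class Mitigation:
    name: str
    cost: float            # assumed cost of applying the mitigation
    residual_score: int    # assumed risk score remaining once applied


@dataclass
class RiskException:
    requirement: str       # the NG-SEC requirement that cannot be met
    justification: str     # business case for the waiver (risk justification)
    identification: str    # what is at risk, its scope, how it was found
    severity: int          # 1..5
    impact: int            # 1..5
    likelihood: int        # 1..5
    potential_cost: float  # estimated cost impact if the risk materialises
    mitigations: list = field(default_factory=list)
    approver: Optional[str] = None   # NG9-1-1 Risk Acceptance Approver
    ea_raf_id: Optional[str] = None  # Exception Approval/Risk Acceptance Form reference


def validate(r):
    """Identification/justification step: an exception with no business case,
    no scope, or factors off the 1..5 scale is not properly documented."""
    if not r.justification.strip() or not r.identification.strip():
        raise ValueError("justification and identification are required")
    for factor in (r.severity, r.impact, r.likelihood):
        if not 1 <= factor <= 5:
            raise ValueError("severity, impact and likelihood must be 1..5")


def assess(r):
    """Risk assessment: score from the three factors plus the review interval."""
    score = r.severity * r.impact * r.likelihood
    days = next(d for floor, d in REVIEW_DAYS if score >= floor)
    return score, days


def analyze(r):
    """Risk analysis: feasible mitigations cost no more than the potential cost
    impact; return the feasible one leaving the least residual risk."""
    feasible = [m for m in r.mitigations if m.cost <= r.potential_cost]
    return min(feasible, key=lambda m: m.residual_score, default=None)


def decide(r):
    """Risk acceptance: mitigate when a feasible option reaches an acceptable
    level; otherwise the residual risk must go through EA/RAF approval."""
    validate(r)
    score, _ = assess(r)
    if score <= ACCEPTABLE_SCORE:
        return "acceptable-as-is", None
    best = analyze(r)
    if best is not None and best.residual_score <= ACCEPTABLE_SCORE:
        return "mitigate", best.name
    return "requires-ea-raf", None


def approve(r, approver, ea_raf_id):
    """Record the approver and the EA/RAF reference for an accepted risk."""
    if decide(r)[0] != "requires-ea-raf":
        raise ValueError("only risks that cannot be mitigated go through EA/RAF")
    r.approver, r.ea_raf_id = approver, ea_raf_id


def is_accepted(r):
    """Accepted only when both the approver and the form reference are recorded."""
    return r.approver is not None and r.ea_raf_id is not None


# Constructed scenario: a legacy interface that cannot meet a requirement yet.
LEGACY_LINK = RiskException(
    requirement="Section 7 encryption of data in transit (legacy CAD interface)",
    justification="Vendor cannot add encryption before the interface is retired in 18 months",
    identification="CAD-to-mapping link carries caller location; found during internal audit",
    severity=4, impact=4, likelihood=3, potential_cost=50_000,
    mitigations=[
        Mitigation("Replace interface now", cost=120_000, residual_score=4),
        Mitigation("Isolate link on dedicated VLAN with ACLs", cost=8_000, residual_score=24),
    ],
)

if __name__ == "__main__":
    print(assess(LEGACY_LINK), decide(LEGACY_LINK))
```

In the constructed scenario the score is 48, which sets a 90-day review interval; the only mitigation the entity can afford still leaves the risk above the ceiling, so the outcome is "requires-ea-raf" and nothing counts as accepted until both the approver and the EA/RAF reference are on record. Raising the potential cost impact makes the full replacement feasible and flips the decision to "mitigate", which is the point of the analysis step.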
• An Incident Response Plan is:
– a formal, written plan detailing how an organization will respond to a computer security incident. Examples of security incidents include virus outbreaks, hacking attempts, critical service outages, denials of service, and more