CSIAC

Cyber Security and Information Systems Information Analysis Center


CSIAC Webinar – Applying the Top 20 Critical Controls for Risk Assessment – Chat Log

This is the edited chat log from the CSIAC Webinar, “Applying the Top 20 Critical Controls for Risk Assessment“.

Notice: This content may contain personal or third-party views and opinions not associated with the government.
Please see our terms of use located here: https://www.csiac.org/csiac-terms-of-use/


Jack R: Is the Return for being compliant a numerical score?

Jack R: Does Risk Management assess the risk of not noticing a risk?

Gavriil M: Very good question, Jack.

Jack R: Why use Risk Management rather than the principle of system integrity as in Theory of Constraints?

Jack R: Why not Code Protection as well as Data Protection?

Jack R: How does software get authorized?

Rafael N: I would imagine through your CM process.

Jack R: How often achieves “Continuously”?

Ken S: Need tools to “continuously”!

Richard B: Continuously is defined by the organization.

Rafael N: Also depends on the requirements defined in the specific control

Jack R: Richard, to what degree of efficacy?

Michelle V: Jack, to their level of comfort as it relates to “acceptable risk”.

Richard B: My organization says CMP shall be run at least quarterly.

Jack R: How to avoid unauthorized editing of logs?

Richard B: Some of our vendors can do it more often, so they are encouraged to.

Richard B: Jack: permission management

Rafael N: Separate your admins from your auditors and put auditing program in place

Richard B: Rafael, separation of duty is a big part of things.

Richard B: However, the small companies have trouble doing this.

Rafael N: Indeed; at the very least their personnel should have separate accounts for each function

Jack R: Most software systems are not auditable.

Darrell M: Does your registration process also include BYOD? Is there policy that dictates what happens if that (BYOD) is lost?

Richard B: Disagree Jack.

Rafael N: Def disagree

Michelle V: Echoing disagreement

Richard B: Depending on what OS the app runs on, there is the opportunity to integrate into the system auditing.

Rafael N: with “most software systems are not auditable”. Most of them have the functionality built in.

Jack R: #10. Why not also Code Recovery Capability?

Richard B: What I find the most challenging is doing and enforcing change management

Michelle V: Change Management built-in with ITSM

Rafael N: Definitely a challenge, Richard

Richard B: Michelle, what does ITSM stand for?

Michelle V: Recovery Capability achievable with use of High Availability Disaster Recovery (HADR)

Rafael N: IT Service Management

Jack R: Richard, quite so, and change management is fundamental to auditing.

Michelle V: ITSM = IT Service Management

Richard B: Thanks for the definition.

Michelle V: My pleasure

Rafael N: Need-to-know is critical and needs to be periodically reviewed

Jack R: If your system is auditable then you have a complete awareness of the system vulnerability surface. I’ll bet you don’t even know how many latent bugs your deployed system contains.

Rafael N: Software to help implement wireless access control should be purchased and used periodically

Joseph S: A trusted employee is not a control… prison is full of embezzlers that were trusted employees

Richard B: So true Joseph!!!!

Michelle V: Latent bugs should be identified with daily/weekly vulnerability scans

Richard B: Training and assessment needs to be higher than 17 IMHO…

Rafael N: No but implementing an Insider Threat program will help mitigate being taken advantage of by “trusted employees”

Rafael N: trust but verify

Rafael N: There’s nothing to train and assess without the first 16

Rafael N: Very true, Michelle

Jack R: Michelle, please cite a site where latent bugs are actually known, not just ‘should’ be known.

Rafael N: What is a “latent bug”?

Richard B: Trying to do the first 16 without properly trained personnel is a waste of time and effort.

Rafael N: True statement, Richard; I was more speaking to a continual training and awareness program

Jack R: A bug that exists after the software is deployed.

Rafael N: All personnel should know their part to play in incident response

Michelle V: Jack, working with DoD, internal sites are almost always aware and informing their stakeholders

Rafael N: Okay well that’s where defense-in-depth comes in and mitigation of risk; no system is 100% secure

Ken S: Not just know their part, but also exercise the IRP.

Jack R: #19 How about somebody who stops the vulnerability?

Richard B: Reporting of issues outside of your organization is dangerous from a goodwill and liability standpoint.

Rafael N: Good point, Ken

Jack R: Testing finds only anticipated faults, not all the faults.

Rafael N: Stops the vulnerability or mitigates/removes the vulnerability?

Rafael N: Still have to practice due diligence, Richard

Nathan L: thanks

Gavriil M: Thank you all.

Jack R: Rafael, Stops means remove the vulnerability.

Alan : Cheers!

Rafael N: Gotcha

David : Thanks – good “short & sweet” intro!

Rafael N: That usually means removing the software/hardware, etc. altogether

Rafael N: Most vulnerabilities can only be mitigated

Jack R: What site applies the 20 controls and what degree of invulnerability have they achieved?

Rafael N: Many sites do so but that data may be difficult to find

Rafael N: There’s a whole assessment program with an accompanying database/software based on the 20 controls

Gemma A: FISMA Scorecard

CSIAC: Please note: downloading the slides requires registration and login.

CSIAC: You can register to become a CSIAC.org member here: https://www.csiac.org/register/

Jack R: If I score 100% compliance on all 20 controls will my system be invulnerable to cyber actions?

Keith K: Are the 20 controls in priority order (slides 9-10)?

Tiffany G: Jack – no. The point is to limit your risk the best you can by identifying the areas that tend to make you most vulnerable and locking them down.

Rafael N: No, Jack. No such thing as 100% secure. You can only eliminate what risk you can and mitigate the rest.

Richard B: Jack, I don’t think that 100% on all controls is realistically attainable.

Rafael N: The goal is to lower risk to an acceptable level

Tiffany G: You can use the controls as a metric within something like the NIST RMF to help you assess and monitor your risk over the lifecycle of the system.

Jack R: It is the ‘grey area’ of risks that hackers exploit.

Tiffany G: It’s not about compliance/non-compliance, it’s about risk management, which is the best we can do.

Gemma A: Jack, the answer is yes… there is never 100% security.

Rafael N: A 100% secure system is one that is powered down and off-line and even then there’s physical threat.

Michelle V: There is such a thing known as Zero-Day Exploit.

Richard B: Correct Michelle

Michelle V: Zero-Day meaning it’s hot off the presses, something that just came out.

Jack R: The way to achieve 100% of risks is Goldratt’s Constraint Theory.

Gemma A: For Zero-Day Exploit you can contact DHS CERT

Jack R: A Zero Day exploit is irrelevant if your system is invulnerable to exploits.

Ken S: Are you familiar with the ICS-CERT CSET for assessing your company against the CSC 20?

Michelle V: Zero Day is a thing and most relevant. There is no such thing as a system that is invulnerable.

Tiffany G: Systems cannot be made “invulnerable” to exploits.

Ken S: sure they can if you shut them off

Keith K: Ken, you can still exploit an offline system through other technical means.

Gavriil M: yes, Ken. Very good to control the CSC 20 compliance.

Richard B: Ken, if the machine is off, you still have physical security issues.

Michelle V: Static and dynamic analysis as well

Ken S: yep, I can steal your hard drive and then take it to my lab and pull off what I need.

Michelle V: Right, Ken!

Victoria F: How to protect blogs such as WordPress?

Richard B: There is more involved with authorizing software than just analyzing the code/how the software runs.

Jack R: What degree of error does the IT department commit when authorizing your software?

CSIAC: If you would like to ask questions after the webinar, please ask them here: https://www.csiac.org/podcast/applying-the-20-critical-controls-for-risk-assessment/#respond

Keith K: Need to use machine learning tools to sift through log data and make sense of it. Of course, still need a human to “sanity check” the results.

Michelle V: Tools like Splunk help a lot with log data analysis

Frankie S: Thank you

YouTube Live Stream User: How does an independent test team test for weaknesses in SDLC?

Michelle V: Software Assurance Maturity Model may assist with SDLC

Keith K: Comply to connect–for IoT?

CSIAC: You may be interested in this webinar: https://www.csiac.org/podcast/comply-to-connect-c2c/

Keith K: Cool, thanks CSIAC.

Jack R: Can non-functional testing as is used in hardware, e.g., Intel, be useful in software?

Ken S: Michelle V, Splunk or another option is a tool called AristotleInsight.

Michelle V: I’m going to check it out, Ken. Thanks.

Michelle V: Code reviews, yuck! 🙁

Jack R: According to Prof. E. W. Dijkstra “Testing shows the presence, not the absence of bugs.”

Michelle V: Penetration testing is also a good way.

Ken S: Code reviews (automated and non-automated (peer reviews)) are crucial for ensuring securely developed software. One of my favorite tools is HP Fortify. They keep the rule packs up to date, and they match nicely to our Security Technical Implementation Guides for Application Security and Development.

CSIAC: Design and Development Process for Assured Software – Volume 1 https://www.csiac.org/journal-issue/design-and-development-process-for-assured-software-volume-1/

Jack R: Checking for buffer overflow is non-functional (unless the programmer intended to achieve buffer overflow).

Ken S: Repeat message: For those that haven’t checked out the free DHS ICS-CERT Cybersecurity Evaluation Tool (CSET), there is also the Cyber Resilience Review (CRR) for comparing your environment to industry standards.

Keith K: Thanks, great talk!

Michelle V: Thanks!

Jack R: Thanks, Andrew. Informative.

Andrew Hurd: Thank you Everyone!

Ken S: good job Andy!!

CSIAC: Register for the next Webinar here: https://www.csiac.org/podcast/software-defined-wan-sd-wan-security-implications-and-design-solutions/

Michelle V: SD-WAN! Yahsss!

Copyright 2012-2021, Quanterion Solutions Incorporated