
BSidesSLC 2017 -- Andrew Hall -- NIST Risk Management Framework and why it should be utilized

BSides SLC · 24:17 · 60 views · Published 2017-06 · Watch on YouTube ↗
About this talk
This talk covers the NIST Risk Management Framework (RMF) and why it should be used when developing new security strategies. RMF is what the Government is standardizing on, and it provides many benefits to industry. The talk provides a basis on what is available and how to start understanding the benefits of a risk-based analysis.
Transcript [en]

[Music] Can you hear me? Yeah. My talk is on the risk management framework and why you should utilize it. I'm Rushan, or Andrew Hall, and my Twitter handle is rushan_w. Okay, so I am an electrical engineer that speaks a little bit of Chinese; I minored in it. I'm a CISSP and CNSS 4016, which is in risk management. I deal with the risk management framework in my current job; I can't mention my company or what I do for this. I like to design and build electronic badges for DC801; I made the party badge last year and am making the party badge this year. We might get into some of that later in the talk. I participate in DC801

and UtahSAINT activities when possible, and in the community. I've been doing this for a few years; first time talking. The outline of my talk: pretty much go over what NIST and the RMF are, key points of the NIST 800 series documents which cover RMF, how businesses can utilize RMF, and talk about how risk is utilized throughout the organization, some of the RMF principles, how it can help security, and if we have time we'll have some questions. So what are NIST and RMF? NIST is the National Institute of Standards and Technology. It provides many of the standards that are the base that the government and industry use for different things. They started going

through and making up guidelines and bases, which is the 800 series, and they also have an 1800 series and other special publications. RMF is a method for the government to standardize on a security control methodology. In the past they had DITSCAP, DIACAP; they were all over the place across different organizations, so they tried to standardize it, going into RMF, and they want to standardize across the government as a whole. It also helps make it so different organizations speak a common language. It kind of goes through government-centric methods for security, and some of it doesn't actually go into too much detail; it's kind of overarching guidelines in some of the publications, while other ones go

into more of a control base and a little bit deeper on guidance and the documentation. So RMF is the management of organizational risk of operating the system. Risk should be a driving method for organizations to assess their operational security. Risk is a key thing for any organization to be focused on, because that's a place where the C-suite all the way down to your general employees will usually understand what risk is and how to mitigate it in some way. So if you speak a common language on risk, you can communicate ideas and allocate assets appropriately to determine what risk is most beneficial to be going after, and not waste resources on a minor

risk while bigger ones are lurking that your team is not aware of in other areas. And it provides a standard that the systems engineers can go through. It's cut off; next slide.

So we get into how it's integrated into a systems engineering lifecycle. Not too sure you guys are familiar with the systems engineering lifecycle; a basic diagram is up there. It's basically from inception to grave for a device. If you go through engineering, it goes through all of your trade studies at the beginning, assessing and allocating funds, then you go into development, you get into the requirements, which are key points especially within RMF. You get into the requirements of the system, and that is probably the earliest that security becomes a primary focus in the development lifecycle, because if you can get your requirements for the system to the point that it's understood by your developer and through your contract, then you don't have to

bolt on security later on in the cycle; you'll have it more ingrained from the beginning. Going into high-level design, detailed design, into your software, hardware and limitations, and then you go into actually getting it fully tested and built. And even when it's fielded, doing periodic updates and maintenance is all tied into the risk management framework, where you're supposed to go through and do periodic analysis of the systems as they go, which businesses should always be doing. You should always be analyzing and taking basically a health check of your systems through their life. And then when you retire a system you should go through proper steps of making sure there's no invalid data going out, no proprietary data going out

of your systems, anything that shouldn't be released. You don't forget that when your systems are at the end of life and sent to recycling or being smelted, or wherever your devices go, however your company destroys its hardware. The key points to the NIST 800 series: there are about 175 documents in the series, with a big range of subjects. Implementation is a primary focus of the documents. It's made by a government agency, so take some time to read them; they are somewhat tedious to go through and read, if you've started going through any of them. But if you can start analyzing them and convert them into more of your industry

speak, or into ways that your normal business processes go, it can help leverage ways that you can improve your processes. It's useful in developing or improving local policies and procedures. There's a lot of policies and procedures basis to the NIST framework, because it has about 18 different control families, and usually the first part of each one is a policy and procedure in place on how you do certain things: what are your password policies, what are your training policies, what are the other parts of the policies and procedures of your company or organization and how do they go. So it's important to really focus on making sure everything is documented and built up in your organization while

you implement risk management.

And they do continue to update the documents, and it's easy to look up and look over. The key benefits within the 800 series, especially the 800-53 series: 800-53 Rev 4 is one that I deal with mostly at my work. It has over 600 different controls in there, and within there there's over 2,000 sub-controls on how to implement, analyze and audit systems and security processes. There are different families, domains, of the risk management framework. SP 800-171 is a new one that came out; it's mainly for DoD contractors, for how they control unclassified information and being able to secure their systems. It's basically a subset of the overarching risk management framework that's out there,

which would be a good starting point for a lot of businesses that don't have input or experience working with the risk management framework. It's very geared at protecting important information, it's been fit out for general populations, and it gives you an idea of how the controls are looked at and implemented. Then there's 800-114 Rev 1, which goes into bring-your-own-device security; it has some guidelines on how to implement that, things that you should look at if you're starting to implement a bring-your-own-device policy at your organization. 800-183 is Networks of Things, or Internet of Things, or networks of networks, a whole bunch of different things on different key aspects of that type of technology

that you should be looking at: how they communicate, how they process, how they talk. And then 800-30 Rev 1 is the Guide for Conducting Risk Assessments, and it gives you an idea of how to go about doing risk assessments on systems, how you should set up your organization, and what type of groups of people are involved in doing risk assessment.

Into how businesses can utilize the risk management framework. If they're maybe lacking in securing different areas, this will help force that, so that your organization can help beef up their physical security aspects or their training aspects. It can give you some talking points to bring up to management and help them understand that these areas also need security, not just software or just hardware. There are many other domains within security that organizations need to make sure they're aware of and looking after, and not let any part go to the wayside. It goes into that social engineering aspect and other things that are sometimes lacking in some organizations. It's a good place

to get a standard to judge current processes. It can give you an idea of how the government's doing it and then how your organization compares; you might be doing a lot better in other areas than what the guidelines say, or you might be a little deficient in it. And then it can get management into allocating resources right, so you can ensure your security team is big enough and has the proper background and experience to go through what it needs to do. It also helps enforce the program's security through its lifecycle, but you need to make sure that from contract, from inception, all the way to when you get rid of your item, security is being

looked at and being taken care of for your equipment and your processes. So this gets into the control families. Access control is the big one: ensure that people have the right rights on their systems to do the job, but don't gain more rights than they're supposed to. Awareness and training. Audit and accountability is a big one: how do you keep your records, how do you keep them, how do you review them; it's all part of the audit sections, being able to control them and secure them, and make sure that your audits aren't being leaked to people without the right rights. Security assessment and authorization. Configuration management is a big one,

being sure that when you get new equipment you've itemized it, you part-number it, you track it right, and if there's any changes that groups do, they document their changes so you're aware that site X has a different configuration than site Y, even though they initially started at the same configuration. If you don't have a good configuration management process or planning, then your sites can go out of sequence without a central repository knowing that you went a little off of what it's supposed to be. Incident response is a big one: making sure that you have plans for both physical and digital attacks, making sure that if weather or other events outside of

your control take your site's services down, you have a backup plan and ways of moving resources appropriately and not losing your uptime. Maintenance is important; you need to track that. Media protection. Physical and environmental protection is one that some places will usually forget to go about; they don't lock their server rooms or do their badges quite appropriately, so you have more access to locations than you really need. Personnel security: making sure you do proper background checks and vet your employees right, so you're able to analyze the risk that your employees provide or bring into the environment. System and services acquisition gets into the acquisition of new equipment,

making sure that it goes through a good supply chain and doesn't have rogue or malicious equipment get brought into your systems. System and information integrity, and program management. It covers a wealth of knowledge and information throughout RMF, and they also get into FIPS standards that are used within the controls, so it gets into FIPS 140-2 for the crypto and everything else, to make sure you use strong standards within your processes.

How it helps security: it can be used by upper management to understand security risk. That's the risk management framework circle; it goes with the engineering lifecycle that I showed earlier, only they made it into a circle. You go through and categorize your system: you figure out what your system is, what does it do, what type of data it processes, does it use PII, does it have health information, what type of proprietary information is on your system. You need to determine what that system is used for before you can progress. And then from that you go in and you select the controls, select the security, what type

of things you need to implement on the system; that's basically the requirements part. Then you implement those requirements, and you assess it, basically bring in a third-party auditor and verify that the security set up on your system is as secure as you think it is. Then you authorize it to be used in your operational environment, and then you monitor: you keep making sure that nothing's changed, nothing goes different than what is expected within your usage of the equipment, all the way until you decommission it and replace it with something that goes through all of it again. As most managers, C-level, all understand risk, you can put your applications and

everything else into a risk format, going this is severe, this is minor, as an approach to securing your devices. It will help give them an idea of how important the aspects of your security process and implementation are, and let you keep your resources defined and not have groups get too big or too small for what their actual needs are.

And the metrics within the risk management framework are fairly easy to understand and convey. There are overlays within 800-53 to simplify and group the controls within it, since there are so many. So as you go in you can tailor different parts for different applications, different risk environments that you're going to implement, and make the requirements a little bit easier to push onto your equipment and to your subcontractors or your suppliers, on what you really need to mitigate for the purpose of the equipment, because you don't always need stuff that is more powerful or more complex than your security needs really require. You want something that you can manage and that is

appropriate to your application. As new technologies and new equipment come about, the RMF, they plan to make it always develop and be fluid too, so it's always current to new technologies. So it's always good to go out and periodically update the information and review the documentation you get from the NIST websites. And RMF can help organizations improve standards, policies and procedures; you can start making things so all the different groups that run your physical security, your personnel, can start having a similar language to talk and communicate with. And security is more than just the digital realm; you have to be aware of securing it in all different ways and methods.

That's over my main points. I'll show the value of this: you can get the NIST documents from csrc.nist.gov, and that's where you can go; it has all the documentation there freely available to grab and use. And then I have a few other ones: a guide to secure web services, PIV card readers and their implementation guides; there's a few key ones listed up above. And onto my question slide. While I do electronic badges, I deal with risk. The two big pictures are actually the front of a badge that we're working on; you can see we added extra board in one area so we can accommodate the message

carrying it well without mitigating its design and purpose. Risk is in all the different aspects of life and what you do with it; you might not always be thinking that it pertains, but risk is in different ways of meeting requirements and needs. And then, do we have any questions?
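As an added example (not from the talk, and not NIST's or any project's code), the following Python models the six RMF steps the speaker walks through, categorize, select, implement, assess, authorize and monitor, together with the configuration-management point made earlier about site X drifting from site Y: each step is gated on the previous one, authorization is refused while assessment findings are open, and the monitor step diffs each site's reported configuration against the approved baseline and sends the system back to implement when drift is found. The impact levels, control baselines, system name and configuration keys are constructed placeholders; the control sets are not the real SP 800-53 baselines.

```python
"""Added illustration (not from the talk or any NIST publication): a minimal
tracker for the six-step RMF cycle, with a configuration drift check in the
monitor step. Control baselines below are constructed toy sets, not the real
SP 800-53 baselines."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RMF_STEPS = ["categorize", "select", "implement", "assess", "authorize", "monitor"]

# Constructed, illustrative baselines keyed by impact level. Control IDs follow
# the SP 800-53 family/number naming style; the selection itself is a toy.
BASELINES: Dict[str, Set[str]] = {
    "low": {"AC-2", "AU-2", "CM-2", "IR-4"},
    "moderate": {"AC-2", "AC-6", "AU-2", "AU-6", "CM-2", "CM-3", "IR-4", "MP-2"},
    "high": {"AC-2", "AC-6", "AU-2", "AU-6", "AU-9", "CM-2", "CM-3", "CM-5",
             "IR-4", "MP-2", "SA-12"},
}


@dataclass
class System:
    name: str
    impact: Optional[str] = None
    step: Optional[str] = None                     # last completed RMF step
    controls: Set[str] = field(default_factory=set)
    baseline_config: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

    def _require(self, *allowed: Optional[str]) -> None:
        # Gate each step on its predecessor so no step of the cycle is skipped.
        if self.step not in allowed:
            raise RuntimeError(
                f"{self.name}: last completed step is {self.step!r}, "
                f"expected one of {allowed}")

    def categorize(self, impact: str) -> None:
        # What the system is and what data it handles decides the impact level.
        if impact not in BASELINES:
            raise ValueError(f"unknown impact level {impact!r}")
        self.impact, self.step = impact, "categorize"

    def select(self, tailor_out=()) -> Set[str]:
        self._require("categorize")
        # Tailoring removes controls that do not apply; the caller records why.
        self.controls = BASELINES[self.impact] - set(tailor_out)
        self.step = "select"
        return self.controls

    def implement(self, config: Dict[str, str]) -> None:
        self._require("select")
        self.baseline_config = dict(config)   # the approved configuration
        self.step = "implement"

    def assess(self, evidence: Dict[str, bool]) -> List[str]:
        self._require("implement")
        # evidence maps control id -> True when the assessor saw it working.
        self.findings = sorted(c for c in self.controls if not evidence.get(c, False))
        self.step = "assess"
        return self.findings

    def authorize(self) -> None:
        self._require("assess")
        if self.findings:
            raise RuntimeError(f"{self.name}: open findings {self.findings}, cannot authorize")
        self.step = "authorize"

    def monitor(self, site_configs: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, tuple]]:
        self._require("authorize", "monitor")
        drift: Dict[str, Dict[str, tuple]] = {}
        for site, cfg in site_configs.items():
            diffs = {k: (v, cfg.get(k)) for k, v in self.baseline_config.items()
                     if cfg.get(k) != v}
            for k in cfg.keys() - self.baseline_config.keys():
                diffs[k] = (None, cfg[k])   # setting the baseline never approved
            if diffs:
                drift[site] = diffs
        # Drift means the authorized configuration no longer holds: go back to
        # implement so the change is re-assessed before operation continues.
        self.step = "implement" if drift else "monitor"
        return drift


def run_example() -> Dict[str, Dict[str, tuple]]:
    """Walk one constructed system through the cycle and return the drift found."""
    s = System("web-portal")                  # hypothetical system name
    s.categorize("moderate")
    s.select(tailor_out=["MP-2"])             # e.g. no removable media on this system
    approved = {"ssh_root_login": "no", "log_forwarding": "on", "mfa": "required"}
    s.implement(approved)
    s.assess({c: True for c in s.controls})   # assessor found every control working
    s.authorize()
    # Constructed site reports: site_y quietly relaxed MFA and added a setting.
    return s.monitor({
        "site_x": dict(approved),
        "site_y": {**approved, "mfa": "optional", "telnet": "enabled"},
    })


if __name__ == "__main__":
    for site, diffs in run_example().items():
        for key, (expected, actual) in diffs.items():
            print(f"{site}: {key} expected {expected!r}, found {actual!r}")
```

Running the script reports only site_y, with the two settings that differ from the approved baseline, and leaves the system at the implement step so that the change has to be assessed again before it is treated as authorized.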


Okay, so the question is: organizations that don't really have the policies or processes, and they just want to go through their normal way, how do you kind of convert them into joining the group and into a normal policy-and-procedures method? Yeah, it's tough. A lot of groups like to stay the way they are; they do it one way, they keep doing it one way, they don't like to change. That's where the risk part comes in. You kind of have to show them that they're adding risk to the organization by not doing it in a documented method. You kind of have to sometimes think outside the box and give them examples that pertain to them, which can be hard for

different groups. If you can show how an organization got manipulated or hacked because they were lacking a proper method of dealing with the circumstance, that helps push the point a little bit easier, because then you have an example risk to bring in and show. Or else you're just going in and kind of showing them that this will improve your way of work, your way of life, of going through when you document and have your policies and procedures out, so everyone that is a new hire can go in and understand the basis of the organization and start understanding their core role and their core security concerns

while they eventually learn deeper into the process of how the inner workings work. Anyone else?

[Applause]