Crafting a Cybersecurity Strategy that Works


  1. Crafting a Cybersecurity Strategy that Works Texas Association of Broadcasters August 2016 Chris Homer PBS Technology & Operations

  2. Cybersecurity Strategy for Broadcasters • Summary – Broadcast Industry Challenges – Understanding Risk – NIST Framework – How to establish a Cybersecurity Strategy

  3. Broadcast Industry Challenges • Broadcast Networks – Emergency Alert Systems – News & Weather, Production, Graphics – Traffic & Scheduling – Playout & Automation Systems – STL transport & Broadcast (spokes & hubs)

  4. • EAS Equipment – Common Alerting Protocol • September 30 2011 FEMA • eXtensible Markup Language (XML) standard – May be tied to local, state & FEMA Networks

  5. News Weather Production & Graphics • News Room Computer Systems NRCS • Non-Linear Editing Systems NLEs • Graphics Systems • Wire Services, Pool Feeds, Bonded Cellular • Closed Captioning via IP

  6. Traffic & Scheduling • Sales Tools • Traffic Scheduling • Schedule Import • Programming • BXF Export to Automation

  7. Playout & Automation Systems • Playout Servers • Storage Area Networks (Channel in a Box) (SAN/NAS) • Automation Systems • Library Systems (Disk, Tape, Cloud) • IP Playout

  8. STL or Spoke & Hub • IP over Microwave • Network Spoke & Hub Connectivity

  9. Broadcast Industry Challenges • Networks (Enterprise or Corporate) – Enterprise Resource Planning (ERP) – Finance – Sales – Research – Intranet/Extranet – Human Resources/Community Service

  10. Finance & Accounting Systems • Finance • Accounting – Accounts Payable – Accounts Receivable • Purchasing

  11. Broadcast Industry Challenges – News Data – Finance & Sales – Traffic & Scheduling – File Based Workflow – Viewer Data – Social Media Data

  12. News • Laptops & Thumb drives • Non-Linear Editing Systems • Wire Services • NRCS Rundowns

  13. Finance Sales & Admin • Human Resources/Employee Data • ERP Financial Data • Email

  14. Traffic & Scheduling • Contracts & Deals • Programming Grids • Schedules

  15. File Based Workflow • Media • Graphics • Meta Data/RDS • Marketing Content (Posters, Ads) • Web Based Content

  16. Community Services/Viewer Data • Local Events Charities • Nielsen Data • Viewer Data • Social Media Content

  17. Cybersecurity Journey • Understanding the Risks • Cyber Attack Chain Model • FCC CSRIC IV Report • NIST Cybersecurity Framework

  18. Understanding the Risks • Dead Air • Impact to Resources • Loss of Revenue • Embarrassment • Potential liability • Breach of employee, viewer or advertiser data

  19. Types of Attacks (7 of 10)
      Type: Definition
      • Web App Attack: Attacks on the vulnerabilities and authentication of the web application layer, such as unvalidated redirects, cross-site request forgery, cross-site scripting and others.
      • Point-of-Sale: Remote attacks against the environments where card transactions are conducted.
      • Insider Misuse: Internal or partner misuse of resources.
      • Physical Theft & Loss: Loss of an information asset where the data is more valuable than the asset.
      • Crimeware: Use of malware followed by ransomware.
      • Cyber-espionage: Access to state or corporate sensitive data.
      • Denial of Service: Any attack to compromise network or system availability.
      *2016 Data Breach Investigations Report, Verizon

  20. A Cyber Attack Chain Model
      Step: Description
      • Reconnaissance & Probing: Find target. Harvest information (email, conference listings, public lists, etc.).
      • Delivery & Attack: Place delivery mechanism online. Use social engineering to induce target to access malware or other exploits.
      • Installation & Exploitation: Exploit vulnerabilities on target systems to acquire access. Elevate user privileges and install additional “tools”.
      • Compromise & Expansion: Exfiltration of data. Use compromised systems to exploit additional systems.

  21. Local Broadcast TV Station

  22. Local Broadcast Radio Station

  23. Central Broadcast TV Hub

  24. Model for Hardened Station (network diagram; labels: Traditional IT (ERP, HR, Programming, Research), Enterprise Network, General Users, Traffic, Scheduling, DAM, Editing, NRCS, File Ingest, Graphics, Playout, Station Extra/Intra Net, Public Web Sites, STL or WAN to Hub, Internal Firewall, Internet)

  25. FCC CSRIC IV Working Group 4 • FCC CSRIC IV Working Group 4 Report on Cybersecurity for the Telecommunication Industry • https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf • Roadmap for Telecommunication Industry • Encourage Voluntary Action • The Communications Security, Reliability and Interoperability Council IV Working Group 4 March 2015

  26. FCC CSRIC IV Working Group 4 • Segment Analysis – Broadcasting – Cable – Wireless – Wireline – Satellite

  27. FCC CSRIC IV Working Group 4 • Feeder Segments – Cyber Ecosystem and Dependencies – Top Threats and Vectors – Framework Requirements and Barriers – Small and Medium Business – Measurements

  28. FCC CSRIC IV Working Group 4 • Small/Medium Business – Identifies what an SMB needs to protect, who has responsibility for a given task, and how an SMB can protect its critical infrastructure. – Use cases from various segments. – Identifies highest priority NIST Cybersecurity Framework subcategories for SMBs.

  29. NIST Cybersecurity Framework • Framework Core • Framework Tiers • Framework Profiles • Link • http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

  30. NIST Cybersecurity Framework • Framework Core – Each item designed for desired outcome – Function – Category – Sub-category – Informative Reference

  31. Framework Core Functions • Identify • Protect • Detect • Respond • Recover

  32. *Framework for Improving Critical Infrastructure Cybersecurity NIST-2014

  33. *Framework for Improving Critical Infrastructure Cybersecurity NIST-2014

  34. Identify • Asset Management • Business Environment • Governance • Risk Assessment • Risk Management Strategy

  35. Protect • Access Control • Awareness and Training • Data Security • Maintenance • Protective Technology • Information Protection Processes/Procedures

  36. Detect • Security Monitoring • Anomalies & Events • SIEM • Detection Processes

  37. Respond • Response Planning • Communications • Analysis • Mitigation • Improvements

  38. Recover • Recovery Planning • Improvements • Communications

  39. Framework Tiers • Tier 1-Partial • Tier 2-Risk Informed • Tier 3-Repeatable • Tier 4-Adaptive

  40. Tier 1-Partial • Lack of formal process • Lack of awareness • Unable to collaborate outside of organization

  41. Tier 2-Risk Informed • Formal process may exist within parts of the organization • Some awareness but not organization wide • May understand role but not formalized

  42. Tier 3-Repeatable • Formal process has become policy • Organization wide approach • Understands dependencies

  43. Tier 4-Adaptive • Continuous improvement • Organization wide and has become part of the culture • Has become a great partner outside the organization

  44. Cyber Risk Management • Executive • Business Process • Operations/Implementation

  45. Executive • Successful Implementation – Required support at the highest level – Buy-in from all stakeholders – Continuous improvement – Governance

  46. Business Process • Process to include – Risk Planning – Recovery Planning – Communication & Training

  47. Operations/Implementation • Operations and Engineering – Asset Management – Change Management – Incident Management – Respond & Recover

  48. Steps to Establish a Cybersecurity Program • Prioritize & Orient • Create Current Profile • Perform Risk Assessment • Create Target Profile • Perform Gap Analysis • Create Action Plan

  49. Prioritize & Orient • Prioritize – Determine the scope of systems and assets that support the business. • Orient – Identifies assets, regulatory requirements, and overall risk approach.

  50. Create Current Profile • Create Current Profile – Current categories/sub-categories – e.g. Asset Management, User Control

  51. Perform Risk Assessment • Guided by Risk Management Process • Analyze current environment • Use pertinent and emerging data

  52. Create Target Profile • Create Target Profile – Desired categories and sub-categories – e.g. Security policy, monitoring service – Customer and stakeholder requirements

  53. Analyze & Prioritize Gaps • Perform Gap Analysis • Differences between current profile and target profile • e.g. Lack of Governance, Process, Monitoring

  54. Action Plan/Execute • Create Action Plan • Cost analysis • Execute • Repeat

  55. Organizational Changes • Governance • Communication • Culture • Response

  56. Conclusion • Cybersecurity is: – A Change of mindset & culture – Supported at the highest level in organization – Everyone’s responsibility – Doable through use of process & technology – Ongoing
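
The profile, gap-analysis and action-plan steps on slides 48 to 54 can be worked through in a few lines of Python. This is an added example, not part of the original presentation. It assumes each category is scored on a 1 to 4 scale borrowed from the deck's tier names (a simplification for this example, not how the framework defines tiers), and the impact weights, costs, budget and priority formula are all constructed.

```python
# Added example; the 1..4 per-category scale, impact weights and costs are assumptions.
from dataclasses import dataclass
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

@dataclass(frozen=True)
class Entry:
    function: str   # Framework Core function
    category: str   # category name as listed on the slides
    current: int    # assessed score today, 1 (Partial) .. 4 (Adaptive)
    target: int     # desired score on the same scale
    impact: int     # business impact if the category fails, 1 .. 5
    cost: float     # estimated remediation cost

def validate(e):
    if e.function not in FUNCTIONS:
        raise ValueError(f"unknown function: {e.function}")
    if not (1 <= e.current <= 4 and 1 <= e.target <= 4):
        raise ValueError(f"{e.category}: score outside 1..4")
    if not 1 <= e.impact <= 5 or e.cost < 0:
        raise ValueError(f"{e.category}: bad impact or cost")

def gap_analysis(profile):
    """Return (priority, entry) for every category below target, highest first."""
    gaps = []
    for e in profile:
        validate(e)
        if e.target > e.current:
            gaps.append(((e.target - e.current) * e.impact, e))
    return sorted(gaps, key=lambda g: (-g[0], g[1].cost))  # ties: cheaper fix first

def action_plan(profile, budget):
    """Fund gaps in priority order while the budget lasts; return (funded, deferred)."""
    funded, deferred = [], []
    for _, e in gap_analysis(profile):
        if e.cost <= budget:
            budget -= e.cost
            funded.append(e.category)
        else:
            deferred.append(e.category)
    return funded, deferred

# Constructed sample profile for a hypothetical station.
PROFILE = [
    Entry("Identify", "Asset Management", 1, 3, 4, 15000),
    Entry("Protect", "Access Control", 2, 4, 5, 40000),
    Entry("Detect", "Security Monitoring", 1, 3, 5, 60000),
    Entry("Respond", "Response Planning", 2, 3, 3, 5000),
    Entry("Recover", "Recovery Planning", 3, 3, 4, 0),
]
```

Calling `action_plan(PROFILE, budget=70000)` returns the categories funded this cycle and those deferred to the next pass, which matches the "Execute, Repeat" step on slide 54.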
