Cybersecurity 101:

Securing Your Digital Environment

​

MCNC Vital Cyber Consulting

Fall 2024

© 2024 MCNC - General Use – v1.0

2

WHO ARE WE?

Jason Shirley

Managing Consultant

jshirley@mcnc.org

Jason Folker

Senior Client Consultant

jfolker@mcnc.org

Chris Hovis

Client Consultant

chovis@mcnc.org

3

SECURING YOUR DIGITAL ENVIRONMENT

No matter where you’re starting from, this webinar provides a blueprint for building your Cybersecurity Program.

​

​

4

WHAT IS A CYBERSECURITY PROGRAM?

5

WHAT IS A CYBERSECURITY PROGRAM?

The collective effort your organization puts into protecting the confidentiality, integrity, and availability of your information assets.

​

• Policies
• Standards
• Processes & Procedures
• Technical Controls

​

​

​

6

WHAT IS A CYBERSECURITY PROGRAM?

Policies

​

• High-level documents that sets an organization's expectations and goals.
• Defines what needs to be done and why without detailing how to do it.
• Typically approved by senior leadership.

​

​

Example: “An Acceptable Use Policy outlines what constitutes appropriate use of institutional-owned assets.”

​

​

7

WHAT IS A CYBERSECURITY PROGRAM?

Standards

​

• Detailed, specific statements that support policies.
• Defines what must be done to ensure consistency across systems and processes.
• Often based on industry best practices or regulatory requirements.

​

​

Example: “A password standard specifies minimum requirements such as length, complexity, and expiration frequency”

​

​

8

WHAT IS A CYBERSECURITY PROGRAM?

Processes & Procedures

​

• Detailed, step-by-step instructions for completing tasks.
• Focus on how to carry out an activity to ensure consistent execution.
• Action-oriented and may involve technical or manual steps.

​

​

Example: “A backup procedure outlines the steps needed to schedule, perform, and verify backups.”

​

​

9

WHAT IS A CYBERSECURITY PROGRAM?

Technical Controls

​

• Tools, configurations, or technologies used to enforce security measures.
• Implement and support policies and standards at the technical level.
• Automating security tasks to reduce human error.

​

​

Example: “Multi-factor authentication (MFA) ensures that users provide additional verification before gaining access to critical systems.”

​

​

10

WHERE TO BEGIN?

11

WHERE TO BEGIN?

Step 1. Pick a framework

​

• Provides a structured approach to protecting your information assets.

​

• Simplifies your efforts to prioritize security initiatives, allocate resources, and measure progress over time.

​

• Center for Internet Security (CIS) version 8.1 framework.

​

​

12

WHERE TO BEGIN?

Step 2. Establish your

Cybersecurity Program

​

• Outlined in the Information Security Policy

​

• Defines the objectives and core principles

​

• Establishes roles and responsibilities

​

​

13

WHERE TO BEGIN?

Step 3. Catalog Existing Controls

​

• Administrative controls
• policies, standards, processes and procedures, inventories.

​

• Technical controls
• Antimalware, firewalls, intrusion detection systems, encryption tools…

​

​

​

​

14

OK, NOW WHAT?

15

OK, NOW WHAT?

Step 4. Start Building

​

Your Cybersecurity Program should include the following processes:

​

• Asset Management
• Software Asset Management
• Data Management
• Secure Configuration
• Account & Credential Management
• Network Management
• Vulnerability Management

​

​

​

​

​

​

• Audit Log Management
• Malware Defense
• Data Recovery
• Security Awareness Training
• Service Provider Management
• Incident Response Management

​

​

​

​

16

ASSET MANAGEMENT

Enterprise assets:

​

• End-user devices
• Servers
• Network devices
• IoT
• Physical, virtual, or Cloud based
• OnPrem or Remotely connected

https://www.cisecurity.org/insights/white-papers/enterprise-asset-management-policy-template

17

SOFTWARE ASSET MANAGEMENT

Software assets:

​

• Operating Systems
• Applications
• Libraries and Services

​

https://www.cisecurity.org/insights/white-papers/software-asset-management-policy-template-for-cis-control-2

18

DATA MANAGEMENT

​

​

Data assets:

​

• Financial Data
• Education records
• Personally Identifiable Information (PII)
• Personal Health Information (PHI)

https://www.cisecurity.org/insights/white-papers/data-management-policy-template-for-cis-control-3

19

SECURE CONFIGURATION

​

​

Configurable assets:

​

• Operating Systems
• Applications
• Cloud services & platforms
• Network appliances

https://www.cisecurity.org/insights/white-papers/secure-configuration-management-for-cis-control-4

20

ACCOUNT & CREDENTIAL MANAGEMENT

​

​

Account assets:

​

• Standard user accounts
• Administrative accounts
• Service Accounts
• Default Accounts
• Vendor Accounts

https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6

21

NETWORK MANAGEMENT

​

​

Network assets:

​

• Firewalls
• Routers
• Switches
• Wireless Access Points

22

VULNERABILITY MANAGEMENT

​

​

Enterprise assets:

​

• End-user devices
• Servers
• Network devices
• IoT
• Faculty/Staff
• Physical, virtual, or Cloud based

https://www.cisecurity.org/insights/white-papers/vulnerability-management-policy-template-for-cis-control-7

23

AUDIT LOG MANAGEMENT

​

​

Audit logs:

​

• Operating Systems logs
• Application logs
• Authentication logs
• Firewall logs
• Antivirus logs
• Web server logs

https://www.cisecurity.org/insights/white-papers/audit-log-management-policy-template-for-cis-control-8

24

MALWARE DEFENSE

​

​

Enterprise Assets:

​

• End-user devices
• Servers

https://www.cisecurity.org/insights/white-papers/malware-defense-policy-template-for-cis-control-10

25

DATA RECOVERY

​

​

Assets to be backed up:

​

• Databases
• File Shares
• Applications
• Virtual Machines
• System states

https://www.cisecurity.org/insights/white-papers/data-recovery-policy-template-for-cis-control-11

26

SECURITY AWARENESS TRAINING

​

​

Training topics:

​

• Social engineering attacks
• Authentication best practices
• Data handling best practices
• Unintentional data exposure
• Recognizing and reporting incidents
• Transmitting data over insecure networks

https://www.cisecurity.org/insights/white-papers/security-awareness-skills-training-policy-template-for-cis-control-14

27

SERVICE PROVIDER MANAGEMENT

​

​

Types of service providers:

​

• Internet providers
• Onprem Applications
• Cloud based service providers (IaaS, PaaS, SaaS)

https://www.cisecurity.org/insights/white-papers/service-provider-management-policy-template-for-cis-control-15

28

INCIDENT RESPONSE MANAGEMENT

​

​

IR elements:

​

• Personnel designated to manage IR
• IR contact information
• Assigned IR roles and responsibilities
• Defined communication method

https://www.cisecurity.org/insights/white-papers/incident-response-policy-template-for-cis-control-17

29

SUMMARY

​

​

Step 1. Pick a framework

Step 2. Establish your Cybersecurity Program

Step 3. Catalog Existing Controls

Step 4. Start Building

​

• Asset Management
• Software Asset Management
• Data Management
• Secure Configuration
• Account & Credential Management
• Network Management
• Vulnerability Management

​

​

​

​

​

​

• Audit Log Management
• Malware Defense
• Data Recovery
• Security Awareness Training
• Service Provider Management
• Incident Response Management

​

​

30

WHAT’S NEXT?

31

WHAT’S NEXT?

​

• Leverage available NCDPI security services and resources.
• Expect New K-12 Cybersecurity Program Initiatives.
• Cybersecurity Program Template
• Cybersecurity Assessment Tool
• Follow MCNC blog series.

CEU Certificate of Completion

NCDPI K-12 Cybersecurity Webinar Series

Next Webinar

December 11, 2024, 10am

NCLGISA Strike Team Multifactor Authentication Phishing

Join Cory Rankin from the NCLGISA strike team as he steps through the complexities of MFA Phishing. Specifically, Cory will go over what it is, how it works, and how you can protect yourself.

Register here

33

34

QUESTIONS?

35

QUESTIONS RAISED

1. Can the Program Framework Google sheet be shared? https://docs.google.com/spreadsheets/d/1wS2c-QoH4T0Ojmv_tVoPtZWIpFbdQYAr-5Shd9umieA/edit?usp=sharing

​

1. Are the CIS Controls prioritized?

Yes, kinda. CIS developed what they call Implementation Groups - IG1, IG2, IG3. The idea is each group of controls builds upon the other. Start with IG1, then IG2, then IG3. IG1 represents “essential cyber hygiene”, the foundational set of controls/safeguards every organization should strive to achieve first.

​

Within the Implementation Group, the controls are not prioritized necessarily. But, CIS did develop what they call “Attack Cards” that identify the safeguards that are most effective in protecting against the top 5 most common threats - Malware, Ransomware, Web Application Hacking, Insider and Privilege Misuse, and Targeted Intrusions. The Attack Cards are part of the CIS Community Defense Model documentation located here: https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0

​

1. Do you have guidance on staffing cybersecurity?

At this time there is no specific guidance. We have taken a note to look at this as part of the Cybersecurity Program Plan initiative.