Audit Focus Q3 2023
Audit criteria updates. Threat landscape risk factors
Anastasiia Konoplova, CISA, CRISC, CDPSE
CISA, CRISC, CDPSE Trainer, LLC UAG, ISACA Kyiv Chapter
Profile: https://www.linkedin.com/in/anastasiia-konoplova-9342b57b/
Public activity: https://www.slideshare.net/AnastasiiaKonoplova
Blog: https://www.facebook.com/llcuag
Reputation: https://ec.europa.eu/futurium/en/Women4Cyber
Certifications: https://www.credly.com/users/anastasiia-konoplova
Focusing audits, consider
Compliance Shift – 2022-2025
Current regulations on technology
Tech agenda
ENISA Certification Scheme
https://certification.enisa.europa.eu/
https://www.commoncriteriaportal.org/cc/
Components of the CC standard
https://www.commoncriteriaportal.org/cc/
Common Criteria Target of Evaluation and assurance levels
5.3 Target of evaluation (TOE)
5.3.2 TOE boundaries
The concept of a TOE boundary is fundamental to the specification of the ST (security target).
A TOE may be a complete IT product (or products), a part of an IT product, or made up of various components. The ST shall clearly outline the physical and logical scope of the TOE as it is delivered to the customer.
In the CC, a TOE can occur in several representations in relationship with the assurance criteria:
NOTE These assurance criteria include testing (ATE) and vulnerability analysis (AVA), which require TOE samples, some design (ADV_IMP), which require an implementation representation, e.g. source code, and lifecycle (ALC), which requires the TOE's configuration list.
EXAMPLE TOE representations for a software TOE:
— a list of files in a configuration management system;
— a single master copy that has just been compiled;
— the source code for a specific version of an open-source distribution;
— a box containing physical media and a manual, ready to be shipped to a customer;
— a binary file available for secure download;
— an installed and operational version.
TOE representations for a hardware TOE:
— integrated circuit layout;
— memory mappings;
— wafers;
— modules.
All of these are considered to be a TOE and wherever the term "TOE" is used in the CC, the context determines the representation that is described.
EXAMPLE Examples of TOEs include devices characterized by few interfaces, reduced attack surface, and a well-known supply chain:
— a network device;
— a software application;
— an operating system;
— a virtualization system;
— an integrated circuit;
— the cryptographic co-processor of an integrated circuit;
— an application for a mobile device;
— a database application excluding the remote client software normally associated with that database application.
TOEs can also be more complex, characterized by a large interface/large number of interfaces and/or number of components, multiple manufacturing/integration phases, field upgradeable products such as:
— a Local Area Network (LAN) including all terminals, servers, network equipment and software;
— a mobile device;
— gateways and hubs;
— a software application in combination with an operating system;
— a multi-function device, such as a multi-function printer;
— a Hardware Security Module (HSM).
https://www.commoncriteriaportal.org/files/ccfiles/CC2022PART1R1.pdf
Security functions of ICT product/service
(classes, families and components of the CC security functional requirements)

8 Class FAU: Security audit
• 8.2 Security audit automatic response (FAU_ARP)
  — 8.2.5 FAU_ARP.1 Security alarms
• 8.3 Security audit data generation (FAU_GEN)
  — 8.3.5 FAU_GEN.1 Audit data generation
  — 8.3.6 FAU_GEN.2 User identity association
• 8.4 Security audit analysis (FAU_SAA)
  — 8.4.8 FAU_SAA.1 Potential violation analysis
  — 8.4.9 FAU_SAA.2 Profile based anomaly detection
  — 8.4.10 FAU_SAA.3 Simple attack heuristics
  — 8.4.11 FAU_SAA.4 Complex attack heuristics
• 8.5 Security audit review (FAU_SAR)
  — 8.5.8 FAU_SAR.1 Audit review
  — 8.5.9 FAU_SAR.2 Restricted audit review
  — 8.5.10 FAU_SAR.3 Selectable audit review
• 8.6 Security audit event selection (FAU_SEL)
  — 8.6.5 FAU_SEL.1 Selective audit
• 8.7 Security audit data storage (FAU_STG)
  — 8.7.12 FAU_STG.1 Audit data storage location
  — 8.7.13 FAU_STG.2 Protected audit data storage
  — 8.7.14 FAU_STG.3 Guarantees of audit data availability
  — 8.7.15 FAU_STG.4 Action in case of possible audit data loss
  — 8.7.16 FAU_STG.5 Prevention of audit data loss

9 Class FCO: Communication
• 9.2 Non-repudiation of origin (FCO_NRO)
  — 9.2.6 FCO_NRO.1 Selective proof of origin
  — 9.2.7 FCO_NRO.2 Enforced proof of origin
• 9.3 Non-repudiation of receipt (FCO_NRR)
  — 9.3.6 FCO_NRR.1 Selective proof of receipt
  — 9.3.7 FCO_NRR.2 Enforced proof of receipt

10 Class FCS: Cryptographic support
• 10.2 Cryptographic key management (FCS_CKM)
  — 10.2.5 FCS_CKM.1 Cryptographic key generation
  — 10.2.6 FCS_CKM.2 Cryptographic key distribution
  — 10.2.7 FCS_CKM.3 Cryptographic key access
  — 10.2.8 FCS_CKM.4 Cryptographic key destruction
  — 10.2.9 FCS_CKM.5 Cryptographic key derivation
  — 10.2.10 FCS_CKM.6 Timing and event of cryptographic key destruction
• 10.3 Cryptographic operation (FCS_COP)
  — 10.3.5 FCS_COP.1 Cryptographic operation
• 10.4 Random bit generation (FCS_RBG)
  — 10.4.6 FCS_RBG.1 Random bit generation (RBG)
  — 10.4.7 FCS_RBG.2 Random bit generation (external seeding)
  — 10.4.8 FCS_RBG.3 Random bit generation (internal seeding – single source)
  — 10.4.9 FCS_RBG.4 Random bit generation (internal seeding – multiple sources)
  — 10.4.10 FCS_RBG.5 Random bit generation (combining noise sources)
  — 10.4.11 FCS_RBG.6 Random bit generation service
• 10.5 Generation of random numbers (FCS_RNG)
  — 10.5.5 FCS_RNG.1 Random number generation

11 Class FDP: User data protection
• 11.2 Access control policy (FDP_ACC)
  — 11.2.5 FDP_ACC.1 Subset access control
  — 11.2.6 FDP_ACC.2 Complete access control
• 11.3 Access control functions (FDP_ACF)
  — 11.3.5 FDP_ACF.1 Security attribute-based access control
• 11.4 Data authentication (FDP_DAU)
  — 11.4.6 FDP_DAU.1 Basic Data Authentication
  — 11.4.7 FDP_DAU.2 Data Authentication with Identity of Guarantor
• 11.5 Export from the TOE (FDP_ETC)
  — 11.5.6 FDP_ETC.1 Export of user data without security attributes
  — 11.5.7 FDP_ETC.2 Export of user data with security attributes
• 11.6 Information flow control policy (FDP_IFC)
  — 11.6.5 FDP_IFC.1 Subset information flow control
  — 11.6.6 FDP_IFC.2 Complete information flow control
• 11.7 Information flow control functions (FDP_IFF)
  — FDP_IFF.1 Simple security attributes
  — FDP_IFF.2 Hierarchical security attributes
  — FDP_IFF.3 Limited illicit information flows
  — FDP_IFF.4 Partial elimination of illicit information flows
  — FDP_IFF.5 No illicit information flows
  — FDP_IFF.6 Illicit information flow monitoring
• 11.8 Information Retention Control (FDP_IRC)
  — 11.8.5 FDP_IRC.1 Information retention control
• 11.9 Import from outside of the TOE (FDP_ITC)
  — 11.9.5 FDP_ITC.1 Import of user data without security attributes
  — 11.9.6 FDP_ITC.2 Import of user data with security attributes
• 11.10 Internal TOE transfer (FDP_ITT)
  — 11.10.7 FDP_ITT.1 Basic internal transfer protection
  — 11.10.8 FDP_ITT.2 Transmission separation by attribute
  — 11.10.9 FDP_ITT.3 Integrity monitoring
  — 11.10.10 FDP_ITT.4 Attribute-based integrity monitoring
• 11.11 Residual information protection (FDP_RIP)
  — 11.11.5 FDP_RIP.1 Subset residual information protection
  — 11.11.6 FDP_RIP.2 Full residual information protection
• 11.12 Rollback (FDP_ROL)
  — 11.12.5 FDP_ROL.1 Basic rollback
  — 11.12.6 FDP_ROL.2 Advanced rollback
• 11.13 Stored data confidentiality (FDP_SDC)
  — 11.13.5 FDP_SDC.1 Stored data confidentiality
  — 11.13.6 FDP_SDC.2 Stored data confidentiality with dedicated method
• 11.14 Stored data integrity (FDP_SDI)
  — 11.14.7 FDP_SDI.1 Stored data integrity monitoring
  — 11.14.8 FDP_SDI.2 Stored data integrity monitoring and action
• 11.15 Inter-TSF user data confidentiality transfer protection (FDP_UCT)
  — 11.15.5 FDP_UCT.1 Basic data exchange confidentiality
• 11.16 Inter-TSF user data integrity transfer protection (FDP_UIT)
  — 11.16.6 FDP_UIT.1 Data exchange integrity
  — 11.16.7 FDP_UIT.2 Source data exchange recovery
  — 11.16.8 FDP_UIT.3 Destination data exchange recovery

12 Class FIA: Identification and authentication
• 12.2 Authentication failures (FIA_AFL)
  — 12.2.5 FIA_AFL.1 Authentication failure handling
• 12.3 Authentication proof of identity (FIA_API)
  — 12.3.5 FIA_API.1 Authentication proof of identity
• 12.4 User attribute definition (FIA_ATD)
  — 12.4.5 FIA_ATD.1 User attribute definition
• 12.5 Specification of secrets (FIA_SOS)
  — 12.5.6 FIA_SOS.1 Verification of secrets
  — 12.5.7 FIA_SOS.2 TSF Generation of secrets
• 12.6 User authentication (FIA_UAU)
  — 12.6.16 FIA_UAU.1 Timing of authentication
  — 12.6.17 FIA_UAU.2 User authentication before any action
  — 12.6.18 FIA_UAU.3 Unforgeable authentication
  — 12.6.19 FIA_UAU.4 Single-use authentication mechanisms
  — 12.6.20 FIA_UAU.5 Multiple authentication mechanisms
  — 12.6.21 FIA_UAU.6 Re-authenticating
  — 12.6.22 FIA_UAU.7 Protected authentication feedback
• 12.7 User identification (FIA_UID)
  — 12.7.6 FIA_UID.1 Timing of identification
  — 12.7.7 FIA_UID.2 User identification before any action
• 12.8 User-subject binding (FIA_USB)
  — 12.8.5 FIA_USB.1 User-subject binding

13 Class FMT: Security management
• 13.2 Limited capabilities and availability (FMT_LIM)
  — 13.2.5 FMT_LIM.1 Limited capabilities
  — 13.2.6 FMT_LIM.2 Limited availability
• 13.3 Management of functions in TSF (FMT_MOF)
  — 13.3.5 FMT_MOF.1 Management of security functions behaviour
• 13.4 Management of security attributes (FMT_MSA)
  — 13.4.11 FMT_MSA.1 Management of security attributes
  — 13.4.12 FMT_MSA.2 Secure security attributes
  — 13.4.13 FMT_MSA.3 Static attribute initialization
  — 13.4.14 FMT_MSA.4 Security attribute value inheritance
• 13.5 Management of TSF data (FMT_MTD)
  — 13.5.9 FMT_MTD.1 Management of TSF data
  — 13.5.10 FMT_MTD.2 Management of limits on TSF data
  — 13.5.11 FMT_MTD.3 Secure TSF data
• 13.6 Revocation (FMT_REV)
  — 13.6.5 FMT_REV.1 Revocation
• 13.7 Security attribute expiration (FMT_SAE)
  — 13.7.5 FMT_SAE.1 Time-limited authorization
• 13.8 Specification of Management Functions (FMT_SMF)
  — 13.8.5 FMT_SMF.1 Specification of Management Functions
• 13.9 Security management roles (FMT_SMR)
  — 13.9.9 FMT_SMR.1 Security roles
  — 13.9.10 FMT_SMR.2 Restrictions on security roles
  — 13.9.11 FMT_SMR.3 Assuming roles

14 Class FPR: Privacy
• 14.2 Anonymity (FPR_ANO)
  — 14.2.5 FPR_ANO.1 Anonymity
  — 14.2.6 FPR_ANO.2 Anonymity without soliciting information
• 14.3 Pseudonymity (FPR_PSE)
  — 14.3.5 FPR_PSE.1 Pseudonymity
  — 14.3.6 FPR_PSE.2 Reversible pseudonymity
  — 14.3.7 FPR_PSE.3 Alias pseudonymity
• 14.4 Unlinkability (FPR_UNL)
  — 14.4.5 FPR_UNL.1 Unlinkability of operations
• 14.5 Unobservability (FPR_UNO)
  — 14.5.9 FPR_UNO.1 Unobservability
  — 14.5.10 FPR_UNO.2 Allocation of information impacting unobservability
  — 14.5.11 FPR_UNO.3 Unobservability without soliciting information
  — 14.5.12 FPR_UNO.4 Authorized user observability

15 Class FPT: Protection of the TSF
• 15.2 TOE emanation (FPT_EMS)
  — 15.2.5 FPT_EMS.1 Emanation of TSF and User data
• 15.3 Fail secure (FPT_FLS)
  — 15.3.5 FPT_FLS.1 Failure with preservation of secure state
• 15.4 TSF initialization (FPT_INI)
  — 15.4.5 FPT_INI.1 TSF initialization
• 15.5 Availability of exported TSF data (FPT_ITA)
  — 15.5.5 FPT_ITA.1 Inter-TSF availability within a defined availability metric
• 15.6 Confidentiality of exported TSF data (FPT_ITC)
  — 15.6.5 FPT_ITC.1 Inter-TSF confidentiality during transmission
• 15.7 Integrity of exported TSF data (FPT_ITI)
  — 15.7.7 FPT_ITI.1 Inter-TSF detection of modification
  — 15.7.8 FPT_ITI.2 Inter-TSF detection and correction of modification
• 15.8 Internal TOE TSF data transfer (FPT_ITT)
  — 15.8.8 FPT_ITT.1 Basic internal TSF data transfer protection
  — 15.8.9 FPT_ITT.2 TSF data transfer separation
  — 15.8.10 FPT_ITT.3 TSF data integrity monitoring
• 15.9 TSF physical protection (FPT_PHP)
  — 15.9.9 FPT_PHP.1 Passive detection of physical attack
  — 15.9.10 FPT_PHP.2 Notification of physical attack
  — 15.9.11 FPT_PHP.3 Resistance to physical attack
• 15.10 Trusted recovery (FPT_RCV)
  — 15.10.8 FPT_RCV.1 Manual recovery
  — 15.10.9 FPT_RCV.2 Automated recovery
  — 15.10.10 FPT_RCV.3 Automated recovery without undue loss
  — 15.10.11 FPT_RCV.4 Function recovery
• 15.11 Replay detection (FPT_RPL)
  — 15.11.5 FPT_RPL.1 Replay detection
• 15.12 State synchrony protocol (FPT_SSP)
  — 15.12.5 FPT_SSP.1 Simple trusted acknowledgement
  — 15.12.6 FPT_SSP.2 Mutual trusted acknowledgement
• 15.13 Time stamps (FPT_STM)
  — 15.13.7 FPT_STM.1 Reliable time stamps
  — 15.13.8 FPT_STM.2 Time source history
• 15.14 Inter-TSF TSF data consistency (FPT_TDC)
  — 15.14.5 FPT_TDC.1 Inter-TSF basic TSF data consistency
• 15.15 Testing of external entities (FPT_TEE)
  — 15.15.5 FPT_TEE.1 Testing of external entities
• 15.16 Internal TOE TSF data replication consistency (FPT_TRC)
  — 15.16.5 FPT_TRC.1 Internal TSF consistency
• 15.17 TSF self-test (FPT_TST)
  — 15.17.5 FPT_TST.1 TSF self-testing

16 Class FRU: Resource utilization
• 16.1 Class description
• 16.2 Fault tolerance (FRU_FLT)
  — 16.2.6 FRU_FLT.1 Degraded fault tolerance
  — 16.2.7 FRU_FLT.2 Limited fault tolerance
• 16.3 Priority of service (FRU_PRS)
  — 16.3.5 FRU_PRS.1 Limited priority of service
  — 16.3.6 FRU_PRS.2 Full priority of service
• 16.4 Resource allocation (FRU_RSA)
  — 16.4.6 FRU_RSA.1 Maximum quotas
  — 16.4.7 FRU_RSA.2 Minimum and maximum quotas

17 Class FTA: TOE access
• 17.2 Limitation on scope of selectable attributes (FTA_LSA)
  — 17.2.5 FTA_LSA.1 Limitation on scope of selectable attributes
• 17.3 Limitation on multiple concurrent sessions (FTA_MCS)
  — 17.3.6 FTA_MCS.1 Basic limitation on multiple concurrent sessions
  — 17.3.7 FTA_MCS.2 Per user attribute limitation on multiple concurrent sessions
• 17.4 Session locking and termination (FTA_SSL)
  — 17.4.10 FTA_SSL.1 TSF-initiated session locking
  — 17.4.11 FTA_SSL.2 User-initiated locking
  — 17.4.12 FTA_SSL.3 TSF-initiated termination
  — 17.4.13 FTA_SSL.4 User-initiated termination
• 17.5 TOE access banners (FTA_TAB)
  — 17.5.5 FTA_TAB.1 Default TOE access banners
• 17.6 TOE access history (FTA_TAH)
  — 17.6.5 FTA_TAH.1 TOE access history
• 17.7 TOE session establishment (FTA_TSE)
  — 17.7.5 FTA_TSE.1 TOE session establishment

18 Class FTP: Trusted path/channels
• 18.2 Inter-TSF trusted channel (FTP_ITC)
  — 18.2.5 FTP_ITC.1 Inter-TSF trusted channel
• 18.3 Trusted channel protocol (FTP_PRO)
  — 18.3.9 FTP_PRO.1 Trusted channel protocol
  — 18.3.10 FTP_PRO.2 Trusted channel establishment
  — 18.3.11 FTP_PRO.3 Trusted channel data protection
• 18.4 Trusted path (FTP_TRP)
  — 18.4.5 FTP_TRP.1 Trusted path
CMMC (US DoD Procurement requirements, 2025)
• Safeguard sensitive information to enable and protect the warfighter
• Dynamically enhance DIB cybersecurity to meet evolving threats
• Ensure accountability while minimizing barriers to compliance with DoD requirements
• Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
• Maintain public trust through high professional and ethical standards
https://www.acq.osd.mil/cmmc/about-us.html
ISO 27001:2022, 27002:2022 – updated control structure

ISO 27001:2022 clauses
4. Context of the Organization
• 4.1 Understanding the organization and its context
• 4.2 Understanding the needs and expectations of interested parties
• 4.3 Determining the scope of the information security management system
• 4.4 Information security management system
5. Leadership
• 5.1 Leadership and commitment
• 5.2 Policy
• 5.3 Organizational roles, responsibilities, and authorities
6. Planning
• 6.1 Actions to address risks and opportunities
• 6.1.1 General
• 6.1.2 Information security risk assessment
• 6.1.3 Information security risk treatment
• 6.2 Information security objectives and planning to achieve them
7. Support
• 7.1 Resources
• 7.2 Competence
• 7.3 Awareness
• 7.4 Communication
• 7.5 Documented Information
• 7.5.1 General
• 7.5.2 Creating and updating
• 7.5.3 Control of documented information
8. Operation
• 8.1 Operation planning and control
• 8.2 Information security risk assessment
• 8.3 Information security risk treatment
9. Performance evaluation
• 9.1 Monitoring, measurement, analysis and evaluation
• 9.2 Internal audit
• 9.2.1 General
• 9.2.2 Internal audit programme
• 9.3 Management review
• 9.3.1 General
• 9.3.2 Management review inputs
• 9.3.3 Management review results
10. Improvement
• 10.1 Continual improvement
• 10.2 Nonconformity and corrective action

ISO 27002:2022 controls
5 Organizational controls
• 5.1 Policies for information security
• 5.2 Information security roles and responsibilities
• 5.3 Segregation of duties
• 5.4 Management responsibilities
• 5.5 Contact with authorities
• 5.6 Contact with special interest groups
• 5.7 Threat intelligence
• 5.8 Information security in project management
• 5.9 Inventory of information and other associated assets
• 5.10 Acceptable use of information and other associated assets
• 5.11 Return of assets
• 5.12 Classification of information
• 5.13 Labelling of information
• 5.14 Information transfer
• 5.15 Access control
• 5.16 Identity management
• 5.17 Authentication information
• 5.18 Access rights
• 5.19 Information security in supplier relationships
• 5.20 Addressing information security within supplier agreements
• 5.21 Managing information security in the information and communication technology (ICT) supply chain
• 5.22 Monitoring, review and change management of supplier services
• 5.23 Information security for use of cloud services
• 5.24 Information security incident management planning and preparation
• 5.25 Assessment and decision on information security events
• 5.26 Response to information security events
• 5.27 Learning from information security incidents
• 5.28 Collection of evidence
• 5.29 Information security during disruption
• 5.30 ICT readiness for business continuity
• 5.31 Legal, statutory, regulatory and contractual requirements
• 5.32 Intellectual property rights
• 5.33 Protection of records
• 5.34 Privacy and protection of personal identifiable information (PII)
• 5.35 Independent review of information security
• 5.36 Compliance with policies, rules and standards for information security
• 5.37 Documented operating procedures
6 People controls
• 6.1 Screening
• 6.2 Terms and conditions of employment
• 6.3 Information security awareness, education, and training
• 6.4 Disciplinary process
• 6.5 Responsibilities after termination or change of employment
• 6.6 Confidentiality or non-disclosure agreements
• 6.7 Remote working
• 6.8 Information security event reporting
7 Physical controls
• 7.1 Physical security perimeters
• 7.2 Physical entry
• 7.3 Securing offices, rooms and facilities
• 7.4 Physical security monitoring
• 7.5 Protecting against physical and environmental threats
• 7.6 Working in secure areas
• 7.7 Clear desk and clear screen
• 7.8 Equipment siting and protection
• 7.9 Security of assets off-premises
• 7.10 Storage media
• 7.11 Supporting utilities
• 7.12 Cabling security
• 7.13 Equipment maintenance
• 7.14 Secure disposal or re-use of equipment
8 Technological controls
• 8.1 User end point devices
• 8.2 Privileged access rights
• 8.3 Information access restriction
• 8.4 Access to source code
• 8.5 Secure authentication
• 8.6 Capacity management
• 8.7 Protection against malware
• 8.8 Management of technical vulnerabilities
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.13 Information backup
• 8.14 Redundancy of information processing facilities
• 8.15 Logging
• 8.16 Monitoring activities
• 8.17 Clock synchronization
• 8.18 Use of privileged utility programs
• 8.19 Installation of software on operational systems
• 8.20 Networks security
• 8.21 Security of network services
• 8.22 Segregation of networks
• 8.23 Web filtering
• 8.24 Use of cryptography
• 8.25 Secure development life cycle
• 8.26 Application security requirements
• 8.27 Secure system architecture and engineering principles
• 8.28 Secure coding
• 8.29 Security testing in development and acceptance
• 8.30 Outsourced development
• 8.31 Separation of development, test and production environments
• 8.32 Change management
• 8.33 Test information
• 8.34 Protection of information systems during audit testing
The NIST Cybersecurity Framework 2.0 - 2024
GOVERN (GV) – Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy.
• The GOVERN Function is cross-cutting and provides outcomes to inform how an organization will achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organization's broader enterprise risk management strategy. GOVERN directs an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and the oversight of cybersecurity strategy.
IDENTIFY (ID) – Help determine the current cybersecurity risk to the organization.
• Understanding its assets (e.g., data, hardware, software, systems, facilities, services, people) and the related cybersecurity risks enables an organization to focus and prioritize its efforts in a manner consistent with its risk management strategy and the mission needs identified under GOVERN. This Function also includes the identification of improvements needed for the organization's policies, processes, procedures, and practices supporting cybersecurity risk management to inform efforts under all six Functions.
DETECT (DE) – Find and analyze possible cybersecurity attacks and compromises.
• DETECT enables timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse cybersecurity events that may indicate that cybersecurity attacks and incidents are occurring.
RESPOND (RS) – Take action regarding a detected cybersecurity incident.
• RESPOND supports the ability to contain the impact of cybersecurity incidents. Outcomes within this Function cover incident management, analysis, mitigation, reporting, and communication.
RECOVER (RC) – Restore assets and operations that were impacted by a cybersecurity incident.
• RECOVER supports timely restoration of normal operations to reduce the impact of cybersecurity incidents and enable appropriate communication during recovery efforts.
Source: Initial Public Draft, The NIST Cybersecurity Framework 2.0
https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd
NIST SP 800-53r5
• 322 security controls (1189 controls) in 20 control families, ordered alphabetically; flexible implementation, which may follow a baseline; prepared by design for assurance.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
Zero trust – initial for FA till 2024
https://zerotrust.cyber.gov/
https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
Regulators react: +resilience
https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss121-march-22.pdf
Time matters. Just time to ensure service
https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss121-march-22.pdf
Outsourcers of outsourcers, or fourth parties
https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
Financial sector: financially motivated persistent threats
https://www.bleepingcomputer.com/tag/fin7/
DBIR 2023
The highest-quality statistics on confirmed incidents for the past year. Provides insight into the most likely real-world attacker tactics and tools. Does not provide insight into errors and insiders.
Data contributors listed in the report (alphabetical):
A
• Akamai Technologies
• Ankura
• Apura Cyber Intelligence
B
• Bit-x-bit
• BitSight
• BlackBerry
C
• Censys, Inc.
• Center for Internet Security
• Cequence Security
• CERT Division of Carnegie Mellon University's Software Engineering Institute
• CERT – European Union
• CERT Polska
• Check Point Software Technologies Ltd.
• Chubb
• Coalition
• Computer Incident Response Center Luxembourg (CIRCL)
• Coveware
• CrowdStrike
• Cybersecurity and Infrastructure Security Agency (CISA)
• CyberSecurity Malaysia, an agency under the Ministry of Communications and Multimedia (KKMM)
• Cybersixgill
• CYBIR
D
• Dell
• Department of Government Services, Victorian State Government, Australia
• DomainTools
E
• Energy Analytic Security Exchange (EASE)
• Edgescan
• Elevate Security
• Emergence Insurance
• EUROCONTROL
• Eviden
F
• Federal Bureau of Investigation – Internet Crime Complaint Center (FBI IC3)
• Fortinet
G
• Global Resilience Federation
• GreyNoise
H
• HackEDU
I
• Irish Reporting and Information Security Service (IRISS-CERT)
• Ivanti
J
• JPCERT/CC
K
• K-12 Security Information Exchange (K-12 SIX)
• Kaspersky
• KordaMentha
L
• Legal Services Information Sharing and Analysis Organization (LS-ISAO)
M
• Malicious Streams
• Maritime Transportation System ISAC (MTS-ISAC)
• mnemonic
N
• NetDiligence®
• NETSCOUT
O
• Okta
• OpenText Cybersecurity
P
• Palo Alto Networks
• Proofpoint
S
• S21sec
• SecurityTrails, a Recorded Future Company
• Shadowserver Foundation
• SISAP – Sistemas Aplicativos
• Shodan
• Swisscom
U
• U.S. Secret Service
V
• VERIS Community Database
• Verizon Cyber Risk Programs
• Verizon Cyber Security Consulting
• Verizon DDoS Defense
• Verizon Network Operations and Engineering
• Verizon Threat Research Advisory Center (VTRAC)
• Vestige Digital Investigations
W
• WatchGuard Technologies, Inc.
https://www.verizon.com/business/resources/reports/dbir/
MITRE ATT&CK
https://attack.mitre.org/
Processing
• Capturing data
• Data analysis
• Output preparation
Output
• Threat landscape for planning
• Threat advisories
• Scenarios in order to mitigate impact
Threat landscape: ENISA
https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view
https://www.enisa.europa.eu/news/enisa-news/how-to-map-the-cybersecurity-threat-landscape-follow-the-enisa-6-step-methodology
Preparation of TI analytics products
1. Actionable Information
2. Collection
3. Preparation
4. Storage
5. Analysis
6. Distribution
7. Lab: Extracting Indicators
8. Lab: Handout
https://www.first.org/education/trainings
What to collect?
About cybersecurity monitoring
https://www.enisa.europa.eu/publications/proactive-detection-measures-and-information-sources
AI in cybersecurity tools: 2023
https://www.enisa.europa.eu/publications/artificial-intelligence-and-cybersecurity-research
This defines cybersec 2025 (in regulations) - 2030 (in reality)
War
• Politics and government security agencies on the board;
• not only money is at risk, but life: warfare, critical infrastructure and IoT.
Compliance
• More requirements – AML, PII, governance; more consequences (AML & GDPR); bigger budgets.
Collaboration
• Via industry and government;
• via community (e.g. MITRE, SANS);
• via technology (e.g. DBIR).
Convergence
• Out of tech: OSINT is a weapon of journalists; awareness needs teachers; compliance requires lawyers; governance requires economics.