The State of the State of Cybersecurity
JANUARY 8, 2015
When it rains…
Agenda
• Global View
  – Headlines and the General State of the Falling Sky
  – Benchmarking, benchmarking and more benchmarking
• Texas View
  – What We Knew – Security Assessment findings
  – What We Now Can See
• Where Do We Go From Here
  – Preview of the 2015-2020 Statewide Cybersecurity Strategy
The World Around Us
• 63% of victim organizations are made aware by external entities
• Attackers spend an estimated 243 days on a victim network before they are discovered (down 173 days from 2011)
Commonalities and Comparable Traits
The same traits are compared across Industry, Government and Individual Agencies:
• Attackers
• Security Capabilities
• Technology
• Data
• People
Motivations, Targets and Objectives
• Financial Motivations
  – Credit Cards – Direct Conversion
  – Identity Information (PII) – Indirect Conversion
  – Health Information (PHI) – Indirect Conversion
    (Reuters) - Your medical information is worth 10 times more than your credit card number on the black market.
• Mayhem, Activism and Reputation
• Espionage
Web Application Attack Detections - Financially Motivated
Web Application Attacks – Ideologically Motivated
Are You Motivated?
In 2013, the five largest breaches accounted for 84% of all breached records. In the first eight months of 2014, the top five accounted for 92% of all breached records.
Source: Lessons Learned From Global Customer Data Breaches And Privacy Incidents Of 2013-14, November 14, 2014, by Stephanie Balaouras, Heidi Shey with Laura Koetzle, Rick Holland, Claire O'Malley
Hackers pick their victim organization carefully, learn its business, understand its partner relationships, and test for weaknesses and vulnerabilities. To cash in on personally identifiable information (PII), a hacker (and the organized crime syndicate funding the operation) wants to steal as many customer records as possible.
Let’s Talk About
Security Assessment Benchmark
Security Assessments Conducted 2011 through 2014: over 40 agencies comprising over 80% of State FTEs.
Maturity Level Definitions (Source: Gartner): Level 1: Initial/Ad Hoc; Level 2: Developing/Reactive; Level 3: Defined/Proactive; Level 4: Managed; Level 5: Optimized
Radar chart (levels 1 to 5) comparing the Due Diligence Standard against the State of the State across the following control areas: App Security, Vulnerability Mgmt, Availability, PKI - Encryption, Change Mgmt, Physical Security, Confidentiality, Network Zones, Endpoint Admission, Network Perimeters, Governance, Monitoring, Mobile Security, Host Security, Access Mgmt, Malware, Integrity.
7 Trends Identified
1. IT staffing challenges
2. Data classification
3. Security governance / awareness
4. Identity and access management standardization
5. Security in software development
6. Consistent event monitoring and analysis
7. Internal network segmentation
Texas Statewide Security Program
The Texas Cybersecurity Framework
• Agency Security Plan Template – Implemented in January 2014
• Vendor Product / Service Template – Implemented in March 2014
• Updated Texas Administrative Code Ch. 202 – Currently draft; publish February 2015
• Security Control Standards Catalog – Currently draft; publish February 2015
• Guidelines and Whitepapers – Ongoing effort
• Governance, Risk and Compliance Solution – To be complete Fall 2015
Agency Security Plans – Functional Areas and Security Objectives
• 40 security objectives defined
• Aligned to “Framework for Improving Critical Infrastructure Cybersecurity” released by NIST in February 2014
• Responsive to SB 1134 (Ellis) and SB 1597 (Zaffirini)
Identify / Protect:
– Privacy and Confidentiality
– Data Classification
– Critical Information Asset Inventory
– Enterprise Security Policy, Standards and Guidelines
– Control Oversight and Safeguard Assurance
– Information Security Risk Management
– Security Oversight and Governance
– Security Compliance and Regulatory Requirements Management
– Cloud Usage and Security
– Security Assessment and Authorization / Technology Risk Assessments
– External Vendors and Third Party Providers
– Enterprise Architecture, Roadmap & Emerging Technology
– Secure System Services, Acquisition and Development
– Security Awareness and Training
– Privacy Awareness and Training
– Cryptography
– Secure Configuration Management
– Change Management
– Contingency Planning
– Media
– Physical Environmental Protection
– Personnel Security
– Third-Party Personnel Security
– System Configuration Hardening & Patch Management
– Access Control
– Account Management
– Security Systems Management
– Network Access and Perimeter Controls
– Internet Content Filtering
– Data Loss Prevention
– Identification & Authentication
– Spam Filtering
– Portable & Remote Computing
– System Communications Protection
Detect:
– Malware Protection
– Vulnerability Assessment
– Security Monitoring and Event Analysis
Respond:
– Cyber-Security Incident Response
– Privacy Incident Response
Recover:
– Disaster Recovery Procedures
Agency Security Plans
• Objective-based
• Uniform understanding of agency security program maturity using a traditional maturity model
DIR maturity levels (level – keywords – description):
Level 0 – None, Nonexistent – There is no evidence of the organization meeting the objective.
Level 1 – Ad-hoc, Initial – The organization has an ad hoc, inconsistent, or reactive approach to meeting the objective.
Level 2 – Managed, Consistent, Repeatable – The organization has a consistent overall approach to meeting the objective, but it is still mostly reactive and undocumented. The organization does not routinely measure or enforce policy compliance.
Level 3 – Compliant, Defined – The organization has a documented, detailed approach to meeting the objective, and regularly measures its compliance.
Level 4 – Risk-Based, Managed – The organization uses an established risk management framework to measure and evaluate risk and integrate improvements beyond the requirements of applicable regulations.
Level 5 – Efficient, Optimized, Economized – The organization has refined its standards and practices, focusing on ways to improve its capabilities in the most efficient and cost-effective manner.
2013 Nationwide Cyber Security Review (NCSR)
• 2013 review is the second national survey of state, local, tribal and territorial (SLTT) governments
• First review conducted in 2011
• Cybersecurity maturity self-assessment
• 304 total participants including all 50 states
Developed by…
Framework / Methodology for Security Program and Controls
Which control frameworks and/or security methodologies are your organization's information security controls based on? (Select all that apply)
Texas Administrative Code, Chapter 202 is currently under revision to a FISMA / NIST 800-53 structure.
Top Identified Security Concerns
Texas top identified security concern (from Security Assessment findings):
• Almost all assessed agencies appear to not have sufficient resources to support minimum security-related activities
Maturity Comparison
Previous NCSR (12 Control Areas):
• Ad-Hoc: Not Performed; Performed but undocumented / unstructured
• Documentation: Documented Policy; Documented Standards / Procedures
• Risk Aware Managed: Risk Measured; Risk Treated; Risk Validated
NIST Cyber Security Framework (CSF) (90 Subcategories), proposed maturity:
• Not performed
• Performed but undocumented
• Risk Assessment performed, not implementing
• Documented in Policy or Business Case
• Policies and Procedures plus Standards are all defined
• Procedures and Standards defined; implementation in process
• Tested and verified
• Measured and repeatable (continuously improved)
Gartner (17 Control Areas):
• Level 1: Initial / Ad Hoc
• Level 2: Developing / Reactive
• Level 3: Defined / Proactive
• Level 4: Managed
• Level 5: Optimized
Texas Agency Security Plan (40 Control Objectives):
• Level 0: None, Nonexistent
• Level 1: Ad-hoc, Initial
• Level 2: Managed, Consistent, Repeatable
• Level 3: Compliant, Defined
• Level 4: Risk-Based, Managed
• Level 5: Efficient, Optimized, Economized
Agency Security Plan Observations
Overview of Maturity: bar chart of the percentage of agencies (0% to 50%) at each maturity level – Nonexistent, Ad-hoc, Managed, Compliant, Risk-Based, Efficient.
Observations – Size Matters
Maturity by Entity Size: bar chart of average maturity (0 to 3) by FTE count – Under 50 FTEs, Medium, Over 1000 FTEs.
A Layer Below the Surface
Statewide average maturity by program area (scale 0.00 to 5.00): Identify 2.37, Protect 2.52, Detect 2.78, Respond 2.32, Recover 3.00.
Maturity levels: 0 None, Nonexistent; 1 Ad-hoc, Initial; 2 Managed, Consistent, Repeatable; 3 Compliant, Defined; 4 Risk-Based, Managed; 5 Efficient, Optimized, Economized.
Highlights and Roadmap Improvements
Successes to Build Upon
Areas for Improvement
• Spam Filtering
• Data Loss Prevention
• Account Management • Disaster Recovery
• Secure System Services, Acquisition and Development
• Security Systems Management
• Cloud Usage and Security
A Look to the Future
Planning – Strategy - Governance
Hierarchy of Cybersecurity Needs (pyramid, top to bottom)
Security Intelligence
Risk Based Security
Security Essentials
Security Operations and Services
Objective 1 - Establish an Enterprise Managed Security Services Provider (MSSP) and Multisourcing Service Integrator (MSI) model to provide key security operations for statewide program and agency functions.
Objective 2 - Identify and protect from cybersecurity threats against Texas information resources (Identify / Protect).
Objective 3 - Detect cyber attacks and identify attack campaigns launched against Texas information resources and critical infrastructure (Detect).
Security Intelligence and Analysis
Vocabulary for Event Recording and Incident Sharing (VERIS)
• Actors: External, Internal, Partner
• Actions: Malware, Hacking, Social, Misuse, Physical, Error, Environmental
• Attributes: Confidentiality, Integrity, Availability
• Assets: Variety, Ownership, Management, Hosting, Accessibility, Cloud
Coordination – Collaboration – Outreach
Objective 1 - Establish a statewide cybersecurity coordination and collaboration platform (HSIN).
Objective 2 - Enable regional cybersecurity response coordination.
Objective 3 - Coordinate statewide cybersecurity exercises and preparedness.
Objective 4 - Coordinate the information sharing among the state’s key entities.
Objective 5 - Establish a competent and capable cybersecurity workforce supply.
Thank You
Regardless of industry vertical, we’re not all that different:
• Similar Risks
• Similar Attackers
• Similar Solutions
• Similar Customers
What you can’t see might be killing you.
• Benchmark and compare
• Stay curious, question everything
Data doesn’t lie, but it may hide the truth. But without it, everything may be hiding.