The State of the State of Cybersecurity

JANUARY 8, 2015

When it rains…


Agenda

• Global View
  – Headlines and the General State of the Falling Sky
  – Benchmarking, benchmarking and more benchmarking
• Texas View
  – What We Knew – Security Assessment findings
  – What We Now Can See
• Where Do We Go From Here
  – Preview of the 2015-2020 Statewide Cybersecurity Strategy

The World Around Us

• 63% of victim organizations are made aware by external entities
• Attackers spend an estimated 243 days on a victim network before they are discovered (down 173 days from 2011)

Commonalities and Comparable Traits

Industry, Government and Individual Agencies all face the same set of elements:

• Attackers
• Security Capabilities
• Technology
• Data
• People

Of these, the presentation singles out Security Capabilities.

Motivations, Targets and Objectives

• Financial Motivations
  – Credit Cards – Direct Conversion
  – Identity Information (PII) – Indirect Conversion
  – Health Information (PHI) – Indirect Conversion
• Mayhem, Activism and Reputation
• Espionage

(Reuters) - Your medical information is worth 10 times more than your credit card number on the black market.

Web Application Attack Detections - Financially Motivated

Web Application Attacks – Ideologically Motivated

Are You Motivated?

In 2013, the five largest breaches accounted for 84% of all breached records.

In the first eight months of 2014, the top five accounted for 92% of all breached records.

Source: “Lessons Learned From Global Customer Data Breaches And Privacy Incidents Of 2013-14”, November 14, 2014, by Stephanie Balaouras, Heidi Shey with Laura Koetzle, Rick Holland, Claire O'Malley

Hackers pick their victim organization carefully, learn its business, understand its partner relationships, and test for weaknesses and vulnerabilities. To cash in on personally identifiable information (PII), a hacker (and the organized crime syndicate funding the operation) wants to steal as many customer records as possible.

Let’s Talk About


Security Assessment Benchmark

Security Assessments Conducted 2011 through 2014: Over 40 Agencies comprising over 80% of State FTEs

Maturity Level Definitions (Source: Gartner):
• Level 1: Initial/Ad Hoc
• Level 2: Developing/Reactive
• Level 3: Defined/Proactive
• Level 4: Managed
• Level 5: Optimized

Assessed areas (radar chart comparing the Due Diligence Standard with the State of the State on the 1–5 scale): App Security, Vulnerability Mgmt, Availability, PKI - Encryption, Change Mgmt, Physical Security, Confidentiality, Network Zones, Endpoint Admission, Network Perimeters, Governance, Monitoring, Mobile Security, Host Security, Access Mgmt, Malware, Integrity

7 Trends Identified

1. IT staffing challenges
2. Data classification
3. Security governance / awareness
4. Identity and access management standardization
5. Security in software development
6. Consistent event monitoring and analysis
7. Internal network segmentation

Texas Statewide Security Program


The Texas Cybersecurity Framework

• Agency Security Plan Template – Implemented in January 2014
• Vendor Product / Service Template – Implemented in March 2014
• Updated Texas Administrative Code Ch. 202 – Currently Draft, Publish February 2015
• Security Control Standards Catalog – Currently Draft, Publish February 2015
• Guidelines and Whitepapers – Ongoing effort
• Governance, Risk and Compliance Solution – To be complete Fall 2015

Agency Security Plans

• 40 security objectives defined
• Aligned to “Framework for Improving Critical Infrastructure Cybersecurity” released by NIST in February 2014
• Responsive to SB 1134 (Ellis) and SB 1597 (Zaffirini)

Security objectives by functional area:

Identify
– Privacy and Confidentiality
– Data Classification
– Critical Information Asset Inventory
– Enterprise Security Policy, Standards and Guidelines
– Control Oversight and Safeguard Assurance
– Information Security Risk Management
– Security Oversight and Governance
– Security Compliance and Regulatory Requirements Management
– Cloud Usage and Security
– Security Assessment and Authorization / Technology Risk Assessments
– External Vendors and Third Party Providers

Protect
– Enterprise Architecture, Roadmap & Emerging Technology
– Secure System Services, Acquisition and Development
– Security Awareness and Training
– Privacy Awareness and Training
– Cryptography
– Secure Configuration Management
– Change Management
– Contingency Planning
– Media
– Physical Environmental Protection
– Personnel Security
– Third-Party Personnel Security
– System Configuration Hardening & Patch Management
– Access Control
– Account Management
– Security Systems Management
– Network Access and Perimeter Controls
– Internet Content Filtering
– Data Loss Prevention
– Identification & Authentication
– Spam Filtering
– Portable & Remote Computing
– System Communications Protection

Detect
– Malware Protection
– Vulnerability Assessment
– Security Monitoring and Event Analysis

Respond
– Cyber-Security Incident Response
– Privacy Incident Response

Recover
– Disaster Recovery Procedures

Agency Security Plans

• Objective-based
• Uniform understanding of agency security program maturity using a traditional maturity model

Maturity Level – DIR Description – Keywords

0 – There is no evidence of the organization meeting the objective. – None, Nonexistent

1 – The organization has an ad hoc, inconsistent, or reactive approach to meeting the objective. – Ad-hoc, Initial

2 – The organization has a consistent overall approach to meeting the objective, but it is still mostly reactive and undocumented. The organization does not routinely measure or enforce policy compliance. – Managed, Consistent, Repeatable

3 – The organization has a documented, detailed approach to meeting the objective, and regularly measures its compliance. – Compliant, Defined

4 – The organization uses an established risk management framework to measure and evaluate risk and integrate improvements beyond the requirements of applicable regulations. – Risk-Based, Managed

5 – The organization has refined its standards and practices, focusing on ways to improve its capabilities in the most efficient and cost-effective manner. – Efficient, Optimized, Economized

2013 Nationwide Cyber Security Review

NCSR
• 2013 review is the second national survey of state, local, tribal and territorial (SLTT) governments
• First review conducted in 2011
• Cybersecurity maturity self assessment
• 304 total participants including all 50 states

Developed by…


Framework / Methodology for Security Program and Controls

Which control frameworks and/or security methodologies are your organization's information security controls based on? (Select all that apply)

Texas Administrative Code, Chapter 202 is currently under revision to a FISMA / NIST 800-53 structure.


Top Identified Security Concerns

Texas top identified security concern (from Security Assessment findings):
• Almost all assessed agencies appear not to have sufficient resources to support minimum security-related activities

Maturity Comparison

Previous NCSR – 12 Control Areas
• Ad-Hoc
  – Not Performed
  – Performed but undocumented / unstructured
• Documentation
  – Documented Policy
  – Documented Standards / Procedures
• Risk Aware Managed
  – Risk Measured
  – Risk Treated
  – Risk Validated

NIST Cyber Security Framework (CSF) – 90 Subcategories
Proposed Maturity:
• Not performed
• Performed but undocumented
• Risk Assessment performed, not implementing
• Documented in Policy or Business Case
• Policies and Procedures plus Standards are all defined
• Procedures and Standards defined; Implementation in process
• Tested and verified
• Measured and repeatable (continuously improved)

Gartner – 17 Control Areas
• Level 1: Initial / Ad Hoc
• Level 2: Developing / Reactive
• Level 3: Defined / Proactive
• Level 4: Managed
• Level 5: Optimized

Texas Agency Security Plan – 40 Control Objectives
• Level 0: None, Nonexistent
• Level 1: Ad-hoc, Initial
• Level 2: Managed, Consistent, Repeatable
• Level 3: Compliant, Defined
• Level 4: Risk-Based, Managed
• Level 5: Efficient, Optimized, Economized

Agency Security Plan Observations

Overview of Maturity: bar chart of Percentage of Agencies (0% to 50%) by Maturity Level (Nonexistent, Ad-hoc, Managed, Compliant, Risk-Based, Efficient)

Observations – Size Matters

Maturity by Entity Size: chart of average Maturity (0 to 3) by Size – FTE Count (Under 50 FTEs, Medium, Over 1000 FTEs)

A Layer Below the Surface

Statewide Average by Program Area (maturity level on the 0–5 scale):
• Identify 2.37
• Protect 2.52
• Detect 2.78
• Respond 2.32
• Recover 3.00

Maturity level keywords: 0 None, Nonexistent; 1 Ad-hoc, Initial; 2 Managed, Consistent, Repeatable; 3 Compliant, Defined; 4 Risk-Based, Managed; 5 Efficient, Optimized, Economized

Highlights and Roadmap Improvements

Successes to Build Upon / Areas for Improvement:
• Spam Filtering
• Data Loss Prevention
• Account Management
• Disaster Recovery
• Secure System Services, Acquisition and Development
• Security Systems Management
• Cloud Usage and Security

A Look to the Future


Planning – Strategy - Governance


Hierarchy of Cybersecurity Needs (from the base up)

• Security Essentials
• Risk Based Security
• Security Intelligence

Security Operations and Services

Objective 1 - Establish an Enterprise Managed Security Services Provider (MSSP) and Multisourcing Service Integrator (MSI) model to provide key security operations for statewide program and agency functions.

Objective 2 – Identify and protect from cybersecurity threats against Texas information resources (Identify / Protect).

Objective 3 - Detect cyber attacks and identify attack campaigns launched against Texas information resources and critical infrastructure (Detect).

Security Intelligence and Analysis

Vocabulary for Event Recording and Incident Sharing (VERIS)

Actors
• External
• Internal
• Partner

Actions
• Malware
• Hacking
• Social
• Misuse
• Physical
• Error
• Environmental

Attributes
• Confidentiality
• Integrity
• Availability

Assets
• Variety
• Ownership
• Management
• Hosting
• Accessibility
• Cloud
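As an added example (not code from the presentation), the script below takes a handful of constructed VERIS-style incident records, tallies them along the four A's listed above, and derives the two benchmark figures quoted earlier in the deck (share of incidents discovered by an external party, and mean dwell time). The record layout is a simplification assumed for illustration, not the official VERIS schema.

```python
"""Benchmark VERIS-style incident records along the four A's (added example)."""
from collections import Counter
from statistics import mean

# Constructed sample records; every id, value and number is made up.
# Field names loosely follow VERIS but are an assumed simplification.
INCIDENTS = [
    {"id": "inc-1", "actor": ["external"], "action": ["hacking", "malware"],
     "attribute": ["confidentiality"], "asset": ["server"],
     "discovered_by": "external", "dwell_days": 300},
    {"id": "inc-2", "actor": ["internal"], "action": ["misuse"],
     "attribute": ["confidentiality", "integrity"], "asset": ["database"],
     "discovered_by": "internal", "dwell_days": 45},
    {"id": "inc-3", "actor": ["external"], "action": ["social", "hacking"],
     "attribute": ["confidentiality"], "asset": ["user device"],
     "discovered_by": "external", "dwell_days": 210},
    {"id": "inc-4", "actor": ["partner"], "action": ["error"],
     "attribute": ["availability"], "asset": ["server"],
     "discovered_by": "external", "dwell_days": 3},
]

A4 = ("actor", "action", "attribute", "asset")


def a4_counts(incidents):
    """Count how often each enumeration value appears on each A4 axis.
    An incident listing two actions is counted once under each of them."""
    counts = {axis: Counter() for axis in A4}
    for inc in incidents:
        for axis in A4:
            counts[axis].update(set(inc.get(axis, [])))
    return counts


def external_discovery_share(incidents):
    """Fraction of incidents first surfaced by an outside party."""
    if not incidents:
        return 0.0
    hits = sum(1 for inc in incidents if inc["discovered_by"] == "external")
    return hits / len(incidents)


def mean_dwell_days(incidents):
    """Average days between compromise and discovery."""
    return mean(inc["dwell_days"] for inc in incidents) if incidents else 0.0


if __name__ == "__main__":
    for axis, tally in a4_counts(INCIDENTS).items():
        print(axis, dict(tally.most_common()))
    print(f"discovered externally: {external_discovery_share(INCIDENTS):.0%}")
    print(f"mean dwell time: {mean_dwell_days(INCIDENTS):.1f} days")
```

Fed with a real VERIS export, the same three functions give an agency the per-axis profile it needs to compare itself against the published industry figures.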

Coordination – Collaboration – Outreach

Objective 1 - Establish a statewide cybersecurity coordination and collaboration platform (HSIN).

Objective 2 - Enable regional cybersecurity response coordination.

Objective 3 - Coordinate statewide cybersecurity exercises and preparedness.

Objective 4 – Coordinate the information sharing among the state’s key entities.

Objective 5 – Establish a competent and capable cybersecurity workforce supply.

Thank You

Regardless of industry vertical, we’re not all that different:
• Similar Risks
• Similar Attackers
• Similar Solutions
• Similar Customers

What you can’t see might be killing you:
• Benchmark and compare
• Stay curious, question everything
• Data doesn’t lie, but it may hide the truth. But without it, everything may be hiding.