Cybersecurity: Our Shared Responsibility

Cybersecurity Shared Responsibility
• You can build the Great Wall of China
  – But it only takes one person to open the gate and let the enemy in
• The People and Process Gap

We Are at War
Sun Tzu says he will win:
1. Who prepares
2. Who knows when to fight and when not to fight
3. Who knows how to handle both superior forces and inferior forces
4. Whose army is animated by the same spirit throughout all its ranks
5. Who has military capacity and is not interfered with by the sovereign

Preparing for Battle
• Start thinking now, before an incident
• Preparation is not a one-time thing
  – Educate yourself
  – Educate your employees
  – Constant improvement to your defenses
• Education: The Price is Right!
  – SANS “Securing the Human”
  – NACO Cyber Guidebook
  – DHS Stop.Think.Connect.

Preparing for Battle
• Ignoring cyber security is like never going to the doctor so that he can never tell you that you are sick.

Quick Training
• Don’t pick up random USB sticks and plug them into your computer
  – You wouldn’t randomly eat gum off the street, right?
  – That’s how Stuxnet ruined 1/5th of Iran’s nuclear centrifuges.

Preparing for Battle
• Identify your Cyber Security Team
  – Not solely the IT person’s responsibility
• Confidence gap in protecting against threats
  – National Association of State CIOs survey says:
    • 60% of State Officials are Extremely Confident
    • 24% of State Security Officers are Extremely Confident
  – Improve communication
• Utilize outside resources
  – NACO, MS-ISAC, SANS, DHS

Preparing for Battle
The State of Iowa provides the SANS “Securing the Human” program at no charge. This is an excellent self-paced training program comprised of 4 to 5 minute training videos.
Contact Alison Radl with DAS at Alison.radl@iowa.gov

Know When to Fight
• Resources are limited
  – Time
  – Money
• Easy to implement and highly effective security: Center for Internet Security Cyber Hygiene Campaign
  • Know what is connected to your network
  • Implement key security settings (password policy)
  • Limit and manage admin privileges
  • Keep operating systems and applications up to date
  • Repeat!
• Find your most critical assets and protect them first

Know What to Fight
• What is valuable to the enemy?
• Not only can they try and steal your data, but they can encrypt your files so you lose your data (Ransomware).

Know What to Fight
• Social Engineering Attacks
  – Baiting: irritate or taunt someone into a response
  – Phishing: trick you into giving up information
  – Pretexting: a lie based on research to get data from you
  – Quid Pro Quo: a scam where the bad guy “helps” you with an issue but gains access to your data
  – Tailgating: gaining physical access to an area by following someone into the facility

How to Handle Your (Inferior) Forces
• In the Cybersecurity war, we have inferior forces
  – No agency can protect at 100%
  – Cyber criminals only need 1 win to get your data
• Requires everyone working together
• Requires everyone to stay safe online
• Criminals are usually lazy and attack the “low hanging fruit”

Animated by the Same Spirit
• Elected Officials and Department Heads
  – Set a good example
  – Learn
  – Educate
  – Practice
  – Promote

Provide Capacity and Don’t Interfere
• Internally
  – Budget for Cybersecurity initiatives
  – Listen to your Cybersecurity TEAM
  – Follow the policies and procedures that have been established to keep you safe
• Externally
  – Be cautious with vendors
    • Don’t give them anytime remote access with full admin privileges for their convenience
    • Demand better security from them

Thank you for attending!

Joel Rohne
IT/GIS Director, Worth County
Joel.rohne@worthcounty.org
(641) 324-3668

Micah Van Maanen
IT Director, Sioux County
micahvm@siouxcounty.org
(712) 737-6818
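The “Know When to Fight” slide lists the Center for Internet Security Cyber Hygiene steps (know what is connected, limit admin privileges, keep systems up to date) without showing what checking them looks like in practice. The script below is an added example written for this page, not material from the presentation, the CIS campaign, or either county: it reconciles a constructed DHCP lease log against a constructed asset inventory to find unknown devices, compares local Administrators group membership against an allowlist (which also surfaces the kind of standing vendor admin account the last slide warns about), and flags hosts below a minimum OS build. All hostnames, MAC addresses, account names, build numbers and log lines are made up, and the log format is assumed to be ISC dhcpd-style syslog output.

```python
"""Added example: three small Cyber Hygiene checks over constructed data.
Nothing here touches a live network; every input is an inline sample."""
import re
from dataclasses import dataclass

# --- Constructed sample data (hypothetical; not from any real network) ---

# Asset inventory: MAC address -> (hostname, owning department)
INVENTORY = {
    "00:11:22:33:44:01": ("ASSESSOR-PC1", "Assessor"),
    "00:11:22:33:44:02": ("TREASURER-PC1", "Treasurer"),
    "00:11:22:33:44:03": ("GIS-WS1", "IT/GIS"),
}

# Constructed lease log lines in an ISC dhcpd-style syslog format.
# The last line deliberately has no hostname, as a device can omit one.
DHCP_LOG = """\
Mar  3 08:01:12 dhcp dhcpd: DHCPACK on 10.10.5.21 to 00:11:22:33:44:01 (ASSESSOR-PC1) via eth0
Mar  3 08:02:40 dhcp dhcpd: DHCPACK on 10.10.5.22 to 00:11:22:33:44:02 (TREASURER-PC1) via eth0
Mar  3 08:15:03 dhcp dhcpd: DHCPACK on 10.10.5.77 to aa:bb:cc:dd:ee:ff (android-9f2c) via eth0
Mar  3 09:30:55 dhcp dhcpd: DHCPACK on 10.10.5.78 to 00:de:ad:be:ef:01 via eth0
"""

# Local Administrators group members per host (constructed) and the set of
# accounts that are allowed to hold local admin rights.
LOCAL_ADMINS = {
    "ASSESSOR-PC1": {"it-admin", "jdoe"},
    "TREASURER-PC1": {"it-admin"},
    "GIS-WS1": {"it-admin", "gis-admin", "vendor-support"},
}
ADMIN_ALLOWLIST = {"it-admin", "gis-admin"}

# OS build per host (constructed values) and the minimum acceptable build.
OS_BUILDS = {
    "ASSESSOR-PC1": "10.0.19045",
    "TREASURER-PC1": "10.0.19044",
    "GIS-WS1": "10.0.19045",
}
MINIMUM_BUILD = "10.0.19045"

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<name>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    name: str  # empty string when the client sent no hostname


def parse_dhcp_log(text):
    """Extract (ip, mac, hostname) from DHCPACK lines; other lines are ignored."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["name"] or ""))
    return leases


def unknown_devices(leases, inventory):
    """'Know what is connected': leases whose MAC is not in the inventory."""
    return [lease for lease in leases if lease.mac not in inventory]


def excess_admins(local_admins, allowlist):
    """'Limit and manage admin privileges': admin members outside the allowlist."""
    return {
        host: sorted(members - allowlist)
        for host, members in local_admins.items()
        if members - allowlist
    }


def _build_tuple(version):
    return tuple(int(part) for part in version.split("."))


def outdated_hosts(builds, minimum):
    """'Keep operating systems up to date': hosts below the minimum build."""
    floor = _build_tuple(minimum)
    return sorted(host for host, build in builds.items() if _build_tuple(build) < floor)


def hygiene_report():
    """Run all three checks over the constructed data and return the findings."""
    leases = parse_dhcp_log(DHCP_LOG)
    return {
        "unknown_devices": [(l.ip, l.mac, l.name) for l in unknown_devices(leases, INVENTORY)],
        "excess_admins": excess_admins(LOCAL_ADMINS, ADMIN_ALLOWLIST),
        "outdated_hosts": outdated_hosts(OS_BUILDS, MINIMUM_BUILD),
    }


if __name__ == "__main__":
    for check, findings in hygiene_report().items():
        print(f"{check}: {findings}")
```

Each finding maps back to a slide: the two unknown MACs are devices nobody inventoried, the `jdoe` and `vendor-support` entries are admin rights that should be reviewed or removed, and the one outdated host is what “keep operating systems up to date” and “Repeat!” are about. In a real deployment the inventory and admin membership would be exported from the directory or endpoint management tool rather than typed inline.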