DECEMBER 12, 2014
• Global View
• Headlines and the General State of the Falling Sky
• Texas View
• What We Knew – Security Assessment findings
• What We Now Can See
• Where Do We Go From Here
• Preview of the 2015-2020 Statewide Cybersecurity Strategy
• 63% of victim organizations are made aware by external entities
• Attackers spend an estimated 243 days on a victim network before they are discovered (down 173 days from 2011)
Commonalities and Comparable Traits
(Diagram: Attackers; Security Capabilities; Technology; Data; People)
(Chart) Web Application Attack Detections - Financially Motivated
(Chart) Web Application Attacks - Ideologically Motivated
• Financial Motivations
  Credit Cards – Direct Conversion
  Identity Information (PII) – Indirect Conversion
  Health Information (PHI) – Indirect Conversion
• Mayhem, Activism and Reputation
• Espionage
(Reuters) - Your medical information is worth 10 times more than your credit card number on the black market.
Security Assessments Conducted 2011 through 2014
*Approximately 40 Agencies – Over 80% of State FTEs
(Radar chart: State of the State vs. Due Diligence Standard, maturity level 1-5 per area: App Security, Vulnerability Mgmt, Availability, PKI/Encryption, Change Mgmt, Physical Security, Confidentiality, Network Zones, Network Perimeters, Monitoring, Mobile Security, Malware, Endpoint Admission, Governance, Host Security, Integrity, Access Mgmt)
Maturity Level Definitions (Source: Gartner)
Level 1: Initial/Ad Hoc
Level 2: Developing/Reactive
Level 3: Defined/Proactive
Level 4: Managed
Level 5: Optimized
1. IT staffing challenges
2. Data classification
3. Security governance / awareness
4. Identity and access management standardization
5. Security in software development
6. Consistent event monitoring and analysis
7. Internal network segmentation
• Agency Security Plan Template: Implemented in January 2014
• Vendor Product / Service Template: Implemented in March 2014
• Updated Texas Administrative Code Ch. 202: Currently Draft - Publish February 2015
• Security Control Standards Catalog: Currently Draft - Publish February 2015
• Guidelines and Whitepapers: Ongoing effort
• Governance, Risk and Compliance Solution: To be complete Fall 2015
• 40 security objectives defined
• Aligned to “Framework for Improving Critical Infrastructure Cybersecurity” released by NIST in February 2014
• Responsive to SB 1134 (Ellis) and SB 1597 (Zaffirini)
FUNCTIONAL AREA (Identify / Protect / Detect / Respond / Recover) and SECURITY OBJECTIVE
– Privacy and Confidentiality
– Data Classification
– Critical Information Asset Inventory
– Enterprise Security Policy, Standards and Guidelines
– Control Oversight and Safeguard Assurance
– Information Security Risk Management
– Security Oversight and Governance
– Security Compliance and Regulatory Requirements Management
– Cloud Usage and Security
– Security Assessment and Authorization / Technology Risk Assessments
– External Vendors and Third Party Providers
– Enterprise Architecture, Roadmap & Emerging Technology
– Secure System Services, Acquisition and Development
– Security Awareness and Training
– Privacy Awareness and Training
– Cryptography
– Secure Configuration Management
– Change Management
– Contingency Planning
– Media
– Physical Environmental Protection
– Personnel Security
– Third-Party Personnel Security
– System Configuration Hardening & Patch Management
– Access Control
– Account Management
– Security Systems Management
– Network Access and Perimeter Controls
– Internet Content Filtering
– Data Loss Prevention
– Identification & Authentication
– Spam Filtering
– Portable & Remote Computing
– System Communications Protection
– Malware Protection
– Vulnerability Assessment
– Security Monitoring and Event Analysis
– Cyber-Security Incident Response
– Privacy Incident Response
– Disaster Recovery Procedures
• Objective-based
• Uniform understanding of agency security program maturity using traditional maturity model
MATURITY LEVEL / DIR DESCRIPTION / KEYWORDS
Level 0: There is no evidence of the organization meeting the objective. (None, Nonexistent)
Level 1: The organization has an ad hoc, inconsistent, or reactive approach to meeting the objective. (Ad-hoc, Initial)
Level 2: The organization has a consistent overall approach to meeting the objective, but it is still mostly reactive and undocumented. The organization does not routinely measure or enforce policy compliance. (Managed, Consistent, Repeatable)
Level 3: The organization has a documented, detailed approach to meeting the objective, and regularly measures its compliance. (Compliant, Defined)
Level 4: The organization uses an established risk management framework to measure and evaluate risk and integrate improvements beyond the requirements of applicable regulations. (Risk-Based, Managed)
Level 5: The organization has refined its standards and practices focusing on ways to improve its capabilities in the most efficient and cost-effective manner. (Efficient, Optimized, Economized)
(Bar chart: Overview of Maturity. Share of agencies (0%-50%) at each maturity level: Nonexistent, Ad-hoc, Managed, Compliant, Risk-Based, Efficient)
(Bar chart: Maturity by Entity Size. Average maturity (0-3) by size in FTE count: Under 50 FTEs, Medium, Over 1000 FTEs)
(Bar chart: Maturity by Article. Average maturity (0-3) by Article Number 1-8)
Article / Description / External Regulations
1: General Government / Varies
2: Health and Human Services / HIPAA, CJIS, IRS, SSA
3: Education / FERPA
4: Judicial / CJIS
5: Public Safety and Criminal Justice / CJIS
6: Natural Resources / Varies
7: Business and Economic Development / Varies
8: Regulatory / Varies
STATEWIDE AVERAGE BY AREA
(Radar chart, scale 0.00-5.00)
Identify: 2.37
Protect: 2.52
Detect: 2.78
Respond: 2.32
Recover: 3.00
Highlights and Roadmap Improvements
Successes to Build Upon
• Spam Filtering
• Account Management
• Disaster Recovery
• Security Systems Management
Areas for Improvement
• Data Loss Prevention
• Secure System Services, Acquisition and Development
• Cloud Usage and Security
IT Classifications (salary group)
Systems Analyst I, Network Specialist I: B16
Programmer I: B17
Systems Analyst II, Network Specialist II, Web Administrator I: B18
Programmer II: B19
Systems Analyst III, Network Specialist III, Web Administrator II: B20
Programmer III: B21
Systems Analyst IV, Network Specialist IV, Web Administrator III: B22
Programmer IV: B23
Systems Analyst V, Network Specialist V, Web Administrator IV: B24
Programmer V: B25
Systems Analyst VI, Network Specialist VI, Web Administrator V: B26
Programmer VI: B27
IT Security Classifications
Information Technology Security Analyst I: B23
Information Technology Security Analyst II: B25
Information Technology Security Analyst III: B27
New Security Classifications
Cybersecurity Analyst I: B25
Cybersecurity Analyst II: B27
Cybersecurity Analyst III: B29
Information Security Officer / Cybersecurity Officer: B30
Chief Information Security Officer: *B31
Objective 1 - Establish and expand the Texas Infosec Academy to provide the state’s security personnel the knowledge needed to deliver agency security programs.
• NICCS Core Security Professionals Courses: 6 Career Tracks
• CISO Strategic Course: Budget, Strategy, Executive Communication, Leadership
• Certification Exam Preparation Courses: CISSP, CISM, CEH, CISA
• Texas Cybersecurity Framework Training: TAC 202 and Security Control Standards
• RSA Archer eGRC Training: Incident Reporting and Analysis; Agency Security Plans and Risk Management
• Platform for exercises: Tabletop Incident Response Scenarios; Red Team / Blue Team - detection and active response; Statewide coordination exercises; Participation in national readiness such as Cyber Storm
Objective 2 - Deliver high quality communication products and events that provide valued information to security personnel, partners and stakeholders throughout the state.
Objective 1 - Establish an Enterprise Managed Security Services Provider (MSSP) and Multisourcing Service Integrator (MSI) model to provide key security operations for statewide program and agency functions.
Objective 2 – Identify and protect from cybersecurity threats against Texas information resources (Identify / Protect).
Objective 3 - Detect cyber attacks and identify attack campaigns launched against Texas information resources and critical infrastructure (Detect).
Coordination – Collaboration – Outreach
Objective 1 - Establish a statewide cybersecurity coordination and collaboration platform (HSIN).
Objective 2 - Enable regional cybersecurity response coordination.
Objective 3 - Coordinate statewide cybersecurity exercises and preparedness.
Objective 4 – Coordinate the information sharing among the state’s key entities.
Objective 5 – Establish a competent and capable cybersecurity workforce supply.