
The State of the State of Cybersecurity

December 12, 2014

Agenda

• Global View

• Headlines and the General State of the Falling Sky

• Texas View

• What We Knew – Security Assessment findings

• What We Now Can See

• Where Do We Go From Here

• Preview of the 2015-2020 Statewide Cybersecurity Strategy

When it rains…


The World Around Us

• 63% of victim organizations are made aware by external entities

• Attackers spend an estimated 243 days on a victim network before they are discovered (down 173 days from 2011)


Commonalities and Comparable Traits

(Diagram, repeated for Industry, Government and Individual Agencies: each is shown with the same elements – Attackers; Security Capabilities; Technology, Data and People.)

Web Application Attack Detections – Financially Motivated

(Chart)

Web Application Attacks – Ideologically Motivated

(Chart)

Motivations, Targets and Objectives

• Financial Motivations

– Credit Cards – Direct Conversion

– Identity Information (PII) – Indirect Conversion

– Health Information (PHI) – Indirect Conversion

• Mayhem, Activism and Reputation

• Espionage

(Reuters) - Your medical information is worth 10 times more than your credit card number on the black market.

Let’s Talk About


Security Assessment Benchmark

Security Assessments Conducted 2011 through 2014

*Approximately 40 Agencies – Over 80% of State FTEs

(Radar chart, scale 1–5, plotting the Due Diligence Standard against the State of the State across the assessment areas: App Security, Vulnerability Mgmt, Availability, PKI-Encryption, Change Mgmt, Physical Security, Confidentiality, Network Zones, Network Perimeters, Monitoring, Mobile Security, Malware, Endpoint Admission, Governance, Host Security, Integrity, Access Mgmt.)

Maturity Level Definitions (Source: Gartner)

Level 1: Initial/Ad Hoc

Level 2: Developing/Reactive

Level 3: Defined/Proactive

Level 4: Managed

Level 5: Optimized

7 Trends Identified

1. IT staffing challenges

2. Data classification

3. Security governance / awareness

4. Identity and access management standardization

5. Security in software development

6. Consistent event monitoring and analysis

7. Internal network segmentation

The Texas Cybersecurity Framework

• Agency Security Plan Template – Implemented in January 2014

• Vendor Product / Service Template – Implemented in March 2014

• Updated Texas Administrative Code Ch. 202 – Currently Draft; Publish February 2015

• Security Control Standards Catalog – Currently Draft; Publish February 2015

• Guidelines and Whitepapers – Ongoing effort

• Governance, Risk and Compliance Solution – To be complete Fall 2015

Agency Security Plans

• 40 security objectives defined

• Aligned to “Framework for Improving Critical Infrastructure Cybersecurity” released by NIST in February 2014

• Responsive to SB 1134 (Ellis) and SB 1597 (Zaffirini)

FUNCTIONAL AREAS: Identify, Protect, Detect, Respond, Recover

SECURITY OBJECTIVES

– Privacy and Confidentiality

– Data Classification

– Critical Information Asset Inventory

– Enterprise Security Policy, Standards and Guidelines

– Control Oversight and Safeguard Assurance

– Information Security Risk Management

– Security Oversight and Governance

– Security Compliance and Regulatory Requirements Management

– Cloud Usage and Security

– Security Assessment and Authorization / Technology Risk Assessments

– External Vendors and Third Party Providers

– Enterprise Architecture, Roadmap & Emerging Technology

– Secure System Services, Acquisition and Development

– Security Awareness and Training

– Privacy Awareness and Training

– Cryptography

– Secure Configuration Management

– Change Management

– Contingency Planning

– Media

– Physical Environmental Protection

– Personnel Security

– Third-Party Personnel Security

– System Configuration Hardening & Patch Management

– Access Control

– Account Management

– Security Systems Management

– Network Access and Perimeter Controls

– Internet Content Filtering

– Data Loss Prevention

– Identification & Authentication

– Spam Filtering

– Portable & Remote Computing

– System Communications Protection

– Malware Protection

– Vulnerability Assessment

– Security Monitoring and Event Analysis

– Cyber-Security Incident Response

– Privacy Incident Response

– Disaster Recovery Procedures


Agency Security Plans

• Objective-based

• Uniform understanding of agency security program maturity using a traditional maturity model

Maturity Levels – DIR Description (Keywords)

Level 0 (None, Nonexistent): There is no evidence of the organization meeting the objective.

Level 1 (Ad-hoc, Initial): The organization has an ad hoc, inconsistent, or reactive approach to meeting the objective.

Level 2 (Managed, Consistent, Repeatable): The organization has a consistent overall approach to meeting the objective, but it is still mostly reactive and undocumented. The organization does not routinely measure or enforce policy compliance.

Level 3 (Compliant, Defined): The organization has a documented, detailed approach to meeting the objective, and regularly measures its compliance.

Level 4 (Risk-Based, Managed): The organization uses an established risk management framework to measure and evaluate risk and integrate improvements beyond the requirements of applicable regulations.

Level 5 (Efficient, Optimized, Economized): The organization has refined its standards and practices focusing on ways to improve its capabilities in the most efficient and cost-effective manner.

Agency Security Plan Observations

(Chart: Overview of Maturity – share of agencies at each maturity level; x-axis Maturity Levels: Nonexistent, Ad-hoc, Managed, Compliant, Risk-Based, Efficient; y-axis 0%–50%.)

Observations – Size Matters

(Chart: Maturity by Entity Size – average maturity, y-axis 0–3; x-axis Size – FTE Count: Under 50 FTEs, Medium, Over 1000 FTEs.)

Effect of External Regulations

(Chart: Maturity by Article – average maturity, y-axis 0–3; x-axis Article Number 1–8.)

Article – Description – External Regulations

Article 1 – General Government – Varies

Article 2 – Health and Human Services – HIPAA, CJIS, IRS, SSA

Article 3 – Education – FERPA

Article 4 – Judicial – CJIS

Article 5 – Public Safety and Criminal Justice – CJIS

Article 6 – Natural Resources – Varies

Article 7 – Business and Economic Development – Varies

Article 8 – Regulatory – Varies

A Layer Below the Surface

Statewide Average by Area (radar chart, scale 0.00–5.00)

Identify: 2.37

Protect: 2.52

Detect: 2.78

Respond: 2.32

Recover: 3.00

Highlights and Roadmap Improvements

Successes to Build Upon

• Spam Filtering

• Account Management

• Disaster Recovery

• Security Systems Management

Areas for Improvement

• Data Loss Prevention

• Secure System Services, Acquisition and Development

• Cloud Usage and Security

A Look to the Future


Framework Lifecycle


Security Personnel

IT Classifications (salary groups)

Systems Analyst I, Network Specialist I, Programmer I – B16, B17

Systems Analyst II, Network Specialist II, Web Administrator I, Programmer II – B18, B19

Systems Analyst III, Network Specialist III, Web Administrator II, Programmer III – B20, B21

Systems Analyst IV, Network Specialist IV, Web Administrator III, Programmer IV – B22, B23

Systems Analyst V, Network Specialist V, Web Administrator IV, Programmer V – B24, B25

Systems Analyst VI, Network Specialist VI, Web Administrator V, Programmer VI – B26, B27

IT Security Classifications (salary group)

Information Technology Security Analyst I – B23

Information Technology Security Analyst II – B25

Information Technology Security Analyst III – B27

New Security Classifications (salary group)

Cybersecurity Analyst I – B25

Cybersecurity Analyst II – B27

Cybersecurity Analyst III – B29

Information Security Officer / Cybersecurity Officer – B30

Chief Information Security Officer – *B31

Education, Communication and Awareness

Objective 1 - Establish and expand the Texas Infosec Academy to provide the state’s security personnel the knowledge needed to deliver agency security programs.

• NICCS Core Security Professionals Courses

– 6 Career Tracks

• CISO Strategic Course

– Budget, Strategy, Executive Communication, Leadership

• Certification Exam Preparation Courses

– CISSP, CISM, CEH, CISA

• Texas Cybersecurity Framework Training

– TAC 202 and Security Control Standards

• RSA Archer eGRC Training

– Incident Reporting and Analysis

– Agency Security Plans and Risk Management

• Platform for exercises

– Tabletop Incident Response Scenarios

– Red Team / Blue Team - detection and active response

– Statewide coordination exercises

– Participation in national readiness such as Cyber Storm

Education, Communication and Awareness

Objective 2 - Deliver high quality communication products and events that provide valued information to security personnel, partners and stakeholders throughout the state.


Security Operations and Services

Objective 1 - Establish an Enterprise Managed Security Services Provider (MSSP) and Multisourcing Service Integrator (MSI) model to provide key security operations for statewide program and agency functions.

Objective 2 – Identify and protect from cybersecurity threats against Texas information resources (Identify / Protect).

Objective 3 - Detect cyber attacks and identify attack campaigns launched against Texas information resources and critical infrastructure (Detect).

Coordination – Collaboration – Outreach

Objective 1 - Establish a statewide cybersecurity coordination and collaboration platform (HSIN).

Objective 2 - Enable regional cybersecurity response coordination.

Objective 3 - Coordinate statewide cybersecurity exercises and preparedness.

Objective 4 – Coordinate the information sharing among the state’s key entities.

Objective 5 – Establish a competent and capable cybersecurity workforce supply.


Thank You
