cybersecurity in government: strategy, collaboration, and compliance
TRANSCRIPT
-
8/13/2019 Cybersecurity in Government: Strategy, Collaboration, and Compliance
Cybersecurity in Government: Strategy, Collaboration, and Compliance
Stephen Cobb, CISSP
Senior Security Researcher
-
Q1: Which one of these are you?
State government employee
Federal government employee
Local government employee
Service provider to government
None of the above
-
Some sobering stats
92%: State officials who feel cybersecurity is very important for the state
24%: CISOs who are very confident they can protect state's assets against external threats
2012 Deloitte-NASCIO Cybersecurity Study
-
Top 5 barriers to addressing cybersecurity
2012 Deloitte-NASCIO Cybersecurity Study
-
Plan of attack
What data are we talking about?
What are the risks?
How do we address risks?
What strategies can we apply to achieve success?
-
What data are we talking about?
Tax records, personal and business
  Not the ones that are published
Medical records
  Employees, state programs, clinics
Motor vehicle records
Personally Identifiable Information
  PII of all kinds, notably SS#s, financial
-
All PII is fair game for bad guys
Name, Address, Social, Mobile, Etc.
Tax, Health, Other Info
Payment Info
-
What are the risks?
Identity theft and financial fraud
  Based on stolen data
Loss of IT functionality
  Due to denial of service, file corruption or deletion, data ransoming, DNS hacks
Fallout from the above and/or negative compliance/audit reports
-
What motivates bad actors
IMPACT
ADVANTAGE
MONEY
CREDENTIALS
-
How do they operate?
-
Popular Attack Technique
User clicks link
Goes to compromised site
Gets infected/owned
Malware server
Command & Control
-
Access to victim machine
Search and exfiltrate files
Use network connections
Access to webcam and audio
Passwords, system functions
Victim chat
-
What happens next?
-
How do we address risks?
Catalog data and systems at risk
Name and prioritize risks
Outline threat vectors
Describe controls to be applied
Make sure policies are in place
Document each step of the way
Assess yourself and share wins
-
PII protection steps: risk
PII is on server A, clearly a target
Main risk is theft or loss of data
Secondary risk is denial of access to data
Threat actors could be internal or external
-
Q2: Which of the following may be considered PII?
Social Security number
Email address
Face
Date of birth
All of the above
-
PII protection steps: vectors
Which systems have access to server A?
Which users have access to those systems?
Can those systems be reached from the public Internet?
Are users uniquely identified?
-
PII protection steps: controls
Strong authentication (2FA)
Firewalling and filtering
Anti-malware scanning at endpoints and on servers
Encryption at rest and in transit
Logging of all activity and regular review of logs
-
PII protection steps: policy
Is all of this spelled out in policy?
Controls are mandated, behaviors prescribed and proscribed
  E.g. You will use two-factor authentication; sharing of credentials forbidden; inactivity timeouts set
Penalties made clear
-
PII protection steps: docs
Government entities are subject to audit, inspection, investigation
Auditors want documentation
For example, a breach of unencrypted PII is bad
No documented risk assessment addressing PII encryption is worse
-
Across all cybersecurity efforts
Assess yourself, before auditors do
Fix problems
Share wins
Make friends
-
Strategies for success
If you are responsible for protecting government IT systems:
Don't panic, you are not alone
Network with others, at all levels, inside government, and out
  ISSA, ISACA, (ISC)², IAPP
  MS-ISAC, NASCIO
-
Compliance as leverage
Bosses may not like security
But everyone hates bad grades
Hard to avoid oversight
  From FISMA to state auditors
-
If all else fails
Try fear of headlines
-
Leverage what works
Consider sharing services across departments, agencies
  Identity management
  Forensics
  Threat intelligence
-
Thank you! [email protected]
WeLiveSecurity.com
www.eset.com