Transcript Presentation

The State of the State of Cybersecurity
DECEMBER 12, 2014
Agenda
• Global View
• Headlines and the General State of the Falling Sky
• Texas View
• What We Knew – Security Assessment findings
• What We Now Can See
• Where Do We Go From Here
• Preview of the 2015-2020 Statewide Cybersecurity Strategy
2
When it rains…
3
The World Around Us
• 63% of victim organizations are made aware by external entities
• Attackers spend an estimated 243 days on a victim network before they are discovered (down 173 days from 2011)
4
Commonalities and Comparable Traits – Industry
(Diagram: Attackers, Security Capabilities, Technology, Data, People)
5
Commonalities and Comparable Traits – Government
(Diagram: Attackers, Security Capabilities, Technology, Data, People)
6
Commonalities and Comparable Traits – Individual Agencies
(Diagram: Attackers, Security Capabilities, Technology, Data, People)
7
Commonalities and Comparable Traits – Security Capabilities
8
Web Application Attack Detections – Financially Motivated
9
Web Application Attacks – Ideologically Motivated
10
Motivations, Targets and Objectives
• Financial Motivations
– Credit Cards – Direct Conversion
– Identity Information (PII) – Indirect Conversion
– Health Information (PHI) – Indirect Conversion
• Mayhem, Activism and Reputation
• Espionage
(Reuters) - Your medical information is worth 10 times more than your credit card number on the black market.
11
Let’s Talk About
12
Security Assessment Benchmark
Security Assessments Conducted 2011 through 2014
*Approximately 40 Agencies – Over 80% of State FTEs
(Chart: Due Diligence Standard vs. State of the State, maturity level 1 to 5, across the assessment areas: App Security, Vulnerability Mgmt, Availability, PKI - Encryption, Change Mgmt, Physical Security, Confidentiality, Network Zones, Endpoint Admission, Network Perimeters, Governance, Monitoring, Mobile Security, Host Security, Access Mgmt, Malware, Integrity)
Maturity Level Definitions
Level 1: Initial/Ad Hoc
Level 2: Developing/Reactive
Level 3: Defined/Proactive
Level 4: Managed
Level 5: Optimized
Source: Gartner
13
7 Trends Identified
1. IT staffing challenges
2. Data classification
3. Security governance / awareness
4. Identity and access management standardization
5. Security in software development
6. Consistent event monitoring and analysis
7. Internal network segmentation
14
The Texas Cybersecurity Framework
• Agency Security Plan Template – Implemented in January 2014
• Vendor Product / Service Template – Implemented in March 2014
• Updated Texas Administrative Code Ch. 202 – Currently Draft - Publish February 2015
• Security Control Standards Catalog – Currently Draft - Publish February 2015
• Guidelines and Whitepapers – Ongoing effort
• Governance, Risk and Compliance Solution – To be complete Fall 2015
15
Agency Security Plans
• 40 security objectives defined
• Aligned to “Framework for Improving Critical Infrastructure Cybersecurity” released by NIST in February 2014
• Responsive to SB 1134 (Ellis) and SB 1597 (Zaffirini)
FUNCTIONAL AREA / SECURITY OBJECTIVE
Identify
– Privacy and Confidentiality
– Data Classification
– Critical Information Asset Inventory
– Enterprise Security Policy, Standards and Guidelines
– Control Oversight and Safeguard Assurance
– Information Security Risk Management
– Security Oversight and Governance
– Security Compliance and Regulatory Requirements Management
– Cloud Usage and Security
– Security Assessment and Authorization / Technology Risk Assessments
– External Vendors and Third Party Providers
Protect
– Enterprise Architecture, Roadmap & Emerging Technology
– Secure System Services, Acquisition and Development
– Security Awareness and Training
– Privacy Awareness and Training
– Cryptography
– Secure Configuration Management
– Change Management
– Contingency Planning
– Media
– Physical Environmental Protection
– Personnel Security
– Third-Party Personnel Security
– System Configuration Hardening & Patch Management
– Access Control
– Account Management
– Security Systems Management
– Network Access and Perimeter Controls
– Internet Content Filtering
– Data Loss Prevention
– Identification & Authentication
– Spam Filtering
– Portable & Remote Computing
– System Communications Protection
Detect
– Malware Protection
– Vulnerability Assessment
– Security Monitoring and Event Analysis
Respond
– Cyber-Security Incident Response
– Privacy Incident Response
Recover
– Disaster Recovery Procedures
16
Agency Security Plans
• Objective-based
• Uniform understanding of agency security program maturity using traditional maturity model
Maturity Level (Keywords): DIR Description
Level 0 (None, Nonexistent): There is no evidence of the organization meeting the objective.
Level 1 (Ad-hoc, Initial): The organization has an ad hoc, inconsistent, or reactive approach to meeting the objective.
Level 2 (Managed, Consistent, Repeatable): The organization has a consistent overall approach to meeting the objective, but it is still mostly reactive and undocumented. The organization does not routinely measure or enforce policy compliance.
Level 3 (Compliant, Defined): The organization has a documented, detailed approach to meeting the objective, and regularly measures its compliance.
Level 4 (Risk-Based, Managed): The organization uses an established risk management framework to measure and evaluate risk and integrate improvements beyond the requirements of applicable regulations.
Level 5 (Efficient, Optimized, Economized): The organization has refined its standards and practices focusing on ways to improve its capabilities in the most efficient and cost-effective manner.
17
Agency Security Plan Observations
(Chart: Overview of Maturity – Percentage of Agencies, 0% to 50%, at each Maturity Level: Nonexistent, Ad-hoc, Managed, Compliant, Risk-Based, Efficient)
18
Observations – Size Matters
(Chart: Maturity by Entity Size – average maturity, 0 to 3, by Size – FTE Count: Under 50 FTEs, Medium, Over 1000 FTEs)
19
Effect of External Regulations
(Chart: Maturity by Article – average maturity, 0 to 3, by Article Number 1 to 8)
Article – Description – External Regulations
1 – General Government – Varies
2 – Health and Human Services – HIPAA, CJIS, IRS, SSA
3 – Education – FERPA
4 – Judicial – CJIS
5 – Public Safety and Criminal Justice – CJIS
6 – Natural Resources – Varies
7 – Business and Economic Development – Varies
8 – Regulatory – Varies
20
A Layer Below the Surface
STATEWIDE AVERAGE BY AREA (maturity scale 0.00 to 5.00)
Identify 2.37
Protect 2.52
Detect 2.78
Respond 2.32
Recover 3.00
21
Highlights and Roadmap Improvements
Successes to Build Upon
Areas for Improvement
• Spam Filtering
• Data Loss Prevention
• Account Management
• Secure System Services, Acquisition and Development
• Disaster Recovery
• Security Systems Management
• Cloud Usage and Security
22
A Look to the Future
23
Framework Lifecycle
24
Security Personnel
IT Classifications
• Systems Analyst I, Network Specialist I – B16
• Programmer I – B17
• Systems Analyst II, Network Specialist II, Web Administrator I – B18
• Programmer II – B19
• Systems Analyst III, Network Specialist III, Web Administrator II – B20
• Programmer III – B21
• Systems Analyst IV, Network Specialist IV, Web Administrator III – B22
• Programmer IV – B23
• Systems Analyst V, Network Specialist V, Web Administrator IV – B24
• Programmer V – B25
• Systems Analyst VI, Network Specialist VI, Web Administrator V – B26
• Programmer VI – B27
IT Security Classifications – New Security Classifications
• Information Technology Security Analyst I – B23
• Information Technology Security Analyst II – B25
• Cybersecurity Analyst I – B25
• Information Technology Security Analyst III – B27
• Cybersecurity Analyst II – B27
• Cybersecurity Analyst III – B29
• Information Security Officer / Cybersecurity Officer – B30
• Chief Information Security Officer – *B31
Education, Communication and Awareness
Objective 1 - Establish and expand the Texas Infosec Academy to provide the state’s security personnel the knowledge needed to deliver agency security programs.
• NICCS Core Security Professionals Courses – 6 Career Tracks
• CISO Strategic Course – Budget, Strategy, Executive Communication, Leadership
• Certification Exam Preparation Courses – CISSP, CISM, CEH, CISA
• Texas Cybersecurity Framework Training – TAC 202 and Security Control Standards
• RSA Archer eGRC Training – Incident Reporting and Analysis; Agency Security Plans and Risk Management
• Platform for exercises – Tabletop Incident Response Scenarios; Red Team / Blue Team - detection and active response; Statewide coordination exercises; Participation in national readiness such as Cyber Storm
26
Education, Communication and Awareness
Objective 2 - Deliver high quality communication products and events that provide valued information to security personnel, partners and stakeholders throughout the state.
27
Security Operations and Services
Objective 1 - Establish an Enterprise Managed Security Services Provider (MSSP) and Multisourcing Service Integrator (MSI) model to provide key security operations for statewide program and agency functions.
Objective 2 – Identify and protect from cybersecurity threats against Texas information resources (Identify / Protect).
Objective 3 - Detect cyber attacks and identify attack campaigns launched against Texas information resources and critical infrastructure (Detect).
28
Coordination – Collaboration – Outreach
Objective 1 - Establish a statewide cybersecurity coordination and collaboration platform (HSIN).
Objective 2 - Enable regional cybersecurity response coordination.
Objective 3 - Coordinate statewide cybersecurity exercises and preparedness.
Objective 4 – Coordinate the information sharing among the state’s key entities.
Objective 5 – Establish a competent and capable cybersecurity workforce supply.
29
Thank You
30