DIR HB 3834 END USER CYBER SECURITY AWARENESS PRESENTATION
Andy Bennett, Deputy CISO, State of Texas
HB 3834 Training Disclaimer
DISCLAIMER
These slides are distributed by the Texas Municipal League (TML) for informational purposes only. Accordingly, possession of these slides does not satisfy the annual training requirement under HB 3834 (86th Legislative Session).
Agenda
• Presenter Bio
• HB 3834 Overview and Requirements
• HB 3834 Training Session
  • The principles of information security
  • Safeguarding, response, and reporting best practices
  • Real-world examples
• State and Federal Resources
Presenter Bio
Andy Bennett is a boot wearin’ native Texan who serves the State of Texas as the Deputy Chief Information Security Officer. He has a diverse IT background covering 23 years of experience in roles across the enterprise and in a variety of sectors including government, banking, higher education, applied research, oil and gas, law enforcement, Fortune 500 consulting services, and more. He specializes in incident response, investigations, and change efforts and has a passion for security. He is the primary author of the State of Texas’ incident response redbook template and is involved in strategic planning and rulemaking at the statewide level. His professional philosophy is “Show works better than tell, every time.”
State CISO and Cybersecurity Coordinator Role
TEXAS GOVERNMENT CODE
Sec. 2054.511. CYBERSECURITY COORDINATOR. The State Cybersecurity Coordinator shall “oversee cybersecurity matters for th[e] state.” [LINK]
Sec. 2054.512. CYBERSECURITY COUNCIL. “The state cybersecurity coordinator shall establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.” [LINK]
Sec. 2054.514. RECOMMENDATIONS. “The state cybersecurity coordinator may implement any portion or all of the recommendations made by the Cybersecurity, Education, and Economic Development Council under Subchapter N.” [LINK]
HB 3834 Overview
TEXAS GOVERNMENT CODE
Sec. 2054.519. STATE CERTIFIED CYBERSECURITY TRAINING PROGRAMS [LINK]
• DIR, in consultation with the cybersecurity council and industry stakeholders, shall “certify at least five cybersecurity training programs for state and local government employees.”
• To be certified, “a cybersecurity training program must:
  • Focus on forming information security habits and procedures that protect information resources; and
  • Teach best practices for detecting, assessing, reporting and addressing information security threats.”
Meeting HB 3834 Training Requirements
Select a state certified cybersecurity training program:
• If you are currently using a program that was developed in-house, submit it for certification
• Select a training program from the list of certified programs (available on the DIR website)
Complete training by June 14, 2020
Principles of Information Security
HB 3834 Topic Mapping
Topic 1.1(a). Users should be aware of what ‘information security’ means
Defining Information Security
Definition: Information Security
According to NIST, Information Security is “[t]he protection of information and information systems against unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Information refers to “[a]ny communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”
Information System refers to “[a] discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”
Sources: NIST SP 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
Defining Information Security
CIA
- Confidentiality: Prevent unauthorized access and use of information resources
- Integrity: Prevent unauthorized change and ensure reliability of information resources
- Availability: Ensure timely availability of information resources
Users must exercise due care to ensure the confidentiality, integrity, and availability of the information resources under their care.
Information Security Objective: Confidentiality
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”
Common Controls/Safeguards:
- Cryptography
- Access Management
- Acceptable Use Policy
- Information Security Awareness Policy
- Privacy Policy
- Social Media Policy
Information Security Objective: Integrity
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”
Common Controls/Safeguards:
- File Integrity Monitoring
- System Integrity Monitoring
- Hashing Technology
Information Security Objective: Availability
“Ensuring timely and reliable access to and use of information.”
Common Controls/Safeguards:
- Incident Response Plan
- Business Continuity Plan
- Disaster Recovery Plan
- Data/Record Retention Plans
Information Security Strategy
Defense-in-Depth
Information assets are protected by many interlocking, redundant, and complementary controls to detect, deter, and prevent attacks.
[Figure: Typical IT infrastructure: user, workstation, LAN, LAN-to-WAN, WAN, remote access, and application domains; encrypted tunnels across the public Internet to vendors and remote users; web and email servers in a DMZ]
Information Security Strategy/Defense-in-Depth
Information Security Strategy
Defense-in-Depth
Host-Based Controls:
- Multi-Factor Authentication (username/password, fingerprint, Windows Hello)
- Whole-Disk Encryption
- Encrypted Folders
- Anti-Malware Scanner
- Host-Based Firewall
- VPN Client Software
“Information assets” are protected by several layers of “technical” controls.
Information Security Strategy
Least Privilege & Segregation of Duties
Limit user privileges (access/use) to no more than what is necessary to perform their duties.
Ex: The judicial branch of government, by law, may decide the constitutionality of a law, but it may not create law. Why? Because this authority belongs to the legislature and CANNOT be delegated to another branch.
Information Security Controls/Safeguards
Controls/Safeguards Categories and Design
Controls/safeguards are instruments implemented by an organization to ensure the “CIA” of “information assets”. They are categorized as one or several of the following: 1) Administrative; 2) Physical; or 3) Technical.
They are designed for one or several outcomes: 1) Detection; 2) Deterrence; 3) Prevention; and/or 4) Correction.
See NIST SP 800-53 Rev. 4 for a comprehensive set of “controls”. (Link)
Information Security Controls/Safeguards
Administrative Controls/Safeguards
Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls.
Examples:
- Acceptable Use Policy
- Clean Desk Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Data Retention Policy
- Information Classification Management Program
- Mechanical Hard Drive Destruction Procedure
- Vendor Management Program
Information Security Controls/Safeguards
Administrative Controls/Safeguards
Your information security program should consist of a “policy framework.” The “policy framework” will balance the organization’s objectives and:
- Business requirements;
- Legal requirements; and
- Technical requirements.
• Policy: Documents stating an organization’s official position on an information security issue.
• Standards: Documents defining methods for achieving system- or procedure-specific requirements.
• Procedures: Documents outlining the specific steps of a process.
• Guidelines: Documents outlining voluntary methods or procedures.
Information Security Controls/Safeguards
Physical Controls/Safeguards
Physical controls/safeguards generally refer to physical mechanisms implemented throughout an organization’s premises to provide for the confidentiality, integrity, and availability of information assets. These controls may also be designed to detect, prevent, and/or correct security incidents.
Examples:
- Security guards
- Doors, cabinets, and locks
- Bollards, fences, and barbed wire
- Closed circuit television camera systems
- Motion detection systems
- Fire detection and suppression systems
- Heating, ventilation, and air conditioning systems
Information Security Controls/Safeguards
Technical Controls/Safeguards
Technical controls/safeguards generally refer to the software and/or hardware mechanisms implemented throughout the network in order to enforce the rules and requirements defined in the administrative controls. These controls may also be designed to detect, prevent, and/or correct security incidents.
Examples:
- Firewalls
- VPN Gateway/Client Software
- Multi-Factor Authentication Systems
- File and Whole-Disk Encryption
- Anti-Virus and Malware Scanning Software
Information Security Principles
Information Security Principles: Key Takeaways
1. Defining ‘information security’
2. The core objectives of ‘information security’ are:
   a. Confidentiality
   b. Integrity
   c. Availability
3. Defense-in-Depth Principle
4. Least Privilege Principle
5. Safeguard/Control Categories and Types
Information Types and Classifications
HB 3834 Topic Mapping
Topic 1.1(b). Users should be aware of the types of information (e.g., confidential, private, sensitive, etc.) they are responsible for safeguarding
Information Types and Classifications
Administrative Controls/Safeguards
Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls.
Examples:
- Acceptable Use Policy
- Clean Desk Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Data Retention Policy
- Information Classification Management Program
  - Example: Guideline on Safeguarding Sensitive Information
  - Example: Digital Media Destruction Procedure
- Vendor Management Program
Information Types and Classifications
INFORMATION CLASSIFICATION MANAGEMENT PROGRAM EXAMPLE
[Figure: classification ladder from Confidential to Secret to Top Secret; the higher the classification, the more controls apply and the less access is granted]
A formal system for:
1. Classifying information
   a. Primarily based on the potential damage to national security if information is released to an unauthorized party.
2. Safeguarding information
   a. What controls apply?
   b. Who can access and use it?
   c. When can it be accessed?
   d. How can it be used?
   e. Where and how to store it?
3. Declassifying information
   a. When, why, and how.
Information Classification Management Program
National Policy: EO 12958, later replaced by EO 13526 (Link)
Implementing Directive: 32 CFR Part 2001/2004, "Classified National Security Information Directive No. 1" (Link)
Information Types and Classifications
[Figure: a “confidential conversation” alongside a document marked DOCUMENT CLASSIFICATION: CONFIDENTIAL (C)]
Who can access and use this information?
Where and how can this information be stored?
Information Types and Classifications
Information Types and Classifications: Key Takeaways
1. Safeguarding of information is informed by information classification
2. Information classification informs:
   a. What controls apply?
   b. Who can access and use it?
   c. When can it be accessed?
   d. How can it be used?
   e. Where and how to store it?
Forms and Locations of Information
HB 3834 Topic Mapping
Topic 1.1(c). Users should be aware of the forms and locations of the information they are responsible for safeguarding
Forms and Locations of Information
Information Asset: Physical Form
Physical information assets at “rest”.
Forms and Locations of Information
Information Asset: Oral Form
Audio information assets in “use” and “transit”.
Forms and Locations of Information
Information Asset: Electronic Form
Electronic information assets in “use” and “transit”.
[Figure: Typical IT infrastructure diagram (repeated): user, workstation, LAN, LAN-to-WAN, WAN, remote access, and application domains; encrypted tunnels across the public Internet to vendors; web and email DMZ]
Forms and Locations of Information
Forms and Locations of Information: Key Takeaways
1. Information must be safeguarded regardless of form or location
2. Information Forms:
   a. Physical (“hard-copy”);
   b. Oral (audio/spoken word); and
   c. Digital/Electronic.
Safeguarding Against Unauthorized Access
HB 3834 Topic Mapping
Topic 1.2(a). Users should be aware of how to safeguard against unauthorized access to information, information systems, and secure facilities/locations
Topic 1.2(b). Users should be aware of how to safeguard against unauthorized use of information and information systems
[Figure: Typical IT infrastructure diagram (repeated), captioned “Information Security Controls/Safeguards”]
Safeguarding Against Unauthorized Access
Safeguarding Against Unauthorized Access
The controls/safeguards that apply here are the same ones described under Information Security Controls/Safeguards above: administrative controls (the policy framework of policies, standards, procedures, and guidelines), physical controls (guards; doors, cabinets, and locks; barriers; cameras and motion detection; fire and environmental systems), and technical controls (firewalls, VPN gateway/client software, multi-factor authentication systems, file and whole-disk encryption, and anti-virus and malware scanning software).
Safeguarding Against Unauthorized Access
Safeguarding Against Unauthorized Access: Key Takeaways
1. Access to information must be controlled internally and externally
2. Access is controlled by:
   a. Administrative Controls/Safeguards
   b. Physical Controls/Safeguards
   c. Technical Controls/Safeguards
Secure Storage of Information
HB 3834 Topic Mapping
Topic 1.2(c). Users should be aware of best practices related to securely storing information
[Figure: Typical IT infrastructure diagram (repeated), captioned “Information Security Controls/Safeguards”]
Secure Storage of Information
Information Asset: Physical (“Hard-Copy”) Form
Physical information assets should be stored and locked according to policy.
Secure Storage of Information
Information Asset: Oral Form
Confidential or sensitive conversations should take place in secure areas where unauthorized individuals cannot eavesdrop.
Secure Storage of Information
Information Asset: Electronic Form
- Information stored on authorized and encrypted cloud storage services only
- Information stored on authorized and encrypted mobile media only
- Information stored on authorized and encrypted workstations only
- Information stored on authorized and encrypted mobile devices only
Secure Storage of Information
Secure Storage of Information: Key Takeaways
1. Information must be stored in a secure manner
2. Organization policy should dictate where:
   a. Filing cabinets and/or safes
   b. Authorized and secure cloud storage services (e.g., Microsoft OneDrive)
   c. Authorized and secure removable media (e.g., USB flash drives)
   d. Authorized and secure mobile devices (e.g., cell phones)
Information Sanitization and Media Destruction
HB 3834 Topic Mapping
Topic 1.2(d). Users should be aware of best practices related to securely disposing and sanitizing information and information systems
Information Sanitization and Media Destruction
Sanitization and destruction are governed by the administrative controls/safeguards described under Information Security Controls/Safeguards above: the policy framework of policies, standards, procedures, and guidelines, including, for example, a Data Retention Policy and a Mechanical Hard Drive Destruction Procedure.
Information Sanitization and Media Destruction
Information Sanitization: Refers to “the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means” (Source: NIST SP 800-88 Rev. 1)
Information Destruction: Refers to actions taken to permanently destroy the media on which data/information is stored.
COMMON SANITIZATION & DESTRUCTION METHODS: fire, zeroization, redaction, degaussing, drilling, shredding, other
For more information, see NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization (Link)
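Of the methods listed, zeroization is the one an end user or administrator can perform in software, and it is only worth anything if the overwrite is verified afterwards. The following is an added example, not from the presentation or from NIST: it overwrites a constructed file in place (one random pass, one zero pass), reads every byte back to confirm the overwrite took, and only then unlinks the file. The file name and contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def overwrite_and_verify(path: Path, chunk_size: int = 65536) -> bool:
    """Overwrite a file in place, then read it back to confirm the overwrite took.

    Pass 1 writes random bytes, pass 2 writes zeros; the verification pass
    then checks that every byte reads as zero. Returns False if any byte
    still differs, in which case the file must not be treated as cleared.
    """
    size = path.stat().st_size
    with path.open("r+b") as f:
        for fill_random in (True, False):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n) if fill_random else bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the writes past the OS cache before verifying
        f.seek(0)
        remaining = size
        while remaining:
            block = f.read(min(chunk_size, remaining))
            if not block or any(block):  # any() is True if a nonzero byte survived
                return False
            remaining -= len(block)
    return True


def clear_file(path: Path) -> bool:
    """File-level zeroization: overwrite, verify, and only then unlink."""
    if not overwrite_and_verify(path):
        return False
    path.unlink()
    return True


def demo() -> dict:
    """Write a constructed sensitive export, clear it, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "ssn_export.csv"
        target.write_bytes(b"name,ssn\nA. Person,123-45-6789\n" * 2000)
        original_size = target.stat().st_size
        cleared = clear_file(target)
        return {"original_size": original_size, "cleared": cleared, "still_exists": target.exists()}


if __name__ == "__main__":
    print(demo())
```

The caveat that matters in practice: overwriting through the file system only reaches the data on media where writes go back to the same physical location. SSDs and flash drives remap blocks for wear levelling, copy-on-write and journaling file systems write new blocks and keep old ones, snapshots and cloud storage retain earlier versions, and none of those are touched by this routine. For such media the NIST SP 800-88 answer is the device's own purge mechanism (secure erase or cryptographic erase) or physical destruction by the other methods on the slide, and the organization's destruction procedure, not the user, decides which applies.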
Information Sanitization and Media Destruction
Information Sanitization and Destruction: Key Takeaways
1. Information must be sanitized or destroyed in accordance with policy
2. Organization policy should dictate when and how information is either:
   a. Sanitized; or
   b. Destroyed.
Information Security Threats, Risks, and Attacks
HB 3834 Topic Mapping
Topic 2.1(a). Users should be aware of the meaning of ‘threat’ with regards to information security
Topic 2.1(b). Users should be aware of common ‘threat actors’ and their motivations
Topic 2.1(c). Users should be aware of the meaning of ‘risk’ with regards to information security
Information Security Threats, Risks, and Attacks
Definition: [Information Security] Threat
According to NIST, a ‘threat’ is “[a]ny circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.” Source: NIST SP 800-171 Rev. 1
Information Security Threats, Risks, and Attacks
[Information Security] Threats
- Human-Based: Threat actors who take actions to compromise the CIA of an organization’s information resources.
- Nature-Based: Natural events (e.g., storms, floods, fires) that compromise the CIA of an organization’s information resources without anyone intending harm.
Impact: Confidentiality, Integrity, and Availability
Information Security Threats, Risks, and Attacks
Definition: Threat Actors
According to NIST, ‘threat actor’ refers to “[a]n individual or group posing a threat.” Source: NIST SP 800-150
Information Security Threats, Risks, and Attacks
THREAT ACTORS
- Hacktivists: Conduct attacks in furtherance of political interests.
- Criminals: Conduct attacks in furtherance of financial interests.
- Insiders: Conduct attacks in furtherance of personal interests.
- State Actors: Destruction, disruption, and espionage in furtherance of national interests.
Impact: Confidentiality, Integrity, and Availability
Information Security Threats, Risks, and Attacks
Definition: [Information Security] Risk
According to NIST, a ‘risk’ is “[a] measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.”
Source: NIST SP 800-53 Rev. 4
Information Security Threats, Risks, and Attacks
Definition: [Information Security] Attack
According to NIST, an ‘attack’ is “[a]n attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality.” Source: NIST SP 800-82 Rev. 2
[Figure: Typical IT infrastructure diagram (repeated), captioned “Common Attack Vectors”]
Information Security Threats, Risks, and Attacks
Information Security Threats, Risks, and Attacks: Key Takeaways
1. Threats can be categorized as either:
   a. Nature-based; or
   b. Human-based.
2. Threat actor motivations help us categorize them as either:
   a. Hacktivists;
   b. Insiders (unintentional/intentional);
   c. Criminal;
   d. State-Sponsored;
   e. Opportunists; or
   f. Other.
3. Threat actors target and attack their victims based on their motivations, means, and victim vulnerabilities.
Identifying Common Attacks
HB 3834 Topic Mapping
Topic 2.1(d). Users should be aware of the meaning of ‘attack’ with regards to information security
Topic 2.2(a). Users should be aware of the meaning of ‘threat’ with regards to information security
Indicators for Common Attacks
Social Engineering Attacks
• Description: According to NIST, social engineering refers to “[t]he act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.” Source: NIST SP 800-63-3 Digital Identity Guidelines
• Threat Actor Objective: Manipulate a target (i.e., a user) into providing unauthorized access to information or information systems.
• Common Threat Actor Techniques:
  1. Phishing (Email): A threat actor may send emails to your organization, purporting to represent a trusted entity, such as a vendor or co-worker. This email will typically request the recipient to either provide information, open an attached document (containing malware), or click an embedded link to an infected website.
  2. Smishing (SMS): A threat actor may send text messages to a user, purporting to represent a trusted entity, such as a vendor or co-worker. This text message will request the recipient to either provide confidential information or click a link to an infected website.
  3. Vishing (Voice): A threat actor may call your organization, purporting to represent a trusted entity, such as a vendor or co-worker. During this call, the threat actor will ask questions designed to trick the recipient into divulging confidential information.
  4. Masquerading (In-Person): A threat actor may arrive at your organization, purporting to represent a trusted entity, such as a vendor or delivery person.
Indicators for Common Attacks
Phishing Attack Example
http://notdocusign.com
Trusted sender? The threat actor spoofs a trusted colleague’s email address to deceive the user.
Risk Mitigation: Contact the sender out-of-band (phone or separate email) to confirm.
The threat actor prompts the user to visit a fraudulent site to review a contract.
Risk Mitigation: Hover over the links to reveal their URL. If suspicious: 1) Do not click on the link; and 2) Report the email to your organization’s IT or Information Security Department.
THREAT INDICATOR
1. Threat actor sends user a fraudulent email prompting action
   a. Appears to come from a trusted source (spoofed)
   b. Prompts user to click a link
2. Threat actor directs user to fraudulent site
   a. Prompts user to provide username and password
   b. Prompts user to download MS Office document containing malware (macro-based)
Indicators for Common Attacks
Phishing Attack Example
http://notdocusign.com
This is not “https://docusign.com”
The user’s email/password are captured for unauthorized reuse by the threat actor.
Risk Mitigation: If you have made it this far and notice the URL is suspicious: 1) Do not provide your username and password; 2) Do not click on any of the links on the page; and 3) Report the email to your organization’s IT or Information Security Department.
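The two checks the slides ask the user to make by hand (is the sender really who the display name says, and where does the link really go) are the same checks a mail gateway or help desk can run on the raw message. The following is an added example, not code from the presentation or from any vendor: it parses a constructed message modelled on the slides' scenario, reads the receiving mail server's SPF/DKIM verdicts from the Authentication-Results header, compares the apparent sender with the Reply-To address, and for every link compares the visible text with the actual destination. The hosts corp.example and mail-docusign-review.com, the brand table, and both messages are constructed for the demonstration; notdocusign.com is the deck's own illustrative domain.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this demo: the organization's own mail domain, and the
# brand names an attacker is likely to imitate mapped to their real domains.
INTERNAL_DOMAIN = "corp.example"
PROTECTED_BRANDS = {"docusign": "docusign.com"}

# Constructed message modelled on the slides' scenario.
PHISHING_EMAIL = """\
From: Jane Doe <jane.doe@corp.example>
Reply-To: jane.doe@mail-docusign-review.com
To: you@corp.example
Subject: Contract ready for signature
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review and sign the contract today.</p>
<p><a href="http://notdocusign.com/review?id=42">https://docusign.com/review</a></p>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """\
From: Jane Doe <jane.doe@corp.example>
To: you@corp.example
Subject: Lunch
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass
Content-Type: text/plain; charset="utf-8"

See you at noon: https://intranet.corp.example/lunch
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: what the link does vs. what the user sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _registrable(host: str) -> str:
    """Last two labels of a host name; good enough here, a public-suffix list is better."""
    return ".".join(host.lower().split(".")[-2:])


def _lookalike(host: str, where: str) -> list[tuple[str, str]]:
    """A brand name inside a host that is not the brand's real domain."""
    return [("lookalike-domain", f"{where} host {host} imitates {legit}")
            for brand, legit in PROTECTED_BRANDS.items()
            if brand in host and _registrable(host) != legit]


def phishing_indicators(raw: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []

    from_hdr, reply_hdr = msg["From"], msg["Reply-To"]
    from_addr = from_hdr.addresses[0].addr_spec if from_hdr and from_hdr.addresses else ""
    reply_addr = reply_hdr.addresses[0].addr_spec if reply_hdr and reply_hdr.addresses else ""

    # 1. The receiving server's SPF/DKIM/DMARC verdicts: a From address in our
    #    own domain that fails them is the spoofed-colleague case on the slide.
    auth = str(msg["Authentication-Results"] or "")
    failed = re.findall(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror|temperror)\b", auth, re.I)
    if failed:
        claim = "our own domain" if _domain(from_addr) == INTERNAL_DOMAIN else "an external domain"
        findings.append(("auth-fail", f"{from_addr} claims {claim} but "
                         + ", ".join(f"{k}={v}" for k, v in failed)))

    # 2. Replies silently routed somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(("reply-to-mismatch", f"From is {from_addr} but replies go to {reply_addr}"))
    for host in filter(None, (_domain(from_addr), _domain(reply_addr))):
        findings += _lookalike(host, "sender")

    # 3. Each link: the hover check, automated. Where does it really go, is it
    #    TLS-protected, and does the visible text agree with the destination?
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            url = urlparse(href)
            host = (url.hostname or "").lower()
            if url.scheme == "http":
                findings.append(("link-no-tls", href))
            shown = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
            if shown and _registrable(shown.group(1)) != _registrable(host):
                findings.append(("link-text-mismatch", f"text shows {shown.group(1)} but href goes to {host}"))
            findings += _lookalike(host, "link")
    return findings


if __name__ == "__main__":
    for code, detail in phishing_indicators(PHISHING_EMAIL):
        print(f"{code:20} {detail}")
```

Every one of these signals can appear in legitimate mail (marketing platforms set a foreign Reply-To, a partner's mail may fail SPF after forwarding), so the output is a list of reasons to be suspicious, which is exactly what the slides ask the user to act on: confirm out-of-band and report, rather than click.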
Indicators for Common Attacks
Phishing Attack Example
http://notdocusign.com
The user downloads the fraudulent contract document for review. This document contains macro-based malware, which will infect his/her computer and network upon activation.
Risk Mitigation: If you have made it this far and have downloaded a file: 1) Do not enable content (macros); and 2) Report the email to your organization’s IT or Information Security Department.
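The "enable content" bar appears because the document carries a VBA project, and that can be detected before anyone opens the file. In the Office Open XML formats (.docx, .docm, .xlsx, .xlsm, .pptx, .pptm) a document is a ZIP archive; the macro code lives in a part named vbaProject.bin and is declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. The following is an added example, not code from the presentation or from Microsoft: it screens a file for either signal. The sample archives are constructed in memory with only enough structure for the check; they are not real documents.

```python
import io
import zipfile

MACRO_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_office_file(data: bytes) -> dict:
    """Report whether an OOXML document carries a VBA project.

    Two independent signals are checked: a part whose name ends in
    vbaProject.bin, and a [Content_Types].xml entry declaring the VBA
    content type (which catches a macro part stored under another name).
    """
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a ZIP container: legacy .doc/.xls (OLE2) files need a different parser")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        macro_parts = [n for n in names if n.endswith(MACRO_PART_SUFFIX)]
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        declares_vba = MACRO_CONTENT_TYPE in content_types
    return {
        "has_macros": bool(macro_parts) or declares_vba,
        "macro_parts": macro_parts,
        "declares_vba_content_type": declares_vba,
    }


def build_sample(with_macros: bool) -> bytes:
    """Constructed, minimal OOXML-shaped archive: enough structure for the check, not a real document."""
    overrides = ('<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f"{overrides}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real vbaProject.bin parts are OLE2 compound files; only the magic bytes are reproduced here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(24))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, inspect_office_file(build_sample(flag)))
```

The check is about the container, not the file name: an attacker chooses the extension, so a mail gateway screens the bytes. A positive result does not by itself mean the macro is malicious (finance teams still circulate macro-enabled spreadsheets), which is why the policy answer on the slide is to keep content disabled and report, and let the security team look at the VBA.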
Indicators for Common Attacks
Phishing Attack Example
The user clicked “enable content” on the Word document, which infects his/her PC and network with “ransomware”.
Next Up: Ransomware & Indicators of Compromise
Indicators for Common Attacks
Ransomware Attacks
• Description: According to the Department of Homeland Security, ransomware refers to “[a] type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.” Source: Department of Homeland Security
• Threat Actor Objective: To deny the victim access to computer systems or data until a ransom is paid.
• Common Threat Actor Techniques:
  • Phishing (Email): A threat actor may send emails to your organization, purporting to represent a trusted entity, such as a vendor or co-worker. This email will typically request the recipient to either provide information, open an attached document (containing malware), or click an embedded link to an infected website.
Indicators for Common Attacks
Ransomware Attack Example
INDICATOR OF COMPROMISE
1. The user is presented with a ransom note addressing:
   a. What happened?
   b. How do I recover?
   c. How do I pay the ransom?
2. Denial of access to system files/resources
   a. Files or system are encrypted
   b. Recovery of files is contingent upon:
      1. Ability to decrypt (or pay the ransom); or
      2. Recovery from backups.
Risk Mitigation: If you have made it this far and a ransom note appears: 1) Do NOT attempt to pay or decrypt; 2) Immediately report the ransom to your organization’s IT or Information Security Department; and 3) Follow instructions regarding who and how this information can be shared.
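The two indicators on the slide, a ransom note and files that can no longer be read, leave traces that can be found on a file share before a user notices. The following is an added example, not code from the presentation: it walks a constructed directory and reports files named like ransom notes, files carrying extensions that ransomware families append after encryption, and files whose contents have become statistically indistinguishable from ciphertext (Shannon entropy close to 8 bits per byte), which catches families that keep the original file names. The word lists, extension sets, and sample files are constructed assumptions for the demonstration; real tooling uses larger, tuned sets.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicator lists for the demo; production tooling keeps larger, tuned sets.
RANSOM_NOTE_WORDS = ("readme", "decrypt", "restore", "recover", "how_to")
RANSOM_NOTE_SUFFIXES = {".txt", ".html", ".hta"}
RANSOMWARE_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}
# Compressed or already-encrypted formats look random too; skip them so the
# entropy indicator is not swamped by ordinary images, archives and PDFs.
NATURALLY_DENSE_SUFFIXES = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".pdf", ".docx", ".xlsx", ".pptx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive text, near 8 for ciphertext or random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def scan_for_ransomware_indicators(root: Path, entropy_threshold: float = 7.5,
                                   sample_bytes: int = 65536) -> dict[str, list[str]]:
    """Walk a tree and collect the file-level indicators of compromise the slide lists."""
    found: dict[str, list[str]] = {"ransom_notes": [], "ransomware_extensions": [], "high_entropy_files": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name, suffix = path.name.lower(), path.suffix.lower()
        # Indicator 1 on the slide: the ransom note itself.
        if suffix in RANSOM_NOTE_SUFFIXES and any(word in name for word in RANSOM_NOTE_WORDS):
            found["ransom_notes"].append(rel)
            continue
        # Indicator 2: files renamed by the malware after encryption.
        if suffix in RANSOMWARE_SUFFIXES:
            found["ransomware_extensions"].append(rel)
        # Indicator 2, seen from the contents: data that has become ciphertext.
        if suffix in NATURALLY_DENSE_SUFFIXES:
            continue
        with path.open("rb") as f:
            head = f.read(sample_bytes)
        if len(head) >= 1024 and shannon_entropy(head) >= entropy_threshold:
            found["high_entropy_files"].append(rel)
    return found


def demo() -> dict[str, list[str]]:
    """Constructed share with one encrypted file, one ransom note, and benign neighbours."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "minutes.txt").write_text("Meeting minutes: budget approved.\n" * 100)
        (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))  # stands in for ciphertext
        (root / "photo.jpg").write_bytes(os.urandom(4096))           # dense, but expected for a JPEG
        (root / "notes.bin").write_bytes(os.urandom(256))            # too small to judge
        (root / "README_DECRYPT_FILES.txt").write_text("Your files are encrypted. Pay 6 BTC.\n")
        return scan_for_ransomware_indicators(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a live system the useful signal is the rate of change rather than any single file: hundreds of files crossing the entropy threshold or gaining a new extension within minutes is the moment to isolate the host, which is why this scan belongs in monitoring and the user's job stays as the slide states it: do not pay, report immediately, and follow instructions.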
Identifying Common Attacks
Identifying Common Attacks: Key Takeaways
1. Attacks are an attempt to compromise the “CIA” of information/information resources.
2. Common attacks targeting the end-user include:
   a. Social Engineering; and
      I. Phishing (Email)
      II. Smishing (SMS)
      III. Vishing (Voice)
      IV. Masquerading (In-Person)
   b. Ransomware.
3. End-users need to know:
   1. What they are;
   2. How they work;
   3. How to spot them;
   4. How to report and respond to them.
Respond/Report on Common Attacks and Suspicious Activity
HB 3834 Topic Mapping
Topic 2.2(a). Users should be aware of how to respond and report on common attacks or suspicious activity (either by best practice or policy)
Respond/Report on Common Attacks and Suspicious Activity
General best practices for responding to and reporting on common threats and suspicious activity:
1. If you see something, say something;
a. Suspicious computer or network activity indicating an attempted attack.
b. Suspicious computer or network activity indicating a successful attack.
c. Any suspicious behavior in the workplace.
2. Know who you are required to report suspicious activity to;
a. E.g., Help-Desk, IT, Information Security, or other.
3. Know when you are required to report suspicious activity;
a. Know how soon, as well.
4. Know with whom you can share this information; and
a. Before and after reporting.
5. Know what – if any – additional actions you should take in response.
Respond/Report on Common Attacks and Suspicious Activity
State Notification and Reporting Law and Rules
TEXAS ADMINISTRATIVE CODE
Source: Texas Administrative Code
• Security Reporting for State Agencies: Title 1, Part 10, Chapter 202, Subchapter B, Rule § 202.23
• Security Reporting for Institutions of Higher Education: Title 1, Part 10, Chapter 202, Subchapter C, Rule § 202.73
TEXAS GOVERNMENT CODE
Source: Texas Government Code Section 2054.1125
Respond/Report on Common Attacks and Suspicious Activity
Who: The City of Atlanta was the victim of a Ransomware attack conducted by two Iranian hackers, Faramarz Shahi Savandi (35y) and Mohammad Mehdi Shah Mansouri (28y).
- Members of the SamSam Group (non-State affiliated).
- Ransom demand of $51,000 in (~6) Bitcoin.
What: The threat actors infected several mission-critical resources, ultimately affecting many services and programs, such as: utilities, parking, and even court services.
Response/Reporting Lessons Learned: March 22 (~5am), a City of Atlanta employee discovered the ransom note on an Atlanta Police Department computer. This employee took a picture of the ransom note with a cell phone and leaked the incident to local media, 11Alive.
- 11Alive covered the story, tipping off the threat actors, who then deleted the ransom portal, leaving the City with no option to pay. (link)
Key Takeaway:
- If you discover an incident, immediately report it to your organization’s department responsible for responding to computer security incidents.
- DO NOT share this information with anyone else, unless authorized and directed to do so by your organization.
Respond/Report on Common Attacks and Suspicious Activity
Texas Department of Information Resources
In Texas, if you are impacted by an incident, DIR provides the following resources:
1. Bulk Purchasing
2. Network Products and Related Services Contracts
3. Managed Services End-User IT
4. Information Technology Security (ITS) Products and Services
For more information about these resources, please visit: Link
More information on State Security Resources below.
Respond/Report on Common Attacks and Suspicious Activity
Respond/Report on Common Attacks and Suspicious Activity: Key Takeaways
1. Attacks are an attempt to compromise the “CIA” of information/information resources.
2. End-users need to know what to do when they identify an attack or suspicious activity:
a. Who to report it to;
b. How to report it;
c. When to report it;
d. What to do after it has been reported; and
e. Who else they can share the information with.
State Security Resources
How DIR Can Partner With You to Keep Your Systems and Citizens Secure
STATE INFORMATION SECURITY RESOURCES: DIR AWARENESS, EDUCATION AND TRAINING SERVICES
SECURITY TRAINING
• Information Security Forum
• Monthly Gartner Webinars
Link
INFORMATION SHARING
• Security List
• Texas Cybersecurity Weekly
• Monthly Information Security Meetings
• MS-ISAC Notifications
Link
State Security Resources
INFORMATION SECURITY PLANNING
Alignment with the Texas Cybersecurity Framework
• 5 functional areas
• 40 security objectives
• Comprehensive information security planning
Link
Managed Security Services (MSS)
Security Monitoring and Device Management
• Host Based IDS/IPS
• Network Based IDS/IPS
• Managed Firewall
• Managed Web App Firewall
• Malware Detection System
• Security Information and Event Management (SIEM)
• Threat Research
• Security Operations Center Services
• Managed Endpoint Security
Incident Response
• Incident Response Preparedness
• Digital Forensics
• Security Incident Management
Risk and Compliance
• Penetration Test
• Web and Mobile Application Test
• Vulnerability Scanning
• Web App Vulnerability Scanning
• Risk Assessment
• Cloud Compliance Assessment
State Security Resources (MSS)
Security Monitoring and Device Management Services (MSS)
Remote Management and Operations:
• San Antonio, Texas
• Tampa, Florida
• Dallas, Texas
• San Jose, California
Security Operations Center Services (Onsite Management):
• DIR NSOC, Austin, Texas
• Where Needed (Texas)
Available Only in Legacy Data Centers:
• Endpoint Management Services
• Intrusion Detection/Prevention System Services
• Managed Firewall Services
• Malware Detection Systems
• Security Operations Center (SOC) Services
• Host-based Intrusion Prevention Systems*
Available for ALL Systems and Locations:
• Web Application Firewall Services
• Threat Research
Available for Non-DCS managed systems:
• Host-based Intrusion Prevention Services
• Security Information and Event Management (SIEM)
State Security Resources (Security Monitoring and Device Management)
Incident Response Services (MSS)
Incident Response Preparedness
Provides a critical review of current internal processes and procedures for handling events, incidents, and evidence. Includes:
• Detective control configurations
• Deployed preventative and detective solution sets throughout the environment
• Current incident response plans
• Incident responder and handler skillset evaluations
• Incident responder and handler training evaluations
• Evidence seizure and storage procedure analysis
• Electronic data recovery
• Litigation support
Digital Forensics
• “On Demand” service
• Use of Encase and/or Carbon Black for analysis of hard drive images
Incident Response Management
• No retainer for this service
• Address adverse events, issues, or occurrences that may occur in your environment
• Includes detection, triage, response activities, and containment of computer security events
State Security Resources (Incident Response Services)
Incident Response Redbook: A Template to help Build a Plan
https://pubext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Incident%20Response%20Template%202019.pdf
State Security Resources (Interlocal Contract)
• Interlocal Contract (ILC)
https://dirsharedservices.service-now.com/dir
Risk & Compliance Services (MSS)
• Penetration Testing
• Vulnerability Scanning
• Web Application Scanning
• Web and Mobile Application Penetration Testing
• Risk Assessments
• Cloud Compliance
State Security Resources (Risk & Compliance Services)
TAKEAWAYS
1. Information security is interdisciplinary, consisting of risk management, technology, and compliance.
2. Consider adopting a recognized framework, such as the NIST/TX CSF, to plan, design, implement, and maintain your enterprise information security program.
3. Identify your information assets, assess the risks of each, and implement controls to achieve an “acceptable level of risk”.
1. Know what you have;
2. Know your risks;
3. Prepare to defend;
4. Prepare to respond; and
5. Prepare to recover.
4. Use a “risk-based” approach to ensure you provide for the confidentiality, integrity, and availability of your information assets.
5. Do not go it alone – consider leveraging the state-level resources provided by the DIR.
State Security Resources
Federal Resources
NIST COMPUTER SECURITY RESOURCE CENTER
NIST Cybersecurity Framework (Link)
NIST Special Publications (Link)
NIST NICE Cybersecurity Workforce Framework (Link)
NIST SP 800-12 Rev. 1, An Introduction to Information Security (Link)
NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments (Link)
NIST SP 800-50, Building an Information Security Awareness and Training Program (Link)
NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide (Link)
NIST Glossary of Key Information Security Terms (Link)
Contact Information
For more information about DIR’s cybersecurity services:
[email protected]
For more information about HB 3834:
[email protected]
Helpful Resources and Templates
https://dir.texas.gov/View-About-DIR/Information-Security/Pages/Content.aspx?id=139