The State of the State of Cybersecurity
December 12, 2014

PowerPoint · PPT file · Web view · 2014-12-16Commonalities and Comparable Traits. Industry. Technology. Security Capabilities. Data. Attackers. People. Comparables – 2 minutes



Page 2: Agenda

• Global View
  • Headlines and the General State of the Falling Sky

• Texas View
  • What We Knew – Security Assessment findings
  • What We Now Can See

• Where Do We Go From Here
  • Preview of the 2015-2020 Statewide Cybersecurity Strategy

Page 3: When it rains…

Page 4: The World Around Us

• 63% of victim organizations are made aware by external entities

• Attackers spend an estimated 243 days on a victim network before they are discovered (down 173 days from 2011)

Page 5: Commonalities and Comparable Traits – Industry

Diagram labels: Technology, Security Capabilities, Data, Attackers, People

Page 6: Commonalities and Comparable Traits – Government

Diagram labels: Technology, Security Capabilities, Data, Attackers, People

Page 7: Commonalities and Comparable Traits – Individual Agencies

Diagram labels: Technology, Security Capabilities, Data, Attackers, People

Page 8: Commonalities and Comparable Traits – Security Capabilities

Page 9: Web Application Attack Detections – Financially Motivated

Page 10: Web Application Attacks – Ideologically Motivated

Page 11: Motivations, Targets and Objectives

• Financial Motivations
  • Credit Cards – Direct Conversion
  • Identity Information (PII) – Indirect Conversion
  • Health Information (PHI) – Indirect Conversion

  (Reuters) - Your medical information is worth 10 times more than your credit card number on the black market.

• Mayhem, Activism and Reputation

• Espionage

Page 12: Let’s Talk About

Page 13: Security Assessment Benchmark

Chart: Due Diligence Standard vs. State of the State, maturity level 1–5 per domain: App Security, Availability, Change Mgmt, Confidentiality, Endpoint Admission, Governance, Host Security, Access Mgmt, Integrity, Malware, Mobile Security, Monitoring, Network Perimeters, Network Zones, Physical Security, PKI - Encryption, Vulnerability Mgmt.

Maturity Level Definitions (Source: Gartner)
• Level 1: Initial/Ad Hoc
• Level 2: Developing/Reactive
• Level 3: Defined/Proactive
• Level 4: Managed
• Level 5: Optimized

Security Assessments Conducted 2011 through 2014*
*Approximately 40 Agencies – Over 80% of State FTEs

Page 14: 7 Trends Identified

1. Internal network segmentation
2. Consistent event monitoring and analysis
3. Security governance / awareness
4. IT staffing challenges
5. Security in software development
6. Data classification
7. Identity and access management standardization

Page 15: The Texas Cybersecurity Framework

• Agency Security Plan Template – Implemented in January 2014

• Vendor Product / Service Template – Implemented in March 2014

• Updated Texas Administrative Code Ch. 202 – Currently Draft - Publish February 2015

• Security Control Standards Catalog – Currently Draft - Publish February 2015

• Guidelines and Whitepapers – Ongoing effort

• Governance, Risk and Compliance Solution – To be complete Fall 2015

Page 16: Agency Security Plans

• 40 security objectives defined

• Aligned to “Framework for Improving Critical Infrastructure Cybersecurity” released by NIST in February 2014

• Responsive to SB 1134 (Ellis) and SB 1597 (Zaffirini)

Security objectives by functional area:

Identify
– Privacy and Confidentiality
– Data Classification
– Critical Information Asset Inventory
– Enterprise Security Policy, Standards and Guidelines
– Control Oversight and Safeguard Assurance
– Information Security Risk Management
– Security Oversight and Governance
– Security Compliance and Regulatory Requirements Management
– Cloud Usage and Security
– Security Assessment and Authorization / Technology Risk Assessments
– External Vendors and Third Party Providers

Protect
– Enterprise Architecture, Roadmap & Emerging Technology
– Secure System Services, Acquisition and Development
– Security Awareness and Training
– Privacy Awareness and Training
– Cryptography
– Secure Configuration Management
– Change Management
– Contingency Planning
– Media
– Physical Environmental Protection
– Personnel Security
– Third-Party Personnel Security
– System Configuration Hardening & Patch Management
– Access Control
– Account Management
– Security Systems Management
– Network Access and Perimeter Controls
– Internet Content Filtering
– Data Loss Prevention
– Identification & Authentication
– Spam Filtering
– Portable & Remote Computing
– System Communications Protection

Detect
– Malware Protection
– Vulnerability Assessment
– Security Monitoring and Event Analysis

Respond
– Cyber-Security Incident Response
– Privacy Incident Response

Recover
– Disaster Recovery Procedures

Page 17: Agency Security Plans

• Objective-based

• Uniform understanding of agency security program maturity using traditional maturity model

Maturity levels (DIR description, keywords):

Level 0 – None, Nonexistent: There is no evidence of the organization meeting the objective.

Level 1 – Ad-hoc, Initial: The organization has an ad hoc, inconsistent, or reactive approach to meeting the objective.

Level 2 – Managed, Consistent, Repeatable: The organization has a consistent overall approach to meeting the objective, but it is still mostly reactive and undocumented. The organization does not routinely measure or enforce policy compliance.

Level 3 – Compliant, Defined: The organization has a documented, detailed approach to meeting the objective, and regularly measures its compliance.

Level 4 – Risk-Based, Managed: The organization uses an established risk management framework to measure and evaluate risk and integrate improvements beyond the requirements of applicable regulations.

Level 5 – Efficient, Optimized, Economized: The organization has refined its standards and practices focusing on ways to improve its capabilities in the most efficient and cost-effective manner.

Page 18: Agency Security Plan Observations

Chart: Overview of Maturity – Percentage of Agencies (0%–50%) by Maturity Level (Nonexistent, Ad-hoc, Managed, Compliant, Risk-Based, Efficient).

Page 19: Observations – Size Matters

Chart: Maturity by Entity Size – Maturity (0–3) by Size – FTE Count (Under 50 FTEs, Medium, Over 1000 FTEs).

Page 20: Effect of External Regulations

Chart: Maturity by Article – Maturity (0–3) by Article Number (1–8).

Article  Description                          External Regulations
1        General Government                   Varies
2        Health and Human Services            HIPAA, CJIS, IRS, SSA
3        Education                            FERPA
4        Judicial                             CJIS
5        Public Safety and Criminal Justice   CJIS
6        Natural Resources                    Varies
7        Business and Economic Development    Varies
8        Regulatory                           Varies

Page 21: A Layer Below the Surface

Chart: Statewide Average by Area (scale 0.00–5.00) for Identify, Protect, Detect, Respond and Recover; plotted values 2.37, 2.52, 2.78, 2.32 and 3.00.

Page 22: Highlights and Roadmap Improvements

Successes to Build Upon
• Spam Filtering
• Account Management
• Disaster Recovery
• Security Systems Management

Areas for Improvement
• Data Loss Prevention
• Secure System Services, Acquisition and Development
• Cloud Usage and Security

Page 23: A Look to the Future

Page 24: Framework Lifecycle

Page 25: Security Personnel

Columns: IT Classifications | IT Security Classifications | New Security Classifications (by pay grade)

B16 – Systems Analyst I, Network Specialist I
B17 – Programmer I
B18 – Systems Analyst II, Network Specialist II, Web Administrator I
B19 – Programmer II
B20 – Systems Analyst III, Network Specialist III, Web Administrator II
B21 – Programmer III
B22 – Systems Analyst IV, Network Specialist IV, Web Administrator III
B23 – Programmer IV | Information Technology Security Analyst I
B24 – Systems Analyst V, Network Specialist V, Web Administrator IV
B25 – Programmer V | Information Technology Security Analyst II | Cybersecurity Analyst I
B26 – Systems Analyst VI, Network Specialist VI, Web Administrator V
B27 – Programmer VI | Information Technology Security Analyst III | Cybersecurity Analyst II
B29 – Cybersecurity Analyst III
B30 – Information Security Officer / Cybersecurity Officer
B31 – Chief Information Security Officer *

Page 26: Education, Communication and Awareness

Objective 1 - Establish and expand the Texas Infosec Academy to provide the state’s security personnel the knowledge needed to deliver agency security programs.

• NICCS Core Security Professionals Courses – 6 Career Tracks

• CISO Strategic Course – Budget, Strategy, Executive Communication, Leadership

• Certification Exam Preparation Courses – CISSP, CISM, CEH, CISA

• Texas Cybersecurity Framework Training – TAC 202 and Security Control Standards

• RSA Archer eGRC Training – Incident Reporting and Analysis; Agency Security Plans and Risk Management

• Platform for exercises – Tabletop Incident Response Scenarios; Red Team / Blue Team - detection and active response; Statewide coordination exercises; Participation in national readiness such as Cyber Storm

Page 27: Education, Communication and Awareness

Objective 2 - Deliver high quality communication products and events that provide valued information to security personnel, partners and stakeholders throughout the state.

Page 28: Security Operations and Services

Objective 1 - Establish an Enterprise Managed Security Services Provider (MSSP) and Multisourcing Service Integrator (MSI) model to provide key security operations for statewide program and agency functions.

Objective 2 - Identify and protect from cybersecurity threats against Texas information resources (Identify / Protect).

Objective 3 - Detect cyber attacks and identify attack campaigns launched against Texas information resources and critical infrastructure (Detect).

Page 29: Coordination – Collaboration – Outreach

Objective 1 - Establish a statewide cybersecurity coordination and collaboration platform (HSIN).

Objective 2 - Enable regional cybersecurity response coordination.

Objective 3 - Coordinate statewide cybersecurity exercises and preparedness.

Objective 4 - Coordinate the information sharing among the state’s key entities.

Objective 5 - Establish a competent and capable cybersecurity workforce supply.

Page 30: Thank You