
Cyber Hygiene: Simple steps to keep your PSAP safe
By Jay English

PSC | apcointl.org | CDE #41528

As many readers already know, our profession is undergoing a number of technological and operational changes. With the slow but steady implementation of NG9-1-1 systems across the country and the FirstNet deployment on the horizon, these are exciting and innovative times. As with any change, there are both challenges and opportunities that come along with our transition to an IP-based infrastructure. Principal among these challenges is the ability to secure our networks and systems from unwanted intrusions and attacks.

Cybersecurity risks have the potential to affect everything from national security and public safety to our ability to use banking services or even power our homes or vehicles. There has been a dramatic increase in the number, frequency and severity of cyberattacks on organizations in both the public and private sector, raising concern about the very real risks present at every level of any organization. A few figures (see Figs. 1 and 2) illustrate the severity of that risk.

PSC | January/February 2016


While public safety has traditionally operated in secure environments, the transition to an IP-based network of networks will require all of us to be better prepared to respond to, and recover from, cyberattacks. In order to better prepare, a number of relatively simple steps can be taken to implement and improve what is known as cyber hygiene in our PSAPs and emergency communications centers. According to the Infosec Institute, the Center for Internet Security (CIS) and the Council on Cyber Security (CCS) define cyber hygiene as a means to appropriately protect and maintain IT systems and devices and implement cybersecurity best practices.

As one of the leading authorities in cybersecurity for government systems, CIS, along with the National Governors Association's Governors Homeland Security Advisors Council, has launched a Cyber Hygiene Campaign. The campaign is a multi-year effort that provides key recommendations for a low-cost program that any organization can adopt to achieve immediate and effective defenses against cyberattacks. The basic tenets of this program, extracted from the CIS website, are included below.

The top priorities for better cyber health (cyber hygiene) are:

- Count: Know what is connected to and running on your network.
- Configure: Implement key security settings to help protect your systems.
- Control: Limit and manage those who have administrator privileges to change, bypass or override your security settings.
- Patch: Regularly update all apps, software and operating systems.
- Repeat: Regularize the top priorities to form a solid foundation of cybersecurity for your organization. Repeating each top-priority item is tantamount to more effective security maturity. This cycle of events must repeat frequently when appropriate.

Count: Know what's connected to your network.

Cybersecurity begins with knowing what is connected to your network. To identify the existence of authorized and unauthorized devices and lost or stolen assets, you need to begin with an inventory. Knowing what IT assets you own will allow you to better manage your IT infrastructure and its security. Every piece of equipment has vulnerabilities and exposes you to risk. How you handle the risk will depend on what the equipment is and what purpose it has. You can't protect what you don't know exists.

Configure: Protect your systems by implementing key security settings.

Many breaches occur because of misconfigured or poorly configured systems, e.g., the administrator and/or guest default passwords go unchanged and are thus readily known by attackers. Without changes, the standard configurations that come installed by default on most computers and servers are not secure. Configuring devices using a few simple and easy steps can reduce the risk of compromise.

Control: Protect your systems by properly managing accounts and limiting user and administrator privileges to only what they need to do their job.

Properly controlling access to business information and systems reduces the risk of accidents, unauthorized access/use and security breaches. Failure to properly manage access can result in compromise and loss, damage, or unauthorized disclosure of sensitive and private information. Special care must be taken with privileged accounts used by system administrators, since they have the ability to create accounts and change or bypass security settings. Controlling access using good processes, including the use of strong passwords, reduces the risk of accounts being compromised and used for unauthorized purposes.

Patch: Protect your systems by keeping current!

Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected result is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities. Proactively managing vulnerabilities of systems will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after exploitation has occurred.[1]

Repeat: Protect your systems by repeating your top-priority items.

According to the Center for Internet Security, reviewing your repeat list will ensure that each cycle of each individual priority has been appropriately met and that nothing falls through the cracks in your cyber health maturity.[2]

Figure 1: Data breaches recorded in the United States by number of breaches and records exposed.

Figure 2: Comparison of complaints in the United States by year.

In addition to reading and following the basic guidelines provided by CIS, there are other procedures that should be developed with regard to an overall cyber hygiene program. These include preventative measures such as background checks; basic cyber hygiene education and training for center personnel; and instructions on how to and how not to handle information, including equipment and media used to store and input data. In addition, as we experience a high turnover rate in our profession, the organization should have termination procedures that include the return of all keys, pass cards and sensitive material. The organization should have a code of conduct that outlines expectations of its personnel. Additional workplace policies may be required that are specific to the organization's function.

Media Handling

Controls for classification, labeling and treatment of all forms of media should be implemented. Organizations should implement a removable media policy that restricts the use of or controls the use of removable media such as USB drives, external hard drives, etc. For transportation, media or devices containing sensitive information must be marked as such and hand delivered by the custodian of records/data. If there is an overriding business need to do otherwise, then, with appropriate approval, it may be shipped in sealed packages utilizing recorded/certified delivery.


Regular scans for vulnerabilities should be run against the information system and hosted applications when new vulnerabilities potentially affecting these systems/applications are identified and reported. Hardening standards are used to ensure a secure configuration and enumerate improper configurations. The remediation of legitimate vulnerabilities identified should be prioritized according to the severity of the risk.
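As an added illustration (not code from the article, APCO or CIS), the script below runs the five priorities as one check over a constructed PSAP inventory: Count compares the asset list to what a network scan observed, Configure flags unchanged default credentials, Control flags excess or generic administrator accounts, Patch flags stale hosts and open scan findings rated by CVSS, and the Repeat step returns everything ordered by severity so remediation follows the severity-ranked order just described. Hostnames, account names, dates, scores and thresholds are hypothetical sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Host:
    name: str
    default_creds_changed: bool  # Configure: vendor default passwords replaced?
    admins: list                 # Control: accounts holding administrator rights
    last_patched: date           # Patch: date of the last update cycle
    cvss_max: float              # Patch: highest CVSS score from the last scan

# Constructed sample data with hypothetical hostnames (not from the article).
AUTHORIZED = {"cad-srv-01", "esinet-gw-01", "dispatch-ws-03"}
OBSERVED = {"cad-srv-01", "esinet-gw-01", "dispatch-ws-03", "unknown-ap-7"}
HOSTS = [
    Host("cad-srv-01", True, ["jsmith"], date(2015, 12, 1), 4.3),
    Host("esinet-gw-01", False, ["admin", "vendor", "jsmith"], date(2015, 6, 15), 9.8),
    Host("dispatch-ws-03", True, ["jsmith", "rlee"], date(2015, 11, 20), 0.0),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def cvss_to_severity(score):
    """Map a CVSS v3 base score to the usual qualitative rating."""
    if score >= 9.0: return "critical"
    if score >= 7.0: return "high"
    if score >= 4.0: return "medium"
    return "low"

def count_findings(authorized, observed):
    """Count: devices seen but not inventoried, and inventoried assets not seen (lost/stolen?)."""
    out = [("high", n, "unauthorized device on network") for n in sorted(observed - authorized)]
    out += [("medium", n, "inventoried asset not seen on network") for n in sorted(authorized - observed)]
    return out

def configure_findings(host):
    """Configure: default credentials left in place are readily known to attackers."""
    return [] if host.default_creds_changed else [("critical", host.name, "default credentials unchanged")]

def control_findings(host, max_admins=2):
    """Control: too many administrator accounts, or shared/vendor admin logins."""
    out = []
    if len(host.admins) > max_admins:
        out.append(("medium", host.name, f"{len(host.admins)} admin accounts (limit {max_admins})"))
    out += [("high", host.name, f"generic admin account '{a}'") for a in host.admins if a in {"admin", "vendor", "guest"}]
    return out

def patch_findings(host, today, max_age_days=30):
    """Patch: stale update cycle, plus open scan findings rated by CVSS."""
    out = []
    age = (today - host.last_patched).days
    if age > max_age_days:
        out.append(("high" if age > 90 else "medium", host.name, f"last patched {age} days ago"))
    if host.cvss_max >= 4.0:
        out.append((cvss_to_severity(host.cvss_max), host.name, f"open vulnerability CVSS {host.cvss_max}"))
    return out

def hygiene_cycle(hosts, authorized, observed, today):
    """Repeat: one pass over all four checks, returned as a remediation list ordered by severity."""
    findings = count_findings(authorized, observed)
    for h in hosts:
        findings += configure_findings(h) + control_findings(h) + patch_findings(h, today)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))

def sample_report():
    return hygiene_cycle(HOSTS, AUTHORIZED, OBSERVED, date(2016, 1, 15))  # one cycle as of a fixed date

if __name__ == "__main__":
    for sev, name, msg in sample_report():
        print(f"{sev:8} {name:15} {msg}")
```

Each cycle's output is the "repeat list" the article refers to: re-running it after remediation shows what was closed and what new items the latest scan or inventory introduced.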

Access Management

Access management is the management and control of the ways in which entities are granted or denied access to resources. The purpose of access management is to ensure that the proper identity verification is made when an individual attempts to access security sensitive buildings, computer systems or data. It has two areas of operations: logical and physical access. Logical access is the access to an IT network, system, service or application. Physical access is the access to a physical location such as a building, parking lot, garage or office. Access management leverages identities, credentials and privileges to determine access to resources by authenticating credentials.

Logical and physical access are often viewed as the most significant parts of identity credentialing and access management from a return on investment (ROI) perspective. To maximize that return, a successful access management solution is dependent on identity, credentials and attributes for making informed access control decisions, preferably through automated mechanisms. This approach enables an access management initiative to promote security and trust and meet business needs while achieving the envisioned value.

NICE Workforce Framework

The National Initiative for Cybersecurity Education (NICE) developed a National Cybersecurity Workforce Framework (Workforce Framework) to define the cybersecurity workforce and provide a common taxonomy and lexicon by which to classify and categorize workers. The Workforce Framework lists and defines specialty areas of cybersecurity work and provides a description of each. Each of the types of work is placed into one of seven overall categories. The Workforce Framework also identifies common tasks and knowledge, skills and abilities (KSAs) associated with each specialty area.

Workforce planning is a systematic way for organizations to determine future human capital requirements (demand), identify current human capital capabilities (supply), and design and implement strategies to transition the current workforce to the desired future work state. Effective workforce planning highlights potential risk areas associated with aligning the workforce to work requirements. Applied correctly, workforce planning allows organizations to adjust resources to meet future workloads, patterns of work and fundamental changes in how work is accomplished. A workforce planning approach must fit the needs of a specific organization and account for unique characteristics of the cybersecurity profession.

The first step in workforce planning, define and identify, emphasizes the collection of workforce data that defines the workforce and the identification of positions/roles within the workforce with specific, role-based competencies and proficiency levels. This activity in turn establishes the knowledge, skills and abilities (KSAs) that are the attributes required to perform a job and are generally demonstrated through qualifying experience, education or training.

The Federal Communications Commission's (FCC) Task Force on Optimal PSAP Architecture (TFOPA) will release a report which includes an entire document dedicated to cybersecurity for PSAPs and emergency communications. This document will provide additional information as to how PSAPs and public safety entities can potentially classify positions within their organizations and what types of targeted training would serve each position best. The document is due to be released in mid-December of 2015 and will be available via the FCC website. This will provide another tool for the public safety cybersecurity toolkit, and it is recommended reading for all levels of public safety communications personnel.

In addition to the NICE work and the soon-to-be-released TFOPA report, all agencies and personnel should at least have a high level of familiarity with the NIST National Cybersecurity Framework (NCF). The NCF is a voluntary framework developed by NIST working with various stakeholders to identify existing standards, guidelines and practices that could be integrated into a guiding framework for reducing cyber risks to critical infrastructure. The framework core describes a set of activities that can be used to achieve the desired cybersecurity-specific outcomes. These activities comprise the functions, categories, subcategories and informative references described below:

Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities. The activities in the identify function are foundational for effective use of the framework. Understanding the business context, resources that support critical functions and related cybersecurity risks enables an organization to focus and prioritize its efforts consistent with its risk management strategy and business needs.

Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The protect function supports the ability to limit or contain the impact of a potential cybersecurity event.

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The detect function enables timely discovery of cybersecurity events.

Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The respond function supports the ability to contain the impact of a potential cybersecurity event.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The recover function supports timely recovery to normal operations to reduce the impact from a cybersecurity event.

Understanding that our current systems are vulnerable, the need for education and emphasis on cybersecurity and cyber hygiene with emerging technologies takes on an even more important role. Unlike our current networks, next generation systems are based on the concept of Emergency Services IP networks (ESINets). These are networks of networks designed to facilitate interoperability and a rapid flow of information between the public, PSAPs and responders. NG9-1-1 systems rely on cyber capabilities and, as a result, are targets of opportunity for cyberattack. Our ability to secure our networks and such critical data from cyberattack must be a primary consideration when operating any such systems.

For all of these reasons, now is the time to begin educating ourselves on cybersecurity and implementing good cyber hygiene practices in our centers. We need to understand not only the risk, but also what we can do to mitigate that risk. Waiting until the systems are in place is too late. While we strive to combat the current cyberattacks, cybercriminals are already designing the next vector for attack, and they are constantly adapting. As public safety professionals, we are accustomed to adapting quickly to changing conditions. We need to use this experience, and our capabilities as communications experts, to plan for and prevent cyberattacks.

There are some very exciting and interesting times ahead in our profession. We cannot for one minute allow the threat of cyberattack to deter us from progressing or from performing the life-saving, critical tasks each and every emergency communications professional carries out every day. We must provide the public at large with the best possible life-saving technologies represented by NG9-1-1 and other next generation public safety systems. In providing those technologies, it is no less important to provide modern, progressive and realistic tools at all levels to protect the public safety communications enterprise. As public safety professionals, we must understand that a lack of cybersecurity poses a clear and present danger to the PSAPs and emergency communications system(s) in the United States. The actors, vectors and outcomes for cyberattacks against public safety vary widely; our approach to defending against these attacks cannot.

Cyber-risk management strategies must be implemented in support of PSAP operations taking into consideration available PSAP resources and levels of expertise. We must force ourselves to think outside the box when cybersecurity approaches are considered and when solutions are suggested, and we must be ever mindful of our responsibility to protect our networks and systems just as we protect the public we use those systems to serve.

Jay English is the Director of Communications Center and 9-1-1 Services for APCO International. He has served in public safety and emergency communications for over 25 years. He also has a background in electronic warfare and intelligence with the United States Air Force and served as a cyber crimes investigator during his law enforcement career. He served as the chairman of the FCC TFOPA working group on Optimal Cybersecurity Approach for PSAPs.

References

[1] Mell, Peter, Tiffany Bergeron, and David Henning. NIST SP 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program (2005). National Institute of Standards and Technology. Web.

[2] Cyber Hygiene Toolkit. Center for Internet Security. Web. 9 Dec. 2015. Retrieved from https://www.cisecurity.org/cyber-pledge/tools.cfm.

Sources (Figures 1 and 2): http://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/ and http://www.wrsc.org/attach_image yearly-comparison-cyber-crime-complaints


CDE Exam #41528

1. There has been a dramatic decrease in the number, frequency and severity of cyberattacks on organizations in both the public and private sector.
a. True
b. False

2. While public safety has traditionally operated in secure environments, the transition to an IP based network of networks will require all of us to be better prepared to:
a. Respond to, and recover from, cyber-attacks.
b. Report and repair cyber damage.
c. Report incidents to the appropriate authorities.
d. Respond to and report cyber-attacks.

3. Cyber hygiene is defined as:
a. A means to appropriately protect and maintain IT systems and devices and implement cybersecurity best practices.
b. A means to detect cyber criminal activity.
c. A means by which PSAPs can identify and report suspicious cyber activity.

4. The Federal Communications Commission's (FCC) Task Force on Optimal PSAP Architecture (TFOPA) report on cybersecurity will be released
a. In June of 2016.
b. In May of 2016.
c. In December of 2015.
d. In December of 2016.

5. The Federal Communications Commission's (FCC) Task Force on Optimal PSAP Architecture (TFOPA) will release a report which includes an entire document dedicated to cybersecurity for PSAPs and emergency communications. This document will provide additional information as to:
a. How public safety entities can conduct targeted training for active shooter and hostage negotiation scenarios.
b. How PSAPs and public safety entities can potentially classify positions within their organizations and what types of targeted training would serve each position best.
c. How PSAPs can potentially classify sensitive information within their organizations.
d. How PSAPs can effectively implement anti-virus and anti-malware protection programs and thwart all possible cyber crime.

6. Regular scans for vulnerabilities should never be run against the information system and hosted applications. When new vulnerabilities potentially affecting these system/applications are identified and reported, contact the appropriate authorities. Conducting regular scans is not an effective method of securing systems.
a. True
b. False

7. Workforce planning is a systematic way for organizations to determine future human capital requirements (demand), identify current human capital capabilities (supply), and design and implement strategies to transition the current workforce to the desired future work state.
a. True
b. False

8. The NIST National Cybersecurity Framework (NCF) includes all of the following, EXCEPT:
a. Identify
b. Protect
c. Detect
d. Report
e. Recover

9. Cyber risk management strategies must be implemented in support of PSAP operations without regard for available PSAP resources and levels of expertise. Cybersecurity is too important to allow local resource limitations to inhibit a comprehensive approach.
a. True
b. False

10. Access management is:
a. The management and control of personnel within any organization.
b. The management and control of entities and resources.
c. The management and control of the ways in which entities are granted or denied access to buildings and facilities.
d. The management and control of the ways in which entities are granted or denied access to resources.

Using the CDE Articles for Credit

1. Study the CDE article in this issue.
2. Answer the exam questions online or using this form. Photocopies are acceptable, but don't enlarge them.
3. Fill out the appropriate information section(s), and submit the form to: APCO Institute, 351 N. Williamson Blvd., Daytona Beach, FL 32114-1112

Questions? Call us at 888/APCO-9-1-1

You can now access the CDE exam online! Go to http://apco.remote-learner.net/login/index.php to create your username and password. Enter "article" in the search box and click on "2015 Public Safety Communications Magazine Article Exams", then click on "Cyber Hygiene #41528" to begin the exam. Once the exam is completed with a passing grade, a certificate is available by request for $15.

Ordering Information: If you are APCO certified and will be using the CDE exams for recertification, complete this section and return the form when you send in your request for recertification. Do not send in the exams every month. There is no cost for APCO-certified personnel to use the CDE article program.

APCO Instructor Certificate #: ______ Expiration Date: ______
APCO EMD Basic Certificate #: ______ Expiration Date: ______

If you are not APCO certified and would like to use the CDE exams for other certifications, fill out this section and send in the completed form with payment of $15 for each exam. You will receive an APCO certificate in the mail to verify exam completion. (APCO instructors and EMD students, please use the section above also.)

Name:
Title:
Organization:
Address:
Phone: / Fax:
Email:
I am certified by: [ ] MPC [ ] PowerPhone [ ] Other. If other, specify:
[ ] My check is enclosed, payable to APCO Institute for $15.
[ ] Use the attached purchase order for payment.