73rd AnnualTexas Association
of County Auditors Fall Conference
Holiday Inn San Antonio RiverwalkSan Antonio, Texas
October 16-19, 2018
AnniversarySAN ANTONIO
300
DE BÉJAR
th
Welcome to the River City
IT Cybersecurity for Counties
Wednesday, October 17
1:05-1:55 p.m.
Michael Cheng, Head of Information Security, Bexar County
This session will introduce an effective framework to quickly improve counties'
cybersecurity posture.
Michael Cheng, Head of Information Security, Bexar County, San Antonio Cheng joined Bexar County Information Technology as the head of information security in June 2018. He is responsible for establishing and maintaining vision, strategy, and program to ensure Bexar County information assets and technologies are adequately protected. Prior to current position, Cheng was Chief Information Security Officer at Aviage Systems, one of GE Aviation’s
joint ventures.
1
October, 2018
CYBERSECURITY AT COUNTIES
7/27/17 1
AGENDA
10/10/2018 2
Major Cybersecurity Threats
Challenges
Quick Wins and Long Term Strategy
2
MAJOR CYBERSECURITY THREATS
10/10/2018 3
10/10/2018 4
3
THREATS TO STATES/COUNTIES/CITIES
10/10/2018 5
WE ARE TARGETED
10/10/2018 6
Government agencies are ranked #7 sectors in Americas, experiencing most cyber-attacks and
system compromises in 2017
4
THINGS ARE AT RISK
10/10/2018 7
Election Systems & Election Information
Criminal Justice Information (CJI) & Criminal History Record Information (CHRI)
Personal Identified Information (PII)
Personal Medical Information
Payment Card Data
Government Secrets
“2018 Data Breach Investigation Report” by Verizon
POSSIBLE ENTRY POINTS
10/10/2018 8
Phishing Emails
System Vulnerabilities
Incorrect Configurations
Third Parties
5
CHALLENGES
10/10/2018 9
CHALLENGES COUNTIES ARE COMMONLY FACING
Out-of-date IT Infrastructure
Over-used Privileged Accounts
Lack of Boundary Defense
Ignorance of Security Incidents
…
10/10/2018 10
We are extremely vulnerable
6
QUICK WINS AND LONG TERM STRATEGY
10/10/2018 11
THINGS TO QUICKLY ENHANCE CYBERSECURITY
Asset Management Inventory and control of hardware devices
Inventory and control of software
Control security configurations of hardware and software
Access Control Control of Privileged Accounts
Vulnerability Management Continuous vulnerability management
Security Monitoring Maintenance, Monitoring and Analysis of Audit Logs
10/10/2018 12
7
RESOURCES TO LEVERAGE
10/10/2018 13
MS-ISAC (https://www.cisecurity.org/ms-isac/)
DHS
Texas DIR contracts and services
LONG TERM STRATEGY
10/10/2018 14
Establish Cybersecurity Program
Adopt Mature Cybersecurity Framework, CIS Top 20 Controls, NIST, etc.
Transform IT Infrastructure, cloud based
8
THANKS
10/10/2018 15
Michael Cheng – Head of Information Security @ Bexar County, [email protected], 210-335-0208
Free Lined Graph Paper from http://incompetech.com/graphpaper/lined/
Free Lined Graph Paper from http://incompetech.com/graphpaper/lined/