July 23, 2018
NYS Cyber Security Toolkit
Deborah Snyder
NYS Chief Information Security Officer
Robert Samson
NYS Chief Information Officer
Welcome & Opening Remarks
Organizational Introductions
New York State Chief Information Security Office
Multi-State Information Sharing & Analysis Center
Enterprise Information Security Office
Mission: Protecting privacy and safeguarding the State’s information assets – data, systems and infrastructure, through cyber security leadership, awareness and training, best practices and partnerships.
• Critical Security Controls Framework, Assessment Tool – to baseline current state
• Asset Inventory Guidance & Templates – to identify critical information assets
• Secure System Development Life Cycle resources – to ensure secure design
• Cybersecurity Risk Assessment Tool – to streamline effective application security reviews
• NYS Cyber Security Policies, Standards & Guidelines – to enforce sound practices
• Training & Education – to enhance awareness & capabilities
– NYS Cyber Security Conference
– NYS Cyber Security Awareness online training course & Skills training – extended to counties
Partnership & Collaboration - “Local Government Cyber Security Toolkit”
• ITS Enterprise Information Security Office https://its.ny.gov/eiso/local-government
• MS-ISAC https://www.cisecurity.org/ms-isac/ms-isac-toolkit/
Cyber Security Tools & Resources
State, Local, Tribal, or Territorial
Government Entity
• 2003 – The MS-ISAC is founded as an initiative as part of New York State government for Northeast States
• 2004 – DHS funds the MS-ISAC as an initiative to support the cybersecurity needs of all State governments
• 2010 – The MS-ISAC breaks away from NYS and joins the Center for Internet Security as a program area
A Tale of Two ISACs
• Summer 2016 – Public reporting of voter registration compromises
• January 2017 – Intelligence Community Assessment (attribution of all elections related activity) – Critical Infrastructure Designation
• July 2017 – Election Critical Infrastructure Working Group meets at MS-ISAC HQ
A Tale of Two ISACs
• September 2017
– Election Infrastructure Subsector Government Coordinating Council (EIS-GCC) established
– MS-ISAC Pilot for Elections Approved
• October 2017-February 2018
– MS-ISAC Pilot for Elections (NJ, VA, IN, TX, CO, UT, WA)
• February 2018
– EIS-GCC votes to establish EI-ISAC
• March 2018
– EI-ISAC Official Launch
A Tale of Two ISACs
Who can utilize these resources?
Eligible entities include:
✓ Counties
✓ Municipalities (towns, cities, villages, etc.)
✓ Law Enforcement Agencies
✓ Public Authorities (power, water, transit, etc.)
✓ Public Education (K-12, BOCES, Community College, Universities)
✓ Elections offices
• Register for the MS-ISAC’s services here:
https://learn.cisecurity.org/ms-isac-registration
• The MS-ISAC Stakeholder Engagement team will provide you with next steps:
– Register your HSIN account
– Submit public IPs, domains, and subdomains
– Register for an MCAP account
– Add additional staff to your account
How to access MS-ISAC resources
Top 20 CIS Controls
Overview and NYS Implementation
Evolution of the CIS Controls
The CIS Controls™️
CIS Controls Version 7
Volunteer Process
• Used our in-house collaborative platform: Workbench
• Received over 600 recommendations with over 300 members in the community
• https://Workbench.cisecurity.org
Ecosystem of Resources
• Mappings to other Frameworks
– Special focus on NIST CSF [updated!]
• CIS Risk Assessment Method (CIS-RAM) [new]
• ICS Companion Guide to the Controls [drafted]
• Measures and Metrics [updated]
• SME Implementation Guide
• CIS Community Attack Model
• Privacy and the Controls
Contribute Today! https://Workbench.cisecurity.org
Prioritizing the Top 20 Controls: Basic, Foundational, Organizational
Basic ▪ What every organization needs for essential cyber defense readiness
Foundational ▪ Technical best practices that provide clear security benefits
Organizational ▪ Focus on people & processes involved in cybersecurity
https://www.cisecurity.org/controls/
Why & How We Use The “Top 20”
Top 20 Assessment
▪ Straight-forward way to assess & improve your organization’s security posture
▪ Focuses on specific, highly-effective, prioritized actions
▪ Maps to other Frameworks
▪ Industry-vetted
▪ EISO created a Top 20 Assessment Tool
▪ Visualization – what we fondly call our “Blues Chart”
▪ Built-in assessment methodology & analytics
▪ User Guide
Using the Tool
Critical Security Control #1: Inventory and Control of Hardware Assets

Family | Control | Control Description | Maturity Level (enter data here) | Maturity Score (Numerical) | Notes
System | 1 | Inventory and Control of Hardware Assets | | 1.0 |
System | 1.1 | Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. | Not Performed | 1 |
System | 1.2 | Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. | Not Performed | 1 |
System | 1.3 | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. | Not Performed | 1 |
System | 1.4 | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. | Not Performed | 1 |
System | 1.5 | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. | Not Performed | 1 |
System | 1.6 | Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. | Not Performed | 1 |
System | 1.7 | Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. | Not Performed | 1 |
System | 1.8 | Use client certificates to validate and authenticate systems prior to connecting to the private network. | Not Performed | 1 |
Critical Security Control #1: Inventory and Control of Hardware Assets

Family | Control | Control Description | Maturity Level (enter data here) | Maturity Score (Numerical) | Notes
System | 1 | Inventory and Control of Hardware Assets | | 1.1 |
System | 1.1 | Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. | Not Performed | 1 |
System | 1.2 | Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. | Not Performed | 1 |
System | 1.3 | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. | Not Performed | 1 |
System | 1.4 | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. | Not Performed | 1 |
System | 1.5 | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. | In Process | 2 | A consolidated hardware asset inventory is recorded by the IT department and separated by organizational department. Records are validated annually to ensure that all devices are accounted for. The asset inventory contains the included list of records per asset.
System | 1.6 | Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. | Not Performed | 1 |
System | 1.7 | Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. | Not Performed | 1 |
System | 1.8 | Use client certificates to validate and authenticate systems prior to connecting to the private network. | Not Performed | 1 |
Using the Tool
Before / After

Critical Security Control #1: Inventory and Control of Hardware Assets | Critical Control 2: Inventory and Control of Software Assets
Utilize an Active Discovery Tool | Maintain Inventory of Authorized Software
Use a Passive Asset Discovery Tool | Ensure Software is Supported by Vendor
Use DHCP Logging to Update Asset Inventory | Utilize Software Inventory Tools
Maintain Detailed Asset Inventory | Track Software Inventory Information
Maintain Asset Inventory Information | Integrate Software and Hardware Asset Inventories
Address Unauthorized Assets | Address Unapproved Software
Deploy Port Level Access Control | Utilize Application Whitelisting
Utilize Client Certificates to Authenticate Hardware Assets | Implement Application Whitelisting of Libraries
| Implement Application Whitelisting of Scripts
| Physically or Logically Segregate High Risk Applications
Top 20 Assessment Tool
Maturity Level/Score
Not Performed 1
In Process 2
In Place 3
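As an added example (not the EISO tool's own code), here is the scoring the "Using the Tool" slides show, implemented in Python: maturity levels map to 1/2/3, a control's score is the mean of its sub-control scores to one decimal (eight "Not Performed" sub-controls give 1.0; raising 1.5 to "In Process" gives 1.1), and Basic controls with low scores are flagged as roadmap candidates. The CSV column names and the CSC 2 and CSC 7 rows are assumptions constructed for the example.

```python
"""Maturity scoring as shown on the EISO Top 20 Assessment Tool slides.

Added example; this is not the EISO tool's own code. It reproduces the
arithmetic visible in the "Using the Tool" tables: each sub-control gets
a maturity level, the level maps to 1/2/3, and a control's score is the
mean of its sub-control scores to one decimal.
"""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Maturity scale from the "Top 20 Assessment Tool" slide.
MATURITY_SCORE = {"Not Performed": 1, "In Process": 2, "In Place": 3}

# CIS Controls v7 grouping used by the deck's roadmap ("Basic controls (1-6)").
BASIC_CONTROLS = range(1, 7)


def load_assessment(csv_text: str) -> dict[str, str]:
    """Read rows exported from the tool's sheet into {sub_control: level}.

    Assumed column names: Family, Control, Control Description, Maturity
    Level. Only "Control" and "Maturity Level" are used.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Control"].strip(): row["Maturity Level"].strip() for row in reader}


def control_number(sub_control: str) -> int:
    """'1.5' -> 1 (the CSC the sub-control belongs to)."""
    return int(sub_control.split(".")[0])


def score_controls(assessment: dict[str, str]) -> dict[int, float]:
    """Mean sub-control score per control, rounded half-up to one decimal
    (spreadsheet-style rounding rather than Python's round-half-even).

    Rejects a maturity level outside the tool's scale so that a typo in
    the "enter data here" column never silently becomes a score.
    """
    per_control: dict[int, list[int]] = {}
    for sub, level in assessment.items():
        if level not in MATURITY_SCORE:
            raise ValueError(f"sub-control {sub}: unknown maturity level {level!r}")
        per_control.setdefault(control_number(sub), []).append(MATURITY_SCORE[level])
    scores = {}
    for control, values in per_control.items():
        mean = Decimal(sum(values)) / Decimal(len(values))
        scores[control] = float(mean.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))
    return scores


def gaps(scores: dict[int, float], threshold: float = 2.0) -> list[int]:
    """Basic controls scoring below the threshold: the deck's roadmap
    candidates ("Basic controls (1-6) with low maturity ratings")."""
    return sorted(c for c, s in scores.items() if c in BASIC_CONTROLS and s < threshold)


def compare(before: dict[int, float], after: dict[int, float]) -> dict[int, float]:
    """Per-control change between two assessment runs (benchmarking)."""
    return {c: round(after[c] - before[c], 1) for c in before if c in after}


# Constructed sample data: CSC 1 exactly as in the deck's two "Using the
# Tool" tables, plus made-up CSC 2 and CSC 7 rows to show grouping.
BEFORE_CSV = """Family,Control,Control Description,Maturity Level
System,1.1,Utilize an active discovery tool,Not Performed
System,1.2,Utilize a passive discovery tool,Not Performed
System,1.3,Use DHCP logging,Not Performed
System,1.4,Maintain detailed asset inventory,Not Performed
System,1.5,Maintain asset inventory information,Not Performed
System,1.6,Address unauthorized assets,Not Performed
System,1.7,Deploy port level access control,Not Performed
System,1.8,Utilize client certificates,Not Performed
System,2.1,Maintain inventory of authorized software,Not Performed
System,2.2,Ensure software is supported by vendor,Not Performed
Applications,7.1,Email and web browser protections (constructed row),In Place
"""
BEFORE = load_assessment(BEFORE_CSV)
# Second run: sub-control 1.5 moved to "In Process" as on the slide; 2.1 too.
AFTER = {**BEFORE, "1.5": "In Process", "2.1": "In Process"}


if __name__ == "__main__":
    before, after = score_controls(BEFORE), score_controls(AFTER)
    for control in sorted(before):
        print(f"CSC {control}: {before[control]} -> {after[control]}")
    print("roadmap candidates (Basic controls below 2.0):", gaps(after))
```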
Critical Security Control #’s 1 & 2
Asset Management – Hardware & Software
• Business Functions
• Business Application Assets
• Information / Data Assets
• Hardware Assets
• Software Assets
• Personnel Assets
Asset Management Scope
It all starts here
Asset Management is an organizational responsibility
Asset Inventory - Hardware
Asset Inventory Data Analysis
CSC #1: Inventory & Control of Hardware Assets – Actively manage (inventory, track, and correct) all hardware devices on the network.
WHY: So that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
CSC #2: Inventory & Control of Software Assets – Actively manage (inventory, track, & correct) all software on the network.
WHY: So that only authorized software is installed and can execute, and that unauthorized, unmanaged software is found and prevented from installation or execution.
Asset Inventory - Software
Critical Security Control #3
Continuous Vulnerability Assessment & Remediation
Vulnerability Management
“Cyclical practice of identifying, classifying, remediating & mitigating vulnerabilities”
Preparation
Vulnerability scan
Define remediating
actions
Implement remediating
actions
Rescan / Validate
CSC #3: Continuous Vulnerability Management – Continuously acquire, assess, & take action on new information.
WHY: To identify vulnerabilities for remediation, & minimize opportunity for attacks
Tips
• Ongoing Process
• Go beyond PCs
• Integrate & automate processes
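An added example (not from the deck or any MS-ISAC tool) of the Rescan / Validate step and the CSC 3 sub-controls "Compare Back-to-back Vulnerability Scans" and "Utilize a Risk-rating Process": two constructed scan exports are diffed into remediated, persisting and new findings, the previous cycle's remediation plan is checked against the rescan, and open findings are ordered by severity for the next "Define remediating actions" step. Host names, finding ids and the severity scale are constructed assumptions.

```python
"""Back-to-back scan comparison for the "Rescan / Validate" step.

Added example; it is not from the NYS deck or any MS-ISAC tool. A
finding is keyed by (host, port, scanner finding id). Two scan exports
are diffed, the previous cycle's remediation plan is checked against the
rescan, and open findings are ordered by a simple risk rating.
"""
from dataclasses import dataclass

# Risk-rating weights (assumption: a four-level severity scale).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    finding_id: str   # the scanner's own identifier (placeholders below)
    severity: str

    @property
    def key(self) -> tuple:
        return (self.host, self.port, self.finding_id)


def by_key(findings) -> dict:
    return {f.key: f for f in findings}


def compare_scans(previous, current) -> dict[str, set]:
    """Diff two consecutive scans of the same scope into three buckets."""
    prev, cur = by_key(previous), by_key(current)
    return {
        "remediated": {prev[k] for k in prev.keys() - cur.keys()},
        "persisting": {cur[k] for k in prev.keys() & cur.keys()},
        "new": {cur[k] for k in cur.keys() - prev.keys()},
    }


def validate_remediation(plan: set, current) -> dict[str, set]:
    """Check last cycle's remediation plan (a set of finding keys that
    were scheduled for fixing) against the rescan: a planned fix that
    still shows up is a failed or incomplete remediation."""
    open_keys = set(by_key(current))
    return {"fixed": plan - open_keys, "still_open": plan & open_keys}


def prioritize(findings) -> list:
    """Order open findings by severity, then host and port for stable output."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), f.host, f.port))


# Constructed sample scan exports; host names and finding ids are placeholders.
PREVIOUS = [
    Finding("web01.example.org", 443, "EXAMPLE-0001", "high"),
    Finding("web01.example.org", 80, "EXAMPLE-0002", "medium"),
    Finding("db01.example.org", 1433, "EXAMPLE-0003", "critical"),
]
CURRENT = [
    Finding("web01.example.org", 80, "EXAMPLE-0002", "medium"),     # still present
    Finding("db01.example.org", 1433, "EXAMPLE-0003", "critical"),  # planned fix did not land
    Finding("web02.example.org", 3389, "EXAMPLE-0004", "high"),     # new since last scan
]
# What the previous "Define remediating actions" step scheduled for fixing.
PLAN = {("web01.example.org", 443, "EXAMPLE-0001"), ("db01.example.org", 1433, "EXAMPLE-0003")}


if __name__ == "__main__":
    delta = compare_scans(PREVIOUS, CURRENT)
    for bucket in ("remediated", "persisting", "new"):
        print(bucket, sorted(f.key for f in delta[bucket]))
    print("validation:", validate_remediation(PLAN, CURRENT))
    for f in prioritize(CURRENT):
        print(f"{f.severity:>8}  {f.host}:{f.port}  {f.finding_id}")
```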
Web Profiler
✓ Server type and version (IIS, Apache, etc.)
✓ Web programming language and version (PHP, ASP, etc.)
✓ Content Management System and version (WordPress, Joomla, Drupal, etc.)
Vulnerability Management Program
Send domains, IP ranges, and contact info to:
Email notifications are sent broken down by:
• Out-of-Date systems that should be patched/updated and could potentially have a vulnerability associated with them
• Up-to-Date systems that have the most current patches
Port Profiler
• MS-ISAC will connect to 12 common ports on public IPs provided for our monitoring program.
– Services: FTP, SSH, HTTP(S), SMB, RDP, VNC, SQL, and MongoDB
– 21, 22, 23, 25, 80, 139, 443, 445, 1433, 8080, 3306, 3389, 5432, 5900, 27017
• Services are identified by reading the banner information once we connect.
– We look for predetermined keywords in the banner information, which lets us tag hosts or services that need a second look at whether they need to be public facing.
Vulnerability Management Program
• Quarterly notifications
• Contact [email protected] to:
– Opt out of this service
– Provide feedback on the Port Profiler
• Contact [email protected] if:
– You wish to add IP addresses
– You need to verify “VMP Notification” contacts
• Source IP address: 52.14.79.150
Port Profiler
Automated Threat Indicator Sharing via Anomali – TLP: WHITE
To gain an Anomali account contact:
Weekly Malware IPs and Domains – TLP: WHITE
MS-ISAC Advisories
Application Software Security
Critical Security Control # 18
Application Software Security
“Cyclical practice of building software secure and ensuring it stays secure.”
CSC #18: Application Software Security – Manage the security life-cycle of all in-house developed and acquired software.
WHY: To prevent, detect, and correct security weaknesses.
Tips
• Ongoing Process
• Begins in requirements gathering
• Ends when software is retired.
http://www.its.ny.gov/document/secure-system-development-life-cycle-ssdlc-standard
What is the SSDLC?
Benefits:
• Reduces the number of vulnerabilities
• Reduces the impact to businesses if an incident occurs
• Decreases the risk of business service disruptions
• Increases the ability of the business to deliver services
Consistent
Comprehensive
Repeatable
Risk-Based
Mission-Focused
Right-Sized
Why is SSDLC Necessary?
• In 2017, Cyber-Espionage, Privilege Misuse, Web Application Attacks, & Miscellaneous Errors represented 75% of breaches in the Public Administration sector
• 50% of all breaches in Public Administration were discovered months or years after the initial compromise
• 68% of funds lost as a result of a cyber attack were declared unrecoverable
• $3.62 million was the average total cost of a data breach in 2017
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
https://securityintelligence.com/media/2017-ponemon-institute-cost-of-a-data-breach-study/
PARTNERS/SUPPLIERS
▪ Contractual Requirements
▪ Regulatory Attestation
▪ Best Practice Controls
EMPLOYEES
▪ Awareness
▪ Self Enforcement
▪ Unified Posture
▪ Cyber Expertise
CITIZENS
▪ Expect Secure Access
▪ Expect Privacy
▪ Expect Data Accuracy
3rd PARTIES/CONTRACTORS
▪ Security Maturity
▪ Assessment Volume
▪ Governance & Reviews
▪ Regulatory Compliance
Denial of Service
Web Application Attack
Social Engineering
Malware
Spear Phishing
Spin
Insider threat
Hactivism
AGENCIES
▪ Non-Standard Practices
▪ Regulatory Drivers
▪ Varying Levels of Cyber Expertise
Credit Card Fraud
Breach
Threats to Government Organizations and Citizens
At MINIMUM, an SDLC must contain the following security activities:
1) Define Security Roles and Responsibilities
2) Orient Staff to the SDLC Security Tasks
3) Establish System Criticality Level
4) Classify Information
5) Establish System Identity Assurance Level Requirements
6) Establish System Security Profile Objectives
7) Profile the System
8) Decompose the System
9) Assess Vulnerabilities and Threats
10) Assess Risk
11) Select and Document Security Controls
12) Create Test Data
13) Test Security Controls
14) Perform Accreditation
15) Manage and Control Change
16) Measure Security Compliance
17) Perform System Disposal
SSDLC Security Activities
SSDLC Tools
https://its.ny.gov/secure-system-development-life-cycle-standard
https://its.ny.gov/document/secure-system-development-life-cycle-ssdlc-standard
We all have a role in protecting New York’s systems and information
Security needs to be consistently and comprehensively implemented using a secure SDLC
Security needs to be risk-based and right-sized
Security must be built into all systems from the very beginning
Key Takeaways
Application Software Security – Application Risk Assessment
Critical Security Control # 18
Holistic – includes business, regulatory & technical perspectives.
Comprehensive technical review - from interface to infrastructure.
Layered Risk Assessment Process

Layer | Method / Activities | NIST 800-53 | Top 20 | Validation / Metrics
Business Impact & Privacy | Interviews – identify business functions, risk; COOP/DR Plans | IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8, IR-10 | CSC 19: Incident Response and Management | Incident management procedures exist
Compliance | Interview, questionnaire; Prior security review & audit results/findings; Incidents if any | CA-7, CM-8, IA-3, SA-4, SC-17, SI-4, PM-5 | CSC 1: Inventory of Authorized/Unauthorized Devices; CSC 2: Inventory of Authorized/Unauthorized Software | Information and system owners identified, applicable laws and regulations identified
Secure Design | Plan; Information security plan; Identity Assurance worksheet (roles, separation of duties) | AC-2, AC-6, AC-17, AC-19, CA-7, IA-4, IA-5, SI-4 | CSC 5: Controlled Use of Administrative Privileges; CSC 14: Controlled Access Based on Need to Know; CSC 16: Account Monitoring and Control | SSDLC, access matrix, data flow diagrams, system and business function documentation
Web Site/Application | Web app scanning (Qualys/WebInspect); Application code scan/review; Code review; Pen-testing | CA-2, CA-5, CA-6, CA-8, RA-6, SI-6, PM-6, PM-14 | CSC 7: Email and Web Browser Protections; CSC 20: Penetration Tests and Red Team Exercises | Encryption in transit/rest, pen test results
Application, core services & databases | Discovery & Relationship Mapping (ITSM CMDB); dependencies; Application code scan/review; Code review; Database configuration & control review | CA-2, CA-7, RA-5, SC-34, SI-4, SI-7, AT-1, AT-2, AT-3, AT-4, SA-11, SA-16, PM-13, PM-14, PM-16 | CSC 4: Continuous Vulnerability Assessment and Remediation; CSC 9: Limitation and Control of Network Ports, Protocols, and Services; CSC 13: Data Protection; CSC 18: Application Software Security | Web, network and code scan results, SSDLC documentation
Platform (host, cloud) | Configuration assessment (CIS-CAT; DISA, Qualys, Nessus, hardening guidance); Network & Host Vulnerability scanning (authenticated); CAIQ & 3rd party practices | CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, CM-9, CM-11, MA-4, RA-5, SA-4, SC-15, SC-34, SI-2 | CSC 3: Secure Configurations; CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs; CSC 11: Secure Configurations for Network Devices | Secure configuration standards and secure configuration scan results
Infrastructure | Network Mapping & Scanning; Service Level Agreements; Resiliency Level (Incidents, RTO/RPO objectives) | AC-4, AC-17, AC-20, CA-3, CA-7, CA-9, CM-2, SA-9, SC-7, SC-8, SI-4 | CSC 8: Malware Defenses; CSC 10: Data Recovery Capability; CSC 12: Boundary Defense; CSC 15: Wireless Access Control | SLA documentation aligned with business mission and criticality; Network diagrams with PDS/IDS.

Row groups (rotated labels on the slide): Technical Controls; Administrative; Secure SDLC
Business Risk
Technical Security
Risk
Operational Risk
Measures 3 Key Areas
Scoring across 3 indices produces an overall application risk profile.
Risk profiles drive heat-maps & scorecards for clusters & agencies
BUSINESS RISK INDEX
• Business Impact
• Privacy Impact
• Regulatory Compliance
• Business Continuity
• Business Alignment
TECHNICAL RISK INDEX
• Application, services, Db
• Technical Controls
• Resiliency
• Technical Alignment
• Disaster Recovery
OPERATIONAL RISK INDEX
• Documentation
• Process
• Technical Controls
• Operational Environment
Cyber Security Risk Assessment Tool
Ease-of-use & Efficiency
• Menu-driven
• Self-assessment tool
• Automatic report creation
• Available online & offline
Security/Privacy
• Private SharePoint, access restricted to authorized persons
Analytics/business intelligence
• Business & Technical Risk Indices, scorecards & dashboards
Critical Success Factors
• SMEs available
• Data accuracy
Operational Risk Index (ORI)
Level 2 Self-Assessment
Level 3 Comprehensive Risk Assessment
Operational Risk Assessment Walk Through
• Summarized high-level overview
• Changes reflected in real-time
Executive Summary Report – Sample Data
Application-level Reporting: Executive Summary
Incident Response and Management
Critical Security Control # 19
Incident Response Plan?
CSC #19: Incident Response and Management – Protect information/reputation by developing incident response infrastructure to quickly discover and recover from an attack.
WHY: Planning can help with discovery of attack and minimizing the impact.
(What you don’t want!)
Key New York State Cyber Players
NYS Office of Information Technology
Enterprise Information Security Office (EISO)
NYS Public Safety Agencies
• New York State Police
• Homeland Security and Emergency Services
• NYS Intelligence Center (NYSIC)
• Division of Military and Naval Affairs (DMNA)
NYS Cyber Security Advisory Board
Executive Director & members
Center for Internet Security
Multi-State Information Sharing and Analysis Center
New York State EISO Cyber Command Center Capabilities
Incident Response Objectives
Prepare → Identification → Containment → Eradication → Recovery → Lessons Learned
Incident Response Process
• Assess the scope, magnitude and source of intrusions
• Identify root cause
• Quantify the damage
• Assist with remediation
• Make recommendations to prevent reoccurrence
• Lessons learned
Cyber Partners – Incident Response
Local Response
State: EISO CyCom, OCT CIRT, NYSP/NYSIC, MS-ISAC
Federal: US DHS, FBI
Bi-directional Information Sharing
Incident Response Escalation
NYS Cyber Incident Reporting Procedures http://www.its.ny.gov/incident-reporting
• Cyber Command Center Hotline: 518-242-5045
• Please identify the urgency of the call.
• After hours (5PM-9AM, weekends and holidays), call NYS Watch Center at 518-292-2200 and ask to report a cyber incident to the Cyber Command Center.
• If related to County Board of Election Systems – Call 1-844-OCT-CIRT
• Email [email protected].
• If including sensitive data and you are outside of the NYS Office 365 (O365) tenancy, consider encrypting using the Enterprise Information Security Office (EISO)’s PGP public key. The key may be found on the EISO web site at http://its.ny.gov/eiso/incident-reporting/
MS-ISAC 24 x 7 Security Operations Center – Central location to report any cybersecurity incident
• Support:
– Network Monitoring Services
– Research and Analysis
• Analysis and Monitoring:
– Threats
– Vulnerabilities
– Attacks
• Reporting:
– Cyber Alerts & Advisories
– Web Defacements
– Account Compromises
– Hacktivist Notifications
To report an incident or request
assistance:
Phone: 1-866-787-4722
Email: [email protected]
• Incident Response (includes on-site assistance)
• Network & Web Application Vulnerability Assessments
• Malware Analysis
• Computer & Network Forensics
• Log Analysis
• Statistical Data Analysis
Computer Emergency Response Team
TLP: WHITE
Malicious Code Analysis Platform
A web based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion
• Executables
• DLLs
• Documents
• Quarantine files
• Archives
To gain an account contact:
Security Awareness & Training
Critical Security Control # 17
Security Awareness & Training
CSC #17: Implement a Security Awareness and Training Program
Identify the specific knowledge, skills and abilities needed to support defense of the enterprise and develop a plan to remediate gaps.
WHY: Attackers will look for the weakest link (e.g., social engineering, phishing attacks).
Cybersecurity Awareness Materials
Awareness & Training – Provide opportunities to increase awareness, knowledge, competencies, and skills to reduce overall security risk
• Citizen and workforce outreach
• Awareness activities and events
• Federal, state, and local government partnerships
• Cyber training
• Promote available resources
https://its.ny.gov/eiso/local-government
Break – 10 minutes
Organizational Security
Policies, Standards, Guidelines & National Cyber Security Review
NYS Information Security Policies, Standards and Guidelines
Find important information on security policy and standards in New York State at https://its.ny.gov/eiso/policies/security
NYS-P03-002 Information Security Policy
NYS-S13-001 Secure System Development Lifecycle (SSDLC) Standard
NYS-S13-003 Sanitization/Secure Disposal Standard
NYS-S13-005 Cyber Incident Response Standard
NYS-S14-001 Information Security Risk Management Standard
NYS-S14-002 Information Classification Standard
NYS-S14-008 Secure Configuration Standard
NYS-S14-013 Account Management/Access Control Standard
NYS-P14-001 Acceptable Use of Information Technology Resources
• Policy – Why?
• Standards – What?
• Guidelines – Considerations?
• Procedures – How?
Nationwide Cyber Security Review (NCSR)
• U.S. Department of Homeland Security sponsored, voluntary cyber security self-assessment – in partnership with MS-ISAC, NASCIO and NACo
• Measures the level of cyber security maturity and risk awareness in government
• Annual survey runs from October 1 – November 30
• To register: https://msisac.cisecurity.org/resources/ncsr/registration/
• Anonymized results shared in a summary report to U.S. Congress in alternate (odd-numbered) years
• Free, annual, cyber security self-assessment, aligned to the NIST Cybersecurity Framework and designed to evaluate cybersecurity maturity and risk management.
Strategic Planning and Decision-Making
Strategic Planning
• Identify gaps & improvement opportunities
– Basic controls (1-6) with low maturity ratings
• Use the analysis to “chart a course”
– Roadmap - prioritized initiatives/investments that “move the dial” & provide best return
– Justification - budget & staffing requests
Roadmap, Priorities, Investments
• Protecting Business
• Enhanced Visibility, Monitoring & Detection
• Protecting User Accounts
• Protecting Business Devices
• Protecting Business Applications
• Protecting Sensitive Data
• Protecting NYS Infrastructure
Example: Pre-Investment Maturity

Critical Security Control #1: Inventory and Control of Hardware Assets | Critical Control 2: Inventory and Control of Software Assets | Critical Control 3: Continuous Vulnerability Management | Critical Control 4: Controlled Use of Administrative Privileges | Critical Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Utilize an Active Discovery Tool | Maintain Inventory of Authorized Software | Run Automated Vulnerability Scanning Tools | Maintain Inventory of Administrative Accounts | Establish Secure Configurations | Utilize Three Synchronized Time Sources
Use a Passive Asset Discovery Tool | Ensure Software is Supported by Vendor | Perform Authenticated Vulnerability Scanning | Change Default Passwords | Maintain Secure Images | Active Audit Logging
Use DHCP Logging to Update Asset Inventory | Utilize Software Inventory Tools | Protect Dedicated Assessment Accounts | Ensure the Use of Dedicated Administrative Accounts | Securely Store Master Images | Enable Detailed Logging
Maintain Detailed Asset Inventory | Track Software Inventory Information | Deploy Automated Operating System Patch Management Tools | Use Unique Passwords | Deploy System Configuration Management Tools | Ensure Adequate Storage for Logs
Maintain Asset Inventory Information | Integrate Software and Hardware Asset Inventories | Deploy Automated Software Patch Management Tools | Use Multifactor Authentication for All Administrative Access | Implement Automated Configuration Monitoring Systems | Central Log Management
Address Unauthorized Assets | Address Unapproved Software | Compare Back-to-back Vulnerability Scans | Use of Dedicated Machines for All Administrative Tasks | | Deploy SIEM or Log Analytic Tool
Deploy Port Level Access Control | Utilize Application Whitelisting | Utilize a Risk-rating Process | Limit Access to Script Tools | | Regularly Review Logs
Utilize Client Certificates to Authenticate Hardware Assets | Implement Application Whitelisting of Libraries | | Log and Alert on Changes to Administrative Group Membership | | Regularly Tune SIEM
| Implement Application Whitelisting of Scripts | | Log and Alert on Unsuccessful Administrative Account Login | |
| Physically or Logically Segregate High Risk Applications | | | |
Example: Post-Implementation Maturity

Critical Security Control #1: Inventory and Control of Hardware Assets | Critical Control 2: Inventory and Control of Software Assets | Critical Control 3: Continuous Vulnerability Management | Critical Control 4: Controlled Use of Administrative Privileges | Critical Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Utilize an Active Discovery Tool | Maintain Inventory of Authorized Software | Run Automated Vulnerability Scanning Tools | Maintain Inventory of Administrative Accounts | Establish Secure Configurations | Utilize Three Synchronized Time Sources
Use a Passive Asset Discovery Tool | Ensure Software is Supported by Vendor | Perform Authenticated Vulnerability Scanning | Change Default Passwords | Maintain Secure Images | Active Audit Logging
Use DHCP Logging to Update Asset Inventory | Utilize Software Inventory Tools | Protect Dedicated Assessment Accounts | Ensure the Use of Dedicated Administrative Accounts | Securely Store Master Images | Enable Detailed Logging
Maintain Detailed Asset Inventory | Track Software Inventory Information | Deploy Automated Operating System Patch Management Tools | Use Unique Passwords | Deploy System Configuration Management Tools | Ensure Adequate Storage for Logs
Maintain Asset Inventory Information | Integrate Software and Hardware Asset Inventories | Deploy Automated Software Patch Management Tools | Use Multifactor Authentication for All Administrative Access | Implement Automated Configuration Monitoring Systems | Central Log Management
Address Unauthorized Assets | Address Unapproved Software | Compare Back-to-back Vulnerability Scans | Use of Dedicated Machines for All Administrative Tasks | | Deploy SIEM or Log Analytic Tool
Deploy Port Level Access Control | Utilize Application Whitelisting | Utilize a Risk-rating Process | Limit Access to Script Tools | | Regularly Review Logs
Utilize Client Certificates to Authenticate Hardware Assets | Implement Application Whitelisting of Libraries | | Log and Alert on Changes to Administrative Group Membership | | Regularly Tune SIEM
| Implement Application Whitelisting of Scripts | | Log and Alert on Unsuccessful Administrative Account Login | |
| Physically or Logically Segregate High Risk Applications | | | |
Governance - Benchmarking Performance
• Use Top 20 & NCSR to track progress:
– Security program performance
• Did initiatives provide expected improvements?
• What activities improved our security posture?
• What controls should we focus on?
– Report to executives
• Demonstrate improvements & validate spending
Recap
• Assess your current security posture
• Identify gaps & areas for improvement
• Create a plan - priorities, resources
– Use controls, tools & processes to focus efforts
• Asset Management
• Vulnerability Scanning
• Secure SDLC
• Application Risk Assessments
• Operational Controls
– Policies & Standards
– Awareness and Training
• Track & report performance
Mitigating Cyber Risks through Legal, Insurance & Procurement Resources
Legal: Conduct Contract Reviews
– Data Sharing Agreements Terms & Conditions
– Standard Contract Clauses for IT Contracts
• https://its.ny.gov/sites/default/files/documents/appendix_c_-_its_standard_contract_clauses_.pdf
– OGS Contracts Terms & Conditions
Insurance:
– Cyber Liability Coverage
• Privacy/Network Security Liability
• Professional Liability/Technology Errors & Omissions Coverage
Procurement: Office of General Services Procurement Services Group
• Email: [email protected]
• Website: www.ogs.ny.gov
• Annual NY GovBuy Training: https://govbuy.ogs.ny.gov/
• Buying 101 for Local Government: https://nyspro.ogs.ny.gov/content/buying-101-local-government
• Using OGS Centralized Contracts: https://nyspro.ogs.ny.gov/content/using-ogs-centralized-contracts-0
Manufacturer Umbrella Contract: https://www.ogs.ny.gov/purchase/snt/awardnotes/7360022802can.HTM
• Procure Software, Hardware, Cloud-based Products and related Implementation services, based on a Manufacturer’s Products.
Project Based Information Technology Consulting Services (PBITS): https://ogs.ny.gov/purchase/snt/awardnotes/7360022772can.htm
• Use this contract to procure services to:
• Provide network monitoring, logging (IDS/IPS, 3rd Party MSS)
• Conduct cyber risk assessments
• Perform technical vulnerability remediation
• Develop secure IT architecture
• Enhance cyber preparedness and incident response planning, training and exercises
Distributor Umbrella Contract: https://www.ogs.state.ny.us/purchase/snt/awardnotes/7360022876can.HTM
• Procure Software, Hardware, and small amounts of related services for manufacturers unable to secure a Manufacturer’s Umbrella Contract.
Hourly Based Information Technology Services (HBITS): https://www.ogs.ny.gov/BU/PC/hbits/default.asp
• Procure Staff Augmentation services
New York GovBuy Conference Resources
2017: https://govbuy.ogs.ny.gov/2017-courses
• IT Umbrella Manufacturer and Distributor Contracts: How to Buy IT Products
o Recorded Session: https://govbuy.ogs.ny.gov/it-umbrella-manufacturer-and-distributor-contracts-how-buy-it-products
2018: https://govbuy.ogs.ny.gov/2018-courses
• Local Governments: What You Need to Know About Purchasing
o Recorded Session: https://govbuy.ogs.ny.gov/local-governments-what-you-need-know-about-purchasing-0
• Intro to OGS & Procurement Services
o https://govbuy.ogs.ny.gov/new-who-ogs-and-how-navigate-our-website
• IT Project Based Information Technology Services (PBITS) Contracts: Case Studies in how to procure IT Project Based Services
o Recorded Session: https://govbuy.ogs.ny.gov/it-project-based-information-technology-services-pbits-contracts-case-studies-how-procure-it-project
• IT Umbrella Manufacturer and Distributor Contracts: Case Studies in how to procure IT products
o https://govbuy.ogs.ny.gov/it-umbrella-manufacturer-and-distributor-contracts-case-studies-how-procure-it-products
• Acquiring Contract Solutions through General Services Administration (GSA) Federal Contracts
o https://govbuy.ogs.ny.gov/new-acquiring-contract-solutions-through-general-services-administration-gsa-federal-contracts
Cyber Security Service Offerings
NYS Shared Service Offerings
Policy/Standards
Compliance Support
Education & Awareness
Risk Assessment & Remediation
Secure Architecture & Engineering
Monitoring
Threat Intelligence Analysis/Response
Vulnerability Management
Digital Forensics & Incident Response
Penetration Testing
Continuity/Disaster Recovery Planning
Security Analytics
Table Top Exercises
NYS Chief Information Security Office
– Main: 518.242.5200 [email protected]
– Cyber Command Center (CyCom): 518.242.5045 [email protected]
– Local Government Resources: https://its.ny.gov/local-government
Federal Government Service Offerings
US DHS Cybersecurity Services
Assessments
• Cyber Resilience Review (operational resilience and cybersecurity practices)
• External Dependencies Management (issues related to vendors and reliance on external entities)
• Risk and Vulnerability Assessment (whether and by what methods an adversary can defeat network controls)
• Phishing Campaign Assessment
• Vulnerability Scanning
• Validated Architecture Design Review
• Cybersecurity Evaluation Tool
• Cybersecurity Advisors (CSA)
– Rich Richard Jr., Region [email protected]
• Cybersecurity Exercise Support
• Incident Response
• Awareness and Training
– Stop.Think.Connect: https://www.dhs.gov/stopthinkconnect
– Federal Virtual Training Environment: https://niccs.us-cert.gov/training/federal-virtual-training-environment-fedvte
MS-ISAC Service Offerings
Eugene Kipniss
Senior Program Specialist
EI-ISAC
518.880.0716
EI-ISAC 24x7 Security Operations Center
1-866-787-4722
Andrew Dolan
Director, Stakeholder Engagement
EI-ISAC
518.880.0693
Monitoring of IP Range & Domain Space
IP Monitoring
• IPs connecting to malicious C&Cs
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus
Domain Monitoring
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)
Send domains, IP ranges, and contact info to:
Additional Benefits of Both ISACs
• Situational Awareness Resources
• Insider access to federal information
• Product and Training Discounts
• Cybersecurity Exercise Participation
• Workgroups
• Webcasts
Access to:
• MS-ISAC Cyber Alert Map
• Archived webcasts & products
• Cyber table top exercises
• Guides and templates
• Message boards
HSIN Community of Interest
SecureSuite
• Workbench
– Platform for creating and maintaining resources
– https://workbench.cisecurity.org
• CIS-CAT Pro
– Configuration and Vulnerability Assessment Tool
– Assessor and Dashboard can be downloaded from Workbench
DDoS Mitigation and Web Protection Services
Google - Protect Your Election
• Project Shield DDoS Protection
• Two Factor Authentication
• Advanced Phishing Protection (GSuite)
• Password Alert Plugin for Chrome
• General Security Support
Cloudflare – Athenian Project
• Full enterprise offering
• DDoS protection
• Web Application Firewall (WAF)
• Content Delivery Network (CDN)
• 24x7 Support
Both services are available to any SLTT organization responsible for public-facing elections infrastructure related to voter registration information and election night reporting.
• Collaborative Purchasing
– End-User Security Awareness Training
– Advanced Technical Training Courses & Degree Programs
– Consulting Services
– Two-Factor Authentication
– Cloud Access Security Management
• Over $40 million in savings for our members
• Learn more at www.cisecurity.org/services/cis-cybermarket or contact [email protected]
Who can I call for help?
Security Operations Center (SOC)
[email protected] - 1-866-787-4722
31 Tech Valley Dr., East Greenbush, NY 12061-4134
www.cisecurity.org
To join or get more information:
https://learn.cisecurity.org/ms-isac-registration
Election Infrastructure ISAC Resources
Who We Serve
EI-ISAC Members include:
• 48 State Elections Entities
• Over 500 Local Government Elections Entities
County Clerks, Secretaries of State, Registrars of Voters, Departments of Elections, Boards of Elections
About EI-ISAC Membership
Free and Voluntary
No Mandated Information Sharing
Registration is the only requirement!
To join or get more information:
https://learn.cisecurity.org/ei-isac-registration
An Elections-focused Cyber Defense Suite
• 24x7x365 network monitoring
• Incident response and remediation
• Threat and vulnerability monitoring
• Election-specific threat intelligence
• Training sessions and webinars
• Promote security best practices
• DDoS mitigation and web protection services
Elections Weekly News Alert
• MS-ISAC analysis to provide key context
– General election industry or election security reports
– Legislative action on election security issues
– Best practice examples from peers in the election community
– General technology/cybersecurity stories that may have an election link/impact
• Released on Wednesday afternoons
Cybersecurity Spotlight
• Key Security Terms and Best Practices
– What it is
– Why does it matter
– What you can do
• Released on Friday afternoons
Elections Sector Quarterly Report
• Compiles analysis of elections-specific events identified by/reported to MS-ISAC
• Provides highlights of MS-ISAC election activities
Election-specific Cyber Alerts
• Short e-mail alerts regarding immediate threats
– Targeted at both executive and technical staff
• Provides overview of activity and actionable recommendations
– Executive Overview
– Executive Recommendations
– Technical Overview
– Technical Recommendations
Handbook for EI Security
• Intended for Elections Officials and Technical Support Teams
• Analyzes the risks of key election system components
• Describes specific technical controls and processes to improve security
• Assessment tool to be made available
Order Hard Copies:
https://learn.cisecurity.org/ei-handbook
https://www.cisecurity.org/elections-resources