O F T H E

C Y B E R S E C U R I T Y

1. A G E N C Y O F T H E F U T U R E

T A B L E O F C O N T E N T S

3E X E C U T I V E S U M M A R Y

T H E R E S U L T S O F T H E G O V L O O P C Y B E R S E C U R I T Y S U R V E Y

T U R N I N G T H E O R Y I N T O P R A C T I C E : M I C H I G A N ’ S T R A N S F O R M A T I V E C Y B E R S E C U R I T Y

S T R A T E G Y

T H E I M P O R TA N C E O F A S S E S S I N G Y O U R I T E N V I R O N M E N T

P R O T E C T I N G O U R N A T I O N : A N O V E R -

V I E W O F T H E F E D E R A L G O V E R N M E N T ’ S C Y B E R S E C U -

R I T Y W A R

6121518

2.C Y B E R S E C U R I T Y

1 9 M E T R I C S T O T R A C K Y O U R C Y B E R S E C U R I T Y E F F O R T S

P R I V A T E S E C T O R S O L U T I O N S F O R F E D E R A L G O V E R N M E N T C Y B E R S E C U R I T Y

8 W A Y S T O M I T I G A T E R I S K S

Y O U R C Y B E R S E C U R I T Y C H E A T S H E E T

A B O U T G O V L O O P

2021242931

3. A G E N C Y O F T H E F U T U R E

This “Winning the Cybersecurity Battle” report is part of GovLoop’s Agency of the Future series, which explores the latest trends shaping government in the next 3-5 years. In ways yet to be seen, cybersecurity has already affected the “agency of the future.” Today, the world is interconnected like never before. As a nation, we must work collaboratively to ensure that cyber defense strategies are robust and effective to secure our way of life.

President Obama said during remarks at the White House, “the cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.” Throughout his tenure, President Obama has direct-ed agencies to conduct a thorough analysis of the

Federal Government’s efforts to protect data, infor-mation, communication and critical infrastructure. Often, we forget that every day Americans rely on cyber defense for our economic viability and security. Cyber includes much more than just our personal identity and social security numbers. Every day, cyber defense is used to protect:

� Broadband networks

� Information networks that power business, hospi-tals and schools

� Critical infrastructure

� Classified government intelligence and documents

C Y B E R S E C U R I T Y :W I N N I N G T H E C Y B E R S E C U R I T Y B A T T L EA G E N C Y O F T H E F U T U R E

E X E C U T I V E S U M M A R Y

4.C Y B E R S E C U R I T Y

This report provides an overview of the current cy-bersecurity landscape and the ‘need to know’ cyber information for government professionals. This re-port includes:

Results from 156 Public Sector Employees: This survey finds that 84% of respondents see cyberse-curity as a priority for their agency in the next 3-5 years. The trend cannot be overlooked; cybersecurity is now a mission critical practice within an agency. Additional findings include:

� 90 percent of respondents do not believe their agencies are fully prepared for a cyber attack. They cited the ever-changing nature of cyber threats, as well as inadequate staffing and training as primary obstacles for preparedness.

� 49 percent of respondents cited phishing as the largest threat to cyber security at their agency.

� 22 percent of respondents could not accurately assess the cybersecurity systems and policies of their agencies.

Interview with Dan Lohrmann – Chief Information Security Officer, Michigan: Lohrmann shares his ex-perience and expertise keeping Michigan safe through

innovative practices, such as the Michigan Cyber Range and improved training methods for state em-ployees.

Overview of Federal Government Cybersecurity Landscape: This section provides an overview of some of the efforts by the Obama Administration and highlights key findings from a recent GAO report.

Industry Perspectives: This report also includes three interviews with industry experts, highlighting how industry is assisting government in keeping in-formation and data safe.

Cybersecurity Cheat Sheet: Our cheat sheet will provide you with a synopsis of the guide, and the need to know cybersecurity information.

The agency of the future will revolve around con-solidating and integrating IT systems and connecting disparate data sets to improve decision-making. Ad-ditionally, the agency of the future will be rooted in data, cloud and mobile technology. With these trends shaping the public sector, the need is clear to adopt robust security protocols. This report is your first step to winning the cybersecurity battle.

I N A G O V L O O P S U R V E Y O F 1 6 7

P U B L I C S E C T O R E M P L O Y E E S ,

8 4 % S A I D C Y B E R S E C U R I T Y I S A

P R I O R I T Y F O R T H E I R A G E N C Y I N

T H E N E X T 3 - 5 Y E A R S .

6.C Y B E R S E C U R I T Y

With the digitization of documents, increased Inter-net access to public information, and data storage in the cloud, government resources have become more convenient and accessible for citizens and public sec-tor professionals. Yet, the increased access has also led to valuable data becoming vulnerable to those seeking to breach government security. Recently, GovLoop conducted a survey of 167 gov-ernment and industry professionals on their agency’s approach to cybersecurity. Respondents represent-ed federal agencies, such as the U.S. Department of State, the U.S. Department of Commerce, local and state government agencies from Montana, New York, and Idaho, as well as private sector professionals. The survey focused on the critical issue of cybersecurity and what agencies are doing (and, in many cases, not doing) to address cybersecurity concerns.

WHAT IS YOUR BIGGEST CHALLENGE WITH CYBERSECURITY?

The survey asked respondents to identify their big-gest cybersecurity challenge (See Figure 1). Respon-dents could choose from inadequate funding, inad-equate training, increased sophistication in threats, high volume of attacks, an agency’s failure to make cybersecurity a priority, or emerging technology. The survey found:

� 30 percent of respondents identified sophistica-tion of threats as their biggest concern.

� 21 percent of respondents cited staffing and training as a challenge.

� 11 percent of respondents identified thats cyber-security not a big enough priority within agency.

T H E R E S U L T S O F T H E G O V L O O P

C Y B E R S E C U R I T Y S U R V E Y

7. A G E N C Y O F T H E F U T U R E

In addition, respondents were able to add comments on how to im-prove cybersecurity in a unique government culture. One respon-dent said, “Overzealous IT ad-ministrators put unfriendly user controls on programs, driving em-ployees to work around security systems, instead of supporting the systems.” Recognizing these chal-lenges, 84% of respondents believe cybersecurity will be very impor-tant in the next 3-5 years. WHAT IS YOUR AGENCY’S LEVEL OF PREPAREDNESS FOR ATTACK?

The survey also asked respondents to rate their agency’s prepared-ness for a cyber attack. Accord-ing to our results, agencies have

an opportunity to make significant strides to be prepared in the event of an attack (See Figure 2):

� 8 percent of respondents said their agencies are not at all prepared for a cyber attack.

� 10 percent of respondents said their agencies were fully pre-pared for a cyber attack.

� 22 percent of respondents admitted they did not know enough to provide an answer, showing a lack of awareness of cybersecurity issues.

� 60 percent of respondents be-lieve their agencies are either moderately (30 percent) or somewhat (30 percent) pre-pared for a cyber attack.

WHAT TYPE OF CYBER ATTACKS CONCERNS YOU MOST?

The survey also explored the kinds of cyber attacks that most con-cerns agencies. Respondents could choose from cross-site scripting, denial of service, phishing, distrib-uted denial of service, logic bombs, and structured query language in-jection (See Figure 3). Forty nine percent believe phishing (obtain-ing a user’s personal information by posing as a trustworthy entity) is the attack that poses the highest risk. As agencies focus on where to begin in improving cybersecuri-ty, clearly phishing should be a pri-ority. For those that said “other,” many wrote they have “no idea” or simply “don’t know” which at-tacks pose the highest threat. This

What is your biggest challenge with cybersecurity? (Figure 1)

What is Your Agencies Level of Preparedness? (Figure 2)

Inadequate staffing and

training

Emerging technology

increases risks

Limited funding to provide protection

Not a big enough priority within agency

Speed, number and consistency

of attacks

30% 21% 12%12% 11% 4%

Growing sophistication

of threats

Moderately prepared to combat

an attack

Somewhat prepared to combat

an attack

Fully prepared to combat

an attack

Not prepared to combat

an attack

8%10%22%30%30%

Unknown - I am unable to

make an appropriate assessment

answer adds to a general trend in the results of this survey: a lack of awareness about important cyber security issues and initiatives.

Hackers may operate alone or in very small groups. Additionally, hackers can be part of foreign na-tions’ military efforts, in which na-tions organize widespread hacking operations as part of their na-tional security strategy. Agencies may have a hard time prosecuting the culprits and must focus on the kind of security that would pre-vent an attack, instead of trying to take legal action later.

What Type of Cyber Attacks Concern You the Most? (Figure3)

Who is Conducting the Attacks? (Figure4)

49%49%38%27%27%26%19%16%14%11%10%

6%

Viruses

Phishing

Trojan Horses

Denial - of - service

Worms

DistributedDenial - of - service

Other

Cross - site scripting

Structured QueryLanguage injection

Passive wiretapping

Logic bombs

Wardriving

Phishing

60%

48%

44%

44%

40%

35%

34%

28%

21%

21%

13%

10%

Hackers

Spyware or malware authors

Criminal groups

Phishers

Nations

Spammers

Terrorists

Bot - Network operators

Insiders

International corporate spies

Other

Business competitors

Survey in Review To overcome some of the chal-lenges presented by the survey, the GovLoop survey finds that cyberse-curity is a critically important field that will benefit from increased collaboration and implementation of best practices. The key findings from our survey include:

� 90 percent of respondents do not believe their agencies are fully prepared for a cyber attack and named the ever-changing, ever-challenging nature of cyber threats as well as inadequate staffing and training as the big-gest obstacles standing in the way of full-preparedness.

� 84 percent see cybersecurity as a priority for their agency in the next 3-5 years.

� 49 percent of respondents cited phishing as the largest threat to cyber security at their agency.

� 22 percent of respondents could not accurately assess the cybersecurity systems and poli-cies of their agencies.

Cybersecurity initiatives are es-sential to protect critical infra-structure, identities and confiden-tial government data. Agencies can no longer afford to take a reac-

tive stance to cybersecurity; they must continue to become more proactive, ahead of the trends and one step ahead of attackers. Our report continues to provide an overview of the government land-scape, and how agencies can stay secure in a quickly changing threat environment.

How Will Cyber Security Shape the Agency of the Future?

In the next three to five years, cybersecurity will remain the key focus for government agen-cies. As cloud computing and mobile technologies are adopt-ed, agencies must pay close at-tention to their security efforts. The ability to proactively stop

and mitigate cyber attacks is a guiding principle for the agency of the future.

Chris Daly, Lead Business Program Manager and Solutions Architect for Data Centers Security and Switching at Juniper Networks, shared expert in-sights on how cybersecurity will shape the future of government. Daly noted, “Attacks are becoming much more visible and pervasive. Before, attacks re-sembled single skirmishes between an attacker and a single target. Now there are full attack campaigns, with well thought out strategies and tactics, mul-tiple targets, and specific goals by attackers.” Daly cautioned that sophisticated attacks will continue to grow in complexity, and in the next three to five years, agencies must consider significantly new ap-proaches to address these complex threats.

Agencies will not only be tested by more perva-sive and complex threats, but they also will face the prospect of additional cyber legislation. Potential legislation will mandate specific actions in regards to cyber defense strategies. “Cybersecurity will become one of the must-haves and agencies face the reality of cyber security legislation coming out within the next three to five years as well. There’s no way it can be avoided,” noted Daly. President Obama’s recent Executive Order provides a step in the right direction, yet legislation is still needed to address private and public sector requirements for cyber initiatives.

Although threats persist and agencies face the prospects of additional cyber mandates, agencies can still mitigate risks by taking the proper secu-rity measures. One of the first steps to improved security is defining the kinds of attacks that exist and the threats to the agency. As Daly identified, “At

Juniper Networks we have defined two major types of attacks - what we call the ‘outside-in attacks’ and ‘inside-out attacks.’ Essentially, an outside-in attack is when an attacker focuses on the web resources of a data center as the target, and we are seeing a lot more of those attacks as a result of poor coding and web security designs.” An inside-out attack is where a user endpoint is targeted by a remote attacker. So-cial engineering techniques and weak endpoint de-fenses have made these attacks easier to succeed, and the exploited endpoints are used to launch at-tacks on enterprise resources.

To prevent these attacks from happening, Daly rec-ommended a few best practices as a starting point. Daly recommended the following steps as starting points:

� Stay current with the NIST report 800-53r4 and recommended controls.

� Identify and continuously monitor the devices, us-ers and access points on your network.

� Learn about your vendor partner roadmap and product feature sets.

� Be a prudent early adopter of new technology that can address some of the new complex threats that are emerging.

Finally, Daly indicated the importance of communi-cation. “One example that comes to mind in terms of showing the importance of communication is that a customer may ask about a capability, not realizing that a feature set was already included in a product they had,” said Daly. “It’s important to get that educa-tion, and go deep with your vendor partners as you try to address new requirements.” Undoubtedly, the agency of the future will be defined by a proactive approach to cybersecurity efforts.

An expert interview with Chris Daly, Lead Business Program Manager and Solutions Architect for Data Centers Security and Switching, Juniper Networks

10.C Y B E R S E C U R I T Y

M I C H I G A N ’ S T R A N S F O R M A T I V E

C Y B E R S E C U R I T Y S T R A T E G Y

12.C Y B E R S E C U R I T Y

T U R N I N G T H E O R Y I N T O P R A C T I C E :

In an effort to improve cybersecurity programs, the State of Michigan launched a robust cyber strategy in 2011. The strategy included improved training meth-ods for employees and created the Michigan Cyber Range. These initiatives were created in the State of Michigan as government leaders recognized the ur-gency and importance of a properly defined cyberse-curity strategy.

As multiple IT systems power government service delivery, agencies are exposed to more risks. Rogue cloud use by agency employees, too much reliance on vulnerable mobile apps, and a lack of understand-ing of what is on agency’s networks have exposed or-ganizations to increased cyber risks. “Cybersecurity is vitally important in everything we do. Technology is an integral part of Governor Snyder’s plan and his whole strategy as governor is to enable efficiency using technology,” said Lohrmann.

OVERVIEW OF THE MICHIGAN CYBERSECURITY STRATEGY

In this report, Dan Lohrmann, Chief Security Officer, State of Michigan, shared his expertise as a leader in cybersecurity defense.

M I C H I G A N ’ S T R A N S F O R M A T I V E

C Y B E R S E C U R I T Y S T R A T E G Y

Prevention: take proactive steps to keep an event from occurring.

Early Detection and Rapid Response: to discover attacks early and respond quickly to minimize risks.

Control, Management and Restoration: take appro-priate steps to minimize damage and quickly return to normal operations if an attack occurs.

Under Lohrmann’s leadership, Michigan has become

a national leader in cyber defense. The cybersecurity

strategy developed in 2011 by the State of Michigan is

published at michigan.gov/cybersecurity, and is

available for download. This strategy is a must read

for any security professional working in government.

Specifically, Michigan’s cyber strategy addressed:

13. A G E N C Y O F T H E F U T U R E

In addition, the strategy includes three distinct sections. Part I de-fines cybersecurity in the State of Michigan, which is built on three pillars:

Confidentiality: ensure that private information remains private.

Integrity: make sure that govern-ment data is complete, whole and defensibly sound.

Availability: make information se-curely available to those who need access.

The cyber plan also includes sec-tions on Michigan’s cyber response strategy and Michigan’s unique cy-ber industry opportunity. “We’re about halfway through that plan now. It involved many components and we’ve taken many steps,” not-ed Lohrmann.

Across all levels of government, one of the main concerns by Chief Security Officers (CSO) is the lack of training for employees. Michigan has proactively offered cyber train-ing. Beyond providing resources and training to state employees, cyber training and resources are

available to contractors, local government officials, businesses, homes and families. Each of these stakeholder groups can access on-line toolkits tailored specifically to meet their cyber needs.

TRANSFORMING CYBERSECURITY TRAINING: THE MICHIGAN CYBER RANGE

Within the state government, Lohrmann led an initiative to transform how the state conducts cyber training. “Every CIO will tell you that training is important. But to give you an example, we’ve re-ally overhauled our whole training approach. We basically threw away our whole training. It was not ef-fective. It was not working. It was death by PowerPoint.”

� Michigan created a new, in-teractive training opportunity through informative videos around core topics. Initially, the training program included about 5,000 people, but has now grown to well over 45,000 employees. “We’ve gotten fan-

tastic feedback - employees say they love it. It’s just been a huge success, a totally different ap-proach,” said Lohrmann. Some of the training topics include:

� Understanding Security at Work

� Employee Responsibilities

� Confidential Information

� Password Security

� Workstation Security

� Physical Security

� Common Threats and Viruses

� Mobile Worker Challenges

� Internet Access at Work

The challenging part of cyber training is that effective training requires tailored information for each employee. To overcome this obstacle, Michigan has launched the Cyber Range, which is de-signed specifically for cybersecu-rity professionals. “It’s a research, development and test environ-

“ AT TA C K S R A N G E T H E F U L L G A M U T : E V E RY T H I N G

F R O M W E B - B A S E D AT TA C K S T O P E O P L E

S C A N N I N G O U R N E T W O R K S T RY I N G T O F I N D

H O L E S I N T H E P E R I M E T E R , ” S A I D D A N L O H R M A N N ,

“ S TAT E O F M I C H I G A N C S O .

14.C Y B E R S E C U R I T Y

ment, a leading edge, team training for technology professionals. We are providing really good training for not just government staff, but also partnering with the private sector. We’ve had a lot of private critical infrastructure protection operators involved in the Cyber Range,” said Lohrmann.

The Michigan Cyber Range is a fas-cinating initiative to stay in front of attackers. Like a shooting range, the Cyber Range allows organiza-tions to conduct “live-fire” exer-cises in a controlled environment. These simulations are tailored to the participants and used to un-derstand a variety of situations. The Range conducts cyber train-ings for groups or individuals, and participants learn strategies fo-cused on protecting:

� Critical infrastructure defense

� Homeland security

� Criminal justice and law en-forcement

� Information Communications Technology (ICT) and related industry academic and educa-tional programs and curriculum

� Private sector entrepreneurial, small and medium business sec-tors

The Cyber Range model is a great exercise to collaborate and share information across sectors.

PERSISTENT AND EVOLVING THREATS REMAIN FOR STATE GOVERNMENTS

Although Michigan has taken a robust approach to their cyber defense strategy, Lohrmann em-phasized they are still at risk. Lohrmann said, “Attacks range the full gamut: everything from web-based attacks to people scanning our networks trying to find holes in the perimeter.”

In particular, this year Lohrmann has noticed an uptick in spear phishing. Spear phishing is an e-mail spoofing attack that attempts to retrieve unauthorized access of data and information. For in-stance, a spear phishing attack may solicit personal information from a specific (often senior) official within an organization. Instead of a mass e-mail to everyone in an organization, it may be directed at the CEO asking them by name to open an attached file or click a link. In Michigan, Lohrmann ex-plained they have seen four spear fishing attacks this year. In each case, employees received a simple email that attempts to obtain un-authorized access to IT systems. “We had a number of emails sent that were very simple and said things like, ‘Your email box is full. Click here and we’ll take care of it for you at the help desk.’ In some cases, the more simplistic, the more powerful. This is because

the email used words like SOM.” In Michigan, SOM is used internally to abbreviate State of Michigan. In this instance, the attacker used specific language to target their attack. Although the attack was ul-timately thwarted, the spoofing ef-fort is still a powerful temptation for employees.

During one spear phishing attack, 2,500 employees received the email and another 156 fell victim to the attack. After clicking, the 156 employees were asked for their credentials used to login to government resources. “The at-tacker knew that once they had those credentials, they could then use that data to then go after the databases and go after the bigger fish.”

Thankfully, Lohrmann’s team was able to prevent any data loss and breach of systems from this at-tack. He noted that these attacks are becoming much more sophis-ticated. “Never before have we had that amount of dedicated spear phishing in the state,” said Lohrmann.

MICHIGAN CYBER SUMMIT: ANOTHER PROACTIVE STEP TO THWART THREATS

The State of Michigan has hosted two Cyber Summits. The Summits have included cybersecurity tracks on business, education, home us-ers/families, law enforcement and government. Although work will always remain, Michigan has taken authoritative steps to maintain se-curity in a dynamic environment.

15. A G E N C Y O F T H E F U T U R E

The Importance of Assessing Your IT EnvironmentJen Nowell, Director of Strategic Program, US Public Sector, Syman-tec, provided her expert insights on the state of cybersecurity in government. Nowell described the importance of agencies con-ducting a thorough analysis of the risk and vulnerabilities of an

agency’s network. This has become especially impor-tant, as the threat landscape for agencies is growing more sophisticated. “As threats continue to grow in complexity, the old approach of being reactive is re-ally no longer effective,” said Nowell. “There has been an increase in sophistication and highly-targeted at-tacks are on the rise. Federal organizations’ data are good targets for attackers.”

Employees and agencies are now deploying dozens of devices, approved and unapproved on public sec-tor networks. This dynamic has challenged agencies to retain visibility on their networks. Everything from mobile phones, printers, routers and switches or any-thing with an IP address, may potentially lead to a security threat. In light of this changing reality, Nowell cites three key action steps for agencies:

1. BROADEN YOUR AWARENESS

To combat this growing sophistication of threats, agencies must gain broader awareness of the risks on their networks. Nowell suggests that agencies may not have the tools in place to adequately un-derstand their assets and security environment. “In a lot of agencies, devices will come online that they are not aware of. If they have a way to easily assess at any point in time when new systems come online, whether it’s hardware or software, that’s a good start. Then administrators can start to assess what their baseline is and watch for new vulnerabilities coming,” said Nowell.

2. MAKE AN ASSESSMENT

In order to improve security, agencies need to start by assessing the network and understanding who and what is accessing the network. Nowell explained that, “agencies need to start by understanding what their

assets are and then work to understand, ‘what is my normal?’ Then explore what the deviations are from the normal baselines. Ultimately, this gives value back to the organization.”

3. INVOLVE SECURITY PERSONNEL

“The security officer must also have a seat at the table. Security officers can explain how assuming risk here will create trade-offs for the agency,” said Now-ell. Her comments reaffirmed the importance of two important stages in building a robust security system:

� Increased visibility through asset discovery: Agencies must validate users and identify the point of entry for security.

� Management of devices and assets on a network: Government agencies must correct misconfigured devices and keep security patches updated. This will help them be proactive and take action to as-sure any compliance with policy to reduce risks.

Nowell identified additional challenges that revolve around a quickly changing landscape. In particular, Nowell identified mobile security as a challenge, “We now have to look for vulnerabilities coming from [mo-bile] devices coming online. So when we think about a security program, you need to understand your en-tire environment. Agencies really need to make sure they have a handle on their environment before they know what their standard baseline should look like.”

By conducting a thorough assessment of a network, agencies can work towards building stronger secu-rity protocols, and can help keep information secure. Agencies are facing more sophisticated threats than ever before, but by being proactive and working to spot vulnerabilities and risk, they can mitigate the growing risks.

16.C Y B E R S E C U R I T Y

The security intelligence to keep you safe.

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.

Even as hackers and cybercriminals race to exploit new technologies, Symantec keeps you safe. Our leading security intelligence identifies and stops mutating malware, protects business data and apps from mobile to the cloud, and uses advanced behavioral data to prevent malicious insiders from exploiting sensitive information.

Download the Symantec Government Internet Security Threat Report at go.symantec.com/govthreatreport for an in-depth view of the dynamic threat landscape and how to best defend against these threats.

18.C Y B E R S E C U R I T Y

P R O T E C T I N G O U R N A T I O N :

Michigan is not alone in its efforts to update its cy-bersecurity strategy. At the federal level of govern-ment, the need for improved security is clear as well. The U.S. Computer Emergency Readiness Team (U.S. CERT) reported that number of incidents reported by federal agencies has increased 782 percent from 2006 to 2012.

Gregory Wilshusen recently spoke with Chris Dorobek on GovLoop’s daily podcast, the DorobekI-NSIDER, about these growing attacks. Wilshusen is the Director of Information Security Issues at the Government Accountability Office (GAO) and was the main author of the report, “National Strat-egy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented.” Like Lohrmann, Wilshusen called attention to the chal-lenging threat landscape for federal agencies:

“We are in a constantly changing environment. So you have trade-offs. Businesses and agencies are also adding new technologies all the time, like cloud com-puting or mobile devices. Sometimes the implemen-tation of these devices precedes the development of

effective security controls over those technologies. So while those newer technologies can provide a lot of benefits, if the security is not appropriately con-sidered and implemented it can introduce risk to the organization.”

Wilshusen’s comments fall closely in line with vari-ous mandates and strategies created by the Obama Administration. On February 12, 2013, President Obama released the Executive Order, Improving Critical Infrastructure Cybersecurity. This Executive Order was a reminder that too often cybersecurity is described solely as identity theft or stolen credit card numbers.

The executive order specifically focuses on critical infrastructure, which the executive order defines: “As used in this order, the term critical infrastruc-ture means systems and assets, whether physical or virtual, so vital to the United States that the inca-pacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Specifically,

O V E R V I E W O F T H E F E D E R A L

G O V E R N M E N T ’ S C Y B E R S E C U R I T Y W A R

19. A G E N C Y O F T H E F U T U R E

the report defines critical infra-structure as broadband networks, power grids, financial data, hospi-tals, schools, and dozens of other services.

With this Executive Order, Presi-dent Obama has made it readily clear that cybersecurity is a vital part of our national and economic priorities. In a fact sheet provided by the White House, the Adminis-tration provides six focus areas:

� Development of a descrip-tion of the functional relation-ships within the Department of Homeland Security and across the Federal Government re-lated to critical infrastructure security and resilience within 120 days.

� Completion of an assessment of the existing public-private partnership model and recom-mended options for improv-ing the partnership within 150 days.

� Identification of baseline data and systems requirements for the Federal Government to en-able efficient information ex-change within 180 days.

� Development of a situational awareness capability for critical infrastructure within 240 days.

� Update the National Infrastruc-ture Protection Plan within 240 days.

� Completion of a national criti-cal infrastructure security and resilience research and devel-opment plan within 2 years.

Across the federal government, agencies have been reforming their

security policies to comply with Presidential Directives and man-dates. In particular, the Depart-ment of Defense has taken signifi-cant steps to improve their cyber defense. In 2011, the Department of Defense named cyberspace a new domain of warfare. Just like our military protects us from physical threats, cyber programs are being developed to fight to secure our personal information, data and critical infrastructure.

One example is US Cyber Com-mand (USCYBERCOM). “US-CYBERCOM plans, coordinates, integrates, synchronizes, and con-ducts activities to: direct the op-erations and defense of specified Department of Defense informa-tion networks and; prepare to, and when directed, conduct full-spec-trum military cyberspace opera-tions in order to enable actions in all domains, ensure US/Allied free-dom of action in cyberspace and deny the same to our adversar-ies,” states the website. Additional

Department of Defense cyber de-fense programs include:

Army Cyber Command

Navy Cyber Forces

Air Forces Cyber / 24th Air Force

Although the federal government and the armed forces have made great strides in cybersecurity ef-forts, there will always be new and emerging threats to critical infra-structure and IT systems. Govern-ment agencies must continue to take the lead in advising cyberse-curity policy and staying one step ahead of the attackers.

20.C Y B E R S E C U R I T Y

19 METRICS TO TRACK YOUR CYBERSECURITY EFFORTSThe steps taken by the federal government are just starting points, and much work is yet to be done to improve the security of IT systems, data and critical infrastructure. Jim Richmann, Study Director of Cybersecurity Research, In-stitute of Defense Analyses, recently spoke during a GovLoop webinar, Combating the Cyber Landscape. Richmann’s presentation focused on how agencies can establish cyber metrics to improve security strategies. Prior to identifying potential metrics for agencies to adopt, Richmann provided an overview of the foundational elements needed to create metrics at an agency. Four areas he focused on were:

In the presentation, Richmann identified 19 potential metrics for agencies to use, but cautioned that agencies must tailor their metrics to meet their needs. The examples he presented were:

1. Percentage of source traffic covered by foundational cyber defense assets in DMZs2. Currency of enterprise virus signatures3. Percentage of client systems that have current enterprise virus signatures4. Percentage of desktops with automated patching5. Percentage of desktops with automated integrity checking6. Volume of traffic blocked at border router (segmented by type)

7. Blocked port scan volume at border router8. Currency of firmware patches for foundational cyber defense assets9. Known zero day export exposure (publicly known)10. Uptime and availability for assets11. Number of cyber attacks that are detected: Viruses, spam, phishing attacks, etc.12. Assets not patched to current standard13. Firmware not updated to enterprise standards14. Assets failing integrity check15. Non-standard software installations detected16. Known zero-day exploit exposure (publicly known)17. Currency of required administrator training18. Vulnerability scan statistics19. Source code scan results (where available and applicable)

Cybersecurity is only effective when agencies can baseline and measure success. In order to do so, agencies must place an emphasis on defining metrics that fit organizational need, and work diligently to identify risks, assess vulner-abilities and create a robust set of metrics to measure success.

Understand Your Cybersecurity Foundation: This foundation includes hardware and software assets, including, rout-ers, switches, physical point-to-point circuits, SANs, management tools, satellite links and wireless hubs.

Know Your Dedicated Defense Assets: These assets are designed only to provide cyber defense. These elements in-clude enterprise virus scanning software, intrusion detection systems, firewalls and PKI.

Identify Your Unique Cyberspace Assets: These assets exist only in cyberspace. Some examples include end-user hardware clients, application servers, web servers, mobile devices, web servers, ERP systems, printers, scanners and application software.

Assets that Leverage Cyberspace: These assets utilize cyberspace, but their primary existence and function is in other domains. Some examples include weapons systems, related platforms, support systems and infrastructure.

"Cyber threats are rising rapidly and government needs an alternative, secure solution

to the present operating environment where multiple types of information."

Read about “Ensuring Cross-Domain Security with SecureView MILS Workstations”

"IT Professionals are faced with providing secure technology solutions in a quickly changing IT landscape. Dell's Connected Security approach allows US Federal agencies to securely connect and share intelligence across the entire enterprise, boost IT productivity and protect sensitive information"

Read about “Providing Secure Mobility for US Federal Agencies”

Private Sector Solutions for Federal Government CybersecurityToday’s IT landscapes exerts tremendous pressures on government entities to secure information. Response to this imperative is coming under scrutiny from the high-est levels of government. Dell’s Connected Security strat-egy provides end-to-end security solutions to secure data from the end point, through the data center, and into the cloud. For example, Dell and Intel have collaborated in developing one of the most secure tablets for government agencies, the Latitude 10 ES.

The Latitude 10 tablet, is powered by the dual core Intel® Atom™ processor Z2760. The Intel® Atom™ processor Z2760 delivers the hardware, authentication, data protec-tion, tracking and recovery security features that meet the stringent security needs for government agencies. Some security features include:

� Dell Data Protection Security Tools, providing an inte-grated end point security management suite that utiliz-es the fingerprint and smart card reader in the Latitude 10 as well as third-party security devices.

� Trusted Platform Module (TPM) 1.2 hardware to allow networks to check device integrity and to assign full trust.

� Microsoft® BitLocker Drive Encryption.

� Computrace Support for stealth tracking software to allow the recovery of lost or stolen devices.

� A Noble Lock slot for added hardware security.

� The Latitude 10 is currently the only tablet in the mar-ket that provides dual-authentication of Windows 8.

In a special government edition of Dell Power Solutions Magazine, Scott Stevens, Senior Security Strategist, and Robert Slocum, Senior Marketing Strategist for Security and Mobility Solutions, build on Dell and Intel’s security focus, exploring how the federal government has priori-tized cybersecurity. The Comprehensive National Cyber-security Initiative (CNCI) signed by President Obama in 2008 as well as the February 2013 Executive Order 13636, Improving Critical Infrastructure Cybersecurity, mandate calls for enhancing the security and resiliency through vol-untary, collaborative efforts between the commercial civil-ian community, technology venders and service providers, and federal agencies.

Adapted from the 2013 Government Special Edition of Dell Power Solutions

CHALLENGE: CREATING COMPREHENSIVE SECURITY

The goal of the CNCI is to enhance “situational aware-ness of network vulnerabilities, threats and events within the federal government.” Sharing data across a network as vast as the federal government is extremely complex. Federal agencies need to create a comprehensive security approach that can ensure security within an agency and between agencies.

SOLUTION: UTILIZING HOLISTIC APPROACHES

IT systems are more than the sum of parts. “Rather than thinking about security as a stand-alone problem, gov-ernment entities at all levels should consider a holistic method.” The Dell Connected Security Portfolio embeds by addressing security measures at the start of develop-ment, protects by detecting threats and mitigating risks and responds by destroying threats and collecting digital evidence.

CHALLENGE: BALANCING ACCESS AND PROTECTION

Some agencies share and secure information. As Slocum and Stevens pointed out, “Agencies charged with safeguard-ing constituent data, employee information and intellectual property also must provide rapid access to the information that government workforces need to perform their jobs.” This dual mandate creates a challenge for cybersecurity.

SOLUTION: STORING DATA SMARTER

Government agencies must analyze the costs and benefits of offline, mobile, or cloud access to their data. Once agen-cies decide on a storage solution, they can tailor a security approach. “If data does not need to reside on endpoint devices,” said the authors, “a virtualized client environment may be suitable.” On the other hand, “if data does need to reside on endpoint devices, deploying encryption for data at rest can be essential for keeping information from falling into the wrong hands,” noted the authors.

President Obama called upon federal agencies to create cybersecurity protocols that ensure the safety of our na-tion and critical infrastructure. Dell answered the call and offers integrated and innovative solutions to accomplish this critical mission.

"Cyber threats are rising rapidly and government needs an alternative, secure solution

to the present operating environment where multiple types of information."

Read about “Ensuring Cross-Domain Security with SecureView MILS Workstations”

"IT Professionals are faced with providing secure technology solutions in a quickly changing IT landscape. Dell's Connected Security approach allows US Federal agencies to securely connect and share intelligence across the entire enterprise, boost IT productivity and protect sensitive information"

Read about “Providing Secure Mobility for US Federal Agencies”

24.C Y B E R S E C U R I T Y

8 W A Y S T O M I T I G A T E R I S K S

The GovLoop survey, Michigan case study and the federal cybersecurity overview provide a solid over-view of the current state of cybersecurity in govern-ment and the obstacles blocking improvement. States like Michigan have been able to retain security and meet mission needs. Below we have highlighted eight best practices to prevent cyber attacks.

1. LEADERSHIP In order to effectively adopt cyber efforts, executive buy-in is required. High-level support is needed not only to obtain organizational support, but also to ob-tain proper funding levels. “In Michigan, we’ve been fortunate to have executive buy-in. Getting buy-in and an understanding by executive leadership is key.

We’ve had that with our governor and CIO, a team of people that really get it and understand the impor-tance of cybersecurity,” said Lohrmann.

2. TRAINING / EDUCATION

In order to retain security personnel, organizations need to focus on investing in training for employees. In order for training to be effective, organizations must provide the right level of training for each em-ployee. For instance, personnel working on the front lines of cybersecurity defense strategies will require different training from employees in the public affairs department. Michigan is a great example of this dis-tinction, as they adopted numerous training programs for employees, tailored specifically toward their skill

25. A G E N C Y O F T H E F U T U R E

level. As Lohrmann noted, “I think that education and training are key. I think that the reality is that our staff is both our biggest strength and also our biggest cyber weak-ness. You talk to almost any CIO in the country or any organization in the government or private sector says you need training.”

Providing training alone is not enough. Organizations need to implement metrics around train-ing to measure effectiveness. The Michigan case study is a great ex-ample. In that case, when their old training model was not working, they developed new training to fit organizational need. “In Michigan, we had to start over and throw out our old training and start from scratch. We took a hard look at our training and decided to do something that’s more effec-tive and has metrics that we can

measure. Now, we can see if we’re changing behavior or if we’re actu-ally making a difference with our training,” said Lohrmann.

3. CONTINUOUS MONITORING

Continuous monitoring is one part of a six-step process in the NIST Risk Management Framework (RMF), from NIST publication 800-53, rev4. Continuous monitoring is a process where an agency defines their IT systems, categorizes risk levels, applies controls and then continuously monitors their sys-tems against threats. Continuous monitoring is an essential step for organizations to identify and mea-sure the security implications for planned and unexpected changes to hardware, software, and firm-ware to assess vulnerabilities in a

dynamic threat space. This holistic view of security for IT systems is essential as agencies are faced with increasing threats.

4. PREPARING AGAINST SOPHISTICATED ATTACKS

Attacks are becoming more so-phisticated and complex for agen-cies. As the Michigan case study showed, attackers are improving their ability to mask attacks and spoofing efforts. Michigan’s Cyber Range is a great example of a gov-ernment agency learning to stay one step ahead of attackers, and being ready to thwart sophisticat-ed attacks.

“ T H E R E A L I T Y I S T H AT O U R S TA F F I S

B O T H O U R B I G G E S T S T R E N G T H A N D A L S O

O U R B I G G E S T C Y B E R W E A K N E S S , ” D A N

L O H R M A N N , C I S O , S TAT E O F M I C H I G A N

26.C Y B E R S E C U R I T Y

5. KEEPING SYSTEMS UPDATED

Although preparing for sophisti-cated attacks is essential, the ma-jority of attacks still remain related to phishing attempts and attacks against unpatched systems. In or-der to prevent the more common attacks, be sure to always update systems with the latest software patches and upgrades. Often these updates are removing vulnerabili-ties, and helping to keep systems secure.

6. TALENT MANAGEMENT

Like many IT fields, government agencies are desperately in need of hiring top cyber talent. Lohrmann noted that keeping talent is key to success, “I’d say another best prac-

tice is retaining talent. We’ve lost a number of good, key people. It’s a hot market right now. Keeping talent and keeping good people is difficult at the moment. Attracting the right people and keeping them is challenging for government.”

7. DISASTER RECOVERY PLANNING

For government agencies, the real-ity is that getting attacked is not a matter of if, but when. With the growing sophistication of threats, no system is perfect and at some point, an agency will be compro-mised. Therefore, it’s essential for agencies to have a plan in place as to what to do once they are at-tacked and how to get the system back up and running, minimizing data loss.

8. PROPERLY FUNDING PROGRAMS

With any government program, funding is a challenge. Lohrmann identified a work-around for funding cyber programs: “When we didn’t have the funding, didn’t have the priorities, we made sure that security was built into those key enterprise projects early on. There are always projects happen-ing in government, so what proj-ects are getting funded? What are the major new systems?” In these cases, he advised agencies to be-come involved in core enterprise projects early and make sure that security is built up front for those programs, rather than seeking spe-cial funding that is separate from enterprise projects.

What does it mean to be Secure?

In today’s complex and quickly changing cybersecurity land-scape, organizations are con-stantly under the threat of a cyber attack. As attacks become more common and risks in-crease, how can IT departments understand how secure they are in a dynamic threat landscape?

To explore this trend, GovLoop spoke with Sanjay Castelino, the vice president and market leader of SolarWinds. SolarWinds delivers powerful and af-fordable IT management and monitoring software to over 150,000 customers worldwide – from Glob-al 1000 enterprises to nearly every civilian agency, DoD branch and intelligence agency, and was named by Forbes as one of the top 10 fastest growing tech-nology companies. Castelino highlighted what being secured means for government agencies. “To be se-cured means you [are able to] verify that the strate-gy and approach you’ve taken around securing your environment is being executed well,” said Castelino.

Castelino noted how security professionals often assist their clients in defining the right level of se-curity. “Most security professionals will tell you that they will take an approach where they built layers of security. They expect certain security layers could be breached and that multiple layers will ultimately provide them enough protection so that it’s highly unlikely that a significant breach will occur,” said Castelino.

One of the security strategies often deployed is con-tinuous monitoring. “Continuous monitoring is one step in any risk framework as it pertains to securi-ty,” said Castelino. However, continuous monitoring has a unique set of challenges for IT administrators. To create an effective continuous monitoring strat-egy, agencies need to focus on both the training of personnel and the automation of tasks. As Castelino said, “To do continuous monitoring effectively, you have to take a holistic approach to security.”

Taking the holistic approach recommended by Casteli-no does not mean monitoring everything. “Monitor-ing everything makes no sense in the IT realm. Since there is so much data, you literally couldn’t make sense of monitoring everything,” identified Castelino. “The whole idea in securing your environment is making sure the people, both inside and outside the organization, aren’t breaking the rules. There are al-ways people who don’t think the rules apply to them and want to do something different. At the end of the day, the continuous monitoring technology and approach ensures people don’t do that by flagging activity as it happens,” noted Castelino.

Castelino identified additional questions IT admin-istrators should ask when starting a continuous monitoring plan. One of them is, “What am I already monitoring and what do I want to monitor?” Once that answer is identified, Castelino recommends to “then close that gap in the simplest way that you can, you don’t need to buy into big security frame-works or expensive tools. A lot of organizations are already monitoring a lot. For example, you might al-ready have a configuration management tool in place that can provide the data for identifying unauthor-ized configuration changes on a continuous basis.” For agencies already monitoring, the challenge be-comes effectively executing security policies and finding an intelligent means to correlate data. This is where agencies often turn to a Security Information & Event Management (SIEM) solution.

Continuous monitoring is one step to confirm se-cure IT environments for government agencies. “So-larWinds is about practical tools for the IT users that are powerful and affordable and easy to use. That’s been SolarWinds’ mantra from day one. If you don’t implement something practical, you could have a great strategy that is very poorly implemented,” said Castelino. Security in a modern context is truly complex, but by taking actions such as continuous monitoring, agencies can reduce risks and mitigate damage from attacks.

An expert interview with Sanjay Castelino, Vice President and Market Leader, SolarWinds

28.C Y B E R S E C U R I T Y

Network • Application & Server • Storage • VirtualizationLog & Security • Help Desk • Secure File Transfer

IT Management & Monitoring Solutions for Government

mount a better defense

Cyber attacks are a serious threat to our economy and national security. Agencies need the capability to quickly defend against and respond to known threats and recover from incidents, whether caused by accident, natural disaster, or malicious attack.

Government IT managers are responding to these threats with continuous monitoring. Their operations, information assurance, and cyber security teams are well served with actionable intelligence from SolarWinds® IT management and monitoring software, which can be used to proactively identify threats, take automated action to quarantine and mitigate damage, and analyze data to prevent future attacks.

SolarWinds solutions use a “collect once, report many” strategy that’s a unique functionalityin a single, cost-effectiveset of tools.

Join nearly every civilian agency, DoD branch, and intelligence agency in using SolarWinds to address IT management and monitoring challenges.

FOR TODAY’S THREATS

Go to SolarWinds.com/federal for information and a FREE trial.

with SolarWinds Cyber Security & Continuous Monitoring Solutions

Call 877.946.3751

29. A G E N C Y O F T H E F U T U R E

C H E A T S H E E T

Cyber security attacks may come from hackers, organizations, criminal networks, or disgruntled employees. A recent GAO report, A Better Defined and Implemented National Strategy is Needed to Address Persistent Challenges, GAO highlights, the most commonly cited attackers. Due to increasingly reliance on technology, there are more kinds of attackers, run-ning both simple and sophisticated scripts, attempting to compromise information. We’ve highlighted the key terms for you below:

BOT-NETWORK OPERATORS: GAO states, “Bot-network operators use a network, or bot-net, of compro-mised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks.” Bot-network operators often are using these techniques in an attempt to obtain financial gains.

PHISHERS: Phishers are groups of people looking to steal identities or information, such as social security information and credit card numbers, for monetary objectives. Spam, spyware and malware are commonly used to corrupt information.

CROSS-SITE SCRIPTING: GAO describes this as “an attack that uses third-party web resources to run a script within the victim’s web browser or scriptable application.” Users can fall victim to this when visiting malicious web-sites or links. By visiting these sites, victims allow the attacker to potentially “steal cookies… log keystrokes, and

capture screenshots,” leaving sensitive information vulnerable for exploitation.

DENIAL-OF-SERVICE: This attacks prevents the user from gaining authorized access to networks, systems, or applications by using up resources.

LOGIC BOMBS: According to GAO, a logic bomb is “a piece of programming code intentionally inserted into a software system that will cause a malicious function to occur when one or more specified conditions are met”

STRUCTURED QUERY LANGUAGE INJECTION: This attack “involves the alteration of a database search in a web-based application, which can be used to obtain unauthorized access to sensitive information in a database,” says GAO.

DATA-AT-REST: Data recorded and stored on storage media. Conversations on this topic revolve around whether the data is encrypted, and how strong the encryption is.

DATA-IN-USE: Data that is not in an “at rest” state. Conversations revolve around the protocols that keeps this kind of data secure, who has access, how data may be terminated.

DATA-IN-TRANSIT: Data that is being transferred between systems within or outside a network.

Agencies across all levels of government are looking at ways to remain secure in a changing threat landscape. Our cheat sheet is designed to get you up to speed on cyber terminology, access to additional resources and chart out how cyber will impact your agency in the next 3-5 years.

GLOSSARY – THE NEED TO KNOW TERMS

30.

5 CORE CYBERSECURITY CHALLENGES

1 Responding to a quickly changing threat landscape

2 Retaining top cyber talent within government

3 Creating programs designed to assess risk and protect critical infrastructure

4 Educating and raising awareness about cyber programs

5 Promoting and funding research and development initiatives

5 CORE CYBERSECURITY OPPORTUNITIES

1 Developing security policies assuming that your network is always compromised

2 Organizing courses for employees as security and technology changes

3 Sending concise warnings and descriptions of possible threats to employees

4 Ensuring continuous monitoring, communication, education, awareness and assessment as threats change

5 Collaborating with peers and staying up-to-date on latest trends (see resources below)

CYBERSECURITY CORE RESOURCES

GovLoop Cybersecurity Knowledge Hub

Department of Homeland Security – Cybersecurity is Everyone’s Business

Michigan Cyber Initiative

Cybersecurity Resources: National Institute of Standards and Technology (NIST)

Stanford Cybersecurity Library

Strategies to Mitigate Targeted Cyber Intrusions

Glossary of Key Information Security Terms

CYBERSECURITY AND THE AGENCY OF THE FUTURE Today, agencies are exposed to more threats than ever before. They are constantly looking at IT systems and looking at ways to remain secure. A recent GAO report, A Better Defined and Implemented National Strategy is Needed to Address Persistent Challenges, identifies reported incidents are up 786 percent since 2006. , The risks are too high and the con-sequences too severe for agencies not to adapt their approach to cybersecurity. Agencies must become more proactive in addressing cyber threats, and learning ways to stay out in front and quickly adapt in a changing landscape.

In the next 3-5 years, cybersecurity is going to be essential in protecting our way of life and government service provi-sion. Cybersecurity is increasingly becoming the ability to protect critical infrastructure, along with our identities and data. Some examples include:

Protecting our dams and water supply

Information networks that power our economy and fuel business growth

Networks that connect hospitals to data in crisis situations

Confidential government programs and data

Power grids in major metropolitan cities

Cybersecurity is essential to the agency of the future. As agencies continue to adopt new and emerging technologies, they are becoming exposed to more risks. To protect IT systems and safely adopt technology, agencies must continue to place an emphasis on cybersecurity initiatives.

31. A G E N C Y O F T H E F U T U R E

A C K N O W L E D G E M E N T S

GovLoop’s mission is to connect government to improve government. We aim to inspire public sector profes-sionals by acting as the knowledge network for government. The GovLoop community has over 65,000 mem-bers working to foster collaboration, solve problems and share resources across government.

The GovLoop community has been widely recognized across multiple sectors. GovLoop members come from across the public sector. Our membership includes federal, state, and local public servants, industry experts and professionals grounded in academic research. Today, GovLoop is the leading site for addressing public sec-tor issues.

GovLoop works with top industry partners to provide resources and tools to the government community. GovLoop has developed a variety of guides, infographics, online training and educational events, all to help public sector professionals become more efficient Civil Servants.

LOCATION

GovLoop is headquartered in Washington, D.C., where a team of dedicated professionals shares a common commitment to connect and improve government.

734 15th St NW, Suite 500Washington, DC 20005Phone: (202) 407-7421Fax: (202) 407-7501

A B O U T G O V L O O P

The GovLoop team is thankful to all of those who contributed to this report. We thank everyone for their active community engagement, input and knowledge shared while developing this report. This guide would not have been possible without your assistance and from the support of our sponsor, Dell, Juniper Networks, SolarWinds and Symantec.

LEAD AUTHOR: Patrick Fiorenza, Senior Research Analyst

CO-AUTHOR: Kathryn David, GovLoop Research Fellow

EDITOR: Steve Ressler, GovLoop Founder and President and Andrew Krzmarzick, Director of Community Engagement

DESIGNER Russell Yerkes, GovLoop Design Fellow

For more information about this report, please contact Patrick Fiorenza, Senior Research Analyst at pat@govloop.com or @pjfiorenza.

32.C Y B E R S E C U R I T Y

734 15th St NW, Suite 500Washington, DC 20005Phone: (202) 407-7421

Fax: (202) 407-7501