Illinois DGS 16 presentation - Cyber Security Evolution - by Kirk Lonbom

Page 1: Illinois DGS 16 presentation - Cyber Security Evolution - by Kirk Lonbom

Cybersecurity Challenges and Threats: A State Perspective

October 6, 2016

State of Illinois © 2015 Confidential: For discussion only

Page 14

What is being attacked?

Page 15

EVERYTHING!

Page 17

“No locale, industry or organization is bulletproof when it comes to the compromise of data”

Page 20

Breaches in State Government

South Carolina Department of Revenue

• Exposed Tax Records of 70 Million People

• Costs to the state - $70 Million

Utah – Medicaid Program

• Theft of 750,000 Medicaid Records

• Costs to the state - $9 Million

California – Reported that there have been multiple data breaches at state agencies

• Costs to the state - $8.8 Million

IBM 2016 Study of breaches in the U.S.

• $7.01 million is the average total cost of a data breach (up $0.5 million from 2015)

• $221 is the average cost per lost or stolen record

Page 24

$86 (what’s in YOUR database?)

Page 30

Distributed Denial of Service – Game Changer

Our Challenge

“What if an attacker injects code into devices to create a Fitbit botnet?” he says. Researchers have already shown it’s possible to wirelessly load malware onto a Fitbit in less than 10 seconds, he says, so the possibility isn’t fantastic.

Andy Ellis – Chief Security Officer – Akamai

Page 36

Reputational/Political Risk
• Elected Officials
• Agency Directors
• Program Managers

Financial Risk
• Lost Revenue
• Breach Costs
• Fraud and Theft

Privacy & Confidentiality Risk
• Personal Information – Identity Theft
• Confidential Information

State Business Risk
• Life, Health and Safety
• Delivering Services to our Citizens
• Delivering Services to our Employees

Page 38

Elected Official?

Appointed Official?

Program Executive or Manager?

Fiduciary Responsibility?

Placed in the Public’s Trust?

Or do you just want to make sure you keep your job?

Page 39

Information Security
• Protect information from unauthorized disclosure
• Ensure information is trustworthy
• Guarantee reliable access to mission critical information

Cyber-Resiliency
• Ability to anticipate, withstand and recover from adverse cyber-events.
• Evolve and improve in pace with the ever-changing cyber landscape.

Page 40

• We DO know what we DO know! (known software vulnerabilities)

• Phishing is still the biggest sport (it’s easy)

• 63% of breaches involved weak, default or stolen passwords (we just don’t get it – Multi-factor!)

• Social Unrest = Increased Attacks

• Web Applications have weaknesses (many easy to fix – just find them!)

• We all make mistakes. (human errors cost us)

Page 41

Data Breach Causes

• Malicious or Criminal Attack, 50%

• Negligent Employees, 23%

• System Problems - Both IT and Business Process Failures, 27%

Page 42

Daily Phishing, Brute Force, Calls, SQLi

Ransomware – (but getting better)

DDoS Attacks – States and Law Enforcement

Administrative Errors

Indications of Increased Nation State Activity

Page 43

[Chart: Mitigating Breach Cost – y-axis: Cost, $0 to $250]

Page 45

• The longer it takes to detect, the more it costs.

• 70% of attackers move from the initial victim to a secondary target within 24 hours.

• An attacker is in your environment for over 200 days before detection

• Victims MUST report incidents quickly!

Page 48

• Threat Agent Risk Management Methodology (Intel 2007)

• Intel Threat Agent Library, Casey, 2007

• Verizon 2016 Data Breach Investigations Report

• ENISA (European Union Agency for Network and Information Security) Threat Landscape 2015 (published 2016)

• McAfee Labs 2016 Threat Predictions

• Understanding the Threat Landscape in e-Government Infrastructure for Business Enterprises, Pushpakumar 2015

• NTT 2016 Global Threat Intelligence Report

• Symantec Internet Security Threat Report (ISTR) 2016

Page 50

©2016 State of Illinois – Department of Innovation and Technology (DoIT) Internal Confidential

“A deliberate and defined strategy”

The Strategy

1 Vision

5 Goals

25 Objectives

90 Plans of Action

Projects and Initiatives

Page 55

The Strategy

• Goal 1 – A Best-in-Class Information & Cyber Security Program: Create a best-in-class cyber security program in line with best practices and national frameworks which facilitates and protects the business of the State of Illinois.

• Goal 2 – Security of State of Illinois Information and Systems: Protect the confidentiality, integrity and availability of State of Illinois information and technology assets and ensure the State’s cyber resiliency.

• Goal 3 – A Secure Technology Transformation: Prepare, plan and execute effective information and cyber security strategies in support of the State of Illinois’ technology transformation.

• Goal 4 – Emerging Threats, Risks and Opportunities: Proactively address the emerging and ever-changing information and cyber security threat and risk landscape while seizing opportunities to learn, improve and grow.

• Goal 5 – A Cyber-Secure Illinois: Expand influence and cyber security improvement opportunities beyond State of Illinois government to enhance the cyber security posture of the entire state, with an emphasis on the state’s critical infrastructure.

Page 57

Outcomes (we measure against these!)

• Illinois' cybersecurity strategies and programs are continually aligned with the business strategies of Illinois agencies, boards and commissions as well as the enterprise as a whole.

• Cybersecurity programs and initiatives are developed based on a sound and consistent Risk Management Process across all state agencies.

• A culture of cyber-risk awareness at all levels of state government has been created and is continually enhanced.

• The overall cybersecurity posture of the state continues to improve through the use of a common cybersecurity framework.

• Illinois has developed and maintains a proactive approach to threat and attack detection and rapidly and effectively responds to mitigate the threats and reduce the impact to the state.

Page 58

Outcomes (we measure against these!)

• Cybersecurity planning is present during all phases of solution development.

• Emerging information security threats and vulnerabilities are quickly identified and ranked based on Risk. Critical vulnerabilities are rapidly addressed to reduce the likelihood of successful exploit by attackers.

• Rapid, consistent and effective security incident response capabilities reduce the impact of security incidents, and response effectiveness is continually improved.

• Effective and consistent enterprise-wide cybersecurity policies are communicated, monitored for compliance, and result in a more secure enterprise.

• Illinois' cybersecurity workforce is well-trained, continually developed and aligned with national standards.

Page 59

Outcomes (we measure against these!)

• State of Illinois information is protected from unauthorized disclosure.

• State of Illinois information is trustworthy.

• State of Illinois information and systems are available when needed.

• The State of Illinois has the ability to withstand and quickly recover from deliberate attacks, accidents or naturally occurring threats or incidents.

• The State of Illinois maintains a technology infrastructure which is secure.

• The State of Illinois provides effective mobile capabilities in a secure manner.

• The State of Illinois utilizes cloud resources in an effective, efficient and cyber-secure manner.

Page 60

Outcomes (we measure against these!)

• Enterprise applications are deployed and maintained utilizing security best practices and are protected from cyber threats.

• The State aggressively utilizes data analytics to improve the lives of citizens while maintaining security and privacy.

• The Illinois technology transformation and consolidation has resulted in a more cyber-secure State.

Page 61

Thank you!