Illinois DGS 16 presentation - Cyber Security Evolution - by Kirk Lonbom

Posted on 13-Apr-2017


Transcript

First 90 days (March 30, 2015)

Cybersecurity Challenges and Threats: A State Perspective

October 6, 2016

State of Illinois © 2015 Confidential: For discussion only


What is being attacked?

EVERYTHING!

“No locale, industry or organization is bulletproof when it comes to the compromise of data”


Breaches in State Government

South Carolina Department of Revenue

• Exposed Tax Records of 70 Million People

• Costs to the state - $70 Million

Utah – Medicaid Program

• Theft of 750,000 Medicaid Records

• Costs to the state - $9 Million

California – Reported that there have been multiple data breaches at state agencies

• Costs to the state - $8.8 Million

IBM 2016 Study of breaches in the U.S.

• $7.01 million is the average total cost of a data breach (up $0.5 million from 2015)

• $221 is the average cost per lost or stolen record

$86 (what’s in YOUR database?)


Distributed Denial of Service – Game Changer

Our Challenge

“What if an attacker injects code into devices to create a Fitbit botnet?” he says. Researchers have already shown it’s possible to wirelessly load malware onto a Fitbit in less than 10 seconds, he says, so the possibility isn’t fantastic.

Andy Ellis – Chief Security Officer – Akamai

State Business Risk

• Life, Health and Safety

• Delivering Services to our Citizens

• Delivering Services to our Employees

Reputational/Political Risk

• Elected Officials

• Agency Directors

• Program Managers

Financial Risk

• Lost Revenue

• Breach Costs

• Fraud and Theft

Privacy & Confidentiality Risk

• Personal Information – Identity Theft

• Confidential Information

Elected Official?

Appointed Official?

Program Executive or Manager?

Fiduciary Responsibility?

Placed in the Public’s Trust?

Or do you just want to make sure you just keep your job?

Information Security

• Protect information from unauthorized disclosure

• Ensure information is trustworthy

• Guarantee reliable access to mission-critical information

Cyber-Resiliency

• Ability to anticipate, withstand and recover from adverse cyber-events

• Evolve and improve in pace with the ever-changing cyber landscape

We DO know what we DO know! (known software vulnerabilities)

Phishing is still the biggest sport (it’s easy)

63% of breaches involved weak, default or stolen passwords (we just don’t get it – Multi-factor!)

Social Unrest = Increased Attacks

Web Applications have weaknesses (many easy to fix – just find them!)

We all make mistakes. (human errors cost us)

Data Breach Causes

• Malicious or Criminal Attack – 50%

• Negligent Employees – 23%

• System Problems (both IT and Business Process Failures) – 27%

Daily Phishing, Brute Force, Calls, SQLi

Ransomware – (but getting better)

DDoS Attacks – States and Law Enforcement

Administrative Errors

Indications of Increased Nation State Activity

Chart: Mitigating Breach Cost (cost per record, $0 to $250)

• The longer it takes to detect, the more it costs.

• 70% of attackers move from the initial victim to a secondary target within 24 hours.

• An attacker is in your environment for over 200 days before detection

• Victims MUST report incidents quickly!


• Threat Agent Risk Management Methodology (Intel, 2007)

• Intel Threat Agent Library (Casey, 2007)

• Verizon 2016 Data Breach Investigations Report

• ENISA (European Union Agency for Network and Information Security) Threat Landscape 2015 (published 2016)

• McAfee Labs 2016 Threat Predictions

• Understanding the Threat Landscape in e-Government Infrastructure for Business Enterprises (Pushpakumar, 2015)

• NTT 2016 Global Threat Intelligence Report

• Symantec Internet Security Threat Report (ISTR) 2016

©2016 State of Illinois – Department of Innovation and Technology (DoIT) Internal Confidential

“A deliberate and defined strategy”

The Strategy

1 Vision

5 Goals

25 Objectives

90 Plans of Action

Projects and Initiatives

The Strategy

• Goal 1 – A Best-in-Class Information & Cyber Security Program: Create a best-in-class cyber security program in line with best practices and national frameworks which facilitates and protects the business of the State of Illinois.

• Goal 2 – Security of State of Illinois Information and Systems: Protect the confidentiality, integrity and availability of State of Illinois information and technology assets and ensure the State’s cyber resiliency.

• Goal 3 – A Secure Technology Transformation: Prepare, plan and execute effective information and cyber security strategies in support of the State of Illinois’ technology transformation.

• Goal 4 – Emerging Threats, Risks and Opportunities: Proactively address the emerging and ever-changing information and cyber security threat and risk landscape while seizing opportunities to learn, improve and grow.

• Goal 5 – A Cyber-Secure Illinois: Expand influence and cyber security improvement opportunities beyond State of Illinois government to enhance the cyber security posture of the entire state, with an emphasis on the state’s critical infrastructure.


Outcomes (we measure against these!)

• Illinois' cybersecurity strategies and programs are continually aligned with the business strategies of Illinois agencies, boards and commissions as well as the enterprise as a whole.

• Cybersecurity programs and initiatives are developed based on a sound and consistent risk management process across all state agencies.

• A culture of cyber-risk awareness at all levels of state government has been created and is continually enhanced.

• The overall cybersecurity posture of the state continues to improve through the use of a common cybersecurity framework.

• Illinois has developed and maintains a proactive approach to threat and attack detection, and rapidly and effectively responds to mitigate the threats and reduce the impact to the state.

• Cybersecurity planning is prevalent during all phases of solution development.

• Emerging information security threats and vulnerabilities are quickly identified and ranked based on risk. Critical vulnerabilities are rapidly addressed to reduce the likelihood of successful exploit by attackers.

• Rapid, consistent and effective security incident response capabilities reduce the impact of security incidents, and response effectiveness is continually improved.

• Effective and consistent enterprise-wide cybersecurity policies are effectively communicated, monitored for compliance and result in a more secure enterprise.

• Illinois' cybersecurity workforce is well-trained, continually developed and aligned with national standards.

• State of Illinois information is protected from unauthorized disclosure.

• State of Illinois information is trustworthy.

• State of Illinois information and systems are available when needed.

• The State of Illinois has the ability to withstand and quickly recover from deliberate attacks, accidents or naturally occurring threats or incidents.

• The State of Illinois maintains a technology infrastructure which is secure.

• The State of Illinois provides effective mobile capabilities in a secure manner.

• The State of Illinois utilizes cloud resources in an effective, efficient and cyber-secure manner.

• Enterprise applications are deployed and maintained utilizing security best practices and are protected from cyber threats.

• The State aggressively utilizes data analytics to improve the lives of citizens while maintaining security and privacy.

• The Illinois technology transformation and consolidation has resulted in a more cyber-secure State.


Thank you!
