
Cybersecurity in Government: Strategy, Collaboration, and Compliance

Jun 04, 2018


scobb99
Transcript
  • 8/13/2019 Cybersecurity in Government: Strategy, Collaboration, and Compliance

    1/29

    Cybersecurity in Government: Strategy, Collaboration, and Compliance

    Stephen Cobb, CISSP

    Senior Security Researcher


    3/29

    Q1: Which one of these are you?

    State government employee

    Federal government employee

    Local government employee

    Service provider to government

    None of the above


    4/29

    Some sobering stats

    92%: State officials who feel cybersecurity is very important for the state

    24%: CISOs who are very confident they can protect state's assets against external threats

    2012 Deloitte-NASCIO Cybersecurity Study


    5/29

    Top 5 barriers to addressing cybersecurity

    2012 Deloitte-NASCIO Cybersecurity Study


    6/29

    Plan of attack

    What data are we talking about?

    What are the risks?

    How do we address risks?

    What strategies we can apply to achieve success


    7/29

    What data are we talking about?

    Tax records, personal and business

    Not the ones that are published

    Medical records

    Employees, state programs, clinics

    Motor vehicle records

    Personally Identifiable Information

    PII of all kinds, notably SS#s, financial


    8/29

    All PII is fair game for bad guys

    Name, Address, Social, Mobile, Etc.

    Tax, Health, Other Info

    Payment Info


    9/29

    What are the risks?

    Identity theft and financial fraud

    Based on stolen data

    Loss of IT functionality

    Due to denial of service, file corruption or deletion, data ransoming, DNS hacks

    Fallout from the above and/or negative compliance/audit reports


    10/29

    What motivates bad actors

    IMPACT

    ADVANTAGE

    MONEY

    CREDENTIALS


    11/29

    How do they operate?


    12/29

    Popular Attack Technique

    User clicks link

    Goes to compromised site

    Gets infected/owned

    Malware server

    Command & Control

    !?**!


    13/29

    Access to victim machine

    Search and exfiltrate files

    Use network connections

    Access to webcam and audio

    Passwords, system functions

    Victim chat


    14/29

    What happens next?


    16/29

    How do we address risks?

    Catalog data and systems at risk

    Name and prioritize risks

    Outline threat vectors

    Describe controls to be applied

    Make sure policies are in place

    Document each step of the way

    Assess yourself and share wins


    17/29

    PII protection steps: risk

    PII is on server A, clearly a target

    Main risk is theft or loss of data

    Secondary risk is denial of access to data

    Threat actors could be internal or external


    18/29

    Q2: Which of the following may be considered PII?

    Social Security number

    Email address

    Face

    Date of birth

    All of the above


    19/29

    PII protection steps: vectors

    Which systems have access to server A?

    Which users have access to those systems?

    Can those systems be reached from the public Internet?

    Are users uniquely identified?
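
The four questions on this slide can be answered mechanically from an access inventory. The following is an added example, not part of the original deck: the system names, accounts and inventory are constructed, and it follows multi-hop paths to server A, which goes one step beyond the slide's direct-access question.

```python
from collections import deque

# Constructed inventory (hypothetical names): system -> systems it can connect to
CONNECTS_TO = {
    "web-portal": ["app-tier"],
    "app-tier": ["server-a"],
    "dba-jump": ["server-a"],
    "hr-desktop": ["dba-jump"],
    "print-server": ["file-share"],
}
INTERNET_FACING = {"web-portal", "print-server"}
# Accounts that can log in to each system
LOGINS = {
    "web-portal": ["svc_web"], "app-tier": ["svc_app", "admin"],
    "dba-jump": ["jsmith", "admin"], "hr-desktop": ["mlee"],
    "print-server": ["svc_print"],
}
# Who holds each account's credentials; anything other than one holder is not unique
ACCOUNT_HOLDERS = {
    "svc_web": ["web-deployer"], "svc_app": ["app-deployer"],
    "svc_print": ["print-admin"], "jsmith": ["J. Smith"], "mlee": ["M. Lee"],
    "admin": ["J. Smith", "M. Lee", "R. Patel"],
}

def systems_reaching(target, connects_to):
    """Every system with a direct or multi-hop path to target (reverse BFS)."""
    reverse = {}
    for src, dsts in connects_to.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    seen, queue = set(), deque([target])
    while queue:
        for src in reverse.get(queue.popleft(), ()):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    seen.discard(target)  # a cycle back to the target is not a separate system
    return seen

def audit_vectors(target):
    """Answer the slide's four questions for one target server."""
    systems = systems_reaching(target, CONNECTS_TO)
    accounts = {a for s in systems for a in LOGINS.get(s, [])}
    return {
        "systems": sorted(systems),
        "accounts": sorted(accounts),
        "internet_reachable": sorted(systems & INTERNET_FACING),
        # unknown holder (0) or several holders (>1) both fail unique identification
        "shared_accounts": sorted(a for a in accounts
                                  if len(ACCOUNT_HOLDERS.get(a, [])) != 1),
    }
```
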


    20/29

    PII protection steps: controls

    Strong authentication (2FA)

    Firewalling and filtering

    Anti-malware scanning at end points and on servers

    Encryption at rest and in transit

    Logging of all activity and regular review of logs


    21/29

    PII protection steps: policy

    Is all of this spelled out in policy?

    Controls are mandated, behaviors prescribed and proscribed

    E.g. You will use two-factor authentication; sharing of credentials forbidden; inactivity timeouts set

    Penalties made clear


    22/29

    PII protection steps: docs

    Government entities are subject to audit, inspection, investigation

    Auditors want documentation

    For example, a breach of unencrypted PII is bad

    No documented risk assessment addressing PII encryption is worse


    23/29

    Across all cybersecurity efforts

    Assess yourself, before auditors do

    Fix problems

    Share wins

    Make friends


    24/29

    Strategies for success

    If you are responsible for protecting government IT systems:

    Don't panic, you are not alone

    Network with others, at all levels, inside government, and out

    ISSA, ISACA, (ISC)², IAPP

    MS-ISAC, NASCIO


    26/29

    Compliance as leverage

    Bosses may not like security

    But everyone hates bad grades

    Hard to avoid oversight

    From FISMA to state auditors


    27/29

    If all else fails

    Try fear of headlines


    28/29

    Leverage what works

    Consider sharing services across departments, agencies

    Identity management

    Forensics

    Threat intelligence


    29/29

    Thank you! [email protected]

    WeLiveSecurity.com

    www.eset.com
