Cybersecurity in Government: Strategy, Collaboration, and Compliance

Stephen Cobb, CISSP
Senior Security Researcher

The challenge
Valuable data is collected, processed and stored at all levels of government
A wide array of bad actors are trying to acquire, or disrupt access to, that data
Numerous rules and regulations require government entities to protect that data
Most government entities have scarce resources

Q1: Which one of these are you?


State government employee
Federal government employee
Local government employee
Service provider to government
None of the above

Some sobering stats


92%: State officials who feel cybersecurity is very important for the state

24%: CISOs who are very confident they can protect the state's assets against external threats

2012 Deloitte-NASCIO Cybersecurity Study

Top 5 barriers to addressing cybersecurity

2012 Deloitte-NASCIO Cybersecurity Study

Plan of attack
What data are we talking about?
What are the risks?
How do we address risks?
What strategies can we apply to achieve success?

What data are we talking about?


Tax records, personal and business
Not the ones that are published

Medical records
Employees, state programs, clinics

Motor vehicle records

Personally Identifiable Information


PII of all kinds, notably SS#s, financial

All PII is fair game for bad guys


Name Address Social Mobile Etc.

Tax Health Other Info

Payment Info

What are the risks?


Identity theft and financial fraud
Based on stolen data

Loss of IT functionality
Due to denial of service, file corruption or deletion, data ransoming, DNS hacks

Fallout from the above and/or negative compliance/audit reports

What motivates bad actors


MONEY
ADVANTAGE
IMPACT

CREDENTIALS

How do they operate?

User clicks link

Goes to compromised site

Gets infected/owned

Popular Attack Technique


Malware server
Command & Control

Access to victim machine
Search and exfiltrate files
Use network connections
Access to webcam and audio
Passwords, system functions
Victim chat

What happens next?

How do we address risks?


Catalog data and systems at risk
Name and prioritize risks
Outline threat vectors
Describe controls to be applied
Make sure policies are in place
Document each step of the way
Assess yourself and share wins

PII protection steps: risk


PII is on server A, clearly a target
Main risk is theft or loss of data
Secondary risk is denial of access to data
Threat actors could be internal or external

Q2: Which of these following may be considered PII?


Social Security number
Email address
Face
Date of birth
All of the above

PII protection steps: vectors


Which systems have access to server A?
Which users have access to those systems?
Can those systems be reached from the public Internet?
Are users uniquely identified?

PII protection steps: controls


Strong authentication (2FA)
Firewalling and filtering
Anti-malware scanning at end points and on servers
Encryption at rest and in transit
Logging of all activity and regular review of logs

PII protection steps: policy


Is all of this spelled out in policy?
Controls are mandated, behaviors prescribed and proscribed
E.g. You will use two-factor authentication; sharing of credentials forbidden; inactivity timeouts set

Penalties made clear

PII protection steps: docs


Government entities are subject to audit, inspection, investigation
Auditors want documentation
For example, a breach of unencrypted PII is bad
No documented risk assessment addressing PII encryption is worse

Across all cybersecurity efforts


Assess yourself, before auditors do
Fix problems
Share wins
Make friends

Strategies for success


If you are responsible for protecting government IT systems:
Don't panic, you are not alone
Network with others, at all levels, inside government, and out
ISSA, ISACA, (ISC)2, IAPP
MS-ISAC, NASCIO

Compliance as leverage
Bosses may not like security
But everyone hates bad grades
Hard to avoid oversight
From FISMA to state auditors

If all else fails


Try fear of headlines

Leverage what works


Consider sharing services across departments, agencies
Identity management
Forensics
Threat intelligence

Thank you!
stephen.cobb@eset.com
WeLiveSecurity.com
www.eset.com
