Presentation is loading. Please wait.

Presentation is loading. Please wait.

WHEN, NOT IF THE CYBER SECURITY CHALLENGES AMONG LOCAL GOVERNMENT UMBC Public Policy Forum Baltimore Maryland April 15, 2016 Gayle B. Guilford CISO Baltimore.

Published byBruno Fletcher Modified over 8 years ago

Similar presentations

Presentation on theme: "WHEN, NOT IF THE CYBER SECURITY CHALLENGES AMONG LOCAL GOVERNMENT UMBC Public Policy Forum Baltimore Maryland April 15, 2016 Gayle B. Guilford CISO Baltimore."— Presentation transcript:

1 WHEN, NOT IF THE CYBER SECURITY CHALLENGES AMONG LOCAL GOVERNMENT UMBC Public Policy Forum Baltimore Maryland April 15, 2016 Gayle B. Guilford CISO Baltimore City Government

2 FEDERAL AND STATE REQUIREMENTS WHEN NOT, IF

3 PCI DSS and PII - restrictions and guidelines In February 2013, President Obama issued Executive Order 13636 “Improving Critical Infrastructure Cybersecurity” NIST - Commerce Department's National Institute of Standards and Technology framework guidelines provides the description of what's needed for a comprehensive cybersecurity program CJIS – data security protection for CJI (add CJIS if necessary) Md 304 Governmental Procedures – Security and Protection of Information Requiring State and local government units, when destroying records of an individual that contain personal information of the individual, to take reasonable steps to protect against unauthorized access to or use of the personal information under specified circumstances; requiring a government unit that collects specified personal information of an individual to implement and maintain specified security procedures and practices; etc. Synopsis of Laws Enacted 127 Chapter No. EFFECTIVE JULY 1, 2014 Federal and State Requirements WHEN, NOT IF

4 CONCERNS! The Ponemon Institute published “2015 Cost of Data Breach Study” in May 2015. The study stated “The cost of (a) or (data breaches) data breach varies by industry. The average global cost of (a) data breach per lost or stolen record is $154. However, if a healthcare organization has a breach the average cost could be as high as $363 and in education the average cost could be as high as $300. The lowest cost per lost or stolen record is in transportation ($121) and public sector ($68). The retail industry’s average cost increased dramatically from $105 last year to $165 in this year’s study.” Symantec April 2015 Volume 20 Report -2015 Internet Security Threat Report Government reports “a 183 percent increase in DNS amplification attacks between January and August 2014”. Distributed Denial of Service - DDoS WHEN, NOT IF

5 CONCERNS! New Ransomware As reported by CBS news on April 11, 2016 – “ An unusual strain of virus-like hacker software that exploits computer server vulnerabilities -- without requiring human interaction -- is a leading example of a new generation of "ransomware," according to a new report by Cisco Systems Inc.new generation of "ransomware," Hackers use such software to target large-scale networks and hold data hostage in exchange for bigger payments. Last year's 2,453 reports of ransomware hackings to the FBI totaled a reported loss of $24.1 million, making up nearly one-third of the complaints over the past decade. They also represented 41 percent of the $57.6 million in reported losses since 2005. Such losses are significantly higher than any paid ransoms because companies routinely include remediation costs, lost productivity, legal fees and sometimes even the price of lost data in their estimates. WHEN, NOT IF

6 Concerns! Insufficient Funding Lack of Resources How to Educate Non IT Staff How to Educate Citizens Lack of Control over External Devices Identification of Acceptable and Non-Acceptable Risk Identification of All Assets WHEN, NOT IF

7 Employees Partners VendorsCitizens

8 Educate Users Partnerships Review 3 rd Party Contracts Review and Update Policies Implement Tools HOW DO WE PREPARE WHEN, NOT IF

9 EDUCATE USERS Weakest Link verses Strongest Link Can spot and report oddities Should be suspicious Must use Strong Passwords Connect to Internet with Caution Must Secure mobile Devices WHEN, NOT IF

10 PARTNERSHIPS Industry or Sector Information sharing Teams and Committees Government Officials (I changed it, it was misspelled) Vendors Regional Committees Fusion Centers (A fusion center is a collaborative effort of two or more agencies that provide resources, expertise and information to the center with the goal of maximizing their ability to detect, prevent, investigate, and respond to criminal and terrorist activity) Local Universities FBI Regional Cyber Security Office Homeland Security Federal Agencies In-House Facilities Management In-House Risk management In-House Procurement In-House Human Resources WHEN, NOT IF

11 HVAC Electronic Identification Electrical 3 rd Party processing Websites ISP Providers REVIEW 3 RD PARTY CONTRACTS WHEN, NOT IF

12 Times have changed Physical security and electronic access Physical infrastructure and remote access User Remote Access Internet access Email Termination REVIEW AND UPDATE POLICIES WHEN, NOT IF

13 IMPLEMENT TOOLS In order to fight the Cyber-War and be in compliance with State and Federal laws, we must implement the CyberSecurity policies in line with state and federal laws, identify and mitigate risks while implementing software and/or equipment designed to:  Detect and Stop  Expose the Cyber-Attack Life Cycle  Report Cyber-Attack  Produce Forensic Attack Details WHEN, NOT IF

14 CELEBRATE CYBER SECURITY MONTH OCTOBER WHEN, NOT IF

15 Ever Changing Digital Environment More Sophisticated Attacks More Technology Vulnerabilities Human Element Policy (Policies) and Practices Trained Technical Staff Budget

Download ppt "WHEN, NOT IF THE CYBER SECURITY CHALLENGES AMONG LOCAL GOVERNMENT UMBC Public Policy Forum Baltimore Maryland April 15, 2016 Gayle B. Guilford CISO Baltimore."

Similar presentations

Philippine Cybercrime Efforts

Philippine Cybercrime Efforts
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
STOP.THINK.CONNECT™ NATIONAL CYBERSECURITY AWARENESS CAMPAIGN SMALL BUSINESS PRESENTATION.

STOP.THINK.CONNECT™ NATIONAL CYBERSECURITY AWARENESS CAMPAIGN SMALL BUSINESS PRESENTATION.
DHS, National Cyber Security Division Overview

DHS, National Cyber Security Division Overview
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Radware DoS / DDoS Attack Mitigation System Orly Sorokin January 2013.

Radware DoS / DDoS Attack Mitigation System Orly Sorokin January 2013.
Know the Client Own the Problem Share the Solution The 2005 Case for Information Technology Security October 14, 2004.

Know the Client Own the Problem Share the Solution The 2005 Case for Information Technology Security October 14, 2004.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Cyberspace and the Police Mamoru TAKAHASHI Head of Computer Forensic Center, Hi-tech Crime Technology Division National Police Agency, Japan.

Cyberspace and the Police Mamoru TAKAHASHI Head of Computer Forensic Center, Hi-tech Crime Technology Division National Police Agency, Japan.
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.
Network security policy: best practices

Network security policy: best practices
By: Dr. Mohammed Alojail College of Computer Sciences & Information Technology 1.

By: Dr. Mohammed Alojail College of Computer Sciences & Information Technology 1.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,
Technician Module 2 Unit 8 Slide 1 MODULE 2 UNIT 8 Prevention, Intelligence & Deterrence.

Technician Module 2 Unit 8 Slide 1 MODULE 2 UNIT 8 Prevention, Intelligence & Deterrence.
The Financial Impact of Cyber Security 50 Questions Every CFO Should Ask A publication of the American National Standards Institute and the Internet Security.

The Financial Impact of Cyber Security 50 Questions Every CFO Should Ask A publication of the American National Standards Institute and the Internet Security.
Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:

Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:
Enterprise Computing Community June 13 - 15, 2010February 27, 2010 1 Information Security Industry View Linda Betz IBM Director IT Policy and Information.

Enterprise Computing Community June , 2010February 27, Information Security Industry View Linda Betz IBM Director IT Policy and Information.
Network Security Resources from the Department of Homeland Security National Cyber Security Division.

Network Security Resources from the Department of Homeland Security National Cyber Security Division.
Copyright © 2011 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Similar presentations

Ads by Google