Presentation is loading. Please wait.

Presentation is loading. Please wait.

David A. Brown Chief Information Security Officer State of Ohio

Similar presentations

Presentation on theme: "David A. Brown Chief Information Security Officer State of Ohio"— Presentation transcript:

1 David A. Brown Chief Information Security Officer State of Ohio
Cybersecurity in Ohio David A. Brown Chief Information Security Officer State of Ohio

2 Threats Against Government
Denial of Service Spear Phishing SQL Injection Web Defacements Malware (Keyloggers, Trojans,etc.) Theft of Devices Hacktivist Activity

3 Examples of the Threat February 2012 – Missouri’s Official Web Site Defacement April 2012 – Utah Department of Health –Medicaid System Hack October South Carolina Department of Revenue Data Breach October 2012 – City of Burlington, Washington System Attack December 2012 – South Carolina Department of Employment & Workforce Web Defacement January 2013 – Florida Dept. of Juvenile Justice Device Theft Missouri Defacement – no data loss Utah – 780,000 records stolen South Carolina Data Breach – 6.4 million records stolen by a foreign hacker – spear phishing City of Burlington - $400,000 diverted to other accounts across the country. South Carolina Defacement – no data loss Florida Juvenile Justice– mobile device with 100,000 youth and employee records stolen from office – no encryption or password protection Several incidents have occurred in Ohio as well. All of the threats noted earlier have occurred here in state and/or local agencies.

4 State of Ohio Security Program
Approximately 100 agencies, boards, and commissions under program Decentralized environment Chief Information Security Officer responsibilities under ORC : Coordinate the implementation of security policies and procedures in state agencies Assist each agency with the development of a security strategic plan

5 State of Ohio Security Program
April 2011 – State sets IT Standard ITS-SEC-02 Establishes NIST as state security framework Creates enterprise security controls that align with Consensus Audit Guidelines (SANS Top 20 Critical Controls) Agencies to be compliant with CAG by October 2012 Fall 2012 – Agencies required to submit strategic security plan to Office of Information Security & Privacy Leveraged CAG self-assessment in US Homeland Security CSET tool Explain value of CSET tool for local municipalities and county governments

6 State of Ohio Security Program
SANS Top 20 Critical Controls (Consensus Audit Guidelines) Hardware Inventory Software Inventory Secure Configuration of Systems Secure Configuration of Network Devices Boundary Defense Security Audit Logs Application Software Security Controlled Use of Administrative Privileges Controlled Access/Need to Know Vulnerability Management Account Monitoring & Control Malware Defense Limiting Ports, Protocols, Services Wireless Device Control Data Loss Prevention Secure Network Engineering Penetration Testing Incident Response Capability Data Recovery Capability Security Training

7 State of Ohio Security Program
Ohio is one of a few states who have adopted the SANS Top 20 Critical Controls The Consortium for Cybersecurity Action was established in 2012 Ensures that updated versions of the controls reflected the most relevant threat information Shares lessons learned from organizations that have implemented them. Ohio participates in this consortium. CISOs for Ohio and Colorado co-chair a state/local government workgroup for the Consortium. US State Department saw a 94% reduction in measured security risk by implementing these controls

8 State of Ohio Security Program
Security Services Provided by OISP Today: Risk Assessments Security Assessments Security Architecture Security Consulting IT Security Policies/Standards Incident Response Vulnerability Assessments Penetration Testing (limited) Enterprise SIEM Security Awareness & Training Cyber Intelligence and Threat Management Agencies may provide other services as well.

9 State of Ohio Security Program
Industrial Control Systems Assessments Began these assessments in February 2012 Partnered with US Homeland Security to conduct two pilot assessments Each assessment was completed within one day No cost to the State of Ohio

10 State of Ohio Security Program
Securing the Human Began offering this training in 2011 Online training produced by SANS Institute 36 different modules of training Updated twice a year based on current threats Approximately 50,000 state employees will be trained this year Excellent reviews by our users

11 State of Ohio Security Program
Enterprise SIEM Began offering this service in 2012 Collect security logs from systems 5 agencies participating today Extending to all cabinet agencies Over 100 Million event logs analyzed per day Both agencies and OISP monitor system

12 Challenges Facing Government
Funding for security Cybersecurity authority and governance Attractive targets for cybercriminals and hacktivists Lack of skilled staff Sophistication of attacks According to the 2012 Deloitte – NASCIO Cybersecurity study, many governments fund security at 1-2% of overall IT budget. Some don’t fund it at all. While this study pertained to state governments, local governments have the same issue. In fact, many have little budget for IT as a whole and do not have dedicated IT staff and rely on vendors. 78% of the states saw their security budgets remain about the same or become reduced during 2010 and 2011. The study also pointed out that many CISOs operate in a highly distributed model with little direct authority over agency strategies, activities, and resources. The study also showed that government agencies host systems that contain a lot of personal information, making them attractive targets for cybercriminals and hacktivists.

13 What Can You Do? Assess and communicate security risks
Consider shared security services Encourage user education in security awareness Explore alternative funding for cybersecurity Use the no-cost assessments provided by DHS Encourage IT personnel to use the DHS CSET Tool to do assessments and develop plan of action. Become a member of the MS-ISAC Leverage free cybersecurity training provided by various sources Develop an incident response plan Develop a disaster recovery plan

14 Cybersecurity Council
The Cybersecurity, Education, and Economic Development Council was created under ORC in 2012. Consists of 12 members appointed by Governor, Speaker of the House, and President of the Senate. Council is to conduct a study and make recommendations regarding: Improving the infrastructure of the state’s cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education. Specific actions that would accelerate growth of the cybersecurity industry in the state.

15 Questions?

16 Contact Information David A. Brown State Chief Information Security Officer Ohio Department of Administrative Services 30 E. Broad Street FL 40 Columbus, OH Office: (614)

Download ppt "David A. Brown Chief Information Security Officer State of Ohio"

Similar presentations

Ads by Google