Presentation on theme: "David A. Brown, Chief Information Security Officer, State of Ohio" (presentation transcript)

Slide 1: Cybersecurity in Ohio
David A. Brown
Chief Information Security Officer
State of Ohio
Slide 2: Threats Against Government
- Denial of Service
- Spear Phishing
- SQL Injection
- Web Defacements
- Malware (keyloggers, Trojans, etc.)
- Theft of Devices
- Hacktivist Activity
Slide 3: Examples of the Threat
- February 2012 – Missouri's Official Web Site Defacement
- April 2012 – Utah Department of Health – Medicaid System Hack
- October 2012 – South Carolina Department of Revenue Data Breach
- October 2012 – City of Burlington, Washington System Attack
- December 2012 – South Carolina Department of Employment & Workforce Web Defacement
- January 2013 – Florida Dept. of Juvenile Justice Device Theft

Notes:
- Missouri Defacement – no data loss
- Utah – 780,000 records stolen
- South Carolina Data Breach – 6.4 million records stolen by a foreign hacker – spear phishing
- City of Burlington – $400,000 diverted to other accounts across the country
- South Carolina Defacement – no data loss
- Florida Juvenile Justice – mobile device with 100,000 youth and employee records stolen from an office – no encryption or password protection
Several incidents have occurred in Ohio as well. All of the threats noted earlier have occurred here in state and/or local agencies.
Slide 4: State of Ohio Security Program
- Approximately 100 agencies, boards, and commissions under the program
- Decentralized environment
- Chief Information Security Officer responsibilities under ORC:
  - Coordinate the implementation of security policies and procedures in state agencies
  - Assist each agency with the development of a security strategic plan
Slide 5: State of Ohio Security Program
- April 2011 – State sets IT Standard ITS-SEC-02
  - Establishes NIST as the state security framework
  - Creates enterprise security controls that align with the Consensus Audit Guidelines (SANS Top 20 Critical Controls)
  - Agencies to be compliant with CAG by October 2012
- Fall 2012 – Agencies required to submit a strategic security plan to the Office of Information Security & Privacy
  - Leveraged the CAG self-assessment in the US Homeland Security CSET tool

Notes: Explain the value of the CSET tool for local municipalities and county governments.
Slide 6: State of Ohio Security Program
SANS Top 20 Critical Controls (Consensus Audit Guidelines):
1. Hardware Inventory
2. Software Inventory
3. Secure Configuration of Systems
4. Secure Configuration of Network Devices
5. Boundary Defense
6. Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access / Need to Know
10. Vulnerability Management
11. Account Monitoring & Control
12. Malware Defense
13. Limiting Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
16. Secure Network Engineering
17. Penetration Testing
18. Incident Response Capability
19. Data Recovery Capability
20. Security Training
Slide 7: State of Ohio Security Program
- Ohio is one of a few states that have adopted the SANS Top 20 Critical Controls
- The Consortium for Cybersecurity Action was established in 2012
  - Ensures that updated versions of the controls reflect the most relevant threat information
  - Shares lessons learned from organizations that have implemented them
- Ohio participates in this consortium
- The CISOs for Ohio and Colorado co-chair a state/local government workgroup for the Consortium
- The US State Department saw a 94% reduction in measured security risk by implementing these controls
Slide 8: State of Ohio Security Program
Security services provided by OISP today:
- Risk Assessments
- Security Assessments
- Security Architecture
- Security Consulting
- IT Security Policies/Standards
- Incident Response
- Vulnerability Assessments
- Penetration Testing (limited)
- Enterprise SIEM
- Security Awareness & Training
- Cyber Intelligence and Threat Management
Agencies may provide other services as well.
Slide 9: State of Ohio Security Program
Industrial Control Systems Assessments:
- Began these assessments in February 2012
- Partnered with US Homeland Security to conduct two pilot assessments
- Each assessment was completed within one day
- No cost to the State of Ohio
Slide 10: State of Ohio Security Program
Securing the Human:
- Began offering this training in 2011
- Online training produced by the SANS Institute
- 36 different training modules
- Updated twice a year based on current threats
- Approximately 50,000 state employees will be trained this year
- Excellent reviews by our users
Slide 11: State of Ohio Security Program
Enterprise SIEM:
- Began offering this service in 2012
- Collects security logs from systems
- 5 agencies participating today
- Extending to all cabinet agencies
- Over 100 million event logs analyzed per day
- Both agencies and OISP monitor the system
Slide 12: Challenges Facing Government
- Funding for security
- Cybersecurity authority and governance
- Attractive targets for cybercriminals and hacktivists
- Lack of skilled staff
- Sophistication of attacks

Notes: According to the 2012 Deloitte – NASCIO Cybersecurity Study, many governments fund security at 1–2% of the overall IT budget, and some do not fund it at all. While this study pertained to state governments, local governments have the same issue; in fact, many have little budget for IT as a whole, do not have dedicated IT staff, and rely on vendors. 78% of the states saw their security budgets remain about the same or become reduced during 2010 and 2011. The study also pointed out that many CISOs operate in a highly distributed model with little direct authority over agency strategies, activities, and resources. The study also showed that government agencies host systems that contain a lot of personal information, making them attractive targets for cybercriminals and hacktivists.
Slide 13: What Can You Do?
- Assess and communicate security risks
- Consider shared security services
- Encourage user education in security awareness
- Explore alternative funding for cybersecurity
- Use the no-cost assessments provided by DHS
- Encourage IT personnel to use the DHS CSET tool to do assessments and develop a plan of action
- Become a member of the MS-ISAC
- Leverage free cybersecurity training provided by various sources
- Develop an incident response plan
- Develop a disaster recovery plan
Slide 14: Cybersecurity Council
- The Cybersecurity, Education, and Economic Development Council was created under ORC in 2012
- Consists of 12 members appointed by the Governor, the Speaker of the House, and the President of the Senate
- The Council is to conduct a study and make recommendations regarding:
  - Improving the infrastructure of the state's cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education
  - Specific actions that would accelerate growth of the cybersecurity industry in the state