Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber-Security among American Local Governments Donald F. Norris, Anupam Joshi and Timothy Finin University of Maryland, Baltimore County Baltimore, Maryland.

Published byCathleen O’Neal’ Modified over 8 years ago

Similar presentations

Presentation on theme: "Cyber-Security among American Local Governments Donald F. Norris, Anupam Joshi and Timothy Finin University of Maryland, Baltimore County Baltimore, Maryland."— Presentation transcript:

1 Cyber-Security among American Local Governments Donald F. Norris, Anupam Joshi and Timothy Finin University of Maryland, Baltimore County Baltimore, Maryland Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

2 Cyber-Security among American Local Governments Why is it important? Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

3 Cyber-Security among American Local Governments Number of governments Spending on IT Number of attacks Effect of attacks Cost to the economy Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

4 Cyber-Security among American Local Governments Locus of attacks Attack vectors Web Sites Social Engineering Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

5 Cyber-Security among American Local Governments No CS or SS literature on local government cybersecurity Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

6 Cyber-Security among American Local Governments Method: Focus Group of CIOs and CISOs State of Maryland Baltimore City Baltimore County Howard County Montgomery County Prince George’s County Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

7 Cyber-Security among American Local governments Findings cannot be generalized Findings can be used to direct further research Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

8 Cyber-Security among American Local Governments Attack – an attempt by any party to gain unauthorized access to any component of an information technology system for the purpose of causing mischief or doing harm. Incident – any event that compromises the confidentiality, integrity or availability of an information asset (Verizon) Breach – an incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party (Verizon) Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

9 Cyber-Security among American Local Governments Attacks - 24/7/365 Thousands per day Some will inevitably be successful Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

10 Cyber-Security among American Local Governments End user is the problem “Our biggest struggle now is … the human being, our weakest link.” Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

11 Cyber-Security among American Local Governments “Running a [phishing] campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice and that probability goes up to 80%, and sending 10 phishing e-mails approaches the point where most attackers would be able to slap a ‘guaranteed’ sticker on getting a click.” (Verizon, 2013 DBIR) Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

12 Cyber-Security among American Local Governments Insufficient funding and staff “IT is … less than two percent of the overall budget. Less than two percent. Yet 100 percent of the people in [the county] are using IT. So, you know, you’re right, you know, we don’t have the resources, we don’t have the manpower. [We] … try and use our money the best way we can and … you’re right, sometimes things can be solved with money.” Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

13 Cyber-Security among American Local Governments Governance and federation (executive, legislative and judicial branches and divisions within the executive) “I’ve got responsibility over all three branches of government. However I can’t legally enforce policy, due to the pesky constitution, over the legislative and judicial branches. But I am responsible for their security” Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

14 Cyber-Security among American Local Governments Insufficient or under-enforced cybersecurity policies “There has to be someone in charge [and] … there has to be policy … the rules of the road. Not all state and local governments or units within them have appropriate cybersecurity policies and not all implement the policies that they have well.” Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

15 Cyber-Security among American Local Governments Actions to improve cybersecurity: Technical Managerial and Policy Governance Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

16 Cyber-Security among American Local Governments Technical Cybersecurity tools and practices Vulnerability assessment Two factor authentication and authorization Continually scan and test Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

17 Cyber-Security among American Local Governments Managerial and Policy Assess vulnerabilities User training and control Control over external devices Create a culture for cybersecurity Cybersecurity insurance Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

18 Cyber-Security among American Local Governments Governance Overcome the federation problem Ensure that all departments and units and their staff comply with policy Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

19 Cyber-Security among American Local Governments Conclusions Attacks are constant; some will succeed Technology is under control Human side is vulnerable Managerial and Policy need attention Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

20 Cyber-Security among American Local Governments Future Research Types of cyberattacks Vulnerabilities Current CS policies and practices v. “Best Policies and Practices” Addressing the Gaps Addressing the human element Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

21 Cyber-Security at the Grassroots: American State and Local Governments and the Management of Website Security THANK YOU! Prepared for: UMBC Public Policy Forum Baltimore, Maryland April 15, 2016

Download ppt "Cyber-Security among American Local Governments Donald F. Norris, Anupam Joshi and Timothy Finin University of Maryland, Baltimore County Baltimore, Maryland."

Similar presentations

Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.

Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Koen Maris – The Human Factor in Information technology – Copyright 2005 – The Human Factor in Information Technology.

Koen Maris – The Human Factor in Information technology – Copyright 2005 – The Human Factor in Information Technology.
Security Controls – What Works

Security Controls – What Works
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
The 10 Deadly Sins of Information Security Management

The 10 Deadly Sins of Information Security Management
1 IT Security-related Legislation Judy Borreson Caruso CUMREC 2004 May 18, 2004 Copyright Judy Borreson Caruso, 2004. This work is the intellectual property.

1 IT Security-related Legislation Judy Borreson Caruso CUMREC 2004 May 18, 2004 Copyright Judy Borreson Caruso, This work is the intellectual property.
© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force Computer Access, Privacy and Security: Legal Obligations and Liabilities Rodney J.

© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force Computer Access, Privacy and Security: Legal Obligations and Liabilities Rodney J.
Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.

Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.
Information Security Awareness Levels of TAFE South Australia Employees Hong Chan Bachelor of IT ( Honours ) Supervisor: Dr Sameera Mubarak.

Information Security Awareness Levels of TAFE South Australia Employees Hong Chan Bachelor of IT ( Honours ) Supervisor: Dr Sameera Mubarak.
 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
InformationWeek 2014 Strategic Security Survey Research Findings © 2014 Property of UBM Tech; All Rights Reserved.

InformationWeek 2014 Strategic Security Survey Research Findings © 2014 Property of UBM Tech; All Rights Reserved.
Information Security Phishing Update CTC

Information Security Phishing Update CTC
Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.

Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.
Windows 2000 Security Policies & Practices: How to build your plan Mandy Andress, CISSP President ArcSec Technologies.

Windows 2000 Security Policies & Practices: How to build your plan Mandy Andress, CISSP President ArcSec Technologies.

Similar presentations

Ads by Google