
Page 1: 2014 Report

CIS 2014 Annual Report | 1

John M. Gilligan, Chairman, Board of Directors

William F. Pelgrin, President & CEO

2014 ANNUAL REPORT


Committed to Protecting Critical Assets


Welcome Message ........ 4
Who We Are ........ 5
2014 at a Glance ........ 6
CIS 2014 Highlights ........ 8
Security Benchmark Resources ........ 9
Integrated Intelligence Center ........ 12
Security Operations Center ........ 13
Computer Emergency Response Team ........ 17
Intel Analysis ........ 20
Multi-State Information Sharing & Analysis Center ........ 22
Nationwide Cyber Security Review ........ 25
Making Security Affordable ........ 26
Making Security Practical ........ 27
CIS Cares ........ 28
CIS Leadership ........ 30
Board of Directors ........ 30
Executive Team ........ 30


Welcome Message

Since its creation in 2000, the Center for Internet Security (CIS) has established itself as a valued and trusted resource for both the public and private sectors and has grown its mission, staff and programs to become an internationally recognized authority in cyber security. During 2014, CIS continued its momentum as a thought leader and driving force for improving cyber security by undertaking initiatives that furthered our ability to help our partners detect, defend and respond to threats. We are fulfilling the vital need for enhanced collaboration through our Integrated Intelligence Center, which in 2014 expanded to include new partners and enhanced information sharing and analysis. In support of our continued dedication to the adoption and use of open, interoperable standards for security automation, we released CIS-CAT 3.0 this year, which enables users to leverage a broader array of standards-based, automatable security content for assessing the security configuration of IT systems and applications. We have grown our business lines, including development of new security assessment services, and we improved our network monitoring program to better enable our partners to rapidly respond to threats and attacks on their infrastructures. We are proud of our successes, but we also recognize that there is much more to be done. We will continuously fine-tune our business processes and operations to be as efficient and effective as possible. As we move forward in 2015 and beyond, we will continue to strive for excellent service, innovative solutions and collaborative approaches that further our mission of enhancing cyber security readiness and response.

Sincerely,

John M. Gilligan, Chairman of the Board

William F. Pelgrin, President and Chief Executive Officer



Who We Are

The Center for Internet Security, Inc. (CIS) is a 501c3 nonprofit organization whose mission is to enhance the security readiness and response of public and private sector entities, with a commitment to excellence through collaboration.

CIS serves as the key cyber security resource for state, local, tribal and territorial governments, including chief information security officers, homeland security advisors and fusion centers; produces consensus-based, best practice secure configuration benchmarks and security automation content; and provides products and resources that help partners achieve security goals through expert guidance and cost-effective solutions.


2014 at a Glance

689 state, local, tribal and territorial governments are members of MS-ISAC

$6.5 million in cost savings achieved for the public sector through aggregate cyber security buys

170% growth in the number of actionable events reported to partners

536 Security Benchmarks global members

1.5 trillion records analyzed through the CIS Security Operations Center


46 states and local governments participating in CIS cyber security services

50 states issued proclamations or letters of support recognizing National Cyber Security Awareness Month

First time our National Cyber Alert Threat Level was raised to Orange (High)

100+ secure configuration benchmarks across 14 technology groups

78 fusion centers participating in the CIS Integrated Intelligence Center


CIS 2014 Highlights


Security Benchmark Resources

Reducing Risk Through Collaboration and Consensus

Since its creation in 2000, CIS has built a worldwide reputation for providing consensus-based, industry best practice guidance that helps organizations to assess and improve their cyber security. These CIS Security Benchmarks resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications.

Secure Configuration Benchmarks

The CIS Benchmarks provide guidance on the security-focused configuration controls that should be applied for a wide range of technologies, specific procedures on how to implement those recommendations, and audit procedures to then verify that those controls are correctly implemented. The Benchmarks span the most commonly used IT systems and technology groups, including server and desktop operating systems, web browsers, mobile devices and more.

Thirty-two new and updated benchmarks were released in 2014, including those for VMware ESXi 5.1, Microsoft SQL Server 2014 and Apple iOS 8.

CIS Security Benchmarks Membership

CIS Security Benchmarks membership comprises organizations and users from virtually every industry sector, and ranges in size from independent consultants to Fortune 500 companies. Overall membership grew by nearly 30% during 2014 to 536 enterprise members, representing businesses, governments, universities, and more from across the United States and around the globe. A significant portion of the membership growth is in the international arena, reflecting the growing global recognition of the importance of consensus-based, industry best practices available through CIS Security Benchmarks membership. CIS offers multiple membership categories, including discounted options for SLTT governments.


Configuration Assessment Tool (CIS-CAT)

A cornerstone of the CIS Security Benchmarks resources is CIS-CAT, our Configuration Assessment Tool. CIS-CAT is a powerful resource for analyzing and monitoring the security status of information systems and applications, and the effectiveness of internal security processes. CIS-CAT enables the assessment of multiple systems simultaneously by integrating CIS-CAT with system management utilities, helping organizations to provide fast, detailed assessments of enterprise deployments, as well as produce aggregate reports of configuration security posture across such environments. CIS-CAT is available to Security Benchmarks members.

CIS-CAT 3.0 and SCAP 1.2 Validation

In early 2014 CIS announced the release of CIS-CAT 3.0, an enhanced version of the tool, which provides CIS Security Benchmarks members with increased capabilities and access to a broader array of standards-based, automatable security information (content) for assessing the security configuration of IT systems and applications. The new release also allows for direct evidence-based reporting for a variety of technologies assessed for policy compliance and unified reporting for security configuration and software vulnerability assessments.

After completing a rigorous development, testing and verification process, CIS-CAT 3.0 achieved Security Content Automation Protocol (SCAP) v1.2 Validation from NIST in March 2014, becoming only the second security assessment product to obtain such approval. CIS-CAT 3.0 was awarded SCAP 1.2 validation as an Authenticated Configuration Scanner (ACS) with the Common Vulnerabilities and Exposures (CVE) Option. NIST validated CIS-CAT 3.0’s ACS and CVE Option capabilities across all Microsoft Windows and Red Hat Enterprise Linux profiles available under the SCAP 1.2 Validation Program.

SCAP 1.2 validation certifies that CIS-CAT 3.0 can successfully leverage a wide range of automatable content based on open, interoperable standards, which is cited as a best practice in many sources, including the NIST Cybersecurity Framework. Standards-based security automation allows for improved and consistent sharing of security information across various tools and reports. It also provides greater consistency in how IT systems and applications are assessed and the results reported.

CIS-CAT 3.0 can now evaluate target IT assets utilizing repositories of SCAP 1.2 content from a number of sources, including NIST’s United States Government Configuration Baseline (USGCB) and the Defense Information Systems Agency’s Security Technical Implementation Guides (DISA STIGs), as well as CIS’s expanding collection of CIS Security Benchmarks in SCAP format. CIS-CAT 3.0’s validation for the CVE Option also enables the tool to perform software vulnerability assessments according to the thousands of documented vulnerabilities maintained in MITRE’s CVE.

CIS-CAT achieved Security Content Automation Protocol (SCAP) 1.2 validation from the National Institute of Standards and Technology

CIS-CAT 3.0’s SCAP 1.2 validation and CIS’s continued and rapidly increasing production of its security configuration Benchmarks as SCAP 1.2-based automatable content is evidence of its dedication to the adoption and use of open, interoperable standards for security automation.

CIS Product Certifications

CIS Certified Security Software Products are those that are tested and certified by CIS to accurately measure and report conformity of system configurations with the technical settings defined in the CIS Benchmarks. CIS Security Software Members can use the CIS “Certified” logo to demonstrate a strong commitment to consensus-based configuration security recommendations.

In 2014 the number of members awarded CIS product certifications increased by 29%.

Medical Device/System Security Benchmarking Initiative

Medical devices and the systems they rely on have become so interconnected and mobile that they need to be protected from the ever-increasing volume of cyber threats in order to protect the confidentiality of patient information and safeguard patient safety. In recognition of this growing concern, CIS launched an initiative in 2013 to help bolster the protection of networked medical devices from cyber threats. CIS issued a request for information to U.S. medical device manufacturers that invited voluntary participation. The Medical Device Innovation, Safety and Security Consortium (MDISS), which has long been an established leader in medical device security and safety, agreed to co-lead the initiative with CIS.

The result of this collaboration is two new resources in 2014, developed jointly by CIS and MDISS. The CIS/MDISS Security Benchmark Mapping Guidance provides security recommendations that can be used by medical device manufacturers during the product development process, as well as assist healthcare providers in evaluating the security controls for medical devices prior to purchase and implementation.

“The current security landscape makes it absolutely necessary for organizations to accurately evaluate security protocols and procedures to protect their data and keep their reputations intact. In earning the CIS benchmarking certification, it’s evident that we are playing a significant role in helping our Frontline users do that.”

- Larry Hurtado, President & CEO, Digital Defense Inc.


Additionally, healthcare providers can leverage the new CIS/MDISS guidance as supplementary resources to the widely used Manufacturer Disclosure Statement for Medical Device Security (MDS2) form, a collaboration between the Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA), which provides manufacturers with a means for disclosing the security-related features of the medical devices they bring to market.

Integrated Intelligence Center

The operations core of the Center for Internet Security is our 24/7/365 Integrated Intelligence Center (IIC). The IIC serves as an important resource to facilitate collaboration across multiple levels of government (federal, state, local, tribal, and territorial), relevant domains (both cyber and physical), and key disciplines (law enforcement, military, policy, and technical) to improve the responsiveness and efficiency of anticipating and responding to cyber events.

The IIC includes the CIS 24/7/365 security operations center, incident response team, forensics lab, intelligence analysts and key partners – all working side-by-side to put the pieces of the puzzle together, and identify patterns that may not have been detected without this collaborative environment.

Key IIC Functional Areas:

- The Security Operations Center (SOC) provides 24/7/365 monitoring of cyber security threats and attacks that could impact SLTT governments.
- The Computer Emergency Response Team (CERT) provides SLTT governments with malware analysis, computer and network forensics, vulnerability management, malicious code analysis mitigation and incident response.
- Intel Analysis makes informed assessments about cyber trends, actors, and tactics, techniques, and procedures (TTPs) affecting SLTT governments. This includes intelligence and analytical support to state Homeland Security Advisors, Fusion Centers, Information Sharing and Analysis Centers (ISACs), and National Guard Bureau partners.

[Diagram: the Integrated Intelligence Center, comprising the SOC, CERT and Intel Analysis]


In addition, the CIS IIC has staff assigned to the National Cybersecurity and Communications Integration Center (NCCIC) who work closely with all of the NCCIC partners, in both the public and private sectors. The NCCIC is an invaluable resource as both a source of cyber threat and event information and a vehicle to look at threats and attacks across sectors. The intel partners share information regarding threats to SLTTs. CIS provides daily briefs as well as weekly and monthly information on the cyber activity impacting SLTTs and routinely contributes to the Weekly Analytical Synopsis Product (WASP) published by the NCCIC.

IIC: Security Operations Center

Detection and Prevention

Through its 24/7/365 Security Operations Center (SOC), CIS offers a number of services aimed at reducing risk to the nation’s SLTT government cyber domain. The SOC provides managed security services (MSS), network monitoring (known as Albert), along with threat and vulnerability analysis and notifications to SLTT governments, providing them with an enhanced ability to detect and defend against the latest cyber threats.

These services provide a view of system and network activity that enhances situational awareness of SLTT government networks across the country. The CIS SLTT government situational awareness contributes to the national cyber situational awareness assessment prepared by the NCCIC. It enables more timely cyber incident identification and response while providing more data for developing and implementing appropriate mitigation strategies tailored specifically to SLTT government cyber resources.

Through its MSS and Albert services, CIS analyzed more than 1.5 trillion records in 2014, and the number of actionable events we reported to our partners increased more than 170% from 2013. Several factors contributed to this increase in events, including significant growth in the number of SLTT partners taking advantage of our services, enhancements made to our network monitoring services, along with major vulnerabilities during 2014, such as BASH and Heartbleed, which impacted SLTT governments.

The SOC issues advisories and alerts to SLTT government partners and stakeholders, and also makes them available to the public online as appropriate. These advisories include customized risk ratings for government, businesses and home users.


In 2014 CIS, in partnership with DHS, continued expansion of its MSS and Albert security services, with 30 states and 16 local governments using the services as of the end of the year. This expanded view helps inform the overall threat landscape and enables CIS to better assist all SLTT governments with threat and mitigation resources. Efforts will continue throughout 2015 to engage additional SLTT governments in MSS and Albert services as part of a comprehensive strategy for improving our collective cyber security posture.

Managed Security Services

The CIS SOC Managed Security Services (MSS) include 24/7/365 monitoring and/or management of security devices such as firewalls, intrusion detection/prevention systems, web gateways and proxy devices. These services provide a view of system and network activity that enhances situational awareness of SLTT government networks across the country. The CIS SOC is able to analyze enormous amounts of data and cull out the issues specific to the SLTT environment, thus saving them time and resources, and eliminating their need to respond to non-events, such as false positives. The result is improved ability to address the cyber challenges and overall enhanced security.

The information available through the managed security services, combined with the research and analysis conducted by CIS and its partners and information derived from incident investigations, enables CIS to develop and update the situational awareness picture for SLTTs.

During 2014, more than one-third of the network attack activity tracked through the CIS SOC consisted of Structured Query Language injection (SQLi) attempts, inbound port scans and network reconnaissance. Just over half of the malware infections CIS observed in 2014 were generic Trojan horse infections, which are designed to steal passwords or other sensitive information. The most prevalent single malware was Trojan.Kazy, which attempts to download additional malware to the infected machine and steal account information.


2014 Major Vulnerabilities Impacting SLTTs

Two major vulnerabilities that impacted SLTT governments in 2014 and resulted in significant activity in the actionable events we reported out to our partners were the BASH and Heartbleed vulnerabilities.

Bourne Again Shell (BASH), aka “Shellshock”

In September, reports surfaced on the BASH vulnerability. BASH is the default command line shell processor that is often run in a text window on Linux and UNIX systems, and allows users to type commands that cause actions. Successful exploitation of the vulnerability could result in an attacker gaining the same privileges as the logged-on user, which could then entail installing programs; viewing, changing or deleting data; or creating new accounts with full user rights.

CIS issued an advisory detailing the nature of the vulnerability, impacted systems and mitigation recommendations. Because the impacted systems represent the majority of web server platforms in the world, CIS raised the national Cyber Alert Threat Level to Yellow (Elevated). Signatures were deployed in CIS monitoring systems, which are in place in 30 states, to detect BASH-related scanning activity. We conducted a call with the National Council of ISACs and NCCIC personnel to brief out on the situation. CIS issued nearly 1,000 notices to our partners; there were no reported events or any open-source reports of SLTT government BASH-related compromises.

Heartbleed

One of the most significant incidents we faced in 2014 was the Heartbleed vulnerability, which impacted a reported two-thirds of the websites on the Internet. This vulnerability, which was announced in April, was discovered in OpenSSL’s implementation of the TLS ‘heartbeat’ extension and could allow for the disclosure of sensitive information. OpenSSL is an open-source implementation of the SSL protocol used by a number of other projects. SSL (Secure Sockets Layer) is a protocol that ensures secure communication over the Internet via encryption. This issue could allow an attacker to compromise the private key and other sensitive data stored in memory.

CIS, in coordination with the NCCIC, immediately took steps to assist SLTT governments in addressing Heartbleed, including issuing advisories describing the criticality of the vulnerability, noting that exploit code was released and providing mitigation recommendations.

We raised the national Cyber Alert Threat Level to Orange (High) for the first time in our history. Orange indicates a high risk of increased hacking, virus or other malicious cyber activity which targets or compromises core infrastructure.

The same day we raised the alert level, we conducted a conference call, with over 400 MS-ISAC members participating, along with representatives from the NCCIC and US-CERT. Additional calls were held with DHS and the National Council of ISACs to brief on the threat and the remediation efforts. CIS conducted scans of over 500 SLTT domains a week after the announcement. Less than 1% of the sites scanned were vulnerable, which was indicative of the quick remediation efforts.

Throughout the following weeks, CIS provided daily updates to the NCCIC, which briefed senior White House officials. Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, specifically recognized our efforts during a speech launching National Cyber Security Awareness Month.

“This collaboration worked quite well, and now with BASH and Shellshock, we’re getting an opportunity to practice even more.”

- Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator


CIS Network Monitoring Services (Albert)

The CIS Network Monitoring Services, known as Albert, is an automated process of collecting, correlating and analyzing computer network security information across government systems. Logs and records detailing the traffic flow of the associated network(s) are continuously analyzed and correlated against known malicious patterns, trends and other indicators. Automatic “hits” on potentially malicious software code or other malicious cyber activity are further analyzed by CIS. The analysis identifies traffic to known malicious IP addresses and domains as well as malicious code. Notices are sent to individual partners in accordance with the partners’ escalation procedures. This enables partners to rapidly respond to threats and attacks on their infrastructure.

In 2014 CIS implemented an enhanced version of Albert, which allowed us to significantly improve the analysis process. Partners can now customize and specify what types of notifications they wish to receive. For example, some organizations only want to be notified of critical and emergency events. Others may want to be notified of “peer-to-peer” connections or certain types of scans that would be determined to be informational. The enhanced Albert capabilities also contribute to our weekly and monthly reports of malicious indicators that are shared with our partners.

More than 53,000 actionable events were reported in 2014 from activity detected through the Albert service, with the majority resulting from generic Trojans and the Zeus malware.

Threat and Vulnerability Notifications

In addition to the notices generated by the MSS and Albert services, the CIS SOC provides proactive analysis of open-source data and information received from trusted third parties to identify threats and vulnerabilities impacting SLTT governments. During 2014, the CIS SOC issued more than 14,000 notices to SLTT governments, nearly triple the volume from just two years ago. The majority of activity resulted from Spamhaus sink hole notifications and account compromises that were identified through our research activities.


Spamhaus

In September, CIS was provided access to the sinkhole maintained by Spamhaus. Spamhaus is an international nonprofit organization whose mission is to track the Internet’s spam operations and sources to provide dependable real-time anti-spam protection for Internet networks, and to work with law enforcement agencies to identify and pursue spam and malware gangs worldwide. This provided CIS with real-time access to a database of IP addresses of hijacked PCs infected by illegal third party exploits. Every day, data on compromised systems is downloaded (over 100,000 IPs) by CIS and compared against our database of SLTT IPs to generate notices to impacted entities. In late 2014 CIS distributed notices to 1,347 organizations that had compromised systems.
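The daily sinkhole matching described here, and the per-partner notification preferences described for the enhanced Albert service above, both come down to the same workflow: parse a feed of compromised addresses, find which partner owns each address, and filter by what that partner asked to be told about. The following is an added illustrative example, not CIS code and not a description of the actual CIS or Spamhaus systems. The feed format (CSV with timestamp, ip, malware columns), the severity scale, the partner prefixes and the sample rows are all constructed for the example; the IP addresses are RFC 5737 documentation ranges.

```python
"""Sinkhole-feed to partner-notice matching (illustrative example, not CIS code)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample feed, shaped like a daily sinkhole export (assumed format).
# Row 4 has a malformed address on purpose, to show the parser skipping it.
SINKHOLE_FEED = """timestamp,ip,malware
2014-09-01T03:14:00Z,192.0.2.17,zeus
2014-09-01T03:15:00Z,198.51.100.200,conficker
2014-09-01T03:16:00Z,203.0.113.9,generic_trojan
2014-09-01T03:17:00Z,192.0.2.300,zeus
2014-09-01T03:18:00Z,192.0.2.44,p2p_informational
2014-09-01T03:19:00Z,203.0.113.200,zeus
"""

# Constructed partner inventory: organization -> CIDR prefixes it owns.
PARTNER_NETWORKS = {
    "County A": ["192.0.2.0/24"],
    "State B": ["198.51.100.0/24", "203.0.113.0/25"],
}

# Assumed severity per malware family (1 = informational, 3 = critical).
SEVERITY = {"zeus": 3, "conficker": 3, "generic_trojan": 2, "p2p_informational": 1}
LEVEL_NAMES = {1: "informational", 2: "high", 3: "critical"}

# Per-partner escalation preference: lowest severity the partner wants notices for.
PARTNER_MIN_SEVERITY = {"County A": 2, "State B": 1}


def parse_feed(text):
    """Return (timestamp, ip_address, malware) tuples; rows with bad IPs are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            continue  # a malformed feed entry must not abort the whole run
        rows.append((row["timestamp"], ip, row["malware"].strip().lower()))
    return rows


def build_index(partner_networks):
    """Pre-parse partner prefixes once, most specific first, so lookups are cheap."""
    index = []
    for org, prefixes in partner_networks.items():
        for prefix in prefixes:
            index.append((ipaddress.ip_network(prefix, strict=False), org))
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def owner_of(ip, index):
    """Return the partner whose prefix contains ip, or None if it is not a partner address."""
    for net, org in index:
        if ip.version == net.version and ip in net:
            return org
    return None


def generate_notices(feed_text, partner_networks, min_severity):
    """Match feed hits to partners and apply each partner's escalation threshold."""
    index = build_index(partner_networks)
    notices = defaultdict(list)
    for seen, ip, malware in parse_feed(feed_text):
        org = owner_of(ip, index)
        if org is None:
            continue  # not a partner address; nothing to notify
        sev = SEVERITY.get(malware, 2)  # unknown families are treated as "high"
        if sev < min_severity.get(org, 1):
            continue  # partner opted out of this severity level
        notices[org].append(
            {"ip": str(ip), "malware": malware, "severity": LEVEL_NAMES[sev], "seen": seen}
        )
    return dict(notices)


if __name__ == "__main__":
    result = generate_notices(SINKHOLE_FEED, PARTNER_NETWORKS, PARTNER_MIN_SEVERITY)
    for org, items in sorted(result.items()):
        print(f"{org}: {len(items)} compromised host(s)")
        for n in items:
            print(f"  {n['seen']}  {n['ip']:<16} {n['malware']:<18} {n['severity']}")
```

With the constructed data, County A receives one notice (192.0.2.17; the peer-to-peer hit on 192.0.2.44 is below its threshold), State B receives two, the malformed row is dropped, and 203.0.113.200 falls outside State B's /25 and is ignored. Sorting prefixes most specific first matters when a partner's address space is nested inside another's (a city allocation carved out of a state block), so the narrower owner is reported rather than the broader one.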

IIC: Computer Emergency Response Team (CERT)

Response and Recovery

CIS has a dedicated team available to assist with malware and log analysis, computer forensics, code analysis, and mitigation recommendations.

In 2014 the CERT handled a broad range of incidents, of which a majority focused on malware infections, compromised servers and ransomware. The volume of incident response we provided to our partners nearly tripled from 2013.

Key Incident Response Activities

Malware

A number of the malware infections addressed by the CERT included crimeware-themed malware such as Zeus (Zbot), Zero Access, and Qakbot. The most common methods of infection were drive-by-downloads that exploited a vulnerability in out-of-date software running on the victim’s workstation, and phishing emails containing malicious links and/or attachments. The CERT also responded to a number of Conficker infections, which indicates that there are still a large number of systems that are severely outdated, as patches that mitigate the Conficker malware have been available since late 2008.

Compromised Servers

The majority of these servers are public-facing systems such as web servers. The most common way servers become compromised is by running outdated software.

When asked, “Would you recommend the CIS/MS-ISAC response services to other state and local government entities?”, 100% of the survey respondents said yes.


Content management systems (CMS) in particular are a very popular means of compromising servers, as the attack surface is very broad due to a wide variety of third-party CMS plugins being used. These third-party plugins are typically not updated as frequently as the core CMS that is installed and are often a target of attack. Another very common method of exploitation is via a vulnerable web application in which attackers are able to successfully conduct SQL injection and cross-site scripting attacks to gain unauthorized access to the system and the data it is serving.

After identifying the trend in the CMS compromises, CIS incorporated a proactive process in which domains of our partners are profiled quarterly and those entities running outdated CMS are notified. Through our Vulnerability Management Program, CIS profiles our partners’ webservers on a weekly basis resulting in timely notification and assistance for remediation.

Ransomware

Ransomware, such as CryptoLocker and CryptoWall, continued to be an issue for SLTT governments in 2014. We saw the first wave of CryptoWall infections affecting SLTTs in late spring, with an increase in infections in the fall, after a new variant was released.

Once a system becomes compromised with ransomware, the malware encrypts all of the documents on the system’s file server, as well as on any network share the system has access to. Once encrypted, the attackers demand a payment, usually ranging from $200 to $1000 to decrypt the files.

Two of the most common ways entities were compromised were via malicious advertisements being hosted on popular websites, or victims clicking on links in emails or opening malicious attachments.

Due to the increase in the ransomware threats, CIS issued various cyber alerts, which included the domain indicators for our partners to block in order to minimize the risk of their data being encrypted.

Advanced Persistent Threat (APT)

The CERT responded to a number of incidents related to Advanced Persistent Threat (APT) activity, which included a variety of system and server compromises. For all of the incidents, Indicators of Compromise (primarily domains and IP addresses) were extracted and historical data from the Albert system was analyzed, and these indicators were then added to Albert for future monitoring and notification.

“CIS CERT is a very valuable asset, especially for under resourced state and local government agencies.”


Dyre Banking Trojan

Dyre or Dyreza is a banking Trojan initially discovered in Europe targeting numerous financial institutions in the first half of 2014. In the last quarter of 2014, CIS observed increased activity related to Dyre, which intercepts communications with banking web sites and directs traffic to attacker controlled servers to trick users into believing they are securely connected to their bank, while actually providing information to the attacker’s server. CIS issued a cyber alert that highlighted the phishing email characteristics, system level indicators and associated IPs and domains. The CERT responded to multiple Dyre incidents impacting our state and local partners and was able to extract indicators from the responses that were shared with members through multiple advisories.

Sweet Orange Exploit Kit

In October CIS identified a campaign in which the Sweet Orange Exploit Kit was being used to distribute various malware, including Qakbot, onto unpatched end-user systems. This exploit kit is hosted on compromised websites and contains various exploits for vulnerabilities in Internet Explorer, Adobe and Java. To lure victims to websites hosting the exploit kit, threat actor(s) are primarily relying on malicious advertisements, as well as compromising websites running outdated content management systems, the majority of which were vulnerable versions of WordPress and Joomla CMS. CIS issued an alert highlighting the attack vector, a detailed listing of the websites used to redirect the users, and the exploit-hosting websites they were redirected to. Leveraging the Albert infrastructure, we were able to provide critical information to the NCCIC on the exploit kit, the websites that were compromised and the malware being distributed.

Improving Capabilities

CIS continues to seek ways to improve services and resources to adapt to and predict the changing threat environment that impacts our partners. In addition to the enhancements to our Albert infrastructure, we implemented a number of new or enhanced services throughout 2014 that enable us to better serve our partners.

Malicious Code Analysis Platform (MCAP)

In late 2013 CIS launched the Malicious Code Analysis Platform (MCAP) for SLTT governments. This portal allows for malware analysis in a sandboxed environment without submitting the code to public websites. It also enables SLTT governments to conduct threat/intel research for malware samples based on various indicators of compromise, including domain, IP, URL and others. In 2014 we continued to expand the MCAP with hundreds of users across the states leveraging the platform for their incident response needs.

Comprehensive Security Assessments

In order to increase the proactive services we are providing to our partners and help them secure their infrastructure, CIS developed a Comprehensive Security Assessment Service in 2014. Through this service, an entity’s network is assessed using our CIS-CAT and the CIS Enumeration and Scanning Program (ESP) tool, in order to identify existing compromises, policy violations and misconfigurations. A report is delivered to the entity highlighting the findings and recommendations on how to improve their cyber security posture. This service can be performed remotely, which minimizes the overall cost to the entity. This new service targets small and medium size organizations, which typically do not have the technical expertise and/or resources to secure their infrastructure.

IIC: Intel Analysis

The Intel Analysis arm of the CIS Integrated Intelligence Center serves as a resource for the collection and analysis of actionable strategic, tactical, and operational intelligence for the nation’s SLTT governments, including all 78 recognized fusion centers and 55 state Homeland Security Advisors (HSAs).

The IIC is the DHS-recognized resource for collaborative cyber information sharing and analysis among fusion centers, and is a key cyber intelligence resource for the National Governors Association Homeland Security Advisors Council (GHSAC).

Throughout 2014 the IIC expanded its support as the key source of cyber threat information and intelligence, including:

- 24x7x365 on-call support and situational awareness for fusion centers in addition to all MS-ISAC members
- Publication of more than 40 intelligence products, including several joint products with fusion centers
- Assistance with the Fusion Center Cyber Analyst training course at the NCFI in Hoover, Alabama
- Aiding the International Association of Chiefs of Police (IACP) in developing its online Cyber Crime Center

IIC analysis combines traditional U.S. Intelligence Community (USIC) intelligence analysis formatting with the easily understood and highly actionable CIS format to provide unbiased representations of timely issues, avoid making assumptions, and clearly delineate judgments in the standard USIC format. Source information for IIC products is drawn from IIC partners, MS-ISAC monitoring, and information from federal and SLTT governments, fusion centers, law enforcement agencies, third parties, other information sharing and analysis centers (ISACs), and open source reporting.

Fusion Center Cyber Pilot

DHS designated CIS as the coordinating entity for the Office of the Director of National Intelligence Program Manager-Information Sharing Environment (ODNI PM-ISE) and DHS Fusion Center Cyber Pilot. Participants include a number of fusion centers, in partnership with the International Association of Chiefs of Police, the National Fusion Center Association, the ODNI PM-ISE, and DHS.

Key objectives of the pilot included the creation of a cyber program model for fusion centers; standardization of distribution and sharing protocols between and among the fusion centers, CIS and stakeholders; and assistance to DHS in development of a training regime to build cyber analytical skills among SLTT governments.

The pilot is scheduled for completion in May 2015. CIS will then assist in the implementation of the recommendations resulting from the pilot final report.

2014 Activity Tracked Through IIC Intel Analysis

In 2014 CIS notified fusion centers and MS-ISAC members of hacktivist targeting in 86 incidents, ranging from doxing of law enforcement officers and SLTT government officials, to targeted cyber attacks, to overall threats targeting SLTT government entities.

CIS produced analytical reports regarding some of the most prevalent actors and their techniques. This provides additional context for the victims, and allows for fact-based education of the network owners and operators.

Overall, hacktivists continue to conduct operations against SLTT governments with the majority of attacks in support of previously identified agendas, including anti-U.S. motivations, justice for victims, and an end to alleged police brutality. The majority of hacktivist activity remains associated with controversial incidents or appears to be opportunistic website defacements, doxing incidents, and data exfiltration.

Supporting National Intelligence

In support of national cyber intelligence requirements, CIS has been providing cyber threat information to the DHS Office of Intelligence and Analysis (I&A). DHS I&A regularly disseminates this information in formatted reports to appropriate law enforcement and homeland security intelligence consumers. The reports have consistently received excellent evaluations from these consumers, reflecting the high value of CIS information.

IIC Training and Collaboration Activities

The IIC supports the Fusion Center Cyber Analyst Training Course, hosted at the United States Secret Service NCFI in Hoover, Alabama, by providing presenters and class content.

The Fusion Center Cyber Pilot has four goals:

- Determination of Current Capabilities
- Creation of Core Requirements and Recommendations
- Standardized Threat Information Sharing Protocols and Mechanisms
- Training


The IIC runs a monthly “CIS Seminar” series, utilizing subject matter experts who deliver cyber training via webinars to all CIS members at no cost. Information regarding trends, tactics, techniques, and procedures is presented, and the seminars are building the knowledge base of cyber security experts throughout the U.S.

The IIC, in collaboration with DHS, hosted and helped develop the first Cyber Security Specialized Analytical Seminar Series (SASS) in June for fusion centers. Partner organizations included the DHS Office of Cybersecurity and Communications (CS&C), the NCCIC, the U.S. Secret Service, the Federal Bureau of Investigation, the National Cyber Investigative Joint Task Force, the New York State Office of Information Technology Services, New York State Intelligence Center (NYSIC), as well as more than two dozen fusion centers.

Multi-State Information Sharing and Analysis Center

CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), one of the longest-standing national ISACs. The MS-ISAC, which includes representation by state Chief Information Security Officers or their equivalents, Chief Information Officers, local governments, tribal entities and U.S. territories, is designated by the U.S. Department of Homeland Security (DHS) as a key resource for cyber threat protection, response and recovery for the nation’s state, local, tribal and territorial (SLTT) governments.

Bringing SLTT Government Professionals Together

The MS-ISAC has fostered a trusted environment between and among its SLTT government partners and with DHS. CIS conducts monthly MS-ISAC membership meetings via webcast that provide an interactive forum for sharing information on cyber security issues important to the SLTT government cyber domain. DHS participates in these webcasts, providing the opportunity for them to connect with SLTT government officials on a monthly basis. The MS-ISAC Executive Committee comprises representatives who are elected by the MS-ISAC members to assist in providing strategic guidance and recommendations for the MS-ISAC. The members also participate in a number of issue-specific working groups to target the areas of most concern to the members.

The MS-ISAC works closely with other organizations to continue to build trusted relationships to further enhance the cyber security posture of the nation. Such outreach and collaboration includes working with the National Governors Association (NGA), the Governors Homeland Security Advisors Council (GHSAC), the National Association of State Chief Information Officers (NASCIO), the National Association of Counties (NACo), the National Cyber Security Alliance (NCSA) and many others. CIS also partners with the other national critical infrastructure sector ISACs through the National Council of ISACs.

Membership in the MS-ISAC grew by 23% in 2014 to 689, representing all 50 states, 629 local governments, 3 U.S. territories and 7 tribal entities.

The Annual Meeting is the cornerstone MS-ISAC event each year, focused on deliverable-oriented working sessions that address specific areas of the MS-ISAC’s objectives, with the ultimate goal to enhance our overall cyber security posture by working collectively.

2014 marked the largest-attended annual meeting to date, with nearly 260 attendees representing 49 states, 1 tribal entity and more than 45 local governments. 2014 also marked the first time that fusion center personnel attended, with over 50 fusion centers represented.

Providing Education & Awareness

An important part of the CIS mission is to raise awareness and provide resources that help users stay informed about the ever-changing cyber threat landscape. CIS achieves this in a number of ways, including the development and distribution of monthly cyber tips newsletters (which organizations can brand with their own logos); bimonthly educational webcasts, with registrants in 2014 from all 50 states, several U.S. Territories, and 21 countries; a daily cyber tips feed on the CIS public website; and a variety of guides, whitepapers and other resources.

National Cyber Security Awareness Month

Each October, CIS serves as a co-host with the U.S. Department of Homeland Security, the National Association of Chief Information Officers and the National Cyber Security Alliance in promoting National Cyber Security Awareness Month (NCSAM). CIS develops and distributes Cyber Security Awareness Toolkit materials to all 50 states and U.S. territories in support of Awareness Month. The goal is to promote a consistent message about cyber security education and awareness and provide products for broad distribution.


The materials include posters, bookmarks, calendars and other awareness material. These materials are branded so that each MS-ISAC Member can customize them with its own logo and website. CIS also makes this information available to the public online at www.msisac.org.

CIS also coordinates a proclamation campaign, inviting each state governor and local elected official to sign a proclamation in support of NCSAM, thus showing the importance of cyber security at leadership levels. Once again in 2014, all 50 state governors issued proclamations or letters of support, along with 1 U.S. Territory and 18 local government officials.

National Kids Safe Online Poster Contest

One of the most popular awareness activities that CIS conducts is the annual Kids Safe Online Poster Contest, which encourages young people to use the Internet safely and securely. The contest engages them as they create messages and images to communicate to their peers the importance of staying safe online. Thirteen entries are selected and appear in the national calendar distributed each year as part of the Awareness Month Toolkit. In 2014, 13 states participated in the contest.

National Best of the Web Contest

CIS conducted its 6th annual Best of the Web contest in 2014 to recognize state, local and territorial governments that use websites to promote cyber security.

State Government Winner 2014: State of Delaware

Local Government Winner 2014: Cuyahoga County, Ohio


Providing a National Picture of SLTT Government Cyber Security Readiness

Nationwide Cyber Security Review

The Nationwide Cyber Security Review (NCSR) is an annual, voluntary self-assessment survey designed to evaluate cyber security management within state, local, tribal and territorial governments.

DHS partnered with CIS, along with NASCIO and NACo, to develop and conduct the Review, which took place for the third time in 2014.

The NCSR utilizes a Control Maturity Model to measure how effective an organization’s security program is at deploying a given control, in light of identified risks to an organization’s operations. Categories covered in the survey include security program, risk management, business continuity, physical access controls and a number of other key areas.

Participation in the 2014 NCSR included 48 states, 40 local governments and 164 state agencies.

Findings from the 2014 Review indicate that SLTT cyber security professionals have made progress in promoting a holistic cyber security program, including improvements in states’ incident management capabilities and greatly improved physical security program maturity by local governments.

While progress has been made, there are still significant challenges facing SLTT governments, and the NCSR continues to be an important resource for helping entities assess their posture, identify gaps, and measure progress.

DHS, NASCIO and CIS began work to align the upcoming 2015 NCSR to the NIST Cybersecurity Framework (CSF). The 2015 NCSR will leverage current industry cross-mappings between the NIST CSF and industry best practices, allowing organizations to better understand and adopt the Framework.

“Overall the NCSR provided the State with good information and the ability to collaborate. The results of the NCSR allow the State insight into the larger picture of the State security position.”

- John F. Byers, Chief Information Security Officer, State of Kansas


Making Security Affordable

The procurement process for state and local governments can be time consuming, costly, and complex. For many entities, a lack of staff and technical expertise, coupled with budget constraints, can have a negative impact on their ability to implement the security controls needed to defend against the ever-increasing threats.

2014 marked the third year of the CIS purchasing alliance program, which aggregates the purchasing power of the public sector to allow all participants to improve their cyber security posture at a lower cost than they could achieve individually.

Product and service choices for the aggregate buys are driven by the positive impact on cyber security infrastructure and customer needs. The offerings are also focused on products that address leading security guidelines, including the Critical Security Controls and the Australian Defence Signals Directorate’s Top 35 Strategies to Mitigate Targeted Cyber Intrusions. CIS oversees a review board comprising government partners to review and select potential offerings, and then engages the vendor community to negotiate volume discount purchasing opportunities.

During 2014, 277 entities took advantage of aggregate buy opportunities, an increase of nearly 30% from 2013.

In total, more than $6.5 million in cost savings was achieved in 2014 through the purchasing alliance.


Making Security Practical

Cyber Hygiene Campaign

The national Cyber Hygiene Campaign, a joint effort of CIS, the Council on CyberSecurity and the Governors Homeland Security Advisors Council, aims to create a nationwide movement toward measurable, and sustainable, improvements in cybersecurity.

The Campaign is simple but powerful—applying just a few basic hygiene behaviors will mitigate the majority of known attack vectors. By implementing these critical basics, organizations can free up limited resources to focus on the more difficult cyber challenges.

The Campaign is focused on five Top Priorities that, once implemented, are proven to dramatically improve an organization’s cyber posture by addressing the vast majority of the known cyber threats. These Top Priorities support the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework).

The Top Priorities for Better Cyber Health are:

- Count: Know what’s connected to and running on your network.
- Configure: Implement key security settings to help protect your systems.
- Control: Limit and manage those who have admin privileges to change, bypass, or override your security settings.
- Patch: Regularly update all apps, software and operating systems.
- Repeat: Regularize the Top Priorities to form a solid foundation of cybersecurity for your organization.

Toolkits were developed in 2014 and are available online to guide organizations through these Top Priorities. The toolkits are action-oriented resources that each contain a Plain English Guide, a Technical How-To Guide, a How-to-Measure Guide, Additional Resources and a mapping to the NIST Cybersecurity Framework.

Download Cyber Hygiene Toolkits at www.cisecurity.org


CIS Cares

CIS Cares, the employee volunteer program dedicated to supporting community efforts, participated in and donated to the following causes in 2014:

- Provided canine ballistic vests for a local county sheriff’s department
- Collected over 100 pounds of food items for the Regional Food Bank
- Held a school supply drive that benefited a local community
- Hosted an ALS Ice Bucket Challenge to support a local ALS clinic
- Participated in the American Cancer Society Making Strides Against Breast Cancer Walk
- Provided support to families as part of Adopt a Family for the holidays


CIS Leadership

Board of Directors

Officers

John M. Gilligan, Chairman; President, Gilligan Group, Inc.
Jack Arthur, Treasurer; Executive Vice President, Octo Consulting Group
William F. Pelgrin, President & CEO, Center for Internet Security
Deirdre O’Callaghan, Secretary, Center for Internet Security

Directors

Dr. Ramon Barquin, President & CEO, Barquin International
Karen S. Evans, Partner, KE&T Partners, LLC
Maureen O. Helmer, Partner, Hiscock & Barclay, LLP
Clint Kreitner
Bruce Moulton, Vice President, Information Technology, National Grand Bank
Alan Paller, Founder & Director of Research, SANS Institute
Franklin Reeder
Phil Venables, Managing Director & Chief Information Risk Officer, Goldman Sachs & Co.

Executive Team

Julie Evans, Chief Operating Officer
Rick Comeau, Strategic Advisor
Thomas Duffy, Senior Vice President, Operations & Services
Laura Iwan, Senior Vice President, Programs
Deirdre O’Callaghan, Chief Counsel
Al Szesnat, Chief Financial Officer
Krista Montie, Director of Communications
Rick Stegmann, Chief Information Officer
Kerry Coffey, Controller
Carolyn Comer, Director of Human Resources


2015 Update

Subsequent to the close out of calendar year 2014, exciting changes have taken place at CIS that we wanted to include in this annual report.

On January 1, 2015, the Council on CyberSecurity and the Center for Internet Security joined forces to maximize their synergies into a single nonprofit organization providing national and international leadership in cybersecurity with a strong and bold new vision.

CIS and CCS have been working closely together for more than a year on programs and issues to advance cybersecurity. Jane Holl Lute, former president and CEO of the Council on CyberSecurity, and William Pelgrin, president and CEO of CIS, brought the two organizations together to build on the successful track records of the two groups, resulting in one authoritative source synonymous with quality, expertise, integrity and trust.

The integration will take cybersecurity policy, best practices and technologies to the next level, all of which are required to address the evolving cybersecurity challenges on a global scale.

The existing programs and activities of the two entities, including the Multi-State Information Sharing and Analysis Center, the Security Benchmarks program, the Critical Security Controls and the U.S. Cyber Challenge will continue to operate under the umbrella of the newly integrated organization, as will the valued existing partnerships with the public and private sectors.

Combining the programs—in technology, applications, workforce, and policy—will greatly extend our current reach nationwide and around the world to all types and levels of enterprise, including private, municipal, national, and international.

We are establishing the kind of independent, authoritative, and expert platform to promote best practice in cybersecurity. It’s not about bigger – it’s about better.

For more information, visit www.cisecurity.org or follow CIS on Twitter at @CISecurity


Center for Internet Security
31 Tech Valley Drive | East Greenbush, NY | 12061

T: 518-266-3460 | F: 518-266-2085
www.cisecurity.org | @CISecurity