NYS Cyber Security Toolkit - New York State Office of ...

Page 1:

July 23, 2018

NYS Cyber Security Toolkit

Deborah Snyder

NYS Chief Information Security Officer

Robert Samson

NYS Chief Information Officer

Page 2:

Welcome & Opening Remarks

Page 3:

Organizational Introductions

New York State Chief Information Security Office

Multi-State Information Sharing & Analysis Center

Page 4:

Enterprise Information Security Office

Mission: Protecting privacy and safeguarding the State’s information assets – data, systems and infrastructure, through cyber security leadership, awareness and training, best practices and partnerships.

Page 5:

Page 6:

• Critical Security Controls Framework, Assessment Tool – to baseline current state

• Asset Inventory Guidance & Templates – to identify critical information assets

• Secure System Development Life Cycle resources – to ensure secure design

• Cybersecurity Risk Assessment Tool – to streamline effective application security reviews

• NYS Cyber Security Policies, Standards & Guidelines – to enforce sound practices

• Training & Education – to enhance awareness & capabilities

– NYS Cyber Security Conference

– NYS Cyber Security Awareness online training course & Skills training – extended to counties

Partnership & Collaboration - “Local Government Cyber Security Toolkit”

• ITS Enterprise Information Security Office https://its.ny.gov/eiso/local-government

• MS-ISAC https://www.cisecurity.org/ms-isac/ms-isac-toolkit/

Cyber Security Tools & Resources


Page 7:

State, Local, Tribal, or Territorial

Government Entity

Page 8:

• 2003 – The MS-ISAC is founded as an initiative as part of New York State government for Northeast States

• 2004 – DHS funds the MS-ISAC as an initiative to support the cybersecurity needs of all State governments

• 2010 – The MS-ISAC breaks away from NYS and joins the Center for Internet Security as a program area

A Tale of Two ISACs

Page 9:

• Summer 2016 – Public reporting of voter registration compromises

• January 2017 – Intelligence Community Assessment (attribution of all elections-related activity) – Critical Infrastructure Designation

• July 2017 – Election Critical Infrastructure Working Group meets at MS-ISAC HQ

A Tale of Two ISACs

Page 10:

• September 2017

– Election Infrastructure Subsector Government Coordinating Council (EIS-GCC) established

– MS-ISAC Pilot for Elections Approved

• October 2017-February 2018

– MS-ISAC Pilot for Elections (NJ, VA, IN, TX, CO, UT, WA)

• February 2018

– EIS-GCC votes to establish EI-ISAC

• March 2018

– EI-ISAC Official Launch

A Tale of Two ISACs

Page 11:

Who can utilize these resources?

Eligible entities include:

✓ Counties

✓ Municipalities (towns, cities, villages, etc.)

✓ Law Enforcement Agencies

✓ Public Authorities (power, water, transit, etc.)

✓ Public Education (K-12, BOCES, Community College, Universities)

✓ Elections offices

Page 12:

• Register for the MS-ISAC’s services here:

https://learn.cisecurity.org/ms-isac-registration

• The MS-ISAC Stakeholder Engagement team will provide you with next steps:

– Register your HSIN account

– Submit public IPs, domains, and subdomains

– Register for an MCAP account

– Add additional staff to your account

How to access MS-ISAC resources

Page 13:

Top 20 CIS Controls

Overview and NYS Implementation

Page 14:

Evolution of the CIS Controls

The CIS Controls™️

Page 15:

CIS Controls Version 7

Page 16:

Volunteer Process

• Used our in-house collaborative platform: Workbench

• Received over 600 recommendations with over 300 members in the community

• https://Workbench.cisecurity.org

Page 17:

Ecosystem of Resources

• Mappings to other Frameworks

– Special focus on NIST CSF [updated!]

• CIS Risk Assessment Method (CIS-RAM) [new]

• ICS Companion Guide to the Controls [drafted]

• Measures and Metrics [updated]

• SME Implementation Guide

• CIS Community Attack Model

• Privacy and the Controls

Contribute Today! https://Workbench.cisecurity.org

[email protected]

Page 18:

Prioritizing the Top 20 Controls

Organizational

Foundational

Basic

Page 19:

Basic

▪ What every organization needs for essential cyber defense readiness

https://www.cisecurity.org/controls/

Page 20:

Foundational

▪ Technical best practices that provide clear security benefits

https://www.cisecurity.org/controls/

Page 21:

Organizational

▪ Focus on people & processes involved in cybersecurity

https://www.cisecurity.org/controls/

Page 22:

Top 20 Assessment

▪ Straight-forward way to baseline your organization

▪ Focuses on specific, highly-effective, prioritized actions

▪ Maps to other Frameworks

▪ Industry-vetted

▪ EISO created a Top 20 Assessment Tool

▪ Visualization – what we fondly call our “Blues Chart”

▪ Built-in assessment methodology & analytics

▪ User Guide

Page 23:

Why & How We Use The “Top 20”

▪ Straight-forward way to assess & improve your organization’s security posture

▪ Focused on specific, highly-effective, prioritized actions

▪ Maps to other Frameworks

▪ Industry-vetted

▪ EISO created a Top 20 Assessment Tool

▪ Visualization – what we fondly call our “Blues Chart”

▪ Built-in assessment methodology & analytics

▪ User Guide

Page 24:

Using the Tool

Critical Security Control #1: Inventory and Control of Hardware Assets

1.0

Family | Control | Control Description | Maturity Level (enter data here) | Maturity Score (Numerical) | Notes

System | 1.1 | Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. | Not Performed | 1 |

System | 1.2 | Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. | Not Performed | 1 |

System | 1.3 | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. | Not Performed | 1 |

System | 1.4 | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. | Not Performed | 1 |

System | 1.5 | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. | Not Performed | 1 |

System | 1.6 | Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. | Not Performed | 1 |

System | 1.7 | Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. | Not Performed | 1 |

System | 1.8 | Use client certificates to validate and authenticate systems prior to connecting to the private network. | Not Performed | 1 |

Page 25:

Using the Tool

Critical Security Control #1: Inventory and Control of Hardware Assets

1.1

Family | Control | Control Description | Maturity Level (enter data here) | Maturity Score (Numerical) | Notes

System | 1.1 | Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. | Not Performed | 1 |

System | 1.2 | Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. | Not Performed | 1 |

System | 1.3 | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. | Not Performed | 1 |

System | 1.4 | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. | Not Performed | 1 |

System | 1.5 | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. | In Process | 2 | A consolidated hardware asset inventory is recorded by the IT department and separated by organizational department. Records are validated annually to ensure that all devices are accounted for. The asset inventory contains the included list of records per asset.

System | 1.6 | Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. | Not Performed | 1 |

System | 1.7 | Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. | Not Performed | 1 |

System | 1.8 | Use client certificates to validate and authenticate systems prior to connecting to the private network. | Not Performed | 1 |

Page 26:

Using the Tool

Before / After

Critical Security Control #1: Inventory and Control of Hardware Assets

Utilize an Active Discovery Tool

Use a Passive Asset Discovery Tool

Use DHCP Logging to Update Asset Inventory

Maintain Detailed Asset Inventory

Maintain Asset Inventory Information

Address Unauthorized Assets

Deploy Port Level Access Control

Utilize Client Certificates to Authenticate Hardware Assets

Critical Control 2: Inventory and Control of Software Assets

Maintain Inventory of Authorized Software

Ensure Software is Supported by Vendor

Utilize Software Inventory Tools

Track Software Inventory Information

Integrate Software and Hardware Asset Inventories

Address Unapproved Software

Utilize Application Whitelisting

Implement Application Whitelisting of Libraries

Implement Application Whitelisting of Scripts

Physically or Logically Segregate High Risk Applications

Page 27:

Using the Tool

Page 28:

Using the Tool

Page 29:

Top 20 Assessment Tool

Maturity Level/Score

Not Performed 1

In Process 2

In Place 3

Page 30:

Critical Security Control #’s 1 & 2

Asset Management: Hardware & Software

Page 31:

• Business Functions

• Business Application Assets

• Information / Data Assets

• Hardware Assets

• Software Assets

• Personnel Assets

Asset Management Scope

It all starts here

Page 32:

Asset Management is an organizational responsibility

Page 33:

Asset Inventory - Hardware

Asset Inventory Data Analysis

CSC #1: Inventory & Control of Hardware Assets

Actively manage (inventory, track, and correct) all hardware devices on the network.

WHY: So that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Page 34:

CSC #2: Inventory & Control of Software Assets

Actively manage (inventory, track, & correct) all software on the network.

WHY: So that only authorized software is installed and can execute, and that unauthorized, unmanaged software is found and prevented from installation or execution.

Asset Inventory - Software

Page 35:

Critical Security Control #3

Continuous Vulnerability Assessment & Remediation

Page 36:

Vulnerability Management

“Cyclical practice of identifying, classifying, remediating & mitigating vulnerabilities”

Preparation

Vulnerability scan

Define remediating actions

Implement remediating actions

Rescan / Validate

CSC #3: Continuous Vulnerability Management

Continuously acquire, assess, & take action on new information.

WHY: To identify vulnerabilities for remediation, & minimize opportunity for attacks

Tips

• Ongoing Process

• Go beyond PCs

• Integrate & automate processes

Page 37:

Vulnerability Management Program

Web Profiler

✓ Server type and version (IIS, Apache, etc.)

✓ Web programming language and version (PHP, ASP, etc.)

✓ Content Management System and version (WordPress, Joomla, Drupal, etc.)

Send domains, IP ranges, and contact info to: soc@msisac.org

Email notifications are sent broken down by:

• Out-of-Date systems that should be patched/updated and could potentially have a vulnerability associated with them

• Up-to-Date systems that have the most current patches

Page 38:

Port Profiler

• MS-ISAC will connect to 12 common ports on public IPs provided for our monitoring program.

– Services: FTP, SSH, HTTP(S), SMB, RDP, VNC, SQL, and MongoDB

– 21, 22, 23, 25, 80, 139, 443, 445, 1433, 8080, 3306, 3389, 5432, 5900, 27017

• Services are identified by reading the banner information once we connect.

– We seek predetermined keywords in the banner information that then allow us to tag hosts or services that need a second look as to whether they need to be public facing.

Vulnerability Management Program
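The banner-keyword tagging the Port Profiler slide describes, as an added example that is not MS-ISAC's code: it models the slide's port list and tags exposed services that warrant the "second look" mentioned above, run over constructed banners. The keyword patterns, the set of services treated as review-worthy, and the sample observations are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Ports named on the slide, mapped to the service normally bound there.
# 23 (Telnet) and 25 (SMTP) appear in the slide's port list but not in its
# service list; their standard IANA assignments are used here (assumption).
PORT_SERVICES = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP", 139: "SMB",
    443: "HTTPS", 445: "SMB", 1433: "SQL", 3306: "SQL", 3389: "RDP",
    5432: "SQL", 5900: "VNC", 8080: "HTTP", 27017: "MongoDB",
}

# Banner keyword patterns -> service. Constructed for this example; the slide
# only says MS-ISAC uses "predetermined keywords" and does not publish them.
BANNER_KEYWORDS = [
    (re.compile(r"^SSH-\d\.\d-", re.M), "SSH"),
    (re.compile(r"^RFB \d{3}\.\d{3}", re.M), "VNC"),            # RFB/VNC greeting
    (re.compile(r"^220 .*(FTP|FileZilla)", re.I | re.M), "FTP"),
    (re.compile(r"^220 .*E?SMTP", re.I | re.M), "SMTP"),
    (re.compile(r"^HTTP/\d\.\d \d{3}", re.M), "HTTP"),
    (re.compile(r"MongoDB", re.I), "MongoDB"),
    (re.compile(r"mysql|mariadb|postgres|microsoft sql", re.I), "SQL"),
]

# Services a member rarely intends to expose to the internet; hosts offering
# one of these are tagged for the "second look" the slide describes (assumption).
REVIEW_SERVICES = {"Telnet", "SMB", "RDP", "VNC", "SQL", "MongoDB"}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    expected: str   # service implied by the port number
    observed: str   # service implied by the banner, or "unknown"
    tag: str        # "ok", "second-look" or "mismatch"


def classify_banner(banner: str) -> str:
    """Name the service whose keyword pattern first matches the banner."""
    for pattern, service in BANNER_KEYWORDS:
        if pattern.search(banner):
            return service
    return "unknown"


def profile(ip: str, port: int, banner: str) -> Finding:
    """Tag one (ip, port, banner) observation the way the Port Profiler would."""
    expected = PORT_SERVICES.get(port, "unknown")
    observed = classify_banner(banner)
    # HTTP and HTTPS are one family: an HTTP banner on 443 is not a mismatch.
    same_family = observed == expected or {observed, expected} <= {"HTTP", "HTTPS"}
    service = observed if observed != "unknown" else expected
    if observed != "unknown" and not same_family:
        tag = "mismatch"        # banner contradicts the port, e.g. VNC on 8080
    elif service in REVIEW_SERVICES:
        tag = "second-look"     # exposed admin or database service
    else:
        tag = "ok"
    return Finding(ip, port, expected, observed, tag)


def notification(findings):
    """Group everything that is not "ok" per host, as a quarterly notice would."""
    report = {}
    for f in findings:
        if f.tag == "ok":
            continue
        service = f.observed if f.observed != "unknown" else f.expected
        report.setdefault(f.ip, []).append(f"{f.port}/{service} ({f.tag})")
    return report


# Constructed observations (TEST-NET-3 documentation addresses, not real hosts).
SAMPLE_OBSERVATIONS = [
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_7.4\r\n"),
    ("203.0.113.10", 443, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6\r\n"),
    ("203.0.113.11", 3389, ""),   # RDP sends no text banner; the port alone decides
    ("203.0.113.11", 27017,
     "It looks like you are trying to access MongoDB over HTTP on the native driver port.\r\n"),
    ("203.0.113.12", 3306, "5.7.22-log\x00mysql_native_password\x00"),
    ("203.0.113.12", 8080, "RFB 003.008\n"),   # VNC answering on an HTTP port
]


def run_sample():
    return [profile(ip, port, banner) for ip, port, banner in SAMPLE_OBSERVATIONS]


if __name__ == "__main__":
    for host, items in notification(run_sample()).items():
        print(host, "->", ", ".join(items))
```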

Page 39:

Vulnerability Management Program

• Quarterly notifications

• Contact [email protected] to:

– Opt out of this service

– Provide feedback on the Port Profiler

• Contact [email protected] if:

– You wish to add IP addresses

– You wish to verify “VMP Notification” contacts

• Source IP address: 52.14.79.150

Port Profiler

Page 40:

TLP: WHITE

To gain an Anomali account contact:

[email protected]

Automated Threat Indicator Sharing via Anomali

Weekly Malware IPs and Domains

Page 41:

TLP: WHITE

MS-ISAC Advisories

Page 42:

Application Software Security

Critical Security Control # 18

Page 43:

Application Software Security

“Cyclical practice of building software securely and ensuring it stays secure.”

CSC #18: Application Software Security

Manage the security life-cycle of all in-house developed and acquired software.

WHY: To prevent, detect, and correct security weaknesses.

Tips

• Ongoing Process

• Begins in requirements gathering

• Ends when software is retired.

Page 44:

What is the SSDLC?

http://www.its.ny.gov/document/secure-system-development-life-cycle-ssdlc-standard

Benefits:

• Reduces the number of vulnerabilities

• Reduces the impact to businesses if an incident occurs

• Decreases the risk of business service disruptions

• Increases the ability of the business to deliver services

Consistent

Comprehensive

Repeatable

Risk-Based

Mission-Focused

Right-Sized

Page 45:

Why is SSDLC Necessary?

• In 2017, Cyber-Espionage, Privilege Misuse, Web Application Attacks, & Miscellaneous Errors represented 75% of breaches in the Public Administration sector

• 50% of all breaches in Public Administration were discovered months or years after the initial compromise

• 68% of funds lost as a result of a cyber attack were declared unrecoverable

• $3.62 million was the average total cost of a data breach in 2017

https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf

https://securityintelligence.com/media/2017-ponemon-institute-cost-of-a-data-breach-study/

Page 46:

PARTNERS/SUPPLIERS

▪ Contractual Requirements

▪ Regulatory Attestation

▪ Best Practice Controls

EMPLOYEES

▪ Awareness

▪ Self Enforcement

▪ Unified Posture

▪ Cyber Expertise

CITIZENS

▪ Expect Secure Access

▪ Expect Privacy

▪ Expect Data Accuracy

3rd PARTIES/CONTRACTORS

▪ Security Maturity

▪ Assessment Volume

▪ Governance & Reviews

▪ Regulatory Compliance

Denial of Service

Web Application Attack

Social Engineering

Malware

Spear Phishing

Spin

Insider threat

Hacktivism

AGENCIES

▪ Non-Standard Practices

▪ Regulatory Drivers

▪ Varying Levels of Cyber Expertise

Credit Card Fraud

Breach

Threats to Government Organizations and Citizens

Page 47:

At MINIMUM, an SDLC must contain the following security activities:

1) Define Security Roles and Responsibilities

2) Orient Staff to the SDLC Security Tasks

3) Establish System Criticality Level

4) Classify Information

5) Establish System Identity Assurance Level Requirements

6) Establish System Security Profile Objectives

7) Profile the System

8) Decompose the System

9) Assess Vulnerabilities and Threats

10) Assess Risk

11) Select and Document Security Controls

12) Create Test Data

13) Test Security Controls

14) Perform Accreditation

15) Manage and Control Change

16) Measure Security Compliance

17) Perform System Disposal

SSDLC Security Activities

Page 48:

SSDLC Tools

https://its.ny.gov/secure-system-development-life-cycle-standard

https://its.ny.gov/document/secure-system-development-life-cycle-ssdlc-standard

Page 49:

We all have a role in protecting New York’s systems and information

Security needs to be consistently and comprehensively implemented using a secure SDLC

Security needs to be risk-based and right-sized

Security must be built into all systems from the very beginning

Key Takeaways

Page 50:

Application Software Security Application Risk Assessment

Critical Security Control # 18

Page 51:

Layered Risk Assessment Process

Holistic – includes business, regulatory & technical perspectives.

Comprehensive technical review - from interface to infrastructure.

Layer | Method / Activities | NIST 800-53 | Top 20 | Validation / Metrics

Business Impact & Privacy | Interviews – identify business functions, risk; COOP/DR Plans | IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8, IR-10 | CSC 19: Incident Response and Management | Incident management procedures exist

Compliance | Interview, questionnaire; Prior security review & audit results/findings; Incidents if any | CA-7, CM-8, IA-3, SA-4, SC-17, SI-4, PM-5 | CSC 1: Inventory of Authorized/Unauthorized Devices; CSC 2: Inventory of Authorized/Unauthorized Software | Information and system owners identified, applicable laws and regulations identified

Secure Design | Plan; Information security plan; Identity Assurance worksheet (roles, separation of duties) | AC-2, AC-6, AC-17, AC-19, CA-7, IA-4, IA-5, SI-4 | CSC 5: Controlled Use of Administrative Privileges; CSC 14: Controlled Access Based on Need to Know; CSC 16: Account Monitoring and Control | SSDLC, access matrix, data flow diagrams, system and business function documentation

Web Site/Application | Web app scanning (Qualys/WebInspect); Application code scan/review; Code review; Pen-testing | CA-2, CA-5, CA-6, CA-8, RA-6, SI-6, PM-6, PM-14 | CSC 7: Email and Web Browser Protections; CSC 20: Penetration Tests and Red Team Exercises | Encryption in transit/rest, pen test results

Application, core services & databases | Discovery & Relationship Mapping (ITSM CMDB); dependencies; Application code scan/review; Code review; Database configuration & control review | CA-2, CA-7, RA-5, SC-34, SI-4, SI-7, AT-1, AT-2, AT-3, AT-4, SA-11, SA-16, PM-13, PM-14, PM-16 | CSC 4: Continuous Vulnerability Assessment and Remediation; CSC 9: Limitation and Control of Network Ports, Protocols, and Services; CSC 13: Data Protection; CSC 18: Application Software Security | Web, network and code scan results, SSDLC documentation

Platform (host, cloud) | Configuration assessment (CIS-CAT; DISA, Qualys, Nessus, hardening guidance); Network & Host Vulnerability scanning (authenticated); CAIQ & 3rd party practices | CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, CM-9, CM-11, MA-4, RA-5, SA-4, SC-15, SC-34, SI-2 | CSC 3: Secure Configurations; CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs; CSC 11: Secure Configurations for Network Devices | Secure configuration standards and secure configuration scan results

Infrastructure | Network Mapping & Scanning; Service Level Agreements; Resiliency Level (Incidents, RTO/RPO objectives) | AC-4, AC-17, AC-20, CA-3, CA-7, CA-9, CM-2, SA-9, SC-7, SC-8, SI-4 | CSC 8: Malware Defenses; CSC 10: Data Recovery Capability; CSC 12: Boundary Defense; CSC 15: Wireless Access Control | SLA documentation aligned with business mission and criticality. Network diagrams with PDS/IDS.

Row groups (rotated labels in the original figure): Secure SDLC; Administrative; Technical Controls

Page 52:

Measures 3 Key Areas

Business Risk

Technical Security Risk

Operational Risk

Scoring across 3 indices produces an overall application risk profile.

Risk profiles drive heat-maps & scorecards for clusters & agencies

BUSINESS RISK INDEX

• Business Impact

• Privacy Impact

• Regulatory Compliance

• Business Continuity

• Business Alignment

TECHNICAL RISK INDEX

• Application, services, Db

• Technical Controls

• Resiliency

• Technical Alignment

• Disaster Recovery

OPERATIONAL RISK INDEX

• Documentation

• Process

• Technical Controls

• Operational Environment

Page 53:

Cyber Security Risk Assessment Tool

Ease-of-use & Efficiency

• Menu-driven

• Self-assessment tool

• Automatic report creation

• Available online & offline

Security/Privacy

• Private SharePoint, access restricted to authorized persons

Analytics/business intelligence

• Business & Technical Risk Indices, scorecards & dashboards

Critical Success Factors

• SMEs available

• Data accuracy

Page 54:

Operational Risk Index (ORI)

Page 55:

Level 2 Self-Assessment

Page 56:

Level 3 Comprehensive Risk Assessment

Page 57:

Operational Risk Assessment Walk Through

Page 58:

Application-level Reporting: Executive Summary

Executive Summary Report – Sample Data

• Summarized high-level overview

• Changes reflected in real-time

Page 59:

Incident Response and Management

Critical Security Control # 19

Page 60:

Incident Response Plan?

CSC #19: Incident Response and Management
Protect information/reputation by developing incident response infrastructure to quickly discover and recover from an attack.

WHY: Planning can help with discovery of attack and minimizing the impact.

(What you don’t want!)

Page 61:

Key New York State Cyber Players

NYS Office of Information Technology

Enterprise Information Security Office (EISO)

NYS Public Safety Agencies
• New York State Police
• Homeland Security and Emergency Services
• NYS Intelligence Center (NYSIC)
• Division of Military and Naval Affairs (DMNA)

NYS Cyber Security Advisory Board

Executive Director & members

Center for Internet Security

Multi-State Information Sharing and Analysis Center

Page 62:

New York State EISO Cyber Command Center Capabilities

Page 63:

Incident Response Objectives

Prepare, Identification, Containment, Eradication, Recovery, Lessons Learned

Incident Response Process

• Assess the scope, magnitude and source of intrusions

• Identify root cause

• Quantify the damage

• Assist with remediation

• Make recommendations to prevent reoccurrence

• Lessons learned

Page 64:

Cyber Partners: Incident Response

Local Response

State: EISO CyCom, OCT CIRT, NYSP/NYSIC

MS-ISAC

Federal: US DHS, FBI

Bi-directional Information Sharing

Incident Response Escalation

Page 65:

NYS Cyber Incident Reporting Procedures
http://www.its.ny.gov/incident-reporting

• Cyber Command Center Hotline: 518-242-5045
• Please identify the urgency of the call.
• After hours (5PM-9AM, weekends and holidays), call NYS Watch Center at 518-292-2200 and ask to report a cyber incident to the Cyber Command Center.

If related to County Board of Election Systems – Call 1-844-OCT-CIRT

• Email [email protected].
• If including sensitive data and you are outside of the NYS Office 365 (O365) tenancy, consider encrypting using the Enterprise Information Security Office (EISO)’s PGP public key. The key may be found on the EISO web site at http://its.ny.gov/eiso/incident-reporting/

Page 66:

MS-ISAC 24 x 7 Security Operations Center
Central location to report any cybersecurity incident

• Support:
– Network Monitoring Services
– Research and Analysis

• Analysis and Monitoring:
– Threats
– Vulnerabilities
– Attacks

• Reporting:
– Cyber Alerts & Advisories
– Web Defacements
– Account Compromises
– Hacktivist Notifications

To report an incident or request assistance:

Phone: 1-866-787-4722

Email: [email protected]

Page 67:

Computer Emergency Response Team

• Incident Response (includes on-site assistance)
• Network & Web Application Vulnerability Assessments
• Malware Analysis
• Computer & Network Forensics
• Log Analysis
• Statistical Data Analysis

To report an incident or request assistance:

Phone: 1-866-787-4722

Email: [email protected]

Page 68:

TLP: WHITE

Malicious Code Analysis Platform

A web based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion

• Executables
• DLLs
• Documents
• Quarantine files
• Archives

To gain an account contact: [email protected]

Page 69:

Security Awareness & Training

Critical Security Control # 17

Page 70:

Security Awareness & Training

CSC #17: Implement a Security Awareness and Training Program

Identify the specific knowledge, skills and abilities needed to support defense of the enterprise and develop a plan to remediate gaps.

WHY: Attackers will look for the weakest link (e.g., social engineering, phishing attacks).

Page 71:

Cybersecurity Awareness Materials

Page 72:

Awareness & Training
Provide opportunities to increase awareness, knowledge, competencies, and skills to reduce overall security risk

• Citizen and workforce outreach

• Awareness activities and events

• Federal, state, and local government partnerships

• Cyber training

• Promote available resources

https://its.ny.gov/eiso/local-government

Page 73:

Break – 10 minutes

Page 74:

Organizational Security

Policies, Standards, Guidelines & National Cyber Security Review

Page 75:

NYS Information Security Policies, Standards and Guidelines

Find important information on security policy and standards in New York State at https://its.ny.gov/eiso/policies/security

NYS-P03-002 Information Security Policy

NYS-S13-001 Secure System Development Lifecycle (SSDLC) Standard

NYS-S13-003 Sanitization/Secure Disposal Standard

NYS-S13-005 Cyber Incident Response Standard

NYS-S14-001 Information Security Risk Management Standard

NYS-S14-002 Information Classification Standard

NYS-S14-008 Secure Configuration Standard

NYS-S14-013 Account Management/Access Control Standard

NYS-P14-001 Acceptable Use of Information Technology Resources

• Why? Policy
• What? Standards
• Considerations? Guidelines
• How? Procedures

Page 76:

Nationwide Cyber Security Review (NCSR)

• U.S. Department of Homeland Security sponsored, voluntary cyber security self-assessment – in partnership with MS-ISAC, NASCIO and NACo
• Measures the level of cyber security maturity and risk awareness in government
• Annual survey runs from October 1 – November 30
• To register: https://msisac.cisecurity.org/resources/ncsr/registration/
• Anonymized results shared in a summary report to U.S. Congress in alternate (odd-numbered) years
• Free, annual, cyber security self-assessment, aligned to the NIST Cybersecurity Framework and designed to evaluate cybersecurity maturity and risk management.

Page 77:

Strategic Planning and Decision-Making

Page 78:

Strategic Planning

• Identify gaps & improvement opportunities

– Basic controls (1-6) with low maturity ratings

• Use the analysis to “chart a course”

– Roadmap - prioritized initiatives/investments that “move the dial” & provide best return

– Justification - budget & staffing requests

Page 79:

Roadmap, Priorities, Investments

• Protecting Business Email
• Enhanced Visibility, Monitoring & Detection
• Protecting User Accounts
• Protecting Business Devices
• Protecting Business Applications
• Protecting Sensitive Data
• Protecting NYS Infrastructure

Page 80:

Example: Pre-Investment Maturity

(Maturity heat-map: CIS Critical Security Controls 1–6 with their sub-controls; maturity ratings were shown by cell colour on the slide.)

Critical Security Control #1: Inventory and Control of Hardware Assets
• Utilize an Active Discovery Tool
• Use a Passive Asset Discovery Tool
• Use DHCP Logging to Update Asset Inventory
• Maintain Detailed Asset Inventory
• Maintain Asset Inventory Information
• Address Unauthorized Assets
• Deploy Port Level Access Control
• Utilize Client Certificates to Authenticate Hardware Assets

Critical Control 2: Inventory and Control of Software Assets
• Maintain Inventory of Authorized Software
• Ensure Software is Supported by Vendor
• Utilize Software Inventory Tools
• Track Software Inventory Information
• Integrate Software and Hardware Asset Inventories
• Address Unapproved Software
• Utilize Application Whitelisting
• Implement Application Whitelisting of Libraries
• Implement Application Whitelisting of Scripts
• Physically or Logically Segregate High Risk Applications

Critical Control 3: Continuous Vulnerability Management
• Run Automated Vulnerability Scanning Tools
• Perform Authenticated Vulnerability Scanning
• Protect Dedicated Assessment Accounts
• Deploy Automated Operating System Patch Management Tools
• Deploy Automated Software Patch Management Tools
• Compare Back-to-back Vulnerability Scans
• Utilize a Risk-rating Process

Critical Control 4: Controlled Use of Administrative Privileges
• Maintain Inventory of Administrative Accounts
• Change Default Passwords
• Ensure the Use of Dedicated Administrative Accounts
• Use Unique Passwords
• Use Multifactor Authentication for All Administrative Access
• Use of Dedicated Machines for All Administrative Tasks
• Limit Access to Script Tools
• Log and Alert on Changes to Administrative Group Membership
• Log and Alert on Unsuccessful Administrative Account Login

Critical Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
• Establish Secure Configurations
• Maintain Secure Images
• Securely Store Master Images
• Deploy System Configuration Management Tools
• Implement Automated Configuration Monitoring Systems

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
• Utilize Three Synchronized Time Sources
• Activate Audit Logging
• Enable Detailed Logging
• Ensure Adequate Storage for Logs
• Central Log Management
• Deploy SIEM or Log Analytic Tool
• Regularly Review Logs
• Regularly Tune SIEM
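Two of the Critical Control 1 sub-controls in the grid above, "Use DHCP Logging to Update Asset Inventory" and "Address Unauthorized Assets", describe one reconciliation loop: every address the DHCP server hands out is checked against the authorized hardware inventory, known assets get their last-seen address recorded, and anything the inventory has never heard of becomes a finding to act on. The Python below is an added example written for this page; it is not part of the NYS toolkit or the CIS Controls. It assumes an inventory keyed by MAC address and DHCP server log lines in ISC dhcpd's DHCPACK syslog format, and both the log lines and the inventory are constructed here.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample DHCP server log lines (ISC dhcpd DHCPACK syslog format is an
# assumption); they are not taken from the page.
SAMPLE_DHCP_LOG = """\
Jul 23 09:01:12 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (ws-finance-07) via eth0
Jul 23 09:01:40 dhcp1 dhcpd: DHCPACK on 10.20.1.16 to 00:11:22:33:44:66 (ws-finance-08) via eth0
Jul 23 09:02:05 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:77 via eth0
Jul 23 09:02:06 dhcp1 dhcpd: DHCPACK on 10.20.1.90 to 00:11:22:33:44:77 via eth0
Jul 23 09:03:30 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (ws-finance-07) via eth0
"""

# Constructed authorized hardware inventory: MAC address -> asset record.
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:55": {"asset": "1001", "owner": "Finance", "last_ip": None},
    "00:11:22:33:44:66": {"asset": "1002", "owner": "Finance", "last_ip": None},
}

# Only DHCPACK confirms that an address was actually handed out; DISCOVER and
# OFFER lines are ignored so a probing client is not mistaken for a lease.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]  # dhcpd omits the name when the client sends none
    interface: str


def parse_leases(log_text: str) -> Dict[str, Lease]:
    """Return the most recent confirmed lease per MAC address (later ACKs win)."""
    leases: Dict[str, Lease] = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        leases[mac] = Lease(m.group("ip"), mac, m.group("host"), m.group("iface"))
    return leases


def reconcile(leases: Dict[str, Lease], inventory: Dict[str, dict]) -> Tuple[Dict[str, Lease], Dict[str, Lease]]:
    """Split observed leases into inventoried and unauthorized sets, keyed by MAC."""
    known = {mac: lease for mac, lease in leases.items() if mac in inventory}
    unauthorized = {mac: lease for mac, lease in leases.items() if mac not in inventory}
    return known, unauthorized


def update_inventory(inventory: Dict[str, dict], known: Dict[str, Lease]) -> Dict[str, dict]:
    """Return a copy of the inventory with the last address seen for each known asset."""
    updated = {mac: dict(record) for mac, record in inventory.items()}
    for mac, lease in known.items():
        updated[mac]["last_ip"] = lease.ip
    return updated


def unauthorized_report(log_text: str, inventory: Dict[str, dict]) -> list:
    """One line per device absent from the inventory: the work queue for 'Address Unauthorized Assets'."""
    _, unauthorized = reconcile(parse_leases(log_text), inventory)
    return [
        f"UNAUTHORIZED mac={mac} ip={lease.ip} host={lease.hostname or '-'} via={lease.interface}"
        for mac, lease in sorted(unauthorized.items())
    ]


if __name__ == "__main__":
    for finding in unauthorized_report(SAMPLE_DHCP_LOG, AUTHORIZED_INVENTORY):
        print(finding)
```

The check keys on MAC address because that is all a DHCP lease carries; a MAC is trivially set by the client, so this loop finds devices that were never enrolled, not devices pretending to be enrolled ones. The later sub-controls in the same column of the grid ("Deploy Port Level Access Control", "Utilize Client Certificates to Authenticate Hardware Assets") are the stronger identity check this report feeds into.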

Page 81:

Example: Post-Implementation Maturity

(Maturity heat-map over the same CIS Critical Security Controls 1–6 and sub-controls as the pre-investment example, with post-implementation ratings shown by cell colour on the slide.)

Page 82:

Governance - Benchmarking Performance

• Use Top 20 & NCSR to track progress:

– Security program performance
• Did initiatives provide expected improvements?
• What activities improved our security posture?
• What controls should we focus on?

– Report to executives
• Demonstrate improvements & validate spending

Page 83:

Recap

• Assess your current security posture
• Identify gaps & areas for improvement
• Create a plan - priorities, resources
– Use controls, tools & processes to focus efforts
• Asset Management
• Vulnerability Scanning
• Secure SDLC
• Application Risk Assessments
• Operational Controls
– Policies & Standards
– Awareness and Training
• Track & report performance

Page 84:

Mitigating Cyber Risks through Legal, Insurance & Procurement Resources

Page 85:

Mitigating Cyber Risks Through Legal, Insurance & Procurement Resources

Legal: Conduct Contract Reviews

– Data Sharing Agreements Terms & Conditions

– Standard Contract Clauses for IT Contracts
• https://its.ny.gov/sites/default/files/documents/appendix_c_-_its_standard_contract_clauses_.pdf

– OGS Contracts Terms & Conditions

Insurance:

– Cyber Liability Coverage

• Privacy/Network Security Liability

• Professional Liability/Technology Errors & Omissions Coverage

Page 86:

Mitigating Cyber Risks Through Legal, Insurance & Procurement Resources

Procurement: Office of General Services Procurement Services Group

• Email: [email protected]
• Website: www.ogs.ny.gov
• Annual NY GovBuy Training: https://govbuy.ogs.ny.gov/

Buying 101 for Local Government
https://nyspro.ogs.ny.gov/content/buying-101-local-government

Using OGS Centralized Contracts
https://nyspro.ogs.ny.gov/content/using-ogs-centralized-contracts-0

Page 87:

Mitigating Cyber Risks Through Legal, Insurance & Procurement Resources

Manufacturer Umbrella Contract
https://www.ogs.ny.gov/purchase/snt/awardnotes/7360022802can.HTM

• Procure Software, Hardware, Cloud-based Products and related Implementation services, based on a Manufacturer’s Products.

Procure Project Based Information Technology Consulting Services (PBITS)
https://ogs.ny.gov/purchase/snt/awardnotes/7360022772can.htm

• Use this contract to procure services to:
• Provide network monitoring, logging (IDS/IPS, 3rd Party MSS)
• Conduct cyber risk assessments
• Perform technical vulnerability remediation
• Develop secure IT architecture
• Enhance cyber preparedness and incident response planning, training and exercises

Page 88:

Mitigating Cyber Risks Through Legal, Insurance & Procurement Resources

Distributor Umbrella Contract
https://www.ogs.state.ny.us/purchase/snt/awardnotes/7360022876can.HTM

• Procure Software, Hardware, and small amounts of related services for manufacturers unable to secure a Manufacturer’s Umbrella Contract.

Hourly Based Information Technology Services (HBITS)
https://www.ogs.ny.gov/BU/PC/hbits/default.asp

• Procure Staff Augmentation services

Page 89:

New York GovBuy Conference Resources

2017: https://govbuy.ogs.ny.gov/2017-courses

• IT Umbrella Manufacturer and Distributor Contracts: How to Buy IT Products

o Recorded Session: https://govbuy.ogs.ny.gov/it-umbrella-manufacturer-and-distributor-contracts-how-buy-it-products

2018: https://govbuy.ogs.ny.gov/2018-courses

• Local Governments: What You Need to Know About Purchasing

o Recorded Session: https://govbuy.ogs.ny.gov/local-governments-what-you-need-know-about-purchasing-0

• Intro to OGS & Procurement Services

o https://govbuy.ogs.ny.gov/new-who-ogs-and-how-navigate-our-website

• IT Project Based Information Technology Services (PBITS) Contracts: Case Studies in how to procure IT Project Based Services

o Recorded Session: https://govbuy.ogs.ny.gov/it-project-based-information-technology-services-pbits-contracts-case-studies-how-procure-it-project

• IT Umbrella Manufacturer and Distributor Contracts: Case Studies in how to procure IT products

o https://govbuy.ogs.ny.gov/it-umbrella-manufacturer-and-distributor-contracts-case-studies-how-procure-it-products

• Acquiring Contract Solutions through General Services Administration (GSA) Federal Contracts

o https://govbuy.ogs.ny.gov/new-acquiring-contract-solutions-through-general-services-administration-gsa-federal-contracts

Page 90:

Cyber Security Service Offerings

Page 91:

NYS Shared Service Offerings

Policy/Standards

Compliance Support

Education & Awareness

Risk Assessment & Remediation

Secure Architecture & Engineering

Monitoring

Threat Intelligence Analysis/Response

Vulnerability Management

Digital Forensics & Incident Response

Penetration Testing

Continuity/Disaster Recovery Planning

Security Analytics

Table Top Exercises

Chief Information Security Office

– Main: 518.242.5200 [email protected]

– Cyber Command Center (CyCom): 518.242.5045 [email protected]

– Local Government Resources: https://its.ny.gov/local-government

Page 92:

Federal Government Service Offerings

Page 93:

US DHS Cybersecurity Services

Assessments
• Cyber Resilience Review (operational resilience and cybersecurity practices)
• External Dependencies Management (issues related to vendors and reliance on external entities)
• Risk and Vulnerability Assessment (whether and by what methods an adversary can defeat network controls)
• Phishing Campaign Assessment
• Vulnerability Scanning
• Validated Architecture Design Review
• Cybersecurity Evaluation Tool

• Cybersecurity Advisors (CSA)
– Rich Richard Jr., Region [email protected]

• Cybersecurity Exercise Support

• Incident Response

• Awareness and Training
– Stop.Think.Connect https://www.dhs.gov/stopthinkconnect
– Federal Virtual Training Environment https://niccs.us-cert.gov/training/federal-virtual-training-environment-fedvte

Page 94:

MS-ISAC Service Offerings

Page 95:

Eugene Kipniss

Senior Program Specialist

EI-ISAC

518.880.0716

[email protected]

EI-ISAC 24x7 Security Operations Center

1-866-787-4722

[email protected]

[email protected]

Andrew Dolan

Director, Stakeholder Engagement

EI-ISAC

518.880.0693

[email protected]

Page 96:

Monitoring of IP Range & Domain Space

IP Monitoring
• IPs connecting to malicious C&Cs
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus

Domain Monitoring
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)

Send domains, IP ranges, and contact info to: [email protected]

Page 97:

Additional Benefits of Both ISACs
• Situational Awareness Resources
• Insider access to federal information
• Product and Training Discounts
• Cybersecurity Exercise Participation
• Workgroups
• Webcasts

Page 98:

Access to:

• MS-ISAC Cyber Alert Map

• Archived webcasts & products

• Cyber table top exercises

• Guides and templates

• Message boards

HSIN Community of Interest

Page 99:

SecureSuite

• Workbench
– Platform for creating and maintaining resources
– https://workbench.cisecurity.org

• CIS-CAT Pro
– Configuration and Vulnerability Assessment Tool
– Assessor and Dashboard can be downloaded from Workbench

Page 100:

DDoS Mitigation and Web Protection Services

Google - Protect Your Election
• Project Shield DDoS Protection
• Two Factor Authentication
• Advanced Phishing Protection (GSuite)
• Password Alert Plugin for Chrome
• General Security Support

Cloudflare – Athenian Project
• Full enterprise offering
• DDoS protection
• Web Application Firewall (WAF)
• Content Delivery Network (CDN)
• 24x7 Support

Both services are available to any SLTT organization responsible for public-facing elections infrastructure related to voter registration information and election night reporting

Page 101:

• Collaborative Purchasing

– End-User Security Awareness Training

– Advanced Technical Training Courses & Degree Programs

– Consulting Services

– Two-Factor Authentication

– Cloud Access Security Management

• Over $40 million in savings for our members

• Learn more at www.cisecurity.org/services/cis-cybermarket or contact [email protected]

Page 102:

Who can I call for help?

Security Operations Center (SOC)

[email protected] - 1-866-787-4722

31 Tech Valley Dr., East Greenbush, NY 12061-4134

www.cisecurity.org

To join or get more information:
https://learn.cisecurity.org/ms-isac-registration

Page 103:

Election Infrastructure ISAC Resources

Page 104:

Who We Serve

EI-ISAC Members include:

• 48 State Elections Entities

• Over 500 Local Government Elections Entities

County Clerks, Secretaries of State, Registrars of Voters, Departments of Elections, Boards of Elections

Page 105:

About EI-ISAC Membership

Free and Voluntary

No Mandated Information Sharing

Registration is the only requirement!

To join or get more information:
https://learn.cisecurity.org/ei-isac-registration

Page 106:

An Elections-focused Cyber Defense Suite

• 24x7x365 network monitoring
• Incident response and remediation
• Threat and vulnerability monitoring
• Election-specific threat intelligence
• Training sessions and webinars
• Promote security best practices
• DDoS mitigation and web protection services

Page 107:

Elections Weekly News Alert

• MS-ISAC analysis to provide key context
– General election industry or election security reports
– Legislative action on election security issues
– Best practice examples from peers in the election community
– General technology/cybersecurity stories that may have an election link/impact

• Released on Wednesday afternoons

Page 108:

Cybersecurity Spotlight

• Key Security Terms and Best Practices
– What it is
– Why does it matter
– What you can do

• Released on Friday afternoons

Page 109:

Elections Sector Quarterly Report

• Compiles analysis of elections-specific events identified by/reported to MS-ISAC

• Provides highlights of MS-ISAC election activities

Page 110:

Election-specific Cyber Alerts

• Short e-mail alerts regarding immediate threats
– Targeted at both executive and technical staff

• Provides overview of activity and actionable recommendations
– Executive Overview
– Executive Recommendations
– Technical Overview
– Technical Recommendations

Page 111:

Handbook for EI Security

• Intended for Elections Officials and Technical Support Teams
• Analyzes the risks of key election system components
• Describes specific technical controls and processes to improve security
• Assessment tool to be made available

Order Hard Copies:
https://learn.cisecurity.org/ei-handbook

https://www.cisecurity.org/elections-resources

Page 112: