A PUBLICATION FROM
Winter 2023

Everything Changes, Everything Stays the Same
The seasons change, but the threat of cyber attacks remains the same. As 2023 comes to a close, we look back on the security trends and threats that were at the forefront for the year, the progress the industry has made, and what we can expect moving into the new year and beyond.

The Threats and Trends That Impacted the K-12 Community
A Look at One of the Fastest Growing Strategies in Security and Risk Management
How Small and Medium Businesses Can Improve Their Cybersecurity Posture
One of Cybersecurity’s Leading Experts Reflects on How the Industry Has Evolved and Where It’s Headed
Your All-in-One Cyber Defense Partner
24×7×365 SUPPORT

CIS CyberMarket: Rigorously vetted cybersecurity solutions with negotiated pricing just for SLTTs.
Albert: Powerful, cost-effective IDS solution that identifies SLTT-specific malicious network activity.
CIS Network Monitoring and Management
CIS SecureSuite: Optimize your use of industry-leading security best practices with benefits, tools, and resources available to SLTTs at no cost.
CIS Endpoint Security Services: Cost-effective endpoint protection and response solution; get more capability with the Spotlight add-on, offering real-time vulnerability data at your fingertips.
Malicious Domain Blocking and Reporting Plus (MDBR+): Customizable secure DNS service that blocks access to harmful web domains and offers real-time reports.
CIS Hardened Images: Securely pre-configured virtual machine images available to deploy from major cloud service provider marketplaces.

To learn more, visit www.cisecurity.org
Contents

Featured Articles
Understanding the Evolving Cyber Threat Landscape in K-12 Organizations – Our new report looking in-depth at the cybersecurity trends and threats that most affected the K-12 community. (page 3)
Top Takeaways from 2023 Gartner® Market Guide for Microsegmentation – A look at the latest research from Gartner on network segmentation and its increasing utilization in the security industry. (page 6)
Fast-Track Your Implementation of Essential Cyber Hygiene – Guidance on how small- and medium-sized enterprises can improve their cybersecurity posture with industry-recognized best practices. (page 8)
Why Employee Cybersecurity Awareness Training Is Important – Insights from four industry thought leaders on why training your workforce on security is critical for an effective cyber defense strategy. (page 10)
Five Questions with Hall of Famer Tony Sager – Our Senior VP and Chief Evangelist reflects back on his career in cybersecurity, how the field has evolved, and how the next generation of cybersecurity professionals can succeed. (page 16)

Quarterly Regulars
Quarterly Update with John Gilligan (page 1)
News Bits & Bytes (page 2)
Cyberside Chat (page 14)
ISAC Update (page 18)
Event Calendar (page 20)

Cybersecurity Quarterly is published and distributed in March, June, September, and December. Founded MMXVII. Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061. For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460. © 2024 Center for Internet Security. All rights reserved.
Winter 2023, Volume 7, Issue 4

Editor-in-Chief: Michael Mineconzo
Supervising Editor: Laura MacGregor
Copy Editors: David Bisson, Aaron Perkins, Autum Pylant
Staff Contributors: Jay Billington, Joshua Franklin, Stephanie Gass, Carlos Kizzee, Aaron Perkins, Natalie Schlabig, Karen Sorady, Kelly Wyland
Work more securely in the cloud: Microsoft Windows 10 and 11 in Azure Marketplace.
Quarterly Update with John Gilligan

As I write this, Winter Solstice has arrived, and we have transitioned formally into winter. Although I am not a fan of cold weather, I do look forward to longer days as we begin the new year. However, while the seasons continue to change, there is little change on the cybersecurity front. News reports of cyber breaches affecting millions of citizens are now daily occurrences. Ransomware attacks continue to increase, especially against small- and medium-sized organizations. Clearly, we have not yet turned the corner on getting out in front of our cybersecurity threats.

This issue of Cybersecurity Quarterly looks back on 2023 by reflecting on activities and progress on the cybersecurity front. Some of the articles also look forward to what we might expect in 2024.

Those of you who know Tony Sager, SVP and Chief Evangelist at the Center for Internet Security, Inc. (CIS®), will enjoy the interview with him in this issue. Tony was recently recognized with induction into the Cybersecurity Hall of Fame. In the interview, he reflects on his long career in cybersecurity. I recommend the interview to all our readers but especially those who are new to the cybersecurity field. Tony’s wisdom is, as they say, priceless. He is truly a national treasure.

Several articles in this issue address recent events and progress along the cybersecurity front. Carlos Kizzee, our Senior VP of MS-ISAC® Strategy & Plans, provides an update on their recently issued publication, K-12 Report: CIS MS-ISAC Cybersecurity Assessment of the 2022–2023 School Year. This is the second report in this area; it details the nature of cyber threats in K-12 school organizations as well as progress in strengthening cybersecurity measures. In another article, Karen Sorady, VP of MS-ISAC Strategy & Plans in CIS’s Stakeholder Engagement organization, reviews the 2023 successes of the MS-ISAC and EI-ISAC®, including the enormously successful 2023 MS-ISAC Annual Meeting. In addition, Stephanie Gass, Director of Governance, Risk, and Compliance at CIS, has provided a piece that reviews one of the most impactful developments that affected security in 2023 and that we should expect to continue to do so in the coming year and beyond: Artificial Intelligence (AI).

Several articles in this issue focus on ways to strengthen your cybersecurity program. Our partner Akamai has provided an article that reviews a recent report from Gartner that addresses the current and future trends in microsegmentation as well as how to take advantage of this architectural approach to improve the resiliency of your infrastructure. Josh Franklin, Senior Cybersecurity Engineer at CIS, provides guidance on how to implement “essential cyber hygiene” leveraging the first Implementation Group of the CIS Critical Security Controls® (CIS Controls®), which has been shown to defend against 80% of the most common cyber attack techniques. Finally, an article explaining the importance of cybersecurity awareness training leverages the insights of the MS-ISAC Security Awareness Working Group, represented by Jason Balderama, CISO of Marin County, California. It also incorporates inputs from our EI-ISAC and our Cyber Threat Intelligence organization, represented by Marci Andino, Matt Everman, and Randy Rose. Please enjoy this quarter’s issue, and have a great winter!
Best Regards,
John M. Gilligan President & Chief Executive Officer Center for Internet Security
News Bits & Bytes

Nationwide Cybersecurity Review (NCSR) Is Now Open
The Nationwide Cybersecurity Review (NCSR) is now available through February 29, 2024. The NCSR is a no-cost, anonymous, annual self-assessment. All U.S. states (and agencies), local governments (and departments), tribal nations, and territorial (SLTT) governments are encouraged to participate. It is designed to measure gaps and capabilities of SLTT governments’ cybersecurity programs and is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Using the results of the NCSR, DHS delivers a bi-yearly anonymous summary report to Congress providing a broad picture of the cybersecurity maturity across the SLTT communities.

Hardened Windows Desktop OSes Debut on Azure Marketplace
For years, CIS has partnered with the Microsoft Azure team to help cloud users improve their security. Much of this work has centered around the CIS Hardened Images®, virtual machine images pre-hardened to the security recommendations of the industry-leading CIS Benchmarks™. They simplify the process of hardening operating systems in many major cloud platforms, including Azure. The two new Hardened Images for Windows 10 and 11 stand out because they are the first ones created for Windows Desktop operating systems (OSes). Prior to their release, we offered Hardened Images only for Windows Server.

CorpInfoTech Receives First CIS Controls Accreditation
Corporate Information Technologies (CorpInfoTech) is the first organization to receive CIS Controls Accreditation under a joint program between CIS and CREST, an international nonprofit accreditation and certification body. CIS Controls Accreditation offers CIS SecureSuite® Members the ability to provide CIS Controls implementation, auditing, and/or assessment with the assurance that they have met the consistent and rigorous standards of CREST certification. CorpInfoTech, the first company to achieve this recognition, provides small- to mid-market organizations with expert IT services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services.
Center for Internet Security’s Tony Sager Inducted into the Global Cyber Security Hall of Fame
CIS is honored to announce the induction of Senior Vice President and Chief Evangelist Tony Sager into the Global Cyber Security Hall of Fame on November 15, 2023. Sager’s recognition celebrates his contributions during the transformational era that ushered in a fundamental shift in the role of cybersecurity in our economy, government, infrastructure, and society. The mission of the Global Cyber Security Hall of Fame is to “‘Respect the Past – Protect the Future’ and honor the innovative individuals and organizations that had the vision and leadership to create the foundational building blocks for the Cyber Security industry.” Sager’s inclusion in this prestigious institution reflects his instrumental role in navigating the transition from cybersecurity as a theoretical concept to its practical implementation in the digital age.

“It seems clichéd, but it’s true – I am very humbled and a bit overwhelmed by the honor, putting me in the company of some of my professional heroes,” said Sager. “And most humbling, I never did anything alone. Anything I accomplished was in the company of great people, sometimes leading, sometimes following – and always grateful.”
Understanding the Evolving Cyber Threat Landscape in K-12 Organizations
K-12 schools are the largest and arguably least-funded contingent of the MS-ISAC. Our new report looks at the top threats and issues that faced K-12 schools and highlights actions to take to protect students, staff, and sensitive data.

By Carlos Kizzee
In today’s digital age, K-12 organizations face a myriad of cybersecurity challenges, ranging from malware and non-malware threats to evolving tactics employed by cyber threat actors (CTAs). The recently released CIS® MS-ISAC® K-12 Cybersecurity Assessment Report for the 2022-2023 School Year provides a comprehensive overview of the cybersecurity landscape specific to K-12 entities. This report offers valuable insights for cybersecurity professionals, IT leaders, and non-technical personnel in the U.S. State, Local, Tribal, and Territorial (SLTT) community, shedding light on the top threats, trends, and recommendations to bolster cyber defenses.

The report, compiled by the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) in partnership with the Consortium for School Networking (CoSN), draws from first-hand reported data from over 4,600 K-12 entities, providing a rich source of industry-specific insights. Members of the K-12 community within the MS-ISAC, dedicated to advancing security maturity in K-12 organizations, also reviewed this report. This group of K-12 members is specifically devoted to consistently publishing cybersecurity best practices and insights to guide the K-12 community on where to begin their cyber maturity journey. This report encompasses a wide array of sources, including data collected from the 2022 Nationwide Cybersecurity Review (NCSR), MS-ISAC member feedback, direct reporting data from the CIS Security Operations Center (SOC), and threat data and associated analysis by the CIS Cyber Threat Intelligence (CTI) Team. This robust approach ensures that the report offers a holistic view of the cybersecurity challenges faced by K-12 organizations.
Report Highlights
One of the key highlights of the report is the identification of the top threats affecting K-12 entities. The report reveals that Qakbot and CoinMiner emerged as the top two malware affecting K-12 entities between August 2022 and May 2023, constituting 43% of the Top 10 Malware during that period. This shift in the threat landscape contrasts with the prior year’s assessment, signifying the dynamic nature of cyber threats and the need for adaptive cybersecurity measures.

The report also sheds light on the top non-malware threats affecting K-12 entities. Notably, it found that AsyncRAT and MageCart made up 69% of the Top 5 Non-Malware threats observed over the 2022-2023 school year. This insight underscores the significance of addressing non-malware threats, which often leverage legitimate tools and require a nuanced approach to mitigation.

In addition to identifying the top threats, the report provides actionable recommendations K-12 organizations can use to bolster their cyber defenses. The report emphasizes the importance of training users to recognize and report phishing attempts, educating employees on how to deal with phishing emails, and implementing multi-factor authentication to mitigate the risk of phishing attacks. The report also underscores the need to prioritize remediation efforts based on adversary activity, offering valuable guidance on operating an effective, risk-based vulnerability management program.

The insights presented in the report are not only relevant to cybersecurity professionals and IT leaders but also hold significance for non-technical personnel in the K-12 community. As cybersecurity continues to be a top priority for K-12 organizations, the report serves as a valuable resource for superintendents, principals, and administrative staff, empowering them with data-driven insights for making informed decisions regarding cyber risk and prioritizing cyber defense measures. Unsurprisingly, the complexities of shifting between in-person, virtual, and hybrid schooling have been met with an increasingly complicated and evolving cyber threat landscape, making it imperative for all stakeholders to be well-informed about the cybersecurity challenges faced by K-12 organizations.

The CIS MS-ISAC K-12 Cybersecurity Assessment Report for the 2022-2023 school year offers an industry-specific overview of the evolving cyber threat landscape specific to K-12 entities. Download the report at https://www.cisecurity.org/insights/white-papers/k-12-report-cis-ms-isac-cybersecurity-assessment-of-the-2022-2023-school-year to continue your K-12 organization’s journey to cyber maturity.

Carlos P. Kizzee is the Senior Vice President for MS-ISAC Strategy and Plans. In that position, Kizzee is accountable for the engagement, account management, and training and education activities associated with MS-ISAC membership as well as key programs assessing and enhancing the security maturity of state, local, tribal, and territorial government agencies and activities. Previously, Kizzee served with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) as Vice President of Intelligence, building and supporting retail and hospitality industry security collaboration; and with Defense Security Information Exchange as Executive Director, promoting threat intelligence sharing and collaboration within the defense industrial base and actively supporting the development and establishment of the National Defense ISAC.
BEYOND TYPICAL INCIDENT RESPONSE
Boost Preparedness and Resilience with a Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer: CIS CyberMarket members secure a Cyber Risk Retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services. Unlike most providers, you can customize the Cyber Risk Retainer to include a wide range of services.

Peace of Mind for CIS CyberMarket Members
Kroll merges unrivaled expertise and frontline threat intel to protect, detect, and respond against cyberattacks.
3,000+ IR Engagements Per Year | 100K+ Hours in Offsec Work Per Year | 650+ Experts Worldwide
Talk to a Cyber Expert: Kroll on CIS CyberMarket
Explore all Kroll Services
Top Takeaways from 2023 Gartner® Market Guide for Microsegmentation
As network infrastructure becomes more complex and organizations continue to emphasize zero trust in their network architectures, a one-size-fits-all approach to security no longer fits the need.

By Ravit Greitser
Hybrid environments, a sharp increase in ransomware attacks, and stringent compliance mandates are some of the daily challenges faced by today’s security teams. At the same time, perimeter-based security solutions, such as traditional network firewalls and VPNs, are no longer adequate in today’s threat landscape. According to the first Gartner® Market Guide for Microsegmentation: “Security and risk management (SRM) leaders are primarily adopting and implementing microsegmentation technologies as part of a larger zero trust architecture initiative to stop lateral movement in hybrid environments.” As a Representative Vendor in Gartner’s 2023 Market Guide, Akamai can offer some key insights on how to address the findings of the report.

Our 4 Top Takeaways
The report presents the views of Gartner® on the current and future key microsegmentation trends so you can choose the right solution and protect your organization. Our four top takeaways from the full report are:
• Microsegmentation adoption will soar
• Interest in microsegmentation spans all verticals and geographies
• A phased approach with zero trust projects
• Microsegmentation vendors to add zero trust network architecture (ZTNA) capabilities
1. Microsegmentation Adoption Will Soar
According to Gartner, “By 2026, 60% of organizations working toward zero trust architecture will use more than one deployment form of microsegmentation, which is up from less than 5% in 2023.” While legacy perimeter-based solutions can still enforce policies among network sites, they fall short when it comes to segmenting east-west traffic between workloads. Gartner recommends that SRM leaders implement microsegmentation “to enable policies at the workload level to stop lateral movement and limit the blast radius of malware by leveraging discovery features and integration with cloud infrastructure automation to ease initial work and operational maintenance.”

2. Interest in Microsegmentation Spans All Verticals and Geographies
The microsegmentation market is booming. Gartner sees interest in microsegmentation across all verticals and geographic areas. Digital transformation and the rise of ransomware are the main driving forces behind this interest. Over the past few years, we have seen ransomware target organizations in every industry. Therefore, microsegmentation, which was once reserved for enterprises and sizable organizations, has now made its way into the mainstream and even public sector entities. Mid-sized organizations are evaluating microsegmentation solutions.

3. A Phased Approach with Zero Trust Projects
Gartner recommends that organizations “scale progressively by choosing which workloads to prioritize, in stages, and be conservative when defining project planning.” Organizations should prioritize selecting vendors whose segmentation solutions are not only scalable and flexible but also align with their changing business needs. Start by aligning your zero trust investments to your most pressing business needs and opt for a trusted zero trust vendor over vendors that evolved overnight by rebranding their older solution as zero trust.

4. Microsegmentation Vendors to Add ZTNA Capabilities
The report notes, “Longer-term, Gartner observes that microsegmentation vendors try to expand beyond the initial scope of segmentation assets within a data center by adding remote access features (e.g., zero trust network access [ZTNA]).” Akamai’s strategy is to bring highly capable ZTNA and segmentation capabilities together into a unified core architecture for zero trust.

How Akamai Delivers on Gartner’s Requirements
Akamai provides the most flexible microsegmentation solution with security capabilities, which can help you get more value for your segmentation investment. Akamai’s alignment to the core capabilities listed in the report includes:
• Flow mapping: Flow mapping allows you to gather and show north/south and east/west traffic flows as well as use them in the policy definition. Akamai’s visibility map, Reveal, automatically discovers and visualizes all applications, workloads, and communication flows down to the process-level context across containers, Internet of Things/operational technology (IoT/OT), and virtual machines. This visualization enables security teams to easily label and group all assets and applications, detect risk, and automatically create least-privilege security policies.
• Workload isolation based on security policy: Akamai allows microsegmentation between any two workloads across any environment and uses an unlimited number of labels to define policy between those workloads. Flexibility of labels is critical to expressing different types of policy.
• Policy enforcement, including the definition of rules based on various factors: With Akamai, policies can be based on granular settings (not just IP or port), such as multidimensional labels to automate policy deployment or other application characteristics. Attributes are collected automatically and shown in the Reveal map.
• Deployment in virtualized and infrastructure as a service (IaaS) environments: Akamai provides the most comprehensive microsegmentation solution across any environment, including cloud, virtualized, and on-premises environments, with the ability to scale to any size.

Learn More About Microsegmentation
To dive deeper into the outlook for microsegmentation, key trends to watch, and recommendations for leaders who manage infrastructure security, download the Gartner Market Guide to Microsegmentation.

Ravit Greitser is a Senior Product Marketing Manager at Akamai Technologies. She has vast experience in product marketing and technical writing, specializing in cybersecurity.
Fast-Track Your Implementation of Essential Cyber Hygiene
Small and medium enterprises need to be concerned about security just as much as larger organizations with more resources. Our new guide provides a roadmap to implement essential security measures to improve their cyber defenses.

By Joshua Franklin
Cybersecurity is not just a concern for large corporations and government entities; it’s a critical issue for businesses of all sizes. Cyber threat actors (CTAs) are increasingly targeting small businesses in particular. If successful, the consequences of those cyber attacks can be devastating. To help you defend your small or medium-sized enterprise (SME), we released the CIS Implementation Guide for Small- and Medium-Sized Enterprises. This comprehensive resource works as a ladder to help you rapidly adopt Implementation Group 1 (IG1) of the CIS Critical Security Controls® (CIS Controls®). In this article, we’ll explain how.

3 Common Cybersecurity Challenges for Small Businesses
Small businesses like yours represent the foundation of the business and public service sectors. They are also often the least prepared to protect themselves against a cyber attack. Here are a few cybersecurity challenges that SMEs commonly face every day:
• Limited Resources: Small businesses often operate on tight budgets, leaving little room for substantial investments in cybersecurity measures. This limitation can lead to vulnerabilities that cybercriminals are quick to exploit.
• Lack of Expertise: Many small business owners and employees lack the expertise needed to navigate the ever-evolving landscape of cyber threats effectively. Without adequate knowledge and training, they may inadvertently expose the business to risks.
• Insufficient Security Policies: Often, small businesses operate without comprehensive cybersecurity policies and procedures. This lack of structure can result in weak password management, data exposure, and inadequate access controls.

The Importance of Essential Cyber Hygiene
IG1 is not just another list of good things to do; it is a set of steps that help you deal with today’s most common types of attacks by establishing essential cyber hygiene. The methodology provided in this guide helps you to fast-track a large majority of the recommended actions within IG1. Once you’ve taken all of the steps recommended within this guide, you should identify the IG1 Safeguards you have yet to complete and ensure you are putting all of the IG1 Safeguards into place within your IT infrastructure.
Countering Cyber Threats with Our Guide
Our implementation guide helps you to defend your small- or medium-sized enterprise against the following types of threats:
• Theft of Information: Malicious hackers and dissatisfied employees try to obtain personally identifiable information (PII) or steal credit card information, customer lists, intellectual property, and other sensitive information.
• Password Theft: Attackers steal passwords to access company systems.
• Phishing Attacks: A phishing email looks like legitimate correspondence and tries to trick the recipient into clicking on a link that installs malware on the system.
• Ransomware: Ransomware is malicious software that blocks access to a computer, enabling criminals to hold your data for ransom.
• Natural Disasters: Data loss occurs due to natural events and accidents like fires and floods.
• Defacement and Downtime: Attackers force your website or other technology to no longer look or function properly. This could be done as a joke, for political reasons, or to damage your reputation.
It’s Not All or Nothing
To help you address the threats discussed above, this guide lists a variety of free or low-cost tools as well as procedures you can implement to improve your security. Additionally, the Center for Internet Security, Inc. (CIS®) recommends the following cybersecurity approach to help you prioritize your efforts within the constraints listed above. This phased approach is as follows:
• Phase 1 – Complete the five inventory worksheets included in the guide:
  • Enterprise Asset Inventory Worksheet
  • Software Asset Inventory Worksheet
  • Data Inventory Worksheet
  • Service Provider Inventory Worksheet
  • Account Inventory Worksheet
• Phase 2 – Complete the Asset Protection Worksheet for each asset in the inventory.
• Phase 3 – Complete the Account Security Worksheet for each account in the account inventory.
• Phase 4 – Complete the Backup and Recovery Worksheet for each asset.
• Phase 5 – Complete the Incident Response Worksheet.
• Phase 6 – Ensure that all employees review the training options listed in the Cyber Education Worksheet.

Each step in Phase 1 includes worksheets or spreadsheets to help you along the way. This phase involves knowing what’s connected to your network, the software you use, what data is being protected, your service providers, and your accounts. Phase 2 focuses on protecting your technology, while Phase 3 ensures that you’ve appropriately locked down each account your enterprise uses. Phase 4 helps you to back up and store enterprise data elsewhere. Finally, Phases 5 and 6 help your enterprise to prepare in advance for disruptive events using planning and education.
Your Roadmap to Digital Safety
It’s time to take action. This guide is your roadmap to digital safety; you can begin using it with limited resources and technical know-how. Your small business might be a target, but you don’t have to be a victim. Be prepared, be informed, and stay safe. You can download a copy of the CIS Implementation Guide for Small- and Medium-Sized Enterprises at https://www.cisecurity.org/insights/white-papers/implementation-guide-for-small-and-medium-sized-enterprises-cis-controls-ig1.

Joshua Franklin is a Senior Security Engineer for the CIS Critical Security Controls at the Center for Internet Security (CIS), where he is developing best practices for mobility, IoT, and elections. Prior to CIS, Franklin researched enterprise mobile security, cellular security, and electronic voting at the National Institute of Standards and Technology (NIST). While at NIST, he managed the mobile security laboratory at the National Cybersecurity Center of Excellence (NCCoE). Franklin graduated from George Mason University with a Master of Science in Information Security and Assurance. He has presented at a variety of cybersecurity conferences including DEF CON, RSA, and ShmooCon.
Why Employee Cybersecurity Awareness Training Is Important
Even the most sophisticated security programs can be thwarted by a simple human error. That’s why a robust security awareness program is crucial for building a rock-solid cyber defense plan.

By CIS Staff
Not everyone invests in employee cybersecurity awareness training, especially in the case of hybrid workplaces. In a 2023 study, a third of companies told Hornetsecurity they don’t provide cybersecurity awareness training for remote employees. This is despite the fact that 75% of these companies’ remote personnel can access sensitive data. It’s not always easy to cut through the noise and see why a security awareness program is important when you’re juggling a lot of cybersecurity priorities at once. To help offer some context, we asked experts at CIS®, the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®), and MS-ISAC member organizations to discuss why security awareness training is important – particularly to U.S. State, Local, Tribal, and Territorial (SLTT) government organizations such as yours. Here’s what they had to say.
Marci Andino, Sr. Director of EI-ISAC at CIS
Cybersecurity is everyone’s responsibility! Election offices play a crucial role in our democracy. They must be prepared for the 2024 general election and the unwanted cyber activity that accompanies a Presidential election. This is equally true for both large and small jurisdictions, as the internet provides equal access to all election offices. In addition to election-related training required to conduct efficient elections, election officials must increase their cybersecurity awareness to protect critical election infrastructure in their offices, warehouses, and at polling locations. Employee security awareness training will help election officials defend against phishing attacks, insider threats, and other tactics used by our adversaries to disrupt the election process. It will also give them insight into no-cost solutions available to election offices that they can use to train their permanent and seasonal workers to appropriately respond to such attacks.
Jason Balderama, CISO of Marin County, California, and MS-ISAC Security Awareness Working Group Co-chair

Cyber attacks and data breaches are becoming increasingly common; they remind everyone why exercising security best practices is so important. While technical security controls like firewalls, email security, and endpoint protection provide layers of defense against cyber threats, no one technical solution can stop all cyber attacks. Information security awareness training provides tools, techniques, and best practices that SLTT employees can use to spot potential threats, take appropriate actions, and protect their organizations. SLTT/election offices can measure their security maturity with frameworks such as NIST CSF, NIST 800-53, and the CIS Critical Security Controls® (CIS Controls®). Most if not all of these frameworks include security awareness training as a component and offer insight into what is effective security awareness training. They also include detailed information on how to meet the control and how to use metrics to measure effectiveness. All SLTT and election agencies perform critical services to the community. As organizations that store and process the private information of our residents, we have a duty to instill trust with the public. Implementing best practices such as security awareness training is a simple and cost-effective way to help meet this important goal.

Mathew Everman, Information Security Operations Manager at CIS

Employee cybersecurity awareness training falls within the CIS Controls for good reason. All breaches begin with the human factor; putting in the effort to harden those vectors for attack is equally if not more important than any software or hardware hardening. Most public sector organizations struggle with limited funding, limited employee count, and/or tight specialization restrictions. In many cases, this leads to a limited staff of identified or in-house security professionals who are available to those teams on a daily basis. Helping internal resources understand the risk of a threat along with key indicators trains those employees on what to watch out for and how to react accordingly, effectively making the entire organization a strong security team. This creates the so-called human firewall. Building a basic security awareness program according to your needs may be time-consuming, but it doesn’t have to be expensive. The positive return on investment is so great that it’s nearly immeasurable. Data gathered by a cyber threat actor – no matter how insignificant – can be a small piece of a larger puzzle that could lead to an upstream breach of more sensitive data. The duty and responsibility of our public sector is to protect, provide for, and guide the public. The safety and security of the public is directly connected to the safety and security of those charged with its care. Taking the time to ensure those key public sector members are well informed and emboldened to identify and report possible security incidents is absolutely key to the public wellbeing. As the information threat landscape grows, building a strong human knowledge infrastructure will ensure employees stay ahead of emerging threats and build security into their daily duties and functions.
Randy Rose, Senior Director of Security Operations and Intelligence at CIS

Maslow must rethink his hierarchy of needs! The internet has firmly rooted itself somewhere near the base of his famous pyramid. And just as we cannot forego using cyberspace, neither can we forego employee security awareness training. In fact, it’s just the opposite. Cybersecurity training, education, and awareness have become increasingly important in a world where people, regardless of their technical chops, are left with no choice but to use technology every day in a multitude of ways. They need to complete tasks at work, organize their schedule, balance their checkbook, review their children’s homework, and pay for everyday items, just to name a few. When we rely so heavily on technology, it’s easy to take the threats we face because of it for granted. Combined with the rapid pace at which technology and associated attacks change, we must do our best to keep ourselves, our families, and our colleagues aware and vigilant. Humans all learn differently, but one thing is certain: we all learn by repetition. It’s important for awareness of cybersecurity risks and best practices to be frequent and varied. The key to a good security awareness program is connecting new ideas with old ones. People learn most quickly when they can relate new information to things they already know. To maximize retention, messages should be straightforward, build upon prior knowledge, and rely on real-world examples and comparisons to tangible, non-technical concepts. Additionally, there should be a mixture of delivery styles covering at least reading, listening, watching, and doing. Cybersecurity education that sticks can be the difference between a user who clicks a link and a user who stops to think. And that difference can save an organization millions.
Security Awareness Training to Support Your Future

As our experts point out above, security awareness training won’t be losing any of its value anytime soon. In the 2023 Data Breach Investigations Report (DBIR), Verizon Enterprise found that nearly three quarters of data breaches involve the human element. This finding shows why it’s important to invest in building a security awareness program now.

We’re here to help! Through our partnership with the SANS Institute, we’re proud to bring you SANS Security Awareness training that can help fortify your employees against social engineering and other cyber attacks exploiting the human element. Developed by highly experienced cybersecurity instructors and experts, SANS Security Awareness offers a customizable mix of end user training content to address relevant threats, teach security concepts that are critical to your workplace, and adhere to the ideologies of your organization’s corporate culture. Demos are also available for all versions of SANS Security Awareness. Now through January 31, U.S. State, Local, Tribal, and Territorial government entities can save over 50% on the SANS Institute’s security awareness training programs, including SANS Security Awareness, technical training courses, and more.

The First Step in Building a Positive Security Culture

Cybersecurity awareness training for employees helps you minimize your risks stemming from the human element. No technology solution can help you stop all cyber attacks and data breach vectors, after all. That is why you need a human firewall: a positive security culture built on security awareness training that connects new ideas to old. With it, you can protect the critical services, individuals, and infrastructure that you as an SLTT are instrumental in supporting.
CybersideChat

2023: The Year of AI and Beyond

By Stephanie Gass, Director of Governance, Risk & Compliance, CIS

“Given the scope, the scale, the speed and the potential impact of artificial intelligence, it is essential that harms continue to be identified both at the start of the AI creation process and throughout the life cycle. Failure to identify and address harms can have a catastrophic impact on an organization.” – Vivienne Artz, OBE

Looking back over 2023, without a doubt Artificial Intelligence (AI) stole the stage, with ChatGPT just reaching its one-year anniversary in November. A key to better understanding AI comes from the mindset that society shapes AI, while AI in turn shapes the world. Technology and humans are re-defining the world as we know it. It is no surprise that organizations are seeing how AI can benefit their products and services, as well as processes. The key to managing AI effectively relies heavily upon the governance framework defined by the organization. To assist organizations looking to leverage AI, the National Institute of Standards and Technology (NIST) has developed an AI Risk Management Framework (AI RMF). The framework outlines key components such as trustworthy and responsible AI usage. The intent behind the AI RMF is to provide organizations with a practical resource that can be contextualized to fit the needs of the organization. In late October, President Biden issued an Executive Order requiring that all government agencies ensure “safe, secure, and trustworthy development and use of AI”. In addition to the NIST AI RMF, the European Union (EU) agreed upon terms for the EU AI Act this December. Similarly to privacy with GDPR, the EU is paving the way for regulatory standards in trustworthy AI. The premise is to safeguard fundamental rights of individuals and business alike. With no set date for compliance, it would benefit organizations to familiarize themselves with the requirements and understand the gaps within their environments. The International Organization for Standardization (ISO) just published ISO/IEC 42001 Artificial Intelligence Management System (AIMS). It outlines the responsible development and use of AI for any organization providing or using AI in its products and services. Key components of ISO/IEC 42001 include commitments to responsible AI, reputation management, AI governance, controls adaptation, and identifying opportunities. The standard aligns with related ISO/IEC management system standards, such as 27001 (Information Security), 27701 (Privacy) and 9001 (Quality).
When establishing an AI governance framework, an organization should make decisions about how to manage AI risks and design the appropriate programs to manage the risks to acceptable levels. This is not a static process but one that will continue to evolve as AI evolves. Here are some items to consider:

• What decisions need to be made regarding the integration of AI into the organization?
• How are those decisions made and by whom?
• Once decisions have been reached, how does the organization translate the decisions into programs?
• Have processes and metrics been defined to understand the effectiveness of the programs?
AI can be extremely powerful, for better or worse, but understanding the risks and responsibly using AI can greatly benefit society. There are still plenty of unknowns, but as we look to 2024, AI governance frameworks and implementation will continue to be a hot topic.
Five Questions with Hall of Famer Tony Sager

A conversation with our chief evangelist, co-creator of the CIS Critical Security Controls, and elder statesman of cybersecurity, Tony Sager, on his storied career in the field, how the field has evolved, and where the industry is headed.
By CIS Staff

Tony Sager is Senior Vice President and Chief Evangelist for Center for Internet Security, Inc. (CIS®). In November 2023, he was inducted into the Global Cyber Security Hall of Fame. Sager’s recognition celebrates his contributions during the transformational era that ushered in a fundamental shift in the role of cybersecurity in our economy, government, infrastructure, and society. Sager’s inclusion in this prestigious institution reflects his instrumental role in navigating the transition from cybersecurity as a theoretical concept to its practical implementation in the digital age. Here, he answers five questions about the past, present, and future of cybersecurity and CIS.
What was the landscape of cybersecurity when you first joined CIS?

My cyber career started in 1977. In any year, I might think, “Wow, this is a tough problem. We’re working hard, and it’s changing fast.” And then two years later, everything would be doubled in challenge, work, and complexity of change. The same was true when I joined CIS in 2015. The explosion of cloud services was interesting but not pervasive then. Ransomware was much less of a “thing” and hard to monetize without risk to the attacker. We thought of criminals and victims as focused on large dollar targets. The technical problems to solve were daunting but mostly understood. I wound up at CIS because of the vision – the idea that a nonprofit could focus community energy into collective action. And that’s still the vision we have today.

How have you seen the cybersecurity field change since then?

Just in the last few years, threats and attackers have become more professional, better organized, and bolder. And they have moved into new areas, like disinformation – attacking the consumption of information, not the technology. Meanwhile, victims are more plentiful than ever, and the economics of attacks mean that even small dollar victims add up to huge returns. We’ve also seen huge changes in the way we collectively use technology (work from home, cloud services, etc.) leading to rapid changes in attack surface and vulnerabilities.

What keeps you up at night regarding the challenges organizations face with cybersecurity?

Most of the work you see in cybersecurity is just dealing with the problem as we see it today, essentially, so that we can “live to fight another day.” But sadly, we (our industry) have created an unwinnable model. The vast majority of enterprises will never have the resources or expertise to defend themselves. So we really need to shift to a model where most security is built in, bought, and just part of the infrastructure. We have to do both: fight today’s fight to survive and reinvent the problem. I just worry that we don’t have the energy, resources, or national will to do both.

What excites you the most about what you see happening in cybersecurity?

I think we are finally starting to treat cyber more as an economic/social risk problem to be managed and less as a technology puzzle to be solved. This means a more holistic look at the problem and the possible solution space. This means that technical progress must be driven as much by public policy and behavioral economics in addition to technology. I am encouraged by more activism and teamwork among government agencies and industry (there’s still a long way to go) to treat this as a shared problem requiring shared solutions.

What advice could you provide to individuals who are early in their cybersecurity career?

Have a plan for serendipity! Just in my time, we’ve gone from a world of stand-alone personal computers to a world-wide connected web as the engine for all commerce and information sharing. No job is static, and no one can predict the twists and turns. So prepare yourself by “learning to learn” in order to keep up. Be curious and keep your eye on emerging technologies. Learn to say “Yes!” to new assignments and challenges. And most important – make friends in the business. They will help you learn, help you grow, act as your “sensors” for what’s coming, and serve as your allies in deciding what to do about it.
ISACUpdate

MS-ISAC Year in Review: How We’ve Grown and Will Continue to in 2024

By Karen Sorady, Vice President of Strategies and Plans, MS-ISAC

In the ever-evolving landscape of cybersecurity, the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) continues to be at the forefront, fostering community connections and better enabling U.S. State, Local, Tribal, and Territorial (SLTT) governments to safeguard themselves from cyber threats. As we reflect on the past quarter and the year, the growth in MS-ISAC membership and the collective achievements of our community are indeed worth celebrating.
K-12 Cybersecurity Challenges: A Comprehensive Report

One of the key highlights of this quarter is the publication of the CIS MS-ISAC K-12 Cybersecurity Report. In a world where educational institutions face unprecedented challenges, especially in navigating the complexities of virtual and hybrid schooling, CIS and the MS-ISAC recognize the pivotal role that K-12 schools play. Comprising nearly one-third of MS-ISAC membership, K-12 schools represent a significant portion of our community.
The insights gathered through the Nationwide Cybersecurity Review (NCSR) and feedback from MS-ISAC members, coupled with data from the CIS Security Operations Center (SOC) along with inputs from Consortium for School Networking (CoSN), empower K-12 leaders to make informed decisions regarding cyber risk. This report not only highlights the evolving threat landscape but also provides practical guidance for improving cyber defenses in the education sector.

Carlos Kizzee, Senior VP of Strategies and Plans for the MS-ISAC, and two of our contributors from our K-12 community, Dr. Bhargav Vyas, Assistant Superintendent for Compliance and Information Systems & Data Protection Officer at Monroe-Woodbury Central School District, and Terry Loftus, Assistant Superintendent & Chief Information Officer of Integrated Technology Services at San Diego County Office of Education, dive into the details of this report in Episode 71 of the CIS Cybersecurity Where You Are podcast.

Protecting the Pillars of Justice: SLTT Judicial Report

Additionally, we’ve addressed the unique challenges faced by U.S. SLTT judicial entities in our Security Best Practices for SLTT Judicial Entities Report. Given their critical role in communities, possession of sensitive data, segmented IT support structures, and limited resources, SLTT judicial organizations are attractive targets for cyber threat actors (CTAs). This report not only aids in enhancing their cybersecurity programs but also supports a requirement outlined in the Consolidated Appropriations Act of 2023.
Year in Review: Strengthening Our Foundation

Looking back, our achievements this year underscore our commitment to providing world-class support to MS-ISAC members. We have built a support unit that is steadily moving toward becoming a centralized, world-class customer service branch. Our collaborative efforts with Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) field staff have expanded engagement and support to SLTT entities nationwide. Additionally, through 55 in-person engagements across 32 states, the MS-ISAC has impacted over 18,000 conference attendees, fostering a sense of community and shared commitment to cybersecurity. Our Leadership Mentoring Program continues to nurture the cyber leaders of the future, cultivating over 275 mentoring relationships. In conducting over 665 individual member organization reviews, including Service Reviews, Maturity Reviews, NCSR Demos, and CIS SecureSuite® Membership Reviews, we’ve witnessed a record-high participation rate from our more than 16,400 members, indicating the growing awareness and importance of cybersecurity across all sectors.
New NCSR Summary Report: Insights for the Community

We are excited to announce the release of the 2022 Nationwide Cybersecurity Review (NCSR) Summary Report, featuring anonymized data findings from the October 2022 through February 2023 NCSR submission cycle. With a record-setting participation from 3,681 SLTT organizations, the report highlights a 6% average year-to-year increase in cyber maturity scoring for returning NCSR participants. Notably, entities using a security framework scored 58% higher than organizations that do not, emphasizing the importance of adopting best practices in cybersecurity.

Virtual Service Review Rooms: Personalized Support for ISAC Members

We invite ISAC members to take advantage of our Virtual Service Review Rooms, where you can meet with our team to review your organization’s current ISAC status, update contacts, review currently utilized services, and learn more about available resources. Contact the team at info@cisecurity.org to reserve a time slot today.

What’s Next: ARMOR Week and ISAC Annual Meeting

Looking ahead, we are excited to announce ARMOR Week, a two-day virtual event tailored exclusively to our SLTT members. Taking place on January 10-11, 2024, ARMOR Week will focus on empowering SLTT stakeholders to reduce risks and develop a stronger cyber workforce. Also, registration for the ISAC Annual Meeting will open in early February 2024, with the event scheduled to take place in Orlando, Florida, on June 23-26, 2024. Keep an eye on your email for more information surrounding exclusive events and opportunities specifically designed for the MS-ISAC community. If your organization is not a member yet, we invite you to join here today for free! The MS-ISAC remains dedicated to fostering collaboration, providing support, and empowering the SLTT community with the tools and tactics to navigate the ever-changing cybersecurity landscape successfully. Together, we build a stronger, more resilient cybersecurity community. Finally, from all of us at the MS-ISAC, we wish you and yours the very best in the new year!
UpcomingEvents

January

January 7 - 10
The Government Management Information Sciences (GMIS) Alabama Winter Conference will take place at the Embassy Suites – Huntsville in Huntsville, Alabama. This conference allows Alabama government IT professionals to network, share knowledge, and learn how to best keep their organization safe against cyber threats. Learn more and register at https://www.eventleaf.com/gmis2024winter.
January 10 - 12
The 2024 Arkansas Municipal League Winter Conference will take place at the Little Rock Statehouse Convention Center in Little Rock, Arkansas. The event will bring together city and town leaders from across the state to learn from industry thought leaders, network with peers, and learn about new solutions and tactics to help them better serve their constituents. MS-ISAC Regional Engagement Manager Kyle Bryans will be onsite sharing information about free cybersecurity resources for local governments. Learn more at https://www.arml.org/.
January 17
The Pennsylvania Association of Intermediate Units (PAIU) will host the PAIU Instructional Media Services Professional Development Day. The event will promote and support collaboration within the education system and help IT and other related professionals fulfill a wide range of service needs for students and school districts. MS-ISAC Regional Engagement Manager Megan Incerto will lead a session at the event on free cybersecurity resources for public education. Learn more at https://www.paiu.org/PAIMS.

January 30 - February 1
The Florida Local Government Information Systems Association (FLGISA) will host the FLGISA 2024 Winter Symposium at the Embassy Suites Lake Buena Vista South in Lake Buena Vista, Florida. All Florida local government agency technology professionals are welcome to attend to learn from industry leaders and network with peers. MS-ISAC Regional Engagement Manager Kyle Bryans will be part of a discussion panel with CISA and leaders from the State of Florida to discuss cybersecurity services for local governments. Learn more at https://www.flgisa.org/events/.
January 26
Cyber Security Summit: Tampa will take place at the Hilton Tampa Downtown in Tampa, Florida. It will bring together business leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/tampa24/.
February

February 2
Cyber Security Summit: Atlanta will take place at the Grand Hyatt Atlanta in Buckhead in Atlanta, Georgia. It will bring together business leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/atlanta24-feb/.
February 3 - 7
The Texas Computer Education Association (TCEA) Convention & Expo will take place at the Austin Convention Center in Austin, Texas. Attendees will take advantage of 800+ sessions, 450+ exhibitors, influential speakers, and forever-free TCEA membership. Walk away with game-changing tools, strategies, knowledge, and know-how that will help you make your mark on education. Learn more at https://convention.tcea.org/.
February 4 - 7
The Pennsylvania Educational Technology Expo and Conference will take place at the Hershey Lodge and Convention Center in Hershey, Pennsylvania. The event will bring together education technology leaders from across the state to learn in over 200 educational sessions to increase their knowledge and awareness of new concepts and resources. MS-ISAC Regional Engagement Manager Megan Incerto will lead a session on free cybersecurity resources for public K-12 schools. Learn more at https://www.peteandc.org/.

February 17
Cyber Security Summit: Silicon Valley will take place at the Santa Clara Marriott in Santa Clara, California. It will bring together business leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/siliconvalley24/.
February 7 - 9
The Idaho Education Technology Association (IETA) will host IETA 2024 at The Boise Center in Boise, Idaho. The event will bring together education technology leaders from across the state to learn from industry experts and discover how to enhance the education of Idaho’s students with tomorrow’s technology. MS-ISAC Regional Engagement Manager Michelle Nolan will lead a session at the event on how public education institutions can work with the MS-ISAC for incident response and ransomware prevention. Learn more at https://ieta.events/.
February 7 - 10
The National Association of Secretaries of State (NASS) will hold their Annual NASS Winter Conference at the Grand Hyatt in Washington, D.C. The 2024 conference will cover election security, state heritages, international relations, and an overview of cybersecurity strategies. Learn more at https://www.nass.org/events/nass2024-winter-conference.
February 21 - 22
The South Carolina Cyber Association (CyberSC) will host Palmetto Cyber Summit 2024 at the Cooperative Conference Center in Columbia, South Carolina. The event will bring together experts to provide timely content and address a variety of cybersecurity issues impacting South Carolinians. Attendees will hear from government and industry leaders on the latest developments and gain insights into managing today’s cybersecurity challenges. MS-ISAC Regional Engagement Manager Kyle Bryans will lead a session on enhancing email protection with resources from the MS-ISAC. Learn more at https://cybersc.us/events.
February 29 - March 1
The Mid-America Association for Computers in Education will host MACE 2024 at Kansas State University in Manhattan, Kansas. The annual educational technology conference will offer technology leaders and professionals the opportunity to network with peers and learn about the latest topics of interest in the industry. MS-ISAC Regional Engagement Manager Megan Incerto will lead a session on no-cost cybersecurity resources for public K-12 schools. Learn more at https://www.mace-ks.org/.
March

March 1
Cyber Security Summit: Seattle/Bellevue will take place at the Hyatt Regency Seattle in Seattle, Washington. It will bring together business leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/seattle24/.
March 3 - 6
Financial Services Information Sharing and Analysis Center (FS-ISAC) is hosting its 2024 FS-ISAC Americas Spring Summit in San Diego, California. Attendees can gain the information needed to address threats, develop new strategies, and meet changing regulations specific to the Americas region. More details and registration will be released soon at https://www.fsisac.com/events/2024-americas-spring.
March 7
Cyber Security Summit: San Diego will take place at the Marriott Marquis San Diego Marina in San Diego, California. It will bring together business leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/sandiego24/.
March 11 - 13
The Pennsylvania Department of Education (PDE) will host the 2024 PDE Data Summit at the Hershey Lodge and Convention Center in Hershey, Pennsylvania. Attendees will experience impactful professional learning opportunities, gain technical skills, and leave with a better understanding of their data and how it can be used to support and benefit the school communities they serve. MS-ISAC Regional Engagement Manager Megan Incerto will lead a session on no-cost cybersecurity resources for public K-12 schools. Learn more at https://www.education.pa.gov/DataAndReporting/PDEDataSummit/.

March 14 - 17
Independent Community Bankers of America (ICBA) Live will be held at the Orlando World Center Marriott in Orlando, Florida. This multi-day event attracts thousands of community bankers looking to connect, share ideas, and leverage a wide array of educational opportunities including thought-provoking and inspiring general sessions, actionable learning labs, and peer-driven roundtables. Learn more and register at https://www.icba.org/events/icba-live.

March 20
Cyber Security Summit: Rosemont/Chicago O’Hare will take place at the Hyatt Regency O’Hare Chicago in Rosemont, Illinois. It will bring together business leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/rosemont24/.
March 11 - 13 The Healthcare Information and Management Systems Society (HIMSS) Global Health Conference and Expo will be held in Orlando, Florida, at the Orange County Convention Center. Join other health professionals to network, learn about new cutting-edge technologies, and gain insight into the global health landscape. Learn more and register at https://www.himss.org/global-conference.
March 12 Cyber Security Summit: New York will take place at the Sheraton New York Times Square Hotel in New York, New York. It will bring together business leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/newyork24-mar/.
Cybersecurity Quarterly
March 19 - 20 The Inaugural Billington State and Local CyberSecurity Summit kicks off in Washington, D.C., at the National Press Club. Attendees will explore what can be done to enhance the cybersecurity of the states, counties, cities, and municipalities that comprise the United States and the critical infrastructure sectors in these areas. T.J. Sayers, Director of Intelligence and Incident Response at CIS, will co-lead a session on how Chinese cyber threats can impact state and local governments. All government employees can attend the event for free, and non-government employees can receive $100 off registration with the code CIS100SL. Learn more and register at https://billingtoncybersecurity.com/inaugural-billington-state-and-local-cybersecurity-summit/.
March 20 AWS IMAGINE: Nonprofit will take place in Arlington, Virginia, at Amazon HQ2. This conference brings together nonprofit leaders, purpose-focused technologists, and impact innovators to discuss how technology can help drive a positive impact for both people and the planet. Learn more and register at https://aws.amazon.com/government-education/nonprofits/imagine-nonprofit/.
March 22 Cyber Security Summit: Miami will take place at the Hilton Miami Downtown in Miami, Florida. It will bring together business leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/miami24/.
Interested in being a contributor? Please contact us: cybermarket@cisecurity.org www.cisecurity.org 518.266.3460
Center for Internet Security: cisecurity.org, info@cisecurity.org, 518-266-3460. Social: @CISecurity, TheCISecurity, cisecurity.