Cybersecurity Quarterly
Fall 2017
A Publication from the Center for Internet Security

• The New Malspam That's Masquerading as a Familiar Face
• Migrating to the Cloud? Why You May Need a Helping Hand
• Where to Find Guidance on the Road to Data Security Compliance
• Why "Free" Doesn't Always Have to Come with a Catch

Permission Granted: In the Age of Apps, Maintaining a Watchful Eye on Software Isn't Just About Employee Productivity - It's Basic Defense
Contents

Featured Articles
• Keeping a Watchful Eye on Software: Why maintaining an active inventory of software on your network is a crucial step in any effective cybersecurity strategy (page 8)
• Securing Microsoft O365 with a Third Party Solution: As organizational data moves to the cloud, outside help may be the best strategy to ensure it stays protected (page 12)
• Navigating the Requirements for a Compliant Information Security Program: How frameworks can help you develop data security policies that meet the regulations and requirements that govern your organization (page 16)

Quarterly Regulars
• Quarterly Update with Steve Spano (page 4)
• News Bits & Bytes (page 6)
• Threat of the Quarter (page 10)
• MS-ISAC Update (page 18)
• Cyber Tips & Tricks (page 19)
• Calendar (page 20)
Confidence in the Connected World

Fall 2017, Volume 1, Issue 2. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo
Copy Editor: Shannon McClain
Staff Contributors: Eugene Kipniss, Philippe Langlois, Ryan Spelman, Josh Traynor, Jessica Williams, Stacey Wright

Cybersecurity Quarterly is published and distributed in March, June, September, and December.
Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061.
For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518-266-3460.
Copyright © 2017 Center for Internet Security. All rights reserved.
Quarterly Update with Steve Spano

“Security is a shared responsibility”

The advent of the mainframe and the rapid proliferation of associated peripherals has ignited a revolution in IT that often feels like it is outpacing Moore’s Law. In its infancy, IT seemed to have limits. However, the prevailing consensus today is that just about anything can be written in software and automated. The only limit is our imagination. That’s both scary and exciting!

One click from the App Store gives us instant access to software to help us manage our businesses, finances, and just about every aspect of our personal lives. It isn’t much different on our PCs or desktops. However, the ubiquitous access to software invites a plethora of potential threat vectors. As such, it is imperative we take the time to establish and manage the process of what software is running on our systems, the version that is running, who is using that specific software, and why you are even running it. It sounds simple, right? The truth is, most people and organizations do not even have a disciplined process for managing the software they have installed on their enterprise, nor do they continuously assess the risks to their enterprise. If you could see just some of the things your organization is running, you might find:
• Browser toolbars
• Video streaming services
• File sharing tools (such as Box)
• Games

Many of these programs are added by employees with the best of intentions, but some come with huge risks. The larger the network or system, the more challenging it is to establish and manage a process to know what software you (and your team) are using. However, the more complex the network, the more important it is to have a disciplined process that organizational leaders understand and participate in. Security is a shared responsibility, vertically and horizontally across all organizations. So, how are you doing in your organization? To learn more about what to do on this step, I urge you to look at the CIS Controls, specifically Control 2.

Good luck!

Steve J. Spano, Brig. Gen., USAF (Ret.)
President & Chief Operating Officer, Center for Internet Security
The enemies storming your IT castle have cyber skills, not catapults. You need more than strong walls to secure your treasure—intellectual property, customer data and sensitive emails.

Your data & IT are under siege. Choose your weapons wisely.

Confidence in the Connected World. CIS is a non-profit sharing the collective knowledge and real-world experience of our members to fight cyber threats. Our tools and memberships safeguard thousands of organizations in industry, government and academia.
• Powerful best practices: A prioritized set of 20 cyber best practices protecting organizations from the most pervasive cyber attacks.
• Harden your systems—fast: Proven hardening guidelines and remediation to secure operating systems, software and networks on premises and in the cloud.
• Protecting SLTT governments: CIS is home to the Multi-State Information Sharing & Analysis Center®, which offers free 24x7 cyber support for U.S. State, Local, Tribal and Territorial (SLTT) government entities.
→ Download the Guide to the First 5 CIS Controls: www.cisecurity.org/first-5-controls
News Bits & Bytes

October is National Cyber Security Awareness Month. Now in its 14th year, this nationwide program led by the U.S. Department of Homeland Security and the National Cyber Security Alliance is a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online. Each week will focus on a new theme:
• Week 1 (Oct 2 – 6): STOP. THINK. CONNECT.: Simple Steps for Online Safety
• Week 2 (Oct 9 – 13): Cybersecurity in the Workplace is Everyone's Business
• Week 3 (Oct 16 – 20): Today's Predictions for Tomorrow's Internet
• Week 4 (Oct 23 – 27): The Internet Wants You: Consider a Career in Cybersecurity
• Week 5 (Oct 30 – 31): Protecting Critical Infrastructure from Cyber Threats

CIS Hardened Images are now available on the Google Cloud Platform (GCP). These images are designed to be evaluated and deployed in minutes to deliver an increasingly broad array of common software infrastructure on Google Cloud Platform. They are configured based on the CIS Benchmarks, a set of internationally-recognized secure configuration recommendations collaboratively developed by our volunteer consensus community and used by thousands of organizations worldwide.

CIS has been named the Information Systems Security Association's (ISSA) 2017 Organization of the Year. ISSA’s International Awards Selection Committee cited CIS’ “contributions to the security community and sustained membership in the association” as criteria for its decision. The Organization of the Year award recognizes candidates with a sustained, proactive presence that directly contributes to the overall good and professionalism of the association and its membership, providing services, products, or direct support ensuring the promotion of the highest ethical standards in addressing information security and its future.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released the official results of its annual Nationwide Cyber Security Review (NCSR). Built upon the NIST Cybersecurity Framework (CSF) Core, the NCSR uses a maturity scale to assess how U.S. State, Local, Tribal, and Territorial (SLTT) entities address activities within the framework. This allows participants to assess how formalized these cybersecurity activities are within their organization. The 2016 Summary Report provides a point-in-time comparison, allowing SLTT entities to compare their responses to those of their peers. View the 2016 Summary Report at https://www.cisecurity.org/white-papers/2016-nationwide-cyber-security-review-summary-report. Organizations can also register for the 2017 Nationwide Cyber Security Review, which will be open between October 2nd and December 15th, 2017, at https://www.cisecurity.org/ms-isac/services/ncsr.

SANS has released its 2017 Security Awareness Report. Now in its 3rd year, the report highlights what successful security programs do right to change behavior and what lagging programs can do to improve and move beyond compliance. The report includes detailed recommendations and action plans to address the key findings uncovered in the analysis, based on over 1,000 participant surveys from the awareness community. Download the report at https://securingthehuman.sans.org/resources/security-awareness-report-2017.
Keeping a Watchful Eye on Software
Maintaining an accurate inventory of software is more than just eliminating potential employee distractions – it can also prevent potential legal and security risks
By Philippe Langlois

Welcome everyone to my second article for Cybersecurity Quarterly. In this article, I’ll discuss the second CIS Control: Inventory of Authorized and Unauthorized Software, which is perhaps my favorite control. I certainly won’t shock anyone by saying how great software is and how it has become the core foundation of most businesses. I will, however, note that unaccounted-for software can cause major headaches. As part of CIS security assessments, our CERT team will check to see what applications are installed on each system through the use of one of our scripts (https://github.com/CIS-CERT/CIS-ESP). It is amazing what they’ll find on some of these machines. This begs the question: do you know if any of your employees installed Minecraft, or have an old instance of Java? Not only are unaccounted applications a potential distraction for your employees, they also represent a legal risk if the software isn’t properly licensed or if it allows for mischievous behavior, like peer-to-peer file sharing. Let’s go into a bit more detail on how you can protect your organization from these risks.
What is an inventory?

At a high level, an inventory seems like a simple concept; just a list that says “this is what is allowed.” However, there’s much more to it than that. We see an inventory as part of a much larger process that involves a few core components, which we’ve organized into four sub-controls. Like most of the CIS Controls, these recommendations are based on leveraging automated processes as much as possible to arm busy cybersecurity professionals with some time-saving techniques and provide a level of consistency. The heart of this CIS Control is going to be found in software inventory tools that not only provide a current list of software on your systems, but also allow you to determine which of those applications are approved for official use within your organization. In an ideal world, you’ll run an inventory tool, either remotely or through an agent, and it’ll compare the results of the scans to your current approved software inventory, flagging any discrepancies. From there, you have the choice of either removing the identified unapproved software, or setting it aside for review. As part of this inventory, you’ll want to make sure to collect sufficiently detailed information from your software to ensure that you know which versions are supported and which software may need updating.
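The comparison step described above, as an added example in Python (it is not part of the article and not the CIS-ESP script): a per-host scan result is reconciled against an approved-software list that also records the minimum supported version, and each entry is flagged as approved, outdated or unapproved so that only the discrepancies go to review. The hostname, product names and versions are constructed sample data.

```python
"""Reconcile a per-host software scan against an approved-software baseline.

Added example for CIS Control 2 (software inventory); all product names,
versions and the hostname below are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    name: str
    version: str
    status: str      # "approved", "outdated" or "unapproved"
    note: str = ""


# Approved baseline: product name (matched case-insensitively) -> minimum
# supported version. None means any version of the product is accepted.
APPROVED = {
    "Google Chrome": "61.0",
    "Mozilla Firefox": "56.0",
    "Java 8 Update": "144",
    "Microsoft Office": None,
}


def parse_version(text: str) -> tuple:
    """Turn '61.0.3163.100' into (61, 0, 3163, 100) so versions compare numerically."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) or (0,)


def reconcile(host: str, installed: list) -> list:
    """Classify every installed entry from one host's scan against the baseline."""
    approved_lc = {name.lower(): minimum for name, minimum in APPROVED.items()}
    findings = []
    for entry in installed:
        name, version = entry["name"], entry["version"]
        key = name.lower()
        if key not in approved_lc:
            findings.append(Finding(host, name, version, "unapproved",
                                    "not on the approved list; remove or send for review"))
            continue
        minimum = approved_lc[key]
        if minimum is not None and parse_version(version) < parse_version(minimum):
            findings.append(Finding(host, name, version, "outdated",
                                    f"below minimum supported version {minimum}"))
        else:
            findings.append(Finding(host, name, version, "approved"))
    return findings


def discrepancies(findings: list) -> list:
    """Only the entries a reviewer has to act on."""
    return [f for f in findings if f.status != "approved"]


# Constructed scan output for one host, in the shape an inventory agent might return.
SAMPLE_SCAN = [
    {"name": "Google Chrome", "version": "61.0.3163.100"},
    {"name": "Java 8 Update", "version": "121"},     # old Java: outdated
    {"name": "Minecraft", "version": "1.12.2"},      # game: unapproved
    {"name": "Microsoft Office", "version": "16.0.8431"},
    {"name": "BitTorrent", "version": "7.10.0"},     # peer-to-peer sharing: unapproved
]

if __name__ == "__main__":
    for f in discrepancies(reconcile("ws-042", SAMPLE_SCAN)):
        print(f"{f.host}: {f.name} {f.version} -> {f.status} ({f.note})")
```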
I have to keep this updated?

Once you inventory your current software, you’ll want to also consider how you’ll update your approved software list (from a process standpoint). Employees have jobs they need to do and sometimes that requires having access to specific software. If you don’t provide a means to allow users to get access to tools they need, they may try to circumvent your controls and you’re no better off. This is where providing a reasonable process for approving software is going to go a long way, in terms of getting buy-in from your employees. If people are really going to need the software, they’ll go through the process (as long as it’s not too painful).
The Dreaded Whitelist

In addition to having a list of approved software and a scanner that can inventory the software on systems, you’ll also want to consider some of the preventive recommendations found in Control 2, such as application whitelisting and virtual machines. The concept of utilizing virtual machines is simple; if there’s a high risk application you absolutely must run, isolate it as much as you can from the environment. It’s not a perfect solution, but it at least provides that additional layer of security. The NSA Information Assurance Directorate, the U.S. Department of Homeland Security, and the Australian Signals Directorate have all made recommendations that application whitelisting is one of the best means of protecting an organization against cyber-attacks. However, within an environment, it is not necessarily the easiest thing to implement and requires planning and expertise to get right. The effectiveness of the strategy alone should warrant at least a genuine discussion on whitelisting within your organization. To help you along, we've provided some great resources regarding application whitelisting:
• Information Assurance Directorate (IAD): https://www.iad.gov/iad/library/ias/adversarymitigations/application-whitelisting-best-practices.cfm
• Industrial Control Systems Cyber Emergency Response Team (ICS-CERT): https://ics-cert.us-cert.gov/sites/default/files/documents/Guidelines%20for%20Application%20Whitelisting%20in%20Industrial%20Control%20Systems_S508C.pdf
• Australian Signals Directorate (ASD): https://www.asd.gov.au/publications/protect/application_whitelisting.htm
• National Institute of Standards and Technology (NIST): http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
Philippe Langlois is a Technical Product Manager for the Center for Internet Security's Critical Security Controls (CIS Controls). In this role, Langlois leads an international community of cyber security experts who develop the CIS Controls, a set of actions proven to mitigate 85% of the most prevalent cyber threats. Langlois manages the production, writing, and publication of a range of cybersecurity resources. Working in collaboration with users of the CIS Controls, Langlois ensures the quality and utility of the CIS Controls guidance, plus the availability of tools, scripts, and other resources aiding users with implementation of the CIS Controls. Langlois holds an MS in Infrastructure Protection and International Security, a BA in Criminology, and certifications as a Global Industrial Cyber Security Professional (GICSP), GIAC Penetration Tester (GPEN) and GIAC Critical Security Controls Certification (GCCC).
Threat of the Quarter
This Quarter’s Threat: Emotet Banking Trojan & its Impersonation of MS-ISAC

What is it?

Emotet is a malware banking variant that uses malspam with either malicious embedded links or infected attachments. It’s in the same family of malware as Dridex and was regionally isolated in Europe, around Germany, until April 2017, at which point it jumped to the United States and morphed its capabilities. Unfortunately, when it jumped to the United States, it did so by using the Multi-State Information Sharing and Analysis Center (MS-ISAC) name as part of its social engineering lure.

Malspam (malicious spam): Unsolicited emails which either direct users to download malware from malicious web sites or trick the user into opening malware through an attachment.

Emotet was first reported by the cybersecurity community in June 2014 and its first two versions targeted German and Austrian banking clients. A third version emerged in early 2015 with upgraded evasion techniques and the malware expanded outside of Germany and Austria to target Swiss banks. Emotet fell out of the public eye for most of 2015 and 2016 with the botnet infrastructure almost completely hosting Dridex in 2016. In mid-April 2017, a large scale campaign occurred in the United Kingdom and, by the end of April, the MS-ISAC observed a malspam campaign starting in the United States and using the MS-ISAC name and the names of federal employees. The significant majority of reporting from this campaign came from federal and SLTT (state, local, tribal, and territorial) government employees, suggesting that there was a social engineering component that recognized who the federal and MS-ISAC membership base was. However, it was also possible that there was a bias in the reporting to the federal government and the MS-ISAC, and the campaign targeted a wider audience. The MS-ISAC issued a Cyber Alert on April 26th (https://www.cisecurity.org/ms-isac/cis-ms-isac-branding-used-in-fraud-campaigns) and a blog post on April 28th (https://www.cisecurity.org/emotet-changes-ttp-and-arrives-in-united-states) highlighting what we believe to be the first occurrence of Emotet in the United States.

After April, Emotet quickly gained a footing in the United States, and with this, has experienced rapid evolution in its delivery and functionality. ProofPoint documented the mid-April 2017 UK campaign as using an attachment with fake phone bills and then switching to embedding links to malicious files within the emails. In the April U.S. variant, the MS-ISAC noted malicious PDF file attachments containing a link to JavaScript (JS), which the recipient was directed to download. During the summer, the attachments changed again and are now Microsoft Word documents containing malicious macros. The subject line of the emails varied between fake billing notifications to reports needing to be read. And in June, the MS-ISAC identified recent Emotet campaigns spreading the Pinkslipbot banking malware. The recent trend of adding propagation tools and techniques to ransomware (e.g. WannaCry and NotPetya) was picked up by crimeware in general, including Emotet. In recent campaigns, Emotet had added two spreader modules – the Outlook Scraper Module and the Network Enumeration Module.
Outlook Scraper Module: This module scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.

Network Enumeration Module: This module involves a self-extracting RAR file containing two components: a bypass and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives or tries to brute force user accounts, such as the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk.

In the variant that uses the MS-ISAC name, the email is sent from an email address that uses “MSISAC” or a similar reference as the alias. The actual sender email address varies, but is not affiliated with the Center for Internet Security (CIS) or the MS-ISAC. The text of the email is typically short and includes a reference to “verify and pay your invoice,” encouraging the recipient to click the link. The emails always close with “MS-ISAC.” If a user clicks the link, they download a Word document containing malicious macros. Analysis shows that the macros in the document contain encoded junk and just one actual function which is designed to retrieve an executable file from a domain. The GET request returns a Windows Executable using a 14-18 character file name of randomized letters, which is the Emotet Trojan.
Recommendations

CIS employees will never request that you provide us with sensitive information, such as passwords or bank account information. Email communications from the MS-ISAC will originate from MSISAC.ORG or CISECURITY.ORG email addresses and will contain proper MS-ISAC and CIS branding. We recommend the following best practices, also contained in the CIS Controls, to limit the effect of phishing emails and scams on your organization:
• Emotet has recently been able to bypass email security filters, so the MS-ISAC recommends educating end users about malspam threats and social engineering tactics. Remind them never to click on links or open attachments delivered with unexpected or unsolicited emails.
• If you don’t have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security and/or information technology (IT) departments.
• Use antivirus programs with automatic updates of signatures and software.
• Mark external emails with a banner denoting they are from an external source.
• Implement filters at the email gateway to filter out emails with known phishing indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
• Utilize Sender Policy Framework (SPF), a validation system that minimizes spam emails by detecting email spoofing and allowing administrators to specify who is allowed to send email from a given domain by creating an SPF record in the Domain Name System (DNS).
• Adhere to the principle of least privilege.
• Adhere to additional best practices, such as those described in the CIS Controls and CIS Benchmarks.

If a user opens a malicious email, we recommend:
• Run an antivirus scan on the system and take action based on the results to isolate the infected computer and reimage it.
• If an infection is found, users should also change their passwords to any account accessed on the infected system.
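The gateway filtering, external-sender banner and SPF recommendations above, as one added Python example (not MS-ISAC or CIS code): each constructed sample message is checked for the lure described in this piece (an "MSISAC"-style display name with a sender domain that is neither msisac.org nor cisecurity.org, and "verify and pay your invoice" wording), the sending IP is evaluated against a constructed SPF record for the sender domain, and a verdict of quarantine, tag-external or deliver is returned. The SPF records, message headers, IP addresses and the receiving organization's domain are all constructed; a real gateway would resolve the SPF TXT record from DNS and handle include/a/mx/redirect terms.

```python
"""Gateway-side triage for the MS-ISAC-branded Emotet malspam described above.

Added example; the messages and SPF records are constructed sample data, and
the SPF evaluation covers only ip4/ip6/all mechanisms (no include, a, mx, redirect).
"""
import ipaddress
import re
from email.utils import parseaddr

LEGITIMATE_DOMAINS = {"msisac.org", "cisecurity.org"}  # the domains the article names
INTERNAL_DOMAINS = {"example.gov"}                      # constructed: the receiving organization
LURE_PATTERNS = [r"\bverify\b.*\binvoice\b", r"\bpay\b.*\binvoice\b", r"\bbilling notification\b"]

# Constructed SPF TXT records keyed by domain; a real check resolves these from DNS.
SPF_RECORDS = {
    "msisac.org": "v=spf1 ip4:198.51.100.0/24 -all",
    "cisecurity.org": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain: str, sending_ip: str) -> str:
    """Evaluate the domain's SPF record for sending_ip: pass/fail/softfail/neutral/none."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        mech, _, value = term.partition(":")
        # An IPv4 address is never "in" an IPv6 network (and vice versa), so a
        # mechanism of the other address family is simply skipped.
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qual]
    return "neutral"                            # nothing matched and no "all" term


def triage(msg: dict) -> dict:
    """Score one message; msg has from_header, subject, body and sending_ip keys."""
    display, addr = parseaddr(msg["from_header"])
    sender_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # The lure described above: "MSISAC" or similar as the alias, but a sender
    # address outside the MS-ISAC and CIS domains.
    impersonation = (re.search(r"ms-?isac", display, re.I) is not None
                     and sender_domain not in LEGITIMATE_DOMAINS)
    if impersonation:
        reasons.append(f"display name claims MS-ISAC but sender domain is {sender_domain}")
    text = f"{msg['subject']}\n{msg['body']}"
    for pattern in LURE_PATTERNS:
        if re.search(pattern, text, re.I | re.S):
            reasons.append(f"invoice lure matched: {pattern}")
            break
    spf = spf_result(sender_domain, msg["sending_ip"])
    if spf in ("fail", "softfail"):
        reasons.append(f"SPF {spf} for {sender_domain}")
    external = sender_domain not in INTERNAL_DOMAINS
    if impersonation or len(reasons) >= 2:
        verdict = "quarantine"
    elif external:
        verdict = "tag-external"   # apply the external-sender banner the article recommends
    else:
        verdict = "deliver"
    return {"verdict": verdict, "external": external, "spf": spf, "reasons": reasons}


# Constructed messages; .example domains and documentation IP ranges are reserved for this.
SAMPLE_MESSAGES = [
    {"from_header": "MSISAC <billing@invoices-msisac.example>", "sending_ip": "203.0.113.5",
     "subject": "Invoice", "body": "Please verify and pay your invoice at the link below.\n\nMS-ISAC"},
    {"from_header": "MS-ISAC <alerts@msisac.org>", "sending_ip": "203.0.113.7",
     "subject": "Billing Notification", "body": "Open the attached document to pay your invoice."},
    {"from_header": "MS-ISAC <alerts@msisac.org>", "sending_ip": "198.51.100.10",
     "subject": "MS-ISAC Cyber Alert", "body": "A malspam campaign is using our name; see the advisory."},
    {"from_header": "Jane Doe <jane@example.gov>", "sending_ip": "192.0.2.4",
     "subject": "Agenda", "body": "Agenda for Thursday's team meeting is attached."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from_header"], "->", triage(m))
```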
Securing Microsoft O365 with a Third Party Solution
As the use of cloud services for everyday business activities continues to grow, so does the need for third party help to secure organizations' sensitive data
By Srini Gurrapu

Microsoft’s Office 365 (O365) has enjoyed tremendous growth over the last few years, eclipsing all other cloud services in terms of total users, but enforcing security across the platform may require a third party solution, such as a Cloud Access Security Broker (CASB). According to Skyhigh research, 91.4% of all enterprises have at least 100 users using O365: OneDrive for Business has the highest penetration rate with 79.1% of organizations possessing at least 100 users, and Exchange Online comes in second (66.9%).
O365 Security Concerns

Microsoft has made significant investments in service-level security of O365. However, users can still perform high-risk actions within these applications, by accident or with malicious intent. Taken together, the average organization experiences 2.7 threats each month within O365, including:
• 1.3 compromised accounts
• 0.8 insider threats
• 0.6 privileged user threats
O365 is the home to business-critical data

The average enterprise has 204 files that contain “password” in the file name in OneDrive. In all, 17.1% of all files stored in OneDrive and SharePoint Online contain sensitive data. Broken down by data type:
• 9.4% of data is confidential (e.g. financial records, business plans, etc.)
• 4.1% of data contains personally identifiable information (e.g. Social Security numbers, tax ID numbers, etc.)
• 1.9% of data contains protected health information (e.g. patient diagnosis, medical record IDs, etc.)
• 1.7% of data contains payment information (e.g. credit card numbers, bank account numbers, etc.)

Given the amount of sensitive information in O365, it’s important that enterprises protect all sensitive data created in or uploaded to O365. Specifically, they need to:

1. Prevent regulated/high-value data from being stored in O365
Preventing regulated or high-value data from moving to the cloud is a two-part problem: 1) detecting sensitive data and 2) enforcing controls to prevent this data from living within O365.

2. Prevent unauthorized data from being shared externally
Today—using cloud-native tools such as OneDrive—employees share a significant amount of data with collaborators and external partners. Sometimes, however, well-intentioned employees unknowingly share sensitive information with unauthorized parties. To prevent this type of sharing, and to minimize risk of data loss, organizations should place “guardrails” around collaboration. They must enforce appropriate sharing via content-aware policies. One method would be to prohibit external sharing by default except for a whitelisted set of email domains, or simply prevent sharing with personal email domains, such as Gmail or Yahoo! Mail. When a policy violation does occur, the remediation action should take place in real-time; otherwise any delay in remediation might result in a data loss incident.

3. Block download of data from corporate O365 to personal devices
One of the concerns with O365 is information falling into the wrong hands due to a lack of endpoint security controls. Personal devices that are unmanaged lack enterprise endpoint security that enforces device policies, such as drive encryption and device PIN. For this reason, many enterprises want to limit the ability to download corporate data to managed devices only. To that end, when users access O365, organizations should perform a certificate check to validate the device has appropriate endpoint security in the form of an EMM/MDM solution. They should utilize an EMM/MDM provider to validate not only that the endpoint has a certificate, but that the user is accessing from a known device and not another device.

4. Capture an audit trail of all user activities for forensic investigations
Accurately detecting threats requires complete visibility into all user and administrator activity. Additionally, security analysts require this information to effectively investigate a wide range of incidents, whether it be a data loss incident, insider threat, privileged user threat, or compromised account. Organizations should capture a complete audit trail of all user activity in O365 for post-incident forensics. There are over 500 distinct activities that users and administrators can perform across O365 applications. Organizations should categorize each activity into a set of higher level categories (e.g. data access, data sharing, data deletion, etc.), to allow security analysts to browse activity by category for a specific user, or for a specific time frame.

5. Detect compromised accounts and insider/privileged user threats
O365, like most other enterprise cloud services, operates under a shared responsibility model for security. O365 customers are responsible for actions users take within the platform that compromise data and pose a threat. Compromised accounts are also a significant threat. However, detecting threats is challenging because of the potential for a high rate of false positives. Organizations must implement the right security controls that can accurately detect insider threats, privileged user threats, and compromised accounts. One way to do so would be to build a model for users and groups that represents their typical behavior in O365. Anytime user activities deviate from this model in a meaningful way that’s indicative of a threat, an alert should be generated for further investigation.

Srini Gurrapu is the Vice President of Customer Solutions at Skyhigh Networks. Srini has 20 years of experience in networking, security, virtualization, mobile and cloud security markets at several successful companies such as BlueCoat, Neoteris (acquired by Juniper), FaceTime (now Actiance), RingCube (acquired by Citrix), Virtual Bridges, and Wheel Innovationz. Srini led product management and strategic alliances at these startups and helped drive the vision, strategy, and execution. Srini’s primary forte is building trusting advisory relationships with customers, delivering innovative solutions that make customers successful in their strategic initiatives. Srini also worked as EIR (Entrepreneur-In-Residence) at Austin Ventures, one of the large VC firms in the US.
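Items 2, 4 and 5 above, as one added Python example (it is not Skyhigh's, Microsoft's or the article's code): constructed O365-style audit events are collapsed into the higher-level categories the article suggests, each sharing event is checked against an external-sharing policy that allows only a whitelisted set of partner domains and always denies personal webmail domains, and each user's activity on the latest day is compared with that user's own baseline from earlier days to raise an alert on a meaningful deviation. The operation names, domain lists, thresholds and the events themselves are assumptions and constructed sample data.

```python
"""Categorize O365 audit events, enforce a sharing policy and flag deviating users.

Added example; the events are constructed, and the operation names are modelled
on Office 365 audit-log naming but should be treated as assumptions.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Optional

# Item 4: collapse individual operations into a few categories analysts can browse.
CATEGORY = {
    "FileAccessed": "data_access", "FileDownloaded": "data_access",
    "SharingSet": "data_sharing", "AnonymousLinkCreated": "data_sharing",
    "FileDeleted": "data_deletion", "FileRecycled": "data_deletion",
}

# Item 2: external sharing is denied by default except to whitelisted partner
# domains, and personal webmail domains are always denied (all constructed).
INTERNAL_DOMAIN = "corp.example"
PARTNER_WHITELIST = {"partner.example"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}


def categorize(event: dict) -> str:
    return CATEGORY.get(event["operation"], "other")


def sharing_violation(event: dict) -> Optional[str]:
    """Return a reason when a sharing event breaks the policy, else None."""
    if categorize(event) != "data_sharing":
        return None
    if event["operation"] == "AnonymousLinkCreated":
        return "anonymous link created"
    domain = event.get("target", "").rpartition("@")[2].lower()
    if domain == INTERNAL_DOMAIN or domain in PARTNER_WHITELIST:
        return None
    if domain in PERSONAL_DOMAINS:
        return f"shared with personal domain {domain}"
    return f"shared with non-whitelisted external domain {domain}"


def daily_counts(events: list) -> dict:
    """counts[user][category][day] -> number of events on that day."""
    counts = defaultdict(lambda: defaultdict(Counter))
    for e in events:
        counts[e["user"]][categorize(e)][e["day"]] += 1
    return counts


def deviations(events: list, latest_day: int, z_threshold: float = 3.0, min_count: int = 10) -> list:
    """Item 5: users whose latest-day count in a category is far above their own baseline."""
    alerts = []
    for user, per_cat in daily_counts(events).items():
        for cat, per_day in per_cat.items():
            baseline = [per_day.get(d, 0) for d in range(1, latest_day)]
            today = per_day.get(latest_day, 0)
            if not baseline or today < min_count:      # too little activity to matter
                continue
            mu = mean(baseline)
            sigma = max(pstdev(baseline), 1.0)          # floor: a flat baseline must not alert on +1
            z = (today - mu) / sigma
            if z >= z_threshold:
                alerts.append((user, cat, today, round(mu, 1)))
    return alerts


def _sample_events() -> list:
    """Constructed: alice downloads 4-5 files a day for a week, then 40 on day 8;
    bob is steady, and shares one file with a personal domain and one with a partner."""
    events = []
    for day in range(1, 8):
        events += [{"user": "alice", "operation": "FileDownloaded", "day": day}] * (4 + day % 2)
        events += [{"user": "bob", "operation": "FileAccessed", "day": day}] * 12
    events += [{"user": "alice", "operation": "FileDownloaded", "day": 8}] * 40
    events += [{"user": "bob", "operation": "FileAccessed", "day": 8}] * 13
    events.append({"user": "bob", "operation": "SharingSet", "day": 8, "target": "friend@gmail.com"})
    events.append({"user": "bob", "operation": "SharingSet", "day": 8, "target": "pm@partner.example"})
    return events


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        reason = sharing_violation(e)
        if reason:
            print("policy violation:", e["user"], reason)
    for user, cat, today, baseline_mean in deviations(SAMPLE_EVENTS, latest_day=8):
        print(f"alert: {user} {cat} = {today} today vs baseline mean {baseline_mean}")
```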
Gartner’s #1 Security Technology is Cloud Access Security Broker (CASB)
Cloud Security for Every App, Every Device, Every User Approved for the CIS CyberMarket
Contact: Jesse.Fulger@cissecurity.org www.skyhighnetworks.com
Navigating the Requirements for a Compliant Information Security Program
Determining what data security policies and protocols to enforce in your organization can be difficult; luckily, there are many resources out there that can help
By Ralph Johnson

There are several reasons why having an information security program is important, but a primary reason is to comply with regulatory requirements. Your organization is the holder of information – for your customers, employees, vendors, and third parties. This myriad of information may or may not be covered by some regulation that requires protection. Whether the protection of the information is required by regulation or not, due care still puts forth an expectation that the information will be protected. Frameworks were designed to standardize how data is protected. However, these frameworks often leave the process by which an organization chooses to take action open ended. This allows the organization flexibility to build its individual information security program to fit the organizational needs and culture. Some frameworks, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley (GLB) Act, and the Payment Card Industry Data Security Standard (PCI DSS), are regulatory or compulsory by either legislation or contractual obligation. Others, such as the National Institute of Standards and Technology (NIST) 800 Series and the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) ISO/IEC 27000 series, are best practice frameworks and are not compulsory, but provide solid guidance to implement a comprehensive information security program.

Depending on the type of information your organization possesses, one or more of the numerous frameworks will provide proper guidance as to how you store and protect this information. For organizations that work with protected health information (PHI), such as health insurance companies, HIPAA provides requirements that customer information must be handled and stored confidentially and securely. Companies that offer consumer financial products and services, a category that includes most insurance providers, fall under the jurisdiction of the GLB Act and the Federal Trade Commission’s (FTC) Safeguards Rule, which requires the safeguarding of sensitive customer information, as well as transparency of information-sharing practices. These, as well as other regulatory frameworks, require that information security protocols be in place and outline some baseline requirements for those programs. However, they both leave the choice of exactly how to implement an information security program up to each organization’s discretion.

To help shape your organization’s information security program, there are also information security frameworks available. These include the NIST Framework for Improving Critical Infrastructure Cybersecurity; the NIST 800 series, a catalog of security controls constructed by and utilized to secure federal information systems; the ISO/IEC 27000 series, a set of standards developed jointly by the ISO and the IEC; and the Control Objectives for Information and Related Technologies (COBIT), a framework developed by the Information Systems Audit and Control Association (ISACA). These frameworks outline many of the steps and best practices an organization should perform to successfully implement a proper security posture that meets regulatory standards. These frameworks cover a wide variety of information security requirements, including data accessibility protocols, network architecture, and user awareness training, among many others. They are often very comprehensive (the latest version of NIST 800-53 contains 462 pages of recommendations), but allow organizations to easily explain to other interested parties, such as auditors, the basis of their security controls.
To aid in implementation, there is also specific guidance for configuring the actual tools used to manage and protect the information, as well as the operating systems, servers, and other systems covered by your information security program. Two examples are the CIS Benchmarks, a consensus-based set of configuration recommendations developed by a community of cybersecurity experts, and the Security Technical Implementation Guides (STIGs) published by the Defense Information Systems Agency (DISA) for the Department of Defense. Both help organizations make their software and hardware as secure as possible by providing detailed technical configurations (the individual settings and switches) chosen specifically to make networks and systems harder to compromise. Guidance at this level is also where compliance becomes verifiable: each item names a setting and the value it must hold, so it can be checked automatically and the result shown to an auditor. While these guidelines may not apply to every aspect of an organization, for those directed by regulation to protect important information they are excellent roadmaps for executing those directives at a technical level.
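To show what a configuration guide of this kind looks like when it is turned into a check, here is an added example (not part of the original article, and not a copy of any CIS Benchmark or DISA STIG) in Python: a handful of hardening-guide-style rules applied to an OpenSSH server configuration, run against a constructed weak configuration and its hardened counterpart. The rule set, the rationale text, and both sample configurations are assumptions made for this example. The one piece of behaviour that is not an assumption is sshd's own parsing rule: when a keyword appears more than once, the first occurrence wins, so a hardening line appended below a weak one changes nothing, and a checker that only greps for the hardened line would wrongly report a pass.

```python
"""Benchmark-style audit of an OpenSSH server configuration (added example).

Each rule has the shape of a hardening-guide item: the directive to inspect, the
value it must hold, and a short rationale. Rules, rationale text and both sample
configurations are constructed for this example, not copied from any CIS
Benchmark or DISA STIG. The parser follows sshd's real semantics: keywords are
case-insensitive, may be followed by whitespace or one '=', and the FIRST
occurrence of a repeated keyword wins.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    directive: str                           # lower-cased sshd keyword
    check: Callable[[Optional[str]], bool]   # gets the effective value, or None if unset
    expected: str                            # human-readable expectation for the report
    rationale: str

@dataclass(frozen=True)
class Finding:
    directive: str
    passed: bool
    actual: Optional[str]
    expected: str

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> effective global value, honouring first-match-wins."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break  # lines after a Match block are conditional; the global audit stops here
        effective.setdefault(keyword, parts[1].strip())  # first occurrence wins
    return effective

def _is_no(value: Optional[str]) -> bool:
    return value is not None and value.lower() == "no"

def _max_auth_tries(value: Optional[str]) -> bool:
    return value is not None and value.isdigit() and int(value) <= 4

# As hardening guides usually do, every rule requires the value to be written
# explicitly rather than trusting the compiled-in default (an assumption here).
RULES: List[Rule] = [
    Rule("permitrootlogin", _is_no, "no",
         "Administrators log in as named users and escalate, keeping actions attributable."),
    Rule("permitemptypasswords", _is_no, "no",
         "An account with no password must never be reachable over the network."),
    Rule("maxauthtries", _max_auth_tries, "4 or fewer",
         "Caps password-guessing attempts per connection."),
    Rule("x11forwarding", _is_no, "no",
         "Removes an attack surface most servers do not need."),
    Rule("loglevel", lambda v: v is not None and v.upper() in ("INFO", "VERBOSE"),
         "INFO or VERBOSE", "Authentication events must reach the logs for monitoring."),
]

def audit(text: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Evaluate every rule against the effective configuration."""
    cfg = parse_sshd_config(text)
    return [Finding(r.directive, r.check(cfg.get(r.directive)), cfg.get(r.directive), r.expected)
            for r in rules]

def failed_directives(text: str) -> List[str]:
    return [f.directive for f in audit(text) if not f.passed]

def report(text: str) -> str:
    return "\n".join(f"[{'PASS' if f.passed else 'FAIL'}] {f.directive}: "
                     f"found {f.actual!r}, expected {f.expected}" for f in audit(text))

# Constructed sample: several weak settings, plus a last line that looks like a
# fix but is ignored because PermitRootLogin was already set above it.
WEAK_CONFIG = """\
PermitRootLogin yes
MaxAuthTries 10
X11Forwarding yes
LogLevel INFO
# appended later by a well-meaning administrator; sshd keeps the first value
PermitRootLogin no
"""

# Constructed sample: the same server after the rules above were applied.
HARDENED_CONFIG = """\
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 4
X11Forwarding no
LogLevel VERBOSE
"""

if __name__ == "__main__":
    print("Weak configuration:\n" + report(WEAK_CONFIG))
    print("\nHardened configuration:\n" + report(HARDENED_CONFIG))
```

Run as a script, the weak configuration fails four of the five rules (including PermitRootLogin, despite the "no" at the bottom of the file) and the hardened one passes all of them. The design point is that the audit evaluates the configuration the way the daemon does rather than pattern-matching on text, which is what separates a defensible compliance check from a box-ticking one.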
To make this process easier, there are additional resources that can assist in implementing an information security program that meets the standards established by these frameworks. One such guide is the Center for Internet Security's Critical Security Controls (CIS Controls), which are referenced as an implementation aid for the NIST Cybersecurity Framework and map to most other information security frameworks. The CIS Controls are especially relevant because they are developed by a community of experts based on their first-hand experience as cyber defenders. They provide both a prioritized order in which to tackle the tasks and benchmarks that need to be met for each one. Because the CIS Controls are threat-based and updated regularly to adapt to new developments in the threat landscape, they are highly regarded as a helpful and timely tool for organizations trying to cut through the "fog" around cybersecurity.

Implementing an effective information security program that complies with all of the regulatory requirements that govern your industry can be a daunting task. However, there are a multitude of resources that can assist your organization in developing a successful program that effectively secures its information. By choosing the right framework and tools to comply with the regulations that affect your industry, your organization can ensure its security program protects the vital information entrusted to it by customers, employees, and vendors.
Ralph Johnson, CISSP, HISP, CISM, CIPP/US, has served as Chief Information Security & Privacy Officer of King County, Washington for the past 13 years. In this capacity, he oversees information security and privacy issues for the entire county and has established its information assurance program, covering policy development, compliance, information risk management, metrics, controls selection, implementation, monitoring, and evaluation. Ralph has been with King County for 28 years, serving in multiple IT and management roles. In addition, he is an instructor in the Information Security and Risk Management Continuum Program at the University of Washington.
MS-ISAC Update
National Cyber Security Awareness Month 2017

Since its inception under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, National Cyber Security Awareness Month (NCSAM) has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions, and young people across the nation. 2017 marks the event's 14th year. With recent legislation and support from the White House, cybersecurity is a popular topic of discussion, and rightfully so. More specifically, there is an even stronger focus on consumers and their cyber safety. Everyone, regardless of age, is a consumer, and thus, this year, each theme will focus on the consumer and their cybersecurity and safety needs.

NCSAM 2017 also marks the 7th anniversary of the STOP. THINK. CONNECT.™ campaign. Each year, NCSAM highlights the overall message of STOP. THINK. CONNECT.™ and the capstone concepts of the campaign, like “Keep a Clean Machine,” “Protect Your Personal Information,” “Connect with Care,” “Be Web Wise,” “Be a Good Online Citizen,” “Own Your Online Presence,” and “Lock Down Your Login.” For 2017, NCSAM will focus on a different cybersecurity issue for each week in October.

Week 1: Oct. 2 - 6. STOP. THINK. CONNECT.™: Simple Steps to Online Safety. Staying safe and secure online is our shared responsibility. Here's easy-to-follow, actionable advice for everyone. STOP: make sure security measures are in place. THINK: about the consequences of your actions and behaviors online. CONNECT: and enjoy the internet.

Week 2: Oct. 9 - 13. Cybersecurity in the Workplace Is Everyone's Business. Whatever your place of business – whether it's a large or small organization, healthcare provider, academic institution, or government agency – creating a culture of cybersecurity from the breakroom to the board room is essential and a shared responsibility among all employees.

Week 3: Oct. 16 - 20. Today's Predictions for Tomorrow's Internet. Take a look into our future through the lens of the connected internet and identify strategies for security, safety, and privacy, while leveraging the latest technology. With the explosion of digital interconnectivity, it's critical to explore everyone's role in protecting our cyber ecosystem.

Week 4: Oct. 23 - 27. The Internet Wants You: Consider a Career in Cybersecurity. A key risk to our economy and security is the shortage of cybersecurity professionals to protect our extensive networks. Growing the next generation of a skilled cybersecurity workforce – as well as training those already in the workforce – is a starting point to building stronger defenses.

Week 5: Oct. 30 - 31. Protecting Critical Infrastructure from Cyber Threats. The systems that support our daily lives – such as electricity, financial institutions, and transportation – are increasingly dependent upon the internet. Building resilience in critical infrastructure is crucial to our national security.
Kids Safe Online Poster Contest

Each year, the MS-ISAC runs its poster contest for K-12 students to have their cybersecurity-focused artwork judged for the opportunity to be featured in our calendars and posters, which are distributed nationwide. Participation is free, and details on the contest and how to enter can be found at https://www.cisecurity.org/ms-isac/ms-isac-toolkit/. For any further questions, please reach out to info@msisac.org.
Cyber Tips & Tricks This Quarter’s Tip: Take Advantage of Free by Stacey Wright, Intel Program Manager, MS-ISAC I can’t tell you how many times I’ve heard “you get what you pay for” in response to so many of the free MS-ISAC offerings. This leaves me struggling to explain that, at least in our case, free isn’t really free. It’s just free to you because we have a funding stream − DHS. This is the case for many cybersecurity resources out there. In the next few paragraphs, I’m going to highlight a few of my favorites that you should be taking advantage of. And since they are free, they fit into almost every budget!
National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework and CyberSeek – The NICE Cybersecurity Workforce Framework (https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework) was designed by the National Institute of Standards and Technology (NIST) as Publication 800-181 and has continued to expand. It is a great resource for anyone looking to work in cybersecurity or hire cybersecurity experts. It breaks the field down into 7 categories, 30+ specialty areas, and 50+ work roles. CyberSeek (http://cyberseek.org) expands on these to match job titles to career pathways, commonly requested certifications, and maps of where jobs exist. Together, these are very powerful resources for job hunters, but they're also great for anyone trying to write a job description. You can use these to make sure you've got good job titles and job tasks that match what others use, and then connect in the certifications applicants should have and the appropriate pay scale.

Federal Virtual Training Environment (FedVTE) (https://fedvte.usalearning.gov) – FedVTE offers free, online, on-demand cybersecurity training that is available to all federal, state, local, tribal, and territorial government employees, as well as U.S. veterans. Currently, there are more than 60 courses in the program, which provide certification exam preparation and general knowledge. Each course is connected to the NICE Cybersecurity Workforce Framework, so you can work your way through the career pathway to your ideal knowledge.

Business Email Compromise (BEC) 101 Workshop – If you are a CISO, CIO, or CEO of a small or mid-size entity and you want to know more about one of the most financially devastating cybersecurity threats, you won't want to miss the BEC 101 Workshop. These half-day events are modeled after last year's Ransomware Workshops. This year, the MS-ISAC is working with the Research & Education Networking, Retail, and National Health ISACs, as well as the FBI, USSS, and Symantec, to bring together cybersecurity experts from across the country to speak about a threat that costs some individual victim businesses millions of dollars and businesses worldwide more than $5 billion annually. With Symantec, a sponsoring partner of the events, reporting that BEC scams have increased more than 2400% over the last three years, can you afford not to come?

Events will be taking place across the US from October through November 2017 in NYC, Boston, Denver, Seattle, San Francisco, Miami, Kennedy Space Center, Dallas, Phoenix, Kansas City, Columbus, Nashville, Philadelphia, and Los Angeles. To receive information on the specific dates and locations, and to reserve a seat, email info@cisecurity.org.

I hope these free resources, as well as others offered by CIS, will help you on your career path, while also convincing you that sometimes "free" is a good thing! If you know of other free resources that fellow readers can take advantage of, please send them to me, Stacey Wright, at info@msisac.org. The MS-ISAC is putting together a list of the best free cybersecurity resources so we can help spread the word!
Upcoming Events

September

September 24th - 26th: The Business Council of New York State Annual Conference takes place in Bolton Landing, New York, drawing business leaders from across the state together to discuss how to continue to improve the state's business climate and economy. CIS President & COO Steve Spano will address attendees from the main stage on the importance of cybersecurity.

September 26th - 27th: Government Technology (GovTech) will be holding its Massachusetts Digital Government Summit in Boston. Government leaders from around the state will gather at the event to discuss the latest technology issues facing the state of Massachusetts. MS-ISAC Director of Stakeholder Engagement Andrew Dolan will be a featured speaker at the event, discussing cyber threats facing state and local government organizations.

September 27th: CIS CyberMarket and Skyhigh Networks will be hosting Securing Microsoft Office 365 for State and Local Government, a webinar on Skyhigh for Office 365. The event will include a live demo of Skyhigh's product by one of the company's product engineers and highlight how SLTT organizations can effectively utilize a Cloud Access Security Broker (CASB) in their information security program. Contact the CIS CyberMarket team for more details.

October

October 1st - 31st: All month, the U.S. Department of Homeland Security and the National Cyber Security Alliance will celebrate National Cyber Security Awareness Month. Each week will cover a different topic focused on ensuring every citizen has the resources they need to stay safe and secure online. For more information, visit https://staysafeonline.org/ncsam.

October 1st - 4th: The Association of Government Risk Pools (AGRIP) Fall Education Forum will take place in Baltimore. Leaders from the nation's government risk pools will learn about and discuss the latest issues facing their industry. CIS Senior Director Ryan Spelman will lead a breakout session on the importance and benefits of cyber risk insurance.

October 2nd: The Global Resilience Federation will be holding its Cross-Sector Leadership Forum in Baltimore, bringing together ISAC and CERT leaders from across the spectrum to discuss the unique issues they face and learn from their peers in other industries. MS-ISAC Senior VP Tom Duffy and Senior Program Executive Roisin Suver will participate in a panel discussion on cyber threats.

October 2nd - 4th: ISACA will be holding CSX 2017 North America in Washington D.C., one of the organization's primary annual events focused on cybersecurity and cyber threats. CIS Senior VP Tony Sager will be leading a breakout session on effective cyberdefense strategy.

October 3rd: The National Science Foundation (NSF) and George Mason University will be co-hosting the NSF City & County Cybersecurity Workshop at the George Mason campus in Manassas, Virginia. City and county government IT leaders will gather at the workshop to learn the latest issues facing the sector. MS-ISAC Senior VP Tom Duffy and Program Manager Kevin Moran will be participating in a panel discussion on cyber threats facing state and local governments.

October 3rd - 5th: The Cyber Health Working Group, a joint effort by InfraGard and the FBI Washington, D.C. Field Office's Cyber Task Force, will host the inaugural Healthcare Cyber Sharing Summit at George Mason University in Manassas, Virginia, focusing on the intersection of healthcare and information technology. CIS Executive VP Curtis Dukes will be part of a panel discussion on cost-effective cybersecurity strategies and resources.
October 5th - 6th: The Cyber Future Foundation's 2nd Annual Global Cyber Future Summit will take place in Dallas and bring cybersecurity leaders together to share ideas on building actionable guidance and frameworks for cybersecurity. CIS Senior Director Ryan Spelman will be part of a breakout session on cybersecurity education and workforce development.

October 6th: Investment Advisor Watch will hold its 5th Annual Cybersecurity for Financial Services Conference in Washington, D.C. Financial security leaders and professionals will come together to discuss methods and strategies for improving cybersecurity in the financial sector. CIS Senior VP Tony Sager will be participating in a panel discussion on third-party vendor security management.

October 11th: GreyCastle Security's 5th Annual Cybersecurity Symposium will take place in Albany, New York. Cybersecurity leaders and professionals will come together at the event to talk and learn about current and future issues facing the industry. Technical Product Manager for the CIS Controls Philippe Langlois will lead a breakout session at the event on how the CIS Controls can help organizations prioritize their security program.

October 16th - 17th: Johns Hopkins University Applied Physics Laboratory will be hosting the Integrated Cyber Conference on its campus in Laurel, Maryland. The event will bring together the Integrated Adaptive Cyber Defense (IACD), Automated Indicator Sharing (AIS), and Information Sharing communities to collaborate and learn from one another. CIS Senior VP Tony Sager will be a featured speaker, discussing cyber defense, while Executive VP Curtis Dukes will be moderating a panel on financial sector security.

October 16th - 18th: The International Association of Privacy Professionals (IAPP) will hold Privacy. Security. Risk. 2017 in San Diego, where privacy and security professionals will gather to discuss the latest issues in their industry. CIS Senior Director Kathryn Burns will co-lead a breakout session on the CIS Controls and cybersecurity risk management.

October 19th: Government Technology (GovTech) will be holding its Connecticut Digital Government Summit in Hartford, Connecticut. Government leaders from around the state will gather at the event to discuss the latest technology issues facing the state of Connecticut. MS-ISAC Director of Stakeholder Engagement Andrew Dolan will be a featured speaker at the event, discussing cyber threats facing state and local government organizations.

October 19th - 20th: The Albany Law Journal of Science & Technology Cyber Conference, held by the Albany Law Journal of Science & Technology and the Cybersecurity & Privacy Law Center at Albany Law School, will take place, bringing cyber law professionals together to discuss the latest issues facing the industry. CIS Senior Director Ryan Spelman will be speaking on a panel on cyber risk insurance and liability.

November

November 8th: Cyber Security Summit: Boston will take place, bringing together senior executives, business leaders, and senior cybersecurity professionals to network and learn about the latest cyber threats from industry leaders. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

November 29th - December 1st: The MIS Training Institute (MISTI) will be holding its 2017 IT Audit & Controls (ITAC) Conference in Austin, Texas. At the event, leaders and professionals in information technology auditing and governance will gather to learn the latest updates from industry thought leaders. CIS Senior VP Tony Sager will be leading a breakout session on the CIS Controls.

November 30th: Cyber Security Summit: Los Angeles will take place, bringing together senior executives, business leaders, and senior cybersecurity professionals to network and learn about the latest threats from industry leaders. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.
CIS CyberMarket Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.880.0699