Cybersecurity Quarterly (Fall 2018)


Cybersecurity Quarterly

Fall 2018

A Publication from

Tackling the Double-Edged Sword of Integrating IoT into Municipal Networks
Protecting Users Against the Real Risks in Virtual Worlds
How Insurers are Helping Organizations Better Manage Their Cyber Risk

Less Talk, More Action
For this year's National Cyber Security Awareness Month, do more than just raise awareness; take measurable action to improve your organization's cybersecurity



Contents

Featured Articles
• A Little Less Talk, A Little More Action: Increasing cybersecurity awareness is great, but it's nothing without taking action (page 8)
• How Can We Make Smart Cities More Secure? As IoT becomes more ubiquitous, can municipalities both expand integration and maintain their network security? (page 12)
• Virtual Worlds — Real Risks: Maintaining security and compliance in an increasingly encompassing and complex digital world (page 14)
• Regulation, Education, and Underwriter Evolution Spur Interest in Cyber Insurance: How insurance companies have evolved to address new challenges in cybersecurity (page 18)

Quarterly Regulars
• Quarterly Update with Steve Spano (page 4)
• News Bits & Bytes (page 6)
• Threat of the Quarter (page 10)
• Cyber Tips & Tricks (page 20)
• MS-ISAC Update (page 22)
• Cyberside Chat (page 23)
• Calendar (page 24)

Confidence in the Connected World
Fall 2018, Volume 2, Issue 3. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo
Copy Editor: Shannon McClain
Staff Contributors: Sean Atkinson, Molly Gifford, Paul Hoffman, Joshua Palsgraf, Ryan Spelman, Mike Woodward

Cybersecurity Quarterly is published and distributed in March, June, September, and December. Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061. For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518 266.3460. Copyright © 2018 Center for Internet Security. All rights reserved.


Quarterly Update with Steve Spano

“It is always better to be a leader of change than to let change lead you”

As we enter the fall season, it is impossible not to think about how things have changed. While we all observe the changing of the seasons, less obvious, but equally important, are the technical changes to the world around us. In my professional career, I have seen computers move from mainframes, to desktops, to laptops, to smartphones, to the cloud. Even our understanding of what the internet is is changing as we move from one dominated by people using computers to one dominated by computers operating alone. It is estimated that, by 2020, there will be over 30 billion devices connected to the internet. That is more than three devices for every man, woman, and child on the planet. It is no wonder, then, that we are focusing on the “Internet of Things,” or IoT. This concept, an internet driven by devices rather than people, can manifest itself in many interesting and impactful ways. Smart cities, where IoT devices are producing information on everything from which street light is in need of repair to the movement of smart cars, could revolutionize urban life as we know it. But it also opens the door to great risks to privacy and safety. Dan Lohrmann of Security Mentor shares a valuable article on how to confront these risks in “How Can We Make Smart Cities More Secure?”

We are also in the process of creating virtual worlds in which our fellow citizens are spending increasing amounts of time. Whether it is Fortnite, Minecraft, or even Second Life, virtual worlds that reflect our own abound. But much like the “real” world, there are security threats within and around those virtual worlds, and the consequences could be significant. Kavya Pearlman of Linden Lab (the creators of Second Life) shares some perspective on the threats within these environments in “Virtual Worlds – Real Risks.”

Finally, no matter how much things change, some things stay the same, not the least of which is the importance of insurance in underwriting all that we do. I am really pleased to have an article from Adam Cottini of Arthur J. Gallagher & Co. that talks about the changing role of cyber insurance in underwriting some of these new risks in “Regulation, Education, and Underwriter Evolution Spur Interest in Cyber Insurance.”

As the seasons change, we all need to evaluate how our cybersecurity environment has changed, for good or for bad. My hope is that this issue of Cybersecurity Quarterly, and all of the great content within it, will provide an opportunity for you to look at these changes with a new perspective. So, as you sip your first pumpkin spice latte of the season and read this issue, remember it is always better to be a leader of change than to let change lead you.

Steve J. Spano, Brig. Gen., USAF (Ret.)
President & Chief Operating Officer, Center for Internet Security


Special Discount: National Cyber Security Awareness Month

10% Off a New One-year Membership

Cybersecurity assessment & remediation resources:
• Access full-format CIS Benchmarks™
• Assess configuration with CIS-CAT Pro assessment tool
• Rapidly implement recommendations with remediation content
• Enhanced technical support

Promo code: CIS-NCSAM2018. Offer expires: 31 Oct 2018.
See promo terms at https://www.cisecurity.org/cis-securesuite/promo-terms/


News Bits & Bytes

October is National Cyber Security Awareness Month (NCSAM). Every October, under the leadership of the U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA), government and industry come together to ensure every American has the resources they need to stay safer and more secure online. 2018 marks the 15th year of NCSAM. Each week of October will highlight a different theme focused on improving citizens' cybersecurity awareness and readiness. The themes for 2018 are:
• Week 1 (Oct 1st - 5th): Make Your Home a Haven for Online Safety
• Week 2 (Oct 8th - 12th): Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
• Week 3 (Oct 15th - 19th): It's Everyone's Job to Ensure Online Safety at Work
• Week 4 (Oct 22nd - 26th): Safeguarding the Nation's Critical Infrastructure
For more information on this year's NCSAM, visit https://staysafeonline.org/ncsam.

Akamai is the newest vendor partner of CIS CyberMarket. MS-ISAC members, as well as other state, local, tribal, and territorial (SLTT) governments and related nonprofit and public organizations, will now be able to purchase Akamai's Enterprise Threat Protector, a recursive DNS-based security solution that proactively identifies, blocks, and mitigates targeted threats, including malware, ransomware, phishing, and data exfiltration. In addition to the discounted pricing available through CIS CyberMarket, interested electoral bodies can get the solution at no cost through the 2018 election cycle. More information can be found at https://www.protectyourelection.com/get-started/

CIS Hardened Images are now available on Azure Government Marketplace. Announced at Microsoft's Inspire event in July, CIS Hardened Images are now available as paid hourly virtual machine offers in the Azure Government Marketplace. Azure Government is a cloud environment specifically for U.S. government entities and their solution providers. CIS Hardened Images are virtual machine images that have been securely configured according to the recommendations of the CIS Benchmarks. Collaboratively developed by a global community of experts, the CIS Benchmarks are configuration guidelines for various technology groups that can be used to safeguard systems against cyber threats.

CIS released the CIS Controls V7 Implementation Guide for Industrial Control Systems. In an acknowledgment that some operational environments present unique requirements not previously addressed by the CIS Controls, this new guide addresses how to use the CIS Controls to bolster cybersecurity amidst the unique constraints of Industrial Control System (ICS) environments. The ICS Guide, and a recording of the panel discussion webinar on it, are available on the CIS website.

Chirag Arora, cybersecurity professional and CIS Controls supporter, has donated the CIS Controls CISO Risk Matrix Tool to CIS for sharing with its worldwide community. The CIS Controls Risk Matrix tool is a self-assessment tool that will help organizations track and prioritize their implementation of the CIS Controls. Users can also use the tool to compare their organization to other organizations in their sector, cross-reference how they are doing against other frameworks (e.g. NIST CSF), and get references to help them improve their own cybersecurity assessment.


Democracy Depends on Those Who Defend It.

Election-related cyberattacks are becoming increasingly widespread — democracy depends on protecting your infrastructure from these threats. That’s why Akamai is offering state and local government officials enterprise-level threat protection, at no cost or obligation*. Our enterprise threat protection will be offered throughout the 2018 election cycle to help ensure the integrity of our election procedures. Find out how you can protect your infrastructure this election season, at no cost or obligation*.

Get started at www.protectyourelection.com/get-started/

*Standard Akamai terms and conditions apply


A Little Less Talk, A Little More Action

While improving awareness is admirable, for this National Cyber Security Awareness Month, let's all take measurable action to improve our cybersecurity posture

By Aimée Larsen Kirkpatrick

Ahhhh – it’s that time of year again. The weather is starting to get cooler, the kids are back in school, pumpkin spice is back in EVERYTHING… and it’s National Cyber Security Awareness Month (NCSAM).

I’m well-versed in NCSAM – I ran the program for five years during my time at the National Cyber Security Alliance (NCSA). When I first began my tenure, I thought it would be about raising awareness and making measurable social change, but that really wasn’t the case. National Cyber Security Awareness Month was (and still is) more of a platform for government to take stock of what has happened, what should happen, and how we might get there. It was a lot of talk. Events, panels, keynotes, conferences, webinars, more panels. There was a club of us who traveled around the country together. We were in a new city every week, but the same people were talking about the same thing. Every year. It was a lot of talk and not enough action.

Don’t get me wrong. I do think National Cyber Security Awareness Month is very important. We should all take a moment to step back to see what we have accomplished and put an eye to the future for what still needs to be done. It’s essential to chart the path forward, to have the conversations, and put the agreements in place so we can better coordinate across government and the private sector. We do need to raise the national consciousness about cybersecurity. Governments, businesses, and individuals need to be educated about how to protect themselves. But the truth is, the bad guys are still winning. While we talk about cybersecurity, they are out there launching the next attack.

So, here is my challenge to all of you for this year's National Cyber Security Awareness Month: less talk, more action. Or maybe just more action. There’s always more that can be done to improve your organization's cybersecurity posture. This October, in addition to all of your organization's awareness-raising activities, take measurable action on one of those many items that have been sitting on your “to do” list. If you need suggestions or are wondering where you’re going to get the resources, here are two ideas for solutions that are freely available and can be adopted by any organization:

Email Authentication (a/k/a DMARC): If you haven’t implemented DMARC, or Domain-based Message Authentication, Reporting, and Conformance, in your organization yet, RIGHT NOW is a good time to get started! What is DMARC, you ask? It’s a form of email authentication that prevents direct domain spoofing. Last year during National Cyber Security Awareness Month, the U.S. Department of Homeland Security (DHS) mandated that all U.S. civilian domains become DMARC compliant. The federal government has until October 16th, 2018 to fully comply with this mandate. This was a great initiative by DHS! Consider DMARC for your own organization. DMARC is a set of policies that you put into your DNS record. DMARC is free and there’s no reason why you should not be able to get started on implementation. The Global Cyber Alliance (GCA) has created a whole suite of resources, including a comprehensive tool to walk you through the entire implementation process, video tutorials, educational webinars, and other resources to help you implement DMARC in your organization. Visit DMARC.GlobalCyberAlliance.org for more information.

DNS Security (a/k/a Quad9): In collaboration with Packet Clearing House (PCH) and IBM, GCA developed Quad9 to leverage a global recursive anycast DNS service with multiple threat intelligence feeds to provide enterprise-level security to anyone and any organization, at no cost. Quad9 combines internet security, privacy, and performance to provide world-class service. And did I mention it’s free? Currently, Quad9 blocks up to 2 million threats per day and has resolvers in more than 130 locations around the globe. It’s simple to set up; it’s just a change to your DNS settings (visit Quad9.net to learn how). This past spring, New York City incorporated Quad9 into its NYC Secure program and is now protecting all users of the New York City guest and public WiFi.

Though it’s been years since I’ve been directly involved with National Cyber Security Awareness Month, I am pleased to see that it has continued on. It’s a good time to take stock of where we are and where we need to go. Happy National Cyber Security Awareness Month!

Aimée Larsen Kirkpatrick is the Global Communications Officer for the Global Cyber Alliance (GCA). She also serves as a Senior Research Fellow for the Anti-Phishing Working Group (APWG) and advises on their public education initiatives. Prior to GCA, she was President of ALK Strategies, a communication and public affairs consulting practice focused on start-ups and nonprofits. Larsen Kirkpatrick was formerly with the National Cyber Security Alliance (NCSA). As the Partnership Engagement & Strategic Initiatives Director for the NCSA, Larsen Kirkpatrick established strategies and programs to engage and broaden NCSA’s stakeholder base and expand its audiences. Larsen Kirkpatrick was a 2012 Executive Women’s Forum Women of Influence Award recipient. She also currently sits on the Board of Trustees for the EU chapter of the Anti-Phishing Working Group (APWG).
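The DMARC policy the article describes lives in a DNS TXT record made of "tag=value" pairs. As an added example (not code from the article or from GCA's tools), the Python below parses such a record and reports how far a domain is from the finished state of a rollout: p=reject applied to all mail, with aggregate reporting switched on. The sample records are constructed.

```python
"""DMARC record checker (added example; not code from the article or from GCA).

A DMARC policy is a TXT record at _dmarc.<domain> made of "tag=value" pairs.
This parses such a record and reports how far it is from the end goal of
p=reject applied to all mail, with aggregate reports (rua) enabled.
"""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict (tags lower-cased, order kept).
    Returns None if the record is not a DMARC record: v=DMARC1 must come first."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        return None
    return tags


def evaluate_dmarc(txt):
    """Return findings for a record; an empty list means p=reject at 100% with
    aggregate reporting, the state a finished DMARC rollout should be in."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record (must begin with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag; receivers treat the record as p=none or ignore it")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam; move to p=reject once reports are clean")
    pct = tags.get("pct", "100")   # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        findings.append("invalid pct= value")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing of the domain goes unseen")
    return findings


if __name__ == "__main__":
    # Constructed sample records, from the monitoring stage to a finished rollout
    for record in ("v=DMARC1; p=none",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.gov",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"):
        print(record, "->", evaluate_dmarc(record) or ["OK"])
```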



Threat of the Quarter

This Quarter’s Threat: TLS v1.2 Adoption by the Industry and its Impact on SLTT Governments

This year, the Information Technology (IT) industry is moving away from the use of Transport Layer Security (TLS) v1.0, and the seldom used v1.1, and is adopting TLS v1.2 as the main way of securing data in transit. This is due to the known vulnerabilities of v1.0, which permit cyber attacks that can result in the interception and modification of data being transported. Industry adoption of TLS v1.2 will directly affect state, local, tribal, and territorial (SLTT) governments that remain on v1.0, due to compatibility and service issues. Adhering to industry best practices, like upgrading to TLS v1.2 and disabling outdated versions, will prevent these potential future issues.

Transport Layer Security

TLS is a standardized protocol that secures communication by encrypting data while it is in transit. TLS helps secure data exchanges over the internet, such as those with web, email, File Transfer Protocol (FTP), Voice over IP (VoIP), application programming interface (API), and virtual private network (VPN) servers. Securing data with TLS as it crosses the internet prevents cyber threat actors from compromising the transported information. In order for a server to obtain and use TLS, it must have a certificate from a certificate authority, such as DigiCert or GlobalSign. The certificate allows the server to show that the domain being used has been verified as trustworthy. As new, more secure TLS versions come out, new certificates are produced.

The Effect on SLTT Governments

The IT industry’s adoption of TLS v1.2 is due to the known vulnerabilities of v1.0, which permit the interception and modification of data being transported. SLTT governments that use outdated versions of TLS, including v1.0 and its predecessor, Secure Sockets Layer (SSL), insufficiently protect and secure their data from a variety of cyber attacks. Attacks like BEAST, FREAK, Heartbleed, and POODLE have the ability to compromise the confidentiality and integrity of the data being exchanged over the insecure protocols. These attacks can be successful even if the SLTT government has the updated TLS v1.2, by using a specific technique called a downgrade attack. Downgrade attacks allow cyber threat actors to exploit servers that also run outdated versions of TLS by forcing these servers to communicate over those vulnerable versions of TLS/SSL instead of the more secure v1.2. This could lead to data breaches or data alteration if older versions of TLS/SSL are not disabled.

As of June 30, 2018, the Payment Card Industry Data Security Standard (PCI DSS) no longer supports v1.0 and will only support v1.1, per the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-52 Rev. 1. Therefore, SLTT governments that accept credit card payments while using v1.0 or other outdated or misconfigured versions that are not PCI compliant may be held liable if their systems are compromised.

Multiple other industry vendors are making the shift to v1.2 and discontinuing v1.0 and v1.1. Some of the more notable vendors making this change are Adobe, Cloud.gov, GitHub, IBM, and Microsoft. For example, Microsoft Office 365 is mandating the use of TLS v1.2 starting October 31, 2018. Consequently, any SLTT government using Office 365 or other services while using TLS v1.0, v1.1, or any other outdated or misconfigured versions will experience connection and usage issues in certain circumstances. For instance, because Office 365 servers are disabling older versions of TLS/SSL, clients and workstations that run older operating systems that do not support TLS v1.2 will get a security message and will not be able to connect to Microsoft’s cloud server. Additionally, those who have configured Microsoft Exchange to only use TLS v1.2 (disabling older versions) will still be able to send and receive messages with users who have not updated, but those messages will not be encrypted.

Another industry change is that several certificate authorities, such as DigiCert and GlobalSign, are revoking outdated certificate versions. Constituents will receive privacy warnings, as shown below, when they attempt to connect to SLTT government websites using older versions. This privacy warning may make clients hesitant about visiting the website, which will hinder the SLTT government’s ability to fully engage and inform its constituents.

Recommendations from MS-ISAC

SLTT governments are strongly encouraged to ensure that this industry shift does not adversely affect them by making sure all secure data transactions are conducted over TLS v1.2. This will also aid in preventing connectivity issues when a service migrates to TLS v1.2. The MS-ISAC advises SLTT governments to immediately update all services to TLS v1.2 and disable outdated TLS/SSL versions (including v1.1). Instructions on how to update are available online for most web browsers, including Microsoft Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox, Opera, and Apple Safari. To find out if your server is running the latest TLS versions, type the URL into an SSL server test, like Qualys SSL Labs, and look under configuration for what TLS/SSL protocols are being used. If TLS v1.2 is not being used, a TLS v1.2 certificate must be purchased from a certificate authority and uploaded to the server. This guarantees SLTT governments will have no compatibility or service issues with accepting credit card payments or connecting to vendors, certificate authorities, or others that only accept v1.2. Furthermore, disabling outdated TLS/SSL versions (including v1.1) will safeguard them from cyber threat actors who can use the outdated versions of TLS/SSL to compromise the confidentiality and integrity of their data in transit. In essence, daily tasks will run smoothly, like sending and receiving emails, receiving online credit card payments, engaging constituents, and securing data in transit.

After completing this recommendation, SLTT governments should appropriately test their systems to ensure that not only their clients, but their workstations at all of their offices, have their web browsers updated. Having updated web browsers will confirm that there will be no compatibility or service issues for clients when they are connecting to SLTT government websites and servers. If the use of TLS v1.1 is absolutely necessary, SLTT governments should ensure the implementation follows NIST SP 800-52 Rev. 1, which provides assistance in implementing the proper security guidelines and protocols when using TLS v1.1. It contains ways to effectively use the Federal Information Processing Standards (FIPS) and NIST recommended cryptographic algorithms.

Finally, when possible, plan to implement TLS v1.3 by ensuring service and equipment purchases and upgrade plans incorporate it. The Internet Engineering Task Force (IETF) published a proposed standard for TLS v1.3 as an encryption protocol in RFC 8446. TLS v1.3 offers improved performance and is designed to prevent eavesdropping, tampering, and message forgery. The new standard also specifies new requirements for TLS v1.2 implementations. We expect the IETF to finalize TLS v1.3 within a year and for the protocol to start being adopted after its announcement.
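The version a connection ends up using is negotiated in the handshake: the client lists what it accepts in its ClientHello and the server picks one in its ServerHello. As an added example (not code from the MS-ISAC article), the Python below reads those version fields out of raw handshake bytes, as a team might capture them from its own servers, and assesses them against the recommendation above. The ClientHello and ServerHello samples are constructed in the block.

```python
"""Protocol-version check for TLS handshake bytes (added example, not MS-ISAC code).

The client advertises the versions it accepts in its ClientHello and the
server selects one in its ServerHello, so reading those two messages from a
capture shows whether outdated SSL/TLS versions are still offered or chosen.
"""
import struct

# Wire encodings of the protocol versions: (major, minor)
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
                 (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
HANDSHAKE = 0x16                    # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2   # handshake message types
EXT_SUPPORTED_VERSIONS = 0x002B     # extension carrying the real version list (TLS 1.3)
OUTDATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # versions the article says to disable


def _version_name(raw):
    return VERSION_NAMES.get((raw[0], raw[1]), "unknown(0x%02x%02x)" % (raw[0], raw[1]))


def parse_hello_versions(record):
    """Return (message_type, versions) for a handshake record holding a
    ClientHello or ServerHello.

    ClientHello: every version the client is willing to use (the
    supported_versions extension when present, else the legacy version field,
    which for pre-1.3 clients only names the highest version they accept).
    ServerHello: the single version the server selected.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated handshake record")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    if len(msg) != msg_len or msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello or ServerHello")

    pos = 0
    legacy = _version_name(msg[pos:pos + 2])
    pos += 2 + 32                       # legacy_version + random
    pos += 1 + msg[pos]                 # session_id (1-byte length)
    if msg_type == CLIENT_HELLO:
        pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + msg[pos]                                   # compression_methods
    else:
        pos += 2 + 1                    # chosen cipher_suite + compression_method

    versions = []
    if pos + 2 <= len(msg):             # extensions block is optional
        ext_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(msg))
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", msg[pos:pos + 4])
            pos += 4
            data = msg[pos:pos + ext_size]
            pos += ext_size
            if ext_type == EXT_SUPPORTED_VERSIONS:
                if msg_type == CLIENT_HELLO:    # 1-byte length, then 2-byte entries
                    versions = [_version_name(data[i:i + 2])
                                for i in range(1, 1 + data[0], 2)]
                else:                           # server sends exactly one version
                    versions = [_version_name(data[:2])]
    return msg_type, versions or [legacy]


def assess(versions):
    """Findings against the MS-ISAC recommendation: nothing older than TLS 1.2
    should be offered or selected. A ClientHello that still lists TLSv1.0 or
    TLSv1.1 belongs to a client that would accept a downgrade from a server
    that still runs those versions."""
    findings = [f"{v} still enabled; disable it" for v in versions if v in OUTDATED]
    if not ({"TLSv1.2", "TLSv1.3"} & set(versions)):
        findings.append("TLSv1.2 not offered; upgrade required")
    return findings


def build_client_hello(versions, legacy=(3, 3)):
    """Constructed sample: minimal ClientHello offering `versions` (a list of
    (major, minor) tuples) via supported_versions. Random bytes are zeroed."""
    sv = bytes([2 * len(versions)]) + b"".join(bytes(v) for v in versions)
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body = (bytes(legacy) + b"\x00" * 32     # legacy_version, random
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


def build_server_hello(selected):
    """Constructed sample: pre-1.3 ServerHello with no extensions; the chosen
    version sits in the legacy version field, cipher suite is ECDHE-RSA-AES128-GCM."""
    body = bytes(selected) + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # A modern client that still lists TLS 1.0, and a server that picked TLS 1.0
    for sample in (build_client_hello([(3, 4), (3, 3), (3, 1)]),
                   build_server_hello((3, 1))):
        kind, offered = parse_hello_versions(sample)
        print("ClientHello" if kind == CLIENT_HELLO else "ServerHello",
              offered, assess(offered))
```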



How Can We Make Smart Cities More Secure?

As cities and towns across the country continue to add IoT devices — and potential vulnerabilities — into their networks, maintaining security is of the utmost importance

By Dan Lohrmann

As the number of connected devices skyrockets around the globe, the Internet of Things (IoT) is splintering off into many different areas of life. Innovative topics now range from medical devices to connected vehicles and from home appliances to global travel apps. One hot trend that is growing under the IoT umbrella is referred to as “smart cities.” But nailing down the actual definition of a smart city is complicated, as Computerworld Magazine discovered. The truth is that no city wants to be a ‘dumb’ city.

How hot are smart cities? According to Frost & Sullivan, the global smart cities market is projected to reach $1.56 trillion by 2020.

Many security pros are worried. Will government networks and/or personally-owned smartphones with apps really be used to control and administer all of these critical functions? In the same way that WiFi, cloud computing, and Bring Your Own Device (BYOD) to Work technologies emerged over the past two decades, new advances in technology are raising alarming questions. Several research reports, such as this one from IBM, have shown that most smart city deployments are not that difficult to hack. Here’s an excerpt: “In early 2018, IBM X-Force Red and Threatcare discovered 17 zero-day vulnerabilities in smart city sensors and controls used in cities around the world. Left unpatched, these vulnerabilities could allow hackers to gain access to sensors and manipulate data.”

What is your view: Is this trend that is creating ‘smart everything’ really a:
• Cool innovation or scary privacy concern?
• Cutting edge efficiency or hacker paradise?
• Job opportunity or time to clean out your Y2K bunker?
• ‘All of the above’ at the same time?

My response is that ‘all of the above’ is probably the best answer – with the exception of the Y2K bunker.

What Can Governments Do To Help Smart Cities Stay Safe Cities?

In a recent speech given by General Motors (GM) President Dan Ammann on auto cybersecurity as we head towards autonomous vehicles, Ammann said, “safety and (cyber) security are now the same thing.” Therefore, governments that deploy smart city technology have an obligation to ensure that these innovative practices are deployed safely and securely. So what steps can government take?

First, understand your current “As Is” enterprise environment regarding IoT technologies deployed by your government. The vulnerabilities described by IBM fell into three categories: public default passwords, authentication bypass, and SQL injection. You can use the same techniques to discover vulnerabilities within your enterprise network:
1. Search Shodan or Censys, two search engines for IoT and connected devices, for the specific locations and IP addresses of devices under your control.
2. Match the search data to published vendor information to determine what the device is used for, such as air-quality monitoring.
3. Search for vendor support information (such as installation guides) that outlines password protection, troubleshooting, and other security features.

Second, remediate these known vulnerabilities under your control while ensuring that new smart city technologies are deployed securely. Changing default passwords is low-hanging fruit. Sadly, smart devices can be deployed without the knowledge of the security team or even the technology department. You may want to consider an enterprise-wide cyber committee that cuts across business areas to ensure that IoT devices and smart city technologies are properly deployed, managed, and kept up-to-date regarding firmware, software, and available patches.

Third, consider building a smart city (or IoT) strategic and/or tactical plan that maps out where your government is going over the next few years. This plan will include the business case, technology involved, project management steps with timelines, and deliverables. Wrap cybersecurity best practices around the entire smart city deployment. Your smart city plan can be a part of a wider technology strategy, or stand alone. Either way, make sure that the right people are at the table, including tech leaders, legal, HR, business areas, budget (finance), internal audit, etc.

One final thought: Sometimes new “smart” infrastructure upgrades are deployed without anyone using the “smart city” label. Just as printers are often deployed with internet connections and default settings, items such as cameras, parking meters, and even street signs can be hacked. Even if no one wants to use the “smart” label, you may already have more IoT devices than you realize.

My advice: Take this opportunity to offer solutions (not just problems) to government business areas, and be an enabler of secure smart cities technology for your organization.

Dan Lohrmann is an internationally recognized cybersecurity leader, technologist, and author. Starting his career at NSA, Lohrmann has served global organizations in the public and private sectors in many leadership capacities. As a top Michigan government technology executive for 17 years, Lohrmann was National CSO of the Year, Public Official of the Year, and a Computerworld Premier 100 IT Leader. He is currently CSO & Chief Strategist at Security Mentor, and advises federal, state and local governments on cybersecurity strategy.

Follow Dan on Twitter at: @govcso
Dan’s award-winning blog: http://www.govtech.com/blogs/lohrmann-on-cybersecurity/
CSO Magazine articles: http://www.csoonline.com/author/dan-lohrmann



Virtual Worlds — Real Risks

As virtual reality becomes an increasingly prevalent part of society, developing a framework for security and compliance for virtual worlds is crucial to protect users

By Kavya Pearlman

The use of immersive technologies like virtual reality (VR) and augmented reality (AR) is on the rise globally. The global virtual reality market is expected to exceed $33 billion by 2024¹. With the evolution of VR, virtual worlds that previously only existed in three-dimensional (3D) space are getting a new life and a whole new appeal for the masses. Many virtual worlds, including Second Life, continue to exist in 3D, accessible via desktop. Other virtual worlds are emerging that are both desktop and VR-enabled. With this renewed interest and involvement of advanced technologies, focus on security, risk, and compliance is renewed as well. Defining risk in a virtual world is far more complex than in Massively Multiplayer Online (MMO) games. This complexity brings about the need to establish a framework that will allow individuals and organizations to combat security challenges and remain compliant in the ever-changing world of regulations.

What are Virtual Worlds?

A virtual world is a computer-based online community environment that is designed and shared by individuals and allows them to interact in a custom-built, simulated world. Virtual worlds are digital environments that exhibit the following properties²:
1. Individuals are represented within the world as ‘avatars.’
2. Interactions take place in real time.
3. The world is shared, meaning the world is accessible to more than one member, as are the objects within it.
4. The world is persistent – it continues to exist even after a user exits the world, and user-made changes to the world are preserved.
5. There is an underlying automated rule set, the ‘physics’ that determines how individuals affect changes.

A few examples of popular virtual worlds include Second Life, Sansar, IMVU, VR Chat, and Facebook

¹ Virtual Reality Market Size Projected to be Around US$33 Billion by 2022, MarketWatch, 30 Aug 2018. https://www.marketwatch.com/press-release/virtual-reality-market-size-is-projected-to-be-around-us-33-billion-by-2022-2018-08-30
² Security Threats in Virtual World, InfoSec Institute, 12 Jun 2013. https://resources.infosecinstitute.com/security-threats-in-virtual-world/


Fall 2018

Figure: Security and Compliance Framework via Virtual World Triad: Connect - Create - Commerce Spaces (diagram; the risks and compliance regimes it lists for each tier are reproduced below).

Connect – Risks: Vandalism, Harassment, Stalking, Defamation, Disparagement, Spam, Social Engineering, Cyber Squatting, Avatar Identity Theft, Account Takeover, Privacy Risks, Risk to Minors, Online Disputes Among Users, Attack on Users' Machines through Game Client. Compliance: GDPR, COPPA.

Create – Risks: Virus, Worms, Keyloggers, Trojans, Intellectual Property Theft, Account Takeover, Malicious Game Servers, Software Vulnerability Exploitation. Compliance: Intellectual Property Laws, Copyrights, Patents, Terms of Services / Contractual Obligations.

Commerce – Risks: Payment Fraud, Chargebacks, Pickpocketing, Begging, Transaction Integrity. Compliance: Payment Card Industry – Data Security Standards (PCI-DSS), Sarbanes Oxley (SOX), State Regulations, International Regulations e.g. General Data Protection Regulation (GDPR) etc.

Several virtual world use cases exist in various domains, such as medical, social, e-commerce, entertainment, and training, just to name a few.

With the adoption of virtual reality, virtual worlds may increasingly function as centers of commerce, trade, and business. A real virtual world, however complex, can still be differentiated via three key terms. This hierarchical triad of virtual world tiers gradually ascends in complexity, and consequently, in potential risk. These three tiers that have the potential to serve as building blocks for assessing associated risks are: Create, Connect, and Commerce. Not all virtual worlds incorporate all three pillars. The introduction of each additional pillar in a virtual world increases the associated risks for both individual users and the organization operating it.

Security & Compliance in Virtual Worlds

Virtual Worlds that enable you to CONNECT – Virtual worlds are the perfect places to connect with fellow humans representing themselves in the form of other avatars. These connections may take place via text chats, voice chats, and even human gestures. Needless to say, security concerns of social media come into play for any virtual world that has a social component to it. If proper attention is not paid, privacy and confidentiality issues may result in lost trust and sometimes incur financial penalties. 2018 saw the introduction of GDPR (General Data Protection Regulation), which is applicable to EU Data Subjects and requires all organizations to protect EU Data Subjects' data, as well as facilitate various rights related to their online activities and information. Then there are risks related to minors resulting in legal obligations, like the Children's Online Privacy Protection Rule (COPPA) for the U.S. and various other international regulations worldwide.

Virtual Worlds that enable you to CREATE – Some virtual worlds permit user content creation. Whether these environments and avatars are being created by either the virtual world developers or the users/creators, security risks of various magnitude emerge. Since the contents are all created online and remain hosted online, the security risks are


Image: In-world training during National Cyber Security Awareness Month 2017: Second Life

similar to risks associated with any online platform. Creators in virtual worlds need to pay attention to threats like computer viruses, worms, and trojans that may carry malicious programs, such as key loggers. Where such creation is allowed, or indeed encouraged, the terms applying to the ownership and use of such creations must be carefully managed. With the additional pillar "CREATE," the key issues of intellectual property, copyright, and patent law apply to the virtual world.

Virtual Worlds that enable you to do COMMERCE – Virtual economies are emergent economies that exist in various virtual worlds and are typically driven by in-world needs, such as in-game objects, virtual goods, and other forms of commerce. An economy arises as a result of the choices that players make under the scarcity of real and virtual resources, such as time or currency. When an in-world currency can be exchanged into real-world currency, such as US dollars (USD), a multitude of compliance and security requirements come into play. The added risks are then similar to those of any financial technology (fintech) organization. In these cases, virtual property has considerable real monetary value within the real-world, global economy. Depending on the architecture and payment integrity licensing, a flavor of financial security standards, such as the Payment Card Industry Data Security Standard (PCI-DSS) or various federal and state regulations, becomes mandated for organizations operating in the virtual world. For U.S.-based organizations, the Corporate and Auditing Accountability, Responsibility, and Transparency Act, more commonly called the Sarbanes–Oxley Act or SOX, may apply.


The projected growth of VR and virtual worlds has attracted the unwanted attention of both hackers and organized crime. For each pillar - Create, Connect, and Commerce - businesses are exposed to additional risks. Calculating risks for virtual worlds is complex, and attention must be paid to understanding the root causes. As VR-enabled virtual worlds become mainstream, applying a triad framework like the 3C model is a good place to start to help mitigate risks.

Kavya Pearlman is the Information Security Director at Linden Lab, the developer of the virtual world Second Life and the social VR platform Sansar. Prior to Linden Lab, Pearlman advised Facebook's Information Security Team on mitigating third party security risks. Her security career has also led her to hold roles as an ISMS Manager for a corporate immigration law firm, a network security analyst for Allstate Insurance, and founder of her own independent cybersecurity research company. Pearlman holds an MS in Network Security from DePaul University, Chicago. She is also a CISM (Certified Information Security Manager) and a certified PCI-DSS ISA (Internal Security Assessor). Pearlman grew up in India and immigrated to the United States in 2007. Pearlman remains passionate about building a secure future for humanity in both real and virtual worlds. Pearlman was recently named 2018 Minority CISO of the Year by the International Consortium of Minority Cybersecurity Professionals (ICMCP) and a Top 20 Cybersecurity Influencer for 2018 by IFSEC Global.





Regulation, Education, and Underwriter Evolution Spur Interest in Cyber Insurance

New technologies and digital integration have brought new cyber risks to organizations. To help address these issues, insurance companies have risen to the challenge.

By Adam Cottini

For many organizations, their insurance portfolio includes general liability, workers compensation, auto liability, property, professional liability, and employment practices liability. Until recently, cyber insurance was not on the list – but this is beginning to change.

Technology deployment and digital transformation have brought new cyber risks, resulting in financial losses with far-reaching consequences. New laws have been enacted worldwide to address these exposures, creating new responsibilities and potential consequences. While every organization must address these issues and the new cyber threat environment, managing cybersecurity has become daunting, expensive, and disruptive.

In a quest to manage the many challenges posed by cyber risk, the cyber insurance market has taken a leadership position to support organizations of all sizes. Cyber insurance products are now highly sought after to help insulate companies from the financial impact of a data breach. Consumer interest continues to grow, as does the experience of underwriters in addressing these issues. Ultimately, the consumer is likely to benefit from improved cyber risk management practices.

Cybersecurity Regulation has Caught Our Attention

Broad and sweeping cybersecurity regulations have been enacted or proposed to make consumer data more secure, accessible, and removable by the data holder. Several cybersecurity regulations have been implemented in the United States and European Union that are broad and impactful. Specific to the financial sector, the New York Department of Financial Services Cybersecurity Regulation (NYDFS Part 500) went into effect in August 2017, with additional requirements effective September 2018. This regulation, applicable to covered financial entities under the New York Department of Financial Services, was the first of its kind in the U.S. designed to promote better cyber hygiene. An even wider impact may be seen from the newly enacted General Data Protection Regulation (GDPR), which went into effect May 25, 2018. GDPR aims to enforce stronger and more consistent data security on organizations that handle personal data.



Deploying the concept of Privacy by Design, GDPR seeks to enhance the privacy rights of individuals who entrust organizations with their data, and to allow individuals to have greater control over the ways their data is handled. The changes introduced by GDPR are far-reaching and apply across all 28 EU member nations and the UK. In some cases, GDPR will apply to organizations based in the United States, even if those organizations do not have physical locations in the EU or UK. Finally, California has passed a state law called The California Consumer Privacy Act of 2018 (AB 375). It will go into effect January 1, 2020 and furthers the concept of Privacy by Design, highlighting several key rights afforded to California residents, similar to the GDPR.

Cyber Threat Education is Increasing

More information-sharing and threat-monitoring tools have allowed organizations to better understand the sources of cyber threats. The most common security and privacy threats arise from hacking, malware, social engineering, human errors, or malicious actors. Motivations behind these security and privacy threats vary and may include:

• Financial gain by obtaining Personally Identifiable Information (PII) and selling or using it for identity theft. This includes protected health information and payment card information.
• Corporate competitive advantage obtained by accessing confidential information, such as trade secrets, formulas, designs, processes, and methods
• Espionage conducted by, or on behalf of, nation states
• "Hacktivists" with an agenda or desire to expose a perceived injustice
• Cyber-terrorists motivated by social, ideological, religious or political objectives
• Thrill-seekers with no agenda

Meaningful Cyber Risk Management Can Make a Difference in Cyber Insurance

The underwriting of cyber insurance has evolved. The insurance industry is beginning to take a leadership position by promoting good cyber hygiene through cyber risk management, in exchange for better insurance terms and conditions. A few areas of cyber risk management deployment that may positively impact underwriting evaluations include machine learning technology deployed on end-points and automated compliance tools designed to measure the effectiveness of technical controls. At the time of securing cyber insurance, it's advantageous for policyholders to highlight the effectiveness of these types of initiatives. In some situations, underwriters may offer more favorable cyber insurance premiums as recognition for deploying meaningful cyber risk management solutions.

Cyber Insurance Becomes Relevant

Cyber insurance is quickly becoming one of the many important tools utilized to address cyber risk. Simultaneously, cyber insurance is catching the attention of the C-Suite. Fortunately, the insurance market is not only able to offer quality cyber insurance solutions, but it is evolving to recognize and reward meaningful cyber risk management deployment.

Adam Cottini is Managing Director, Cyber Liability Practice for Arthur J. Gallagher & Co. He is responsible for the overall direction of the Cyber Liability Practice, including development of state of the art product solutions, insurance gap analysis, risk exposure analysis, risk modeling, benchmarking, and best practices implementation. Previously, he managed a diverse book of professional liability accounts for Gallagher. Cottini came to Gallagher from AmWINS Brokerage, where he was Assistant Vice President within the Financial Risk Group. His focus within AmWINS was producing and marketing professional and executive liability insurance solutions for public, private, nonprofit, and association entities. Prior to AmWINS, Cottini worked at AIG in the Middle Market Executive Liability Group as an Underwriter/Underwriting Manager.


Cyber Tips & Tricks

This Quarter's Tip: Making the Most Out of a Conference

by Mike Woodward, Cyber Intelligence Analyst, MS-ISAC

Prior to starting in the industry, I attended my first cyber conference, where I learned firsthand the dos and don'ts for getting the most out of a conference. This ranged from mistakenly not having business cards on hand to a fortuitous pre-session conversation with someone who would end up being a coworker in a few months! Whether you're looking to learn more about your specific field, become exposed to emerging technologies and ideas, or increase your network, attending a conference will help you achieve these goals and more. The following suggestions will help you optimize your conference experience.

Selecting the Right Conference

The continued growth of the cybersecurity industry has resulted in a proliferation of conferences that cater to various sectors or subfields. Selecting the right conference that meets your needs and goals is the first step. For instance, if you are looking to expand specific skills through training, then it might be advantageous to attend a smaller, more niche conference. On the other hand, a larger conference, like RSA or DEF CON, could appeal to an individual looking to increase exposure or learn about multiple topics. Take a few minutes to consider what you want to get out of the conference and then look online, as many cybersecurity publications provide lists and descriptions of conferences to help you pick the right one. Also, reach out to your colleagues, since they may have attended a conference that would be perfect for you or can give you advice on a conference that isn't quite what you think it is.

Be Prepared by Planning a Schedule

The long list of speakers, exhibits, and activities can be a bit daunting, so a little planning will go a long way! Many conferences have mobile apps available, which you can use to prioritize your event schedule and receive updated information. The app might provide biographies on the speakers, but you can also research them on LinkedIn or other platforms to get a feel for what will be most worthwhile. Check the list of vendors and research their products, so that you know which booths you'd like to visit. Of course, this is just a tentative schedule, so don't worry about straying from the plan to attend a social event. Social events and team exercises are a good chance to interact with colleagues in a more informal setting and to make new connections.

Connect and Follow Up

At a conference, you'll be able to meet more people than you can possibly remember. Rather than becoming absorbed by your phone, take advantage of this networking opportunity by striking up conversations before and in between events. Make sure to have plenty of business cards on hand to exchange with people (don't make my mistake!). You can write down when you met the person and what you discussed on their business card, so that you can reference this information when you reach out to them. Additionally, consider using a note taking app during the sessions to write down questions and main points. Refer to these notes during the session's question-and-answer portion or to connect with the subject matter expert after the talk. After the conference, use the business cards you received and your notes to email your new contacts. Let them know it was nice to meet them, elaborate on your initial conversation, and mention how you might be able to collaborate moving forward. A lot of the conference's value comes from the people you meet, who may end up being invaluable resources in the future. Take advantage of these opportunities and best of luck at your next conference!



Gallagher at a Glance

Gallagher has been designing solutions to meet our clients' unique needs for 90 years. Founded in 1927 by Arthur J. Gallagher, we pioneered many of the innovations in risk management used by businesses in all industries today. We believe that the best environment for learning and growing is one that remembers the past and invents the future. A global corporation with more than 710 offices in 33 countries, Gallagher is a company with 24,700+ family members driven by our strong heritage and culture.

Gallagher's Cyber Liability Practice

Gallagher's Cyber Liability Insurance professionals are dedicated to a holistic philosophy of approaching cyber risk. Our practice provides innovative insurance policy solutions and also offers comprehensive cyber risk management services. Our robust risk management services platform includes:

• Proprietary Cyber Insurance Limits Modeling / Third-Party Benchmarking / Cost of a Breach Calculator / Quantitative Cyber Analysis
• Insurance Coverage Gap Analysis / Broker Table Top Exercises / Insurance Policy On-Boarding
• On-line Network Assessments
• Best Practices (policies, articles, white papers, and webinars)
• Incident Response Planning
• Complimentary Preventive Services
• Strategic Vendor Relationships
• Insurance Policy Design and Implementation
• Contract Analysis

Gallagher's CIS Value Added Cyber Enhancement Amendatory

Gallagher has taken the opportunity to negotiate an exclusive CIS enhancement amendatory endorsement that expands the insurance terms provided by Everest Insurance® for CIS SecureSuite® membership. This endorsement will be provided to CIS SecureSuite® Members exclusively through Gallagher. This industry leading cyber insurance amendatory provides broad enhancements to the existing Everest policy language. CIS SecureSuite® Members may be eligible for a 10% discount and the Gallagher CIS Amendatory upon submitting a completed application (Everest Cyber Elevation Application - CIS Version) to SecureSuiteSubmissions@everestre.com with a carbon copy to Aimee_McNulty@ajg.com.

Learn more at AJG.com/Cyber

Ethical disclaimer: Arthur J. Gallagher & Co. has been recognized as one of the "World's Most Ethical Companies" in 2012, 2013, 2014, 2015, 2016, 2017 and 2018. "World's Most Ethical Companies" and "Ethisphere" names and marks are registered trademarks of Ethisphere LLC.

Gallagher Disclaimer: The information contained herein is offered as insurance industry guidance and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer legal advice or client-specific risk management advice. Any description of insurance coverages is not meant to interpret specific coverages that your company may already have in place or that may be generally available. General insurance descriptions contained herein do not include complete insurance policy definitions, terms, and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis. Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).


MS-ISAC Update The MS-ISAC Membership Reaches Another Significant Milestone

2018 continues to be a banner year for the MS-ISAC Stakeholder Engagement team! Through our continued hard work, thousands of miles of travel, countless phone calls, and untold speaking engagements and exhibit spaces, the team has continued to foster incredible growth and help strengthen the cybersecurity defenses of the state, local, tribal, and territorial (SLTT) community. On August 20th, 2018 the Sweetwater Union High School District in Chula Vista, California, became our 4,000th member! The steady growth of our membership continues apace. The EI-ISAC also hit a significant milestone with four states successfully enrolling all of their counties. Florida, South Carolina, Maryland, and Ohio now have complete county coverage. In addition, New York and Nevada have nearly complete county coverage, only lacking enrollment from a handful of their counties. Since our inception in 2010, we have steadily grown membership, and our commitment to SLTT governments is paying very big dividends. With an increased focus on elections security, we are expanding our reach and providing a truly valuable service to our nation. Thank you to all of our current members for touting us to the greater community. Without your efforts on our behalf, we would not have achieved this goal.


Nationwide Cyber Security Review Open for Submissions from October 1st - December 15th

What is the Nationwide Cyber Security Review?

The Nationwide Cyber Security Review (NCSR) is a no-cost, anonymous, annual self-assessment designed to measure gaps and capabilities of state, local, tribal, and territorial governments' cybersecurity programs. It is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), is sponsored by the Department of Homeland Security (DHS) and the Multi-State Information Sharing & Analysis Center (MS-ISAC), and is run in partnership with the National Association of State Chief Information Officers (NASCIO), the National Association of Counties (NACo), and GMIS International.

Figure: 2017 Participation by Entity Type (chart)

By participating in the NCSR you will:

• Utilize the NCSR to fulfill your justification requirement for cybersecurity investments under the Homeland Security Grant Program
• Receive metrics specific to your organization
• Use the metrics provided to identify gaps in your security program
• Anonymously measure your results against peers
• Be a part of the ongoing effort to chart national cybersecurity maturity & identify areas of concern
• Access informative references such as NIST 800-53, COBIT, and the CIS Controls that can assist in managing cybersecurity risk
• For HIPAA compliant agencies, translate your NCSR scores to HIPAA Security Rule scores for an automatic self-assessment tool
• Develop a benchmark to gauge year-to-year progress

Note: The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) lists the NCSR as a risk management resource for SLTTs.

Evaluate Your Cybersecurity Maturity Today! NCSR is open October 1, 2018 - December 15, 2018



Cyberside Chat

This Quarter's Topic: How Security Controls Can Improve Your Cybersecurity Posture

by Sean Atkinson, Chief Information Security Officer, CIS

Security is a journey, not a destination. It's important to understand that as security and IT introduce critical configurations and security controls, management will be required over time. A single audit of a configuration in the deployment of a new system is an important check. It's equally important to confirm over time that your initial deployment configurations are still accurate and compliant.

CIS offers two helpful resources that organizations can use to improve their cybersecurity posture. CIS Benchmarks™ are secure configuration guidelines and CIS-CAT is a configuration assessment tool. These resources align control with functionality and security with compliance.

The first step for any organization is to establish a baseline of security. This will be the secure image for any system deployed within an IT environment. There can be hundreds of different configuration checks necessary to secure a particular operating system, server, or mobile device – this is where the free CIS Benchmarks recommendations can be extremely helpful. These recommendations are developed through hours of discussion and debate by our global community of volunteers via CIS WorkBench.

Are you a cloud-enabled enterprise? Our CIS Hardened Images can provide a secure baseline based on the CIS Benchmarks. They're available on AWS Marketplace, Google Cloud Platform, and Microsoft Azure.

Measuring Compliance

Once you've established a secure baseline for your image, it's time to see how it stacks up to the CIS Benchmarks. CIS-CAT Lite, our free tool, and CIS-CAT Pro, available through CIS SecureSuite Membership, both allow users to measure their compliance to the CIS Benchmark recommendations.

Continuous Monitoring

Once you've confirmed compliance to a baseline, there are two continuous monitoring items to consider:

"Regular cadence" monitoring – This involves rechecking the systems to confirm their deployed compliant status is still in effect. How often this monitoring takes place could be based on the criticality of the system, the size of data centers, or other factors. For example, critical systems may require weekly or monthly reviews while a large data operation may only require annual monitoring.

Change management – This comes into play when a configuration is needed (such as the installation of particular applications or software) that is not aligned to the secure baseline. In these cases, the required change should be documented as part of a change management process. Be sure to document the impact of any configuration change on your system by running another compliance scan after the change has been implemented.

Paying Attention to the Process

If we maintain a process of control, compliance, and monitoring, it will allow for the creation of a complete asset management process, a configuration profile for deployed systems, and a managed process for incorporating changes into the system. Each part of this process will increase overall cyber hygiene and provide the impetus for maturing an information security program. Tools like CIS-CAT Pro can help organizations along the path to security and compliance.
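The baseline, cadence re-check and change-management steps described in this column can be seen end to end in a small compliance checker. The following is an added example written for this page; it is not CIS-CAT, not code from CIS, and does not implement any real CIS Benchmark. The baseline settings, the two sshd_config captures, and the change ticket reference are all constructed for illustration. It parses a captured configuration the way sshd reads one (comments ignored, keywords case-insensitive, first occurrence wins), scores each setting against the baseline, treats a deviation as managed only when the change-management register lists that exact value, and reports which settings changed status between the deployment scan and a later cadence scan.

```python
"""Baseline compliance check with drift detection (added example, not CIS code)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed baseline, loosely modelled on the kind of recommendation a
# secure-configuration guide makes for an SSH daemon. Illustrative assumption,
# not a quotation from any CIS Benchmark.
BASELINE: dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "INFO",
}

# Constructed sshd_config captured at initial deployment (fully compliant).
DEPLOYED_CONFIG = """\
# sshd_config as deployed from the hardened image
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
LogLevel INFO
"""

# Constructed sshd_config captured at a later cadence scan. X11 forwarding was
# enabled under an approved change ticket; password authentication was turned
# on without one; LogLevel was removed, so sshd would fall back to its default.
LATER_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes   # enabled for a vendor login, no ticket
X11Forwarding yes
MaxAuthTries 4
"""

# Change-management register: deviations that were documented and approved.
# Maps setting -> (approved value, ticket reference). Placeholder ticket id.
APPROVED_EXCEPTIONS: dict[str, tuple[str, str]] = {
    "X11Forwarding": ("yes", "CHG-0000 (placeholder ticket id)"),
}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: str | None
    status: str  # PASS, FAIL or EXCEPTION
    note: str = ""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return {setting: value} from sshd_config-style text.

    Comments and blank lines are ignored. Keywords are case-insensitive in
    sshd_config and the first occurrence of a keyword wins, so both rules are
    applied here; keys are returned lower-cased.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a keyword with no value is not a usable setting
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def assess(config_text: str, baseline: dict[str, str] = BASELINE,
           exceptions: dict[str, tuple[str, str]] = APPROVED_EXCEPTIONS) -> list[Finding]:
    """Compare a captured config against the baseline, honouring approved exceptions."""
    config = parse_sshd_config(config_text)
    findings: list[Finding] = []
    for setting, expected in baseline.items():
        actual = config.get(setting.lower())
        if actual == expected:
            findings.append(Finding(setting, expected, actual, "PASS"))
        elif setting in exceptions and exceptions[setting][0] == actual:
            # Deviation matches a documented change: managed, not a failure.
            findings.append(Finding(setting, expected, actual, "EXCEPTION", exceptions[setting][1]))
        else:
            # Missing or unexpected value with no ticket: undocumented drift.
            findings.append(Finding(setting, expected, actual, "FAIL", "undocumented drift from baseline"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by status."""
    counts = {"PASS": 0, "FAIL": 0, "EXCEPTION": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def drift(previous: list[Finding], current: list[Finding]) -> list[str]:
    """Settings whose status changed between two scans: the cadence review's worklist."""
    prev = {f.setting: f.status for f in previous}
    return [f.setting for f in current if prev.get(f.setting) != f.status]


if __name__ == "__main__":
    first = assess(DEPLOYED_CONFIG)
    later = assess(LATER_CONFIG)
    for f in later:
        print(f"{f.status:9} {f.setting:24} expected={f.expected} actual={f.actual} {f.note}")
    print("summary:", summarize(later))
    print("changed since deployment:", drift(first, later))
```

Run stand-alone, the later scan reports two failures (the undocumented PasswordAuthentication change and the missing LogLevel), one approved exception, and two passes; `drift` lists exactly the three settings a reviewer needs to look at. The register holds the approved value as well as the setting name, so a ticket that approved one change does not silently excuse a different value for the same setting.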


Upcoming Events

October

October 8th - 10th: (ISC)2 Security Congress 2018 will take place in New Orleans. The event will bring together information security leaders and professionals to network and learn about the latest developments in their field from industry thought leaders. CIS Executive VP Curtis Dukes will lead a session on adopting security automation standards and Senior VP Kathleen Patentreger will co-lead a session on AWS security automation and orchestration.

October 9th: The ISSA Des Moines Chapter will be holding its Secure Iowa Conference at Des Moines Area Community College in Ankeny, Iowa. The event will bring together the state's information security professionals to network and learn from industry leaders. CIS Senior VP Tony Sager will keynote the event, discussing the CIS Controls and implementing cybersecurity best practices effectively.

October 9th – 10th: The Rochester Chapter of ISSA, the Rochester Chapter of OWASP, and ISACA Western New York Chapter will co-host the Rochester Security Summit 2018 in Rochester, New York. The event will bring together the region's IT security professionals to network and discuss the latest industry developments. CIS CISO Sean Atkinson will lead a session on security and chaos engineering.

October 11th – 13th: The Center for Homeland Defense & Security (CHDS), the U.S. Department of Homeland Security, and FEMA's National Preparedness Directorate will co-host the 11th Annual Homeland Defense and Security Education Summit at the State University of New York at Albany. The conference will bring together homeland security and emergency response leaders to discuss how education and research practices can help identify and solve challenges facing homeland security professionals.

October 16th: Cyber Security Summit: Phoenix will take place at the Renaissance Phoenix Downtown, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest industry threats. CIS Senior Director Ryan Spelman will be a featured panelist at the event, discussing incident response. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

October 17th – 18th: Cyber Security Atlanta will take place at the Georgia World Congress Center, bringing together thousands of industry professionals to network and learn the latest updates in the field. CIS Senior Director Ryan Spelman will lead a breakout session on using compliance as a competitive advantage.

October 18th: The Wyoming Association of Risk Management (WARM) will host the WARM Cyber Security Summit in Casper, Wyoming. The event will focus on informing Wyoming government leaders on the importance of cybersecurity for state and local government. CIS Senior Director Ryan Spelman will lead a number of sessions and panels at the event.

October 21st – 24th: The 2018 NASCIO Annual Conference will take place in San Diego. Members of NASCIO from across the country will gather together to discuss and learn about the latest issues facing government IT professionals from industry thought leaders.

October 22nd – 24th: The National League of Cities Risk Information Sharing Consortium (NLC-RISC) will hold the 2018 NLC-RISC Staff Conference in Little Rock, Arkansas. The event will offer educational sessions for professionals from state municipal league-sponsored risk pools to learn about the latest topics and issues facing their industry. CIS Senior Director Ryan Spelman will lead a session on cyber risk.

October 22nd – 24th: The 8th Annual Cyber Security Summit will take place in Minneapolis. The event will bring together stakeholders from industry, government, and academia to discuss the state of cybersecurity. CIS VP Tony Sager will be a featured speaker at the event, discussing how to balance cybersecurity with other business interests, as well as leading an invitation-only legislative briefing on IT security governance.

October 23rd – 24th: SC Cyber and the State of South Carolina will hold the State of South Carolina Cyber Security Awareness Symposium in Columbia, South Carolina. The conference will bring together state employees to learn about the latest developments in cybersecurity in government. CIS President and COO Steve Spano will keynote the event.

October 25th – 26th: InfraGard's Cyber Health Working Group will hold their Inaugural Healthcare CyberGard Conference in Charlotte, North Carolina. The event will allow IT professionals in the healthcare sector to network and learn about new industry innovations and threats. CIS Executive VP Curtis Dukes will keynote the event, discussing how to develop a cybersecurity strategy on a budget.

October 30th – 31st: The Connecticut Conference of Municipalities (CCM) will hold its 36th Annual CCM Convention at Foxwoods Resort Casino in Mashantucket, Connecticut. The event will bring together Connecticut municipal employees to share their knowledge and discuss current trends. MS-ISAC Senior Program Specialist Eugene Kipniss will lead a session on MS-ISAC services and best practices.

November

November 5th – 9th: The Public Risk Management Association (PRIMA) will hold PRIMA Institute 2018 in West Palm Beach, Florida. The event will provide educational programming for risk management professionals on trends and best practices. MS-ISAC Senior Program Specialist Eugene Kipniss and EI-ISAC Director Ben Spear will co-lead a session on MS-ISAC services.

November 6th – 9th: MISTI will be holding its annual AuditWorld Conference & Expo in Las Vegas. The event will bring together audit and governance professionals to discuss industry issues and developments. CIS Senior VP Tony Sager will be a featured speaker, leading a session on cyber defense, as well as speaking at the event's IT Audit Leadership Summit.

November 13th – 14th: The American Public Power Association (APPA) will hold its first APPA Cybersecurity Summit in Austin, Texas. Public power leaders and professionals will gather together to network and learn about the latest cybersecurity practices, trends, and technologies. CIS Senior Director Ryan Spelman will be a featured panelist at the event, discussing current threats and information sharing.

November 14th – 15th: Infosecurity North America will take place at the Jacob K. Javits Convention Center in New York City. The event will bring together information security professionals to network and learn about the latest issues facing the industry. CIS Senior VP Tony Sager will speak on the event's closing panel, discussing security governance strategy.

November 29th: Cyber Security Summit: Los Angeles will take place at The Beverly Hilton, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest industry threats. CIS Senior Director Ryan Spelman will be a featured panelist at the event, discussing protecting against insider threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

December

December 3rd – 4th: The National Initiative for Cybersecurity Education (NICE) will hold the 2018 NICE K12 Cybersecurity Education Conference in San Antonio, Texas. The event will bring together leaders from education, government, industry, and nonprofits to discuss cybersecurity education and encouraging students to explore cybersecurity careers.

Confidence in the Connected World

Copyright © 2018 Center for Internet Security, All rights reserved.

CIS CyberMarket. Interested in being a contributor? Please contact us: info@cisalliance.org, www.cisecurity.org, 518.880.0699

