Cybersecurity Quarterly (Summer 2019) by Cybersecurity Quarterly

Cybersecurity Quarterly

Summer 2019

A Publication from

How Our Albert IDS Can Protect Your Network — Now and in the Future The New Malware on the Rise in 2019 The Best Defense Against CyberAttacks? A WellTrained Workforce Can Developing a Cyber Risk Framework for Information Protect us in 2020?

A New Way to Look at the CIS Controls® With the release of CIS Controls Version 7.1 comes one of our most requested updates — prioritization methodology of the CIS Controls and Sub-Controls — to make implementing our best practices easier than ever before

Improve Your Security Posture with Training from SANS Institute The Most Trusted Source for Information Security Training, Certification, and Research

SANS Institute partners with the Center for Internet Security to provide its top-rated information security training and awareness programs to State, Local, Tribal, and Territorial Government organizations at significantly reduced costs. Leverage this special partnership to ensure that your employees have the skills and experience necessary to protect your critical organization from cyber threats.

Program participants may purchase:

More than 40 hands-on courses are available OnDemand or live, online in the evenings via vLive.

Train and test staff of all levels on email, file storage, digital access, and general data security.

Special discounts are available during our summer purchase window June 1 - July 31, 2019

Contact partnership@sans.org, or visit www.sans.org/partnership/cis for more information.

Cybersecurity Quarterly

Contents

Featured Articles

Quarterly Regulars

Confidence in the Connected World Summer 2019 Volume 3 Issue 2 Founded MMXVII Editor-in-Chief Michael Mineconzo Copy Editor Shannon McClain

Staff Contributors Sean Atkinson Justin Burr Brian Calkin Josh Franklin Paul Hoffman Joshua Palsgraf Aaron Piper Aaron Wilson

Summer 2019

A New Way of Looking at the CIS Controls Exploring new updates to the CIS Controls to make them easier than ever to implement in your organization

Securing Your Network with Albert A look at how CIS' intrusion detection system provides cost-effective protection against cyber-attacks

Cybersecurity in 2019: Preparing Your Organization for the Next Threats The best defense against cyber-attacks is a well-trained infosec workforce

Developing a National Cyber Disinformation Threat Response Network Can a cyber risk framework for information protect us from foreign actors in 2020?

Quarterly Update with John Gilligan

News Bits & Bytes

Threat of the Quarter

Cyber Tips & Tricks

ISAC Update

Cyberside Chat

Calendar

Cybersecurity Quarterly is published and distributed in March, June, September, and December. Published by Center for Internet Security 31 Tech Valley Drive East Greenbush, New York 12061 For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460 Copyright ÂŠ 2019 Center for Internet Security. All rights reserved.

Cybersecurity Quarterly

Quarterly Update

with John Gilligan

“...As soon as we make progress against known threats, new and more potent threats emerge.” Welcome to the June issue of Cybersecurity Quarterly. The overall theme for this issue is: Examining the Future of Cybersecurity. Having been personally involved with cybersecurity for a long time, I admit to bouts of pessimism about our progress. It seems that as soon as we make progress against known threats, new and more potent threats emerge. Moreover, the increasing complexity of modern information technology and operational technology-based systems results in what might be considered routine efforts, like basic cyber hygiene, being very difficult to implement effectively.

examining emerging threats discusses TrickBot, the latest Trojan attack payload.

I recently participated in a conference that examined the potential of artificial intelligence (AI) and machine learning (ML) in cybersecurity. Frankly, I was not sure what to expect. The session was held at a classified level and had an excellent panel of government and industry speakers. I left the session with renewed optimism about the future of cybersecurity. In particular, the speakers uniformly believed that AI and ML hold the key to reversing the dominance of offensive cybersecurity over defensive cybersecurity. In short, the conference highlighted that automation of the implementation of routine system and network administration tasks, as well as increasingly sophisticated tools leveraging AI and ML are beginning to permit organizations to effectively analyze the enormous data that pertains to potential cyber events. We will look to examine this area in future Cybersecurity Quarterly issues.

An article that I found particularly interesting addresses the rapidly growing issue of how to identify disinformation campaigns. The fast evolution of social media as a means to distribute “news” has resulted in difficulty in separating fact from opinion or fact from fiction. This is an area where there will continue to be significant attention from the technical and policy communities.

Additionally, CIS’ CTO Brian Calkin provides an overview of our Albert network monitoring technology. His overview discusses Albert’s current network security functionality, and addresses planned enhancements to the existing Albert devices. An excellent article from SANS provides advice on developing and maintaining the workforce needed to deal with the next generation of cyber threats.

Cyber Tips & Tricks provides advice for how to deal with a cyber breach. Finally, CIS’ CISO, Sean Atkinson, addresses the need to automate security and the potential use of “chaos-based tests” as a way to make progress in countering evolving threats. I hope you enjoy this quarter’s selection of topics as much as I have. Best Regards,

We start this quarter’s issue with an overview of the latest update to the CIS Controls. The primary addition in Version 7.1 is the inclusion of the concept of Implementation Groups. Three Implementation groups were developed through a consensus process to provide a “roadmap” for organizations as they implement the Controls. An additional article

John M. Gilligan President & Chief Executive Officer Center for Internet Security

Summer 2019

Always on Guard Albert

Network Security Monitoring & Analysis Specialized threat identification for U.S. State, Local, Tribal, & Territorial (SLTT) government entities. 24x7 Security Operations Center Unique SLTT-focused signature set Cost-effective solution Passive, fully managed intrusion detection system

Download Free Guide â&#x2020;&#x2019;

Cybersecurity Quarterly

News Bits & Bytes The Water Information Sharing and Analysis Center (WaterISAC) and the Multi-State Information Sharing & Analysis Center® (MSISAC®) have announced a new partnership to improve cross-sector collaboration between the water and wastewater sector and the U.S. State, Local, Tribal, and Territorial (SLTT) government sectors. The partnership reflects the interdependences between the two sectors. Leveraging each other’s strengths, the organizations will collaborate to monitor, analyze, and notify members of cybersecurity risks, vulnerabilities, and threats and enhance the cybersecurity of their respective members. CIS® has been named a 2019 Top Workplace among mid-sized companies in the New York State Capital Region by the Times Union for the fifth time. The Times Union partnered with Philadelphia-based Energage to determine the Capital Region's Top Workplaces. The results are based solely on an employee survey process. CIS added 63 new full-time employees in 2018, and the organization’s workforce increased 36 percent to a total of 176 employees. Enhancements to the CIS benefits programs made in 2018 include a paid volunteering program and extended bonding leave benefits for new parents. CIS also prioritized the integration of a progressive performance management system that supports engagement and professional development. CIS Hardened Images™ on Shielded Virtual Machines (VMs) are now available in the Google Cloud Platform (GCP) Marketplace. CIS Hardened Images are virtual machine images that have been preconfigured according to the security recommendations of the CIS Benchmarks™. A CIS Hardened Image incorporates the security recommendations outlined in the CIS Benchmark applicable to the operating system. Shielded VMs ensure organizations are only using trusted,

supported images. Shielded VMs on Google Cloud are beneficial because they protect VMs against advanced threats, ensure workloads are trusted and verifiable, protect secrets against exfiltration and replay, and offer live migration and patching. For more information, view our blog post. The Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) is now a member of the National Council of Information Sharing and Analysis Centers (NCI). The NCI serves as a forum for sharing physical and cyber threat and response information across sectors and as a gateway for federal agencies and other partners to reach the ISAC community. Established by the nation’s critical infrastructure sectors, ranging from airlines to water utilities, ISACs support a majority of U.S. private critical infrastructure with threat information and analysis, mitigation resources, and other services. The NCI also has an operational role following incidents of national significance. The Global Cyber Alliance (GCA) announced an over $1 million gift from Craig Newmark Philanthropies to help provide critical cybersecurity protections for the media and journalists, and for elections offices and community organizations as they prepare for the 2020 U.S. presidential election. The GCA toolkits will provide concrete and effective means for these groups to better secure themselves against malicious actors who aim to attack the organizations and people that facilitate our democratic process. Included in the toolkits, and made available at no cost, will be operational tools, clear guidance, and recommendations, all designed to significantly reduce cyber risk and shore-up defenses. The toolkits will follow the CIS Controls cybersecurity best practices.

valimail.com

Summer 2019

STOP FRAUDULENT USE OF GOVERNMENT DOMAINS WITH AUTOMATED DMARC ENFORCEMENT 4 Blocks phishing, spoofing, W-2 attacks, wire fraud attacks of state + local domains 4 Only FedRAMP-authorized DMARC solution 4 Never compromises or exposes PII/PHI 4 Requires minimal resources for implementation + management

Get a free domain analysis at valimail.com/domain-analysis4

Cybersecurity Quarterly

A New Way to Look at the CIS Controls How our latest update to the CIS Controls can make implementing their recommendations in your organization easier than ever. By Josh Franklin & Aaron Piper The CIS Controls are internationally-recognized cybersecurity best practices for defense against common threats. They are a consensus-developed resource that brings together expert insight about cyber threats, business technology, and security. The CIS Controls are used by organizations with varying resources and risk exposure to build an effective cyber defense program. In our experience, however, organizations of every size and complexity still need more help to get started. To help, we developed the latest version of the CIS Controls, CIS Controls V7.1.

What’s New in V7.1 Implementation Groups (IGs) – a new prioritization for the CIS Controls, at the Sub-Control level. A detailed methodology to help organizations assess which IG they fall within. Edits requested by the global community that clarify certain CIS Controls and Sub-Controls.

A New Way to Look at the CIS Controls The IGs are self-assessed categories for organizations based on relevant cybersecurity attributes. Each IG identifies which CIS Controls, at the Sub-Control level, are reasonable for an organization with a similar risk profile and

The CIS Controls are used by organizations with varying resources and risk exposure to build an effective cyber defense program... However, organizations of every size and complexity still need more help to get started. To help, we developed CIS Controls V7.1. resources to implement. The IGs are a simple and accessible way to help organizations classify themselves and focus their security resources and expertise while leveraging the value of the CIS Controls best practices To develop the IGs, we first identified a core set of Sub-Controls that organizations with limited resources, expertise, and risk exposure should focus on. This is IG1, which combines effective security value with technology and processes that are generally already available. IG1 also provides a basis for more tailored and sophisticated action in situations which call for it. The CIS Sub-Controls in IG1 represent “Cyber Hygiene” – the essential protections that must be

Summer 2019

CIS Controls V7.1

put into place to defend against common attacks. All organizations, regardless of which IG they are categorized as, would complete the Sub-Controls identified in IG1. Each IG builds upon the previous one. IG2 identifies additional Sub-Controls for organizations with more resources and expertise than those in IG1, but also greater risk exposure. Finally, the rest of the Sub-Controls are included in IG3.

on implementing the CIS Sub-Controls within that IG. You’ll be off to a great start defending your assets in cyberspace.

Introducing the CIS Controls Assessment Module

In cybersecurity, it can be challenging to identify what you should be doing to protect your organization and measure if you’re actually doing it – but it doesn’t have to be. The CIS Controls Cyber Hygiene and Beyond Assessment Module was released to the community to help your organization assess its adherence Through the development of CIS Controls V7.1 and to established best practices. The CIS Controls the Implementation Groups, businesses from around Assessment Module is a new, semi-automated way the world can more easily: to measure your organization’s application of CIS Controls Implementation Group 1 in Windows Create an effective cybersecurity program on a 10 environments. The 43 CIS Sub-Controls in budget Implementation Group 1 are assessed using a combination of scripts and survey questions. Practice cyber hygiene with limited resources and expertise Leveraging CIS-CAT Prioritize their cybersecurity efforts To get started, download the CIS Controls V7.1 and identify your organization’s IG. Once you’ve determined which IG is appropriate, you can focus

The CIS Controls Assessment Module runs inside of CIS-CAT Pro Assessor v4, leveraging the tool’s ability to conduct both local and remote assessments. The results are compatible with CIS-CAT Pro Dashboard. This allows CIS SecureSuite® Members

Cybersecurity Quarterly

to use the familiar CIS-CAT Pro Dashboard features such as viewing individual assessment results and generating graphs to show compliance over time. In addition to being available to CIS SecureSuite Members in CIS-CAT Pro Assessor v4, the CIS Controls Assessment Module for Implementation Group 1 in Windows 10 environments is also available for free in CIS-CAT Lite v4.

How Does the Module Work? PowerShell scripts are used to automate 13 of the CIS Sub-Controls in Implementation Group 1: 3.4, 4.2, 6.2, 8.2, 8.5, 9.4, 10.1, 10.2, 10.4 13.6, 15.7, 16.9, and 16.11. Some have customizable values that can be configured to better fit your organization. (Note: these values can be set in the Assessor Properties file, which is different than tailoring in CIS WorkBench.) These values include minimum password length, days allowed since the last system image backup, days of inactivity before an account is considered dormant, and maximum allowable seconds for the screen timeout. Some Sub-Controls are more procedural in nature and don’t really lend themselves to automation. For instance, many of the Organizational Sub-Controls (CIS Controls 17-20) fall into this category. Survey questions are used to address these Sub-Controls. Self-assessed answers can be saved in the Assessor Properties file and will be applied to any CIS Controls Assessment Module scans. Then, when something changes (i.e., when your organization implements a new Sub-Control), these answers can be updated for future assessments. Alternatively, questions can be set to be answered interactively by modifying the Assessor Properties file. Any interactive questions will be asked on the command line in CIS-CAT Pro Assessor for each of the machines in the assessment. There are three profiles available using the CIS Controls Assessment Module, allowing you to run: Just the automated checks Just the survey questions Both the automated checks and the survey questions for full coverage of Implementation Group 1

At CIS, we believe in collaboration. Working with a global community to develop, validate, and promote cybersecurity best practices is what we’re all about. Growing Together At CIS, we believe in collaboration. Working with a global community to develop, validate, and promote cybersecurity best practices is what we’re all about. So, where will the CIS Controls Assessment Module go next? We’d love to hear your thoughts! Join the CIS Controls Assessment Module community and help us grow this new feature. It’s all taking place on our collaborative CIS WorkBench forums. Get started with the CIS Controls Assessment Module for free using CIS-CAT Lite. If you're already a member, you can login to CIS WorkBench to download the latest version and access full reporting features via CIS-CAT Pro Dashboard and more with CIS SecureSuite Membership.

Josh Franklin is a Senior Cybersecurity Engineer at the Center for Internet Security (CIS). He is the product owner for CIS Controls Version 7.1 and the upcoming Version 8. He is also focused on developing companion guides for mobile and Internet of Things (IoT) technologies. Prior to CIS, Franklin researched enterprise mobile security, cellular security, and electronic voting at National Institute of Standards and Technology (NIST). While at NIST, he managed the mobile security laboratory at the National Cybersecurity Center of Excellence (NCCoE). Franklin graduated from George Mason University with a Master of Science in Information Security and Assurance. Aaron Piper is a Senior Controls Content Development Lead at the Center for Internet Security (CIS) for the organization's Security and Best Practices Group. He is mainly focused on the automation of our CIS Controls Assessment Tool. Prior to CIS, Piper worked at the National Security Agency (NSA) for about 10 years.

Summer 2019

SECURITY THREATS MAY CHANGE, BUT AKAMAIâ&#x20AC;&#x2122;S ABILITY TO STOP THEM DOES NOT.

Cyber security in a hyper-connected world requires enterprise protection at the Network, Application and Data Center. Come see why the majority of the cabinet-level departments and all branches of the US Military trust the Akamai Threat Intelligence platform at carahsoft.com/innovation/Akamai-cyber.

Cybersecurity Quarterly

Threat of the Quarter This Quarterâ&#x20AC;&#x2122;s Threat: TrickBot

The TrickBot banking trojan is an increasingly common threat to SLTT governments. As shown to the right, it has steadily climbed the MS-ISAC Top Ten Malware list, where it was number four in April and number two in May. TrickBot infections have nearly doubled during the first two quarters of the year, increasing 115 percent per month. In the second quarter alone, the MSISAC observed TrickBot activity across 24 states. TrickBot is a modular banking trojan that uses man-in-the-browser attacks to steal financial account information, such as login credentials for online banking sessions. TrickBot is either disseminated via malspam campaigns or dropped by other malware. Once on a system, TrickBot will disable antivirus, propagate throughout the network, sets up the man-in-the-browser attacks, and potentially drop other malware.

TrickBot infections have nearly doubled during the first two quarters of the year, increasing 115 percent per month. In the second quarter alone, the MS-ISAC observed TrickBot activity across 24 states. 12

TrickBot infections are often accompanied by additional malware infections. It is known to be dropped by other malware, most notably by the Emotet. Additionally, TrickBot is specifically known to drop Ryuk and GlobeImposter ransomware. Multiple malware infections may greatly complicate the process of remediation. The MS-ISAC observed an increase in cases where there were multiple variants of malware dropped onto infected systems after a TrickBot infection. In some instances, TrickBot was able to successfully disable endpoint antivirus applications, allowing the infection to spread across the network and compromise hundreds of systems. For example, the MS-ISAC CERT recently assisted an organization with a TrickBot and Ryuk ransomware infection. In this incident, TrickBot successfully disabled the organization's endpoint antivirus application, spread throughout their network, and ended up infecting hundreds of

Summer 2019

endpoints and multiple servers. Since TrickBot is a banking trojan, it likely harvested and exfiltrated financial account information on the infected systems prior to dropping the Ryuk ransomware infection. After Ryuk was dropped throughout the network, it encrypted the organization’s data, leaving ransom notes on the machines.

How it Works The malspam campaigns delivering TrickBot use third-party branding familiar to the recipient, such as invoices from accounting and financial firms. The emails typically include an attachment, such as a Microsoft Word or Excel document. The opened attachment will prompt the user to enable macros, which executes a VBScript to run a PowerShell script to download the malware. Once downloaded, TrickBot (being VM aware) will run checks to ensure it is not in a sandbox environment. Then it attempts to disable antivirus programs, such as Microsoft Windows Defender. Once executed, TrickBot redeploys itself and creates a scheduled task that provides persistence. To download its modules, it starts communicating with command-and-control (C2) servers. These C2 servers are constantly changing and are used to download additional modules which are formatted as Dynamic Link Libraries (DLLs). One of TrickBot’s main features is its man-inthe-browser attacks that target online banking session information. It uses two types of web injects, a redirection attack and a server side injection. A redirection attack sends victims to fraudulent banking site replicas when they navigate to certain banking websites. This fake website is hosted on the cyber threat actor’s (CTA) malicious server and harvests the victim’s login

The malware is continuously updated with new modules and versions. These updates enhance TrickBot’s sophistication by giving it the ability to perform reconnaissance, steal information, and propagate across a network. information. A server side injection intercepts the response from a bank’s server, injects additional client-side code into the webpage, and can steal the victim’s banking credentials through form grabbing. Form grabbing records sensitive information typed into HTML forms, rather than capturing all keystrokes as with a keylogger. The malware is continuously updated with new modules and versions. These updates enhance TrickBot’s sophistication by giving it the ability to perform reconnaissance, steal information, and propagate across a network. These modules, not including its main web injection modules, can be categorized into three categories based on their function: System/Network Reconnaissance modules harvest information that is specific to the system the malware is being run on. Credential and User Information Harvesters harvest all types of data from the infected system through various manors. Network Propagation modules are designed to gain access to the entire network that the initial infected system is connected to.

Recommendations SLTT governments should adhere to best practices, such as those described in the CIS Controls, which are included in CIS SecureSuite® Membership. The MS-ISAC recommends organizations adhere to the full list of recommendations in the MS-ISAC TrickBot Security Primer, to limit the effect and risk of TrickBot to your organization.

Cybersecurity Quarterly

Securing Your Network with Albert How CIS' Albert intrusion detection system uniquely protects our members' networks from cyber-attacks — and how we plan on staying ahead of malicious actors in the future By Brian Calkin One of the core cybersecurity services offered by CIS is its network monitoring service known as Albert. This Intrusion Detection System (IDS), which uses open source software combined with the expertise of the CIS 24x7 Security Operations Center (SOC), is primarily focused on identifying malicious activity either leaving or entering an organization’s network infrastructure. In order to achieve the broadest level of visibility in a cost-effective way, the service relies upon passive sensors sitting at the outermost edge of an organization’s network perimeter, monitoring traffic by way of a network tap or span port on a network switch or router.

How Albert Works Albert’s primary means of detecting and reporting malicious activity is by leveraging an opensource, high-performance, signature-based detection engine running a unique and targeted signature set. These signatures are developed by CIS leveraging multiple sources, including commercial signatures for standard malware and crimeware, advanced persistent threat (APT) indicators, and our own in-house research and reporting on specific threats to U.S. State, Local, Tribal, and Territorial (SLTT) government networks. Additionally, it also monitors raw network packets and converts data into a netflow format for efficient storage and analysis of historical data.

Once malicious activity is identified, Albert collects data on the threat, and then compresses, encrypts, and sends the generated alert to CIS’ 24x7 SOC. There, a SOC analyst reviews and validates the alert for malicious activity. Once the alert is analyzed and verified as actionable, our SOC notifies the affected organization on the threat and related data, such as which IP addresses are affected, the identified issues, mitigation recommendations, and all traffic associated with the event. Currently, over 400 Albert devices are deployed throughout the country, continuously monitoring our members’ networks for malicious activity. Collectively, these devices log 85 billion log lines a day and up to 37 petabytes a month as they monitor the traffic flowing through our members’ network infrastructure. The Albert monitoring service plays an integral role in helping the MS-ISAC protect our over 6,000 SLTT members and the over 48,000 domains actively monitored by our SOC.

Using Historical Data for Future Protection In addition to alerting your organization on malicious activity in real-time, Albert also makes available a comprehensive monthly activity report, summarizing the malicious activity identified by each sensor deployed in your organization’s

Summer 2019

environment. These reports provide details for all actionable alerts for the previous month, statistics on data such as total alerts generated vs. actionable alerts, as well as a review of the total volume of monitored traffic. Traditional network security monitoring services alert on malicious activity from the time a signature is deployed, going forward. However, by leveraging netflow logs, the CIS SOC can review data retroactively to search for malicious activity. This allows previous network activity to be searched for specific threats reported by partners, as well as further investigation of any major concerns identified in the network environment. The CIS SOC also maintains a 24x7 hotline for answering questions or querying this netflow data.

The Next Generation of Albert While the Albert IDS service offers a smart and cost-effective network monitoring solution, as with any technology in our industry, we must continually update and advance to stay up-to-speed with the ever-changing threat landscape. Later this year, our team will be upgrading the open-source IDS engine that serves as the foundation of Albert to a new version, improving the service’s overall performance significantly. Today, nearly half of all monitored network traffic is encrypted and it is expected that the percentage will increase, especially as more malware utilizes encrypted channels to transmit and receive data from compromised systems. In response to this, our team will be enhancing our ability to analyze and alert on malicious encrypted traffic. Moving forward, we will also be looking at enabling other data types for collection and analysis. Looking further ahead, our engineering team has even more impactful improvements and upgrades planned for our Albert IDS in 2020 that will revolutionize the service for our members in state, local, tribal, and territorial government organizations that utilize it. These changes will expand Albert’s capabilities and help it better address the changing IT enterprise environment, as well as the new technologies and services being integrated into our users’ networks. Stay tuned later this year for updates on all of the exciting new advancements we

have planned for Albert in the near future. We hear time and time again from our members that our Albert IDS service, supported by our experienced team of analysts, provides a valuable and cost-effective solution for monitoring and protecting the networks of SLTT governments from the most prevalent and dangerous cyber threats. “We can rest a little bit easier now knowing that you are always monitoring our internet traffic for malicious activity.” "Unless MS-ISAC has a rating system like Yelp where I can give you five stars and a positive review, I think we are set. Thanks for everything!” "We take advantage of many ‘no-charge’ services that MS-ISAC provides its members and we have found that the ‘at fee’ services like our Albert Sensor monitoring enhance our security program in a very cost-effective manner." As the threat landscape continues to change, so too must the tools we utilize to detect and mitigate those threats. As such, CIS plans to continue to improve and augment our existing Albert network monitoring solution with new capabilities that will help SLTTs protect their networks against known, as well as unknown, malicious activity in their organizations. Together we can stay one step ahead of malicious actors that may try to harm your organization, your employees, or your citizens. Brian Calkin is the Chief Technology Officer of CIS. He is responsible for establishing CIS’ technological vision, technical strategy, and technology-related plans for growth. Calkin also supervises CIS’ Internal Research and Development program. Previously, he served as the Vice President of Operations at CIS. In that role, his responsibilities included overseeing all aspects of CIS Operations activities, including the CIS Security Operations Center (SOC) and the Computer Emergency Response Team (CERT). Calkin earned a Bachelor’s of Science in Applied Networking and Systems Administration from the Rochester Institute of Technology and a Master’s of Science in Information Assurance from Norwich University.

Cybersecurity Quarterly

Cybersecurity in 2019: Preparing Your Organization for the Next Threats Cyber-attacks are becoming more sophisticated and frequent. The best defense against this growing threat is a well-trained information security workforce By Scott Cassity As the electronic connectivity of our lives and businesses continues to grow, so do the risks to our information and assets. Each year, more and more respected brands are being exploited as cyber-attacks become more sophisticated. Cyberrelated incidents and the number of individuals or customers impacted by them are only going to continue to increase. We are entering an era where it’s not if your data will be breached, but when. An attack on your company’s assets or data has a tremendous impact on finances and brand. The only way for organizations to prepare and respond to cyber threats is to attract and retain cybersecurity professionals with cyber defense certifications and the expertise necessary to manage the evolving cyber landscape.

Cyber-related incidents and the number of individuals or customers impacted by them are only going to continue to increase. We are entering an era where it’s not if your data will be breached, but when. 16

Cyber threats are a moving target for every type of organization as attacks become more sophisticated and impactful. Organizations that are best prepared for malicious tactics are not just anticipating attacks correctly, but also have a team of capable, certified practitioners with specialized cyber knowledge and real-world applicability of their skills.

Enterprise Cyber Vulnerabilities Will Continue to be Exposed in 2019 In 2018, respected companies had well-publicized data breaches impacting millions of customers. Some of the most notable ones that occurred during the year included: A database attack at Exactis exposed 340 million personal information records. Hackers stole user information from almost 30 million people on Facebook. Vulnerabilities in UnderArmour’s MyFitnessPal health tracker accounts resulted in the theft of 150 million users’ personal data. According to Thales e-Security’s 2018 Data Threat Report, US federal agencies are experiencing a high rate of incidents, with 71% of IT security professionals reporting at least one data breach.

Summer 2019

According to Symantec, cybersecurity predictions for 2019 foresee more and more major corporate systems under attack. They predict that more organizations, governments, and individuals will be impacted by the following cyber threat events in 2019: Exploitation of Artificial Intelligence (AI) Systems; use of AI to conduct cyber-attacks; and increased use of AI to identify vulnerabilities and counter attacks Attack reach will increase as 5G network capability rolls out Internet of Things (IoT) massive botnet attacks will be more widespread and impactful as use of homebased IoT devices increase Data-in-transit breaches to organizations and individuals will continue to rise Supply chain attacks will continue to increase in numbers and become more sophisticated

Don’t React; Certify the Cyber Defense Skills of Your InfoSec Force What can your organization do to ensure you have the specialized expertise to respond to the imminent threats on your company’s assets and customer information? Hiring and maintaining individuals with subject matter expertise and knowledge of cybersecurity best practices will be the most important part of your company’s

According to Symantec, cybersecurity predictions for 2019 foresee more and more major corporate systems under attack. They predict that more organizations, governments, and individuals will be impacted by cyber threat events in 2019. cybersecurity strategy. The most effective training and certification programs should provide not only up-to-date knowledge and methods, but also true hands-on cybersecurity skills that go beyond theory, such as those offered by GIAC. By ensuring your employees have a mastery of specific jobs duties and technologies means that no matter how the cyber threat landscape evolves next, you can count on your information security workforce to defend your enterprise against even the most sophisticated of attacks. Be prepared for cybersecurity risk in 2019: hire the right cybersecurity professionals with the right credentials for each role on your team. Keep your team's skills sharp by encouraging your current information security workforce to strengthen their knowledge with wellrespected training and certification programs. Scott Cassity currently serves as the Managing Director of the Global Information Assurance Certification (GIAC) organization at SANS Institute and Board Member at the SANS Technology Institute. Cassity provides leadership and business development strategies to ensure best practices when developing the cybersecurity workforce. Cassity also serves several non-profit endeavors in his community. He is the current President of ChildHelp of East Tennessee, a children's advocacy organization. Cassity holds an Master of Business Administration from Vanderbilt University's Owen Graduate School of Management, and a Bachelor of Business Administration from University of Kentucky. For more information on GIAC certifications, contact media@giac.org.

Cybersecurity Quarterly

Developing a National Cyber Disinformation Threat Response Network After a foreign-led disinformation campaign wreaked havoc on the 2016 elections, should the federal government develop a cyber risk framework to stop a repeat in 2020? By Benjamin J. Brostoff Russian interference in the 2016 elections revealed a significant gap in our cyber defenses. A centralized disinformation campaign combined with “Active Measures” divided and confused Americans, sowing doubt in the democratic process. These Active Measures are central to Russia’s new warfighting strategy, and while social media companies are improving in their efforts to identify and delete disinformation from Russia and elsewhere, there is more to be done. Current cyber risk management frameworks do not address “information” as a distinct category, nor do they contain controls that can be applied easily to social media. A 2018 investigation on Russian Active Measures conducted for the House Permanent Select Committee on Intelligence recommended that “Congress should identify options available to the private sector and federal government that would address the social media vulnerabilities exploited by the Russian government.” As a partial response, this article suggests developing controls and related processes to identify and deal with disinformation in social media before it becomes a problem. Active Measures seek to damage public trust in institutions, public discourse, and facts in general. These Active Measures were employed as part of

Current cyber risk management frameworks do not address “information” as a distinct category, nor do they contain controls that can be applied easily to social media. the build-up phase of Russia’s New Generation Warfare strategy for annexing the Crimean Peninsula in 2014. For an example closer to home, we need look no further than Russian interference in the 2016 election. A Congressional study pointed out that, because of Active Measures, “for more than a year, U.S. politics have been consumed by bitter recriminations, charges, and countercharges about the attacks. The reliability of the democratic vote – the bedrock of the U.S. republic – was widely and repeatedly questioned” (House of Representatives: Report on Russian Active Measures, 2018). These attacks can and should be mitigated with a coordinated approach by professionals using familiar management frameworks. Active Measure Management will necessarily overlap with more standard risk management strategies in the same way we must consider whether the lock on the server room door belongs in the Cyber Risk framework or in the Physical Risk framework.

Summer 2019

For an Active Measure Management Framework addition to a Cyber Risk Management Framework, I introduce a single new asset type, “Information.” Information is the key for a functioning democracy; it changes how voters make their decisions. This is why the Russians attack our information, and this is why we find that mass disinformation campaigns injure us so severely. Many cyber risk control frameworks deal with the security of data, but they generally avoid the provenance, authentication,

Control Title

and tagging of the information that data actually represents. For example, a company may implement TLS to make sure that data is transmitted securely, but if a valid user is on the other end of the line, a user could be duped into accepting manipulated data. Thinking of “Information” as a new type of asset, some possible controls include those listed in the chart below:

Asset Type

Security Function

Control Descriptions

Information

Identify

Identify key sources of information

Create a system to identify how users get their information.

Information

Protect

Maintain information integrity

Ensure Americans have access to quality information sources.

Information

Identify

Identify key influencers of opinion

Create a system to identify people who are levers of public opinion

Information

Protect

Protect influencers from foreign manipulation

Actively protect influencers from foreign manipulation.

Information

Identify

Identify contributors of opinion

Create a system to identify nodes of opinion

Information

Respond

Investigate opinion manipulation

If baseline public opinion trends out of the ordinary, it should be investigated for manipulation

Information

Protect

Authorize opinion contribution

Create a system to attribute opinion contribution to specific individuals. This allows for disclosure of manipulation and foreign ties.

Information

Protect

Authenticate General Hayden’s news worthiness strategy, for information contribution example.

Information

Protect

Establish confirmation bias reporting

Create a system to highlight to users the level of confirmation bias a piece of information might contain. For example, if Facebook is only providing conservative or liberal political content, users should be made aware.

Information

Respond

Establish and monitor reporting center

Create a system whereby the public can request investigation into potential Active Measure manipulation.

Cybersecurity Quarterly

Developing a framework to detect information warfare campaigns requires creating technologies to detect them. One major insight revealed during investigation of possible threat scenarios is the need for a national online authentication scheme. To quote former NSA and CIA Director General Michael Hayden, “in the informational space, all right, the Russians are Americans, all right? The identity they assume is you and me” (CSIS, 2018). Dealing with the Active Measures translation of this threat, where these attacks occur over social media, requires a strategy very similar to a zerotrust framework. It is well within the American government’s right and cryptographic capability to produce some sort of secure opt-in authentication mechanism for its citizens. Not every website would want to use it and protecting internet freedoms is essential for growth and free exchange of ideas. Some sites will not and should not implement the system to maintain anonymity, but it is possible the New York Times would not like their comment section inundated by Russian trolls and bots. Such an authentication mechanism would enable websites to ensure only Americans can contribute opinions or information and is an example of a control that could be created to manage Active Measures. Another idea is to baseline public opinion by using domain-specific sentiment lexicon monitoring to detect changes in the ways people express themselves on social media. The foundation for understanding this system is simple: an information warfare campaign seeks to change a group’s attitude or belief about an idea. Therefore, if we can detect the change in attitude, we can detect

the information warfare campaign. Sentiment change between times should take place within a statistically calculable range of values. Extreme values exhibited as a result of observable outside events could be filtered out by analysts, while inflection points in rates of change would indicate a likely outside disruption, as illustrated in the example chart below. In this way, we can know precisely when an information warfare campaign has begun. A system like this has never been created, but could be implemented by either large social media companies or a government with access to their data. In conclusion, the government has only begun to address the concerns that Active Measures raise for our society. If our adversaries can manipulate our elections in the face of the combined might of the CIA, NSA, FBI, and hundreds of other three letter agencies, they have clearly hit a blind spot. Expert discussion is needed to determine further potential security controls and this should not be considered a comprehensive list. With further research and a “whole-ofgovernment” response to Active Measures, a proper threat management strategy can be utilized to mitigate impact and ensure the democratic process operates free of foreign influence. As an expat web developer and entrepreneur in China, Benjamin Brostoff learned firsthand of the influence and accessibility of the so-called Chinese “Water Army.” After returning home, he began his cybersecurity career and leveraged his previous experience to develop methods for combating the spread of false information. Brostoff holds a Bachelor’s Degree in Mathematical Economics from Pomona College and a Masters of Science in Security Informatics from Johns Hopkins University. He is currently honing his technical skills at The Aerospace Corporation.

Summer 2019

Krollâ&#x20AC;&#x2122;s experienced leaders help clients make confident decisions about people, assets, and operations across the globe.

INVESTIGATIONS AND RISK MANAGEMENT SOLUTIONS Cyber Security & Incident Response

Business Intelligence & Due Diligence

Fraud & Corruption Investigations

AML & ABC Compliance

Asset Search & Recovery

Third-Party Screening

Dispute Advisory & Litigation Support

Security Risk Management

kroll.com 21

Cybersecurity Quarterly

Cyber Tips & Tricks This Quarter’s Tip: So, You've Been Impacted by a Data Breach; Now What? by Joshua Palsgraf, Cyber Intelligence Analyst, MS-ISAC One of the unfortunate truths in this world is that, sooner or later, you will be impacted by a data breach. Once this happens, how does one go about rectifying the situation, making sure that the impact to you personally is minimized? This seemingly daunting task can be simplified as long as you understand and follow these simple steps. First and foremost, confirm that there was indeed a data breach that impacts you. Sometimes, companies will send out notifications to alert you of a data breach. Even if you receive a notification, you should do an Internet search to ensure there was an actual data breach that occurred to a company or organization holding your information. According to this year’s Version Data Breach Investigations Report, there were 2,013 confirmed data breaches. When I think I may have been impacted by a data breach, I check https://haveibeenpwned.com/. This website allows you to check if your personal data has been compromised by a public database dump or post. You can check by searching for your email address, username, or password through their database. The site only checks publicly available database dumps and is not all inclusive. Therefore, it should be used in conjunction with an Internet or news search if you think you may have been impacted by a data breach. Next, determine what the data breach means for you. Your research in step one may find that there is no impact to you, or that it impacts you in a drastic way. When it comes to data breaches, you can think of information as belonging to three loose categories. The least sensitive category represents information that is publicly available, such as information that can be easily found online or in a phone book. This would include information like one’s name and address. The second category, sensitive information, would include information not publicly available that is considered to be sensitive, such as email addresses, dates of birth, or

payment card information. This is information that can result in activity, such as fraudulent charges on a stolen credit card or increased spam emails. The last category, most sensitive, is made up of sensitive personal identifiable information. This information includes social security numbers, online account usernames and passwords, passport numbers, and sensitive financial account information. For awareness, these categories are extremely loose and some information, such as one’s name and date of birth, separately can seem to be in different categories. However, when used together, the sensitivity of the information increases, due to its increased ability to identify someone. The last step is to take action based on the impact of the data breach. How exactly you are impacted will affect the type of action you need to take. When it comes to information in the least sensitive category, there is not much one can do except stay vigilant and keep the knowledge of this breach in the back of your mind. On the other hand, if you have information impacted from the other two categories, there are specific actions you can take. When it comes to these categories, the action depends on what specific information is affected by the data breach. For example, if your credit card information is affected, you can contact your credit card company and cancel your credit card. If your passwords are affected, change all passwords believed to be affected. For information on passwords, reference our MS-ISAC Newsletter. If you believe financial information is impacted, contact major consumer creditreporting bureaus (Equifax, Experian, Innovis, TransUnion) and ask for a fraud alert to be placed on your name. Lastly, if you think your identity is stolen, immediately report the theft to the federal government at https://identitytheft.gov/. This site will help you go through what happened and will help you create a personalized recovery plan.

Summer 2019

Gallagher at a Glance Gallagher has been designing solutions to meet our clients’ unique needs for 90 years. Founded in 1927 by Arthur J. Gallagher, we pioneered many of the innovations in risk management used by businesses in all industries today. We believe that the best environment for learning and growing is one that remembers the past and invents the future. A global corporation with more than 710 offices in 33 countries, Gallagher is a company with 24,700+ family members driven by our strong heritage and culture.

Gallagher’s Cyber Liability Practice Gallagher’s Cyber Liability Insurance professionals are dedicated to a holistic philosophy of approaching cyber risk. Our practice provides innovative insurance policy solutions and also offers comprehensive cyber risk management services. Our robust risk management services platform includes: • Proprietary Cyber Insurance • Best Practices (policies, articles, Limits Modeling / Third-Party white papers, and webinars) • Incident Response Planning Benchmarking / Cost of a Breach • Complimentary Preventive Services Calculator / Quantitative Cyber • Strategic Vendor Relationships Analysis • Insurance Coverage Gap Analysis • Insurance Policy Design and / Broker Table Top Exercises / Implementation • Contract Analysis Insurance Policy On-Boarding • On-line Network Assessments

Gallagher’s CIS Value Added Cyber Enhancement Amendatory Gallagher has taken the opportunity to negotiate an exclusive CIS enhancement amendatory endorsement that expands the insurance terms provided by Everest Insurance® for CIS SecureSuite® membership. This endorsement will be provided to CIS SecureSuite® Members exclusively through Gallagher. This industry leading cyber insurance amendatory provides broad enhancements to the existing Everest policy language. CIS SecureSuite® Members may be eligible for a 10% discount and the Gallagher CIS Amendatory upon submitting a completed application (Everest Cyber Elevation Application - CIS Version) to SecureSuiteSubmissions@everestre.com with a carbon copy to Aimee_McNulty@ajg.com.

Learn more at AJG.com/Cyber Ethical disclaimer: “Arthur J. Gallagher & Co. has been recognized as one of the “World’s Most Ethical Companies” in 2012, 2013, 2014, 2015, 2016, 2017 and 2018. “World’s Most Ethical Companies” and “Ethisphere” names and marks are registered trademarks of Ethisphere LLC. Gallagher Disclaimer: The information contained herein is offered as insurance industry guidance and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer legal advice or client-specific risk management advice. Any description of insurance coverages is not meant to interpret specific coverages that your company may already have in place or that may be generally available. General insurance descriptions contained herein do not include complete insurance policy definitions, terms, and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis. Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).

Cybersecurity Quarterly

ISAC Update MS-ISAC & EI-ISAC Membership Continues its Rapid Growth for 2019

CIS Launches Election Technology Procurement Guide

Results for the second quarter of 2019 have seen the MS-ISAC and EI-ISAC team maintain the momentum we built through 2018 and the first quarter of 2019. We fully anticipate to add our 6,000th member in the early weeks of June 2019. As our team has continued their frenzied pace of criss-crossing the country for numerous speaking engagements and exhibit spaces, and making countless phone calls to prospective and current members while at the office, our dedicated team members have continued to foster incredible growth and help strengthen the cybersecurity defenses of the State, Local, Tribal, and Territorial (SLTT) community.

CIS led the development of A Guide for Ensuring Security in Election Technology Procurements, and its companion online tool, to assist election officials with ensuring security is properly accounted for in their election technology procurements.

For the MS-ISAC, our growth rates for tribal entities have been outstanding and we will be building upon our solid record of achievement within this sector. We are on pace for 100 Tribal members this year, which is a huge increase from the mere 40 members from the sector we had at this time last year. For the EI-ISAC, growth in membership among election entities is preceding apace and stands at nearly 1,700 entities. All in all, the second quarter of 2019 has been a major success! Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to the greater community. We are stronger and more connected than ever before!

With support from the Democracy Fund, the Guide was created to help the election community better obtain quality security outcomes in procurements. CIS worked with a group of election stakeholders from federal, state, and local governments, community associations, and election technology vendors to develop a set of best practices tailored to improve security in election procurements. There are several goals of having best practices for procurement. Some of the new Guideâ&#x20AC;&#x2122;s suggestions for election officials to help them make elections safer include: ask questions about security in a way that will elicit meaningful responses; evaluate responses to separate well-crafted language from truly secure solutions; incorporate the right language into contracts to foster quality ongoing contract management; and increase consistency in vendor expectation. To address these goals, the Guide provides helpful context for procurement decisions and 33 best practices that cover the categories of people, process, and technology. Each best practice provides suggested Request for Proposal language, ideas on how to tell good and bad responses apart, as well as helpful tips and other resources. This project includes an online tool that allows filtering and exporting of the best practices. This means election officials can tailor the best practices to the type of procurement, such as a procurement for cloud services for a critical system. Officials can use the exported best practices to copy and paste into Requests for Proposals, as an evaluation checklist, or however else they see fit.

Summer 2019

Cyberside Chat This Quarter's Topic: Controlling Chaos & Ideas for Future Cyber Defense by Sean Atkinson, Chief Information Security Officer, CIS A resiliency awareness has been introduced and made actionable through the coined term chaos engineering. The term and practice, developed by Netflix, takes an alternative approach to introduce and manage vulnerabilities, failures, and catastrophes within the IT environment. In practice, the approach involves purposefully using chaosbased tests where production systems would be taken offline to emulate a multitude of hardware issues in an effort to determine what actions will need to be addressed if such a systematic weakness occurs. Measuring the time and ability to respond to systematic weaknesses manually or through load balanced, automated methods allowed Netflix to determine the level of resilience within their environment. Actionable intelligence provided Netflix the ability to determine gaps that could potentially disrupt continuous delivery to their customer base. In my opinion, this is revolutionary. This approach moves the ball forward to not allow the disruption of random events and response activities when they occur, but also to utilize that “randomness” as a method to capture the essence of incident response and reactive response to such events. It didn’t take long for others to see the potential, especially in cybersecurity. Adversarial attacks have long been part of the critical thinking philosophy

Actionable intelligence provided Netflix the ability to determine gaps that could potentially disrupt continuous delivery to their customer base. In my opinion, this is revolutionary.

of the “Red Team.” Now, the automatability of these attacks prove that applying security chaos is the next wave of implementable control verification and resiliency testing. Taking the table top scenario and executing the issues in a live environment will prove advantageous in the event the attacks occur. Additionally, preparation and response planning should be part of the chaos response process and ingrained in the “Blue Team.” The issues of such processes would be identified with terms such as “Blast Radius,” the level of “chaos testing” that any one system could take, and how hard do we try to break production before we “actually break production.” The issue could also be “Collateral Damage,” when connected or interfaced systems are caught in the chaos test. These questions and the planning for such engagements requires a detailed level of knowledge and understanding of the systems being tested and the potential consequences of a misfire. Through careful considerations the processes integrated as part of controls testing and resiliency awareness will add a new dimension of control capability.

Cybersecurity Quarterly

Upcoming Events July July 10 – 11 The American Public Power Association will hold its 2019 Southeast Regional Municipal Utility Cybersecurity Summit at the Hilton Orlando Buena Vista Palace. The summit will educate municipal utilities on establishing and maintaining a successful cybersecurity program. MS-ISAC Program Manager Eugene Kipniss will be a featured panelist at the event, discussing information sharing resources for public utilities. th

July 16th – 18th MISTI will hold its Annual IT Audit and Controls (ITAC) Conference at the Hyatt Regency Crystal City in Arlington, Virginia. ITAC is the premier event for IT audit executives and those tasked with ensuring that data is governed in a secure and responsible way, while addressing risks related to information technology. CIS Senior VP Tony Sager will co-lead a breakout session on using the CIS Controls in IT audits and a workshop on integrating cyber defense in the risk decision-making process.

July 12th – 15th The National Association of Counties (NACo) Annual Conference & Expo will take place jointly at the Paris Las Vegas Hotel & Casino and Bally's Las Vegas Hotel & Casino. Participants will come together to shape NACo's federal policy agenda, share proven practices, and strengthen knowledge networks to help improve residents’ lives and the efficiency of county government.

July 22nd – 26th The State of Alaska and the MS-ISAC will jointly hold the Alaska Recruitment and Member Conference in Anchorage, Alaska, to connect with current and new MS-ISAC members from across the state. MS-ISAC Director of Partnerships Stacey Wright, Program Manager Eugene Kipniss, Senior Program Specialist Greta Noble, and Program Specialist Jessica Cone will all speak at the event on various MS-ISAC resources and benefits.

July 14th – 16th The National Association of State Election Directors (NASED) will hold their 2019 NASED Summer Conference at the Omni Austin Hotel Downtown in Austin, Texas. The event will bring together state election directors and other election officials to discuss the latest developments in election administration. EI-ISAC Elections Program Manager Kateri Gill and Director Ben Spear will present at the conference on elections security.

July 30th – 31st The Nevada Secretary of State's Office will hold its Nevada Elections Conference in Reno, Nevada, which will bring together election stakeholders from across the state to learn how to prepare for and secure future elections. EI-ISAC Elections Program Manager Kateri Gill will speak at the event about leveraging EI-ISAC membership.

July 16 Cyber Security Summit: DC Metro will take place at The Ritz-Carlton, Tysons Corner, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. CIS VP Steve Gold will be a featured panelist at the event, speaking on cloud security, and CIS Executive VP Curtis Dukes will deliver the closing keynote. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

August 12th – 14th The West Virginia Secretary of State's Office will host the West Virginia County Clerk Election Training Conference, bringing county clerks from around the state to dive in-depth into the latest updates on election protection and cybersecurity. EI-ISAC Elections Program Manager Kateri Gill and Director Ben Spear will present at the conference on EI-ISAC membership and elections security.

August

Summer 2019

August 14th – 17th The Maryland Association of Counties (MACo) will hold its MACo 2019 Summer Conference at the Roland Powell Convention Center in Ocean City, Maryland. The event will focus on changes in government and constituent services and how counties are harnessing that change for the good of all. MS-ISAC Program Specialist Kyle Bryans will be part of a panel at the conference's opening Tech Expo event, discussing data privacy and protection. August 18 – 22 The National Association of State Technology Directors (NASTD) will hold its 2019 NASTD Annual Conference & Technology Showcase at the Westin Indianapolis Hotel, where state government IT leaders and professionals from around the country will come together to learn about the latest issues from industry experts. MSISAC Senior VP Thomas Duffy will lead a session at the event on today's cybersecurity landscape. th

August 22nd – 24th The North Carolina Association of County Commissioners (NCACC) will be holding the 112th NCACC Annual Conference at the Grandover Resort in Greensboro, North Carolina. The event will bring together county government leaders from the state's 100 counties to network and learn ways to overcome challenges and improve the lives of their citizens. MS-ISAC Program Specialist Jessica Cone will be a featured speaker at the event, discussing cyber threats against county governments and resources to help mitigate the risk of attack. August 25th – 28th GMIS International will hold its 2019 GMIS MEETS Conference at the Disney Coronado Springs Resort in Lake Buena Vista, Florida. The event will bring together government IT leaders and professionals to network, exchange ideas, and learn from experts. MS-ISAC Program Manager Eugene Kipniss will colead a breakout session at the event on responding to municipal cyber incidents, and another breakout session on the CIS Configuration Assessment Tool and Malicious Code Analysis Platform. August 27th Cyber Security Summit: Chicago will take place at the Hyatt Regency Chicago, bringing together

executives, business leaders, and cybersecurity professionals to learn about the latest threats from industry leaders. CIS VP Steve Gold will be a featured panelist at the event, speaking on insider threats and cloud security. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

September September 13th – 14th The National Strategic Planning and Analysis Research Center (NSPARC) at Mississippi State University will hold its 3rd Annual Data Summit at The Mill at MSU Conference Center in Starkville, Mississippi. The two-day event will focus on data science and the growing emergence of “smart cities.” CIS Senior VP Tony Sager will deliver the keynote at the event. September 17th Cyber Security Summit: Charlotte will take place at The Westin Charlotte, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest threats from industry leaders. CIS VP Steve Gold will be a featured panelist at the event, speaking on insider threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details. September 24th – 26th CloudLIVE will take place at the Encore Boston Harbor Hotel, bringing together cloud leaders and professionals to network, collaborate, and learn about harnessing the power of the cloud. CIS Product Owner for Cloud Greg Carpenter will lead a breakout session on cloud security. September 29th – October 2nd The Municipal Information Systems Association of California (MISAC) will hold its 2019 MISAC Annual Conference at the Portola Hotel & Spa in Monterey, California. The event will bring together the state's information systems leaders and professionals to network and learn from industry experts. MS-ISAC Senior Program Specialist Greta Noble and Program Specialist Brendan Montagne will present at the event, speaking on MS-ISAC services available to local governments.

Confidence in the Connected World

CIS CyberMarket Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.880.0699