Cybersecurity Quarterly
Fall 2019
A Publication from
Protecting Your Organization Against the Recent Onslaught of Ransomware Attacks
How One of America's Biggest Rivals in Cyberspace Approaches Cyber Risk Management
Exploring One of the Most Common Cyber Attack Vectors: Spear Phishing
Learn About Our New Best Practice Guides for Implementing the CIS Controls
An Ingenious Defense Against Ransomware An in-depth look at how the Multi-State Information Sharing & Analysis Center (MS-ISAC) and its Albert Network Monitoring System protect state, local, tribal, and territorial governments against cyber attacks
Improve Your Security Posture with Training from SANS Institute The Most Trusted Source for Information Security Training, Certification, and Research
SANS Institute partners with the Center for Internet Security to provide its top-rated information security training and awareness programs to State, Local, Tribal, and Territorial Government organizations at significantly reduced costs. Leverage this special partnership to ensure that your employees have the skills and experience necessary to protect your critical organization from cyber threats.
Program participants may purchase:
More than 40 hands-on courses are available OnDemand or live, online in the evenings via vLive.
Train and test staff of all levels on email, file storage, digital access, and general data security.
Special discounts duringour oursummer winterpurchase purchasewindow window Special discountsare areavailable available during DecemberJune 1, 2019 - January 1 - July 31, 2019 31, 2020
partnership@sans.org, visitwww.sans.org/partnership/cis www.sans.org/partnership/cis for more Contact Contact partnership@sans.org, or or visit for information. more information.
Cybersecurity Quarterly
Contents
Featured Articles
Quarterly Regulars
Confidence in the Connected World Fall 2019 Volume 3 Issue 3 Founded MMXVII Editor-in-Chief Michael Mineconzo Copy Editors Shannon McClain Autum Pylant
Staff Contributors Sean Atkinson Amelia Gifford Reg Harnish Paul Hoffman Lee Myers Joshua Palsgraf Robin Regnier
Fall 2019
Taking Advantage of the CIS Controls Security Best Practices Guides & Resources An overview of CIS' new guides and resources for implementing the CIS Controls
8
MS-ISAC Effectiveness in Defeating SLTT Ransomware Attacks An in-depth look at how the MS-ISAC defeats cyber attacks against its members
12
Spear Phishing: Defending Against the Biggest Threat to State & Local Governments Exploring one of the most common attack vectors for ransomware and data breaches
16
Ransomware and How to Stop It A look at ransomware attacks in the SLTT space and methods to protect against them
20
Cyber Risk Management in China An introduction to the Chinese approach to managing risk in the cyber realm
24
Quarterly Update with John Gilligan
4
News Bits & Bytes
6
Threat of the Quarter
10
Cyberside Chat
28
ISAC Update
30
Calendar
31
Cybersecurity Quarterly is published and distributed in March, June, September, and December. Published by Center for Internet Security 31 Tech Valley Drive East Greenbush, New York 12061 For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460 Copyright Š 2019 Center for Internet Security. All rights reserved.
3
Cybersecurity Quarterly
Quarterly Update
with John Gilligan
“At CIS, we have redoubled our efforts to expand the protection that we provide to SLTT government organizations.” Welcome to the Fall 2019 issue of Cybersecurity Quarterly. As the days get shorter, I find that I am looking forward to temperatures that are more moderate and the upcoming festival of colors from fall foliage. I am hopeful, however, that we get to fully appreciate fall before we slide into winter. This quarter, we focus on ransomware. In this issue, we examine both on its effects on all organizations – especially state, local, tribal, and territorial (SLTT) governments – and methods to combat it. We have all seen the almost daily stories about public organizations falling victim to these attacks. Cybersecurity Ventures estimates that ransomware attacks will cost over $10 billion globally in 2019. The consequences of recent attacks in Atlanta, Baltimore, Louisiana, and Texas are well documented. The cost in each case was thousands to many millions of dollars.
very large number of ransomware attacks. In an additional article, CIS CyberMarket vendor partner Belarc has provided supporting information including ways to prevent ransomware attacks. As we head into the primary elections season, our CIS CyberMarket vendor partners at Valimail identify some of the security challenges and opportunities in providing protection against spear phishing. Spear phishing is a common attack vector for ransomware infections, especially related to preparation for the 2020 elections season. Other articles in this issue of Cybersecurity Quarterly include an update on new resources related to implementing the CIS Controls, including our recently released companion guides for cloud, mobile, IoT, and Windows 10, as well as an additional article examining China’s approach to managing cyber risk. I hope you enjoy this issue’s selection of articles.
A number of articles in this issue outline the nature of ransomware attacks. At CIS, we have redoubled our efforts to expand the protection that we provide to SLTT government organizations. In our Threat of the Quarter feature, the MSISAC Intel team explores Ryuk ransomware. Ryuk is a variant of crypto-ransomware that has become increasingly prevalent among our membership over the last couple of quarters. Another article summarizes the specific techniques used by CIS to help defeat ransomware attacks (and other cyber threats) against SLTT government organizations. In this article, the effectiveness of our Albert network monitoring solution’s alerting on ransomware signatures is explored. In addition, the article explains the importance of the rapid response by our Security Operations Center to defeating a
4
Best Regards,
John M. Gilligan President & Chief Executive Officer Center for Internet Security
Fall 2019
Enroll Now! National Cybersecurity Awareness Month Promo
10% Off New One Year Memberships September 16 – October 31 Promo Code: CIS-NCSAM2019 Enroll Now →
Cybersecurity Quarterly
News Bits & Bytes October is National Cybersecurity Awareness Month (NCSAM). NCSAM is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. NCSAM 2019 will emphasize personal accountability and stress the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. This year’s overarching message – Own IT. Secure IT. Protect IT. – will focus on key areas including citizen privacy, consumer devices, and e-commerce security. The NCSAM 2019 Toolkit is a comprehensive guide to make it easy to engage and promote the core theme and critical messages. Registration for the 2019 Nationwide Cybersecurity Review (NCSR) will officially open on October 1st . The NCSR is a no cost, anonymous, annual self-assessment that is designed to measure gaps and capabilities of U.S. State, Local, Tribal, and Territorial (SLTT) governments’ cybersecurity programs. The NCSR is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). For more information or to register for the 2019 NCSR, please visit https://www.cisecurity.org/ms-isac/ services/ncsr/. New Net Technologies (NNT) is now part of CIS CyberMarket. NNT is the leading provider of SecureOps, which combines the essential, foundational security controls as prescribed by CIS with the operational discipline of change management. By ensuring security controls are in place, combined with the ability to correlate changes within your environment, organizations are able to prevent and protect themselves against
6
all forms of breach, as well as gaining full control of changes for both security and operational peace of mind. Learn more on our partnership page. The National White Collar Crime Center (NW3C) and the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) announced a new partnership to improve support for U.S. SLTT law enforcement agencies. This partnership strengthens the existing support framework for U.S. law enforcement agencies and SLTT governments, helping the organizations' respective members improve their cybersecurity posture and combat cybercrime. Leet Cyber Security is now part of CIS CyberMarket. Leet Cyber Security helps organizations with the 'Hacker Problem.' Leet Cyber Security focuses on penetration testing, offensive security, and 'ethical hacking' to provide organizations with a clear understanding of security problems. By mimicking real world threats and identifying weaknesses, organizations can use this information to become meaningfully more secure. Learn more about Leet Cyber Security at https://leetcybersecurity.com/. CIS was an official launch partner in Authority to Operate (ATO) on Amazon Web Services (AWS). The ATO on AWS program addresses the unique needs and compliance requirements encountered in regulated markets. The program is a partner-driven process helping organizations converge common security frameworks to address security and compliance requirements. CIS worked with AWS to develop the AWS Security Automation and Orchestration (SAO) methodology, which enables AWS customers to constrain, track, and publish continuous risk treatments (CRT).
Fall 2019
SECURITY THREATS MAY CHANGE, BUT AKAMAI’S ABILITY TO STOP THEM DOES NOT.
Cyber security in a hyper-connected world requires enterprise protection at the Network, Application and Data Center. Come see why the majority of the cabinet-level departments and all branches of the US Military trust the Akamai Threat Intelligence platform at carahsoft.com/innovation/Akamai-cyber.
7
Cybersecurity Quarterly
Taking Advantage of the CIS Controls Security Best Practice Guides & Resources Learn how to utilize our numerous new resources on integrating the security best practices outlined in the CIS Controls to the various aspects of your organization. By Robin Regnier Our hardworking CIS Controls Team, along with our global community of volunteers in the cybersecurity industry, have been busy creating new security best practices by publishing a number of guides, mappings, tools, and other great resources as part of our mission to secure the connected world. Taking advantage of our free resources is the first step in improving your cybersecurity.
CIS Controls Teleworking and Small Office Network Security Guide The newly published CIS Teleworking and Small Office Network Security Guide focuses on recommendations for basic network setup and securing your home routers and modems
Our hardworking CIS Controls Team, along with our global community of volunteers, have been busy creating new security best practices by publishing a number of guides, mappings, tools, and other great resources as part of our mission to secure the connected world. 8
against cyber threats. These devices are often designed for personal use, but may also be leveraged by small-to-medium-sized organizations within an enterprise setting. Securing these network devices is critical as they act as an on-ramp for internal networks to access the internet. As a result, they are subject to scans and attacks from outside networks. The threat surface grows as teleworking expands. A poorly configured home or small office device can affect an entire organization. Download the Teleworking and Small Office Network Security Guide
CIS Controls Microsoft Windows 10 Cyber Hygiene Guide We developed the CIS Controls Windows 10 Cyber Hygiene Guide to make cybersecurity basics for this particular technology easier to follow. The guide provides practical step-by-step assistance for securing computers running Windows 10 without the need for advanced technical knowledge. To make the process of securing your assets even easier, we also developed a spreadsheet that contains examples of methods for tracking hardware, software, and sensitive information in your organization. The guide
Fall 2019
is targeted to organizations concerned with stopping the theft of company information, website defacement, phishing attacks, ransomware, and data loss – just to name a few! Download the Microsoft Windows 10 Cyber Hygiene Guide1 Download the CIS Hardware and Software Asset Tracking Spreadsheet
CIS Controls Internet of Things Companion Guide Internet of Things (IoT) devices aren’t just invading our homes; these smart, connected machines have taken root in the workplace, and they are here to stay. To help secure this new frontier, we released a CIS Controls Companion Guide to help organizations apply the CIS Controls to the IoT. This resource helps organizations implement consensus-developed best practices using Version 7.1 of the CIS Controls. This guidance is aimed to provide security recommendations for a variety of IoT devices that often present unique and complex challenges for security professionals. Download the IoT Companion Guide
CIS Controls Mobile Companion Guide The CIS Controls team has released a new companion guide to help organizations break down and map the applicable CIS Controls and their implementation in mobile environments. This new resource helps organizations implement the consensus-developed best practices using CIS Controls for phones, tablets, and mobile applications. We focused on a consistent approach on how to apply our security recommendations to Google Android and Apple iOS environments. Download the Mobile Companion Guide 1
The CIS Controls Microsoft Windows 10 Cyber Hygiene Guide is an independent publication and is neither affiliated with, nor authorized, sponsored, or approved by, Microsoft Corporation.
CIS Controls Cloud Companion Guide Working with an army of global adopters and cybersecurity experts, the CIS Controls team created a Cloud Security Companion Guide to help secure cloud environments. This guide helps organizations break down and map the applicable CIS Controls and their implementation in cloud environments using consensus-developed best practices. Download the Cloud Companion Guide
Mapping the Sub-Controls to Regulatory Frameworks While the CIS Controls provide security best practices to help organizations defend assets in cyber space, your industry may require your organization to comply with certain regulatory frameworks. Our CIS Controls team has helped to address this issue by creating mappings of our Controls and Sub-Controls to some common regulatory frameworks. This makes implementing both the CIS Controls and your industry's governing regulations easier than ever before. Download the mapping between the CIS Controls and ISO 27001 Download the mapping between the CIS Controls and NIST Cybersecurity Framework (NIST CSF) We want to thank the many security experts who volunteer their time and talent to support the CIS Controls and other work we do at CIS. CIS products represent the effort of a veritable army of volunteers from across the industry, generously giving their time and talent in the name of a more secure online experience for all. Robin Regnier currently serves as the Controls Coordinator for the CIS Controls, as part of the Security Best Practices and Automation Group at the Center for Internet Security (CIS). In her role, Regnier works and collaborates with the CIS international community of cybersecurity experts, who help develop and update cybersecurity best practices guides and resources aiding users with the implementation of the CIS Controls.
9
Cybersecurity Quarterly
Threat of the Quarter This Quarter’s Threat: Ryuk Ransomware by Joshua Palsgraf, Cyber Intelligence Analyst, MS-ISAC
Throughout 2019, state, local, tribal, and territorial (SLTT) government entities have increasingly encountered ransomware attacks resulting in significant network downtime, delayed services to constituents, and costly remediation efforts. Currently, Ryuk ransomware is one of the most prevalent variants in the SLTT threat landscape, with infections doubling from the second to the third quarter of the year. The increase in Ryuk infections was so great that the MS-ISAC saw twice as many infections in the month of July compared to the first half of the year. In the third quarter alone, the MS-ISAC observed Ryuk activity across 14 states. Ryuk is a type of crypto-ransomware that uses encryption to block access to a system, device, or file until a ransom is paid. Ryuk is often dropped on a system by other malware, most notably TrickBot (featured in last quarter’s Threat of the Quarter), or gains access to a system via Remote Desktop Services. Ryuk demands payment via Bitcoin cryptocurrency and directs victims to deposit the ransom in a specific Bitcoin wallet. The ransom demand is typically between 15 and 50 Bitcoins, which is roughly $100,000-$500,000, depending on
Ryuk ransomware is one of the most prevalent variants in the SLTT threat landscape, with infections doubling from the second to the third quarter of the year. The increase in infections was so great that the MS-ISAC saw twice as many infections in the month of July compared to the first half of the year. 10
the price conversion. Once on a system, Ryuk will spread through the network using PsExec or Group Policy trying to infect as many endpoints and servers as possible. Then, the malware will begin the encryption process, specifically targeting backups and successfully encrypting them in most cases. Ryuk is often the last piece of malware dropped in an infection cycle that starts with either Emotet or TrickBot. Multiple malware infections may greatly complicate the process of remediation. The MS-ISAC has observed an increase in cases where Emotet or TrickBot are the initial infections and multiple malware variants are dropped onto the system with the end result being a Ryuk infection. For example, the MS-ISAC recently assisted in an incident where TrickBot successfully disabled the organization's endpoint antivirus application, spread throughout their network, and ended up infecting hundreds of endpoints and multiple servers. Since TrickBot is a banking trojan, it likely harvested and exfiltrated financial account information on the infected systems prior to dropping the Ryuk ransomware infection. Ryuk was dropped throughout the network, encrypting the organization’s data and backups, leaving ransom notes on the infected machines.
Fall 2019
How it Works Ryuk is primarily spread via other malware dropping it onto an existing infected system. Finding the dropper on a system for analysis is difficult due to the fact that the main payload deletes it after the initial execution. The dropper creates a file for the payload to be saved to; however, if the file creation fails, the dropper will then try to write it into its own directory. The dropper contains 32 and 64 bit modules of the ransomware. Once the file is created, the dropper then checks what process is currently running and writes in the appropriate module (32 or 64 bit). Following the execution of the main payload and the deletion of the dropper, the malware attempts to stop antivirus and antimalware related processes and services. It uses a preconfigured list, which can kill more than 40 processes and 180 services through taskkill and netstop commands. This preconfigured list is made up of antivirus processes, backups, databases, and document editing software. Additionally, the main payload is responsible for increasing persistence in the registry and injecting malicious payloads into several processes, such as the remote process. The process injection allows the malware to gain access to the volume shadow service and delete all shadow copies, including those used by third-party applications. Most ransomware uses the same, or similar, techniques to delete shadow copies, but does not delete ones from third-party applications. Ryuk achieves this through resizing the volume shadow service storage. Once
[Ryuk] will go after and delete files that have backup related extensions and any backups that are connected to the infected machine or network... making recovery nearly impossible unless external backups are saved and stored offline. resized, the malware can force the deletion of thirdparty application shadow copies. These techniques greatly complicate the mitigation process, as it hinders an organization's ability to restore systems to a pre-infection state. Furthermore, it will go after and delete multiple files that have backup related extensions and any backups that are currently connected to the infected machine or network. These anti-recovery tools used are quite extensive and more sophisticated than most types of ransomware, making recovery nearly impossible unless external backups are saved and stored offline. For encryption, Ryuk uses the RSA and AES encryption algorithms with three keys. The cyber threat actors (CTAs) use a private global RSA key as the base of their model. The second RSA key is delivered to the system via the main payload. This RSA key is already encrypted with the CTA’s private global RSA key. Once the malware is ready for encryption, an AES key is created for the victim’s files and this key is encrypted with the second RSA key. Ryuk then begins scanning and encrypting every drive and network share on the system. Finally, it will create the ransom note, "RyukReadMe. txt" and place it in every folder on the system.
Recommendations SLTT governments should adhere to best practices, such as those in the CIS Controls, as well as the many resources included in CIS SecureSuite Membership, which are both available at no cost to SLTT entities. The MS-ISAC also recommends organizations adhere to the full list of recommendations in the MS-ISAC Ransomware Security Primer, to limit the effect and risk of Ryuk ransomware to your organization.
11
Cybersecurity Quarterly
MS-ISAC Effectiveness in Defeating SLTT Ransomware Attacks How the MS-ISAC and our Albert intrusion detection system uniquely work together to protect SLTT government organizations from ransomware attacks By Reg Harnish & Lee Myers Ransomware has quickly become one of the most destructive, disruptive, and costly cybersecurity issues in history. Given the simplicity of its operation, easily automated deployment, and the high potential of success, ransomware has become the preferred method for cyber criminals.
Heat Map of Public Entity Ransomware Attacks, YTD 2019
According to Trend Micro, ransomware attacks have increased 363% since 2018. In addition, specific strains of ransomware, including ‘Ryuk’, appear to be targeting state and local governments. The biggest SLTT ransomware news-maker thus far for 2019 was the attack on the Baltimore City government. The city’s computer system was hit with ransomware in May 2019 that crippled the city’s government for over one month. Estimates put the cost to recover at over $18 million. The attack shut down city employees’ emails, halted credit card payments for city services and fines, and froze the property market.
Ransomware has quickly become one of the most destructive, disruptive, and costly cybersecurity issues in history... ransomware attacks have increased 363% since 2018. 12
Source: Malwarebytes Labs
About one year earlier, the Atlanta city government spent over $17 million to recover from a ransomware attack. In recent weeks, Louisiana school systems and 23 local government organizations in Texas have been hit with ransomware attacks. According to Malwarebytes Labs, a leading malware research organization, most victims of ransomware do not become media stories like Baltimore and Atlanta. The chart on the next page illustrates the cities most affected by ransomware in the first half of 2019. Not coincidentally, none of these entities are monitored by MS-ISAC Albert sensors.
Fall 2019
ransomware source). Once an endpoint has been compromised by ransomware, Albert detection can occur during several phases of the “attack,” including: 1. Download of Ransomware Executable – In most cases, a particular binary code (or payload) will have a signature that can be detected by Albert. Source: Malwarebytes Labs
Albert Effectiveness in Detecting Ransomware While ransomware has been proven highly lucrative and is growing as a threat, there are ways for organizations to defend themselves. The keys to ransomware survival are twofold: 1. Early detection and response 2. Effective data backups The Center for Internet Security (CIS) has developed and deployed a network monitoring system called Albert that plays a critical role in early detection of ransomware and other malicious attacks. CIS has deployed over 400 Albert sensors to help protect SLTT networks and systems from cybersecurity threats. Albert is a custom-designed Intrusion Detection System (IDS) developed by CIS specifically for monitoring SLTT networks. Albert consists of a combination of open source, government-owned, and CIS-developed software that performs malicious intrusion detection and network flow analysis. Albert’s specialty is detection of malicious network activity, which makes it particularly effective against ransomware attacks, which tend to be “chatty” (i.e., requiring communications back and forth to the
2. Establishing Command-and-Control (C2) – Once the ransomware executable software is installed on the target system, ransomware requires instructions from its “headquarters.” These communications can typically be detected by Albert. 3. Downloading of Encryption Key(s) – To proceed with encryption, ransomware must collect its public key. These communications can also typically be detected by Albert. 4. Periodic Check-In – Once activated, ransomware may require subsequent instructions from “headquarters.” These communications can also be detected by Albert. The chart on the following page details the typical phases in a ransomware attack. Albert sensors are loaded with the “signatures” of many known malicious threats. These signatures are derived from many sources including commercial threat providers, federal organizations, and the MSISAC itself. Albert threat signatures are updated twice daily. Over 20,000 signatures are loaded in each Albert sensor, approximately 470 of which are specific to ransomware. Threat alerts are generated by Albert sensors based on a match against one or more of
13
Cybersecurity Quarterly
the threat signatures. These alerts are automatically passed to the MS-ISAC and Elections infrastructure Information Sharing and Analysis Center® (EIISAC®) Security Operations Center (SOC), a 7/24/365 analysis and response facility operated by CIS. The average time from threat detection by an Albert sensor to SOC notification to an affected organization is five minutes. This response time is sufficiently rapid that, in most instances, an affected SLTT is able to mitigate the ransomware attack before it begins execution or does significant damage. The MS-ISAC Albert network monitoring system is capable of detection in each of the ransomware detection phases identified above. Detection is accomplished due to several Albert-specific and unique benefits, including the following: Automation – Effective ransomware/malware detection requires large volumes of data.
14
Automation within the CIS SOC permits the rapid analysis of very large volumes of Albert data. Customer Tailored Signatures – Albert is specifically tuned to identify malicious activity most common in SLTT environments, making malware detection faster and more accurate. SLTT Expertise – The CIS SOC personnel have longstanding working relationships with their SLTT members. They have an enormous repository of institutional knowledge – no one knows SLTTs better than the MS-ISAC and EI-ISAC organizations.
Albert Effectiveness Using Albert sensors to monitor state, local, tribal, and territorial government networks, the MS-ISAC has been proven enormously effective in detecting and defeating entirely or minimizing the impact of most strains of ransomware.
Fall 2019
In 2018, the MS-ISAC alerted and the SOC successfully acted on nearly 200 ransomware attacks. Through July 2019, 116 ransomwarerelated alerts have been identified, analyzed, and communicated to affected SLTT organizations. These services result in very significant cost avoidance benefits for members. Cost avoidance occurs in the following areas: Downtime not incurred – Organizations that detect ransomware attacks early are more likely to respond and recover quickly, minimizing organizational disruption and downtime. Upgrades and replacements not needed – Organizations that detect ransomware attacks early are less likely to require upgrading and replacement of hardware, software, networks, and other assets. Ransoms not paid – Organizations that detect ransomware attacks early are more likely to minimize spread and reduce impact, therefore making it less necessary to consider ransom payment. According to Coveware’s 2019 Q1 Ransomware Market Report (the latest report on ransomware costs), the average cost of a ransomware infection was $71,378 in 2018 and $77,407 in 2019. The chart below reflects MS-ISAC monitoring of federally-funded Albert sensors (about 200 of the 400 Albert sensors) over the past 19 months.
Cost Efficiency Albert sensors cost about $10,000 for initial installation and about $13,400/year for monitoring. This is a fraction of the cost for solutions offered by comparable commercial providers, which generally cost an average of $60,000 for initial installation and an average of $25,000 for annual monitoring.
Conclusion The Albert network monitoring system coupled with the MS-ISAC/EI-ISAC SOC operated by CIS is an extremely effective and enormously cost-efficient investment in protecting SLTT organizations against malware threats, including ransomware. While this article examined the specific benefits against ransomware, there are a large number of other malware threats that are similarly detected and mitigated by Albert and the CIS SOC. As one member noted: “The MS-ISAC might be the most effective and efficient defense against cyber-attacks in the entire government.” Reg Harnish is the Executive Vice President of Security Services at CIS. His responsibilities include leading the development and implementation of CIS’ Security Services, which includes the MS-ISAC and EI-ISAC. Previously, Harnish was the Founder and CEO of GreyCastle Security, a cybersecurity services provider. Harnish is a fellow of the National Cybersecurity Institute, and a contributor to the Forbes Technology Council. He has authored numerous books on cybersecurity.
Ransomware Cost Avoidance Period
MS-ISAC Defeated Average Cost of Total Ransomware a Ransomware Ransomware Infections* Infection** Cost Avoidance
2018 (Jan - Dec)
189
$71,378
$13,490,442
2019 (Jan - July)
116
$77,407
$8,979,212
Totals
305
$22,469,654
* Number of confirmed ransomware infections that were detected by MS-ISAC Albert network monitoring that were partially or completely defeated through detection, rapid escalation, and effective response efforts. ** Includes costs of ransom(s) and downtime, does not include costs for infrastructure upgrades or professional services.
Lee Myers is the Director of the Security Operations Center (SOC) at CIS. Myers is responsible for leading the CIS 7/24/365 SOC, which provides real-time network monitoring, cybersecurity event analysis, and cyber threat warnings and advisories to U.S. State, Local, Tribal, and Territorial (SLTT) government entities. Myers joined CIS as a SOC Analyst in 2012, shortly after earning a B.S. in Information Security and Forensics from the Rochester Institute of Technology.
15
Cybersecurity Quarterly
Spear Phishing: Defending Against the Biggest Threat to State & Local Governments What do ransomware, fraud, data breaches, and election hacking all have in common? Spear phishing By Benn Stratton So far, 2019 has been a wake-up call for U.S. state and local governments as they have increasingly become the targets of sophisticated cyber-attacks. Over the last nine months, the national news has been filled with examples highlighting the unique vulnerabilities and damage these attacks are causing. Election Security: The Mueller Report (officially titled Report on the Investigation into Russian Interference in the 2016 Presidential Election) documented interference by Russian operatives in the 2016 U.S. elections, which targeted state and local boards of elections with malicious email and cyber-attacks. Ransomware: In the first eight months of 2019, industry reports identified over 70 attacks against state and local governments (over 60% of all ransomware attacks in the U.S.). These attacks have cost taxpayers millions in ransom payments, remediation costs, and disrupted public services.
In the first eight months of 2019, industry reports identified over 70 [ransomware] attacks against state and local governments (over 60% of all ransomware attacks in the U.S.). 16
Fraud: Numerous municipalities have paid millions in fraudulent payments to scammers who sent emails appearing to come from legitimate government contractors or employees.
Spear Phishing: The Most Common and Dangerous Cyber-Attack Vector Email has become the foundation of how our government communicates. This makes government particularly vulnerable to fraudulent email. “Spear phishing� is deceptive email that attempts to trick specific, targeted individuals into disclosing sensitive information or execute malicious files. Spear phishing leverages publicly available information about government agencies, contracts, elected officials, and social media to be highly effective – and thanks to its use of impersonation techniques, it can be extremely hard to detect.
Fall 2019
Protecting Against the Three Types of Spear Phishing Spear phishing attacks take advantage of a fundamental lack of robust sender identity in email infrastructure to sneak past traditional defenses. They do this by using three types of impersonation: exact-domain attacks, lookalike-domain attacks, and open-signup attacks.
Exact-Domain Attacks From: Duke Adams, Information Security <adams@mycounty.gov> Subject: URGENT – Password Reset Required Due to a compromised account, all users of the County Human Resources Portal must reset their password immediately. To reset your password, please follow the instructions in the link below…. Exact-domain attacks, or “spoofing,” are the most common and dangerous phish because they appear to come from the exact email address used by an organization – in other words, the spoofed organization’s domain is right there in the “From” field of the email. The spoofed email usually directs the recipient to take some action that compromises sensitive information or creates a vulnerability for the hacker to exploit. Fortunately, an industry standard has emerged that can protect government domains from spoofing. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is administered in DNS and provides a domain owner worldwide visibility to all email senders using its domain. Additionally, DMARC can be configured to stop any spoofed email from being delivered – on any email receiver worldwide. When implemented properly, DMARC allows domain owners to ensure that only authorized senders can send email that appears to come “From” their domains. DMARC was mandated by DHS in 2018 for federal .gov domains. Today, over 90% of federal .gov domains are fully protected from spoofed emails. However, DMARC adoption at the state and local government level lags far
Leveraging Federal Election Security Funding to Accelerate DMARC Adoption In order to help states protect the 2020 elections, the Election Assistance Commission made $380M in elections security grants authorized by the Help America Vote Act (HAVA) available in late 2018. This funding is intended to help states modernize voting systems and implement basic cybersecurity protections to protect the 2020 elections from foreign cyber interference. Additionally, the DHS Cyber Infrastructure Protection Agency (CISA) has published an online Election Security Resource Library with specific guidance recommending the use of HAVA funding to protect against spear phishing by implementing DMARC and multi-factor authentication. By leveraging federal election security funding to prevent spear phishing, state and local governments also benefit by protecting themselves from ransomware, fraud, data breaches, and other similar threats. behind, with less than 10% of state and local domains having implemented DMARC.
Lookalike-Domain Attacks and Open-Signup Attacks The two other types of spear phishing impersonation attacks exploit weaknesses in human cognition and mobile platforms to trick recipients into opening fraudulent email. Lookalike-domain attacks, also known as untrusted-domain attacks, homograph attacks, or typo-squatting attacks, are emails that are sent from a domain that looks similar to a trusted domain, but is actually controlled by the attacker. Such attacks often use very slight typographical differences or Unicode characters to make a domain look almost indistinguishable from a recognized domain. An example would be an email that comes from “1bm.com” instead of “ibm.com.”
17
Cybersecurity Quarterly
Lookalike-Domain Attack From: Jane Doe, CFO <jane.doe@1bm.com> Subject: Urgent - Please process payment today Hi, I have an urgent payment that I need submitted to one of our major vendors ASAP. Can you please immediately process a wire transfer to our vendor's account details listed below... State and local governments can protect their own domains from this type of attack by utilizing the .gov Top Level Domain (TLD). Unlike common TLDs like .org, .net, or .com, the .gov TLD is managed by GSA and only available to verified U.S. government entities. They can then instruct citizens, contractors, and partners that legitimate email from them will only originate from a .gov domain.
Open-Signup Attack (Gmail, Yahoo, etc.) From: Microsoft Support <sptx852j3z@gmail. com> Subject: Password is expiring soon The password to your Microsoft account is set to expire soon. In order to continue to access your account, please use the following link to create... Open-signup attacks take advantage of the fact that mobile email applications display the sender’s name in the “From” field, without showing the email address that the sender is using. Hackers anonymously create a new email account on any free service (Gmail, Yahoo Mail, etc.) and give it a deceptive, friendly "From” name. Hackers can easily use social media to figure out a name that the target will trust − the name of a trusted coworker, friend, family member, or business. If the recipient looks at the email on their mobile device, it will not be apparent that the email is actually from a fraudulent email account.
Act Now With the 2020 elections just a year away and ransomware attacks at an all time high, it is imperative that state and local governments take
18
proactive measures to protect their domains and enterprises from spear phishing and malicious email. To protect against the infinite number of possible deceptive senders using these techniques, innovative new commercial offerings that verify the trustworthiness of each sender before the email is delivered can greatly reduce the risk of these types of attacks. One example is Valimail’s new Defend solution, which augments secure email gateways and malware detection to protect against all types of spear phishing attacks. Benn Stratton currently serves as Director of Public Sector for Valimail. For the past 30 years, he has served in both the public and private sector, driving innovation to support national security priorities across the federal government. He has a deep knowledge and expertise in working with federal, state, and local governments to navigate the government procurement to accelerate the adoption of new cybersecurity capabilities. Stratton is a graduate of the United States Military Academy at West Point and Duke University. A former Army Officer and Special Operations veteran, Stratton served as an Infantry and Special Forces Officer in Central America with the 82nd Airborne Division and 7th Special Forces Group at Fort Bragg (NC). He can be reached at benn.stratton@valimail.com.
Fall 2019
FIGHT PHISHING— PROTECT PUBLIC SECTOR DOMAINS Only FedRAMP-authorized DMARC solution Definitive, identity-based, phishing protection— including open-signup and impersonation attacks Prevents domain spoofing Requires minimal resources for implementation + management Get a free phishing analysis at valimail.com/phishing-analysis
19
Cybersecurity Quarterly
Ransomware and How to Stop it Ransomware has become a prevailing threat for state and local government organizations, but the threat can be mitigated with simple security controls. By Sumin Tchen Ransomware has affected all types of organizations, including U.S. state and local governments, health care providers, large international enterprises, and even managed IT service providers. Will this scourge stop anytime soon? Probably not. As Willie Sutton is claimed to have said when asked why he robs banks, “That’s where the money is.” As long as attackers can relatively easily perform successful ransomware attacks and get paid, these attacks will likely continue. The important thing to know is that these attacks can almost all be prevented — not by putting the perpetrators in jail, like Willie Sutton, but by implementing cyber defense best practices, such as those recommended by the Center for Internet Security (CIS).
Impact of Ransomware The impact that ransomware has had on organizations of all sizes over just the past few years is astonishing, but it's especially astonishing in regards to U.S. state and local governments. At least 170 U.S. state and local government organizations have been successfully attacked by ransomware since 20131, with the most occurring in the past few years, as illustrated in the graph on the next page.
20
These attacks have cost governments significant time and money, in addition to the negative impacts on operations and services. Examples include the following: Atlanta, GA, where a ransomware attack affected almost all of the city’s agencies and cost the city an estimated $17 million in direct costs. 2 Baltimore, MD, where the city’s payment and email services were offline for over a month. Riviera Beach, FL, where emergency response systems and email were down and the town decided to pay a ransom of $600,000.³ As state and local agencies continue to offer more digital services, the impact of successful ransomware attacks will become even more devastating.
The How and Why of Ransomware We’ve already explained why ransomware happens. As in Willie Sutton’s quote, it’s where the money is. Ransomware is about earning money for the ¹“Early Findings: Review of State and Local Government Ransomware Attacks”, Recorded Future, April 2019 ²"U.S. Cities are Under Attack from Ransomware — and it's Going to Get Much Worse," Vice News, June 17, 2019 ³"Florida Town Pays $600,000 Virus Ransom," BBC Technology, 21 June 2019
Fall 2019
attackers, not for espionage or data exfiltration purposes. Studies of Bitcoin transactions show that at least $100 million in ransom payments have been made to attackers between 2013 and 2017.⁴ These are just the payments made to the attackers. It’s even more expensive to recover lost computer systems, and to maintain services and product deliveries to your customers while those systems are being recovered. In fact, it was discovered that some ransomware recovery services secretly pay the ransoms to get their customers’ systems back up and running.⁵ Unless ransomware attacks become more difficult and expensive to implement, they will likely continue to grow over the coming years.
How Ransomware Breaches Occur In order to effectively stop ransomware breaches, we need to know how they occur. We will focus on the initial attack vectors, because currently that is the only proven way to stop these breaches. Past breaches have used the following attack vectors: Remote Desktop Protocol (RDP) and Remote Desktop Services (RDS) are used to infect servers
and workstations. Unpatched, internet-facing servers and desktops are particularly vulnerable to this attack because no user interaction is required to infect the computer. This attack vector was used in the 2017 WannaCry attacks. Recently, Microsoft released security updates to prevent a similar vulnerability from being used in new attacks. Email attachments are used to install ransomware on the recipient’s machine, and likely, use the infected machine to gain access to the network and servers by escalating user privileges and dropping ransomware on servers with critical data. These attachments can contain malware that targets unpatched applications or operating systems. The attachments can also target Microsoft Macros. Drive-by websites contain exploit kits with multiple malware options that can infect a visitor’s web browser or plug-ins without any action by the visitor. The website can be legitimate without the owners knowing that it has been compromised or one ⁴"On the Economic Significance of Ransomware Campaigns: A Bitcoin Transactions Perspective," Aug 2018, Table I. ⁵"Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers," ProPublica, May 15, 2019
21
Cybersecurity Quarterly
specifically crafted by the attackers to impersonate a legitimate website. The malware exploits target unpatched software, such as web browsers and plug-ins like Adobe Flash Player, Oracle Java, etc. Malvertising is a modification on drive-by attacks. This is where malware is delivered by online ads on legitimate websites, via advertising networks, and infects visitors with vulnerable web browsers or other vulnerable web software. Typically, no user interaction is required to infect their computer.
How to Stop Ransomware Based on the ransomware attack vectors described above, the following controls should be used to stop these attacks from becoming successful breaches: Keep operating systems and applications, including web browsers and plug-ins, up to date. There is no indication that any ransomware attack has used a zero day vulnerability, so patching for known vulnerabilities is sufficient. Remove all end of life (EOL) software and replace with supported versions. Limit the use of administrative privileges. Use secure configurations, such as those offered by CIS, or vendors, such as Microsoft and Red Hat.
The CIS Controls At Belarc, we try to keep things simple. Our recommendation on how best to implement an effective cybersecurity strategy: Establish a process to implement and regularly monitor the CIS Controls, especially the Basic CIS Controls. We like the CIS Controls because they are based on lessons learned from actual attacks and breaches, and are created by people from multiple industries and government, including the NSA and DHS, who have deep knowledge of all aspects of cybersecurity. In total, there are only twenty CIS Controls and the first six are what are known as the Basic Controls, which are listed here. Please download the CIS Controls document for a full description of all of the CIS Controls.
22
CIS Control 1: Inventory and Control of Hardware Assets CIS Control 2: Inventory and Control of Software Assets CIS Control 3: Continuous Vulnerability Management CIS Control 4: Controlled Use of Administrative Privileges CIS Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs Ransomware has had a dramatic impact on U.S. state and local government organizations, health care providers, and large international enterprises. Ransomware attacks will likely continue because attackers stand to make a lot of money and itâ&#x20AC;&#x2122;s relatively easy to accomplish. This state of affairs will continue unless both public and private organizations make these breaches more difficult to accomplish. When we analyze actual security breaches, it is clear that to achieve real security, organizations need to follow good cybersecurity hygiene practices. This can best be accomplished by implementing and continuously monitoring proven security controls from organizations, such as CIS, in an automated and low-cost fashion using IT asset management solutions, such as those offered by Belarc. Sumin Tchen, founder and principal at Belarc, has over 30 years of experience in helping to build successful technology firms, including Belarc (ITAM & Cyber Security), Computer Controls (building control systems), Eliza (telephony-based voice recognition), ProcessTech (dynamic modeling software), and Adaptive Networks (networking over AC power lines). Tchen has a B.S. in Electrical Engineering from Cornell University and an M.S. in Management from the Massachusetts Institute of Technology (MIT).â&#x20AC;&#x2039;
Fall 2019
23
Cybersecurity Quarterly
Cyber Risk Management in China A brief introduction to the Chinese approach to establishing cybersecurity risk management standards By Bo Guan Cybersecurity became important in China during the economic boom in the 1980s and 1990s. As private companies gained ground in China and personal computers became cheaper and more widespread, the meaning of “security” expanded from protecting physical property to include digital security in state-owned networks and personal computing space. Previously relying on ISO/IEC for protecting digital information1, beginning in the 1990s, China began publishing its own national cybersecurity standards. GB 158511995, “Information Security Technology Security Techniques and Digital Signature Schemes,” was the first national standard for cybersecurity (“GB” is the Pinyin abbreviation for “national standard.” “GB/T” stands for “recommended national standard”). In 1999, a comprehensive national cybersecurity risk management standard, GB 17859-1999, set the gold standard for cybersecurity risk management in asset categorization, risk level assessment, auditing, and controls. GB 17859-1999 has three main goals: Provide a reference for the formulation of safety codes for computer information systems and the supervision and inspection by law-enforcement departments. Provide technical support for safe product development.
24
Provide technical guidance for construction and management of safety systems. It also set the standard for establishing Chinese independent encryption algorithms, their usage, and security. Together with “BMB” information security standards, these national measures led the way for the development of cloud computing infrastructures and industrial control systems (“BMB” stands for Confidentiality Standard). They also enabled businesses and organizations to identify and address basic security problems in their information systems. Chinese risk management standards resemble those used in U.S. frameworks. The standards are classified as Foundational Standards, Management Methods, Application Guide, Classification Guides, Constructional Regulations, and Evaluation Regulations. Currently, there are ten major standards and guideline documents that serve as leading references for Chinese organizations, as outlined on the next page. While all details for these standards are not available in open-source literature, publicly available information provides significant insight into Chinese thinking about the importance of applying national standards to cybersecurity risk management. Cai, C., (2019) Comparison of Chinese and American Cyber Space Strategies: Goals, Methods and Models. 1
Fall 2019
Chinese Major Cybersecurity Risk Management Standards Label
Title
Classification
GB 17859-1999
Cybersecurity Risk Classification Protection Standards
Foundational Standard
GB/T 25058-2010
Cybersecurity Risk Classification and Protection Implementation Guide
Foundational Standard
GB/T 22240-2008
Cybersecurity Risk Application Classification Guide
Application Guide, Classification Guide
GB/T 22239-2008
Cybersecurity Protection Level Foundational Requirements
Application Guide, Fundamental Regulations
GB/T 20271-2006
General Cybersecurity Technologies Requirements
Application Guide, Constructional Regulations
GB/T 25070-2010
Requirements and Recommendations for Security Prioritization of Designing Protective Technology
Application Guide, Constructional Regulations
GB/T 28448-2012
Cybersecurity Classification and Prioritization Evaluation Standard
Application Guide, Evaluation Regulations
GB/T 28449-2012
System Cybersecurity Classification and Prioritization Evaluation Guide
Application Guide, Evaluation Regulations
GB/T 20269-2006
Cybersecurity Management Guideline
Application Guide, Management Methods
GB/T 20282-2006
Cybersecurity Engineering Management Requirement
Application Guide, Management Methods
They also demonstrate similarities with U.S. cybersecurity risk management frameworks from which they were likely derived. GB/T 28449 and GB/T 22239, for instance, classify standards as either technology or management requirements. Technology requirements include physical environments, internet communications, domain borders, application environment, and management centers. Management requirements include policies, organizations, personnel, construction management, and operational management. These standards were updated in the past decade to add supplementary standards for emerging technologies encompassing information network protection, information systems, cloud computing platforms, big data resources, and industrial controls. They emphasize the importance in maintaining security in mobile terminals and controls, mobile applications, and wireless endpoint connections. 2
GB/T 20269 is a more comprehensive guideline. It defines Policy and Systems; Organization and Personnel Management; Risk Management; Environment and Resource Management; Operations and Maintenance Management; Business Continuity Management; Supervision and Inspection Management; and Life Cycle Management as the eight most important elements in information system security.3 Similar to U.S. cyber risk assessment guidelines, GB/T 20269 emphasizes the notion that risk assessment begins with asset identification and Li, M. & Zhu, G. & Lu, L. (2019, January 15). Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019) Standard Interpretation 3 Li, X. (2015). Regulation of Cyber Space: An Analysis of Chinese Law on Cyber Crime. International Journal of Cyber Criminology, 9(2), 185-204. 2
25
Cybersecurity Quarterly
analysis. Next, the organization needs to identify the threats and vulnerabilities and assess the risks to form a risk analysis of the information system. The process may be conducted by experts carrying out a qualitative and comprehensive assessment of the assets, threats, and vulnerabilities. For vulnerabilities, the organization can perform penetration testing, malware scanning, and define the vulnerability assessment's duration and scope to eliminate unnecessary interference and target specific weaknesses inside the system. After risk identification, cybersecurity staff need to analyze and assess the risks and potential impacts based on previous experience and reports. This step requires assigning precise risk levels in preparation for the evaluation step. The operations team would come in and study all the assets and risks and decide whether certain operations can be allowed to continue. Sometimes conflicts may occur, for example, when a residual risk resides inside a 24-hour always-on system with no alternatives put into place. At this stage, the operation requires approval from the organization and the cybersecurity staff needs to notify the security team to avoid the risks and put forward control measures that are assigned to them individually.4 GB/T 20269 also provides instructions on how to select the right organizations to do security assessments and what confidentiality requirements should be assigned. The selection of assessment organizations should be based on their qualifications, recognition from national competent agencies, and its reputation. In some cases, the organization must be designated by the State for information system risk assessment. The process also requires third-party agency personnel to sign confidentiality agreements. It recommends hiring contracts officers who specialize in developing confidentiality agreements. In addition, confidentiality agreements for third-party organizations must adhere to the requirements in “Law of the People’s Republic of China on Guarding State Secrets.” Fang, Q. (2009, June 06). China National Information Security and Strategic Measures 5 (2006, May 31). Information security technology Information system security management requirements GB/T 20269—2006) ICS 35.040 L80 4
26
For technology testing, the guideline put forward three recommended procedures. Testing begins by giving the necessary authorizations to technology testers who are then strictly supervised by the Assessed Party. Only one of these procedures needs to be additionally implemented to satisfy the test process requirement. Finally, the framework also includes recommended procedures during information retrieval, storage, and transfer. It suggests that transfer procedures should be stipulated, sensitive parameters need to be concealed or replaced, and that the data should be kept in designated areas, restricting the physical location of assets within a set of rules and guidelines.5 China has taken many examples and guidelines from U.S. and international standards as it develops its own national standards. These standards will be modified based on requirements of the 2017 national cybersecurity law and by a deeper understanding of the local issues as organizations gain experience in applying the standards to their information systems. Standards will also be updated to remain current with technology developments, and government enforcement of the standards in national data centers will ensure the standards are applied nationwide. Raising social awareness in personal privacy is also a very good way in pushing organizations in China to start caring more about information confidentiality and integrity and will result in a safer security environment for the public. Bo Guan is a graduate student majoring in Security Informatics at John Hopkins University's Information Security Institute. Prior to enrolling in the master's program at John Hopkins University, Guan worked for three years in the industry as a software engineer specializing in web and mobile application development. Guan's current research is focused on Certificate Issuance and Revocation using Blockchain data structure.
Fall 2019
Krollâ&#x20AC;&#x2122;s experienced leaders help clients make confident decisions about people, assets, and operations across the globe.
INVESTIGATIONS AND RISK MANAGEMENT SOLUTIONS Cyber Security & Incident Response
Business Intelligence & Due Diligence
Fraud & Corruption Investigations
AML & ABC Compliance
Asset Search & Recovery
Third-Party Screening
Dispute Advisory & Litigation Support
Security Risk Management
kroll.com 27
Cybersecurity Quarterly
Cyberside Chat This Quarter's Topic: The Cyber Risk Conversation by Sean Atkinson, Chief Information Security Officer, CIS
Normal day-to-day business activities often donâ&#x20AC;&#x2122;t involve a specific focus on information security and making good decisions based on risk and controls. The spectrum of risk management often falls through the hierarchy based on a top-down process. As it falls, a lagging culture of risk management may not have anyone to catch it. It is here that we must identify the stakeholders and those within the business processes who can make a big difference between an attack and a catastrophic incident.
Risk and the Organizational Culture Risk elicitation and defining the underlying threats to an organization may only ever be discussed at senior levels within the organization. It may not be until a security assessment or penetration test discovers a vulnerability that a risk is uncovered. These risks could also have been identified with a collaborative intake process from all members of the organization. Question: Do you regularly poll internal stakeholders for their opinion about risk or use scenario based discussions to identify risk? This relates back to an earlier blog post about using the CIS Controls to discover gaps that could be
As it falls, a lagging culture of risk management may not have anyone to catch it. It is here that we must identify the stakeholders and those within the business processes who can make a big difference between an attack and a catastrophic incident. 28
articulated as risks. This process I define is to start that conversation with those responsible to implement those controls technically, operationally, and/or physically. As we analyze risk, the intake can take many forms from simply asking: Is our network at risk? What is the biggest risk you see to the network? How would this particular risk occur? Can we stop a malware outbreak and what is our response time? If we were to download a malicious file, what is our Mean Time to Detection (MTD), and the associated response and eradication timelines? The aim here is to ask questions that require a scenario response, a deeper dive into an answer of just yes and no. In order to start answering these questions, start with a plausible scenario and an
Fall 2019
engaged audience to uncover and discover risks across business processes, technical functions, and operational controls.
Risk and the Inevitable Meltdown The alignment of increasing technological complexity and the coupling of these systems being part of an interactive business process can and will lead to an inevitable risk. A single system failure will have a domino effect of either missing or bad data being consumed by a process that leads to further consequences across the business process. Here is a quick checklist of items to think about for both scoping your risk conversation and the underlying scenario development to elaborate on events that have potential to impact your organization. 1. Select an element of the business process that would be compromised in some manner. 2. Determine the coupling of this system to both other systems and the business processes that are reliant on the integrity and availability of this system. 3. Provide adversary intent to compromise the system â&#x20AC;&#x201C; ransomware, destruction of integrity, information theft, etc. 4. Determine the indicators of compromise. How would you know this event occurred? 5. With input from other stakeholders, how long
If we are not prepared to respond, then we have prepared to fail... cyber risk should be understood as an organizational risk... it is not simply a technical risk assigned to a technical business unit; it affects all aspects of an organization. would it have taken to know the event occurred? The premise here is that more time leads to greater consequences of loss and increased recovery time. 6. Are current response plans effective in response and restoration for the scenario chosen?
Risk and Reality If we are not prepared to respond, then we have prepared to fail. The above exercise is simply to illustrate that cyber risk should be understood as an organizational risk. This reasoning is to identify that it is not simply a technical risk assigned to a technical business unit; it affects all aspects of an organization. Given the complexity and interconnectedness of our data, process capability, and systems, a failure to anticipate cyber risk is the actualization of inaction, and cyber risk inaction cultivates increased consequences and unquantifiable impact. Sean Atkinson is the Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CISâ&#x20AC;&#x2122; enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, Atkinson served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk, and Compliance (GRC) across the globe. Prior to GLOBALFOUNDRIES, Atkinson led security implementation as Internal Control, Risk, and Information Security Manager for the New York State Statewide Financial System (SFS).
29
Cybersecurity Quarterly
ISAC Update MS-ISAC & EI-ISAC Memberships Continue Their Exponential Growth
Registration for the 2019 Nationwide Cybersecurity Review
Membership growth for the third quarter of 2019 has been robust and the MS-ISAC is on pace to add our 7,000th member near the end of October. We have been averaging 219 new members per month. At 6,800 members, the MS-ISAC is the largest ISAC focusing on the SLTT community!
The Nationwide Cybersecurity Review (NCSR) is a no-cost, anonymous, annual self-assessment that is designed to measure gaps and capabilities of U.S. State, Local, Tribal, and Territorial (SLTT) governmentsâ&#x20AC;&#x2122; cybersecurity programs.
Our tribal membership just crossed a new milestone with the addition of our 100th member! We have secured a speaking engagement at the premier tribal event of the year, TribalNet, occurring in November, and we anticipate further growth in this underserved sector. K-12 membership is another bright spot, with 1,200 current members. Lastly, we have seen excellent growth in the public airport sector. Our outreach there continues and we anticipate a 35% membership increase for 2019. The EI-ISAC has also achieved a significant milestone in the 3rd quarter with the onboarding of their 2,000th member! With nearly 2,100 members, the EI-ISAC is poised for continued growth with the upcoming election cycle. The EI-ISAC can now count 17 states with complete county-level membership. Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to the greater community. Thanks to your help, we are stronger and more connected than ever before!
The NCSR is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF provides a common language for understanding, managing, and expressing cybersecurity risk. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and align policy, business, and technological approaches to managing risk. Benefits of participating in the NCSR include: Receive metrics specific to your organization to identify gaps and develop a benchmark to gauge year-to-year progress, as well as anonymously measure your results against your peers. For HIPAA compliant agencies, translate your NCSR scores to the HIPAA Security Rule scores of an automatic self-assessment tool. Access to informative references such as NIST 80053, COBIT, and the CIS Controls that can assist in managing cybersecurity risk. Nationally, aggregate NCSR data provides a baseline, foundational understanding of SLTT cybersecurity posture to help drive policy, governance, and resource allocation. Enable Federal partners to better understand the status quo and engage in more strategic, cyberspecific planning and preparedness to help manage national risk and improve SLTT core capabilities. The NCSR will be open from October 1st to December 31st. To register for the 2019 NCSR, please visit https://www.cisecurity.org/ms-isac/services/ncsr/
30
Fall 2019
Upcoming Events October September 29th – October 2nd The Municipal Information Systems Association of California (MISAC) will hold the 2019 MISAC Annual Conference in Monterey, California, where government IT leaders and professionals from across the state will come together to network and learn from industry experts. MS-ISAC Senior Program Specialist Greta Noble and Program Specialist Brendan Montagne will present at the event on services available from the MS-ISAC. October 2nd – 3rd The Rochester Chapter of ISSA, Western New York Chapter of ISACA, and Rochester Chapter of OWASP will hold the Rochester Security Summit in Rochester, New York, bringing together the regional community of IT security professionals to network and learn from industry experts. CIS Executive VP of Security Services Reg Harnish will keynote the event. October 2nd – 3rd The Vermont League of Cities and Towns will hold their Town Fair 2019 in Killington, Vermont. The event will bring together the state's municipal leaders and professionals to network, attend training sessions, and learn about issues facing the state's city and town governments. October 3rd Cyber Security Summit: New York will take place at The Grand Hyatt New York, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. CIS VP Steve Gold will be a featured panelist at the event, speaking on panels covering insider threats and cloud security. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details. October 7th The County Commissioners Association of Pennsylvania (CCAP) will hold their 4th Annual CCAP Cybersecurity Summit in State College,
Pennsylvania. The event will educate and engage key county stakeholders in strategies for cyber incident prevention and response. MS-ISAC Program Manager Eugene Kipniss will be a featured panelist at the event, speaking on cybersecurity resources available to local governments. October 8th The Capital Area Intermediate Unit will hold their 2nd Annual Keystone Education Security Summit in Enola, Pennsylvania. The event will focus on improving security in the state's schools, teaching participants how to create a safe and secure environment. MS-ISAC Program Manager Eugene Kipniss will present two sessions at the event, covering MS-ISAC services and cyber best practices. October 8th – 10th Borderless Cyber USA will take place at The National Press Club in Washington, D.C. The event will discuss cybersecurity challenges, solutions, and collaboration opportunities, encouraging participants to join an engaged community that will generate more productive ideas, activities, and alliances. CIS Senior VP Tony Sager will keynote the event, discussing cyberdefense strategies October 9th The Oklahoma OneNet Cybersecurity Forum will take place at Oklahoma City Community College, bringing together the state's public IT security leaders and professionals to learn the latest strategies and best practices from industry experts. MS-ISAC Program Specialist TJ Scandaliato will present at the event on MS-ISAC services. October 10th – 11th Government Technology will hold the Ohio Digital Government Summit in Columbus. The event will bring together the state's public and private sector to help spread best practices and spur innovation in the state's government organizations. CIS Cybersecurity Solutions Manager Jamie Ward will be a featured panelist at the event, speaking on election security.
31
Cybersecurity Quarterly
October 17th Cyber Security Summit: Scottsdale will take place at the Hilton Scottsdale Resort & Villas in Scottsdale, Arizona, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. CIS VP Steve Gold will be a featured panelist at the event, speaking on cloud security. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details. October 20th – 23rd The International City/County Management Association (ICMA) will hold the 2019 ICMA Annual Conference in Nashville, bringing together local government management professionals to learn about tools and strategies for managing local governments in today’s complex environment. The MS-ISAC team will be spreading the word about our services for local governments at Booth #854. October 21st – 23rd North Carolina Community Colleges will be hosting its IIPS Fall Conference 2019 in Charlotte. The event will bring together IT leaders and professionals from the state's community colleges to learn the latest updates in the industry. CIS Cybersecurity Solutions Manager Jamie Ward will lead a session on cybersecurity solutions available to public colleges from CIS and the MS-ISAC.
October 25th – 28th The Association of School Business Officials (ASBO) International will hold its ASBO International Annual Conference & Expo in National Harbor, Maryland, bringing together school business officials to network and learn about the latest updates in the industry. MS-ISAC Program Manager Eugene Kipniss will present at the event on available MS-ISAC services for public school districts. October 26th – 29th The International Association of Chiefs of Police (IACP) will host their 126th IACP Annual Conference and Expo in Chicago, where law enforcement leaders will learn new strategies, techniques, and resources they need to navigate the evolving policing environment. MS-ISAC Director of Partnerships Stacey Wright will lead a session on discussing cybersecurity needs with IT staff. October 28th – 30th The (ISC)2 Security Congress will take place in Orlando, Florida, bringing together cybersecurity professionals to learn the latest industry updates, foster collaboration, and gain knowledge, tools and expertise to protect their organizations. CIS Senior VP Kathleen Patentreger will speak with AWS on a panel discussing compliance through automation.
November
October 22nd – 25th The North American Electric Reliability Corporation's (NERC) Electric Information Sharing & Analysis Center (E-ISAC) and SERC Reliability Corporation will host GridSecCon 2019 in Atlanta. The conference will bring together cyber and physical security experts to share emerging security trends, policy advancements, and lessons learned related to the electricity industry.
November 3rd – 6th The GMIS Illinois Annual Networking & Training Symposium (GIANTS) 2019 will take place in Bloomington, Illinois. Local government IT leaders and professionals from around the state will gather together to network and learn about the latest trends in local government technology. MS-ISAC Program Manager Eugene Kipniss will lead a session at the event on cybersecurity best practices.
October 24th – 26th The Nebraska Secretary of State's Office will host the Nebraska County Election Officials' October Training Event in Kearny, Nebraska to educated the state's election officials on the latest industry updates and best practices. EI-ISAC Program Manager Kateri Gill will speak at the conference on resources available from the EI-ISAC.
November 4th – 8th Microsoft Ignite will take place in Orlando. The event will bring together developers and IT professionals to learn innovative ways to build solutions and manage their infrastructure from experts from Microsoft and other industry leaders. The CIS team will be spreading the word about our security products for Azure at Booth #2438.
32
Fall 2019
November 6th Cyber Security Summit: Boston will take place at The Westin Copley Place, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. CIS VP Steve Gold will be a featured panelist at the event, speaking on cloud security. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details. November 7th The Governor's Office of Homeland Security and Pennsylvania Region 13 Task Force will hold their 4th Annual Security & Risk Management Symposium in Pittsburgh. The symposium will address criminal activities, security threats, risk management strategies, prioritization of resources, and protection of critical infrastructure assets. MS-ISAC Director of Partnerships Stacey Wright will present at the event on low and no-cost resources available to state and local governments. November 11th – 14th The 20th Annual TribalNet Conference & Tradeshow will take place in Nashville, where tribal government leaders and IT professionals will gather together to network and learn about the latest best practices and technologies. MS-ISAC Director of Stakeholder Engagement Andrew Dolan will lead a breakout session at the event on social engineering. November 12th – 15th The California Education Technology Professionals Association (CETPA) will hold their 2019 CETPA Annual Conference in Anaheim, California, bringing together the state's technology leaders and professionals from the education sector to learn best practices and strategies from industry experts. MS-ISAC Program Specialist Brendan Montagne will lead a session on available MS-ISAC services. November 13th – 14th Cyber Security & Cloud Expo North America 2019 will take place in Santa Clara, California. The event will bring together IT and security professionals for top-level content and discussion. CIS VP Steve Gold and Cloud Product Owner Greg Carpenter will lead a session at the event on cloud security best practices.
November 20th – 22nd The New England Association of City & Town Clerks (NEACTC) will host their 52nd Annual NEACTC Conference in Rockport, Maine, bringing together the region's local government leaders to network and learn the latest updates on sector issues. The MS-ISAC team will be at the event, spreading the word about our services for local governments. November 21st Cyber Security Summit: Houston will take place at the The Westin Houston, Memorial City, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. CIS VP Steve Gold will be a featured panelist at the event, speaking on insider threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.
December December 2nd – 6th AWS re:Invent will take place in Las Vegas, bringing together AWS users for deep technical sessions, hands-on bootcamps, hackathons, workshops, chalk talks, keynotes, and of course, some fun. The CIS team will be spreading the word about our security products for AWS at Booth #1807. December 5th Cyber Security Summit: Los Angeles will take place at The Beverly Hilton, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. CIS VP Steve Gold will be a featured panelist at the event, speaking on cloud security. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details. December 12th – 13th Government Technology will hold the Pennsylvania Digital Government Summit in Harrisburg, Pennsylvania. The event will bring together the state's public and private sector to help spread best practices and spur innovation in the state's government organizations. MSISAC Director of Partnerships Stacey Wright will be a featured speaker at the event.
33
Confidence in the Connected World
Copyright Š 2019 Center for Internet Security, All rights reserved.
CIS CyberMarket Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.880.0699