Cybersecurity Quarterly
Winter 2019
A Publication from the Center for Internet Security

Stopping Cyber Criminals from Ruining the Holiday Season
Protecting the Weak Link in U.S. Election Infrastructure — Non-Voting Election Technology
Lifting Up a New Generation of Cybersecurity Professionals

Cyber Cleanliness is Next to Cyber Readiness
Developing an effective cyber hygiene program should be the first step to ensure the cybersecurity health of your organization and protect your sensitive data in the new year
The Most Trusted Source for Information Security Training, Certification, and Research
CIS & SANS Institute
Information Security Training Partnership
SANS Institute partners with the Center for Internet Security to provide its top-rated information security training and awareness programs to State, Local, Tribal, and Territorial Government organizations at significantly reduced costs. Leverage this special partnership to ensure that your employees have the skills and experience necessary to protect your critical organization from cyber threats. Program participants may purchase:
• More than 35 of SANS' most popular hands-on courses, available OnDemand, or live online in the evenings via vLive.
• SANS Security Awareness, to train and test non-technical staff on email, file storage, digital access, and general data security.
Purchase training during the Winter Aggregate Buy Window to receive the best pricing of the year. Discounts are available now through January 31, 2020.
Contact partnership@sans.org, or visit www.sans.org/partnership/cis for more information.
Contents

Featured Articles
8   How to Implement & Assess Your Cyber Hygiene
    Using the CIS Controls to build and enact an effective cyber hygiene program
10  Back to Basics – An Action Plan for 2020
    To protect ourselves in 2020, it's time to go back to the fundamentals of cybersecurity
12  Top Ways to Avoid Falling Victim to Cyber-Attacks During the Holidays
    Methods to stop malicious attackers from ruining the holiday season
14  Beyond the Ballot Box: Securing America's Supporting Election Technology
    A look at CIS' best practices for protecting the weak link in our election infrastructure
16  US Cyber Challenge – Building America's Best
    Educating a much needed new generation of cybersecurity professionals

Quarterly Regulars
4   Quarterly Update with John Gilligan
6   News Bits & Bytes
18  Cyberside Chat
20  ISAC Update
21  Calendar

Confidence in the Connected World
Winter 2019, Volume 3, Issue 4
Founded MMXVII
Editor-in-Chief: Michael Mineconzo
Copy Editors: Shannon McClain, Autum Pylant
Staff Contributors: Sean Atkinson, Josh Franklin, Amelia Gifford, Paul Hoffman, Aaron Piper, Aaron Wilson
Cybersecurity Quarterly is published and distributed in March, June, September, and December.
Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061
For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460
Copyright © 2019 Center for Internet Security. All rights reserved.
Quarterly Update
with John Gilligan

“[Not] implementing these basic security practices and controls,... continues to be the most significant challenge in providing security.”

Welcome to the Winter 2019 issue of Cybersecurity Quarterly. As we approach the holiday season, we need to be aware that the end of the year is becoming a period of significantly increased cyberattacks. Unfortunately, cyber thieves prey on the sense of urgency that many people have as the year comes to a close, whether that is in regards to completing their holiday shopping online, renewing their health benefits, or addressing tax-related issues. Many are not as familiar with the potential dangers and what to watch for online. In this issue, we have an excellent article from SANS that identifies holiday-related cyber threats and how to protect against them.

The primary theme for this issue is implementing basic cyber hygiene for organizations and individuals. Basic cyber hygiene consists of the actions and controls that address the most common cyber threats. Although there has been increased attention to the need for implementing these basic security practices and controls, many organizations do not do so. This weakness continues to be the most significant challenge in providing security, especially for small businesses or organizations and individuals. These basic cyber hygiene actions include: cyber asset inventory, configuration control to include prompt patching, using secure configurations, monitoring of audit logs, and continuous vulnerability scanning. An article from our Security Best Practices team describes how to use the CIS Critical Security Controls to assess cyber hygiene and how organizations can develop a cyber hygiene program. The Global Cyber Alliance provides an overview of how basic cyber hygiene practices can help protect against the causes of 2019’s largest data breaches and how available resources, such as their Cybersecurity Toolkit for Small Business, can help organizations improve their basic cyber defenses. This toolkit, which is provided free to organizations, has been specifically designed to assist smaller public and private organizations who have limited resources and cyber expertise.

As we enter 2020, we will be hearing quite a bit about the upcoming primaries and general elections. CIS has developed a guidebook entitled Security Best Practices for Non-Voting Election Technology. The guidebook is intended to provide a voluntary basis for vendors of non-voting equipment (e.g., voter registration, poll books, election management systems, and election night reporting systems) to ensure that they have adequately addressed security in the development of their product. An overview of the guidebook is provided in this issue.

Finally, development of cybersecurity professionals continues to be one of our nation’s biggest challenges. The U.S. Cyber Challenge (USCC), which is sponsored by CIS, has had over 10,000 participants. The program is being refocused to emphasize development of leaders and teachers in cybersecurity. In particular, the emphasis is on quality of participant over quantity and increased focus on post-USCC program development for very high potential individuals. An overview of the USCC and the new program elements is also provided in this issue. Our resident CISO and regular contributor, Sean Atkinson, also provides his recommendations for security training in 2020.

I hope you enjoy this issue’s selection of articles and have a great holiday season.

Best Regards,
John M. Gilligan
President & Chief Executive Officer
Center for Internet Security
Detect Ransomware in Minutes
Specialized threat identification for U.S. State, Local, Tribal, & Territorial (SLTT) government entities
• Cost-effective solution
• Passive, fully managed intrusion detection system
Find out more: www.cisecurity.org
News Bits & Bytes

(ISC)2 is the newest vendor partner of CIS CyberMarket. (ISC)2 is a leading authority on cybersecurity certifications. Its growing membership base of 140,000 is united in helping protect people and data. MS-ISAC and EI-ISAC members can receive discounted pricing on a number of cybersecurity certification training courses from (ISC)2, including its Certified Information Systems Security Professional (CISSP). Learn more about (ISC)2 at https://www.cisecurity.org/services/cis-cybermarket/training/isc2/.

CIS launched a new Department of Defense (DoD) STIG compliant CIS Benchmark and Hardened Image for Red Hat Enterprise Linux 7. Security Technical Implementation Guides (STIGs) are configuration standards for DoD Information Assurance (IA) and IA-enabled devices and systems, containing technical guidance to “lock down” information systems and software that might otherwise be vulnerable to a malicious cyber-attack. With this launch for Red Hat Enterprise Linux 7, organizations can rely on CIS Benchmarks and Hardened Images for STIG compliance. The new CIS Benchmark recommendations map to the STIG when applicable, and include the remaining STIG and CIS recommendations that do not map to each other.

The 2019 Nationwide Cybersecurity Review (NCSR) will officially close on December 31st. The NCSR is a no cost, anonymous, annual self-assessment that is designed to measure gaps and capabilities of U.S. State, Local, Tribal, and Territorial (SLTT) governments’ cybersecurity programs. The NCSR is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). For more information or to complete the NCSR, please visit https://www.cisecurity.org/ms-isac/services/ncsr/.

The Global Cyber Alliance (GCA), working with its partners, launched the Automated IoT Defense Ecosystem (AIDE), a first-of-its-kind cybersecurity development platform for Internet of Things (IoT) products. AIDE enables small businesses, manufacturers, service providers, and individuals to identify vulnerabilities, mitigate risks, and secure IoT devices against the growing volume of threats to this interconnected environment. AIDE enables automated collection, analysis, distribution, and display of attacks on IoT devices and a means to implement distributed defense of these devices. Visit globalcyberalliance.org to learn more or gcaaide.org to request access to GCA AIDE.

At the State of Minnesota's 9th Annual Cyber Security Summit, CIS was awarded the 2019 Founders Award for National Cyber Defense Leadership – the first-ever organizational award presented at the annual event. Represented at the event by Senior Vice President and Chief Evangelist Tony Sager, CIS accepted the award that recognized its body of work supporting both public and private sectors against cyber threats and the added value CIS has provided to government and business stakeholders in the state.

CIS has announced the release of CIS Hardened Images for Debian Linux 8 and Debian Linux 9 on three major cloud service providers. Amazon Web Services (AWS) Marketplace, Microsoft Azure Marketplace, and Google Cloud Platform (GCP) Marketplace now offer more ways to bring the security configuration recommendations of the CIS Benchmarks to the cloud through CIS Hardened Images. CIS Hardened Images for Linux are updated every month to ensure incorporation of applicable new operating system patches. For more information, view our blog post covering them.
Let us hack you, before they do.
While you are attempting to make sound security decisions, there is a very good chance you are failing to account for what a real world adversary would do to circumvent your defenses. Leet Cyber Security provides this understanding of your organization's adversaries by mimicking what Cyber Criminals would do to hack into your organization and gain access to your most critical assets. In a controlled and safe setting, we take on the role of "Cyber Criminal" so that you can become measurably and meaningfully more secure. Leet Cyber Security focuses on penetration testing and offensive security to determine real risk for any organization in any industry.
www.leetcybersecurity.com
How to Implement and Assess Your Cyber Hygiene
Learn how to utilize our security best practices outlined in the CIS Controls to develop an effective cyber hygiene program that best fits your organization and its needs
By Josh Franklin & Aaron Piper

Just like physical hygiene keeps us healthy and protects us from common germs, cyber hygiene is important for protecting your organization from common cyber threats. Implementing cyber hygiene security best practices is the CIS-recommended way to help prevent data breaches, system misconfigurations, and more. But what exactly does cyber hygiene entail? This article will highlight the development process for establishing a cyber hygiene program and help identify a program that works for your organization. These cyber hygiene security guidelines are adapted from the CIS Controls V7.1. The CIS Controls are a free, internationally-recognized set of cybersecurity best practices. They're known for bringing together expert insight about threats, business technology, and defensive options. They provide an effective and simple way to manage an organization’s security improvement regime.

Developing Cyber Hygiene Guidance
Measuring your organization against a security best practice, such as the CIS Controls, will help you take stock of your cybersecurity health. CIS Controls V7.1 helps organizations prioritize their cybersecurity activities with the introduction of Implementation Groups (IGs). The IGs provide a simple and accessible way to help organizations classify themselves as belonging to one of these IGs to focus their security resources, expertise, and risk exposure while leveraging the value of the CIS Controls program, community, complementary tools, and working aids. To develop the IGs, CIS took a “horizontal” look across all of the CIS Controls and identified a core set of defenses that organizations with limited resources and risk exposure should focus on. We call these accessible and high-value Sub-Controls IG1 or cyber hygiene. They provide effective security value with technology and processes that are generally already available while providing a basis for more tailored and sophisticated action if warranted. Building upon IG1, CIS identified an additional set of Sub-Controls for organizations with more resources and expertise, but also greater risk exposure. These more advanced security techniques form the second Implementation Group (IG2). Finally, the remainder of the CIS Sub-Controls makes up IG3.

Staying Fresh with Cyber Hygiene
Helping adopters of the CIS Controls implement cyber hygiene is important to us, so we created a page that lets cybersecurity professionals explore the CIS Controls at the Sub-Control level. The release of V7.1 introduces our methodology that will enable you to decide which IG is for your organization. With this tool, you can filter by IG, and then add additional CIS Sub-Controls based on your organizational needs. Be mindful of the following attributes: data sensitivity, technical expertise of staff, and available resources for cybersecurity, which are the CIS-recommended attributes for choosing your IG. Start with IG1 and work your way up to IG2 or IG3. Export your selection to the desired format once you have completed your selections. Additional filtering features include regulatory framework mappings for the NIST Cybersecurity Framework (CSF) and ISO 27001 where you can tie the IGs into your report. We hope to add more mappings in the coming months. If there’s a framework that’s important to you and your organization, please let us know by emailing controlsinfo@cisecurity.org and we’ll add it to the queue of mappings.

CIS Controls Self-Assessment Tool
An additional resource for your organization is the CIS Controls Self-Assessment Tool (CIS CSAT). CIS CSAT is a free web application tool that organizations can use to conduct, track, and assess their implementation of the CIS Controls. CIS CSAT supports collaboration by allowing users to delegate questions, validate responses, create sub-organizations, and more. At any point, you can export your results into various formats, such as Excel, PowerPoint, and PDF. With CIS CSAT, you can create a new assessment, view historical assessments, and compare your results to an anonymized “peer group” within the same industry. An update to CIS CSAT was recently released on December 2nd. This update includes security enhancements for the tool. Additionally, this new version allows CIS personnel to change the Primary Owner for an organization, enabling CIS to support related user requests (such as when organizations have personnel changes).

Security for Every Organization
At home and in the workplace, cyber hygiene is an important best practice for keeping our systems and data secure. Just like washing our hands and brushing our teeth, using strong passwords and known Wi-Fi networks is something everyone should do. The CIS Controls have always provided best practices for organizations to defend their cyber assets. The development of Implementation Groups helps organizations and enterprises from around the world:
• Bolster their organization’s security
• Create cybersecurity programs on a budget
• Implement best practices regardless of cyber expertise
• Defend systems and data with limited resources
Find out where your cyber hygiene stands by downloading the CIS Controls and assessing against Implementation Group 1 today.

Josh Franklin is a Senior Cybersecurity Engineer at CIS. He is the product owner for CIS Controls V7.1 and V8. He is also focused on developing companion guides for mobile and Internet of Things (IoT) technologies. Prior to CIS, Franklin researched enterprise mobile security, cellular security, and electronic voting at National Institute of Standards and Technology (NIST). While at NIST, he managed the mobile security laboratory at the National Cybersecurity Center of Excellence (NCCoE). Franklin possesses a Master of Science in Information Security and Assurance from George Mason University.

Aaron Piper is the Senior Controls Content Development Lead for the CIS Controls at CIS. As part of the Security Best Practices Group, Piper focuses on the automation of our CIS Controls Self-Assessment Tool (CIS CSAT). Prior to working at CIS, Piper worked in cybersecurity for the Federal Government for more than a decade.
Back to Basics — An Action Plan for 2020
2019 was another record year for cyber-attacks and breaches. To protect your organization in 2020, it's time to go back to the basics of cybersecurity.
By Aimée Larsen Kirkpatrick

We are closing out 2019, a banner year for data breaches, ransomware, and attacks against governments. According to an article recently published by SC Magazine, the top 12 breaches of the past year account for more than 11 billion records being exposed. That’s just the tip of the iceberg; ransomware had a pretty good run shutting down municipalities and schools across the country — more than 70 state and local governments have been affected, including more than 500 individual schools. These breaches and attacks have significant consequences, bringing business to a halt and impacting services — often crippling critical services, such as emergency response (911, fire, police) and hospitals which often now rely on Internet connectivity and networks to be able to respond and deliver services. Additionally, the economic consequences can be devastating — recovery from a ransomware attack can cost hundreds of thousands of dollars and can easily escalate into the millions.
Top 12 Data Breaches of 2019

Data Breach                                  Total Records Exposed
ElasticSearch Server Breach                  108 million
Canva Data Breach                            139 million
Chinese Job Seekers MongoDB Data Breach      202 million
Indian Citizens MongoDB Database             275 million
Third-Party Facebook App Data Exposure       540 million
Dream Market Breach                          620 million
"Collection#1" Data Breach                   773 million
Verifications.io Data Breach                 808 million
First American Data Breach                   885 million
TrueDialog Data Breach                       1 billion +
Orvibo Leaked Database                       2 billion
Social Media Profiles Data Leak              4 billion

Source: SC Magazine
So, what do we do about it? It’s time to go back to the basics. Start 2020 off with an oldie but goodie: basic cyber hygiene. It’s not rocket science. It’s not the latest and greatest technology. It’s not even a silver bullet. But it is tried and true. We know — and have known for years — that basic cyber hygiene is the fundamental building block to better security. As part of the annual New Year’s resolution tradition, commit to the fundamentals of cybersecurity so you are a bit better prepared to weather the storm no matter what 2020 throws at your organization. Good cyber hygiene doesn’t guarantee that you won’t be attacked, but it does put you in a better position to survive and focus on what’s most important to you and the community you serve.

We understand, cyber hygiene isn’t glamorous or particularly exciting, but it is critical. Cyber hygiene requires commitment and time set aside each week to work on making sure the right actions and resources are in place and being maintained.

Where to start? Use the CIS Controls for guidance. Start with Implementation Group 1 and work your way through. If you already have the practices implemented, set aside time to review and take stock of where your organization is at and ensure nothing is falling through the cracks. Then, take steps to up your game and improve.

But what about implementation? There are a number of resources out there to help with operational implementation. The Global Cyber Alliance (GCA) has created the Cybersecurity Toolkit for Small Business with a wealth of resources (aligned to the CIS Controls). While the toolkit was designed with small businesses in mind, many of the resources can be used by anyone, especially state and local government organizations. For election offices, GCA, in conjunction with CIS, has developed the Cybersecurity Toolkit for Elections (also aligned with the CIS Controls, as well as the CIS Handbook for Election Infrastructure Security) to help election offices shore up their defenses, an important task as we prepare for the 2020 elections.

Start 2020 off in the driver’s seat — put good cyber hygiene at the top of your list and make it an organizational priority throughout the year.
Aimée Larsen Kirkpatrick is the Global Communications Officer for the Global Cyber Alliance (GCA). Prior to GCA, she was President of ALK Strategies, a communication and public affairs consulting practice focused on start-ups and nonprofits. Kirkpatrick was also formerly the Partnership Engagement & Strategic Initiatives Director for the National Cyber Security Alliance (NCSA). At NCSA, Kirkpatrick established strategies and programs to engage and broaden NCSA’s stakeholder base and expand its audiences. Kirkpatrick was a 2012 Executive Women’s Forum Women of Influence Award recipient. She also currently sits on the Board of Trustees for the EU chapter of Anti-Phishing Working Group (APWG).
Top Ways to Avoid Falling Victim to Cyber-Attacks During the Holidays
As adversaries get smarter with their attack tactics this holiday season, so must we.
By John Pescatore

There are common cyber-attack methods that we see regardless of the time of year, but with the madness that can come with the end-of-year holiday season, we need to remember our cybersecurity roots and make sure we are following best practices. “Look both ways before crossing the street” has always been good advice and taking a moment before clicking on anything claiming to be urgent is, too. Malicious actors are feeding on our end-of-year sense of urgency and using messaging in their phishing and watering hole attacks that try to convince people to click on things more quickly than they might otherwise – “Click here or you’ll lose your health benefits,” for example. While you may, in fact, need to renew your health benefits, and quickly, the bad guys are counting on that sense of urgency to lead you to bypass due diligence and click on bad links. Another common attack thread around this time of year has to do with tax-related issues – whether it’s communications spouting “donate to this charity,” “do this for tax reasons,” or “there are new changes in the tax law – act now!” Pause and read closely before clicking. Rest assured, communications you receive at the end of year about taxes are never from the IRS.

Another tactic we’ve seen ramping up, especially in the last few years, is e-skimming attacks. This rise in e-skimming can be attributed to the use of payment-as-a-service solutions by small business and other similarly-sized organizations. As more organizations use such payment software, the bad guys have zeroed in on the payment software itself, injecting rogue code to capture payment card information from tens of thousands of organizational users at once. Consumers and organizations each have a role to play in protecting themselves from such scams. For consumers, it largely comes down to adopting safer practices to keep your personally identifiable information under lock and key. For online transactions, use a secure payment service, like PayPal, or a virtual credit card, like Visa Checkout or an equivalent that gives you card numbers for one-time use. Sign up for alerts for credit card transactions where your card is not present, so you’ll be alerted to suspicious activity, such as the purchase of 27 designer dresses in China. Be suspicious of a vendor that hasn’t at least invested in obtaining a seal that shows they have been security audited; when clicking a payment icon, if the URL turns green, it shows the seller has gone the extra mile and gotten what’s called an extended validation web certificate. Neither of these is a guarantee of safety, but they do raise the bar for attackers.

• Make sure that if one of your passwords is compromised, you change it everywhere else you’re using that same password. Don’t forget all those loyalty programs you’ve given a password to.
• Consider signing up for Have I Been Pwned, Firefox Monitor, or a similar monitoring service to alert you to your information being compromised.
• If you do get an alert after visiting a certain website, let the company know. Too often, vendors don’t find out an attack has happened until quite a while later, and by notifying them, you are helping them react more quickly.
• Keep lines of communication open with your customers so they have avenues to take to alert you to potential breaches or attacks. Knowledge is power.
• Enable two-factor or multi-factor authentication for your customer-facing sites and encourage your customers to move to stronger forms of authentication.

When it comes to shoring up cybersecurity defenses to protect both the consumer and the organization’s reputation, the onus falls largely on the organization. It’s vital to have the cybersecurity staff on hand who can implement foundational web application and server security and other critical controls. Ensure you have implemented the CIS Controls. These are basic hygiene and anti-theft controls that should be in place at every business and government organization. Go the extra mile and get an extended validation web certificate to help establish this as an industry standard. Implement DMARC in your e-mail systems for the same reason. Get security audited and display a seal on your site to indicate to customers that you have done the work to earn their trust and business. Get ahead of fake account creation by implementing CAPTCHAs and being proactive about alerting customers to suspicious account activity. If a dormant account all of a sudden becomes active, that’s unusual behavior worth alerting the account holder about.
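The dormant-account alerting recommended above, worked through as an added example (this is not code from the article, SANS, or CIS): it scans login events for a successful login to an account that has had no successful login for a long stretch, and produces a notification for the account holder. The newline-delimited JSON log format, its field names, the constructed sample events, and the 90-day dormancy threshold are all assumptions.

```python
"""Detect successful logins to dormant accounts so the account holder can be alerted.

Added example; not code from the article, SANS, or CIS. Assumptions (not from
the page): login events are newline-delimited JSON records with the fields
"user", "ts" (ISO 8601, UTC, "Z" suffix) and "result" ("success" or "failure"),
and an account counts as dormant after DORMANT_DAYS without a successful login.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

DORMANT_DAYS = 90  # assumed threshold; tune it to the site's normal usage pattern

# Constructed sample events (not real data). Note alice's gap from early July to
# late November, and that carol's first-ever login is not a reactivation.
SAMPLE_LOG = """\
{"user": "alice", "ts": "2019-07-02T09:15:00Z", "result": "success"}
{"user": "bob",   "ts": "2019-11-28T18:02:00Z", "result": "success"}
{"user": "alice", "ts": "2019-11-29T09:44:10Z", "result": "failure"}
{"user": "alice", "ts": "2019-11-29T09:44:40Z", "result": "success"}
{"user": "bob",   "ts": "2019-12-01T08:30:00Z", "result": "success"}
{"user": "carol", "ts": "2019-12-02T12:00:00Z", "result": "success"}
"""


def parse_event(line: str) -> dict:
    """Parse one JSON log line into a dict with a timezone-aware datetime."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"user": rec["user"], "ts": ts, "result": rec["result"]}


def find_dormant_reactivations(log_text: str, dormant_days: int = DORMANT_DAYS) -> List[dict]:
    """Return one alert per successful login that ends a dormancy period.

    Events are processed in timestamp order so out-of-order log lines do not
    produce false gaps. Failed attempts never reset the dormancy clock: only a
    successful login counts as activity, so a burst of failures followed by a
    success on a long-idle account is still flagged. An account's first-ever
    success has no previous success to compare against and is not an alert.
    """
    events = sorted(
        (parse_event(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    last_success: Dict[str, datetime] = {}
    alerts: List[dict] = []
    for ev in events:
        if ev["result"] != "success":
            continue
        prev = last_success.get(ev["user"])
        if prev is not None and ev["ts"] - prev >= timedelta(days=dormant_days):
            alerts.append({
                "user": ev["user"],
                "previous_success": prev.isoformat(),
                "reactivated_at": ev["ts"].isoformat(),
                "gap_days": (ev["ts"] - prev).days,
            })
        last_success[ev["user"]] = ev["ts"]
    return alerts


def describe_alert(alert: dict) -> str:
    """Format an alert as the line a notification to the account holder would carry."""
    return (f"account {alert['user']}: successful login after {alert['gap_days']} days "
            f"of inactivity (last seen {alert['previous_success']}); "
            f"notify the account holder and confirm the login was theirs")


if __name__ == "__main__":
    for a in find_dormant_reactivations(SAMPLE_LOG):
        print(describe_alert(a))
```

On the sample data only alice is flagged (150 days between successes); bob's three-day gap and carol's first login are not.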
With consumers adopting safer practices and organizations implementing proper controls and going the extra mile in cybersecurity, we all have a chance to make it through the end-of-year holiday season uncompromised. Of course, organizations can’t ensure that their sites are safeguarded without skilled cybersecurity professionals. As should be blindingly clear by now, the threat landscape is constantly evolving; continuous cybersecurity training will ensure your security staff is staying ahead of the threats of today and tomorrow.

John Pescatore joined SANS in January 2013 with 35 years’ experience in computer, network, and information security. He was Gartner’s Lead Security Analyst for 13 years, working with Global 5000 corporations and major technology and service providers. Prior to joining Gartner Inc. in 1999, Pescatore was Senior Consultant for Entrust Technologies and Trusted Information Systems. Prior to that, Pescatore spent 11 years with GTE developing secure computing systems. Pescatore began his career at the National Security Agency (NSA), where he designed secure voice systems, and the United States Secret Service, where he developed secure communications and surveillance systems. He holds a BSEE from the University of Connecticut and is an NSA Certified Cryptologic Engineer.
Beyond the Ballot Box: Securing America's Supporting Election Technology Protecting the weak link in America's election infrastructure — non-voting election technology By Aaron Wilson There is more to America’s election technology than most people know. Most people are familiar with voting systems and voter registration systems. How many people are familiar with electronic poll books, on-demand ballot printers, election night reporting systems, and electronic ballot delivery solutions? These solutions are internet-connected systems and their compromise would have serious impacts on election operations and public confidence. To help secure these critical systems, CIS developed a set of best practices for securing non-voting election technology. These best practices are built upon the set of security controls found in the CIS Controls. They combine the CIS Controls and web application security best practices with election-specific concerns and constraints.
Non-voting election technology refers to the internet-connected products and services that handle sensitive ballot, voter, and election results data... Internetconnected technologies are the most at-risk components of the election infrastructure. 14
We created the guide by working with state and local election technologists, election technology providers, and other community stakeholders. Implementing the recommendations in this guide can significantly reduce the risk of internet-connected election technologies being compromised and adversely impacting Election Day operations.
Defining Non-Voting Election Technology Non-voting election technology refers to the internet-connected products and services that handle sensitive ballot, voter, and election results data. This includes election night reporting systems, electronic poll books, electronic ballot delivery systems, and voter registration systems. Internet-connected technologies are the most atrisk components of the election infrastructure. The CIS Security Best Practices for NonVoting Election Technology Guide covers five areas: Network and Architecture, Servers and Workstations, Software Application, Data, and Administration. The areas were chosen carefully based on similarities in threats, mitigations, and governance.
Winter 2019
For each area, we provide an in-depth discussion on the threats to and governance of that area, then describe the mitigations – recommended best practices – in more detail. The mitigations are intended for technical audiences who will be implementing the security best practices. Additional narrative is provided for non-technical management who need to understand the rationale and security context for each best practice.
Security Profiles for Best Practices
To better assist election technology providers and election officials with understanding and utilizing our best practices, we defined and assigned each best practice to one of three profiles: Level 1, Level 2, or Level 3. The profiles build upon themselves. The goal is to have all election technology solutions at a Level 1 or above. If a technology solution achieves Level 2, it implies that best practices in both Level 1 and Level 2 are met.
Level 1 – Minimum best practices that are most broadly applicable and effective when employed in security applications by organizations.
Level 2 – Additional controls that form a defense-in-depth strategy for election technology solutions with more invested time and resources.
Level 3 – Advanced, automated security controls.

Election Security Best Practices
To enable the elections that define democracy, we must protect the security and reliability of elections infrastructure. Through a best practices approach, we aim to help organizations involved in elections better understand what to focus on, know how to prioritize and parse the enormous amount of guidance available on protecting IT-related systems, and engage in additional collaboration to address common threats to this critical aspect of democracy.

Up Next? Strengthening Verification Processes
CIS is also working on how to verify systems against these best practices. Traditional voting systems are verified against large monolithic standards using lengthy and expensive certification campaigns run by independent test laboratories. This approach doesn’t incentivize change or innovation in either the requirements or the systems. This might be okay for voting systems since they are offline installs. It is imperative, however, for internet-connected election technology to be responsive and adapt quickly to changes in the threat landscape. CIS is addressing this with a new verification process model that will provide certain assurances of security, reliability, and functionality in a flexible, change-tolerant manner. We aren’t just developing theoretical ideas; CIS will be piloting this process with actual states, counties, and election vendors working together. You can take a good first step today by downloading the CIS Security Best Practices for Non-Voting Election Technology Guide and begin implementing the recommendations. Together, we can continue to improve the security of elections.
Aaron Wilson joined the Center for Internet Security in January 2019 to lead its election security work. Wilson has spent his career building innovative and secure technology solutions primarily for election jurisdictions. He began his career auditing voting systems with the Florida Division of Elections. In his most recent position before CIS, Wilson helped build and manage voting systems for the nation's latest federally certified voting system manufacturer. Wilson enjoys programming and product management and has a real passion for improving our nation's election technology.
US Cyber Challenge – Building America's Best
An introduction to the organization leading the charge of educating the next generation of cybersecurity leaders
By Doug Logan

When Karen Evans launched the US Cyber Challenge (USCC) in late 2009, corresponding with her publication of the paper, “A Human Capital Crisis in Cybersecurity” with the Center for Strategic and International Studies (CSIS), her goal was to do her part to head off the impending human capital crisis by finding 10,000 of America’s best and brightest, and plugging them into a career in cybersecurity. For over ten years, the USCC has continued this mission, refining its techniques to more successfully meet the goals for which it was founded. As we enter into the 11th year of the program, we’re excited to be implementing some small changes to allow us to better Build America’s Best; but first, let’s talk a bit about the history of the program.

Evans is a firm believer in competitions and that the competitive spirit can be utilized to both attract talent to the field and potentially build their hands-on cybersecurity skills to the next level. For this reason, qualifying for any US Cyber Challenge cyber camp has always required that the individual first be a high scorer in a competition. The primary way individuals have qualified each year has been through an online competition called CyberQuests that is traditionally offered in the spring. This online quiz has been designed to be extremely difficult to pass on the first attempt, but has allowed multiple submission attempts to improve a score. This was done by design to attract individuals with a passion to learn that are constantly looking to improve and grow. Individuals who scored above a certain threshold were then invited to a weeklong, boot-camp style cyber camp in the summer. These invitation-only cyber camps were designed from the beginning to expose the students to ethics concepts, four days of intensive classes, and companies that are hiring at the corresponding job fair, culminating with a Capture-The-Flag (CTF) competition on the fifth day where students mimic real-world attackers to gain flags and give their team points. The classes themselves have purposely been fast-paced, drink-from-the-fire-hose type classes designed to give the students more material than they could possibly consume in a day, but hopefully ignite a passion in that area of study. In the pilot year of the program, each day of class was literally a four- or five-day SANS course crammed into a single day and taught by top SANS instructors. Over the years, the intensity of the material has been tuned down a notch from that first year, but it still mimics that same fire-hose type mentality. This format has proven successful for over a decade and has reliably been turning out top notch individuals passionate about the security field, and capable of learning new technologies and concepts quickly.

Every step of the process has produced exactly the type of talent it was designed to find and train, and yet over the years, we heard a number of USCC graduates express their frustration of trying to land that first job in the cybersecurity space. We knew how impressive these students were, but in many cases, this was not being reflected when these students were applying for jobs. In fact, we found that many of the students didn’t even know they should include the US Cyber Challenge on their resume. For this reason, in 2013, we started teaching a resume writing class at the camps in the evening to equip the students with the non-technical skills required to land that first job. This class has been a huge success with many more USCC graduates now reporting getting called back for interviews and landing positions. Many individuals have specifically stated that they saw drastically different results after updating their resume. However, even with these changes, we’re not seeing anywhere close to our goal of 80% of USCC graduates reporting that they landed a job in cybersecurity. As a result, we’re switching things up again.
Every year for the last 10 years that we’ve done the program, there has been someone who indicates that they wished that there was something more beyond the initial US Cyber Challenge camp. In fact, we’ve encouraged individuals who participate in the camps to come back the following year as a Teacher’s Assistant (TA), and potentially come back the next year or the year after as an instructor. While we’ve successfully had a number of individuals make this leap, there has been no formal process to handle this and we’ve been limited in the number of volunteer opportunities. This year, we plan on fixing some of those challenges. We will be putting together a program for developing individuals beyond a single Cyber Camp. Our goal is to help build these individuals to the next level and build cybersecurity leaders that can impact their communities. This will include training on presentation skills, regular USCC webinars conducted by USCC alumni, and more actively getting students plugged into internship opportunities that match their skillsets. As part of this, we will be giving a number of USCC graduates the opportunity to intern at the Center for Internet Security. If you know of any other organizations that may be able to take on a number of interns and may wish to sponsor this next year of the US Cyber Challenge, please let us know!

Doug Logan is the CEO of Cyber Ninjas, as well as the Chief Technologist for the US Cyber Challenge (USCC). He has over 15 years of experience in various roles in information technology, and over six years specifically in application security. A product of the US Cyber Challenge program, Logan kicked off his cybersecurity career after participating in the pilot year of the USCC, and serving as a teacher’s assistant the following year. He has stayed involved in the program for over 10 years, and is passionate about building the next generation of cybersecurity leaders.
Cyberside Chat
This Quarter's Topic: The CISO Christmas Wish List
by Sean Atkinson, Chief Information Security Officer, CIS
As I start to plan for the holiday season, I thought this would be a good opportunity to provide a wish list that could be used by my fellow CISOs and information security professionals to start our 2020 security journeys on the right foot. My emphasis is an integrated training program that can be used to enhance the CISO office, and provide awareness and mentoring to the organization, as well as the community.

My list:
1. Security awareness and actionable intent, rather than just a security check box — My preference is to train and test. An example would be to train with respect to social engineering and then test with a phishing campaign internally. Did the message sink in and are personnel aware of the potential threat?
2. Integrated approaches to security controls — A combination of data events with respective training on alerts, false positives, and how to improve the detection metrics. This is strictly focused on the “Blue” team and classes from SANS that can provide a wealth of knowledge. My training plan for 2020:
a. SEC511: Continuous Monitoring and Security Operations
b. SEC555: SIEM with Tactical Analytics
3. Use the data to train, and train using the data — If we can make the process of understanding our data and its classification more consistent and repeatable, we move towards a better understanding of our environment. If we use our data to train, we can experience known user and entity behavior to create our baseline of activity.
4. Train and be trained, a program of shadowing and mentoring — As executive responsibilities grow, it is important to engage with the operational security level of the organization. The information discerned from shadowing operations and the lower level organizational interactions provides a new risk perspective, which does require a time investment, but ultimately is extremely valuable. This itself becomes a program of CISO training. Also, mentoring either internally or externally, providing advice, and commentary through social media or events is extremely beneficial to others.
5. Red team — Create and use personnel to build a team to look at systems, data, and use cases with a “critical thinking” mentality. Training exists to provide a critical perspective and is a valuable tool for any CISO.

My list is vast and varied, but at the end of the day, the CISO has a continuous learning requirement. Listed above are a few items to think about in terms of how you manage your 2020 journey in cybersecurity. Please reach out if you have additional training wishes, and I wish you happy holidays. – Sean
Kroll’s experienced leaders help clients make confident decisions about people, assets, and operations across the globe.
INVESTIGATIONS AND RISK MANAGEMENT SOLUTIONS
Cyber Security & Incident Response
Business Intelligence & Due Diligence
Fraud & Corruption Investigations
AML & ABC Compliance
Asset Search & Recovery
Third-Party Screening
Dispute Advisory & Litigation Support
Security Risk Management
kroll.com
Cybersecurity Quarterly
ISAC Update
MS-ISAC & EI-ISAC Finish 2019 with Record Membership Growth

Membership growth for the fourth quarter of 2019 has been record setting! The MS-ISAC added our 7,000th AND 8,000th new member this quarter! While we had been averaging 249 members per month in 2019, October and November blew those numbers out of the water, with 602 and 503 new members respectively!

At 8,400 members, the MS-ISAC is, by far, the largest ISAC focusing on the SLTT community! The MS-ISAC also holds the distinction of having 178 of the top 200 cities (by population) in the U.S. as members, including all of the top 50. Additionally, our team attended TribalNet in November, and their work at the conference led to a 50% increase in tribal membership, furthering our growth in 2019 in this underserved sector. Our growth in the Elections sector continues apace. Now with nearly 2,400 members, the EI-ISAC is poised for continued expansion with the upcoming 2020 election cycle. The EI-ISAC can also now count 18 states with complete county level membership. Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to the greater community. We are stronger and more connected than ever before!

Last Chance to Complete the 2019 Nationwide Cybersecurity Review

The Nationwide Cybersecurity Review (NCSR) is a no-cost, anonymous, annual self-assessment that is designed to measure gaps and capabilities of U.S. State, Local, Tribal, and Territorial (SLTT) governments’ cybersecurity programs.

The NCSR is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF provides a common language for understanding, managing, and expressing cybersecurity risk. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and align policy, business, and technological approaches to managing risk. Benefits of participating in the NCSR include:
Receive metrics specific to your organization to identify gaps and develop a benchmark to gauge year-to-year progress, as well as anonymously measure your results against your peers.
For HIPAA compliant agencies, translate your NCSR scores to the HIPAA Security Rule scores of an automatic self-assessment tool.
Access to informative references such as NIST 800-53, COBIT, and the CIS Controls that can assist in managing cybersecurity risk.
Nationally, aggregate NCSR data provides a baseline, foundational understanding of SLTT cybersecurity posture to help drive policy, governance, and resource allocation.
Enable Federal partners to better understand the status quo and engage in more strategic, cyber-specific planning and preparedness to help manage national risk and improve SLTT core capabilities.
The NCSR will close on December 31st. For more information on the 2019 NCSR, please visit https://www.cisecurity.org/ms-isac/services/ncsr/.
Upcoming Events

January
January 30th – February 2nd
The National Association of Secretaries of State (NASS) and the National Association of State Election Directors (NASED) will jointly hold their 2020 Winter Conference at the Washington Fairmont Hotel in Washington, D.C. Secretaries of State, state elections leaders, and their staff from across the country will come together to network with their peers and learn from industry experts on the latest issues facing U.S. elections. EI-ISAC Director Ben Spear will speak at the event, participating in a panel discussing how to protect against ransomware attacks.

February
February 5th
Cyber Security Summit: Atlanta will take place at Grand Hyatt Atlanta in Buckhead, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. CIS CISO Sean Atkinson will be a featured speaker at the event. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.
February 24th – 28th
RSA Conference 2020 will take place at the Moscone Center in San Francisco. A dedicated community of peers will come together to exchange the biggest, boldest ideas that will help propel the industry forward through expert-led sessions, thought-provoking keynotes, in-depth trainings and tutorials, groundbreaking innovation programs, state-of-the-art product demos, and countless networking opportunities. CIS Senior Director of Election Security Aaron Wilson will lead a session at the conference on securing supporting election technology.
February 29th – March 4th
The National Association of Counties (NACo) will hold its 2020 NACo Legislative Conference at the Washington Hilton in Washington, D.C., bringing together nearly 2,000 elected and appointed county officials to focus on federal policy issues that impact counties and their residents. Attendees have the opportunity to engage in policy sessions, interact with federal officials, and participate in congressional briefings and meetings.

March
March 8th – 11th
The National League of Cities will be hosting their annual Congressional City Conference in Washington, D.C. The event will allow city officials from across the country to hear directly from policymakers and thought leaders about the important issues to cities, discover the latest funding opportunities to support economic growth, and learn emerging practices to strengthen local communities.
March 20th
Cyber Security Summit: Tampa will take place at the Hilton Downtown Tampa, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. CIS CISO Sean Atkinson will be a featured speaker at the event. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.
March 30th – April 1st
CyberRisk Alliance will hold InfoSec World 2020 at Disney's Contemporary Resort in Lake Buena Vista, Florida. Information security practitioners hailing from more than 100 nations around the world will be in attendance to learn the skills to be both a business partner and enabler, and the technical expertise to prevent, detect, and respond to security challenges. CIS Senior VP Tony Sager will be a featured speaker at the event, co-leading a breakout session on cyberdefense control strategy.
Confidence in the Connected World
Copyright © 2019 Center for Internet Security, All rights reserved.
CIS CyberMarket
Interested in being a contributor? Please contact us:
info@cisalliance.org
www.cisecurity.org
518.880.0699