Cybersecurity Quarterly
Spring 2020
A Publication from
Adapting Your Security Model to Fit Our Mobile and Cloud-Based World Our New Pilot Project for Securing Elections Technology Protecting the 2020 Elections Through Industry Collaboration
Communicating Technical Recommendations to Non-Technical Leaders Effectively Ensuring Cybersecurity Professionals are Properly Equipped to Defend Against Future Cyber Threats
Security On-the-Go Today's workplace is increasingly going virtual — whether by choice or by circumstance. As we continue this digital transformation, maintaining security standards is more critical than ever before.
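// Package main runs a small HTTP control plane for one background worker:
// /admin hands a ControlMessage to the worker loop and /status reports whether
// the worker is currently active. doStuff, which performs the work itself, is
// defined elsewhere in the original file and is not shown here.
package main

import (
	"fmt"
	"html"
	"log"
	"net/http"
	"strconv"
	"time"
)

// ControlMessage is the unit of work handed from the /admin handler to the worker loop.
type ControlMessage struct {
	Target string // taken verbatim from the "target" form field
	Count  int64  // parsed from the "count" form field
}

// main owns the worker state. workerActive is read and written only in this
// goroutine; the HTTP handlers reach it exclusively through channels, so no
// mutex is needed.
func main() {
	controlChannel := make(chan ControlMessage)
	workerCompleteChan := make(chan bool)
	statusPollChannel := make(chan chan bool)
	workerActive := false

	go admin(controlChannel, statusPollChannel)

	for {
		select {
		case respChan := <-statusPollChannel:
			// The reply channel handed in by /status is buffered, so this send
			// cannot wedge the loop if the poller has already given up.
			respChan <- workerActive
		case msg := <-controlChannel:
			workerActive = true
			go doStuff(msg, workerCompleteChan)
		case status := <-workerCompleteChan:
			workerActive = status
		}
	}
}

// admin registers the /admin and /status handlers on the default mux and serves
// them on :1337.
//
// cc carries control messages to the worker loop; statusPollChannel carries a
// reply channel on which the loop reports the current workerActive flag.
//
// NOTE(review): /admin is unauthenticated, accepts any HTTP method, and the
// listener binds every interface, so anyone who can reach port 1337 can drive
// the worker. Add authentication or bind to loopback before exposing it.
func admin(cc chan ControlMessage, statusPollChannel chan chan bool) {
	http.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request) {
		// FormValue parses the form lazily; calling ParseForm explicitly is only
		// useful if its error is actually checked.
		if err := r.ParseForm(); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		count, err := strconv.ParseInt(r.FormValue("count"), 10, 64)
		if err != nil {
			// err.Error() embeds the caller-supplied "count" value; it must be
			// written as data, never as the format string of Fprintf.
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		target := r.FormValue("target")
		cc <- ControlMessage{Target: target, Count: count}
		fmt.Fprintf(w, "Control message issued for Target %s, count %d", html.EscapeString(target), count)
	})

	http.HandleFunc("/status", func(w http.ResponseWriter, r *http.Request) {
		// Buffer of one: if this handler times out below, the worker loop's
		// later reply lands in the buffer instead of blocking the loop forever
		// on a channel nobody reads.
		reqChan := make(chan bool, 1)
		statusPollChannel <- reqChan
		select {
		case result := <-reqChan:
			if result {
				fmt.Fprint(w, "ACTIVE")
			} else {
				fmt.Fprint(w, "INACTIVE")
			}
		case <-time.After(time.Second):
			fmt.Fprint(w, "TIMEOUT")
		}
	})

	// Explicit server so slow or idle clients cannot hold connections open
	// indefinitely; Handler is nil, so the default mux above is used.
	srv := &http.Server{
		Addr:              ":1337",
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}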
Advanced Threats. Maximum Protection.
Ensure users and devices can safely connect from anywhere, with industry-leading protection.
Proactively identify, block, and mitigate targeted threats, including zero-day attacks, malware, and phishing.
See Why
Cybersecurity Quarterly
Contents
Featured Articles
Spring 2020
A Guide for Securing Telework Environments Our recommendations to ensure remote work is still secure work
8
Understanding Initiatives for Cybersecurity Workforce Development Why ensuring that your cybersecurity team is properly trained is critical to your organization's future
10
Digital Transformation and Moving Beyond Perimeter Security Adapting our ideas of security to an increasingly perimeterless world
12
New Pilot Project RABET-V Tests Security of Election Technology A look at CIS's collaborative project to protect our non-voting election technology
14
Cyber Hygiene & Elections: Core 16 Components of Responsible Partnership How the industry is collaborating to help improve the security of the 2020 elections Quarterly Regulars
Spring 2020 Volume 4 Issue 1 Founded MMXVII Editor-in-Chief Michael Mineconzo Supervising Editor Laura MacGregor
Quarterly Update with John Gilligan
4
News Bits & Bytes
6
Cyberside Chat
18
ISAC Update
20
Event Calendar
22
Staff Contributors Sean Atkinson Josh Franklin Paul Hoffman Aaron Wilson
Cybersecurity Quarterly is published and distributed in March, June, September, and December.
Copy Editors Kimberly Kane Autum Pylant
For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460
Published by Center for Internet Security 31 Tech Valley Drive East Greenbush, New York 12061
Copyright © 2020 Center for Internet Security. All rights reserved.
3
Cybersecurity Quarterly
Quarterly Update
with John Gilligan
“[T]he Coronavirus has changed a lot of things for us. Some experts project that many of these changes will be permanent.” Welcome to the Spring 2020 issue of Cybersecurity Quarterly. I write this as I am flying on a plane with seven other passengers — a flight that would typically be fully booked. What a change in a few short days. Coronavirus is dominating the news. As a society, we are learning new terms like “social distance” and “flattening the curve.” Yes, the Coronavirus has changed a lot of things for us. Some experts project that many of these changes will be permanent. One of the likely permanent changes is a significantly increased dependence on the virtual world to replace face-to-face communications. Like most of you, I am spending a good bit of my days in VTCs and conference calls. Spring has certainly brought more change than usual.
The Global Cyber Alliance describes the importance of cyber hygiene, as well as an overview of the elections security toolkit that they have developed to help elections offices implement effective security. CIS’s Senior Director of Elections Best Practices, Aaron Wilson, authored an article that describes a proposed process for rapidly verifying non-voting elections systems. The process is called Rapid Architecture-Based Election Technology Verification (RABET-V). This new process has been designed to reduce the cost and lead time for verifying and re-verifying elections systems. As one example, RABET-V will help ensure that security upgrades and patches can be safely and quickly implemented in elections systems. RABET-V will be piloted in 2020.
The topics for this issue are particularly relevant to our current situation. One article, by the CIS Security Best Practices team, addresses timely security guidance for teleworking. This piece summarizes the most important security priorities for both organizations and individuals, including use of two-factor authentication, enabling automated security updates, disabling risky protocols and enabling encryption capabilities, and how to configure your home router or firewall. An additional article from Akamai looks at adopting a zero-trust security model for organizations as they transition to more cloud- and virtual-based workplaces. Also in this issue, (ISC)2 has an article addressing how to properly prepare and train cybersecurity professionals for current and future industry conditions and trends. Sean Atkinson, our CISO at CIS, provides a look at how to address security from both a strategic and an operational perspective.
I hope you enjoy this quarter’s issue. I anticipate that the world will be quite different for our next issue. Please be safe and well during this time of global crisis.
The remainder of the articles in the spring issue address a second hot topic — ensuring security for our upcoming U.S. General Elections in November.
4
Best Regards,
John M. Gilligan President & Chief Executive Officer Center for Internet Security
Spring 2020
Detect Ransomware in Minutes Notifications sent within 6 minutes of malicious activity*
Cost-effective solution Passive, fully managed intrusion detection system
Find out more →
www.cisecurity.org * Exclusive 24x7 Network Monitoring for State, Local, Tribal and Territorial Governments
Cybersecurity Quarterly
News Bits & Bytes CIS is thrilled to share that the CIS Benchmarks were downloaded over 1 million times in 2019. The CIS Benchmarks provide security guidance for configuring operating systems, servers, cloud environments, and more. They are developed through a unique community consensus process involving volunteers from around the world. Check out our infographic to learn more about this major milestone. If you'd like to get involved, learn more on our Communities page. CIS has been named Election Security Partner of the Year at the inaugural Microsoft Security 20/20 awards, recognizing its efforts effecting change for one of our most critical global security challenges— election security. Microsoft Security 20/20 put the spotlight on companies and individuals with a clear-eyed view of the security challenges we face and smart solutions to help solve them. Finalists in 16 award categories were chosen among a global field of top Microsoft partners for demonstrating excellence in innovation, integration, and customer implementation. Winners were chosen based on a vote from a broad swath of Microsoft Security experts, which includes engineers, marketers, partners, managers, security architects, and more. CIS is honored to have been listed as one of only 75 employers on the 2020 Best Companies to Work for in New York list by the New York State Society of Human Resource Management (NYS-SHRM). These celebrated annual awards are part of a distinctive program that evaluates and ranks the best places of employment. This statewide survey and awards program is designed to identify, recognize, and honor the best places of employment in New York, whose practices benefit the state's businesses, economy, and workforce.
6
CIS is proud to now be one of more than 25 partner organizations of the Open Cybersecurity Alliance (OCA). OCA brings together vendors and end users to create an open cybersecurity ecosystem where products can freely exchange information, insights, analytics, and orchestrated response. OCA supports commonly developed code and tooling and the use of mutually agreed upon technologies, data standards, and procedures. The OCA is governed under the auspices of OASIS, which offers projects a path to standardization and de jure approval for reference in international policy and procurement. CIS Hardened Images consumers clocked more than 300 million computed usage hours in 2019; up from over 160 million in 2018. CIS has created over 30 different Hardened Images that have been duplicated across four different cloud platforms. More than 100 different countries use the Images. The CIS Red Hat Enterprise Linux 7 Benchmark – Level 1, alone had over 46 million compute hours in 2019, followed by almost 30 million for the CIS CentOS Linux 7 Benchmark – Level 1. For more information on this accomplishment, read our press release. The Global Cyber Alliance (GCA) was awarded the SC Media 2020 Editor’s Choice Award, which was presented at a ceremony in San Francisco during RSA Conference 2020. The award was given based on information from SC Media events, research conducted by the SC Media editorial team, and feedback from readers, analysts, vendors, and the Editorial Advisory Board of SC Magazine. The award recognizes GCA’s development and deployment of global solutions that contribute to eradicating cyber risk.
Spring 2020
TRAIN, CERTIFY AND DEVELOP YOUR GREATEST ASSET – YOUR PEOPLE
(ISC)2 believes in a safe and secure world for all. And we know that a cybersecure future starts with your team. As the largest nonprofit membership association of certified cybersecurity professionals, we help you train and certify staff to better secure critical assets. We also empower government organizations to hone the knowledge and skills needed for focused threat prevention, protection, response and recovery. Set your team up for success with (ISC)2 instructor-led training. Take advantage of special pricing available through our partnership with the Center for Internet Security.
Exclusive 15% Discount for MS-ISAC and EI-ISAC Members
START HERE
7
Cybersecurity Quarterly
A Guide for Securing Telework Environments Whether for the safety of employees or offering them flexibility, remote work will continue to increase, and security remains of the utmost importance By Josh Franklin With COVID-19 here to stay for a while, some employers are recommending additional telework to help keep employees safe and productivity up. While you’re working from home, consider reviewing the Telework and Small Office Network Security Guide to keep your home network equipment safe too! Not only will this help to protect sensitive information, it will also help protect everyone using the network, such as family and friends. Telecommuting is more popular than ever, allowing people to work from home or alternative environments away from the traditional office. According to Forbes, remote work has become the “standard operating mode” for half of U.S. employees – however, 38% lack the technological support they need. While this trend has increased flexibility, it’s also increased the potential for
8
Telecommuting is more popular than ever, allowing people to work from home or alternative environments... According to Forbes, remote work has become the “standard operating mode” for half of U.S. employees – however, 38% lack the technological support they need. cyber-attacks to affect the organization from a remote workplace. So, how can teleworking employees help protect themselves and their organization from cyber threats? Our hardworking CIS Controls team has released a guide to help teleworkers and small offices implement cybersecurity best practices. This guide provides cybersecurity best practices for hardening routers, modems, and other network devices. As the trend of remote work continues to grow, the CIS Telework and Small Office Network Security Guide will be a helpful resource for small-to-medium businesses and home offices. It’s the latest application of the CIS Controls cybersecurity best practices, as part of our mission to secure the connected world.
Spring 2020
Our hardworking CIS Controls team has released a guide to help teleworkers and small offices implement cybersecurity best practices... for hardening routers, modems, and other network devices. Securing Critical Devices The CIS Telework and Small Office Network Security Guide focuses on recommendations for basic network setup and securing your home routers and modems against cyber threats. These devices are often designed for personal use, but may also be leveraged by remote workers for business use. Securing these network devices is critical as they act as an on-ramp for internal networks to access the internet. As a result, they are subject to scans and attacks from outside networks. The threat surface grows as teleworking expands. A poorly configured home or small office device can affect an entire organization.
Serious Security for Serious Threats Our goal with this guide is to assist individuals and organizations in securing commodity routers, modems, and other network devices. Securing these devices is important, as there are serious cybersecurity implications if these network devices are successfully attacked. For example:
defense controls, they may be in some way liable for breaches and data loss caused by insecure computer networks and systems. There are many network devices created for small office or home office situations, but these devices are not always equal in terms of security features when compared to more expensive “enterprise-class” devices. The CIS Telework and Small Office Network Security Guide provides recommendations on: how to initially purchase a router or modem that fits your organization’s security needs; how to perform regular maintenance; proper disposal techniques; practical descriptions for enabling authentication and encryption; and guidance for turning off unneeded services that attackers can exploit.
From Policy to Implementation Security for network devices, such as routers and modems, is essential. In order to protect their systems and data, teleworkers are encouraged to configure their network devices using the guidance found in the CIS Telework and Small Office Network Security Guide. It provides best practices for purchasing, setting up, maintaining, and disposing of network devices. With this guide, users can take cyber defense from policy to practice, and implement security with confidence.
If someone can access your network, they may be able to read sensitive company files, like tax information, personally identifiable information (PII) about employees, and other proprietary information that should not be shared with someone outside of the organization.
Josh Franklin is a Senior Cybersecurity Engineer at CIS. He is the product owner for CIS Controls V7.1 and V8. He is also focused on developing companion guides for mobile and Internet of Things (IoT) technologies. Prior to CIS, Franklin researched enterprise mobile security, cellular security, and electronic voting at the National Institute of Standards and Technology (NIST). While at NIST, he managed the mobile security laboratory at the National Cybersecurity Center of Excellence (NCCoE). Franklin possesses a Master of Science in Information Security and Assurance from George Mason University. If a router or other computer systems in a network are compromised, they may become part of a botnet, which can be used to attack other computer systems and organizations connected to the internet. If an organization doesn’t implement basic cyber
9
Cybersecurity Quarterly
Understanding Initiatives for Cybersecurity Workforce Development Ensuring your cybersecurity workforce is properly trained and skilled for the future is not only your organization's best defense; it's also one of its best assets By John McCumber One of the seminal concerns with trying to make sense of the cybersecurity profession and the jobs market in particular is the use of the term “cybersecurity professional.” There is an amorphous and loose confederation of careers, jobs, and position descriptions that inevitably get lumped into the broader cybersecurity bucket. Once this takes place, many will try to ascribe salary bands, educational requirements, and career paths. The sheer breadth of options ensures these are futile endeavors. Our friends at the National Initiative for Cybersecurity Education (NICE) took on the daunting challenge of deconstructing and analyzing the various elements of the cybersecurity profession and ended up with a framework that defines 33 specialty areas and 52 work roles that form the basis for the profession. This breakdown is then detailed with a list of knowledge, skills, and abilities (KSAs) assigned to each work role to illustrate an in-depth look into which functions are required for each work role. These details are critical when it comes to the important work of writing effective position descriptions and organizational staffing plans. Accurate position descriptions and staffing plans are key to filling the global cybersecurity workforce gap that has been documented by (ISC)2 and other organizations in study after study. One of our
10
One of our biggest challenges as a profession is accurately defining knowledge, skills, and abilities required to fill critical security roles. In order to effectively recruit the next generation of professionals, we need to start now to better understand, and then document, these requirements. biggest challenges as a profession is accurately defining knowledge, skills, and abilities required to fill critical security roles. In order to effectively recruit the next generation of professionals, we need to start now to better understand, and then document, these requirements. I find it useful to look at a prospective employee from the perspective of three necessary knowledge areas: foundational, organizational, and career growth. Foundational knowledge is that which is required when the employee comes in on Day One. For some jobs, that may be a four-year degree and perhaps a certification or two. It may be a combination of education and experience. In any case, this is where hiring managers and human
Spring 2020
resources personnel need to be most careful. Look closely at the list of required foundational knowledge you create, and you can likely cut that in half. You should adjust foundational knowledge requirements because there will also be a need for new employees to acclimate to the hiring organization and learn the unique aspects of their new environment. No matter how skilled the new hire is, they will need to grasp the many nuances of processes, policies, and procedures used in any hiring organization. This goes for technology as well. They may be an expert-level network guru, but they will need to analyze and understand not only your configurations, but why and how they have evolved into their current state. Knowing that whomever you hire will need time and support for this process is vital in ensuring that you prepare your new hires to succeed in the long term. Finally, you should already have a plan for each new hire to continue to grow in not only their specialty areas, but as future managers and leaders as well. Start by ensuring they know they can stay current and even develop new skills while performing their primary functions on a day-by-day basis. Forward-thinking organizations even subsidize relevant training and educational opportunities for employees. You may be asking, what if I train them and they leave? Take a tip from Richard Branson, who famously quipped, “What if we don’t train them and they stay?” Ongoing training is not only good for the individual, but for the organization as a whole. Preparing your employees for advancement is just good business. The U.S. military is a great example of this. Prepare everyone to ultimately advance in your organization. Many, perhaps most, will not, but by having a published policy that actively encourages your personnel to grow their potential either within your sphere or without means you have set yourself up for successful recruiting.
Numerous fast food franchises have found value in providing tuition assistance for their employees who want to attend college. Do the same. What is most interesting, however, are those elements missing from the NICE Framework. The
You may be asking, what if I train them and they leave? Take a tip from Richard Branson who famously quipped, “What if we don’t train them and they stay?” framework is meant to define the nature of jobs whose primary function is cybersecurity assessment, implementation, and management. What they don’t cover are the enormous array of information technology, software, and security positions that have critical cybersecurity responsibilities and are not represented in the framework. It’s past time we recognize the ubiquity of cybersecurity concerns that permeate our modern culture. We are facing dramatic societal change often driven by the relentless advance of information and related technology. For nearly every advantage offered by surveillance systems, money exchanges, online shopping, and remote management, there is an ever-expanding catalogue of vulnerabilities with threats just waiting to exploit them. The future requires us to break out of our hidebound definitions and job descriptions for cybersecurity, and apply the triad of confidentiality, integrity, and availability across the spectrum of our interconnected society. John McCumber is the Director of Cybersecurity Advocacy, North America for (ISC)2. In this role, McCumber represents (ISC)2’s 145,000+ members as their spokesperson. His duties require him to work with legislators on Capitol Hill and provide strategic input to national and international committees on critical cybersecurity issues. McCumber is a retired U.S. Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, he served in the Defense Information Systems Agency and on the Joint Staff at the Pentagon as an information warfare officer during the Persian Gulf War. He was appointed a Fellow of (ISC)2 in 2016, an honor that recognizes elite information security professionals. 
Before joining (ISC)2, McCumber held roles with Gartner and Symantec, served as chair of the TechAmerica Cybersecurity Committee, and was appointed an interim CISO for a post-breach federal contractor.
11
Cybersecurity Quarterly
Digital Transformation and Moving Beyond Perimeter Security As organizations migrate more operations to the cloud and their workforces become increasingly mobile, our security models must adapt to fit the changing digital environment By Dan Thuss Digital transformation has many different definitions depending on who you are talking to. For agencies, digital transformation is generally perceived as the modernization of infrastructure to take advantage of the cloud, which enables the creation and delivery of new services and programs to help improve the lives of their constituents.
This shift to mobile and cloud is seen as a boon for productivity and cutting costs, but unfortunately, there is always a downside.
This modernization includes moving data center infrastructure and applications to the cloud. But, it's not only infrastructure and applications that move to the cloud; human/people resources also move to the cloud. For example, employees are becoming more mobile and the expectation is that work gets done wherever they are. In addition, increasingly, third-parties, such as contractors or other agencies, need access to your applications. This shift to mobile and cloud is seen as a boon for productivity and cutting costs, but unfortunately, there is always a downside.
For the past 30 years, security was all about building a strong perimeter defense to keep attackers out and keep agency data from being compromised or stolen. For users or third-parties who needed remote access, access over a VPN solved that need. The security mantra was very much about trusting a user and device because it was “inside” the network and granting network-level access based on that fact: inside = good, outside = bad.
Agencies face significant headwinds regarding network architecture, security posture, and their attack surface. That’s not because of any risks of the cloud itself — the cloud has proven to be quite mature and resilient — but because of the threat landscape, shifting attack surface, and industry megatrends that fundamentally change the way that you and your teams need to think about infrastructure, the network, and security.
12
With the move to cloud, the notion of a perimeter and allowing unfettered network access becomes obsolete and even dangerous. One of the key philosophies of a Zero Trust model is the assumption that every user, every server, and every request is untrusted until proven and that trust is continuously and dynamically assessed every time a user or device makes a request to access a resource. This approach no longer relies on the trusted perimeter; in fact, the perimeter no longer exists and there is no longer an inside or outside.
Spring 2020
This [Zero Trust] approach no longer relies on the trusted perimeter; in fact, the perimeter no longer exists and there is no longer an inside or outside. However, completely transforming to a Zero Trust perimeterless security model is unlikely to be accomplished overnight and it's much more likely to be a multi-year strategic transformation project.
Akamai’s Transition to Perimeterless Security Akamai has been moving towards a perimeterless security model for a number of years, but we have dramatically accelerated this transition since 2018. The core goals of that transition were: no “inside” vs “outside,” no on-net or off-net, everyone is outside; eliminate VPN access; eliminate passwords; all internal applications would be like SaaS apps; every office would act only as a hotspot for internet access. Fast forward to 2020, and Akamai is well on the way to achieving these goals. For example, the
vast majority of around 7,000 global employees no longer rely on VPN access when they are working remotely, and we expect by the end of 2020 to switch off VPN access completely. To date, the transformation at Akamai has delivered a number of benefits, including increased employee productivity, enhanced user experience, and reduced costs. A 2019 paper published by McKinsey and Co. (Five Moves to Make During a Digital Transformation) notes that a digital transformation focused on a few high-level objectives – such as driving innovation or improving productivity – has a higher chance of being successful. Another key component is being bold in your scope; don’t limit the scale of your deployment just because it is new. Projects that are agency-wide in their scope are 1.5x more likely to succeed. Instead of focusing on a single function or business unit, effectively bifurcating and keeping two different systems running for years and years, the vision of an agency-wide deployment, while large in scope, is more likely to lead to a successful outcome. To learn more about how Akamai can help you start your transition to perimeterless zero-trust security as a part of your digital transformation, please visit https://www.carahsoft.com/vendors/akamaienterprise-threat-protector. Daniel Thuss is a Solutions Engineering Manager at Akamai Technologies, where he focuses on helping the world’s largest companies fundamentally transform and secure their enterprise networks through Zero Trust. Thuss's background includes a broad set of internet technologies in the cloud and on the ground, including cloud security, internet optimization, secure remote access, and end-to-end internetworking. Running a highly focused team that is dedicated to digital transformation, Thuss specializes in solutioning emerging products into markets across the United States, Europe, and the Middle East.
New Pilot Project RABET-V Tests Security of Election Technology Ensuring the security of our elections means more than just protecting voting machines; CIS is leading a collaborative project to protect our non-voting election technology By Aaron Wilson Securing the nation’s elections goes beyond the voting machines that are used to cast and tally ballots on Election Day. Electronic poll books, election night reporting systems, electronic ballot delivery, and other non-voting election technology systems also need to be secured. The Center for Internet Security (CIS) is piloting a new process called RABET-V for verifying the security of this non-voting election technology.
Closing the Gaps in Securing Non-Voting Technology The Help America Vote Act (HAVA) defines voting systems and establishes a means for testing them. Non-voting election technology (i.e., all the other election technology) doesn’t currently have an
Securing the nation’s elections goes beyond the voting machines that are used to cast and tally ballots on Election Day. Electronic poll books, election night reporting systems, electronic ballot delivery, and other non-voting election technology systems also need to be secured.
equivalent means for testing. Non-voting election technology, such as electronic poll books and election night reporting sites, is often internet-connected and trusted to provide important election administration services. CIS recognized the criticality of these technologies to the security of elections and worked with a community of election stakeholders to release a best practices guide, Security Best Practices for Non-Voting Election Technology, in October 2019. Shortly thereafter, CIS convened a group of election officials, election technology providers, and other industry stakeholders to discuss how to verify the security of non-voting election technology. This new process for testing election technology is based on modern software development and testing practices.
RABET-V Introduction The first public details of this process were released in late January 2020 in our National Association of Secretaries of State (NASS) Winter Conference white paper entitled How to Improve Election Technology Verification. There can be numerous challenges with verifying non-voting technology. The primary challenge is conducting a verification process which supports
There can be numerous challenges with verifying non-voting technology. The primary challenge is conducting a verification process which supports rapid product changes... while continuing to provide assurances of security, reliability, and usability. rapid product changes, such as the ones required to keep internet-connected technology constantly patched, while continuing to provide assurances of security, reliability, and usability. To address this challenge, the RABET-V process takes a risk-based approach to verify product revisions, where the risk estimate is based heavily on the product architecture and the provider’s software development processes. Better system architectures and more mature internal software development processes yield lower risk estimates and more time- and cost-efficient verification cycles. This creates incentives for sound architecture and development practices early on. RABET-V is also designed to take advantage of modern software development, testing, and deployment practices and tools. By deploying a risk-based process and leveraging modern practices and tools, RABET-V can provide a high-confidence, flexible, rapid, and cost-effective process for verifying non-voting election systems.
RABET-V Pilot Program and Steering Committee CIS is partnering with its U.S. Federal, State, and industry partners to conduct a RABET-V Pilot
Program in 2020 to evaluate and refine the RABET-V process and address open questions from both technical and non-technical perspectives. This effort will be guided by a Steering Committee comprised of election officials, election technology providers, and other election infrastructure stakeholders.
RABET-V Public Project Repository There are many details of RABET-V still to be developed, reviewed, and evaluated. CIS has set up a public GitHub repository to manage this and engage the broader community for help. To follow along with the pilot project or to contribute to its development, check out the RABET-V Pilot Program GitHub Repository.
Learn More Additional information about RABET-V can be found in the white paper How to Improve Election Technology Verification: Background information Benefits of this approach Process and testing rules Activity descriptions Pilot program and open questions Our white paper How to Improve Election Technology Verification is available for download on the CIS website. Aaron Wilson joined the Center for Internet Security in January 2019 to lead its election security work. Wilson has spent his career building innovative and secure technology solutions primarily for election jurisdictions. He began his career auditing voting systems with the Florida Division of Elections. In his most recent position before CIS, Wilson helped build and manage voting systems for the nation's latest federally certified voting system manufacturer. Wilson enjoys programming and product management and has a real passion for improving our nation's election technology.
Cyber Hygiene & Elections: Core Components of Responsible Partnership As the 2020 elections approach, industry stakeholders continue to offer solutions to enhance U.S. elections security and strengthen the credibility of the voting process By Megan Stifel Super Tuesday 2020 is in the history books. By all accounts, there were no security issues in the voting processes across the states. That’s important to repeat: the 2020 primaries to date took place without a major security incident. This should give us confidence heading into the fall election cycle, but it should not soften our resolve to ensure efforts continue apace to enhance the security of our elections infrastructure. There are a range of actions stakeholders have and can continue to take to buttress the security of our electoral process. They include technical measures and, to an extent, non-technical measures that can enhance or weaken societal views on the voting process and its outcome. Regardless of the action taken, the credibility of those affecting and undertaking the action is critical. Put another way – summarizing one election security official’s remarks – “responsible partners only please.” When surveying the election security community and those that interact with it, many organizations
Super Tuesday 2020 is in the history books. By all accounts... the 2020 primaries to date took place without a major security incident.
emerge. They range from for-profit to nonprofit, public to private, and include security, services, and academia. Our organization, the Global Cyber Alliance (GCA), is among that community and similarly brings together a cross section of organizations in pursuing our mission of reducing cyber risk by following our mantra: “Do Something. Measure It.” We are following this approach for election security and believe our track record to date supports our membership in the responsible partner category. GCA is a nonprofit, approaching its fifth birthday. The Center for Internet Security (CIS), the City of London Police, and the Manhattan District Attorney founded GCA in September 2015. Since that time, our partnership ranks have grown to more than 270 organizations in 33 countries across a majority of the sectors of the economy. We focus on helping to close the cybersecurity gap (created by market incentives) by uniting global communities and through outreach to make available free resources that operationalize cybersecurity best practices. Chief among these practices are the CIS Controls, the NCSC Cyber Essentials, the Australia Mitigation Strategies, and the NIST Cybersecurity Framework. In the case of elections, to augment the tremendous work of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), and to
implement the CIS Handbook for Elections Infrastructure Security, GCA collaborated with CIS to develop the Cybersecurity Toolkit for Elections. The toolkit combines a number of free cybersecurity resources for common configurations and includes reference materials and a community forum to support implementation. Critical to its credibility, a tool selection process and change control board govern tool selection and removal, and an advisory group provides input to the toolkit’s ongoing development. In addition to offerings such as Microsoft’s Account Guard and McAfee’s Skyhigh Security Cloud, the toolkit also includes Albert Network Monitoring, an intrusion detection capability offered only to state, local, tribal, and territorial government entities. We welcome opportunities to engage the election community on the toolkit and invite feedback at toolkit@globalcyberalliance.org. While technical resources provide the greatest leverage in reducing cybersecurity risk, communicating publicly about these efforts can also go a long way toward building confidence and resilience in election outcomes. It is critical that election offices, elected officials, candidates for office, and the journalists covering elections utilize available tools to ensure the privacy of their methods of communicating, particularly via personal email and social media, and that they also employ basic cyber hygiene, such as the capabilities included in our toolkits. For example, most, if not all, major free email and social media platforms offer two-factor or multi-factor authentication. In addition, some platforms also offer elected officials and candidates the opportunity to be verified or to otherwise avail themselves of additional security support from the platform. What’s common among these offerings is that they come at no additional
With years of fear, uncertainty, and doubt casting a shadow over the cybersecurity industry and contributing to a feeling of helplessness online, election officials and the broader election community have taken steps to counter this narrative. monetary cost. In most cases, they also do not require a significant time investment or technical knowledge. Most importantly, they are effective. With years of fear, uncertainty, and doubt casting a shadow over the cybersecurity industry and contributing to a feeling of helplessness online, election officials and the broader election community have taken steps to counter this narrative. CIS, GCA, and our partners have collaborated to make effective cybersecurity resources freely available and accessible to further support these officials’ efforts, and we stand ready and willing to expand our responsible partnerships. Join us! Megan Stifel is Executive Director, Americas, at the Global Cyber Alliance. She previously served as Cybersecurity Policy Director at Public Knowledge, and, prior to that position, as a Director for International Cyber Policy at the National Security Council (NSC), where she worked to expand the U.S. government's information and communications technology policy abroad. Prior to the NSC, Stifel served in the U.S. Department of Justice as Director for Cyber Policy in the National Security Division and as counsel in the Criminal Division’s Computer Crime and Intellectual Property Section. Before law school, Stifel worked for the U.S. House of Representatives Permanent Select Committee on Intelligence. She received a Juris Doctorate from the Maurer School of Law at Indiana University and a Bachelor of Arts from the University of Notre Dame. She is a partner with Social Venture Partners Charleston, a Senior Fellow in the Atlantic Council’s Cyber Statecraft Initiative, and a Visiting Fellow at George Mason University’s National Security Institute.
Cyberside Chat This Quarter's Topic: A Convergence of Cybersecurity Communication by Sean Atkinson, Chief Information Security Officer, CIS
While we start off with a new year for 2020, the management and implications of improving the capability and sustainability of our cybersecurity infrastructure is not a new topic. The cadence of risk analysis and the review of our capabilities is part of our internal and external assessments, allowing us either justification for the work performed or justification for the need of more resources. One item that has been part of the understanding, communicating, and assessment of the security infrastructure is reporting the risk or control to upper management.
[W]e need a common interference, adding context to the capability of the controls understood at a high level and a management of risk with the same approach. The interference I speak of is the in-between – strategic level thinking with operational level information.
The connotation and issue have been a technical-focused approach to risk and controls, where upper management may not understand or be able to adjust to a technical operational view of the risk/control. Here we need a common interference, adding context to the capability of the controls understood at a high level and a management of risk with the same approach. The interference I speak of is the in-between – strategic level thinking
with operational level information. The example I pose is the wave interference and two possible diagrams. First, we look at constructive interference, where the combination of waves creates a greater wave length - “we are on the same page” or “you are talking my language.” This case is where the amplitudes reinforce one another and provide for even greater amplitude. This is the uncommon alignment.
Secondly, we look at destructive interference. This is where the amplitudes of waves are opposed to each other and communication is lost. This is the common place where most companies find themselves: either the communication is untimely, out of sequence, or simply not understood. The message here is that both sides of the strategic/operational line need to avail themselves of the other. Understand and provide due diligence to bring together each voice to create something greater – we need to “get on the same frequency” – so that bringing the information together creates something greater than both messages alone. The underlying requirement then becomes "how do we work towards a common language that harnesses both the strategic and operational levels?" One element to consider is the use of risk as a guide to operationalize the issue via storytelling. Here, the context of the technical situation can be articulated in a way that others can easily understand: “We are exposed due to a missing control and have a situation of reputational damage from the likely loss of PII.” A simple cause-and-effect statement could provide the necessary story to articulate that something needs to be done and strategic support is required. We add elements of impact and probability to the
The message here is that both sides of the strategic/operational line need to avail themselves of the other. Understand and provide due diligence to bring together each voice to create something greater – we need to “get on the same frequency.” scenario to introduce elements of risk management (probability is likely, or impact is reputational). The example is very simple, but using a story of impact and probability starts to bring in a common vocabulary for the group to use as the medium upon which constructive interference can thrive. Similarly, the board and executive leadership should articulate their risk appetite so that the narrative from the CISO can be tuned to the audience and provide the necessary level of information for communication of the need, but also in a manner that pertinent questions can be asked. It is at this point where executive leadership need to challenge both the story and their understanding to start a process of building their understanding and appreciation for the issues and challenges surrounding cybersecurity.
ISAC Update MS-ISAC & EI-ISAC Start Off 2020 with New Membership Milestones Membership growth for the first quarter of 2020 has continued apace! This quarter, the MS-ISAC welcomed our 9,000th new member, the County of Twin Falls, Idaho. Through the quarter, the MS-ISAC Stakeholder Engagement team has continued our robust growth by adding an average of nearly 250 new government organizations to the membership each month. At over 9,000 members, the MS-ISAC is, by far, the largest ISAC focusing on the SLTT community! The MS-ISAC can now count 182 of the top 200 cities (by population) in the U.S. as members, including all of the top 50. With 2020 being an election year, we have been concentrating on our EI-ISAC members and expect to roll out some new services to serve this community. Now with over 2,500 members, the EI-ISAC is poised for continued expansion with the upcoming election cycle. As of the end of this quarter, the EI-ISAC can now count 20 states with complete county level membership. Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to your SLTT brethren. We are stronger and more connected than ever before!
The 2018 Nationwide Cybersecurity Review Summary Report is Now Available
The 2018 Nationwide Cybersecurity Review (NCSR) Summary Report provides insight on the level of maturity and risk awareness of the state, local, tribal, and territorial (SLTT) information security programs from year to year. Using the results of this Summary Report, the U.S. Department of Homeland Security (DHS) and the MS-ISAC continue to work with our SLTT partners on improving their cybersecurity maturity. The 2018 NCSR results are based on participation from 669 SLTT entities consisting of 43 states, 277 local governments (from 43 states), 6 tribes, and 343 state agencies (from 24 states). This reflected a 41% increase in participation from 2017. In June 2009, DHS was directed by the United States Congress to develop a cyber-network security assessment that would measure gaps and capabilities of SLTT governments’ cybersecurity programs. The first NCSR was conducted in 2011 by DHS. In 2013, DHS partnered with the MS-ISAC, the National Association of State Chief Information Officers (NASCIO), and the National Association of Counties (NACo) to develop and conduct the second NCSR. Since 2013, the NCSR has been conducted on an annual basis, and 2018 marks the seventh year the self-assessment has been conducted. The full 2018 NCSR Summary Report is available on our website. To download a copy of the report, please visit https://www.cisecurity.org/whitepapers/2018-nationwide-cybersecurity-review-ncsrsummary-report/.
Upcoming Events April April 29 – May 3 The National Association of Election Officials will hold its Election Center Special Workshop at the Grand Hyatt Hotel in Seattle, Washington. The workshop will offer crucial training sessions for the region's election officials. EI-ISAC Elections Program Manager Kateri Gill will present on available resources for election agencies from the EI-ISAC.
May May 6 – 8 The Association for Computer Professionals in Education (ACPE) Northwest will hold its 2020 ACPEnw Annual Conference at the Mount Hood Oregon Resort in Welches, Oregon. The conference will foster partnerships that support the sharing of knowledge, skills, and best practices. MS-ISAC Program Manager Greta Noble, Senior Account Management Specialist Jessica Cone, and Account Management Specialist Brendan Montagne will discuss MS-ISAC resources for public school districts. May 12 – 14 The International Association of Chiefs of Police (IACP) will hold the 2020 IACP Technology Conference at the Oregon Convention Center in Portland, Oregon. The event will bring together leading practitioners to explore opportunities for law enforcement to apply the latest technology to create efficient solutions and to keep pace with sophisticated cyber-enabled crimes. MS-ISAC Director of Partnerships Stacey Wright will lead a session at the event on information technology and security for law enforcement professionals. May 20 – 22 The Governmental Information Processing Association of Wisconsin (GIPAW) will hold the annual GIPAW Spring Conference at the Best Western Premier Waterfront Hotel and Conference Center in Oshkosh, Wisconsin. Government technology leaders and professionals from around
the state will come together at the event to network and learn the latest updates in the industry. MS-ISAC Senior Account Management Specialist Kyle Bryans and Account Management Specialist Brendan Montagne will discuss MS-ISAC services. May 20 – 22 The North Carolina Local Government Information Systems Association (NCLGISA) will hold its 2020 NCLGISA Spring Symposium in Wilmington, North Carolina. The event will bring together local government information technology professionals from across the state to network and learn about the latest industry updates. MS-ISAC Program Manager Greta Noble and Senior Account Management Specialist Jessica Cone will co-lead a session on MS-ISAC services for local government.
June June 2 – 3 AWS: Public Sector Summit will take place at the Walter E. Washington Convention Center in Washington, D.C. The event will bring together cloud users from government, education, and nonprofits, as well as AWS partners who serve the public sector to network with colleagues and peers, discover new cloud-based skills, and learn about topics such as machine learning, hybrid cloud, database migration, and security. June 9 Alabama Leaders in Educational Technology (ALET) will be hosting the ALET Summer Conference in Hoover, Alabama. The event will bring Alabama EdTech leaders together to discuss system-level challenges and solutions. MS-ISAC Senior Account Management Specialist Jessica Cone and Account Management Specialist Brendan Montagne will speak on MS-ISAC services at the event. June 19 Cyber Security Summit: Seattle will take place at the Sheraton Grand Seattle, bringing together executives, business leaders, and cybersecurity
professionals to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details. June 22 – 24 CyberRisk Alliance will hold InfoSec World 2020 at Disney's Coronado Springs Resort in Orlando, Florida. Information security practitioners hailing from more than 100 nations around the world will be in attendance to learn the skills to be both a business partner and enabler, and the technical expertise to prevent, detect, and respond to security challenges. CIS Senior VP Tony Sager will be a featured speaker at the event, co-leading a breakout session on cyberdefense control strategy. June 24 Cyber Security Summit: Silicon Valley will take place at the DoubleTree by Hilton Hotel San Jose, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details. June 30 – July 1 AWS re:Inforce, the first dedicated AWS cloud security conference, will take place at the George R. Brown Convention Center in Houston, Texas. Attendees will dive deep into cloud security, identity and access management, and compliance topics, and leave with actionable best practices for AWS security services and data privacy, as well as the know-how to build their architecture securely.
July July 13 – 15 The Massachusetts Attorney General's Office will host the 8th Annual National Cyber Crime Conference (NCCC) at the Four Points by Sheraton Norwood in Norwood, Massachusetts. NCCC has become the premier annual cyber crime and digital evidence training event for law enforcement, prosecutors, and forensic examiners. MS-ISAC Director of Partnerships Stacey Wright will speak at the event, discussing the cyber threat landscape in state, local, tribal, and territorial government.
July 14 Cyber Security Summit: Toronto will take place at the Marriott Downtown at CF Toronto Eaton Centre, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details. July 17 – 20 The National Association of Counties (NACo) will be holding their 85th Annual NACo Conference and Exposition at the Orange County Convention Center in Orlando, Florida. County elected and appointed officials from across the country will come together to shape NACo's federal policy agenda, share proven practices and strengthen knowledge networks to help improve residents’ lives and the efficiency of county government. July 19 – 23 Microsoft Inspire will take place at the Mandalay Bay Convention Center in Las Vegas. The event will bring Microsoft partners together to create connections, empower possibilities, and celebrate together, as well as learn about new product innovations and releases from Microsoft in the coming year. July 23 Cyber Security Summit: DC Metro will take place at The Ritz-Carlton, Tysons Corner in McLean, Virginia, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details. July 28 Cyber Security Summit: Tampa will take place at the Hilton Tampa Downtown, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.
Copyright © 2020 Center for Internet Security, All rights reserved.
CIS CyberMarket Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.880.0699