Cybersecurity Quarterly
Spring 2021
A Publication from
Preventing Viruses, Bugs, and Other Threats to Your Cyber Health with the CIS Controls
The Latest Updates to CIS CSAT Pro to Help You Better Assess Your Security Posture
How to Ensure Your Organization's Security When Outsourcing IT

Calling in the Cyber Cavalry
The past year has seen U.S. hospitals face a two-front war: battling a raging pandemic while combating opportunistic cybercriminals. Learn about a new, no-cost service from CIS that strengthens hospitals' cyber defenses.
The Most Trusted Source for Information Security Training, Certification, and Research
CIS & SANS Institute Information Security Training Partnership

SANS Institute partners with the Center for Internet Security (CIS) to provide its top-rated information security training and awareness programs to State, Local, Tribal, and Territorial (SLTT) Government organizations at significantly reduced costs. Leverage this special partnership to ensure that your employees have the skills and experience necessary to protect your critical organization from cyber threats.

Program participants may purchase:
More than 45 of SANS most popular hands-on courses are available OnDemand, or live, online via Live Online.
Use SANS Security Awareness to train and test non-technical staff on email, file storage, digital access, and general data security.
Purchase training during the Summer Aggregate Buy window to receive the best pricing of the year. Discounts are available June 1 through July 31, 2021.
Contact partnership@sans.org, or visit www.sans.org/partnership/cis for more information.
Contents

Featured Articles

Defending U.S. Hospitals Against Today's Cyber Threats
How cybercriminals are targeting the healthcare sector and ways to defend against them

Improving Cyber Hygiene with Basic CIS Controls
Protecting your systems from viruses, bugs, and other attack vectors with proper cyber hygiene

What You Need to Know About the CIS CSAT Pro v1.4.0 Updates
New features and functionality to help your organization implement the CIS Controls

Establishing Basic Cyber Hygiene Through a Managed Service Provider (MSP)
Ensuring basic cyber hygiene when outsourcing your IT operations

Quarterly Regulars

Quarterly Update with John Gilligan
News Bits & Bytes
Cyberside Chat
ISAC Update
Event Calendar

Spring 2021 Volume 5 Issue 1 Founded MMXVII
Editor-in-Chief Michael Mineconzo
Supervising Editor Laura MacGregor
Staff Contributors Ginger Anderson Sean Atkinson Stephanie Gass Paul Hoffman Aaron Piper Robin Regnier
Cybersecurity Quarterly is published and distributed in March, June, September, and December.
Copy Editors Danielle Koonce Autum Pylant
Copyright © 2021 Center for Internet Security. All rights reserved.
Published by Center for Internet Security 31 Tech Valley Drive East Greenbush, New York 12061 For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460
Quarterly Update
with John Gilligan
Welcome to the Spring Issue of Cybersecurity Quarterly. As I write this, I realize that the cybersecurity world has been rocked by multiple major events in the past few months. I suspect that some security professionals may be longing for the “good old days” when the primary concern was the COVID-19 pandemic.

In late December, the United States was alerted to a pervasive cyber-attack leveraging a compromise of the SolarWinds Orion product. The ensuing exploitation of the organizations who installed the compromised Orion update has necessitated enormous efforts to identify, contain, and remediate the compromised environments. The damage to key government and private sector organizations is still being assessed.

On the heels of SolarWinds came the discovery of multiple vulnerabilities in Microsoft Exchange Server software, with a number of organizations actively exploiting these vulnerabilities. Both of these attacks highlight that we are entering a new era in cybersecurity where both nation states and hacker groups are expanding and accelerating their efforts to exploit weaknesses in security protections to achieve their objectives.

This issue of Cybersecurity Quarterly is appropriately focused on efforts that should be taken to improve the resilience of organizations to defend against cyber-attacks. Several articles describe CIS’s recently launched program to protect U.S. hospitals with a protected DNS service called Malicious Domain Blocking and Reporting (MDBR). MDBR was initially developed for state and local governments as an easily-installed, inexpensive, yet very effective security measure, and has proven quite effective.

Several articles in this issue focus on advances being made to help organizations implement “basic cyber hygiene,” which CIS has defined as implementing the 43 Safeguards that comprise Implementation Group One (IG1) of the CIS Controls. CIS’s Ginger Anderson has provided an article summarizing a recently published best practice guide advising on how to work with commercial Managed Service Providers to implement cyber hygiene. Security vendor Tenable has provided a piece that describes how to implement basic cyber hygiene with the CIS Controls. Tenable recently became the first security tool vendor to implement the newly published CIS Controls Assessment Specification. Tenable now supports automated assessment of key Safeguards in IG1—a major step forward for organizations in assessing their security resilience.

Also in this edition is an article from CIS’s Aaron Piper describing the new features of CIS’s CSAT (Controls Self Assessment Tool) Pro. Paul Hoffman provides an update on the Multi-State and Elections Infrastructure ISACs, highlighting new services, such as MDBR and Virtual Service Reviews. Finally, our CISO, Sean Atkinson, also provides some advice regarding the importance of cyber hygiene.

Let’s hope that we can report significant progress against major cyber-attacks, leveraging some of the efforts described in this issue, as well as COVID-19 by this summer. I hope you enjoy this quarter’s issue.

Best Regards,
John M. Gilligan President & Chief Executive Officer Center for Internet Security
News Bits & Bytes

The Center for Internet Security (CIS) is excited to announce that CIS Controls Version 8 will be coming in Spring 2021. What can you expect in the new version of the CIS Controls?

• Inclusion of modern technologies
• Defining the Implementation Groups (IGs) so that enterprises can implement a prioritized set of Safeguards, or Sub-Controls, based on risk exposure and resources
• Consistent, simplified Safeguards based on measurable actions
• Task-based focus regardless of who’s executing the Control
• Updates to guides and mappings

For more information on the CIS Controls, visit our website, or sign up to receive the latest updates on the release of CIS Controls Version 8.

CIS released Managing Cybersecurity Supply Chain Risks in Election Technology: A Guide for Election Technology Providers, in response to a need identified by the broader election community. It is the first of its kind for the election technology industry and continues CIS’s approach of providing cybersecurity best practices for the election community. The guide is intended to assist election technology providers in identifying the most significant cybersecurity supply chain risks for their products and choosing appropriate risk mitigation approaches for those risks. It also aids in the development and implementation of a meaningful supply chain risk management program. You can find Managing Cybersecurity Supply Chain Risks in Election Technology: A Guide for Election Technology Providers and more Election Security Best Practices Resources at https://www.cisecurity.org/electionsresources/.

The U.S. Department of Homeland Security (DHS) has announced the release of funding for eight different types of preparedness grants worth nearly $1.87 billion. Together, these programs provide critical funding to assist state, local, tribal, and territorial (SLTT) governments in building and sustaining capabilities to prevent, protect against, respond to, and recover from acts of terrorism and other disasters. DHS has identified five critical priority areas for attention: cybersecurity, soft targets and crowded places, intelligence and information sharing, domestic violent extremism, and emerging threats. Grant recipients under the State Homeland Security Program and Urban Area Security Initiative will be required to dedicate a minimum of 30% of awards to address these five priority areas, with at least 7.5% of received funds dedicated to cybersecurity — an increase of at least $25 million across the country. SLTTs that have completed the Nationwide Cybersecurity Review (NCSR), a prerequisite for receiving grants through these programs, can find further information at www.dhs.gov and http://www.fema.gov/grants.

CIS launched our new podcast: Cybersecurity Where You Are. Co-hosted by CIS's Tony Sager, Senior Vice President and Chief Evangelist, and Sean Atkinson, Chief Information Security Officer, each episode will dive into some of the latest topics and trends in the cybersecurity industry. Check out Episode 1: Welcome to the Basics, Episode 2: Then, Now, and Into the Future, and Episode 3: Third-party Risk Management – Beyond the Questionnaire on our website, and be sure to subscribe to the podcast on your favorite platform. Episodes are available on iTunes, Google Podcasts, and Spotify.
Simple, no-cost* ransomware defense for hospitals
*Learn More: www.cisecurity.org/hospitals/
Defending U.S. Hospitals Against Today’s Cyber Threats

The healthcare sector is one of the most targeted industries by cybercriminals. To help protect against these attacks, CIS is offering a no-cost cyber defense service to U.S. hospitals.

By CIS Staff

The cost of cybercrime is often calculated in terms of financial loss, inconvenience, or reputational damage. But when it comes to health and hospital systems, the harm caused by a cyber-attack can be far worse. Ransomware-encrypted systems can delay the delivery of life-saving treatment. Data breaches can expose the personal data of vulnerable patients. Entire health systems have had their systems shut down due to cyber-attacks, with an increased risk to human life.

In one of the worst examples, in October 2020, a woman was diverted from emergency care at a local hospital and sent to a facility 20 miles away. The local hospital’s servers had been encrypted during a ransomware attack, and the hospital could not accept patients. Tragically, the woman died.
Cyber-Attacks Escalating Against Hospitals and Patients

During the COVID-19 pandemic, cyber-attacks on health and hospital systems and their patients have escalated. Concerns about the virus have enabled criminals and scam artists to fool hospital employees into clicking on email links with the promise of scarce protective equipment. Instead of providing the expected goods, however, the emails delivered malware that led to encrypted systems and data breaches.

In an effort to cope with the enormous influx of contagious patients, hospitals have expanded their use of internet-based technology. While remote access and telehealth services facilitate ongoing care, they also create more opportunities for attackers to infiltrate systems.
Common Cyber Threats Facing Hospitals Today

In the U.S., it seems not a day goes by without some kind of cyber-attack against a hospital or healthcare system. The U.S. Department of Health and Human Services Office for Civil Rights maintains a website listing all of the breaches affecting 500 or more individuals. The list demonstrates how successful hackers continue to be using everyday tools such as email.

The most common threats to hospitals are the same as those targeting private businesses and public organizations, but with potentially more dire consequences:

1. Ransomware - By encrypting critical systems, ransomware can interfere with hospital operations and lock patient records, preventing care. For example, a lack of information about allergic reactions or a delay in lab results can postpone critical treatments.
2. Phishing - While phishing has been a problem for many years, there has been a 700% increase in COVID-themed phishing emails directed towards the healthcare sector and the general public. Phishing is one of the main delivery vectors for ransomware and other types of malware.
3. Data Breaches - According to the Office for Civil Rights website, 12.6 million individuals were affected by 162 hacking incidents on healthcare entities within a three-month period.

The types of data targeted by cyber-attackers include:

• Personally-identifiable information (PII)
• Protected Health Information (PHI) and other healthcare records
• Payment information
• Business intelligence
• Intellectual property
Protecting U.S. Hospitals From Today's Cyber Threats

As hospitals strive to provide quality health care for their patients, especially in the wake of the COVID-19 pandemic, in today's connected world, they also have to worry about hackers, spies, and criminals seeking to take advantage of the very services that they provide. Healthcare and hospital systems should use every means at their disposal to protect their systems. However, with the reduced revenue resulting from the pandemic, adequate investment in cybersecurity can be challenging.

That's why, in partnership with Akamai, the Center for Internet Security (CIS) is offering a Malicious Domain Blocking and Reporting (MDBR) service AT NO COST to all public and private hospitals and related healthcare organizations in the United States. This service provides an additional layer of cybersecurity protection that is proven, effective, and easy to deploy.

CIS is offering this defensive solution at no cost as part of our mission to make the connected world a safer place. Our nonprofit status and mission focus enable us to offer this ransomware protection at no cost to any public or private hospital or healthcare system that can benefit from it. All U.S. hospital systems are encouraged to register. Learn more and register at https://www.cisecurity.org/hospitals/.
Improving Cyber Hygiene with Basic CIS Controls

Visibility is the bedrock of any effective cyber defense program. Here’s how the Basic CIS Controls can position you for security success.

By Joe Decker

In 2020, the word “hygiene” became more important than ever before. Washing your hands, using sanitizer, wearing a mask; all of these habits were top-of-mind as part of personal hygiene in the era of COVID-19.

When we adhere to personal hygiene, we eliminate “attack vectors” of disease and keep our bodies healthy. The same idea applies to cyber hygiene. The Center for Internet Security (CIS) has found that a majority of successful cyber-attacks can be traced back to poor cyber hygiene practices as a root cause. These include:

• Unpatched vulnerabilities: Exploitable vulnerabilities left unpatched in your environment are a welcome mat for threat actors.
• Poor administrative and configuration practices: Whether it’s a weak password policy, or dormant user accounts left active, poor administrative practices can lead to unwanted intrusions.
• Insufficient asset tracking: You can’t protect what you can’t see. That Windows XP box left in a closet for legacy purposes, or the Windows 98 machine that runs your parking lot ticket booth are both potential backdoors into your environment that may have been completely forgotten.

By maintaining proper cyber hygiene, you can reduce and eliminate attack vectors used by threat actors, focus more on day-to-day operations, and worry less about when and how you will be attacked.
CIS Controls Establish a Baseline of Cyber Hygiene

The CIS Controls are a prioritized set of actions designed to protect your organization and its valuable assets from known cyber-attack vectors. There are currently 20 Controls, ranging from asset inventory to Red Team exercises.

Over the years, the 20 CIS Controls have been expanded and refined. In Version 7, they are broken down into three categories: Basic, Foundational, and Organizational:

• The first six Basic Controls are commonly referred to as the “cyber hygiene” Controls. They are predominantly focused on essential security guidelines like asset and configuration management, vulnerability assessment, and continuous monitoring. These Controls are the bedrock of any cyber defense program, and should be implemented by all organizations, regardless of size or industry.
• Controls 7-16, the Foundational Controls, enable you to further develop the framework of an efficient and reliable security program. These best practices cover areas such as malware defense and data protection, and are a great way to shore up your cybersecurity program.
• Controls 17-20 are known as Organizational Controls. These Controls provide guidance around the people and processes necessary for good cyber hygiene. By implementing these Controls, you are able to test the previous Controls for effectiveness and increase security awareness throughout your organization.
4 Key Benefits of Implementing Basic CIS Controls

Using the CIS Control Assessment Specification as a detailed guide, security teams can easily align their efforts in vulnerability management to meet the CIS Control requirements. Reducing your attack surface with the Basic CIS Controls 1-5 goes a long way toward mitigating issues and stopping attackers at the gates.

1. Remove Blind Spots Across Your Network (CIS Controls 1 and 2)

Compiling an accurate asset inventory is the first step in any cybersecurity program, but it is very hard to do effectively. Few organizations have sufficient visibility into their complete environment, which is a significant challenge for security teams who are left “flying blind.” Achieving the first two CIS Controls – Inventory and Control of Hardware and Inventory and Control of Software Assets – ensures that organizations can actively manage—inventory, track, and correct—all hardware devices and software installations on the network, while preventing access to unauthorized or unmanaged devices or programs. This helps eliminate visibility gaps across your attack surface.

2. Illuminate and Prioritize High-Risk Vulnerabilities (CIS Control 3)

Vulnerability scanning is essential to proper cyber hygiene. The third CIS Control – Continuous Vulnerability Management – requires organizations to continuously assess their complete environment in order to identify and remediate vulnerabilities, and minimize the window of opportunity for attackers. Organizations should generally aim to scan at least weekly. This ensures that your security team has fresh data and a complete view of both assets and vulnerabilities. While diligent scanning can lead to “vulnerability overload,” industry metrics such as the Common Vulnerability Scoring System (CVSS) or Tenable’s Vulnerability Priority Rating (VPR) can help security teams prioritize high-risk vulnerabilities to remediate first.

3. Prevent Lateral Movement or Privilege Escalation Attacks (CIS Control 4)

Inconsistent or poorly maintained user management is another form of vulnerability that can expose your organization to attack. The fourth CIS Control – Controlled Use of Administrative Privileges – deals with the processes and tools that manage the use, assignment, and configuration of administrative privileges on computers, networks, and applications. Without strong admin controls, you create additional pathways for attackers to escalate attacks and move laterally across your network, leveraging inactive users or disabled accounts that might otherwise remain under the radar.

4. Harden Your Most Critical Assets (CIS Control 5)

Configuration issues are yet another potential backdoor for threat actors looking to cause mischief. The fifth CIS Control – Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers – ensures that your organization will establish, implement, and actively manage the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process. This helps prevent attackers from exploiting vulnerable services and settings.
Conclusion

CIS Controls 1-5 are the first step to maintaining essential cyber hygiene. Discovering your hardware and software assets builds a clear picture of what you must protect and where those assets reside on your network. Through vulnerability and configuration scanning, you can assess your assets for risk and learn how to fix issues that open your environment to attack vectors used by threat actors. By establishing and maintaining essential cyber hygiene, you can eliminate the low-hanging fruit across your environment that attackers are most likely to exploit, and reduce unacceptable risks affecting your most vital assets.

To learn how Tenable can streamline the implementation of Basic CIS Controls, visit our partner page: https://www.tenable.com/center-forinternet-security-cis-partnership.

For more information on the CIS Controls and cyber hygiene, visit https://www.cisecurity.org/controls/. Additionally, stay up to date on the upcoming release of CIS Controls Version 8 and its simplified and shortened guidance to ensuring cyber hygiene by signing up for updates at https://learn.cisecurity.org/controls-v8-interest.

A former U.S. Navy submariner, Joe Decker is a Security Engineer for Tenable Public Sector. Decker specializes in State and Local Government cybersecurity, and along with veteran community volunteerism, is a leader of Tenable’s Veteran Employee Resource Group.
HOW BIG IS YOUR VULNERABILITY BLIND SPOT? SEE EVERYTHING ACROSS THE MODERN ATTACK SURFACE. Protect your organization and data from cyber attack. Use Tenable Risk Based Vulnerability Management solutions to implement and maintain CIS Controls.
What You Need to Know About the CIS CSAT Pro v1.4.0 Updates

An expansive list of new features has been added to CIS's latest tool to help organizations effectively implement the security recommendations contained in the CIS Controls.

By Aaron Piper

The CIS Controls Self Assessment Tool (CIS CSAT) allows organizations to perform assessments on their implementation of the CIS Controls. This enables users to track their progress over time, prioritize their implementation, and identify areas for improvement. The tool makes the powerful security guidance of the CIS Controls easier for teams to adopt into their organizations.

Recently, there have been updates to CIS CSAT Pro, the on-premises version of CIS CSAT available exclusively to CIS SecureSuite Members, to increase assessment options and improve overall user experience. These updates in v1.3.0 and the more recently released 1.4.0 include:

• Mapping to the NIST Cybersecurity Framework (CSF)
• Ability to import CSAT Pro CSV files
• Capabilities to delete assessments and edit assessment details
• Unassigning tasks

NIST CSF Mappings Added to CIS CSAT Pro v1.4.0

CIS Controls mappings to the NIST CSF v1.1 are now included in CIS CSAT Pro. The NIST CSF mappings, PCI DSS mappings, and the NIST 800-53 mappings are available in the mappings section of the Sub-Control. Users can click on a mapping block to see more information on the requirement from the external framework. Mapping blocks in this section are organized by framework and sorted to make it easier to find mappings of interest. Download the CIS Controls mapping to NIST CSF from the CIS website or from CIS WorkBench.

Import CIS CSAT Pro Assessments

CIS CSAT Pro already allowed Organization Admins to import previously exported XLSX spreadsheets from CIS CSAT Hosted. Organization Admins can now also import assessments from CSAT Pro CSV files. This populates the new assessment with scores from a previously exported CSAT Pro assessment and is available by selecting the “Import Assessment” button in the Assessments section of an Organization Info page.

Ability to Delete Assessments

With CIS CSAT Pro v1.4.0, Organization Admins are now able to delete assessments they no longer want. This is available in the Action column on both the My Assessments section of the home page and the Assessments section of Organization Info pages. Use with caution since deleting an assessment cannot be undone.

Ability to Edit Assessment Details

Another addition to the Action column for an assessment is the new “Edit Assessment” icon. The edit assessment functionality allows Organization Admins to update an assessment’s name, start date, and due date after an assessment is created. Previously, this information could not be changed after the initial creation of the assessment.

Ability to Unassign Tasks

An assigned task can now be unassigned from the Sub-Control view using the trash can icon to the right of the assigned user’s name.

Navigation and Display Updates

Several other changes make it easier to navigate and use CIS CSAT Pro. Two of these changes are visible in the Sub-Control view:

• Sub-Control numbers are now displayed along with the Sub-Control title
• The “Assigned To,” “Assigned By,” “Completed By,” and “Validated By” users are now links that navigate to the User Profile for the listed user

Additionally, the Number and Title for each task in the Assessment Summary page are now clickable and will take you to the task/Sub-Control view for that task.

Organization logos (if uploaded) are now displayed in two more locations – in the Organization Chart and on the first slide in an assessment’s Board Level Slides export. These new locations are in addition to the Organization Info page where the logo was previously displayed.

Bug Fixes

We have also fixed a couple of issues to help make the installation process and restarting CIS CSAT Pro after a system reboot go more smoothly. Check out the change log to see the full list of changes for this release and previous CIS CSAT Pro releases. And, read CIS blogs about features added in previous releases:

• CIS CSAT Pro v1.2.0 blog
• CIS CSAT Pro v1.1.0 blog
• CIS CSAT Pro v1.0.0 blog

Getting Started with CIS CSAT Pro v1.4.0

Interested in trying out the new version? It’s available to CIS SecureSuite Members via CIS WorkBench:

• Join the CSAT Pro Community
• Download the appropriate installer for your environment (Windows or Unix)
• If you’re new to CIS CSAT Pro, the Deployment Guide walks you through installation

If you have installed a previous version of CIS CSAT Pro, the installer will upgrade your existing installation.

These new, additional features to the tool will make the powerful security guidance of the CIS Controls easier for teams to implement, track, and document progress of their adoption in their organizations.

Aaron Piper is a Senior Cybersecurity Engineer at CIS. He focuses on automation, tooling, and measurement efforts for the CIS Controls, and is the Product Owner for the CIS Controls Self Assessment Tool (CIS CSAT). Prior to working at CIS, Piper worked in cybersecurity for the Federal Government for more than a decade.
Advanced Threats. Maximum Protection.
Ensure users and devices can safely connect from anywhere, with industry-leading protection.
Proactively identify, block, and mitigate targeted threats, including zero-day attacks, malware, and phishing.
See Why
Cybersecurity Quarterly
Establishing Basic Cyber Hygiene Through a Managed Service Provider (MSP)
When utilizing a Managed Service Provider (MSP) to supplement your IT infrastructure and services, ensuring they meet basic cyber hygiene standards is crucial.
By Ginger Anderson
Small and medium-sized enterprises can face a variety of IT challenges: insufficient funding, constantly evolving technologies, growing legal and regulatory requirements, and a lack of skilled and trained IT employees. Oftentimes, these enterprises rely on third parties like Managed Service Providers (MSPs) for portions, or in some cases, all of their IT infrastructure and services so that they can focus on other operations.
The Center for Internet Security (CIS) has released guidance to help enterprises with this challenge. The new guide, Establishing Basic Cyber Hygiene Controls Through a Managed Service Provider, can help small and medium enterprises ensure their basic cyber hygiene needs are met by their service provider.
The CIS Controls use Implementation Groups to prioritize where organizations should start in their basic cyber hygiene plan. By understanding which Implementation Group and CIS Controls meet your enterprise’s needs, you will be more prepared to incorporate an MSP into your strategy.
The CIS Controls
The CIS Controls are internationally recognized for bringing together expert insights about threats, business technologies, and defensive options into an effective, coherent, and simple way to manage an organization’s security improvement program. They are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.
The CIS Controls are comprised of 20 Controls that are supported by 171 Sub-Controls, or Safeguards. In CIS Controls v7.1, CIS introduced a new prioritization scheme called Implementation Groups (IGs):
IG1 is the definition of basic cyber hygiene and represents an emerging minimum standard of information security for all enterprises.
IG2 prescribes what has to be done for more sensitive components of an enterprise depending upon the services and information they handle.
IG3 is the highest level of cyber hygiene. These are steps fully mature enterprises should take to protect the most sensitive parts of their missions.
Learn about and download the CIS Controls by visiting our website.
The new guide considers the issue from the perspective of the CIS Controls and provides a baseline of questions to ask MSPs. It is especially important to know:
The types of controls that are implemented at the MSP for their own security
Which CIS Controls are implemented by the MSP on behalf of its clients
MSP Services and Solutions
MSPs, from a security perspective, can help enterprises reduce the risk of understaffed and underfunded in-house solutions. Due to their offerings, MSPs are highly attractive to potential clients. They offer a wide range of solutions and services that include, but are not limited to, those listed below:
Anti-virus, anti-spam, anti-phishing, and anti-malware services
Data backup services
Network monitoring services
Software configuration and provisioning services
Cloud computing services (applications, services, resources, management)
Hardware configuration and implementation services
Network infrastructure configuration, implementation, and enhancement services
Patch, repair, and update management services
On-demand augmentation of incumbent staff/expertise
Ensuring Basic Cyber Hygiene with MSPs
How can small and medium enterprises protect themselves while taking advantage of some of the benefits of working with an MSP? Asking the right questions when shopping for a provider can help inform an enterprise’s decisions.
The guide contains a questionnaire that can be modified to address an enterprise’s specific concerns before it is provided to the MSP. The 43 Safeguards in CIS Controls IG1 provide a guideline for basic cyber hygiene for all enterprises. In particular, IG1 can be easily implemented by small and medium enterprises, potentially with support from an MSP. These Safeguards will help organizations protect their IT infrastructure, systems, and data from most cyber-attacks.
The new guide, Establishing Basic Cyber Hygiene Controls Through a Managed Service Provider, is an effective way for enterprises to ensure their basic cyber hygiene needs are met when contracting with an MSP. Download the guide on our website.
Ginger Anderson is a Senior Cybersecurity Engineer at the Center for Internet Security (CIS). Anderson started her career as an enlisted Intelligence Analyst with the U.S. Army and later as a commissioned Intelligence Officer. She has additionally supported the Federal Bureau of Investigation (FBI) and U.S. Department of Homeland Security (DHS) in their cyber operations. She holds a B.S. in Systems Engineering from the United States Military Academy, an M.S. in Geospatial Analysis from Pennsylvania State University, and is working towards a Ph.D. in Data Science through the University of Maryland.
Cyberside Chat
This Quarter's Topic: A Proper Regimen for Cyber Health
By Sean Atkinson, Chief Information Security Officer, CIS
Early in my career, hearing “cyber hygiene” often drew me to the correlation between personal hygiene as it relates to systems and services I was auditing. Mentally, I built a model of my position as an internal Information Security (IS) auditor and the assessment process similar to how the human body functions, to create a hygiene analogy.
To begin defining physical attributes, an understanding of the physical environment is critical to determine the impact within the regulatory and legislative space. As humans, we have specific attributes that are limited by genetics and physical laws. To maintain proper hygiene, I concluded that the space in which we exist is defined by specific rules, such as regulations, policies, certification requirements, etc.
We know that a single manual or guide telling us how to live a healthy life doesn't exist. So, much like the various fitness and diet regimens for personal health, I correlated compliance and control frameworks to a diet and fitness regimen. My first encounter with the CIS Controls was Version 5, where I began to use the Controls as a method to assist in the decision-making process. Doing X will have the likelihood of resulting in Y, so if I implement the Controls, my cyber health should be improved, much as if running and eating healthy will likely make me stronger and healthier.
The physical infrastructure, I decided, was similar to the human body in the following ways:
Skeleton – Infrastructure
Brain – Data Center
Other Organs – Systems/Services
Circulatory System – Network
Blood – Data
While these analogies for our computer systems are very loose, they helped me to define the construction within the environment. I thought about our yearly reviews, audits, penetration tests, and control assessments. I saw those functions similar to visiting the doctor for an annual checkup or the dentist twice a year for a cleaning. These routine activities I correlated to internal and external assessments on control activities, such as data retention, security control reviews, etc.
Finally, there is surgery; something is immediately wrong and we need to fix it. I identified this process as the internal incident and remediation of an exposed vulnerability. We have identified something is not right and it needs to be fixed. Also, patching could be something akin to preventative surgery. We don’t do it right away, but perform testing and analysis to make sure it is the right choice at the right time to reduce any risk of harm, but also to maintain a certain level of health.
My review of my thought processes may be very simplistic, but as our systems and technology advance and the requirements for new elements of privacy and regulatory control become more abundant, it may behoove us to review our systems in such a manner and really take care of our system health, creating effective cyber hygiene.
ISAC Update
Continued membership growth, new services, and making the most of your MS- and EI-ISAC membership
By Paul Hoffman, Director of Stakeholder Engagement, MS-ISAC
The first quarter of 2021 has marked the return toward our more traditional membership growth curve for the MS-ISAC, following the tumultuous times of 2020. After reaching 10,000 members in November 2020, the MS-ISAC membership has now grown to 10,600 this quarter. Leading the way is our Education sector, specifically the K-12 subsector, which now stands at 2,320 members, making up approximately 22% of our total membership.
Our Malicious Domain Blocking and Reporting (MDBR) service continues to perform extremely well, and with the recent expansion of the service to include private hospitals and healthcare organizations, we are making a significant contribution to protecting the Healthcare sector during these times of elevated ransomware risk. Beginning last month, the MDBR service became available to private hospital organizations in the United States, offering the same proactive domain security service that over 1,000 SLTT organizations have benefited from since last summer. If you are interested in this program, please direct your inquiry to hospitalservices@cisecurity.org or learn more about the service at https://www.cisecurity.org/hospitals.
The EI-ISAC is also continuing its growth and, while the spotlight is somewhat dimmed now that the 2020 election season has passed, the EI-ISAC remains ever vigilant and is working with the community to ensure safe and secure elections. Additionally, the EI-ISAC is on the doorstep to its 3,000th member and we hope to secure that number in the coming months.
As we move through the first quarter of 2021, we will continue to bring new services to further support our diverse membership. Of particular note for this quarter is the introduction of our membership Virtual Service Reviews (VSR). These quick 30-40 minute meetings allow our members to reacquaint themselves with their current service levels, make adjustments as needed, and take advantage of any offerings they haven’t utilized previously. It is the perfect “tune-up” for your MS- or EI-ISAC membership. If you are interested in scheduling a Virtual Service Review and taking a look under the hood of your membership with our team, please reach out to info@msisac.org.
We will continue to evolve and grow while always maintaining our commitment to our core mission to improve the overall cybersecurity posture of the nation's state, local, tribal, and territorial governments through focused cyber threat prevention, protection, response, and recovery. Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to your SLTT colleagues (and now private hospitals). We are stronger and more connected than ever before!
Upcoming Events
April
April 7 Virtual Cyber Security Summit: San Diego will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. CIS CISO Sean Atkinson will be a featured speaker at the online event, leading a panel discussion covering insider threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/sandiego21/.
April 14 Virtual Cyber Security Summit: Denver will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/denver21/.
April 20 – 22 Collision, one of the largest technology conferences in North America, will take place virtually. The event brings together global tech leaders, high-potential startups, and top media to discuss the latest industry trends. Over 450 speakers will lead over 100 hours of online content over the event's three days. Learn more or register at https://collisionconf.com/.
April 20 – 23 The Texas Association of Governmental Information Technology Managers (TAGITM) will be hosting its 2021 TAGITM Annual Education Conference at the Renaissance Austin Hotel in Austin, Texas. The focus of the event will be The Reality of Being Virtual, educating government IT leaders and professionals in the state on the realities of the new virtual and hybrid workforce. Learn more at https://www.tagitm.org/page/2021conference.
April 26 – 28 The Massachusetts Attorney General's Office will be hosting the 2021 National Cyber Crime Conference (NCCC) virtually. Over the past nine years, the NCCC has become the premier annual cybercrime and digital evidence training event for law enforcement, prosecutors, and forensic examiners. Learn more at https://www.mass.gov/service-details/national-cyber-crime-conference.
May
May 6 Virtual Cyber Security Summit: Nashville will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. CIS CISO Sean Atkinson will be a featured speaker at the online event, leading a panel discussion covering insider threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/nashville21/.
May 13 Virtual Cyber Security Summit: Dallas will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/dallas21/.
May 17 – 20 RSA Conference 2021, one of the cybersecurity industry's largest and most anticipated events, will take place virtually this year. Centered around this year's theme – Resilience – attendees will gain actionable insights from hundreds of traditional and immersive sessions, collaborate and share different perspectives with peers that will spark new approaches, and see the latest technology. Learn more or register at https://www.rsaconference.com/usa.
May 25 – 27 The National Association of State Chief Information Officers (NASCIO) will be hosting the NASCIO 2021 Midyear Conference virtually. The annual event gives state CIOs and members of their staff the opportunity to come together with others in the industry to network and discuss emerging IT trends and strategies impacting government technology. Learn more at https://www.nascio.org/conferences-events/.
June
June 9 Virtual Cyber Security Summit: Silicon Valley will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. CIS CISO Sean Atkinson will be a featured speaker at the online event, leading a panel discussion covering insider threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/siliconvalley21/.
June 23 Virtual Cyber Security Summit: Seattle/Portland will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/seattleportland21/.
June 29 Virtual Cyber Security Summit: Philadelphia will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. CIS CISO Sean Atkinson will be a featured speaker at the online event, leading panel discussions covering insider threats and ransomware. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/philadelphia21/.
July
July 7 Virtual Cyber Security Summit: St. Louis/Oklahoma City will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. CIS CISO Sean Atkinson will be a featured speaker at the online event, leading panel discussions covering insider threats and ransomware. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/stlouisokc21/.
July 7 Virtual Cyber Security Summit: Detroit will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/detroit21/.
July 16 – 19 The National Association of Counties (NACo) will be hosting the NACo Annual Conference and Exposition at the Austin Convention Center in Austin, Texas. The event is the largest meeting of county elected and appointed officials from across the country. County leaders from across the U.S. will convene in Travis County, Texas, to adopt positions on pressing federal policies affecting counties and exchange innovative solutions to challenges facing American communities. Learn more at https://www.naco.org/events/conferences.
Copyright © 2021 Center for Internet Security, All rights reserved.
Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.880.0699