Cybersecurity Quarterly
Summer 2021
A Publication from
Introducing New Tools and Capabilities to Help Defend Our Members
CIS's New Guide to Mitigate Exploits Against a Common File-Sharing Protocol
Protecting Your Network's Endpoints in the Age of Remote Work
Strategies to Secure One of the Most Common Cyber-Attack Vectors: Humans
CIS Controls v8 is Here! After more than two years of hard work and dedication from a global community of experts, the latest enhancement to our security best practices has finally arrived to help make our connected, ever-evolving world a safer place
Contents

Featured Articles
8 – 18 is the New 20: CIS Controls v8 is Here! The latest version of the CIS Controls has arrived with enhanced security guidance
12 – How to Mature Endpoint and Visibility Management for Public Sector Agencies. Protecting the weakest links in your increasingly distributed network of devices
16 – The Multi-State and Elections Infrastructure ISACs Undergo Digital Transformation. Introducing new tools and capabilities to help the MS- and EI-ISACs defend members
18 – Security Awareness is Managing Human Risk: Achieving Data-Driven Results. Improving security by addressing one of the most common attack vectors: humans
20 – Commonly Exploited Protocols: Server Message Block (SMB). Our new guide to securing a common protocol in today's remote workforce
22 – CIS Community Defense Model v2.0 – Coming to a Computer Near You: Summer 2021. Our new and improved mapping showcasing how the CIS Controls address cyber-attacks

Quarterly Regulars
4 – Quarterly Update with John Gilligan
6 – News Bits & Bytes
24 – Cyberside Chat
25 – ISAC Update
26 – Event Calendar

Summer 2021, Volume 5, Issue 2. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo
Supervising Editor: Laura MacGregor
Copy Editor: Autum Pylant
Staff Contributors: Sean Atkinson, Paul Hoffman, Josh Moulin, Victoria Pasmanik, Autum Pylant, Emily Sochia, Valecia Stocchetti
Cybersecurity Quarterly is published and distributed in March, June, September, and December. Published by Center for Internet Security 31 Tech Valley Drive East Greenbush, New York 12061 For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460 Copyright © 2021 Center for Internet Security. All rights reserved.
Quarterly Update with John Gilligan

"One of the aspects that makes cybersecurity unique is that there is no single 'silver bullet.'"

Welcome to the Summer Issue of Cybersecurity Quarterly. After a very long year, we seem to be seeing some daylight in our battle against COVID-19. Businesses are opening up, mask and social distancing restrictions are being loosened, and vaccinations are reducing the susceptibility of further outbreaks. While the prospects for our physical safety are improving, there is no parallel progress for our cyber safety. Recent ransomware attacks on key critical infrastructure organizations, as well as cyber-attacks against both public and private organizations, continue to increase.

The theme for this quarter's issue is "the cybersecurity ecosystem." One of the aspects that makes cybersecurity unique is that there is no single "silver bullet." Rather, addressing cybersecurity threats requires focus on a number of physical and technical areas needed to build a resilient cyber ecosystem. Failure to address the totality of the cyber ecosystem results in gaps that can be exploited to compromise data and systems.

Articles in this issue describe the tools and processes that contribute to making a secure cyber ecosystem. Tanium has authored an article on the maturing of endpoint management as organizations increasingly turn to protecting endpoints rather than focusing primarily on network-based protection. CIS's Josh Moulin has provided an article that describes the new and upcoming tools and resources added to the Multi-State and Elections Infrastructure ISACs' capabilities. This is an important read for those in government organizations at the state, local, tribal, and territorial levels. Another article by CIS addresses the recently released guide regarding mitigating and securing against vulnerabilities and exploits in the commonly used Server Message Block (SMB) protocol.

Last month CIS launched Version 8 of the CIS Controls in conjunction with the RSA Conference. One of this issue's articles describes the updates and changes in the Controls v8, including reducing the number of Controls to 18, as well as expanded focus on cloud and mobile environments. The release of Controls v8 caps almost two years of work by the CIS team and many expert advisors. In addition to the overview of CIS Controls v8, another article highlights the upcoming release of CIS Community Defense Model 2.0, which maps the security recommendations in the CIS Controls to attack types based on well-known industry threat reporting. CIS's Sean Atkinson also provides an overview of how to leverage Version 8 to secure your organization's ecosystem.

SANS has provided an article addressing the human dimension of a cyber ecosystem. Specifically, the article addresses the importance of ensuring security awareness and managing human-centered risks. Finally, CIS's Paul Hoffman provides an article summarizing the past quarter's activities in the ISACs, including the results of the most recent Nationwide Cybersecurity Review (NCSR). The NCSR is conducted annually, and nearly 3,000 state, local, tribal, and territorial organizations participated in the latest survey. The most recent survey shows continued strengthening of cybersecurity programs, but also highlights that there is still work to be done in a number of areas.

I hope that you can use some of the information in this quarter's issue to strengthen your organization's cyber ecosystem.

Best Regards,
John M. Gilligan President & Chief Executive Officer Center for Internet Security
News Bits & Bytes

The Center for Internet Security (CIS) has partnered with Deloitte, which is providing no-cost access for all members of the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) to its Cyber Detect and Respond Portal. The Cyber Detect and Respond Portal is a secure online platform for obtaining industry-leading and continually updated cyber threat intelligence (CTI). This collaboration further strengthens the MS-ISAC's efforts to share cyber-related information and reduce overall government cyber risk. Through the portal, members will be able to view and analyze detailed advisories on threats and vulnerabilities and customize notification settings to have them delivered automatically on a selected frequency. By augmenting these reports with the cyber threat bulletins from the U.S. Department of Homeland Security, MS-ISAC members have access to both government and private sector perspectives on cyber threats. For more information, view our press release.

CIS worked with three vendors to pilot a new certification, CIS Benchmarks Configuration Certification, to demonstrate that a product will work in an environment hardened to the CIS Benchmarks. The new certification enables vendors to develop new products with the CIS Benchmarks built in, tested, and certified at the outset. Building this confidence into the products takes the guesswork out of knowing whether or not a product will work in a CIS Benchmarks-hardened environment without impact. Learn more in our blog post.

The EI-ISAC has released its 2020 Elections Year in Review. In the 2020 General Election, CIS and the EI-ISAC's dedicated staff and their partners worked tirelessly to apply lessons learned from the 2016 and 2018 elections. CIS proved it was uniquely positioned to handle both cybersecurity and misinformation reports to protect election infrastructure. The e-book outlining our election efforts is available to download for free on our website.

The Cybersecurity and Infrastructure Security Agency (CISA) has released Best Practices for MITRE ATT&CK® Mapping as part of an ongoing effort to encourage a common language in threat actor analysis. CISA identifies understanding adversary behavior as the crucial first step in protecting networks and data and successfully mitigating cyber-attacks. Our defenses are strengthened when we share cyber threat intelligence (CTI) between and among the public and private sectors to help one another secure our systems, networks, and data against our adversaries. The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations; it provides details on 100+ threat actor groups, including the techniques and software they are known to use. The Best Practices for MITRE ATT&CK Mapping guide provides network defenders with clear guidance, examples, and step-by-step instructions to make better use of MITRE ATT&CK.

CIS has been named one of the "2021 Top Workplaces" in the New York Capital Region by the Albany Times Union. Only 62 companies made this year's list, which has categories for small, medium, and large businesses. For the seventh time, CIS received honors in the medium-sized businesses category. CIS also received the Communication Award, recognizing effective organization-wide communication that ensures employees feel well informed about important decisions. The list of 2021 Top Workplaces is based solely on the results of an employee feedback survey.
The Most Trusted Source for Information Security Training, Certification, and Research

CIS & SANS Institute Information Security Training Partnership

SANS Institute partners with the Center for Internet Security (CIS) to provide its top-rated information security training and awareness programs to State, Local, Tribal, and Territorial (SLTT) Government organizations at significantly reduced costs. Leverage this special partnership to ensure that your employees have the skills and experience necessary to protect your critical organization from cyber threats. Program participants may purchase:

• More than 45 of SANS' most popular hands-on courses, available OnDemand or live, online via Live Online.
• SANS Security Awareness, to train and test non-technical staff on email, file storage, digital access, and general data security.

Purchase training during the Summer Aggregate Buy window to receive the best pricing of the year. Discounts are available June 1 through July 31, 2021. Contact partnership@sans.org, or visit www.sans.org/partnerships/cis for more information.
18 is the New 20: CIS Controls v8 is Here!
With input from our global IT community, CIS launched CIS Controls Version 8, updated to keep up with the ever-changing cyber ecosystem.

By Autum Pylant

The moment we've all been waiting for is finally here. The Center for Internet Security (CIS) officially launched CIS Controls v8, which was enhanced to keep up with evolving technology (modern systems and software), evolving threats, and even the evolving workplace. The pandemic changed a lot of things, and it also prompted changes in the CIS Controls. The newest version of the Controls now includes cloud and mobile technologies. There's even a new CIS Control, Service Provider Management, that provides guidance on how enterprises can manage their cloud services.
Task-Based Focus Regardless of Who's Executing the Control

Since networks are basically borderless, meaning there is no longer an enclosed, centralized network where all the endpoints reside, the Controls are now organized by activity rather than by how things are managed. Efforts to streamline the Controls and organize them by activity resulted in fewer Controls and fewer Safeguards (formerly Sub-Controls). There are now 18 top-level Controls and 153 Safeguards dispersed amongst the three Implementation Groups (IGs). You read that right; there are no longer 20 CIS Controls. Apparently, 18 is the new 20!

IG1 = Basic Cyber Hygiene

CIS Controls v8 officially defines IG1 as basic cyber hygiene, representing an emerging minimum standard of information security for all enterprises. IG1 (56 Safeguards) is a foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most prevalent attacks. IG2 (an additional 74 Safeguards) and IG3 (an additional 23 Safeguards) build upon the previous IGs, with IG1 being the on-ramp to the Controls and IG3 including all the Safeguards, for a total of 153.

The recently released 2021 Verizon Data Breach Investigations Report (DBIR) mentioned CIS Controls v8 by name, calling out the Implementation Groups. Through a combination of mappings to Verizon's revamped incident classification patterns, the IGs, and the security functions of the CIS Controls, they identified a core set of Controls that every enterprise should implement regardless of size and budget:

• Control 4: Secure Configuration of Enterprise Assets and Software
• Control 5: Account Management
• Control 6: Access Control Management
• Control 14: Security Awareness and Skills Training
The CIS Controls Ecosystem: It's Not About the List

The v8 release is not just an update to the Controls; the whole ecosystem surrounding the Controls has been (or soon will be) updated as well. This includes:

• CIS Controls Self Assessment Tool (CSAT) (Hosted & Pro) – a way for enterprises to conduct, track, and assess their implementation of the CIS Controls over time, and measure implementation against industry peers; CIS CSAT Hosted is free for use in a noncommercial capacity
  • Updated CIS CSAT Pro – on-premises, data sharing optional, different user roles for different organizations, separation of administrative function, different look and feel
• Community Defense Model (CDM) – a data-driven, rigorous, transparent approach that helps prioritize the Controls based on the evolving threat; CDM v1.0 utilized the 2019 Verizon Data Breach Investigations Report (DBIR) to determine top attacks and the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework v6.3
  • CDM v2.0 – maps Safeguards as mitigations down to the ATT&CK Technique and Sub-Technique level (MITRE ATT&CK Framework v8.2) and uses well-known industry threat reporting to determine the top attack types
• CIS Risk Assessment Method (CIS RAM) – helps an enterprise justify investments for reasonable implementation of the CIS Controls, define their acceptable level of risk, prioritize and implement the CIS Controls reasonably, and demonstrate "due care"
  • CIS RAM 2.0 – includes a simplified CIS RAM worksheet for IG1, and additional modules tailored to developing key risk indicators using quantitative analysis
• CIS Controls Mobile Companion Guide – helps enterprises implement the consensus-developed best practices using CIS Controls v8 for phones, tablets, and mobile applications
• CIS Controls Cloud Companion Guide – guidance on how to apply the security best practices found in CIS Controls v8 to any cloud environment from the consumer/customer perspective
• Mappings to other regulatory frameworks – enterprises that implement the CIS Controls can show compliance to other frameworks

CIS Controls v8 and some of these tools and resources are available today! As additional resources are updated, they'll be added to the v8 page, so be sure to watch that space. Just as technology and the threat landscape evolved, so did the CIS Controls. v8 is the direct representation of the adaptability, simplification, and consistency that you've come to expect from the CIS Controls.
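The CDM method described above (Safeguards mapped as mitigations to ATT&CK techniques, then weighed against the top attack types) can be reproduced in miniature. What follows is an added example, not CIS's CDM data or tooling: the ATT&CK technique IDs are real, and the Safeguard IDs follow the CIS Controls v8 numbering, but which Safeguard mitigates which technique, which IG each Safeguard sits in, and what each "top attack type" consists of are assumptions constructed for this illustration rather than the published CDM v2.0 mapping.

```python
"""Added example (not CIS's CDM data or tooling): a CDM-style coverage check.

Every mapping below is CONSTRUCTED for illustration. The ATT&CK technique
IDs are real; the Safeguard-to-technique pairings, the IG assignments and
the attack-type definitions are assumptions, not the published CDM v2.0.
"""
from __future__ import annotations

from collections import defaultdict

# Assumed: which ATT&CK techniques each CIS Controls v8 Safeguard mitigates.
SAFEGUARD_MITIGATES = {
    "4.1":  {"T1190"},            # secure configuration process
    "5.2":  {"T1110", "T1078"},   # unique passwords
    "6.3":  {"T1078", "T1110"},   # MFA for externally-exposed applications
    "7.1":  {"T1190"},            # vulnerability management process
    "10.1": {"T1204"},            # anti-malware software
    "10.7": {"T1486", "T1204"},   # behavior-based anti-malware
    "11.2": {"T1486"},            # automated backups
    "12.2": {"T1021"},            # secure network architecture
    "14.1": {"T1566", "T1204"},   # security awareness program
}

# Assumed: the Implementation Group in which each Safeguard first appears.
SAFEGUARD_IG = {"4.1": 1, "5.2": 1, "6.3": 1, "7.1": 1, "10.1": 1,
                "10.7": 2, "11.2": 1, "12.2": 2, "14.1": 1}

# Constructed "top attack types", each expressed as the ATT&CK techniques
# an analyst decided make up that attack pattern.
TOP_ATTACKS = {
    "ransomware":                   {"T1566", "T1486", "T1078"},
    "web application hacking":      {"T1190", "T1110"},
    "malware":                      {"T1204", "T1566"},
    "insider and privilege misuse": {"T1078"},
    "targeted intrusions":          {"T1190", "T1021", "T1078"},
}


def mitigated_techniques(max_ig: int) -> set[str]:
    """Techniques mitigated by at least one Safeguard in IG1 through max_ig."""
    covered: set[str] = set()
    for sg, techniques in SAFEGUARD_MITIGATES.items():
        if SAFEGUARD_IG[sg] <= max_ig:
            covered |= techniques
    return covered


def coverage_by_attack(max_ig: int) -> dict[str, float]:
    """Fraction of each attack type's techniques that the chosen IG mitigates."""
    covered = mitigated_techniques(max_ig)
    return {attack: round(len(techs & covered) / len(techs), 2)
            for attack, techs in TOP_ATTACKS.items()}


def uncovered_techniques(max_ig: int) -> set[str]:
    """Top-attack techniques with no mitigating Safeguard at this IG: the gaps."""
    all_techs = set().union(*TOP_ATTACKS.values())
    return all_techs - mitigated_techniques(max_ig)


def safeguard_priority() -> list[tuple[str, int]]:
    """Rank Safeguards by the top-attack techniques they mitigate, weighting a
    technique by the number of attack types it appears in. Ties break on the
    numeric Safeguard ID."""
    weight: dict[str, int] = defaultdict(int)
    for techs in TOP_ATTACKS.values():
        for t in techs:
            weight[t] += 1
    scored = [(sg, sum(weight[t] for t in techs))
              for sg, techs in SAFEGUARD_MITIGATES.items()]
    return sorted(scored, key=lambda s: (-s[1], tuple(int(p) for p in s[0].split("."))))


if __name__ == "__main__":
    for ig in (1, 2):
        print(f"IG{ig} coverage: {coverage_by_attack(ig)}")
        print(f"IG{ig} gaps:     {sorted(uncovered_techniques(ig))}")
    print("Safeguards by value:", safeguard_priority())
```

The two outputs worth acting on are the gaps (techniques present in the top attacks that nothing in the chosen IG mitigates) and the ranking, which is what "prioritize the Controls based on the evolving threat" means in practice. Substituting the published CDM mapping and current threat reporting for the constructed tables gives real numbers.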
Learn More about CIS Controls v8

Welcome to CIS Controls v8 Webinar – Based on feedback from users around the world and working in a breadth of industries, we enhanced CIS Controls Version 8 to keep up with modern systems and software. Learn about the newly released CIS Controls v8, including its creation, changes from v7, new updates for resources and tools, and more.

Securing Your Cloud Infrastructure with CIS Controls v8 Webinar – You asked and we listened! CIS partnered with like-minded organizations, Cloud Security Alliance (CSA) and SAFECode, to provide input into CIS Controls v8 to help our users secure their cloud environments. In this webinar, subject-matter experts from CIS, CSA, and SAFECode go into detail on the benefits of our partnership and review each organization's contributions to the new and updated guidance for cloud infrastructure contained in CIS Controls v8.

Cybersecurity Where You Are Episode 7: CIS Controls v8...It's Not About the List – Host and CIS Senior Vice President and Chief Evangelist Tony Sager welcomes guests Randy Marchany and Phyllis Lee. Marchany is the Chief Information Security Officer (CISO) at Virginia Tech, and Lee serves as Senior Director of the CIS Controls. The connection between the two guests is the CIS Controls – a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks.

Cybersecurity Where You Are Episode 8: CIS Controls v8 First Impressions – Host and CIS Senior Vice President and Chief Evangelist Tony Sager welcomes guests Phyllis Lee, Senior Director of the CIS Controls, and CIS Controls Community Adopter and Volunteer Rick Doten. Picking up where the previous episode left off, Lee highlights the guiding principles that helped the development of v8 start off strong.

Autum Pylant is a Communications Manager at CIS. She primarily focuses on promoting the CIS Controls, CIS Benchmarks, and CIS Hardened Images as part of an overall communications strategy for media pitches to trade journals. She served 10 years in the U.S. Air Force as a military broadcaster and holds numerous degrees: BS in Computer Security, MA in Clinical Mental Health Counseling, Master of Public Administration (MPA), and Doctor of Public Administration (DPA).
How to Mature Endpoint and Visibility Management for Public Sector Agencies

In an increasingly connected world, securing endpoints can be a challenge, but with the right steps and tools, any organization can be ready for whatever comes next.

By Chris Cruz

State, local, and educational organizations are tasked with serving constituents, students, businesses, and staff by delivering services, expanding economic opportunities, and improving crisis response. With increasing emphasis on cybersecurity readiness, IT leaders have been tasked with protecting communities and departments with fewer resources to execute across all areas. With users more distributed than ever, the endpoint has become the most vulnerable frontier from a cybersecurity perspective, and it needs to be secured.

How to Be More Confident in Your Patching & Compliance

Many organizations don't have confidence in answering questions such as: "How many devices do we have?" "How are we measuring data privacy risk today?" or "How do we scope an attack that has been around longer than 90 days?" No matter how confident you are in answering these questions now, it's never too late to look at maturing your cybersecurity posture. According to the CSO Pandemic Impact Survey, 61 percent of security and IT leaders are concerned about increased cyberattacks targeting remote workers. It's time to get ahead of the curve.
But where to start? How can organizations begin maturing their cybersecurity posture? It all starts with visibility of their endpoints – on-premises, in the cloud, or fully remote. Because you can't control what you can't see, organizations must first shed light on all of the endpoints that are inside or even outside of their environment. Are your endpoints doing the heavy lifting for endpoint visibility and discovery? The most effective technologies use agents installed on managed endpoints to passively or actively identify the devices on the same network segment, or those they have recently communicated with. Central scans can be configured, but are often less useful because network firewalls and perimeters limit what a central scanner can reach.
Barriers to Visibility

When organizations think about cybersecurity, a common sentiment is that a hack is "bound to happen" and "there's nothing we can do beyond what we're doing now." And because budgets are tight and the problem is complex, it's no wonder the news headlines are full of new examples of ransomware attacks on the public sector. Many of the tools that organizations use today do not give full visibility and control over endpoints, because those tools must be loaded on every known endpoint and so never see the ones nobody knew about. Luckily, there's been a lot of development around the practice of finding unknown and unmanaged endpoints.

Another strategy for dealing with a hack is falling back on insurance coverage; some organizations see it as their best defense. Insurance can transfer the financial risk, but it does nothing for the lasting impact of a public relations disaster, and it is no substitute for a good offense. Banking on insurance coverage may be increasingly expensive in the long run, so it's best to be proactive about securing your endpoints and to think outside of the box to do so.
Closing the Gap

To close these gaps, organizations need endpoint management and security tools that provide the visibility, control, and rapid response required for managing endpoints efficiently, thus improving and accelerating incident response, and achieving strong IT hygiene at scale. Once you've got visibility into the assets milling about in your environment, it's time to focus on controlling those assets in a comprehensive way.

For example, if you find that unpatched laptop, the next step is to patch it as soon as possible, and to make sure you can answer questions like, "Why is this laptop not patched?" and "Where is it located?" What if the next 30 laptops you find are on different versions? What if users continue to decline the updates? How do you monitor for configuration drift? Having control over these scenarios and the ability to find the information you need, in real time, is critical to your organization's success.

When it comes to having comprehensive control, there are a few areas where organizations can focus. One is tool and cost optimization. With a distributed user base, this need is greater because IT administrators have even less oversight of which tools are being used. The first step to cost reduction is identifying the problem: 1) do you have unused or underutilized hardware (hardware with little load), and 2) do you have underutilized software? If only 75% of the users licensed for a particular application have logged in within the last six months, do the other 25% really need it? Being able to pose and quickly answer questions like these will be highly impactful in increasing efficiency and reducing operating costs.

Once your costs and tools are optimized, the next step to endpoint management maturity is data privacy. How are you measuring your data privacy risk today? What are your biggest concerns? These are tough questions to answer across an entire distributed environment, but the right tools can help you avoid opening Pandora's box by giving you a comprehensive view into the sensitive data being stored in your environment and the steps you can take to secure it.
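The visibility-then-control loop described above reduces to three reconciliations: what is seen on the network but not under management, what is managed but off the patch baseline, and what is managed but has stopped checking in. The following is an added example, not Tanium's or CIS's code. The neighbour-table lines are constructed in the style of Linux `ip neigh show` output (an agent on one host reporting the devices it can see on its segment), the inventory records, baseline build, and the fixed "now" are assumptions so the results are reproducible.

```python
"""Added example (not Tanium's or CIS's code): reconcile what is seen on a
network segment against the managed-asset inventory, then flag patch drift
and stale agent check-ins. All input data is CONSTRUCTED for illustration."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed: neighbour entries in the format of `ip neigh show`, as an
# agent on one host would observe them for its own segment.
NEIGHBOR_DUMP = """\
10.0.5.12 dev eth0 lladdr 3c:52:82:aa:01:10 REACHABLE
10.0.5.13 dev eth0 lladdr 3c:52:82:aa:01:11 STALE
10.0.5.40 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.0.5.41 dev eth0 lladdr 00:1a:2b:3c:4d:5f DELAY
10.0.5.99 dev eth0 lladdr b8:27:eb:12:34:56 REACHABLE
10.0.5.1 dev eth0 FAILED
"""

# Constructed: what the endpoint-management agent reports for managed assets.
INVENTORY = [
    {"host": "lt-0412", "mac": "3c:52:82:aa:01:10", "os_build": "19042.985",
     "last_seen": "2021-06-10T14:02:00"},
    {"host": "lt-0413", "mac": "3c:52:82:aa:01:11", "os_build": "19042.928",
     "last_seen": "2021-06-09T09:30:00"},
    {"host": "ws-0040", "mac": "00:1a:2b:3c:4d:5e", "os_build": "19042.985",
     "last_seen": "2021-05-01T08:00:00"},
]
BASELINE_BUILD = "19042.985"              # assumed current patch baseline
NOW = datetime(2021, 6, 10, 16, 0, 0)     # fixed so the example is deterministic

NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\S+) dev \S+ lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$")


def parse_neighbors(dump: str) -> dict[str, str]:
    """Map MAC -> IP for every entry that carries a link-layer address.
    Entries without one (FAILED, INCOMPLETE) never resolved, so they are skipped."""
    seen: dict[str, str] = {}
    for line in dump.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            seen[m["mac"].lower()] = m["ip"]
    return seen


def find_unmanaged(neighbors: dict[str, str], inventory: list[dict]) -> list[tuple[str, str]]:
    """Devices observed on the segment whose MAC no managed agent has reported."""
    managed = {rec["mac"].lower() for rec in inventory}
    return sorted((ip, mac) for mac, ip in neighbors.items() if mac not in managed)


def find_drift(inventory: list[dict], baseline: str) -> list[str]:
    """Managed hosts whose reported OS build differs from the patch baseline."""
    return sorted(rec["host"] for rec in inventory if rec["os_build"] != baseline)


def find_stale(inventory: list[dict], now: datetime,
               max_age: timedelta = timedelta(days=30)) -> list[str]:
    """Managed hosts whose agent has not checked in within max_age: the
    inventory says they exist, but nobody can currently see or control them."""
    return sorted(rec["host"] for rec in inventory
                  if now - datetime.fromisoformat(rec["last_seen"]) > max_age)


def report(dump: str = NEIGHBOR_DUMP, inventory: list[dict] = INVENTORY,
           baseline: str = BASELINE_BUILD, now: datetime = NOW) -> dict:
    neighbors = parse_neighbors(dump)
    return {
        "seen_on_network": len(neighbors),
        "unmanaged": find_unmanaged(neighbors, inventory),
        "drifted": find_drift(inventory, baseline),
        "stale_checkin": find_stale(inventory, now),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as-is it reports two devices on the segment with no agent, one laptop a cumulative update behind the baseline, and one workstation whose agent last checked in over a month ago; each of those is a different remediation (enroll, patch, locate). In production the neighbour data would come from every agent's own segment and be merged, since a single host only sees its own broadcast domain.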
Hackers are moving faster now than ever. How do you plan to respond to incidents on-premises or off? How are you working to reduce mean time to resolution? Effective incident response is about confidently running through the stages of an incident: from better identification, to scoping, all the way through to remediation and lessons learned. Incident response does not happen in a vacuum; many incidents are the result of missing patches, lack of compliance, or not following the rules. Getting a handle on these activities is tough, but necessary, and possible with the right tools.

Being Ready for... Whatever Comes Next

Securing your organization is no longer a "budget-allowing" line item. It's not nice-to-have; it's a must-have, essential spend that every state and local government and educational institution must plan for. Is your organization ready for reduced shadow IT? Endpoint compliance? IT cost optimization? Mature endpoint management? Make sure you're ready for whatever comes next.
Tanium has partnered with the Center for Internet Security to support their mission and help state, local, tribal, and territorial government organizations gain unprecedented visibility and control over their IT environment. For a gap assessment and to learn more about how current government funding and grants can provide budget support for tools that will give you visibility and control, visit our partnership site. Chris Cruz has over 30 years of experience in government. Most recently, he served as Director and CIO for the County of San Joaquin, California. Prior to this position, he served as the State of California’s Deputy CIO, where he led the State's Data Center and Information Cyber Security Program for four years. Cruz's government experience has spanned healthcare, public health, finance, food and agriculture, law enforcement, general government, and IT infrastructure, project management, applications, and procurement. In addition to these government entities, Cruz spent several years in executive leadership positions, serving as the CIO for both the California Department of Food and Agriculture and Department of Health Care Services, and he was the first CIO for the Health Benefits Exchange, now referred to as Covered California. Cruz is a staunch believer that you can never have enough security to protect your most critical assets, and serves as an advisor to the Tanium State, Local, and Education business at Tanium. Learn more about Tanium here.
The Multi-State and Elections Infrastructure ISACs Undergo Digital Transformation
As the world and the workplace continue to change, the MS- and EI-ISACs expand their capabilities with new tools and resources to keep one step ahead of cybercriminals.
By Josh Moulin
The amount of disruption, distraction, and loss resulting from the global COVID-19 pandemic has created new cyber risks and vulnerabilities across our nation. Adversaries, both domestic and foreign, have capitalized on this by increasing the frequency and sophistication of cyber-attacks. According to a recent report from Bitdefender, ransomware incidents alone have increased by 715% during the COVID-19 pandemic, and some of our most critical infrastructure has been targeted, including public utilities, hospitals, and government organizations. Beyond the sharp rise in ransomware, the damage is still being assessed from complex attacks like SolarWinds, Hafnium, and Pulse Secure.
Home to both the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), CIS offers cybersecurity products, services, education, and expertise to over 11,000 state, local, tribal, and territorial (SLTT) organizations and nearly 3,000 election offices across the United States.¹ The unparalleled visibility that CIS has into cyber activity and threats facing our SLTT organizations, combined with the input of our membership and that of our federal partners at CISA, has helped shape our future strategy and called attention to the imminent need for digital transformation of the MS- and EI-ISACs. Providing new tools and capabilities to our team of cybersecurity and risk management experts at CIS will translate to immediate value and actionable data to help our SLTTs identify, prevent, detect, respond to, and recover from cyber incidents. The digital transformation underway within the MS- and EI-ISACs includes several recently released and upcoming resources.
Threat Intelligence Platform (TIP)
Last month a new threat intelligence platform was placed into production. The TIP allows our cyber intelligence analysts to consume commercial and federal feeds and combine them with the indicators of compromise (IOCs) that we create by responding to real-world incidents within our SLTT community. The MS- and EI-ISACs are now using this intelligence to better enrich our alerts and provide our 24x7x365 Security Operations Center (SOC) staff with additional context. Additionally, we now offer bidirectional IOC sharing with our members using STIX/TAXII and MISP feeds, giving SLTTs access to the largest collection of vetted IOCs specific to U.S. SLTTs available. SLTTs able to consume these feeds can immediately place the IOCs into production on their own networks, giving their organization near real-time threat detection and prevention.
¹ These offerings are made available in part due to a cooperative agreement between CIS and the Cybersecurity and Infrastructure Security Agency (CISA).
Data Management and Analytics
CIS has organized a new team of software engineers and data analysts to better manage and utilize the massive amount of SLTT information available to us. Part of this effort includes the implementation of new data management tools and capabilities such as cloud-based data lakes, a data warehouse, and analysis tools. These analytical tools will help our analysts perform retrospective analyses of data and use machine learning (ML) and artificial intelligence (AI) to find potentially malicious activity within data that no signature-based tool would detect.
Security Information and Event Management (SIEM) Capability CIS is in the initial stages of replacing our existing software with a best-in-class cloud-based SIEM to be utilized by our SOC analysts, incident response team, intelligence team, and others. This SIEM will be part of our larger data strategy and will overlay on the data platform discussed above. The SIEM will provide the ability to aggregate and correlate data from multiple sources and give our analysts a single point of view for all events and alerts.
Security Orchestration, Automation, and Response (SOAR) Once the data warehouse and SIEM are implemented and tuned, CIS will add a SOAR capability to our digital transformation efforts.
SOAR will be a force-multiplier within our SOC, allowing us to create playbooks to automatically respond to activity and alerts. For example, if an Albert Intrusion Detection System (IDS) alerts on a ransomware attack coming from a specific domain, SOAR can interact with the TIP, adding the domain to a list of IOCs and pushing those to all of our users subscribed to that feed. SOAR can also add the domain to our Malicious Domain Blocking and Reporting (MDBR) capability, proactively blocking the rest of our MDBR users from accessing that domain. All of this would be done without requiring a SOC analyst’s interaction and within seconds.
While our teams execute these major projects, we continue to enhance existing products and services. Our MDBR service continues to be a hugely successful program, used by thousands of organizations across the U.S. and blocking millions of malicious Domain Name System (DNS) requests each month. Our partners at CISA have recently agreed to renew the MDBR program for another year, continuing this protection, at no cost, to any SLTT that wishes to use the service. Our Albert IDS program continues to evolve with a focus on Microsoft Azure and AWS cloud protection, and we are in the process of selecting vendors for a new Endpoint Protection Platform (EPP) offering. These enhancements are much needed and cannot come soon enough. While we are excited to see these capabilities added to our portfolio and the value they will bring to our SLTTs, we continue to urge all organizations to put the necessary focus on cybersecurity and ensure basic cyber hygiene through the implementation of the CIS Controls.
Recognized globally for his expertise in cybersecurity, Josh Moulin is the Senior Vice President of Operations & Security Services at CIS and has worked in cybersecurity since 2004. Prior to joining CIS, Moulin was an Executive Partner at Gartner and advised federal government and defense executives, a CIO and CISO within the U.S. nuclear weapons complex, and a commander of an FBI cybercrimes taskforce. He holds a Master’s Degree in Information Security & Assurance and over a dozen certifications in digital forensics and cybersecurity.
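The two technical threads of this article, STIX/TAXII and MISP feeds that members can put straight into production, and a SOAR playbook that turns an IDS alert into a shared indicator and a DNS block, can be sketched end to end in a few dozen lines. The Python below is an added example written for this page; it is not CIS code and does not use the Albert IDS, the TIP, or MDBR APIs. The alert shape, the feed bundle, the domains (`.example` TLD) and the addresses (203.0.113.0/24 documentation range) are all constructed. It builds a STIX 2.1 Indicator from an alert, serializes a bundle as a feed would carry it, parses indicator patterns back out of a bundle (the consumer side of bidirectional sharing), and renders the domains as DNS Response Policy Zone records of the kind a resolver-based blocking service applies.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample alert, in the shape this example assumes for an IDS event
# (not the Albert IDS's real alert format).
SAMPLE_ALERT = {
    "sensor": "ids-sensor-01",
    "signature": "Ransomware C2 beacon (constructed signature name)",
    "src_ip": "10.0.5.23",
    "dst_domain": "evil-cdn.example",
}

# Constructed inbound STIX 2.1 bundle, standing in for what a TAXII collection or a
# MISP STIX export would deliver. Includes a non-indicator object to show it is skipped.
SAMPLE_FEED_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--3f1c9f0e-1111-4a2b-9c3d-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3f1c9f0e-2222-4a2b-9c3d-000000000002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad-update.example']",
         "valid_from": "2021-06-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3f1c9f0e-3333-4a2b-9c3d-000000000003",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2021-06-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--3f1c9f0e-4444-4a2b-9c3d-000000000004",
         "name": "constructed-sample", "is_family": False},
    ],
})

# Only simple single-comparison patterns are handled; compound patterns are ignored
# rather than half-parsed, so nothing is blocked on a misread.
DOMAIN_PATTERN = re.compile(r"^\[domain-name:value\s*=\s*'([^']+)'\]$")
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value\s*=\s*'([^']+)'\]$")


def make_stix_indicator(domain: str, source_signature: str) -> dict:
    """Wrap a domain observed in an alert as a STIX 2.1 Indicator object."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"Domain from IDS alert: {source_signature}",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[domain-name:value = '{domain}']",
        "valid_from": now,
    }


def make_bundle(objects: list) -> str:
    """Serialize STIX objects as a bundle ready to publish to a feed."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects})


def extract_iocs(bundle_json: str) -> dict:
    """Pull domain and IPv4 atoms out of the indicator patterns in a STIX bundle."""
    bundle = json.loads(bundle_json)
    iocs = {"domains": set(), "ipv4": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        pattern = obj["pattern"]
        if m := DOMAIN_PATTERN.match(pattern):
            iocs["domains"].add(m.group(1).lower())
        elif m := IPV4_PATTERN.match(pattern):
            iocs["ipv4"].add(m.group(1))
    return iocs


def to_rpz_records(domains) -> list:
    """Render domains as RPZ records; CNAME to the root means 'answer NXDOMAIN'."""
    records = []
    for d in sorted(domains):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")   # also cover subdomains of the blocked name
    return records


def run_playbook(alert: dict) -> dict:
    """Alert in, shared indicator and DNS block records out, with no analyst in the loop."""
    indicator = make_stix_indicator(alert["dst_domain"], alert["signature"])
    outbound = make_bundle([indicator])
    # Round-trip through the same parser feed consumers use, so what is published
    # is exactly what gets blocked.
    iocs = extract_iocs(outbound)
    return {"indicator": indicator, "outbound_bundle": outbound,
            "rpz_records": to_rpz_records(iocs["domains"])}


if __name__ == "__main__":
    result = run_playbook(SAMPLE_ALERT)
    print("\n".join(result["rpz_records"]))
    print(extract_iocs(SAMPLE_FEED_BUNDLE))
```

The parser deliberately accepts only one-comparison patterns: a compound pattern such as a domain AND'ed with a URL path would be over-blocked if the domain alone were extracted, which is exactly the kind of mistake an unattended playbook must not make.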
Security Awareness is Managing Human Risk: Achieving Data-Driven Results
Effectively managing cyber risk in your organization means more than just patching systems and installing updates; your staff remain one of the most common attack vectors.
By Lance Spitzner
Cybersecurity is no longer just about technology; it’s also about people, especially as people represent not only one of the top risks to organizations, but one of the fastest growing. According to the most recent Verizon Data Breach Investigations Report (DBIR), 85% of the reported 5,250 breaches in the last year involved a human element. Security awareness is part of—and an extension of—the security team, to enable organizations to effectively manage and measure that risk. Security teams often have different specialties to help manage different elements of risk, such as vulnerability management, endpoint security, security operations centers, or incident response teams. Security awareness is simply another piece of the puzzle, just a piece that focuses on the human side of risk. Reach out to an organization running a mature security awareness program and you are likely to hear something like this from their security team: “The awareness team is key to helping us simplify security for our workforce and effectively manage our human cyber risk.”
The goal of security awareness is to change behavior and ultimately, to manage human risk. So how does an organization make the switch to managing human risk? Consider the following:
1. Identify an organization’s top human risks.
2. Define the key behaviors that most effectively manage those risks.
3. Communicate to, train, and engage your workforce so they exhibit those key behaviors.
New or less mature awareness programs tend to start with and focus only on step #3 (engagement), especially programs that are only compliance focused. However, truly mature awareness programs, especially those integrated with the rest of their security efforts, also include and address the first two stages. For organizations to truly manage all elements of their cyber risk, they need to focus not only on technology, but also the human side. So, how do organizations build and leverage a mature awareness program, enabling them to not only far more effectively manage and measure
their human risk, but also embed a much stronger security culture? One of the most common steps is to start with a human risk assessment. The concept of risk assessments is not new. There are numerous options and frameworks, such as NIST SP 800-30 and FAIR. For an awareness program, you leverage a similar approach, but focus on identifying your top human risks. To be effective in any risk assessment, use data to drive your decisions as much as possible — far too often risk decisions are based too much on emotion. Some of the most effective sources for data on your top human risks can include:
Past incidents/breaches
Past assessments/audits
Industry risk reports (such as Verizon DBIR)
Human risk/behavior assessments
Cyber Threat Intelligence (CTI)
A common challenge with any type of risk assessment is getting a solid handle on the basics: what is your most sensitive data, where is that data being stored, and how is it processed? Remember, for most organizations your goal is ultimately to secure your data, so risk assessments often start with tracking your data. For human risk assessments, it is no different, but instead of tracking what systems are handling your data and how, you identify who is handling your most sensitive data and how. One of the easiest ways to accomplish this step is to simply ask your workforce with a quick behavioral risk survey. The resulting reports from a behavioral risk assessment/survey are extremely powerful in helping you identify not only who is handling your most sensitive data but how they are handling it, and which methods may be the riskiest. This ensures you provide the right training to the right people and nothing more, ultimately reducing program costs and unneeded training. The bonus with such an approach is that you can also leverage this data for compliance purposes, as compliance is often driven by the type of data people handle.
To effectively manage human risk, your ability to leverage data to identify your top human risks will directly impact your ability to effectively manage those risks. Behavioral risk assessments, like the one from SANS Security Awareness, allow you to identify information handling risk in your organization. These insights will deeply inform risk management planning and help to develop a training plan that will allow you to train more effectively, often reducing training cost. Learn more about the SANS Security Awareness Behavioral Risk Assessment by visiting https://www.sans.org/security-awareness-training/products/cyber-risk-insight-suite/behavioral/.
Lance Spitzner, SANS Institute Director of Research & Community, has over 25 years of security experience in cyber threat research, security architecture, and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation of honeynets and founding of the Honeynet Project. In addition, Spitzner has published three security books, consulted in over 25 countries, and helped over 350 organizations build security awareness and culture programs to manage their human risk. Spitzner is a frequent presenter, serial tweeter (@lspitzner), and works on numerous community projects. Before information security, Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois. Learn more about SANS Security Awareness at www.sans.org/security-awareness-training or contact SSAinfo@sans.org.
Commonly Exploited Protocols: Server Message Block (SMB) The rise of telework has led to cybercriminals exploiting a common protocol for file sharing. Our new guide helps your organization defend against this attack vector. By Valecia Stocchetti The COVID-19 pandemic and the shift to telework environments has changed the way many enterprises do business. The Server Message Block (SMB) protocol – a proprietary Microsoft Windows communication protocol mainly used for file and printer sharing – has made the transition from the workplace to the “home office” easier, by allowing users access to files via remote server. While attacks on exploitable protocols like SMB have been happening for years, the increase in telecommuting has opened up a whole new playing field for cybercriminals. Poorly secured network protocols and services are basically an open invitation for attackers. And, if there’s one thing that remains the same over time, it’s that cyber-attackers – if given the opportunity – will target what’s easily accessible. It’s a no-brainer. In response, the Center for Internet Security (CIS) developed guidance, Exploited Protocols: Server Message Block, to help enterprises mitigate these risks.
Server Message Block Attacks
While SMB has many benefits, one of the biggest is the ease of having files in a central location for multiple users to access. This can be helpful for employees who work remotely and need access to files that are maintained or managed on their enterprise’s network. While the convenience of SMB technology is great, security needs to be a priority.
SMB vulnerabilities have been around for 20+ years. In general, most cyber-attacks involving SMB do not occur because an enterprise failed to procure an expensive tool or application, but rather because there was a failure to implement best practices surrounding SMB. In 2017, EternalBlue, an exploit used against a vulnerability in SMB v1.0, set the stage for some of the most intrusive and impactful malware in cybersecurity history. Among the malware that used the EternalBlue exploit are WannaCry (ransomware) and Emotet (Trojan), both of which can self-propagate throughout a network, causing widespread damage. While some of these threats may no longer be relevant today, it is important to note that as new threats emerge, they will continue to use similar attack techniques to exploit a system or network. The recent SolarWinds attack is a good example of this, as it too exploited the SMB protocol.
Securing SMB Exploited Protocols: Server Message Block leverages security best practices from the CIS Controls and secure configuration recommendations from the CIS Benchmarks to help enterprises implement and secure the use of SMB.
There are several direct mitigations for securing SMB, many of which are low or no cost to an organization:
Update and Patch Against SMB Vulnerabilities
Block SMB at the Network Level
Restrict and Protect SMB at the Host Level
Use Secure Authentication Methods for SMB
Protect Data and Use Encryption for SMB
The guide breaks down each mitigation, explains the importance of securing SMB (from an attack perspective), and introduces related CIS Controls and/or CIS Benchmarks. It also provides additional supportive controls for protecting against and detecting SMB-based attacks.
By implementing the direct mitigations and supporting controls introduced in Exploited Protocols: Server Message Block, enterprises can confidently strengthen their cybersecurity posture while protecting their assets. Download the guide at https://www.cisecurity.org/white-papers/cis-controls-v8-exploited-protocols-server-message-block-smb/.
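Three of the mitigations listed above can be checked mechanically: whether SMB crosses the network boundary at all (Block SMB at the Network Level), and whether a host still accepts SMBv1, unsigned sessions, or unencrypted data (Restrict and Protect SMB at the Host Level, Use Secure Authentication Methods for SMB, Protect Data and Use Encryption for SMB). The Python below is an added example written for this page, not code from the CIS guide. The flow records and both server configurations are constructed; the configuration keys follow the property names Windows reports through `Get-SmbServerConfiguration` (`EnableSMB1Protocol`, `RequireSecuritySignature`, `EncryptData`), but the values and the internal address ranges are assumptions for the example. It flags SMB flows that should not exist and shows the weak configuration beside its hardened form.

```python
import ipaddress

# Constructed example data: nothing here comes from the CIS guide or a real network.
SMB_PORTS = {445, 139}          # SMB over TCP, plus the legacy NetBIOS session port
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for "the internet".
SAMPLE_FLOWS = [
    ("10.0.5.23", "10.0.1.10", 445, 120_000),     # workstation -> internal file server
    ("198.51.100.14", "10.0.1.10", 445, 900),     # internet -> internal share
    ("10.0.5.40", "203.0.113.9", 445, 4_096),     # internal host -> share on the internet
    ("10.0.5.41", "10.0.1.10", 139, 512),         # legacy NetBIOS session port in use
    ("10.0.5.42", "10.0.1.10", 443, 3_000),       # not SMB at all
]

# Constructed host settings. Keys mirror Get-SmbServerConfiguration property names;
# the values are invented for the weak and hardened cases.
WEAK_SMB_CONFIG = {"EnableSMB1Protocol": True, "RequireSecuritySignature": False, "EncryptData": False}
HARDENED_SMB_CONFIG = {"EnableSMB1Protocol": False, "RequireSecuritySignature": True, "EncryptData": True}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src: str, dst: str, dport: int):
    """Tag SMB flows that the network-level mitigation says should not exist; None otherwise."""
    if dport not in SMB_PORTS:
        return None
    src_in, dst_in = is_internal(src), is_internal(dst)
    if not src_in and dst_in:
        return "INBOUND_SMB_FROM_INTERNET"      # a share is reachable from outside the perimeter
    if src_in and not dst_in:
        return "OUTBOUND_SMB_TO_INTERNET"       # clients should never speak SMB to external hosts
    if dport == 139:
        return "LEGACY_NETBIOS_SMB"             # NetBIOS transport still in use internally
    return None                                 # internal SMB over 445: expected traffic


def audit_flows(flows):
    """Run the classifier over flow records and keep only the flagged ones."""
    findings = []
    for src, dst, dport, _nbytes in flows:
        tag = classify_flow(src, dst, dport)
        if tag:
            findings.append((tag, src, dst, dport))
    return findings


def audit_host_config(cfg: dict):
    """Check a server's SMB settings and name the guide's mitigation each finding falls under."""
    findings = []
    # A missing key is treated as the insecure default, so an incomplete export cannot pass.
    if cfg.get("EnableSMB1Protocol", True):
        findings.append(("SMB1_ENABLED", "Restrict and Protect SMB at the Host Level"))
    if not cfg.get("RequireSecuritySignature", False):
        findings.append(("SIGNING_NOT_REQUIRED", "Use Secure Authentication Methods for SMB"))
    if not cfg.get("EncryptData", False):
        findings.append(("ENCRYPTION_OFF", "Protect Data and Use Encryption for SMB"))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print("network:", finding)
    for finding in audit_host_config(WEAK_SMB_CONFIG):
        print("host:", finding)
    print("hardened host findings:", audit_host_config(HARDENED_SMB_CONFIG))
```

Feeding real flow exports into `audit_flows` only requires adapting the tuple layout; the useful property is that ordinary internal SMB over 445 produces no output, so anything that does appear is worth a look.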
Valecia Stocchetti is a Senior Cybersecurity Engineer for the CIS Controls at the Center for Internet Security. Stocchetti comes to CIS from the eCommerce field where she worked complex financial fraud cases. She is a graduate from the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Stocchetti worked in the MS- and EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements for the MS- and EI-ISAC SLTT community. In her current role, she works with various attack models and data, including the MITRE ATT&CK framework, to help validate and prioritize the CIS Controls. Stocchetti holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC). While she enjoys all things InfoSec, she particularly finds the cybercrime and espionage fields fascinating, which is what led her to this career in the first place.
CIS Community Defense Model v2.0 – Coming to a Computer Near You: Summer 2021 Building off v1.0, CIS Community Defense Model v2.0 will illustrate how the security recommendations contained in the CIS Controls mitigate against various attack types. By Valecia Stocchetti Changes and advances in technology (and changes in workplace circumstances) have prompted a revamp of the CIS Community Defense Model (CDM). Set to go live in a few months, the new and improved CIS CDM v2.0 plays off of the foundational principles that made v1.0 so great! While the first version primarily leveraged two well-known industry resources – the 2019 Verizon Data Breach Investigations Report (DBIR) and the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework v6.3 – the updated version uses those sources (2020 Verizon DBIR and MITRE ATT&CK Framework v8.2) along with other national and international threat reports in an effort to better validate the findings.
CIS CDM v1.0 Findings: Mitigating Attack Techniques
The findings in v1.0 show that the CIS Controls – a prioritized and prescriptive set of Safeguards that mitigate the most common cyber-attacks against systems and networks – are effective at mitigating approximately 83% of all the ATT&CK Techniques, and more specifically 90% of the ransomware ATT&CK Techniques identified in the framework. CIS CDM v1.0 demonstrates the effectiveness of the CIS Controls v7.1 – and the three Implementation Groups (IGs) – against a variety of other attack techniques:
Malware: Implementing IG1 (basic cyber hygiene) of the CIS Controls can mitigate 79% of ATT&CK Techniques in the malware attack pattern.
Insider Privilege & Misuse: 100% of the techniques can be defended against by properly implementing the CIS Safeguards in IG1.
Web-Application Hacking: 100% of instances of web-application hacking techniques can be defended against by implementing all of the CIS Controls.
Targeted Intrusion: 80% of targeted intrusion techniques can be defended against by implementing all of the CIS Controls.
Improving Security Mappings: v1.0 vs. v2.0
For CIS CDM v1.0, CIS created a master mapping between ATT&CK Mitigations and CIS Safeguards (formerly known as Sub-Controls), identifying the security function. Using the Verizon DBIR, CIS then identified the top five attack types: Web-Application Hacking, Insider and Privilege Misuse, Malware, Ransomware, and Targeted Intrusions. An attack pattern, comprised of a specific set of ATT&CK Techniques, was then created for each attack type. The master mapping was then used to map each attack pattern back to the CIS Safeguards, identifying the security value each CIS Safeguard provided against the ATT&CK Techniques. In order to improve the fidelity of v2.0’s mapping, CIS made some improvements:
Mapping down to the ATT&CK Technique & Sub-Technique level
Only including the specific ATT&CK Techniques & Sub-Techniques within the ATT&CK Mitigations that can be mitigated or detected by implementing a CIS Safeguard
Using additional well-known industry resources to derive attack pattern mappings for each attack type
Community Defense Model v2.0 Findings
Drum roll please...v2.0 shows that—wait, did you really think we’d give the results away right now?!
Stay tuned; CIS CDM v2.0 is coming to a computer near you this summer! We’re very excited to provide you with this valuable and unique resource once again, and to finally share our findings. While you’re waiting on the big reveal, join the CIS Community Defense Model Community to learn more and to get involved.
Valecia Stocchetti is a Senior Cybersecurity Engineer for the CIS Controls at the Center for Internet Security. Stocchetti comes to CIS from the eCommerce field where she worked complex financial fraud cases. She is a graduate from the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Stocchetti worked in the MS- and EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements for the MS- and EI-ISAC SLTT community. In her current role, she works with various attack models and data, including the MITRE ATT&CK framework, to help validate and prioritize the CIS Controls. Stocchetti holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC). While she enjoys all things InfoSec, she particularly finds the cybercrime and espionage fields fascinating, which is what led her to this career in the first place.
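The difference between the v1.0 and v2.0 mapping approaches described above is easiest to see as two scoring functions run over the same attack pattern: v1.0 credits a Safeguard with every technique under any ATT&CK Mitigation it maps to, while v2.0 credits it only with the specific techniques and sub-techniques it actually mitigates. The Python below is an added illustration written for this page, not CIS's CDM methodology or data. The technique and mitigation identifiers are real ATT&CK IDs, but which Safeguards map to them, the IG assignments, and the attack pattern are all constructed, and the Safeguard numbers are placeholders shaped like CIS Safeguard IDs. It reproduces the two methods and reports coverage by Implementation Group so the fidelity change shows up as a number.

```python
# Two ways of scoring how well a set of Safeguards covers an attack pattern, modelled on
# the v1.0 and v2.0 approaches the article describes. All mapping data is constructed:
# technique/mitigation IDs are real ATT&CK identifiers, but the Safeguard mappings are
# invented for illustration and are not CIS's master mapping.

def parent(technique_id: str) -> str:
    """'T1566.001' -> 'T1566'. ATT&CK v6.3 had no sub-techniques, so v1.0 scores at this level."""
    return technique_id.split(".")[0]


# ATT&CK Mitigation -> techniques it addresses (constructed subset, parent level).
MITIGATION_TO_TECHNIQUES = {
    "M1017": {"T1566", "T1204"},     # User Training
    "M1032": {"T1078", "T1110"},     # Multi-factor Authentication
    "M1049": {"T1566", "T1204"},     # Antivirus/Antimalware
}

# v1.0-style master mapping: Mitigation -> Safeguards (placeholder Safeguard IDs).
MITIGATION_TO_SAFEGUARDS = {"M1017": {"14.1", "14.2"}, "M1032": {"6.3", "6.5"}, "M1049": {"10.1"}}

# v2.0-style mapping: Safeguard -> only the (sub-)techniques it actually mitigates (constructed).
SAFEGUARD_TO_TECHNIQUES = {
    "14.1": {"T1566.001", "T1566.002"},
    "14.2": {"T1566.001", "T1204"},
    "6.3": {"T1078", "T1078.004"},
    "6.5": {"T1110"},
    "10.1": {"T1204.002"},
}
SAFEGUARD_IG = {"14.1": 1, "14.2": 1, "6.3": 1, "6.5": 2, "10.1": 1}   # constructed IG assignment

# Constructed attack pattern: the (sub-)techniques making up one attack type.
ATTACK_PATTERN = {"T1566.001", "T1566.002", "T1078.004", "T1110", "T1204.002", "T1059", "T1190"}


def safeguards_in_scope(ig: int) -> set:
    """Safeguards an organization at this Implementation Group is expected to have in place."""
    return {s for s, g in SAFEGUARD_IG.items() if g <= ig}


def v1_covered(pattern: set, ig: int) -> set:
    """v1.0 rule: a technique counts if any Mitigation listing its parent has a Safeguard in scope."""
    in_scope = safeguards_in_scope(ig)
    parents = set()
    for mitigation, safeguards in MITIGATION_TO_SAFEGUARDS.items():
        if safeguards & in_scope:
            parents |= MITIGATION_TO_TECHNIQUES[mitigation]
    return {t for t in pattern if parent(t) in parents}


def v2_covered(pattern: set, ig: int) -> set:
    """v2.0 rule: a technique counts only if an in-scope Safeguard maps to that exact (sub-)technique."""
    techniques = set()
    for safeguard in safeguards_in_scope(ig):
        techniques |= SAFEGUARD_TO_TECHNIQUES.get(safeguard, set())
    return pattern & techniques


def coverage_percent(covered: set, pattern: set) -> float:
    return round(100 * len(covered) / len(pattern), 1)


def coverage_report(pattern: set) -> dict:
    """Percent of the pattern mitigated under each method, for IG1 through IG3."""
    return {
        (method, ig): coverage_percent(fn(pattern, ig), pattern)
        for method, fn in (("v1", v1_covered), ("v2", v2_covered))
        for ig in (1, 2, 3)
    }


if __name__ == "__main__":
    for (method, ig), pct in sorted(coverage_report(ATTACK_PATTERN).items()):
        print(f"{method} IG{ig}: {pct}% of techniques mitigated")
```

With this data the v1.0 rule credits T1110 (Brute Force) at IG1 because the MFA Mitigation has some IG1 Safeguard, while the v2.0 rule withholds that credit until the Safeguard actually mapped to T1110 arrives at IG2; that is the fidelity gain the article describes, and it is why the two methods are not expected to produce the same percentages.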
Cyberside Chat This Quarter's Topic: Reflecting on the Progress of the CIS Controls By Sean Atkinson, Chief Information Security Officer, CIS As we see the release of Version 8 of the CIS Controls, I wanted to reflect on the updates and progress I have seen across the Controls since my first experience with their implementation, when they were in their fifth iteration. The progress within the world of technology and its application to the digitization of business processes and practices provides an impetus for all control frameworks to continually adjust their posture to maintain a minimum baseline. The CIS Controls are constantly being monitored and adjusted to meet this evolution in businesses and technologies. With Version 8, there is consolidation and new emphasis provided. We have seen promotions of Controls and the famous Top 20 shifting to become 18 Controls. In my early days of audit and IT compliance, I struggled with alignment and implementation of a repeatable process for other control frameworks. Some are designed to provide guidance through advising and non-prescriptive measures, while others are overtly prescriptive and have firm requirements. It was then that I happened upon the CIS Controls. I found I was now able to translate and map other control frameworks into actionable controls that brought auditability and repeatability from an operations perspective. The newest version has provided some excellent updates. The one I specifically focus on from an internal perspective with respect to CIS is “Data.”
Specifically, data protection and the need to provide and justify the controls we have with respect to the data sets managed within the organization and throughout the business units. I am happy to see data being aligned with the inventory of systems and software as a critical element for managing risk within an organization. The volunteer community has done an excellent job again with recommendations and consolidation of Controls into discrete sets of actionable requirements for organizations based on the Implementation Groups (IGs), first seen in Version 7.1, enabling organizations to align their information security programs, whether it is beginning with IG1 or more mature organizations with IG2 and IG3, for sustainability and continuous improvement. The need for continuous evaluation and improvement is indicative of the updates seen in CIS Controls v8 aligning new capabilities and controls from a cloud, mobile, and remote work perspective. These changes align to new initiatives seen in the market and modern IT infrastructures. A common sentiment is that cybersecurity is a journey and not a destination, therefore being able to continually assess and manage the need to implement controls that align with continuously evolving work practices and the ability to map control frameworks with those practices is especially important. The community feedback and utilization of the CIS Controls is extremely valuable. This enables CIS, and you as the community, to contribute to future best practices. This highlights the collaboration efforts of the community to provide best practices and methods of implementation and sustainability for auditable and repeatable practices within organizations. Thanks to all who contribute; you make mapping the cybersecurity journey much easier to follow.
ISAC Update The ISAC 2nd quarter story is a good one – new milestones hit, service adoption at a furious pace, and our K-12 outreach is paying big dividends. Let’s talk about a milestone first: On May 19 at 1:30 PM, the MS-ISAC onboarded Orland School District 135 in Illinois as our official 11,000th member. A small school district covering the Village of Orland Park and serving 500 K-8 students through 10 schools, Orland School District represents exactly what the MS-ISAC excels at: helping those small organizations that don’t have the support to fight this battle on their own. We aren’t just about the small entities either. Our Malicious Domain Blocking and Reporting (MDBR) service and Healthcare MDBR are protecting entire states and major hospital systems, respectively, and we are pushing hard to expand these services to as many organizations as we possibly can. In that vein, the pilot portion of MDBR has come to an end and we're proud to announce this service is fully funded through 2022! Last quarter, we introduced our Virtual Service Reviews (VSR). They have become an unqualified success with over 80 completed to date, and many more scheduled. A quick recap of the service: These quick 30-40 minute meetings allow our members to reacquaint themselves with their current service levels, make adjustments as needed, and take advantage of any offerings they haven’t utilized previously. It is the perfect “tune-up” for your MS- or EI-ISAC membership. If you are interested in scheduling a Virtual Service Review and taking a look under the hood of your membership with our team, please reach out to info@msisac.org. While elections have taken a bit of a back burner, rest assured that the EI-ISAC is working hard to not only help protect this critical infrastructure, but also promoting membership and taking every opportunity to inform and educate the elections community. The 2020 Nationwide Cybersecurity Review (NCSR)
saw another year of high participation with a total of 2,934 participants across the state, local, tribal, or territory (SLTT) community. The NCSR is a no-cost, anonymous self-assessment, available to any SLTT organization. The NCSR allows an organization to develop a cybersecurity posture benchmark and receive customized reports to understand their cybersecurity maturity. On May 1, we began using LogicManager, a user-friendly Governance, Risk, and Compliance (GRC) platform, to support the NCSR. This platform includes new features to help end-users evaluate their cybersecurity maturity. All previous NCSR participants can now log in at https://cis.my.logicmanager.com/ and view their current and historical assessment details.
In addition, two new resources have been created for MS-ISAC members and NCSR participants: First Steps Within a Cybersecurity Program, a brief guide that provides actions that can be implemented to establish and improve an organization’s cybersecurity program, and MS-ISAC Risk Assessment Guide, a guide from the MS-ISAC Metrics Workgroup that provides steps on how to leverage NCSR responses to perform a risk assessment. These resources (and many more!) can be found at https://www.cisecurity.org/ms-isac/services/ncsr/. We are gearing up for another successful year for the NCSR. The 2021 NCSR will open October 1. All new participants can register now at https://www.cisecurity.org/ms-isac/services/ncsr/.
The MS- and EI-ISAC is a constantly evolving and vibrant organization and we welcome your feedback on how we can better serve our member organizations. Please feel free to reach out to me directly with your ideas and thoughts at paul.hoffman@cisecurity.org. Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to your SLTT colleagues (and now private hospitals). We are stronger and more connected than ever before!
Upcoming Events

July

July 7: Virtual Cyber Security Summit: St. Louis/Oklahoma City will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. CIS CISO Sean Atkinson will lead panel discussions on insider threats and ransomware. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/stlouisokc21/.

July 9 – 12: The National Association of Counties (NACo) will be hosting the NACo Annual Conference and Exposition at the Gaylord National Resort and Convention Center in National Harbor, Maryland. County leaders from across the U.S. will convene to adopt positions on federal policies and exchange solutions to challenges facing their communities. A representative from the MS-ISAC will lead a session on security in hybrid work environments, and our team will be at Booth 319 meeting with attendees and discussing the resources available from the MS-ISAC and CIS. Learn more at https://www.naco.org/events/2021-naco-annual-conference.

July 12 – 15: The Florida Local Government Information Systems Association (FLGISA) will host its FLGISA 2021 Annual Conference at the Hilton Orlando Bonnet Creek in Orlando. The event will bring together local government technology professionals from across the state to network and learn about the latest technologies and trends. MS-ISAC Senior Program Specialist Kyle Bryans will speak at the event, leading a session on no-cost cybersecurity resources. Learn more at https://www.flgisa.org/events/.

July 14: Virtual Cyber Security Summit: Detroit will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/detroit21/.

July 21: Virtual Cyber Security Summit: DC Metro will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. CIS CISO Sean Atkinson will lead a panel discussion covering insider threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/dcmetro21/.

July 29 – 31: The 84th Louisiana Municipal Association (LMA) Annual Convention will take place at Raising Cane's River Center in Baton Rouge, Louisiana. The event will bring together local government professionals from across the state to learn about the latest issues concerning their communities. MS-ISAC Program Specialist Michelle Nolan will lead a session on cybersecurity resources for local governments. Learn more at https://www.lma.org/LMA/Events/Annual_Convention/Convention/Home_2021.aspx.
August

August 9 – 13: The Healthcare Information and Management Systems Society (HIMSS) Global Health Conference & Exhibition will take place across the Caesars Forum Conference Center, Venetian-Sands Expo Center, and Wynn – Encore Resort in Las Vegas. Health care professionals from around the globe will come together to connect for education, innovation, and collaboration. CIS EVP of Operations and Security Services Ed Mattison will be speaking on the floor of the Cybersecurity Command Center, and the CIS team will be meeting with attendees and discussing our resources for healthcare organizations at Booth C365. Learn more at https://www.himss.org/global-conference.

August 22 – 25: GMIS International will be hosting its 50th GMIS MEETS at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. The conference will bring together public sector IT leaders and professionals from across the country to network, exchange ideas, and learn the latest from industry experts. MS-ISAC Program Specialist Michelle Nolan will speak at the event, leading a session on cybersecurity resources for SLTT governments. Learn more at https://www.gmis.org/page/2021homepage.

August 22 – 27: The Maryland Association of Elections Officials (MAEO) will host the 2021 MAEO Annual Conference at the Clarion Resort Fontainebleau Hotel in Ocean City, Maryland. The event will bring together the state's election leaders to network and learn about the latest industry topics and trends. EI-ISAC Senior Program Specialist Paul Jones will speak at the event, leading a session on EI-ISAC membership and available resources. Learn more at https://maeo.net/annual-conference/.

August 24 – 25: AWS re:Inforce will take place at the George R. Brown Convention Center in Houston. Attendees will come together for content about AWS products and services, a keynote featuring AWS Security leadership, lessons on improving their cloud security posture, and direct access to experts who can help solve their biggest security challenges. The CIS team will be at our booth, meeting with attendees and discussing our resources for AWS users. Learn more at https://reinforce.awsevents.com/.

August 24: Virtual Cyber Security Summit: Chicago will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/chicago21/.
August 29 – September 1: The Annual Georgia Association of Voter Registration and Election Officials (GAVREO) Conference will take place at the Jekyll Island Convention Center in Jekyll Island, Georgia. The event is designed to improve election administration and voter registration among municipal, county, and state election officials. The EI-ISAC team will be at the event to educate attendees about the no-cost cybersecurity resources available to elections entities. Learn more at https://cviog.uga.edu/training-and-education/conferences/electionsofficials-and-voter-registrars.html.
September

September 16: Virtual Cyber Security Summit: Miami will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/miami21/.

September 19 – 22: The 2021 Alabama Leaders in Education Technology (ALET) Fall Symposium will take place at the Perdido Beach Resort in Orange Beach, Alabama. The event will bring together the state's education IT leaders and professionals to network, collaborate, and gain insights on the latest industry trends. MS-ISAC Program Specialist Michelle Nolan will lead a session on no-cost cybersecurity resources for K-12 school districts. Learn more at https://goalet.org/2021-fall-symposium/.

September 22 – 24: The 2021 League of California Cities Annual Conference and Expo will take place at the SAFE Credit Union Convention Center in Sacramento, California. The event will bring together leaders from the state's municipalities to network and discuss the latest issues facing their citizens. MS-ISAC Senior Program Specialist Brendan Montagne will speak at the event, discussing MS-ISAC membership and available resources. Learn more at https://www.cacities.org/Education-Events/Annual-Conference.
Copyright © 2021 Center for Internet Security, Inc., All rights reserved.
Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.880.0699