Cybersecurity Quarterly (Winter 2021) by Cybersecurity Quarterly

Cybersecurity Quarterly

Winter 2021

A Publication from

Using Consensus to Bring Focus to the Most Critical Elements of Cybersecurity Working Together to Make Security Operations Less Complicated Integrating the CIS Critical Security Controls v8 Further Into Our Ecosystem of Resources

Stronger Together Defending against an onslaught of cyber-attacks alone is an impossible task. That's why we strive to foster a diverse community of cybersecurity professionals that can lean on their collective knowledge and cooperate to defend us all

Cybersecurity Quarterly

Expand your defense-in-depth strategy Security event analysis and notification LEARN MORE

Winter 2021

Contents

Featured Articles

The Power of Community Bringing together the collective knowledge of the cybersecurity community to make our connected world a safer place

What's in a Name? CIS Critical 12 Security Controls Our renewed focus on why using consensusbased best practices is critical to security Open Cybersecurity Alliance: Solving 14 the Security Interoperability Challenge How the cybersecurity community is working together to solve its biggest challenges Introducing v2.0 of the CIS Community Defense Model Our new guide to help design, implement, and improve your cybersecurity program

Cyber Hygiene: It's Not Just Recommended; It's Essential Why some of the simplest steps in security are also some of the most important

CIS Risk Assessment Method for the 22 CIS Critical Security Controls v8 Our revamped guide to assess your cyber risk and implement our security best practices Quarterly Regulars

Winter 2021 Volume 5 Issue 4 Founded MMXVII Editor-in-Chief Michael Mineconzo Supervising Editor Laura MacGregor Copy Editor Autum Pylant

Staff Contributors Sean Atkinson Paul Hoffman Carlos Kizzee Phyllis Lee Josh Moulin Tony Sager Valecia Stocchetti

Quarterly Update with John Gilligan

News Bits & Bytes

Cyberside Chat

ISAC Update

Event Calendar

Cybersecurity Quarterly is published and distributed in March, June, September, and December. Published by Center for Internet Security 31 Tech Valley Drive East Greenbush, New York 12061 For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460 Copyright © 2021 Center for Internet Security. All rights reserved.

Cybersecurity Quarterly

Quarterly Update

with John Gilligan

“It is well understood that defeating cyber threats requires cooperation among many operating as partners.” Welcome to the Winter Issue of Cybersecurity Quarterly. One year ago, we were grappling with the SolarWinds supply chain attack. Unfortunately, as we approach the end of 2021, we have a new and potentially more dangerous vulnerability in the Apache logging library application Log4j (or Log4Shell). While the vulnerabilities of SolarWinds and Log4j are technically quite different, they have some similar characteristics. Both are leveraging vulnerabilities to gain access to potentially all data and system resources. What will make the Log4j vulnerability difficult to deal with is the fact that this open-source tool is routinely embedded in many applications by developers; in some cases, unbeknownst to the user. It looks like we are in for another long cybersecurity winter! The theme for this quarter’s issue is appropriately ‘community.’ It is well understood that defeating cyber threats requires cooperation among many operating as partners. Chris Inglis, our new White House National Cyber Director, espouses this objective: “to defeat us, you must defeat all of us.” Chris is referring to the power of individuals and organizations collaborating to both thwart cyberattacks, as well as improve the cyber resilience of our systems and networks. Two articles in this issue address the power and benefits of the Multi-State and the Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) as community organizations. Carlos Kizzee, CIS's VP of Stakeholder Engagement, discusses ways that ISAC members can benefit from and get involved to fully leverage the ISAC communities, as well as CIS communities. In addition, Paul Hoffman, Director of Partnerships, highlights the recent achievement of surpassing 12,000 members in the MS-ISAC community. Valecia Stocchetti of the CIS Security Best Practices team has provided a pair of articles. The first introduces the CIS Community Defense Model (CDM)

v2.0. The CDM is an effort led by Valecia that provides a formal and granular assessment of the CIS Critical Security Controls, as well as the Implementation Groups, against known cyber threats. Valecia also provides a separate article on the recently-released CIS Risk Assessment Methodology (CIS RAM) v2.0. CIS RAM was developed in partnership with a number of organizations, including the primary author HALOCK Security Labs, to provide a robust risk assessment methodology that aligns with the CIS Controls. Our Chief Evangelist, Tony Sager, discusses the evolution of the Controls and rationale behind the recent naming change back to ‘CIS Critical Security Controls.’ Tony has also provided a companion article describing the benefits of “Essential Cyber Hygiene” (Implementation Group 1 of CIS Controls v8) and some background on the global community that has guided their development over the years. The Open Cybersecurity Alliance has contributed a piece on their community’s mission to increase interoperability across the security industry through common resources. The article describes some of their recent initiatives, as well as information on how individuals can get involved with the organization. Finally, our CISO, Sean Atkinson, addresses building collaborative trust between internal teams and external security assessment teams to develop effective security programs. His article reflects the recent experiences from CIS’s efforts to achieve SOC2 Type 2 Certification. I hope that you enjoy this quarter’s issue and have a great holiday season! Best Regards,

John M. Gilligan President & Chief Executive Officer Center for Internet Security

Winter 2021

Cybersecurity Quarterly

News Bits & Bytes Alan Paller, an icon of the cybersecurity industry, passed away on November 9. Many knew Paller as the founder of the SANS Institute, the world’s leading teacher of cybersecurity skills. At CIS, Paller was one of our Founders, a member of our Board of Directors, and a strong personal presence in any discussion about the current work and the future of CIS. In large part, our work reflects his vision, as well as his style of operation: an independent, mission-driven, nonprofit organization that gathers a large collaborative community – where collaboration means to take on real problems, produce real work, and generate measurable progress. At CIS, we are proud to be part of his legacy, working with our own world-wide community to develop, share, and use proven security practices, and also helping to find and develop the generation to come. Our full remembrance of Paller can be read here. The Nationwide Cybersecurity Review (NCSR) is open until February 28, 2022. The NCSR is a nocost, anonymous, annual self-assessment designed to measure gaps and capabilities of state, local, tribal, and territorial (SLTT) governments’ cybersecurity programs. The NCSR evaluates cybersecurity maturity across the nation while providing actionable feedback and metrics directly to individual respondents. All states (and agencies), local governments (and departments), tribal nations, and territorial governments are encouraged to participate. All new participants can register now at https://www.cisecurity.org/msisac/services/ncsr/. For questions about the NCSR, please reach out at ncsr@cisecurity.org. The Center for Internet Security (CIS) recently announced three new additions to lead its elections security efforts. Former Pennsylvania Secretary of State Kathy Boockvar will head the

CIS elections security mission as the Vice President of Election Operations and Support. Kentucky State Board of Elections Executive Director Jared Dearing will serve as the Senior Director of Elections Security. Longstanding South Carolina Elections Director Marci Andino will assume a leadership role as the Director of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Boockvar, Dearing, and Andino will look to improve and expand the resources CIS provides to support the needs of the elections community through security best practices tailored for the unique nature of elections security and information sharing and cybersecurity tools offered through the EIISAC. Learn more in our recent press release. CIS Critical Security Controls v8 was just released in May of this year. Regardless of your architecture — cloud, hybrid, or on-premise, v8 will help you with your cybersecurity program. Many of you may also rely on MSPs for some of your services. If you are an MSP, rely on one, or want to learn how Controls v8 applies to you, listen to The CyberCast, a new podcast series co-hosted by Phyllis Lee, CIS Senior Director of the Controls, that helps makes security controls easy at https://www.thecybercast.com/. We are pleased to announce the release of the Azure Security Benchmark (ASB) v3 with mappings to the CIS Critical Security Controls (CIS Controls) v8. The ASB includes high-impact security guidance to mitigate against high priority threats. While the ASB is specific to Azure, this mapping shows the applicability of CIS Controls v8 to an enterprise’s cybersecurity program regardless of architecture. If your architecture is cloud-based, on-premise or hybrid, the CIS Controls will work for you! Learn more and download the Benchmark here.

The Most Trusted Source for Information Security Training, Certification, and2021 Research Winter

CIS & SANS Institute

Information Security Training Partnership SANS Institute partners with the Center for Internet Security (CIS) to provide its top-rated information security training and awareness programs to State, Local, Tribal, and Territorial (SLTT) Government organizations at significantly reduced costs. Leverage this special partnership to ensure that your employees have the skills and experience necessary to protect your critical organization from cyber threats. Program participants may purchase:

More than 45 of SANS most popular hands-on courses are available OnDemand, or live, online via Live Online.

Use SANS Security Awareness to train and test non-technical staff on email, file storage, digital access, and general data security.

Purchase training during the Winter Aggregate Buy window to receive the best pricing of the year. Discounts are available December 1, 2021 through January 31, 2022. Contact partnership@sans.org, or visit www.sans.org/partnerships/cis for more information.

Cybersecurity Quarterly

The Power of Community

When the cybersecurity community comes together to share resources and defense strategies, we all become more secure, better protected organizations By Carlos P. Kizzee Community is more than just the numerical addition and aggregation of disparate elements. Community involves the alignment of those elements along common interests to collectively identify and achieve mutually beneficial outcomes. The most beneficial and valuable outcomes that are needed tend to be complex, multi-faceted problems that cannot be resolved by individual impacted entities. The power of community is in its ability to consistently multiply value collectively so that 1+1 consistently produces something much greater than 2, and the quality and fidelity of that output increases exponentially as the community improves. Historically, community has been an essential element in the success of every major culture. Every significant cultural achievement of mankind reflects both the power and the value of community. The more complex the problem, the greater the need and benefit of an efficiently engaged collective. Cyber bad guys have figured out the value of sharing infrastructure and collaborating to share vulnerable targets and exploited threat attack data. It only makes sense that we should do the same and lean on the power of community to defend against their attacks. CIS as a security organization offers a host of capabilities that greatly shift the balance of power

The power of community is in its ability to consistently multiply value collectively so that 1+1 consistently produces something much greater than 2, and the quality and fidelity of that output increases exponentially as the community improves. in the threat equation. In creating, deploying, and sustaining those capabilities, we too leverage the power of community, doing so for the collective good of the connected world. CIS aligns a community of thousands of cybersecurity experts who collectively oversee over a hundred configuration guidelines that enable systems to be safeguarded from ever-changing threats. The CIS Benchmarks are consensusdeveloped security configurations, each maintained by its own community. Additionally, CIS aligns hundreds of information technology security professionals in the CIS Critical Security Controls Community. Together within this community, they create and maintain the CIS Critical Security Controls (CIS Controls); a core set of prioritized cybersecurity best practices that enable an implementing

Winter 2021

organization to roadmap an effective cybersecurity program and achieve measurable security maturity. The resulting impact on security of these two communities embody the power of community. CIS oversees both the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) as two of the twentyplus nationally recognized Information Sharing and Analysis Centers (ISACs) in the United States. Both of these ISACs represent communities of public sector critical infrastructure operators responsible for some of the Nation’s most essential and widely depended upon infrastructure. The value proposition of the MS-ISAC and EI-ISAC lies in their ability to successfully align a diverse base membership of over 12,000 state, local, tribal, and territorial entities into communities; enabling both a deeper understanding of the threat landscape and the tactics of threat actors targeting them, and the collective identification and coordinated application of best practice solutions to detect and mitigate those threats. The MS- and EI-ISAC value proposition is sustained by an active threat intelligence and incident response infrastructure that benefits from the collective knowledge of shared threat activity, and the outputs of active collaboration among participants in a threat intelligence environment that sees an average monthly sharing of over 40,000 indicators. Of these 40,000+ indicators, an average of 2,000 per month are novel indicators, enabling the tracking of over 5,000 campaigns a month and the tracking of over 400 threats per month that are specifically targeting the SLTT community. These are more than numbers. Each of these statistics represent the ability to prevent, detect, and timely respond to threats that simply would not be possible without the power of community. In addition to enabling an environment for highly effective analytical collaboration, both ISACs maintain committees and working groups providing members with trusted and focused peer-to-peer collaboration on contemporary and critical topics of common interest. These communities are able to

So what? Why should you care? What does this mean to you? Absolutely nothing if you don’t BELONG. identify and publish best practices and provide collaborative environments where members are able to collectively develop solutions and to maintain services and capabilities, like the Metrics Working Group does for the Nationwide Cybersecurity Review (NCSR) assessment capability that benefits the security maturity of peer ISAC members, as well as the broader base of the SLTT community. Whether it is active participation in peer working groups like the K-12 Working Group, or it is in collectively serving to generate or actively leveraging and benefiting from the growing list of table top exercises published by the Business Resilience Working Group, ISAC membership provides many opportunities for collaboration and is a free and valuable arrow in the quiver of public sector entities that reflects the power of community. So what? Why should you care? What does this mean to you? Absolutely nothing if you don’t BELONG. Communities are like gym memberships…they are best and most effective when you participate. If you are looking for a resolution to carry you forward in the CIS community here are a few next steps for you: If you aren’t an MS- or EI-ISAC member, or you know someone who isn’t but should be, take the step to get in touch to learn more via https://learn. cisecurity.org/contact-us, or sign up to join the MS-ISAC at https://learn.cisecurity.org/ms-isacregistration or the EI-ISAC at https://learn.cisecurity. org/ei-isac-registration. If you are an ISAC member, connect with your ISAC Member Engagement Teams via info@ msisac.org or elections@cisecurity.org to set up an engagement to discuss who you are, what you have, where you are going, and to let them help to align you with the specific capabilities and services available that best fit your requirements.

Cybersecurity Quarterly

Look into being a part of the solution by joining one of the CIS community-driven activities like the CIS Benchmarks or CIS Critical Security Controls Community via https://www.cisecurity.org/ communities/. Join an existing working group or reach out to the MS-ISAC to query about forming a new working group or peer community group in the new year. Share your interest with the Member Engagement Team via info@msisac.org or contact your membership account manager directly for assistance. Register to be or to connect with a mentor in the ISAC Mentoring Program currently in (re) development. This is a GREAT opportunity for you to mature, make a difference, and impact the future of cybersecurity. Look for information in the new year, or reach out via info@msisac.org or contact your membership account manager directly for more information. Last, but by no means least, SAVE THE DATE and plan to attend the 15th Annual MS-ISAC and EIISAC Annual Meeting with almost 1,000 of your peers. Next year’s Annual Meeting will be held at the Hilton Baltimore Inner Harbor in Baltimore, Maryland on August 7 – 10, 2022. Your attendance will ensure that you can fulfill the annual meeting’s theme of “Connect, Secure, and Mature” to further enjoy and prove the power of community (and maybe catch an Orioles game across the street). Have a safe, healthy, and happy holiday season and make sure that you do all that you can to promote and enjoy the power of community in your cybersecurity efforts! Carlos P. Kizzee is the Vice President of Stakeholder Engagement of the Center for Internet Security’s (CIS) Multi-State Information Sharing and Analysis Center (MS-ISAC). Previously, Kizzee served with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) as Vice President of Intelligence, building and supporting retail and hospitality industry security collaboration; and with Defense Security Information Exchange as Executive

Director, promoting threat intelligence sharing and collaboration within the defense industrial base and actively supporting the development and establishment of the National Defense ISAC. Prior to those roles, Kizzee served as the Vice-President for Multi-Sector Initiatives for CIS, and within the U.S. Department of Homeland Security (DHS) as the Deputy Director, Stakeholder Engagement and Cyber Infrastructure Resilience Division, and the Program Manager for a Joint Program Office implementing key operational information sharing and information sharing support program activities associated with public-private threat information sharing, collaboration, and automation. Kizzee also served within DHS as the Director of Strategic Cyber Initiatives for the Critical Infrastructure and Cyber Protection Branch of the National Cyber Security Division, Counsel for the National Operations Center, Senior Counsel for Infrastructure Protection, and as a Senior Attorney-Advisor for the DHS Office of General Counsel, General Law Division. Kizzee is a graduate of the United States Naval Academy and served as a career Marine Corps Officer. He received a Juris Doctorate from the Georgetown University Law Center, and a Master of Laws from the Judge Advocate General’s School of the Army at the University of Virginia’s School of Law.

Winter 2021

Get Visibility and Control of Your Endpoints Make sure your team can ﬁnd unknown endpoints and close visibility gaps. Get a complimentary gap assessment today, available to CIS members. LEARN HOW

Real-Time Visibility

Comprehensive Control

Rapid Response

Cybersecurity Quarterly

What's in a Name? CIS Critical Security Controls Our consensus-based security best practices remain the same, but with a new name that emphasizes their core goal: identifying the most critical actions to secure your enterprise By Tony Sager The conversation that eventually led to the CIS Critical Security Controls started with a series of observations and questions, and a simple idea. At the time, I was at the National Security Agency (NSA) leading a defensive organization dedicated to the discovery and analysis of vulnerabilities in technology and operational systems – likely the largest such organization in the U.S. government. This gave me the opportunity to see security flaws at scale, whether we found them, or the attackers found them for us. What I observed was that we kept finding the same problems over and over again, in every domain. What was going on? By then (the mid-2000s), even NSA openly shared security guidance with the public (starting in June 2001), part of a public-private wave of excellent defensive guidance, tools, training, threat intelligence, and frameworks. But I also observed that despite all of these defensive resources, most people were more overwhelmed than empowered. The most frequent question I heard was “what do I do first?” This led to a simple meeting to gather answers for that simple question. To do that, more questions had to be asked: How does an enterprise get started on cyber defense? What are the most important, foundational steps

I observed that despite all of these defensive resources, most people were more overwhelmed than empowered. The most frequent question I heard was “what do I do first?” that everyone should take, based on our experience of testing systems and studying attackers? I reiterated that we CANNOT try to solve the entire cybersecurity problem in one meeting or with one list! The output of that meeting was a two-page letter that went to some friends in the U.S. government, with this simple advice: if you don’t know how to get started, here’s our best advice for the most important things you need to get started on. A short letter soon turned into a large-scale community-supported volunteer project, led by the Center for Strategic and International Studies. The original project was formally known as “20 Most Important Controls for Continuous Cyber Security Enforcement: the Consensus Audit Guidelines.” When it later moved to the SANS Institute for ongoing support, it was eventually titled “Critical Controls for Effective Cyber Defense,” with most people referring to it as the “SANS Top 20.”

Winter 2021

By version five, I had retired from NSA and took over the project, standardizing the name as “The Critical Security Controls for Effective Cyber Defense,” soon finding a permanent home at the Center for Internet Security (CIS). As we integrated this work into a more complete portfolio of Security Best Practices along with the CIS Benchmarks, we also simplified the naming and branding to “CIS Controls.” Throughout the multiple versions and the variations in naming, we never lost sight of the guiding principles that started this conversation and this movement. While there are thousands of things that an enterprise could do to defend itself, what are the most important, most CRITICAL things that everyone should do to get started, based on what attackers are doing? After a lot of feedback and a lot of discussion, we’ve decided to reemphasize those guiding principles by formalizing the name of the project as the “CIS Critical Security Controls,” while shortening it to the “CIS Controls” after the first mention. I must mention that we do the same with our organization’s name. At first mention, we are the Center for Internet Security, and subsequently, we are CIS. This lets us state more clearly what we are trying to do, and helps put our work in the context of the myriad of security frameworks across the industry. We don’t try to compete with all of those comprehensive, formal, or legal schemes. Instead, we bring focus and priority to any enterprise security improvement program – especially for those companies that cannot do it themselves – in a way that is consistent with and mapped to all of them. You may see us referred to as the CIS Critical Security Controls, CIS Controls, or even just the Controls, and we'll answer to any of those names. While the name is important, and the formal name is the CIS Critical Security Controls, what they do is most important: they provide a prioritized and prescriptive path to improve an enterprise's cybersecurity posture. We’re changing our wording in another area as well. Previously, we decided to bring some rigor to the notion of “cyber hygiene,” one of the most-used, least-defined phrases in the industry, by formalizing Implementation Group 1 of the CIS Controls as

While the name is important, what they do is most important: they provide a prioritized and prescriptive path to improve an enterprise's cybersecurity posture. “basic cyber hygiene.” We didn’t quite hit the mark with “basic,” which some interpreted as “easy.” From now on we’ll refer to Implementation Group 1 as “essential cyber hygiene,” which more accurately reflects the importance of these foundational defensive actions. Essential cyber hygiene (IG1) represents an emerging minimum standard of information security for all enterprises, and is the on-ramp to the CIS Critical Security Controls. As always, we view our work at CIS as keepers of your trust. We are not a distant, intellectual thinktank or large agency. Your needs and your input drive every CIS decision and product, and we are proud of our work, and mindful of our responsibility to the community. Tony Sager is a Senior Vice President and Chief Evangelist for CIS. He leads the development of the CIS Critical Security Controls, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of the CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’s independent world-wide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. Sager retired from the National Security Agency (NSA) in 2012 after 34 years as a mathematician, computer scientist, and executive manager. One of the Agency’s first software vulnerability analysts, he led the System & Network Attack Center, the NSA’s first defensive network security analysis organization. In 2001, Sager led the release of NSA security guidance to the public. He also expanded the NSA’s role in the development of open standards for security. Sager also founded the Vulnerability Analysis & Operations Group, the NSA's top technical organization in defensive analysis.

Cybersecurity Quarterly

Open Cybersecurity Alliance: Solving the Security Interoperability Challenge The open-source community is looking to solve one of the biggest security challenges organizations face today: ensuring their tools can integrate with each other seamlessly By Anshul Garg, RoseAnn Guttierrez, and Dee Schur Most security teams use several security tools to manage the security infrastructure within their organization. Each tool was acquired to solve a specific problem. Each tool added to the environment poses a different challenge. Almost 50% of newly acquired security tools require individually coded integrations. How bad is it? Most large security teams are equally represented by analysts and integrators. It takes a lot of time and effort to implement a tool properly. Along with installation, testing, tuning, patching, and compliance, the tool needs to be incorporated into your environment and processes. Ideally, you would also train your team to use the new tool. These activities take time and attention away from security tasks and can significantly reduce your team’s effectiveness.

Analysts like Forrester and 451 Research have reported on security tool sprawl in the past few years, noting that as many as 40% of organizations admit that their development teams are so overwhelmed by security alerts that they can’t respond to at least 25% of them. 14

Then, there is the issue of the increasing numbers of security products or tool sprawl, which adds to security complexity. While tool unmanageability doesn’t happen overnight, it slowly creeps in with every addition of a new solution. Gathering information across multiple tools and disparate data sources takes time, and time is a precious commodity especially in your SOC where seconds matter. Instead of fixing a problem, businesses suddenly have added orchestration complications. Tool proliferation is a well-documented concern. Analysts like Forrester and 451 Research have reported on security tool sprawl in the past few years, noting that as many as 40% of organizations admit that their development teams are so overwhelmed by security alerts that they can’t respond to at least 25% of them. The main repercussions that businesses will experience with multiple point solutions is excessive costs and less effective threat responses. This is a two-pronged issue. Not only is tool integration demanding, but tool proliferation also exacerbates the problem. Most often, the security teams have functioned as the human glue to stitch disparate tools together. The security ecosystem of today needs to look at better ways to work together and to stop working in silos. The Open Cybersecurity Alliance (OCA) was formed to supply answers to these vexing obstacles.

Winter 2021

Open Cybersecurity Alliance The Open Cybersecurity Alliance (OCA) is an opensource community with the mission of increasing interoperability across the security industry by developing and promoting sets of common code, tooling, patterns, and practices so that cybersecurity tools can share data. The OCA, formed under the auspices of OASIS Open, aims to foster collaboration between vendors, public and private organizations, and security practitioners to drive security interoperability. Open Cybersecurity Alliance is building an open ecosystem where cybersecurity products interoperate without the need for customized integrations. Using community-developed standards and practices, OCA is simplifying integration across the threat lifecycle. In a recent blog on top technology trends, Gartner refers to a cybersecurity mesh architecture, which aligns closely with the work underway in OCA. This open collaboration has the potential to greatly improve the AS-IS ecosystem with products that can seamlessly interoperate with one another. This would reduce the time it takes to integrate

new tools. It would also create an opportunity for security teams to be more efficient, businesses to get more Return on Investment (ROI) on tools they already have, and the opportunity for improved products, features, and services – helping drive the outcome of an even stronger security posture.

Current OCA Projects Open Cybersecurity Alliance is building an open ecosystem where cybersecurity products interoperate without the need for customized integrations. Using community-developed standards and practices, OCA is simplifying integration across the threat lifecycle. Some of the community's most recent projects can be seen in the above graphic.

Who Should Get Involved? Developers and cyber specialists from the public and private sector, corporate supporters, and technology consumers all have a voice in shaping the future of security and driving interoperability between security tools.

Cybersecurity Quarterly

How You Benefit from Joining the OCA

community accomplish its mission.

Simply put, you will reduce costs by reducing the complexity of architecting and deploying everincreasing cyber solutions.

Join us on Slack: https://join.slack.com/t/ open-cybersecurity/shared_invite/zt-ojjqlwvpUFG32P5VzIdEMsjSc2iYlQ

Unlike industry-specific platforms for sharing threat data, OCA is uniquely focused on product interoperability, with benefits for the entire cybersecurity community. Unlike vendor partner alliances, OCA is a collaborative community with open governance. OCA is working on projects that span key conversations happening in the security industry, including Zero Trust, Extended Detection and Response (XDR), and more.

Join the various project and discussion lists: https://lists.oasis-open-projects.org/g/oca

As Jon Olstik recently pointed out in his blog for CSO, "openness is critical!" Look at the OCA projects that interest you and get involved. We need your help to change and create the data formats and standards we all will leverage to improve the security ecosystem. You can use the following links to learn more about how to get involved with OCA and help the

For more information on sponsorship opportunities, contact dee.schur@oasis-open.org The above article was a collaborative piece composed by the following Open Cybersecurity Alliance (OCA) community leaders: Anshul Garg, Senior Product Marketing Manager for IBM Security; RoseAnn Guttierrez, Technical Enablement Specialist for IBM Security Business Development Technical Alliance Program (TAP); and Dee Schur, Senior Manager, Development & Advocacy for OASIS Open.

peString(r.FormValue("target")), count); }); http.HandleFunc("/status",func(w http.ResponseWrit lChannel <- reqChan;timeout := time.After(time.Second); select { case result := <- reqChan: if "INACTIVE"); }; return; case <- timeout: fmt.Fprint(w, "TIMEOUT");}}); log.Fatal(http.ListenAnd Winter 2021 tml"; "log"; "net/http"; "strconv"; "strings"; "time" ); type ControlMessage struct { Target st han ControlMessage);workerCompleteChan := make(chan bool); statusPollChannel := make(chan chan usPollChannel); for { select { case respChan := <- statusPollChannel: respChan <- workerActive; f(msg, workerCompleteChan); case status := <- workerCompleteChan: workerActive = status; }}}; f bool) {http.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request) { hostTokens := rconv.ParseInt(r.FormValue("count"), 10, 64); if err != nil { fmt.Fprintf(w, err.Error()); retu t"), Count: count}; cc <- msg; fmt.Fprintf(w, "Control message issued for Target %s, count %d", HandleFunc("/status",func(w http.ResponseWriter, r *http.Request) { reqChan := make(chan bool); Second); select { case result := <- reqChan: if result { fmt.Fprint(w, "ACTIVE"); } else { fmt. t(w, "TIMEOUT");}}); log.Fatal(http.ListenAndServe(":1337", nil)); };package main; import ( "fm ; "time" ); type ControlMessage struct { Target string; Count int64; }; func main() { controlCh make(chan bool); statusPollChannel := make(chan chan bool); workerActive := false;go admin(con Chan := <- statusPollChannel: respChan <- workerActive; case msg := <-controlChannel: workerAct us := <- workerCompleteChan: workerActive = status; }}}; func admin(cc chan ControlMessage, sta min", func(w http.ResponseWriter, r *http.Request) { hostTokens := strings.Split(r.Host, ":"); ("count"), 10, 64); if err != nil { fmt.Fprintf(w, err.Error()); return; }; msg := ControlMessa mt.Fprintf(w, "Control message issued for Target %s, count %d", html.EscapeString(r.FormValue(" tp.ResponseWriter, r *http.Request) { reqChan := make(chan bool); statusPollChannel <- reqChan; <- reqChan: if result { fmt.Fprint(w, "ACTIVE"); } else { fmt.Fprint(w, "INACTIVE"); }; return (http.ListenAndServe(":1337", nil)); };package main; import ( "fmt"; "html"; "log"; "net/http"; ct { Target string; Count int64; }; func main() { controlChannel := make(chan ControlMessage);w = make(chan chan bool); workerActive := false;go admin(controlChannel, statusPollChannel); for <- workerActive; case msg := <-controlChannel: workerActive = true; go doStuff(msg, workerCompl ive = status; }}}; func admin(cc chan ControlMessage, statusPollChannel chan chan bool) {http.H uest) { hostTokens := strings.Split(r.Host, ":"); r.ParseForm(); count, err := strconv.ParseInt tf(w, err.Error()); return; }; msg := ControlMessage{Target: r.FormValue("target"), Count: coun r Target %s, count %d", html.EscapeString(r.FormValue("target")), count); }); http.HandleFunc(" reqChan := make(chan bool); statusPollChannel <- reqChan;timeout := time.After(time.Second); se t(w, "ACTIVE"); } else { fmt.Fprint(w, "INACTIVE"); }; return; case <- timeout: fmt.Fprint(w, " 337", nil)); };package main; import ( "fmt"; "html"; "log"; "net/http"; "strconv"; "strings"; " ount int64; }; func main() { controlChannel := make(chan ControlMessage);workerCompleteChan := ); workerActive := false;go admin(controlChannel, statusPollChannel); for { select { case respC e msg := <-controlChannel: workerActive = true; go doStuff(msg, workerCompleteChan); case statu admin(cc chan ControlMessage, statusPollChannel chan chan bool) {http.HandleFunc("/admin", fun trings.Split(r.Host, ":"); r.ParseForm(); count, err := strconv.ParseInt(r.FormValue("count"), eturn; }; msg := ControlMessage{Target: r.FormValue("target"), Count: count}; cc <- msg; fmt.Fp , html.EscapeString(r.FormValue("target")), count); }); http.HandleFunc("/status",func(w http.R bool); statusPollChannel <- reqChan;timeout := time.After(time.Second); select { case result : fmt.Fprint(w, "INACTIVE"); }; return; case <- timeout: fmt.Fprint(w, "TIMEOUT");}}); log.Fatal( "fmt"; "html"; "log"; "net/http"; "strconv"; "strings"; "time" ); type ControlMessage struct { el := make(chan ControlMessage);workerCompleteChan := make(chan bool); statusPollChannel := mak annel, statusPollChannel); for { select { case respChan := <- statusPollChannel: respChan <- wo ue; go doStuff(msg, workerCompleteChan); case status := <- workerCompleteChan: workerActive = s lChannel chan chan bool) {http.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request rm(); count, err := strconv.ParseInt(r.FormValue("count"), 10, 64); if err != nil { fmt.Fprintf et: r.FormValue("target"), Count: count}; cc <- msg; fmt.Fprintf(w, "Control message issued for t")), count); }); http.HandleFunc("/status",func(w http.ResponseWriter, r *http.Request) { reqC imeout := time.After(time.Second); select { case result := <- reqChan: if result { fmt.Fprint(w ase <- timeout: fmt.Fprint(w, "TIMEOUT");}}); log.Fatal(http.ListenAndServe(":1337", nil)); };p "; "strconv"; "strings"; "time" ); type ControlMessage struct { Target string; Count int64; }; ge);workerCompleteChan := make(chan bool); statusPollChannel := make(chan chan bool); workerAct for { select { case respChan := <- statusPollChannel: respChan <- workerActive; case msg := <workerCompleteChan); case status := <- workerCompleteChan: workerActive = status; }}}; func ad ) {http.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request) { hostTokens := strin arseInt(r.FormValue("count"), 10, 64); if err != nil { fmt.Fprintf(w, err.Error()); return; }; 17 unt: count}; cc <- msg; fmt.Fprintf(w, "Control message issued for Target %s, count %d", html.E leFunc("/status",func(w http.ResponseWriter, r *http.Request) { reqChan := make(chan bool); sta

Advanced Threats. Maximum Protection.

Ensure users and devices can safely connect from anywhere, with industry-leading protection.

Proactively identify, block, and mitigate targeted threats, including zero-day attacks, malware, and phishing.

See Why

Cybersecurity Quarterly

Introducing v2.0 of the CIS Community Defense Model Announcing the latest version of our guide illustrating how the CIS Critical Security Controls can help organizations defend against the most common cyber-attacks By Valecia Stocchetti The Center for Internet Security (CIS) Community Defense Model (CDM) v2.0 can be used to design, prioritize, implement, and improve an enterprise’s cybersecurity program. Enterprises naturally want to know how effective the CIS Critical Security Controls (CIS Controls) are against the most prevalent types of attacks. The CDM was created to help answer that and other questions about the value of the Controls based on currently available threat data from industry reports. This guide is the second edition of the CDM. The same security experts who help create the CIS Controls work with CIS to apply the CDM to current threat data. Enterprises that adopt the CIS Controls have repeatedly asked us to identify “What should we do first?” In response, the Controls Community sorted the Safeguards in the CIS Controls into three Implementation Groups (IGs) based on their difficulty and cost to implement. Implementation Group 1 (IG1), the group that is least costly and difficult to implement, is what we call essential cyber hygiene and are the Safeguards we assert that every enterprise should deploy. For enterprises that face more sophisticated attacks or that must protect more critical data or systems, these Safeguards also provide the foundation for the other two Implementation Groups (IG2 and IG3).

Backs up the CIS Controls with Real Data Our methodology is straightforward. The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework allows us to express any attack type as a set of attack techniques, which we refer to as attack patterns. For each of the five most prevalent attack types, we collect the corresponding attack patterns through analysis of industry threat data. We then track which Safeguards defend against each of the techniques found in those attack patterns. This methodology allows us to measure which Safeguards are most effective overall for defense across attack types. CDM v2.0 can be used by any enterprise to design, prioritize, implement, and improve its security program. Our work with the CIS Controls and ATT&CK framework, combined with using industry threat data to back our analysis, is the backbone of the CDM. We understand that not all enterprises will be able to perform this type of analysis on their own, which is why we created the CDM.

Where to Start? The CDM tells us that IG1 defends against the top five attacks. The CDM can also help an enterprise focus on which technical IG1 Safeguards are most effective in defending against specific attacks.

Winter 2021

We at CIS feel that this is a powerful approach to an enterprise’s risk management strategy. For CDM v2.0, the top five attack types are: Malware, Ransomware, Web Application Hacking, Insider Privilege and Misuse, and Targeted Intrusions. Our analysis found that, overall, implementing IG1 Safeguards defends against 77% of ATT&CK (sub-)techniques used across the top five attack types. That percentage goes up to 91% if all CIS Safeguards are implemented. These results strongly reinforce the value of a relatively small number of well-chosen and basic defensive steps (IG1) and also support IG1 as the preferred on-ramp to implementing the CIS Controls. We also found that CIS Safeguard 4.1 “Establish and Maintain a Secure Configuration Process” is most effective in defending against the top five attacks, reinforcing the importance of secure configurations, such as those contained within the CIS Benchmarks. Additionally, independent of any specific attack type, implementing IG1 Safeguards defends against 74% of ATT&CK (sub-)techniques in the MITRE ATT&CK framework, and implementation of all CIS Safeguards defends against 86% of ATT&CK (sub-) techniques in the framework. Since many ATT&CK (sub-)techniques are used across multiple attack types, we can extrapolate that the CIS Controls defend against more than the top five attacks mentioned in this guide. We also analyzed each attack type individually. As an example, our analysis determined that implementing IG1 Safeguards defends against 78% of Ransomware ATT&CK (sub-)techniques, and implementing all CIS Safeguards defends against 92% of those techniques. This is just the tip of the iceberg. This and other indepth analysis can be found in the CDM v2.0 guide.

What the Numbers Say Overall, our analysis provides us with three key findings: IG1 provides a viable defense against the top five attack types. Enterprises achieve a high level of protection and are well-positioned to

defend against the top five attack types through implementation of essential cyber hygiene, or IG1. These results strongly reinforce the value of a relatively small number of well-chosen and basic defensive steps (IG1). As such, enterprises should aim to start with IG1 to obtain the highest value and work up to IG2 and IG3, as appropriate. Independent of any specific attack type, the CIS Controls are effective at defending against a wide array of attacks. Specifically, the CIS Controls are effective at defending against 86% of the ATT&CK (sub-)techniques found in the ATT&CK framework. More importantly, the Controls are highly effective against the five attack types found in industry threat data. The bottom line is that the CIS Controls, and specifically IG1, are a robust foundation for your cyber security program. Establishing and maintaining a secure configuration process (CIS Safeguard 4.1) is a linchpin Safeguard for all five attack types. CIS Safeguard 4.1 is most effective in defending against the top five attack types, reinforcing the importance of secure configurations, such as those contained within the CIS Benchmarks. CDM v2.0 affirms the prioritization of the CIS Controls and Implementation Groups. In particular, CDM data backs the premise that all enterprises should start with essential cyber hygiene, or IG1, as a way to defend against the top five attacks. Valecia Stocchetti is a Senior Cybersecurity Engineer for the Center for Internet Security (CIS). Stocchetti came to CIS from the eCommerce field, where she worked complex financial fraud cases. She is a graduate of the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Stocchetti worked in the MS- and EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements. In her current role, she works with various attack models and data, including the MITRE ATT&CK framework, to help validate and prioritize the CIS Controls. Stocchetti holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC).

Cybersecurity Quarterly

Cyber Hygiene: It's Not Just Recommended; It's Essential When it comes to developing a plan to make your organization more secure, implementing straight-forward, foundational practices can often be the most effective By Tony Sager The term “cyber hygiene” has been around for at least a couple of decades, and is usually attributed to Vint Cerf. The earliest I can remember using it in my presentations is around 2003 or 2004. The general notion is that a lack of good cyber hygiene is at the heart of most cyber-attacks.

Why Cyber-Attacks Are Successful Simple enough, but there’s an important idea in here. Study after study, and test after test gives us the same depressing result. Almost all successful attacks take advantage of conditions that could reasonably be described as “poor hygiene” including: Failure to patch known vulnerabilities Poor configuration management Inefficient management of administrative privilege

Study after study, and test after test gives us the same depressing result. Almost all successful attacks take advantage of conditions that could reasonably be described as “poor hygiene.” 20

This does not mean that system operators and users are lazy or don’t care. At CIS, we attribute these failures primarily to the complexity of modern systems management, as well as a noisy and confusing environment of technology, marketplace claims, and oversight/regulation (“The Fog of More”). Defenders are just overwhelmed. Therefore, any large-scale security improvement program needs a way to bring focus and attention to the most effective and fundamental things that need to be done.

Basic Cyber Hygiene is Essential We do this at CIS by moving “cyber hygiene” from a notion or tagline into a campaign of specific actions, supported by a complementary market ecosystem of content, tools, training, and services. We’ve recently codified our definition of “essential cyber hygiene” as consisting of the Safeguards found in Implementation Group 1 (IG1) of the CIS Critical Security Controls (CIS Controls). A concrete definition can be used to specify tools that can be used to implement the actions, measurements to track progress or maturity, and reporting that can be used to manage an enterprise improvement program. And in today’s environment of shared technology, linked by complex business

Winter 2021

Cybersecurity defenders...just want a way to focus on positive, constructive action. This is a core principle of what CIS brings to the community: a volunteer-driven approach to share ideas and labor, to focus on the most important things we need to do, and to help us all get there.

relationships and hidden dependencies, this approach provides a specific way to negotiate “trust” and an “expectation” of security. (Are you a safe partner to bring into my supply chain? Can I count on this merchant to safely hold my financial information?) This approach way is better than paper surveys or inconsistent interpretation of abstract security requirements. Our recent release of the CIS Community Defense Model v2.0 also provides the technical underpinning for that declaration. IG1 is not just another list of good things to do; it’s an essential set of steps that helps all enterprises deal with the most common types of attacks we see in real life.

Community and Cyber Defense Cybersecurity defenders are already flooded with information about attackers, vulnerabilities, and malware. But, as with public health, most don’t have the time, expertise, or interest to read the latest research. They just want a way to focus on positive, constructive action. This is a core principle of what CIS brings to the community: a volunteer-driven approach to share ideas and labor, to focus on the most important things we need to do, and to help us all get there.

Tony Sager is a Senior Vice President and Chief Evangelist for CIS. He leads the development of the CIS Critical Security Controls, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of the CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’s independent world-wide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. Sager retired from the National Security Agency (NSA) in 2012 after 34 years as a mathematician, computer scientist, and executive manager. One of the Agency’s first software vulnerability analysts, he led the System & Network Attack Center, the NSA’s first defensive network security analysis organization. In 2001, Sager led the release of NSA security guidance to the public. He also expanded the NSA’s role in the development of open standards for security. Sager also founded the Vulnerability Analysis & Operations Group, the NSA's top technical organization in defensive analysis.

Learn more about how you can assess and remediate your implementation of the CIS Controls using the tools and resources available as part of a CIS SecureSuite Membership.

Cybersecurity Quarterly

CIS Risk Assessment Method v2.0 for CIS Critical Security Controls v8 Announcing the latest version of our free tool to help organizations assess their cyber risk, prioritize their action plan, and implement our security best practices By Valecia Stocchetti Risk assessments are valuable tools for understanding the threats enterprises face, allowing them to organize a strategy and build better resiliency and business continuity, all before a disaster occurs. Preparation is key – after all, the worst time to plan for a disaster is during a disaster. The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM helps enterprises define their acceptable level of risk, and then manage that risk after implementation of the Controls. Few enterprises can apply all Controls to all environments and information assets. Some Controls offer effective security, but at the cost of necessary efficiency, collaboration, utility, productivity, or available funds and resources. When enterprises conduct a cyber risk assessment for the first time, it can be challenging to know where to start. CIS RAM is a powerful, free tool to guide the prioritization and implementation of the CIS Controls, and to complement an enterprise’s technical credibility with a sound business risk-decision process. It is also designed to be consistent with more formal security frameworks and their associated risk assessment

When enterprises conduct a cyber risk assessment for the first time, it can be challenging to know where to start. CIS RAM is a powerful, free tool to guide the prioritization and implementation of the CIS Controls, and to complement an enterprise’s technical credibility with a sound business risk-decision process. methods. Most importantly, CIS RAM lets enterprises of varying security capabilities navigate the balance between implementing security controls, risks, and enterprise needs.

CIS RAM Can Help Your Enterprise Demonstrate “Due Care” If you experience a breach and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonableness.” Enterprises must use safeguards to ensure that risk is reasonable to the enterprise and appropriate to other interested parties at the time of the breach. CIS RAM provides a method

Winter 2021

to “draw a line” at an enterprise’s acceptable risk definition, with risks below the line adhering to “due care,” and risks above the line requiring risk treatment. At the core of CIS RAM is the Duty of Care Risk (DoCRA) methodology, which allows enterprises to weigh the risks of not implementing the controls and its potential burden on the enterprise. CIS RAM helps you answer questions like: 1. What are my enterprise’s risks? 2. What constitutes “due care” or “reasonableness?” 3. How much security is enough?

What’s New for CIS RAM v2.0 CIS RAM is made up of a family of documents, with CIS RAM Core at the foundation of it all. CIS RAM Core is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM. It is also useful for enterprises and cybersecurity practitioners who are experienced at assessing risk, and who are able to quickly adopt RAM’s principles and practices for their environment. As previously mentioned, CIS RAM uses DoCRA, which presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create a “universal translator” for these disciplines. The standard includes three principles and 10 practices

that guide risk assessors in developing this universal translator for their enterprise. And now, CIS RAM v2.0 helps enterprises estimate the likelihood of security incidents by using data about real world cybersecurity incidents. We have evolved our thinking about threat likelihood so instead of asking, “how likely is it that this risk will occur,” we now ask, “when a security incident occurs, what is the most likely way it will happen here?” CIS RAM now uses data from the Veris Community Database to help each enterprise automatically estimate that likelihood by comparing the real-world incident data to the resilience of their deployment of each CIS Safeguard. CIS RAM v2.0 provides three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups: IG1, IG2, and IG3. One document for each Implementation Group will be the anchors in the CIS RAM family and will be available for both v8 and v7.1 of the CIS Critical Security Controls. Each document will have a workbook with a corresponding guide. The first of many documents in the CIS RAM v2.0 family, CIS RAM v2.0 for Implementation Group 1 and CIS RAM v2.0 for Implementation Group 1 Workbook are now available for download and will help enterprises in IG1 to build their cybersecurity program. These IG1 documents automate much of the risk assessment process so that enterprises with little or no cybersecurity expertise can become aware of their risks, and know which to address first. All CIS RAM documents have material to help readers accomplish their risk assessments, and include the following: examples, templates, exercises, background material, and further guidance on risk analysis techniques. We are actively working on CIS RAM v2.0 for IG2 and IG3.

The CIS RAM Core Process CIS RAM Core risk assessments involve the following activities: Developing the Risk Assessment Criteria and Risk Acceptance Criteria: Establish and define the criteria for evaluating and accepting risk.

Cybersecurity Quarterly

Modeling the Risks: Evaluate current implementations of the CIS Safeguards that would prevent or detect foreseeable threats. Evaluating the Risks: Estimate the likelihood and impact of security breaches to arrive at the risk score, then determine whether identified risks are acceptable. Recommending CIS Safeguards: Propose CIS Safeguards that would reduce unacceptable risks.

Taking the Next Step

Evaluating Recommended CIS Safeguards: Riskanalyze the recommended CIS Safeguards to ensure that they pose acceptably low risks without creating an undue burden.

Ready to conduct a cyber risk assessment? Download CIS RAM for step-by-step processes, example walkthroughs, and more. It’s free for any organization to use to conduct a cyber risk assessment.

Enterprises that use CIS RAM and CIS RAM Core can then develop a plan, as well as expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets.

CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.

Valecia Stocchetti is a Senior Cybersecurity Engineer for the Center for Internet Security (CIS). Stocchetti came to CIS from the eCommerce field, where she worked complex financial fraud cases. She is a graduate of the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Stocchetti worked in the MS- and EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements. In her current role, she works with various attack models and data, including the MITRE ATT&CK framework, to help validate and prioritize the CIS Controls. Stocchetti holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC).

Winter 2021

Cyberside Chat This Quarter's Topic: Building Collaborative Trust with External Security Assessment Teams By Sean Atkinson, Chief Information Security Officer, CIS Building an information security and risk management program requires careful and deliberate attention to threats, change management, integration of best practices, and continued due diligence. Once a program is established and internally viewed as effective, a number of approaches can be taken to understand gaps or opportunities for continuous improvement. Effectiveness can be accomplished a number of ways, including self-assessment, internal audit, or external review. It is here that I want to address the external assessment and the mentality some organizations may have with respect to external assessors. As with many organizations, the utility of external assessment provides validation of both the implementation and effectiveness of security controls. The field work or assessment period is a time of stress and making sure curated evidence is gathered, processed, and delivered timely. It is also the time where feedback to the external security assessment or penetration testing team can be used to build collaborative approaches to testing internal and external infrastructure. From an internal perspective, where your control program is being assessed, it can seem adversarial; an "us vs. them" mentality for how these assessment progress. It can often take on such a persona due to the underlying principles that are at play. If the resulting assessment is to get a certificate or checkbox audit completed with minimal findings, then this is aligning to a compliance program rather than security. The adage that I would like to express is that this is the time you need to challenge the organization to provide less restrictions on what is provided both in scope and resources to external assessors.

As an example, if an external penetration testing team is assessing your environment, do you keep them at the external perimeter and require they break through as part of the assessment scope? This is a good and a viable task. At the same time, would you allow the teams inside the network so they have access beyond the first layer of control to perform an assessment? Would you repeat this same idea into other segmented parts of your network? The reasons for allowing such access is reliance on a single control or security mechanism is not really testing resiliency. At each layer of defense within an enterprise, the assessment should define some level of scope to determine the effectiveness of the depth of control. Ultimately, findings across these layers can be calculated based on the number of controls that would need to be bypassed as a likelihood risk score. If we as a community are not utilizing the skills and capabilities of external teams to our greatest advantage, we are doing a disservice to ourselves, our co-workers, and stakeholders. If the external assessment used is a grading system and the scope is so limited it is in the favor of successfully being compliant, you have missed an opportunity to determine a true security posture. Adversaries do not limit their scope to determine organizational resiliency. If you are not testing across layers of defense the eventual failure of one of those layers could ultimately undermine a nicely curated compliance program and expose the fact that a security program is nonexistent. Collaboration is key to finding security vulnerabilities and gaps within an organization. Working with external teams to determine an effective scope of security will ultimately make organizations more resilient and engaged with external assessors to find the weaknesses and work with them to determine sustainable remediation.

Cybersecurity Quarterly

ISAC Update Happy Holidays! The MS-ISAC Fourth Quarter saw yet another milestone. On October 29, the city of Brigantine, New Jersey became our 12,000th member! The month of October was notable for being National Cybersecurity Awareness Month (NCSAM). The culmination of weeks of planning, NCSAM sees the team traveling around the country to give presentations and educational seminars to help promote cyber safety and security across our SLTT membership. We also help SLTT government entities issue proclamations regarding cybersecurity in celebration of the event, and this year, we were able to get the Governors of all 56 U.S. states and territories to issue these proclamations! Of course, the work of the MS-ISAC isn’t just about celebration. We continue to offer our Virtual Service Reviews (VSRs) to the membership to help fine tune the services and benefits derived from being part of our organization. If you are interested in scheduling a Virtual Service Review and taking a look under the hood of your MS- or EI-ISAC membership with our team, please reach out to info@msisac.org. We also introduced a new offering this quarter: Endpoint Security Services (ESS). This new device-

level protection and response solution, provided in partnership with CrowdStrike, is an excellent way to protect your employees and devices in today's remote and hybrid work environment. If you are interested in learning more about this low-cost offering, please reach out to the CIS Services team at services@cisecurity.org. Not only has the EI-ISAC been hard at work helping to protect our nation’s critical elections infrastructure, but they also have been hard at work within that community, promoting membership and taking every opportunity to inform and educate the community at-large about cybersecurity in both the virtual and physical worlds. From election day situation rooms to newsletters and advisories, the EI-ISAC has garnered respect around the country. The MS- and EI-ISACs are membership-based organizations and work at the behest and to the benefit of our members. Our members define us and guide us and we thank you for all of your efforts! Become involved, volunteer for our working groups, make your thoughts known, tell us your concerns, and allow us to wield the power of over 12,000 SLTT communities, from the smallest school districts to the largest states, to benefit us all. Please feel free to reach out to me (paul.hoffman@ cisecurity.org) with your thoughts. They are always welcome. Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to your colleagues. We are stronger and more connected than ever before!

Winter 2021

Upcoming Events January January 19 – 20 The Learning Technology Center of Illinois will host its SecureED Schools K12 Data Privacy & Cybersecurity Conference virtually. K-12 administrators, technology leaders, and IT staff from around the state will come together to learn best practices, strategies, and tools. Attendees will participate in hands-on demonstrations, panel discussions, and presentations to improve the security posture of school districts. MS-ISAC Senior Program Specialist Michelle Nolan will lead a session on no-cost cybersecurity resources for K-12 schools, and CIS Senior Cybersecurity Engineer Aaron Piper will speak on assessing an organization's essential cyber hygiene. Learn more at https://ltcillinois.org/events/securedschools/.

February February 2 – 3 The Idaho Education Technology Association (IETA) will host the IETA 2022 Conference at the Boise Center in Boise, Idaho. The event will bring together K-12 staff, teachers, superintendents, technology directors, and education stakeholders from around the state to network and learn about the latest industry trends from subject matter experts. MSISAC Senior Program Specialist Brendan Montagne will lead a session on cybersecurity resources for K-12 schools. Learn more at https://ieta.events/. February 6 – 9 The 2022 Pennsylvania Educational Technology Expo and Conference (PETE&C) will take place at the Hershey Lodge in Hershey, Pennsylvania. The statewide event will provide quality programs focused on technology in the educational field for its vast audience of teachers, administrators, technology directors, school board members and more. MS-ISAC Senior Program Specialist Kyle Bryans will lead a hands-on workshop highlighting cybersecurity tools and resources available to the state's educational institutions. Learn more at https://www.peteandc.org/.

February 7 – 10 The 2022 RSA Conference will take place at the Moscone Center in San Francisco. The event will bring cybersecurity leaders and professionals from around the world together to gain insights, join conversations, and experience solutions that could make a huge impact on their organizations. The CIS team will be at Booth 4228 in the North Expo Hall, sharing our knowledge and resources with attendees. CIS Senior VP and Chief Evangelist Tony Sager will also speak at the event, co-leading a session on nonprofits' roles in the cybersecurity community, and joining a panel of experts to discuss using public policy to drive better security and measurable compliance standards. Learn more at https://www.rsaconference.com/usa. February 12 – 16 The National Association of Counties (NACo) will host its 2022 NACo Legislative Conference at the Washington Hilton in Washington, D.C. The event will bring together nearly 2,000 county officials to focus on federal policy issues that impact counties and their residents. Attendees will have the opportunity to engage in policy and educational sessions, interact with federal officials, and participate in congressional briefings and meetings. Learn more at https://www.naco. org/events/2022-naco-legislative-conference.

March March 14 – 16 The National League of Cities (NLC) will host its annual Congressional City Conference at the Marriott Marquis in Washington, D.C. The event will provide local leaders with the tools and connections to help build a brighter future for our nation’s cities, towns, and villages. Attendees will take part in an immersive program alongside administration officials, members of Congress, and fellow local elected officials to learn strategies to respond to the challenges facing America’s hometowns. Learn more at https://ccc.nlc.org/.

Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.266.3460