Cybersecurity Quarterly (Spring 2022)


Demystifying the Process of Securely Migrating to the Cloud

Our Guide to Help Bridge the Gap Between Security and Privacy

New Tool Updates to Help Assess and Manage Your Organization's Cyber Risk

Helping Smaller Government Entities Secure Their Endpoints on a Budget

A Multi-Layered Approach to Security: No single solution will offer you a foolproof line of defense. By implementing various technologies that cover each other's weaknesses, you can build an effective cyber defense strategy.





Contents

Spring 2022, Volume 6, Issue 1. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo
Supervising Editor: Laura MacGregor
Copy Editors: Jay Billington, David Bisson, Autum Pylant
Staff Contributors: Sean Atkinson, Jay Billington, Joshua Franklin, Paul Hoffman, Phyllis Lee, Walter McKay, Rylee Mowen, Aaron Piper, Robin Regnier, Thomas Sager, Valecia Stocchetti, Kim Watson

Featured Articles

Staying Secure When Migrating to the Cloud (p. 8): Insightful advice from our experts on how to move assets to the cloud securely.

Serving the Underserved: Helping SLTTs Strengthen Their Security Affordably (p. 12): Our new partnership to help smaller government organizations secure their endpoints and maximize their budgets.

Protecting Privacy Using the CIS Controls Privacy Guide (p. 14): Our new guide to bridge the gap between IT security controls and privacy principles.

CIS Risk Assessment Method v2.1 for CIS Critical Security Controls v8 (p. 16): Updates to our guide to assess cyber risk and implement our security best practices.

New Resources and Tools for Implementing the CIS Controls (p. 20): Fresh and updated tools and resources from the CIS Security Best Practices team.

Quarterly Regulars

Quarterly Update with John Gilligan (p. 4)
News Bits & Bytes (p. 6)
Cyberside Chat (p. 22)
ISAC Update (p. 24)
Event Calendar (p. 25)

Cybersecurity Quarterly is published and distributed in March, June, September, and December.

Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061. For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460.

Copyright © 2022 Center for Internet Security. All rights reserved.


Quarterly Update with John Gilligan

Welcome to the Spring Issue of Cybersecurity Quarterly. I am hopeful that spring will bring some relief from both COVID and the increasing number of significant cyber-attacks. Experience has taught us, however, that any respite might be temporary. Currently, U.S. organizations are bracing for a potential onslaught of attacks from Russia in response to sanctions imposed due to the invasion of Ukraine. Thus far, the situation has been viewed by many as the “calm before the likely storm.” By the time this issue of Cybersecurity Quarterly is published, perhaps the situation will have changed.

The theme for this quarter’s issue is layered security, exploiting the concept of defense-in-depth. This concept is not new, but has received additional attention with the recognition that multiple layers of cyber defenses are quite effective in defeating even sophisticated attacks. The concept of zero trust, which has been mandated for federal agencies by the White House, is based in large part on leveraging a layered defense architecture.

One of the articles in this issue highlights the security challenges and recommended solutions for addressing security in cloud environments. The article is styled in a Q&A format, leveraging the insights of some CIS experts in this area. The piece addresses migration to the cloud, security best practices for cloud implementations, and other key questions that have been raised by state, local, tribal, and territorial (SLTT) organizations. CIS’s Kim Watson and Walter McKay provide expert advice in response to the questions posed by CIS Communications Director Jay Billington.

Deborah Blyth, formerly with the State of Colorado and now with CrowdStrike, has put together a piece on the benefits of endpoint security. She explains the value provided in the new Endpoint Security Services (ESS) offered by CIS in partnership with CrowdStrike. Deborah also shares some insights from her former role as CISO for the State of Colorado.

There are several articles from the CIS Security Best Practices (SBP) team. Josh Franklin provides an overview of the CIS Controls Privacy Guide, a companion to the CIS Critical Security Controls that focuses on the important area of privacy. Valecia Stocchetti has provided an overview of the recently-updated CIS Risk Assessment Method (RAM) v2.1. This version of CIS RAM incorporates changes to reflect CIS Controls v8 released last summer, as well as some improvements to the risk assessment tools.

This issue also includes an article that summarizes some of the other new resources released by CIS in the past quarter. These new resources include the widely-used Microsoft Windows Management Instrumentation (WMI) Guide, the new course on CIS Controls v8 that is available on the Salesforce Trailhead platform, and new CIS Controls v8 mappings.

Paul Hoffman from the MS-ISAC team discusses the rapid growth of the ISAC community, now exceeding 13,000 members. Finally, our CISO, Sean Atkinson, provides his regular column. In this issue, he explains the importance and benefits of taking a layered approach to your security defenses.

I hope that you enjoy this quarter’s issue and have a great spring! Best Regards,

John M. Gilligan President & Chief Executive Officer Center for Internet Security





News Bits & Bytes

Since its discovery in December 2021, the Log4j vulnerability continues to be a major cyber threat for organizations around the world. Due to the widespread prevalence of Log4j, the high impact of an attack exploiting it, and evidence that malicious actors are actively targeting organizations with vulnerable versions of Log4j, CIS is encouraging all organizations to mitigate risk as soon as possible. Many vendors have already issued patches and provided recommendations on how to determine if an organization has been impacted by using their software. CIS has also launched the Log4j page on our website to provide more information to help you determine if your organization is at risk from this vulnerability and outline steps you can take to address the risks. Additional insights on the vulnerability from CIS CISO Sean Atkinson can also be found on our CISO Blog.

CIS has joined more than 100 other entities in support of a joint statement issued by the World Economic Forum that calls for a global baseline of security for internet-connected devices. The statement calls for manufacturers and vendors to identify and implement a set of security standards for Internet of Things (IoT) devices to help secure the digital future and ensure consumers around the world can rely on these devices securely. IoT devices, including smart TVs, watches, and home surveillance systems, already reside in most households around the world, and their presence will continue to grow as technology advances. These new products tend to lack adequate cyber protection because of the fast-paced evolution of modern information technologies. Read the full statement at https://cybertechaccord.org/industry-hackers-and-consumers-for-a-global-baseline-for-consumer-iot-security/.

CIS Senior Vice President and Chief Evangelist Tony Sager has been selected to serve as a member of the U.S. Department of Homeland Security's (DHS) new Cyber Safety Review Board (CSRB). DHS established the CSRB as directed in President Biden’s Executive Order 14028: Improving the Nation’s Cybersecurity. The CSRB is composed of 15 highly esteemed cybersecurity leaders from the Federal Government and the private sector, who will review and assess significant cyber events to better protect the nation’s digital infrastructure. Other members include Robert Silvers, DHS Undersecretary for Policy, who will serve as Chair, and Heather Adkins, Google’s Senior Director for Security Engineering, who will serve as Deputy Chair. As Sager states, “I am really excited to be a part of the amazing group of people that Cybersecurity and Infrastructure Security Agency (CISA) has assembled!” Learn more about the CSRB at https://www.cisa.gov/cyber-safety-review-board.

On February 23, CIS and over 20 other leading implementation-focused nonprofit cybersecurity organizations launched Nonprofit Cyber. The group is a global coalition of nonprofit organizations that are joining together to improve cybersecurity by developing, sharing, deploying, and increasing the awareness of cybersecurity best practices, tools, standards, and services. Nonprofit Cyber wants to build awareness of the work of cybersecurity nonprofits globally and align their work to achieve the greatest effect. “Our goal with Nonprofit Cyber is to collaboratively align our individual strengths into a collective force for good, taking positive action for the entire cyber ecosystem,” said CIS's Tony Sager, who is incoming co-chair of Nonprofit Cyber. There are 22 founding members of Nonprofit Cyber, including CIS, and the group welcomes others that work to implement best practices and solutions. Learn more about the organization at https://nonprofitcyber.org/.


CIS & SANS Institute Information Security Training Partnership

SANS Institute partners with the Center for Internet Security (CIS) to provide its top-rated information security training and awareness programs to State, Local, Tribal, and Territorial (SLTT) Government organizations at significantly reduced costs. Leverage this special partnership to ensure that your employees have the skills and experience necessary to protect your critical organization from cyber threats. Program participants may purchase:

More than 45 of SANS' most popular hands-on courses, available OnDemand or live online via Live Online.

SANS Security Awareness, to train and test non-technical staff on email, file storage, digital access, and general data security.

Purchase training during the Summer Aggregate Buy Window to receive the best pricing of the year. Discounts are available June 1, 2022 through July 31, 2022. Contact partnership@sans.org, or visit www.sans.org/partnerships/cis for more information.


Staying Secure When Migrating to the Cloud

A few of our in-house experts at CIS provide some key insights and advice for organizations considering a move to the cloud and how they can do so securely

By Jay Billington, Walter McKay, and Kim Watson

Migrating your organization to the cloud can be a daunting task, especially for state, local, tribal, and territorial (SLTT) organizations. The task becomes even more monumental when the security implications of moving your organization's data into the cloud come into play. To address some of these important concerns and provide some advice and guidance to our members, Jay Billington, Director of Communications for CIS, sat down with Kim Watson, Senior Program Advisor, and Walter McKay, Senior Director of Software Engineering and Data Analytics, to discuss the topic and how CIS and the MS-ISAC are working to support organizations, especially SLTTs, with best practices and resources as they make the transition to the cloud.

Jay Billington: What are some considerations for an SLTT organization considering a move to the cloud or currently implementing cloud security solutions?

Kim Watson: I think investing in cloud services today has become a lot like purchasing a car – where the decisions are about the right ownership model, vendor, and operating requirements and not whether or not you need access to a vehicle. Should you own, lease, or rent on occasion? How do you plan to use the vehicle? Under what conditions? Do you trust the person or company you are buying from? Can you afford to be wrong? In many ways, these are the same questions you need to ask yourself about migrating to the cloud or using cloud services. The best advice I can give to any organization making decisions about cloud investments is to first know yourself, and then find a trusted third-party to help match your options to your needs. Your operating model, business objectives, regulatory requirements, and resources are the critical factors in making an appropriate investment. Deciding what service and deployment models fit your operational profile and what vendor offerings meet your criteria is not easy, so use information and tools from sources you can trust. The Cloud Security Alliance (CSA) has the Security, Trust, Assurance, and Risk (STAR) program to help organizations make more informed decisions. CIS provides our CIS Hardened Images and supporting CIS Benchmarks for major cloud computing platforms, as well as best practice guides and ebooks on cloud security. Use these resources. Leverage the expertise and experience of others to make more informed and appropriate investments.

JB: There seems to be a lot of emphasis on cloud computing and cloud security. Is cloud security right for every organization?

KW: Only a few years ago, there was still a fairly significant debate about who should move to the cloud and under what conditions. I think the large investment in telework and exponential increase in digital service offerings, when compared against current cyber threats and the shortage of cybersecurity resources, has changed that conversation. It is no longer if you should migrate to the cloud, but what should you transition to these managed environments and under what conditions. I think it is safe to say that in today’s business landscape, cloud computing is somehow a part of every organization’s daily operations, whether they realize it or not. That makes cloud security an essential part of managing risk in every organization. Cloud security considerations need to be a conscious part of your business decisions, even if you decide certain cloud offerings and services are not appropriate for your operations.

JB: Which is more secure: protecting data in the cloud or on-site?

KW: This is one of the most common questions organizations ask about migrating to cloud services. Interestingly, the question is based on an operating model that no longer applies to most organizations. With the shift to bring your own device (BYOD), telework, remote collaboration, and increased business continuity/resilience requirements, the concept of data only living on-site is a bit of a fallacy. I think the more appropriate question in today’s world is “Who is more able to securely manage your data: you or the service provider?” There is no one right answer, since it depends on both the organization and the service provider. The unfortunate fact is that most organizations cannot adequately deploy or manage essential security controls or safeguards across their organization. Cloud and managed service providers are all about optimization and scale, creating the potential to improve an organization’s security posture as well as provide a business advantage. For this reason, I think all organizations need to identify what they do not do well from a security perspective and make that a consideration in any cloud investment decision.

JB: What are CIS’s future plans to provide more cloud security solutions to SLTTs?

Walter McKay: Today, CIS provides managed security service provider (MSSP) services to log, detect, and block cyber anomalies. CIS Endpoint Security Services (ESS) is a managed detection and response (MDR) solution we offer to SLTTs that provides robust detection, including asset discovery, vulnerability assessment, remediation prioritization support, role-based access control (RBAC) access to the vendor’s service portal, allow/deny list management, blocking rules tuning, endpoint, and file quarantine support. The CIS SOC and engineering team provides enrolled MS-ISAC members with first- and second-level support under this service. Although not a direct cloud product, it protects an organization’s endpoints that have cloud workloads. Albert in the Cloud is a new service that is starting to gain interest among the MS-ISAC. This service provides more of a secondary (and at times tertiary) detection support, due to the fact that many of the cloud workloads have inherent security products deployed. We work closely with cloud service providers to fit this layer of defense into the existing cloud infrastructure. The product has already been deployed in Azure and AWS environments successfully. Albert in the Cloud has been specifically designed for cloud workloads, and CIS will continue to evolve this exciting new offering for SLTTs.

JB: What are CIS’s future plans to provide more cloud security solutions to SLTTs?

WM: The network perimeter has forever changed with the emergence of the hybrid cloud environment. Proper cyber defense in this environment is a fast-moving target that demands a shift to support dynamically-moving data and applications to and from any and all of the following: public cloud, private cloud, and on-premises IT infrastructures. SLTT organizations need to access data from any location securely. This poses unique IT and cyber challenges. Protecting access, devices, and the Internet of Things (IoT) has become more challenging with this change in landscape. CIS is actively looking to develop and provide a zero-trust architecture (ZTA) to MS-ISAC member organizations in the form of an MSSP offering. ZTA is not a product itself, but a collection of principles that provide a security framework around user access to network applications and data. Those principles include assuming the network is hostile, replacing implicit trust with adaptive access, securing resources rather than the network, authenticating users and devices, encrypting and monitoring all traffic, and logging all interactions.

Secure access service edge (SASE) will be the foundation of this future MS-ISAC security offering from CIS. It will align with a zero-trust architecture and contain security capabilities tailored for the hybrid cloud environment. SASE has grown in demand due to the need for scalability, flexibility, and increased security in cloud and hybrid infrastructures. As our members’ environments transition from on-prem infrastructure to the cloud, we intend to provide a hybrid solution that will efficiently transition to the cloud. Building a SASE solution will provide the needed agility and efficiency to handle the demands of networks transitioning to the cloud.

Kimberly K. Watson is the Senior Program Advisor, Operations and Security Services at the Center for Internet Security (CIS) and has more than 30 years’ experience in information assurance, cybersecurity, and defensive cyber operations. Prior to joining CIS, she was the Technical Director for the Integrated Adaptive Cyber Defense (IACD) portfolio at the Johns Hopkins Applied Physics Laboratory. Watson was a technical leader at the Department of Homeland Security (DHS) from 2013-2015 and the National Security Agency (NSA) from 1987-2013. During her time at NSA, Watson specialized in vulnerability discovery, technology evaluation, and operational risk management.

Walter McKay is the Senior Director of Data Analytics and Engineering, Operations and Security Services at the Center for Internet Security (CIS), where he is responsible for software development, data analytics, hardware engineering, cloud management, product and service support, and evaluating technologies for use by state, local, tribal, and territorial (SLTT) members of the MS- and EI-ISAC. Prior to joining CIS, he was the Senior Development Manager for the New York State Health Exchange and the Senior Vice President of the Global Treasury Technology division of Bank of America. He has more than 20 years of experience in application development, infrastructure and networking technology, and technology leadership.




Serving the Underserved: Helping SLTTs Strengthen Their Security Affordably

Smaller governments often have to find balance between purchasing security resources and limited budgets; CIS and CrowdStrike are working together to help tip the scales

By Deborah Blyth

The State of Colorado has benefited from a long-standing relationship with the Multi-State Information Sharing and Analysis Center (MS-ISAC), and we’ve happily used and promoted many of the tools and resources they make available. Our security strategy was based on the Center for Internet Security (CIS) Critical Security Controls, our systems were hardened to CIS Benchmarks, and working with local governments in Colorado, we created and published a chart of resources that are available from CIS and the MS-ISAC to help secure local government entities. However, the value of that relationship became personal to me in 2018 when Colorado suffered a ransomware event that took down the Colorado Department of Transportation (CDOT). When I understood the attack vector, it occurred to me that many of my peers could also be vulnerable and that it was urgent to help ensure they took action immediately to protect themselves. I reached out to the MS-ISAC and they helped to create a notification that they sent to their thousands of members across the country. A few weeks later, we scheduled a threat briefing in which I told my peers how we were compromised and how they could protect themselves, as well as answered questions. Almost 700 state and local IT and security personnel from across the nation attended.

Later, I was invited to join the MS-ISAC as part of its Executive Committee, and we spent many meetings discussing the need for proactive and responsive services that could be provided to smaller government entities. While we all agreed that Albert sensors – the network intrusion detection sensors at the edge of the network – are valuable, we were concerned that many local governments may not have resources to monitor for these detections and respond to threats in their environment quickly enough to prevent the disruption of service or the theft of sensitive data. Local governments, special jurisdictions, and school districts are often very under-resourced when it comes to protecting themselves against the ongoing barrage of cyber-attacks. Some of these entities may not have dedicated cybersecurity personnel and perhaps only a single IT resource responsible for administering all technology, including ensuring that the services they are providing and the critical infrastructure they are supporting are continuously available and protected from cyberattacks. Some of these entities may not have any dedicated full-time IT personnel at all. It isn’t a fair fight when these small organizations are outnumbered and the adversaries are better funded and have many nefarious tools at their disposal.

In 2018, as a recovery strategy for the CDOT ransomware event and to protect the rest of the state, the State of Colorado rolled out an endpoint protection platform, selecting CrowdStrike Falcon after a thorough vetting and procurement process. I became an instant CrowdStrike fan when I saw what their solution was protecting us from every month and the threats it was preventing from executing in our environment. I also finally had a platform that could generate the reports needed to demonstrate that the security investment the state had made was successfully protecting state agencies from ongoing cyber-attacks. My team instantly evolved from trying to determine which of the 8.4 million daily security events merited their attention to being laser-focused on the specific events that posed the biggest threat. And because CrowdStrike was preventing malware from executing and was significantly easier to manage and administer than our previous cybersecurity tools, my team could spend more time addressing other important security initiatives.

A few years later, the State of Colorado upgraded to CrowdStrike’s managed detection and response (MDR) solution, Falcon Complete, to resolve our own staffing challenges. There were times we experienced a revolving door on the security operations team, and it seemed we were rarely fully staffed. I was constantly in a cycle of recruiting, hiring, training, and replacing staff. CrowdStrike’s managed service was helpful in filling in the gaps when I wasn’t fully staffed or was trying to train for the skills I needed. And even when I was fully staffed, I typically had too few resources for the volume of security work that needed to get done. Knowing we had a skilled team handling endpoint security allowed me to make much better and more intelligent use of my in-house team. I really saw the value of having an MDR service.

At the State of Colorado, we were lucky to have an adequate cybersecurity budget to purchase these valuable tools to help protect our infrastructure, which is often not the case for local governments and other smaller public organizations. That’s why I’m so excited that CIS and the MS-ISAC – already strong partners in cyber defense to local governments, special districts, school districts, and other smaller government entities – have teamed up with CrowdStrike to offer an affordable MDR solution to protect these under-resourced entities. Not only does CrowdStrike bring the very best technology to protect these entities, but they are now partnered with the MS-ISAC, which will perform 24x7x365 management, continuous monitoring, analysis, and validation to ensure that notification occurs only when action is required, as well as incident response assistance should a breach ever occur. In this way, technology and security teams for local government entities can focus their limited resources on providing services for their residents, while knowing those services are protected by a combination of tools and services by the most knowledgeable teams in the business. More information about the CIS Endpoint Security Services (ESS), offered in partnership with CrowdStrike, can be found at https://www.cisecurity.org/services/endpoint-security-services.

Deborah Blyth is an Executive Public Sector Strategist and part of the Public Sector Industry Business Unit at CrowdStrike, where she provides strategic advisory services related to enterprise cybersecurity solutions for public sector organizations across Federal, State and Local, Higher Education, and Healthcare. Prior to joining CrowdStrike, Blyth spent seven years as Colorado’s Chief Information Security Officer (CISO). During her tenure, she was successful at doubling the cybersecurity budget, recovering from a large-scale ransomware attack, and measurably reducing risk across the state. Blyth has over 25 years' technology background and 15 years leading information security programs. Before joining the State of Colorado, Blyth led the Information Technology Security and Compliance programs at TeleTech and Travelport. Blyth is a Colorado native, and graduated Summa Cum Laude with a Bachelor of Science degree from Regis University.


Cybersecurity Quarterly

Protecting Privacy Using the CIS Controls Privacy Guide Our new guide that helps to connect the security best practices contained in the CIS Controls and the multitude of privacy considerations that organizations must consider By Joshua Franklin

[The CIS Controls Privacy Guide] provides a bridge between IT security professionals looking to better understand how privacy applies to IT security controls, and privacy or legal professionals who need to better understand how modern technology and IT Who Should Use the CIS Controls Privacy processes might impact privacy. Guide? The CIS Controls Privacy Guide provides best practices and guidance for implementing the CIS Critical Security Controls (CIS Controls) while considering the privacy impacts on the workforce, customers, and third-party organizations such as contractors. The Privacy Guide supports the objectives of the CIS Controls by aligning privacy principles and highlighting potential privacy concerns that may arise when using the CIS Controls.

14

This Privacy Guide is intended for both IT security professionals, who are familiar with the CIS Controls, and privacy or legal staff within an enterprise. This document provides a bridge between IT security professionals looking to better understand how privacy applies to IT security controls, and privacy or legal professionals who need to better understand how modern technology and IT processes might impact privacy.

specific CIS Controls, and enables them to develop additional mitigations to assist with meeting their privacy objectives. In noting privacy implications of the CIS Controls and suggesting mitigations, the CIS Controls Privacy Guide takes a broad view of privacy, since laws vary from country to country. It’s therefore critical that IT security and privacy teams work in tandem to achieve both regulatory and internal privacy goals.

The guide enables a line of communication between these two groups and enhances the overall governance process by which business and legal management communicate with IT and cybersecurity teams. Proper data governance helps enterprises better understand the privacy implications associated with implementing

Adapting the CIS Controls for Privacy In order to place the CIS Controls in the context of privacy, CIS leveraged the Fair Information Practice Principles (FIPPs) and the General Data Protection Regulation (GDPR). The FIPPs are a set of eight principles that come from the United States Privacy Act of 1974. The GDPR is a multifaceted


Spring 2022

regulation governing the processing of personal data, as well as other technical aspects of an enterprise, in the European Union and beyond. The essential characteristics of the regulation are to protect personal data as a fundamental right and that privacy is to be respected. Many new privacy regulations across the world are using the GDPR as a framework for privacy law in their own country, state, or region.

Privacy regulations are changing everywhere, and all the time. Our mindset around how to collect and protect enterprise and personnel data needs to adapt to this new reality.

Privacy Implications of CIS Controls

Additional Discussion: A general guidance area to include relevant tools, products, or threat information that could be of use can be found here.

For each CIS Control, the following items are considered: Privacy Applicability: Explores the degree to which a CIS Control pertains to privacy. Only specific Safeguards within a Control contribute toward privacy. This could include protecting the privacy of employees and customers, but may also include the enterprise’s IT systems. Privacy Implications: Includes the privacy issues and/or risks associated with implementing specific CIS Controls. Data Collection: This focuses on the types of data collected by the enterprise when implementing a CIS Control. While there is always a specific focus on personally identifiable information (PII), other data types may also be assessed, such as open data, commercial data, and customer data (e.g., information about individuals using a company’s services). Data Storage: After data is collected, it must be stored somewhere until it is deleted. This portion analyzes issues associated with storing data, such as where and how it is stored, and the parties involved in the storage process. Fair Information Practice Principles (FIPP): Includes concerns and other information associated with FIPP. General Data Protection Regulation (GDPR) Principles: Includes concerns and other information associated with the GDPR principles. Only prespecified GDPR principles will be listed.

Looking to the Future of Privacy

Privacy regulations are changing everywhere, and all the time. Our mindset around how to collect and protect enterprise and personnel data needs to adapt to this new reality. Privacy regulations from one country may affect organizations not residing in that country via IT policy or contractual means. Cursory approaches to privacy will be insufficient in the near future. Privacy engineering, privacy risk analysis, and other practices detailed within the CIS Controls Privacy Guide can play an important role in meeting new privacy regulations and maintaining confidence in an enterprise's approach.

The CIS Controls Privacy Guide can be downloaded at https://www.cisecurity.org/insights/whitepapers/cis-controls-v8-privacy-companion-guide.

Joshua Franklin is a Senior Security Engineer for the CIS Critical Security Controls at the Center for Internet Security (CIS), where he is developing best practices for mobility, IoT, and elections. Prior to CIS, Franklin researched enterprise mobile security, cellular security, and electronic voting at the National Institute of Standards and Technology (NIST). While at NIST, he managed the mobile security laboratory at the National Cybersecurity Center of Excellence (NCCoE). Franklin graduated from George Mason University with a Master of Science in Information Security and Assurance. He has presented at a variety of cybersecurity conferences, including DEF CON, RSA, and ShmooCon.




CIS Risk Assessment Method v2.1 for CIS Critical Security Controls v8

Announcing the latest version of our free tool to help organizations assess their cyber risk, prioritize their action plan, and implement our security best practices

By Valecia Stocchetti

Laws, regulations, and information security standards all tell us to demonstrate "reasonable" security. However, a breach should not be the first time we try to define "reasonableness." If you are breached and your case goes to litigation, you will be asked to demonstrate "due care." This is the language judges use to describe "reasonableness." Enterprises must use safeguards to ensure that the risk is reasonable to the enterprise and other interested parties at the time of the breach. The recently released CIS Risk Assessment Method (CIS RAM) v2.1 can help your enterprise demonstrate due care.

CIS RAM v2.1 is an information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). Enterprises accomplish this by first defining their acceptable level of risk and then managing that risk after implementation of the Controls. Few enterprises can apply all Controls to all their environments and information assets. That's because some Controls, while offering effective security, may do so at the cost of necessary efficiency, collaboration, utility, productivity, or available budget and other resources. CIS RAM v2.1 supersedes CIS RAM v2.0, which was first released in October 2021.


How is CIS RAM v2.1 Structured?

When enterprises conduct a cyber risk assessment for the first time, it can be challenging to know where to start. CIS RAM is a powerful, free tool to guide the prioritization and implementation of the CIS Controls and to complement an enterprise's technical ability with a sound business risk-decision process. It is also designed to be consistent with more formal security frameworks and their associated risk assessment methods. Most importantly, CIS RAM enables enterprises of varying security capabilities to navigate the balance between implementing security controls, accounting for risks, and meeting the broader needs of their enterprise.

CIS RAM v2.1 is made up of a family of documents. The first, CIS RAM Core, is a "bare essentials" version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help readers rapidly understand and implement CIS RAM. In addition to CIS RAM Core, CIS RAM v2.1 provides three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups (IGs): IG1, IG2, and IG3. Each document includes a workbook with a corresponding guide and features examples, templates, exercises, background material, and further guidance on risk analysis techniques. To date, CIS has released several documents in the CIS RAM v2.1 family, including CIS RAM Core v2.1, CIS RAM v2.1 for IG1, and CIS RAM v2.1 for IG2. CIS RAM v2.1 for IG3 is currently under development.

CIS RAM Core

As previously mentioned, CIS RAM is made up of a family of documents. The foundation of all of these documents is CIS RAM Core. CIS RAM Core is a "bare essentials" version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM. CIS RAM uses the Duty of Care Risk Analysis (DoCRA) standard, which presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create a "universal translator" for these disciplines. The standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their enterprise; these are the core tenets upon which the CIS RAM family of documents is built. Enterprises that use CIS RAM for IG2 and CIS RAM Core can then develop a plan, as well as expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets.

What to expect in CIS RAM v2.1 for IG2

Risk assessments may be conducted in a variety of ways. They may focus initially on recommended CIS Controls to identify vulnerabilities within a given scope, they may focus primarily on determining how well protected those assets are by the CIS Controls, or they may focus first on known threats to see how they would play out in an environment. Risk assessments may also vary in methodology, using quantitative analysis (purely numerical representations of risk) or qualitative analysis (ranked value statements). CIS RAM v2.1 for IG2 focuses on a set of CIS Safeguards within the CIS Controls, and combines both qualitative and quantitative analyses.

CIS RAM v2.1 for IG2 was designed to help enterprises conduct a risk assessment if they have expertise in developing, managing, and configuring systems, applications, and networks. IG2 enterprises are able to understand how asset classes are configured and managed and are able to evaluate risks associated with separate asset classes, rather than the enterprise as a whole. CIS RAM for IG2 assists these enterprises by significantly automating risk estimations and threat models. It reduces the complexity of risk analysis by providing the following:

A simple format for stating an enterprise's Impact Criteria and a range of magnitudes of Impact that you or others may suffer
Guidance for stating your enterprise's Risk Acceptance Criteria
A fixed definition for Expectancy Criteria
A simple Risk Register
Automated Expectancy calculation based on the commonality of reported threats and the Maturity of the enterprise's Safeguards

As with all CIS RAM v2.1 modules, CIS RAM v2.1 for IG2 provides a workbook along with a corresponding guide. These documents have material to help readers accomplish their risk assessments and include examples, templates, exercises, background material, and further guidance on risk analysis techniques.

What's New in CIS RAM v2.1?

While minor enhancements were made throughout CIS RAM Core v2.1, CIS RAM v2.1 for IG1, and CIS RAM v2.1 for IG2, one major change was also made. As of CIS RAM v2.1, we are migrating to the term "Expectancy" (rather than "Likelihood"), which is formally defined in CIS RAM as the estimation that if an incident were to occur, it would be due to the threat described in the analysis. "Expectancy" does not imply a probability that an incident may happen within a given time period, as "likelihood" and "probability" do. Rather, it implies that we know a security incident will occur, but we expect it to occur via a foreseeable threat. CIS RAM v2.1 automates the estimation of security incidents by comparing the commonality of reported threats to the reliability of Safeguards that would prevent them. Therefore, "expectancy" is a more appropriate term.

This change was decided during the development of CIS RAM v2.0 for IG2. Since the original CIS RAM v2.0 documents were released in October 2021 using the term "Likelihood," we decided to upgrade all CIS RAM v2.0 documents to v2.1, rather than starting a new minor version in the middle of releasing the CIS RAM family of documents. As a result, this change will bring consistency and clarity to enterprises that wish to use any of the CIS RAM v2.1 documents to conduct a risk assessment. Additionally, for those that may have already begun a risk assessment using v2.0 for IG1 and wish to switch to v2.1, we are confident that it will be a smooth transition.

Why CIS RAM v2.1?

If your enterprise experiences a breach and your case goes to litigation, you will be asked to demonstrate "due care." This is the language judges use to describe "reasonableness." Enterprises must use safeguards to ensure that risk is reasonable to the enterprise and appropriate to other interested parties at the time of the breach. CIS RAM provides a method for evaluating risk by calculating the expectancy of an impact to customers, business objectives, and external entities (regulators, vendors, etc.). It also provides a method to "draw a line" at an enterprise's acceptable risk definition, with risks below the line adhering to "due care," and risks above the line requiring risk treatment. Together, these principles provide enterprises with a concise and defendable process to accept or address risk.

Risk analysis helps shape and customize controls to address the internal and external challenges that enterprises face. Too often, enterprises rely on gap assessments to determine the severity of their vulnerabilities. Gap assessments, audits, and maturity assessments imply that your gaps need to be remediated completely. CIS RAM enables you to apply just the right amount of security, not too much and not too little, striking a balance between keeping your enterprise safe and ensuring you can conduct business as usual. Remediating all gap assessment deficiencies can lead to over-securing and over-investing, while remediating risks identified in a CIS RAM assessment can lead to applying just the right amount of security and investment. In short, CIS RAM Risk Assessments validate reasonable implementation, helping you determine what is reasonable to implement and what is not.

CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM's methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.1 in 2022. CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.

Taking the Next Step

Ready to conduct a cyber risk assessment? Download CIS RAM v2.1 for CIS Controls v8 for step-by-step processes, example walk-throughs, and more. For a more in-depth look at the updates for IG2, watch our CIS RAM 2.1 for IG2 Workshop.

Valecia Stocchetti is a Senior Cybersecurity Engineer for the Center for Internet Security (CIS). Stocchetti came to CIS from the eCommerce field, where she worked complex financial fraud cases. She is a graduate of the University at Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Stocchetti worked in the MS- and EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements. In her current role, she works with various attack models and data, including the MITRE ATT&CK framework, to help validate and prioritize the CIS Controls. Stocchetti holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC).





New Resources and Tools for Implementing the CIS Controls

The CIS Security Best Practices team and its global community of volunteers continue to churn out valuable new resources to help implement our best practices

By CIS Staff

Even with the release of CIS Controls v8 well in the rearview mirror, the CIS Security Best Practices team, in collaboration with our global community of volunteers, continues to work diligently to release new tools, updates, and resources to make our best practices more accessible and easier to implement.

CIS Controls Commonly Exploited Protocols: Microsoft Windows Management Instrumentation

This guide focuses on a commonly exploited protocol, the Microsoft Windows Management Instrumentation (WMI) Remote Protocol, and the Safeguards an enterprise can implement, in part or in whole, to reduce its attack surface or detect anomalies associated with the exploitation of WMI. The goal is to deliver a set of best practices from the CIS Controls, CIS Benchmarks, or additional guidance that all enterprises can use to protect against WMI-facilitated attacks. This is accomplished by mapping WMI classes or events that cyber threat actors (CTAs) can use to conduct attacks to the MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK®) Framework v8.2. Specifically, the guide focuses on identifying MITRE ATT&CK Tactics, the "why" behind a CTA's actions, and the ATT&CK Techniques or Sub-Techniques within those Tactics.
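To make the "detect anomalies" half of that mapping concrete, here is an added example that is not part of the CIS guide: a small Python detector that scans constructed log records for two WMI abuse patterns and tags each with the ATT&CK technique the guide's approach would map it to. A process spawned by WmiPrvSE.exe is what a remote Win32_Process.Create call looks like on the target (T1047, Windows Management Instrumentation), and a permanent event consumer that executes code is WMI persistence (T1546.003, Event Triggered Execution: WMI Event Subscription). The record layout, the field names, the allowlist of expected WmiPrvSE.exe children, and every sample record are constructed for this illustration; the event sources and IDs (Sysmon event 1, Microsoft-Windows-WMI-Activity/Operational event 5861) are real, but the exact event XML is simplified.

```python
"""Added example: spot two WMI abuse patterns in constructed log records.

The records below are simplified dictionaries modelled on real event
sources, not the exact event XML:
  * Sysmon event 1 (process creation): a child of WmiPrvSE.exe is what a
    remote Win32_Process.Create call looks like on the target host.
  * Microsoft-Windows-WMI-Activity/Operational event 5861: a permanent
    event consumer was registered (WMI persistence).
ATT&CK IDs: T1047 Windows Management Instrumentation,
            T1546.003 Event Triggered Execution: WMI Event Subscription.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed allowlist: children WmiPrvSE.exe is expected to spawn here.
TRUSTED_WMI_CHILDREN = {r"c:\windows\system32\wbem\wmiadap.exe"}

# Consumer classes that execute attacker-supplied code when a filter fires;
# LogFileEventConsumer / NTEventLogEventConsumer only write records.
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    detail: str


def _spawned_by_wmiprvse(rec):
    parent = rec.get("parent_image", "").lower()
    return (rec.get("source") == "sysmon" and rec.get("event_id") == 1
            and parent.endswith(r"\wbem\wmiprvse.exe"))


def detect(records):
    """Return one Finding per record that matches a WMI abuse pattern."""
    findings = []
    for rec in records:
        host = rec.get("host", "unknown")
        # T1047: the WMI provider host spawned a process outside the allowlist.
        if _spawned_by_wmiprvse(rec):
            image = rec.get("image", "").lower()
            if image not in TRUSTED_WMI_CHILDREN:
                findings.append(Finding(
                    "T1047", host,
                    f"WmiPrvSE.exe spawned {image}: {rec.get('command_line', '')}"))
        # T1546.003: a permanent consumer that runs code was registered.
        if (rec.get("source") == "wmi_activity" and rec.get("event_id") == 5861
                and rec.get("consumer_class") in EXEC_CONSUMERS):
            findings.append(Finding(
                "T1546.003", host,
                f"{rec['consumer_class']} registered: {rec.get('consumer_text', '')}"))
    return findings


def summarize(findings):
    """Count findings per ATT&CK technique, e.g. for a weekly report."""
    return dict(Counter(f.technique for f in findings))


# Constructed sample records (not captured from any real system).
SAMPLE_RECORDS = [
    {"source": "sysmon", "event_id": 1, "host": "ws01",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"source": "sysmon", "event_id": 1, "host": "ws01",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\WmiAdap.exe",
     "command_line": "wmiadap.exe /F /T /R"},
    {"source": "sysmon", "event_id": 1, "host": "ws03",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"source": "wmi_activity", "event_id": 5861, "host": "srv02",
     "consumer_class": "CommandLineEventConsumer",
     "consumer_text": "cmd.exe /c start /b powershell -nop -enc SQBFAFgA"},
    {"source": "wmi_activity", "event_id": 5861, "host": "srv02",
     "consumer_class": "NTEventLogEventConsumer",
     "consumer_text": "write event to Application log"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f.technique} {f.host}: {f.detail}")
    print(summarize(detect(SAMPLE_RECORDS)))
```

Run as-is it reports one T1047 finding on ws01 (the encoded PowerShell child of WmiPrvSE.exe; the WmiAdap.exe child is on the allowlist) and one T1546.003 finding on srv02 (the CommandLineEventConsumer; the NTEventLogEventConsumer only writes a log entry). In production the allowlist is the part to tune: it must be built from what WmiPrvSE.exe actually spawns in your estate, not copied from this illustration.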


CIS Controls v8 Introductory Course Available on Salesforce's Trailhead

CIS Controls v8 helps organizations keep up with modern systems and software, and can ultimately help improve your cybersecurity posture. The CIS Controls team recently worked with Salesforce's Trailhead to create an introductory course on CIS Controls v8 Implementation Group 1 (IG1), also known as essential cyber hygiene. Not all organizations are able to implement any security framework wholesale. That's why CIS prioritized the Controls and its supporting Safeguards for you; we always recommend starting with IG1.

What is Trailhead?

Trailhead is an online learning platform with free, self-paced, bite-sized content that gives everyone the tools for learning new technologies and skills or expanding their existing knowledge. Salesforce has created a robust and thorough educational resource for its users in Trailhead, and learners don't have to be Salesforce customers in order to take advantage.

CIS Controls v8 Trailhead Module

The introductory course on Trailhead will help you manage your organization's cybersecurity risk via essential cyber hygiene. You will learn what needs to be implemented to protect your network against top threats through examples and knowledge checks throughout the module. In particular, the CIS Controls module covers:

Inventorying, controlling, and configuring assets and protecting data
Account management, access controls, and continuously managing vulnerabilities
Protecting email, defending against malware, recovering data, and reasons why managing networks is critical
Raising security awareness, managing service providers, and reasons why responding to incidents is critical

The CyberCast

New episodes of The CyberCast, a podcast series on CIS Controls v8 co-hosted by CIS Senior Director of Controls Phyllis Lee and purpose-built for MSPs, MSSPs, and IT practitioners, are now available. Each episode covers a new security control: how it maps to the different frameworks, the impact it has, how to build a policy around it, how threat actors exploit it, what you can do to defend against it, and common mistakes or oversights made when implementing it into your tech stack. You can listen to the series at https://www.thecybercast.com.

Updates to CIS CSAT Hosted and Pro

Version 1.5.2 of the CIS Controls Self-Assessment Tool (CSAT) Hosted is now available. This new version includes fixes for several bugs, updates numerous third-party libraries to newer versions, and includes a number of performance updates.

A number of new updates have been released over the past quarter for CIS CSAT Pro. Crucially, the Log4j third-party library was updated to the most recent version in order to address a critical vulnerability found in earlier versions. Also updated were numerous third-party packages to resolve vulnerabilities present in embedded package dependencies. Other recent updates to the tool include new functionality, such as the ability to enable multi-factor authentication, updated system recommendation information, and further security fixes. The latest version of CIS CSAT Pro can be downloaded on CIS WorkBench.

Additional New CIS Controls v8 Resources

CIS Controls Navigator has been updated with NIST SP 800-53 Rev 5 Moderate, NERC-CIP, and CJIS. Learn more about the Controls and Safeguards and see how they map to other security standards at https://www.cisecurity.org/controls/cis-controls-navigator/. Thanks to members of the CIS Controls Community, CIS Controls v8 has now been translated into Spanish, which can be downloaded at https://learn.cisecurity.org/cis-controls-download. New mappings for CIS Controls v8 have been released, aligning our security best practices to NERC-CIP, CJIS, GSMA FS.31, and the NIST SP 800-53 Rev 5 Moderate and Low Baselines. These new mappings can be downloaded at https://workbench.cisecurity.org/community/94/files. We're looking for feedback from the community on draft mappings of CIS Controls v8 to ISO 27002, FFIEC CAT, and UK Cyber Essentials for Implementation Group 1 (IG1). You can help provide input at https://workbench.cisecurity.org/community/94/files.

CIS greatly appreciates the many global security experts who volunteer to support the CIS Controls. Our resources represent the effort of a veritable army of volunteers from across the industry, generously giving their time and talent in the name of a more secure online experience for everyone.

Thanks to these volunteers, the CIS Controls continue to grow in influence and impact across a world-wide community of adopters, vendors, and supporters. Our nonprofit business model is only possible because the industry is filled with people who have great technical expertise and great community spirit. Let's continue to collaborate to create confidence in a connected world!




Cyberside Chat

This Quarter's Topic: Approaching Defense-in-Depth with a Threat-Informed Perspective

By Sean Atkinson, Chief Information Security Officer, CIS

As organizations implement multiple layers of security controls, it is important to understand the necessity of building a resilient defense-in-depth strategy. Implementing the Swiss Cheese Model is often a valuable perspective in showing control effectiveness and gaps.

In information security, the adage may be to prevent everything, but in reality, this doesn't make sense without a threat-adjusted approach, as the cost incurred to manage every threat is unrealistic. The illustration below shows that, by applying the Swiss Cheese Model to defined security controls, we are able to thwart adversarial tactics. In order to move the maturity of the model forward, this should now be a threat-informed defense-in-depth strategy. Threat-informed defensive posturing enables an organization to address the risk and likelihood of attacks being used against it. With this approach, it is critical to understand the organizational risk posture to effectively manage high-risk areas. Using the MITRE ATT&CK framework, an organization can view adversary tactics, techniques, and sub-techniques, along with the procedures that specific groups use to carry them out.

A quick checklist of threat-informed defense-in-depth:

1. Inventory of current defensive controls
2. Know where the gaps exist through testing and assessment/audit
3. Answer the question: which attackers are most likely to target my organization?
   a. What tactics do they use?
   b. What techniques do they use?
   c. What sub-techniques and procedures do they use?
4. Can we identify and track these types of techniques and procedures?
   a. If yes: test to make sure
   b. If no: build a plan of action, determine if compensating controls can be used, and test your plan.



The following is an example of implementing such a practice using the MITRE ATT&CK enterprise matrices:

1. Review groups to get an understanding of their potential targets and whether your organization is one of them. The example we will use is APT19, also known as Codoso, C0d0so0, Codoso Team, and Sunshop Group.
2. We see that this group chooses to target high-tech organizations.
3. When we click on the group name, we get a number of techniques used, as well as the software the group employs to execute each technique.
4. We click on the ATT&CK Navigator layers box and view the layer in the ATT&CK Navigator browser, where we can see the techniques applied at each tactical layer. The techniques are highlighted in blue.
5. Correlate these techniques to the controls you have inventoried. Are these elements covered by the current internal defense-in-depth security program?

Applying the threat-informed model takes multiple iterations and perspectives to make sure you understand the potential threats for your organization. This exercise may also assist in uncovering elements of the risk appetite within the organization, especially when it comes to gaps in the control posture of the organization. We can also use this process as a way to assess an organization's risk appetite, as illustrated in the following example: the utility of understanding the gaps within your infrastructure is to determine either what you have yet to fix or which gaps are accepted as part of the overall information security program. In many cases, the adage is to remove all gaps from your infrastructure and have solid cheese slices, but for many, that is not a reasonable approach to cybersecurity. The aim is to apply the right amount of control to reduce the size of the holes within your infrastructure to a point where risk is minimized and in line with the organization's risk appetite. Spending $1 million to protect $100,000 of assets is not a great return on investment, which is why these decisions need organizational context.

Consider a test of your organization's controls using one of APT19's techniques: attempting to get users to launch malicious attachments delivered via spear-phishing emails (T1566.001, Phishing: Spearphishing Attachment). Using this technique from the MITRE ATT&CK framework, you would simulate the attack and determine whether the layered controls were effective in preventing it. Targeted emails to individuals in the organization will show whether the delivery mechanism is thwarted by email controls, whether the email controls are bypassed, and whether the recipient identifies the email as suspicious. After the test, ask these questions:

1. Are controls in place to prevent the delivery of the malicious file?
2. Is awareness training in place to teach personnel not to click on links or attachments from unknown sources, should a malicious file be delivered?
3. If user execution occurs, are controls in place to identify malicious activity?
4. Can the execution of malicious files be prevented?
5. Are network-based blocking controls in place?

Utilizing tests with these elements will assist in determining if controls are in place to manage a specific threat type. Given the volume of threats, managing an assessment approach is time consuming, but multiple threats may be mitigated with the same set of controls and posture assessments. It is not about assessing every threat, but rather those that are specific to your organization and most likely to be used against you. By applying threat models, such as the Swiss Cheese Model in combination with MITRE ATT&CK, organizations are able to define a comprehensive defense-in-depth approach to managing risk that is appropriate for their line of business.
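Steps 4 and 5 of the ATT&CK walk-through above, and items 1, 2 and 4 of the earlier checklist, can be automated once the Navigator layer and the control inventory exist in machine-readable form. The following Python is an added example, not CIS's own tooling: it reads a Navigator layer in the shape the Navigator exports (a `techniques` array of `techniqueID` entries), joins it against a constructed inventory of defensive controls keyed by technique and marked tested or untested, and classifies each technique as covered (at least one slice proven to stop it), unverified (slices exist on paper only), or a gap (no slice at all). The layer and the inventory are constructed for this illustration: T1566.001 is the technique the article names for APT19, and the other IDs are illustrative placeholders that should be replaced with a layer downloaded from the Navigator for the real group page.

```python
"""Added example: join an ATT&CK Navigator layer against a control inventory.

Each technique the group uses is matched to inventoried controls (the
cheese slices) and classified as covered, unverified, or a gap.
"""
import json
from dataclasses import dataclass, field

# Constructed layer in the shape the ATT&CK Navigator exports (a "techniques"
# array of "techniqueID" entries). T1566.001 is the technique the article
# names for APT19; the other IDs are illustrative placeholders. Replace the
# whole document with a layer downloaded from the Navigator for the real group.
LAYER_JSON = """
{
  "name": "APT19 (illustrative subset)",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1566.001", "comment": "Phishing: Spearphishing Attachment"},
    {"techniqueID": "T1204.002", "comment": "User Execution: Malicious File"},
    {"techniqueID": "T1059.001", "comment": "Command and Scripting Interpreter: PowerShell"},
    {"techniqueID": "T1547.001", "comment": "Boot or Logon Autostart Execution: Registry Run Keys"}
  ]
}
"""


@dataclass(frozen=True)
class Control:
    name: str      # checklist item 1: an inventoried defensive control
    tested: bool   # checklist item 4a: verified against this technique


# Constructed inventory: technique ID -> controls that address it.
INVENTORY = {
    "T1566.001": [Control("email attachment sandboxing", tested=True),
                  Control("phishing awareness training", tested=False)],
    "T1204.002": [Control("application allowlisting", tested=True)],
    "T1059.001": [Control("PowerShell constrained language mode", tested=False)],
    # T1547.001 deliberately absent: a hole through every slice.
}


@dataclass
class TechniqueStatus:
    technique: str
    comment: str
    tested: list = field(default_factory=list)
    untested: list = field(default_factory=list)

    @property
    def verdict(self):
        if self.tested:
            return "covered"      # at least one slice proven to stop it
        if self.untested:
            return "unverified"   # slices exist on paper only (item 4a: test)
        return "gap"              # item 4b: plan of action or compensating control


def load_layer_techniques(layer_json):
    """Return (techniqueID, comment) pairs from a Navigator layer document."""
    layer = json.loads(layer_json)
    return [(t["techniqueID"], t.get("comment", "")) for t in layer["techniques"]]


def assess(layer_json, inventory):
    """Step 5: correlate each technique in the layer with inventoried controls."""
    statuses = []
    for tid, comment in load_layer_techniques(layer_json):
        status = TechniqueStatus(tid, comment)
        for control in inventory.get(tid, []):
            (status.tested if control.tested else status.untested).append(control.name)
        statuses.append(status)
    return statuses


def plan(statuses):
    """Turn verdicts into the two work queues the checklist asks for."""
    return {
        "test": [s.technique for s in statuses if s.verdict == "unverified"],
        "build_or_compensate": [s.technique for s in statuses if s.verdict == "gap"],
    }


if __name__ == "__main__":
    results = assess(LAYER_JSON, INVENTORY)
    for s in results:
        print(f"{s.technique:10} {s.verdict:10} tested={s.tested} untested={s.untested}")
    print(plan(results))
```

With the constructed data, T1566.001 and T1204.002 come out as covered, T1059.001 as unverified (the constrained language mode control exists but has never been exercised against this technique), and T1547.001 as a gap. The "covered" verdict is intentionally strict about testing and loose about count: one proven slice is enough to count, which is why the phishing test described above still matters even where a technique already reads as covered.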




ISAC Update

Spring is in the air. Well...hopefully. Here in Upstate NY, we received some significant snowfall not too long ago. With the change in weather, I'd like to give you our quarterly update on the MS- and EI-ISACs.

The first quarter of 2022 has been incredibly productive from a membership standpoint; shortly before this issue was published, we added our 13,000th MS-ISAC member! Based on past trends, the safe bet was that this member would be a K-12 public school. They are the fastest growing membership contingent. However, the honor instead went to our second-fastest growing sector: county-level government. On March 15, we officially welcomed Blount County, Tennessee as our 13,000th member.

As the world continues to become more dangerous in the digital realm, the MS-ISAC stands as a bastion, helping our members improve their cyber maturity and strengthen their cyber defenses. As we work toward that goal, we have realigned our regional structure and our team of dedicated account managers to closely align with the Cybersecurity and Infrastructure Security Agency's (CISA) 10 regions across the country. This new alignment will help us to leverage resources and work in closer collaboration with the CISA cybersecurity advisors who serve those regions. Of course, we continue to offer our Virtual Service Reviews (VSRs) to the membership to help fine-tune the services and benefits derived from being part of our organization. If you are interested in scheduling a Virtual Service Review and taking a look under the hood of your MS- or EI-ISAC membership with our team, please reach out to info@msisac.org.

The EI-ISAC continues its upward trajectory with nearly 3,500 members from the critical election sector. They have redoubled their efforts in light of current world events and the upcoming 2022 election cycle. They have been hard at work, not only helping to protect our nation's critical election infrastructure but also promoting membership and taking every opportunity to inform and educate the community at large about the importance of cybersecurity as we approach the 2022 midterm elections. The EI-ISAC stands ready to help our election community with their cybersecurity needs. From programs like Endpoint Detection and Response (EDR) to Malicious Domain Blocking and Reporting (MDBR) to an upcoming revised election handbook, the cyber maturity of this vital sector is their focal point.

The MS- and EI-ISACs are membership-based organizations that work at the behest and to the benefit of our members. Our members define us and guide us, and we thank you for all of your efforts! Become involved, volunteer for our working groups, make your thoughts known, tell us your concerns, and allow us to wield the power of nearly 13,000 SLTT communities, from the smallest school districts to the largest states, to benefit us all. Please feel free to reach out to me (paul.hoffman@cisecurity.org) with your thoughts. They are always welcome. Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to your colleagues. We are stronger and more connected than ever before!



Upcoming Events

April

April 7
Cyber Security Summit: Miami will take place at the Hilton Miami Downtown, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. CIS CTO Kathleen Moriarty will lead a panel discussion on cloud security. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/miami22/.

April 13 – 15
The Southern Municipal Conference (SMC) will host its SMC Spring IT Summit in Cocoa Beach, Florida. The event will bring IT leaders from the group's network of state municipal leagues together to learn about the latest topics affecting southern cities. MS-ISAC Senior Program Specialist Kyle Bryans will lead a session on no-cost cybersecurity resources for cities and municipalities. Learn more at http://southernmunicipalconference.org/.

April 19
The New York State Tug Hill Commission will host its 31st Annual Tug Hill Local Government Conference at Turning Stone Event Center in Verona, New York. Local government leaders and officials from the Tug Hill region of New York State and beyond will gather together to network, share knowledge, and learn from thought leaders. The MS-ISAC team will be on the show floor, sharing our resources for local governments. Learn more at https://tughill.org/lgc2022/.

April 20 – 24
The National Association of Election Officials will host its April 2022 Election Center Special Workshop at the Westin Houston Hotel, Memorial City in Houston, Texas. Election officials from across the country will gather at the event to hear from colleagues and stakeholders in election administration on the myriad of new challenges facing election and voter registration administrators in 2022, as well as discover resources and solutions to current challenging narratives. Senior Director of the EI-ISAC Marci Andino will present at the event on no-cost cybersecurity resources from the EI-ISAC. Learn more at https://www.electioncenter.org/.

April 21 – 22
The Nebraska Education Technology Association (NETA) will host its 2022 NETA Spring Conference at the CHI Health Center in Omaha, Nebraska. The event will bring together K-12 staff, teachers, superintendents, technology directors, and education stakeholders from around the state to network and learn about the latest industry trends from subject matter experts. MS-ISAC Senior Program Specialist Brendan Montagne will lead a session on cybersecurity resources for K-12 schools. Learn more at https://netasite.org/.

April 25 – 28
The Texas Library Association (TLA) will host its 2022 TLA Conference at the Fort Worth Convention Center in Fort Worth, Texas. The event aims to promote the health of librarians and libraries by equipping attendees with the tools needed to recover from uncertainty, rebalance their lives, and reconnect with their colleagues and the communities they serve. The MS-ISAC team will be on the show floor, sharing our resources for public libraries. Learn more at https://txla.org/annualconference/.

April 26 – 28
The Armed Forces Communications and Electronics Association (AFCEA) will host AFCEA TechNet Cyber at the Baltimore Convention Center in Baltimore, Maryland. The event is a forum for military, industry, and academia to devise new strategies to build resilience and defend networks. The CIS team will be exhibiting at Booth 2825, sharing our resources to help organizations meet federal cybersecurity guidelines. Learn more at https://events.afcea.org/afceacyber22.

April 27
Cyber Security Summit: Silicon Valley will take place at the DoubleTree by Hilton San Jose, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. CIS CISO Sean Atkinson will lead a panel discussion on ransomware. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/siliconvalley22/.

May

May 5 The Connecticut Education Network (CEN) will host its 9th Annual CEN Member Conference at the Connecticut Convention Center in Hartford, Connecticut. Education technology leaders and professionals from across the state will come together at the event to network and collaborate with peers, learn during insightful training sessions, and hear from industry experts. MS-ISAC Senior Program Specialist Kyle Bryans will lead a breakout session on no-cost cybersecurity resources for K-12 public schools. Learn more at https://ctedunet.net/annual-conference.

May 3 – 5 The New York State Local Government Information Technology Directors Association (NYSLGITDA) will host its 2022 NYSLGITDA Spring Conference at the Marriott Syracuse Downtown in Syracuse, New York. The event will bring together New York local government IT leaders to network, learn from thought leaders, and discover new strategies to better serve their communities. The CIS team will be on the show floor, sharing our resources for local governments. Learn more at https://nyslgitda.org/events/spring-conference-2022-2/.

May 12 – 13 The Indiana CTO Council, a state chapter of the Consortium for School Networking (CoSN), will host the Indiana CTO Clinic at the Renaissance Indianapolis North Hotel in Carmel, Indiana. Education technology leaders from across the state will come together at the event to network with peers and learn the latest industry updates from leading thought leaders. MS-ISAC Program Specialist Elijah Cedano will lead a session on no-cost services for K-12 schools. Learn more at https://www.indianactocouncil.org/clinic.

May 4 – 5 LogicManager will host IMPACT 2022 at the Hotel Commonwealth Boston in Boston, Massachusetts. The event will be two days full of knowledge sharing, networking, and learning with and from members of the LogicManager community. It's an opportunity to take a step back, plan for the future, and understand the importance of governance, risk, and compliance teams. MS-ISAC Senior Member Programs Analyst Tyler Scarlotta will lead a session on information security best practices. Learn more at https://www.logicmanager.com/impact-2022-logicmanager-customer-conference.

May 13 Cyber Security Summit: St. Louis will take place at the Marriott St. Louis Grand, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. CIS CTO Kathleen Moriarty will lead a panel discussion on cloud security, and CIS CISO Sean Atkinson will lead a discussion on ransomware. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/stlouis22/.

May 5 Cyber Security Summit: Denver will take place at the Hilton Denver City Center, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/denver22/.


May 16 – 17 The Texas Department of Information Resources, Office of the Chief Information Security Officer will host the 22nd Annual Information Security Forum for Texas Government at the Palmer Events Center in Austin, Texas. The educational conference will bring together security and IT professionals from public sector organizations across the state of Texas to learn about security trends and upcoming technologies. MS-ISAC Program Specialist Michelle Nolan will lead a session on how local governments can strengthen their cybersecurity posture with support from the MS-ISAC. Learn more at https://dir.texas.gov/information-security/information-security-forum.

May 23 – 25 AWS Summit Washington D.C. will take place at Walter E. Washington Convention Center. Attendees will deepen their cloud knowledge and gain new skills to design and deploy solutions in the cloud to accelerate their mission. The CIS team will be exhibiting at Booth 520, sharing our cloud security resources with attendees, and CIS Product Owner for CIS Benchmarks and Cloud, Mia LaVada, will lead an expo theater session on our DISA STIG resources. Learn more at https://aws.amazon.com/events/summits/washington-dc/.

June

June 1 – 4 The Florida City and County Management Association (FCCMA) will host the 2022 FCCMA Annual Conference at the Renaissance Orlando at SeaWorld in Orlando, Florida. The event will bring together local government leaders and professionals from across the state to network with peers, learn from industry thought leaders, and discover innovative solutions to better serve their communities. MS-ISAC Senior Program Specialist Kyle Bryans will lead a session on no-cost cybersecurity resources for local governments. Learn more at https://fccma.org/annual-conference/.

June 6 – 9 The 2022 RSA Conference will take place at the Moscone Center in San Francisco. The event will bring cybersecurity leaders and professionals from around the world together to gain insights, join conversations, and experience solutions that could make a huge impact on their organizations. The CIS team will be at Booth 4228 in the North Expo Hall, sharing our knowledge and resources with attendees. CIS Senior VP and Chief Evangelist Tony Sager will also speak at the event, co-leading sessions on nonprofits' roles in the cybersecurity community and maintaining a secure software supply chain, as well as joining a panel of experts to discuss using public policy to drive better security and measurable compliance standards. Learn more at https://www.rsaconference.com/usa.

June 15 Cyber Security Finance & Banking Summit will take place virtually, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/finance22/.

June 20 – 23 Collision will take place at the Enercare Center in Toronto. The event will bring together tech industry leaders and professionals from around the world to network, learn from industry thought leaders, and discover new strategies and solutions from leading companies. The CIS team will be exhibiting on the show floor and sharing our cybersecurity resources. Learn more at https://collisionconf.com/.

June 21 – 23 The Georgia Emergency Management and Homeland Security Agency and the Georgia Department of Education will host the 2022 Georgia School Safety & Homeland Security Conference at the Columbus Georgia Convention and Trade Center in Columbus, Georgia. Education and public safety leaders from across the state will come together to gain valuable knowledge and advice on improving school safety. MS-ISAC Senior Program Specialist Kyle Bryans will lead a session at the event on no-cost cybersecurity resources for K-12 schools. Learn more at https://gema.georgia.gov/events/2022-06-21/save-date.

June 22 Cyber Security Summit: Nashville takes place at the Renaissance Nashville Hotel, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. CIS CISO Sean Atkinson will lead a panel discussion on ransomware. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details and learn more at https://cybersecuritysummit.com/summit/nashville22/.



Copyright © 2022 Center for Internet Security, Inc., All rights reserved.

Interested in being a contributor? Please contact us: cybermarket@cisecurity.org www.cisecurity.org 518.266.3460

