Cybersecurity Quarterly
Summer 2022
A Publication from
Enacting Effective Security Awareness Training for Today's Workforce
Expert Tips and Recommendations to Improve Your Cyber Defenses
New Guidance to Apply Our Security Best Practices to Your Cloud Assets
Evaluating the Business Implications of Cyber Risk
Ready Your Defenses Predicting the next big attack vector is nearly impossible. Instead, focus on what you do know by evaluating your organization's points of weakness and taking actions to gradually improve your defenses
MDBR: Malicious Domain Blocking & Reporting
Your no-cost* proactive domain security service. Add an extra layer of cybersecurity protection at no cost that is proven, effective, and easy to deploy.
* Available to U.S. State, Local, Tribal, and Territorial (SLTT) government members of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®).
Acknowledgement: This material is based upon work supported by the U.S. Department of Homeland Security under Grant Award Number 19PDMSI00002.
Disclaimer The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security.
Contents

Featured Articles
Five Steps to Improve Your Cyber Defenses Today: Insightful advice to help jump start your cybersecurity program (page 8)
The Growing Role of the Security Awareness Officer: How to lead training efforts to combat the leading cyber attack vector – humans (page 10)
Connecting Cyber Risk to Business Risk: Our new resource to help assess the impact of cyber threats on enterprises (page 14)
New Guidance for Securing Cloud Environments: Our new guide to help apply our security best practices to your cloud assets (page 16)
Jumpstart Your Security Program with Essential Cyber Hygiene: Helping state, local, tribal, and territorial entities get started with implementing our essential cybersecurity best practices (page 18)
CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 3 (IG3): The latest resource in our series of guides to assess cyber risk (page 20)

Quarterly Regulars
Quarterly Update with John Gilligan (page 4)
News Bits & Bytes (page 6)
Cyberside Chat (page 23)
ISAC Update (page 24)
Event Calendar (page 25)

Summer 2022, Volume 6, Issue 2. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo
Supervising Editor: Laura MacGregor
Copy Editors: Jay Billington, David Bisson, Autum Pylant
Staff Contributors: Sean Atkinson, Paul Hoffman, Josh Moulin, Aaron Piper, Robin Regnier, Thomas Sager, Valecia Stocchetti
Cybersecurity Quarterly is published and distributed in March, June, September, and December.
Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061.
For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460.
Copyright © 2022 Center for Internet Security. All rights reserved.
Quarterly Update
with John Gilligan
Welcome to the summer issue of Cybersecurity Quarterly. Perhaps predictably, cyber attacks continue to be on the rise with increasing costs to organizations and individuals. While there has been little noticeable impact from Russia’s cyber attacks, it is too early to relax our defenses and preparedness. Also, it is becoming increasingly apparent that organizations can be roughly grouped into two categories: those that are capable of implementing effective cyber defenses (even if they have not fully done so to date) and those that aren't currently capable of effective cyber defenses due to lack of resources and/or talent. CIS, as well as a number of other organizations, are focusing substantial effort to identify and deploy cybersecurity solutions and support that can assist organizations that are in the second category.

Appropriately enough, this quarter’s issue is centered around knowing your organization’s risks and being prepared for a cyber attack. Over the past four months, recognizing the high potential of major cyber attacks from Russia, CIS has carefully evaluated and reengineered how we respond to major cyber attacks. As an example, we determined that we must regularly plan for and exercise ‘surge’ operations demanding significantly expanded staffing across all three shifts and including weekends. This has required that CIS change some of our operational processes as well as realign roles and responsibilities in our security operations center (SOC) and our customer engagement teams in response to increased threat levels and/or major cyber events.

CIS’s Josh Moulin has authored an article in this issue that describes the five top technical actions that organizations can do to prepare for a near-term cyber attack. This guidance was also distributed to all MS-ISAC members with step-by-step instructions available on the CIS website. In a similar vein, SANS has provided a complementary article that discusses how having a solid awareness program can assist in stopping or reducing the impact of cyber attacks and malicious actors. Aaron Piper from the CIS Security Best Practices team has contributed an article describing the recently launched Ransomware Business Impact Analysis Tool that has been integrated into the CIS Controls Self Assessment Tool (CSAT). This analysis capability, developed in partnership with Foresight Resilience Strategies (4RS), provides a valuable tool in preparing for potential ransomware attacks.

Valecia Stocchetti, also from CIS’s Security Best Practices team, has provided two articles. The first discusses the new how-to publication for Implementation Group 1 (IG1). Her second article describes the Version 2.1 release of the CIS Risk Assessment Method (CIS RAM), specifically the enhancements that expand CIS RAM to include Implementation Group 3 (IG3) of the CIS Controls.

Another article in this issue addresses the new cloud companion guide for CIS Controls v8. Finally, our CISO, Sean Atkinson, provides his regular column. In this issue, he addresses the importance of using a threat-informed approach when developing an effective cyber defense program.

I hope that you enjoy this quarter’s issue, and I hope you have a great summer!

Best Regards,
John M. Gilligan
President & Chief Executive Officer
Center for Internet Security
CIS Azure Foundations Benchmark: Securely configure your Microsoft Azure account with this consensus-based CIS Benchmark mapped to Microsoft’s Azure Security Benchmark.
Learn more: www.cisecurity.org/benchmark/azure
News Bits & Bytes

CIS and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have announced the 13 winners of the national “Kids Safe Online” poster contest. The winners were selected from more than 260 submissions from across the country. The contest is open to students in grades K-12 with the goal of educating kids in age-appropriate ways about the dangers lurking online and ways to protect themselves and their communities. Students create artwork illustrating various issues related to cybersecurity, ranging from cyber bullying to responsible social media usage. The winning artwork will be featured in the 2023 cyber safety kids' activity book. Learn more about the contest and our winners in our press release or see the winning posters in our May 2022 MS-ISAC Newsletter.

The CIS Security Best Practices team has released several security updates to the CIS Controls Self Assessment Tool (CSAT). Over the last quarter, our diligent team and our community of volunteers have updated more than 60 third-party libraries to newer versions, including several to resolve recent vulnerabilities: Django to 3.2.13, IPython to 8.0.1, Moment.js to 2.29.2, and Pillow to 9.1.1. Learn more about CIS CSAT and access the latest version at https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat.

The CIS Controls team has worked with its global community of volunteers to develop a number of new resources. For the U.S. State, Local, Tribal, and Territorial (SLTT) community, the team has established Essential Cyber Hygiene in the SLTT Community, a private community for SLTTs to safely share ideas, engage in discussions, and develop and promote essential cyber hygiene content. Those entities interested in joining can email controlsinfo@cisecurity.org for more information. Additionally, the Controls team has released a number of new mappings to CIS Controls v8, including FFIEC CAT, Cyber Essentials, and ISO/IEC 27002:2022. Learn more about the new mappings on the CIS Controls Navigator or download them on CIS WorkBench.

The latest $1.5 trillion federal omnibus spending bill includes a significant boost in funding for the MS-ISAC to help U.S. SLTT governments improve their cybersecurity posture. In the bill, the MS-ISAC has received another $11 million, bringing the federal government’s total contribution to $38 million for the current fiscal year. The funding increase was proposed by Senate Majority Leader Chuck Schumer and Sen. Kirsten Gillibrand. The two Democrats from New York, where CIS is headquartered, requested the additional funding amid an increased threat of cyber attacks emanating from Russia in retaliation for economic sanctions imposed over its invasion of Ukraine. Read more about the new funding in StateScoop.

Verizon recently released its 2022 Data Breach Investigations Report (DBIR). As in years past, along with its findings on current threats and recommendations, the Verizon team includes mappings that help organizations crosswalk the attack patterns most relevant to them with the CIS Critical Security Controls and CIS Safeguards that protect against the attacks within those patterns. Within each industry section, organizations can find the Implementation Group 1 set of Controls that they can use as a starting point to improve their defenses based on the top patterns for that industry. Download the report at https://www.verizon.com/business/resources/reports/dbir/.
HOW BIG IS YOUR VULNERABILITY BLIND SPOT? SEE EVERYTHING ACROSS THE MODERN ATTACK SURFACE. Protect your organization and data from cyber attack. Use Tenable Risk Based Vulnerability Management solutions to implement and maintain CIS Controls.
Five Steps to Improve Your Cyber Defenses Today
Quick and effective cybersecurity tips to cut through the noise and help your organization kick off an effective cyber defense program
By Josh Moulin

A common theme I hear from information technology (IT) and cybersecurity professionals is that they are exhausted, burned out, and receiving a deluge of information each day about the newest novel cyber attack or next vulnerability that must be patched immediately. Many CIOs, CISOs, and other leaders express how difficult it is for them to cut through the immense volume of available information to find the few nuggets of actionable advice. Some are overwhelmed by the cybersecurity problems before them, not sure where to even get started or afraid that starting something rudimentary now may just be a waste of time because someday a new product or service will be implemented that will solve a security gap they’re facing. Allow me to suggest that it is okay to tackle a cybersecurity challenge by using a solution that may not be the best available answer to your problem. The best solutions often take time, money, expertise, and leadership support, all of which may or may not be available to you. As we have learned in Agile thinking, it is better to have an 80% solution next month than a 100% solution next year. Start small, but start now. You could be amazed at how small iterative changes to a cyber program can have a dramatic impact on your cybersecurity posture. With less-than-perfect solutions, your organization could be in a much better position than it was when you started.

It’s no surprise that in today’s landscape, the threat of serious and devastating cyber attacks continues to increase. Although CIS has not observed significant increases in attacks attributed to Russia in light of the war in Ukraine, our intelligence continues to indicate this heightened cyber threat activity may be a very real possibility due to our country’s sanctions against Russia and support to Ukraine. Our cyber threat intelligence (CTI) team has observed threat activity from Russia and Russian sympathizers targeting other countries as well as mis- and disinformation campaigns targeting the West. The geo-political tension puts an even finer point on the need to mature our cybersecurity. Currently, organizations can use the Critical Security Controls® (CIS Controls®) as a roadmap to implement controls based on their risk profile and requirements. Our team of seasoned experts
decided to take things one step further and look at what organizations can implement rapidly with little to no cost. Here are the top five things we recommend all organizations consider implementing.

Step 1: If you are a U.S. State, Local, Tribal, or Territorial (SLTT) organization, join the Multi-State Information Sharing and Analysis Center® (MS-ISAC®). It is free, takes only five minutes to do online, and instantly gives you access to a number of no-cost cybersecurity products and services provided in partnership with the Cybersecurity and Infrastructure Security Agency (CISA).

Step 2: Protect your organization with a Domain Name System (DNS) security solution. If you are an SLTT, use the no-cost Malicious Domain Blocking and Reporting (MDBR) service available from the MS-ISAC. It takes about 15 minutes to protect your organization with this solution. If you are not an SLTT, look at no-cost providers such as Quad9. A protective DNS resolver refuses to resolve known-malicious domains, cutting off connections between your network and an adversary’s infrastructure before they are made. It only covers traffic that uses your resolver, so block outbound DNS to other resolvers at the perimeter where you can.

Step 3: Enable multi-factor authentication (MFA) everywhere possible. This is an example of the less-than-perfect but effective solution you can implement right away. I understand it would be wonderful to have a full single sign-on (SSO) solution tied to Active Directory for all your applications, but how long is that going to take to implement? Why wait for that when Microsoft 365, Google Workspace, and so many other apps now offer MFA built in and for free? If a system offers MFA, turn it on without delay.

Step 4: Scan your environment and patch known vulnerabilities. Start by scanning your public-facing (connected to the public internet) systems. Focus your remediation efforts on vulnerabilities that are actually being exploited by using CISA’s Known Exploited Vulnerabilities (KEV) catalog. If you do not have a vulnerability scanning tool you can deploy, good open source tools exist. If you are not in a position to do this yourself, SLTTs and any private or public sector critical infrastructure organizations can request no-cost vulnerability scanning, web application scanning, and phishing assessments from CISA’s Cyber Hygiene (CyHy) program. SLTTs can also request scans from the MS-ISAC.

Step 5: Enable logging in the systems, devices, and applications you can and set up a log collection platform. This does not have to be complicated, and some logs are better than no logs. If you can only log firewall traffic, do so. If you can log firewalls, switches, routers, endpoints, Apache and IIS logs, and others, that is even better. Most systems have native syslog capabilities, and you can get started by simply pointing them to a log collection platform (such as a server running free Ubuntu Linux with rsyslog).

If you have taken the above steps and are looking for what to do next, make sure that you have an updated incident response plan, that your backups are tested and adequate for your organization’s restoration objectives, and that they can withstand a ransomware attack. CIS has more details about this on our website at cisecurity.org/russian-cyberattacks, and CISA has their Shields Up webpage with additional resources at cisa.gov/shields-up.

Recognized globally for his expertise in cybersecurity, Josh Moulin is the Senior Vice President of Operations & Security Services at CIS and has worked in cybersecurity since 2004. Prior to joining CIS, Moulin was an Executive Partner at Gartner and advised federal government and defense executives, a CIO and CISO within the U.S.
nuclear weapons complex, and a commander of an FBI cybercrimes taskforce. He holds a Master’s Degree in Information Security & Assurance and over a dozen certifications in digital forensics and cybersecurity.
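Step 4 above tells you to let the KEV catalog drive remediation order. The following is an added example of what that looks like in practice; it is not code from CIS or CISA. It ranks scanner findings so that KEV entries come first (most overdue against CISA's due date, internet-facing before internal), and only then falls back to raw CVSS. The feed URL in the docstring is the real one and the field names follow that feed, but KEV_EXCERPT and SCAN_FINDINGS are constructed sample data so the script runs offline; the due dates in the excerpt are illustrative and should come from the live feed.

```python
"""Triage vulnerability-scan findings against CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example for Step 4; not code from CIS or CISA. The live catalog is the JSON feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and the
field names used here (cveID, vendorProject, product, dateAdded, dueDate) follow that feed.
KEV_EXCERPT and SCAN_FINDINGS are constructed sample data so the script runs offline.
"""
import json
from datetime import date
from typing import Dict, List

# Constructed excerpt in the shape of the real feed. These CVE IDs are genuine KEV entries;
# the dates are illustrative and should be taken from the live feed in real use.
KEV_EXCERPT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
         "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
    ],
})

# Constructed scanner output: one row per host/CVE pair with the scanner's CVSS base score.
SCAN_FINDINGS = [
    {"host": "www.example.gov",   "cve": "CVE-2021-3711",  "cvss": 9.8,  "exposure": "internet"},
    {"host": "mail.example.gov",  "cve": "CVE-2021-34473", "cvss": 9.8,  "exposure": "internet"},
    {"host": "files.example.gov", "cve": "CVE-2017-0144",  "cvss": 8.1,  "exposure": "internal"},
    {"host": "apps.example.gov",  "cve": "CVE-2021-44228", "cvss": 10.0, "exposure": "internet"},
    {"host": "www.example.gov",   "cve": "CVE-2020-11022", "cvss": 6.1,  "exposure": "internet"},
]


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index the KEV feed by CVE ID so each finding is a single dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(findings: List[dict], kev: Dict[str, dict], today: date) -> List[dict]:
    """Order findings for remediation: KEV entries first (most overdue against CISA's
    due date first, internet-exposed before internal), then everything else by CVSS."""
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        row = dict(f, in_kev=entry is not None)
        if entry:
            row["kev_due"] = entry["dueDate"]
            row["days_past_due"] = (today - date.fromisoformat(entry["dueDate"])).days
        ranked.append(row)
    ranked.sort(key=lambda r: (
        not r["in_kev"],                 # KEV hits before everything else
        -r.get("days_past_due", 0),      # most overdue first
        r["exposure"] != "internet",     # internet-facing before internal
        -r["cvss"],                      # raw severity last
    ))
    return ranked


def triage(findings: List[dict], feed_json: str, today_iso: str) -> List[dict]:
    """Convenience wrapper: parse the feed and the reference date, then rank."""
    return prioritize(findings, load_kev(feed_json), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in triage(SCAN_FINDINGS, KEV_EXCERPT, "2022-06-01"):
        flag = f"KEV, due {row['kev_due']}" if row["in_kev"] else "not in KEV"
        print(f"{row['host']:<18} {row['cve']:<15} CVSS {row['cvss']:<4} {flag}")
```

Two points worth noting when you run this against a real scan. A CVSS 9.8 that is not in KEV lands below an 8.1 that is, which is exactly the re-ordering the article is asking for: exploitation in the wild outranks theoretical severity. And CISA's due dates are binding only on federal civilian agencies, but they are a sensible benchmark for anyone, and the feed changes often enough that the download should be part of the scan job rather than a one-off.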
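Step 5 above leaves the receiving end of "point them to a log collection platform" abstract. As an added example (not code from CIS or the author), here is that receiving end in miniature: a UDP syslog listener that decodes the RFC 3164 priority header into facility and severity and files each message under its source host, keeping anything it cannot parse rather than dropping it. SAMPLE_MESSAGES are constructed; the port (5514, unprivileged) and the spool directory are assumptions.

```python
"""Minimal syslog collector: parse RFC 3164 messages and file them per source host.

Added example for Step 5; not code from CIS. It stands in for the rsyslog server the
article suggests so that the moving parts are visible. SAMPLE_MESSAGES are constructed;
the listening port (5514) and the spool directory are assumptions.
"""
import re
import socketserver
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG  (RFC 3164 "BSD syslog" layout)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)

# Constructed sample lines, as a firewall, a Linux host and a switch might emit them.
SAMPLE_MESSAGES = [
    "<134>Jun  1 10:15:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 DPT=3389",
    "<38>Jun  1 10:15:03 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2",
    "<189>Jun  1 10:15:04 sw-core1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "<38>Jun  1 10:15:05 web01 sshd[4121]: Accepted publickey for ops from 192.0.2.10 port 50022 ssh2",
    "garbage without a PRI header",
]


def parse(line: str) -> Optional[Dict[str, str]]:
    """Decode one syslog line; return None for lines that are not RFC 3164 shaped.
    PRI packs facility and severity into one number: facility = PRI // 8, severity = PRI % 8."""
    m = RFC3164.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # 23 facilities * 8 severities - 1 is the maximum
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": m["pid"] or "",
        "msg": m["msg"],
    }


def file_messages(lines: Iterable[str], spool: Path) -> Counter:
    """Append each line to <spool>/<host>.log and return per-host counts. Lines that do
    not parse go to <spool>/unparsed.log so nothing is silently discarded."""
    spool.mkdir(parents=True, exist_ok=True)
    counts: Counter = Counter()
    for line in lines:
        rec = parse(line)
        name = rec["host"] if rec else "unparsed"
        with (spool / f"{name}.log").open("a", encoding="utf-8") as fh:
            fh.write(line.rstrip("\n") + "\n")
        counts[name] += 1
    return counts


class SyslogUDPHandler(socketserver.BaseRequestHandler):
    """One datagram is one message; file it under the configured spool directory."""
    spool = Path("/var/log/remote")    # assumed location; override before serving

    def handle(self) -> None:
        file_messages([self.request[0].decode("utf-8", "replace")], self.spool)


if __name__ == "__main__":
    SyslogUDPHandler.spool = Path("./remote-logs")          # assumption for a local demo
    with socketserver.UDPServer(("0.0.0.0", 5514), SyslogUDPHandler) as server:
        server.serve_forever()
```

On a real collector you would run rsyslog rather than this script: load the imudp or imtcp module and add an input on port 514 in a file under /etc/rsyslog.d/, and on each sender add a forwarding rule such as `*.* @@collector:514` (TCP) or `*.* @collector:514` (UDP). Whichever receiver you use, remember that classic syslog over UDP is unauthenticated and drops messages silently under load, so prefer TCP (and TLS where the sender supports it), and size the collector's disk and retention for the volume your firewalls alone will produce.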
The Growing Role of the Security Awareness Officer
As organizations look to improve their cybersecurity, those leading security awareness efforts must adapt to ensure staff has the knowledge to avoid potential attacks
By Lance Spitzner

The past few years have seen an explosion of interest in both the field of security awareness and the role of the security awareness officer. Even so, both this role and field are still very immature. As such, today we are going to help define what security awareness and the role of the security awareness officer are all about. Unlike other security fields like penetration testing or incident response that have been around for decades, awareness is a comparatively new, immature, and not yet fully defined field. In fact, the NIST NICE Cybersecurity Workforce taxonomy has yet to create or define a role for this field. Traditionally, when people discuss security awareness, they think of compliance or someone responsible for pushing out computer-based training (CBT) once a year as well as then tracking what percentage of the workforce took the training for audit/compliance purposes. This is an extremely outdated and no-longer-valid description. While compliance is still important, security awareness today is ultimately about managing human risk. Organizations can no longer take a purely technical approach to cybersecurity; we must also address the human element. In fact, the 2022 Verizon Data Breach Investigations Report (DBIR) identified that people were involved in over 82% of all breaches globally. This is why organizations endeavor to establish mature security awareness programs, to manage their human risk by changing organizational behavior. In fact, the most mature awareness programs go beyond just changing behavior and build a strong security culture with the metrics framework to demonstrate that change. Today’s security awareness officer goes far beyond just annual CBT. In many ways, they are experts in managing human risk, requiring skill sets and responsibilities to match.
Defining Awareness

First, what is a security awareness program? It is a structured approach to managing an organization’s human risk. You can gauge the maturity of an awareness program by aligning to a security awareness maturity model. Mature awareness programs that have moved beyond compliance and toward promoting awareness and behavior change manage human risk by answering three key questions in this order.

Human Risks: What are my top human risks? Not all human risk is manageable. As such, you must assess, identify, and prioritize your organization’s top human risks. This should be a data-driven process in partnership with key groups within security such as the Incident Response, Security Operations, Cyber Threat Intelligence, and Risk Management teams.

Behaviors: What are the key behaviors that most effectively manage those risks? Once again, we need to prioritize behaviors. The fewer behaviors we focus on, the more likely people will change those behaviors, and at a lower cost to your organization.

Change: How do we motivate and enable people to change those behaviors? One of my favorite behavior change models is the BJ Fogg Behavior Model.
Measurement Once you look at security awareness and managing human risk through this lens, it becomes much easier to identify what metrics you should be focusing on by measuring what you care about. What do you care about? Your top human risks and the behaviors that most effectively manage those risks. In the past, I’ve been hesitant to suggest to organizations exactly what risks and behaviors to focus on, as risks are often unique to each organization. However, in this article, I’m going to try and do just that. I’m doing this for two reasons. One, my concern is that too many organizations simply don’t have the
data or resources to identify their top human risks. As such, they don’t know where to start. Secondly, an overwhelming amount of research points to the same finding; that most organizations share the same top three human risks – phishing, passwords and updating. Let’s define these risks, the behaviors that manage these risks, and how to measure those behaviors.
Phishing

No matter the number of technical controls we throw at this problem, cyber attackers simply adapt and bypass them. As such, security awareness programs need to teach people how to identify and report these attacks. After people have been trained, measure their susceptibility to phishing attacks. Of our top human risks, this one is the simplest to measure.

Click Rates: Measure the overall click rate of your organization. When you first roll out phishing training, this number will drop fast, perhaps from a 20% click rate to less than 2% for more basic phishing templates. Once you are at around a 2-3% click rate, consider using more difficult or more targeted phishing templates.

Repeat Click Rates: For many organizations, this is their most valuable phishing metric, as it identifies those who are not changing behavior and points to a far greater risk to your organization.

Reporting Rates: People who report represent the most resilient of your workforce, as they are not only identifying attacks but also enabling the security team to respond and secure the entire organization more proactively. When measuring reporting rates, it’s not so much the number of people that report that is key but how fast your security team gets the first reports. The sooner people report a suspected incident, the faster the security team can respond and manage potential incidents.
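The three phishing metrics above all fall out of the same raw export: one row per recipient per campaign, with send, click and report timestamps. As an added example (not code from the author or SANS), the script below computes per-campaign click rate, reporting rate and minutes to first report, and then the cross-campaign repeat clickers. RESULTS is a constructed export and its column names are assumptions; adapt them to whatever your phishing platform produces.

```python
"""Phishing-simulation metrics from raw campaign results: click rate, reporting rate,
time to first report, and repeat clickers across campaigns.

Added example; not code from the author or SANS. RESULTS is a constructed export with
one row per recipient per campaign; the column names are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: ISO timestamps, or None where the recipient did not click / report.
RESULTS = [
    # Campaign 1: generic template
    {"campaign": "2022-Q1", "user": "alice", "sent": "2022-02-01T09:00:00", "clicked": "2022-02-01T09:04:00", "reported": None},
    {"campaign": "2022-Q1", "user": "bob",   "sent": "2022-02-01T09:00:00", "clicked": None, "reported": "2022-02-01T09:02:30"},
    {"campaign": "2022-Q1", "user": "carol", "sent": "2022-02-01T09:00:00", "clicked": "2022-02-01T09:10:00", "reported": None},
    {"campaign": "2022-Q1", "user": "dave",  "sent": "2022-02-01T09:00:00", "clicked": None, "reported": None},
    {"campaign": "2022-Q1", "user": "erin",  "sent": "2022-02-01T09:00:00", "clicked": None, "reported": "2022-02-01T09:07:00"},
    # Campaign 2: more targeted template, after training
    {"campaign": "2022-Q2", "user": "alice", "sent": "2022-05-02T09:00:00", "clicked": "2022-05-02T09:01:00", "reported": None},
    {"campaign": "2022-Q2", "user": "bob",   "sent": "2022-05-02T09:00:00", "clicked": None, "reported": "2022-05-02T09:12:00"},
    {"campaign": "2022-Q2", "user": "carol", "sent": "2022-05-02T09:00:00", "clicked": None, "reported": "2022-05-02T09:03:00"},
    {"campaign": "2022-Q2", "user": "dave",  "sent": "2022-05-02T09:00:00", "clicked": None, "reported": None},
    {"campaign": "2022-Q2", "user": "erin",  "sent": "2022-05-02T09:00:00", "clicked": None, "reported": "2022-05-02T09:31:00"},
]


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def campaign_metrics(rows: List[dict]) -> Dict[str, dict]:
    """Per campaign: click rate, reporting rate, and minutes from first send to first report.
    Time to first report is the number the article says matters most, since it bounds how
    quickly the security team can start pulling the message from other mailboxes."""
    by_campaign: Dict[str, List[dict]] = defaultdict(list)
    for r in rows:
        by_campaign[r["campaign"]].append(r)
    out: Dict[str, dict] = {}
    for name, recs in sorted(by_campaign.items()):
        sent = len(recs)
        clicks = sum(1 for r in recs if r["clicked"])
        reports = [_ts(r["reported"]) for r in recs if r["reported"]]
        first_send = min(_ts(r["sent"]) for r in recs)
        ttfr = (min(reports) - first_send).total_seconds() / 60 if reports else None
        out[name] = {
            "sent": sent,
            "click_rate": round(clicks / sent, 3),
            "report_rate": round(len(reports) / sent, 3),
            "minutes_to_first_report": ttfr,
        }
    return out


def repeat_clickers(rows: List[dict], threshold: int = 2) -> List[str]:
    """Users who clicked in at least `threshold` distinct campaigns: the population for
    whom generic training is not changing behaviour and who need a different approach."""
    campaigns_clicked: Dict[str, set] = defaultdict(set)
    for r in rows:
        if r["clicked"]:
            campaigns_clicked[r["user"]].add(r["campaign"])
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= threshold)


if __name__ == "__main__":
    for name, m in campaign_metrics(RESULTS).items():
        print(name, m)
    print("repeat clickers:", repeat_clickers(RESULTS))
```

Note that time to first report is measured from the campaign's send time, not from each individual's report, and that repeat clickers are counted across distinct campaigns rather than multiple clicks on one lure; both choices are what make the numbers comparable from quarter to quarter.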
Passwords

For several years now, passwords have continued to be a primary driver of breaches. As such, both strong passwords and the secure use of those passwords have become key.

Encourage Strong Passwords: Ensure people are adopting and using strong passwords. Length is the new entropy; passphrases are now highly encouraged. This can be tested by running brute force/cracking tools against your own password databases, with authorization and with the recovered passwords handled as sensitive data.

Password Manager Adoption: If your organization has deployed password managers, measure the adoption and use rate. What percentage of your workforce is using password managers? You should be able to pull this data from whichever department manages the password manager deployment.

Multi-Factor Authentication Adoption: Like password managers, if you have rolled out MFA, identify how much of your workforce has adopted it. MFA is especially important for critical or sensitive accounts.
Updating Of the three human risks we cover, this one may not apply to the role of the security awareness officer since end-user devices are actively patched by IT for some organizations. However, for many organizations, this is an issue, as so many people are now working remotely from home and are often using personal devices or home networks for work access. Your organization’s IT or Operations department will have several ways to measure this.
Summary Security awareness and training is an extremely exciting and fast-growing field. As organizations struggle to better understand and manage their human risk, the role of the security awareness officer will continue to expand in scope. The duties and metrics listed in this article are neither exhaustive nor perfect, but they represent a good starting point. Remember, you can’t measure everything; instead, successful security awareness officers prioritize measuring the most useful metrics. And to do that, you first need to know what your top human risks are and the behaviors that manage those risks. Lance Spitzner has more than 25 years of security experience in cyber threat research, security architecture, and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation of honeynets and his founding of the Honeynet Project. In addition, Spitzner has published three security books, consulted in more than 25 countries, and helped more than 350 organizations build security awareness and culture programs to manage their human risk. Spitzner is a frequent presenter and a serial tweeter (@lspitzner), and he works on numerous community projects. Before entering the information security field, Spitzner served as an armor officer in the U.S. Army’s Rapid Deployment Force and earned his MBA from the University of Illinois.
Connecting Cyber Risk to Business Risk
In collaboration with Foresight Resilience Strategies (4RS), CIS has developed a new analysis tool to help professionals solve the cyber risk to business risk challenge
By Aaron Piper

It's no secret that the increase in ransomware attacks poses a critical threat to business operations. These threats are also making it increasingly difficult for businesses to find adequate and affordable cyber insurance coverage. As a result, enterprise leaders around the world have tasked information security leaders with connecting cyber risk to business risk and quantifying the impact.

Collaboration Solves the Cyber Risk to Business Risk Challenge

Over the past year, the Center for Internet Security (CIS) and Foresight Resilience Strategies (4RS) – a consulting group known for building tools that quantify information risk in financial terms – have worked together to solve this issue. This collaboration has resulted in the CIS Controls Self Assessment Tool (CIS CSAT) Ransomware Business Impact Analysis tool. The tool helps organizations of all sizes conduct a rapid and inexpensive cyber risk self-assessment and present those findings in language that speaks to business executives. 4RS integrated the CIS Critical Security Controls (CIS Controls) v7.1 Implementation Group 1 (IG1) Safeguards, which are defined as essential cyber hygiene, into its risk models and simulations. They also integrated the CIS Community Defense Model (CDM) into the tool. The CDM found that IG1 provides mitigation against the top five attack patterns listed in the 2019 Verizon Data Breach Investigations Report (DBIR), including ransomware.

The Ransomware Business Impact Analysis tool applies scores for ransomware-related Controls to estimate an enterprise’s likelihood of being affected by a ransomware attack. Those who have already started an assessment using CIS-hosted CSAT can import the scores from that assessment.
Identifying the Impact of a Ransomware Attack on a Business
The tool will help users:
- Characterize and forecast the business impact of a ransomware incident should one occur
- Estimate the likelihood of a loss event in the coming 12 months based on their implementation of the CIS Controls
- Calculate the financial risk of an incident based on measures of impact and likelihood
- Make risk-informed decisions about their information security
- Better engage non-technical stakeholders in cyber risk management efforts
- Prioritize efforts and effectively allocate resources
Who Should Use the CIS CSAT Ransomware Business Impact Analysis Tool?

Cybersecurity professionals can use this tool to assess, report, and propose changes in Controls based on a return-on-investment analysis. Financial and operational business leads can better understand how the budget they have deployed to cybersecurity provides financial benefits in terms of concrete loss prevention. Board members can approach presentations and discussions of cyber risk in a way that's consistent with how they review reports on the company’s financial exposure for other risk categories. Stakeholders at all management levels can communicate about their cyber risk in a common framework and language.

The tool walks users through multiple loss categories, allowing potential financial impact ranges to be entered for each category and subcategory. These categories cover a variety of topics, including:
- Productivity Costs
- Response Costs
- Replacement Costs
- Legal Costs
- Competitive Advantage Costs
- Reputation Costs

The CIS CSAT Ransomware Business Impact Analysis tool helps organizations better understand how likely a ransomware attack might be for their organization and how impactful it might be if the organization were to suffer a ransomware attack. The reporting from the tool can be used to enhance the discussion on ransomware risk at an enterprise level, ultimately enabling organizations to better invest in protection against these attacks.
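To make concrete what "financial risk based on measures of impact and likelihood" means, here is an added illustrative simulation over the same six loss categories. It is not the CIS CSAT / 4RS model, whose likelihood scoring and simulation details are not described in this article: the dollar ranges, the base rate, and the linear mapping from IG1 Safeguard coverage to a 12-month likelihood are all constructed assumptions. What it does show is the shape of the calculation: a range per category, a probability that the incident happens at all, and a loss distribution rather than a single number.

```python
"""Illustrative ransomware loss-exposure simulation over per-category impact ranges.

Added example; this is NOT the CIS CSAT / 4RS model. The category ranges, base rate and
the mapping from IG1 Safeguard coverage to likelihood are constructed assumptions.
"""
import random
from typing import Dict, List, Tuple

# Constructed impact ranges in dollars as (minimum, most likely, maximum) per category.
LOSS_CATEGORIES: Dict[str, Tuple[float, float, float]] = {
    "Productivity": (50_000, 200_000, 900_000),
    "Response": (20_000, 80_000, 300_000),
    "Replacement": (10_000, 40_000, 150_000),
    "Legal": (0, 25_000, 400_000),
    "Competitive Advantage": (0, 10_000, 250_000),
    "Reputation": (0, 50_000, 600_000),
}


def likelihood_from_coverage(ig1_coverage: float, base_rate: float = 0.30, floor: float = 0.03) -> float:
    """Assumed mapping: a 12-month ransomware likelihood that falls linearly from the base
    rate at 0% IG1 Safeguard coverage to a floor at 100% coverage. Replace with your own
    calibrated estimate; the point is only that likelihood is an input, not a constant."""
    if not 0.0 <= ig1_coverage <= 1.0:
        raise ValueError("coverage must be a fraction between 0 and 1")
    return base_rate - (base_rate - floor) * ig1_coverage


def _percentile(sorted_values: List[float], p: float) -> float:
    """Nearest-rank percentile on an already sorted list; 0.0 for an empty list."""
    if not sorted_values:
        return 0.0
    return sorted_values[min(len(sorted_values) - 1, int(p * len(sorted_values)))]


def simulate(categories: Dict[str, Tuple[float, float, float]], likelihood: float,
             trials: int = 20_000, seed: int = 1) -> Dict[str, float]:
    """Monte Carlo: in each trial the incident occurs with probability `likelihood`; if it
    does, every category is drawn from a triangular distribution and the draws are summed.
    Expected annual loss averages over all trials (zero-loss years included); the
    percentiles describe the loss given that an incident happens."""
    rng = random.Random(seed)
    losses: List[float] = []
    for _ in range(trials):
        if rng.random() >= likelihood:
            losses.append(0.0)
            continue
        losses.append(sum(rng.triangular(lo, hi, mode) for lo, mode, hi in categories.values()))
    incident = sorted(x for x in losses if x > 0)
    return {
        "likelihood": likelihood,
        "expected_annual_loss": sum(losses) / trials,
        "incident_p50": _percentile(incident, 0.50),
        "incident_p90": _percentile(incident, 0.90),
        "max_possible": sum(hi for _, _, hi in categories.values()),
    }


if __name__ == "__main__":
    for coverage in (0.2, 0.6, 1.0):
        r = simulate(LOSS_CATEGORIES, likelihood_from_coverage(coverage))
        print(f"IG1 coverage {coverage:.0%}: likelihood {r['likelihood']:.1%}, "
              f"expected annual loss ${r['expected_annual_loss']:,.0f}, "
              f"incident p50 ${r['incident_p50']:,.0f}, p90 ${r['incident_p90']:,.0f}")
```

Running it for several coverage levels gives exactly the kind of comparison the tool is meant to support: the same impact ranges, a likelihood that moves with the Safeguards you implement, and a resulting expected annual loss that can be set against the cost of closing the gap. The p90 figure is the one to bring to an insurance or board conversation, since a median understates the tail that keeps cyber insurers cautious.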
How to Use the Report
- Promote discussion, understanding, and consensus among stakeholders on the estimated business impact of a successful ransomware attack as well as the importance and value of mitigating the risk of such an event.
- Integrate cybersecurity risk management into the overall risk management and risk governance processes by quantifying it in financial terms.
- Prioritize the implementation of additional Safeguards.
- Provide a defensible financial risk analysis to support sound resource allocation decisions.

Take the first step in assessing your organization's cyber risk and access the Business Impact Analysis Quick Start Guide.

Aaron Piper is a Senior Cybersecurity Engineer at the Center for Internet Security (CIS). He focuses on automation, tooling, and measurement efforts for the CIS Critical Security Controls (CIS Controls), and he is the Product Owner for the CIS Controls Self Assessment Tool (CIS CSAT). Prior to working at CIS, Piper worked in cybersecurity for the federal government for more than a decade.
New Guidance for Securing Cloud Environments
Our new guide helps to connect the security best practices contained in the CIS Controls and the security concerns that arise when migrating to the cloud
By Gregory Carpenter and Robin Regnier

Cloud computing is poised to drive organizations' digital strategies over the coming years. According to Gartner, more than 85% of organizations will embrace a "cloud-first principle" by 2025. The same proportion said they'll look to cloud technologies to deliver on their business goals going forward. Along the way, they'll need to consider the challenges of securing the cloud. Asset visibility, data protection, and other security functions become more complex when organizations don't own an environment's underlying physical infrastructure. Attackers know that organizations are struggling to navigate these complexities on their own. This explains why external cloud assets were more prevalent than on-premises resources in both incidents and breaches for 2021, as Verizon found in its Data Breach Investigations Report (DBIR).

Security Best Practices in the Cloud

While many of the core security concerns of enterprise IT systems are shared within cloud environments, the main challenge in applying best practices is tied to the fact that these systems typically operate software and hardware under different assumed security responsibilities. Organizations don't need to go it alone in their cloud security efforts. In fact, they can use a familiar set of best practices to create secure cloud environments. Working with an army of global adopters and cybersecurity experts, the CIS Critical Security Controls (CIS Controls) team has created a cloud security companion guide to help organizations secure their cloud-based assets. The CIS Controls v8 Cloud Companion Guide explains how to map and implement relevant CIS Safeguards in a cloud environment using consensus-developed best practices.
Cloud Challenge: Sharing the Responsibility
One of the main challenges in applying best practices to cloud environments is that these systems operate under assumed security responsibilities that differ from those of traditional on-premises environments. Security responsibility is usually shared between the cloud consumer and the cloud provider, and where the split falls depends on the service model. In the Guide, we identify who is responsible for the cloud security tasks outlined in the Safeguards. These duties are specific to the four most common cloud service models:
IaaS (Infrastructure-as-a-Service)
PaaS (Platform-as-a-Service)
SaaS (Software-as-a-Service)
FaaS (Function-as-a-Service)
Throughout this Guide, we consider the unique mission and business requirements found in cloud environments. We also examine unique risks (vulnerabilities, threats, consequences, and security responsibilities) to cloud environments. These risks drive the priority of enterprise security requirements (e.g., availability, integrity, and confidentiality of data). Using the CIS Controls v8 Cloud Companion Guide, the consumer will have the tools they need to tailor the CIS Controls in the context of a specific IT/OT cloud environment. It’s an essential starting point for those who wish to conduct a security improvement assessment and create a corresponding map for the road ahead.
Securing the Connected World
Advancements in cloud technologies have brought people together in new and exciting ways. The key to creating secure cloud environments comes from the community, too – specifically, bringing experts together to create consensus-developed resources like the CIS Controls companion guides. We are deeply grateful for the volunteers who helped develop the CIS Controls v8 Cloud Companion Guide. We hope our resources help your enterprise bolster its defenses. Ensure your organization's cloud-based assets are secure and download the CIS Controls v8 Cloud Companion Guide.
Robin Regnier serves as the Controls Coordinator for the Center for Internet Security (CIS). In this role, she serves as project coordinator for the Controls Team, promotes and furthers the adoption of the CIS Critical Security Controls (CIS Controls), and performs active outreach to CIS's global community of volunteers and adopters.
Gregory Carpenter is currently a Security Partner Strategist on the AWS Security and Compliance Acceleration Team helping partners and customers meet their security and authorization needs, whether it be architecting, configuring, deploying, or integrating tools and controls. Throughout his career, Carpenter has excelled at partner and customer communication and security and compliance support. Prior to AWS, he spent four years at CIS helping members and non-members as they navigated their own cybersecurity strategy with a focus on cloud cybersecurity products and strategy for the global community. In his previous life, his work included over 15 years as a federal, state, and DoD Datacenter System Administrator. Carpenter has also contributed to several CIS Benchmarks, along with the latest version of the CIS Critical Security Controls. When his head is not in the Cloud, he enjoys time with his family, time on his Harley, ice hockey, lacrosse, and mountain biking.
Jumpstart Your Security Program with Essential Cyber Hygiene
Our new resource to assist U.S. State, Local, Tribal, and Territorial (SLTT) organizations apply the CIS Safeguards in Implementation Group 1 (IG1) to their environments
By Valecia Stocchetti
Many cyber attacks can be attributed to a lack of good cyber hygiene. Failing to patch known vulnerabilities, poor configuration management, and inefficient management of administrative privileges are just some ways to invite risks into an enterprise's network that can put day-to-day and long-term operations in jeopardy. These failures primarily trace back to the complexity of modern systems management and "The Fog of More" – an overload of defensive support (i.e., more options, more tools, more knowledge, more advice, and more requirements, but not always more security).
Bringing Essential Cyber Hygiene into Focus
To prevent teams from getting overwhelmed, any large-scale cybersecurity program needs a way to bring focus to the most effective and fundamental things that need to be done. They need to practice essential cyber hygiene. The Center for Internet Security (CIS) defines essential cyber hygiene as Implementation Group 1 (IG1) of the CIS Critical Security Controls (CIS Controls). Essential cyber hygiene is the foundation for any good cybersecurity program and represents a minimum standard of information security for all enterprises. CIS and its divisions, the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC), have taken the notion of essential cyber hygiene one step further with the release of Establishing Essential Cyber Hygiene. The guide provides an overview of each Safeguard in IG1 and explains why they are important to implement. Supplementary resources, tools, and policy templates are also included in the Guide. Additionally, the Guide aligns with the MS-ISAC's Nationwide Cybersecurity Review (NCSR) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to help organizations measure their security improvements against their peers using industry-leading recommendations.
Getting Started with Essential Cyber Hygiene
When tasked with implementing a cybersecurity program, many enterprises ask “How do we get started?” The answer is simple: start with essential cyber hygiene. IG1 of the CIS Controls consists of a foundational set of 56 Safeguards that defend against the most common cyber attacks. IG1 consists of Safeguards that are least costly and least difficult to implement. As such, we assert that every enterprise should deploy IG1's Safeguards. Applying all of the Safeguards listed in IG1 will help thwart general, non-targeted attacks and strengthen an enterprise’s security program. IG2 and IG3 build upon IG1, which is the on-ramp to the CIS Controls. By defining IG1 as essential cyber hygiene, we're able to specify tools that can implement these essential security actions, use measurements to track an enterprise's progress or maturity, and leverage reporting to manage an enterprise improvement program. IG1 is not just another list of good things to do; it is an essential set of steps that provides a viable defense against the top attacks – malware, ransomware, web application hacking, insider and privilege misuse, and targeted intrusions – that are outlined in the CIS Community Defense Model (CDM) v2.0. CDM data backs the premise that all enterprises should start with essential cyber hygiene, or IG1, as a way to defend against these top five attack types. Ready to find out more on how to jumpstart your cybersecurity program? Download our Establishing Essential Cyber Hygiene guide.
Valecia Stocchetti is a Senior Cybersecurity Engineer for the Center for Internet Security (CIS). Stocchetti came to CIS from the eCommerce field, where she worked complex financial fraud cases. She is a graduate of the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Stocchetti worked in the MS- and EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements. In her current role, she works with various attack models and data, including the MITRE Enterprise ATT&CK framework, to help validate and prioritize the CIS Controls. Stocchetti holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC).
CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 3 (IG3)
The CIS Security Best Practices team has released the next cyber risk assessment resource in its series for CIS RAM v2.1 to help organizations implement our security best practices
By Valecia Stocchetti
Laws, regulations, and information security standards all tell us to demonstrate “reasonable” security. However, a breach should not be the first time we try to define “reasonableness.” If you do suffer a breach and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language that judges use to describe "reasonableness." If a court ruling finds you failed to demonstrate due care, you could be subject to significant non-compliance penalties, legal fees, and/or other fines.
Using Risk Assessments
Enterprises can use a risk assessment to demonstrate which controls are "reasonable" to implement, meaning that they've done their due diligence and taken sufficient care to protect themselves and their concerned parties against a breach. But it can be challenging to know where to start. This is where the Center for Internet Security Risk Assessment Method (CIS RAM) v2.1 can help. CIS RAM v2.1 is an information risk assessment method designed to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls) – all while keeping relevant risks and business needs in mind. It's also designed to be consistent with more formal security frameworks and their associated risk assessment methods. When using CIS RAM v2.1, enterprises begin by defining their acceptable level of risk and then managing that risk after implementing the CIS Controls. Few enterprises can apply all Controls to all of their environments and information assets, however. While some Controls offer effective security, they may do so at the cost of necessary efficiency, collaboration, utility, productivity, or available budget and other resources. Fortunately, CIS RAM v2.1 provides three different approaches to support enterprises at three levels of capability that align with the CIS Controls' Implementation Groups (IGs) – IG1, IG2, and IG3. IG3 Safeguards assist enterprises with IT security experts who are experienced in securing sensitive and confidential data. They aim to prevent and/or lessen the impact of sophisticated attacks. The third document in the CIS RAM v2.1 family, CIS RAM v2.1 for IG3, is now available for download. It will help enterprises in IG3 to build and improve upon their cybersecurity program and demonstrate that the risk is reasonable to the enterprise and appropriate to other parties if and when a breach occurs.
What to Expect in CIS RAM v2.1 for IG3
Enterprises may conduct risk assessments in a variety of ways. They may focus initially on implementing recommended CIS Controls to identify vulnerabilities within a given scope, determining how well they've protected those assets using the CIS Controls, or addressing known threats to see how they would play out in an environment. Risk assessments may also vary in methodology depending on whether they're using quantitative analysis (purely numerical representations of risk) or qualitative analysis (ranked value statements). CIS RAM for IG3 is specifically designed to help enterprises conduct a risk assessment if they have expertise in developing, managing, and configuring systems, applications, and networks as well as if they are capable of modeling threats against those systems. It also supports enterprises that understand how to configure and manage asset classes as well as evaluate how different threats create different risks. It does this by integrating the five attack types – ransomware, malware, web application hacking, insider and privilege misuse, and targeted intrusions – from the CIS Community Defense Model (CDM), thereby helping enterprises assess their risk against the most common types of attacks.
What's more, CIS RAM for IG3 assists enterprises by significantly automating risk estimations and threat models. It reduces the complexity of risk analysis by providing:
A simplified format for stating an enterprise’s Impact Criteria and range of magnitudes of Impact that you or others may suffer
Guidance for stating your enterprise’s Risk Acceptance Criteria
A fixed definition for Expectancy Criteria
A simplified Risk Register
Automated Expectancy calculation based on the commonality of reported threats and the maturity of the enterprise’s Safeguards
Mapping to the CDM to assist in threat modeling
CIS RAM v2.1 for IG3 uses v8 of the CIS Controls and comes with a workbook and a corresponding guide.
These documents help readers accomplish their risk assessments and include examples, templates, exercises, background material, and further guidance on risk analysis techniques. While CIS RAM for IG3 is the last major document to be released, we are actively working on developing other CIS RAM modules that can help supplement the risk assessment process. For those interested in helping with these efforts, contact us at controlsinfo@cisecurity.org.
CIS RAM Core
CIS RAM is made up of a family of documents. The foundation of all of these documents is CIS RAM Core. CIS RAM Core is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM. CIS RAM uses the Duty of Care Risk Analysis (DoCRA) standard. It presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals, creating a “universal translator” for these disciplines. The standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their enterprise and that function as the core tenets upon which the CIS RAM family of documents is built. Enterprises that use CIS RAM for IG3 and CIS RAM Core can then develop a plan and set expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets. CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years, receiving positive feedback from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS first collaborated to bring the methods to the public as CIS RAM v1.0 in 2018 and now v2.1 in 2021-2022. For its part, CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard upon which CIS RAM is built.
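As an added illustration (this is not CIS RAM's workbook, nor code from CIS or HALOCK), the following Python sketches the mechanics the two sections above describe: a simplified Risk Register that scores each risk as Impact multiplied by Expectancy, a Risk Acceptance Criterion expressed as a maximum acceptable score, a toy expectancy estimate driven by threat commonality and Safeguard maturity, and a due-care test of a candidate Safeguard. The 1 to 5 scales, the score-of-9 threshold, the expectancy formula, the sample payroll-server risks, and the residual and burden scores attached to the Safeguards are all assumptions constructed for this example; only the five CDM attack types and the CIS Controls v8 Safeguard identifier 11.4 (isolated recovery data) come from the page or the Controls themselves. The reasonableness test follows the DoCRA idea that a Safeguard must bring risk within acceptance criteria without being more burdensome than the risk it reduces; consult the CIS RAM documents for the actual criteria and scoring.

```python
from dataclasses import dataclass

# Assumed scales for this example (CIS RAM lets each enterprise define its own):
# Impact and Expectancy are scored 1-5, risk = Impact x Expectancy, and the
# Risk Acceptance Criterion is "a score of 9 or less is acceptable".
ACCEPTABLE_RISK = 9


@dataclass(frozen=True)
class Risk:
    asset: str
    attack_type: str   # one of the five CDM attack types named in the article
    impact: int        # 1-5, per the enterprise's Impact Criteria
    expectancy: int    # 1-5, per the Expectancy Criteria

    @property
    def score(self) -> int:
        return self.impact * self.expectancy

    @property
    def acceptable(self) -> bool:
        return self.score <= ACCEPTABLE_RISK


@dataclass(frozen=True)
class Safeguard:
    cis_safeguard: str        # CIS Controls v8 Safeguard identifier (or "hypothetical")
    residual_expectancy: int  # expectancy once the safeguard is in place (1-5)
    burden_impact: int        # what the safeguard costs the enterprise (1-5)
    burden_expectancy: int    # how surely that cost is incurred (1-5)

    @property
    def burden(self) -> int:
        # The safeguard's own "risk" to the enterprise, scored the same way as a threat
        return self.burden_impact * self.burden_expectancy


def expectancy(threat_commonality: int, safeguard_maturity: int) -> int:
    """Toy stand-in for an automated expectancy estimate: how common the threat is
    in reported incidents (1-5) reduced by how mature the relevant Safeguards are
    (0-4), clamped to the 1-5 scale. The real CIS RAM for IG3 workbook formula is
    not reproduced here; this is an assumption for the example."""
    return max(1, min(5, threat_commonality - safeguard_maturity))


def residual_risk(risk: Risk, sg: Safeguard) -> int:
    """Risk score that remains once the safeguard is applied (impact is unchanged)."""
    return risk.impact * sg.residual_expectancy


def is_reasonable(risk: Risk, sg: Safeguard) -> bool:
    """Due-care test (assumed reading of the DoCRA principle): the safeguard must
    bring the risk within acceptance criteria, its own burden must itself be
    acceptable, and it must not be more burdensome than the risk it reduces."""
    return (residual_risk(risk, sg) <= ACCEPTABLE_RISK
            and sg.burden <= ACCEPTABLE_RISK
            and sg.burden < risk.score)


def risk_register(risks):
    """Simplified Risk Register: every risk, scored, unacceptable ones first."""
    return sorted(risks, key=lambda r: (r.acceptable, -r.score))


# Constructed sample: one payroll server assessed against the five CDM attack types.
# The commonality and maturity inputs are invented for the example.
RISKS = [
    Risk("payroll server", "ransomware", 5, expectancy(5, 1)),                  # 5 x 4 = 20
    Risk("payroll server", "malware", 4, expectancy(5, 3)),                     # 4 x 2 = 8
    Risk("payroll server", "web application hacking", 4, expectancy(4, 0)),     # 4 x 4 = 16
    Risk("payroll server", "insider and privilege misuse", 3, expectancy(3, 1)),  # 3 x 2 = 6
    Risk("payroll server", "targeted intrusion", 5, expectancy(2, 1)),          # 5 x 1 = 5
]

# Two candidate safeguards for the ransomware line. 11.4 is the real v8 Safeguard for
# an isolated instance of recovery data; the residual and burden scores are invented.
ISOLATED_BACKUPS = Safeguard("11.4", residual_expectancy=1, burden_impact=2, burden_expectancy=3)
AIR_GAP_EVERYTHING = Safeguard("hypothetical", residual_expectancy=1, burden_impact=5, burden_expectancy=5)

if __name__ == "__main__":
    for r in risk_register(RISKS):
        flag = "ok" if r.acceptable else "UNACCEPTABLE"
        print(f"{r.attack_type:30} impact={r.impact} expectancy={r.expectancy} score={r.score:2} {flag}")
    ransomware = RISKS[0]
    print("11.4 isolated recovery data reasonable:", is_reasonable(ransomware, ISOLATED_BACKUPS))
    print("air-gap everything reasonable:", is_reasonable(ransomware, AIR_GAP_EVERYTHING))
```

Running the block lists the two unacceptable lines (ransomware and web application hacking) at the top of the register and shows why the second candidate fails: it does reduce the ransomware risk to an acceptable 5, but its own burden (25) exceeds both the acceptance threshold and the risk it addresses, so under the due-care test it is not a reasonable safeguard even though it is the more "secure" option.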
Taking the Next Step Toward Reasonable Security
Ready to conduct a cyber risk assessment? Download CIS RAM v2.1 for IG3 for step-by-step processes, example walk-throughs, and more. It’s free for any enterprise to use to conduct a cyber risk assessment.
Join the CIS RAM Community on CIS WorkBench.
Watch the recording of our CIS RAM v2.1 for IG3 workshop.
Questions about CIS RAM? Email controlsinfo@cisecurity.org with any questions you might have.
Valecia Stocchetti is a Senior Cybersecurity Engineer for the Center for Internet Security (CIS). Stocchetti came to CIS from the eCommerce field, where she worked complex financial fraud cases. She is a graduate of the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Stocchetti worked in the MS- and EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements. In her current role, she works with various attack models and data, including the MITRE Enterprise ATT&CK framework, to help validate and prioritize the CIS Controls. Stocchetti holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC).
Cyberside Chat This Quarter's Topic: Threat-Informed Preparation By Sean Atkinson, Chief Information Security Officer, CIS
Organizations throughout the world deal with risk every day. Risk is inherent in doing business, and if any part of that business has a connection to the internet, you inherit those risks. Over time, security controls have been designed and built to treat this risk as a mitigation against external threats. Several factors are required to make sure that the risk treatment strategy is working. The first is to audit and assess the control. Is it working as expected? Has it been updated to address new threats (if the control has that capability)? What is the maintenance schedule, and are patching cycles part of the device’s lifecycle within your organization? Following this assessment of the control's status is a second assessment of the control's effectiveness. Have recent technologies or changes in organization or security strategy opened new opportunities to rip and replace, or do modules exist to provide extended functionality? This assessment is not the same as the “new shiny toy” that will fix all security controls and reduce your risk to nil. The assessment is strategic. Have we applied the right control to reduce our risk to an acceptable level? Thinking about this from a business perspective will also address the control's benefit in terms of business impact analysis. Looking through the business lens at how controls support performing business functions is a critical element in building the right controls for the right purpose. Controls should be instantiated with the business in mind. Restrictive controls that impede the business are neither the goal nor the solution to risk mitigation. Security controls should attach to a business process and be applied as protection; they should not prevent the business from functioning. That said, security controls are not meant to be weak and allow any activity. Fit for purpose is the objective: they protect and prevent risk from occurring, but they must do so without sacrificing business functionality, so a balance needs to be reached. Taking these elements into account, the recommended next stage is for risk mitigations to be informed by threats. As an example, looking at the Verizon Data Breach Investigations Report (DBIR) and reviewing a specific industry vertical and the attack techniques employed against it is a good place to start. Why prioritize the implementation of a control if it does not address your industry's greatest risk? If web application attacks are the most common attack vector, use this information to strategically review and assess your current controls. Looking at the attack methods through the lens of the MITRE ATT&CK framework can provide insights into advanced persistent threat (APT) group attack patterns along with the tactics that are being used. Threat-informed approaches allow specific consideration of risks and let you review your approach to building security controls against adversarial threats. The caveat is that you do not focus on a single attack pattern; a comprehensive approach to security is required. The best example is following Implementation Group 1 (IG1) of the CIS Critical Security Controls (CIS Controls). Threat-informed assessments provide you with guidance on where dollars should be spent to have a greater probability of reducing your risk and thwarting attackers.
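To make the threat-informed prioritization described above concrete, here is an added Python example (not code from CIS, the DBIR, or the ATT&CK project). It takes observed technique counts for one industry vertical and a mapping from CIS Safeguards to the ATT&CK techniques they mitigate, then ranks the Safeguards greedily by how much not-yet-addressed observed volume each one covers, reporting cumulative coverage so that no single attack pattern is mistaken for the whole picture. The counts are constructed for the example, and the Safeguard-to-technique mapping is an illustrative assumption rather than the CIS Community Defense Model's published mapping; the ATT&CK technique IDs and the abbreviated CIS Controls v8 Safeguard titles are real.

```python
from collections import Counter

# Constructed sample: technique counts observed against one industry vertical over a
# reporting period. The numbers are made up for this example (the DBIR publishes
# patterns per industry); the ATT&CK technique IDs are real.
OBSERVED = Counter({
    "T1190": 40,  # Exploit Public-Facing Application
    "T1566": 30,  # Phishing
    "T1078": 25,  # Valid Accounts
    "T1486": 20,  # Data Encrypted for Impact
    "T1110": 12,  # Brute Force
    "T1059": 8,   # Command and Scripting Interpreter
})

# Illustrative Safeguard -> technique mapping. The IDs and short titles are CIS
# Controls v8 Safeguards, but which techniques each one mitigates is an assumption
# made for this example, not the mapping in the CIS Community Defense Model.
SAFEGUARD_COVERS = {
    "7.4 automated application patching": {"T1190"},
    "6.3 MFA for externally-exposed apps": {"T1078", "T1110"},
    "5.2 unique passwords": {"T1110"},
    "14.2 social engineering awareness": {"T1566"},
    "10.1 anti-malware": {"T1059", "T1486"},
    "11.4 isolated recovery data": {"T1486"},
}


def _techniques(covers, chosen):
    return set().union(*(covers[s] for s in chosen)) if chosen else set()


def coverage(observed, covers, chosen):
    """Share of observed technique volume addressed by the chosen safeguards."""
    total = sum(observed.values())
    return sum(observed[t] for t in _techniques(covers, chosen)) / total if total else 0.0


def prioritize(observed, covers):
    """Greedy, threat-informed ordering: repeatedly pick the safeguard that addresses
    the most observed volume not yet covered (ties broken by name). Returns
    (safeguard, marginal_gain, cumulative_fraction) tuples; safeguards that add
    nothing beyond earlier picks are left out, which is the signal to revisit the
    mapping rather than to skip them outright."""
    total = sum(observed.values())
    covered, plan, remaining = set(), [], dict(covers)
    while remaining:
        def gain(item):
            return sum(observed[t] for t in item[1] - covered)
        name, techniques = min(remaining.items(), key=lambda kv: (-gain(kv), kv[0]))
        g = gain((name, techniques))
        if g == 0:
            break
        covered |= techniques
        plan.append((name, g, round(sum(observed[t] for t in covered) / total, 3)))
        del remaining[name]
    return plan


def unaddressed(observed, covers, chosen):
    """Observed techniques that none of the chosen safeguards maps to: the blind spots
    a single-pattern focus would leave open."""
    techniques = _techniques(covers, chosen)
    return sorted(t for t in observed if t not in techniques)


if __name__ == "__main__":
    for name, gain, cumulative in prioritize(OBSERVED, SAFEGUARD_COVERS):
        print(f"{name:40} +{gain:3}  cumulative {cumulative:.0%}")
    top = ["7.4 automated application patching"]
    print(f"top safeguard alone covers {coverage(OBSERVED, SAFEGUARD_COVERS, top):.0%};",
          "still unaddressed:", unaddressed(OBSERVED, SAFEGUARD_COVERS, top))
```

On the constructed data the web application patching Safeguard ranks first, as the article's "web application attacks are the most common vector" scenario suggests, yet it covers under a third of observed volume on its own; the cumulative column is what keeps the review from stopping at one attack pattern. Replace the constructed counts with your own incident or DBIR-derived figures and the mapping with the CDM's published one to use the same ranking on real inputs.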
ISAC Update
By Paul Hoffman, Director of Stakeholder Engagement & Partnerships, MS-ISAC
I am writing this after returning from the first in-person CIS annual full staff meeting since the onset of COVID-19 in early 2020. The future is indeed bright for our MS- and EI-ISAC members and partners. After a long hiatus of connecting in-person with colleagues, our meeting this week was energizing and filled with new ideas and directions to help our state, local, tribal, and territorial government members and further advance our mission. It is a very exciting time to be part of the ISACs! In pure numbers, membership growth continues apace. The MS-ISAC continues its rapid growth with over 13,600 member organizations to date. We are also continuing to work more closely with our partners at the Cybersecurity and Infrastructure Security Agency (CISA) on outreach to our constituents, both from a new member standpoint and enhancing our current members' cyber maturity.
Of course, we continue to offer our Virtual Service Reviews (VSRs) to the membership to help fine-tune the services and benefits derived from being part of our organization. If you are interested in scheduling a VSR and taking a look under the hood of your MS- or EI-ISAC membership with our team, please reach out to info@msisac.org. The EI-ISAC continues to grow its membership, as well. It is working closely with the community regarding our current elections and in preparation for the November midterms. The challenges are there, but the EI-ISAC is well positioned to overcome them. They have been hard at work, not only helping to protect our nation's critical election infrastructure but also promoting membership and taking every opportunity to inform and educate the community at large about the importance of cybersecurity as we approach the 2022 midterm elections. The EI-ISAC stands ready to help our election community with their cybersecurity needs. The MS- and EI-ISACs are membership-based organizations that work at the behest and to the benefit of our members. Our members define us and guide us, and we thank you for all of your efforts! Become involved, volunteer for our working groups, make your thoughts known, tell us your concerns, and allow us to wield the power of over 13,000 U.S. SLTT communities, from the smallest school districts to the largest states, to benefit us all. Please feel free to reach out to me (paul.hoffman@cisecurity.org) with your thoughts. They are always welcome. Enjoy your summer knowing that the MS- and EI-ISACs are your trusted partners in the prevention, protection, response, and recovery from cyber incidents. Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to your colleagues. We are stronger and more connected than ever before!
Upcoming Events
July
July 7 – 10
The National Association of Secretaries of State (NASS) will host its 2022 NASS Summer Conference at Hilton Baton Rouge Capital Center in Baton Rouge, Louisiana. Secretaries of State from around the United States will gather together to network, share knowledge, and learn from their peers. Senior Director of the EI-ISAC Marci Andino will lead a session at the conference on misinformation reporting. Learn more at https://www.nass.org/events/nass-2022-summerconference.
July 18 – 19
Midwest Tech Talk 2022 will take place at the Osage High School in Osage Beach, Missouri. The event will bring together K-12 technology leaders and professionals from around the region to network and learn about the latest industry trends from subject matter experts. MS-ISAC Senior Program Specialist Michelle Nolan will lead a session on cybersecurity resources for K-12 schools. Learn more at https://www.midwesttechtalk.com/.
July 19
Cyber Security Summit: Philadelphia will take place at the Marriott Philadelphia Downtown, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/philadelphia22/.
July 19 – 21
The National Association of State Election Directors (NASED) will host its 2022 NASED Summer Conference in Madison, Wisconsin. State election officials from across the country will gather together to hear from colleagues and other stakeholders on the latest developments and difficulties facing election and voter registration administrators in 2022 as well as discover resources and solutions to
current challenges. Learn more at https://www.nased.org/2022conf.
July 21 – 24
The National Association of Counties (NACo) will host its 2022 NACo Annual Conference and Exposition at the Gaylord Rockies Resort and Convention Center in Aurora, Colorado. The event is the largest meeting of elected and appointed county officials from across the country. Participants from counties of all sizes will come together to shape NACo's federal policy agenda, share proven practices, and strengthen knowledge networks to help improve residents’ lives and the efficiency of county government. The MS-ISAC team will be on the show floor, sharing our resources for county governments. Learn more at https://www.naco.org/events/2022-naco-annual-conference.
July 26 – 27
AWS re:Inforce will take place at the Boston Convention and Exhibition Center in Boston, Massachusetts. AWS re:Inforce is a learning conference focused on security, compliance, identity, and privacy. The conference features access to hundreds of technical and business sessions, an AWS Partner expo, a keynote featuring AWS Security leadership, and more. At the event, CIS Senior Director of Controls Phyllis Lee and AWS Senior Manager for Security and Compliance Partners Tim Sandage will co-lead a breakout session on raising your security posture with the CIS Critical Security Controls and CIS Benchmarks, and CIS Product Owner for Benchmarks and Cloud Mia LaVada will lead a partner theater session on cloud security fundamentals. The CIS team will also be on the show floor at Booth 320 sharing our cloud security resources with attendees. Learn more at https://reinforce.awsevents.com/.
July 28
Cyber Security Summit: DC Metro will take place at the Ritz-Carlton, Tysons Corner, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. CIS CISO Sean Atkinson will lead a panel discussion on ransomware and zero trust. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/dcmetro22/.
August
August 7 – 10
After a two-year hiatus, the MS-ISAC and EI-ISAC will host the 15th Annual ISAC Meeting at the Hilton Baltimore Inner Harbor in Baltimore, Maryland. The theme of this year’s meeting is Connect, Secure, and Mature. It’s all about networking with your peers, hearing from cybersecurity experts, and learning about the latest methods and tools to protect against cyber attacks – today and into the future. This important summit will gather 900 SLTT and election officials who work in the areas of cybersecurity, information technology, and related departments. Join us as we share ideas about how to improve the cybersecurity posture of U.S. State, Local, Tribal, and Territorial (SLTT) governments as well as our critical election infrastructure. Learn more at https://www.cisecurity.org/event-calendar/annual-isac-meeting.
August 15 – 19
The Oregon Association of County Clerks (OACC) will host the 110th OACC Annual Conference at the Pendleton Convention Center in Pendleton, Oregon. The event will bring together clerks, recorders, and election officials from across the state to network, discuss current trends in state elections, and learn from thought leaders. Senior Director of the EI-ISAC Marci Andino will participate in a panel on cybersecurity resources for elections entities. Learn more at https://oacclerks.org/oacc/.
August 16
Cyber Security Summit: Detroit will take place at the Marriott at the Renaissance Center, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. CIS CTO Kathleen Moriarty will lead a panel discussion on cloud security. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/detroit22/.
August 20 – 24
The Election Center will host its 37th Annual National Conference at the Grand Hyatt Denver in Denver, Colorado. Election leaders and professionals from across the country will come together at the event to network and collaborate with peers as well as explore opportunities, resources, and best practices leading to success in the 2022 midterm elections. Senior Director of the EI-ISAC Marci Andino will lead a breakout session on no-cost cybersecurity resources for election entities. Learn more at https://www.electioncenter.org/.
August 21 – 24
Government Management Information Systems (GMIS) International will host GMIS MEETS 2022 at the Loews Philadelphia Hotel in Philadelphia, Pennsylvania. Leaders in the public sector IT industry from across the country will come together for informative educational sessions on topics important in today's environment, interaction with industry-leading providers, networking opportunities, and much more. MS-ISAC Senior Program Specialist Michelle Nolan will lead a session on prioritizing cybersecurity using the Nationwide Cybersecurity Review (NCSR). Learn more at https://www.gmis.org/page/2022homepage.
August 26
Cyber Security Summit: Chicago will take place at the Marriott Marquis Chicago, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. CIS CISO Sean Atkinson will lead a panel discussion on ransomware and zero trust. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/chicago22/.
August 29 – September 1
VMware will host VMware Explore US 2022 at the Moscone Center in San Francisco, California.
With a focus on solving the problems faced in our multi-workload, multi-cloud, and multi-workspace IT environment, VMWare Explore will show attendees how to accelerate cloud transformation,
Summer 2022
build and operate a cloud native platform, secure and empower a hybrid workforce, connect and secure clouds and apps, and expand their horizons. The event will bring together cloud professionals from around the globe and across platforms to network with peers, hear from industry thought leaders, and learn new strategies for navigating a multi-cloud world. The CIS team will be on the show floor at the event, sharing our cloud security resources with attendees. Learn more at https://www.vmware.com/explore/us.html.
September

September 8
The Critical Infrastructure Cyber Security Summit will take place virtually, bringing together leaders and professionals in charge of protecting the nation's critical infrastructure to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free registration. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/criticalinfrastructure22/.

September 12 – 15
TribalHub will host the 23rd Annual TribalNet Conference and Tradeshow at the Grand Sierra Resort and Casino in Reno, Nevada. The event will bring together leaders from tribal government, tribal gaming and enterprise, and tribal health, as well as other technology-focused professionals from around the country to network with peers, learn from others facing similar challenges and opportunities, and create and manage key vendor partnerships. The MS-ISAC team will be at the event, sharing our cybersecurity resources for tribal governments. Learn more at https://www.tribalnetconference.com/.

September 16
Cyber Security Summit: Charlotte will take place at the Sheraton Charlotte Hotel, bringing together business leaders and cybersecurity professionals to learn about the latest cyber threats. CIS CTO Kathleen Moriarty will lead a panel discussion on cloud security. Through our partnership, SLTT entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/charlotte22/.

September 18 – 21
Michigan Government Management Information Sciences (Mi-GMIS) will host its 2022 Mi-GMIS Fall Conference at the Boyne Mountain Resort in Boyne Falls, Michigan. Government IT leaders and professionals from across the state will come together at the event to network and collaborate with peers, learn from industry thought leaders, and discover leading solutions. MS-ISAC Senior Program Specialist Kyle Bryans will lead a breakout session on current threats and resources for local governments. Learn more at https://www.mi-gmis.org/event-4644821.

September 26 – 28
Cyber Risk Alliance will host InfoSec World 2022 at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. The conference will bring together security practitioners and executives for expert insights, enlightening keynotes, and interactive breakout sessions that inform, engage, and connect the infosec community. This multi-day event provides participants with the essential information and tools they need to better protect their organizations. The CIS team will be on the show floor, sharing our cybersecurity best practices and resources. Learn more at https://www.infosecworldusa.com/.

September 29
The Cyber Security Healthcare Summit will take place virtually, bringing together leaders and professionals in charge of protecting the nation's healthcare system and its patients to learn about the latest cyber threats. Through our partnership, SLTT entities can receive free registration. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/healthcare-west/.
Copyright © 2022 Center for Internet Security, Inc., All rights reserved.
Interested in being a contributor? Please contact us: cybermarket@cisecurity.org | www.cisecurity.org | 518.266.3460