
NYS Cyber Security Toolkit

July 23, 2018

Robert Samson, NYS Chief Information Officer
Deborah Snyder, NYS Chief Information Security Officer
Welcome & Opening Remarks
Organizational Introductions
New York State Chief Information Security Office
Multi-State Information Sharing & Analysis Center
Enterprise Information Security Office
Mission: Protecting privacy and safeguarding the State’s information assets – data, systems and infrastructure, through cyber security leadership, awareness and training, best practices and partnerships.
Cyber Security Tools & Resources
• Critical Security Controls Framework, Assessment Tool – to baseline current state
• Asset Inventory Guidance & Templates – to identify critical information assets
• Secure System Development Life Cycle resources – to ensure secure design
• Cybersecurity Risk Assessment Tool – to streamline effective application security reviews

• NYS Cyber Security Policies, Standards & Guidelines – to enforce sound practices
• Training & Education – to enhance awareness & capabilities
– NYS Cyber Security Conference
– NYS Cyber Security Awareness online training course & Skills training – extended to counties

Partnership & Collaboration - “Local Government Cyber Security Toolkit”
• ITS Enterprise Information Security Office https://its.ny.gov/eiso/local-government
• MS-ISAC https://www.cisecurity.org/ms-isac/ms-isac-toolkit/
(Figure: State, Local, Tribal, or Territorial Government Entity)
A Tale of Two ISACs
• 2003 – The MS-ISAC is founded as an initiative as part of New York State government for Northeast States
• 2004 – DHS funds the MS-ISAC as an initiative to support the cybersecurity needs of all State governments
• 2010 – The MS-ISAC breaks away from NYS and joins the Center for Internet Security as a program area
A Tale of Two ISACs
• Summer 2016
– Public reporting of voter registration compromises

• January 2017
– Intelligence Community Assessment (attribution of all
elections related activity)
– Critical Infrastructure Designation

• July 2017
– Election Critical Infrastructure Working Group meets at
MS-ISAC HQ
A Tale of Two ISACs
• September 2017
– Election Infrastructure Subsector Government
Coordinating Council (EIS-GCC) established
– MS-ISAC Pilot for Elections Approved
• October 2017-February 2018
– MS-ISAC Pilot for Elections (NJ, VA, IN, TX, CO,
UT, WA)
• February 2018
– EIS-GCC votes to establish EI-ISAC
• March 2018
– EI-ISAC Official Launch
Who can utilize these resources?
Eligible entities include:
✓ Counties
✓ Municipalities (towns, cities, villages, etc.)
✓ Law Enforcement Agencies
✓ Public Authorities (power, water, transit, etc.)
✓ Public Education (K-12, BOCES, Community College, Universities)
✓ Elections offices
How to access MS-ISAC resources
• Register for the MS-ISAC’s services here: https://learn.cisecurity.org/ms-isac-registration
• The MS-ISAC Stakeholder Engagement team will provide you with next steps:
– Register your HSIN account
– Submit public IPs, domains, and subdomains
– Register for an MCAP account
– Add additional staff to your account
Top 20 CIS Controls
Overview and NYS Implementation
Evolution of the CIS Controls
The CIS Controls™️
CIS Controls Version 7
Volunteer Process
• Used our in-house collaborative platform: Workbench
• Received over 600 recommendations with over 300 members in
the community
• https://Workbench.cisecurity.org
Ecosystem of Resources
• Mappings to other Frameworks
– Special focus on NIST CSF [updated!]
• CIS Risk Assessment Method (CIS-RAM) [new]
• ICS Companion Guide to the Controls [drafted]
• Measures and Metrics [updated]
• SME Implementation Guide
• CIS Community Attack Model
• Privacy and the Controls
Contribute Today!
https://Workbench.cisecurity.org
controlsinfo@cisecurity.org
Prioritizing the Top 20 Controls: Basic, Foundational, Organizational
Basic
▪ What every organization needs for essential cyber defense readiness

https://www.cisecurity.org/controls/
Foundational
▪ Technical best practices that provide clear security benefits

https://www.cisecurity.org/controls/
Organizational
▪ Focus on people & processes involved in cybersecurity

https://www.cisecurity.org/controls/
Top 20 Assessment
▪ Straight-forward way to baseline your organization
▪ Focuses on specific, highly-effective, prioritized actions
▪ Maps to other Frameworks
▪ Industry-vetted
▪ EISO created a Top 20 Assessment Tool
▪ Visualization – what we fondly call our “Blues Chart”
▪ Built-in assessment methodology & analytics
▪ User Guide
Why & How We Use The “Top 20”
▪ Straight-forward way to assess & improve your organization’s security posture
▪ Focused on specific, highly-effective, prioritized actions
▪ Maps to other Frameworks
▪ Industry-vetted
▪ EISO created a Top 20 Assessment Tool
▪ Visualization – what we fondly call our “Blues Chart”
▪ Built-in assessment methodology & analytics
▪ User Guide
Using the Tool
Columns: Family | Control | Control Description | Maturity Level (enter data here) | Maturity Score (Numerical) | Notes
Critical Security Control #1: Inventory and Control of Hardware Assets – control score 1.0
System | 1.1 | Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. | Not Performed | 1 |
System | 1.2 | Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. | Not Performed | 1 |
System | 1.3 | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. | Not Performed | 1 |
System | 1.4 | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. | Not Performed | 1 |
System | 1.5 | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. | Not Performed | 1 |
System | 1.6 | Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. | Not Performed | 1 |
System | 1.7 | Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. | Not Performed | 1 |
System | 1.8 | Use client certificates to validate and authenticate systems prior to connecting to the private network. | Not Performed | 1 |
Using the Tool
Columns: Family | Control | Control Description | Maturity Level (enter data here) | Maturity Score (Numerical) | Notes
Critical Security Control #1: Inventory and Control of Hardware Assets – control score 1.1
System | 1.1 | Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. | Not Performed | 1 |
System | 1.2 | Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. | Not Performed | 1 |
System | 1.3 | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. | Not Performed | 1 |
System | 1.4 | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. | Not Performed | 1 |
System | 1.5 | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. | In Process | 2 | A consolidated hardware asset inventory is recorded by the IT department and separated by organizational department. Records are validated annually to ensure that all devices are accounted for. The asset inventory contains the included list of records per asset.
System | 1.6 | Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. | Not Performed | 1 |
System | 1.7 | Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. | Not Performed | 1 |
System | 1.8 | Use client certificates to validate and authenticate systems prior to connecting to the private network. | Not Performed | 1 |
Using the Tool
Before / After “Blues Chart” for Critical Security Control #1 and Critical Control 2 (both panels list the same sub-controls; the shading that encodes maturity is not recoverable here):
Critical Security Control #1: Inventory and Control of Hardware Assets
• Utilize an Active Discovery Tool
• Use a Passive Asset Discovery Tool
• Use DHCP Logging to Update Asset Inventory
• Maintain Detailed Asset Inventory
• Maintain Asset Inventory Information
• Address Unauthorized Assets
• Deploy Port Level Access Control
• Utilize Client Certificates to Authenticate Hardware Assets
Critical Control 2: Inventory and Control of Software Assets
• Maintain Inventory of Authorized Software
• Ensure Software is Supported by Vendor
• Utilize Software Inventory Tools
• Track Software Inventory Information
• Integrate Software and Hardware Asset Inventories
• Address Unapproved Software
• Utilize Application Whitelisting
• Implement Application Whitelisting of Libraries
• Implement Application Whitelisting of Scripts
• Physically or Logically Segregate High Risk Applications
Using the Tool
Top 20 Assessment Tool
Maturity Level / Score: Not Performed = 1; In Process = 2; In Place = 3
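As an added illustration (not the EISO tool's own code), the following Python reproduces the scoring rule visible in the tables and legend above: each sub-control's maturity level maps to 1, 2 or 3, a control's score is the mean of its sub-controls shown to one decimal (eight sub-controls with one at "In Process" give the 1.1 shown for Control #1), and Basic controls (1-6) with low scores are surfaced as gaps. The sample rows and the gap threshold are assumptions.

```python
"""Maturity scoring in the style of the EISO Top 20 Assessment Tool.

Added example, not the tool's own code. The scoring rule is taken from the
legend and tables on this page (Not Performed = 1, In Process = 2,
In Place = 3; a control's score is the mean of its sub-controls, shown to
one decimal). The sample rows and the gap threshold are assumptions.
"""
from collections import defaultdict

MATURITY = {"Not Performed": 1, "In Process": 2, "In Place": 3}
BASIC = range(1, 7)  # the "Basic" group: CIS Controls 1-6

# Constructed sample rows: (sub-control id, maturity level, notes).
BEFORE = [(f"1.{i}", "Not Performed", "") for i in range(1, 9)]
AFTER = [
    (sid, "In Process", "Consolidated inventory kept by IT; validated annually")
    if sid == "1.5" else (sid, level, note)
    for sid, level, note in BEFORE
] + [("2.1", "In Place", ""), ("2.2", "In Process", ""), ("2.3", "Not Performed", "")]


def sub_control_score(level):
    """Map the free-text 'enter data here' cell to its numerical score.
    Anything outside the three defined levels is rejected rather than
    silently scored, so a typo cannot skew a control average."""
    try:
        return MATURITY[level.strip()]
    except (KeyError, AttributeError):
        raise ValueError(
            f"unknown maturity level {level!r}; expected one of {sorted(MATURITY)}"
        ) from None


def control_scores(rows):
    """Return {control number: score}, where score is the mean of the
    sub-control scores rounded to one decimal, as the tool displays it."""
    per_control = defaultdict(list)
    for sub_id, level, _notes in rows:
        control = int(sub_id.split(".")[0])
        per_control[control].append(sub_control_score(level))
    return {c: round(sum(v) / len(v), 1) for c, v in sorted(per_control.items())}


def basic_gaps(scores, threshold=2.0):
    """Basic controls (1-6) scoring below the threshold, weakest first:
    the page's starting point for prioritising the roadmap."""
    low = [c for c in scores if c in BASIC and scores[c] < threshold]
    return sorted(low, key=lambda c: (scores[c], c))


def improvement(before, after):
    """Per-control score change between two assessment runs, for the
    'did initiatives provide expected improvements?' report."""
    old, new = control_scores(before), control_scores(after)
    return {c: round(new[c] - old.get(c, 0.0), 1) for c in new}


if __name__ == "__main__":
    for label, rows in (("Before", BEFORE), ("After", AFTER)):
        print(label, control_scores(rows))
    print("Basic-control gaps:", basic_gaps(control_scores(AFTER)))
    print("Improvement:", improvement(BEFORE, AFTER))
```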
Asset Management
Hardware & Software
Critical Security Control #’s 1 & 2
It all starts here
Asset Management Scope
• Business Functions
• Business Application Assets
• Information / Data Assets
• Hardware Assets
• Software Assets
• Personnel Assets
Asset Management is an organizational responsibility
Asset Inventory - Hardware
CSC #1: Inventory & Control of Hardware Assets
Actively manage (inventory, track, and correct) all hardware devices on the network.
WHY: So that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
(Figure: Asset Inventory Data Analysis)
Asset Inventory - Software
CSC #2: Inventory & Control of Software Assets
Actively manage (inventory, track, & correct) all software on the network.
WHY: So that only authorized software is installed and can execute, and that unauthorized, unmanaged software is found and prevented from installation or execution.
Continuous Vulnerability Assessment & Remediation
Critical Security Control #3
Vulnerability Management
CSC #3: Continuous Vulnerability Management
Continuously acquire, assess, & take action on new information.
WHY: To identify vulnerabilities for remediation, & minimize opportunity for attacks
Preparation Tips
• Ongoing Process
• Go beyond PCs
• Integrate & automate processes
Vulnerability management cycle: Vulnerability scan → Define remediating actions → Implement remediating actions → Rescan / Validate
“Cyclical practice of identifying, classifying, remediating & mitigating vulnerabilities”
Vulnerability Management Program
Web Profiler
✓ Server type and version (IIS, Apache, etc.)
✓ Web programming language and version (PHP, ASP, etc.)
✓ Content Management System and version (WordPress, Joomla, Drupal, etc.)
Send domains, IP ranges, and contact info to: soc@msisac.org
Email notifications are sent broken down by:
• Out-of-Date systems that should be patched/updated and could potentially have a vulnerability associated with them
• Up-to-Date systems that have the most current patches
Vulnerability Management Program
Port Profiler
• MS-ISAC will connect to 12 common ports on public IPs provided for our
monitoring program.
– Services: FTP, SSH, HTTP(S), SMB, RDP, VNC, SQL, and MongoDB
– 21, 22, 23, 25, 80, 139, 443, 445, 1433, 8080, 3306, 3389, 5432, 5900, 27017
• Services are identified by reading the banner information once we connect.
– We look for predetermined keywords in the banner information, which lets us tag hosts or services that warrant a second look at whether they need to be public facing.
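As an added example (not MS-ISAC's code) covering both the Web Profiler and Port Profiler passages above, this Python tags constructed banner observations the way the notifications are broken down: by port it names the service and flags those that warrant a second look at whether they should be public facing, and by banner keyword it extracts a product version and labels it Out-of-Date or Up-to-Date against a baseline. Only the port list comes from the page; the keyword rules, the second-look set, the baseline versions and the sample hosts (TEST-NET addresses) are assumptions.

```python
"""Banner-keyword tagging in the spirit of the MS-ISAC Web Profiler and Port
Profiler notifications described above.

Added example, not MS-ISAC's code. Only the port list comes from the page;
the keyword rules, the "second look" service set, the baseline versions and
the sample observations (TEST-NET addresses) are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ports the Port Profiler connects to, mapped to the service expected there.
PORT_SERVICES = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP", 139: "SMB",
    443: "HTTPS", 445: "SMB", 1433: "MSSQL", 8080: "HTTP-alt", 3306: "MySQL",
    3389: "RDP", 5432: "PostgreSQL", 5900: "VNC", 27017: "MongoDB",
}
# Services that rarely need to be Internet-facing (assumption): these get a
# "second-look" tag regardless of what the banner says.
SECOND_LOOK = {"Telnet", "SMB", "RDP", "VNC", "MSSQL", "MySQL", "PostgreSQL", "MongoDB"}

# Predetermined keywords -> product, with a regex capturing its version (assumed).
BANNER_RULES = [
    ("OpenSSH", re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)")),
    ("Microsoft-IIS", re.compile(r"Microsoft-IIS/(\d+(?:\.\d+)*)")),
    ("Apache", re.compile(r"Apache/(\d+(?:\.\d+)*)")),
    ("ProFTPD", re.compile(r"ProFTPD (\d+(?:\.\d+)*)")),
    ("RFB", re.compile(r"RFB (\d{3}\.\d{3})")),  # VNC protocol greeting
]
# Constructed "current release" table; a real profiler maintains this from vendor data.
BASELINE = {"OpenSSH": (7, 7), "Microsoft-IIS": (10, 0), "Apache": (2, 4, 33), "ProFTPD": (1, 3, 6)}

# Constructed observations: (host, port, banner text). Empty banner = nothing readable.
OBSERVATIONS = [
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_7.4"),
    ("203.0.113.10", 80, "Server: Apache/2.4.29 (Ubuntu)"),
    ("203.0.113.11", 443, "Server: Microsoft-IIS/10.0"),
    ("203.0.113.12", 3389, ""),
    ("203.0.113.12", 5900, "RFB 003.008"),
    ("203.0.113.13", 21, "220 ProFTPD 1.3.6 Server ready"),
]


@dataclass
class Finding:
    host: str
    port: int
    service: str
    product: Optional[str]
    version: Tuple[int, ...]
    tags: List[str]


def parse_version(text: str) -> Tuple[int, ...]:
    """'003.008' -> (3, 8); tuples compare element-wise, which is what we need."""
    return tuple(int(part) for part in text.split("."))


def identify(banner: str):
    """First matching keyword rule wins; unknown banners yield (None, ())."""
    for product, pattern in BANNER_RULES:
        match = pattern.search(banner)
        if match:
            return product, parse_version(match.group(1))
    return None, ()


def profile(observations) -> List[Finding]:
    """Tag each observation by port (exposure) and by banner (currency)."""
    findings = []
    for host, port, banner in observations:
        service = PORT_SERVICES.get(port, f"tcp/{port}")
        product, version = identify(banner)
        tags = []
        if service in SECOND_LOOK:
            tags.append("second-look")
        if product in BASELINE:  # only products with a baseline get dated
            tags.append("out-of-date" if version < BASELINE[product] else "up-to-date")
        findings.append(Finding(host, port, service, product, version, tags))
    return findings


def notification_buckets(findings):
    """Group findings the way the e-mail notifications are broken down."""
    buckets = {"Out-of-Date": [], "Up-to-Date": [], "Second look": []}
    for f in findings:
        if "out-of-date" in f.tags:
            buckets["Out-of-Date"].append(f)
        elif "up-to-date" in f.tags:
            buckets["Up-to-Date"].append(f)
        if "second-look" in f.tags:
            buckets["Second look"].append(f)
    return buckets


if __name__ == "__main__":
    for name, items in notification_buckets(profile(OBSERVATIONS)).items():
        print(name)
        for f in items:
            ver = ".".join(map(str, f.version)) or "-"
            print(f"  {f.host}:{f.port} {f.service} {f.product or '-'} {ver} {f.tags}")
```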
Vulnerability Management Program
Port Profiler
• Quarterly notifications
• Contact vmp.dl@cisecurity.org to:
– Opt out of this service
– Provide feedback on the Port Profiler
• Contact soc@cisecurity.org if:
– You wish to add IP addresses
– To verify “VMP Notification” contacts
• Source IP address: 52.14.79.150
Weekly Malware IPs and Domains
Automated Threat Indicator Sharing via Anomali
To gain an Anomali account contact: VMP@cisecurity.org
TLP: WHITE
MS-ISAC Advisories
TLP: WHITE
Application Software Security
Critical Security Control # 18
Application Software Security
CSC #18: Application Software Security
Manage the security life-cycle of all in-house developed and acquired software.
WHY: To prevent, detect, and correct security weaknesses.
Tips
• Ongoing Process
• Begins in requirements gathering
• Ends when software is retired.
“Cyclical practice of building software secure and ensuring it stays secure.”
What is the SSDLC?
Consistent, Comprehensive, Repeatable, Risk-Based, Mission-Focused, Right-Sized
Benefits:
• Reduces the number of vulnerabilities
• Reduces the impact to businesses if an incident occurs
• Decreases the risk of business service disruptions
• Increases the ability of the business to deliver services
http://www.its.ny.gov/document/secure-system-development-life-cycle-ssdlc-standard
Why is SSDLC Necessary?
• In 2017, Cyber-Espionage, Privilege Misuse, Web Application Attacks, & Miscellaneous Errors represented 75% of breaches in the Public Administration sector
• 50% of all breaches in Public Administration were discovered months or years after the initial compromise
• 68% of funds lost as a result of a cyber attack were declared unrecoverable
• $3.62 million was the average total cost of a data breach in 2017
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
https://securityintelligence.com/media/2017-ponemon-institute-cost-of-a-data-breach-study/
Threats to Government Organizations and Citizens
Threats shown: Web Application Attack, Hacktivism, Denial of Service, Spear Phishing, Social Engineering, Spin, Malware, Breach, Insider threat, Credit Card Fraud
PARTNERS/SUPPLIERS
▪ Contractual Requirements
▪ Regulatory Attestation
▪ Best Practice Controls
CITIZENS
▪ Expect Secure Access
▪ Expect Privacy
▪ Expect Data Accuracy
EMPLOYEES
▪ Awareness
▪ Self Enforcement
▪ Unified Posture
▪ Cyber Expertise
3rd PARTIES/CONTRACTORS
▪ Security Maturity
▪ Assessment Volume
▪ Governance & Reviews
▪ Regulatory Compliance
AGENCIES
▪ Non-Standard Practices
▪ Regulatory Drivers
▪ Varying Levels of Cyber Expertise
SSDLC Security Activities
At MINIMUM, an SDLC must contain the following security activities:
1) Define Security Roles and Responsibilities
2) Orient Staff to the SDLC Security Tasks
3) Establish System Criticality Level
4) Classify Information
5) Establish System Identity Assurance Level Requirements
6) Establish System Security Profile Objectives
7) Profile the System
8) Decompose the System
9) Assess Vulnerabilities and Threats
10) Assess Risk
11) Select and Document Security Controls
12) Create Test Data
13) Test Security Controls
14) Perform Accreditation
15) Manage and Control Change
16) Measure Security Compliance
17) Perform System Disposal
SSDLC Tools

https://its.ny.gov/document/secure-system-development-life-cycle-ssdlc-standard
https://its.ny.gov/secure-system-development-life-cycle-standard
Key Takeaways
We all have a role in protecting New York’s systems and information
Security needs to be consistently and comprehensively implemented using a secure SDLC
Security needs to be risk-based and right-sized
Security must be built into all systems from the very beginning
Application Software Security
Application Risk Assessment
Critical Security Control # 18
Layered Risk Assessment Process
Holistic – includes business, regulatory & technical perspectives.
Comprehensive technical review - from interface to infrastructure.
Columns: Layer | Method / Activities | NIST 800-53 | Top 20 | Validation / Metrics
Business Impact & Privacy (Administrative) | Interviews – identify business functions, risk; COOP/DR Plans | IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8, IR-10 | CSC 19: Incident Response and Management | Incident management procedures exist
Compliance | Interview, questionnaire; Prior security review & audit results/findings; Incidents if any | CA-7, CM-8, IA-3, SA-4, SC-17, SI-4, PM-5 | CSC 1: Inventory of Authorized/Unauthorized Devices; CSC 2: Inventory of Authorized/Unauthorized Software | Information and system owners identified, applicable laws and regulations identified
Secure Design Plan (Secure SDLC) | Information security plan; Identity Assurance worksheet (roles, separation of duties) | AC-2, AC-6, AC-17, AC-19, CA-7, IA-4, IA-5, SI-4 | CSC 5: Controlled Use of Administrative Privileges; CSC 14: Controlled Access Based on Need to Know; CSC 16: Account Monitoring and Control | SSDLC, access matrix, data flow diagrams, system and business function documentation
Web Site/Application | Web app scanning (Qualys/WebInspect); Application code scan/review; Code review; Pen-testing | CA-2, CA-5, CA-6, CA-8, RA-6, SI-6, PM-6, PM-14 | CSC 7: Email and Web Browser Protections; CSC 20: Penetration Tests and Red Team Exercises | Encryption in transit/rest, pen test results
Application, core services & databases (Technical Controls) | Discovery & Relationship Mapping (ITSM CMDB); dependencies; Application code scan/review; Code review; Database configuration & control review | CA-2, CA-7, RA-5, SC-34, SI-4, SI-7, AT-1, AT-2, AT-3, AT-4, SA-11, SA-16, PM-13, PM-14, PM-16 | CSC 4: Continuous Vulnerability Assessment and Remediation; CSC 9: Limitation and Control of Network Ports, Protocols, and Services; CSC 13: Data Protection; CSC 18: Application Software Security | Web, network and code scan results, SSDLC documentation
Platform (host, cloud) | Configuration assessment (CIS-CAT; DISA, Qualys, Nessus, hardening guidance); Network & Host Vulnerability scanning (authenticated); CAIQ & 3rd party practices | CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, CM-9, CM-11, MA-4, RA-5, SA-4, SC-15, SC-34, SI-2 | CSC 3: Secure Configurations; CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs; CSC 11: Secure Configurations for Network Devices | Secure configuration standards and secure configuration scan results
Infrastructure | Network Mapping & Scanning; Service Level Agreements; Resiliency Level (Incidents, RTO/RPO objectives) | AC-4, AC-17, AC-20, CA-3, CA-7, CA-9, CM-2, SA-9, SC-7, SC-8, SI-4 | CSC 8: Malware Defenses; CSC 10: Data Recovery Capability; CSC 12: Boundary Defense; CSC 15: Wireless Access Control | SLA documentation aligned with business mission and criticality. Network diagrams with PDS/IDS.
Measures 3 Key Areas
BUSINESS RISK INDEX
• Business Impact
• Privacy Impact
• Regulatory Compliance
• Business Continuity
• Business Alignment
TECHNICAL RISK INDEX
• Application, services, Db Security
• Technical Controls
• Resiliency
• Technical Alignment
• Disaster Recovery
OPERATIONAL RISK INDEX
• Documentation
• Process
• Technical Controls
• Operational Environment
Scoring across the 3 indices (Business Risk, Technical Risk, Operational Risk) produces an overall application risk profile. Risk profiles drive heat-maps & scorecards for clusters & agencies.
Cyber Security Risk Assessment Tool
Ease-of-use & Efficiency
• Menu-driven
• Self-assessment tool
• Automatic report creation
• Available online & offline
Security/Privacy
• Private SharePoint, access restricted to authorized persons
Analytics/business intelligence
• Business & Technical Risk Indices, scorecards & dashboards
Critical Success Factors
• SMEs available
• Data accuracy
Operational Risk Index (ORI)
Level 2 Self-Assessment
Level 3 Comprehensive Risk Assessment
Operational Risk Assessment Walk Through
Application-level Reporting: Executive Summary
• Summarized high-level overview
• Changes reflected in real-time
Executive Summary Report – Sample Data
Incident Response and Management
Critical Security Control # 19
Incident Response Plan?
CSC #19: Incident Response and Management
Protect information/reputation by developing incident response infrastructure to quickly discover and recover from an attack.
WHY: Planning can help with discovery of attack and minimizing the impact.
(What you don’t want!)
Key New York State Cyber Players
NYS Office of Information Technology
• Enterprise Information Security Office (EISO)
NYS Public Safety Agencies
• New York State Police
• Homeland Security and Emergency Services
• NYS Intelligence Center (NYSIC)
• Division of Military and Naval Affairs (DMNA)
NYS Cyber Security Advisory Board
• Executive Director & members
Center for Internet Security
• Multi-State Information Sharing and Analysis Center
New York State EISO Cyber Command Center Capabilities
Incident Response Objectives
• Assess the scope, magnitude and source of intrusions
• Identify root cause
• Quantify the damage
• Assist with remediation
• Make recommendations to prevent reoccurrence
• Lessons learned
Incident Response Process: Prepare → Identification → Containment → Eradication → Recovery → Lessons Learned
Cyber Partners
Incident Response
Incident Response Escalation
• Local Response
• State: EISO CyCom, MS-ISAC, OCT CIRT, NYSP/NYSIC
• Federal: US DHS, FBI
Bi-directional Information Sharing
NYS Cyber Incident Reporting Procedures
http://www.its.ny.gov/incident-reporting
• Cyber Command Center Hotline: 518-242-5045
• Please identify the urgency of the call.
• After hours (5PM- 9AM, weekends and holidays), call NYS Watch Center at 518-292-2200 and ask to report a cyber incident to the Cyber Command Center.

If related to County Board of Election Systems – Call 1-844-OCT-CIRT

• Email CYCOM@ITS.NY.GOV.
• If including sensitive data and you are outside of the NYS Office 365 (O365)
tenancy, consider encrypting using the Enterprise Information Security Office
(EISO)’s PGP public key. The key may be found on the EISO web site at
http://its.ny.gov/eiso/incident-reporting/
MS-ISAC 24 x 7 Security Operations Center
Central location to report any cybersecurity incident
• Support:
– Network Monitoring Services
– Research and Analysis
• Analysis and Monitoring:
– Threats
– Vulnerabilities
– Attacks
• Reporting:
– Cyber Alerts & Advisories
– Web Defacements
– Account Compromises
– Hacktivist Notifications
To report an incident or request assistance: Phone: 1-866-787-4722, Email: soc@msisac.org
Computer Emergency Response Team
• Incident Response (includes on-site assistance)
• Network & Web Application Vulnerability Assessments
• Malware Analysis
• Computer & Network Forensics
• Log Analysis
• Statistical Data Analysis
To report an incident or request assistance: Phone: 1-866-787-4722, Email: soc@msisac.org
Malicious Code Analysis Platform
A web based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion
• Executables
• DLLs
• Documents
• Quarantine files
• Archives
To gain an account contact: mcap@msisac.org
TLP: WHITE
Security Awareness & Training
Critical Security Control # 17
Security Awareness & Training
CSC #17: Implement a Security Awareness and Training Program
Identify the specific knowledge, skills and abilities needed to support defense of the enterprise and develop a plan to remediate gaps.
WHY: Attackers will look for the weakest link (e.g., social engineering, phishing attacks).
Cybersecurity Awareness Materials
Awareness & Training
Provide opportunities to increase awareness, knowledge, competencies, and skills to reduce overall security risk
• Citizen and workforce outreach
• Awareness activities and events
• Federal, state, and local government partnerships
• Cyber training
• Promote available resources
https://its.ny.gov/eiso/local-government
Break – 10 minutes
Organizational Security
Policies, Standards, Guidelines & National Cyber Security Review
NYS Information Security Policies, Standards and Guidelines
Find important information on security policy and standards in New York State at https://its.ny.gov/eiso/policies/security
Document hierarchy: Policy (Why?) → Standards (What?) → Guidelines (Considerations?) → Procedures (How?)
NYS-P03-002 Information Security Policy
NYS-S13-001 Secure System Development Lifecycle (SSDLC) Standard
NYS-S13-003 Sanitization/Secure Disposal Standard
NYS-S13-005 Cyber Incident Response Standard
NYS-S14-001 Information Security Risk Management Standard
NYS-S14-002 Information Classification Standard
NYS-S14-008 Secure Configuration Standard
NYS-S14-013 Account Management/Access Control Standard
NYS-P14-001 Acceptable Use of Information Technology Resources
Nationwide Cyber Security Review (NCSR)
• U.S. Department of Homeland Security sponsored, voluntary cyber security self assessment – in partnership with MS-ISAC, NASCIO and NACo
• Measures the level of cyber security maturity and risk awareness in government
• Annual survey runs from October 1 – November 30
• To register: https://msisac.cisecurity.org/resources/ncsr/registration/
• Anonymized results shared in a summary report to U.S. Congress in alternate (odd-numbered) years
• Free, annual, cyber security self-assessment, aligned to the NIST Cybersecurity Framework and designed to evaluate cybersecurity maturity and risk management.
Strategic Planning and Decision-Making
Strategic Planning
• Identify gaps & improvement opportunities
– Basic controls (1-6) with low maturity ratings
• Use the analysis to “chart a course”
– Roadmap - prioritized initiatives/investments that “move the dial” & provide best return
– Justification - budget & staffing requests
Roadmap, Priorities, Investments
• Enhanced Visibility, Monitoring & Detection
• Protecting Business Email
• Protecting User Accounts
• Protecting Business Devices
• Protecting Business Applications
• Protecting Sensitive Data
• Protecting NYS Infrastructure
Example: Pre-Investment Maturity
(Chart of sub-control maturity for the six Basic controls; the shading that encodes maturity is not recoverable here.)
Critical Security Control #1: Inventory and Control of Hardware Assets
• Utilize an Active Discovery Tool
• Use a Passive Asset Discovery Tool
• Use DHCP Logging to Update Asset Inventory
• Maintain Detailed Asset Inventory
• Maintain Asset Inventory Information
• Address Unauthorized Assets
• Deploy Port Level Access Control
• Utilize Client Certificates to Authenticate Hardware Assets
Critical Control 2: Inventory and Control of Software Assets
• Maintain Inventory of Authorized Software
• Ensure Software is Supported by Vendor
• Utilize Software Inventory Tools
• Track Software Inventory Information
• Integrate Software and Hardware Asset Inventories
• Address Unapproved Software
• Utilize Application Whitelisting
• Implement Application Whitelisting of Libraries
• Implement Application Whitelisting of Scripts
• Physically or Logically Segregate High Risk Applications
Critical Control 3: Continuous Vulnerability Management
• Run Automated Vulnerability Scanning Tools
• Perform Authenticated Vulnerability Scanning
• Protect Dedicated Assessment Accounts
• Deploy Automated Operating System Patch Management Tools
• Deploy Automated Software Patch Management Tools
• Compare Back-to-back Vulnerability Scans
• Utilize a Risk-rating Process
Critical Control 4: Controlled Use of Administrative Privileges
• Maintain Inventory of Administrative Accounts
• Change Default Passwords
• Ensure the Use of Dedicated Administrative Accounts
• Use Unique Passwords
• Use Multifactor Authentication for All Administrative Access
• Use of Dedicated Machines for All Administrative Tasks
• Limit Access to Script Tools
• Log and Alert on Changes to Administrative Group Membership
• Log and Alert on Unsuccessful Administrative Account Login
Critical Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
• Establish Secure Configurations
• Maintain Secure Images
• Securely Store Master Images
• Deploy System Configuration Management Tools
• Implement Automated Configuration Monitoring Systems
Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
• Utilize Three Synchronized Time Sources
• Active Audit Logging
• Enable Detailed Logging
• Ensure Adequate Storage for Logs
• Central Log Management
• Deploy SIEM or Log Analytic Tool
• Regularly Review Logs
• Regularly Tune SIEM
Example: Post-Implementation Maturity
(sub-controls of CIS Critical Security Controls 1 through 6, one column per control in the original slide)

Critical Security Control #1: Inventory and Control of Hardware Assets
• Utilize an Active Discovery Tool
• Use a Passive Asset Discovery Tool
• Use DHCP Logging to Update Asset Inventory
• Maintain Detailed Asset Inventory
• Maintain Asset Inventory Information
• Address Unauthorized Assets
• Deploy Port Level Access Control
• Utilize Client Certificates to Authenticate Hardware Assets

Critical Control 2: Inventory and Control of Software Assets
• Maintain Inventory of Authorized Software
• Ensure Software is Supported by Vendor
• Utilize Software Inventory Tools
• Track Software Inventory Information
• Integrate Software and Hardware Asset Inventories
• Address Unapproved Software
• Utilize Application Whitelisting
• Implement Application Whitelisting of Libraries
• Implement Application Whitelisting of Scripts
• Physically or Logically Segregate High Risk Applications

Critical Control 3: Continuous Vulnerability Management
• Run Automated Vulnerability Scanning Tools
• Perform Authenticated Vulnerability Scanning
• Protect Dedicated Assessment Accounts
• Deploy Automated Operating System Patch Management Tools
• Deploy Automated Software Patch Management Tools
• Compare Back-to-back Vulnerability Scans
• Utilize a Risk-rating Process

Critical Control 4: Controlled Use of Administrative Privileges
• Maintain Inventory of Administrative Accounts
• Change Default Passwords
• Ensure the Use of Dedicated Administrative Accounts
• Use Unique Passwords
• Use Multifactor Authentication for All Administrative Access
• Use of Dedicated Machines for All Administrative Tasks
• Limit Access to Script Tools
• Log and Alert on Changes to Administrative Group Membership
• Log and Alert on Unsuccessful Administrative Account Login

Critical Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
• Establish Secure Configurations
• Maintain Secure Images
• Securely Store Master Images
• Deploy System Configuration Management Tools
• Implement Automated Configuration Monitoring Systems

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
• Utilize Three Synchronized Time Sources
• Activate Audit Logging
• Enable Detailed Logging
• Ensure Adequate Storage for Logs
• Central Log Management
• Deploy SIEM or Log Analytic Tool
• Regularly Review Logs
• Regularly Tune SIEM
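Two of the Control 3 sub-controls above, "Compare Back-to-back Vulnerability Scans" and "Utilize a Risk-rating Process", are the ones most local governments can automate with a few lines of code. The script below is an added example written for this toolkit page; it is not code from the slide deck, from NYS ITS or from CIS. It assumes two scan exports in a simple CSV layout (host, port, finding_id, cvss, exploit_available, internet_facing) and an additive weighting for the risk rating; both are assumptions, and the sample rows and finding_id values are constructed placeholders, not real scanner output or real vulnerability identifiers. It splits findings into new, remediated and persisting, then orders what is still open so the review in "Governance - Benchmarking Performance" has a number to track from scan to scan.

```python
"""Back-to-back vulnerability scan comparison (CIS Control 3.6) with a simple
risk-rating to order remediation (CIS Control 3.7).

Added example for the NYS Cyber Security Toolkit page; the CSV layout and the
weighting below are assumptions, not any scanner's native export format."""
import csv
import io

# Constructed sample exports. finding_id values are synthetic placeholders,
# not real plugin IDs or CVE identifiers.
PREVIOUS_SCAN = """host,port,finding_id,cvss,exploit_available,internet_facing
10.0.5.10,443,F-101,9.8,yes,yes
10.0.5.10,22,F-102,5.3,no,yes
10.0.5.11,445,F-103,8.1,yes,no
10.0.5.12,3389,F-104,4.3,no,no
"""

CURRENT_SCAN = """host,port,finding_id,cvss,exploit_available,internet_facing
10.0.5.10,443,F-101,9.8,yes,yes
10.0.5.11,445,F-103,8.1,yes,no
10.0.5.12,3389,F-104,4.3,no,no
10.0.5.13,80,F-105,7.5,yes,yes
10.0.5.11,139,F-106,6.5,no,no
"""


def load_scan(text):
    """Parse a CSV export into a dict keyed by (host, port, finding_id).
    Keying on all three keeps the same finding on two hosts, or two findings
    on one port, as distinct items."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["port"] = int(row["port"])
        row["cvss"] = float(row["cvss"])
        row["exploit_available"] = row["exploit_available"].strip().lower() == "yes"
        row["internet_facing"] = row["internet_facing"].strip().lower() == "yes"
        findings[(row["host"], row["port"], row["finding_id"])] = row
    return findings


def compare_scans(previous, current):
    """Split findings into new, remediated and persisting by set arithmetic
    on the keys; this is the back-to-back comparison of Control 3.6."""
    new_keys = current.keys() - previous.keys()
    fixed_keys = previous.keys() - current.keys()
    persist_keys = current.keys() & previous.keys()
    return {
        "new": [current[k] for k in sorted(new_keys)],
        "remediated": [previous[k] for k in sorted(fixed_keys)],
        "persisting": [current[k] for k in sorted(persist_keys)],
    }


def risk_score(finding):
    """Assumed additive weighting: base CVSS, +2.0 if a public exploit exists,
    +2.0 if the host is internet-facing. Substitute your own rating process."""
    score = finding["cvss"]
    if finding["exploit_available"]:
        score += 2.0
    if finding["internet_facing"]:
        score += 2.0
    return round(score, 1)


def prioritize(findings):
    """Order open findings by risk score, highest first; ties fall back to CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f), f["cvss"]), reverse=True)


def scan_report(previous_text=PREVIOUS_SCAN, current_text=CURRENT_SCAN):
    """Return (diff, ranked): the scan-to-scan diff and the open findings in
    remediation order."""
    diff = compare_scans(load_scan(previous_text), load_scan(current_text))
    ranked = prioritize(diff["new"] + diff["persisting"])
    return diff, ranked


if __name__ == "__main__":
    diff, ranked = scan_report()
    print(f"new={len(diff['new'])} remediated={len(diff['remediated'])} "
          f"persisting={len(diff['persisting'])}")
    for f in ranked:
        print(f"{risk_score(f):5.1f}  {f['host']}:{f['port']}  {f['finding_id']}")
```

On the constructed data the report shows one finding remediated, two new and three persisting, and puts the internet-facing host with a public exploit at the top of the list. The counts of "persisting" and "new" from one scan to the next are the kind of metric the governance slide asks for when it says to check whether initiatives delivered the expected improvement.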
Governance - Benchmarking Performance
• Use the CIS Top 20 Controls & the Nationwide Cybersecurity Review (NCSR) to track progress:
– Security program performance
• Did initiatives provide expected improvements?
• What activities improved our security posture?
• What controls should we focus on?
– Report to executives
• Demonstrate improvements & validate spending
Recap
• Assess your current security posture
• Identify gaps & areas for improvement
• Create a plan - priorities, resources
– Use controls, tools & processes to focus efforts
• Asset Management
• Vulnerability Scanning
• Secure SDLC
• Application Risk Assessments
• Operational Controls
– Policies & Standards
– Awareness and Training
• Track & report performance
Mitigating Cyber Risks through
Legal, Insurance & Procurement
Resources
Legal: Conduct Contract Reviews
– Data Sharing Agreements Terms & Conditions
– Standard Contract Clauses for IT Contracts
• https://its.ny.gov/sites/default/files/documents/appendix_c_-_its_standard_contract_clauses_.pdf
– OGS Contracts Terms & Conditions
Insurance:
– Cyber Liability Coverage
• Privacy/Network Security Liability
• Professional Liability/Technology Errors & Omissions Coverage
Procurement:
Office of General Services Procurement Services Group
• Email: customer.services@ogs.ny.gov
• Website: www.ogs.ny.gov
• Annual NY GovBuy Training: https://govbuy.ogs.ny.gov/
• Buying 101 for Local Government: https://nyspro.ogs.ny.gov/content/buying-101-local-government
• Using OGS Centralized Contracts: https://nyspro.ogs.ny.gov/content/using-ogs-centralized-contracts-0
Manufacturer Umbrella Contract
https://www.ogs.ny.gov/purchase/snt/awardnotes/7360022802can.HTM
• Procure Software, Hardware, Cloud-based Products and related Implementation services, based on a Manufacturer's Products.

Project Based Information Technology Consulting Services (PBITS)
https://ogs.ny.gov/purchase/snt/awardnotes/7360022772can.htm
• Use this contract to procure services to:
– Provide network monitoring and logging (IDS/IPS, 3rd Party MSS)
– Conduct cyber risk assessments
– Perform technical vulnerability remediation
– Develop secure IT architecture
– Enhance cyber preparedness and incident response planning, training and exercises
Distributor Umbrella Contract
https://www.ogs.state.ny.us/purchase/snt/awardnotes/7360022876can.HTM
• Procure Software, Hardware, and small amounts of related services for manufacturers unable to secure a Manufacturer Umbrella Contract.

Hourly Based Information Technology Services (HBITS)
https://www.ogs.ny.gov/BU/PC/hbits/default.asp
• Procure Staff Augmentation services
New York GovBuy Conference Resources
2017: https://govbuy.ogs.ny.gov/2017-courses
• IT Umbrella Manufacturer and Distributor Contracts: How to Buy IT Products
o Recorded Session: https://govbuy.ogs.ny.gov/it-umbrella-manufacturer-and-distributor-contracts-how-buy-it-products
2018: https://govbuy.ogs.ny.gov/2018-courses
• Local Governments: What You Need to Know About Purchasing
o Recorded Session: https://govbuy.ogs.ny.gov/local-governments-what-you-need-know-about-purchasing-0
• Intro to OGS & Procurement Services
o https://govbuy.ogs.ny.gov/new-who-ogs-and-how-navigate-our-website
• IT Project Based Information Technology Services (PBITS) Contracts: Case Studies in how to procure IT Project Based Services
o Recorded Session: https://govbuy.ogs.ny.gov/it-project-based-information-technology-services-pbits-contracts-case-studies-how-procure-it-project
• IT Umbrella Manufacturer and Distributor Contracts: Case Studies in how to procure IT products
o https://govbuy.ogs.ny.gov/it-umbrella-manufacturer-and-distributor-contracts-case-studies-how-procure-it-products
• Acquiring Contract Solutions through General Services Administration (GSA) Federal Contracts
o https://govbuy.ogs.ny.gov/new-acquiring-contract-solutions-through-general-services-administration-gsa-federal-contracts
Cyber Security Service Offerings
NYS Shared Service Offerings
Chief Information Security Office
– Main: 518.242.5200, EISO@its.ny.gov
– Cyber Command Center (CyCom): 518.242.5045, CyCom@its.ny.gov
– Local Government Resources: https://its.ny.gov/local-government
Services offered:
• Policy/Standards
• Compliance Support
• Education & Awareness
• Risk Assessment & Remediation
• Secure Architecture & Engineering
• Monitoring
• Threat Intelligence Analysis/Response
• Vulnerability Management
• Digital Forensics & Incident Response
• Penetration Testing
• Continuity/Disaster Recovery Planning
• Security Analytics
• Table Top Exercises
Federal Government Service Offerings
US DHS Cybersecurity Services
Assessments
• Cyber Resilience Review (operational resilience and cybersecurity practices)
• External Dependencies Management (issues related to vendors and reliance on external entities)
• Risk and Vulnerability Assessment (whether and by what methods an adversary can defeat network controls)
• Phishing Campaign Assessment
• Vulnerability Scanning
• Validated Architecture Design Review
• Cybersecurity Evaluation Tool
Other services
• Cybersecurity Advisors (CSA)
– Rich Richard Jr., Region II, Richard.Richard@hq.dhs.gov, 631.241.3662
• Cybersecurity Exercise Support
• Incident Response
• Awareness and Training
– Stop.Think.Connect: https://www.dhs.gov/stopthinkconnect
– Federal Virtual Training Environment: https://niccs.us-cert.gov/training/federal-virtual-training-environment-fedvte
MS-ISAC Service Offerings
EI-ISAC 24x7 Security Operations Center
1-866-787-4722
SOC@cisecurity.org
ELECTIONS@CISECURITY.ORG

Andrew Dolan, Director, Stakeholder Engagement, EI-ISAC
518.880.0693, Andrew.Dolan@cisecurity.org
Eugene Kipniss, Senior Program Specialist, EI-ISAC
518.880.0716, Eugene.kipniss@cisecurity.org
Monitoring of IP Range & Domain Space
IP Monitoring
• IPs connecting to malicious C&Cs
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus
Domain Monitoring
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)
Send domains, IP ranges, and contact info to: soc@msisac.org
Additional Benefits of Both ISACs
• Situational Awareness Resources
• Insider access to federal information
• Product and Training Discounts
• Cybersecurity Exercise Participation
• Workgroups
• Webcasts
HSIN Community of Interest
Access to:
• MS-ISAC Cyber Alert Map
• Archived webcasts & products
• Cyber table top exercises
• Guides and templates
• Message boards
SecureSuite
• Workbench
– Platform for creating and maintaining resources
– https://workbench.cisecurity.org
• CIS-CAT Pro
– Configuration and Vulnerability Assessment Tool
– Assessor and Dashboard can be downloaded from
Workbench
DDoS Mitigation and Web Protection Services
Google - Protect Your Election
• Project Shield DDoS Protection
• Two Factor Authentication
• Advanced Phishing Protection (GSuite)
• Password Alert Plugin for Chrome
• General Security Support

Cloudflare – Athenian Project
• Full enterprise offering
• DDoS protection
• Web Application Firewall (WAF)
• Content Delivery Network (CDN)
• 24x7 Support

Both services are available to any SLTT organization responsible for public-facing elections infrastructure related to voter registration information and election night reporting.
• Collaborative Purchasing
– End-User Security Awareness Training
– Advanced Technical Training Courses & Degree Programs
– Consulting Services
– Two-Factor Authentication
– Cloud Access Security Management
• Over $40 million in savings for our members
• Learn more at www.cisecurity.org/services/cis-cybermarket or contact
info@cisalliance.org
Who can I call for help?
Security Operations Center (SOC)
SOC@cisecurity.org - 1-866-787-4722
31 Tech Valley Dr., East Greenbush, NY 12061-4134
www.cisecurity.org
To join or get more information: https://learn.cisecurity.org/ms-isac-registration
Election Infrastructure ISAC Resources
Who We Serve
EI-ISAC Members include:
• 48 State Elections Entities
• Over 500 Local Government Elections Entities
County Clerks, Secretaries of State, Registrars of Voters, Departments of Elections, Boards of Elections
About EI-ISAC Membership
Free and Voluntary
No Mandated Information Sharing
Registration is the only requirement!
To join or get more information: https://learn.cisecurity.org/ei-isac-registration
An Elections-focused Cyber Defense Suite
• 24x7x365 network monitoring
• Incident response and remediation
• Threat and vulnerability monitoring
• DDoS mitigation and web protection services
• Election-specific threat intelligence
• Training sessions and webinars
• Promote security best practices
Elections Weekly News Alert
• MS-ISAC analysis to provide key context
– General election industry or election security reports
– Legislative action on election security issues
– Best practice examples from peers in the election community
– General technology/cybersecurity stories that may have an election link/impact
• Released on Wednesday afternoons
Cybersecurity Spotlight
• Key Security Terms and Best Practices
– What it is
– Why does it matter
– What you can do
• Released on Friday afternoons
Elections Sector Quarterly Report
• Compiles analysis of elections-specific events identified by/reported to
MS-ISAC
• Provides highlights of MS-ISAC election activities
Election-specific Cyber Alerts
• Short e-mail alerts regarding immediate threats
– Targeted at both executive and technical staff
• Provides overview of activity and actionable recommendations
– Executive Overview
– Executive Recommendations
– Technical Overview
– Technical Recommendations
Handbook for EI Security
• Intended for Elections Officials and Technical
Support Teams
• Analyzes the risks of key election
system components
• Describes specific technical controls
and processes to improve security
• Assessment tool to be made available
Order Hard Copies:
https://learn.cisecurity.org/ei-handbook

https://www.cisecurity.org/elections-resources