• NYS Cyber Security Policies, Standards & Guidelines – to enforce sound practices
• Training & Education – to enhance awareness & capabilities
– NYS Cyber Security Conference
– NYS Cyber Security Awareness online training course & Skills training – extended to counties
State, Local, Tribal, or Territorial Government Entity (SLTT)
A Tale of Two ISACs
• 2010 – The MS-ISAC breaks away from NYS and joins the Center for Internet Security as a program area
• Summer 2016
– Public reporting of voter registration compromises
• January 2017
– Intelligence Community Assessment (attribution of all elections related activity)
– Critical Infrastructure Designation
• July 2017
– Election Critical Infrastructure Working Group meets at MS-ISAC HQ
• September 2017
– Election Infrastructure Subsector Government Coordinating Council (EIS-GCC) established
– MS-ISAC Pilot for Elections Approved
• October 2017 – February 2018
– MS-ISAC Pilot for Elections (NJ, VA, IN, TX, CO, UT, WA)
• February 2018
– EIS-GCC votes to establish EI-ISAC
• March 2018
– EI-ISAC Official Launch
Who can utilize these resources?
Eligible entities include:
✓ Counties
✓ Municipalities (towns, cities, villages, etc.)
✓ Law Enforcement Agencies
✓ Public Authorities (power, water, transit, etc.)
✓ Public Education (K-12, BOCES, Community College, Universities)
✓ Elections offices
How to access MS-ISAC resources
• Register for the MS-ISAC’s services here:
https://learn.cisecurity.org/ms-isac-registration
Critical Security Controls – three groups (https://www.cisecurity.org/controls/)
Basic
▪ What every organization needs for essential cyber defense readiness
Foundational
▪ Technical best practices that provide clear security benefits
Organizational
▪ Focus on people & processes involved in cybersecurity
Top 20 Assessment
▪ Straight-forward way to baseline your organization
▪ Focuses on specific, highly-effective, prioritized actions
▪ Maps to other Frameworks
▪ Industry-vetted
Sample sub-control rows from the assessment (sub-control – maturity level – score):
▪ System 1.6 – Not Performed – 1: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
▪ System 1.7 – Not Performed – 1: Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
▪ System 1.8 – Not Performed – 1: Use client certificates to validate and authenticate systems prior to connecting to the private network.
Using the Tool – before and after view (the same sub-controls appear in both states):
Critical Security Control #1: Inventory and Control of Hardware Assets
▪ Utilize an Active Discovery Tool
▪ Use a Passive Asset Discovery Tool
▪ Use DHCP Logging to Update Asset Inventory
▪ Maintain Detailed Asset Inventory
▪ Maintain Asset Inventory Information
▪ Address Unauthorized Assets
▪ Deploy Port Level Access Control
▪ Utilize Client Certificates to Authenticate Hardware Assets
Critical Control 2: Inventory and Control of Software Assets
▪ Maintain Inventory of Authorized Software
▪ Ensure Software is Supported by Vendor
▪ Utilize Software Inventory Tools
▪ Track Software Inventory Information
▪ Integrate Software and Hardware Asset Inventories
▪ Address Unapproved Software
▪ Utilize Application Whitelisting
▪ Implement Application Whitelisting of Libraries
▪ Physically or Logically Segregate High Risk Applications
Top 20 Assessment Tool – Maturity Level/Score
▪ Not Performed – 1
▪ In Process – 2
▪ In Place – 3
Asset Management – Hardware & Software (Critical Security Control #’s 1 & 2): it all starts here
Asset Management Scope
• Business Functions
• Business Application Assets
• Information / Data Assets
• Hardware Assets
• Software Assets
• Personnel Assets
Asset Management is an organizational responsibility
Asset Inventory - Hardware
CSC #1: Inventory & Control of Hardware Assets – Actively manage (inventory, track, and correct) all hardware devices on the network.
[Figure: asset inventory cycle – Asset Inventory Data Analysis → Rescan / Validate → Vulnerability scan]
Management Tips
• Ongoing Process – Continuously acquire, assess, & take action on new information.
• Go beyond PCs
• Integrate & automate processes
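As an added example (not from the presentation, and not CIS or NYS ITS tooling), the reconciliation behind "Use DHCP Logging to Update Asset Inventory" and "Address Unauthorized Assets" can be scripted. The Python below parses DHCPACK lines in the ISC dhcpd syslog format, matches each leased MAC address against an authorized hardware inventory, and reports unknown devices (candidates for quarantine or onboarding), inventory records that issued no lease (possibly retired), and current addresses for known devices so the inventory stays current. The log lines, the inventory, the function names and the dhcpd message-format assumption are all constructed for this example.

```python
"""Reconcile DHCP lease activity against a hardware asset inventory (CSC 1).

Hypothetical example. The inventory and the dhcpd log lines are constructed;
the log format assumed is ISC dhcpd's syslog message
"DHCPACK on <ip> to <mac> (<hostname>) via <iface>".
"""
import re
from dataclasses import dataclass, field

# Constructed inventory of authorized devices, keyed by MAC address.
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:55": {"name": "clerk-pc-01", "owner": "Clerk", "ip": None},
    "00:11:22:33:44:66": {"name": "printer-2f", "owner": "Facilities", "ip": None},
    "00:11:22:33:44:77": {"name": "records-srv", "owner": "IT", "ip": None},
}

# Constructed dhcpd syslog lines (not real traffic).
SAMPLE_DHCP_LOG = """\
Mar  4 08:01:12 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (clerk-pc-01) via eth0
Mar  4 08:02:40 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.41 to 00:11:22:33:44:66 (printer-2f) via eth0
Mar  4 08:05:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.99 to 0a:bb:cc:dd:ee:ff via eth0
Mar  4 08:07:31 dhcp1 dhcpd[1234]: DHCPDISCOVER from 0a:bb:cc:dd:ee:ff via eth0
Mar  4 08:09:15 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (clerk-pc-01) via eth0
"""

# Only DHCPACK lines are proof that a lease was actually handed out; the
# hostname field is optional because not every client sends one.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Reconciliation:
    seen_authorized: dict = field(default_factory=dict)  # mac -> current ip
    unauthorized: dict = field(default_factory=dict)     # mac -> (ip, hostname)
    not_seen: set = field(default_factory=set)           # inventory macs with no lease


def parse_dhcp_acks(log_text):
    """Yield (ip, mac, hostname) for every DHCPACK line; other messages are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host") or ""


def reconcile(log_text, inventory):
    """Compare leased MACs with the authorized inventory."""
    result = Reconciliation()
    for ip, mac, host in parse_dhcp_acks(log_text):
        if mac in inventory:
            result.seen_authorized[mac] = ip        # latest address for a known device
        else:
            result.unauthorized[mac] = (ip, host)   # quarantine or onboard (sub-control 1.6)
    result.not_seen = set(inventory) - set(result.seen_authorized)
    return result


def apply_updates(result, inventory):
    """Write observed addresses back into the inventory; returns records touched."""
    for mac, ip in result.seen_authorized.items():
        inventory[mac]["ip"] = ip
    return len(result.seen_authorized)


if __name__ == "__main__":
    r = reconcile(SAMPLE_DHCP_LOG, AUTHORIZED_INVENTORY)
    apply_updates(r, AUTHORIZED_INVENTORY)
    for mac, (ip, host) in r.unauthorized.items():
        print(f"UNAUTHORIZED {mac} leased {ip} host={host or '?'} -> quarantine or add to inventory")
    for mac in sorted(r.not_seen):
        print(f"NOT SEEN     {mac} ({AUTHORIZED_INVENTORY[mac]['name']}) -> verify still in service")
    for mac, ip in r.seen_authorized.items():
        print(f"OK           {mac} -> {ip}")
```

Run against a real dhcpd log the "unauthorized" list is the work queue for sub-control 1.6 (remove, quarantine, or update the inventory), and the "not seen" list catches inventory drift in the other direction; MAC-based matching is only as strong as the port-level controls (802.1x, client certificates) that keep a device from spoofing an address.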
VMP notifications
• Quarterly notifications
• Contact vmp.dl@cisecurity.org to:
– Opt out of this service
– Provide feedback on the Port Profiler
• Contact soc@cisecurity.org if:
– You wish to add IP addresses
– To verify “VMP Notification” contacts
VMP@cisecurity.org
MS-ISAC Advisories (TLP: WHITE)
Application Software Security
Secure System Development Life Cycle (SSDLC): Comprehensive, Mission-Focused, Repeatable, Right-Sized
Benefits:
• Reduces the number of vulnerabilities
• Reduces the impact to businesses if an incident occurs
• Decreases the risk of business service disruptions
• Increases the ability of the business to deliver services
http://www.its.ny.gov/document/secure-system-development-life-cycle-ssdlc-standard
Why is SSDLC Necessary?
• In 2017, Cyber-Espionage, Privilege Misuse, Web Application Attacks, & Miscellaneous Errors represented 75% of breaches in the Public Administration sector
• $3.62 million was the average total cost of a data breach in 2017
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
https://securityintelligence.com/media/2017-ponemon-institute-cost-of-a-data-breach-study/
Threats to Government Organizations and Citizens
[Figure: Partners/Suppliers – Contractual Requirements, Regulatory Attestation, Best Practice Controls; Citizens – Expect Secure Access, Expect Privacy, Expect Data Accuracy; threats shown: Social Engineering, Spin]
[Figure: SSDLC phases; legible step names – 3) Establish System Criticality Level; 9) Assess Vulnerabilities and Threats; 14) Perform Accreditation]
https://its.ny.gov/document/secure-system-development-life-cycle-ssdlc-standard
https://its.ny.gov/secure-system-development-life-cycle-standard
Key Takeaways
Security must be built into all systems from the very beginning
Application Software Security
Application Risk Assessment
Assessment areas, with activities, NIST SP 800-53 controls, Critical Security Control mapping, and evidence collected:
Administrative (Secure SDLC)
– Activities: Business Impact & Interviews – identify business; Secure Design Plan; Information security plan; Identity Assurance worksheet (roles, …); Web Site/Application – web app scanning (Qualys/WebInspect); Application code scan/review; Code review; Pen-testing
– Controls: IR-1, IR-2, IR-3, IR-4; AC-2, AC-6, AC-17; AC-19, CA-7, IA-4; CA-2, CA-5, CA-6; CA-8, RA-6, SI-6; PM-6, PM-14
– CSC mapping: CSC 19: Incident Response and Management; CSC 5: Controlled Use of Administrative Privileges; CSC 14: Controlled Access Based on Need to Know; CSC 7: Email and Web Browser Protections; CSC 20: Penetration Tests and Red Team Exercises
– Evidence: Incident management procedures exist; SSDLC, access matrix, data flow diagrams, system and business function; encryption in transit/rest, pen test results
Technical Controls – Application, core services & databases
– Activities: Discovery & Relationship Mapping (ITSM CMDB); dependencies; Application code scan/review
– Controls: CA-2, CA-7, RA-5; SC-34, SI-4, SI-7, AT-1; AT-2, AT-3, AT-4, SA-11
– CSC mapping: CSC 4: Continuous Vulnerability Assessment and Remediation; CSC 9: Limitation and Control of Network Ports, Protocols, and Services
– Evidence: Web, network and code scan results; SSDLC documentation
Technical Controls – Platform (host, cloud)
– Activities: Configuration assessment (CIS-CAT; DISA, Qualys, Nessus, hardening guidance); Network & Host Vulnerability scanning (authenticated); CAIQ & 3rd party practices
– Controls: CA-7, CM-2, CM-3; CM-5, CM-6, CM-7; CM-8, CM-9, CM-11; MA-4, RA-5, SA-4; SC-15, SC-34, SI-2
– CSC mapping: CSC 3: Secure Configurations; CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs; CSC 11: Secure Configurations for Network Devices
– Evidence: Secure configuration standards and secure configuration scan results
Technical Controls – Infrastructure
– Activities: Network Mapping & Scanning; Service Level Agreements; Resiliency Level (Incidents, RTO/RPO objectives)
– Controls: AC-4, AC-17, AC-20; CA-3, CA-7, CA-9; CM-2, SA-9, SC-7; SC-8, SI-4
– CSC mapping: CSC 8: Malware Defenses; CSC 10: Data Recovery Capability; CSC 12: Boundary Defense; CSC 15: Wireless Access Control
– Evidence: SLA documentation, aligned with business mission and criticality; network diagrams with PDS/IDS
Measures 3 Key Areas
Business Risk Index
• Business Impact
• Privacy Impact
• Regulatory Compliance
• Business Continuity
• Business Alignment
Technical Risk Index
• Application, services, Db Security
• Technical Controls
• Resiliency
• Technical Alignment
• Disaster Recovery
Operational Risk Index
• Documentation
• Process
• Technical Controls
• Operational Environment
Scoring across the 3 indices (Business Risk, Technical Risk, Operational Risk) produces an overall application security risk profile. Risk profiles drive heat-maps & scorecards for clusters & agencies.
Cyber Security Risk Assessment Tool
Ease-of-use & Efficiency
• Menu-driven
• Self-assessment tool
• Automatic report creation
• Available online & offline
Security/Privacy
• Private SharePoint, access restricted to authorized persons
Analytics/business intelligence
• Business & Technical Risk Indices, scorecards & dashboards
Incident response phases: Prepare → Identification → Containment → Eradication → Recovery → Lessons Learned
Response partners – Local Response; State: EISO CyCom, OCT CIRT, NYSP/NYSIC; MS-ISAC; Federal: US DHS, FBI
• Email CYCOM@ITS.NY.GOV.
• If including sensitive data and you are outside of the NYS Office 365 (O365) tenancy, consider encrypting using the Enterprise Information Security Office (EISO)’s PGP public key. The key may be found on the EISO web site at http://its.ny.gov/eiso/incident-reporting/
MS-ISAC 24 x 7 Security Operations Center
Central location to report any cybersecurity incident
• Support:
– Network Monitoring Services
– Research and Analysis
• Reporting:
– Cyber Alerts & Advisories
– Web Defacements
– Account Compromises
– Hacktivist Notifications
To report an incident or request assistance: Phone: 1-866-787-4722, Email: soc@msisac.org
Computer Emergency Response Team – submissions to mcap@msisac.org:
• Executables
• DLLs
• Documents
• Quarantine files
• Archives
Security Awareness & Training
https://its.ny.gov/eiso/local-government
Break – 10 minutes
Organizational Security
• Measures the level of cyber security maturity and risk awareness in government
• To register: https://msisac.cisecurity.org/resources/ncsr/registration/
Critical Security Controls – sub-controls by control:
Inventory and Control of Hardware Assets
▪ Utilize an Active Discovery Tool
▪ Use a Passive Asset Discovery Tool
▪ Use DHCP Logging to Update Asset Inventory
▪ Maintain Detailed Asset Inventory
▪ Maintain Asset Inventory Information
▪ Address Unauthorized Assets
▪ Deploy Port Level Access Control
▪ Utilize Client Certificates to Authenticate Hardware Assets
Inventory and Control of Software Assets
▪ Maintain Inventory of Authorized Software
▪ Ensure Software is Supported by Vendor
▪ Utilize Software Inventory Tools
▪ Track Software Inventory Information
▪ Integrate Software and Hardware Asset Inventories
▪ Address Unapproved Software
▪ Utilize Application Whitelisting
▪ Implement Application Whitelisting of Libraries
▪ Physically or Logically Segregate High Risk Applications
Vulnerability management
▪ Run Automated Vulnerability Scanning Tools
▪ Perform Authenticated Vulnerability Scanning
▪ Protect Dedicated Assessment Accounts
▪ Deploy Automated Software Patch Management Tools
▪ Compare Back-to-back Vulnerability Scans
▪ Utilize a Risk-rating Process
Administrative privileges
▪ Maintain Inventory of Administrative Accounts
▪ Change Default Passwords
▪ Ensure the Use of Dedicated Administrative Accounts
▪ Use Multifactor Authentication for All Administrative Access
▪ Use of Dedicated Machines for All Administrative Tasks
▪ Limit Access to Script Tools
▪ Log and Alert on Changes to Administrative Group Membership
Secure configurations
▪ Establish Secure Configurations
▪ Maintain Secure Images
▪ Securely Store Master Images
▪ Implement Automated Configuration Monitoring Systems
Audit logs
▪ Utilize Three Synchronized Time Sources
▪ Active Audit Logging
▪ Enable Detailed Logging
▪ Central Log Management
▪ Deploy SIEM or Log Analytic Tool
▪ Regularly Review Logs
▪ Regularly Tune SIEM
• Acquiring Contract Solutions through General Services Administration (GSA) Federal Contracts
o https://govbuy.ogs.ny.gov/new-acquiring-contract-solutions-through-general-services-administration-gsa-federal-contracts
Cyber Security Service Offerings
NYS Shared Service Offerings – NYS Chief Information Security Office
– Main: 518.242.5200, EISO@its.ny.gov
– Cyber Command Center (CyCom): 518.242.5045, CyCom@its.ny.gov
– Local Government Resources: https://its.ny.gov/local-government
Services: Policy/Standards; Compliance Support; Education & Awareness; Risk Assessment & Remediation; Secure Architecture & Engineering; Monitoring; Threat Intelligence Analysis/Response; Vulnerability Management; Digital Forensics & Incident Response; Penetration Testing; Continuity/Disaster Recovery Planning; Security Analytics; Table Top Exercises
Federal Government Service Offerings
US DHS Cybersecurity Services
• Assessments
– Cyber Resilience Review (operational resilience and cybersecurity practices)
• Cybersecurity Advisors (CSA)
– Rich Richard Jr., Region II – Richard.Richard@hq.dhs.gov – 631.241.3662
Both services are available to any SLTT organization responsible for public-facing elections infrastructure related to voter registration information and election night reporting
• Collaborative Purchasing
– End-User Security Awareness Training
– Advanced Technical Training Courses & Degree Programs
– Consulting Services
– Two-Factor Authentication
– Cloud Access Security Management
• Over $40 million in savings for our members
• Learn more at www.cisecurity.org/services/cis-cybermarket or contact info@cisalliance.org
Who can I call for help?
Security Operations Center (SOC)
SOC@cisecurity.org - 1-866-787-4722
31 Tech Valley Dr., East Greenbush, NY 12061-4134
www.cisecurity.org
https://www.cisecurity.org/elections-resources