Learn about the Federal Student Aid overview of guaranty agency cyber security assessment programs and discover best practices for improving cybersecurity. This session will cover topics such as cyber security awareness, spear phishing, safeguarding sensitive information, and the impact of potential risks.
NCHER 2018 Annual Conference, June 2018, Charleston, SC
Introductions
• Andy Newton, Deputy Chief Information Security Officer (CISO), Federal Student Aid, U.S. Department of Education
• Theon S. Dam, IT Specialist (INFOSEC), Federal Student Aid, U.S. Department of Education
Federal Student Aid (FSA) overview of guaranty agency cyber security assessment programs…
Best Practices for Improving Cybersecurity Andy Newton | Theon Dam U.S. Department of Education Federal Student Aid
Agenda
• Purpose
• Cyber Security & Privacy Awareness
• Department of Homeland Security’s BOD 18-01 & OMB M-15-13
• Q&A
Purpose • To provide Cyber Security guidance and best practices for protecting Student and other sensitive information.
Cyber Security & Privacy Awareness
• Security & Privacy Awareness Training
  • All new hires should complete training prior to being granted access to any information systems or assets
  • Conduct background checks on all new employees and contractors
  • Training for existing staff should be completed at least annually, and records kept
• Role-Based Training
  • Managers, IT staff, security staff, etc.
  • Training must be completed at least annually
Spear Phishing
• Sent to an individual or a smaller, more select group within a targeted organization
• Appears as if sent from a legitimate organization or known individual
• May be personalized using information from social media and the Internet
• Goal is to obtain specific information or infect the target’s computer system with malware
Spear Phishing—How It Works
• Fake emails masquerading as legitimate correspondence are sent to targeted users.
• The user clicks on a link or opens an attachment.
• Malware is executed and installed on the user’s computer.
• The attacker uses the malware to escalate their privileges.
• Access is gained to passwords and other systems.
• Data gathered from end-user workstations, servers and databases is transmitted back to the attacker through the Internet.
Identifying Phishing/Spear Phishing
• Slow down and analyze email messages for one or more of these phishing indicators before taking action:
  • You don’t know the sender
  • The sender’s email address does not match the “friendly” name displayed
  • The email is not similar to what you have received from the sender in the past
  • Includes a link
  • Contains an attachment you weren’t expecting or that is out of context for the sender
  • Includes information that may have been found on social media, or refers to a current news event
  • Immediate action is required
  • Requests that you provide sensitive information about yourself or the Department
  • Contains poor grammar, misspellings and punctuation errors
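The indicators on this slide can be turned into a first-pass triage rule for a mail gateway or a help-desk tool. The script below is an added example, not code from the presentation or from Federal Student Aid: it parses a raw RFC 5322 message with Python's standard `email` package and reports which of the slide's indicators fire (unknown sender, friendly name not matching the address, a link, an attachment, urgency wording, and requests for sensitive data). The phrase lists, the `known_senders` address book and both sample messages are constructed for the example; the "past correspondence" and "social media" indicators need context a script does not have and are left to the human reader.

```python
"""Rule-based triage for the phishing indicators listed on the slide.
Added example (not from the presentation); phrase lists and samples are constructed."""
import email
import re
from email import policy

# Assumed phrase lists; a real deployment would tune these to its own traffic.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "action required", "will be suspended")
SENSITIVE_PHRASES = ("password", "social security", "ssn", "date of birth", "bank account")
EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def sender_parts(msg):
    """Return (display_name, addr_spec) of the first From: address, or ('', '') if none."""
    addresses = getattr(msg.get("From"), "addresses", ())
    if not addresses:
        return "", ""
    return addresses[0].display_name, addresses[0].addr_spec.lower()


def display_name_mismatch(display_name, addr_spec):
    """True when the friendly name itself carries an address whose domain differs from the real one."""
    real_domain = addr_spec.rpartition("@")[2]
    match = EMBEDDED_ADDRESS.search(display_name)
    return bool(match) and match.group(1).lower() != real_domain


def phishing_indicators(raw_message, known_senders):
    """Return the slide's indicators that fire for one message given as bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display_name, addr_spec = sender_parts(msg)
    hits = []
    if addr_spec not in {s.lower() for s in known_senders}:
        hits.append("unknown sender")
    if display_name_mismatch(display_name, addr_spec):
        hits.append("sender address does not match friendly name")
    body, attachments = "", 0
    for part in msg.walk():  # walk() visits the root message and every MIME part
        if part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_content()
    if re.search(r"https?://|<a\s", body, re.IGNORECASE):
        hits.append("includes a link")
    if attachments:
        hits.append("contains an attachment")
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(p in text for p in URGENCY_PHRASES):
        hits.append("immediate action required")
    if any(p in text for p in SENSITIVE_PHRASES):
        hits.append("requests sensitive information")
    return hits


# Constructed sample messages; the people, domains and addresses are fictional.
SUSPECT = b"""From: "Jane Doe <jane.doe@agency.example>" <alerts@mail-agency.example>
To: staff@agency.example
Subject: Action required: confirm your account immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your password expires today. Confirm it at http://mail-agency.example/login within 24 hours.

--b1
Content-Type: application/pdf; name="notice.pdf"
Content-Disposition: attachment; filename="notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

BENIGN = b"""From: Jane Doe <jane.doe@agency.example>
To: staff@agency.example
Subject: Agenda for Thursday's meeting
Content-Type: text/plain; charset="us-ascii"

Here is the outline we discussed. See you Thursday.
"""

KNOWN_SENDERS = ["jane.doe@agency.example"]  # constructed address book

if __name__ == "__main__":
    print("suspect:", phishing_indicators(SUSPECT, KNOWN_SENDERS))
    print("benign: ", phishing_indicators(BENIGN, KNOWN_SENDERS))
```

The indicator count is only a prompt for the reader to "slow down", as the slide puts it; a message with a single hit (a link from a known colleague) is normal, while a message that trips most of the rules at once is the pattern described under "How It Works".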
Tips to Safeguard Sensitive Information
• Minimize PII
  • Collect only PII that you are authorized to collect, and at the minimum level necessary
  • Limit the number of copies containing PII to the minimum needed
• Secure PII
  • Store PII in an appropriate access-controlled environment
  • Use fictional personal data for presentations or training
  • Review documents for PII prior to posting
  • Safeguard PII in any format
  • Disclose PII only to those authorized
• Safeguard the transfer of PII
  • Do not email PII unless it is encrypted or in a password-protected attachment
  • Alert FAX recipients of an incoming transmission
  • Use services that provide tracking and confirmation of delivery when mailing
• Dispose of PII properly
  • Delete/dispose of PII at the end of its retention period, or transfer it to the custody of an archives, as specified by its applicable records retention schedule
Potential Risk Impacts
Impact categories: Financial, Regulatory, Strategic, Technology, Reputation
• Compromise of networks allowing unauthorized access to information
• Failure to protect personally identifiable information from unauthorized disclosure
• Inaccurate, unreliable and/or incomplete financial statements and/or records
• Inadequate, ineffective and/or inappropriate internal controls
• Inconsistent, inaccurate and/or inefficient administration, disbursement, and servicing of student aid
• Ineffective oversight and monitoring of Title IV programs and participants
• Failure to adhere to and/or implement requirements associated with Title IX/Clery Act
• Failure to resolve key control deficiencies identified during the audit process
• Failure to achieve program targets
• Failure to achieve enrollment and retention targets
• Inability to perform significant academic or scientific research
DHS BOD 18-01 & OMB M-15-13
• Binding Operational Directive 18-01, by the Department of Homeland Security (DHS)
• OMB M-15-13, by the White House Office of Management and Budget
• Issued October/November 2017
• Required all Federal agencies to enhance e-mail and web security
DHS BOD 18-01 (OMB M-15-13)
• E-mail security requirements as stated in DHS BOD 18-01:
  • Use STARTTLS
    • STARTTLS is a protocol command that upgrades an insecure connection to a secure connection using SSL/TLS
    • Enabling STARTTLS makes passive man-in-the-middle attacks more difficult
  • SSL v2 & SSL v3 – disabled on mail servers
  • 3DES & RC4 ciphers – turned off on mail servers
DHS BOD 18-01 (OMB M-15-13)
• Web security requirements as stated in DHS BOD 18-01 (https://cyber.dhs.gov):
  • HTTPS (Hypertext Transfer Protocol Secure)
  • HSTS (HTTP Strict Transport Security) – ensures web browsers use the secure HTTPS connection
  • SSL v2 & SSL v3 – disabled on web servers
  • 3DES & RC4 ciphers – turned off on web servers
  • TLS v1.0 (Transport Layer Security) – disabled
  • TLS v1.1 or v1.2 – enabled by March 2018
  • Minimum of SHA-256 (SHA-2)
DHS BOD 18-01 (cont’d)
• How to test for compliance:
  • HTTPS (Hypertext Transfer Protocol Secure)
    • Visit the URL – does the web address box show HTTPS?
DHS BOD 18-01 (cont’d)
• How to test for compliance:
  • Visit Qualys SSL Labs at https://www.ssllabs.com/ssltest/analyze.html?d=www.ssllabs.com, enter the hostname and click “Submit”. Check the results for:
    • HSTS (HTTP Strict Transport Security)
    • SSL v2 & SSL v3 – disabled (mail & web servers)
    • 3DES & RC4 ciphers – turned off
    • TLS v1.0 (Transport Layer Security) – disabled
    • TLS v1.1 or v1.2 – enabled
    • Minimum of SHA-256 (SHA-2)
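The two requirement slides and the two "how to test" slides above describe one checklist. The script below is an added example written for this page, not a tool from the presentation, from DHS or from Qualys: it encodes the slides' e-mail and web items (STARTTLS offered; SSL v2/v3 and TLS v1.0 disabled; TLS v1.1 or v1.2 enabled; no 3DES/RC4 suites; SHA-256 signatures; HSTS present) as an offline evaluator over a `TlsPosture` record you fill in by hand from an SSL Labs report or your own scanner, plus two small live probes (`probe_https`, `probe_starttls`) that need network access and report what a given host actually negotiates. The `TlsPosture` type, the cipher-name substrings and both sample postures are my assumptions; Python's `ssl` module on a current system cannot offer SSL v2/v3 itself, so confirming those are disabled still needs a scanner such as SSL Labs.

```python
"""Checklist evaluator for the e-mail/web TLS items the slides attribute to DHS BOD 18-01,
plus two live probes.  Added example, not from the presentation or from DHS."""
import http.client
import smtplib
import ssl
from dataclasses import dataclass

# Requirements transcribed from the slides.
BANNED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}     # "disabled"
ACCEPTABLE_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}        # "TLS v1.1 or v1.2 - enable"
BANNED_CIPHER_MARKERS = ("3DES", "DES-CBC3", "RC4")  # substrings in OpenSSL/IANA suite names (assumed)
MIN_SIGNATURE_HASH_BITS = 256                        # "Minimum of SHA-256 (SHA-2)"


@dataclass
class TlsPosture:
    """What a server will negotiate, e.g. transcribed by hand from a Qualys SSL Labs report (assumed shape)."""
    protocols: set              # protocol names the server accepts, e.g. {"TLSv1.2"}
    ciphers: list               # cipher suite names the server accepts
    signature_hash_bits: int    # hash length of the certificate signature (256 = SHA-256)
    is_mail_server: bool = False
    starttls: bool = True       # mail only: EHLO response advertises STARTTLS
    hsts_header: str = ""       # web only: Strict-Transport-Security value, "" if absent


def parse_hsts(header):
    """Split a Strict-Transport-Security value into its directives."""
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        key = name.strip().lower()
        if key == "max-age":
            try:
                result["max-age"] = int(value.strip().strip('"'))
            except ValueError:
                result["max-age"] = None
        elif key == "includesubdomains":
            result["includeSubDomains"] = True
        elif key == "preload":
            result["preload"] = True
    return result


def evaluate(posture):
    """Return the checklist items the posture fails; an empty list means it passes."""
    findings = []
    for proto in sorted(posture.protocols & BANNED_PROTOCOLS):
        findings.append(f"{proto} is enabled and must be disabled")
    if not (posture.protocols & ACCEPTABLE_PROTOCOLS):
        findings.append("neither TLS v1.1 nor TLS v1.2 is enabled")
    for suite in posture.ciphers:
        if any(marker in suite.upper() for marker in BANNED_CIPHER_MARKERS):
            findings.append(f"3DES/RC4 cipher enabled: {suite}")
    if posture.signature_hash_bits < MIN_SIGNATURE_HASH_BITS:
        findings.append(f"certificate signature hash is {posture.signature_hash_bits}-bit; SHA-256 is the minimum")
    if posture.is_mail_server and not posture.starttls:
        findings.append("STARTTLS is not offered")
    if not posture.is_mail_server:
        if not posture.hsts_header:
            findings.append("HSTS header is missing")
        elif not parse_hsts(posture.hsts_header)["max-age"]:
            findings.append("HSTS max-age is missing or zero")
    return findings


def probe_https(host, timeout=5):
    """Live check (needs network): negotiated TLS version/cipher and the HSTS header of https://host/."""
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    conn.connect()
    version, cipher = conn.sock.version(), conn.sock.cipher()[0]
    conn.request("HEAD", "/")
    hsts = conn.getresponse().getheader("Strict-Transport-Security", "")
    conn.close()
    return {"version": version, "cipher": cipher, "hsts": hsts}


def probe_starttls(host, port=25, timeout=5):
    """Live check (needs network): does the MTA advertise STARTTLS, and what does it then negotiate."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ssl.create_default_context())
        return {"starttls": True, "version": smtp.sock.version(), "cipher": smtp.sock.cipher()[0]}


# Constructed sample postures (not real servers).
LEGACY_MAIL = TlsPosture(protocols={"SSLv3", "TLSv1.0", "TLSv1.2"},
                         ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"],
                         signature_hash_bits=160, is_mail_server=True, starttls=False)
HARDENED_WEB = TlsPosture(protocols={"TLSv1.2"}, ciphers=["ECDHE-RSA-AES256-GCM-SHA384"],
                          signature_hash_bits=256, hsts_header="max-age=31536000; includeSubDomains")

if __name__ == "__main__":
    for label, posture in (("legacy mail server", LEGACY_MAIL), ("hardened web server", HARDENED_WEB)):
        print(label, "->", evaluate(posture) or ["passes the checklist"])
```

Running the file prints six findings for the constructed legacy mail posture and a pass for the hardened web posture. The slides give no minimum HSTS `max-age`, so the evaluator only requires the header to be present with a non-zero value; the `probe_*` functions are what you would run against your own hosts to fill in a `TlsPosture` before an assessment.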
Contact Andy Newton Deputy Chief Information Security Officer (CISO) Federal Student Aid US Department of Education 830 First Street, NE Washington DC 20202 Email: Andy.Newton@ed.gov Phone: 202-377-4226
Contact Theon S. Dam IT Specialist INFOSEC Federal Student Aid US Department of Education 830 First Street, NE Washington DC 20202 Email: Theon.S.Dam@ed.gov Phone: 202-377-3106
Best Practices in Improving Information Technology and Cyber Security
Recent Updates to Federal Information Technology Practices
• Compliance
  • Guaranty agencies – compliance reviews by the U.S. Department of Education (USDOE)
  • Best practices for agencies with upcoming reviews
Background
• FDOE established the Office of Student Financial Assistance pursuant to Chapter 1009, Florida Statutes
• OSFA is responsible for providing access to and administering:
  • State and federal grants
  • Scholarships
  • Loans
Background, Continued
• The Federal Family Education Loan Program (FFELP) system resides on a mainframe located at the Northwest Regional Data Center (NWRDC), a separate facility
• Mainframe security software is used to control access to the FFELP system, including application programs and data files
• Desktop security is maintained in-house by FDOE IT; however, OSFA dictates security levels (e.g. multi-factor authentication) that may exceed FDOE standards
OSFA’s Approach to Compliance Reviews
• Words mean something
  • ECD = Estimated Completion Date or Expected Completion Date
• Be engaged at all levels: the importance of understanding the relationship of information security to business processes, not seeing the consequences of poor information security
  • Business
  • IT
  • Data Center
OSFA’s Approach to Compliance Reviews, Continued
• How do you eat an elephant?
  • Start with what you know and have
  • Fill in the blanks
  • Tweak and expand
  • Document, document, document
• FDOE’s lengthy approval process for policy leads OSFA to create and implement its own (stronger) policies
• Transfer of information
  • Email is public record
  • No .zip files
  • ShareFile – provides notification of uploads/downloads
OSFA’s Approach to Compliance Reviews, Continued
• Priorities in a state government environment vs. available funds
  • PII
  • Access controls
  • Security awareness training (low cost)
• Location/personnel security
  • Previous location with security doors and armed security personnel
  • Move to current location – culture shock
  • Changes made to harden security
OSFA’s Approach to Compliance Reviews, Continued
• Multifactor authentication (MFA) under review at the FDOE level:
  • Push by state requirements
  • Push by OSFA/National Institute of Standards and Technology (NIST) standards
• OSFA as FDOE’s MFA guinea pig – fingerprint readers
OSFA’s Security Measures
• OSFA does not want to make those kinds of headlines!
• In fact, we had the foresight to maintain our 30-year-old mainframe system, which luckily is so antiquated that hackers (well-versed in web systems) … DIDN’T IGNORE small issues
• The mainframe proved a challenge even to FSA and Blue Canopy contractors
Security Issues, Continued
• Limits use of contractors
• Requires a Level 2 background check for contractors and regular full-time equivalent employees (FTEs)
• OSFA security requirements and training
• Managers monitor contractors’ work and access requirements
Lessons Learned: Expectation vs. Reality, Continued
• Expectation of preparation for mainframe system/questions:
  • Prior to the visit, several teleconferences solidifying “rules of engagement” and an understanding of OSFA’s complex environment occurred.
  • Evidence was not requested during the visit, and could not be provided outside of the data center.
Lessons Learned: Expectation vs. Reality, Continued
• The addition of a “new” Blue Canopy assessor who was not onsite for the assessment or in any of the “rules of engagement” meetings.
• Evidence requested, and satisfaction with the evidence given, became confusing and inconsistent.
Lessons Learned: Expectation vs. Reality, Continued
• Expectation that results at the visit’s conclusion would be similar to the preliminary findings report
• Overall, a good visit and review of our specific situation
• FSA/Blue Canopy’s 3+ day on-site visit to OSFA went smoothly, as the assessment team proved quite flexible
• Generally the assessment team would meet with the OSFA security team first thing in the morning and set up the day’s agenda, coordinating which security control groups they wished to discuss that morning and afternoon with the appropriate personnel needed for interviews, and arranging each session to fit personnel work schedules
Lessons Learned: Expectation vs. Reality, Continued
• The assessment team needs very little support to do their job: a room, a table, and some light, and they were off and running.
• The physical security at both our business center and our off-site data center was assessed.
• OSFA and NWRDC received great feedback during our exit meeting and review; however, as previously mentioned, this proved a bit premature, as more evidence, scans, etc. were requested after Blue Canopy finished their onsite assessment and “critical findings” threatened.
• The preliminary findings report was most helpful compared to the self-assessment for identifying specific issues; however, most issues were predetermined by scanning that we provided to FSA.
Lessons Learned: Recommendations
• Better preparation to avoid last-minute collection of evidence leading to critical findings, security issues, or confusing evidence
• The assessment team needs to allow additional time for the review of artifacts and evidence collected
• Additional time is required for the team to understand the environment, to allow for more specific questions and collection of evidence
• Avoid collecting ERL the week prior to the onsite visit
Lessons Learned: Recommendations
• Keep vulnerability scans in sync with patches
• Your phone, copier, fax and printer may be vulnerable
• For units where desktop services are separate from applications (FFELP), force cohesion
• Realize that some computers and phone systems may be more integrated than you may realize
Contact Information Levis Hughes Chief Executive Office of Student Financial Assistance Florida Department of Education 325 W. Gaines Street Tallahassee, FL 32399 Email: Levis.Hughes@fldoe.org Phone: 850-410-6810