Cybersecurity in Ohio
David A. Brown
Chief Information Security Officer
State of Ohio
Threats Against Government
• Denial of Service
• Spear Phishing
• SQL Injection
• Web Defacements
• Malware (Keyloggers, Trojans, etc.)
• Theft of Devices
• Hacktivist Activity
Examples of the Threat
• February 2012 – Missouri’s Official Web Site Defacement
• April 2012 – Utah Department of Health – Medicaid System Hack
• October 2012 – South Carolina Department of Revenue Data Breach
• October 2012 – City of Burlington, Washington System Attack
• December 2012 – South Carolina Department of Employment & Workforce Web Defacement
• January 2013 – Florida Dept. of Juvenile Justice Device Theft
State of Ohio Security Program
• Approximately 100 agencies, boards, and commissions under program
• Decentralized environment
• Chief Information Security Officer responsibilities under ORC 125.18:
  • Coordinate the implementation of security policies and procedures in state agencies
  • Assist each agency with the development of a security strategic plan
State of Ohio Security Program
• April 2011 – State sets IT Standard ITS-SEC-02
  • Establishes NIST 800-53 as state security framework
  • Creates enterprise security controls that align with Consensus Audit Guidelines (SANS Top 20 Critical Controls)
  • Agencies to be compliant with CAG by October 2012
• Fall 2012 – Agencies required to submit strategic security plan to Office of Information Security & Privacy
  • Leveraged CAG self-assessment in US Homeland Security CSET tool
State of Ohio Security Program
SANS Top 20 Critical Controls (Consensus Audit Guidelines)
• Hardware Inventory
• Software Inventory
• Secure Configuration of Systems
• Secure Configuration of Network Devices
• Boundary Defense
• Security Audit Logs
• Application Software Security
• Controlled Use of Administrative Privileges
• Controlled Access/Need to Know
• Vulnerability Management
• Account Monitoring & Control
• Malware Defense
• Limiting Ports, Protocols, Services
• Wireless Device Control
• Data Loss Prevention
• Secure Network Engineering
• Penetration Testing
• Incident Response Capability
• Data Recovery Capability
• Security Training
State of Ohio Security Program
• Ohio is one of a few states that have adopted the SANS Top 20 Critical Controls
• The Consortium for Cybersecurity Action was established in 2012
  • Ensures that updated versions of the controls reflect the most relevant threat information
  • Shares lessons learned from organizations that have implemented them
• Ohio participates in this consortium
• CISOs for Ohio and Colorado co-chair a state/local government workgroup for the Consortium
• US State Department saw a 94% reduction in measured security risk by implementing these controls
State of Ohio Security Program
Security Services Provided by OISP Today:
• Risk Assessments
• Security Assessments
• Security Architecture
• Security Consulting
• IT Security Policies/Standards
• Incident Response
• Vulnerability Assessments
• Penetration Testing (limited)
• Enterprise SIEM
• Security Awareness & Training
• Cyber Intelligence and Threat Management
State of Ohio Security Program
• Industrial Control Systems Assessments
  • Began these assessments in February 2012
  • Partnered with US Homeland Security to conduct two pilot assessments
  • Each assessment was completed within one day
  • No cost to the State of Ohio
State of Ohio Security Program
• Securing the Human
  • Began offering this training in 2011
  • Online training produced by SANS Institute
  • 36 different modules of training
  • Updated twice a year based on current threats
  • Approximately 50,000 state employees will be trained this year
  • Excellent reviews by our users
State of Ohio Security Program
• Enterprise SIEM
  • Began offering this service in 2012
  • Collect security logs from systems
  • 5 agencies participating today
  • Extending to all cabinet agencies
  • Over 100 million event logs analyzed per day
  • Both agencies and OISP monitor the system
Challenges Facing Government
• Funding for security
• Cybersecurity authority and governance
• Attractive targets for cybercriminals and hacktivists
• Lack of skilled staff
• Sophistication of attacks
What Can You Do?
• Assess and communicate security risks
• Consider shared security services
• Encourage user education in security awareness
• Explore alternative funding for cybersecurity
• Use the no-cost assessments provided by DHS
• Encourage IT personnel to use the DHS CSET Tool to do assessments and develop a plan of action
• Become a member of the MS-ISAC
• Leverage free cybersecurity training provided by various sources
• Develop an incident response plan
• Develop a disaster recovery plan
Cybersecurity Council
• The Cybersecurity, Education, and Economic Development Council was created under ORC 121.92 in 2012.
• Consists of 12 members appointed by the Governor, Speaker of the House, and President of the Senate.
• Council is to conduct a study and make recommendations regarding:
  • Improving the infrastructure of the state’s cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education.
  • Specific actions that would accelerate growth of the cybersecurity industry in the state.
Contact Information
David A. Brown
State Chief Information Security Officer
Ohio Department of Administrative Services
30 E. Broad Street FL 40
Columbus, OH 43215
Office: (614) 644-9391