Cyber Security for Local Gov SAMFOG

Date post: 09-Feb-2017
Upload: donald-e-hester
Transcript
Page 1: Cyber Security for Local Gov SAMFOG

©2016 Maze & Associates

Cyber-security for Local Governments

SAMFOG

Page 2: Cyber Security for Local Gov SAMFOG


Page 3: Cyber Security for Local Gov SAMFOG

Presenter: Donald E. Hester, CISA, CRISC, CAP, CISSP
IS Audit, [email protected]

Blog: www.LearnSecurity.org
Facebook: facebook.com/LearnSec

Page 4: Cyber Security for Local Gov SAMFOG

The Problem

Albert Gonzalez, 28

With accomplices, he was involved in most of the major data breaches of the period: Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ's Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Buster's, Boston Market, Forever 21, DSW and others.

The public trusts that we will keep their information safe from crooks like these.

Page 5: Cyber Security for Local Gov SAMFOG

Who is behind data breaches?
• 70% from external agents
• 48% caused by insiders
• 11% implicated business partners
• 27% involved multiple parties
(The categories overlap, so the percentages do not sum to 100%.)

Page 6: Cyber Security for Local Gov SAMFOG

Data Loss Trends

Number of incidents per year.

Page 7: Cyber Security for Local Gov SAMFOG


What do you think the trend has been since 2010?

Page 8: Cyber Security for Local Gov SAMFOG

Data Loss Trends

Page 9: Cyber Security for Local Gov SAMFOG


Page 10: Cyber Security for Local Gov SAMFOG


Page 11: Cyber Security for Local Gov SAMFOG


Page 12: Cyber Security for Local Gov SAMFOG

Incidents by organization type. Where do you think local government rates?

Page 13: Cyber Security for Local Gov SAMFOG


Page 14: Cyber Security for Local Gov SAMFOG


What state has the most data breaches?

Page 15: Cyber Security for Local Gov SAMFOG

California

Page 16: Cyber Security for Local Gov SAMFOG

Top Concerns
1. Securing the IT environment
2. Managing and retaining data
3. Managing IT risk and compliance
4. Ensuring privacy
5. Enabling decision support and analytics
6. Managing system implementations
7. Preventing and responding to computer fraud
8. Governing and managing IT investment/spending
9. Leveraging emerging technologies
10. Managing vendors and service providers

Source: AICPA 2013 Top Technology Initiatives, http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TopTechnologyInitiatives/Pages/2013TTI.aspx

(On the slide, the items shown in orange are PCI related.)

Page 17: Cyber Security for Local Gov SAMFOG


IT Control Environment

Page 18: Cyber Security for Local Gov SAMFOG

IT Governance

Determine Objectives → Assess Risk → Apply Controls → Assess Controls → Monitor

Page 19: Cyber Security for Local Gov SAMFOG


Page 20: Cyber Security for Local Gov SAMFOG

Risk Assessment Activities
• The identification of objectives relevant to the reduction of errors, policy violations, fraud, or noncompliance.
• Monitor and respond to increases in risk.
• The Information Technology (IT) department should periodically identify and communicate risks for which employees should be particularly vigilant.
• Changes in software should be subject to extensive evaluation and testing in order to identify and manage the risks associated with their use.

Source: Internal Control Guidelines for California Local Agencies, 2015, California State Controller's Office (SCO)

Page 21: Cyber Security for Local Gov SAMFOG


Apply Controls “Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels.”

Source: AICPA’s Auditing Standard AU-C §315.A91

Page 22: Cyber Security for Local Gov SAMFOG

IT Control Standards

Although there is no required IT standard for local governments, the National Institute of Standards and Technology (NIST) encourages state, local and tribal governments to consider the use of NIST guidelines, as appropriate.

By adopting NIST standards the local government demonstrates due diligence in designing and implementing appropriate controls around its information systems.

Page 23: Cyber Security for Local Gov SAMFOG

Recommendation

National Institute of Standards and Technology (NIST) SP 800-53 rev. 4, using the moderate-impact baseline (moderate risk system as categorized under NIST SP 800-60), applied through the Risk Management Framework (RMF).

Page 24: Cyber Security for Local Gov SAMFOG


Does outsourcing our financial application eliminate the risks in the IT Control Environment?

Page 25: Cyber Security for Local Gov SAMFOG

What is Cloud Computing?
The "Cloud": buzz word, overused cliché, ill defined, many different definitions, marketing term, all hype, the "unknown path", service provider, "____-as-a-service", nebulous.

Page 26: Cyber Security for Local Gov SAMFOG

Definition

"…[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions." (NIST & Cloud Security Alliance)

A utility model of technology delivery.

Page 27: Cyber Security for Local Gov SAMFOG

Cloud Definitions

Cloud Service Provider (CSP): entity that offers one or more cloud services in one or more deployment models.

Cloud Service Offering (CSO): the actual IaaS/PaaS/SaaS solution available from a CSP; a CSP may provide several different CSOs.

Page 28: Cyber Security for Local Gov SAMFOG


Reasons

Efficiency

Agility

Innovation

Page 29: Cyber Security for Local Gov SAMFOG

Cloud Provider Benefits (NIST SP 800-144)
• They will have specialized staff
• The platform will typically be more uniform
• They have the ability to scale and add redundancy
• Better backup and recovery
• May support a greater number of mobile devices
• Data may be centralized and not on laptops

Page 30: Cyber Security for Local Gov SAMFOG

Cloud Risks
• Where's My Data?
• The Bad Divorce
• Trust but Verify
• "I thought you knew"
• I didn't think of that
• Clarify
• Consider
• Expectations: Put it in Writing
• Compatibility

Page 31: Cyber Security for Local Gov SAMFOG

Where's My Data?
In the information age your key asset is information. Some information requires protection (credit card data, student records, SSNs, etc.).
Your information could be anywhere in the world.
You may lose access to your data (availability):
• ISP failure
• Service provider failure
• Failure to pay (service provider stops access)

Page 32: Cyber Security for Local Gov SAMFOG

The Bad Divorce ("Vendor Lock-in")
All relationships come to an end:
• They let you down, had a breach, missed SLA performance, etc.
• The company fails or gets sold
• Introductory pricing, or the price goes up over time
• Transition to a new vendor, or in-source
How will you get your data back?
Lack of portability between PaaS clouds: for example, something built for Google won't work for SharePoint or Amazon.
Get a prenup: get it in the contract up front.

Page 33: Cyber Security for Local Gov SAMFOG

Trust but Verify (Assurance)
How do you know they are protecting your data?
• Not everyone is treated the same by service providers
• Disclosure concerning security posture
• Third-party independent verification (audit/assessment):
  SAS 70 / SSAE 16 (SAS 70 was superseded by SSAE 16, the SOC 1 report, in 2011; a SOC 1 covers controls relevant to financial reporting, so when the question is security, availability or confidentiality, ask for a SOC 2 Type II report instead)
  SysTrust / WebTrust
  ISO 27001 certification
  Audit / assessment
  MOU/MOA & ISA

Page 34: Cyber Security for Local Gov SAMFOG

"I thought you knew"
Cloud systems are typically more complex; this may create a larger attack surface.
Breach Notification: when do you want to know about a breach of data that you are legally obligated to protect?
• Typical contracts give wide latitude to service providers
• Actual versus possible breach
• Timeliness of notification

Page 35: Cyber Security for Local Gov SAMFOG

I didn't think of that
Dependencies:
• Infrastructure (Internet)
• Authentication management (SSO)
• Operational budget
• Greater dependency on third parties
Other considerations:
• Complex legal issues
• Multi-tenancy
• Transborder data flow
• Jurisdiction and regulation
• Support for forensics

Page 36: Cyber Security for Local Gov SAMFOG

Clarify
• What do they mean by "Cloud"?
• Establish clear responsibilities and accountability
• Your expectations
• Cost of compensating controls
• What will happen with billing disputes?
• Will your data be in a multi-tenant environment?
• What controls will you have?

Page 37: Cyber Security for Local Gov SAMFOG

Consider
The reputation of the service provider:
• Track record of issues
• Large or small: likelihood of change
• Vendor supply chain management issues
The reliability of the service or technology:
• Is the technology time tested?
• Competency of the cloud provider
• Typically you have no control over upgrades and changes
• Training for staff

Page 38: Cyber Security for Local Gov SAMFOG

Compatibility
• When will they upgrade their service?
• Will they be ready when you are ready for an upgrade of dependent software?
• Will you be ready when they are ready to upgrade?
Browser-based risks and risk remediation: what software will be required on the client side?
• Java
• Flash
• ActiveX
• Silverlight
• HTML 5
(The first four are browser plug-ins that browser vendors have since retired; a service that still requires one of them is itself a risk to weigh.)

Page 39: Cyber Security for Local Gov SAMFOG

New Attack Vectors
• Hypervisor complexity
• Data leakage (multi-tenant environment)
• Man in the middle
• Browser vulnerabilities
• Mobile device vulnerabilities

Page 40: Cyber Security for Local Gov SAMFOG

Service Agreements
Service Level Agreement (SLA):
• Some are predefined and non-negotiable
• Some are negotiable (typically cost more)
Terms of Service may cover:
• Privacy
• Breach notification
• Licensing
• Acceptable use (what you can and can't do)
• Limitations on liability (typically in favor of the service provider)
• Modifications of the terms of service (do you want this?)
• Data ownership

Page 41: Cyber Security for Local Gov SAMFOG

Traditional Risks No Matter Where You Go
• Insider threat: instead of your staff, it is their staff
• Access control: how can you control and monitor?
• Authentication: another logon, or SSO?
• Data sanitization: is your data really deleted?
• Others?

Page 42: Cyber Security for Local Gov SAMFOG

Cloud Provider Controls

Page 43: Cyber Security for Local Gov SAMFOG

What to do?
• Careful planning before engagement
• Understand the technical aspects of the solution
• Make sure it will meet your needs (security and privacy)
• Maintain accountability
• Define data location restrictions
• Ensure laws and regulations are met
• Make sure they can support electronic discovery and forensics
• Follow NIST and Cloud Security Alliance guidance

Page 44: Cyber Security for Local Gov SAMFOG

Resources
• Cloud Security Alliance, cloudsecurityalliance.org
• NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing
• NIST SP 800-145, The NIST Definition of Cloud Computing
• NIST SP 800-146, Cloud Computing Synopsis and Recommendations
• Federal Cloud Computing Strategy, February 2011, CIO.gov
• DoD Cloud Computing Security Requirements Guide (CC SRG)
• ISACA: Cloud Computing Management Audit/Assurance Program, 2010