Cybersecurity in Ohio
David A. Brown
Chief Information Security Officer
State of Ohio
Threats Against Government
• Denial of Service
• Spear Phishing
• SQL Injection
• Web Defacements
• Malware (Keyloggers, Trojans, etc.)
• Theft of Devices
• Hacktivist Activity
Examples of the Threat
• February 2012 – Missouri’s Official Web Site Defacement
• April 2012 – Utah Department of Health – Medicaid System Hack
• October 2012 – South Carolina Department of Revenue Data Breach
• October 2012 – City of Burlington, Washington System Attack
• December 2012 – South Carolina Department of Employment & Workforce Web Defacement
• January 2013 – Florida Dept. of Juvenile Justice Device Theft
State of Ohio Security Program
• Approximately 100 agencies, boards, and commissions under program
• Decentralized environment
• Chief Information Security Officer responsibilities under ORC 125.18:
  • Coordinate the implementation of security policies and procedures in state agencies
  • Assist each agency with the development of a security strategic plan
State of Ohio Security Program
• April 2011 – State sets IT Standard ITS-SEC-02
  • Establishes NIST 800-53 as state security framework
  • Creates enterprise security controls that align with Consensus Audit Guidelines (SANS Top 20 Critical Controls)
  • Agencies to be compliant with CAG by October 2012
• Fall 2012 – Agencies required to submit strategic security plan to Office of Information Security & Privacy
  • Leveraged CAG self-assessment in US Homeland Security CSET tool
State of Ohio Security Program
SANS Top 20 Critical Controls (Consensus Audit Guidelines)
• Hardware Inventory
• Software Inventory
• Secure Configuration of Systems
• Secure Configuration of Network Devices
• Boundary Defense
• Security Audit Logs
• Application Software Security
• Controlled Use of Administrative Privileges
• Controlled Access/Need to Know
• Vulnerability Management
• Account Monitoring & Control
• Malware Defense
• Limiting Ports, Protocols, Services
• Wireless Device Control
• Data Loss Prevention
• Secure Network Engineering
• Penetration Testing
• Incident Response Capability
• Data Recovery Capability
• Security Training
State of Ohio Security Program
• Ohio is one of a few states that have adopted the SANS Top 20 Critical Controls
• The Consortium for Cybersecurity Action was established in 2012
  • Ensures that updated versions of the controls reflect the most relevant threat information
  • Shares lessons learned from organizations that have implemented them
• Ohio participates in this consortium
• CISOs for Ohio and Colorado co-chair a state/local government workgroup for the Consortium
• US State Department saw a 94% reduction in measured security risk by implementing these controls
State of Ohio Security Program
Security Services Provided by OISP Today:
• Risk Assessments
• Security Assessments
• Security Architecture
• Security Consulting
• IT Security Policies/Standards
• Incident Response
• Vulnerability Assessments
• Penetration Testing (limited)
• Enterprise SIEM
• Security Awareness & Training
• Cyber Intelligence and Threat Management
State of Ohio Security Program
Industrial Control Systems Assessments
• Began these assessments in February 2012
• Partnered with US Homeland Security to conduct two pilot assessments
• Each assessment was completed within one day
• No cost to the State of Ohio
State of Ohio Security Program
Securing the Human
• Began offering this training in 2011
• Online training produced by SANS Institute
• 36 different modules of training
• Updated twice a year based on current threats
• Approximately 50,000 state employees will be trained this year
• Excellent reviews by our users
State of Ohio Security Program
Enterprise SIEM
• Began offering this service in 2012
• Collect security logs from systems
• 5 agencies participating today
• Extending to all cabinet agencies
• Over 100 Million event logs analyzed per day
• Both agencies and OISP monitor system
Challenges Facing Government
1. Funding for security
2. Cybersecurity authority and governance
3. Attractive targets for cybercriminals and hacktivists
4. Lack of skilled staff
5. Sophistication of attacks
What Can You Do?
1. Assess and communicate security risks
2. Consider shared security services
3. Encourage user education in security awareness
4. Explore alternative funding for cybersecurity
5. Use the no-cost assessments provided by DHS
6. Encourage IT personnel to use the DHS CSET Tool to do assessments and develop plan of action.
7. Become a member of the MS-ISAC
8. Leverage free cybersecurity training provided by various sources
9. Develop an incident response plan
10. Develop a disaster recovery plan
Cybersecurity Council
• The Cybersecurity, Education, and Economic Development Council was created under ORC 121.92 in 2012.
• Consists of 12 members appointed by Governor, Speaker of the House, and President of the Senate.
• Council is to conduct a study and make recommendations regarding:
  • Improving the infrastructure of the state’s cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education.
  • Specific actions that would accelerate growth of the cybersecurity industry in the state.
Questions?
Contact Information
David A. Brown
State Chief Information Security Officer
Ohio Department of Administrative Services
30 E. Broad Street FL 40
Columbus, OH 43215
Office: (614) 644-9391