Unclassified // For Unlimited Distribution
Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities
16 Oct 2012

Bradford Willke, Cyber Security Advisor, Mid-Atlantic Region
National Cyber Security Division (NCSD)
Office of Cybersecurity and Communications (CS&C)
U.S. Department of Homeland Security (DHS)
Growth of Cyber Threats

[Figure: timeline of attack techniques from 1980 to 2012, plotted against sophistication (low to high). In the order shown: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; burglaries; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; network management diagnostics; GUI; automated probes/scans; staging; www attacks; "stealth"/advanced scanning techniques; distributed attack tools; cross site scripting / phishing; denial of service; sophisticated C2; convergence; Estonia DoS; Russia invades Georgia; Stuxnet; DNS exploits. Two trend lines: the sophistication required of actors is declining while the sophistication of available tools is growing.]
Cyber Partnership Examples
• AMSC Cyber Sub-Committee (Pittsburgh)
• MS-ISAC (Multi-State Information Sharing and Analysis Center)
• Ohio Statewide Cyber Security Strategy
• VALGITE (Virginia Local Government IT Executives)
• VOICCE (Virginia's Operational Integration Cyber Center of Excellence)
Area Maritime Security Committee: Cyber Sub-Committee
DHS, USCG, CIKR, and Business Partnership
Committee Premises:
• Incident response and continuity of operations still need work
• Partners need credible planning templates and testable scenarios
• ASME database for cyber responders is useful and needed
• Organizations need a "411" system for information on where to voluntarily report cyber incidents, request technical assistance, request non-technical incident handling, and request law enforcement responses
• Organizations would benefit from a local emergency management, "911-like," function that mobilizes regional and local cyber responses and creates a regional common operating picture
MS-ISAC Overview
State, Local, Territorial, and Tribal Partnership
Operated by NY-based Center for Internet Security
Operational Services:
• Incident coordination, handling, and response
• "Albert" services for threat monitoring, detection, and prevention
• Fee-for-service model for vulnerability and penetration ("PEN") testing
• Low cost ($0.75/student) for annual cyber security awareness & training
• FREE post-incident vulnerability and mitigation service
• Broad assistance with state and local incidents, much beyond cyber
Ohio Statewide Cyber Strategy
Developed in 2011; adopted in 2012
Led by Ohio Homeland Security Advisory Council – Cyber Working Group
• Direct ties to Ohio Strategic Analysis and Information Center (SAIC)
• Co-chaired by Ohio Chief Information Security Officer and Ohio Office of Homeland Security
Organizes both internal, state-focused and external, partner-focused (i.e., academia, private sector, public sector) activities
Creates a twelve-month, renewable action plan, with five initiatives:
• Initiative 1: Share cyber security threat information across the homeland security enterprise
• Initiative 2: Create a cyber security culture in state and local government
• Initiative 3: Partner with the public and private sectors to support their cyber security efforts
• Initiative 4: Identify cyber resources (human and equipment) to leverage for creating cyber incident response teams
• Initiative 5: Raise cyber security awareness across Ohio
NCSR Methodology
The Nationwide Cyber Security Review (NCSR) methodology leveraged an existing cyber security controls framework developed by the MS-ISAC
• The 2011 NCSR utilized a Control Maturity Model (CMM) to measure how effective the State and Local governments' risk management programs are at deploying a given cyber security control based on risk management processes
• This methodology uses key milestones and benchmarks for measuring the effectiveness of security control placement based on risk management processes
NCSR Maturity Model

Maturity Level: Control Maturity Level Description

Ad-Hoc: Activities for this control are one or more of the following:
‐ Not performed
‐ Performed but undocumented/unstructured
‐ Performed and documented, but not approved by management

Documented Policy: The control is documented in a policy that has been approved by management and is communicated to all relevant parties.

Documented Standards/Procedures: The control meets the requirements for Documented Policy and satisfies all of the following:
‐ A full suite of documented standards and procedures that help guide implementation and management of the enterprise-wide policy
‐ Communicated to all relevant parties

Risk Measured: The control meets the requirements for Documented Standards/Procedures and satisfies all of the following:
‐ Control is at least partially assessed to determine risk
‐ Management is aware of the risks

Risk Treated: The control meets the requirements for Risk Measured and satisfies all of the following:
‐ A risk assessment has been conducted
‐ Management makes formal risk-based decisions based on the results of the risk assessment to determine the need for the control
‐ The control is deployed in those areas where justified by risk, but is not deployed where not justified by risk

Risk Validated: The control meets the requirements for Risk Treated and satisfies all of the following:
‐ If the control is deployed (in those areas where justified by risk), the effectiveness of the control has been externally audited/tested to validate that the control operates as intended
‐ If the control is not deployed (in those areas where not justified by risk), management's decision to not implement the control was determined to be sound
Methodology: Assessed Control Areas
The 2011 NCSR examined 12 cyber security control areas:
• Security Program
• Risk Management
• Physical Access Controls
• Logical Access Controls
• Security Within Technology Lifecycles
• Information Disposition
• Malicious Code
• Monitoring and Audit Trails
• Incident Management
• Business Continuity
• Security Testing
• Personnel and Contracts
Individual Report
Every respondent received a report immediately after they completed the review. The Individual Report included:
• Details on the reporting methodology;
• A full list of the questions asked;
• How the respondent answered each question; and
• High-level options for consideration based on answers.
The Individual Report was protected as PCII (Protected Critical Infrastructure Information) and was only disseminated via the secure US-CERT Portal.
Summary Report
The NCSR Summary Report was released to respondents on March 16, 2012. The Summary Report highlighted key findings from the 2011 Review, including identifiable gaps and recommendations on how State and Local governments can increase their risk awareness. The Summary Report is not attributable to specific respondents or organizations. It allows respondents to compare their answers against the national averages and determine their individual strengths and weaknesses.
Results: Security Control Areas

Rank | Process Area | Ad-Hoc | Documented Policy / Documented Standards and Procedures | Risk Measured / Risk Validated
1 | Malicious Code | 12% | 36% | 52%
2 | Physical Access Control | 16% | 39% | 46%
3 | Logical Access Control | 18% | 40% | 42%
4 | Security Testing | 42% | 22% | 36%
5 | Incident Management | 32% | 38% | 31%
6 | Business Continuity | 33% | 36% | 31%
7 | Personnel and Contracts | 29% | 41% | 30%
8 | Security Program | 30% | 40% | 30%
9 | Information Disposition | 27% | 44% | 29%
10 | Security within Technology Lifecycle | 36% | 35% | 29%
11 | Risk Management | 45% | 26% | 29%
12 | Monitoring and Audit Trails | 46% | 27% | 28%

Areas are ranked by the share of respondents at Risk Measured or above; rows may not sum to exactly 100% due to rounding. These results are based on the 162 responses (of 206 registered respondents).
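The maturity ladder is cumulative: a control only reaches Risk Measured if every criterion of Documented Policy and Documented Standards/Procedures is also met, and the results table then collapses the six levels into three buckets. The following is an added illustration of that scoring rule in Python; it is not NCSR or MS-ISAC tooling. The level names and criteria follow the model described above, while the criterion keys, the bucket labels and the sample responses are this example's own constructions.

```python
"""Score control maturity against a cumulative NCSR-style ladder.

Added example, not part of the 2011 NCSR or MS-ISAC tooling. Level names
and criteria follow the maturity model on this page; criterion keys,
bucket labels and sample responses are assumptions made for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Ordered ladder: each level requires every criterion of the levels below
# it plus its own. Anything that fails the first rung is Ad-Hoc.
MATURITY_LADDER: List[Tuple[str, frozenset]] = [
    ("Documented Policy", frozenset({
        "performed", "documented", "policy_approved", "policy_communicated"})),
    ("Documented Standards/Procedures", frozenset({
        "standards_procedures_documented", "standards_communicated"})),
    ("Risk Measured", frozenset({
        "risk_partially_assessed", "management_aware_of_risk"})),
    ("Risk Treated", frozenset({
        "risk_assessment_conducted", "formal_risk_decision",
        "deployed_where_justified"})),
    # Simplification: the model also accepts a validated decision not to
    # deploy; this example folds both cases into one criterion.
    ("Risk Validated", frozenset({"externally_validated"})),
]

# The results table collapses six levels into three buckets.
BUCKET_OF_LEVEL = {
    "Ad-Hoc": "Ad-Hoc",
    "Documented Policy": "Documented Policy - Standards/Procedures",
    "Documented Standards/Procedures": "Documented Policy - Standards/Procedures",
    "Risk Measured": "Risk Measured - Risk Validated",
    "Risk Treated": "Risk Measured - Risk Validated",
    "Risk Validated": "Risk Measured - Risk Validated",
}
BUCKETS = ("Ad-Hoc", "Documented Policy - Standards/Procedures",
           "Risk Measured - Risk Validated")


def maturity_level(criteria_met: Iterable[str]) -> str:
    """Return the highest level whose cumulative criteria are all met.

    A control that was risk-assessed but whose policy management never
    approved stays Ad-Hoc: this is the "performed and documented, but not
    approved by management" case, and it is why answers cannot simply be
    scored by the highest box ticked.
    """
    met = set(criteria_met)
    level = "Ad-Hoc"
    required: set = set()
    for name, extra in MATURITY_LADDER:
        required |= extra
        if not required <= met:
            break
        level = name
    return level


def bucket_percentages(control: str,
                       responses: List[Dict[str, Iterable[str]]]) -> Dict[str, int]:
    """Rounded percentage of respondents per bucket for one control area."""
    counts = Counter(BUCKET_OF_LEVEL[maturity_level(r[control])] for r in responses)
    total = sum(counts.values())
    return {b: round(100 * counts[b] / total) for b in BUCKETS}


# Constructed sample: four fictitious respondents' answers for one control.
SAMPLE_RESPONSES: List[Dict[str, Iterable[str]]] = [
    # Documented but never approved -> Ad-Hoc
    {"Malicious Code": {"performed", "documented"}},
    # Approved, communicated policy -> Documented Policy
    {"Malicious Code": {"performed", "documented", "policy_approved",
                        "policy_communicated"}},
    # Claims full risk treatment but has no standards/procedures; the
    # cumulative rule caps this at Documented Policy
    {"Malicious Code": {"performed", "documented", "policy_approved",
                        "policy_communicated", "risk_assessment_conducted",
                        "formal_risk_decision", "deployed_where_justified",
                        "externally_validated"}},
    # Policy, standards and a partial risk assessment -> Risk Measured
    {"Malicious Code": {"performed", "documented", "policy_approved",
                        "policy_communicated", "standards_procedures_documented",
                        "standards_communicated", "risk_partially_assessed",
                        "management_aware_of_risk"}},
]

if __name__ == "__main__":
    for r in SAMPLE_RESPONSES:
        print(maturity_level(r["Malicious Code"]))
    print(bucket_percentages("Malicious Code", SAMPLE_RESPONSES))
```

The third sample is the case worth checking in any self-assessment: it ticks the top-level boxes yet lands in the middle bucket, because the ladder does not let a respondent skip rungs.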
Key Findings: Capabilities and Gaps
Strengths:
• 52% have implemented and/or validated protective measures for the detection and removal of malicious code
• 81% of all respondents have adopted cyber security control frameworks and/or security methodologies
• 42% have implemented and/or validated logical access controls (e.g., termination/transfer procedures, ACLs, remote access)
Weaknesses:
• 42% of respondents stated they do not have an independent testing and/or audit program established
• 45% of respondents stated they have not implemented a formal risk management program (e.g., risk assessments, security categorization)
• 46% of respondents stated they have not implemented Monitoring and Audit Trails, which are important to determine if an incident is occurring or has occurred
• 31% of all respondents have never performed a contingency exercise
• 67% of all respondents stated it has been at least two years since they updated their Information Security Plan
• 66% of all respondents stated it has been at least two years since they updated their Disaster Recovery Plans
2011 Nationwide Cyber Security Review - Registered Respondents

Range | Frequency
0 | 1
1 | 14
2-3 | 16
4-9 | 16
10-20 | 6

Respondents, total: 206
Key Resilience Domains
• AM – Asset Management: identify, document, and manage assets during their lifecycle
• IM – Incident Management: identify and analyze IT events, detect cyber security incidents, and determine an organizational response
• CCM – Configuration and Change Management: ensure the integrity of IT systems and networks
• SCM – Service Continuity Management: ensure the continuity of essential IT operations if a disruption occurs
• RISK – Risk Management: identify, analyze, and mitigate risks to critical service and IT assets
• EXD – External Dependencies Management: establish processes to manage an appropriate level of IT, security, contractual, and organizational controls that are dependent on the actions of external entities
• CNTL – Controls Management: identify, analyze, and manage IT and security controls
• TRNG – Training and Awareness: promote awareness and develop skills and knowledge of people
• VM – Vulnerability Management: identify, analyze, and manage vulnerabilities
• SA – Situational Awareness: actively discover and analyze information related to immediate operational stability and security
Maturity Not Just Capability
A MIL (Maturity Indicator Level) measures process institutionalization, and describes attributes indicative of mature capabilities.

MIL Level 5 – Defined: All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); measured (MIL-4); and consistent across all internal constituencies who have a vested interest. Processes/practices are defined by the organization and tailored by organizational units for their use, and supported by improvement information shared amongst organizational units.

MIL Level 4 – Measured: All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); and periodically evaluated for effectiveness, monitored and controlled, evaluated against their practice description and plan, and reviewed with higher-level management.

MIL Level 3 – Managed: All practices are performed (MIL-1); planned (MIL-2); and governed by the organization, appropriately staffed/funded, assigned to staff who are responsible/accountable and adequately trained, produce expected work products, are placed under appropriate configuration control, and are managed for risk.

MIL Level 2 – Planned: All practices are performed (MIL-1); and established, planned, and supported by stakeholders, standards, and guidelines.

MIL Level 1 – Performed: All practices are performed, and there is sufficient and substantial support for the existence of the practices.

MIL Level 0 – Incomplete: Practices are not being performed, or are incompletely performed.
Department of Homeland Security
National Protection and Programs Directorate
Cyber Security and Communications
Contact Information
Bradford Willke, [email protected]