TXDGS14 State of the State of Security presentation - Edward Block

Date post: 14-Oct-2015
Upload: erepublic
Description:
GovTech Texas DGS 2014 presentation: State of the State of Security, by Edward Block

Transcript
  • State Cyber Threat Landscape

  • States have comprehensive information about citizens

    Organized cyber criminals have targeted government and higher education agencies for the past few years.

    Data loss from government impacts citizen trust and has the potential to impact state business by affecting citizen services, revenue collections, or unplanned spending.

    There have been high-profile cyber attacks from loose-knit, politically motivated groups operating globally.

    These groups are distinct from more well-established cyber criminal organizations in both organizational structure (ad hoc vs. top-down) and motivation (hacktivism vs. monetary gain).

    State Governments Are a Target

  • Texas has a population of 26+ million

    Texas agencies spread across over 3 million IP addresses

    Attacks mirror the larger Internet

    Since January of 2009: 34 incidents of lost data

    Range from network breach to lost/stolen laptops

    Texas is not immune

  • The Changing Face of External Breaches

    Emerging cybercrime and state-sponsored threats will require a strong response from states.

    In terms of external security breaches, which of the following apply to your state?

    Texas

    Overall infections are lower, but vectors have expanded

    Web vulnerabilities are still a significant vector for attack

    Similar attacks year-over-year

    A distinct issue for a State with thousands of field workers

    No significant activity from state-sponsored attackers

    The OCISO does not track financial fraud

  • Top Five Barriers faced in addressing Cybersecurity

    Insufficient resources against growing sophistication of threats and emerging technologies make the need to raise stakeholder awareness to gain their support and funding the more critical.

  • Identified Trends in Texas

    Internal network segmentation

    Consistent event monitoring and analysis

    Standards in security governance / awareness

    IT staffing challenges

    Security in software development

    Data classification

    Identity and access management standardization

  • Increased Focus on Security

    81st Session: 0 Bills Introduced

    82nd Session: 1 Bill Introduced, 1 Bill Enrolled

    83rd Session: 5 Bills Introduced, 4 Bills Enrolled

    Multiple groups established to identify and address security issues

    Texas Cybersecurity, Education, and Economic Development Council

    Statewide Information Security Advisory Committee

    Information Security Working Group

    State Security Operations Group

    Cyber Texas

  • Texas Legislative Action

    SB1101 & SB1102

    Establishes a statewide coordinator within DIR to develop strategies for and implement solutions related to cybersecurity education and economic development

    Extends the council created in the 82nd Legislative Session to provide recommendations.

    SB 1134

    Creates clarity in the role DIR performs, such as developing strategies and a framework for protecting critical infrastructure, maintaining a clearinghouse for the state's cybersecurity matters, providing training to state personnel, and promoting public awareness of cybersecurity issues.

    SB1597

    Requires agencies to submit a security plan to DIR

  • Frameworks and Standards

    HTTP://XKCD.COM/927/

  • Texas Statewide Security Program Overview

    Security Services

    Texas Cybersecurity Framework

    Plan & Strategy

    Education & Awareness

    Direct Elected Services

    Cooperative Contract Procurement Offerings

    Managed Services

    TAC 202

    Agency Security Plan Template

    Control Catalog

    Operations

    Vendor Services Alignment

    Identify, Protect, Detect, Respond, Recover

    Risk Management

    Security Officer Training

    Agency Personnel Awareness

    Public Awareness

  • Agency Security Plan Template

    40 security objectives defined

    Aligned to Framework for Improving Critical Infrastructure Cybersecurity released by NIST on February 12

    Agencies are guided to specify the controls they have in place for each security objective

  • Framework Components

    Agency Security Plan Template

    Delivered in January / Responses Due in October

    Vendor Product / Service Template

    Delivered in March

    Texas Administrative Code Ch. 202

    Target February 2015

    Guidelines and Whitepapers

    Developed as Necessary

    Risk Management within the Framework

    In development within SISAC Risk Assessment Subcommittee

  • Security Hierarchy of Needs

    Rick Holland, Principal Analyst, Forrester, @rickhholland

    Must do the fundamentals well or you'll never be able to address the top level threats.

  • Contact

    Edward Block

    [email protected]

    512.463.8807

