introduction to cybersecurity best practices · hackers, attackers and individuals with malicious...
TRANSCRIPT
1
Office of the State Comptroller
Thomas P. DiNapoli
State & Local Government Accountability
Andrew A. SanFilippo
Executive Deputy Comptroller
Gerry Cochran, IT Specialist
Jennifer Van Tassel, Associate Examiner
Presentation ObjectivesImprove the cybersecurity of local governmentsand school districts by:
Reviewing information technology (IT) securityfundamentals.
Describing common cybersecurity threats and ways toreduce the risk of becoming a victim.
Raising awareness about cybersecurity best practices.
Encouraging and enabling participants to evaluate theircybersecurity polices, procedures and technologies.
Cybersecurity Background,
Security Fundamentals and
Risk Assessment
2
Cybersecurity
The body of technologies, processes, and practicesdesigned to protect computers, networks, programs,and data from attack, damage, or unauthorized access.
One of the most challenging aspects of cybersecurityis the quickly and constantly evolving nature ofsecurity risks.
Hackers, Attackers and Individualswith Malicious Intent
Regardless of what you call them – hackers, attackers orindividuals with malicious intent – there are people whomay intentionally try to access your computers and datawithout authorization.
Looking for profit, enjoyment, payback or a challenge.
Possessing expert technical skill or very little skill.
Seeking specific targets or crimes of opportunity.
Originating from inside or outside of the entity.
A Realistic AssumptionSomewhere out in cybserspace there is a hacker, attacker orindividual with malicious intent who would like to harm,steal, access, sell, and/or disrupt your computer system,website and/or electronic data.
It is no longer wise to think that nobody is interested inyour computers, network or data, because you are toosmall or don’t have anything of value to steal.
History has shown that cybercrimes sometimes affectthe most unlikely victims.
3
IT Security Fundamentals CIA Triad: An IT security model comprising three maincomponents: confidentiality, integrity and availability(CIA). Each component represents a fundamental objectiveof information security.
Defense‐in‐Depth: The implementation of multiplelayers of security.
Principle of Least Privilege: Computer users should havejust enough computer privileges to be able to do their jobs.
IT Risk Assessment IT risks arise from the potential loss of the confidentiality, integrity
and/or availability (CIA) of electronic information or IT systems.
Risks are a measure of the extent to which an entity is threatened by apotential IT security circumstance or event, and are a function of boththe adverse impacts that would arise if the circumstance or eventoccurs and the likelihood of such occurrence.
IT risk assessment is a sound starting point for determining what canthreaten the safety and security of your IT environment and thendeveloping a strategy for addressing those threats.
Most Important Cybersecurity Control You
An individual who is vigilant about cybersecurity canhave a significant, positive impact on the cybersecurityof an organization through the early identification ofpotential computer problems.
A screen looks different, a task takes unusually long oran unfamiliar message requesting an action orinformation appears.
Check with IT support personnel before clicking on anyattachment or link that is suspicious, unexpected orconfusing.
4
Cybersecurity Threat:
PHISHING
Phishing A social‐engineering method in which the attacker sendsout legitimate‐looking emails to many individuals at once,in an attempt to gather confidential information fromvictims.
Appears to come from a well‐known, trusted source.
Resembles the traditional sport of fishing, in that theattacker has a lure with bait that he hopes will entice atleast a few prey.
Spear‐Phishing A form of phishing that targets a specific individual or
organization.
Instead of trying to capture as many victims as possible, focuseson one or a few key targets (e.g., chief executive officer,treasurer).
Message appears to come from a trusted source.
Attackers often gather information about their targets (e.g.,college attended, sports interests) through Internet searches andsocial‐media sites before an attack, to help make their requestappear more authentic.
5
Why Is Phishing So Popular?
Because it is very effective! Even a small number of emailmessages have a high probability of successfullyobtaining sensitive information.
Google Study Finds Email Scams Are More Effective ThanYou'd Expect Certain websites included in phishing emailssuccessfully lured users up to 45 percent of the time.
Once on the bogus pages ‐‐ which tend to imitatelegitimate sites, in an effort to obtain people's privatedetails ‐‐ 14 percent of people unwittingly submittedtheir information to hackers.
Phishing Defense #1: Be Suspicious Be suspicious of emails that:
originate from unknown senders
include a URL (web address) that does not match that of the legitimate website
request you to provide or confirm personal or financialinformation
have poor spelling or grammar
include threats or incredible offers (both of which are intended to play on your emotions and spur you to act)
contain files that have an .exe, .zip, or .pdf extension.
Phishing Defense #2: Be Selective
Be selective about opening attachments andclicking on links.
It is best to open attachments only when youare expecting them, even if you know thesender.
6
Phishing Defense #3: Be Proactive
Have an up‐to‐date antivirus software programinstalled and enabling the feature to scanattachments with the antivirus program beforedownloading and saving them to your computer.
Refrain from sharing too much personalinformation on social media websites.
Cybersecurity Threat:
RANSOMWARE
Ransomware Scenario
Imagine the following: You are locked out of yourcomputer, your computer has been infected withmalware, or your data has been deleted or stolen andsomeone contacts you demanding that you pay a fee orfine (ransom) to regain access to your computer systemand data.
What actions should you take?
7
Ransomware
Criminals create links and websites that install malware(ransomware) on the computers of unsuspectingcomputer users and then display messages demandingpayment in exchange for restoring the computer to itsprevious functioning state.
The message may even falsely claim to originate from a lawenforcement agency and demand that you pay a “fine”(ransom) to avoid prosecution for illegal activity (e.g.,using unauthorized software, downloading illegal contentfrom the Internet) detected on your computer and regainaccess to your system or files.
Ransomware Recommendation #1: Do Not Pay The Ransom Before Contacting Cybersecurity Experts
There is no guarantee that paying a ransom will ensure theavailability of the computer system and data, protect thecomputing environment and resources, or prevent futureransom demands.
Cybersecurity experts can assist in determining the best wayto proceed and may be able to lend free technical expertisenecessary to investigate and remedy or resolve the problem.
Cybersecurity Experts
Center for Internet Security’s Multi‐State Information Sharing & AnalysisCenter
http://msisac.cisecurity.org/about/
New York State Office of Information Technology Services
http://www.its.ny.gov/incident‐reporting
Industrial Control Systems Cyber Emergency Response Team
https://ics‐cert.us‐cert.gov/About‐Industrial‐Control‐Systems‐Cyber‐Emergency‐Response‐Team
8
Ransomware Recommendation #2: Consult With Your Legal Counsel
Individuals and organizations that demand ransoms for the saferestoration of the functionality of computer systems are breaking the law.Their attempts to “extort” money should be discussed with your legalcounsel, who can assist with reporting the incident to law enforcement.
Depending on the nature of the incident, you may have notificationrequirements under the New York State Breach Notification Law. Legalcounsel can assist you in determining if the incident has triggerednotification requirements and in complying with those notifications, asnecessary.
Ransomware Recommendation #3: Consult With Your Insurance Provider
Depending on the nature of the incident and the type ofinsurance coverage your organization has, you shouldconsider contacting your insurance provider to report theincident.
Ransomware: Paying the Price
A local government or school district may ultimatelyhave to pay money to regain access to its computersystem and data, but we recommend doing so only afterobtaining technical assistance and advice from experts.
9
Reduce the Odds of Becoming a Victim
Training
Backups
Patch Management
Antivirus Protection
Administrative Privileges
Application Whitelisting
Ransomware Defense #1: Provide Employees With Cybersecurity Training Before A Problem Occurs
Training can help computer users to: understand theiremployer’s computer policies and their personalresponsibilities with respect to those policies; adopt safecomputing practices; and know how to react in the eventof a suspected problem.
The time to provide cybersecurity training is before aproblem such as a ransom demand occurs.
Ransomware Defense #2: Perform Backups In A Timely Manner And Maintain Copies Offline And Offsite
On a test basis, periodically restore backups to ensurethey will function as intended in the event of anemergency.
Good backup procedures minimize potential businessdisruptions and lessen an attacker’s leverage.
10
Ransomware Defense #3: Apply Software Patches And Updates In A Timely Manner
A “patch” is software that is used to correct a problem,such as a security vulnerability, that exists within anapplication or an operating system. Securityvulnerabilities in software can be exploited to infect acomputer with malware.
When security vulnerabilities in software are discovered,the software vendor typically issues a free patch (fix) tocorrect the problem.
Ransomware Defense #4: Install And Keep Antivirus Protection Up‐To‐Date
Antivirus software is used to prevent, detect and removecomputer viruses that can make computers andcomputer networks inoperable.
Antivirus protection should be installed and configuredto run periodic, full system scans, as well as to updatethe virus definitions daily.
Ransomware Defense #5: Control Administrative Privileges
When malware infects a computer, it is installed andoperates under the permissions of the current user – theperson who opened the email attachment or visited theinfected website.
Ensuring that general‐purpose users are not givenadministrative‐level privileges will help to reduce theimpact of a malware infection by limiting its capabilitieson the infected computer.
11
Ransomware Defense #6: Implement Application Whitelisting
An application whitelist is a list of applications that an entitydecides are authorized to be present or active on its computersystem.
The goal of the technology used to enforce an applicationwhitelist is to stop the execution of unauthorized softwareincluding malware.
Application whitelisting is more practical to implement incomputer environments that are centrally‐managed andwhere the entity has sufficient, knowledgeable personnel todevote to implementing and maintaining the control.
Ransomware: Detective Capability of Logs
An audit log is a computer‐generated series of recordsabout computer events pertaining to operating systems,applications and computer‐user activities. A computersystem often has several types of audit logs, eachdevoted to a specific type of activity.
Enabling and reviewing logs can provide informationabout previous or current attacks against theorganization, as well as assist with any responseactivities following the discovery of an incident orcompromise.
Questions?
12
Cybsersecurity
Best Practices
Hardware, Software and Data Inventories
Best Practice: Maintain detailed, up‐to‐date inventory records for all
computer hardware, software and electronic data.
Without the proper identification of all devices on a network,unauthorized devices and software can be easily introduced, putting thenetwork and data at risk. A single compromised device can become alaunching point for further network attacks, quickly turning onecompromised device into many.
Inadequate inventory records makes it unlikely that software patchesnecessary to address known security vulnerabilities can be applied on atimely basis, if at all.
Hardware, Software and Data Inventories (Continued)Inadequate records increases the likelihood that you may inadvertentlyviolate copyright laws by having more software users than licenses for aparticular application and incur penalties as a result.
IT security alerts and bulletins issued by software vendors, municipalassociations, and federal and state agencies reference specific types andversions of devices and software. These alerts are intended to raiseawareness about threats, sometimes imminent threats, to computersystems. Accurate inventory records can help you determine if theseadvisories are relevant to your unique computing environment.
It is very challenging to protect computer resources, including data, if youdo not know exactly what resources you have and where those resourcesreside.
13
Data ClassificationData classification is the process of assigning data to acategory (e.g., public, internal use, confidential) that willdetermine the level of internal controls over that data.
An inventory of information assets (i.e., data) that classifiesdata according to its sensitivity and identifies where the dataresides (e.g., servers, workstations, and laptops) is importantbecause different kinds of information require different levelsof protection.
Policies and TrainingBest Practice: Adopt IT policies that define appropriate user
behavior, describe the tools and procedures needed to protect data andinformation systems, and explain the consequences of policy violations.Provide entity‐wide, cybersecurity training that is closely tied to the ITpolicies.
Acceptable Use
Breach Notification (New York State Technology Law Section 208 (8))
Password
Online Banking
While your IT policies tell users what to do, training provides them withthe skills to do it.
Access ControlsBest Practice: Know all points of entry to your computing
environment and data, and ensure that all access is authorized andsecure. Use available electronic means to enforce and monitor compliancewith access controls. Place particular emphasis on limiting access to andprotecting personal, private, and sensitive information.
Have written procedures in place for granting, changing, andterminating access rights.
Allow users to access only what is necessary to complete their jobduties (principle of least privilege).
Periodically review all accounts and disable any account that cannot beassociated with an authorized user.
14
User Accounts and Passwords To ensure individual accountability within the network, each user
should have his or her own network account (username and password).Likewise, to ensure individual accountability within softwareapplications, each user should have his or her own user account(username and password).
Users should be able to set their own passwords.
Criteria you should considerwith regard to passwords:
Complexity requirements
Length
Aging
Reuse of old passwords
Failed log‐on attempts.
Strictly Control the Use of Administrative Privileges
Administrative privileges are highly privileged accounts that generallyallow users to: view all data on the system or network; make changes tothe settings configured on the system or network; and create new useraccounts, or change the levels of privileges granted to existing useraccounts, on the system or network.
Administrative privileges are necessary for only a small number of userswith particular job duties.
There are countless ways that attackers who gain administrative privilegescan leverage their positions to increase the level of damage caused when asystem or network is breached.
Antivirus ProtectionBest Practice: Install antivirus software and configure it to updateautomatically. Force scans of all newly discovered devices, such as flash drivesand digital cameras, and disable the auto‐play feature for USB devices.
Antivirus software scans your computer or device and looks for certaincharacteristics of known malware (signatures) or other suspicious activity.If something of concern is identified, the software attempts to prevent theagent from causing harm by, for example, removing malware from withina file or quarantining files.
Since malware is constantly taking new forms, an antivirus programcannot be expected to identify and neutralize all types of malware. This isone of the reasons why multiple layers of IT security (defense in depth)are required to keep computer systems and data safe.
15
Patch ManagementBest Practice: Adopt patch‐management policies and procedures thatensure that all patches and updates are applied on a regular basis.
A “patch” is software that is used to correct a problem, such as a securityvulnerability, that exists within an application or an operating system.
When security vulnerabilities in software are discovered, the softwarevendor typically issues a free patch (fix) to correct the problem. The patchshould be applied as soon as possible to reduce the likelihood thatsomeone with malicious intent could successfully exploit thevulnerability.
At some point, vendors discontinue issuing patches (e.g., MicrosoftWindows XP).
Online BankingBest Practice: Entities should adopt a suite of technology‐based and nontechnical controls to ensure online banking is conducted as safely as possible.
Adopt an online banking policy and enter into bank agreements.
Segregate duties.
Enable alerts and other security measures available from the bank.
Set up accounts that do not have access to and/or cannot be accessed through the Internet, and use those accounts for long‐term savings.
Provide cybersecurity training to officers and employees responsible for online banking.
Consider using a separate (dedicated) computer for online banking transactions, one that is not used for email or Internet browsing.
Online Banking (continued) Type the bank’s website address into the Internet browser’s address bar
every time.
Do not allow the computer or web browser to save online banking loginnames or passwords.
Use a wired rather than wireless network for financial transactions.
Monitor accounts on a timely basis, at least every two or three days, forunauthorized or suspicious activity.
Any suspicious activity should be reported immediately. There is alimited recovery window, and a rapid response may preventadditional losses.
To be effective, monitoring must occur frequently even during timeswhen many personnel may be on leave (e.g., 4th of July week; theweeks before, during and immediately after Christmas).
16
Wireless NetworksBest Practice: Configure your wireless network to broadcast only as
far as necessary, enable the best available encryption, and require strong passwords.
Wireless access point coverage should radiate out to the windows, but not beyond.
Enable the most‐secure encryption available (currently WPA2).
Require a strong password for connecting to the wireless network.
Public Website Information DisclosureBest Practice: Establish a framework for classifying data based on its levelof sensitivity, review all materials before they are posted to your publicwebsite, and then periodically review the content of your public website toensure that your internal controls over sensitive information are operating asintended.
Google search operators: Limit search results to those that match criteria beyond simple
keywords. Maintain a list of websites, file types, and keywords to search on a
regular basis. Google allows users to create searches and periodically receive email
alerts of new content that matches those searches.‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
http://www.googleguide.com/advanced_operators_reference.htmhttp://www.google.com/alerts
Physical and Environmental Security
Best Practices: Periodically assess physical and environmental
security measures to ensure they adequately protect computer resourcesand the facilities or infrastructure that house or support those resourcesfrom intentional or unintentional harm, loss or impairment.
Physical access controls restrict the entry and exit of personnel and/orequipment and media from an area.
Locks, gates and security personnel.
Smoke detectors, fire alarms and extinguishers, protection from waterdamage due to plumbing leaks or other flooding, and uninterruptiblepower supplies.
17
Physical and Environmental Security (Continued)
An organization’s personnel can play an important part in physicalsecurity by being trained and encouraged to question people whomthey do not recognize in restricted areas.
It is important to consider and evaluate physical security measuresboth during normal business hours and at other times for example,when an area or building may be unoccupied.
We have found servers: On a basement floor in a municipality that experienced flooding
in the past. Next to the refrigerator in a break room. In an open area in a recreation center. In a closet used daily by staff and visitors to the facility.
FirewallsBest Practice: Install one or more securely configured firewalls, and
monitor the logs and alerts the firewall(s) generate. Update the firewallrules as necessary using a formal change management control process.
Firewalls consist of hardware and/or software that control the flow ofnetwork traffic between networks or hosts (e.g., computers) that employdiffering security postures or goals.
There are several types of firewalls, each with varying capabilities, toanalyze network traffic and allow or block specific instances bycomparing traffic characteristics to existing policies.
IT Disaster Recovery Planning Best Practice: Develop a formal IT disaster recovery plan that
addresses the range of threats to your IT system(s), distribute theplan to all responsible parties, and ensure that it is periodicallytested and updated as needed.
The plan should focus on sustaining critical businessfunctions during and after a disruption.
Technology recovery strategies should consider the possiblerestoration of hardware, applications, data and connectivity.
The plan should include policies and procedures to ensurethat all critical information is routinely backed up so that itwould be available in the event of an emergency.
18
BackupsBest Practice: Back up data at regular intervals; verify the data has
been backed up; store the backup media in a secure, off‐site location; andverify the ability to restore the data backup.
While many entities perform some type of backup procedures, far fewerperiodically attempt to restore a backup to ensure the process isfunctioning as intended and that data would be available in the event ofan emergency.
As noted in the discussion of ransomware, it is important to maintainoffline copies of backups in case an attack renders online files unusable.
Information Disposal and Media Sanitization
Best Practice: Adopt written policies and procedures that outline theproper process to use in verifying that personal, private and sensitive datais entirely destroyed or removed from electronic media prior to theequipment’s disposal or reuse.
Local governments can contract with third parties who specialize ininformation disposal and media sanitation. Prior to doing so, the entitycan, among other things, review and evaluate the disposal company’sinformation security polices, require that the company be certified by arecognized trade association or similar third party, and/or require thecompany to provide written certification that information was disposed ofin the agreed‐upon manner.
National Institute of Standards and Technology http://www.nist.gov/
Contracts for IT Support ServicesBest Practice: Contracts (service level agreements or SLAs) for IT
support services should be in writing, clearly state the local government’ssecurity needs and expectations, and specify the level of service to beprovided by the independent contractor or vendor.
The components of an SLA vary but can include: identification of theparties to the contract; definitions of terminology; term/duration ofagreement; scope/subject; limitations (what, if anything, is excluded);service level objectives and performance indicators; roles andresponsibilities; nonperformance impact; pricing, billing and terms ofpayment; security procedures; audit procedures; reporting;reviews/updates; and approvals.
