
DIR HB 3834 END USER CYBER SECURITY AWARENESS PRESENTATION

Andy Bennett Deputy CISO State of Texas


HB 3834 Training Disclaimer

DISCLAIMER These slides are distributed by the Texas Municipal League (TML) for informational purposes only. Accordingly, possession of these slides does not satisfy the annual training requirement under HB 3834 (86th Legislative Session).


Agenda

  • Presenter Bio
  • HB 3834 Overview and Requirements
  • HB 3834 Training Session
  • The principles of information security
  • Safeguarding, response, and reporting best practices
  • Real-world examples
  • State and Federal Resources


Presenter Bio

Andy Bennett is a boot wearin’ native Texan who serves the State of Texas as the Deputy Chief Information Security Officer. He has a diverse IT background covering 23 years of experience in roles across the enterprise and in a variety of sectors including government, banking, higher education, applied research, oil and gas, law enforcement, Fortune 500 consulting services, and more. He specializes in incident response, investigations, and change efforts and has a passion for security. He is the primary author of the State of Texas’ incident response redbook template and is involved in strategic planning and rulemaking at the statewide level. His professional philosophy is “Show works better than tell, every time.”


State CISO and Cybersecurity Coordinator Role

TEXAS GOVERNMENT CODE

  • Sec. 2054.511. CYBERSECURITY COORDINATOR. The State Cybersecurity Coordinator shall “oversee cybersecurity matters for th[e] state.” [LINK]
  • Sec. 2054.512. CYBERSECURITY COUNCIL. “The state cybersecurity coordinator shall establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.” [LINK]
  • Sec. 2054.514. RECOMMENDATIONS. “The state cybersecurity coordinator may implement any portion or all of the recommendations made by the Cybersecurity, Education, and Economic Development Council under Subchapter N.” [LINK]


HB 3834 Overview

TEXAS GOVERNMENT CODE

  • Sec. 2054.519. STATE CERTIFIED CYBERSECURITY TRAINING PROGRAMS [LINK]
  • DIR, in consultation with the cybersecurity council and industry stakeholders, shall “certify at least five cybersecurity training programs for state and local government employees.”
  • To be certified, “a cybersecurity training program must:
    • Focus on forming information security habits and procedures that protect information resources; and
    • Teach best practices for detecting, assessing, reporting and addressing information security threats.”


Meeting HB 3834 Training Requirements

Select a state certified cybersecurity training program

  • If you are currently using a program that was developed in-house, submit it for certification
  • Select a training program from the list of certified programs (available on the DIR website)

Complete training by June 14, 2020


Principles of Information Security

HB 3834 Topic Mapping: Topic 1.1(a). Users should be aware of what ‘information security’ means


Defining Information Security


Definition: Information Security

According to NIST, Information Security is “[t]he protection of information and information systems against unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity, and availability.” Source: NIST SP 800-171 Rev. 1

Information refers to “[a]ny communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”

Information System refers to “[a] discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”

Sources: NIST SP 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations


Defining Information Security: C-I-A

  • Confidentiality: Prevent unauthorized access and use of information resources.
  • Integrity: Prevent unauthorized change and ensure reliability of information resources.
  • Availability: Ensure timely availability of information resources.

Users must exercise due care to ensure the confidentiality, integrity, and availability of the information resources under their care.


Information Security Objective: Confidentiality

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”

Common Controls/Safeguards:

  • Cryptography
  • Access Management
  • Acceptable Use Policy
  • Information Security Awareness Policy
  • Privacy Policy
  • Social Media Policy

Information Security Objective: Integrity

“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”

Common Controls/Safeguards:

  • File Integrity Monitoring
  • System Integrity Monitoring
  • Hashing Technology
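The “Hashing Technology” and “File Integrity Monitoring” controls listed above work the same way: record a cryptographic hash of each file while it is known-good, recompute later, and report any file whose hash no longer matches. The following is an added example (not code from the HB 3834 slides or from DIR) of a minimal file-integrity monitor in Python. The directory contents and the tampering it detects are constructed inside a temporary directory for the demo.

```python
"""File integrity monitoring (FIM) with SHA-256 hashes.

Added example, not from the HB 3834 slides: builds a hash baseline of a
directory and later reports files that were modified, added or removed.
All sample files are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baseline(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Return which files changed hash, appeared, or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, tamper with the tree, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "app.cfg").write_text("debug=false\n")

        baseline = build_baseline(root)

        # Simulated unauthorized changes (constructed for the demo):
        (root / "app.cfg").write_text("debug=true\n")      # modified
        (root / "etc" / "passwd").unlink()                  # removed
        (root / "unexpected.sh").write_text("#!/bin/sh\n")  # added

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In a real deployment the baseline itself must be stored where an attacker who can change the monitored files cannot also rewrite it (a separate host or a signed record), or the monitor detects nothing.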

Information Security Objective: Availability

“Ensuring timely and reliable access to and use of information.”

Common Controls/Safeguards:

  • Incident Response Plan
  • Business Continuity Plan
  • Disaster Recovery Plan
  • Data/Record Retention Plans

Information Security Strategy

Defense-in-Depth

Information assets are protected by many interlocking, redundant, and complementary controls to detect, deter, and prevent attacks.

[Figure: Typical IT infrastructure used to illustrate Defense-in-Depth: User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, WAN Domain, Remote Access Domain, and Application Domain; the public Internet, encrypted tunnels, vendors, and a DMZ hosting web and email.]

Host-Based Controls

  • Multi-Factor Authentication
    • Username/Pass
    • Fingerprint
    • Windows Hello
  • Whole-Disk Encryption
  • Encrypted Folders
  • Anti-Malware Scanner
  • Host-Based Firewall
  • VPN Client Software

“Information assets” are protected by several layers of “technical” controls.


Information Security Strategy

Least Privileges & Segregation of Duties

Limit user privileges (access/use) to no more than what is necessary to perform their duties. Example: The judicial branch of government, by law, may decide the constitutionality of a law, but it may not create law. Why? Because this authority belongs to the legislature and CANNOT be delegated to another branch.


Information Security Controls/Safeguards

Controls/Safeguards Categories and Design

Controls/safeguards are instruments implemented by an organization to ensure the “CIA” of “information assets”. They are categorized as one or several of the following: 1) Administrative; 2) Physical; or 3) Technical. They are designed for one or several outcomes: 1) Detection; 2) Deterrence; 3) Prevention; and/or 4) Correction. See NIST SP 800-53 Rev. 4 for a comprehensive set of “controls”. (Link)


Information Security Controls/Safeguards

Administrative Controls/Safeguards

Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls. Examples:

  • Acceptable Use Policy
  • Clean Desk Policy
  • Wireless Communication Policy
  • Wireless Communication Standard
  • Data Retention Policy
  • Information Classification Management Program
  • Mechanical Hard Drive Destruction Procedure
  • Vendor Management Program


Information Security Controls/Safeguards

Administrative Controls/Safeguards

Your information security program should consist of a “policy framework.” The “policy framework” will balance the organization’s objectives and:

  • Business requirements;
  • Legal requirements; and
  • Technical requirements.

  • Policy: Documents stating an organization’s official position on an information security issue.
  • Standards: Documents defining methods for achieving system- or procedural-specific requirements.
  • Procedures: Documents outlining the specific steps of a process.
  • Guidelines: Documents outlining voluntary methods or procedures.


Information Security Controls/Safeguards

Physical Controls/Safeguards

Physical controls/safeguards generally refer to physical mechanisms implemented throughout an organization’s premises to provide for the confidentiality, integrity, and availability of information assets. These controls may also be designed to detect, prevent, and/or correct security incidents.

Examples:

  • Security guards
  • Doors, cabinets, and locks
  • Bollards, fences, and barbed wire
  • Closed circuit television camera systems
  • Motion detection systems
  • Fire detection and suppression systems
  • Heating, ventilation, and air conditioning systems


Information Security Controls/Safeguards

Technical Controls/Safeguards

Technical controls/safeguards generally refer to the software and/or hardware mechanisms implemented throughout the network, in order to enforce the rules and requirements defined in the administrative controls. These controls may also be designed to detect, prevent, and/or correct security incidents. Examples:

  • Firewalls
  • VPN Gateway/Client Software
  • Multi-Factor Authentication Systems
  • File and Whole-Disk Encryption
  • Anti-Virus and Malware Scanning Software


Information Security Principles

Information Security Principles: Key Takeaways

1. Defining ‘information security’
2. The core objectives of ‘information security’ are:
   a. Confidentiality
   b. Integrity
   c. Availability
3. Defense-in-Depth Principle
4. Least Privileges Principle
5. Safeguard/Control Categories and Types


Information Types and Classifications

HB 3834 Topic Mapping: Topic 1.1(b). Users should be aware of the types of information (e.g., confidential, private, sensitive, etc.) they are responsible for safeguarding


Information Types and Classifications

Administrative Controls/Safeguards

Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls. Examples:

  • Acceptable Use Policy
  • Clean Desk Policy
  • Wireless Communication Policy
  • Wireless Communication Standard
  • Data Retention Policy
  • Information Classification Management Program
  • Example: Guideline on Safeguarding Sensitive Information
  • Example: Digital Media Destruction Procedure
  • Vendor Management Program


Information Types and Classifications

[Figure: Information Classification Management Program example. Classification levels Top Secret, Secret, and Confidential, with the amount of control and of access varying by level.]

A formal system for:

1. Classifying information
   a. Primarily based on the potential damage to national security, if information is released to an unauthorized party.
2. Safeguarding information
   a. What controls apply?
   b. Who can access and use it?
   c. When can it be accessed?
   d. How can it be used?
   e. Where and how to store it?
3. Declassifying information
   a. When, why, and how.

Information Classification Management Program National Policy: EO 12958, later replaced by EO 13526 (Link). Implementing Directive: 32 CFR Part 2001/2004, “Classified National Security Information Directive No. 1” (Link)

Information Types and Classifications

[Figure: A confidential conversation and a document marked “DOCUMENT CLASSIFICATION: CONFIDENTIAL (C)”.]

Who can access and use this information? Where and how can this information be stored?


Information Types and Classifications

Information Types and Classifications: Key Takeaways

1. Safeguarding of information is informed by information classification
2. Information classification informs:
   a. What controls apply?
   b. Who can access and use it?
   c. When can it be accessed?
   d. How can it be used?
   e. Where and how to store it?


Forms and Locations of Information

HB 3834 Topic Mapping: Topic 1.1(c). Users should be aware of the forms and locations of the information they are responsible for safeguarding


Forms and Locations of Information

Information Asset: Physical Form


Physical information assets at “rest”.

Forms and Locations of Information

Information Asset: Oral Form


Audio information assets in “use” and “transit”.


Forms and Locations of Information

Information Asset: Electronic Form


Electronic information assets in “use” and “transit”.

Forms and Locations of Information

[Figure: Typical IT infrastructure diagram, repeated from the Defense-in-Depth slide.]


Forms and Locations of Information

Forms and Locations of Information: Key Takeaways

1. Information must be safeguarded regardless of form or location
2. Information Forms:
   a. Physical (“hard-copy”);
   b. Oral (audio/spoken word); and
   c. Digital/Electronic.


Safeguarding Against Unauthorized Access

HB 3834 Topic Mapping:
  • Topic 1.2(a). Users should be aware of how to safeguard against unauthorized access to information, information systems, and secure facilities/locations
  • Topic 1.2(b). Users should be aware of how to safeguard against unauthorized use of information and information systems

[Figure: Typical IT infrastructure diagram, repeated, annotated with Information Security Controls/Safeguards.]


Safeguarding Against Unauthorized Access

Safeguarding Against Unauthorized Access: Key Takeaways

1. Access to information must be controlled internally and externally
2. Access is controlled by:
   a. Administrative Controls/Safeguards
   b. Physical Controls/Safeguards
   c. Technical Controls/Safeguards


Secure Storage of Information


HB 3834 Topic Mapping: Topic 1.2(c). Users should be aware of best practices related to securely storing information

[Figure: Typical IT infrastructure diagram, repeated, annotated with Information Security Controls/Safeguards.]


Secure Storage of Information

Information Asset: Physical (“Hard-Copy”) Form


Physical information assets should be stored and locked according to policy.

Secure Storage of Information

Information Asset: Oral Form


Confidential or sensitive conversations should take place in secure areas where unauthorized individuals cannot eavesdrop.


Secure Storage of Information

Information Asset: Electronic Form


  • Information stored on authorized and encrypted cloud storage services only
  • Information stored on authorized and encrypted mobile media only
  • Information stored on authorized and encrypted workstations only
  • Information stored on authorized and encrypted mobile devices only

Secure Storage of Information

Secure Storage of Information: Key Takeaways

1. Information must be stored in a secure manner
2. Organization policy should dictate where
   a. Filing cabinets and/or safes
   b. Authorized and secure cloud storage services (e.g., Microsoft OneDrive)
   c. Authorized and secure removable media (e.g., USB flash drives)
   d. Authorized and secure mobile devices (e.g., cell phones)


Information Sanitization and Media Destruction

HB 3834 Topic Mapping: Topic 1.2(d). Users should be aware of best practices related to securely disposing and sanitizing information and information systems


Information Sanitization and Media Destruction


Information Sanitization: Refers to “the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means” (Source: NIST SP 800-88 Rev. 1)

Information Destruction: Refers to actions taken to permanently destroy media in which data/information is stored.

[Figure: Other common sanitization and destruction methods, shown against a document marked “DOCUMENT CLASSIFICATION: CONFIDENTIAL (C)”: fire, zeroization, redaction, degaussing, drilling, and shredding.]

For more information, see NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization (Link)


Information Sanitization and Media Destruction

Information Sanitization and Destruction: Key Takeaways

1. Information must be sanitized or destroyed in accordance with policy
2. Organization policy should dictate when and how information is either
   a. Sanitized; or
   b. Destroyed.


Information Security Threats, Risks, and Attacks

HB 3834 Topic Mapping:
  • Topic 2.1(a). Users should be aware of the meaning of ‘threat’ with regards to information security
  • Topic 2.1(b). Users should be aware of common ‘threat actors’ and their motivations
  • Topic 2.1(c). Users should be aware of the meaning of ‘risk’ with regards to information security


Information Security Threats, Risks, and Attacks


Definition: [Information Security] Threat

According to NIST, a ‘threat’ is “[a]ny circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.”

Source: NIST SP 800-171 Rev. 1

Information Security Threats, Risks, and Attacks

[Information Security] Threats

  • Human-Based: Threat actors who take actions to compromise the CIA of an organization.
  • Nature-Based: Threat actors who take actions to compromise the CIA of an organization.

Impact: Confidentiality, Integrity, and Availability


Information Security Threats, Risks, and Attacks


Definition: Threat Actors

According to NIST, ‘threat actor’ refers to “[a]n individual or group posing a threat.”

Source: NIST SP 800-150

Information Security Threats, Risks, and Attacks

THREAT ACTORS

  • Hacktivists: Conduct attacks in furtherance of political interests.
  • Criminals: Conduct attacks in furtherance of financial interests.
  • Insiders: Conduct attacks in furtherance of personal interests.
  • State Actors: Destruction, disruption, and espionage in furtherance of national interests.

Impact: Confidentiality, Integrity, and Availability


Information Security Threats, Risks, and Attacks


Definition: [Information Security] Risk

According to NIST, a ‘risk’ is “[a] measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.”

Source: NIST SP 800-53 Rev. 4


Information Security Threats, Risks, and Attacks


Definition: [Information Security] Attack

According to NIST, an ‘attack’ is “[a]n attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality.”

Source: NIST SP 800-82 Rev. 2

Information Security Threats, Risks, and Attacks

[Figure: Typical IT infrastructure diagram, repeated, labeled COMMON ATTACK VECTORS.]

Information Security Threats, Risks, and Attacks: Key Takeaways

1. Threats can be categorized as either:
   a. Nature-based; or
   b. Human-based.
2. Threat actor motivations help us categorize them as either:
   a. Hacktivists;
   b. Insiders (unintentional/intentional);
   c. Criminal;
   d. State-Sponsored;
   e. Opportunists; or
   f. Other.
3. Threat actors target and attack their victims based on their motivations, means, and victim vulnerabilities.


Identifying Common Attacks

HB 3834 Topic Mapping:
  • Topic 2.1(d). Users should be aware of the meaning of ‘attack’ with regards to information security
  • Topic 2.2(a). Users should be aware of the meaning of ‘threat’ with regards to information security


Indicators for Common Attacks

Social Engineering Attacks

  • Description: According to NIST, social engineering refers to “[t]he act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.” Source: NIST SP 800-63-3 Digital Identity Guidelines
  • Threat Actor Objective: Manipulate a target (i.e., a user) into providing unauthorized access to information or information systems.
  • Common Threat Actor Techniques:
    1. Phishing (Email): A threat actor may send emails to your organization, purporting to represent a trusted entity, such as a vendor or co-worker. This email will typically request the recipient to either provide information, open an attached document (containing malware), or click an embedded link to an infected website.
    2. Smishing (SMS): A threat actor may send text messages to a user, purporting to represent a trusted entity, such as a vendor or co-worker. This text message will request the recipient to either provide confidential information or click a link to an infected website.
    3. Vishing (Voice): A threat actor may call your organization, purporting to represent a trusted entity, such as a vendor or co-worker. During this call, the threat actor will ask questions designed to trick the recipient into divulging confidential information.
    4. Masquerading (In-Person): A threat actor may arrive at your organization, purporting to represent a trusted entity, such as a vendor or delivery person.


Indicators for Common Attacks

Phishing Attack Example

http:notdocusign.com

Trusted sender? Threat actor spoofs a trusted colleague’s email address to deceive the user. Risk Mitigation: Contact the sender out-of-band (phone or separate email) to confirm.

Threat actor prompts the user to visit a fraudulent site to review a contract. Risk Mitigation: Hover over the links to reveal their URL. If suspicious: 1) Do not click on the link; and 2) Report the email to your organization’s IT or Information Security Department.

THREAT INDICATOR

1. Threat actor sends user a fraudulent email prompting action
   a. Appears to come from a trusted source (spoofed)
   b. Prompts user to click a link
2. Threat actor directs user to fraudulent site
   a. Prompts user to provide username and password
   b. Prompts user to download MS Office document containing malware (macro-based)


This is not “https:docusign.com”. The user’s email/password are captured for unauthorized reuse by the threat actor. Risk Mitigation: If you have made it this far and notice the URL is suspicious: 1) Do not provide your username and password; 2) Do not click on any of the links on the page; and 3) Report the email to your organization’s IT or Information Security Department.


Risk Mitigation: If you have made it this far and have downloaded a file: 1) Do not enable content (macros); and 2) Report the email to your organization’s IT or Information Security Department. The user downloads the fraudulent contract document for review. This document contains macro-based malware, which will infect his/her computer and network upon activation.


The user clicked “enable content” on the Word document, which infects his/her PC and network with “ransomware”.
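The phishing example above tells the user to hover over a link and compare the revealed URL with what the email displays. The following added example (not code from the HB 3834 slides or from DIR) applies that same check to an email body in Python, so a help desk or a mail filter can flag the link before anyone clicks. The trusted-domain list and the sample email are constructed for the demo, and the full destination http://notdocusign.com is an assumption based on the slide’s shortened “http:notdocusign.com”.

```python
"""Phishing link inspection: automate the "hover over the link" check.

Added example, not code from the HB 3834 slides or from DIR. For every
anchor in an email body it compares the visible text with the real
destination, flags plain-http links, and flags hosts that merely contain a
trusted brand name (notdocusign.com) without being the trusted domain.
TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for this demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: registrable domains the organization actually uses.
TRUSTED_DOMAINS = {"docusign.com", "example.gov"}

# Visible link text that itself looks like a URL or a bare domain name.
_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list[tuple[str, str]]:
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """True for a trusted domain or a subdomain of it; false for look-alikes."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(href: str, text: str) -> list[str]:
    """Return the warning signs a user would see by hovering over the link."""
    indicators = []
    host = host_of(href)
    if urlparse(href).scheme.lower() != "https":
        indicators.append("not https")
    if _URLISH.match(text):
        # The email shows something URL-like; does it match where the link really goes?
        shown = host_of(text if "://" in text else "https://" + text)
        if shown != host:
            indicators.append(f"display text {shown!r} differs from destination {host!r}")
    for d in sorted(TRUSTED_DOMAINS):
        brand = d.split(".")[0]
        if brand in host and not is_trusted_host(host):
            indicators.append(f"look-alike of trusted domain {d}")
    return indicators


def scan_email(html: str) -> dict[str, list[str]]:
    """Map each link destination to its indicators (empty list = nothing suspicious)."""
    return {href: phishing_indicators(href, text) for href, text in extract_links(html)}


# Constructed sample mirroring the slide: the visible text names docusign.com,
# the real destination is http://notdocusign.com.
SAMPLE_EMAIL = """
<p>Please review and sign the attached contract:</p>
<a href="http://notdocusign.com/review?id=1234">https://docusign.com/review</a>
<p>Questions? See <a href="https://www.example.gov/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for href, found in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", ", ".join(found) or "no indicators")
```

The look-alike test deliberately requires a dot before the trusted domain (host.endswith("." + d)), which is what separates a real subdomain such as docs.docusign.com from notdocusign.com; a plain substring or suffix match would accept the fraudulent host.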


Indicators for Common Attacks

Ransomware Attacks

  • Description: According to the Department of Homeland Security, ransomware refers to “[a] type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.” Source: Department of Homeland Security
  • Threat Actor Objective: To deny the victim access to computer systems or data until a ransom is paid.
  • Common Threat Actor Techniques:
    • Phishing (Email): A threat actor may send emails to your organization, purporting to represent a trusted entity, such as a vendor or co-worker. This email will typically request the recipient to either provide information, open an attached document (containing malware), or click an embedded link to an infected website.

69

Indicators for Common Attacks

Ransomware Attack Example

INDICATOR OF COMPROMISE

1. The user is presented with a ransom note addressing:
   a. What happened?
   b. How do I recover?
   c. How do I pay the ransom?
2. Denial of access to system files/resources
   a. Files or system are encrypted
   b. Recovery of files contingent upon:
      1. Ability to decrypt (or pay the ransom); or
      2. Recover from backups.

Risk Mitigation: If you have made it this far and have downloaded a file: 1) Do not attempt to pay or decrypt; 2) Immediately report the ransom to your organization’s IT or Information Security Department; and 3) Follow instructions regarding who and how this information can be shared.
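Added example, not part of the DIR slide deck: a simple heuristic detector that expresses the two indicators of compromise listed above (files being encrypted and renamed in bulk, and a ransom note dropped in every affected folder) as a check over a file-activity log, the kind of signal an IT or security department would look for after a report comes in. The log lines, paths, the ".locked" extension and the note file name are all constructed sample values, not indicators from any real incident.

```python
# Added example (not from the slide deck): a heuristic that turns the two
# indicators of compromise on this slide into a detection over a file
# activity log. All paths, the ".locked" extension and the note file name
# are constructed sample values.
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath


def constructed_log(n_files: int, drop_note: bool) -> list:
    """Build sample log lines "<ISO time> <ACTION> <path>" (constructed data).

    With a large n_files and drop_note=True the log looks like the burst a
    ransomware process produces: every document is renamed to one new
    extension and the same note file appears in each folder it touches.
    """
    t0 = datetime(2019, 3, 22, 5, 0, 0)
    lines = ["2019-03-22T04:30:00 RENAME /srv/share/hr/policy-v2.docx"]  # benign rename
    for i in range(n_files):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        folder = f"/srv/share/dept{i % 5}"
        lines.append(f"{ts} RENAME {folder}/file{i}.docx.locked")
        if drop_note and i < 5:
            lines.append(f"{ts} CREATE {folder}/HOW_TO_RECOVER.txt")
    return lines


def parse_line(line: str) -> tuple:
    """Split one log line into (datetime, ACTION, path)."""
    ts, action, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), action.upper(), path


def detect_ransomware_indicators(lines, window=timedelta(seconds=60),
                                 rename_threshold=20, note_dir_threshold=3) -> list:
    """Return human-readable findings for the two IoC patterns.

    1. Mass rename: at least rename_threshold files receive the same new
       extension inside one sliding window (files encrypted and renamed).
    2. Ransom note: one file name is created in note_dir_threshold or more
       directories (the note dropped next to the encrypted files).
    """
    events = sorted(parse_line(line) for line in lines if line.strip())
    findings = []

    # Pattern 1: sliding window over rename timestamps, grouped by extension.
    rename_times = defaultdict(list)
    for ts, action, path in events:
        if action == "RENAME":
            rename_times[PurePosixPath(path).suffix.lower()].append(ts)
    for ext, times in rename_times.items():
        start = 0
        for end, t in enumerate(times):
            while times[start] < t - window:  # drop timestamps outside the window
                start += 1
            if end - start + 1 >= rename_threshold:
                findings.append(f"{end - start + 1} files renamed to '{ext}' within "
                                f"{int(window.total_seconds())}s (mass encryption pattern)")
                break

    # Pattern 2: the same file name created across many directories.
    note_dirs = defaultdict(set)
    for ts, action, path in events:
        if action == "CREATE":
            p = PurePosixPath(path)
            note_dirs[p.name].add(str(p.parent))
    for name, dirs in note_dirs.items():
        if len(dirs) >= note_dir_threshold:
            findings.append(f"'{name}' created in {len(dirs)} directories (ransom note pattern)")
    return findings


if __name__ == "__main__":
    for finding in detect_ransomware_indicators(constructed_log(30, True)):
        print("ALERT:", finding)
    print("benign log findings:", detect_ransomware_indicators(constructed_log(3, False)))
```

The thresholds are parameters rather than constants because the right values depend on the environment: a file server that legitimately renames thousands of files during a nightly job needs a higher rename threshold than a single workstation.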

Identifying Common Attacks

Identifying Common Attacks: Key Takeaways

1. Attacks are an attempt to compromise the “CIA” of information/information resources.
2. Common attacks targeting the end-user include:
   a. Social Engineering; and
      I. Phishing (Email)
      II. Smishing (SMS)
      III. Vishing (Voice)
      IV. Masquerading (In-Person)
   b. Ransomware.
3. End-users need to know:
   1. What they are;
   2. How they work;
   3. How to spot them;
   4. How to report and respond to them.

Respond/Report on Common Attacks and Suspicious Activity

HB 3834 Topic Mapping: Topic 2.2(a). Users should be aware of how to respond and report on common attacks or suspicious activity (either by best practice or policy)

Respond/Report on Common Attacks and Suspicious Activity

General best practices for responding to and reporting on common threats and suspicious activity:

1. If you see something, say something;
   a. Suspicious computer or network activity indicating an attempted attack.
   b. Suspicious computer or network activity indicating a successful attack.
   c. Any suspicious behavior in the workplace.
2. Know who you are required to report suspicious activity to;
   a. E.g., Help-Desk, IT, Information Security, or other.
3. Know when you are required to report suspicious activity;
   a. Know how soon, as well.
4. Know with whom you can share this information; and
   a. Before and after reporting.
5. Know what – if any – additional actions you should take in response.

Respond/Report on Common Attacks and Suspicious Activity

State Notification and Reporting Law and Rules

TEXAS ADMINISTRATIVE CODE (Source: Texas Administrative Code)

Security Reporting for State Agencies
  • Title 1, Part 10, Chapter 202, Subchapter B, Rule § 202.23

Security Reporting for Institutions of Higher Education
  • Title 1, Part 10, Chapter 202, Subchapter C, Rule § 202.73

TEXAS GOVERNMENT CODE (Source: Texas Government Code Section 2054.1125)

Respond/Report on Common Attacks and Suspicious Activity

Who: The City of Atlanta was the victim of a Ransomware attack conducted by two Iranian hackers, Faramarz Shahi Savandi (35y) and Mohammad Mehdi Shah Mansouri (28y).
  • Members of the SamSam Group (non-State affiliated).
  • Ransom demand of $51,000 in (~6) Bitcoin.

What: The threat actors infected several mission-critical resources, ultimately affecting many services and programs, such as: utilities, parking, and even court services.

Response/Reporting Lessons Learned: March 22 (~5am), a City of Atlanta employee discovered the ransom note on an Atlanta Police Department computer. This employee took a picture of the ransom note with a cell phone and leaked the incident to local media, 11Alive.
  • 11Alive covered the story, tipping off the threat actors, who then deleted the ransom portal, leaving the City with no option to pay. (link)

Key Takeaway:
  • If you discover an incident, immediately report it to your organization’s department responsible for responding to computer security incidents.
  • DO NOT share this information with anyone else, unless authorized and directed to do so by your organization.

Respond/Report on Common Attacks and Suspicious Activity

Texas Department of Information Resources: In Texas, if you are impacted by an incident, DIR provides the following resources:

1. Bulk Purchasing
2. Network Products and Related Services Contracts
3. Managed Services End-User IT
4. Information Technology Security (ITS) Products and Services

For more information about these resources, please visit: Link. More information on State Security Resources below.

Respond/Report on Common Attacks and Suspicious Activity

Respond/Report on Common Attacks and Suspicious Activity: Key Takeaways

1. Attacks are an attempt to compromise the “CIA” of information/information resources.
2. End-users need to know what to do when they identify an attack or suspicious activity:
   a. Who to report it to;
   b. How to report it;
   c. When to report it;
   d. What to do after it has been reported; and
   e. Who else they can share the information with.

State Security Resources: How DIR Can Partner With You to Keep Your Systems and Citizens Secure

STATE INFORMATION SECURITY RESOURCES

DIR AWARENESS, EDUCATION AND TRAINING SERVICES

SECURITY TRAINING
  • Information Security Forum
  • Monthly Gartner Webinars
Link

INFORMATION SHARING
  • Security List
  • Texas Cybersecurity Weekly
  • Monthly Information Security Meetings
  • MS-ISAC Notifications
Link

State Security Resources

INFORMATION SECURITY PLANNING
  • Alignment with the Texas Cybersecurity Framework
  • 5 functional areas
  • 40 security objectives
  • Comprehensive information security planning
Link

Managed Security Services (MSS)

Security Monitoring and Device Management
  • Host Based IDS/IPS
  • Network Based IDS/IPS
  • Managed Firewall
  • Managed Web App Firewall
  • Malware Detection System
  • Security Information and Event Management (SIEM)
  • Threat Research
  • Security Operations Center Services
  • Managed Endpoint Security

Incident Response
  • Incident Response Preparedness
  • Digital Forensics
  • Security Incident Management

Risk and Compliance
  • Penetration Test
  • Web and Mobile Application Test
  • Vulnerability Scanning
  • Web App Vulnerability Scanning
  • Risk Assessment
  • Cloud Compliance Assessment

State Security Resources (MSS)

Security Monitoring and Device Management Services (MSS)

Remote Management and Operations: San Antonio, Texas; Tampa, Florida; Dallas, Texas; San Jose, California

Security Operations Center Services (Onsite Management): DIR NSOC Austin, Texas; Where Needed, Texas

Available Only in Legacy Data Centers:
  • Endpoint Management Services
  • Intrusion Detection/Prevention System Services
  • Managed Firewall Services
  • Malware Detection Systems
  • Security Operations Center (SOC) Services
  • Host-based Intrusion Prevention Systems*

Available for ALL Systems and Locations:
  • Web Application Firewall Services
  • Threat Research

Available for Non-DCS managed systems:
  • Host-based Intrusion Prevention Services
  • Security Information and Event Management (SIEM)

State Security Resources (Security Monitoring and Device Management)

Incident Response Services (MSS)

Incident Response Preparedness

Provides a critical review of current internal processes and procedures for handling events, incidents, and evidence. Includes:
  • Detective control configurations
  • Deployed preventative and detective solution sets throughout the environment
  • Current incident response plans
  • Incident responder and handler skillset evaluations
  • Incident responder and handler training evaluations
  • Evidence seizure and storage procedure analysis
  • Electronic data recovery
  • Litigation support

Digital Forensics
  • “On Demand” service
  • Use of Encase and/or Carbon Black for analysis of hard drive images

Incident Response Management
  • No retainer for this service
  • Address adverse events, issues, or occurrences that may occur in your environment
  • Includes detection, triage, response activities, and containment of computer security events

State Security Resources (Incident Response Services)

Incident Response Redbook: A Template to Help Build a Plan

https://pubext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Incident%20Response%20Template%202019.pdf

State Security Resources (Interlocal Contract)
  • Interlocal Contract (ILC)

https://dirsharedservices.service-now.com/dir

Risk & Compliance Services (MSS)
  • Penetration Testing
  • Vulnerability Scanning
  • Web Application Scanning
  • Web and Mobile Application Penetration Testing
  • Risk Assessments
  • Cloud Compliance

State Security Resources (Risk & Compliance Services)

TAKEAWAYS

1. Information security is interdisciplinary, consisting of risk management, technology, and compliance.
2. Consider adopting a recognized framework, such as the NIST/TX CSF, to plan, design, implement, and maintain your enterprise information security program.
3. Identify your information assets, assess the risks of each, and implement controls to achieve an “acceptable level of risk”.
   1. Know what you have;
   2. Know your risks;
   3. Prepare to defend;
   4. Prepare to respond; and
   5. Prepare to recover.
4. Use a “risk-based” approach to ensure you provide for the confidentiality, integrity, and availability of your information assets.
5. Do not go it alone – consider leveraging the state-level resources provided by the DIR.

State Security Resources

Federal Resources

NIST COMPUTER SECURITY RESOURCE CENTER
  • NIST Cybersecurity Framework (Link)
  • NIST Special Publications (Link)
  • NIST NICE Cybersecurity Workforce Framework (Link)
  • NIST SP 800-12 Rev. 1, An Introduction to Information Security (Link)
  • NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments (Link)
  • NIST SP 800-50, Building an Information Security Awareness and Training Program (Link)
  • NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide (Link)
  • NIST Glossary of Key Information Security Terms (Link)

Contact Information

For more information about DIR’s cybersecurity services: DIRSecurity@dir.texas.gov
For more information about HB 3834: TXTrainingCert@dir.texas.gov
Helpful Resources and Templates: https://dir.texas.gov/View-About-DIR/Information-Security/Pages/Content.aspx?id=139