SLIDE 1

Information Technology Security

Presentation to Joint Legislative Committee on Information Technology Oversight

Chip Moore
State Chief Information Security Officer
Office of Information Technology Services

December 13, 2012

SLIDE 2

Introduction

  • Security adage: there are two kinds of organizations
    – Those that have been hacked
    – Those that don’t know they’ve been hacked
  • Attempts to steal or compromise data are constant, and hackers will probably get into your systems
  • Key issue is what have you done to protect your data and minimize the damage


SLIDE 3

Outline

  • Threats
    – Entry points
    – Types of threats
  • Current themes in IT security
  • IT security in state government
  • Opportunities for improvement
  • Questions


SLIDE 4

Cyber infrastructure

  • Internet Connections – Three (3)
  • Wide Area Network Connections ~3,700
  • Exposed Servers (Web, Mail, Mainframe, Agency Applications >1,000)
  • PCs and laptops (~64,000)
  • Core Applications (Windows, Office, Adobe, anti-virus)
  • E-mail (Threats: Spam, fake email, viruses and spyware)
  • Web (Threats: Malicious web pages)

Figure: State’s backbone network and POPs (Points of Presence)

SLIDE 5

Threats and Motivations

  • Organized crime – motive is profit
  • Hacktivists – motive is to make a point, political motive, embarrassment of an organization
  • State sponsored hackers – government belief that you may be able to destabilize an economy
  • Black hat – pride, bragging rights
  • Script kiddies – people looking to say they are successful security professionals


SLIDE 6

Techniques

  • Fake electronic mail
  • Unknown software vulnerabilities
  • Hacking including web defacements
  • Interruptions to Internet service that would limit citizens’ ability to conduct state business
  • Viruses
  • Social engineering


SLIDE 7

Challenges

  • Protecting data when it is everywhere
    – Ever-changing technology, tablets and smartphones, have made data mobile
  • Workforce demanding to use personal devices for work
  • Human behavior
    – Policies, rules and regulations will not stop people from acting without thinking
  • Insider threats
  • Password management
  • Timely removal of confidential data at the end of its usefulness
  • Business demands for data sharing


SLIDE 8

Themes in IT security

  • National Association of State Chief Information Officers (NASCIO) call to action issued last month
    – Enterprise approach
      • Fewer silos = better security
      • Enforce standards
      • Minimize entries to network
      • Approach reduces operational costs


SLIDE 9

What are we doing?

  • Technical security controls – antivirus, firewalls, intrusion detection and monitoring, encryption of devices and some data
  • Training and Awareness – provide monthly training newsletters to executive branch agencies
  • ITS has mandatory annual training for all employees
  • Information sharing – relationships with Homeland Security and the FBI to receive and provide information for ongoing investigations
  • Audits – we have audits performed by the State Auditor, the federal government and private industry for regulatory compliance
  • Annually provide and update security standards based on international security standards
  • Preparing for a third party vulnerability assessment and limited penetration testing


SLIDE 10

Areas for Improvement

  • Additional funding for
    – More outside vulnerability and penetration testing
    – Additional security controls purchased at the enterprise level
    – Data Loss Prevention
      • Encryption, other technical approaches
      • Start with most critical data
      • As first step, agencies should evaluate their data and programs to determine sensitivity and risk of exposure
  • Employee Security Training and Awareness
    – More training and newsletters; timely notifications of significant, current threats

SLIDE 11

Cost vs. risk

  • IT security, like any security, is a matter of cost vs. risk
    – How much willing to spend to achieve what level of security
  • Cost of a breach is also significant
    – Lost credibility and trust
    – Cost of notifying citizens, as required by law
    – Cost of protecting citizens against identity theft after a breach

SLIDE 12

Questions?

Chip Moore
Chief Information Security Officer
(919) 754-6300
charles.moore@nc.gov
http://www.esrmo.scio.nc.gov/