DIR HB 3834 END USER CYBER SECURITY AWARENESS PRESENTATION

Andy Bennett, Deputy CISO, State of Texas

HB 3834 Training Disclaimer

DISCLAIMER

These slides are distributed by the Texas Municipal League (TML) for informational purposes only. Accordingly, possession of these slides does not satisfy the annual training requirement under HB 3834 (86th Legislative Session).


Agenda

• Presenter Bio
• HB 3834 Overview and Requirements
• HB 3834 Training Session
  • The principles of information security
  • Safeguarding, response, and reporting best practices
  • Real-world examples
• State and Federal Resources

Presenter Bio

Andy Bennett is a boot wearin’ native Texan who serves the State of Texas as the Deputy Chief Information Security Officer. He has a diverse IT background covering 23 years of experience in roles across the enterprise and in a variety of sectors including government, banking, higher education, applied research, oil and gas, law enforcement, Fortune 500 consulting services, and more. He specializes in incident response, investigations, and change efforts and has a passion for security. He is the primary author of the State of Texas’ incident response redbook template and is involved in strategic planning and rulemaking at the statewide level. His professional philosophy is “Show works better than tell, every time.”


State CISO and Cybersecurity Coordinator Role

TEXAS GOVERNMENT CODE

Sec. 2054.511. CYBERSECURITY COORDINATOR. The State Cybersecurity Coordinator shall “oversee cybersecurity matters for th[e] state.” [LINK]

Sec. 2054.512. CYBERSECURITY COUNCIL. “The state cybersecurity coordinator shall establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.” [LINK]

Sec. 2054.514. RECOMMENDATIONS. “The state cybersecurity coordinator may implement any portion or all of the recommendations made by the Cybersecurity, Education, and Economic Development Council under Subchapter N.” [LINK]


HB 3834 Overview

TEXAS GOVERNMENT CODE

Sec. 2054.519. STATE CERTIFIED CYBERSECURITY TRAINING PROGRAMS [LINK]

• DIR, in consultation with the cybersecurity council and industry stakeholders, shall “certify at least five cybersecurity training programs for state and local government employees.”

• To be certified, “a cybersecurity training program must:
  • Focus on forming information security habits and procedures that protect information resources; and
  • Teach best practices for detecting, assessing, reporting and addressing information security threats.”


Meeting HB 3834 Training Requirements

Select a state certified cybersecurity training program:
• If you are currently using a program that was developed in-house, submit it for certification
• Select a training program from the list of certified programs (available on the DIR website)

Complete training by June 14, 2020

Principles of Information Security

HB 3834 Topic Mapping: Topic 1.1(a). Users should be aware of what ‘information security’ means


Defining Information Security

Definition: Information Security

According to NIST, Information Security is “[t]he protection of information and information systems against unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity, and availability.” (Source: NIST SP 800-171 Rev. 1)

Information refers to “[a]ny communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”

Information System refers to “[a] discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”

Source: NIST SP 800-171 Rev. 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Source: NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations

Defining Information Security

The “CIA” triad:
• Confidentiality: Prevent unauthorized access and use of information resources
• Integrity: Prevent unauthorized change and ensure reliability of information resources
• Availability: Ensure timely availability of information resources

Users must exercise due care to ensure the confidentiality, integrity, and availability of the information resources under their care.


Information Security Objective: Confidentiality

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”

Common Controls/Safeguards:
- Cryptography
- Access Management
- Acceptable Use Policy
- Information Security Awareness Policy
- Privacy Policy
- Social Media Policy

Information Security Objective: Integrity

“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”

Common Controls/Safeguards:
- File Integrity Monitoring
- System Integrity Monitoring
- Hashing Technology


Information Security Objective: Availability

“Ensuring timely and reliable access to and use of information.”

Common Controls/Safeguards:
- Incident Response Plan
- Business Continuity Plan
- Disaster Recovery Plan
- Data/Record Retention Plans

Information Security Strategy

Defense-in-Depth

Information assets are protected by many interlocking, redundant, and complementary controls to detect, deter, and prevent attacks.


[Diagram: Typical IT Infrastructure. Domains shown: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and Application; connections to the public Internet over encrypted tunnels, vendor connections, and a web/email DMZ.]

Information Security Strategy/Defense-in-Depth

Information Security Strategy

Defense-in-Depth

Information assets are protected by many interlocking, redundant, and complementary controls to detect, deter, and prevent attacks.

Host-Based Controls:
- Multi-Factor Authentication
  - Username/Password
  - Fingerprint
  - Windows Hello
- Whole-Disk Encryption
- Encrypted Folders
- Anti-Malware Scanner
- Host-Based Firewall
- VPN Client Software

“Information assets” are protected by several layers of “technical” controls.


Information Security Strategy

Least Privileges & Segregation of Duties

Limit user privileges (access/use) to no more than what is necessary to perform their duties.

Ex: The judicial branch of government, by law, may decide the constitutionality of a law, but it may not create law. Why? Because this authority belongs to the legislature and CANNOT be delegated to another branch.

Information Security Controls/Safeguards

Controls/Safeguards Categories and Design

Controls/safeguards are instruments implemented by an organization to ensure the “CIA” of “information assets”. They are categorized as one or several of the following: 1) Administrative; 2) Physical; or 3) Technical.

They are designed for one or several outcomes: 1) Detection; 2) Deterrence; 3) Prevention; and/or 4) Correction.

See NIST SP 800-53 Rev. 4 for a comprehensive set of “controls”. (Link)


Information Security Controls/Safeguards

Administrative Controls/Safeguards

Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls.

Examples:
- Acceptable Use Policy
- Clean Desk Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Data Retention Policy
- Information Classification Management Program
- Mechanical Hard Drive Destruction Procedure
- Vendor Management Program

Information Security Controls/Safeguards

Administrative Controls/Safeguards

Your information security program should consist of a “policy framework.”

The “policy framework” will balance the organization’s objectives and:
- Business requirements;
- Legal requirements; and
- Technical requirements.

• Policy: Documents stating an organization’s official position on an information security issue.
• Standards: Documents defining methods for achieving system- or procedure-specific requirements.
• Procedures: Documents outlining the specific steps of a process.
• Guidelines: Documents outlining voluntary methods or procedures.


Information Security Controls/Safeguards

Physical Controls/Safeguards

Physical controls/safeguards generally refer to physical mechanisms implemented throughout an organization’s premises to provide for the confidentiality, integrity, and availability of information assets. These controls may also be designed to detect, prevent, and/or correct security incidents.

Examples:
- Security guards
- Doors, cabinets, and locks
- Bollards, fences, and barbed wire
- Closed circuit television camera systems
- Motion detection systems
- Fire detection and suppression systems
- Heating, ventilation, and air conditioning systems

Information Security Controls/Safeguards

Technical Controls/Safeguards

Technical controls/safeguards generally refer to the software and/or hardware mechanisms implemented throughout the network in order to enforce the rules and requirements defined in the administrative controls. These controls may also be designed to detect, prevent, and/or correct security incidents.

Examples:
- Firewalls
- VPN Gateway/Client Software
- Multi-Factor Authentication Systems
- File and Whole-Disk Encryption
- Anti-Virus and Malware Scanning Software


Information Security Principles

Information Security Principles: Key Takeaways
1. Defining ‘information security’
2. The core objectives of ‘information security’ are:
   a. Confidentiality
   b. Integrity
   c. Availability
3. Defense-in-Depth Principle
4. Least Privileges Principle
5. Safeguard/Control Categories and Types

Information Types and Classifications

HB 3834 Topic Mapping: Topic 1.1(b). Users should be aware of the types of information (e.g., confidential, private, sensitive, etc.) they are responsible for safeguarding


Information Types and Classifications

Administrative Controls/Safeguards

Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls.

Examples:
- Acceptable Use Policy
- Clean Desk Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Data Retention Policy
- Information Classification Management Program
- Example: Guideline on Safeguarding Sensitive Information
- Example: Digital Media Destruction Procedure
- Vendor Management Program

Information Types and Classifications

Administrative Controls/Safeguards

Your information security program should consist of a “policy framework.”

The “policy framework” will balance the organization’s objectives and:
- Business requirements;
- Legal requirements; and
- Technical requirements.

• Policy: Documents stating an organization’s official position on an information security issue.
• Standards: Documents defining methods for achieving system- or procedure-specific requirements.
• Procedures: Documents outlining the specific steps of a process.
• Guidelines: Documents outlining voluntary methods or procedures.


Information Types and Classifications

[Diagram: classification levels Top Secret, Secret, and Confidential; the higher the classification, the more controls apply and the less access is granted.]

INFORMATION CLASSIFICATION MANAGEMENT PROGRAM EXAMPLE

A formal system for:
1. Classifying information
   a. Primarily based on the potential damage to national security if information is released to an unauthorized party.
2. Safeguarding information
   a. What controls apply?
   b. Who can access and use it?
   c. When can it be accessed?
   d. How can it be used?
   e. Where and how to store it?
3. Declassifying information
   a. When, why, and how.

Information Classification Management Program
National Policy: EO 12958, later replaced by EO 13526 (Link)
Implementing Directive: 32 CFR Part 2001/2004, “Classified National Security Information Directive No. 1” (Link)

Information Types and Classifications

[Image: a confidential conversation and a document marked DOCUMENT CLASSIFICATION: CONFIDENTIAL (C)]

Who can access and use this information?

Where and how can this information be stored?


Information Types and Classifications

Information Types and Classifications: Key Takeaways
1. Safeguarding of information is informed by information classification
2. Information classification informs:
   a. What controls apply?
   b. Who can access and use it?
   c. When can it be accessed?
   d. How can it be used?
   e. Where and how to store it?

Forms and Locations of Information

HB 3834 Topic Mapping: Topic 1.1(c). Users should be aware of the forms and locations of the information they are responsible for safeguarding


Forms and Locations of Information

Information Asset: Physical Form

Physical information assets at “rest”.

Forms and Locations of Information

Information Asset: Oral Form

Audio information assets in “use” and “transit”.


Forms and Locations of Information

Information Asset: Electronic Form

Electronic information assets in “use” and “transit”.

Forms and Locations of Information

[Diagram: Typical IT Infrastructure showing where electronic information lives and moves. Domains: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and Application; public Internet connections over encrypted tunnels, vendor connections, and a web/email DMZ.]


Forms and Locations of Information

Forms and Locations of Information: Key Takeaways
1. Information must be safeguarded regardless of form or location
2. Information forms:
   a. Physical (“hard-copy”);
   b. Oral (audio/spoken word); and
   c. Digital/Electronic.

Safeguarding Against Unauthorized Access

HB 3834 Topic Mapping:
Topic 1.2(a). Users should be aware of how to safeguard against unauthorized access to information, information systems, and secure facilities/locations
Topic 1.2(b). Users should be aware of how to safeguard against unauthorized use of information and information systems


Safeguarding Against Unauthorized Access

[Diagram: Typical IT Infrastructure annotated with Information Security Controls/Safeguards. Domains: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and Application; public Internet connections over encrypted tunnels, vendor connections, and a web/email DMZ.]

Safeguarding Against Unauthorized Access

Administrative Controls/Safeguards

Your information security program should consist of a “policy framework.”

The “policy framework” will balance the organization’s objectives and:
- Business requirements;
- Legal requirements; and
- Technical requirements.

• Policy: Documents stating an organization’s official position on an information security issue.
• Standards: Documents defining methods for achieving system- or procedure-specific requirements.
• Procedures: Documents outlining the specific steps of a process.
• Guidelines: Documents outlining voluntary methods or procedures.


Safeguarding Against Unauthorized Access

Administrative Controls/Safeguards

Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls.

Examples:
- Acceptable Use Policy
- Clean Desk Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Data Retention Policy
- Information Classification Management Program
- Mechanical Hard Drive Destruction Procedure
- Vendor Management Program

Safeguarding Against Unauthorized Access

Physical Controls/Safeguards

Physical controls/safeguards generally refer to physical mechanisms implemented throughout an organization’s premises to provide for the confidentiality, integrity, and availability of information assets. These controls may also be designed to detect, prevent, and/or correct security incidents.

Examples:
- Security guards
- Doors, cabinets, and locks
- Bollards, fences, and barbed wire
- Closed circuit television camera systems
- Motion detection systems
- Fire detection and suppression systems
- Heating, ventilation, and air conditioning systems


Safeguarding Against Unauthorized Access

Technical Controls/Safeguards

Technical controls/safeguards generally refer to the software and/or hardware mechanisms implemented throughout the network in order to enforce the rules and requirements defined in the administrative controls. These controls may also be designed to detect, prevent, and/or correct security incidents.

Examples:
- Firewalls
- VPN Gateway/Client Software
- Multi-Factor Authentication Systems
- File and Whole-Disk Encryption
- Anti-Virus and Malware Scanning Software

Safeguarding Against Unauthorized Access

Safeguarding Against Unauthorized Access: Key Takeaways
1. Access to information must be controlled internally and externally
2. Access is controlled by:
   a. Administrative Controls/Safeguards
   b. Physical Controls/Safeguards
   c. Technical Controls/Safeguards


Secure Storage of Information

HB 3834 Topic Mapping: Topic 1.2(c). Users should be aware of best practices related to securely storing information

Secure Storage of Information

[Diagram: Typical IT Infrastructure annotated with Information Security Controls/Safeguards. Domains: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and Application; public Internet connections over encrypted tunnels, vendor connections, and a web/email DMZ.]


Secure Storage of Information

Information Asset: Physical (“Hard-Copy”) Form

Physical information assets should be stored and locked according to policy.

Secure Storage of Information

Information Asset: Oral Form

Confidential or sensitive conversations should take place in secure areas where unauthorized individuals cannot eavesdrop.


Secure Storage of Information

Information Asset: Electronic Form

- Information stored on authorized and encrypted cloud storage services only
- Information stored on authorized and encrypted mobile media only
- Information stored on authorized and encrypted workstations only
- Information stored on authorized and encrypted mobile devices only

Secure Storage of Information

Secure Storage of Information: Key Takeaways
1. Information must be stored in a secure manner
2. Organization policy should dictate where:
   a. Filing cabinets and/or safes
   b. Authorized and secure cloud storage services (e.g., Microsoft OneDrive)
   c. Authorized and secure removable media (e.g., USB flash drives)
   d. Authorized and secure mobile devices (e.g., cell phones)


Information Sanitization and Media Destruction

HB 3834 Topic Mapping: Topic 1.2(d). Users should be aware of best practices related to securely disposing and sanitizing information and information systems

Information Sanitization and Media Destruction

Administrative Controls/Safeguards

Your information security program should consist of a “policy framework.”

The “policy framework” will balance the organization’s objectives and:
- Business requirements;
- Legal requirements; and
- Technical requirements.

• Policy: Documents stating an organization’s official position on an information security issue.
• Standards: Documents defining methods for achieving system- or procedure-specific requirements.
• Procedures: Documents outlining the specific steps of a process.
• Guidelines: Documents outlining voluntary methods or procedures.


Information Sanitization and Media Destruction

Administrative Controls/Safeguards

Administrative controls/safeguards generally refer to the policies, standards, procedures, and guidelines adopted to provide for the confidentiality, integrity, and availability of information. Administrative controls can be enforced through physical and technical controls.

Examples:
- Acceptable Use Policy
- Clean Desk Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Data Retention Policy
- Information Classification Management Program
- Mechanical Hard Drive Destruction Procedure
- Vendor Management Program

Information Sanitization and Media Destruction

Information Sanitization: Refers to “the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means” (Source: NIST SP 800-88 Rev. 1)

Information Destruction: Refers to actions taken to permanently destroy media in which data/information is stored.

COMMON SANITIZATION & DESTRUCTION METHODS
- Fire
- Zeroization
- Redaction
- Degaussing
- Drilling
- Shredding
- Other

For more information, see NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization (Link)


Information Sanitization and Media Destruction

Information Sanitization and Destruction: Key Takeaways
1. Information must be sanitized or destroyed in accordance with policy
2. Organization policy should dictate when and how information is either:
   a. Sanitized; or
   b. Destroyed.

Information Security Threats, Risks, and Attacks

HB 3834 Topic Mapping:
Topic 2.1(a). Users should be aware of the meaning of ‘threat’ with regards to information security
Topic 2.1(b). Users should be aware of common ‘threat actors’ and their motivations
Topic 2.1(c). Users should be aware of the meaning of ‘risk’ with regards to information security


Information Security Threats, Risks, and Attacks

Definition: [Information Security] Threat

According to NIST, a ‘threat’ is “[a]ny circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.” (Source: NIST SP 800-171 Rev. 1)

Information Security Threats, Risks, and Attacks

Definition: [Information Security] Threats

[Information Security] Threats:
- Human-Based: Threat actors who take actions to compromise the CIA of an organization.
- Nature-Based: Threat actors who take actions to compromise the CIA of an organization.

Impact: Confidentiality, Integrity, and Availability


Information Security Threats, Risks, and Attacks

Definition: Threat Actors

According to NIST, ‘threat actor’ refers to “[a]n individual or group posing a threat.” (Source: NIST SP 800-150)

Information Security Threats, Risks, and Attacks

THREAT ACTORS
- Hacktivists: Conduct attacks in furtherance of political interests.
- Criminals: Conduct attacks in furtherance of financial interests.
- Insiders: Conduct attacks in furtherance of personal interests.
- State Actors: Destruction, disruption, and espionage in furtherance of national interests.

Impact: Confidentiality, Integrity, and Availability


Information Security Threats, Risks, and Attacks

Definition: [Information Security] Risk

According to NIST, a ‘risk’ is “[a] measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.”

Source: NIST SP 800-53 Rev. 4

Information Security Threats, Risks, and Attacks

Definition: [Information Security] Attack

According to NIST, an ‘attack’ is “[a]n attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality.” (Source: NIST SP 800-82 Rev. 2)


Information Security Threats, Risks, and Attacks

[Diagram: Typical IT Infrastructure annotated with COMMON ATTACK VECTORS. Domains: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and Application; public Internet connections over encrypted tunnels, vendor connections, and a web/email DMZ.]

Information Security Threats, Risks, and Attacks

Information Security Threats, Risks, and Attacks: Key Takeaways
1. Threats can be categorized as either:
   a. Nature-based; or
   b. Human-based.
2. Threat actor motivations help us categorize them as either:
   a. Hacktivists;
   b. Insiders (unintentional/intentional);
   c. Criminal;
   d. State-Sponsored;
   e. Opportunists; or
   f. Other.
3. Threat actors target and attack their victims based on their motivations, means, and victim vulnerabilities.


Identifying Common Attacks

HB 3834 Topic Mapping:
Topic 2.1(d). Users should be aware of the meaning of ‘attack’ with regards to information security
Topic 2.2(a). Users should be aware of the meaning of ‘threat’ with regards to information security

Indicators for Common Attacks

Social Engineering Attacks
• Description:
• According to NIST, social engineering refers to “[t]he act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.” Source: NIST SP 800-63-3 Digital Identity Guidelines
• Threat Actor Objective:
• Manipulate a target (i.e., a user) into providing unauthorized access to information or information systems.
• Common Threat Actor Techniques:
1. Phishing (Email): A threat actor may send emails to your organization, purporting to represent a trusted entity, such as a vendor or co-worker. This email will typically request the recipient to either provide information, open an attached document (containing malware), or click an embedded link to an infected website.
2. Smishing (SMS): A threat actor may send text messages to a user, purporting to represent a trusted entity, such as a vendor or co-worker. This text message will request the recipient to either provide confidential information or click a link to an infected website.
3. Vishing (Voice): A threat actor may call your organization, purporting to represent a trusted entity, such as a vendor or co-worker. During this call, the threat actor will ask questions designed to trick the recipient into divulging confidential information.
4. Masquerading (In-Person): A threat actor may arrive at your organization, purporting to represent a trusted entity, such as a vendor or delivery person.

64


Indicators for Common Attacks

Phishing Attack Example

http:notdocusign.com

Trusted sender? Threat actor spoofs a trusted colleague’s email address to deceive the user.

Risk Mitigation: Contact the sender out-of-band (phone or separate email) to confirm.

Threat actor prompts the user to visit a fraudulent site to review a contract.

Risk Mitigation: Hover over the links to reveal their URL. If suspicious: 1) Do not click on the link; and 2) Report the email to your organization’s IT or Information Security Department.

THREAT INDICATOR
1. Threat actor sends user a fraudulent email prompting action
a. Appears to come from a trusted source (spoofed)
b. Prompts user to click a link
2. Threat actor directs user to fraudulent site
1. Prompts user to provide username and password
2. Prompts user to download MS Office document containing malware (macro-based)

65

Indicators for Common Attacks

Phishing Attack Example

http:notdocusign.com

This is not “https:docusign.com”

The user’s email/password are captured for unauthorized reuse by the threat actor.

Risk Mitigation: If you have made it this far and notice the URL is suspicious: 1) Do not provide your username and password; 2) Do not click on any of the links on the page; and 3) Report the email to your organization’s IT or Information Security Department.


66


Indicators for Common Attacks

Phishing Attack Example


http:notdocusign.com

Risk Mitigation: If you have made it this far and have downloaded a file: 1) Do not enable content (macros); and 2) Report the email to your organization’s IT or Information Security Department.

The user downloads the fraudulent contract document for review. This document contains macro-based malware, which will infect his/her computer and network upon activation.

67

Indicators for Common Attacks

Phishing Attack Example

The user clicked “enable content” on the Word document, which infects his/her PC and network with “ransomware”.

Next Up: Ransomware & Indicators of Compromise
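The checks the preceding slides describe (a spoofed or look-alike sender, “hover over the links to reveal their URL”, a macro-based Office attachment) can be automated for mail triage. The following is an added example, not code from the DIR deck: it parses a constructed message modelled on the slide’s scenario and reports each indicator it finds. The sample messages, the TRUSTED_BRANDS table, the MACRO_EXTENSIONS list and the function names are assumptions made for this illustration.

```python
"""Report the phishing indicators from the slides for a constructed email.

Added illustration, not code from the DIR deck. The sample messages, the
trusted-brand table and the macro extension list are assumptions for the demo.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: brand names users expect to see, mapped to the brand's real domain.
TRUSTED_BRANDS = {"docusign": "docusign.com"}
# Assumed: attachment types that can carry macros (content a user must never enable).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".doc", ".xls")

# Constructed sample modelled on the slide: brand name in the display name, a
# link whose text differs from its real target, and a macro-capable attachment.
PHISH_EMAIL = """\
From: "Jane Doe (DocuSign)" <jane.doe@notdocusign.com>
To: user@city.example
Subject: Contract ready for review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Jane sent you a contract to review.</p>
<p><a href="http://notdocusign.com/review/1234">https://docusign.com/review</a></p>
--b1
Content-Type: application/octet-stream; name="Contract.docm"
Content-Disposition: attachment; filename="Contract.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed benign counterpart: real brand domain, HTTPS link whose text matches its target.
CLEAN_EMAIL = """\
From: "DocuSign" <no-reply@docusign.com>
To: user@city.example
Content-Type: text/html; charset="utf-8"

<p><a href="https://docusign.com/review/1234">https://docusign.com/review/1234</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL ('' when the text is not a URL at all)."""
    return (urlsplit(url).hostname or "").lower()


def imitates_brand(host):
    """True when host contains a trusted brand name but is not that brand's domain."""
    return any(brand in host and host != legit and not host.endswith("." + legit)
               for brand, legit in TRUSTED_BRANDS.items())


def phishing_indicators(raw_message):
    """Return a list of findings; an empty list means none of the slide's indicators fired."""
    msg = message_from_string(raw_message)
    findings = []
    # 1. Sender: display name or address claims a brand the address domain does not belong to.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2].lower()
    for brand, legit in TRUSTED_BRANDS.items():
        claimed = brand in display_name.lower() or brand in sender_host
        if claimed and sender_host != legit and not sender_host.endswith("." + legit):
            findings.append(f"sender claims {brand} but address domain is {sender_host}")
    for part in msg.walk():
        # 2. Links: what the text shows versus where the link really goes ("hover to reveal").
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                target, shown = host_of(href), host_of(text)
                if shown and shown != target:
                    findings.append(f"link text shows {shown} but points to {target}")
                if urlsplit(href).scheme == "http":
                    findings.append(f"link to {target} is plain http, not https")
                if imitates_brand(target):
                    findings.append(f"link host {target} imitates a trusted brand")
        # 3. Attachments: file types whose macros the user would be asked to enable.
        filename = part.get_filename()
        if filename and filename.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"attachment {filename} can carry macros")
    return findings
```

Calling `phishing_indicators(PHISH_EMAIL)` returns five findings (brand claimed by a different sender domain, link text and target disagree, plain-http link, look-alike link host, macro-capable attachment) while `phishing_indicators(CLEAN_EMAIL)` returns an empty list. An empty result only means none of the indicators on these slides fired; it is a triage aid, not proof that a message is safe.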

68


Indicators for Common Attacks

Ransomware Attacks
• Description:
• According to the Department of Homeland Security, ransomware refers to “[a] type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.” Source: Department of Homeland Security
• Threat Actor Objective:
• To deny the victim access to computer systems or data until a ransom is paid.
• Common Threat Actor Techniques:
• Phishing (Email): A threat actor may send emails to your organization, purporting to represent a trusted entity, such as a vendor or co-worker. This email will typically request the recipient to either provide information, open an attached document (containing malware), or click an embedded link to an infected website.

69

Indicators for Common Attacks

Ransomware Attack Example

INDICATOR OF COMPROMISE

1. The user is presented with a ransom note addressing:
a. What happened?
b. How do I recover?
c. How do I pay the ransom?
2. Denial of access to system files/resources
a. Files or system are encrypted
b. Recovery of files contingent upon:
1. Ability to decrypt (or pay the ransom); or
2. Recover from backups.

Risk Mitigation: If you have made it this far and have downloaded a file: 1) Do not attempt to pay or decrypt; 2) Immediately report the ransom to your organization’s IT or Information Security Department; and 3) Follow instructions regarding who and how this information can be shared.
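The indicators of compromise listed above (files encrypted, the same ransom note appearing everywhere) also leave a host-side signature that monitoring can alert on before a user ever sees the note. The block below is an added example, not code from the DIR deck: it runs a simple detector over a constructed list of file-system events. The event tuple format, the process names (winword.exe and a hypothetical payload.exe), the NOTE_KEYWORDS list and the thresholds are assumptions for the illustration.

```python
"""Spot the ransomware indicators from the slide in a stream of file events.

Added illustration, not code from the DIR deck. The event format, the process
names and the thresholds are constructed assumptions for the demo.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed: words that commonly appear in ransom-note file names, and note file types.
NOTE_KEYWORDS = ("recover", "decrypt", "readme", "how_to", "ransom")
NOTE_SUFFIXES = (".txt", ".html", ".hta")


def build_sample_events():
    """Constructed file events: (seconds, process, action, path, new_path).

    A user saves a document in Word; then a hypothetical payload.exe renames 25
    files to a new extension within 25 seconds and drops the same note into five
    folders, which is what "files or system are encrypted" looks like on disk.
    """
    docs = r"C:\Users\alice\Documents"
    events = [
        (0, "winword.exe", "create", rf"{docs}\budget.docx", None),
        (5, "winword.exe", "rename", rf"{docs}\~tmp1.tmp", rf"{docs}\budget.docx"),
    ]
    for i in range(25):
        folder = rf"{docs}\folder{i % 5}"
        events.append((10 + i, "payload.exe", "rename",
                       rf"{folder}\file{i}.xlsx", rf"{folder}\file{i}.xlsx.locked"))
    for d in range(5):
        events.append((40 + d, "payload.exe", "create",
                       rf"{docs}\folder{d}\HOW_TO_RECOVER_FILES.txt", None))
    return events


def detect_ransomware(events, window=60, rename_threshold=10, note_dir_threshold=3):
    """Return {process: [reasons]} for processes showing ransomware indicators.

    Indicator A: many files receive a new extension within `window` seconds (mass encryption).
    Indicator B: the same note-like file is written into several directories (ransom note).
    """
    ext_changes = defaultdict(list)   # process -> timestamps of extension changes
    note_dirs = defaultdict(set)      # (process, note name) -> directories it was written to

    for ts, proc, action, path, new_path in events:
        if action == "rename" and new_path:
            if PureWindowsPath(path).suffix.lower() != PureWindowsPath(new_path).suffix.lower():
                ext_changes[proc].append(ts)
        elif action == "create":
            p = PureWindowsPath(path)
            name = p.name.lower()
            if name.endswith(NOTE_SUFFIXES) and any(k in name for k in NOTE_KEYWORDS):
                note_dirs[(proc, name)].add(str(p.parent))

    alerts = defaultdict(list)
    for proc, times in ext_changes.items():
        times.sort()
        peak, start = 0, 0
        for i, t in enumerate(times):            # sliding window over sorted timestamps
            while times[start] < t - window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= rename_threshold:
            alerts[proc].append(f"{peak} extension changes within {window}s")
    for (proc, name), dirs in note_dirs.items():
        if len(dirs) >= note_dir_threshold:
            alerts[proc].append(f"note-like file {name} written to {len(dirs)} directories")
    return dict(alerts)
```

On the constructed events, `detect_ransomware(build_sample_events())` flags only payload.exe, with both indicators; the single temp-file rename from Word stays below the threshold. The thresholds are the tuning knobs: too low and a backup or archiving job trips the extension-change rule, too high and a slow encryptor stays under it, so they are set per environment from observed normal activity.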

70


Identifying Common Attacks

Identifying Common Attacks: Key Takeaways
1. Attacks are an attempt to compromise the “CIA” of information/information resources.
2. Common attacks targeting the end-user include:
a. Social Engineering; and
I. Phishing (Email)
II. Smishing (SMS)
III. Vishing (Voice)
IV. Masquerading (In-Person)
b. Ransomware.
3. End-users need to know:
1. What they are;
2. How they work;
3. How to spot them;
4. How to report and respond to them.

71

Respond/Report on Common Attacks and Suspicious Activity

HB 3834 Topic Mapping
Topic 2.2(a). Users should be aware of how to respond and report on common attacks or suspicious activity (either by best practice or policy)

72


Respond/Report on Common Attacks and Suspicious Activity

General best practices for responding to and reporting on common threats and suspicious activity:
1. If you see something, say something;
a. Suspicious computer or network activity indicating an attempted attack.
b. Suspicious computer or network activity indicating a successful attack.
c. Any suspicious behavior in the workplace.
2. Know who you are required to report suspicious activity to;
a. E.g., Help-Desk, IT, Information Security, or other.
3. Know when you are required to report suspicious activity;
a. Know how soon, as well.
4. Know with whom you can share this information; and
a. Before and after reporting.
5. Know what – if any – additional actions you should take in response.

73

Respond/Report on Common Attacks and Suspicious Activity

State Notification and Reporting Law and Rules

TEXAS ADMINISTRATIVE CODE
Source: Texas Administrative Code
• Security Reporting for State Agencies: Title 1, Part 10, Chapter 202, Subchapter B, Rule § 202.23
• Security Reporting for Institutions of Higher Education: Title 1, Part 10, Chapter 202, Subchapter C, Rule § 202.73

TEXAS GOVERNMENT CODE
Source: Texas Government Code Section 2054.1125

74


Who: The City of Atlanta was the victim of a Ransomware attack conducted by two Iranian hackers, Faramarz Shahi Savandi (35y) and Mohammad Mehdi Shah Mansouri (28y).
- Members of the SamSam Group (non-State affiliated).
- Ransom demand of $51,000 in (~6) Bitcoin.

What: The threat actors infected several mission-critical resources, ultimately affecting many services and programs, such as: utilities, parking, and even court services.

Response/Reporting Lessons Learned:
March 22 (~5am), a City of Atlanta employee discovered the ransom note on an Atlanta Police Department computer. This employee took a picture of the ransom note with a cell phone and leaked the incident to local media, 11Alive.
- 11Alive covered the story, tipping off the threat actors, who then deleted the ransom portal, leaving the City with no option to pay. (link)

Key Takeaway:
- If you discover an incident, immediately report it to your organization’s department responsible for responding to computer security incidents.
- DO NOT share this information with anyone else, unless authorized and directed to do so by your organization.

Respond/Report on Common Attacks and Suspicious Activity

75

Respond/Report on Common Attacks and Suspicious Activity

Texas Department of Information Resources

In Texas, if you are impacted by an incident, DIR provides the following resources:
1. Bulk Purchasing
2. Network Products and Related Services Contracts
3. Managed Services End-User IT
4. Information Technology Security (ITS) Products and Services

For more information about these resources, please visit: Link

More information on State Security Resources below.

76


Respond/Report on Common Attacks and Suspicious Activity

Respond/Report on Common Attacks and Suspicious Activity: Key Takeaways
1. Attacks are an attempt to compromise the “CIA” of information/information resources.
2. End-users need to know what to do when they identify an attack or suspicious activity:
a. Who to report it to;
b. How to report it;
c. When to report it;
d. What to do after it has been reported; and
e. Who else they can share the information with.

77

State Security Resources

How DIR Can Partner With You to Keep Your Systems and Citizens Secure

78


STATE INFORMATION SECURITY RESOURCES
DIR AWARENESS, EDUCATION AND TRAINING SERVICES

SECURITY TRAINING
• Information Security Forum
• Monthly Gartner Webinars
Link

INFORMATION SHARING
• Security List
• Texas Cybersecurity Weekly
• Monthly Information Security Meetings
• MS-ISAC Notifications
Link

State Security Resources

79

INFORMATION SECURITY PLANNING
Alignment with the Texas Cybersecurity Framework
• 5 functional areas
• 40 security objectives
• Comprehensive information security planning
Link

Managed Security Services (MSS)

Security Monitoring and Device Management
• Host Based IDS/IPS
• Network Based IDS/IPS
• Managed Firewall
• Managed Web App Firewall
• Malware Detection System
• Security Information and Event Management (SIEM)
• Threat Research
• Security Operations Center Services
• Managed Endpoint Security

Incident Response
• Incident Response Preparedness
• Digital Forensics
• Security Incident Management

Risk and Compliance
• Penetration Test
• Web and Mobile Application Test
• Vulnerability Scanning
• Web App Vulnerability Scanning
• Risk Assessment
• Cloud Compliance Assessment

State Security Resources (MSS)

80


Security Monitoring and Device Management Services (MSS)

Remote Management and Operations: San Antonio, Texas; Tampa, Florida; Dallas, Texas; San Jose, California

Security Operations Center Services (Onsite Management): DIR NSOC, Austin, Texas; Where Needed, Texas

Available Only in Legacy Data Centers:

• Endpoint Management Services

• Intrusion Detection/Prevention System Services

• Managed Firewall Services

• Malware Detection Systems

• Security Operations Center (SOC) Services

• Host-based Intrusion Prevention Systems*

Available for ALL Systems and Locations:

• Web Application Firewall Services

• Threat Research

Available for Non-DCS managed systems:

• Host-based Intrusion Prevention Services

• Security Information and Event Management (SIEM)

State Security Resources (Security Monitoring and Device Management)

81

Incident Response Services (MSS)

Incident Response Preparedness
Provides a critical review of current internal processes and procedures for handling events, incidents, and evidence. Includes:
• Detective control configurations
• Deployed preventative and detective solution sets throughout the environment
• Current incident response plans
• Incident responder and handler skillset evaluations
• Incident responder and handler training evaluations
• Evidence seizure and storage procedure analysis
• Electronic data recovery
• Litigation support

Digital Forensics
• “On Demand” service
• Use of EnCase and/or Carbon Black for analysis of hard drive images

Incident Response Management
• No retainer for this service
• Address adverse events, issues, or occurrences that may occur in your environment
• Includes detection, triage, response activities, and containment of computer security events

State Security Resources (Incident Response Services)

82

Incident Response Redbook: A Template to help Build a Plan
https://pubext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Incident%20Response%20Template%202019.pdf


State Security Resources (Interlocal Contract)

• Interlocal Contract (ILC)
https://dirsharedservices.service-now.com/dir

83

Risk & Compliance Services (MSS)

• Penetration Testing

• Vulnerability Scanning

• Web Application Scanning

• Web and Mobile Application Penetration Testing

• Risk Assessments

• Cloud Compliance

State Security Resources (Risk & Compliance Services)

84


TAKEAWAYS
1. Information security is interdisciplinary, consisting of risk management, technology, and compliance.
2. Consider adopting a recognized framework, such as the NIST/TX CSF, to plan, design, implement, and maintain your enterprise information security program.
3. Identify your information assets, assess the risks of each, and implement controls to achieve an “acceptable level of risk”.
a. Know what you have;
b. Know your risks;
c. Prepare to defend;
d. Prepare to respond; and
e. Prepare to recover.
4. Use a “risk-based” approach to ensure you provide for the confidentiality, integrity, and availability of your information assets.
5. Do not go it alone – consider leveraging the state-level resources provided by the DIR.

State Security Resources

85

Federal Resources

NIST COMPUTER SECURITY RESOURCE CENTER

NIST Cybersecurity Framework (Link)

NIST Special Publications (Link)

NIST NICE Cybersecurity Workforce Framework (Link)

NIST SP 800-12 Rev. 1, An Introduction to Information Security (Link)

NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments (Link)

NIST SP 800-50, Building an Information Security Awareness and Training Program (Link)

NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide (Link)

NIST Glossary of Key Information Security Terms (Link)

86


Contact Information

For more information about DIR’s cybersecurity services: [email protected]

For more information about HB 3834: [email protected]

Helpful Resources and Templates
https://dir.texas.gov/View-About-DIR/Information-Security/Pages/Content.aspx?id=139

87