Update on Inspectors General Information Technology Security Working Group

Agenda
I. Organization
II. CSIRT Procedures
III. Fusion Center – Protocols
IV. IT Security Issues

Phishing
• Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
• Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public.
• Phishing emails may contain links to websites that are infected with malware.
• Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

South Carolina Dept. of Revenue
• August/September 2012
  – A DOR employee opens a phishing e-mail with an attachment containing malware
  – The hacker obtains the employee's credentials and spends several weeks patiently and methodically scouring the system from a remote location, gaining additional credentials and eventually downloading 74.7 gigabytes of data to the Internet

October 10, 2012 was a bad day
• The federal Secret Service notified the state of the suspected breach
• The breach was undetected by the agency
• For the next 15 days there was a quiet pursuit of the case by state and federal investigators

October 26, 2012 was worse
• Governor Nikki Haley held a press conference to tell the public
  https://www.youtube.com/watch?v=Lv4cCoUJG8E

South Carolina DOR Issues
• Data not encrypted
• No multi-password system
• Laptops and desktops not encrypted
• No use of the free state network monitoring system
• Division of Information Technology recommended security procedures, but state agencies were not required to follow the procedures

Fixing the problems
• Credit monitoring - $12 million in 1st year
• Password system - $12,000
• 4 months later:
  – “state response to hacking is incomplete and uncertain”
  – IG report: “statewide cybersecurity is inadequate”

South Carolina – Good News
• December 18, 2013 – an employee from the Department of Employment and Workforce downloaded information on 4,658 current and former employees to a personal device
• December 19, 2013 – law enforcement notified the agency that security software had detected the violation

The IT Security Working Group (Organization)
• Co-Chair Mike Blackburn, IG Dept. of Education
• Co-Chair Al Dennis, IG Dept. of Law Enforcement
• Co-Chair Walter Sachs, IG Dept. of Management Services
• Melinda Miguel, Chief Inspector General
• Kim Mills, CIG Director of Audit (now Marvin Doyal)
• Rodney MacKinnon, IG Office of Early Learning
• Sharon Doredant, IG Dept. of Revenue
• David Merck, IT Auditor Dept. of Children and Families

The IT Security Working Group (expanded)
• Mike Blackburn, IG (DOE)
• Al Dennis, IG (FDLE)
• Walter Sachs, IG (DMS)
• Melinda Miguel, CIG
• Marvin Doyal, CIG, Audit Dir.
• Rodney MacKinnon, IG (OEL)
• Sharon Doredant, IG (DOR)
• David Merck, IT Auditor (DCF)
• Julie Leftheris, IG (DHSMV)
• Margaret Foltz, ISM (SSRC)
• Bonny Allen, ISM (NSRC)
• Joe Maleszewski, IG (BOG)
• Mike Phillips, Fusion Center (FDLE)
• Mark Perez, Fusion Center (FDLE)
• Jason Allison (EOG)
• Kevin Smith, IT (DEM)

The IT Security Working Group (Scope and Activities)
• IG IT Security Working Group established in June 2013 to evaluate issues crossing agencies
• Appointed informally by the CIG to include: DMS IG (co-chair), DOE IG (co-chair), FDLE IG (co-chair), DOR IG, HSMV IG, Chief Inspector General, CIG Director of Audit
• Evaluating the existence and potential standardization of CSIRT Protocols in the agencies
• Briefing from the Fusion Center (w/ CIOs and ISMs) and toured the Fusion Center in June 2013
• Holding periodic meetings
• CIG facilitated the appointment of the MS-ISAC designee
• CIG oversaw the movement of inventory housed with what was formerly AEIT to FDLE/EOG
• Evaluating the need for Data Sharing Agreements
• Evaluating the need for Secret Security Clearance to receive classified reports from FDLE

Computer Security Incident Response Team Procedures
71A-1.014 Incident Response.
(1) Each agency shall establish a Computer Security Incident Response Team (CSIRT) to respond to suspected computer security incidents by identifying and controlling the incidents, notifying designated CSIRT responders, and reporting findings to agency management.
(2) The CSIRT membership shall include at a minimum the Information Security Manager, the Chief Information Officer, and a member from the Inspector General’s Office.
(3) The CSIRT shall develop, document, and implement the agency computer security incident reporting process.
(4) The CSIRT shall develop, document, and implement the agency computer security incident response process.
(5) The agency computer security incident response process will include notification procedures to be followed for incidents where investigation determines non-encrypted personal information was, or is reasonably believed to have been, accessed by an unauthorized person, as required by Section 817.5681, F.S.
(6) The CSIRT under the direction of the Chief Information Officer or Information Security Manager shall determine the appropriate response required for each suspected computer security incident.
(7) The agency shall notify the Office of Information Security of computer security incidents including suspected or confirmed breaches within 24 hours of discovery.
(8) Each suspected computer security incident, including findings and corrective actions, shall be documented and maintained as specified in the agency computer security incident procedures.
(9) The CSIRT shall convene at least once a quarter.
(10) The CSIRT shall provide regular reports to the agency Chief Information Officer.
(11) Suspected computer security incidents shall be reported according to agency reporting procedures.
(12) Agency workers shall report loss of mobile devices immediately according to agency reporting procedures.
(13) Agency workers shall immediately report lost security tokens, smart cards, identification badges, or other devices used for identification and authentication purposes according to agency reporting procedures.

Computer Security Incident Response Team Procedures (continued)
• Agencies used Carnegie-Mellon templates from 2003 training
• Issues:
  – IG not a core team member
  – ISM has a dual role as the CIO or reports to the CIO
  – Categorization and escalation protocols are similar, but not uniform

FDLE Fusion Center - Protocols
October Meeting with Information Security Managers
• FDLE Fusion Center Update
• Agency Intelligence Liaison Officers
• IG IT Working Group Update
• House/Senate Committee Meetings
• Incident Reporting
• Administrative Breach Protocols
• CSIRT Policy Review
• Information Security Plans
• Information Sharing (Obstacles and Opportunities)
• Security Clearances
• MOU

FDLE Fusion Center - Protocols (Incident Classes)

Class 1 Incident: Informational Incident
This level of incident has a low impact to the agency’s or data center’s information technology resources and is contained within the agency or data center. The following criteria define Class 1 incidents:
1. Data classification: Unauthorized disclosure of information has not occurred.
2. Legal issues: Lost or stolen hardware that has low monetary value and may be considered standard business equipment.
3. Business impact: Incident does not involve any mission services.
4. Expanse of service disruption: Incident is localized.
5. Threat potential: There is no threat to other information technology resources.
6. Public interest: Slight potential for public interest.
7. Policy infraction: Security policy violations determined by the agency.

Class 2 Incident: Warning Incident
This level of incident has impacted the agency’s or data center’s information technology resources and is contained within the agency or data center. The following criteria define Class 2 incidents:
1. Data classification: Unauthorized disclosure of information has not been determined.
2. Legal issues: Lost or stolen hardware with low monetary value that is part of mission critical systems.
3. Business impact: Incident involves mission services.
4. Expanse of service disruption: Incident affects several business units within the agency.
5. Threat potential: Threat to other information technology resources is possible.
6. Public interest: There is the potential for public interest.
7. Policy infraction: Security policy violations determined by the agency.

Class 3 Incident: Critical Incident
This level of incident has impacted the agency critical mission and has the potential to result in high public interest. The following criteria define Class 3 incidents:
1. Data classification: Unauthorized disclosure of information has occurred.
2. Legal issues: Lost or stolen hardware with high monetary value.
3. Business impact: Incident involves mission critical services.
4. Expanse of service disruption: Disruption is widespread across the agency.
5. Threat potential: Incident has spread to other systems within the agency.
6. Public interest: There is likely public interest in the incident.
7. Policy infraction: Security policy violations determined by the agency.

Class 4 Incident: Emergency Incident
This level of incident has impacted or has the potential to impact other state information technology resources or become an event of public interest. The following criteria define Class 4 incidents:
1. Data classification: Unauthorized disclosure of confidential information has occurred.
2. Legal issues: Lost or stolen hardware with high monetary value that is part of mission critical systems; incident investigation transferred to law enforcement.
3. Business impact: Threat to other agency information technology resources is high.
4. Expanse of service disruption: Disruption has spread to other agencies.
5. Threat potential: Incident has spread to third-party information technology resources.
6. Public interest: There is high public interest in the incident.
7. Policy infraction: Security policy violations determined by the agency.

A few minutes with Senator Ring
http://www.flsenate.gov/media/videoplayer?EventID=2443575804_2014021049

IT Security Issues
• Focus on broader policy, which will allow the rule(s) to focus more on specifics.
• Continue requiring agency “strategic” and “operational” IT Security Plans. Strategic plans should cover a 3-year period.
• Continue the “bottom up” approach with the Statewide Strategic Plan; ensure sufficient guidance (and possibly templates) is provided to assist agencies in the completion of their strategic plans.
• Clearly define/describe the difference between: (a) risk analysis, (b) gap analysis, and (c) internal audits.
• Define “event” and/or “incident”, require all events/incidents to be reported to FDLE and AEIT/potential successor agency, and define the time frame for reporting such events/incidents.
• Agency ISM should conduct an internal agency audit; peer review of the audit performed by other agency ISMs.
• Requirement to include appropriate security specs in solicitations/contracts.
• Retain IT security rules.

Questions/Comments?
Walter Sachs
Inspector General
Department of Management Services
(850) 413-8740
[email protected]