WIXLIB

public CIO Special reportpublic CIO Special reportDefenseMechanisms:FortifyingYour SystemsAs noted previously, the threats facedconsider your own attack surface, you first needby government are changing allto consider the building blocks of the securitythe time. A prudent governmentstack, and how you are protecting them.security practitioner needs to constantly ask:One powerful methodology forHow do my current defense tactics stack up?understanding your attack surface is theCan I defend against attacks from a hostileVERIS methodology, which stands fornation state trying to probe my systems?“Vocabulary for Event Recording andAgainst a for-profit criminal enterprise? AgainstIncident Sharing.” Available online ata script kiddie with off-the-shelf hackware?www.veriscommunity.net, the VERIS communityis an open framework that aims to provide aUnderstanding Your “Attack Surface”The array of potential defensive tacticsimpact assessment and threat classification.While VERIS was originally developed bycan choose the right tactics, key leadersthe private sector, it has now been releasedneed to assess the threats and responseas an open community to allow betteroptions in a methodical way. One way to docollaboration with governments and otherIn software development, a particularprogram’s attack surface can be defined asthe parts of the system that could conceivablybe “touched” by unauthorized users, evenbefore a breach would happen. In a physicalsecurity context, this would be the outsideof the building — the doors, windows andUnderstanding the“edge” of the systembeing protected isthe beginning ofprotecting againstunauthorized entry.A New Approach toDocument SecurityTo encrypt or not to encrypt? Thatsensitive portions of the document to beredacted. User roles can be defined that allowdifferent levels of access. Add-on softwarequestion has bedeviled security practitionersallows portions of a document to be encryptedand users alike. Encrypting an entire hardwithin the native file format. This approachdrive helps when a device is lost, but it isn’tis promising — it allows data to be securedmuch use when a document is emailed fromwhile following the organization’s normalthat hard drive — in plain text — or copieddocument workflows and processes.onto a non-encrypted portable flash drive.exterior walls. Understanding the “edge” ofLikewise, several companies are invest-the system being protected is the beginningindustry players. VERIS “is designed to provideAlternatively, full-document encryption can helping in intelligent agents that can scan a networkof protecting against unauthorized entry.a common language for describing securityprotect data while it’s in transit, but it hides thewithin an organization, and quickly identify dataincidents in a structured and repeatablesensitive information along with all of the otherthat could be sensitive, such as Social Securi-the greater the risk. This essential concept isn’tmanner.” It is increasingly being adopted bycontent that doesn’t need to be encrypted.ty numbers or patient addresses. The approachjust for software developers. In reality, it cangovernments to map out their attack surfacebe extended to all parts of the enterprise. Toand identify gaps in their current defenses.The greater the size of the attack surface,[6]To consider your own attacksurface, you first need toconsider the building blocksof the security stack, andhow you are protectingthem. All of the layers in thisgraphic are critical to anorganization’s infrastructure,and all are vulnerable toattacks. How does yoursecurity foundation stack up?comprehensive approach to incident tracking,can be bewildering. Before any organizationthat is to understand your “attack surface.”How Solid isYour SecurityFoundation?12New approaches are surfacing to makedata self-protecting — allowing only thecould end up making it easier to protect information, regardless of where the data lands. []PUBLIC CIO SPECIAL REPORT 7

public CIO Special reportpublic CIO Special reportThe Successful CISO’s ToolboxFamiliarize yourself with these tools and solutions. They will help you protectand fend off looming cybersecurity threats to your organization’s vital assets.Physical theftcountermeasuresApplicationsecuritytestingHot Topics:New TrendsImpactingSecurityIncidentmanagementand rapidresponseData losspreventionNetworkpenetrationtestingThe Mobile Threat VectorEncryptionsecurity concerns when it came to BYOD in theirIt’s no secret that government agenciesorganizations. These organizations pointed to aand their employees are increasingly shiftingnumber of important issues, including malwareto mobile platforms to get their work done. Ininfection (45%), unauthorized access (45%), dataa recent survey, CDG had government leadersleakage (36%), theft or loss of data (34%), and theidentify their top reasons for going mobile.separation of personal and business data (21%).14Overwhelmingly, respondents to the surveycited the need for increased productivity as thereason they were moving their applications andservices to a mobile platform. This meant mobilityIntrusiondetection andpreventionRootkit/botnetpreventionfor government employees themselves — butalso tapping into the increased mobility of theconstituents that are served. One governmentagency CDG contacted — who asked to remainanonymous — noted that more than 40 percent ofthe traffic to its health and human services agency’sBy the year 2022.the average household with twoteenage children will own roughly50 Internet-connected devices,up from approximately 10 today.online services was coming from mobile devices.Many of the underprivileged and at-risk populationsserved didn’t have a traditional PC at home, butBackup andrecoverysecurityEndpointprotectionthey did have access to a smartphone with InternetPCI andpaymentsecurityaccess.13 Thus the mobile platform was not only away to reach the avant-garde techies out there, butactually those on the margins of society as well.For better or for worse, mobility has becomesomewhat synonymous with the notion ofBYOD, or bring your own device. Forty-onepercent of organizations surveyed by CDG had[8]Source: Organization for Economic Co-operation and Development[]PUBLIC CIO SPECIAL REPORT 9

public CIO Special reportpublic CIO Special reportMotivations for Going MobileCDG surveyed government leaders about what entices themto go mobile. Overwhelmingly, productivity rules the day.64%12%Increase inProductivitySpendingLess edDisasterRecoveryThe New Threats to CriticalPhysical Infrastructureunfortunately.” Kagel doesn’t see cybersecurity asan isolated threat, or something that only affectsThe recent Hollywood movie Tron: Legacythe computers themselves. As communitiesfictionalized a concern that has arisen in theincreasingly rely on computers, cybersecuritypopular consciousness of late. In the 1980sbecomes related to everything else.and 1990s, computer experts were primarilyIn order to comprehensively manage cyberworried about the havoc that could be wreakedthreats and the fallout from cyber incidents,inside computer systems. They were worriedKagel approaches cybersecurity from severalabout hackers stealing data, compromisingdifferent angles. His department is in closesystems and commandeering electroniccommunication with the county’s IT department,resources. As the drama of Tron: Legacy callsand passes along intelligence bulletins from theto mind, the growing concern of the 2000s isDepartment of Homeland Security and the FBI onexplains how society has moved towards aabout what happens when computer-basedemerging threats. In the event of a cyber event, hiscomplete reliance on technology, to the pointproblems make the jump into the real world.15department provides necessary assistance to thethat when a computer system goes down,computing department’s incident response team.employees go home because they cannot beProtection Strategies from Chester CountyAnd when Kagel thinks about criticalRobert J. Kagel, the deputy director forRobert J. Kagel, Deputy Director for EmergencyManagement, Chester County, Pennsylvaniaproductive without access to email. To addressIncreasingly,governmentmobility infrastructure, he thinks big. Eighty percent ofthis issue, Kagel suggests that companiesemergency management for Chester County, Pa.,the country’s critical infrastructure is ownedand government agencies take a hard look atdescribes the county as a vibrant and populousand operated by the private sector, but Kageltheir processes. They need to put proceduresBYODcenter of industry. It is the highest-income countybelieves that this percentage is even higher inin place for dealing with system failures inorder to ensure business continuity.in Pennsylvania and the 24 highest in the nation,southeast Pennsylvania. “The water systems, thewith a population of just over half a million. Thewastewater system, the electricity, the gas — allBut there continues to be challengeshampering BYOD adoption:county produces 90 percent of the health careof those infrastructure elements are owned andsecurity on the cyber front. Chester County,industry’s imaging systems and 47 percent of theoperated by the private sector.” As such, Kagel’sand every county in the country, will always becountry’s mushroom product. As Kagel puts it,department has a close relationship with privatevulnerable to cyber attacks. Kagel explains, “The25%“You’ve got about a 50 percent chance of havingcompanies to ensure their continued operation.reality is we’ll never be able to eliminate the threat,Policy Creation/Holdupsth20%Security Risks(Viruses/Malware)14%Diversity ofDevices andPlatforms16%Lack ofSecurityProtocols14%IT StaffingNeeded toSupport BYODSource: Center for Digital Government, 2013Unfortunately, there can never be completea mushroom that was grown in Chester County.”Cyber attacks on the private sector canLike many other government officials, Kagel has ahave devastating consequences for the county’sTo do this, Kagel focuses on the existing challengesgreater than 50 percent chance of being targetedinfrastructure and its citizens. “The reality is thatand problems within the county’s cybersecurityby electronic hackers with malicious intent.if the electricity goes out because of an attackstrategies and works to find effective solutions.16As the head of the county’s emergency[10]“The reality iswe’ll never be ableto eliminate thethreat, but it’s moreimportant to be ableto mitigate it.”but it’s more important to be able to mitigate it.”on a supervisory control and data acquisitionCritical Protection in Michiganmanagement division within the Department of(SCADA) system . there’s real impact to theServices, Kagel is charged with protecting theeconomy and tax base here in Chester County,”county from a range of potential threats. Hissays Kagel. In such cases, Kagel and his teamMichigan’s first chief security officer (CSO) anddepartment provides 911 services, hazardousmust then shift their focus from managingdeputy director for cybersecurity and infrastructurematerial disposal, disaster response and fire rescuecyber threats to dealing with the immediateprotection. Now he is leading the development andtraining. Rather than dismissing cybersecurity as aconsequences of the attack. “We’re having toexecution of a comprehensive security strategy forremote, technological concern, Kagel recognizesensure that public safety continues and that thethe state’s resources and infrastructure. In his timeit as a necessary component of protectingpublic has access to basic needs,” Kagel says.as CSO, Lohrmann has successfully revamped thehis organization and the people it serves.In this vein, Kagel identifies severalIn October 2011, Daniel J. Lohrmann becamestate’s cybersecurity awareness training, developed“We’re responsible for anything that couldcybersecurity issues that should receive morean advanced training facility for cybersecuritypotentially affect the county,” he says, “and oneattention and resources. One such issue is theprofessionals and started initiatives for providingof them happens to be a cybersecurity threat,threat posed by the loss of technology. Kagelsecurity protection to the private sector.[ ]PUBLIC CIO SPECIAL REPORT 11

public CIO Special reportpublic CIO Special reportLohrmann and his team have also madeis regulating which personnel receivethe private sector. In February 2013, Presidentadministrative access. Kagel describes howObama released an executive order calledthose in positions of authority will often grant“Improving Critical Infrastructure Cybersecurity.”access to certain individuals without goingThe president emphasized that cybersecuritythrough the proper channels. “[They think,]is not just about identity theft, Social Security‘Oh, I’ll go give this person administrative rightsnumbers and credit card numbers. It is alsoto the system because I don’t want to have toabout maintaining the grid in critical sectors,deal with it, and they know what they’re doing,’”including water and transportation. In responsesays Kagel. Unfortunately, this lax approachto this order, Lohrmann is working to maketo administrative access causes holes in theMichigan an example of how the governmentsystem. Unauthorized individuals are given freecan work with the private sector to providerein to download programs, install featuresthe necessary cybersecurity protection.and make changes to the computer settings.Like Robert Kagel in Chester County,Lohrmann is developing a Cyber DisruptionThis broadens the threat environment andexposes the organization to vulnerabilities.Response Plan. Still in the developmentAnother challenge in cybersecurity is find-stages, this initiative seeks to establish aing the necessary funding for expenses. Kagelcommunication strategy and best practicesexplains how “leadership wants a safe, reliablefor the necessary actions following a majorcomputer environment, but they don’t want tocyber incident. The government respondsmake any investment necessary to achieve thosequickly and efficiently to natural disasters, andresults.” Those in leadership positions often priori-Lohrmann believes the same preparationstize easy access to information over cybersecurity.should be in place for cyber attacks. As such,It is only after a cyber incident that executives real-the initiative seeks to provide early warningsize the importance of a safe and secure network.and rapid information dissemination for theprivate sector during a cyber crisis. “TheseTo this end, Kagel is working at the federalare the same type of plans that already existlevel with the Department of Homeland Securityto try to get the emergency response communityfor fires, floods and tornadoes,” Lohrmannto adopt PIV-I.PIV-I, which stands for Personal Identifica-In 2012.the number ofattacks on criticalinfrastructure grewby 52%, according toa U.S. Department ofHomeland Security(DHS) cybersecurityresponse team.DHS has identified7,200 key industrialcontrol systems thatappear to be directlylinked to the Internetand vulnerable to attack.Source: U.S. Department of Homeland Security“All of these things we can do with a single iden-together to lower the cost, so that the technologytity, using this technology,” Kagel explains,can become accessible to everyone.“and overall, help reduce those costs.”Strides have been made with PIV-I on a policyKagel has already put several of thesesolutions into practice within his organization. Hislevel. The Office of Management and Budgetdepartment has credentialed all of its emergencytion Verification Interoperable, is a certificate-based(OMB) issued a memo in 2011, stipulating that anyresponders using the PIV-I standard. This meansmechanism that provides federal-approved stan-computer systems implemented from that pointthat emergency responders can arrive at andards for identity proofing. It is able to prove theforward need to be able to support the capability toemergency scene and immediately authenticateidentity of the individual presenting the credential,authenticate using PIV-I.18 But Kagel still anticipateswho they are and what they can do. It also providesand ineffective identity and access management.and allows the user to be authenticated into theseveral barriers to widespread adoption.them access to different online county services,In today’s technologically complex world, it cansystem. It then provides the right access level basedoften be difficult to ascertain a person’s identity,on the attributes assigned to the individual’s identity.says. “Now you can add cyber to the list.”17PIV-I and the Proliferationof User IdentitiesAnother potential threat is that posed by weakand individuals can easily maintain several different[12]One of the challenges within this areagreat strides in developing security protection forKagel says that strong identity and authen-The main challenge lies in engaging thevendor community in the adoption process.which allows for secure information sharing.Another ongoing initiative in Kagel’s depart-Currently, the cost of adopting PIV-I is prohibitive.ment is the development and implementation of aidentities. As an example, Kagel describes howtication capabilities are critical to cybersecurity,“If you talk to the vendors, the vendors say,hazard mitigation plan. As required by the federalhe has a computer that is not connected to any ofespecially at the state and local level. Adopt-‘Well, it’s the government’s fault,’ and if yougovernment, the purpose of this plan is to reduce thehis organization’s systems. This leads to potentialing PIV-I would benefit many governmentaltalk to the government, they say, ‘Well, it’s theimpact of future disasters. While the original mitiga-holes in the system, because it is impossible tosystems, including welfare, food stamps, fish-vendor’s fault,’” says Kagel, who says that thetion plan only addressed naturally occurring disas-determine, “Well, am I really who I say I am?”ing licenses and the regulation of online access.government and the vendors need to workters, the new one will encompass cyber incidents. [ ]PUBLIC CIO SPECIAL REPORT 13

public CIO Special reportDennis Burnettpublic CIO Special reportBehind the Scenes:Effective strategiesfrom the fieldBuilding Cyber City, USAOne could be forgiven for thinking thatof Texas at San Antonio’s Center for Infrastructure Assurance and Security and regularly hostedthe mighty Department of Defense, with itsin San Antonio.” The command also works closelyformidable resources in the Washington, D.C.,with private sector companies as well to stay inno-area wouldn’t be interested in partnering.vative. “The Air Force has entered into Collabora-But even the U.S. military is looking to sharetive Research and Development Agreements withresources with universities, private firms, highseveral industry partners to find mutual benefit inschools and communities around the nation.sharing problem sets and solutions,” he says.“Partnering is an absolute necessity in the“The most important aspect of the nation’sdevelopment of tomorrow’s cyber warriors,” saysdefense in this domain, both now and in theGeneral McLaughlin. “The 24th Air Force has thefuture, is the development of a world-classadvantage of being located in San Antonio, a.k.a.cyber workforce,” says McLaughlin. “We areCyber City USA, which has fostered an amazingcommitted to encouraging interest and inspiringpartnership of government organizations, industrycreativity in this domain through the mentorshipleaders and cutting-edge academic institutionsof the next generation of cyber leaders.”that are working together to make our nationsafer.” Indeed, the 24th Air Force worked closelywith city leaders and the Air Force Association in[14]Partnering for DollarsDan Loh

Defense Mechanisms New Trends Impacting Security Equipping Personnel with Cyber Awareness 2.0 Cyber- seCurity A ReseARch RepoRt fRom the center for digital government Maj. Gen. J. Kevin McLaughlin is the commander of the 24th Air Force, one of two component numbered air forces under Air Force Space Command, and Air Forces Cyber (AFCYBER),