Cyber-Security among American Local Governments
Donald F. Norris, Anupam Joshi and Timothy Finin, University of Maryland, Baltimore County, Baltimore, Maryland.

Prepared for: UMBC Public Policy Forum, Baltimore, Maryland, April 15, 2016

Why is it important?
- Number of governments
- Spending on IT
- Number of attacks
- Effect of attacks
- Cost to the economy

- Locus of attacks
- Attack vectors: web sites, social engineering

No CS or SS literature on local government cybersecurity.

Method: focus group of CIOs and CISOs from
- State of Maryland
- Baltimore City
- Baltimore County
- Howard County
- Montgomery County
- Prince George's County

Findings cannot be generalized, but they can be used to direct further research.

- Attack: an attempt by any party to gain unauthorized access to any component of an information technology system for the purpose of causing mischief or doing harm.
- Incident: any event that compromises the confidentiality, integrity or availability of an information asset (Verizon).
- Breach: an incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party (Verizon).

Attacks: 24/7/365, thousands per day; some will inevitably be successful.

End user is the problem
"Our biggest struggle now is ... the human being, our weakest link."
"Running a [phishing] campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice and that probability goes up to 80%, and sending 10 phishing e-mails approaches the point where most attackers would be able to slap a 'guaranteed' sticker on getting a click." (Verizon, 2013 DBIR)
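The three figures in the quote follow from the usual independent-recipients model; this worked equation is added here and is not part of the original slides. The per-message click rate $p$ is an assumption (the slide does not state it), chosen because it reproduces the quoted 50% for three messages.

If each recipient clicks independently with probability $p$, the chance that a campaign of $n$ messages produces at least one click is

$$P(n) = 1 - (1 - p)^n .$$

With the assumed $p \approx 0.21$:

$$P(3) = 1 - 0.79^3 \approx 1 - 0.49 = 0.51 \quad (\text{"better than 50\%"})$$
$$P(6) = 1 - 0.79^6 \approx 1 - 0.24 = 0.76 \quad (\text{two campaigns of three, i.e. "run that campaign twice"})$$
$$P(10) = 1 - 0.79^{10} \approx 1 - 0.09 = 0.91 \quad (\text{"approaches guaranteed"})$$

The defender's reading is that $n$ is the attacker's to choose, so the only terms an organization controls are $p$ (user training, mail filtering) and what happens after the first click (detection, containment). This is the quantitative form of the slides' point that the human side, not the technology, is the vulnerable one.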

Insufficient funding and staff
"IT is ... less than two percent of the overall budget. Less than two percent. Yet 100 percent of the people in [the county] are using IT. So, you know, you're right, you know, we don't have the resources, we don't have the manpower. [We] ... try and use our money the best way we can and ... you're right, sometimes things can be solved with money."

Governance and federation (executive, legislative and judicial branches, and divisions within the executive)
"I've got responsibility over all three branches of government. However, I can't legally enforce policy, due to the pesky constitution, over the legislative and judicial branches. But I am responsible for their security."

Insufficient or under-enforced cybersecurity policies
"There has to be someone in charge [and] ... there has to be policy ... the rules of the road. Not all state and local governments or units within them have appropriate cybersecurity policies, and not all implement the policies that they have well."

Actions to improve cybersecurity:
- Technical
- Managerial and policy
- Governance

Technical
- Cybersecurity tools and practices
- Vulnerability assessment
- Two-factor authentication and authorization
- Continually scan and test

Managerial and policy
- Assess vulnerabilities
- User training and control
- Control over external devices
- Create a culture for cybersecurity
- Cybersecurity insurance

Governance
- Overcome the federation problem
- Ensure that all departments and units, and their staff, comply with policy

Conclusions
- Attacks are constant; some will succeed
- Technology is under control
- Human side is vulnerable
- Managerial and policy need attention

Future research
- Types of cyberattacks
- Vulnerabilities
- Current CS policies and practices v. "best policies and practices"
- Addressing the gaps
- Addressing the human element

Cyber-Security at the Grassroots: American State and Local Governments and the Management of Website Security
THANK YOU!