Presenters: Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor; Travis Schack, Colorado's Information Security Officer; Chris Ingram, Director, Emagined Security; Scott Johnson, Senior Consultant, Emagined Security; Mike Weber, Labs Director, Coalfire Systems

Presentation transcript:

Presenters
- Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor
- Travis Schack, Colorado's Information Security Officer
- Chris Ingram, Director, Emagined Security
- Scott Johnson, Senior Consultant, Emagined Security
- Mike Weber, Labs Director, Coalfire Systems

Housekeeping
- Schedule
- Breaks
- Bathrooms
- Protocol for asking questions
- Experiment

Course objective
- To provide a forum for auditors to learn about penetration testing and how such testing, when applied properly, improves the security of the people, processes, and systems that run governments.
- Cautionary note: you will NOT be a competent penetration tester as a result of this course!
- How do I become a competent penetration tester?

Background
- In 2010, the Colorado Office of the State Auditor conducted a performance audit of the Governor's Office of Cyber Security. The audit included:
  - A review of the Office of Cyber Security's progress in implementing the Colorado Cyber Security Program.
  - A system-wide, covert or "Red Team" penetration test of the State of Colorado's information systems.
    - All attack types, except DoS or DDoS, were within scope.
- The assessment was performed covertly to test the State's incident detection and response capabilities.

Audit criteria
- Colorado statutory requirements
- National Institute of Standards and Technology requirements
- Industry best practices
- Primary tenet: the State should protect citizen data from unauthorized access!

Penetration test objectives
- Breach the security of the State of Colorado's network and gain access to personally identifiable, sensitive, and/or confidential information.
- Identify security weaknesses in systems or web applications that, if exploited, would provide an attacker with significant visibility, confidential data, or the ability to attack the site's users: Colorado's citizens and businesses.
- Test monitoring, detection, and incident response capabilities.

What a penetration test is (and is not)
- A penetration test is NOT the same as an audit or security assessment!!
  - Penetration tests simulate real-world attacks.
  - Penetration tests will NOT identify all vulnerabilities in a system.
  - Penetration tests will NOT identify all internal threats.
  - Penetration tests will NOT be able to determine the cause or reason for the existence of the vulnerability exploited. This is where state auditors came in handy!
- What is large-scale?
  - 67,000 public-facing IP addresses (each with potentially 65,000+ ports)
  - All state buildings in the Denver metro area
  - All state-owned telephone numbers

Audit team
- Colorado Office of the State Auditor, IT Audit Division
- Colorado Office of Information Security
- Coalfire Systems: OSA prime contractor (experts in network and physical security testing)
- Emagined Security: OSA sub-contractor (experts in web application penetration testing)

Why a penetration test was warranted
- Ongoing and unresolved vulnerabilities identified during routine audits/assessments
- Lack of executive-level support for information security
- Untested information security staff
  - You will fight like you train!!!
- Systemic or enterprise-wide changes made to the IT environment
- Lack of funding for information security

Results
- Overall, we concluded that the State is at serious risk of a system compromise and/or data breach by malicious individuals.
- Total of 9 public recommendations and 2 confidential recommendations.
- Identification of hundreds of specific vulnerabilities, including specific remediation steps.
- Compromise of agency networks and systems and access to thousands of confidential citizen and state employee records.

Outcomes
- Greater transparency into Colorado information security practices
- Additional money and personnel for the Office of Information Security
- Authority for our office to perform routine penetration tests
- Skill development of state staff in the conduct of penetration tests
- Identification and remediation of serious vulnerabilities within state government information systems
- Increased oversight by the General Assembly

Tracking remediation
- Colorado Risk, Incident, Security, Compliance (CRISC) application
  - Open source application: OpenFISMA
- Vulnerability management lifecycle tracking
- Standardized risk assessment for each finding
- Mitigation planning
- Evidence of remediation
- Identification of systemic organizational issues

Lessons learned
- Communicate, communicate, and communicate!
- Social engineering: demonstrate why security awareness is critical.
- Ensure the risk and impact of findings are demonstrated, e.g., steal lots of sensitive information.
- Use a methodical approach to identify "targets" early in the reconnaissance phase.
- Ensure are well defined and agreed upon.
- Modify reporting to meet the needs of different audiences.

Contacts
- Dianne Ray, CPA, State Auditor
- Jonathan C. Trull, Deputy State Auditor

A copy of the public report is available at the Colorado Office of the State Auditor's website: /Home?openform. The report is located under the Governor's Office link, report # 2068A.