Minimum Cyber-Security Requirements: What You Need To Know

Upload: marcus-hood

Post on 29-Dec-2015

TRANSCRIPT

Page 1: In the digital world we trust insecure data from unauthenticated sources. WHAT?!?

Minimum Cyber-Security Requirements: What You Need To Know

Page 2:

What is Information Security and Why Do We Need It?

Page 3:

In the digital world we trust insecure data from unauthenticated sources. WHAT?!?

Why do we need information security?

Page 4:

Let's break that down a bit

Definitions First
◦ Data – electronically stored information *
◦ Authenticated vs. Unauthenticated – Do you know who or what they are? Are you sure?
◦ Firewall – a security system that uses hardware and/or software mechanisms to prevent unauthorized users from accessing an organization's internal computer network.
◦ Malicious Software – software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. This includes spyware, adware, viruses and general malware.
◦ Software Patches – software updates that correct a problem, including security flaws; a missing patch is a known, fixable hole.

Page 5:

Aren't Computers Protecting Us?

Normal bank logon (diagram):
1. User requests http://www.tdbank.com
2. Server returns TDBank homepage
3. User submits logon information
4. Server returns account information

Page 6:

The same logon with an attacker in the path (diagram, two columns):

Normal flow:
1. User requests http://www.tdbank.com
2. Server returns TDBank homepage
3. User submits logon information

Attacked flow:
1. User requests http://www.tdbank.com
2. Hacker returns TDBank homepage
3. User submits logon information (to the hacker)
4. Hacker submits logon information (to the real server)
5. Hacker returns error page

The request went out over plain http://, so nothing checked who answered; the page that came back was trusted because it looked right.

Page 7:

(image slide; no transcribed text)

Page 8:

This will never happen to me….

Motives: Political, Espionage, Retaliation, Internal Threats, Just Because I Can, Financial Gain

Page 9:

Still don't believe me?

Page 10: Still don't believe me? (continued)

Page 11: Still don't believe me? (continued)

Page 12:

So what do we do?

Good Policy
Best of Breed Technology Solutions
Staff and End User Education

What everyone should do! Make sure computers used to do bank transactions are not used for any other Internet work, like email or browsing.

Page 13:

Best Practices for a Cyber Security Policy

Page 14:

Establish an IT Cyber Security Policy
Put someone in charge to develop and implement plans and policies
Develop a cyber security plan (many examples can be found online)
Promote and increase the awareness and training of cyber security and user understanding of risks and risk behavior
Communicate the responsibilities for the organization and individual users' protection of information
◦ Be aware of regulations regarding the protection of information.
Establish communication procedures
◦ Everyone needs to know what, how and to whom to report a cyber security incident or problem.

Page 15:

The plan should also…
Identify threats, vulnerabilities and consequences and take appropriate action to mitigate and prevent them
◦ Includes password policies (strength and updating)
Prepare for the inevitable – COOP and COG: Continuity of Operations and Continuity of Government
◦ Disaster recovery, including protecting the availability and recoverability of the organization's information services and missions
Ensure a hardware and software asset inventory is maintained

Page 16:

An unprotected computer is one that does not (or: what all your computers need to do):
… have antivirus or spyware protection software installed and updated regularly
… have a hardware or software firewall installed to manage communications between and among networks
… require the user to authenticate (using a password or a token) when logging on
… have operating system and software patches installed and regularly updated

Page 17:

POLL QUESTION!

Page 18:

How to Protect your Computing Environment

Page 19:

Protect Your Border
Use a strong firewall. What is a firewall? A system (software or hardware or both) designed to prevent unauthorized access to or from a private network.
◦ US Border Patrol = Firewall
Gateway – something that serves as an entrance or a means of access.
◦ US Customs Border Crossing = Gateway

Page 20:

What Comes Through the Border? Email, websites, file transfers: DATA!!! Is it good or bad data?

Page 21:

Is the Data OK?
Emails are scanned in the same way our border patrol looks at suspicious vehicles or people doing abnormal things (i.e., profiling).
Viruses have signatures, recognizable patterns, and behave in certain ways. Variants are little changes that behave a little differently but overall have the same profile.

Page 22:

Is the Data OK?
Spam is scanned much the same way a virus is detected: by behavior.
Behavior could be an attachment file type, i.e., zip, exe, or bat; or words or suspicious and known-bad URL links that appear in an email.
This is possibly why a good email is flagged as bad: it shows the same suspicious behavior.
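As an added example (not part of the slides), here is a small gateway-style scanner that scores an email by the behaviors the slide names: risky attachment types, lure-like wording, and links to known-bad or unencrypted hosts. The extension list, phrase list, block-list, weights and the three sample messages are all constructed for this illustration. The third sample shows the false positive the slide describes: a legitimate vendor email that gets flagged because it carries a zip attachment, uses phishing-like wording and links over plain http.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Attachment types the slide names (zip, exe, bat) plus other executable types; assumed policy list.
RISKY_EXTENSIONS = {"zip", "exe", "bat", "cmd", "scr", "js", "vbs"}
# Wording typical of credential-phishing lures; assumed list.
SUSPICIOUS_PHRASES = (
    "verify your account", "confirm your information",
    "click the attachment", "account will be suspended",
)
# Hosts the gateway already knows are bad; constructed for the example.
KNOWN_BAD_HOSTS = {"login-verify-now.example", "secure-update.example"}
FLAG_THRESHOLD = 4          # assumed: at or above this score the mail is quarantined

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Verdict:
    score: int
    reasons: list
    flagged: bool


def scan_email(msg: Email, threshold: int = FLAG_THRESHOLD) -> Verdict:
    """Score one message by 'behavior' and decide whether to flag it."""
    score, reasons = 0, []

    for name in msg.attachments:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            score += 3
            reasons.append(f"risky attachment type: {name}")
            if name.count(".") >= 2:            # e.g. invoice.pdf.exe
                score += 1
                reasons.append(f"double extension: {name}")

    text = f"{msg.subject}\n{msg.body}".lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in text:
            score += 1
            reasons.append(f"suspicious phrase: {phrase!r}")

    for url in URL_RE.findall(msg.body):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            score += 3
            reasons.append(f"known-bad link host: {host}")
        elif url.lower().startswith("http://"):
            score += 1
            reasons.append(f"unencrypted link: {url}")

    return Verdict(score, reasons, score >= threshold)


# Constructed sample messages (not real mail).
SAMPLE_PHISH = Email(
    sender="alerts@login-verify-now.example",
    subject="Verify your account",
    body="Please click the attachment to confirm your information: "
         "http://login-verify-now.example/verify",
    attachments=["Account_Verification.pdf.exe"],
)
SAMPLE_LEGIT = Email(
    sender="clerk@franklintwp.example",
    subject="Agenda for Tuesday",
    body="Attached is the agenda. Minutes are at https://www.franklintwp.example/minutes",
    attachments=["agenda.pdf"],
)
# A genuine vendor mail that trips the filter: zip attachment, lure-like wording, plain http link.
SAMPLE_FALSE_POSITIVE = Email(
    sender="billing@vendor-portal.example",
    subject="Q3 invoice",
    body="Please verify your account details in the attached zip, or see "
         "http://vendor-portal.example/invoices",
    attachments=["invoice_Q3.zip"],
)

if __name__ == "__main__":
    for label, msg in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT),
                       ("false positive", SAMPLE_FALSE_POSITIVE)]:
        v = scan_email(msg)
        print(f"{label:15} score={v.score:2d} flagged={v.flagged} {v.reasons}")
```

The scores are additive on purpose: no single signal is proof, but a zip attachment plus "verify your account" plus an http link is enough to hold the message, which is exactly why a quarantine queue needs a human release step.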

Page 23:

Where is Your Protection?
Cloud protection
◦ Mail first goes into a 3rd-party system, is scanned, then is forwarded to your system
Software gateway scanning – harder to manage, but effective and easy to control
Hardware devices – Barracuda, WatchGuard, SonicWall, etc. – can be costly, but some work with the cloud to keep receiving updates.

Page 24:

You are Always the Last Line of Defense
Another analogy for a data request:
◦ Web request = ordering a package from outside the US.
◦ It goes through okay, undetected….. (it may still contain a virus)
◦ Delivery comes to your house (equivalent to your PC)
◦ Houses have security systems; computers have them too, referred to as "endpoint security." Even though a package is delivered, it gets scanned again at delivery.

Page 25:

Is Any of this 100%?
None of the security systems are 100% perfect, since threats are always evolving.
If you say it's okay to release, or it's okay to come through, it still may not be safe.
Behavior-based detection of viruses and intrusions is the cornerstone of stopping DDoS, bank theft, and multi-variant malware such as key loggers.
Keep everything updated, and choose what updates most easily for simple distribution in your environment.

Page 26:

QUIZ TIME

Page 27:

End User Education – The Best Defense

Page 28:

STOP & THINK! Always be suspicious – look for red flags
◦ If a stranger came to your door, informed you he is from your bank and would like to verify a few items with you, and proceeded to ask you for your name, social security number and date of birth, what would you do?
Why is an email any different?

Page 29:

For example: You receive an email at work from a bank that you do not do business with, asking you to click on the attachment to verify information.
9 out of 10 times you will click on the link, thinking it's work related.
◦ How is this different than someone showing up at your door?

Page 30:

Don't Assume that an Attachment is Safe
Did you look up contact information to verify that this is a legitimate bank?
Inspect the link in the email to see if it looks real or fake.
Did you call the bank to see if they sent the email out? Did you seek help from your technology staff? Is this necessary?
◦ YES! Better to be safe than lose all your data, or worse yet compromise your entire network's data.

Page 31:

Don't Assume that a Link in an Email or Website is Safe!
Don't click on links from inside emails. In all cases involving security or banking information:
◦ Look for web addresses beginning with "https://". The "s" means the connection is encrypted and the browser has checked the site's certificate; it does not by itself prove the site belongs to your bank, so check the name in the address as well.
◦ "http://" is not secure. Only go to trusted websites.
◦ Make sure the site is legitimate: before entering any information, look for signs that the site is secure.
◦ Look for a closed padlock in your web browser's address bar.
◦ Never use unsecured wireless networks to make an online purchase.
Protect your $$:
◦ When banking and shopping, check to be sure the site is security enabled.
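The "inspect the link" step from the previous two slides, written out as an added example (not from the presentation): a checker that takes a link from an email and reports the things an attacker relies on you not noticing. The expected bank hostname, the sample links and the findings wording are assumptions constructed for this example; the `.example` domains are reserved names and not real sites.

```python
import ipaddress
from urllib.parse import urlparse

# The host the user believes the link leads to (assumed for the example).
EXPECTED_HOST = "www.tdbank.com"


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Crude (no public-suffix list), but
    sufficient to tell 'tdbank.com' from 'login-secure.example'."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(url: str, expected_host: str = EXPECTED_HOST):
    """Return (safe, findings). 'safe' is True only when nothing looked wrong."""
    findings = []
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()

    if p.scheme.lower() != "https":
        findings.append(f"scheme is {p.scheme or 'missing'!r}, not https")
    if p.username is not None or p.password is not None:
        # https://www.tdbank.com@evil.example/ really goes to evil.example
        findings.append("user-info before '@' hides the real host")
    if not host:
        findings.append("no hostname in URL")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append("raw IP address instead of the bank's name")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")) or \
                any(ord(c) > 127 for c in host):
            findings.append("internationalized (punycode) hostname: possible look-alike letters")
        expected_dom = registrable_domain(expected_host)
        if registrable_domain(host) != expected_dom:
            findings.append(f"host {host!r} is not under {expected_dom!r}")
            if expected_dom in host:
                findings.append("the bank's name appears only as a prefix of another domain")
    return (not findings, findings)


# Constructed links (none are real).
LINKS = [
    "https://www.tdbank.com/login",
    "http://www.tdbank.com/login",
    "https://www.tdbank.com@evil.example/login",
    "https://www.tdbank.com.login-secure.example/",
    "https://tdbank-secure-login.example/",
    "https://203.0.113.5/login",
    "https://www.xn--tdbnk-example.com/",
]

if __name__ == "__main__":
    for link in LINKS:
        safe, findings = inspect_link(link)
        print("OK  " if safe else "STOP", link)
        for f in findings:
            print("      -", f)
```

In a real deployment the comparison would be against an allow-list of exact hostnames rather than the two-label shortcut used here, and the browser's own certificate check still has to pass once the link is followed; this function only decides whether the link deserves a click at all.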

Page 32:

It Isn't Just a Mouse Click
Attackers may attempt to gather information by sending emails requesting that you confirm purchase or account information.
Legitimate businesses will not solicit this type of information through email. Contact the merchant directly if you are alerted to a problem.
Use contact information found on your account statement, not in the email.

Page 33:

You Must Outsmart the Attackers. How?
◦ By stopping and thinking before you click
◦ Ensure your computer has antivirus software and that it is up to date. Reminder: renew your antivirus when it has expired
◦ Verify your antivirus is running and doing scans. Check the logs after a scan.
◦ Verify with the sender that an email was really sent with an attachment
Train your technical staff; train your users
Make sure your contractors meet these standards

Page 34:

You Must Outsmart the Attackers
Use strong passwords; do not use names, dates of birth, etc.
If you're in doubt, then don't click on it
Turn your computer off or lock it when not in use
Keep your operating system updates up to date
Don't go to untrusted sites
Scan your computers for spyware or malware weekly
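The password advice above, together with the "password policies (strength and updating)" item on Page 15, as an added example that is not part of the presentation: a policy checker that rejects short or single-class passwords, passwords built from the user's name or date of birth (including common letter-for-symbol substitutions), common words, and passwords older than the policy allows. The length, age and word-list values are assumed policy settings, and the user "Pat Example" with the birth date and sample passwords is constructed for the illustration.

```python
import re
from datetime import date

MIN_LENGTH = 12            # assumed policy value
MAX_AGE_DAYS = 90          # assumed policy value for "updating"
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}   # assumed short list
# Common letter-for-symbol substitutions, undone before the dictionary checks.
LEET = str.maketrans("@01$3!5", "aolseis")
DATE_FORMATS = ("%Y", "%m%d%Y", "%d%m%Y", "%m%d%y", "%Y%m%d",
                "%m/%d/%Y", "%m-%d-%Y", "%m/%d/%y")


def check_password(pw, user_names=(), birth_date=None,
                   last_changed=None, today=None):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("use at least three of: lower case, upper case, digits, symbols")

    normalized = pw.lower().translate(LEET)      # 'P@tEx@mple' -> 'patexample'
    for name in user_names:
        if len(name) >= 3 and name.lower() in normalized:
            problems.append(f"contains the name {name!r}")
    for word in sorted(COMMON_WORDS):
        if word in normalized:
            problems.append(f"contains the common word {word!r}")
    if birth_date is not None:
        if any(birth_date.strftime(fmt) in pw for fmt in DATE_FORMATS):
            problems.append("contains a form of the birth date")
    if last_changed is not None:
        today = today or date.today()
        age = (today - last_changed).days
        if age > MAX_AGE_DAYS:
            problems.append(f"last changed {age} days ago; over the {MAX_AGE_DAYS}-day limit")
    return problems


# Constructed user (not a real person).
USER_NAMES = ("Pat", "Example")
BIRTH = date(1980, 7, 4)


def demo_results():
    """Run the checker over the constructed samples; returns {label: problems}."""
    return {
        "name_and_dob": check_password("P@tExample1980", USER_NAMES, BIRTH),
        "too_short": check_password("Summer2014!", USER_NAMES, BIRTH),
        "good": check_password("J0urney-Over-Cold-Rivers-77", USER_NAMES, BIRTH),
        "stale": check_password("J0urney-Over-Cold-Rivers-77", USER_NAMES, BIRTH,
                                last_changed=date(2014, 1, 1), today=date(2014, 6, 1)),
    }


if __name__ == "__main__":
    for label, problems in demo_results().items():
        print(f"{label:13} -> {problems or 'OK'}")
```

The date check runs on the raw password and the name check on the leet-normalized one, because "1980" is typed literally while "P@t" is a disguise; checking only one form misses the other.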

Page 35:

Some Resources
www.njgmis.org
www.gmis.org
www.cisecurity.org
www.stopthinkconnect.org
msisac.cisecurity.org
msisac.cisecurity.org/resources/toolkit/oct13/index.cfm

Articles based on an extended version of this presentation will be in upcoming issues of New Jersey Municipalities Magazine.

Page 36:

Contact Us
(732) 734-1805
www.njgmis.org
[email protected]

GMIS-NJ is the League's Official Technology Management Support Organization

CGCIO Program at Rutgers: http://spaa.newark.rutgers.edu/cgcio

Page 37:

GMIS-NJ's Annual Technology Education Conference
March 27th 2014
"The Palace" in Somerset (Franklin Township)
Registration information at: www.njgmis.org / [email protected]

Page 38:

Contact Information

Justin Heyman, Certified Government CIO, Director of Information Technology, Township of Franklin, [email protected]
Todd Costello, Director of MIS, Township of Middletown, [email protected]
Marc Pfeiffer, PfeifferGov, [email protected]
Robert McQueen, Certified Government CIO, Chief Information Officer, Princeton, [email protected]