Cybersecurity Quarterly
Spring 2018
A Publication from the Center for Internet Security

Working Together to Train the Next Generation of Cybersecurity Professionals
How Hackers Plan to Take Advantage of the Rise of VR
The Industry's Collaborative Effort to Stop DNS Attacks in Their Tracks
Getting Back to Basics When Assessing Your Vulnerabilities

Preventing Cyber Attacks: The Best Offense is a Good Defense
The Latest Update from Our Global Community of Cybersecurity Professionals and Experts on the Best Actions to Take to Defend Your Organization Against Today's Most Pervasive Cyber Attacks


Gartner’s #1 Security Technology is Cloud Access Security Broker (CASB)
Unleash the power of the cloud with McAfee Skyhigh Security Cloud™
Approved for the CIS CyberMarket
Contact: Jim Bergen (Jim_Bergen@McAfee.com), www.McAfee.com


Confidence in the Connected World
Spring 2018, Volume 2, Issue 1 (Founded MMXVII)
Editor-in-Chief: Michael Mineconzo
Copy Editor: Shannon McClain
Staff Contributors: Freisi Alfonseca, Molly Gifford, Paul Hoffman, Philippe Langlois, Shannon McClain, Ryan Spelman

Contents

Featured Articles
New & Improved: CIS Controls Version 7 Officially Released. The latest update to our prioritized set of best practices is now available (p. 8)
The True Cyber Crime – Failing to Collaborate. Working together to prepare the next generation of cybersecurity professionals (p. 14)
Quad9: What Have We Done So Far and How are We Moving Forward. The cybersecurity industry's new collaborative effort to stop DNS attacks (p. 16)
Virtual Reality: The New Frontier of Social Engineering. Taking advantage of users in a realm where deception is the name of the game (p. 18)
How Basic Cyber Hygiene Can Lead to More Effective Vulnerability Assessments. Sometimes, getting back to the basics is the best way to protect your organization (p. 20)

Quarterly Regulars
Quarterly Update with Steve Spano (p. 4)
News Bits & Bytes (p. 6)
Threat of the Quarter (p. 10)
Cyber Tips & Tricks (p. 22)
MS-ISAC Update (p. 24)
SQL: Security Quotes & Letters (p. 25)
Calendar (p. 26)

Cybersecurity Quarterly is published and distributed in March, June, September, and December.
Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061
For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518 266.3460
Copyright © 2018 Center for Internet Security. All rights reserved.


Quarterly Update with Steve Spano

“We continue to challenge ourselves to raise the bar”

I’m immensely proud of the work that we do here at CIS – from the services we provide state and local governments through our Multi-State Information Sharing and Analysis Center® (MS-ISAC®), to the secure configurations found in our CIS Hardened Images and CIS Benchmarks™ that are used by organizations worldwide. We continue to challenge ourselves to raise the bar in the products, services, and value we bring to global public and private sector organizations. Toward this end, I’m particularly proud to announce the latest version of the CIS Controls™, Version 7.

The CIS Controls started as five professional colleagues, including CIS’ Senior Vice President and Chief Evangelist Tony Sager, who shared a strong desire to define a set of criteria (or controls) that United States government agencies could adopt to help prevent the most pervasive cyber threats. Their efforts grew to 5,000 colleagues when the initial set of controls moved to the SANS Institute. At SANS, the controls evolved into a crowdsourced project known as the SANS Top 20. In 2015, SANS transferred the intellectual property to CIS, where it was rebranded as the CIS Controls. Today, over 100,000 individuals and organizations from across the globe have downloaded the CIS Controls.

Some view the CIS Controls as a framework. While we won’t argue over what to call them, we believe the CIS Controls are more of an action-oriented set of implementation guides, a “how to” versus a “thou shalt.” Informed by our volunteers and the contributions from major security providers and experts, they represent true consensus-based guidance that any organization can use to reduce a substantial amount of all known cyber-attacks. Each organization can view these guidelines through the lens of its risk posture and compliance requirements, and then take measurable steps to mitigate those risks. Even better, the CIS Controls can help map to parts of many other compliance guidelines, such as PCI, HIPAA, and the NIST CSF.

Version 7 of the CIS Controls reflects the evolving threat landscape. We are emphasizing a smaller subset of the CIS Controls under a new campaign referred to as Basic Hygiene. Basic Hygiene consists of the first six CIS Controls. These include inventory and control of hardware, inventory and control of software, vulnerability assessment, controlled use of administrative privilege, secure configurations, and monitoring of logs. We developed this Basic Hygiene campaign to highlight the truly mission-critical steps all organizations should take. The Basic Hygiene campaign is not intended to be a shortcut for ignoring other important controls. Rather, it helps organizations get a jump-start on implementing the most basic set of controls that address the most pervasive threats.

As always, we hope you enjoy this edition of Cybersecurity Quarterly. Please provide us feedback on how Version 7 of the CIS Controls is helping your organization.

Steve J. Spano, Brig. Gen., USAF (Ret.)
President & Chief Operating Officer
Center for Internet Security



Where cloud images meet proven security.

Start Secure. Stay Secure. Combine the cost- and time-savings of virtual machines with the power of CIS Benchmarks, our best-practice cybersecurity guidelines. CIS Hardened Images reduce system vulnerabilities to protect against common cyber threats such as denial of service, unauthorized data access, insufficient authorization, and others. CIS Hardened Images are one of the easiest and most affordable ways to stay secure when working in the cloud. Available 24x7 on the Amazon Web Services’® AWS Marketplace®, AWS Marketplace for the IC, Google Cloud Platform™ (GCP) Service, and Microsoft Azure.

CIS is a nonprofit committed to securing the connected world against cyber threats.

Confidence in the Connected World

→ Protect yourself with CIS Hardened Images www.cisecurity.org/services/hardened-virtual-images/


News Bits & Bytes

On February 7th, the CIS Controls Version 6 met an important milestone — 100,000 downloads. The CIS Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. They are a relatively short list of high-priority, highly effective defensive actions that provide a "do-first" starting point for every enterprise seeking to improve their cyber defense.

CIS Hardened Images are now available in AWS GovCloud. CIS Hardened Images, which are types of Amazon Machine Image (AMI) offerings that are securely configured based on the CIS Benchmarks, were launched in the Amazon Web Services (AWS) Marketplace in AWS GovCloud (US) in March. AWS GovCloud (US) is an AWS region designed to allow U.S. government agencies at the federal, state, and local level, along with contractors, educational institutions, and other U.S. customers, to host sensitive workloads in the cloud by addressing their specific regulatory and compliance requirements.

Kroll is the newest vendor partner of CIS CyberMarket. Kroll, a leading global provider of risk solutions, is now offering a number of their services to all current MS-ISAC members, as well as other state, local, tribal, and territorial (SLTT) governments, nonprofits, and public education and healthcare institutions at an exclusive discounted rate. Through our partnership, eligible organizations can purchase data breach notification and response services, risk assessments, and network security and dark web monitoring from Kroll.

Starting in 2018, CIS is now offering CIS SecureSuite® Membership free to all state, local, tribal, and territorial (SLTT) governments in the United States, including public universities and schools, law enforcement agencies, public transportation authorities, and utilities. CIS SecureSuite Membership gives organizations access to a collection of integrated cybersecurity resources such as CIS-CAT Pro Assessor, remediation content, and CIS-CAT Pro Dashboard. All of these tools help users evaluate and apply secure configuration settings to laptops, servers, network devices, and more.

CIS has released its Handbook for Elections Infrastructure Security. Developed by CIS and its community of election partners, it outlines best practices for protecting elections infrastructure. The handbook is part of a comprehensive, nationwide approach to protect the democratic institution of voting and a national response to threats against elections infrastructure. The handbook and its accompanying worksheet can be downloaded at https://www.cisecurity.org/elections-resources.

CIS CyberMarket partner Skyhigh Networks has been named a Leader in the 2017 Gartner Magic Quadrant for Cloud Access Security Brokers (CASB). The first-ever Gartner Magic Quadrant on CASBs profiled 11 vendors across the industry and ranked Skyhigh among the top in the industry at helping organizations address the cloud data security needs and focus on securing data natively in the cloud.

In January, the MS-ISAC released its annual 2018 SLTT Government Outlook, an in-depth whitepaper outlining its predictions for the types of malware, cyber threats, and tactics, techniques, and procedures (TTPs) that will be prevalent in 2018. The report can be downloaded at https://www.cisecurity.org/white-papers/2018-sltt-government-outlook/




New & Improved: CIS Controls Version 7 Officially Released
For nearly a decade, the CIS Controls have been a guide to help secure organizations against the most pervasive cyber attacks; the latest update to the Controls is now available
By Philippe Langlois & Shannon Heesacker McClain

CIS® recently launched the latest version of the CIS Controls™ on March 19th, 2018. The CIS Controls are a community-developed, prioritized set of cybersecurity best practices organizations can follow to improve their security posture and defend against common and pervasive cyber threats.

The “Fog of More”

In the world of cybersecurity, we are constantly faced with more: more regulatory and compliance frameworks, more threats and vulnerabilities, and more products and solutions than even the most highly competent CISO could hope to grasp. The “fog of more” is a daunting force that can overwhelm and confuse cybersecurity professionals. The CIS Controls aim to cut through the fog by providing clear, prioritized actions that any organization can take to improve their cyber defenses. To do this, we applied the Pareto Principle – the concept that for many activities, roughly 80% of the effects come from 20% of the causes¹ – to help prioritize cybersecurity actions. For example: in 2002, Microsoft found that roughly 20% of all bugs were causing 80% of reported errors², allowing them to focus their resources on the most needed fixes. The Pareto Principle is used by organizations around the world to help separate the “vital few” resources from the “useful many.”


But how does CIS narrow down all the possible cybersecurity actions that an organization can take?

A Community Approach

In order to cut through the “fog of more,” we collaborate with a global community of cybersecurity experts – leaders in academia, industry, and government – to secure input from volunteers at every level. The CIS Controls best practices are developed using a consensus approach involving discussion groups, forums, and community feedback. Version 7 of the CIS Controls was developed over the last year to align with the latest cyber threat data and reflect today’s current threat environment. Our public call for comment on Version 7 from January 24th – February 7th included feedback from a community of over 300 individuals dedicated to improving cybersecurity for all.

What’s Old, What’s New in Version 7

CIS Controls V7 keeps the same 20 controls that organizations around the world already depend upon to stay secure; however, the ordering has been updated to reflect today’s threat landscape. We’ve also updated the sub-controls to be more clear and precise, implementing a single “ask” per sub-control. CIS Controls V7 splits the controls into three distinct categories: basic, foundational, and organizational.

Basic (CIS Controls 1-6): Key controls which should be implemented in every organization for essential cyber defense.
Foundational (CIS Controls 7-16): The next step up from basic – these technical best practices provide clear security benefits and are a great idea for any organization to implement.
Organizational (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused on people and processes.

¹ http://www.nytimes.com/2008/03/03/business/03juran.html
² https://www.crn.com/news/security/18821726/microsoftsceo-80-20-rule-applies-to-bugs-not-just-features.htm

Key Principles

The development of CIS Controls V7 was guided by 7 key principles which helped ensure a more robust end result.

1. Address current attacks, emerging technology, and changing mission/business requirements for IT: As part of our fundamental promise, the CIS Controls have been updated and reordered to reflect both the availability of new cybersecurity tools and changes in the current threat landscape that all organizations are facing.
2. Bring more focus to key topics like authentication, encryptions, and application whitelisting: Guidance for each of these major security topics is covered in detail by CIS Controls V7 in a clearer, stronger, and more consistent fashion.
3. Better align with other frameworks: With mapping to NIST Cybersecurity Framework, it’s never been easier to function in a multi-framework world.
4. Improve the consistency and simplify the wording of each sub-control – one “ask” per sub-control: The community worked tirelessly to clarify and simplify each CIS Control, making it easier for users to follow along. By eliminating multiple tasks within a single sub-control, the CIS Controls are easier to measure, monitor, and implement.
5. Set the foundation for a rapidly growing “ecosystem” of related products and services from both CIS and the marketplace: We have much more experience with adopters and vendors since V6; for V7, we make it easier for everyone to understand, track, import, and integrate the CIS Controls into products, services, and corporate decision-making.
6. Make some structural changes in layout and format: To help keep the CIS Controls relevant and adaptive, we’ve restructured our content to be more flexible than before.
7. Reflect the feedback of a world-wide community of volunteers, adopters, and supporters: We are only as strong as the amazing volunteers that support us and hope to continue to provide a means of gathering and harnessing the global cybersecurity community for the benefit of everyone.

By following these 7 key principles, the CIS Controls have become a more flexible, measurable, and useful resource for any business or organization looking to secure its systems.

A Resource for All

The CIS Controls provide clear, prioritized guidance to help organizations tackle the most pervasive cybersecurity threats. They are a free cybersecurity best practices resource for any organization to download and implement. To get started, visit https://learn.cisecurity.org/20-controls-download.

Philippe Langlois is a Technical Product Manager for the CIS Controls. Langlois leads a community of cybersecurity experts who develop the CIS Controls, as well as manages the production, writing, and publication of a range of cybersecurity resources. Langlois holds an MS in Infrastructure Protection and International Security, and a BA in Criminology.

Shannon Heesacker McClain (GISF) is a Marketing Specialist at CIS, helping organizations learn how to improve their cybersecurity posture and respond to pervasive cyber threats. She holds a master’s degree in Political Science and Foreign Languages from the University of Nebraska at Omaha, with a special focus on intelligence analysis and conflict resolution.


Threat of the Quarter

This Quarter’s Threat: Malicious Cryptocurrency Mining

The recent increases in cryptocurrency’s popularity and value have spurred the usage of malicious cryptocurrency miners by cyber threat actors, causing a range of detrimental effects on affected systems. Malicious cryptocurrency miners primarily utilize a compromised system’s resources in order to generate revenue for a cybercriminal by mining various cryptocurrencies such as Bitcoin, Litecoin, Ether, and Monero. This activity is interlinked with the profitability of the cryptocurrency market, which is expected to remain higher than it was at this time last year.

Some of the repercussions of cryptocurrency mining include sluggish or unresponsive system performance due to increased central processing unit (CPU) and graphics processing unit (GPU) usage, a shortened device life expectancy due to overheating, and increased hardware and electricity bills. Furthermore, the Multi-State Information Sharing and Analysis Center (MS-ISAC) foresees that the installation of malicious cryptocurrency mining will be one of the biggest cyber threats faced by state, local, tribal, and territorial (SLTT) governments in 2018. This is largely because the installation of this malware indicates that the affected system is fully compromised by the actors, and thus far, the cyber threat actors have shown a propensity to target servers, which often have sensitive data on them.

Cryptocurrency miners cannot be strictly categorized as malware because they are an essential component of cryptocurrency and blockchain technology. Cryptocurrency mining may be employed legitimately, as an alternative to advertisements in the monetization of website traffic. For instance, Coinhive, a website-based miner, allows website administrators to leverage profit by utilizing the CPU resources of website visitors. Unfortunately, this legitimate service is also used maliciously by cyber threat actors on improperly secured websites to make money without the awareness of the websites’ administrators. Actors have even managed to place coin mining advertisements onto YouTube, causing users to experience warnings from their antivirus due to the presence of Coinhive. In addition, cyber threat actors have injected cryptocurrency mining code into legitimate browser plug-ins in order to mine the currency whenever the browser is in use, such as occurred with the “texthelp” plug-in.

The most malicious strains of cryptocurrency miners directly infect network devices, continuously siphoning resources from the unsuspecting users. This form of mining is possible by compromising networked devices with malicious mining software through traditional malware dissemination methods. Once compromised, unfettered mining capability is maintained by disabling the devices’ computing resource limits, including prioritized CPU or GPU usage, system temperature regulation, core usage ratio, and disabling sleep periods. As a result of the mining software absorbing all the CPU and GPU power of the vulnerable systems, the miner essentially functions as a denial of service (DoS) attack, since legitimate requests are ignored. Stressing the devices’ limits also diminishes the devices’ life expectancies, translating into unexpected hardware replacement costs.

Other unexpected costs are incurred due to increased power consumption. Users affected by miners may find their devices to be sluggish or completely unresponsive, resulting in a decrease in productivity. The problems may result in more significant consequences depending on the affected system. For instance, a wastewater facility in Europe found a Monero cryptocurrency miner on servers connected to an industrial control system (ICS) operation technology network. The miner drained computing resources for the facility’s human machine interfaces (HMIs), limiting the ability to monitor physical processes, until the miner was discovered during routine monitoring.

(Graph) This graph serves as a comparison of the notifications generated from cryptocurrency mining activity and the average of the top 10 threats notifications. The average of the top 10 threats was created by adding the notifications for each individual threat type and dividing it by 10. Cryptocurrency notifications are caused by the identification of SLTT systems communicating with domains associated with malicious mining command and control (C2) networks.

The presence of unauthorized cryptocurrency miners on a device is indicative of physical or cybersecurity vulnerabilities, which may be exploited in a variety of other ways. Some miners are delivered via spam and exploit kits, and do not require persistent access to the system. Certain miners automatically reach out to the designated cryptocurrency wallets to deposit earnings, requiring less interaction on behalf of the cyber threat actor. Examples of cryptocurrency miners utilizing the EternalBlue exploit, as well as Apache Struts2 and Oracle WebLogic vulnerabilities, are available in the wild. Furthermore, miners have been observed using obfuscation tactics, with malicious files named benignly, such as “Windows update” and “Anti-virus.”

The WannaMine cryptocurrency miner is particularly prolific because it operates like a worm and leverages two separate propagation techniques in Windows environments, Mimikatz and EternalBlue. Initially, Mimikatz attempts to extract passwords and hashes of authenticated users stored in the Local Security Authority Subsystem Service process (LSASS.EXE). These stolen credentials are base64 encoded and sent outbound over port 8000 to command and control (C2) servers. The stolen credentials are used to further spread the infection via Windows Management Instrumentation (WMI) and/or PsExec, and the malware likely collects additional credentials from newly compromised systems. If credentials are not captured, the miner spreads via the EternalBlue exploit on systems not patched with MS17-010.

Cyber threat actors are incentivized by the high financial returns gained from cryptocurrency mining, with Talos researchers documenting incomes potentially exceeding $180,000 a year. Furthermore, unlike other financial schemes, malicious cryptocurrency mining requires little to no victim or actor interaction. Additionally, malicious cryptocurrency mining is more profitable than legitimate cryptocurrency mining because malicious actors are not burdened by the cost of hardware and electricity. Once the user detects and removes the mining software, the malicious actors simply move on to other vulnerable systems in order to maintain the revenue stream. It should be noted that if actors reduce the amount of resources the miners consume, the miners are more likely to go undetected for longer. According to Bitdefender research, PZChao is an operation targeting the technology, government, education, and telecommunications sectors, which distributes a bitcoin miner that eliminates all other mining applications present on the system and operates discreetly during selected hours. This operation is purportedly orchestrated by the Chinese Iron Tiger Advanced Persistent Threat (APT) group, also known for utilizing a variant of the Gh0st remote access trojan (RAT).

SLTT governments may also be exposed to malicious cryptocurrency mining via organizational insiders. Similar to the way in which employees sometimes utilize organizational resources for recreation, they may also use resources for cryptocurrency mining to gain profits by physically installing mining rigs or installing mining software on agency resources. One such example is of a Federal Reserve System Administrator who was charged with the unlawful conversion of government resources when it was discovered he placed a cryptocurrency miner on a server. The System Administrator also created backdoors to monitor the mining activity, creating a security risk for the organization, as other cyber threat actors could make use of these backdoors. There are several other examples of employees and students setting up secret mining rigs and installing mining software in servers without authorization.

Recommendations

Fortunately, there are a variety of recommendations that can decrease the likelihood that malicious cryptocurrency miners will take advantage of network devices.

1. Check for abnormally high resource use, suspicious files, log entries, and spikes in electricity use, as these are indicators that cryptocurrency mining may be occurring on your network.
2. Educate end users on the symptoms of cryptominer infections and how to report potential infections.
3. Ensure computer use policies include clauses against the use of unauthorized software, including cryptocurrency miners.
4. Block ingress and egress traffic to TCP and UDP ports 3333, 5555, 7777, and 14444 at your demarcation point, if there is not an existing business purpose.
5. Monitor for routine web traffic to cryptocurrency mining domains.
6. Apply patch MS17-010 provided by Microsoft to vulnerable systems immediately after appropriate testing.
7. Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
8. Implement Group Policy Objects (GPOs) to prevent the scripted execution of Sysinternals Suite tools, such as PsExec.
9. Implement the Credential Guard feature in Windows products to guard against the extraction of credentials stored in LSASS.EXE. Credential Guard creates a virtual container that the operating system cannot access directly and stores all domain secrets in that virtual container.
10. Consider creating a WMI subscription that logs new Event Consumer or Process creations to the Application event log. This increases visibility into when WMI is being utilized for remote execution or malware persistence.
11. As many cryptocurrency mining malware variants use PowerShell during the infection process, restrict the execution of PowerShell to authorized signed scripts or disable PowerShell if it is not needed.
12. Enable logging of PowerShell script execution to assist in detecting anomalous activity and store logs for at least 90 days.
13. Keep all hardware, operating systems, applications, antivirus software and signatures, content management systems (CMS), and essential software up-to-date, with automatic updates of signatures and software, to mitigate potential exploitation by malicious actors. This includes third-party applications and plugins. Monitor and take action on new information regarding vulnerabilities, exploits, and attacks.
14. Run software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful infection.
15. Disable or remove software, ports, protocols, and services that are not in use.
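The following triage script is an added example (not from the MS-ISAC or this article) that turns recommendations 1, 4, and 5 above into checks over constructed firewall, resolver, and CPU telemetry lines and scores each host by how many independent indicator families fired; the log formats, the placeholder mining domains, and the CPU threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Ports from recommendation 4 (common stratum/mining-pool ports).
MINING_PORTS = {3333, 5555, 7777, 14444}
# Constructed placeholder blocklist; feed a real one from threat intel (recommendation 5).
MINING_DOMAINS = {"pool.example-miner.test", "xmr.example-pool.test"}
# "Abnormally high" CPU for this example: >= 90% busy in 3 consecutive samples.
CPU_THRESHOLD, CPU_SUSTAINED = 90.0, 3

# Constructed log formats (key=value, one record per line):
#   <ts> FW host=<h> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n> action=<allow|deny>
#   <ts> DNS host=<h> query=<name>
#   <ts> CPU host=<h> busy=<percent>
FW_RE = re.compile(r"^\S+ FW host=(\S+) src=\S+ dst=(\S+) proto=(tcp|udp) dport=(\d+) action=(\w+)$")
DNS_RE = re.compile(r"^\S+ DNS host=(\S+) query=(\S+)$")
CPU_RE = re.compile(r"^\S+ CPU host=(\S+) busy=([\d.]+)$")


def egress_to_mining_ports(lines):
    """Hosts with *allowed* outbound connections to a mining port -> {host: {(dst, proto, port)}}."""
    hits = defaultdict(set)
    for line in lines:
        m = FW_RE.match(line.strip())
        if m and m[5] == "allow" and int(m[4]) in MINING_PORTS:
            hits[m[1]].add((m[2], m[3], int(m[4])))
    return dict(hits)


def queries_to_mining_domains(lines):
    """Hosts that resolved a blocklisted domain or any subdomain of one -> {host: {name}}."""
    hits = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        name = m[2].rstrip(".").lower()          # normalise trailing dot and case
        if any(name == d or name.endswith("." + d) for d in MINING_DOMAINS):
            hits[m[1]].add(name)
    return dict(hits)


def sustained_high_cpu(lines):
    """Hosts at or above CPU_THRESHOLD for CPU_SUSTAINED consecutive samples (time-ordered input)."""
    streak, flagged = defaultdict(int), set()
    for line in lines:
        m = CPU_RE.match(line.strip())
        if not m:
            continue
        host = m[1]
        streak[host] = streak[host] + 1 if float(m[2]) >= CPU_THRESHOLD else 0
        if streak[host] >= CPU_SUSTAINED:
            flagged.add(host)
    return flagged


def triage(fw_lines, dns_lines, cpu_lines):
    """Count independent indicator families per host. One family alone (e.g. a busy
    build server) is weak evidence; two or more justify pulling the host for review."""
    ports = egress_to_mining_ports(fw_lines)
    domains = queries_to_mining_domains(dns_lines)
    cpu = sustained_high_cpu(cpu_lines)
    report = {}
    for host in set(ports) | set(domains) | cpu:
        reasons = []
        if host in ports:
            reasons.append("egress to mining port(s) %s" % sorted(ports[host]))
        if host in domains:
            reasons.append("resolved mining domain(s) %s" % sorted(domains[host]))
        if host in cpu:
            reasons.append("CPU >= %d%% for %d samples" % (CPU_THRESHOLD, CPU_SUSTAINED))
        report[host] = {"score": len(reasons), "reasons": reasons}
    return report


# Constructed sample telemetry (not real logs).
FW_SAMPLE = [
    "2018-03-05T10:00:01 FW host=ws17 src=10.1.2.17 dst=198.51.100.9 proto=tcp dport=3333 action=allow",
    "2018-03-05T10:00:05 FW host=ws17 src=10.1.2.17 dst=198.51.100.9 proto=tcp dport=443 action=allow",
    "2018-03-05T10:00:09 FW host=srv02 src=10.1.5.2 dst=203.0.113.4 proto=tcp dport=14444 action=deny",
]
DNS_SAMPLE = [
    "2018-03-05T10:00:02 DNS host=ws17 query=pool.example-miner.test",
    "2018-03-05T10:00:03 DNS host=ws21 query=www.example.com",
    "2018-03-05T10:00:04 DNS host=srv02 query=EU.xmr.example-pool.test.",
]
CPU_SAMPLE = [
    "2018-03-05T09:59:00 CPU host=ws17 busy=96.0",
    "2018-03-05T09:59:30 CPU host=ws17 busy=98.5",
    "2018-03-05T10:00:00 CPU host=ws17 busy=97.2",
    "2018-03-05T09:59:00 CPU host=ws21 busy=95.0",
    "2018-03-05T09:59:30 CPU host=ws21 busy=12.0",   # dip resets the streak
    "2018-03-05T10:00:00 CPU host=ws21 busy=94.0",
]

if __name__ == "__main__":
    for host, f in sorted(triage(FW_SAMPLE, DNS_SAMPLE, CPU_SAMPLE).items()):
        print(host, f["score"], "; ".join(f["reasons"]))
```

A denied connection to a mining port (srv02 above) is deliberately not counted as egress, since the block worked; it still surfaces through the resolver check if the host looked the pool up first.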


BECOME A CYBER FELLOW AN ELITE ONLINE CYBERSECURITY MASTER OF SCIENCE DEGREE FOR $15,000 For more information: online.engineering.nyu.edu/partner/cis tandon.online@nyu.edu • 646.997.3623

@nyutandon #TechInService2Society


Cybersecurity Quarterly

The True Cyber Crime? – Failing to Collaborate The cybersecurity industry has a profound shortage of qualified job candidates; building a better applicant pool requires the coordination of academia and industry partners By Nasir Memon With the exponential growth of the Internet of Things and the digital threats to our very democracy in the news on a daily basis, the need for cybersecurity experts is self-evident. Public and private organizations are valiantly trying to keep pace, but have been stymied by a lack of qualified candidates to fill their open security posts – despite rising salaries and high levels of reported job satisfaction. The only solution is to quickly build a vastly larger, stronger pool of applicants armed with up-tothe-minute knowledge, hands-on experience, and the ability to think creatively and collaboratively. Those of us working in academia bear a great responsibility for educating just such a workforce. But, just as essential, academia must quickly bring to bear its impressive creative and collaborative skills to vastly expand the number and types of students who choose to embark upon this challenging educational path. We must reach out with urgency to our natural partners: industry and government. Perhaps our delivery method can be as disruptive as the technology we study. Online programs certainly hold the promise of massive scalability. Online learning also opens an important talent pool: Midcareer professionals from security and other tech fields who are limited by time, location, and the demands of work and family. Additionally, online

14

The only solution [to the lack of qualified job candidates] is to quickly build a vastly larger, stronger pool of applicants armed with up-to-the-minute knowledge, hands-on experience, and the ability to think creatively and collaboratively. programs are often an attractive choice for those concerned with affordability. At New York University Tandon School of Engineering (NYU Tandon), for example, our new Cyber Fellows initiative – an elite, competitive online master’s program – costs just $15,000, thanks to generous scholarships, with no compromises to the high caliber of instruction. We envision it could scale to accommodate hundreds, or even thousands, of students. But we have all read the Massive Open Online Course (MOOC) promises before. Once universities attract high-caliber candidates for cybersecurity education, it is of utmost importance that we supplement theoretical, textbook-based models of teaching with practical, hands-on experiences, designed in partnership by the very institutions that will employ our graduates. This is indeed possible in remote-learning environments.


Spring 2018

Remote learning, executed properly, can also foster the kind of lasting networks that cybersecurity professionals need: communities of peers and corporate mentors. The best virtual classrooms provide a platform for meaningful exchanges of experiences among students and professors crossing boundaries of geography and experience. Some universities are giving students access to virtual labs and even cyber ranges – which simulate the problems of protecting vast networks. Both approaches provide test environments in which students can safely practice addressing security scenarios in a controlled environment.

Our Cyber Fellows will soon get access to a cyber range that the New York City Cyber Command is building to train its own experts. This cooperation grew out of discussions with New York City and its business giants, who told us they see a gap between what even the best universities teach and the precise set of skills that graduates need in order to step into top security positions. They were eager to mentor our students, employ them as interns, and provide them with their own real problems that would form the basis of students’ capstone projects. They were ready to forge a new type of relationship with educators.

Industry partners can indeed provide solid, timely advice about current trends and developments – a must in a world where increasingly sophisticated threats and new cures emerge every day. A good industry partner can help a school design a curriculum that ensures that its graduates can stay a step ahead of black-hat hackers – and that course offerings are continually updated as the need arises. At NYU Tandon, our many partners include Blackstone, Facebook, Goldman Sachs, IBM Security, J.P. Morgan, and Morgan Stanley, and in addition to their real-world insights, they provide internship opportunities and real-world problems that will form the basis of students’ capstone projects, providing layers of concrete applicability.

With the average cost of a single data breach expected to exceed $150 million by 2020, it’s obvious why businesses and public organizations are eager to hire qualified security experts, and with more intrusive privacy breaches being reported all the time, the human cost is incalculable. Our institutions of higher learning can find willing partners in government and industry, and together we can stand at the forefront of solving one of our most pressing societal problems.

Nasir Memon, Associate Dean of Online Learning of New York University Tandon School of Engineering (NYU Tandon), launched one of the country’s first cybersecurity academic programs at what is now the NYU Tandon School of Engineering and founded what has grown into the largest student-led cybersecurity competitions worldwide. A professor of NYU Tandon’s Computer Science and Engineering Department, an affiliate faculty member of the NYU Courant Institute of Mathematical Sciences, and the head of NYU Abu Dhabi’s cybersecurity program, he helped lead NYU into a multidisciplinary approach to cybersecurity that combines technology expertise with research into policy, business, social sciences, and more. Memon’s research focuses on digital forensics, biometrics, data compression, network security, and human behavioral aspects of security. He holds 12 patents in image compression and security and has published more than 250 articles in journals and conference proceedings.


Quad9: What Have We Done So Far and How Are We Moving Forward?
The new collaborative effort by the cybersecurity community to combat costly DNS attacks and how they're moving forward to adapt and prevent further cyber attacks
By John Todd

Disclaimer: CIS is one of the founding organizations of the Global Cyber Alliance (GCA) and maintains a strategic partnership with the organization.

Quad9 is a free, recursive, anycast DNS platform created in collaboration with IBM, Packet Clearinghouse, and the Global Cyber Alliance. At its public launch in November 2017, the pilot project had around 700,000 users, mostly state and local governments, who were communicating with us during the start-up. We’ve grown considerably in the last three plus months, seeing an approximate 25-fold increase in our peak traffic, and our growth curve for queries is looking great. This is the exciting time during which a project starts to get traction, and every day the usage graphs look better and better. It’s also a time when edge case problems get discovered and worked on, so that’s keeping us busy as well.

Our target was to launch in 70 locations, and we exceeded that number and went public with 100 anycast resolvers distributed worldwide in November. We’ve since grown by another 8 locations, and we have many more in the pipeline for the next month or so.

One of our primary goals is to provide security against malware and phishing by implementing a blocklist in our 9.9.9.9 resolver. When a client sends a query about a domain that is in that blocklist, we currently provide a negative answer, meaning that the connection fails. On just one day last month, we provided 1.7 million blocks for clients, from users in more than 150 countries. Given the billions of queries we serve every day, this doesn’t sound like a lot, but each of those blocked queries represents some malicious website or phishing destination that was prevented from performing its goal. This is a significant monetary loss and time loss prevention for our end users – it’s clear that we’re helping decrease cybersecurity risks.

So, what’s next for Quad9?
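As an added illustration (not Quad9's own code), here is a small Python model of the blocklist behaviour described above: a query whose name, or any parent domain of it, is on the blocklist gets a negative (NXDOMAIN) answer so the connection fails, while every other name is resolved normally; the blocklist entries, upstream answers and client countries are constructed sample data, not real indicators.

```python
"""Toy model of a blocklist-enforcing recursive resolver.

Added example, not Quad9's code. It reproduces the policy described in the
article: a query for a name on the blocklist gets a negative answer
(NXDOMAIN), so the client's connection attempt fails; every other name is
resolved normally. All domain names, addresses and client countries below
are constructed sample data, not real indicators.
"""
from collections import Counter

# Constructed sample blocklist. Entries are apex domains; the match below
# also covers every subdomain, since hostile sites rotate hostnames freely.
BLOCKLIST = {"phish.example", "malware-cdn.example"}

# Constructed stand-in for the answers ordinary recursion would return.
UPSTREAM = {"www.example.org": "203.0.113.10", "cisecurity.org": "198.51.100.7"}

NXDOMAIN = "NXDOMAIN"
NOERROR = "NOERROR"


def normalize(qname):
    """Canonical form of a query name: lower-case, no trailing dot."""
    return qname.strip().lower().rstrip(".")


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if the name or any of its parent domains is on the blocklist.

    Matching is done label by label, so 'login.phish.example' is caught by
    the entry 'phish.example' while 'notphish.example' is not (a naive
    substring test would wrongly block the latter too).
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


class FilteringResolver:
    """Answers queries, applying the blocklist before recursion."""

    def __init__(self, blocklist=BLOCKLIST, upstream=UPSTREAM):
        self.blocklist = blocklist
        self.upstream = upstream
        self.served = 0
        self.blocks_by_country = Counter()  # per-country block counts

    def resolve(self, qname, client_country="??"):
        """Return (rcode, answer); a blocked name yields ('NXDOMAIN', None)."""
        name = normalize(qname)
        if is_blocked(name, self.blocklist):
            # Negative answer: the client never learns an address, so its
            # connection to the malicious site fails.
            self.blocks_by_country[client_country] += 1
            return NXDOMAIN, None
        self.served += 1
        addr = self.upstream.get(name)
        if addr is None:
            return NXDOMAIN, None  # genuinely nonexistent name
        return NOERROR, addr

    def block_report(self):
        """Totals of the kind the article quotes: blocks and countries."""
        return {
            "blocks": sum(self.blocks_by_country.values()),
            "countries": len(self.blocks_by_country),
        }


if __name__ == "__main__":
    r = FilteringResolver()
    for qname, country in [("LOGIN.phish.example.", "US"),
                           ("www.example.org", "DE"),
                           ("malware-cdn.example", "BR")]:
        print(qname, country, r.resolve(qname, country))
    print(r.block_report())
```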

New Services

We have several other variations of our resolver which will include different features that can be chosen based on which IP address set is used for your systems. For instance, we will shortly have a variation of the resolver which implements Extended Client Subnet (ECS) data and which also supports our blocklist. This will allow Content Delivery Networks (CDNs) to provide better results to end users who wish to compromise with the slightly lowered privacy that ECS implies. Some people may find this tradeoff useful, so we will be providing this option.

Growth

The network is growing quickly – we’ll be continuing to push deployments into areas where we don’t have low-latency coverage. Brazil, India, and other parts of Asia have higher latency than we’d like, so those areas are on our target list, as well as expanding the equipment footprint in areas that are highest in current query counts. We rolled a truckload of servers into the warehouse recently, and they’re rolling out again destined for our heaviest-use locations. Frankfurt, Palo Alto, London, Amsterdam, Chicago, and Singapore are our standout cities right now, as they have the highest density of interconnections, so those have received equipment or are pending upgrade first.

Connectivity

We’re also continuing to increase peering (interconnection with other networks) in areas where we have equipment, but where some users are not getting the best performance. Even though we have multiple locations in-continent, Australia is notably poorly-covered due to a few large local providers in that area not peering with our transit network. This often is a matter of business policy at those providers that we can’t influence, though we would encourage any customer seeing slow performance to ask their ISP why they can’t get to 9.9.9.9 quickly. We have some alternate plans to help with areas like Australia, but that may take some time to implement (weeks or maybe a few months). There are thousands of interconnections that are maintained with other networks, but we don’t connect with everyone yet – more work will be done on that project in the coming months. We’re working on concepts of building a webpage that will allow end users to send a link to their ISP that includes the relevant information needed to persuade ISPs to peer with us at the most local point possible. You can be part of the effort to make the Internet a more well-connected place – more on that soon.

Documentation

We’re working on extending the website for explanations of the project, documenting our transparency and privacy guidelines, publishing more information about how to configure various home and office routers to use the project, and generally expanding the website to include more data that would be useful to service providers, end users, and enterprises who want to learn more about Quad9. You can visit our website at quad9.net.

John Todd has been working with the Internet since the 1980s across a wide range of technologies including VoIP, massively multiplayer games, ISPs, satellite communications, and public directory systems such as the DNS, primarily with a focus in operations management and product/project management. He currently serves as the Executive Director of Quad9 and was instrumental in its development. Previous to Quad9, John was a Senior Technologist at Packet Clearing House where he supervised projects involving code development, operations, and partner relationships to build extensions of existing platforms or create new offerings as part of the PCH portfolio.


Virtual Reality: A New Frontier of Social Engineering
Social engineering has become one of the most successful tools for hackers; what happens when this strategy enters a world where everything is already not what it seems?
By Kavya Pearlman

We are crossing a new frontier with virtual reality. Virtual reality (VR) combines technology and human psychology to deliver a depth of convincing experiences anywhere, anytime. We are looking at a whole new dimension created via head-mounted displays and hand controllers to provide fully immersive experiences. While the technology brings to life amazing art and entertainment, such as the “Ready Player One” movie, there is a darker side to the technology that multiplies the threat of social engineering multifold. Social engineering is the act of taking advantage of human behavior — a human mistake — to steal confidential information. This tactic works because it’s easier for hackers to exploit the natural inclination to trust someone than to figure out a new way to access a system.

Virtual Reality is Here to Stay

Global revenues from virtual reality technologies will reach $7.17 billion by the end of this year, according to a new report by Greenlight Insights (the global leader in virtual and augmented reality market intelligence), which also predicts that global VR revenues will total close to $75 billion by 2021¹ (see Figure 1 on the next page).

Virtual worlds are not new, and neither are threats from social engineering. However, most of the virtual universes up to now, such as Second Life by Linden Lab, only existed in three dimensions (3D) and were experienced via a computer screen. For better or for worse, this is changing faster than imagined.

Imagine the sophistication of this strategy when technology itself can convince the human brain that it is somewhere it is really not. This only gets worse when we combine the social aspects, as multiple individuals can now interact and share experiences via use of virtual reality. This is good for a social engineer, but bad for innocent users who have the potential to get tricked by a person with ill intent.

Social Engineering

Like with many technologies, the weakest link in security is often the users themselves. Here is the dark side of virtual reality that exploits the human factor:
- Interjection of information or data into VR platforms to mislead or entice users into selecting items that exfiltrate personally identifiable information (PII)
- Use of fake VR applications that steal personal information or exfiltrate behavioral data
- Replacing legitimate VR content with malicious content to compromise users’ computers or other hardware and install malware and spyware
- Sabotaging the availability of VR devices and ecosystems to interrupt important meetings, potentially taking over the VR experience and asking for a ransom
- Compromising unique individual identifiers, such as physical movements and verbal or physical tics, to socially engineer and digitally impersonate a user

So What Can We Do About It?

While VR opens a whole new dimension and higher level of threat landscape, the solutions to these issues still start with the traditional thought process, aka awareness. The social engineering threats faced in the past 15 years during the social media boom are going to be replicated in VR platforms, such as Sansar from Linden Lab (www.sansar.com) and Spaces from Facebook. While the majority of the responsibility lies on the developers of these worlds, we must not ignore that humans are the ones living and interacting with these experiences. Here is some quick advice for anyone who is crossing into this new frontier along with Linden Lab:

For Creators and Developers: VR products are the second chance at getting it right (yes, I am talking about Facebook and Twitter’s unconscious role in influencing public opinion). So when you build for a VR platform, keep in mind to make your ecosystem safe and secure for the people who use it. What you may consider cool can prove to be fatal in the hands of an evil adversary. Take efforts like incorporating anti-phishing measures in your products and chat boxes.

For VR Users and Visitors: Stay vigilant! Recognize, report, and respond to threats like phishing links or impersonation to the respective VR platforms. Another aspect that may seem very basic, but remains key to countering social engineering – don’t trust strangers in virtual worlds!

Finally, whether you are a new user or a seasoned creator and developer, THINK Security, INCORPORATE Privacy, and STAY Vigilant as you cross this new frontier of virtual reality.

¹ http://variety.com/2017/digital/news/virtual-reality-industryrevenue-2017-1202027920

Kavya Pearlman is the Information Security Director at Linden Lab, the developer of virtual world Second Life and social VR platform Sansar. Prior to Linden Lab, Pearlman advised Facebook's Information Security Team on mitigating third party security risks. Her security career has also led her to hold roles as an ISMS Manager for a corporate immigration law firm, a Network Security Analyst for Allstate Insurance, and founder of her own independent cybersecurity research company. Kavya holds an MS in Network Security from DePaul University, Chicago. She is also a CISM (Certified Information Security Manager) and a certified PCI-DSS ISA (Internal Security Assessor). Pearlman grew up in India and immigrated to the United States in 2007.


How Basic Cyber Hygiene Can Lead to More Effective Vulnerability Assessments
Sometimes, the best first steps to assessing an organization's vulnerabilities are the basics: understanding what's on the network and how valuable it truly is to cyber criminals
By Matthew Dunn

As the Supervisor of an FBI Cyber Crimes Squad, I often heard many victims, including small businesses and local government entities, say they had never considered themselves a viable target. This lack of awareness was due in large part to the fact they didn’t believe they had sensitive or profitable information on their networks that would be highly sought after by cyber criminals. These victims failed to recognize that, in today’s world, most information can be monetized and criminals will attempt to steal anything they can offer on a multitude of sites on the deep and dark web. Additionally, most victims never spent time analyzing who their adversaries could be and then developing a strategy to mitigate risks from these attackers.

Many people talk about the need to develop a plan to address vulnerabilities. While there are a plethora of technical vulnerability scans you can run on your network and systems, this is almost putting the cart before the horse. A network inherently consists of many systems. The results of a broad vulnerability scan across the entire network could easily overwhelm an IT department, especially one within a local government agency or small business with limited resources.

For cyber vulnerability assessments to be effective, you must know your network and understand your critical data assets – that’s the essential foundation of a strong cyber hygiene program.

Case in Point: How a Lack of Cyber Hygiene on a Local Government’s Network Delayed Remediation

A local government was recently victimized by ransomware, which impacted the municipality’s police and fire dispatch systems, online utility payment system, centralized accounting system, and many other critical segments on its network. Upon initial consultation with responding law enforcement, it was revealed the IT Director was unaware of how many servers were on the network. This lack of awareness delayed the initial remediation, especially when combined with limited viable backups for restoration. This case was very typical of the data breaches I witnessed in my career with the FBI, especially those concerning local government or small business victims.

Beware .gov Portal Privilege Policies and Configuration

Many local agency websites are accessed through a main .gov portal. Although this is convenient for constituents, a common lack of basic cyber hygiene, such as instituting a policy of “least privilege,” accentuates vulnerabilities to the network. Threat actors easily identify this vulnerability and through a variety of techniques (phishing, social engineering, credential theft, etc.) are able to gain access to an employee’s account and then move laterally across the network, exfiltrating PII or other sensitive data and/or encrypting files across numerous systems in a ransomware attack.

Protect Your Network

Vulnerability assessments need to start with the basics. Once you have a thorough understanding of the configuration of your network and where critical data is stored, you can start to reduce your vulnerabilities through a strong set of fundamentals:
- Least privilege policies
- Deletion of unused email addresses
- Strong password policies
- Multi-factor authentication
- Viable backups
- Application whitelisting
- Configuration management

Join “Cyber Security Anonymous”

Being able to recognize threats is essential in creating an effective cyber vulnerability assessment. In law enforcement, we referred to this as the first step in joining Cyber Security Anonymous – admitting you are a target. Once you’ve accepted the fact that no matter who you are, you possess information sought after by cyber criminals, you can begin to assess the vulnerabilities of the network where that critical information is stored. The vulnerability assessment process cannot be relegated solely to your IT department, especially since many of its strategic drivers will go beyond technical concerns. The C-Suite or government leaders must participate in the vulnerability assessment, since they may view the entity’s critical assets differently than those identified by the CISO or other IT department personnel.

Meeting with industry executives in similar roles or participating in federal and local law enforcement and private sector information-sharing platforms, such as InfraGard, can provide timely intelligence regarding current and emerging trends employed by cyber threat actors. Knowing the tactics, techniques, and procedures (TTPs) typically deployed to gain access to your network is crucial. This will help you reduce the overwhelming results from a vulnerability scan and concentrate on mitigating high-priority risks to systems that hold your critical data.

Today’s threat actors are constantly evolving TTPs to gain access to victims’ networks. Implementing a strategy of defense-in-depth through measures such as least privilege, strong passwords, multifactor authentication, application whitelisting, and configuration management is fundamental to cyber hygiene. They must be part of your cyber security strategy to allow you to effectively remediate flaws identified through a vulnerability assessment.

Matthew Dunn is an Associate Managing Director of Kroll's Cyber Security and Investigations Practice. Prior to Kroll, Dunn gained decades of service with the FBI, as well as in the practice of law, handling litigation matters in both federal agency and private practice contexts. While with the FBI, many of Dunn's assignments involved global investigations, which informs his perspective on cyber and other threats.


Cyber Tips & Tricks
This Quarter’s Tip: Cyber Spring Cleaning
by Freisi M. Alfonseca, Cyber Intelligence Analyst, MS-ISAC

Spring is in the air and the time has come again for some digital spring cleaning. Prior to ushering in the warmer weather, roll up your sleeves, and take time to perform a few digital chores. On this year’s to-do list be sure to include: device and software inventory, software updates, secure device disposal, email inbox clear outs, and password updates.

It is becoming easier and easier to accumulate Internet connected devices. Just think about the number of laptops, tablets, phones, and smart devices in your office and home. If you’re struggling to remember all of what you have, it’s probably time to take a few notes from the building blocks of cybersecurity, the CIS Controls. Controls 1 & 2 lead you on the path to “know thyself” through the inventory of devices and the software running on them. Once those steps are complete and you know the lay of your lands, Control 4 advocates keeping your devices secure. How do you make sure all that hard work was not for naught? Updates are a necessary evil! Sometimes they take a long time, but it’s all worth it in the end to ensure the security of your devices. Simplify your life by setting up automatic updates that run while you don’t plan on using your device − this has the added benefit of ensuring you don’t forget to update.

After inventorying the devices, you may find you have accumulated a miniature museum of obsolete technology! Yes, I am talking about that stack of eight-inch floppy disks and 56KB modem in your basement. If you decide that you would like to get rid of a few hunks of metal and plastic gathering dust, be sure to securely recycle them. All hard drives and components that contain sensitive data should be shredded or destroyed to eliminate the risk of a cyber threat actor getting their hands on the information. Perhaps you don’t want to get rid of devices; instead, give them a facelift. Dispose of the unused apps and old downloaded items on them. Be sure to empty the recycling bin/trash bin to fully remove those files.

The security of your devices shouldn’t be the only security concern on your mind. Social media accounts can be awesome, but you should be confident the information exposed to the public is appropriate and intentional. Be sure to review the security and privacy settings on your social media profiles to ensure they are suitable to your needs.

Let us not forget about old emails, as our inboxes deserve a good scrub, too. During your spring cleaning, take the opportunity to clear out the emails sitting in your inbox, subfolders, and the trash folder. Then, make sure to also delete any emails containing sensitive information that is no longer needed or at the least, download that information to a safer location.

The spring cleaning process could not be complete without the updating of passwords! We’re all guilty of it, holding onto a password for years at a time because it is so effortless to remember. Alas, this is a huge security risk, particularly if this password has been used time and time again across accounts. If you haven’t already heard, NIST published new digital authentication standards. This is especially important for accounts that bar access to financial information, personally identifiable information (PII), and electronic health records. Make yourself a tall glass of lemonade and get cracking at making your new passwords!

These spring cleaning digital chores will help refresh your cybersecurity posture and will ease your mind, so you can enjoy the warm weather and fresh flowers.


Kroll’s experienced leaders help clients make confident decisions about people, assets, and operations across the globe.

INVESTIGATIONS AND RISK MANAGEMENT SOLUTIONS Cyber Security & Incident Response

Business Intelligence & Due Diligence

Fraud & Corruption Investigations

AML & ABC Compliance

Asset Search & Recovery

Third-Party Screening

Dispute Advisory & Litigation Support

Security Risk Management

kroll.com/CIS


MS-ISAC Update

The MS-ISAC Membership Reaches a Significant Milestone

2018 is off to a great start for the MS-ISAC Stakeholder Engagement team! Through our continued hard work, thousands of miles of travel, countless phone calls, and untold speaking engagements, the team has continued to foster incredible growth and help strengthen the cybersecurity defenses of the state, local, tribal, and territorial (SLTT) community.

On February 15th, the City of Pflugerville, Texas, became our 2000th member! Since our inception in 2010, we have steadily increased our membership and our commitment to local governments is paying very big dividends. With our increased focus and greater reach, we hope to surpass the 3,000 member mark in short order. Every day, the MS-ISAC community continues to grow larger and stronger, and we look forward to 2018 being our most successful year yet! Thank you to all of our current members for touting us to the greater community. Without your efforts on our behalf, we would not have achieved this goal.

2017 Nationwide Cyber Security Review Summary Report

In June of 2009, the U.S. Department of Homeland Security (DHS) was directed by the United States Congress to develop a cyber-network security assessment that would measure gaps and capabilities of state, local, tribal, and territorial (SLTT) governments’ cybersecurity programs. The first Nationwide Cyber Security Review (NCSR) was conducted in 2011 by DHS. In 2013, DHS partnered with the Multi-State Information Sharing & Analysis Center (MS-ISAC), the National Association of State Chief Information Officers (NASCIO), and the National Association of Counties (NACo) to develop and conduct the second NCSR. Since 2013, the NCSR has been conducted on an annual basis, and 2017 marked the sixth year the self-assessment has been conducted.

The 2017 Nationwide Cyber Security Review Summary Report will be available Q2 of 2018 and can be found at https://www.cisecurity.org/ms-isac/services/ncsr/. The results are based on participation from 476 SLTT entities broken down by 45 states, 129 locals (representing 39 states), 5 tribes, and 297 state agencies. The report will provide insight on the level of maturity of the SLTT’s information security programs from year-to-year. Using the results, DHS and MS-ISAC will continue to work with our partners on improving the overall cybersecurity maturity of the SLTT community. For more information or to register for the 2018 NCSR, please visit us at https://www.cisecurity.org/ms-isac/services/ncsr/


SQL: Security Quotes & Letters From Our Readers
Security Knowledge, Anecdotes, and Advice from Our Community

Welcome to our inaugural edition of our latest addition to Cybersecurity Quarterly, "SQL: Security Quotes and Letters from Our Readers." Each issue, we'll feature quotes and bits of knowledge shared by our readers from the SLTT community on how their organizations are handling and addressing unique cybersecurity-related issues and problems they're facing.

"Spectre and related bugs are an example that you need to be suspicious of all hardware, even if it's from a Fortune 100 company. We all make mistakes, which is why I keep a zero trust environment. It is not that I’m paranoid; it is just it's easier for me to start from distrust and move to trust, than the other way around!”
- Anonymous Reader, Deputy ISO from State Government Agency

“While there are a lot of questions around GDPR and its impact, it is sure to force many people to think hard about where their data is and who is responsible for it. Even as a county government, we need to think about it. While we may not have many European citizens living in our county, we do have a popular national park within our borders that gets a lot of international tourists. Understanding what personally identifiable information these tourists may have shared with us was one of the first things I did.”
- Anonymous Reader, Governance and Compliance Manager from County Government

“Security orchestration is the new watch word it seems. What’s interesting is a lot of people conflate it with automation, when in reality it’s a different beast. Automation means people are stepping out and machines are taking over. Security orchestration is man and machine working together to better manage the plethora of software, devices, and tools we all have nowadays.”
- Anonymous Reader, IT Security Analyst from State Government

"There is no 'S' in IoT" (referring to security)
- Anonymous Reader, Senior IT Manager for Regional Water Utility

If you have any valuable insights or advice that you believe would be useful to share with your peers in the industry and would like to be featured in our next edition of "SQL: Security Quotes and Letters from Our Readers," we invite you to share them with us. You can send your submission via email to info@cisalliance.org.


Upcoming Events March March 29th New York University (NYU) will be hosting another installment of its NYU Cyber Lecture webinar series, Dispelling the Top 10 Myths of Cybersecurity, featuring CrowdStrike Co-Founder & CTO Dmitri Alperovitch. During the webinar, Alperovitch will share his experiences from the cyber equivalent of hand-to-hand combat with some of the most sophisticated intrusion actors and dispel the top 10 popular misconceptions that most people have about cybersecurity. For more information, visit http://cyberlecture.engineering.nyu.edu/

April April 3rd - 6th The Alliance for Innovation will be holding its Transforming Local Government Conference in Tacoma, Washington, bringing local government leaders together to learn innovative solutions to problems they face. CIS IT Security Program Manager Jamie Ward and Stakeholder Engagement Program Manager Paul Hoffman will lead a learning lab at the event on cybersecurity for local government. SLTT governments can receive special rates on registration. Contact the CIS CyberMarket team for more details. April 4th - 8th The 2018 MS-ISAC Annual Meeting will take place at the Intercontinental Hotel in New Orleans. MS-ISAC members from all 56 states and territories, as well as many local government, tribal, and fusion center representatives from across the country will gather together to learn from and network with their peers in state, local, tribal, and territorial (SLTT) government. The theme for this year's meeting is “Embracing Change and Staying Secure," and will feature a number of educational keynote and breakout sessions geared toward our MS-ISAC members and the challenges that they face on a daily basis during the event.

26

April 10th - 12th
EDUCAUSE will hold its 16th Annual Security Professionals Conference at the Renaissance Baltimore Harborplace Hotel, bringing together security professionals from the education sector to network and learn about the latest issues facing the industry. CIS Senior VP Tony Sager will be delivering the closing keynote for the event.

April 12th - 13th
The Commonwealth of Virginia Information Security Council will be holding its 5th Annual Commonwealth of Virginia Information Security Conference at the Altria Theater in Richmond, Virginia. The event will bring together information security professionals from across the state to share ideas on managing, auditing, and assessing security for their organizations. CIS Senior Director Ryan Spelman will be leading a breakout session at the event on cyber threats, best practices, and resources for state and local governments.

April 16th - 20th
RSA Conference 2018 will take place at the Moscone Center in San Francisco. IT security leaders and professionals from around the country will gather at this premier industry event to learn about new approaches to information security, discover the latest technology, and interact with top security leaders and pioneers. Technical Product Manager for the CIS Controls, Philippe Langlois, will be speaking at the event.

April 22nd - 24th
The National Association of Chief Information Officers (NASCIO) will be holding its NASCIO Annual Midyear Conference at the Hilton Baltimore, where state government IT leaders and professionals from across the country will gather to network and learn about the latest issues facing state governments.

April 30th - May 2nd
The National Security Institute will be holding its 33rd Annual Impact 2018 Security Forum at the Westfields Marriott in Chantilly, Virginia. The forum will bring together government and contractor security leaders to discuss the latest security threats and challenges. CIS Executive VP Curtis Dukes will be speaking to all attendees from the main stage on proactive defenses against cyber threats.

May

May 7th - 8th
(ISC)2 will be holding Secure Summit DC at the MGM National Harbor in Oxon Hill, Maryland, bringing together cybersecurity professionals to equip them to tackle today's threats and arm them with the knowledge, tools, and expertise to better protect their organizations. CIS Senior VP Tony Sager will lead a breakout session at the event on lessons learned during his long, storied career at the National Security Agency (NSA).

May 8th - 10th
The Critical Infrastructure Association of America (CIAOA) will be holding its HACKNYC 2018 Conference and Expo at 11 Times Square in New York City. The event will bring together leaders and professionals from critical national infrastructure to share ideas on how to fortify the defenses of our nation's critical infrastructure and prevent cyber attacks.

May 13th
Cyber Security Summit: Dallas will take place at the Ritz-Carlton Dallas, bringing together senior executives, business leaders, and senior cybersecurity professionals to learn about the latest threats from industry leaders. CIS Senior Director Ryan Spelman will be a featured panelist at the event, speaking on ransomware. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

May 20th
The Public Technology Institute (PTI) will hold its National Symposium on Cybersecurity & Local Government at the NACo/NLC Local Government Leadership Center in Washington, DC. The event provides a forum for local governments and the cybersecurity industry to share how communities can balance the needs for security and innovation. MS-ISAC Director of Stakeholder Engagement Andrew Dolan and others from the MS-ISAC team will speak at the event on a number of important cybersecurity issues facing SLTT governments today.

May 31st
SC Media will be holding its 12th Annual RiskSec Conference at Convene at 237 Park Avenue in New York City. The event will bring together cybersecurity leaders and professionals to network and learn insights from industry thought leaders. CIS Senior VP and Chief Evangelist Tony Sager will lead a breakout session at the event on best practices in building and maintaining security.

June

June 5th
Cyber Security Summit: Boston will take place at the Westin Copley Place, bringing together senior executives, business leaders, and senior cybersecurity professionals to learn about the latest threats from industry leaders. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

June 18th - 20th
Norwich University College of Graduate and Continuing Studies will be holding its 2nd Annual Cyber Security Summit at its campus in Northfield, Vermont. Norwich alumni and other industry professionals will come together to explore and discuss the latest in cybersecurity policy, from both the federal level and the practical application of that policy at the local or business level. CIS President and COO Steve Spano will be speaking at the event on how to connect C-Suite and IT professionals to better assess and address security posture and business risk.

June 28th
Cyber Security Summit: DC Metro will take place at the Ritz-Carlton, Tysons Corner in McLean, Virginia, bringing together senior executives, business leaders, and senior cybersecurity professionals to learn about the latest threats from industry leaders. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.



Confidence in the Connected World

Copyright © 2018 Center for Internet Security, All rights reserved.

CIS CyberMarket

Interested in being a contributor? Please contact us:
info@cisalliance.org
www.cisecurity.org
518.880.0699

Cybersecurity Quarterly (Spring 2018)  

The Spring 2018 issue of Cybersecurity Quarterly, the official digital publication from CIS
