Network Marketing Strategy - Overview of the Colorado Cyber Security Program

Transcription

1 COLORADO S CYBERSECURITY ASSESSMENT APPROACH Matt Devlin, CISA, CISM Deputy State Auditor September 30, 2014 Overview Colorado OSA and IT Audit Background State of Colorado IT and InfoSec Organizational Structures OSA s Cybersecurity Assessment Approach General description of what we have done in the past and what we are doing now Prior VA / Pen Test Audit (Nov. 2010) Current VA / Pen Test Audit (Dec ) Not a detailed or technical How To on VA / pen testing 2

2 Colorado OSA: Background Info OSA is under the Legislative Branch Reports to a nonpartisan Legislative Audit Committee (LAC) State Auditor is appointed to a 5 year term 3 Audit Divisions: Financial, Performance, and IT Approx. 70 auditors Produce about 50 to 55 products/reports year 3 Colorado OSA: Organizational Chart 4

3 Colorado OSA: Statutory Authority OSA has statutory authority to: Conduct audits of all state departments and agencies (Sec , C.R.S) Access at all times all of the books, accounts, reports, vouchers, or other records or information in any department, institution, or agency, including but not limited to records or information required to be kept confidential or exempt from public disclosure (Sec (2), C.R.S.) 5 Colorado OSA: IT Audit Division IT Audit Division: Est. in February 2006 (8 yrs., 8 mos. young!) 4 IT Audit Staff, Mainly Senior-level Auditors IT Audit Engagement Types: 1. Financial Audit Support (Statewide Single Audit) E.g., Fin. system ITGCs, SSAE 16 reviews, contractor audit reviews 2. Performance Audit Support E.g., MMJ, Vocational Rehab, Health Exchange, etc. 3. Standalone IT and InfoSec Audits (Technologies / Systems / Processes / Projects / Org. Unit) 6

4 FY 2014 Allocation of Audit Staff Performance Audits 47% Financial Audits 36% IT Audits 5% Other Work Products and Activities 5% Local Government Audit Reviews 7% 7 State of Colorado: IT Org. Structure Executive Branch Office of Information Technology (OIT) Est. in 2008 through legislation (SB ) Consolidation of IT from a decentralized model OIT sits under the Governor s Office Judicial Branch Separate IT (i.e., ITS) Legislative Branch Separate IT (i.e., LIS) 8

5 State of Colorado: InfoSec Org. Structure Executive and Judicial Branch Office of Information Security (OIS) Est. in 2006 through legislation (HB ) Consolidation of InfoSec (from a decentralized model?) OIS sits under OIT (i.e., the Exec. Branch IT Unit) Legislative Branch & Higher Ed. Institutions Excluded from OIS oversight, but have info. sec. reporting requirements 9 State of Colorado: IT & InfoSec Org Charts 10

6 CYBERSECURITY APPROACH: THE 2010 PEN TEST AUDIT Audit Objectives Objective #1 To review the Governor s Office of Cyber Security s progress in fulfilling the requirements of the Colorado Cyber Security Program (Section through 406, C.R.S.) 12

7 Audit Objectives Objective #2 To perform a covert penetration test of state networks, applications, and information systems Gain unauthorized access to state systems and data Simulate hacking attempts Test incident response 13 Audit Scope 14

8 VA vs. Pen Test Vulnerability Assessment assessment approach used to identify system weaknesses or vulnerabilities. Penetration Test assessment approach used to gain access to systems by exploiting or circumventing system weaknesses or vulnerabilities. Hacking vs Pen Test Difference Get Permission!!! Authorized by Governor s Office, State CISO, and other Dept. Mgt. 15 Audit Methodology In-house & Contract Audit OSA Partnered with 2 Contractors specializing in VA/pen testing Nonrisk-Based Approach Open to all state networks, applications, and systems Black Box no advance information on systems/networks/departments/agencies, etc. All attacks available; Nothing off limits! 16

9 Audit Methodology (cont.) Tests performed included: Network Scans (external /internal) Ports and Services Application/DB/OS Scans Patch Levels, Configuration Settings/Hardening Standards, Vendor Defaults, Brute Force, Website Security - Attacks to gain access to backend apps and DBs Social engineering Spam, Impersonation Physical-based attacks gaining unauthorized access to facilities and DCs What did we find?? 17 Office of Cyber Security Overall, the results of the Pen Test demonstrate that the State is at high risk of a system compromise and/or data breach. 18

10 Audit Results Relating to Objective #1: The Office of Cyber Security failed to successfully implement the Colorado Cyber Security Program, as required by statute. Info Sec Program Governance & Org. Structure Policy, procedures, and plans lacked definition, implementation, and enforcement InfoSec Operations & Controls InfoSec processes and controls lacked definition, implementation, and compliance All findings and recommendations were agreed to (or partially agreed to). 19 Audit Results (cont.) Relating to Objective #2: The State was at high risk of a system compromise and/or data breach by malicious individuals, including individuals both internal and external to the State. Hundreds of vulnerabilities identified Unnecessary and Insecure Ports, Services, and Utilities Exposed Management Interfaces Default and Easily Guessable Usernames and Passwords Unsecured Web Applications Lack of Internal Network Security Controls (e.g., network segmentation, hardening and patching, use of insecure network protocols, lack of IDS/IPS) 20

11 Audit Results (cont.) Relating to Objective #2 (cont.): Compromised or gained unauthorized access to: Numerous State Networks and Systems Lots of Sensitive and Confidential Information: Usernames and passwords (belonging to state employees and others non-state individuals) state employee records SSNs income levels birth dates contact information i.e., phone numbers and physical addresses. A data breach of this magnitude would have cost the State between $7 and $15 million to remediate (based on national averages at the time). All findings and recommendations were agreed to (or partially agreed to). 21 Audit Results (cont.) State of Colorado Penetration Test Results Risk Ranking by Network/System Network/System Component Tested External Network Testing Internal Network Testing Physical Security Testing Web Application Testing Social Engineering Modem Testing Wireless Network Testing Risk Ranking HIGH HIGH HIGH HIGH HIGH LOW LOW Source: Office of the State Auditor penetration test results. 22

12 Audit Results (cont.) Vulnerabilities by Severity High Medium Low Source: Colorado Office of the State Auditor. Key Vulnerability Areas 28.66% Web Apps 52.12% Web Server 5.48% Systems Other 13.74% Source: Colorado Office of the State Auditor. 23 Challenges First of It s Kind Audit OSA Authority to Conduct Pen Test? -Not specific Communication/Coordination All Business Management (as well as IT/InfoSec Mgt.) Very Complex IT Org, Systems, and Technologies Took a lot to plan, execute, and report Reporting Public vs. Private Info Diff. contractors partnering with OSA 24

13 Successes Information Security Posture Identified a Baseline! Raised Information Security Awareness within State Ops, the Legislature, and Public Increased OSA Authority new statute was created to allow our office to conduct ongoing VA s, pen tests, and technical security assessments after consultation and in coordination with, but not requiring the approval of, the CIO (Sec (1.5) et al, C.R.S.) 25 CYBERSECURITY APPROACH: CURRENT VA/PEN TEST AUDIT (TO BE RELEASED DEC. 2014)

14 Audit Objectives Objective #1: To conduct a vulnerability assessment, penetration test, and technical information security evaluation on state networks, applications, and systems. Objective #2: To gain an understanding of the root cause of identified information system security vulnerabilities. 27 Key Differences (vs. Prior Audit) Scope Size & Complexity Risk-based/Targeted (vs. Statewide/All-inclusive) White/Grey Box (vs. Black Box) Resulted in Fewer Networks, Systems, & Depts. No InfoSec Program Review Root Cause Analysis Focus Shorter Timeline Mar.-Dec (vs. more than 12 mos.) One Contractor (vs. 2 Prior) Simplify Communications & Processes Reports to Match OSA Style Communication With Management Simplified with 2 Entrance Meetings with IT/InfoSec Mgt. (vs. Business Mgt.) Reporting Public vs. Private Content Evaluation vs. Audit did not have to follow Yellow Book standards 28

15 Audit Scope Left Scope and Schedule Open in RFP The engaged contractor was required to work with us (OSA) to: 1. Define the networks, applications, and/or systems to be included in the scope,, based on risk; 2. Develop the audit schedule (working backwards from our LAC date). List of Scope Areas External Network (89,614 IP addresses) Internal Network (3, across diff. departments) Firewalls (10, mix of external & internal) Enterprise Apps (2, across diff. depts.) Web Apps (5, across diff. depts.) Social Engineering (spam to all Executive and Judicial Branch agencies) 29 Audit Results TBD Report to be released in December!!! Generalization: Lots of very similar findings as last time, indicating slow progress in maturing the state s info sec program 30

16 Outcomes (Expected) TBD but we re hoping to: Issue Two Reports Again: Management-level Report (Public ) Technical-level Report (Private) Provide Transparency & Value Identify System Vulnerabilities/Findings Identify Root Causes Raise Awareness of InfoSec Posture Provide Accountability Track Audit Findings & Recs Annual Report on Recommendations not Fully Implemented 31 Challenges New (and few) IT audit staff 1 contract monitor Independence Concern due to prior audit deputy moving into the CISO role New Contractor Get up to speed! Risk-based Scoping - Very complex IT organization and systems: Outdated technologies and systems Redundant systems New system developments 32

17 Challenges (cont.) Lots of Staff Turnover/Reorgs. Significant IT management turnover during the review, including: Secretary of Technology & State Chief Information Officer (CIO) Chief Technology Officer (CTO) Chief Operating Officer (COO) Chief Information Security Officer (CISO) Chief Customer Officer Director of HR Director of Enterprise Applications Communication/Coordination with appropriate management and staff 33 Challenges (cont.) Authority to conduct Pen Test Evaluations 2 separate but similar Rules of Engagement (for Exec. And Judicial Branch agencies/systems subject to our evaluation) Obtaining access to systems for credential testing Despite statutory authority (to access all state information and records) 34

18 Improvement Opportunities Tie Current Results to Prior Results to analyze trends about whether InfoSec is improving over time Multi-year Plan Continue risk-based coverage? Simplify Further smaller audits, dept.-specific Incident Response Testing Contractor Consistency to improve efficiencies in coordination of planning, fieldwork and reporting Develop In-house Expertise perform VA/pen tests using available tools and techniques 35 Questions? Contact me: