Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012

Transcription

1 Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives Initiation date: January 2012 Completion date: June 2012 Nomination submitted by: Samuel A. Nixon Jr. Chief Information Officer Commonwealth of Virginia Virginia Information Technologies Agency June 3, 2013

2 Executive Summary In order to strengthen the Commonwealth of Virginia s information technology (IT) infrastructure against cyber attacks from an ever-expanding and evolving field of threats, in 2012 Commonwealth Security and Risk Management (CSRM) at the Virginia Information Technologies Agency (VITA) launched an initiative to evaluate the state of IT security programs and identify and minimize the most significant IT risks that affect the commonwealth. CSRM has become more effective at blocking cyber attacks on commonwealth systems. The primary objectives for the commonwealth s cyber security strategy are to: Prevent cyber attacks against the commonwealth's critical infrastructures Prevent theft of commonwealth data Reduce the commonwealth s vulnerability to cyber attacks Increase the commonwealth s ability to respond quickly and effectively against cyber attacks, minimizing damage and recovery time Establish cyber security knowledgeable workforce Establish cyber security resources at commonwealth agencies Improve cyber security situational awareness Identify and remediate risks to commonwealth data Establish IT infrastructure impact analysis To fulfill these objectives, CSRM created the Commonwealth IT Risk Management Program to expand the existing information security program. The purpose of this program is to identify where the most significant risks to the commonwealth exist, prioritize resources and efforts based on risk, ensure that IT and business leaders in state agencies understand the risks, set a risk threshold for the commonwealth as a whole, and ultimately use the knowledge acquired to strengthen the commonwealth s IT security posture. While the whole program is a long term project, the first step of the program was to do a comprehensive analysis of the threats impacting the Commonwealth as a whole. The analysis included a review of the security infrastructure in place protecting the IT environment and the identification of areas where improvements could be made. The review lead to an overhaul of the security infrastructure to increase the effectiveness of existing tools and introduce new capabilities to help defend the commonwealth environment. The outcome of this overhaul was an overall decrease in the number of successful attacks due to an introduction of additional content filtering, better correlation and identification of threats to systems, and additional monitoring tools increasing the effectiveness of security incident response.

3 Business problem and solution Information security is and will continue to be a major concern in the field of IT. Any lapse in the IT security readiness of the commonwealth could potentially lead to numerous undesirable outcomes. An information security event impacting a system supporting key commonwealth business functions could adversely impact the state s finances, or even result in the theft of data from commonwealth citizens and employees. Significant data breaches, such as those that occurred in the past year in South Carolina and Utah, result in significant costs. For example, the data breach at South Carolina s Department of Revenue reportedly will cost the state more than $20 million. The costs associated with the Utah Department of Health data breach are estimated to fall between $2 million and $10 million. It is therefore imperative that the commonwealth maintain a strong and consistent security posture in order to resist cyber attacks and defend against data loss and loss of critical business functions. This increased threat to the commonwealth from cyber attacks is quantifiable. In 2012, the number of security incidents increased by 20 percent. That increase comes on top of the 40 percent increase in security incidents seen in Security incident trending has been steadily increasing over time, such that the commonwealth is averaging 3 incidents per business day. In response to the data collected, CSRM has made upgrades to the commonwealth s security infrastructure, including the installation a new filter that reduces malicious Web traffic, an update to antivirus and intrusion detection technology that allows for more sophisticated detection and prevention of the most current style of cyber attacks, an event correlation engine and real-time full network inspection capabilities. The data collected and the resulting changes made have significantly improved the commonwealth s ability to resist cyber attacks. The threat management program was the first step to implementing the overall risk management program and Virginia will continue to build on this work in the coming year with the upcoming Risk Management Program. The primary goals of the Risk Management Program will include ensuring that senior leadership understands the risks they are subject to, identifying risks to systems that support the mission essential functions of the commonwealth, and determining where to direct resources in order to mitigate the most risk. CSRM will utilize the results of the risk analysis to set a risk threshold for the commonwealth. Agencies then can work toward staying within the identified risk threshold and understand the potential impact of exceeding that threshold. Significance of the project This project has numerous beneficiaries, including the commonwealth s agencies and citizens that use and rely upon the state s consolidated IT infrastructure to do business and receive services. These stakeholders benefit from the IT security infrastructure s increased resilience to cyber attacks and the decrease in the amount of malicious activity that has been recorded as a result of this project. Fewer effective cyber attacks

4 and security incidents mean a more secure environment for government business functions and the storage of citizen and agency data. This initiative aligns with objectives of the commonwealth s IT strategic plan, which call for the commonwealth to ensure a trusted and reliable technical environment, by ensuring anytime, anywhere service levels and protecting the assets, credentials and privacy of Commonwealth of Virginia systems and their users. Additionally, the project sets the state for better fulfillment of objective 3.3, where creating risk assessment data and best practices will help promote awareness and understanding of the roles and responsibilities of providers and users of commonwealth systems. This program also aligns with the Security priority ranked third on NASCIO s list, State CIO Priorities for 2013, and consisting of: risk assessment, governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third party security practices such as outsourcing increases and determining what constitutes due care or reasonable. Benefit of the project The completion of this project generated clear benefits for the commonwealth. The amount of essential data gathered during the risk management assessment was substantial, and CSRM now is even better informed of the current state of IT security in Virginia. The commonwealth continues to be a target for malicious attacks. While malware infections continued to be the top category for security incidents, there was a significant increasing in phishing incidents. There are additional indicators of the size of the cyber threat to Virginia in the data collected from the commonwealth s primary data center. The commonwealth received 117,842,683 alerts, or approximately four malicious attacks per second in Most attacks were not successful, and the information gathered will be immensely helpful in preventing future attacks. Based on this threat analysis, CSRM conducted an extensive overhaul of the security infrastructure, which included the addition of a filter that reduced malicious Web traffic, updates to antivirus and intrusion detection technology, upgrades to the event correlation engine, and the addition of real-time network inspection devices. The combination of these changes has resulted in a significant decrease in the number of attacks affecting commonwealth systems and added insight into the situational awareness of the security environment. The results also impacted the number of security incidents recorded. The tangible benefits of this overhaul are clear. The number of cyber attacks on the state s IT infrastructure was cut significantly, from over 14 million attacks in August 2012 to less than 7.5 million attacks by December. In 2012, the commonwealth filtered 698,942,080 spam messages and blocked 47,698 viruses from reaching commonwealth assets. Security personnel are constantly fine tuning the security environment to prevent unsolicited and malicious from reaching the state

5 employees computers. As a result, users do not realize how much spam is blocked from their mailboxes.

6 Information collected under the IT Risk Management Program also will help with future efforts. CSRM is investigating whether it can use the risk management data to implement a corresponding risk remediation process. The intent of the process will be to notify the appropriate parties at state agencies of their agency s particular risk and offer a possible solution with a corresponding implementation time frame. The risk remediation process will help agencies by enabling the assignment of resources for remediation when the agency is unable to address issues in a timely fashion.