NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Similar documents
National Cybersecurity Assessment and Technical Services: Capability Brief. Presented by: Sean McAfee Updated: May 5, 2014

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Patch and Vulnerability Management Program

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Critical Security Controls

THE TOP 4 CONTROLS.

The Value of Vulnerability Management*

Cisco Security Optimization Service

Current IBAT Endorsed Services

Seven Strategies to Defend ICSs

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Information Security Organizations trends are becoming increasingly reliant upon information technology in

Continuous Network Monitoring

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

LogRhythm and NERC CIP Compliance

Information Security Office

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Information Technology Security Review April 16, 2012

Managing Vulnerabilities For PCI Compliance

White Paper The Dynamic Nature of Virtualization Security

Network Security and Vulnerability Assessment Solutions

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Extreme Networks Security Analytics G2 Vulnerability Manager

YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next

Incident Response. Six Best Practices for Managing Cyber Breaches. Nick Pollard, Senior Director Professional Services EMEA / APAC, Guidance Software

Attachment A. Identification of Risks/Cybersecurity Governance

IBM Security QRadar Vulnerability Manager

Management (CSM) Capability

CA Vulnerability Manager r8.3

IBM Managed Security Services Vulnerability Scanning:

OCIE CYBERSECURITY INITIATIVE

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

Network Access Control in Virtual Environments. Technical Note

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Managing non-microsoft updates

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Cisco Advanced Services for Network Security

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

2015 Vulnerability Statistics Report

Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name

A HELPING HAND TO PROTECT YOUR REPUTATION

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Cautela Labs Cloud Agile. Secured.

Cybersecurity and internal audit. August 15, 2014

TRIPWIRE NERC SOLUTION SUITE

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

How To Test For Security On A Network Without Being Hacked

Vulnerability Management

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

Payment Card Industry Data Security Standard

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

The Protection Mission a constant endeavor

Fusing Vulnerability Data and Actionable User Intelligence

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Network and Host-based Vulnerability Assessment

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

Click to edit Master title style

How To Audit The Mint'S Information Technology

Top 20 Critical Security Controls

End of Support Should Not End Your Business. Challenge of Legacy Systems

Maruleng Local Municipality

IT Risk Management: Guide to Software Risk Assessments and Audits

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

Getting Started with the iscan Online Data Breach Risk Intelligence Platform

Carbon Black and Palo Alto Networks

REPORT State of Vulnerability Risk Management

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

STATE OF NEW JERSEY IT CIRCULAR

Incident Response. Six Best Practices for Managing Cyber Breaches.

Complete Patch Management

BUILDING AN EFFECTIVE VULNERABILITY MANAGEMENT PROGRAM. Henrik Åkerstrand Account Executive Nordics

Obtaining Enterprise Cybersituational

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Bringing Continuous Security to the Global Enterprise

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

WEB APPLICATION SECURITY TESTING GUIDELINES

Patching & Malicious Software Prevention CIP-007 R3 & R4

Ovation Security Center Data Sheet

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

IBM QRadar Security Intelligence April 2013

End-user Security Analytics Strengthens Protection with ArcSight

Managing IT Security with Penetration Testing

Verve Security Center

Transcription:

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Executive Summary BACKGROUND The NYS Local Government Vulnerability Scanning Project was funded by a U.S. Department of Homeland Security State Homeland Security Program (SHSP) grant from FY 2007. The objective of the project was to perform vulnerability scans 1 of New York local governments networks, compile scan results, and recommend mitigation methods, techniques, and procedures based on an analysis of the scan results. This effort was expected to result in a reduction of the cyber risk facing local governments. The project consisted of network vulnerability assessments performed by the New York State Office of Cyber Security (OCS) using the QualysGuard scanning tool. The project focused on externally accessible computers and networks. While it is also important to identify and evaluate vulnerabilities in internal computers and networks, they were not within the scope of this project. The assessments were designed to detect known vulnerabilities, as well as open ports 2 and services 3 on the participants external networks. As the project progressed, OCS added web application scans to detect application-level vulnerabilities 4. Both types of scans were conducted according to industry best practices. The scans were performed from February 2009 through June 2010. Results of the scans were reviewed and analyzed by a trained security analyst. Initially the project focused on New York counties, cities, and towns, but expanded to include other local governments including police and fire departments, schools, and an airport. As a result, the final pool of participants represented a wide cross-section of local governments. Ultimately, the NYS Local Government Vulnerability Scanning Project provided a detailed view of the external security posture of 271 distinct local governments in New York. FINDINGS The scans resulted in the following findings: 2,889 confirmed vulnerabilities; 1,892 potential 5 vulnerabilities; 1 A vulnerability scan is an effort to identify and prioritize weaknesses on target systems with the goal of assisting organizations by ultimately improving the security of their target systems. Vulnerability scans provide a snapshot of the security posture at a given point in time. 2 A port is an application-specific or process-specific software construct serving as a communications endpoint. 3 Services are more commonly known for providing business needs such as email, web/internet and remote access. 4 For more information on application-level vulnerabilities see https://www.owasp.org/index.php/category:owasp_top_ten_project 5 Potential vulnerabilities include vulnerabilities that cannot be fully confirmed. These vulnerabilities require further verification. ~ 1 ~

an average of 6 total vulnerabilities per scanned host 6 ; 60 (2%) of the vulnerabilities were rated at a critical level (see chart below), meaning exploitation could result in complete system compromise; 44.8% of all hosts on participants networks had a serious (level 3 or higher) vulnerability. At least one host with a serious vulnerability was present on every participant s network; 30% of all vulnerabilities were attributed to web server software; 31.67% of vulnerabilities were due to insecure remote access implementations (the largest percentage of the critical vulnerabilities); 24% of local governments use a remote access method that has been known to be vulnerable for over ten years; and configuration issues and the use of outdated technologies (software/hardware) were determined to be the root cause of the vulnerabilities on most participants networks. Vulnerability Severity Levels OCS offered participants the opportunity to have multiple scans performed in an effort to evaluate remediation efforts and detect any new vulnerability that might have been introduced. Not all of the original participants opted for a recurring scan schedule. For the 198 participants receiving follow-up scans, 30.7% of all vulnerabilities were remediated on their networks. These participants also remediated 60% of the most serious (level 4 and 5) confirmed vulnerabilities. The report findings conclude that local governments can improve their cyber security posture with a few modifications and enhancements to current processes and/or configurations. These include: upgrading all end-of-life systems which are no longer supported to eliminate inherent security vulnerabilities; following a defined patch management 7 policy; eliminating insecure remote access configurations to enhance perimeter security; continuing periodic scanning as a part of its cyber security strategy; and 6 A host is a system or computer that contains business and/or operational software and/or data. 7 Patching is a process by which vulnerabilities are mitigated through regular scheduled updates to software. ~ 2 ~

following security best practices. As a result of the scanning process, OCS was able to aggregate the IP address spaces of the local governments. This aggregation allowed OCS to create and maintain a database inventory of addresses, owners, and owner contact information. The inventory enabled OCS to implement a no-cost custom alerting service to the local governments. Upon receipt of reports of malicious or suspicious activity from trusted third party sources, OCS is now able to check the IP address inventory against the suspicious activity source and notify local governments of a potential breaches in a timely fashion. This project improved capabilities of both OCS and the participating local governments by: providing the local governments with increased awareness of security issues; helping local governments confirm and understand their vulnerability exposure; helping local governments remediate discovered vulnerabilities; increasing OCS s intelligence gathering capabilities; and improving communication between the State and locals, thereby enabling: o data integration with several of OCS s existing services that allowed OCS to notify participants of problems discovered by Managed Security Services and Global Threat Monitoring Services ; and o improved situational awareness. Although the project has concluded, vulnerability scanning is still being delivered at no cost to the local governments and OCS plans to continue as long as funding allows. Conclusion Vulnerability assessments are a vital part of any information security program. Such assessments provide a high value service at a low cost. By systematically identifying and remediating vulnerabilities, an organization significantly reduces its exposure to exploits and attacks. Lessons Learned and Recommendations More needs to be done to educate local government about the importance of cyber security. With constrained financial resources, limited funding has been an impediment to securing the information assets of these governments. Through this project, we have found some governments that did not have any staff charged with security responsibility. We also found a wide range of aptitudes and skills related to information security within local government. Some participants were able to respond quickly to evaluate and remediate a discovered vulnerability, while others struggled to comprehend the scope of the vulnerabilities and the steps necessary to secure their networks. The following recommendations for local governments have been derived directly from the project s findings: Provide more education to staff regarding the importance of information security. Identify a person responsible for information security regardless of the size of the organization. ~ 3 ~

Follow best practices for building and hardening systems when deploying new systems to help alleviate configuration issues. Replace end-of-life and other outdated technologies. Keep software licenses up-to-date, thereby maintaining access to critical system patches that address current vulnerabilities. Have a defined patch management policy to properly secure systems. Improve the selection of services and software. Since many local governments rely on third party hosting for information technology needs, care must be taken in selecting those providers. Include security requirements in contractual agreements for third-party hosting of information technology. Include vulnerability assessments as part of its information security program.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information