Hill Consulting, Inc.

Cybersecurity for Non-IT Executives

A Cybersecurity Solution by Gregory F. Hill, GIAC GSEC



Summary

Cybersecurity presents a risk to the entire organization[1] that transcends any single division or department, including Information Technology (IT). Cyber-attacks can originate from any area, so it is imperative that one or more executives with whole-organization authority have the responsibility for marshalling the forces to defend against them. The same high-level executives must also know how to react when IT or any other department discovers an attack.

The failure to react quickly and effectively may result in catastrophic consequences, as demonstrated by numerous news reports on high-profile organizations such as Target Stores, Equifax, and Yahoo. Executives do not need to be highly trained technical experts, nor do they need to be legal authorities, but they do need a plan of action and the authority to order an immediate response the moment a problem appears.

The key is appreciating the gravity of the situation. Former CIA Director General David H. Petraeus, in a recent speech, echoed the warnings of many others when he stated that every organization will get hacked, and went on to say “There is no single app or product or firm that is going to protect you from all of the different threats that are out there”[2].

In reality, Petraeus and the others may be significantly understating the problem. If the current growth of cybersecurity threats continues unabated, bad actors will attack every organization repeatedly. Simply put, those with the best defenses and responses will weather the onslaught, while it will hobble or destroy the unprepared, and this applies to every organization regardless of size.

In this rapidly evolving environment, some suggested approaches will not provide enough protection or effective responses in the current cyber threat landscape, either because they are out-of-date or because they were always inadequate solutions. This article will prepare managers to assess the maturity of their organization’s protection by determining whether any of its protections are based on inaccurate information (myths). It also provides recommendations for a proven, successful framework for implementing more effective cybersecurity.

Total commitment from both the IT department and top management is vital for protecting the organization, and recovering from Cyber-attacks. Upper management needs to be generally aware of cybersecurity threats and their solutions, and be able to determine the protection level of the organization. They need to acquire the knowledge to allow them to recognize ineffective concepts, such as “defending the perimeter” and “security by obscurity”. Most importantly, they need to insist on “Defense in Depth” and a plan for instantaneous, effective responses.

What is Cybersecurity

“Cybersecurity is the top threat facing business and critical infrastructure in the United States, according to reports and testimony from the Director of National Intelligence, the Federal Bureau of Investigation and the Department of Homeland Security.”[3]

Cybersecurity entails protecting all computer-related equipment and its contents from observation or destruction by unauthorized parties. At first glance, this may seem straightforward, but the planning and implementation of an effective system is, while not impossible, reasonably complex, particularly as management moves processing into cloud ecosystems that are not under the firm’s direct control. Even so, most executives (65%) “..believe they have appropriate in-house security measures in place, yet 80% had been victims of a successful cyberattack or breach in the previous year”[4].

Note: Links provided in this document are for additional context only. No claim is made by the author as to their accuracy, nor should any recommendation be construed or implied.
In addition, only a handful of enterprises have all of the technical skills required to implement a complete security program, so most must depend on appliances, software, services, consulting and education from outside firms if they are going to assemble an effective cybersecurity operation. Management must acknowledge “cognitive dissonance” (the difference between belief and actuality) and recognize the urgency and risk of not having effective cybersecurity in order to determine how much of a commitment is necessary.

AT&T Cybersecurity Insights, Volume 7, 2018 Verizon Data Breach Investigations Report (DBIR), Microsoft Security Intelligence Report Volume 23

Cybersecurity definition from WhatIs.com

The next section contains an overview of the risks most managers will need to consider and monitor.

The Risks 

The best way to justify a project and a call to action is to spell out a catastrophic downside, detail the damage that could occur if the project is not implemented, and quantify the likelihood that the downside will occur. In the case of cybersecurity, this is not a difficult task, given the statements from the Federal Government’s Intelligence Community, along with the frequent headlines in major news publications. Due to this publicity, many of the possible risks are well known, and publicly available surveys from AT&T, Verizon, and others are very helpful in specifying the risk by industry and workplace size.

What follows is a short list of some of the typical consequences of Cyber-attacks organized by the CIA (Confidentiality/Integrity/Availability) Triad security standard:

Confidentiality:

·         Confidentiality includes an organization’s proprietary and internal information, the loss and/or publication of which could cause customer relations problems, damage to reputation and competitive advantage, along with a host of other issues. A good example was the Sony hack attributed to North Korea, which exposed the internal communications of management, opening a veritable Pandora’s Box of problems with executive behavior and policies, and millions of dollars’ worth of proprietary information.
Fortune.com - Sony Pictures: Inside the Hack of the Century, Part 1
Bloomberg.com - Sony to pay as much as $8 million to settle data breach claims

·         Breaches can involve the theft of customers’ personal data which can be copied or removed and used for identity theft purposes, as has been reported recently by Target Stores, Home Depot, Equifax, Panera, Best Buy, Yahoo, Chili’s and many others. These attacks often result in lawsuits from customers, and fines from government agencies (see Case 1 below). This causes damage to reputation and customer goodwill, loss of business and potentially significant financial penalties.[5]
HuffingtonPost.com - Target To Pay $10 Million To Settle Lawsuit From Massive Data Breach

·         All 50 states have confidentiality breach reporting requirements[6], some of which include the possibility of civil penalties. In addition to embarrassment and financial consequences, these also require the expense and lost hours involved in satisfying the notification process. Health care providers are subject to Federal laws that impose stricter notification rules as well as fines.
NBCNews.com - Why State Data Breach Laws May Not Protect You
Summary of U.S. State Breach Notification Statutes

Availability:

·         All of an organization’s electronically stored information may be lost or held for ransom by malware that either deletes or encrypts important data on the network, such as documents and databases. Ransomware attacks, where encryption makes data unusable until it is decrypted using a digital key or passphrase, were up 400% in 2017, largely due to the WannaCry attacks perpetrated against businesses, governments and hospitals in 150 countries. Another ransomware variety called SamSam is blamed for a recent attack on the IT systems of the city of Atlanta, GA.[7]
WikiPedia - WannaCry ransomware attack

·         Denial of Service (DoS) attacks, or more commonly the Distributed (DDoS) variety, completely or partially block users from reaching an organization’s web site(s), resulting in lost business and client confidence, as well as disrupting communications.

·         Other malware, distributed through hacking, phishing attacks, social engineering, exploited web sites and downloads, and numerous other methods, can cause hardware breakdowns, operating system failures, communications disruptions, lost control of network devices, and many other disruptions that reduce the availability of computer resources. 

Integrity:

·         When the network’s integrity is compromised, the owner’s control of it is in jeopardy. At any time, the invader may take complete control, or can make undetected incremental changes over time that could cause incalculable damage.

·         Organizations using electronically controlled equipment may encounter massive outages or inaccurate readings from monitoring equipment, which could shut down entire systems, including power plants and other public utilities.[8]

Miscellaneous

In addition to the predictable risks enumerated above, there are the unpredictable consequences that unravel over time. Take the Target data breach discussed in Case 1 below, for example. After revealing the breach just before Christmas in 2013, which cost the retailer millions in sales, management acknowledged $61 million in breach-related charges which they expected to continue. Then in 2015 the store chain settled a $10 million lawsuit[9], agreeing to pay $10,000 to any customer that could prove financial damage. Later, in 2017 they settled the largest data breach lawsuit in history for $18.5 million, agreeing to further conditions that will not only cost them millions of dollars, but may affect their ability to compete in the marketplace with other retailers not shackled with the same restrictions.

NewsMax.com - Russia Hacks Critical Infrastructure

Wired.com - The CIA Secret to Cybersecurity That No One Seems to Get
CNN.com - Former NSA Director: China Has Hacked Every Major U.S. Corporation
ArsTechnica.com - DHS Warns of New Russia Hacks

How Risks Become Disasters

Cybersecurity exists to protect the organization from damage or complete shutdown from malicious activities directed toward computer systems or information. Fundamentally, IT departments primarily protect the computer network from outside intrusions by monitoring endpoints, usually connected through wired or wireless appliances called “routers”.

However, according to a digitalguardian.com article on July 26, 2017, 91% of all successful cyberattacks originate as “phishing” emails, which the IT department’s endpoint protections do little to prevent.

Simple observations are all that is necessary to determine if an organization is doing a good job of preventing social engineering attacks like phishing. Is plugging in and reading a USB drive allowed? Are there obvious posters about using strong passwords, not opening attachments, etc. in evidence? Are there cybersecurity reminder messages on computer screens? Is there evidence of recent reminders via phone, email, or other form of announcement in the last week as part of a continuing cybersecurity program? If not, the answer is “No, your organization is not protected”.

Phishing attacks become more sophisticated every day. Bad actors monitor communications and construct emails that appear to be from familiar sources, delivering safe-looking payloads with devastating consequences. In one case, a non-profit industry reference site was hacked and sent Microsoft Word documents to everyone who contacted the site. This correspondence looked exactly like an earlier legitimate notice, but when opened it allowed the illegitimate senders to get login and password information, which was then used in hacking attacks. Recently, a new European Union (EU) law, GDPR (General Data Protection Regulation), required that any company storing information about citizens of EU countries conform to stricter privacy guidelines and send notices to all of their customers. This flurry of notices with attachments from recognized Internet companies like Facebook, Twitter, Google, etc., provided excellent cover for bad actors going phishing. These cyber-criminals reproduced the official-looking notices and injected the attachments with malware to trick the unwary.

“Phishing” is an unfortunate nickname for one of the most dangerous and malicious genres of cyber-attacks. Very often, the intent is ultimately not to fish for individual information or credentials, but to destroy a complete business or network, or a step towards damaging a complete power grid or other infrastructure to cripple an entire metropolitan area, country, or region. Ignoring phishing attacks, or failing to counter them, probably will lead to disaster.

Risks to Managers or Why Should They Care?

The seemingly endless news reports about data breaches have one thing in common beyond heavy monetary and reputational costs: the disturbing trend that one or more high-ranking executives are usually fired or forced to leave. Simply put, upper management feels they must show their concern for the breach by finding someone else to shoulder the responsibility. Action taken higher up in the organization has greater public impact and visibility.

For example, in the Yahoo breach case, the company fired their top lawyer, and the CEO “took a seven-figure financial hit”[10].  At Target, the blame for the “resignations” of both the CEO (Chief Executive Officer) and CIO (Chief Information Officer) fell on the credit-card security breach[11]. A Cybersecurity Executive Order issued by the President on May 11, 2017 (reproduced in Appendix D below) clearly holds Heads of Agencies accountable for any breaches[12].

High-level managers have the most to lose when an organization suffers from a cyber-attack. Not only will the operational problems and their aftermath affect the mission, but also penalties and enhanced scrutiny from outside sources may jeopardize positions, careers, and the financial well-being of multiple executives. Subsequent lawsuits and criminal actions may also single out individual managers for damage claims.

Clearly, leaving this kind of risk to technicians (i.e., the IT Department), who may not fully appreciate or even care about the risks to upper management, is not a wise option. When the owners or board members feel the pressure and need to demonstrate that they understand the gravity of the situation, it will rarely seem like enough to blame a middle-management Network Administrator, so they are forced to fry bigger fish.

The buck stops here: 8 security breaches that got someone fired
Forbes.com - Target CEO Fired - Can You Be Fired If Your Company is Hacked?
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 11. 2017

Addressing the Risks

If you have read this far, you are now firmly ensconced in one of three camps: the “OMG, we’re doomed!” group, the “No worries, the IT Department has it under control” team, or the “OK, it is a big challenge, but we will find a way to deal with it” faction. In case it is not obvious, the right group is the last one because, while cyber risks are daunting and fearsome, they are not insurmountable. Managers can mitigate them with diligence and determination. To succeed, the first thing the manager must do is clear away the cobwebs of conventional thinking and false assumptions, in other words identify what is true and what is false.

Myths and False Assumptions

Myth: Cybersecurity is not strategic

Truth: The lack of cybersecurity makes strategic goals moot

A Cyber-attack has the potential to obliterate all of the strategic goals of an organization. For this reason, it is essential for cybersecurity risk to be incorporated into strategic planning and given equal emphasis with all major goals. This Forbes.com article repeated an observation burned into the consciousness of all security professionals and well-informed managers: “Unfortunately, there are only two types of organizations today: those that have been hacked and those that have been hacked but just don’t know it yet.”[13]

The previous examples (Target, Equifax, etc.) are cautionary tales, but they happened to huge organizations, ones with practically unlimited resources, which allowed them to take the unexpected hit and continue in business. Many businesses cannot survive the attack and aftermath, ceasing to exist. An integral part of any enterprise strategy should include a plan for how to handle the continuation of the business post-attack.

Myth: IT Alone Should Handle Cybersecurity

Truth: All departments must take responsibility

The biggest false assumption is the perception that the IT department will take care of cybersecurity because it is part of that department’s responsibility. The problem is that while it is possible that IT will handle most cyberattacks, they normally lack the perspective and authority to do a comprehensive job.

Inherent vulnerabilities in the IT-centric model are frequently first revealed during a catastrophic cyber-attack. In addition, even though management is more likely to acknowledge the risks in the wake of an incident, they do not often rethink their approach.[14] Most IT departments concentrate on increasing the availability and ease-of-use of computer systems, which may actually work against security goals, because most attacks originate outside of IT and inside the firewall.

All departments in an organization have assets in the form of digitally stored information, so cybersecurity requires the participation of all segments of the firm along with their managers. If the person responsible for cybersecurity is not a manager, or is a lower-level supervisor in the IT department, the logistics of collaborating with upper-level department heads to conduct an effective program will be more difficult.

Cybersecurity risks are equal to or greater than the other fundamental concerns of the organization. They may be more serious because, as the accounting firm Deloitte states in its “CFO Insights” series of advice for Chief Financial Officers, “While the average cost of a data breach may be well documented, the long-term effects on corporate reputation and brand significantly add to the toll.”[15] The same Deloitte article makes a strong case for “hands on” participation in cyber-risk mitigation by the CFO.

Management oversight is required to make sure the IT department prioritizes and addresses risks in conjunction with management policies. Even executing cybersecurity properly is no guarantee of success. Remember General Petraeus’ quote: “There is no single app or product or firm that is going to protect you from all of the different threats that are out there”.

In the same article, the General repeated something said by almost every security expert: your organization has already been hacked, so deluding yourself into thinking it has not is a mistake. This invalidates another traditional cybersecurity belief, that you can protect your organization with “Perimeter Security”.

Myth:  Perimeter or edge security is enough

Truth: No, it is not.

Perimeter Security or Edge Protection is a throwback to when most organizations connected to the outside world by a telephone wire connected to a 300-baud modem. The theory was that monitoring the only line to the outside world with software and hardware tools would prevent anything bad from getting into the network. These days, even the smallest institution has hundreds, if not thousands of connections, or “endpoints” that bad actors will exploit to gain entry to the network. Besides the main Internet connection(s), these may include any Wi-Fi, Bluetooth, RF, or cellular wireless devices, as well as any wired devices that may be available to outsiders, such as kiosks, metering equipment, etc. In addition, any outside computer or USB device connected inside the network is another potential endpoint, providing an entry for malware. If the IT department declares that they have covered cybersecurity because the perimeter is blocked, this should not be a comfort.

Myth:  Security through obscurity or nobody knows we exist

Truth: No individual or organization is too small to be attacked.

“Security through Obscurity” is a myth that postulates that an organization may be too small to attract the attention of bad actors or malware. This has never been true, but it is even less so now, when automated malware systems are designed to attack sites in sheer volume, regardless of size.

For example, current ransomware viruses attack everyone, from home users to giant corporations and governments. In addition, the goal of many attacks is to use equipment to form “botnets” that combine the computing power of networked computers as well as other connected devices, like cameras, routers, appliances, and any other smart gadgets. This is done to facilitate denial of service attacks, spam mail and message distribution along with other nefarious activities. These types of attacks may also have the effect of slowing or disrupting parts of the hijacked victim’s systems, as well as causing actual damage by overtaxing devices and overwriting data.

There is also the possibility of peripheral damage to the organization identified as the source of bad actor activity, such as insertion into the Internet’s version of the “No Fly List”, the DNSBL (Domain Name Server Black List). This curated list contains known spam and malware purveying servers by DNS domain.

When an organization’s hijacked mail server is used for some nefarious purpose, it may end up on the DNSBL. This can be especially costly to companies sending large volumes of emails, because mail servers all over the Internet will probably reject most of them. It may take several months of good behavior to get off the list.
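As an added illustration, not part of the original article, the following Python check is one a mail administrator could run to see whether one of the organization’s addresses appears on a DNSBL (the term normally expands to DNS-based Blackhole List). The query-name construction follows RFC 5782 for both IPv4 and IPv6; the 127.0.0.x return-code meanings are the ones Spamhaus documents for its ZEN zone (assumed current); the sample answers are constructed so the check runs offline, and the live network lookup is only used when no other resolver is supplied.

```python
"""DNSBL lookup check: is one of our addresses listed on a DNS-based blocklist?"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# A resolver maps a DNS name to one A-record string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Return codes documented by Spamhaus for its ZEN zone (assumed current).
# Other DNSBL operators publish their own 127.0.0.x meanings, so these are
# only applied when the queried zone is ZEN.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (low-reputation spam source)",
    "127.0.0.4": "XBL (compromised host, open proxy or bot)",
    "127.0.0.5": "XBL (compromised host, open proxy or bot)",
    "127.0.0.6": "XBL (compromised host, open proxy or bot)",
    "127.0.0.7": "XBL (compromised host, open proxy or bot)",
    "127.0.0.9": "SBL DROP (hijacked or criminal netblock)",
    "127.0.0.10": "PBL (ISP-declared dynamic/residential range)",
    "127.0.0.11": "PBL (Spamhaus-declared dynamic/residential range)",
}


def dnsbl_query_name(address: str, zone: str) -> str:
    """Build the RFC 5782 query name: reversed octets for IPv4, reversed
    hex nibbles for IPv6, followed by the blocklist zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))  # 32 hex digits
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the host resolver (needs network access)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN: not listed


def check_dnsbl(address: str, zone: str = "zen.spamhaus.org",
                resolver: Resolver = system_resolver) -> Dict[str, object]:
    """Query one address against one zone and interpret the answer."""
    name = dnsbl_query_name(address, zone)
    answer = resolver(name)
    result: Dict[str, object] = {"query": name, "answer": answer,
                                 "listed": False, "reason": ""}
    if answer is None:
        result["reason"] = "not listed (NXDOMAIN)"
    elif answer.startswith("127.255.255."):
        # Spamhaus signals query problems (blocked resolver, bad key) this way.
        result["reason"] = "lookup error reported by zone; do not treat as clean"
    elif not answer.startswith("127."):
        # A public address here usually means an expired, wildcarded zone or a
        # hijacked resolver: every address would look "listed".
        result["reason"] = "unexpected answer; verify the resolver before trusting it"
    else:
        result["listed"] = True
        if zone == "zen.spamhaus.org":
            result["reason"] = ZEN_CODES.get(answer, "listed (undocumented code)")
        else:
            result["reason"] = "listed"
    return result


# Constructed offline answers. RFC 5782 requires every DNSBL to list 127.0.0.2
# as a test entry and never to list 127.0.0.1. 192.0.2.25 stands in for a
# hijacked mail relay, and lapsed-dnsbl.test for an expired list domain that
# now wildcards everything to a web host.
SAMPLE_ANSWERS: Dict[str, str] = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "25.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "25.2.0.192.lapsed-dnsbl.test": "93.184.216.34",
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for system_resolver, answering from SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for addr, zone in [("127.0.0.2", "zen.spamhaus.org"),
                       ("127.0.0.1", "zen.spamhaus.org"),
                       ("192.0.2.25", "zen.spamhaus.org"),
                       ("192.0.2.25", "lapsed-dnsbl.test")]:
        r = check_dnsbl(addr, zone, resolver=fake_resolver)
        print(f"{addr:>12} @ {zone:<20} listed={r['listed']!s:<5} {r['reason']}")
```

To check a real mail server, call check_dnsbl with its public address and omit the resolver argument; a listing result is the cue to investigate the host for compromise before requesting delisting.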

Myth:  Smart Firewalls are a single-step solution

Truth: A Firewall is one part of a Defense in Depth strategy.

The myth says all you need is a “smart firewall”. Some amazing products are out there in the realm of firewalls that will intercept known attacks and even learn and evolve on their own to become more effective over time. Frequent updates from the manufacturer increase their power to recognize and reject new attacks. “Whitelists” and “Blacklists” programmed into the firewall appliance will only allow specifically approved applications to communicate on the network, or will stop known malware programs from spreading. Firewalls, whether hardware or software, serve as a solid base for a cybersecurity solution, but they need help.

Firewalls are the Maginot Line of cybersecurity, a term which has come to define “an impressive but often ineffectual means of protection or defense” (Bing.com) or “a metaphor for expensive efforts that offer a false sense of security” (Wikipedia.org).

Bad actors are the first to buy new firewalls on the market and are constantly working to find ways to exploit them. They are, at best, a strong layer in a multi-layered “Defense in Depth” system. Every firewall is breach-able, either through exploits in the firewall itself, or by circumventing it with phishing attacks, so additional measures are necessary.

In addition, the expense of maintaining firewalls increases with their effectiveness, as do the hours spent in maintaining them. They may also become a bottleneck due to their process of scanning, decrypting and encrypting all incoming and outgoing traffic, slowing down the entire network. Because they are inside the network, they provide no protection from attempts to block or intercept traffic on the outside, such as DNS attacks[16].  

Virtual firewalls, also called security clouds, may be less vulnerable to attack than hardware firewalls, and because they operate outside of the LAN, they may be effective for DoS attacks. Because they are cloud-based, they are also less likely to slow down LAN users.

No matter which type of firewall is used, it is never a complete solution on its own.

“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain.”
– Kevin Mitnick, “The World’s Most Famous Hacker”[17]

3 Common DNS Attacks and How to Fight Them

Myth:  Cybersecurity Insurance is enough

Truth: A good idea, but not alone.

In the latest AT&T Cybersecurity report mentioned previously, 28% of organizations polled planned to spend their entire cybersecurity budget on insurance, while 54% planned to include it as just one part of their overall strategy. The AT&T report went on to evaluate the reliance on insurance under the heading “Short-term thinking” as follows: “Too many enterprises are leaning on their cyber insurance policies to deal with the immediate financial fallout of a breach while ignoring long-term reputational damage. Their emphasis on the short term could do more damage to the business than loss of critical data.”

Insurance may be valuable as a financial risk mitigation strategy, but only as a small part of the overall cybersecurity strategy. The Federal Department of Homeland Security (DHS) is working to encourage the market for cybersecurity insurance with various programs and an information website.[18]

There is another reason that insurance alone is not a complete solution. In the case of the Equifax breach in 2017, for example, as many as 145.5 million people may have had their credit information (names, Social Security numbers, birth dates, addresses, credit card numbers, and driver’s license information) compromised. This was nearly half of the population of the United States[19]. Imagine that you were one of those people and Equifax announced, “Don’t worry about a thing, ladies and gentlemen! We have cybersecurity insurance so the amount of money we will lose is negligible!” In other words, insurance will not help regain a reputation or customer confidence.

Myth:  Cybersecurity is a goal

Truth: Cybersecurity is a continuous process.

Cybersecurity is a continuous, ever-changing process. Having effective cybersecurity must be a strategic goal, but success is measured continuously over time rather than reached once. Until the invention of a new Internet, sanitized of all flaws with the cooperation of every government and organization in the world, cybersecurity will forever require continuous effort and expense.

Myth:  Cybersecurity is nothing but a cost center

Truth: A good cybersecurity program yields many benefits.

Industry estimates for cybersecurity are trending towards 10%-12% of the total IT budget[20]. However, this is not cost without benefit. A good cybersecurity program potentially provides institutional memory, business continuity, informational assurance, employee empowerment, and competitive advantages.[21]

A detailed cybersecurity plan, documented and published, should be placed where it is available to every employee. The plan should also be backed up with training sessions and frequent reminders, including changes as they occur. Raising the cybersecurity level of every individual in the organization creates “institutional memory”, meaning that the knowledge continues even as the population changes. With a cybersecurity-educated workforce, the risk of organization-wide interruptions is reduced, along with the attendant costs. Data, as well as the users’ confidence in its accuracy, is enhanced when it is not damaged by interruption and possible corruption from cyber-attacks (informational assurance). A well-run cybersecurity program brings the entire workforce together with the idea that each person is equally important in the common effort to be vigilant and protective against cyber-attacks. This empowers employees, especially with liberal positive reinforcement, and translates to a workforce that is engaged in their work and has a competitive advantage because of the positive teamwork culture and the fact that they are seldom encumbered by the effects of cyber-attacks.

“Hackers find more success with organizations where employees are under appreciated, over worked and under paid. Why would anyone in an organization like that care enough to think twice before clicking on a phishing email?”[22]
– James Scott

Tech Beacon – 30 Cybersecurity Stats That Matter Most

Forbes.com - These are 10 Cybersecurity Myths That Must Be Busted

TechRadar.com – 6 Cybersecurity Myths That Need to Disappear

American Water Works Association Top 10 Cybersecurity Myths

Four Cybersecurity Myths Organizations Need to Bust

The Solution Plan

1. Establish a cybersecurity position independent of the IT department

2. Get the latest information

3. Use normal management practices

   a. List the risks

   b. List the current solution for each risk

   c. Determine the gaps

   d. Create plans to fill the gaps

4. Involve everyone

5. Keep evolving

Establish a cybersecurity position independent of IT

Many organizations have a Chief Security Officer strictly concerned with protecting physical assets. If there is a digital security officer at all, it is usually the Network Administrator in the IT department. The current trend is to add the digital responsibilities to the CSO, as evidenced by this passage in Chron.com, the online content of the Houston Chronicle: “Broadly, a CSO is the highest-level executive directly responsible for an organization's entire security function. Increasingly, CSOs are not only responsible for their organizations' physical security needs but also their digital or electronic security requirements, including computer networks. Because IT is now considered to be an area of vulnerability for companies, some are now using the title "chief information security officer, or CISO, instead.”[23]

Combining management of physical security with cybersecurity solves a number of problems. Physical security responsibility has always crossed all departments, because plant security involves every employee and every department has valuable physical assets to protect.

Cybersecurity has always shared those features, yet the person in charge was usually a subordinate of the IT Manager, not even at the management level. The Chief Security Officer always works at the highest management levels, because all of the Department Heads have a stake in protecting the physical assets of the company. It is finally becoming obvious that the same conditions exist with digital assets as well.

Smaller organizations may not have a CSO, or need one, because each individual is responsible for protecting the physical assets under their control, at the direction of upper management. Digital assets require a more technical solution, along with the same direction from upper management. All organizations are subject to the same cybersecurity dangers, regardless of size. Therefore, even if the enterprise is not large enough to have a CSO or CISO, there still must be a top-level manager maintaining a strategic plan.

Cybersecurity management is not a one-person job under any circumstances. In their “Tenets of effective cyber-risk programs”, Deloitte recommends adding an “Inspector General” to work along with the CISO and the CIO, who should also remain engaged: “Designate an “Inspector General.”

One leading practice employed by some companies is to shift the monitoring and investigation of cyber risk to an internal designee, whose role is like that of an Inspector General. That person is responsible for investigating a breach if it occurs and reporting it. The Inspector General does not own all of security, but can break the language barrier between cyber specialists and management. In some companies, for example, CIOs are charged with maintaining an adequate level of walls, but the monitoring or detection is done by someone in the CRO organization who reports up to the CFO.”[24]

Get the latest information

Start with the latest DBIR (Data Breach Investigative Report) prepared annually by Verizon. The cell phone giant investigates all of the previous years’ data breaches and significant incidents and arranges them by industry. Use this report along with others, like the ones previously mentioned by AT&T and Microsoft, to locate your firm’s industry to pinpoint what kinds of risks it may face and what strategies are likely to work against them. Make a list.

Next, visit the NIST (National Institute of Standards and Technology) site and become familiar with the NIST Cybersecurity Framework. In the words of current Secretary of Commerce Wilbur Ross: “Cybersecurity is critical for national and economic security. The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEO’s.”[25]

The framework, which is now mandatory for all Federal Agencies, is a model developed for both public and private organizations by stakeholders from government, industry, and academia. The current version, constantly updated and enhanced, will have major additions coming in the second half of 2018. Managers should subscribe to the site for notices.

Revise the suggested NIST Framework so that it makes sense for your organization, using the information from the DBIR above to protect against the types of risks prevalent in your particular industry. Go over the list with the IT Security Officer to address all vulnerabilities.

Keep abreast of cybersecurity trends and news by subscribing to email feeds, or creating your own with Google alerts using related terms (like "computer security" OR "cybersecurity" OR "cybercrime" OR "data breach" OR "malware" OR "advanced persistent threats" OR "botnet" OR "hacker" OR "Hacking"). Visit web sites detailing the latest reported attacks and vulnerabilities (see suggestions under “Readiness Web Sites” in Appendix A below).

Reading the current reports of cyber-attacks is a great opportunity to write down questions for the cybersecurity team and to take action, if necessary, based on the answers. For example, when reading about the Target breach, you might wonder if any appliances attached to your network are secure (Target’s POS machines were not). When reading about the Uber attack, the question of whether or not your organization’s staff or contract developers use GitHub should come up.

Use Normal Management Practices

Normal management includes defining risks and devising strategies to mitigate them. In the “Get the latest information” section above, the manager or team responsible for cybersecurity made a list of the likely risks based on observed dangers by industry, with the help of the DBIR report, the NIST Framework, and other materials.

The next step is to work with others to determine the current mitigation level of each listed risk. Many of these answers will simply be “yes” or “no”; others will be completely or partially mitigated.

The third step is to analyze the gaps, the areas that are only partially protected or not at all.

Once the gaps have been determined, plan to fill them, using information from the NIST Framework and supplemental material previously referenced.

After the manager has acquired current information and training, the most important steps in achieving and maintaining a secure environment are to be observant, ask questions, and take action based on the answers. Any organization that has not undergone a thorough cybersecurity audit is making numerous illogical mistakes. To paraphrase Homer Simpson, unsecure workplaces make many “D’oh!” decisions. Here are a few examples:

1.      Email names should not be the same as login names, or half of the work is already done for bad actors, not to mention spammers and other irritants.

2.      Default passwords are easy to guess. Even if someone’s password is “password” for just a few minutes, it may be long enough for an attacker to gain entry and retrieve administrator passwords. Ask the IT department.

3.      Email addresses are easy to guess, such as first initial and last name. If an attacker can get an employee name and guess the email address, everyone is wide open to phishing attacks and spam.

4.      Employees log into external sites using their work email accounts or login names and passwords. A common technique of cybercriminals is to set up a fake version of a popular industry site to harvest user names and passwords. Many visitors will use their work credentials, providing bad actors all the information they need to hack the work system. It also provides attackers with information to create credible phishing attacks.

5.      Allowing anyone to connect USB storage devices or phones to any computer inside the network is a gaping hole in security. These devices can be used to extract important information or load malware, possibly without the knowledge of the user. When a USB memory stick is inserted into a computer, a screen should appear indicating that its use is prohibited, or there should be an indication that it is being scanned for malware along with a request for credentials. If so, your cybersecurity program is doing its job. Otherwise, probably not.

These are just a few of the things that indicate a change in perspective. When email addresses were designed and Internet policies were determined, cyber-attacks were not a serious consideration. In today’s world, the perspective has changed and the priority has shifted.

Now all managers must think in terms of every policy adding more resistance to prevent easy cyber incursions. Suddenly cloud storage shifts from a possible security risk to an opportunity to move the risk far away outside of the castle walls. Once the cybersecurity perspective is firmly entrenched in the organization, management decision-making will increase the efficacy of the cybersecurity program.

Since email is the top source of cyber-attacks, management should consider hosting on the cloud, using a hosted server, or a complete offsite mail system like Microsoft Office 365, Google Gmail for Business, Zimbra, PanTerra, etc.

The most important aspect of cybersecurity management is how management responds to attacks. Reviewing high profile breaches also

Involve Everyone

Everyone in an organization must be involved in the Cybersecurity planning and execution, because everyone will be victimized in cyber-attacks. One estimate, previously referenced in this document, is that 91% of successful cyber-attacks originate as phishing emails.

Over half of the tactics cited in the Verizon Data Breach Investigative Report potentially involved non-IT employees, including the introduction of malware (30%), errors in software and social attacks (17% each), privilege misuse (12%), and physical actions (11%). For a workplace to have any chance of being cyber secure, employees must be able to recognize these events and know what to do about them.

The cybersecurity plan should be prominently displayed along with the disaster plan at every bulletin board. Every Intranet home site should have a prominent link to the cybersecurity plan and daily reminders. Every employee must attend at least one cybersecurity class.

Keep Evolving

Cybersecurity is a continuous process so if a firm reached perfection today and stopped evolving, it would probably be hacked by noon tomorrow. Like all forms of progress in an organization, management establishes priorities and keeps the enterprise thriving with a vision for the future.

Accomplishing those vital goals includes recognition of the importance of investing time and effort into cybersecurity. Improve security by learning from every cyber-attack whether it results in a breach or is successfully thwarted. Learning and progress do not occur in a vacuum, so publicize all attacks internally and make sure everyone knows about them so they can learn, too.

There can be no stigma attached to discovering a breach, or a virus, or ransomware. Reward anyone who discovers or thwarts a cyber-attack with, at a minimum, praise, and ideally something more tangible.

Bad outcomes are associated with concealing or ignoring an attack, as can be easily seen by reading the accounts of the Target, Equifax, and Yahoo breaches along with others. Inaction and attempts to conceal in those cases only served to multiply the negative effects many times over.

Follow the process of the NIST Framework, which is an ever-repeating cycle composed of the steps: Identify, Protect, Detect, Respond, and Recover. Commit to the process because interrupting the cycle by failing to execute any step will drastically reduce the overall effectiveness.

As managers and other staff members involved in cybersecurity become more expert in the depth and breadth of the landscape they are trying to protect, more questions should come to mind. Record these questions, ask them, and act on the answers. For example, did any of Target’s staff ever wonder if their cash registers were storing unencrypted data? Apparently not.

Conclusion

“Cyber crime damage costs to hit $6 trillion annually by 2021.

Global ransomware damage costs are predicted to exceed $5 billion in 2017.”[26]

Cyber-crime is growing at an increasing rate every day because its creators are successful and thriving. There is nothing on the horizon that suggests this trend will abate. This means that to avoid total destruction from cyber-crime, every organization must at least have the following steps in place:

1.      There must be a person responsible for cybersecurity at the highest level of management. This person must have the authority to foster collaboration with all departments and order immediate responses in case of emergency.

2.      At least one full-time employee (or outsourced equivalent) is necessary to keep up with changes in the cyber threat landscape, software and hardware patches, and applicable laws, and to constantly audit organizational activities.

3.      At least an annual audit by an outside firm that specializes in cybersecurity.

4.      An organization-wide culture of being constantly aware of and alert for the signs of cyber-attacks, and a process for communicating to everyone instantly.

5.      The discipline and resolve to act on every single internal sign of cyber-attack. Prioritizing is for planning – any sign of a cyber-attack inside the network must be eradicated immediately (remember as an example, Target had warnings but did not take action immediately).

Case 1: The Target Stores Breach

The Result

On May 23rd, 2017, 47 states and the District of Columbia announced the final settlement in a class action suit in the Target Stores cyber-attack. The amount the chain store agreed to pay was 18.5 million dollars, the largest amount assessed so far in a data breach case. Previously in 2015, Target had agreed in a court settlement to pay up to 10 million dollars in $10,000 increments to any customers who could prove losses[27].

As part of the 2017 settlement, the retailer also agreed to take a number of steps to ensure the situation did not recur. According to the USA Today article, the steps included:

·         Develop, implement and maintain a comprehensive information security program

·         Employ an executive or officer responsible for executing the program

·         Hire an independent expert to conduct a security assessment

·         Maintain and support data security software on the company’s network

·         Take steps to control network access, including password rotation policies and two-factor authentication

What Happened

In the lawsuit, the prosecutors determined that cyber-attackers obtained access to the computer gateway server using credentials issued by Target to a third party vendor. The attackers illegally acquired the credentials in November of 2013 and used them to exploit weaknesses in the system to gain access to Target’s customer database.

The cyber thieves were then able to copy full names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other unspecified sensitive data from 41 million customers. They were able to acquire contact information for more than 60 million customers (Target’s official press release indicated “up to 70 million individuals.”)

Target’s FireEye security software warned them several times that potential malware had been loaded on the system when it detected the hacker’s tools to read and send the customer data. However, management decided not to take any action on the alerts.

On December 19th, 2013 Target finished its preliminary assessment and publicly announced the breach had occurred, affecting 40 million credit card numbers and contact information for about 70 million customers.

On January 10th, 2014 Target revised their estimate, saying up to 110 million customers’ credit and debit card information may have been stolen.[28]

The article from the SANS Reading Room available at the link below gives an amazingly detailed step-by-step description of how the breach unfolded.

https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

What did we learn?

Some conclusions reached from the volume of articles written about the incident are:

1.      While compliance with basic security standards is good, it is not enough, and applying the “Defense in Depth” strategy in order of risk is imperative.

2.      Investigate any warning, no matter how small or irrelevant it appears, understand and eradicate it.

3.      Encrypt all sensitive data, both in transit and at rest. Make sure that this philosophy is also enforced on any peripherals attached to the network (Target’s POS machines stored unencrypted data long enough for it to be harvested).

Case 2: The Uber Hack and Cover Up

The Results

The data breach experienced by the ride sharing system is unique in that it was covered up and yet details have been released publicly. According to CNN[29] coverage, the Uber CEO said that two people hacked the company database and copied the personal data of 57 million users, including the driver’s license numbers of 600,000 Uber drivers.

They were able to hack the site using GitHub, a repository of programming source code used by millions of developers worldwide.  Uber’s programmers use GitHub to store and share programs on which they are collaborating. Apparently they included security credentials in their code, a common practice, and the hackers used the information to extract data from the company database.

When the hackers contacted Uber, the company made a deal with them to destroy the data in exchange for a payment of $100,000. Hopefully, Uber removed the credentials from GitHub as well, though there is no evidence of that. Paying attackers seems to happen all the time; in fact, some guess that ransomware bad actors were paid over $2 billion last year. The worst thing about this is that it only encourages the hackers.

Uber violated the law by not notifying users and reporting the breach to law enforcement. The states of New York and Massachusetts are investigating, and the Federal Trade Commission is being encouraged to consider large fines. Congress is considering investigating as well. The United Kingdom, Italy, and the Philippines have contacted Uber for an explanation. Other countries will certainly join in as time goes on.

What did we learn?

Uber’s new CEO is working to improve the company’s reputation. Along those lines, Uber announced that the two employees responsible for the payoff are no longer with the company, along with the former chief security officer.

Paying off cyber-attackers is a false economy. Upon discovery, all of the penalties and notification requirements will be enforced anyway, and there will be enhanced penalties and much worse publicity and embarrassment when the truth comes out.
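The lesson about credentials left in shared code can be turned into a concrete control: a scan that runs before code is pushed and refuses a commit that contains key material. The following is an added Python example written for this article, not Uber’s or GitHub’s tooling. The key formats it matches (the AWS access key ID prefix and PEM private-key headers) are publicly documented, the sample file it scans is constructed, and the placeholder credentials in that file are the ones AWS uses in its own documentation.

```python
"""Pre-commit scan for credentials left in source code.

Added example for the Uber case above; it is not Uber's or GitHub's tooling.
Hard-coded credentials are caught two ways: known formats (the AWS access
key ID prefix "AKIA" followed by 16 characters, PEM private-key headers,
and password = "..."-style assignments) and, as a fallback, long quoted
strings whose Shannon entropy looks like key material rather than prose.
"""
import math
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line_no: int
    rule: str
    excerpt: str


# Ordered: the most specific rule wins for a line.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # a name containing password/secret/apikey/token assigned a quoted literal
    ("credential-assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['\"][^'\"]{6,}['\"]")),
]
# Quoted runs of 20+ base64/hex-like characters, judged by entropy.
TOKEN_RE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ALLOWLIST_MARK = "allowlist-secret"   # reviewer-approved false positives


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4 or more for random base64, 3 or less for prose."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 4.0) -> List[Finding]:
    """Return one Finding per offending line (first matching rule wins)."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARK in line:
            continue
        for rule, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append(Finding(no, rule, m.group(0)[:40]))
                break
        else:
            for tok in TOKEN_RE.findall(line):
                if shannon_entropy(tok) >= entropy_threshold:
                    findings.append(Finding(no, "high-entropy-string", tok[:40]))
                    break
    return findings


# Constructed sample file.  AKIAIOSFODNN7EXAMPLE and the wJal... value are
# the placeholder credentials from AWS's own documentation, not live keys.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2hunter2"
GREETING = "hello world, this is not a secret"
region = "us-east-1"
session = {"sess": "c3VwZXJzZWNyZXQtc2Vzc2lvbi1pZA=="}
DOC_KEY = "AKIAIOSFODNN7EXAMPLE"  # allowlist-secret: documentation example
"""


def main() -> int:
    """Exit non-zero when anything is found so a pre-commit hook blocks the commit."""
    found = scan_source(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
    return 1 if found else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a pre-commit hook, the script exits 1 whenever a finding exists, so the commit never reaches the shared repository. The entropy fallback will produce false positives on things like embedded base64 images; that is what the allowlist-secret marker is for: a reviewer records why a flagged string is acceptable rather than weakening the rule for everyone.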

Appendix A – Terms

The terms defined below are the most important industry terms for a manager overseeing an organization’s cybersecurity strategy and their definitions may only be a subset or adaptation of the broader definitions available elsewhere.

Term

Definition

APT

Advanced Persistent Threat – this term usually describes a concentrated, stealthy, long-term attack on a single organization or industry. These attacks are usually perpetrated by governments with the goal of destroying a target or using it as a strategic piece in a larger attack. For example, the 2016 attacks of the Russian government on the election system in the United States, the Sony breach by North Korea, detected attacks on power grids around the world, etc.

attack surface

The “attack surface” is the set of openings a bad actor could use to exploit an organization’s computer systems; in practical terms, all of the endpoints subject to exploitation. Reducing it is a priority.

bad actor

Computer security professionals refer to the perpetrators of computer attacks as “Bad Actors”. Bad Actors may be governments, crime organizations, individuals, or any combination.

botnet

A group of computers or other smart gadgets (anything with a computer chip and an Internet connection) that are under the unified control of a single entity. The control is usually accomplished by embedding software in the devices that will execute tasks automatically or on command. If the botnet is created by bad actors, it may be used for a variety of nefarious purposes, including DDoS attacks, spam blizzards, intercepting and distributing information, and infecting more machines.

blacklist

A list of prohibited items. In cybersecurity, there are three important types: websites, email servers, and malware. The first usually blocks network users from navigating to servers that are known to be infected or to contain objectionable information. The second is used to block sites that send spam or malware through email. The third is used by firewalls to stop known malware from starting on a network or attached devices.

CIA Triad – Confidentiality, Integrity, Availability

Has nothing to do with the Central Intelligence Agency. In this case, C is for confidentiality, I is for integrity, and A is for availability, three critical properties of any computer system that bad actors attack. Security professionals have used this term for decades to assess risk in the design of security systems. Most systems are designed with a heavy emphasis on confidentiality, to protect the private information of the organization and its customers. Lately, the trend is turning toward an emphasis on integrity as managers begin to realize that if it is compromised, they may lose control of operations completely.

CIO

Chief Information Officer, usually the highest-ranking computer executive in an organization.

CSIO/CSO

Chief Security Information Officer/Chief Security Officer are titles that are somewhat overlapping. In some organizations, the CSO manages physical as well as cyber security. The CSIO generally only manages cybersecurity, working in conjunction with a CSO managing physical security.

Cyber

Refers to computers and anything that can be attached to and participate on a computer network as well as all information contained.

Cyber-attack

An assault on cyber resources.

Cyberscape or Cyber resources

All computers, networked devices, and the information contained in them in a particular physical or virtual area. The cyberscape of cyberspace is the superset of all cyber resources.

Cybersecurity

 

DoS or DDoS

Denial of Service or Distributed Denial of Service – These are attacks designed to make web sites unavailable to their customers. They can block a conventional web site or the invisible endpoints that make applications and web sites work. Most of these are the distributed variety today, hijacking public and private servers or other devices with malware, creating botnets. They try to either overload the site with traffic or exploit vulnerabilities in the software running the site to make it freeze or crash completely. Some have colorful names: ICMP Flood (Smurf Attack, Ping of Death), SYN Flood, Buffer Overflow.[30]

DNS

There are Domain Name Servers (DNS servers) throughout the Internet and on private LANs. These are server-class computers that translate friendly domain names into the actual alphanumeric network addresses so the referenced sites can be found.

DNSBL – Domain Name Server Black List

Some of these servers, along with mail servers, also use a copy of the black list to refuse to route addresses that are identified in the list as being associated to bad actors.
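As an added example of how the lookup in the blacklist and DNSBL entries above actually works (illustrative code written for this glossary, not from any product named in the article), the Python below builds the reversed-address query name a receiving mail server sends to a DNSBL zone and interprets the answer. The zone name dnsbl.example.invalid, the zone data, and the reason-code meanings are constructed placeholders so the example runs offline; a real deployment would replace fake_resolve_a with a DNS library call.

```python
"""DNSBL (DNS-based blocklist) lookup, as a receiving mail server performs it.

Added example for this glossary, not code from any product named in the
article.  A DNSBL is queried by reversing the four octets of the connecting
client's IP address, appending the list's zone name, and doing an ordinary
DNS A-record lookup.  An answer inside 127.0.0.0/8 means "listed" (the last
octet is a list-specific reason code); no answer (NXDOMAIN) means "not listed".
"""
import ipaddress
from typing import Callable, Optional, Tuple

# Placeholder zone name (an assumption; not a real blocklist).
ZONE = "dnsbl.example.invalid"

# Constructed sample zone data standing in for the DNS so the example runs
# offline.  A real check would resolve the name with a DNS library instead.
FAKE_ZONE_DATA = {
    "4.3.2.1.dnsbl.example.invalid": "127.0.0.2",   # 1.2.3.4 listed, code 2
    "8.7.6.5.dnsbl.example.invalid": "127.0.0.4",   # 5.6.7.8 listed, code 4
}

# Constructed meaning of the reason codes (each real list publishes its own).
REASON_CODES = {2: "spam source", 4: "open relay or proxy"}


def fake_resolve_a(name: str) -> Optional[str]:
    """Stand-in for an A-record lookup: the answer, or None for NXDOMAIN."""
    return FAKE_ZONE_DATA.get(name)


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the query name: octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_dnsbl(ip: str, zone: str = ZONE,
                resolve: Callable[[str], Optional[str]] = fake_resolve_a
                ) -> Tuple[bool, Optional[str]]:
    """Return (listed, reason).

    Never blocks mail on an answer outside 127.0.0.0/8: lists return other
    addresses when a query quota is exceeded, and some ISPs rewrite NXDOMAIN
    into the address of an advertising page.
    """
    addr = ipaddress.IPv4Address(ip)
    if addr.is_private or addr.is_loopback:
        # Internal senders are never in a public list; querying them only
        # leaks the organization's internal addressing to the list operator.
        return (False, "private address, not queried")
    answer = resolve(dnsbl_query_name(str(addr), zone))
    if answer is None:
        return (False, None)
    result = ipaddress.IPv4Address(answer)
    if result not in ipaddress.IPv4Network("127.0.0.0/8"):
        return (False, f"unexpected answer {answer}, ignored")
    code = int(str(result).split(".")[-1])
    return (True, REASON_CODES.get(code, f"unknown code {code}"))


if __name__ == "__main__":
    # Constructed client addresses: two listed, one clean, one internal.
    for client in ("1.2.3.4", "5.6.7.8", "9.10.11.12", "10.8.8.8"):
        print(client, check_dnsbl(client))
```

The two guard clauses are the part worth copying: skipping internal addresses avoids both useless queries and an information leak, and refusing to act on a non-127 answer keeps a quota overrun or a DNS hijack from turning into rejected mail.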

Edge protection

A synonym for endpoint or perimeter security or protection. Refers to the concept of not letting malware or bad actors advance from the outside of the network to the inside. This has become impractical with the proliferation of email, messaging, Internet surfing, etc.

Inspector General

A relatively new position in the IT realm that is responsible for monitoring an organization’s network for breaches and investigating them to aid in hardening defenses.

Exploits

Exploits are points of vulnerability, so named because they may be exploited by bad actors.

1.      Firewall breaches

2.      Distributed Denial of Service attacks (DDoS)

3.      Ransomware

4.      Identity theft

5.      Worms

6.      Human Engineering, including Phishing

7.      Hacking

IoT –Internet of Things

In the old days, the only allowed Internet devices were computers. Then along came cameras, and radios, and refrigerators and so many other gadgets that they defied categorization. So they just called them “things”. All of them together are the Internet of Things. From a cybersecurity perspective, every one of them represents a threat, because they are participants in Internet traffic, and may be under the control of bad actors.

LAN – Local Area Network

LAN is an acronym for Local Area Network, which technically refers to all devices connected together in a single area, like a building. For the purpose of this article, LAN refers to all networked devices belonging to a single organization, even if they are geographically diverse.

malware

Software or firmware that attempts to load on your network devices to fulfill the goals of a hostile outside entity (bad actor). Malware includes viruses, Trojans, worms, ransomware, any software that is not purposely installed for the good of the organization.

NIST – National Institute of Standards and Technology

The federal government agency whose task is to establish standards for strengthening the cybersecurity of the nation, among other things.

cyber hygiene

Maintaining good personal habits for computer usage. This means using malware preventative software, a firewall, and secure credentials at a minimum. It also includes good practices like never clicking on unknown email attachments and resisting phishing attacks. Practicing good cyber hygiene applies to both personal and institutional use.

OWASP – Open Web Application Security Project

An unbiased source of best practices and open standards for security in software development.

Phishing

A method of acquiring information or injecting malware through deception. Phishing attacks are usually delivered through email or text messages. They sometimes provide a link to fake web sites that appear authentic that prompt for the entry of sensitive information, to use it for illegal purposes. Also frequently used to install malware by convincing the user to download and open files.

Ransomware

Software that renders documents, files, databases and other critical data unusable until a ransom is collected. There are many different methods of achieving this purpose, but the most common one is encrypting all of the data and providing the tools to unencrypt only after the ransom has been paid.

Solutions

A.      Identity-based software-defined networking

B.      Whitelists

C.      Blacklists

D.     Firewalls, including smart firewalls

E.      Security cloud

F.       Cybersecurity insurance

G.     https://inspiredelearning.com/security-awareness/

SOMM - Security Operations Maturity Model

Micro Focus

Stuxnet

Malware that was used to interfere with nuclear fuel processing in Iran. The malware was introduced into the network, probably using USB drives, because it was strongly protected from infection from the Internet. The malware caused control devices to provide inaccurate readings, making production impossible and causing material damage.

WAN – Wide Area Network

A Wide Area Network usually refers to the Internet, but any network that spans multiple organizations and locations, such as a phone system might be a WAN.

Appendix B – Web Sites

Examples of solutions (not recommendations) – not an exhaustive list

Readiness Web Sites

US-CERT - United States Computer Emergency Readiness Team

Homeland Security - Combating Cyber-Crime

SANS Ouch! Security Awareness Training

SANS Internet Storm Center

Newsfusion Twitter Cybersecurity Alerts

Denial of Service Attack Products

Google Now offers free DDOS protection

AT&T DDos Defense

CloudFlare DDos Attack Prevention

radware Dynamic DDos Protection

Firewalls – Cloud-Based

AT&T Cybersecurity Solutions

Microsoft Cloud Security

Oracle Cloud Access Security Broker

Hewlett Packard Enterprise

Firewalls – Network-Based

Palo Alto Networks

Cisco Firewalls

SonicWall SonicGuard Firewalls

Appendix C – Colorado Breach Law

C.R.S. 6-1-716

Current through all Laws passed and signed in the First Regular and First Extraordinary Sessions of the 71st General Assembly (2017)

·         Colorado Revised Statutes

·         TITLE 6. CONSUMER AND COMMERCIAL AFFAIRS

·         FAIR TRADE AND RESTRAINT OF TRADE

·         ARTICLE 1.COLORADO CONSUMER PROTECTION ACT

·         PART 7. SPECIFIC PROVISIONS


6-1-716. Notification of security breach

·         (1)  Definitions. As used in this section, unless the context otherwise requires:

o    (a)  "Breach of the security of the system" means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or commercial entity for the purposes of the individual or commercial entity is not a breach of the security of the system if the personal information is not used for or is not subject to further unauthorized disclosure.

o    (b)  "Commercial entity" means any private legal entity, whether for-profit or not-for-profit.

o    (c)  "Notice" means:

§  (I)  Written notice to the postal address listed in the records of the individual or commercial entity;

§  (II)  Telephonic notice;

§  (III)  Electronic notice, if a primary means of communication by the individual or commercial entity with a Colorado resident is by electronic means or the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. sec. 7001 et seq.; or

§  (IV)  Substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed two hundred fifty thousand dollars, the affected class of persons to be notified exceeds two hundred fifty thousand Colorado residents, or the individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:

§  (A)  E-mail notice if the individual or the commercial entity has e-mail addresses for the members of the affected class of Colorado residents;

§  (B)  Conspicuous posting of the notice on the website page of the individual or the commercial entity if the individual or the commercial entity maintains one; and

§  (C)  Notification to major statewide media.

o    (d)  (I) "Personal information" means a Colorado resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:

§  (A)  Social security number;

§  (B)  Driver's license number or identification card number;

§  (C)  Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.

§  (II)  "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

·         (2)  Disclosure of breach. (a) An individual or a commercial entity that conducts business in Colorado and that owns or licenses computerized data that includes personal information about a resident of Colorado shall, when it becomes aware of a breach of the security of the system, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The individual or the commercial entity shall give notice as soon as possible to the affected Colorado resident unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

o    (b)  An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Colorado resident occurred or is likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach; except that such cooperation shall not be deemed to require the disclosure of confidential business information or trade secrets.

o    (c)  Notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and the law enforcement agency has notified the individual or commercial entity that conducts business in Colorado not to send notice required by this section. Notice required by this section shall be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation and has notified the individual or commercial entity that conducts business in Colorado that it is appropriate to send the notice required by this section.

o    (d)  If an individual or commercial entity is required to notify more than one thousand Colorado residents of a breach of the security of the system pursuant to this section, the individual or commercial entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. sec. 1681a (p), of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. Nothing in this paragraph (d) shall be construed to require the individual or commercial entity to provide to the consumer reporting agency the names or other personal information of breach notice recipients. This paragraph (d) shall not apply to a person who is subject to Title V of the federal "Gramm-Leach-Bliley Act", 15 U.S.C. sec. 6801 et. seq.

(3) Procedures deemed in compliance with notice requirements. (a) Under this section, an individual or a commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information and whose procedures are otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notice requirements of this section if the individual or the commercial entity notifies affected Colorado customers in accordance with its policies in the event of a breach of security of the system.

(b) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section.

(4) Violations. The attorney general may bring an action in law or equity to address violations of this section and for other relief that may be appropriate to ensure compliance with this section or to recover direct economic damages resulting from a violation, or both. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.

History

Source: 
L. 2006: Entire section added, p. 536, § 1, effective September 1. L. 2010: (2)(d) amended, (HB 10-1422), ch. 419, p. 2064, § 9, effective August 11.

COLORADO REVISED STATUTES

Appendix D – Cybersecurity Executive Order

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

INFRASTRUCTURE & TECHNOLOGY | Issued on: May 11, 2017

EXECUTIVE ORDER

– – – – – – –

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

By the authority vested in me as President by the Constitution and the laws of the United States of America, and to protect American innovation and values, it is hereby ordered as follows:

Section 1. Cybersecurity of Federal Networks.

(a) Policy. The executive branch operates its information technology (IT) on behalf of the American people. Its IT and data should be secured responsibly using all United States Government capabilities. The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises. In addition, because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.

(b) Findings.

(i) Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents. Information sharing facilitates and supports all of these activities.

(ii) The executive branch has for too long accepted antiquated and difficult–to-defend IT.

(iii) Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity.

(iv) Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.

(v) Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.

(c) Risk Management.

(i) Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data. They will also be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code.

(ii) Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order. The risk management report shall:

(A) document the risk mitigation and acceptance choices made by each agency head as of the date of this order, including:

(1) the strategic, operational, and budgetary considerations that informed those choices; and

(2) any accepted risk, including from unmitigated vulnerabilities; and

(B) describe the agency’s action plan to implement the Framework.

(iii) The Secretary of Homeland Security and the Director of OMB, consistent with chapter 35, subchapter II of title 44, United States Code, shall jointly assess each agency’s risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate (the determination).

(iv) The Director of OMB, in coordination with the Secretary of Homeland Security, with appropriate support from the Secretary of Commerce and the Administrator of General Services, and within 60 days of receipt of the agency risk management reports outlined in subsection (c)(ii) of this section, shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the following:

(A) the determination; and

(B) a plan to:

(1) adequately protect the executive branch enterprise, should the determination identify insufficiencies;

(2) address immediate unmet budgetary needs necessary to manage risk to the executive branch enterprise;

(3) establish a regular process for reassessing and, if appropriate, reissuing the determination, and addressing future, recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise;

(4) clarify, reconcile, and reissue, as necessary and to the extent permitted by law, all policies, standards, and guidelines issued by any agency in furtherance of chapter 35, subchapter II of title 44, United States Code, and, as necessary and to the extent permitted by law, issue policies, standards, and guidelines in furtherance of this order; and

(5) align these policies, standards, and guidelines with the Framework.

(v) The agency risk management reports described in subsection (c)(ii) of this section and the determination and plan described in subsections (c)(iii) and (iv) of this section may be classified in full or in part, as appropriate.

(vi) Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.

(A) Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.

(B) The Director of the American Technology Council shall coordinate a report to the President from the Secretary of Homeland Security, the Director of OMB, and the Administrator of General Services, in consultation with the Secretary of Commerce, as appropriate, regarding modernization of Federal IT. The report shall:

(1) be completed within 90 days of the date of this order; and

(2) describe the legal, policy, and budgetary considerations relevant to — as well as the technical feasibility and cost effectiveness, including timelines and milestones, of — transitioning all agencies, or a subset of agencies, to:

(aa) one or more consolidated network architectures; and

(bb) shared IT services, including email, cloud, and cybersecurity services.

(C) The report described in subsection (c)(vi)(B) of this section shall assess the effects of transitioning all agencies, or a subset of agencies, to shared IT services with respect to cybersecurity, including by making recommendations to ensure consistency with section 227 of the Homeland Security Act (6 U.S.C. 148) and compliance with policies and practices issued in accordance with section 3553 of title 44, United States Code.

All agency heads shall supply such information concerning their current IT architectures and plans as is necessary to complete this report on time.

(vii) For any National Security System, as defined in section 3552(b)(6) of title 44, United States Code, the Secretary of Defense and the Director of National Intelligence, rather than the Secretary of Homeland Security and the Director of OMB, shall implement this order to the maximum extent feasible and appropriate. The Secretary of Defense and the Director of National Intelligence shall provide a report to the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism describing their implementation of subsection (c) of this section within 150 days of the date of this order. The report described in this subsection shall include a justification for any deviation from the requirements of subsection (c), and may be classified in full or in part, as appropriate.

Sec. 2. Cybersecurity of Critical Infrastructure.

(a) Policy. It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure (as defined in section 5195c(e) of title 42, United States Code) (critical infrastructure entities), as appropriate.

(b) Support to Critical Infrastructure at Greatest Risk. The Secretary of Homeland Security, in coordination with the Secretary of Defense, the Attorney General, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, the heads of appropriate sector-specific agencies, as defined in Presidential Policy Directive 21 of February 12, 2013 (Critical Infrastructure Security and Resilience) (sector-specific agencies), and all other appropriate agency heads, as identified by the Secretary of Homeland Security, shall:

(i) identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities identified pursuant to section 9 of Executive Order 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity), to be at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security (section 9 entities);

(ii) engage section 9 entities and solicit input as appropriate to evaluate whether and how the authorities and capabilities identified pursuant to subsection (b)(i) of this section might be employed to support cybersecurity risk management efforts and any obstacles to doing so;

(iii) provide a report to the President, which may be classified in full or in part, as appropriate, through the Assistant to the President for Homeland Security and Counterterrorism, within 180 days of the date of this order, that includes the following:

(A) the authorities and capabilities identified pursuant to subsection (b)(i) of this section;

(B) the results of the engagement and determination required pursuant to subsection (b)(ii) of this section; and

(C) findings and recommendations for better supporting the cybersecurity risk management efforts of section 9 entities; and

(iv) provide an updated report to the President on an annual basis thereafter.

(c) Supporting Transparency in the Marketplace. The Secretary of Homeland Security, in coordination with the Secretary of Commerce, shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, that examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities, within 90 days of the date of this order.

(d) Resilience Against Botnets and Other Automated, Distributed Threats. The Secretary of Commerce and the Secretary of Homeland Security shall jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets). The Secretary of Commerce and the Secretary of Homeland Security shall consult with the Secretary of Defense, the Attorney General, the Director of the Federal Bureau of Investigation, the heads of sector-specific agencies, the Chairs of the Federal Communications Commission and Federal Trade Commission, other interested agency heads, and appropriate stakeholders in carrying out this subsection. Within 240 days of the date of this order, the Secretary of Commerce and the Secretary of Homeland Security shall make publicly available a preliminary report on this effort. Within 1 year of the date of this order, the Secretaries shall submit a final version of this report to the President.

(e) Assessment of Electricity Disruption Incident Response Capabilities. The Secretary of Energy and the Secretary of Homeland Security, in consultation with the Director of National Intelligence, with State, local, tribal, and territorial governments, and with others as appropriate, shall jointly assess:

(i) the potential scope and duration of a prolonged power outage associated with a significant cyber incident, as defined in Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination), against the United States electric subsector;

(ii) the readiness of the United States to manage the consequences of such an incident; and

(iii) any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.

The assessment shall be provided to the President, through the Assistant to the President for Homeland Security and Counterterrorism, within 90 days of the date of this order, and may be classified in full or in part, as appropriate.

(f) Department of Defense Warfighting Capabilities and Industrial Base. Within 90 days of the date of this order, the Secretary of Defense, the Secretary of Homeland Security, and the Director of the Federal Bureau of Investigation, in coordination with the Director of National Intelligence, shall provide a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks. The report may be classified in full or in part, as appropriate.

Sec. 3. Cybersecurity for the Nation.

(a) Policy. To ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft. Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.

(b) Deterrence and Protection. Within 90 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, and the United States Trade Representative, in coordination with the Director of National Intelligence, shall jointly submit a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.

(c) International Cooperation. As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section. Within 45 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation. Within 90 days of the submission of the reports, and in coordination with the agency heads listed in this subsection, and any other agency heads as appropriate, the Secretary of State shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, documenting an engagement strategy for international cooperation in cybersecurity.

(d) Workforce Development. In order to ensure that the United States maintains a long-term cybersecurity advantage:

(i) The Secretary of Commerce and the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Secretary of Labor, the Secretary of Education, the Director of the Office of Personnel Management, and other agencies identified jointly by the Secretary of Commerce and the Secretary of Homeland Security, shall:

(A) jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education; and

(B) within 120 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations regarding how to support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.

(ii) The Director of National Intelligence, in consultation with the heads of other agencies identified by the Director of National Intelligence, shall:

(A) review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness; and

(B) within 60 days of the date of this order, provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism on the findings of the review carried out pursuant to subsection (d)(ii)(A) of this section.

(iii) The Secretary of Defense, in coordination with the Secretary of Commerce, the Secretary of Homeland Security, and the Director of National Intelligence, shall:

(A) assess the scope and sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in national-security-related cyber capabilities; and

(B) within 150 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations on the assessment carried out pursuant to subsection (d)(iii)(A) of this section.

(iv) The reports described in this subsection may be classified in full or in part, as appropriate.

Sec. 4. Definitions. For the purposes of this order:

(a) The term “appropriate stakeholders” means any non-executive-branch person or entity that elects to participate in an open and transparent process established by the Secretary of Commerce and the Secretary of Homeland Security under section 2(d) of this order.

(b) The term “information technology” (IT) has the meaning given to that term in section 11101(6) of title 40, United States Code, and further includes hardware and software systems of agencies that monitor and control physical equipment and processes.

(c) The term “IT architecture” refers to the integration and implementation of IT within an agency.

(d) The term “network architecture” refers to the elements of IT architecture that enable or facilitate communications between two or more IT assets.

Sec. 5. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to an executive department or agency, or the head thereof; or

(ii) the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be construed to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence or law enforcement operations.

(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

DONALD J. TRUMP

THE WHITE HOUSE,

May 11, 2017.

Index


appliances, 3, 11

AT&T, 3, 4, 12, 16

bad actors, 2, 10, 17, 24, 25, 26, 27

Blacklists, 11, 28

Bluetooth, 10

botnet, 16

botnets, 11, 37

cameras, 11, 27

cellular, 10

CFO, 9, 10, 16

CIA, 2, 4, 6, 25

CIO, 7, 15

cognitive dissonance, 3

CSIO, 15

Cyber-attacks, 2

Cybersecurity, 2, 3, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 18, 26, 28, 32, 33, 34, 36, 37, 38

Data Breach Investigations Report, 3

data breaches, 7, 16

DDoS, 5

defending the perimeter, 3

digital assets, 15

DNS, 11, 12, 26

DNSBL, 11, 26

DoS, 5, 12

Edge Protection, 10

endpoints, 6, 10, 24

Equifax, 2, 4, 13, 19

Federal Bureau of Investigation (FBI), 3, 36, 37, 38, 39

firewall, 9, 11, 12

GDPR (General Data Protection Regulation), 7

Homeland Security, 3, 12, 34, 35, 36, 37, 38, 39, 40

Information Technology, 2

Inspector General, 15

Internet, 10, 11, 13, 18, 26, 27, 28

IT, 2, 5, 6, 8, 9, 10, 13, 14, 15, 16, 18, 33, 34, 35, 36, 40, 41

National Intelligence, 3, 36, 38, 39, 40

Perimeter Security, 10

Petraeus, 2, 10

physical security, 15

President, 7, 33, 34, 35, 36, 37, 38, 39, 40

ransomware, 5, 11, 19

RF, 10

routers, 6, 11

SamSam, 5

security by obscurity, 3

stuxnet, 16

Target, 2, 4, 7, 8, 19

USB device, 10

Verizon, 3, 4, 16, 18

viruses, 11

WannaCry, 5

Whitelists, 11, 28

Wi-Fi, 10

wired devices, 10

wireless, 6, 10

wireless appliances, 6

Yahoo, 2, 4, 7, 19

[1] Irish Tech News, Why Cyber Security is a Business Risk, Not Just an IT Problem

[2] Told to LinkedIn’s Devin Banerjee at the Milken Global Conference in Los Angeles.

[3] www.awwa.org, American Water Works Association - Cybersecurity Guidance and Tool, 2018.

[4] AT&T Business, Cybersecurity for today's digital world.

[5] Huffington Post, Target To Pay $10 Million To Settle Lawsuit From Massive Data Breach, March 18, 2015.

[6] National Council of State Legislatures, Security Breach Notification Laws, March 29, 2018.

[7] BetaNews, Ransomware attacks up 400 percent in 2017 mainly due to WannaCry, May 3, 2018.

[8] Arutz Sheva, West is at the Mercy of Stuxnet, German Analyst Hints, April 26, 2011.

[9] NewYorkTimes.com, Target Missed Signs of a Data Breach, March 13, 2014, by Elizabeth A. Harris and Nicole Perlroth.

[10] CSO Online, The buck stops here: 8 security breaches that got someone fired, Josh Fruhlinger, CSO, Dec 6, 2017.

[11] Forbes.com, Target CEO Fired – Can You Be Fired If Your Company is Hacked?, Eric Basu, June 13, 2014.

[12] Whitehouse.gov, Presidential Executive Order on Strengthening the Cybersecurity…, May 11, 2017.

[13] Forbes.com, These are 10 Cybersecurity Myths that must be busted, William H. Saito, April 4, 2017.

[14] Darkreading.com, Despite Risks, Nearly Half of IT Execs Don't Rethink Cybersecurity after an Attack, Marc Wilczek, April 25, 2018.

[15] www2.deloitte.com, CFO Insights - Cybersecurity: Five essential truths, 2018.

[16] Calyptix.com, 3 Common DNS Attacks and How to Fight Them, November 14, 2016.

[17] SensorsTechForum.com, https://sensorstechforum.com/top-20-cyber-security-quotes/, April 23, 2016.

[18] Dhs.gov, Cybersecurity Insurance, last published June 30, 2016.

[19] Money.cnn.com, Equifax data breach: What you need to know, September 10, 2017, by Kaya Yurieff.

[20] SANS Institute, Security Spending Trends, February 2016, Barbara Filkins.

[21] SageDataSecurity.com, Four Cybersecurity Myths Organizations Need to Bust, March 6, 2018, Becky Metivier.

[22] GoodReads.com, https://www.goodreads.com/author/quotes/15143264.James_Scott

[23] Chron.com, Roles and Responsibilities of the Chief Security Officer, March 29, 2018, Tony Guerra.

[24] www2.deloitte.com, CFO Insights - Cybersecurity: Five essential truths, 2018.

[25] Nist.gov, NIST Releases Version 1.1 of its Popular Cybersecurity Framework, April, 2018.

[26] CSO Online, Top 5 Cybersecurity Facts, Figures and Statistics, January 23, 2018, by Steve Morgan.

[27] USAToday.com, Target to Pay $18.5M for 2013 Data Breach That Affected 41 Million Consumers, May 23, 2017, by Kevin McCoy.

[28] Nytimes.com, To Regain Trust Target Must do More..., January 11, 2014, by Hilary Stout.

[29] Money.cnn.com, Uber's Massive Hack: What We Know, November 23, 2017, by Selena Larson.

[30] Paloaltonetworks.com, What is a Denial of Service Attack?, visited May 28, 2018.