
Colorado’s Cybersecurity Assessment Approach

Matt Devlin, CISA, CISM, Deputy State Auditor. September 30, 2014.
Overview: Colorado OSA and IT Audit Background; State of Colorado IT and InfoSec Organizational Structures; OSA’s Cybersecurity Assessment Approach.


Presentation Transcript


  1. Colorado’s Cybersecurity Assessment Approach
     Matt Devlin, CISA, CISM, Deputy State Auditor
     September 30, 2014

  2. Overview
     • Colorado OSA and IT Audit Background
     • State of Colorado IT and InfoSec Organizational Structures
     • OSA’s Cybersecurity Assessment Approach
       • General description of what we have done in the past and what we are doing now
       • Prior VA / Pen Test Audit (Nov. 2010)
       • Current VA / Pen Test Audit (Dec. 2014)
     • Not a detailed or technical “How To” on VA / pen testing

  3. Colorado OSA: Background Info
     • OSA is under the Legislative Branch
     • Reports to a nonpartisan Legislative Audit Committee (LAC)
     • State Auditor is appointed to a 5-year term
     • 3 Audit Divisions: Financial, Performance, and IT
     • Approx. 70 auditors
     • Produce about 50 to 55 products/reports per year

  4. Colorado OSA: Organizational Chart

  5. Colorado OSA: Statutory Authority
     • OSA has statutory authority to:
       • Conduct audits of all state departments and agencies (Sec. 2-3-103, C.R.S.)
       • “Access at all times…all of the books, accounts, reports, vouchers, or other records or information in any department, institution, or agency, including but not limited to records or information required to be kept confidential or exempt from public disclosure…” (Sec. 2-3-107(2), C.R.S.)

  6. Colorado OSA: IT Audit Division
     • IT Audit Division:
       • Est. in February 2006 (8 yrs., 8 mos. young!)
       • 4 IT Audit Staff, mainly senior-level auditors
     • IT Audit Engagement Types:
       • Financial Audit Support (Statewide Single Audit)
         • E.g., fin. system ITGCs, SSAE 16 reviews, contractor audit reviews
       • Performance Audit Support
         • E.g., MMJ, Vocational Rehab, Health Exchange, etc.
       • Standalone IT and InfoSec Audits (Technologies / Systems / Processes / Projects / Org. Unit)

  7. FY 2014 Allocation of Audit Staff

  8. State of Colorado: IT Org. Structure
     • Executive Branch
       • Office of Information Technology (OIT)
       • Est. in 2008 through legislation (SB 08-155)
       • Consolidation of IT from a decentralized model
       • OIT sits under the Governor’s Office
     • Judicial Branch
       • Separate IT (i.e., ITS)
     • Legislative Branch
       • Separate IT (i.e., LIS)

  9. State of Colorado: InfoSec Org. Structure
     • Executive and Judicial Branch
       • Office of Information Security (OIS)
       • Est. in 2006 through legislation (HB 06-1157)
       • Consolidation of InfoSec (from a decentralized model?)
       • OIS sits under OIT (i.e., the Exec. Branch IT Unit)
     • Legislative Branch & Higher Ed. Institutions
       • Excluded from OIS oversight, but have info. sec. reporting requirements

  10. State of Colorado: IT & InfoSec Org Charts

  11. Cybersecurity Approach: The 2010 Pen Test Audit

  12. Audit Objectives
     • Objective #1
       • To review the Governor’s Office of Cyber Security’s progress in fulfilling the requirements of the Colorado Cyber Security Program (Section 24-37.5-401 through 406, C.R.S.)

  13. Audit Objectives
     • Objective #2
       • To perform a “covert” penetration test of state networks, applications, and information systems
         • Gain unauthorized access to state systems and data
         • Simulate hacking attempts
         • Test incident response

  14. Audit Scope

  15. VA vs. Pen Test
     • Vulnerability Assessment – assessment approach used to identify system weaknesses or vulnerabilities.
     • Penetration Test – assessment approach used to gain access to systems by exploiting or circumventing system weaknesses or vulnerabilities.
     • Hacking vs. Pen Test Difference
       • Get Permission!!!
       • Authorized by Governor’s Office, State CISO, and other Dept. Mgt.

  16. Audit Methodology
     • In-house & Contract Audit – OSA partnered with 2 contractors specializing in VA/pen testing
     • Non-risk-based Approach – open to all state networks, applications, and systems
     • Black Box – no advance information on systems/networks/departments/agencies, etc.
     • All attacks available; nothing off limits!

  17. Audit Methodology (cont.)
     • Tests performed included:
       • Network Scans (external/internal) – ports and services
       • Application/DB/OS Scans – patch levels, configuration settings/hardening standards, vendor defaults, brute force
       • Website Security – attacks to gain access to backend apps and DBs
       • Social Engineering – spam, impersonation
       • Physical-based Attacks – gaining unauthorized access to facilities and DCs
     • What did we find??

  18. Office of Cyber Security
     “Overall, the results of the Pen Test demonstrate that the State is at high risk of a system compromise and/or data breach.”

  19. Audit Results
     Relating to Objective #1:
     • The Office of Cyber Security failed to successfully implement the Colorado Cyber Security Program, as required by statute.
       • Info Sec Program Governance & Org. Structure
         • Policy, procedures, and plans lacked definition, implementation, and enforcement
       • InfoSec Operations & Controls
         • InfoSec processes and controls lacked definition, implementation, and compliance
     • All findings and recommendations were agreed to (or partially agreed to).

  20. Audit Results (cont.)
     Relating to Objective #2:
     • The State was at high risk of a system compromise and/or data breach by malicious individuals, including individuals both internal and external to the State.
       • Hundreds of vulnerabilities identified
         • Unnecessary and Insecure Ports, Services, and Utilities
         • Exposed Management Interfaces
         • Default and Easily Guessable Usernames and Passwords
         • Unsecured Web Applications
         • Lack of Internal Network Security Controls (e.g., network segmentation, hardening and patching, use of insecure network protocols, lack of IDS/IPS)
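The finding categories on this slide map directly onto checks a defender can run against a port/service inventory before an auditor does. The Python below is an added example, not part of the presentation or of the OSA’s audit tooling: the host names, roles, allowlists and scan records are constructed for illustration, and the `default_creds` flag stands in for the result of an authorized credential check.

```python
"""Classify port/service scan records into the finding categories reported in
the 2010 Colorado pen test audit.  Added example with constructed data; the
hosts, roles and allowlists are assumptions, not values from the audit."""
from collections import Counter
from dataclasses import dataclass

# Administrative interfaces that should never be reachable from an external
# (internet-facing) zone; seeing them there is an "exposed management
# interface" finding.
MANAGEMENT_SERVICES = {"ssh", "telnet", "rdp", "vnc", "ipmi", "winrm",
                       "snmp-v2c", "snmp-v3", "http-admin"}

# Protocols with cleartext transport or weak authentication; a finding in any zone.
INSECURE_PROTOCOLS = {"telnet", "ftp", "rlogin", "snmp-v2c", "http-admin"}

# Services each host role is expected to expose (assumed hardening baseline).
# Anything outside the allowlist is an "unnecessary service" finding.
ROLE_ALLOWLIST = {
    "web": {"https"},
    "db": {"mssql"},
    "workstation": set(),
}


@dataclass(frozen=True)
class ScanRecord:
    host: str
    role: str
    zone: str            # "external" or "internal"
    port: int
    service: str         # normalized service name from the scanner
    default_creds: bool = False   # True if an authorized credential check
                                  # logged in with a vendor default


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    category: str
    detail: str


def classify(records):
    """Return one Finding per (record, category) match."""
    findings = []
    for r in records:
        allowed = ROLE_ALLOWLIST.get(r.role, set())
        if r.service not in allowed:
            findings.append(Finding(r.host, r.port, "Unnecessary Service",
                                    f"{r.service} not expected on a {r.role} host"))
        if r.zone == "external" and r.service in MANAGEMENT_SERVICES:
            findings.append(Finding(r.host, r.port, "Exposed Management Interface",
                                    f"{r.service} reachable from the external zone"))
        if r.service in INSECURE_PROTOCOLS:
            findings.append(Finding(r.host, r.port, "Insecure Network Protocol",
                                    f"{r.service} is cleartext or weakly authenticated"))
        if r.default_creds:
            findings.append(Finding(r.host, r.port, "Default or Guessable Credentials",
                                    f"{r.service} accepted a vendor default login"))
    return findings


def summarize(findings):
    """Count findings per category, the way a management-level report would."""
    return Counter(f.category for f in findings)


def hosts_with_findings(findings):
    return sorted({f.host for f in findings})


# Constructed scan records (not real state systems).
SAMPLE_RECORDS = [
    ScanRecord("web01", "web", "external", 443, "https"),
    ScanRecord("web01", "web", "external", 22, "ssh"),
    ScanRecord("web01", "web", "external", 8443, "http-admin", default_creds=True),
    ScanRecord("db01", "db", "internal", 1433, "mssql"),
    ScanRecord("db01", "db", "internal", 23, "telnet", default_creds=True),
    ScanRecord("ws-042", "workstation", "internal", 161, "snmp-v2c"),
]

if __name__ == "__main__":
    found = classify(SAMPLE_RECORDS)
    for category, n in summarize(found).most_common():
        print(f"{n:3d}  {category}")
    for f in found:
        print(f"{f.host}:{f.port}  [{f.category}]  {f.detail}")
```

One record can produce several findings (an externally reachable admin console with a default password hits four categories at once), which is why the per-category summary is the useful management-level view while the per-record list is what the technical report needs.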

  21. Audit Results (cont.)
     • Relating to Objective #2 (cont.):
       • Compromised or gained unauthorized access to:
         • Numerous State Networks and Systems
         • Lots of Sensitive and Confidential Information:
           • Usernames and passwords (belonging to state employees and other non-state individuals)
           • State employee records
           • SSNs
           • Income levels
           • Birth dates
           • Contact information, i.e., phone numbers and physical addresses
       • A data breach of this magnitude would have cost the State between $7 and $15 million to remediate (based on national averages at the time).
     • All findings and recommendations were agreed to (or partially agreed to).

  22. Audit Results (cont.)

  23. Audit Results (cont.)

  24. Challenges
     • “First of Its Kind” Audit
       • OSA Authority to Conduct Pen Test? – Not “specific”
     • Communication/Coordination
       • All Business Management (as well as IT/InfoSec Mgt.)
     • Very Complex IT Org, Systems, and Technologies
       • Took a lot to plan, execute, and report
     • Reporting
       • Public vs. Private Info
       • Diff. contractors partnering with OSA

  25. Successes
     • Information Security Posture – Identified a Baseline!
     • Raised Information Security Awareness – within State Ops, the Legislature, and Public
     • Increased OSA Authority – new statute was created to allow our office to conduct ongoing VAs, pen tests, and technical security assessments… after consultation and in coordination with, but not requiring the approval of, the CIO (Sec. 2-3-103(1.5) et al., C.R.S.)

  26. Cybersecurity Approach: Current VA/Pen Test Audit (To be Released Dec. 2014)

  27. Audit Objectives
     • Objective #1: To conduct a vulnerability assessment, penetration test, and technical information security evaluation on state networks, applications, and systems.
     • Objective #2: To gain an understanding of the root cause of identified information system security vulnerabilities.

  28. Key Differences (vs. Prior Audit)
     • Scope Size & Complexity
       • Risk-based/Targeted (vs. Statewide/All-inclusive)
       • White/Grey Box (vs. Black Box)
       • Resulted in Fewer Networks, Systems, & Depts.
     • No InfoSec Program Review
       • Root Cause Analysis Focus
     • Shorter Timeline
       • Mar.-Dec. 2014 (vs. more than 12 mos.)
     • One Contractor (vs. 2 Prior)
       • Simplify Communications & Processes
       • Reports to Match OSA Style
     • Communication With Management
       • Simplified with 2 Entrance Meetings with IT/InfoSec Mgt. (vs. Business Mgt.)
     • Reporting
       • Public vs. Private Content
     • Evaluation vs. Audit – did not have to follow Yellow Book standards

  29. Audit Scope
     • Left Scope and Schedule Open in RFP
       • The engaged contractor was required to work with us (OSA) to:
         • Define the networks, applications, and/or systems to be included in the scope, based on risk;
         • Develop the audit schedule (working backwards from our LAC date).
     • List of Scope Areas
       • External Network (89,614 IP addresses)
       • Internal Network (3, across diff. departments)
       • Firewalls (10, mix of external & internal)
       • Enterprise Apps (2, across diff. depts.)
       • Web Apps (5, across diff. depts.)
       • Social Engineering (spam email to all Executive and Judicial Branch agencies)

  30. Audit Results
     • TBD – Report to be released in December!!!
     • Generalization:
       • Lots of very similar findings as last time, indicating slow progress in maturing the state’s info sec program

  31. Outcomes (Expected)
     TBD… but we’re hoping to:
     • Issue Two Reports Again:
       • Management-level Report (Public)
       • Technical-level Report (Private)
     • Provide Transparency & Value
       • Identify System Vulnerabilities/Findings
       • Identify Root Causes
       • Raise Awareness of InfoSec Posture
     • Provide Accountability
       • Track Audit Findings & Recs
       • Annual Report on Recommendations not Fully Implemented

  32. Challenges
     • New (and few) IT audit staff – 1 contract monitor
     • Independence – concern due to prior audit deputy moving into the CISO role
     • New Contractor – get up to speed!
     • Risk-based Scoping – very complex IT organization and systems:
       • Outdated technologies and systems
       • Redundant systems
       • New system developments

  33. Challenges (cont.)
     • Lots of Staff Turnover/Reorgs.
       • Significant IT management turnover during the review, including:
         • Secretary of Technology & State Chief Information Officer (CIO)
         • Chief Technology Officer (CTO)
         • Chief Operating Officer (COO)
         • Chief Information Security Officer (CISO)
         • Chief Customer Officer
         • Director of HR
         • Director of Enterprise Applications
     • Communication/Coordination with appropriate management and staff

  34. Challenges (cont.)
     • Authority to conduct Pen Test Evaluations
       • 2 separate but similar “Rules of Engagement” (for Exec. and Judicial Branch agencies/systems subject to our evaluation)
     • Obtaining access to systems for credential testing
       • Despite statutory authority (to access all state information and records)

  35. Improvement Opportunities
     • Tie Current Results to Prior Results – to analyze trends about whether InfoSec is improving over time
     • Multi-year Plan – continue risk-based coverage?
     • Simplify Further – smaller audits, dept.-specific
     • Incident Response Testing
     • Contractor Consistency – to improve efficiencies in coordination of planning, fieldwork and reporting
     • Develop In-house Expertise – perform VA/pen tests using available tools and techniques
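Tying current results to prior results, as the first opportunity above proposes, only gives a fair trend if the comparison accounts for the narrower, risk-based 2014 scope: a 2010 finding on a host that was not re-tested in 2014 is unknown, not remediated. The Python below is an added example of that comparison, not the OSA’s own findings-tracking system; the finding sets, host names and the `(host, category)` identity rule are constructed assumptions.

```python
"""Compare two rounds of assessment findings to show whether the security
posture is improving.  Added example with constructed finding sets; it is not
the OSA's tracking system.  A finding is identified by (host, category), so the
same weakness seen again counts as persisting rather than new."""
from collections import Counter


def finding_key(f):
    return (f["host"], f["category"])


def compare_rounds(prior, current, current_scope):
    """Bucket prior findings as remediated, persisting or not retested, and
    current findings with no prior counterpart as new.

    current_scope is the set of hosts actually re-tested this round.  A prior
    finding on a host outside it cannot be called remediated; without this
    check a narrower round would inflate the remediation rate."""
    prior_keys = {finding_key(f) for f in prior}
    current_keys = {finding_key(f) for f in current}
    result = {"remediated": [], "persisting": [], "not_retested": [], "new": []}
    for key in sorted(prior_keys):
        host = key[0]
        if host not in current_scope:
            result["not_retested"].append(key)
        elif key in current_keys:
            result["persisting"].append(key)
        else:
            result["remediated"].append(key)
    result["new"] = sorted(current_keys - prior_keys)
    return result


def remediation_rate(result):
    """Share of re-tested prior findings that are now closed (None if nothing
    was re-tested, so a scope with no overlap is not reported as 100%)."""
    closed = len(result["remediated"])
    retested = closed + len(result["persisting"])
    return closed / retested if retested else None


def category_trend(prior, current):
    """Per-category counts in each round and the change between them."""
    before = Counter(f["category"] for f in prior)
    after = Counter(f["category"] for f in current)
    return {c: (before[c], after[c], after[c] - before[c])
            for c in sorted(before.keys() | after.keys())}


# Constructed findings from a hypothetical prior and current round.
PRIOR = [
    {"host": "web01", "category": "Exposed Management Interface"},
    {"host": "web01", "category": "Default or Guessable Credentials"},
    {"host": "db01", "category": "Insecure Network Protocol"},
    {"host": "ws-042", "category": "Unnecessary Service"},
    {"host": "fw03", "category": "Exposed Management Interface"},
    {"host": "hr02", "category": "Default or Guessable Credentials"},
]
CURRENT = [
    {"host": "web01", "category": "Exposed Management Interface"},
    {"host": "db01", "category": "Insecure Network Protocol"},
    {"host": "ws-042", "category": "Unnecessary Service"},
    {"host": "app07", "category": "Unsecured Web Application"},
]
# Hosts the risk-based current round actually covered; fw03 and hr02 were not.
CURRENT_SCOPE = {"web01", "db01", "ws-042", "app07"}

if __name__ == "__main__":
    result = compare_rounds(PRIOR, CURRENT, CURRENT_SCOPE)
    for bucket, keys in result.items():
        print(f"{bucket:13s} {len(keys)}  {keys}")
    print("remediation rate of re-tested findings:", remediation_rate(result))
    for category, (b, a, delta) in category_trend(PRIOR, CURRENT).items():
        print(f"{category:36s} {b:2d} -> {a:2d} ({delta:+d})")
```

With the constructed data one of four re-tested findings is closed (25%); counting the two un-tested hosts as remediated would report three of six instead, which is exactly the distortion a multi-year, risk-based plan has to guard against.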

  36. Questions?
     • Contact me:
       • Matt.Devlin@state.co.us
       • 303-869-2800
       • www.state.co.us/auditor
