After an onslaught of hacking, breaches and malware this year, and the resultant waves of publicity, National Cybersecurity Awareness Month should be a bit anticlimactic.
But for some people, the message never gets old.
One of the organizations most aware of cyberthreats and most active in countering them is CIS, a non-profit steadily expanding its client base and 130-person workforce. Along with creating benchmarks and protocols by which organizations large and small can secure their computer systems, CIS serves public entities as a cybersecurity partner, including all 50 states and 1,400-plus municipalities containing more than 80 percent of the U.S. population.
CIS — formerly the Center for Internet Security — is officially designated by the U.S. Department of Homeland Security as the go-to source for free cybersecurity services for state, local, territorial and tribal governments. It is hired by private organizations and companies for similar tasks.
CIS is keeping busy.
“Each year I think it can’t get any worse, and then it gets progressively worse,” said Curtis Dukes, executive vice president and general manager of the CIS Best Practices and Automation Group.
October is National Cybersecurity Awareness Month, a Department of Homeland Security promotion that gives prominence to issues CIS deals with every month.
Too many organizations, Dukes said, are not taking the critical steps of setting up a securely configured system, reducing the areas that are exposed to attack, and then staying secure by following an industry-accepted protocol of best practices.
CIS has developed the CIS Controls and CIS Benchmarks as its defense against cyberthreats. There are other protocols, each with its own supporters, Dukes said, and while it would be nice for government and industry to all agree on a single standard, “we’re not there yet.”
Steven Spano, president and chief operating officer of CIS, spoke Monday at the annual meeting of the Business Council of New York State about the importance of taking preventative steps before a cyberattack.
Having a chief information security officer in the company doesn’t guarantee there won’t be a breach, he said, but not having a CISO will likely make the breach worse.
“Now you have a PR nightmare on top of the breach,” Spano explained.
He advises companies to look at the cost of a breach, or of an “extinction-level event.”
The $150,000 salary of a CISO seems small in comparison.
Not enough business leaders see this, he said.
“There’s a disconnect to how a lot of businesses approach cybersecurity. I sense an intrinsic ignorance about the topic.”
Rather than admit ignorance, he said, they hand the problem off and hope it gets fixed.
“Cyber is not static,” Spano said. “Trying to keep pace with the art and the science is a big challenge.”
He also cautioned against outsourcing cybersecurity and forgetting about it. Oversight is still needed. If there’s a breach, ultimately it’s the business and its customers who will suffer, regardless of who was supposed to be standing guard at the gate.
In 2011, CIS took over the Multi-State Information Sharing and Analysis Center, which was created by New York state. The MS-ISAC remains a close partner with New York state but also serves the other 49 states, the District of Columbia and the five U.S. territories. There is no cost to government users — Homeland Security picks up the tab for the states and for more than 1,400 municipal entities.
The focus is on cyberthreats such as malware, but the MS-ISAC has also warned its municipal partners about hacktivists — those who try to shut down a government website in response to a local incident such as a police shooting.
Such threats are more of a nuisance than a danger. Cyberterrorists and cyberwarriors, by contrast, might want to damage critical infrastructure such as the power grid.
The MS-ISAC can’t detect incoming attacks from unknown sources; its function is to respond to known threats and weaknesses by recommending security updates, and to help entities that have been attacked understand how and why the attack was able to succeed.
If needed, its Computer Emergency Response Team can travel to the scene of an attack to do forensics.
In their work, MS-ISAC personnel find varying levels of cyber vigilance among municipal entities. This is a critical detail, because most attacks target known weak spots.
The MS-ISAC’s Security Operations Center is staffed around the clock by cybersecurity experts who respond to state and local government inquiries, provide network monitoring for these governments, and watch for data dumps that could compromise members’ websites. An intelligence team within the SOC investigates attacks and looks for trending indications of threats, though it does not work around the clock.
On Tuesday, the SOC was fairly quiet. The total number of tickets — any request for action by a member — stood at one. Network monitoring and bug tracking indicators were both zero. Advanced persistent threats — state-sponsored attacks — also registered zero.
The scraper — an automated sweep of open-source websites for anything potentially threatening to a municipal member — periodically bounced from zero to one and back to zero.
The threat level was blue, or guarded — second-lowest on the five-step scale from green (low) to red (severe). Multiple vulnerabilities in Google Chrome and Joomla! were the latest threat warnings.
Blue indicates there are potentially significant vulnerabilities that haven’t been exploited, or have been exploited without impact.
CIS has never raised its threat level to red. In 2014, the Heartbleed bug pushed it to the second-highest level, orange, which indicates a high risk of increased hacking, virus or other malicious cyber activity that targets or compromises core infrastructure, causes multiple service outages, causes multiple system compromises, or compromises critical infrastructure.
The private client roster of CIS ranges from single-person companies to Fortune 100 firms and stretches around the world. The fee-for-service offerings include vulnerability assessments, consulting and training.
Also Tuesday, CIS issued a news release saying the breach at the credit reporting agency Equifax — in which 143 million Americans’ personal information was exposed — could have been prevented with implementation of CIS Controls. The breach was an exploitation of a known vulnerability, exactly the kind of situation CIS works to prevent.
Equifax’s CEO was ousted and its stock value plunged 35 percent in six trading days in mid-September, erasing $6 billion in value — exactly the kind of collateral damage Spano warned about.
Equifax is a particularly bad breach for consumers, Dukes said, because it potentially provides all the information needed to validate a transaction with a stolen identity.
“Once that information is lost, the criminal network can easily take that.”
Credit agencies deal with the businesses that sell or lend to consumers rather than with consumers themselves, Dukes said, so they are a step removed from the people affected.
“Organizations that are holding this information need to be accountable to us,” he said, suggesting that standards be set and federal regulations implemented.
In the meantime, consumers should not wait for anyone to protect them, Dukes recommended.
“I think it is now incumbent … to do some amount of the due diligence yourself,” he said.
For starters, people should take advantage of their right to free credit reports (federal law entitles each consumer to one a year from each of the three major bureaus, which can be staggered so a report arrives every few months), and make note of who is checking their credit and why.
Dukes expressed optimism that the business world will move away from collecting such sensitive material as Social Security numbers.
And he urged people to stop giving out such personal identifying information freely whenever asked.
“I think you have to be mindful each and every time you do an online purchase,” he said.
CIS Benchmarks and CIS Controls are the centerpiece of the cybersecurity program offered by CIS, formerly the Center For Internet Security.
The Benchmarks are 100-plus configuration guidelines, each covering a particular technology, that describe how to configure a system to safeguard it against evolving cyber threats.
The Controls are 20 specific actions that can be used to implement the objectives of cybersecurity frameworks created by the National Institute of Standards and Technology, the International Organization for Standardization, the Institute of Electrical and Electronics Engineers and the Payment Card Industry Security Standards Council. They are free and to date have been downloaded more than 85,000 times.
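To make concrete what a configuration guideline looks like in practice, here is an added illustration of the kind of automated audit check a Benchmark recommendation translates into. It is not CIS's own tooling or an excerpt from any Benchmark; the two recommendations it tests (SSH root login disabled, restrictive permissions on the shadow password file) are assumed to be representative of Linux hardening guidance, the sample sshd_config is constructed rather than captured, and the function names are this example's own. It requires GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example in the style of a configuration-benchmark audit check.
# Not CIS code; recommendations, file contents and names are illustrative.

# audit_sshd_directive CONFIG KEYWORD EXPECTED
# sshd honours the FIRST occurrence of a keyword, so a hardened line appended
# to the end of the file changes nothing if an earlier line already set it.
# Keywords are case-insensitive; comment lines (#...) never match because
# their first field carries the '#'. Match blocks are not handled here; on a
# live host compare against the effective config from `sshd -T` instead.
audit_sshd_directive() {
    local actual
    actual=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
    [ "$actual" = "$3" ]
}

# audit_file_mode FILE OWNER GROUP MAXMODE
# Passes when FILE is owned by OWNER:GROUP and no permission bit is set that
# MAXMODE (octal, e.g. 640) does not allow, so 600 passes a 640 limit but
# 644 does not. Bit arithmetic, not string comparison, is what makes
# "640 or more restrictive" checkable.
audit_file_mode() {
    local file owner group maxmode
    file=$1; owner=$2; group=$3; maxmode=$4
    set -- $(stat -c '%a %U %G' "$file" 2>/dev/null)
    [ $# -eq 3 ] || return 1
    [ "$2" = "$owner" ] && [ "$3" = "$group" ] &&
        [ $(( 0$1 & ~0$maxmode )) -eq 0 ]
}

# make_sample_config PATH
# Constructed sshd_config (not a captured file): an operator "hardened" it by
# appending "PermitRootLogin no", but the earlier lowercase "yes" still wins.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config for the audit example
Port 22
permitrootlogin yes
PasswordAuthentication no
#PermitRootLogin no
PermitRootLogin no
EOF
}

# run_demo: runs both checks against constructed files in a temp directory,
# prints PASS/FAIL per check and returns the number of failed checks.
run_demo() {
    local dir cfg shadow fails
    fails=0
    dir=$(mktemp -d)
    cfg="$dir/sshd_config"; shadow="$dir/shadow"
    make_sample_config "$cfg"
    : > "$shadow"; chmod 0600 "$shadow"

    if audit_sshd_directive "$cfg" PermitRootLogin no; then
        echo "PASS PermitRootLogin is no"
    else
        echo "FAIL PermitRootLogin (first occurrence wins, and it is yes)"
        fails=$((fails + 1))
    fi
    if audit_file_mode "$shadow" "$(id -un)" "$(id -gn)" 640; then
        echo "PASS shadow file mode is 640 or more restrictive"
    else
        echo "FAIL shadow file mode"
        fails=$((fails + 1))
    fi
    rm -rf "$dir"
    return $fails
}
```

Run it with `. ./audit.sh && run_demo`; the exit status is the failure count, which is how such checks are usually wired into a scanner. The sample deliberately fails the SSH check: the appended `PermitRootLogin no` looks like a fix, but sshd uses the first value it reads, which is the single most common way a benchmark remediation silently does nothing.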