Conducting Risk Assessments
https://www.cisecurity.org/elections-resources/
Dr. Michael Garcia, Director of Elections Best Practices
14 June 2018

Slide 2: Agenda
About CIS
About the Elections Infrastructure Information Sharing and Analysis Center
Thinking about threats and motivations in elections
A Handbook for Elections Infrastructure Security
Self- and independent assessments

Slide 3: A word about CIS
CIS is a technical organization: it addresses the how over the what.
Backed up by experience and resources: CIS history and programs underpin its best practices and recommendations.
Focused on the entire ecosystem: it looks at, and provides best practices for, the process from start to finish.

Slide 4: CIS Structure
(Organizational diagram; the only text recoverable from it reads "State, Local, Tribal, or Territorial Government Entity".)

Slide 5: Election Infrastructure Information Sharing and Analysis Center (EI-ISAC)
Members include:
49 State Elections Offices
2 Territorial Elections Offices
>700 Local Elections Offices (growing at ~15/week)
4 Associations

Slide 6: How to Become a Member
Free and voluntary. No mandated information sharing.
1. Visit our registration form and complete it
2. Agree to the Terms and Conditions
3. Receive a Welcome Email
4. Provide contact details for key staff
5. Start receiving notifications and products
https://www.cisecurity.org/ei-isac/

Slide 7: EI-ISAC Local Leaderboard (June 19)
Left column:
1. Florida: 100%
2. North Carolina: 87%
3. Washington: 85%
4. Nevada: 76%
5. Tennessee: 74%
6. South Carolina: 72%
7. Rhode Island: 67%
8. Delaware: 67%
9. Hawaii: 60%
Right column:
1. Maryland: 58%
2. New Jersey: 52%
3. Minnesota: 44%
4. California: 36%
5. Colorado: 36%
6. Arizona: 33%
7. Oregon: 33%
8. Virginia: 30%

Slide 8: An Elections-focused Cyber Defense Suite
24x7x365 network monitoring
Incident response and remediation
Threat and vulnerability monitoring
Election-specific threat intelligence
Training sessions and webinars
Promotion of security best practices
DDoS mitigation and web protection services

Slide 9: 24 x 7 Security Operations Center
Central location to report any cybersecurity incident.
Support: network monitoring services; research and analysis.
Analysis and monitoring: threats, vulnerabilities, attacks.
Reporting: cyber alerts and advisories, web defacements, account compromises, hacktivist notifications.
To report an incident or request assistance: Phone: 1-866-787-4722; Email: [email protected]

Slide 10: The threat environment in elections
There have always been threats to elections.
There's been a steady progression toward IT-related attacks over the last two decades.
2016: a more concerted effort, but just an increase in what had already been occurring.

Slide 11: Motivation
1. Attackers have one or more goals: information theft, espionage, sabotage. Sabotage means destruction, defamation, or blackmail of targets. Motivation can be BOTH changing votes AND reputation damage to democracy itself.
2. In cybersecurity, risks drive investments. We must assess risk and keep a broad view: adversaries will look for a weakness anywhere, so we must strengthen defenses everywhere.

Slide 12: A Handbook for Elections Infrastructure Security
View and download at: https://www.cisecurity.org/elections-resources/
Order free hardcopies at: https://learn.cisecurity.org/ei-handbook

Slide 13: The starting point
Jumping on a moving train means continual improvement: find mitigations that work with a system in motion.
Constrained resources mean mitigating risk at the margin: focus on the best way to spend the next dollar, regardless of where it is.
Provide best practices that can be tailored to different situations.

Slide 14: What we learned about risk
The most substantial risks are to components that have network connections. For cybersecurity folks, this puts us in known waters. This is bigger than paper ballots or RLAs.
Systems are highly unique, but have many similarities in structure and, thus, in risks. Think of uniqueness as following the 80/20 rule: mostly the same, some tweaks.

Slide 15: Handbook Structure
Three parts:
1. Introduction of elections and risk
2. An architecture of elections systems and their risks
3. Technical best practices
Includes recommendations on contracting and procurement, auditing, and incident planning.
Contains 88 best practices in the form of security controls.

Slide 16: Part 1: Introduction
Typical stuff: scope, audience, environment. Also information about conducting a risk assessment.
Introduces three classes of connectivity: network connected systems; indirectly connected systems; systems that are not connected.
Bonus: transmission risks.

Slide 17: Part 2: Architecture and Risk
Generalized architecture: describes each component, its risks, and its connectedness.

Slide 18: Part 3: Mitigating Risk
Summarizes and mitigates risks. Each best practice has:
Asset class: device, process, software, user
Priority: high, medium
Known security controls
Estimates of potential resistance, upfront cost, and ongoing maintenance cost
Resources to help implementation: links to online resources, NIST guidance, tools

Slide 19: A takeaway
Elections have some unique aspects, but the broad set of risks is similar to those in other domains. This is good news: we can apply what we already know from other industries and sectors to elections, achieving better results faster and cheaper.

Slide 20: Uses of the handbook
Using it as a baseline in developing training and assessment tools
Drawing connections between non-technical understanding of risk and technical approaches to mitigation
Prioritizing additional security work
Showing how investments have been used and how future investment will be used
Conducting an assessment of current practices

Slide 21: Why assessments matter
Throwing away what you have and starting over? No assessment needed.
Otherwise: assessment needed.

Slide 22: Assessment types
Full, independent risk assessment (best): involves substantial analysis of the environment to identify threats, vulnerabilities, and consequences.
Independent assessment of practices (good): reviews against known sets of best practices and controls. Self-diagnosis, even best intentioned, can be biased.
Self-assessment of practices (effective): low budget, quick, useful for a reasonably well-known threat environment.

Slide 23: Assessments: when, how, how often
During pre-planning, after a system freeze
Involve the entire technical team
After major system changes
Annually, ideally semi-annually
Share results with non-technical leaders
Use as a tool for comms, resourcing, and accountability; not just technical

Slide 24: What's next?
Self-assessment tool against the handbook: pilot phase underway, full launch in July.
Training for independent assessors: in early development, hoping to begin training in fall.
Procurement guidebook: based on the handbook, provides sound approaches to procurement as well as model contract clauses.

Slide 25: Self-assessment tool
Online interface to walk through implementation of handbook best practices
Provides a dashboard summary of results
Can be shared across the organization and with the state ED; default is no sharing
Tracks progress over time

Slide 26: Thank you!
Main page: www.cisecurity.org/elections-resource
EI-ISAC registration: https://www.cisecurity.org/ei-isac/
Handbook hardcopies: https://learn.cisecurity.org/ei-handbook

Mike Garcia
[email protected]
www.cisecurity.org/elections-resources
