CIS 2013 Annual Report

Table of Contents


Message from the Chairman
Message from the CEO
Who We Are
CIS Leadership
2013 at a Glance
Highlights of Our Year
Reducing Risk Through Collaboration, Consensus and Practical Security Management
Serving as a Catalyst for Integration to Improve SLTT Government Cyber Preparedness and Response
Providing a National Picture of SLTT Government Cyber Security Readiness and Response
Building Relationships
Building an Alliance Toward a More Secure Future
Sharing Knowledge and Raising Awareness
CIS Employees: Committed to Excellence


Message from the Chairman


JOHN M. GILLIGAN | Chairman
President, Gilligan Group, Inc.

The cyber risks facing governments, businesses and consumers continue to increase. Addressing these challenges requires strong partnerships both between and among government and industry to facilitate enhanced preparedness and rapid response.

The Center for Internet Security, Inc. (CIS) has established itself as a premier and trusted partner for both the public and private sectors since our establishment in 2000. Simply put, CIS brings organizations and individuals together for the purpose of improving our collective cyber security posture.

In 2013, CIS built upon its highly successful collaborative model to expand our partnerships in two vitally important areas. In the first, CIS facilitated significant enhancements to intelligence gathering and information sharing with the creation of a new nation-wide partnership with the various fusion centers and the homeland security advisors. In addition, CIS expanded focus on protection for the critical infrastructure sector by offering a range of new products and services that address specific needs.

The board is proud of the continued breakthrough accomplishments of the CIS management team and all of our employees. Through their dedication and the efforts of our many partners we are fulfilling our mission to improve cyber security.


Message from the CEO


WILLIAM F. PELGRIN
President & CEO, Center for Internet Security, Inc.

CIS continued its momentum this year as a thought leader and driving force in cyber security. The outcomes of our effort have made significant positive impacts on the cyber security posture of organizations and individuals across the public and private sectors.

As part of this momentum, we realigned our organization, further positioning ourselves to be responsive to the ever-changing security threat landscape and leverage cross-organizational expertise and resources to better serve our partners.

Although we are proud of our accomplishments, there is still much to be done. CIS is seeing an unprecedented growth in attacks ranging from simple to complex. The actors (hacktivists, hackers, nation states) are increasingly more sophisticated and clever; the attacks are constant and without warning. Heightened importance must be placed on defending our collective assets, and the effort demands continuous and focused attention.

In order to defend against cyber risks, government, businesses and citizens alike need to change behaviors to improve our cyber hygiene. The cornerstones of sound cyber hygiene are: know your environment; secure your environment; control your environment; and monitor your environment.

CIS is committed to taking a practical approach in addressing the cyber challenges facing us, and we will continue to support incremental and tangible measures that effect positive change. Now is the time to be tactical; we must take clear action steps forward in improving our cyber health.

I am privileged to be part of such a great team at CIS, and collectively, we are honored to play a part in helping secure our nation.


WHO WE ARE: CIS Mission


The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization whose mission is to enhance the security readiness and response of public and private sector entities, with a commitment to excellence through collaboration.

CIS serves as the key cyber security resource for state, local, tribal and territorial governments, including chief information security officers, homeland security advisors and fusion centers; produces consensus-based, best practice secure configuration benchmarks and security automation content; and provides products and resources that help partners achieve security goals through expert guidance and cost-effective solutions.

Recognizing the importance of two major converging domains, cyber and physical, CIS seeks to evolve from an organization focused solely on Internet security to be a significant force in improving the security posture of public and private sector organizations with particular attention on critical infrastructures where the cyber domain intersects with the physical domain.


CIS Leadership


Board of Directors
Officers

John M. Gilligan, Chairman
President
Gilligan Group, Inc.

Jack Arthur, Treasurer
Executive Vice President
Octo Consulting Group

William F. Pelgrin
President & CEO
Center for Internet Security

Deirdre O'Callaghan
Secretary
Center for Internet Security

Directors

Dr. Ramon Barquin
President & CEO
Barquin International

Karen S. Evans
Partner
KE&T Partners, LLC

Maureen O. Helmer
Partner
Hiscock & Barclay, LLP

Clint Kreitner

Bruce Moulton
Vice President, Information Technology
National Grand Bank

Alan Paller
Founder and Director of Research
SANS Institute

Franklin Reeder

Phil Venables
Managing Director and Chief Information Risk Officer
Goldman Sachs & Co.

Executive Team

Julie Evans
Chief Operating Officer

Rick Comeau
Strategic Advisor

Thomas Duffy
Senior Vice President
Operations and Services

Laura Iwan
Senior Vice President
Programs

Deirdre O'Callaghan
Chief Counsel

Al Szesnat
Chief Financial Officer

Krista Montie
Director of Communications

Rick Stegmann
Chief Information Officer

Kerry Coffey
Controller

Carolyn Comer
Director of Human Resources


2013 At A Glance


Highlights of Our Year

Reducing Risk Through Collaboration, Consensus and Practical Security Management

For more than a decade, CIS has developed and distributed consensus-based and internationally recognized solutions that help organizations improve their cyber security and compliance posture. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications.

In 2013, CIS expanded its catalogue of resources through the release of new and updated benchmarks, enhanced features to the automated Configuration Assessment Tool (known as CIS-CAT), and other consensus-based products.

CIS Security Benchmarks Membership

Membership in CIS Security Benchmarks provides the most comprehensive access to all of the CIS configuration tools and resources, including a members-only collaboration portal. Benchmarks membership comprises organizations and users from virtually every industry sector and every size, ranging from independent consultants to Fortune 500 companies.

Membership grew by 30% during 2013 to 383 enterprise members, representing businesses, governments, universities and others from across the United States and around the world. In fact, one-third of the membership consists of international entities.

CIS Secure Configuration Benchmarks

Many devices and system technologies are configured to default settings "out-of-the-box," which are often geared toward ease of use and deployment rather than security. This results in vulnerabilities that are easy targets for hackers to exploit. Similarly, if systems and applications aren't being patched on a regular basis, they are vulnerable. Proper security controls and patching are critical, and should be a key layer in any organization's defense-in-depth strategy.

The CIS Benchmarks provide security-focused configuration controls that should be applied for a wide range of technologies, specific procedures on how to implement those recommendations and audit procedures to then verify that those controls were correctly implemented. The technologies that are prioritized for new and updated CIS Benchmarks each year are those that are most needed by CIS Benchmarks members, as well as the entire global IT user community.

The CIS Benchmarks are developed in collaboration with a community of users, vendors and subject matter experts through a unique consensus-based process for which CIS has become internationally recognized.


CIS currently offers more than 80 benchmarks across a broad array of technologies, including desktop and server operating systems, mobile devices and web browsers, all of which are available for free in PDF format on the CIS website. In 2013, these resources were downloaded more than 300,000 times.

Twenty-four new and updated benchmarks were released in 2013, including those for Microsoft Windows 8, Windows Server 2012 and Internet Explorer 10, which were developed in partnership with Microsoft to provide comprehensive guidance to enhance the configuration security of those deployments.

Another key benchmark released was the CIS Apple iOS 7 Benchmark, which provides specific, step-by-step recommendations for securing numerous settings on millions of devices running iOS 7, including the iPhone, iPad, iPad Mini and iPod Touch.

Server operating systems, including Microsoft, Linux (Red Hat and CentOS) and UNIX (Oracle Solaris and IBM AIX), were the predominant technology group covered by new and updated Benchmarks in 2013.

"We are using CIS more than ever since the policy templates were added for the baselines. The templates plus CIS-CAT scoring make it a complete solution which is extremely easy to begin and consistently maintain the hardening process on existing or new operating systems/applications. We are looking to use it more and more."
Jason Dasher | Department of Information Technology Services
Prince William County Public Schools | Virginia


Forty-nine CIS Benchmarks are included as official configuration guidance in the National Checklist Program within the National Vulnerability Database for use by federal agencies and other entities that are subject to federal compliance requirements.

The CIS Benchmarks are widely used to attain compliance with a number of recognized security standards, including PCI, HIPAA and others.

Medical Device Benchmark Initiative

Doctors and other healthcare providers are beginning to routinely communicate with implanted medical devices such as insulin pumps, pacemakers and defibrillators using Internet-based technologies. This process enables doctors to manage the device and continuously monitor and treat the patient remotely.

As with any system or device connected to the Internet, the inherent risk of cyber attack is real. In recognition of the growing risk, and in light of safety notices issued by the FDA and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), indicating hardcoded password vulnerabilities were found in approximately 300 medical devices, CIS leveraged its consensus-based approach to team up with the healthcare community and other stakeholders to help bolster the protection of Internet-enabled medical devices from cyber attacks.

CIS is partnering with industry leaders on a new initiative to develop secure configuration benchmarks for mobile medical devices and network connected health care systems.

The initial focus of the group is to leverage the latest CIS Windows XP Professional Benchmark (v3.1.0) as a beginning baseline of configuration security controls for medical system(s) with Windows XP Pro installed, based on use cases and risk-based needs for system and data security. As XP will no longer be a supported platform as of April 2014, the additional security guidance provided through this initiative will help reduce the attack surface and assist healthcare delivery organizations in addressing this challenge.

Efforts will continue throughout 2014 to leverage the expertise and resources of the stakeholders in developing practical solutions for other areas of critical need, including those outside the healthcare sector.

"Cybersecurity threats and vulnerabilities continue to represent increasing concerns for medical devices. The Center for Internet Security's initiative provides healthcare stakeholders with a defining voice to help protect medical device confidentiality, integrity and availability and public health safety. The National Health ISAC is excited to help support this important initiative."
Deborah Kobza | Executive Director of the National Health ISAC

Leadership Role in Industry Efforts to Enhance Security Content Automation

Security content automation is gaining momentum, as organizations require faster, more cost-effective and highly scalable mechanisms to defend against the ever-changing cyber threat landscape, along with standardized solutions for implementing controls and assessing their effectiveness.

CIS continued its efforts this year to further the development of international standards for security automation through a number of activities, including serving as co-chair of the IETF's new Security Automation and Continuous Monitoring (SACM) Working Group, a voluntary community of security experts working to develop a roadmap for establishing and extending existing security automation specifications as international standards; and serving on the Open Vulnerability and Assessment Language (OVAL) Board, a community focused on promoting an international standard language for open and publicly available security content.

In 2013, CIS developed new schema enhancements to OVAL and presented them to the OVAL community during the MITRE OVAL Developer Days conference in July. The enhancements will significantly reduce the complexity that currently exists in collecting and assessing configuration information stored using states of INI files (structured text files used to store application settings).

CIS Configuration Assessment Tool (CIS-CAT)

The CIS Configuration Assessment Tool, known as CIS-CAT, is a powerful resource for analyzing and monitoring the security status of information systems/applications and the effectiveness of internal security processes. CIS-CAT, available to Security Benchmarks members, is a Java-based tool that compares the configuration of target IT systems to corresponding CIS Benchmarks. It provides fast, detailed assessments of enterprise deployments, and aggregate reports of configuration security posture across such environments.

In 2013, CIS further enhanced CIS-CAT functionality, allowing for more tailored reporting, improved performance and reduced bandwidth requirements, as well as direct use of more security automation content.

CIS-Hardened Server Instances in the Amazon Web Services (AWS) Cloud

In 2013, CIS developed Amazon Machine Images (AMIs), preconfigured according to the applicable CIS Benchmarks, for Red Hat Enterprise Linux (RHEL) 5 and SUSE Linux Enterprise Server 11. These AMIs are available to CIS Security Benchmark members in the AWS Elastic Compute Cloud and are in addition to the existing CIS AMIs for Microsoft Windows Server 2008 R2 and RHEL 6.

An Internationally Recognized Sign of Quality — CIS Product Certifications

CIS Certified Security Software Products are tested and certified by CIS to accurately measure and report conformity of system configurations with the technical settings defined in CIS Benchmarks. The CIS "Certified" logo is used by CIS Members to demonstrate a strong commitment to consensus-based configuration security recommendations.

In 2013, the number of CIS Security Software Vendor members awarded CIS product certifications increased by 44%.

2013 CIS-CAT Enhancements
Assessment Engines:
  • CIS Proprietary (ECL)
  • SCAP 1.2 Authenticated Configuration Scanner
  • FDCC Scanner
  • USGCB Scanner
  • SCAP 1.2 Vulnerability Scanner (CVEs)
Reporting Features:
  • Proprietary HTML, CSV, XML
  • Proprietary "Dashboard"
  • Standards-Based "Dashboard" (Asset Reporting Format)
  • Standards-Based Vulnerability Report (OVAL)
Compatible Policy Providers:
  • CIS
  • NIST (USGCB, FDCC)
  • DISA (STIGs)
  • MITRE (Vulnerability data)
  • Major vendors
  • Tier 3 and Tier 4 content in the NIST NVD running on Windows or Red Hat Linux

Serving as a Catalyst for Integration to Improve SLTT Government Cyber Preparedness and Response


The Multi-State Information Sharing and Analysis Center and Integrated Intelligence Center

The relationships between cyber and physical security, government and the private sector, and law enforcement entities are critical for establishing a comprehensive view of the threat landscape, and enabling more efficient and effective detection and response.

CIS has a long-standing reputation for its focus on collaboration, and for the past four years has served as home to the Multi-State Information Sharing and Analysis Center (MS-ISAC). The MS-ISAC, which includes representation by state Chief Information Security Officers or their equivalents, Chief Information Officers, local governments, tribal entities and U.S. territories, is designated by the U.S. Department of Homeland Security (DHS) as a key resource for cyber threat protection, response and recovery for the nation's state, local, tribal and territorial (SLTT) governments.

The MS-ISAC has fostered a trusted environment between and among its SLTT government partners and with DHS. CIS conducts monthly MS-ISAC membership meetings via webcast that provide an interactive forum for sharing information on cyber security issues important to the SLTT government cyber domain. DHS participates in these webcasts, providing the opportunity for them to connect with SLTT government officials on a monthly basis. The members also participate in a number of issue-specific working groups to target the areas of most concern to the members.

Membership in the MS-ISAC grew nearly 70% in 2013, with 541 SLTT entities participating, including 23 ports and airports, 28 public universities and 5 tribal nations.

In 2013, CIS expanded its monthly meetings to include not only MS-ISAC members, but also fusion centers and homeland security advisors to facilitate cross-sector sharing between and among cyber and physical security and the law enforcement community.

CIS Integrated Intelligence Center

In 2013, CIS furthered its vision of bringing the cyber and physical domains together by making its Integrated Intelligence Center (IIC) fully operational. The IIC serves as an important resource to facilitate collaboration across multiple levels of government (federal, state, local), relevant domains (both cyber and physical), and key disciplines (law enforcement, military, policy and technical) to improve the responsiveness and efficiency of anticipating and responding to cyber events.

The IIC includes the CIS 24/7/365 security operations center, incident response team, forensics lab and intelligence analysts - all working side-by-side to put the pieces of the puzzle together, and identify patterns that may not have been detected without this collaborative environment.

The IIC leverages the MS-ISAC to gain unique insight into cyber incidents affecting SLTT government networks and acts on behalf of DHS as a resource for the collection and analysis of actionable strategic, tactical and operational intelligence.

In May 2013, the IIC was designated by DHS as a Cyber Threat Intelligence key resource for the 78 DHS primary and recognized fusion centers. Through this initiative, the CIS IIC provides fusion centers, homeland security advisors and law enforcement entities with access to a broad range of cyber security products, reflecting input from many sources. The goal is to ensure that actionable information, collected and analyzed by both DHS and the IIC, is shared with these partners in a timely manner.

CIS cyber threat intelligence products are distributed to all 78 fusion centers, which then redistribute them to the SLTT audience in their respective Areas of Responsibility (AOR). CIS is working with all fusion center partners to develop products specific to their unique needs.

In addition to intel products, the CIS IIC provides a number of training initiatives, including supporting the U.S. Secret Service's Fusion Center Cyber Analysis Course at the National Computer Forensics Institute in Hoover, Alabama, and conducting monthly IIC Analyst Seminars at CIS.

In November 2013, New York Governor Andrew M. Cuomo announced the relocation of the New York State Intelligence (Fusion) Center to CIS, "putting the state's primary cyber security protection agency under the same roof as a leading nonprofit organization dedicated to enhancing cyber security readiness and response around the globe."

"Coupling the state's ongoing counter terrorism and intelligence capabilities with the CIS's unique access to real time cyber threats from across the nation, makes this joint venture the first of its kind in U.S. law enforcement."
NEW YORK GOVERNOR ANDREW M. CUOMO | NOVEMBER 18, 2013

CIS Uses the US-CERT Traffic Light Protocol to Ensure that Sensitive Information Is Shared with the Correct Audience


Fusion centers, operating under the auspices of the U.S. Department of Homeland Security (DHS), are designed to promote information sharing between federal agencies such as the CIA, the FBI and the U.S. Department of Justice, SLTT governments and the private sector.

The level of participation in the IIC by the fusion centers has been tremendous. The IIC is serving a unique role as a reliable resource for the collection and analysis of actionable strategic, tactical and operational intelligence.

"Great information!! This is one of the best tradecraft/intel publications we have seen on this subject, period... I sent this out to all of the [redacted] law enforcement community. Outstanding, kudos to the author."
Director Chuck Cogburn | Oregon Titan Fusion

National Fusion Center Pilot

In August 2013, recognizing the CIS IIC as one of the key cyber intelligence resources for fusion centers, DHS designated CIS as the coordinating entity for the Office of the Director of National Intelligence (ODNI) Program Manager for the Information Sharing Environment (PM-ISE) and DHS fusion center Pilot (the Pilot). CIS will coordinate this one-year Pilot across a selected number of fusion centers, in partnership with the International Association of Chiefs of Police, the National Fusion Center Association, the ODNI PM-ISE and DHS.

Key objectives of the pilot include the creation of a cyber program model for fusion centers; standardization of distribution and sharing protocols between and among the fusion centers, CIS and stakeholders; and assistance to DHS in development of a training regime to build cyber analytical skills among SLTT governments.

Detection and Prevention: CIS Security Operations Center (SOC)

Through its 24/7/365 Cyber Security Operations Center (SOC), CIS provides real-time network monitoring of the Internet and other sources - including information from its managed security services, netflow monitoring, information from trusted partners and incident reports received from SLTT governments. CIS leverages its intel to distribute early cyber threat warnings, identify vulnerabilities and potential compromises, and provide mitigation recommendations aimed at helping SLTT governments better detect and defend against the latest cyber threats.

DHS Secretary Napolitano, March 2013 remarks to Congress:
"The Multi-State Information Sharing and Analysis Center (MS-ISAC)... has enhanced NCCIC situational awareness at the state and local government level and allows the Federal Government to quickly and efficiently provide critical cyber threat, risk, vulnerability and mitigation data to state and local governments."


The analysis, threat and attack information derived from monitoring activities is shared with all SLTT and federal partners on a weekly and monthly basis.

The SOC issues advisories and alerts to SLTT government partners and stakeholders, and also makes them available to the public online as appropriate. These advisories include customized risk ratings for governments, businesses and home users. In 2013, CIS issued 115 advisories.

CIS Cyber Security Monitoring Services

CIS provides cyber security services through its Managed Security Services (MSS) Program and its Netflow Monitoring. These services offer SLTT governments a cost-effective way to strengthen their security while enabling a more comprehensive view of the threat landscape. The CIS SOC is able to analyze the enormous volume of data and cull out the issues specific to the SLTT environment, thus saving them a great deal of time, and eliminating their need to respond to non-events, such as false positives.

CIS provides MSS and Netflow Monitoring services for 29 states, 1 territory and 14 local governments, and analyzed more than one trillion records in 2013. In partnership with DHS, CIS will expand this collaboration in 2014 to include services for all 50 states and six U.S. Territories.

Managed Security Services (MSS)

MSS includes 24/7 monitoring and/or management of security devices such as firewalls, intrusion detection/prevention systems, web gateway and proxy devices. These services provide a view of system and network activity that enhances situational awareness of SLTT government networks across the country. The MSS enables more timely cyber incident identification and response while providing more data for developing and implementing appropriate mitigation strategies tailored specifically to SLTT government cyber resources. The CIS SOC is staffed with experts who understand the security threat landscape and how it impacts SLTT governments.

In 2013, the number of log lines analyzed through the CIS SOC MSS more than doubled from 2012, with 385 billion log lines analyzed and 10,954 actionable events reported to partners.

Nearly all of the malware infections CIS observed in 2013 were rootkits designed to take over infected machines, or backdoors designed to siphon passwords or other information.

ZeroAccess was the primary malware impacting SLTT governments in 2013, accounting for nearly two-thirds of the malware events. ZeroAccess was aimed at making money through fraudulent pay-per-click advertising.

In December 2013, the ZeroAccess botnet was essentially shut down by a collaborative effort involving government and industry, and the number of ZeroAccess incidents declined drastically.

Incidents involving the Trojan Zbot decreased from 25% in 2012 to 8% in 2013, due in part to improved anti-virus detection.

Network Attacks

The majority of events other than malware that the CIS SOC handled this year involved accepted inbound port scans, SQL injections and peer-to-peer traffic.

Netflow Monitoring Services

In addition to intel received through the MSS and other analysis, CIS further assists SLTT governments through its Netflow Monitoring program. This program is an automated process of collecting, correlating and analyzing computer network security information across government systems. Logs and records detailing the traffic flow of the associated network(s) are continuously analyzed and correlated against known malicious and suspicious patterns, trends and other indicators. Automatic "hits" on potentially malicious software code or other malicious cyber activity are further analyzed by CIS. In analyzing the network flow data, CIS identifies traffic to known malicious IP addresses and domains and issues alerts. This enables partners to rapidly respond to threats and attacks on their infrastructure.
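The correlation step described above, as an added illustration that is not CIS code: constructed flow records and DNS query logs are matched against a small constructed indicator list (IP addresses and domains, with subdomain matching), matches from an allowlisted host are suppressed so they do not become non-events, and the remaining hits are aggregated into one actionable event per source host and indicator. All addresses, domains, campaign names and log lines are made up for the example.

```python
"""Correlate flow and DNS records against IP/domain indicators (constructed example)."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed indicator list: not real IoCs. Maps indicator -> campaign label.
INDICATORS = {
    "ip": {"203.0.113.45": "example-botnet-c2", "198.51.100.7": "example-clickfraud"},
    "domain": {"evil.example": "example-botnet-c2",
               "ads.badclicks.example": "example-clickfraud"},
}

# Constructed allowlist: hosts expected to touch indicators (e.g. a sinkhole or the
# security team's analysis box); reporting them would only create non-events.
ALLOWLIST = {"10.0.0.250"}

# Constructed NetFlow-style export: ts,src_ip,dst_ip,dst_port,proto,bytes
FLOW_LOG = """\
2013-11-04T08:01:12Z,10.0.1.15,203.0.113.45,16471,udp,612
2013-11-04T08:01:13Z,10.0.1.15,203.0.113.45,16471,udp,598
2013-11-04T08:02:40Z,10.0.1.22,93.184.216.34,443,tcp,20481
2013-11-04T08:03:05Z,10.0.0.250,203.0.113.45,16471,udp,100
this line is malformed and must be skipped
2013-11-04T08:05:00Z,10.0.2.9,198.51.100.7,80,tcp,3104
"""

# Constructed resolver log: ts,client_ip,qname
DNS_LOG = """\
2013-11-04T08:00:58Z,10.0.1.15,evil.example
2013-11-04T08:04:55Z,10.0.2.9,ads.badclicks.example
2013-11-04T08:04:56Z,10.0.1.22,www.example.com
"""


@dataclass
class Event:
    """One actionable event: a source host communicating with one indicator."""
    src_ip: str
    indicator: str
    campaign: str
    kind: str          # "flow" (destination IP matched) or "dns" (queried domain matched)
    first_seen: str
    last_seen: str
    hits: int = 0
    bytes: int = 0


def parse_flows(text: str) -> List[dict]:
    """Parse the CSV flow export; malformed lines are skipped rather than aborting a run."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, src, dst, port, proto, nbytes = parts
        try:
            flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                          "proto": proto, "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def parse_dns(text: str) -> List[dict]:
    """Parse the resolver log into (ts, client, qname) records."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3:
            records.append({"ts": parts[0], "src": parts[1], "qname": parts[2].lower()})
    return records


def domain_matches(qname: str, domains: Dict[str, str]) -> Optional[str]:
    """Return the campaign if qname is an indicator domain or a subdomain of one."""
    qname = qname.lower().rstrip(".")
    for dom, campaign in domains.items():
        if qname == dom or qname.endswith("." + dom):
            return campaign
    return None


def correlate(flows: List[dict], dns: List[dict], indicators: dict,
              allowlist: Set[str]) -> List[Event]:
    """Match records against indicators and aggregate hits per (source, indicator)."""
    events: "OrderedDict[tuple, Event]" = OrderedDict()

    def record(src: str, indicator: str, campaign: str, kind: str, ts: str, nbytes: int = 0):
        if src in allowlist:           # expected traffic: suppress, do not alert
            return
        key = (src, indicator, kind)
        ev = events.get(key)
        if ev is None:
            events[key] = Event(src, indicator, campaign, kind, ts, ts, 1, nbytes)
        else:
            ev.hits += 1
            ev.bytes += nbytes
            ev.first_seen = min(ev.first_seen, ts)   # ISO timestamps sort lexically
            ev.last_seen = max(ev.last_seen, ts)

    for f in flows:
        campaign = indicators["ip"].get(f["dst"])
        if campaign:
            record(f["src"], f["dst"], campaign, "flow", f["ts"], f["bytes"])
    for d in dns:
        campaign = domain_matches(d["qname"], indicators["domain"])
        if campaign:
            record(d["src"], d["qname"], campaign, "dns", d["ts"])
    return list(events.values())


def summarize(events: List[Event]) -> Dict[str, Set[str]]:
    """Per-host view of which campaigns were touched: the alert a partner would receive."""
    out: Dict[str, Set[str]] = {}
    for ev in events:
        out.setdefault(ev.src_ip, set()).add(ev.campaign)
    return out


if __name__ == "__main__":
    for ev in correlate(parse_flows(FLOW_LOG), parse_dns(DNS_LOG), INDICATORS, ALLOWLIST):
        print(f"{ev.src_ip} -> {ev.indicator} [{ev.campaign}] {ev.kind} "
              f"hits={ev.hits} bytes={ev.bytes} {ev.first_seen}..{ev.last_seen}")
```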

In 2013, CIS expanded its Netflow Monitoring to additional SLTT governments. This larger and more diverse representative sample of SLTT government network activity provides a more comprehensive picture of the current attack targets and enables the development and maintenance of an SLTT government-focused attack/compromise trend model.

In 2013, the Netflow Monitoring Initiative Program analyzed 696 billion logs, generating 7,315 actionable events. This represents nearly 75% growth in the number of actionable events over 2012.

Response and Recovery: The CIS Computer Emergency Response Team (CERT)

CIS has a dedicated team available to assist with malware and log analysis, computer forensics, code analysis and mitigation recommendations.

In 2013, the number of incidents the CIS-CERT team responded to more than doubled from 2012, averaging almost one per week. Most of the incidents were related to Advanced Persistent Threat (APT), ransomware and compromised webservers.

2013 Major Types of Incidents
APT
Ransomware
Webserver vulnerabilities


"We so appreciate all that you have done to help! I can't tell you how much it helped to know that you were with us through this. It has been a tremendous learning experience and we appreciate all the effort you made to assist."
Margaret Keck | Assistant Director IT | City of Nashville


Case Study:
Advanced Persistent Threat (APT) Campaign Targeting Airports

Advanced Persistent Threat (APT) remained a consistent threat to SLTT government networks in 2013. In summer 2013, CIS was notified of potential APT activity targeting four airports in the U.S. but had no other details regarding network indicators.

CIS contacted each entity to alert them of the malicious activity and requested their network logs from the previous three weeks to conduct analysis for correlation with APT threat indicators.

CIS then received notification that the same APT actor group was targeting an additional eight entities. By leveraging the CIS security monitoring infrastructure and using the indicators provided by other partners, CIS identified malicious traffic from two states. CIS immediately engaged the states and began analysis, identifying a phishing email that contained a link to one of the malicious indicators and was targeted to individuals working in the aviation industry.

CIS pinpointed a public document that appeared to be the source used by the attackers to select the phishing email victims. CIS sent notifications, including the relevant indicators, to all entities that had a contact listed in the public document and asked the entities to search email gateways for emails containing links to those indicators. CIS also issued a cyber alert to state, local, tribal and territorial governments, as well as CIS federal partners including DHS, FAA and the NCCIC, describing the campaign, including all the network and file system indicators.

CIS also contacted an aviation-affiliated entity and collaborated with them to distribute the CIS alert to all their members, notifying them of the attack and providing them with the indicators of compromise. CIS determined that a total of 75 airports in the U.S. were impacted, and two airports had systems that were compromised. CIS provided assistance and all compromised systems were remediated.


Case Study:
Vulnerable Web Content Management Systems Affecting State and Local Governments

Content Management Systems (CMS) were a very popular attack vector for cyber criminals in 2013 because organizations were not updating their CMS, leaving them vulnerable to exploitation. In spring 2013, CIS was asked to provide assistance regarding a compromised state webserver. The forensic analysis identified files being uploaded to a county webserver in another state. The websites of both the state and county servers used vulnerable versions of a CMS. Further analysis identified 66 additional systems were using a vulnerable version of the CMS software, and confirmed that compromises occurred on 22 of these systems. CIS deployed a team onsite to one of the impacted entities for four days and managed the incident for the state. CIS identified attackers had used the compromised webservers to pivot into other parts of the network. CIS worked with the entity and designed a remediation plan that was successfully implemented. CIS notified all affected SLTT governments and issued an advisory to all federal, state, local government and private sector partners, thus minimizing potential impact to other organizations.


Malicious Code Analysis Platform

In October, CIS launched its Malicious Code Analysis Platform for SLTT governments. This portal enables malware analysis in a sandboxed environment without submitting the code to public websites. It also enables SLTT governments to conduct threat intelligence research on malware samples based on domain, IP, URL, MD5 and SHA1/2 values. More than 300 users are already leveraging the platform for their incident response needs.

"I can honestly say that your organization has made an immediate impact in our overall security readiness. Thank you."
Eric Seagur | Network Security Administrator | City of Sioux Falls, ID


Providing a National Picture of SLTT Government Cyber Security Readiness and Response

Nationwide Cyber Security Review

The NCSR, or Nationwide Cyber Security Review, is a voluntary self-assessment survey designed to evaluate cyber security management within state, local, tribal and territorial governments.

As requested by the Senate Appropriations Committee, the 2013 Nationwide Cyber Security Review provides an opportunity to measure progress in the national cyber security posture compared to the initial review in 2011, and to identify areas of concern and opportunities for improvement.

DHS partnered with CIS, along with the National Association of State Chief Information Officers (NASCIO), and the National Association of Counties (NACo) to develop and conduct the second Nationwide Cyber Security Review (NCSR), which took place in fall 2013.

Participation in the 2013 NCSR increased by 86% from 2011, with a total of 304 government entities responding. For the first time, all 50 states participated and the number of county and local governments participating increased by 100%.

The NCSR focuses on the security practices adopted within an organization, as well as the degree to which risk is used to select and manage security controls.

The NCSR utilizes a Control Maturity Model to measure how effective an organization's security program is at deploying a given control, in light of identified risks to an organization's operations.

The NCSR is closely aligned with standards and best practices including the Critical Security Controls for Effective Cyber Defense, Control Objectives for Information Technology (CobIT), Statement on Auditing Standards 6 (SAS#6) and National Institute of Standards and Technology (NIST) Special Publications 800 series.

Findings from the NCSR will be issued to Congress in early 2014.

The NCSR can serve both as a baseline against which progress for the SLTT community can be measured and as a driver for initiatives that address the identified needs of the community.

CIS will continue to update the survey instrument and tools, data collection and the subsequent analysis of future NCSR studies. Focus will include assisting SLTT governments in using the NCSR to further their security objectives, and helping them implement the NIST Cyber Security Framework.

CIS Supports the NIST Cyber Security Framework

CIS provided input to and participated in workshops for the Cyber Security Framework, an effort led by NIST as called for by President Obama in an Executive Order issued in early 2013. The goal is to establish, through working directly with critical infrastructure entities and other stakeholders, a voluntary cyber security framework that leverages existing industry best practice security standards and guidelines, and is applicable to all critical infrastructure sectors.

The NIST Cyber Security Framework, to be released in early 2014, will serve as an important new resource for SLTT governments in their efforts to address today's cyber challenges. CIS supports adoption of the Framework as a key guidance tool for enhancing our collective cyber security posture, and will work closely with DHS throughout 2014 to assist SLTT governments with adoption of the Framework.


Building Relationships


Collaborating with Other Organizations

In addition to working collaboratively with SLTT governments through the MS-ISAC, CIS works closely with other organizations to continue to build trusted relationships to further enhance the cyber security posture of the nation. Such outreach and collaboration includes working with the National Governors Association (NGA), the Governors Homeland Security Advisors Council (GHSAC), the National Association of State Chief Information Officers (NASCIO), the National Association of Counties (NACo), National Cyber Security Alliance (NCSA) and many others. CIS also partners with the other national critical infrastructure sector ISACs through the National Council of ISACs (NCI).

CIS CEO Contributes to NATO Book

In September 2013, the North Atlantic Treaty Organization (NATO) convened the Advanced Research Workshop to identify and assess best practices for incident detection and response. A multi-disciplinary team of experts, including CIS President and CEO William Pelgrin, from 16 countries and three international institutions, participated in the Workshop, held in Geneva, Switzerland.

The result of the forum was the development of the book "Best Practices for Computer Network Defense: Incident Detection and Response," authored by the Workgroup participants and available for release in early 2014.

The book presents 10 papers and 21 specific findings on industry and government best practices for incident detection and response, and examines indicators and metrics for progress along the security continuum.

Building an Alliance Toward a More Secure Future

2013 marked the second year of the CIS purchasing alliance program, created to provide cost-effective procurement of cyber security solutions for the nation's SLTT governments, educational institutions and nonprofit organizations. The program aggregates the purchasing power of the public sector, allowing all participants to improve their cyber security posture at a lower cost than they could achieve individually.

Product and service choices for the aggregate buys are driven by the positive impact on cyber security infrastructure and customer needs. The offerings are also focused on products that address leading security guidelines, including the Critical Security Controls for Effective Cyber Defense and the Australian Defence Signals Directorate's Top 35 Strategies to Mitigate Targeted Cyber Intrusions. CIS oversees a review board comprising government partners to review and select potential offerings, and then engages the vendor community to negotiate volume discount purchasing opportunities.

During 2013, CIS offered extended buy periods that allow SLTT governments more time to complete their procurement processes. Two hundred and fifteen entities took advantage of eleven separate buy opportunities, a 35% increase in participation from 2012.

Aggregate opportunities across a variety of technology solutions were offered:

  • Training – technical and end user
  • Patch Management
  • Two-Factor Authentication
  • Mobile Device Management

As a result, more than $5.4 million in cost savings was achieved through aggregate buys.

CIS also developed new relationships with a number of national state and local government associations this year to identify opportunities for the public sector to access high quality, cost-effective solutions.

Sharing Knowledge and Raising Awareness

An important part of the CIS mission is to raise awareness and provide resources that help users stay informed about the ever-changing cyber threat landscape. CIS achieves this in a number of ways, including the development and distribution of monthly cyber tips newsletters (which organizations can brand with their own logos); bimonthly educational webcasts, for which more than 7,600 individuals registered during 2013 representing all 50 states, DC, several U.S. territories and 26 countries; a daily cyber tips feed on the CIS public website; and a variety of guides, whitepapers and other resources.

National Cyber Security Awareness Month

One of the key awareness activities takes place each October: CIS serves as a co-sponsor with DHS, NASCIO and NCSA in promoting National Cyber Security Awareness Month (NCSAM), which highlights the importance of empowering citizens, businesses, government and schools to improve their cyber security preparedness. 2013 marked the 10th anniversary of NCSAM.

CIS conducts a number of activities in support of NCSAM, including the development and distribution of Cyber Security Awareness Toolkit materials to all 50 states and U.S. territories. The goal is to promote a consistent message about cyber security education and awareness and provide products for broad distribution. The materials include posters, bookmarks, calendars and other awareness material.

CIS also coordinates a proclamation campaign, inviting each state governor and local elected official to sign a proclamation in support of NCSAM, thus demonstrating at leadership levels the importance of cyber security.

Once again, in 2013, all 50 state governors issued proclamations or letters of support for NCSAM, along with three U.S. territories, the District of Columbia and one tribal government. In addition, 22 local governments issued proclamations. Many officials conducted signing ceremonies, press events or conferences in their state or local government to further promote cyber security.

CIS partnered with DHS, NACo and others to publish a practical guide to safeguarding county information by preventing, detecting and responding to cyber-attacks. It outlines the basic components of cyber security strategy and suggests a number of resources to assist counties at every stage of development.

CIS conducts an online National Cyber Pledge, inviting government, businesses and citizens to take the pledge and affirm their commitment to cyber security, and to using good practices both at home and at work.

More than 14,500 citizens took the pledge, an increase of 31% from 2012.

National Kids Safe Online Poster Contest

One of the most popular awareness activities CIS conducts is the annual Kids Safe Online Poster Contest, which encourages young people to use the Internet safely and securely and engages them in creating messages and images to communicate to their peers the importance of staying safe online.

More than 2,000 students from 16 states and more than 100 schools participated in individual contests, and those winners were submitted to CIS. Thirteen entries were then selected and appeared in the 2014 calendar distributed nationally each October as part of the Toolkit.

SLTT Government Best of the Web Contest

CIS conducts a Best of the Web contest, which aims to recognize state and local governments that use their websites to promote cyber security. The winners are announced each October in celebration of National Cyber Security Awareness Month and are featured on the MS-ISAC public website. The 2013 winners were the State of Michigan and the City of Phoenix, AZ.

CIS Employees: Committed to Excellence

The CIS team is at the heart of what makes the organization so successful. Our employees have incredible expertise, passion and dedication to helping our partners improve their security. CIS ranked #10 in the Small Employers category of The Times Union Top Workplaces 2013. More than 500 companies participated in the survey overall.

CIS continues to grow as its mission space expands. The number of CIS employees increased by 23% in 2013 and new team members will be joining in 2014.

"We're proud to receive this recognition. The dedication, collaborative spirit and commitment to excellence that our staff demonstrate each day are what makes CIS a success."
WILLIAM F. PELGRIN | CIS PRESIDENT AND CEO


CIS employees are dedicated to helping those in need. Through its volunteer program known as CIS Cares, CIS employees participate in a number of activities during the year to support the community, including food and clothing drives, sporting events and other contests, with proceeds going to local charities.

Organizations CIS supported in 2013 include the American Cancer Society, Regional Food Bank of Northeastern New York and Albany County Social Services.

CIS employees participated in the 2013 CDPHP Corporate Challenge, combining their passion for helping the community with their passion for wellness.

"Collectively, we can achieve much more than we can individually."