State and local information security leaders continue to be challenged by the “new norm”: doing more with less while staying on top of the technology trends driving the marketplace. Traditional information security approaches often have limited impact and require more attention and resources.
Please join Grayson Walters, Information Security Officer of the Virginia Department of Taxation, and Eric Cowperthwaite, Vice President of Advanced Security and Strategy at Core Security, as they discuss some of the top IT security trends and developments in the public sector, specifically within state and local governments.
1. The “New Norm” in Cyber Security: What’s Trending Now in Public Sector
2. “…we should always be evaluating how we can work smarter...”
ERIC COWPERTHWAITE
VP Advanced Security and Strategy
Core Security
GRAYSON WALTERS
Information Security Officer
Virginia Department of Taxation
4. 1. Access to targets
• Beware of “low-value targets” connected to larger, more interesting entities
• Lower budgets and small staffs make evading security a bit easier
How many vulnerabilities? How many applications? How many possible attack paths?
Are the vulnerabilities exploitable?
Does the attack path lead to sensitive data?
5. 2. Where are your network boundaries?
• Commercial tech has always outpaced business…and in government it is twice as bad
• BYOD – Connected personal device overload
• How many of your users are using web apps that you don’t know about?
The Zero-Trust Model
6. 3. Remember password theft
Password theft is real
• Phishing attacks work, they are easy to set up and have very low risk - 12% will click!
• Users fail to report when they do something wrong
• Users have access to things they should not
7. 4. Enforcing controls. Always.
Balancing policies and controls
• You don’t necessarily want to be the “enforcer,” but it’s our role as security professionals
8. 5. Overload…oh my!
Security teams are overloaded:
• Data – vulnerabilities, networks, viruses, SIEM, IoT, etc.
• Regulations – Required security, reports, mandatory activity
Security teams are, generally, too small, have the wrong skills
Many different regulations and security frameworks to satisfy
9. So, what can we do to mitigate some of these #“new_norm”_threat_trends?
11. Cut through the noise…
• Engage new and different security skills, outsource critical skills
• Success is going to require innovation
• Must understand what the bad guy will do
• Must know where to expend resources
• Implement new technologies
  ◦ Analytics
  ◦ Automation
  ◦ Integration
Change the game to intelligent defense