Dan Lohrmann, CISO of Michigan, answers readers' questions about cybersecurity.
Q: How do you make sure everyone in the organization knows about cybersecurity?
A: In Michigan, we're addressing cybersecurity awareness using several complementary approaches. To gain executive management buy-in, we've published the results of our enterprisewide risk assessment, titled "The Secure Michigan Initiative." This document provides details on current issues as well as a road map for where we need to be across each department. As CISO, I spend a lot of time briefing management throughout Michigan government, the legislature and our own IT department regarding threats and solutions. Our team also provides awareness briefings to various public and private organizations, such as our credit card user group, financial management users group, auditor and accounting meetings, and IT associations.
We have also built an enterprisewide cybersecurity awareness program for state employees. Since funding has been a big issue for us, we partnered with Walsh College to help build this program. It provides online training as well as a train-the-trainer program. In our training, we provide information about our Michigan acceptable use policy, which can be seen at www.michigan.gov/pcpolicy. The Michigan Online Security Training program has a website with security quizzes and links to other online training and cybersecurity information.
Awareness is an ongoing challenge. We are also trying to address the public side by partnering with InfraGard, the Department of Homeland Security and the National Association of CIOs. Training technical staff is difficult in tough budget times, and we want to provide the necessary training to different audiences. We're looking to form longer-term relationships with local training partners, colleges and universities, and groups like SANS.
Q: Does the MyDoom attack, which was targeted at specific organizations including (The) SCO Group (Inc.) and Microsoft (Corp.), and its subsequent variants signal a new level of sophistication among "bad guys" who are writing and delivering malicious attacks?
A: Yes, I think some attacks are getting more complex and sophisticated. These attacks are also coming at us from all over the globe. Many sources report that foreign governments are either directly involved or are protecting these criminals. Clearly this is at least partially an international relations problem, which is why I believe we are in a cyberwar that will get worse before it improves.
It's interesting to me that despite large bounty awards that companies like Microsoft are offering, no cash has been paid yet for finding one of these "bad guys." On the other hand, there are plenty of simplistic social engineering tricks working for the criminals that underline the need for better end-user awareness.
Q: According to many, the perimeter of the network is either shrinking down to the file level or disappearing altogether. Is the perimeter something that can be controlled, or is it just naturally evolving?
A: I agree that traditional flat network architectures are spiraling out of control. Managing numerous external partner relationships through a series of firewall rule exceptions is problematic, and a lack of internal controls can expose all resources on the network to the same level of risk.
As wireless networks and VPNs explode in terms of growth, the physical boundaries of our networks are often gone. Workplaces are not just one local area network where users in one physical location are equally trusted. I want to share information with colleagues in England while keeping that same information from the guy in the next cube.
However, logical network associations are important. I prefer to think of our networks and systems as having "trusted zones." In this model, we create different zones that are "firewalled off." Access to these zones is based on a central policy registry, which maintains your access control lists on a need-to-know basis.
This model can be centrally managed for efficiency, and as new employees or partners are added to the network, they are given access to the required zones. Some areas, such as the training network, will likely have weaker security and access controls than other areas, such as core business operations. However, all these areas would have basic protections against threats such as viruses and worms.
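As an added illustration of the trusted-zone model described in the last answer (example code, not from the column or from Michigan's own systems), here is a small Python policy registry: zones must carry baseline controls before they can be registered, grants are need-to-know, and anything not explicitly granted is denied. The zone names, principals and control names are constructed for the example.

```python
from dataclasses import dataclass, field

# Baseline protections every zone must have, however lax its access rules are
# (the "basic protections against threats such as viruses and worms" above).
REQUIRED_BASELINE = {"antivirus", "patching"}


@dataclass
class Zone:
    name: str
    controls: set = field(default_factory=set)  # controls actually deployed in the zone


class PolicyRegistry:
    """Central policy registry: the single place that says who may reach which zone."""

    def __init__(self):
        self.zones = {}
        self.grants = {}  # principal -> set of zone names (need-to-know)

    @staticmethod
    def missing_baseline(zone):
        # Controls the zone still lacks compared with the mandatory baseline.
        return REQUIRED_BASELINE - zone.controls

    def add_zone(self, zone):
        missing = self.missing_baseline(zone)
        if missing:
            raise ValueError(f"zone {zone.name} lacks baseline controls: {sorted(missing)}")
        self.zones[zone.name] = zone

    def grant(self, principal, zone_name):
        if zone_name not in self.zones:
            raise KeyError(f"unknown zone {zone_name}")
        self.grants.setdefault(principal, set()).add(zone_name)

    def revoke(self, principal, zone_name):
        self.grants.get(principal, set()).discard(zone_name)

    def is_allowed(self, principal, zone_name):
        # Default deny: no grant means no access, and an unregistered zone is unreachable.
        return zone_name in self.zones and zone_name in self.grants.get(principal, set())


def build_demo_registry():
    """Constructed sample: a lax training zone and a locked-down core business zone."""
    reg = PolicyRegistry()
    reg.add_zone(Zone("training", {"antivirus", "patching"}))
    reg.add_zone(Zone("core-business", {"antivirus", "patching", "mfa", "logging"}))
    reg.grant("new-hire", "training")
    reg.grant("payroll-clerk", "training")
    reg.grant("payroll-clerk", "core-business")  # need-to-know: only this role reaches core
    return reg
```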