

P.1 Shared Accounts · publishingext.dir.texas.gov/portal/internal... · Webinar May 15 | 11-12 PM DIR OCISO will be hosting a webinar focusing on the Agency Security Plans, which are

Discouraging the Use of Guest and Shared Accounts

Use of guest accounts and other generically named or shared accounts should be avoided as an enterprise best practice.

Guest accounts are rarely as secure as most people believe. By allowing guest accounts, a dedicated attacker now has a foot in the door to your systems. While guest modes typically don't allow the installation of software, most do allow the user to browse the web, where they can easily reach malicious websites hosting software designed to bypass the basic security settings that guest accounts have. Some guest accounts also allow the opening of various file types that can carry malware or allow attackers to perform intelligence gathering on your infrastructure that they can then exploit in a subsequent attack.

Guest accounts also anonymize the individual using the system. Because the user is utilizing a guest account, all the actions are initiated as that guest account, and recorded as such in any logs. To track down who the responsible individual is, a review of who was sitting at the machine or connecting to it remotely must be manually initiated. It also adds a level of plausible deniability for the attackers, since they can claim that someone else was sharing the access with them. This lack of accountability generally represents an unacceptable risk and should be avoided in favor of explicitly named accounts, usually following an established naming convention.

This lack of accountability also applies to accounts that are shared among users. Not only are the users anonymized, a user may gain privileges to a system for which they are not authorized. However, unlike guest accounts, shared accounts may be a good idea if they are accessed via a check-out program or process that authenticates users and verifies they are authorized to use the account, logs who is using the account for the duration of its use, and changes the account's password once the user completes their actions. If the program or process enables the user to perform their duties without knowing the credentials, even better.

Due to the risks posed, use of guest and generically named accounts should be avoided except for very limited use cases where anonymity is a critical component of the business process being performed. For more information on proper account management, reference NIST 800-53 revision 4, controls AC-2 and IA-4.

NIST link: https://nvd.nist.gov/800-53
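As an added illustration (not from the newsletter or DIR), the following Python sketch shows a minimal check-out broker that applies the properties the section asks of a shared account: a named user is checked against an authorization list, every check-out, action and check-in is logged against that individual rather than the generic account, the password is rotated at check-in, and the user acts through the broker without ever seeing the credential. The class and function names are assumptions.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional, Set, Tuple


def new_password(length: int = 24) -> str:
    """Generate a fresh random password for the shared account."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class SharedAccountBroker:
    """Check-out broker for one shared account (hypothetical design).

    The holder never learns the password: work runs through run_as(), and
    the audit log attributes each event to a named person, not to the
    generic account the action is ultimately performed as.
    """
    account: str                       # the shared/generic account name
    authorized: Set[str]               # named individuals allowed to use it
    password: str = field(default_factory=new_password, repr=False)
    holder: Optional[str] = None       # who currently has it checked out
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def _log(self, event: str, user: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, event, self.account, user))

    def checkout(self, user: str) -> None:
        """Verify authorization and record who now holds the account."""
        if user not in self.authorized:
            self._log("checkout-denied", user)
            raise PermissionError(f"{user} is not authorized for {self.account}")
        if self.holder is not None:
            raise RuntimeError(f"{self.account} is already held by {self.holder}")
        self.holder = user
        self._log("checkout", user)

    def run_as(self, user: str, action: Callable[[str, str], object]) -> object:
        """Run `action(account, password)` on the holder's behalf; the
        credential is passed to the callable, never returned to the user."""
        if user != self.holder:
            raise PermissionError(f"{user} does not hold {self.account}")
        self._log(f"action:{action.__name__}", user)
        return action(self.account, self.password)

    def checkin(self, user: str) -> None:
        """Release the account and rotate its password so the session's
        credential cannot be reused."""
        if user != self.holder:
            raise PermissionError(f"{user} does not hold {self.account}")
        self.password = new_password()
        self.holder = None
        self._log("checkin-rotate", user)
```

In a real deployment the `action` would be a call that performs the privileged task (for example, a service restart) using the credential, and the rotation would be pushed to the target system rather than kept only in memory.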

How secure are those devices?

How many connected devices can you count that you use in your day-to-day life? Chances are the number is higher than you think. Staying connected is the new way of life, and the wide array of devices available to satisfy all of your needs offers increased capabilities. But how secure are we? Thomas Duffy of the Multi-State Information Sharing & Analysis Center gives some excellent advice and easy-to-follow tips for your next connected device purchase. Read about it here: https://www.cisecurity.org/newsletter/securing-devices-by-making-simple-changes/

CONTENTS
Discouraging the Use of Guest and Shared Accounts ......... P.1
How secure are those devices? ......... P.1
OCISO Updates ......... P.2-3
Upcoming Events ......... P.3
ISO Spotlight! ......... P.3-4


OCISO Updates

A Message from the OCISO Team

The OCISO team released a new threat intelligence report in April, the Texas Cybersecurity Weekly. We are pleased to report the feedback has been excellent. To keep your inboxes from overflowing with emails from the OCISO, we will be retiring our monthly Cybersecurity Insight newsletter after this month. This will help us to maintain consistent communication and continually improve content. Rest assured we will continue to keep you up to date on new events, webinars, and pieces of information from our team as they arise. We welcome any feedback or suggestions for improvement.

Information Security Forum Coming Soon!

With April out of the way, we are quickly approaching the annual DIR Information Security Forum (ISF) hosted by the Office of the CISO. The two-day ISF will be held May 23-24 at the Palmer Events Center in Austin. We are pleased to announce we have extended the conference on day two to include lunch and round table discussions to enhance collaboration opportunities.

The OCISO team is extremely excited for this year's lineup of speakers and exhibitors. One of the main focuses of the OCISO this year is our new Cybersecurity Strategic Plan. We have aligned all of our break-out sessions with our five goals: Engagement, Tooling, Staffing, Response, and Outreach. This year's ISF will host a legislative panel to kick off the conference. This panel will give an insider's perspective on the 85th Legislature and answer questions regarding the changes we have seen recently.

We will have several sessions hosted by state agency personnel, sharing success stories of projects implemented in their security programs. A couple of other sessions of note are:

• Overview of the IDR Managed Security Services Incident Response, hosted by Duwayne Aikins of AT&T. This session will cover DIR Incident Response Services within the Shared Services Program, the role of the Multisourcing Services Integrator, and AT&T as the Incident Response Service Provider. This is a perfect opportunity to hear more about the MSS program with AT&T and learn what it can do to further your organization's cybersecurity goals.

• Cybersecurity Best Practices and Free Tools to Get You There, with Kateri Gill of the Multi-State Information Sharing and Analysis Center (MS-ISAC). The session addresses key cybersecurity best practices that governments should consider, and the free services and resources offered by the MS-ISAC that will help them on the road to implementing those practices in their organizations.

Attendee registration is now open – you can find more information and register to attend the conference on the DIR ISF Website. We look forward to seeing you there!

Infosec Academy Launch Planning in Progress!

The OCISO is pleased to announce the InfoSec Academy will be live again by June 1. We are pleased to partner with Learning Tree to provide cybersecurity certification preparation courses. If the student would like to take the exam after the course, DIR will cover the cost of the exam. The Infosec Academy is open to all Information Security Officers and their security staff as long as funding is available.

The Infosec Academy will offer the following certification preparation courses:

• Certified Information Systems Security Professional (CISSP®)
• Systems Security Certified Practitioner (SSCP)
• Certified Cyber Forensics Professional (CCFP)
• Certified Cloud Security Professional (CCSP)
• CompTIA Advanced Security Practitioner (CASP)
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• CompTIA Security+
• Certified Ethical Hacker (CEH)
• EC-Council's Certified Security Analyst (ECSA)
• Licensed Penetration Tester (LPT)
• Certified Hacking Forensic Investigator (CHFI)
• EC-Council Certified Incident Handler (ECIH)
• Certified Chief Information Security Officer (CCISO)

The Texas Policy and Assurance course is also being reworked to include topics on Texas Legislative Process, Cybersecurity-Relevant Legislation and the Texas Cybersecurity Framework. This will be available as a Computer-Based Training (CBT) course, and will also be offered as a live, instructor-led course on an as-needed basis.

Continuing Education Guidelines

As set forth in House Bill 8 (HB 8), DIR created continuing education guidelines for all Information Resources staff regarding cybersecurity training. The guidelines have been reviewed by the Information Technology Council for Higher Education (ITCHE) and are working through the final approval stages before release. Be on the lookout for those soon.

Upcoming Events

Agency Security Plan Webinar
May 15 | 11-12 PM
DIR OCISO will be hosting a webinar focusing on the Agency Security Plans, which are due by October 15, 2018. More details, along with registration information, will be coming to you soon!

The Texas-Israel Cybersecurity Conference
Thursday, May 31 | 9 AM - 5:30 PM
Martha Proctor Mach Grand Ballroom, Southern Methodist University, Dallas, TX
Register Here: http://blog.smu.edu/events/texas-israel-cyber-security/

Gartner Webinar – Recover from Digital Business Disruption with Resilience
May 30 | 9 AM – 10 AM
To Register: https://www.gartner.com/webinar/3871880

ISO Spotlight!

Ray Yepes – Information Security Officer

What agency do you work for and could you tell us a little bit about it? I serve as the Information Security Officer (ISO) for the Texas Department of Family and Protective Services (DFPS), where I manage and oversee the information security program to ensure information confidentiality, integrity, and availability in compliance with best industry standards and state/federal laws. DFPS works with communities to protect children, the elderly, and people with disabilities from abuse, neglect, and exploitation.

What do you like best about your job? Knowing that my job helps support the mission of DFPS to protect children, the elderly, and people with disabilities from abuse, neglect, and exploitation.

Where did you grow up? Caracas, Venezuela

Tell us about your educational and professional background. I possess a Master's Degree in Criminal Justice and a Bachelor's Degree in Computer Science, what I believe to be a perfect blend for the field of Information Security. I have 23 years of experience as a security professional. For an organization to survive in today's competitive world, an organization must adapt and accept changes, and with changes come risks. Some risks we can predict accurately, some risks we can detect efficiently, some risks we can successfully plan for, and some risks we simply can't do anything about. It is preparing for these unknowns that differentiates seasoned cybersecurity professionals from the rest.

I believe cybersecurity solutions are valuable tools and “must-haves” for any organization today; however, the gaps and loopholes in these cybersecurity solutions pose the greatest risk to any organization. Therefore, my focus has been to create and manage teams capable of manning these gaps and loopholes by embedding analytics deeply into the business process at the stage where actions are not automated but rather manned by an actual person.

Certifications? CISSP, CISA, CCCI, CCE, CCSP, and others

How did you get into the security field? I entered the security arena in 1995 while assisting the FBI with a case (digital forensics – recovery of deleted images and chat messages).

How has information security changed since you entered the field? One word - "automatization". For example, back in the day, manually recovering 100 or so deleted images from "unallocated space" would take a week. Today, the task can be accomplished in just a few seconds.

What do you think the biggest changes will be in the future? Artificial Intelligence

What other career field would you have liked to pursue, if not for information security? Veterinary school, I wanted to be a veterinarian.

What are your top three life highlights so far? My daughter, FBI Academy, and solo hiking the Lone Trail

What are your hobbies? Hiking

What would people be surprised to know about you? I have founded several nonprofit groups (environmental and animal welfare) and I currently serve as the Treasurer for Keep Austin Clean https://www.keepaustinclean.org/ and Operation Pets Alive http://www.operationpetsalive.org/

What kind of music or podcasts do you enjoy? Italian music

If you could interview one person, dead or alive, who would it be? Gandhi

What is your hidden talent? I like playing the piano.

What is the best advice you have received? Summarized in this picture.