Click on the questions below in the Table of Contents for the most recent answers. If you have a question that is not answered here, please contact me at jerry@wintsecconsulting.com or 609-576-0348. Thank you, Jerry
Non-Framework
Where can I find free stuff and information for my CyberCoverage?
https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools
I have HikVision cameras that are not a part of my network and completely stand alone. Will they affect my CyberCoverage?
As long as your cameras are not detectable by vulnerability and penetration testing, then “In terms of coverage or cost, there is no impact to your Cyber Insurance”.
Minimum Security
I am completing the FrameWork Questionnaire and some of my answers will be NO. How will this affect my coverage?
Any NO or incomplete answers may invalidate your deductible standing. All members are required to be in compliance with the Framework for either Minimum or Advanced Security.
How does the CyberJIF determine my deductible eligibility?
At the time of a Cyber loss the CyberJIF will review your answers to the CyberFramework and determine if you were compliant AT THE TIME OF THE LOSS, not at the time of the completion of the questionnaire. In addition, there will be additional forms of proof required to accurately determine your correct deductible.
CIS 5 #2 – How do I secure accounts with elevated privileges?
IT Technicians should have multiple logins. The Domain Admin (DA) login, the highest-privileged account, is used only to perform functions that require that level. They should also maintain a least-privileged account to research problems, download information, etc. If this account downloads a patch, it can be scanned before switching to DA to do the install if needed. Passwords to these accounts should be unique and secure.
CIS 7 #1 – What is CVSS and how do I stay in compliance?
CVSS stands for Common Vulnerability Scoring System. It is a standard by which system vulnerabilities are rated on a scale of low to critical. The exact method of calculating the score is not important. What is important is close attention to alerts when you or your IT advisor receive them. This is why it is important to subscribe to NJCCIC. Their newsletter is very informative. Most systems these days can be patched on a regular basis, especially Microsoft. Work with your IT advisor to do regular updates once per month. When handled this way it should only take 5-10 minutes and perhaps a reboot.
CIS 7 #3 – What are examples of “Non-Standard applications”?
Non-standard applications are those whose vendor has discontinued support, especially vulnerability patching. They should be replaced with a suitable, more current application. Some examples include fleet maintenance and construction permitting apps which are out of date.
CIS 7 #4 – What are examples of “vulnerability management tools”?
An example would be the External Network Vulnerability Scanning, which is currently offered through D2 Cyber Security to ACM JIF members.
CIS 9 #1 – There are certain state/county websites that still require access by Internet Explorer which is NOT a “fully supported browser.” What is our move forward here?
That is fine. As noted, there are many situations where unsupported programs must still be used.
CIS 14 #1 – Not all of my users completed the Cyber Hygiene training prior to the close of the first half program. How does this affect my compliance?
The guideline will be: Members will have until the end of the half-year period that falls 12 months after the member last completed 100% of their training.
CIS 15 #2b – I see pointers to security questionnaire for vendors. Not seeing a “tool.” Unless you mean the questionnaire is the tool.
Yes, the third-party vendor questionnaire is the tool. It is on the MEL website: https://njmel.org/mel-safety-institute/resource-center/public-officials/public-officials-cyber-risk-control/
Advanced Security
CIS 2 #2 – Can you provide an example of a software “automated inventory tool”?
You can find these tools under the category of SAM (Software Asset Manager). Just Googling, here are a few that popped up: Network Inventory Advisor, AssetExplorer, Asset Panda.
CIS 11 #1 – Can you provide an example of a “data loss prevention tool”?
These are labeled DLP (data loss prevention), and a quick Google search generates many.
CIS 6 #1 – Clarification… Every user needs to have a license to an “enterprise password management solution”?
No, the town should use an Enterprise Password Management tool to manage the passwords across the organization.
LastPass is one example. There are plenty of them out there; we are just looking for an EPM that securely stores passwords across an organization and helps users manage their passwords.
CIS 6 #2 – Clarification… Every user needs to have a license within a PAM (Privilege Access Security) system or only those with admin level authority?
Privileged Access Management Tool. This control does not discuss MFA. Here is our description: A Privileged Access Management (PAM) tool manages execution of privileges, and is especially important for elevated privileges. This extends beyond storage of passwords. PAM tools are able to apply granular control of privilege execution beyond what exists in applications and remove privileges after execution is complete. PAM tools can manage accounts with usernames and passwords or stored secrets. Some examples of PAM are CyberArk and Thycotic (Fund Underwriter).
PAM tools apply ONLY to those with privileged access. In most cases this is the Administrator, although in some cases other login accounts may have elevated privileges and should be treated accordingly. PAM tools do NOT need to be deployed to every user at this time although this is subject to change. (approved by Fund Underwriter)
PLEASE UNDERSTAND THE UNDERWRITER DOES NOT SPECIFY THE METHOD OF PAM COMPLIANCE HOWEVER AN ACCEPTABLE PAM SHOULD HAVE THE ELEMENTS BELOW.
Key Features of a PAM include:
– Credential Vaulting: Securing and isolating privileged account passwords in a vault.
IT administrators must use an offline product such as IT-Glue or Ninja RMM to maintain the record of critical passwords.
– Session Management and Monitoring: Recording, archiving, and monitoring privileged user sessions for suspicious activities.
Auditing should be enabled for the admin account.
– Multi-factor Authentication: Requiring additional verification before granting privileged access.
IT administrators must deploy MFA such as DUO whenever a privileged account is used.
– Role-based Access Controls (RBAC): Assigning access based on roles within an organization.
No users other than the administrator should have admin privileges and the administrator should be renamed.
– Automated Password Rotation: Changing passwords at set intervals or after every use.
Admin passwords should be changed after each use or every 90 days whichever comes first.
THE ABOVE DOES NOT REQUIRE SPECIAL SOFTWARE BEYOND A PASSWORD VAULT AND MFA APPLICATION. THE REMAINING FEATURES ARE BUILT-IN TO THE WINDOWS OPERATING SYSTEM AND JUST NEED TO BE DEPLOYED.
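The statement above says the remaining features are built into Windows. The following PowerShell script, added here as an illustration and not part of the FAQ or the fund's requirements, audits a single workstation against the built-in elements listed (renamed Administrator, 90-day password age, no extra local admins, logon auditing). The 90-day limit comes from the FAQ; the check names are my own.

```powershell
# Added example (not from the CyberJIF FAQ): audit a Windows host against the
# built-in PAM elements listed above. Run in an elevated Windows PowerShell 5.1+ session.
$MaxPasswordAgeDays = 90   # rotation interval stated in the FAQ
$findings = @()

# RBAC: the built-in Administrator has the well-known RID 500 and should be renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin.Name -eq 'Administrator') {
    $findings += "Built-in Administrator account has not been renamed."
}

# Password rotation: flag the admin password if it is older than the limit (or never set).
if ($null -eq $builtinAdmin.PasswordLastSet) {
    $findings += "Built-in Administrator password has never been set."
} else {
    $age = (Get-Date) - $builtinAdmin.PasswordLastSet
    if ($age.TotalDays -gt $MaxPasswordAgeDays) {
        $findings += ("Admin password last set {0:N0} days ago (limit {1})." -f $age.TotalDays, $MaxPasswordAgeDays)
    }
}

# RBAC: no user other than the administrator should hold admin privileges.
$admins = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.ObjectClass -eq 'User' }
$extra  = $admins | Where-Object { $_.SID.Value -ne $builtinAdmin.SID.Value }
foreach ($m in $extra) { $findings += "Additional local admin account: $($m.Name)" }

# Session monitoring: logon auditing should record both success and failure.
$logonAudit = (auditpol.exe /get /subcategory:"Logon" 2>$null) -join "`n"
if ($logonAudit -notmatch 'Success and Failure') {
    $findings += "Logon auditing is not set to 'Success and Failure'."
}

if ($findings.Count -eq 0) { "No findings: host passes the checks above." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Domain-joined machines should apply the same checks through Group Policy and Active Directory rather than local accounts; this script covers the local workstation case only.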
CIS 6 #3 – List of vendors that are suggested/certified for an “email breach service”.
We do not suggest/certify vendors, but most security/antivirus companies can provide the service. HaveIBeenPwned is a very popular one.
CIS 10 #1 – Don’t EDR systems cover “behavior-based anti-malware”, or is there a different thought here? An example software would be appreciated.
They should be one and the same, but EDR (and like terms) are being stretched very far today, so we want to ensure the behavior-based AM is specifically noted.
CIS 10 #8 – I am told all unused USB ports on my workstations must be disabled to meet this requirement. How can I disable USB for everything except keyboard and mouse?
Open USB ports can be used for removable media which can introduce viruses into the system. Disabling this feature while still maintaining ports for keyboards/mice etc. can be done through Group Policy. Here is an easy-to-follow tutorial. https://superuser.com/questions/1460012/only-allow-mouse-and-keyboard-usb
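As an added example (not from the FAQ or the linked tutorial), the script below applies the same idea to a single workstation without Group Policy: it disables the USBSTOR driver service, which is what loads USB flash drives and external disks, while keyboards and mice continue to work because they use the separate HID class drivers. The -Enforce switch name is my own; without it the script only reports.

```powershell
# Added example (not the FAQ's or the fund's own tooling): block USB mass-storage
# devices while leaving HID devices (keyboards, mice) working. Run elevated.
param([switch]$Enforce)   # without -Enforce the script only reports the current state

$usbstor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Disabled = 4   # SERVICE_DISABLED; the Windows default is 3 (SERVICE_DEMAND_START)

$current = (Get-ItemProperty -Path $usbstor -Name Start).Start
if ($current -eq $Disabled) {
    "USB mass storage is already disabled (USBSTOR Start=$current)."
} elseif ($Enforce) {
    Set-ItemProperty -Path $usbstor -Name Start -Value $Disabled
    "USBSTOR Start changed from $current to $Disabled; newly attached storage devices will not load."
} else {
    "FINDING: USB mass storage is enabled (USBSTOR Start=$current). Re-run with -Enforce to disable."
}

# Keyboards and mice are HID class devices and are unaffected; list them to confirm they are present.
Get-PnpDevice -Class 'HIDClass' -Status OK | Select-Object FriendlyName, Status
```

A storage device that is already mounted when the change is made keeps working until it is unplugged, so check the setting before the workstation is handed to a user.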
CIS 13 #2 – Seems like the point is to have 24×7 human response, is that correct?
Yes, the town should be notified and able to respond 24×7.
CIS 15 #2, 3 – Can you provide an example of a monitoring solution with continuous monitoring of a 3rd party service provider.
We do not recommend or approve tools. But for reference, something like SecurityScorecard is what we are looking for to help clients monitor their third party vendors.
CIS 15 #4 – Can you provide an example of a monitoring solution with continuous monitoring of a 3rd party service provider.
We are looking to address vendors you have a connection to or who store/manage your sensitive data, and we do not have to address the mega companies, like Microsoft, Google, AWS, etc. This may mean financial, accounting, payroll, or health, and Axon can be included. Examples of tools would be like what SecurityScorecard or BitSight offer.
CIS 18 #1 – What specific penetration test is required? Guessing internal since D2 does the external one, but would like clarification.
No specific penetration test is required. Also, D2 will continue to provide the penetration testing for ACM JIF Members for 2023. As for 2024, the ACM JIF has the option to renew the contract for one more year. We are hopeful the service will be provided by the Cyber JIF by 2024.