CITY OF MOORPARK, CALIFORNIA
City Council Meeting
of September 2, 2020
ACTION Approved Staff Recommendation.
BY B.Garza.
E. Consider Response to the Ventura County Grand Jury 2019-2020 Final Report
on Cybersecurity Strategies for Cities in Ventura County. Staff Recommendation:
Approve the draft response to the Grand Jury report findings and
recommendations and authorize the Mayor to sign and submit the response to
the Presiding Judge of the Superior Court. (Staff: Kambiz Borhani)
Item: 10.E.
MOORPARK CITY COUNCIL
AGENDA REPORT
TO: Honorable City Council
FROM: Kambiz Borhani, Finance Director
BY: Chris Thompson, Senior Information Systems Analyst
DATE: 09/02/2020 Regular Meeting
SUBJECT: Consider Response to the Ventura County Grand Jury 2019-2020
Final Report on Cybersecurity Strategies for Cities in Ventura County
SUMMARY
On May 21, 2020, the City received the 2019-2020 Grand Jury Final Report on
Cybersecurity Strategies for Cities in Ventura County. This report requires a response
from the City on a specific form included in the documents received.
BACKGROUND / DISCUSSION
The Ventura County Grand Jury investigated the cybersecurity strategies of the 10
incorporated cities (Cities) of Ventura County. The review was initiated as recent
national and local news reported cities falling victim to hacking attacks with increasing
frequency. Often attackers used malware to block access to a city’s computer systems
and demanded payment to unblock them. The Grand Jury assessed how prepared
each city was to defend against data breaches and ransomware and identified
opportunities to implement improvements. The Grand Jury was mindful not to disclose
vulnerabilities or otherwise increase the potential for an attack on an information
technology system of a city. The Grand Jury recognized that each city had varying
circumstances, resources, and readiness and that there is no perfect solution to
cybersecurity or defense against cyberattacks.
The Grand Jury recommended the following measures:
• Implement trustworthy website addresses
• Use free federal services for cyber risk assessments, cybersecurity evaluations,
incident assistance coordination, and cyber exercises/training
• Use cooperative group purchase programs
• Partner with local educational institutions and federal programs to recruit
cybersecurity interns or graduating students
• Require cyber liability insurance of the Cities’ IT vendors
• Develop and test cyber incident response, disaster recovery, and business
continuity plans
• Implement federal cybersecurity best practices
• Implement the California Cyber Security Integration Guidance for Teleworkers
The City’s draft Response to the Grand Jury Report is attached for review and approval.
FISCAL IMPACT
There is no fiscal impact associated with providing a response to the Grand Jury or
implementing any of the recommendations provided in the report.
COUNCIL GOAL COMPLIANCE
This action does not support a current strategic directive.
STAFF RECOMMENDATION
Approve the draft response to the Grand Jury report findings and recommendations and
authorize the Mayor to sign and submit the response to the Presiding Judge of the
Superior Court.
Attachment 1: Response to Grand Jury Report Form - Cybersecurity
Attachment 2: 2019-2020 Ventura County Grand Jury Final Report Cybersecurity
Strategies for Cities in Ventura County
Response to Grand Jury Report Form
Report Title: Cybersecurity Strategies for Cities in Ventura County
Report Date: September 2, 2020
Response by: Janice S. Parvin Title: Mayor – City of Moorpark
FINDINGS/ CONCLUSIONS
• I (we) agree with the Facts/ Conclusions numbered: C 01-08 and FA 01-31
• I (we) disagree wholly or partially with the Facts/ Conclusions numbered:
(Attach a statement specifying any portions of the Facts/ Conclusions that are disputed;
including an explanation of the reasons.)
RECOMMENDATIONS
• Recommendations numbered R-01, 02, 03, 04, 05, 06, R07, 08, 10 have been
implemented.
(Attach a summary describing the implemented actions and date completed.)
• Recommendations number R-09 have not yet been implemented,
but will be implemented in the future.
(Attach a time frame for the implementation.)
• Recommendations numbered requires further analysis.
• Recommendations numbered will not be implemented because
they are not warranted or are not reasonable.
Date: Signed:
Janice S. Parvin, Mayor
City of Moorpark
Number of pages attached:
ATTACHMENT 1
Response to Conclusions
Conclusion C-01. While the Grand Jury recognizes each city is taking steps to
implement cybersecurity and to defend against cyber-attacks, it concludes there is no
perfect solution to cybersecurity or defense against cyber-attacks. (FA-01, FA-02, FA-
03, FA-04, FA-05, FA-06, FA-07)
City Response to C-01. The City of Moorpark agrees with this conclusion and
continuously strives to improve upon our cyber security systems.
Conclusion C-02. The Grand Jury concluded eight Cities are currently using
suboptimal web addresses for their websites. (FA-08, FA-09)
City Response to C-02. The City of Moorpark agrees with this conclusion and
has already implemented a .gov domain which aligns with the recommendation.
Conclusion C-03. The Grand Jury concluded generally Cities are not utilizing free
federal and discounted federally aligned resources available to Cities to bolster their
cybersecurity defenses. (FA-10, FA-11, FA-12, FA-13, FA-14, FA-15, FA-16, FA-17, FA-
18, FA-19, FA-20)
City Response to C-03. The City of Moorpark agrees with this conclusion and
will investigate our options to take advantage of resources available. We are
already a member of MISAC and receive notifications from CISA.
Conclusion C-04. The Grand Jury concluded cybersecurity staffing could be improved
with more effective recruiting and staff retention practices. (FA-21, FA-22, FA-23)
City Response to C-04. The City of Moorpark agrees with this conclusion and
has limited budget and resources available. We are exploring our options for
internship programs by September 30, 2020.
Conclusion C-05. The Grand Jury concluded Cities should manage cyber risks
associated with vendors by requiring they provide annual documentation regarding
cybersecurity insurance and cybersecurity practices. (FA-24, FA-25, FA-30, FA-31)
City Response to C-05. The City of Moorpark agrees with this conclusion and
already requires Cyber liability insurance from IT vendors.
Conclusion C-06. The Grand Jury concluded some Cities do not clearly identify
expenditures regarding information technology or cybersecurity in their budgets. (FA-26,
FA-27)
City Response to C-06. The City of Moorpark agrees with this conclusion and
does identify information technology expenditures within our approved annual
budget.
Conclusion C-07. The Grand Jury concluded all Cities would benefit from
comprehensive cyber incident response, recovery, and business continuity plans. (FA-
28, FA-29)
City Response to C-07. The City of Moorpark agrees with this conclusion and
plans to address and compile a comprehensive written plan by December 31,
2020.
Conclusion C-08. The Grand Jury concluded some Cities are not following the
recommended best practices for teleworking published by California Cyber Security
Integration Center. (FA-03, FA-04)
City Response to C-08. The City of Moorpark agrees with this conclusion.
Before the “Stay Safe at Home” orders due to the COVID-19 outbreak, the city
did not have any telework staff. We have since begun implementing remote work
for select staff and have developed a Telecommute policy that adheres to the
recommended best practices.
Response to Recommendations
Recommendation R-01. The Grand Jury recommends Cities establish secure web
addresses through the use of HTTPS or other such protocols. (C-02)
City Response to R-01. The City of Moorpark uses HTTPS (Hypertext Transfer
Protocol Secure) for all internal and external web sites. This practice began prior
to 2011.
Recommendation R-02. The Grand Jury recommends Cities establish trustworthy web
addresses by following the California Department of Technology domain name
taxonomy guidance. (C-02)
City Response to R-02. The City of Moorpark uses a .gov domain name and
has registered https://www.moorparkca.gov/ through the dotgov.gov registry.
This practice began in 2011.
Recommendation R-03. The Grand Jury recommends Cities utilize free federal and
federally aligned cybersecurity services as set forth in Appendix 02 to supplement
internal staff and/or replace vendor services whenever possible. (C-03)
City Response to R-03. The City of Moorpark uses free cybersecurity tools and
will expand on the tools and offerings as recommended. Timeline: December 31,
2020.
Recommendation R-04. The Grand Jury recommends Cities' IT staff subscribe to CISA
updates online. (C-03)
City Response to R-04. The City of Moorpark Information System staff currently
subscribes to CISA updates. This practice began in 2008.
Recommendation R-05. The Grand Jury recommends Cities take advantage of
discounted services and cooperative purchasing programs whenever possible. (C-03)
Response to R-05. The City of Moorpark leverages cooperative purchase
agreements whenever possible. This practice began prior to 1999.
Recommendation R-06. The Grand Jury recommends Cities develop personnel cost-
saving opportunities and create a cybersecurity talent pool by recruiting interns or
graduating students using: (C-04)
• The Scholarships for Service program described in Appendix 02
• Local education institutions (high school, community college, private college and
state university)
City Response to R-06. The City of Moorpark began the process to accept
internships from the Ventura County Community College District and will consider a
candidate when a position opens up that requires cybersecurity skills. This practice
began in February 2020.
Recommendation R-07. The Grand Jury recommends Cities maintain good vendor
management by: (C-03, C-05)
a. Obtaining CISA assistance to conduct risk management assessments on all
third-party vendors that have access to any confidential data or that interact with
City networks and systems
b. Requiring all vendors provide cybersecurity documentation. As part of their
ongoing third-party due diligence, Cities should evaluate vendors for compliance
and risk on an annual basis
c. Requiring IT vendors obtain cybersecurity insurance.
City Response to R-07.
The City of Moorpark agrees with this recommendation and will explore CISA
assistance in risk management of IT vendors and begin reviewing on an annual
basis. The City already requires all IT service vendors to obtain cybersecurity
insurance. The practice began prior to 2018.
Recommendation R-08. The Grand Jury recommends Cities clearly identify expenses
for their Information Services (Technology) Departments in their approved budgets. (C-06)
City Response to R-08. The City of Moorpark identifies expenses for
Information Services in the approved budget and uses an ERP Financial
Software to track and record expenditures.
Recommendation R-09. The Grand Jury recommends Cities develop and test cyber
incident response, recovery and business continuity plans. (C-07)
City Response to R-09. The City of Moorpark will develop and test a cyber-
incident response. Timeline: December 31, 2020. Recovery and business
continuity plans are currently tested on a regular and ongoing basis.
Recommendation R-10. The Grand Jury recommends Cities implement the best
practices for teleworking as published by the California Cyber Security Integration
Center. (C-08)
City Response to R-10. The City of Moorpark has initiated best practices into
our telecommuting agreement and guidelines. This practice began in April 2020.
Recommendation R-11. The Grand Jury recommends Cities develop a written plan for
implementation of R-01 through R-10 prior to December 31, 2020.
City Response to R-11. The City of Moorpark agrees with this recommendation
and will develop a written plan for any of the recommended items that are not
already in place. Timeline: December 31, 2020.
County of Ventura
Grand Jury
800 South Victoria Avenue
Ventura, CA 93009
(805) 477-1600
Fax: (805) 658-4523
grandjury.countyofventura.org
RECEIVED
MAY 21 2020
CITY CLERK'S DIVISION
CITY OF MOORPARK
May 21, 2020
Confidential
Janice Parvin, Mayor
City Council, City of Moorpark
799 Moorpark Avenue
Moorpark, CA 93021
Dear Mayor Parvin:
The Ventura County Grand Jury has completed the attached report titled Cybersecurity Strategies for
Cities in Ventura County. This copy of the report is being provided to you two days in advance of its
public release, as required by California Penal Code §933.05 (f), which states:
A grand jury shall provide to the affected agency a copy of the portion of the grand jury report
relating to that person or entity two working days prior to its public release and after the
approval of the presiding judge. No officer, agency, department, or governing body of a public
agency shall disclose any contents of the report prior to the public release of the final report.
Please check the last page of text of the report for the timing of your response, if any, as required by the
Penal Code. Section 933.05 of the Penal Code is attached for your reference. Also attached is a form for
your responses to Grand Jury findings, conclusions and recommendations.
Please keep in mind that this report must be kept confidential until its public release by the Grand Jury.
Respectfully,
Anida Margolis, Foreperson
2019-2020 Ventura County Grand Jury
ATTACHMENT 2
California Penal Code Section 933.05
(a) For purposes of subdivision (b) of Section 933, as to each grand jury finding, the
responding person or entity shall indicate one of the following:
(1) The respondent agrees with the finding.
(2) The respondent disagrees wholly or partially with the finding, in which case the
response shall specify the portion of the finding that is disputed and shall include an
explanation of the reasons therefor.
(b) For purposes of subdivision (b) of Section 933, as to each grand jury
recommendation, the responding person or entity shall report one of the following
actions:
(1) The recommendation has been implemented, with a summary regarding the
implemented action.
(2) The recommendation has not yet been implemented, but will be implemented in
the future, with a timeframe for implementation.
(3) The recommendation requires further analysis, with an explanation and the scope
and parameters of an analysis or study, and a timeframe for the matter to be
prepared for discussion by the officer or head of the agency or department being
investigated or reviewed, including the governing body of the public agency when
applicable. This timeframe shall not exceed six months from the date of publication of
the grand jury report.
(4) The recommendation will not be implemented because it is not warranted or is not
reasonable, with an explanation therefor.
(c) However, if a finding or recommendation of the grand jury addresses budgetary or
personnel matters of a county agency or department headed by an elected officer, both
the agency or department head and the board of supervisors shall respond if requested
by the grand jury, but the response of the board of supervisors shall address only those
budgetary or personnel matters over which it has some decision-making authority. The
response of the elected agency or department head shall address all aspects of the
findings or recommendations affecting his or her agency or department.
(d) A grand jury may request a subject person or entity to come before the grand jury
for the purpose of reading and discussing the findings of the grand jury report that
relates to that person or entity in order to verify the accuracy of the findings prior to
their release.
(e) During an investigation, the grand jury shall meet with the subject of that
investigation regarding the investigation, unless the court, either on its own
determination or upon request of the foreperson of the grand jury, determines that
such a meeting would be detrimental.
(f) A grand jury shall provide to the affected agency a copy of the portion of the grand
jury report relating to that person or entity two working days prior to its public release
and after the approval of the presiding judge. No officer, agency, department, or
governing body of a public agency shall disclose any contents of the report prior to the
public release of the final report.
Response to Grand Jury Report Form
Report Title:
Report Date:
Response by: Title:
FINDINGS/ CONCLUSIONS
• I (we) agree with the Facts/ Conclusions numbered: ______________
• I (we) disagree wholly or partially with the Facts/ Conclusions numbered:
(Attach a statement specifying any portions of the Facts/ Conclusions that are disputed;
including an explanation of the reasons.)
RECOMMENDATIONS
• Recommendations numbered ________ have been implemented.
(Attach a summary describing the implemented actions and date completed.)
• Recommendations number _______ have not yet been implemented, but will be
implemented in the future.
(Attach a time frame for the implementation.)
• Recommendations numbered ___________ require further analysis.
• Recommendations numbered ___________ will not be implemented because
they are not warranted or are not reasonable.
Date: _______ Signed: _______________
Number of pages attached: ____
2019 -2020
Ventura County Grand Jury
Final Report
Cybersecurity Strategies
for Cities in Ventura County
April 17, 2020
2019-2020 Ventura County Grand Jury Final Report
Cybersecurity Strategies
for Cities in Ventura County
Summary
During 2019 targeted cyberattacks on local governments increased across the
nation. Half resulted in ransomware demands. As the reports of these attacks on
cities unfolded, it became clear that better preparation could have assisted those
cities to avoid major and costly data breaches.
Due to the challenges of limited budgets, increasing cybersecurity attacks, the
digital revolution and a competitive recruiting environment, cities would benefit
from free or low cost federal government backed assistance to defend against
these challenges.
Within Ventura County (County) there are 10 incorporated cities (Cities). The
2019-2020 Ventura County Grand Jury (Grand Jury) investigated cybersecurity
strategies of the Cities to assess the degree each City was prepared to defend
against data breaches and ransomware and identify opportunities to implement
improvements. The Grand Jury is mindful of the need not to disclose
vulnerabilities of, or otherwise increase the potential for an attack on, an
information technology system of a City. Therefore, this report does not detail
any specific cybersecurity vulnerabilities that may have been discovered during
the Grand Jury's investigation.
Since each City has varying circumstances, resources and readiness, the Grand
Jury recognizes there is no perfect solution to cybersecurity or defense against
cyberattacks. The Grand Jury recommends the following measures be adopted
to bolster the Cities' cybersecurity and potentially decrease cybersecurity
expenditures:
• Implement trustworthy website addresses
• Use free federal services for cyber risk assessments, cybersecurity
evaluations, incident assistance coordination and cyber exercises/training
• Use cooperative group purchase programs
• Partner with local educational institutions and federal programs to recruit
cybersecurity interns or graduating students
• Require cyber liability insurance of the Cities' IT vendors
• Develop and test cyber incident response, disaster recovery and business
continuity plans
• Implement federal cybersecurity best practices
• Implement the California Cyber Security Integration Guidance for
Teleworkers
While the Grand Jury investigation focused on the Cities, it suggests that similar
strategies be considered by the County government and its agencies as well as
independent districts. These include libraries, community colleges, county
hospitals, schools and harbor, airport and water districts.
Background
Recent national and local news reporting alerted the Grand Jury to cities across
the United States falling victim to hacking attacks with increasing frequency.
Often attackers used malware to block access to a city's computer systems and
demanded payment to unblock them. (Ref-01)
Cyberattacks
Attackers often target small organizations that have few resources to defend
themselves. This can apply to cities, school districts, libraries, water districts,
harbors and airports. (Ref-02, Ref-03) In 2019 at least 140 local government
agencies nationwide were hit by ransomware. (Ref-04)
One published study reported more than 50 ransomware attacks against cities
between January and June of 2019. Half of the victims were cities with fewer
than 50,000 residents. (Ref-01) Cyberattacks against cities increased during the
latter half of the year. In December alone malware attacks resulted in disruption
of essential services in the cities of Pensacola, Florida; New Orleans, Louisiana;
Galt, California; and St. Lucie, Florida. (Ref-05)
Nationally, 44% of local governments reported that they experienced
cyberattacks on an hourly or daily basis. However, 28% of local governments
did not know how often they were attacked, 41% did not know how often they
were breached and 54% did not catalog or count attacks. (Ref-02)
Cities and attackers are in a never-ending game of cat and mouse as malware
techniques constantly change to evade defenses.
• As local governments increasingly back-up electronic files to defend
against ransomware, more attacks involve Trojan horse malware. Trojan
horse malware lies dormant on networks and sets itself up to cause as
much damage as possible when the attack is triggered. The latent attack
often destroys the back-ups along with the targeted data, requiring IT
personnel to rebuild their systems.
• For some attackers, the Trojan horse attack is used as a diversionary
tactic. The malware enters a victim's network, remaining undetected for
weeks, while secretly stealing data and information. Then, the malware
launches a ransomware attack to distract incident response teams
regarding the attackers' other activities. (Ref-06)
Attackers are expanding their targets to include the managed service providers
that many smaller communities use to supply their technology needs. (Ref-07)
In 2017 and 2018, an online bill payment services vendor for two Cities was
compromised by an outside attacker using malware. As a result, credit card
information was stolen and used for fraudulent charges. (Ref-08)
Some attackers target electronic devices directly, infecting USB drives during
production. When users buy the infected products and plug them into their
computers, malware is automatically installed.
If a person can physically access a computer, they may use their own USB drive
to steal information directly from that computer. Another security risk related to
the use of USB drives is they are easily lost or stolen. If the information on the
drive was not encrypted, anyone in possession of the USB drive would have
access to the data on it. (Ref-09)
Costs of Cyberattacks
Costs of cyberattacks to victimized cities arise in numerous ways: operational
downtime to government services (e.g. police, emergency response, fire and tax
collection), citizen frustration with lack of services and financial impact. (Ref-10)
With no options left for recovery, some victimized public entities resorted to
paying the attackers. The largest known single payout in a ransomware attack in
2019 was by the city of Riviera Beach, Florida. Officials approved a $600,000
payment in Bitcoins to an attacker who seized control of its computers. (Ref-04)
In addition to ransom, there can be significant recovery costs. In just one
example, Pensacola, Florida was hit with a ransomware attack in early
December 2019. Although most of the data was quickly recovered, fearing a
Trojan horse malware, city officials paid a professional services firm $140,000 to
assess how the attack occurred, whether malware remained in the city's
network and if data was compromised during the incident. (Ref-11)
As insurance companies for local governments pay ransom demands, attacker
ransomware demand amounts are increasing. Higher insurance premiums are
expected to follow. (Ref-12)
Local taxpayers are concerned. An IBM Security Study in 2019 found that a
majority of polled taxpayers throughout the United States see ransomware as a
threat to their personal data and their city's data. At the same time, nearly 60%
of U.S. citizens surveyed are against their local governments using tax dollars to
pay ransoms. (Ref-13)
Cyber Defenses
Appendix-04 to this report itemizes federal government recommendations for
preventative measures to protect local government computer networks from
falling victim to a malware infection. The Federal Government also recommends
taking preventative measures for handling USB drives. (Ref-09)
Cyber Risk Management
Many local government agencies operate in a server environment. As they seek
to improve government functions by using state-of-the-art platforms and tools
such as cloud computing, mobile devices and big data initiatives, there can be
increased exposure to attacks and additional public privacy risks. Local
government leaders will need to balance the risks and rewards of adopting
cloud, mobile and big data technologies. They also will need adequate
cybersecurity defenses if they are attacked, keeping public services running and
avoiding paying hefty ransom demands. (App-05)
With these issues in mind, the Grand Jury elected to focus on examining the
cybersecurity readiness of the Cities as they increasingly digitize government
services and functions. The circumstances and challenges for each City are
unique, so the solutions will vary.
Methodology
The Grand Jury obtained information from the following sources:
• Internet research to gather relevant information from a variety of
authoritative sources
• Interviews with local IT subject matter experts from September through
November 2019
• Interviews with City officials and IT personnel within the County from
October through November 2019
• Related documents provided by City officials
The Grand Jury's interview questions and document requests focused on the
"Five Functions of the Cybersecurity Framework" (Cybersecurity Framework).
This framework represents five key pillars of a successful and holistic
cybersecurity program as developed by the U.S. Department of Commerce and
used throughout the Federal government.
[Figure: The Five Functions of the Cybersecurity Framework (Ref-14). Source: National Institute of Standards and Technology, U.S. Department of Commerce]
The California Public Records Act Government Code Section 6254.19 protects
from public disclosure a record that would reveal vulnerabilities to, or otherwise
increase the potential for an attack on, an information technology system of a
public agency. Therefore, the Grand Jury's report does not detail any specific
cybersecurity vulnerabilities that may have been discovered during the Grand
Jury's investigation. (Ref-15)
The Grand Jury appreciates the cooperation of local subject matter experts and
City staff interviewed in the course of the investigation.
Facts
City Cybersecurity Awareness & Preparation in the County
FA-01. Attackers often target small organizations and cities that have few
resources to defend themselves. (Ref-02, Ref-03)
FA-02. Cities are aware of the threat of cyberattacks and, to a varying degree,
take active measures to reduce the risk in accordance with the
Cybersecurity Framework. (Ref-14)
FA-03. On March 13, 2020, the California Cyber Security Integration Center
issued a cybersecurity advisory titled Teleworking Quick Reference
Guide. The guide highlights some security concerns and best practices
end-users and network administrators should consider when
implementing a teleworking program. (App-01)
FA-04. Not all Cities are implementing the teleworking best practices
recommended by the California Cyber Security Integration Center.
(Ref-16) (App-01)
FA-05. City managers and IT personnel provide ongoing cyber safety training
and encourage personnel to take advantage of that training.
Collaboration within the County
FA-06. The Ventura County Executive Office created an informal network of City
IT managers, thereby collectively elevating the level of the Cities' IT
performance.
FA-07. City managers and IT personnel meet with their counterparts from other
Cities on a regular basis to collaborate regarding cyberattacks.
City Web Addresses (URLs)
FA-08. The California Department of Technology and the National League of
Cities recommend using .gov domain names and secure internet
protocols. (App-01)
FA-09. Nine out of ten Cities use HTTPS (Hypertext Transfer Protocol Secure).
Two out of ten Cities have .gov domain names. (App-03)
Cybersecurity Resources
FA-10. Cybersecurity and Infrastructure Agency
• The Department of Homeland Security (DHS) designated the
Cybersecurity and Infrastructure Agency (CISA) to be the lead
federal department to provide cybersecurity assistance to State,
Local, Tribal and Territorial (SLTTs) government organizations.
(App-02)
• CISA provides SLTTs with a "one-stop shop" of free services for
cyber risk assessments, cybersecurity evaluations, incident
assistance coordination, cyber exercises/training and recommended
best practices. (App-02)
FA-11. Only one City uses any of the free CISA resources. That City uses only
one of the available resources.
FA-12. Among its many services, CISA operates the Protective Security Advisor
(PSA) Program. PSAs are DHS-trained critical infrastructure protection
and vulnerability mitigation subject matter experts. Upon request,
these experts provide free cybersecurity advice and assistance to
SLTTs. (App-02)
FA-13. Nine of the 10 Cities maintain their cyber infrastructure through the use
of internal staff and/or hiring vendors, in each case without taking
advantage of CISA assistance.
FA-14. By using just one free CISA service, the remaining City saved at least
$1,000 per month over five years. That City was not aware of the other
available free CISA services.
FA-15. The DHS designated the nonprofit member driven Multi-State
Information Sharing & Analysis Center (MS-ISAC) as its partner for
sharing cybersecurity information with the SLTT governments. (App-02)
FA-16. MISAC also provides some fee-based cybersecurity services. (App-02)
FA-17. While all IT managers for the Cities are members of MISAC, less than
half are members of MS-ISAC. Furthermore, only three Cities' IT
personnel attended the MISAC 2019 Annual Conference. (Ref-17)
FA-18. Representatives from MS-ISAC provided information on available
Federal cybersecurity resources at the 2019 MISAC conference. (Ref-18)
FA-19. More than 90 California cities hold memberships in MS-ISAC; two Cities
in the County are members. (Ref-19)
FA-20. Of those Cities that use servers, hybrid cloud and cloud platforms, few
take advantage of the cost-saving FedRAMP Moderate program to
contract with cloud providers. (App-02)
Partnerships with Local Educational Institutions
FA-21. Some Cities partner with local educational institutions to develop
internship opportunities and create a talent pool for cybersecurity or
information technology. Those that do employ cybersecurity interns
reported positive experiences and personnel cost savings.
FA-22. Three County higher educational institutions offer cybersecurity and
internship programs:
• California Lutheran University (Ref-20)
• California State University Channel Islands (Ref-21, Ref-22)
• Moorpark College (Ref-23)
Information Technology Department Staffing
FA-23. Some Cities have difficulty recruiting and retaining IT staff. Salaries and
benefits for City IT staff are not competitive with the private sector.
Cybersecurity Liability Insurance
FA-24. All Cities have cybersecurity liability insurance through the California
Joint Powers Insurance Authority or other insurers.
FA-25. In addition to recommending cyber liability insurance for cities, the
MISAC Security committee encourages MISAC members to require that their IT
vendors have cyber liability insurance. (Ref-24)
City Budgets for Information Technology Services
FA-26. In reviews of budget documents, the Grand Jury found that five Cities
have Information Services/Technology Departments line items in their
adopted budgets. No City has a publicly viewable budget line item
specifically for cybersecurity. (App-03)
FA-27. Two of the Cities anticipate spending over $5 million on information
services in the upcoming budget year. (App-03)
Cyber Incident Response and Disaster Recovery Plans
FA-28. In 2018, a major provider of cybersecurity policies conducted a survey
of public and private-sector respondents. In that survey 91% of
respondents were confident their companies had implemented best
practices to avoid a cyber event. Yet, 55% admitted not completing a
cyber-risk assessment, 62% had not developed a business continuity
plan and 63% had not completed a cyber-risk assessment on vendors
who have access to their data. (Ref-25)
FA-29. Not all Cities have comprehensive cyber incident response, recovery and
business continuity plans.
Vendor Management
FA-30. Business and Intellectual Property Attorney Lisa M. Thompson advised in
August 2019 that cities should defend against cybersecurity threats by
conducting risk management assessments on all third-party vendors
that have access to confidential data and interact with municipal
networks and systems. In addition, she stated that cities should require
all vendors provide security documentation. (Ref-26)
FA-31. Most Cities do not manage the cyber risk of third-party vendors.
Conclusions
C-01. While the Grand Jury recognizes each City is taking steps to implement
cybersecurity and to defend against cyberattacks, it concludes there is
no perfect solution to cybersecurity or defense against cyberattacks.
(FA-01, FA-02, FA-03, FA-04, FA-05, FA-06, FA-07)
C-02. The Grand Jury concluded eight Cities are currently using suboptimal
web addresses for their websites. (FA-08, FA-09)
C-03. The Grand Jury concluded generally Cities are not utilizing free federal
and discounted federally aligned resources available to Cities to bolster
their cybersecurity defenses. (FA-10, FA-11, FA-12, FA-13, FA-14,
FA-15, FA-16, FA-17, FA-18, FA-19, FA-20)
C-04. The Grand Jury concluded cybersecurity staffing could be improved with
more effective recruiting and staff retention practices. (FA-21, FA-22,
FA-23)
C-05. The Grand Jury concluded Cities should manage cyber risks associated
with vendors by requiring they provide annual documentation regarding
cybersecurity insurance and cybersecurity practices. (FA-24, FA-25,
FA-30, FA-31)
C-06. The Grand Jury concluded some Cities do not clearly identify
expenditures regarding information technology or cybersecurity in their
budgets. (FA-26, FA-27)
C-07. The Grand Jury concluded all Cities would benefit from comprehensive
cyber incident response, recovery and business continuity plans. (FA-28,
FA-29)
C-08. The Grand Jury concluded some Cities are not following the
recommended best practices for teleworking published by California
Cyber Security Integration Center. (FA-03, FA-04)
Recommendations
R-01. The Grand Jury recommends Cities establish secure web addresses
through the use of HTTPS or other such protocols. (C-02)
R-02. The Grand Jury recommends Cities establish trustworthy web addresses
by following the California Department of Technology domain name
taxonomy guidance. (C-02)
R-03. The Grand Jury recommends Cities utilize free federal and federally
aligned cybersecurity services as set forth in Appendix 02 to supplement
internal staff and/or replace vendor services whenever possible. (C-03)
R-04. The Grand Jury recommends Cities' IT staff subscribe to CISA updates
online. (C-03)
R-05. The Grand Jury recommends Cities take advantage of discounted
services and cooperative purchasing programs whenever possible.
(C-03)
R-06. The Grand Jury recommends Cities develop personnel cost-saving
opportunities and create a cybersecurity talent pool by recruiting interns
or graduating students using: (C-04)
• The Scholarships for Service program described in Appendix 02
• Local education institutions (high school, community college,
private college and state university)
R-07. The Grand Jury recommends Cities maintain good vendor management
by: (C-03, C-05)
• Obtaining CISA assistance to conduct risk management
assessments on all third-party vendors that have access to any
confidential data or that interact with City networks and systems
• Requiring all vendors provide cybersecurity documentation. As part
of their ongoing third-party due diligence, Cities should evaluate
vendors for compliance and risk on an annual basis
• Requiring IT vendors obtain cybersecurity insurance.
R-08. The Grand Jury recommends Cities clearly identify expenses for their
Information Services (Technology) Departments in their approved
budgets. (C-06)
R-09. The Grand Jury recommends Cities develop and test cyber incident
response, recovery and business continuity plans. (C-07)
R-10. The Grand Jury recommends Cities implement the best practices for
teleworking as published by the California Cyber Security Integration
Center. (C-08)
R-11. The Grand Jury recommends Cities develop a written plan for
implementation of R-01 through R-10 prior to December 31, 2020.
Responses
Responses Required From:
City Council, City of Camarillo (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08)
(R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
City Council, City of Fillmore (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08)
(R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
City Council, City of Moorpark (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08)
(R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
City Council, City of Ojai (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08)
(R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
City Council, City of Oxnard (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08)
(R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
City Council, City of Port Hueneme (C-01, C-02, C-03, C-04, C-05, C-06, C-07,
C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
City Council, City of Santa Paula (C-01, C-02, C-03, C-04, C-05, C-06, C-07,
C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
City Council, City of Simi Valley (C-01, C-02, C-03, C-04, C-05, C-06, C-07,
C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
City Council, City of Thousand Oaks (C-01, C-02, C-03, C-04, C-05, C-06, C-07,
C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
City Council, City of Ventura (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08)
(R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11)
References
Ref-01. Shi, Flemming. Threat Spotlight: Government Ransomware Attacks.
Barracuda blog, August 28, 2019
https://blog.barracuda.com/2019/08/28/threat-spotlight-government-ransomware-attacks/
Accessed April 7, 2020
Ref-02. McGalliard, Tad. How Local Governments Can Prevent Cyberattacks.
New York Times, March 30, 2018
https://www.nytimes.com/2018/03/30/opinion/local-government-cyberattack.html
Accessed April 7, 2020
Ref-03. Nelson, Sarah. Report: Local Gov Cyberattacks Reach Critical Level.
Government Technology, December 18, 2019
https://www.govtech.com/security/Report-Local-Gov-Cyberattacks-Reach-Critical-Level.html
Accessed April 7, 2020
Ref-04. Kim, Allen. In the last 10 months, 140 local governments, police
stations and hospitals have been held hostage by ransomware attacks.
CNN, October 8, 2019
https://www.cnn.com/2019/10/08/business/ransomware-attacks-trnd/index.html
Accessed April 7, 2020
Ref-05. Patterson, Dan. Four U.S. cities attacked by ransomware this month.
CBS News, December 17, 2019
https://www.cbsnews.com/news/ransomware-attack-pensacola-florida-4-u-s-cities-attacked-by-ransomware-this-month-2019-12-17/
Accessed April 15, 2020
Ref-06. Ng, Alfred. Ransomware froze more cities in 2019. Next year is a
toss-up. CNET, December 5, 2019
https://www.cnet.com/news/ransomware-devastated-cities-in-2019-officials-hope-to-stop-a-repeat-in-2020/
Accessed April 15, 2020
Ref-07. Freed, Benjamin. Ransomware Attacks Map chronicles a growing
threat. Statescoop, October 22, 2019
https://statescoop.com/ransomware-attacks-map-state-local-government/
Accessed April 15, 2020
Ref-08. Whitnall, Becca. City's online payment system falls victim to hackers.
Thousand Oaks Acorn, November 8, 2018
https://www.toacorn.com/articles/citys-online-payment-system-falls-victim-to-hackers/
Accessed April 15, 2020
Ref-09. CISA. Security Tip (ST08-001) Using Caution with USB Drives.
November 15, 2019
https://www.us-cert.gov/ncas/tips/ST08-001
Accessed April 15, 2020
Ref-10. Lohrmann, Dan. 2019: The Year Ransomware Targeted State & Local
Governments. Government Technology, December 23, 2019
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2019-the-year-ransomware-targeted-state--local-governments.html
Accessed April 15, 2020
Ref-11. Ropek, Lucas. Pensacola Hires Deloitte to Investigate Extent of
Cyberattack. Government Technology, December 19, 2019
https://www.govtech.com/security/Pensacola-Hires-Deloitte-to-Investigate-Extent-of-Cyberattack.html
Accessed April 15, 2020
Ref-12. Ikeda, Scott. Ransomware Attacks Are Causing Cyber Insurance Rates
to Go Through the Roof; Premiums up as Much as 25 Percent. CPO
Magazine, February 10, 2020
https://www.cpomagazine.com/cyber-security/ransomware-attacks-are-causing-cyber-insurance-rates-to-go-through-the-roof-premiums-up-as-much-as-25-percent/
Accessed April 15, 2020
Ref-13. IBM. IBM Security Study: Taxpayers Oppose Local Governments
Paying Hackers in Ransomware Attacks. September 5, 2019
https://newsroom.ibm.com/2019-09-05-IBM-Security-Study-Taxpayers-Oppose-Local-Governments-Paying-Hackers-in-Ransomware-Attacks
Accessed April 15, 2020
Ref-14. U.S. Department of Commerce, National Institute of Standards and
Technology. Cybersecurity Framework, The Five Functions
https://www.nist.gov/cyberframework/online-learning/five-functions
Accessed April 17, 2020
Ref-15. California Public Records Act Government Code Section 6254.19
http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=6254.19&lawCode=GOV
Accessed April 17, 2020
Ref-16. California Cyber Security Integration Center. CYBERSECURITY
ADVISORY Teleworking Quick Reference Guide. March 13, 2020
https://www.caloes.ca.gov/LawEnforcementSite/Documents/Cal-CSIC_Advisory_Teleworking%20Guidance.pdf
Accessed April 17, 2020
Ref-17. Registration List. 2019 MISAC Annual Conference
https://www.misac.org/events/RSVPlist.aspx?id=1243109
Accessed April 17, 2020
Ref-18. Vendors. 2019 MISAC Annual Conference
https://www.misac.org/page/VendorConfInfo2019
Accessed April 17, 2020
Ref-19. CIS. MS-ISAC Local Governments
https://www.cisecurity.org/partners-local-government/
Accessed April 17, 2020
Ref-20. California Lutheran University. Cal Lutheran starts cybersecurity
program. September 20, 2019
https://www.callutheran.edu/news/story.html?id=13865#story
Accessed April 17, 2020
Ref-21. California State University Channel Islands. Computer Science Program
- BS Information Technology
https://compsci.csuci.edu/degrees/bsit.htm
Accessed April 17, 2020
Ref-22. California State University Channel Islands. Computer Science Program
- Internships
https://compsci.csuci.edu/resources/internships.htm
Accessed April 17, 2020
Ref-23. Moorpark College. Computer Science Curriculum
https://www.moorparkcollege.edu/faculty-and-staff/curriculum-committee/course-outlines-of-record/computer-science-curriculum
Accessed April 17, 2020
Ref-24. MISAC. MISAC's New Security Committee Up and Running. July 6,
2018
https://www.misac.org/news/407088/MISACs-New-Security-Committee-Up-and-Running.htm
Accessed April 17, 2020
Ref-25. Newcome, Tod. Cyber Insurance Evolves to Meet the Ransomware
Threat. Government Technology, October/November 2019
https://www.govtech.com/security/Cyberinsurance-Evolves-to-Meet-the-Ransomware-Threat.html
Accessed April 17, 2020
Ref-26. Thompson, Lisa. Cybersecurity Best Practices for Municipalities. New
Hampshire Municipal Association, August 2019
https://www.nhmunicipal.org/town-city-article/cybersecurity-best-practices-municipalities
Accessed April 7, 2020
Glossary
TERM DEFINITION
Attacker Any individual or organization who attempts to destroy,
expose, alter, disable, steal or gain unauthorized access
to or make unauthorized use of an asset.
Big Data A field that treats ways to analyze, systematically extract
information from or otherwise deal with data sets that
are too large or complex to be dealt with by traditional
data-processing application software.
Bitcoin(s) A decentralized digital currency without a central bank or
single administrator that can be sent from user to user on
the peer-to-peer bitcoin network without the need for
intermediaries.
CIS Center for Internet Security
CISA Cybersecurity and Infrastructure Security Agency
Cities The 10 incorporated cities in the County
County Ventura County
Cyberattack Any type of offensive maneuver that targets computer
information systems, infrastructures, computer
networks, or personal computer devices.
Cybersecurity The protection of computer systems and networks from
the theft of or damage to their hardware, software, or
electronic data, as well as from the disruption or
misdirection of the services they provide.
DHS Department of Homeland Security
Encrypt The process of encoding a message or information in
such a way that only authorized parties can access it and
those who are not authorized cannot.
FedRAMP The Federal Risk and Authorization Management
Program. A U.S. government-wide program that provides
a standardized approach to security assessment,
authorization and continuous monitoring for cloud
products and services.
FedRAMP Moderate The California administered FedRAMP
Grand Jury 2019-2020 Ventura County Grand Jury
HTTPS Hypertext Transfer Protocol Secure
IT (Information Technology) The use of computers to store, retrieve,
transmit and manipulate data information. Typically used within the
context of business operations as opposed to personal or
entertainment technologies. All hardware, software and
peripheral equipment operated by a limited group of
users, as in "IT Department."
Malware Any software intentionally designed to cause damage to a
computer, server, client, or computer network. By
contrast, software that causes unintentional harm due to
some deficiency is typically described as a software bug.
A wide variety of malware exists, including computer
viruses, worms, Trojan horses, ransomware, spyware,
adware, and scareware.
MISAC The Municipal Information Systems Association of
California
MS-ISAC Multi State Information Sharing and Analysis Center
NIST National Institute for Standards and Technology (U.S.
Department of Commerce)
NSF National Science Foundation (administers SFS)
Server A computer that provides data to other computers.
SFS CyberCorps Scholarships for Service
SLTT State, Local, Tribal and Territorial Governments; includes
special districts (e.g. Libraries, airports, water districts,
harbors, etc.)
USB Drive A data storage device that includes flash memory with
an integrated USB interface. It is typically removable and
rewritable.
URL Colloquially termed a "web address," is a reference to a
web resource that specifies its location on a computer
network and a mechanism for retrieving it. A URL
(Uniform Resource Locator) is a specific type of Uniform
Resource Identifier (URI), although many people use the
two terms interchangeably.
Appendices
App-01. A Compilation of Best Practices from Authoritative Sources
App-02. Cybersecurity Resources
App-03. City Budgets
App-04. Federal Government Cybersecurity Recommendations for SLTTs
App-05. State of the Art Platforms and Tools
Appendix 01
A Compilation of Best Practices
from Authoritative Sources
A Compilation of Best Practices from Authoritative Sources
Source: California Department of Technology
Internet Domain Name Taxonomy
Preparation instructions in the Statewide Information Management
Manual - Section 40A
https://cdt.ca.gov/wp-content/uploads/2017/05/SIMM-40A-Internet-Domain-Instructions.pdf
Recommendation: Each city government domain name should be "cityof"
followed by the name of the city OR the name of the city followed by
"city.ca.gov" OR in the case that there is no county with the same
name, just the name of the city followed by ".ca.gov".
Each county government domain name should be "countyof" followed by
the name of the county OR the name of the county followed by
"county.ca.gov" OR in the case that there is no city with the same
name, the name of the county followed by ".ca.gov".

Source: National League of Cities
Protecting Our Data: WHAT CITIES SHOULD KNOW ABOUT CYBERSECURITY
https://www.nlc.org/sites/default/files/2019-10/CS%20Cybersecurity%20Report%20Final
Recommendation: Convert to .gov domains in order to prevent
impersonators of municipal services from targeting residents.

Source: United States Senate
DOTGOV Online Trust in Government Act of 2019 (S.2749)
https://www.hsgac.senate.gov/media/minority-media/peters-johnson-klobuchar-and-lankford-introduce-bipartisan-bill-to-strengthen-cybersecurity-for-local-governments
Recommendation: The bill sponsors note that it can be difficult to
identify a legitimate website when a government uses a .com, .org, or
.us domain name. The sponsors note that when local governments don't
use the .gov domain, it allows cybercriminals to more easily
impersonate government officials in order to defraud the public and
get people to share sensitive information.
The bill helps the transition to a .gov domain name to be more
affordable for local governments by making the change an allowable
expense under DHS's Homeland Security Grant Program.

Source: DHS - CISA
https://www.cisa.gov/insights
https://www.us-cert.gov/ncas/tips/ST18-006
Recommendation: Phishing emails and the use of unencrypted Hypertext
Transfer Protocol (HTTP) remain persistent channels through which
malicious actors can exploit vulnerabilities in an organization's
cybersecurity posture. Attackers may spoof a domain to send a
phishing email that looks like a legitimate email. At the same time,
users transmitting data via unencrypted HTTP protocol, which does not
protect data from interception or alteration, are vulnerable to
eavesdropping, tracking and the modification of the data itself.

Source: CISA - Cyber Essentials Infographic
https://www.cisa.gov/sites/default/files/publications/19_1105_cisa_CISA-Cyber-Essentials.pdf
Recommendation: Cyber Essentials Infographic Guide for Leaders and IT
Professionals.
Source: CISA - Recommendations for Incident Response Plans, Recovery
Plans and Business Continuity Plans
https://www.cisa.gov/sites/default/files/publications/19_1106_cisa_CISA_Cyber_Essentials_S508C_0.pdf
Recommendation:
• Develop an incident response and disaster recovery plan outlining
roles and responsibilities.
• Test the plan often.
• Leverage business impact assessments to prioritize resources and
identify which systems must be recovered first.
• Learn who to call for help (outside partners, vendors,
government/industry responders, technical advisors and law
enforcement).
• Develop an internal reporting structure to detect, communicate and
contain attacks.
• Leverage in-house containment measures to limit the impact of cyber
incidents when they occur.

Source: California Cyber Security Integration Center
Guidance for Teleworkers (3/13/20)
https://www.caloes.ca.gov/LawEnforcementSite/Documents/Cal-CSIC_Advisory_Teleworking%20Guidance.pdf
Recommendation: Teleworking Quick Reference Guide. Teleworking
requires additional network security and user considerations. This
document highlights some of the security concerns and best practices
end-users and network administrators should consider when
implementing a teleworking program.

Source: "Cybersecurity Best Practices for Municipalities", New
Hampshire Municipal Association, by Lisa M. Thompson, August 2019
https://www.nhmunicipal.org/town-city-article/cybersecurity-best-practices-municipalities
Recommendation: City vendors should provide cybersecurity
documentation to the cities. As part of their ongoing third-party due
diligence, cities should evaluate vendors for compliance and risk on
an annual basis.
Appendix 02
Cybersecurity Resources
Cybersecurity Resources
Source: CISA
https://www.cisa.gov/sites/default/files/publications/2019-CSSS-CISA-Regional-Services-508.pdf, slides 10 and 15.
https://www.cisa.gov/about-cisa
Service: Provides SLTTs with a "one-stop shop" of free services for
cyber risk assessments, cybersecurity evaluations, incident
assistance coordination, cyber exercises/training, and best
practices.
CISA was established within Homeland Security in 2018 by the
Cybersecurity and Infrastructure Security Agency Act of 2018 to
coordinate efforts to address cybersecurity threats to critical
infrastructure by working with private companies as well as state and
local governments.

Source: CISA - Assessments
https://www.cisa.gov/about-cisa
Service: CISA offers a range of free cybersecurity assessments that
evaluate operational resilience, cybersecurity practices,
organizational management of external dependencies, and other key
elements of a robust cybersecurity framework. CISA's cybersecurity
assessment services are offered solely on a voluntary basis and are
available to SLTTs upon request.

Source: CISA - Infrastructure Security Division
Protective Security Advisor (PSA) Program
https://www.dhs.gov/cisa/protective-security-advisors
Service: PSAs are trained critical infrastructure protection and
vulnerability mitigation subject matter experts who facilitate local
field activities in coordination with other Department of Homeland
Security offices. They advise and assist state, local and private
sector officials and critical infrastructure facility owners and
operators.

Source: Local CISA Protective Security Advisor
https://www.cisa.gov/sites/default/files/publications/PSA-Program-Fact-Sheet-05-15-508.pdf
Service: The DHS has a free Protective Security Advisor in the
Camarillo, California, Office of Homeland Security.
Source: CISA - "Cyber Essentials"
https://www.cisa.gov/sites/default/files/publications/19_1105_cisa_CISA-Cyber-Essentials.pdf
Service: On November 6, 2019, CISA launched "Cyber Essentials" in an
effort to equip small organizations with basic steps and resources to
improve their cybersecurity.

Source: CISA's Cyber Essentials
https://www.cisa.gov/blog/2019/12/12/get-your-city-cyber-ready-cisas-cyber-essentials
https://www.cisa.gov/sites/default/files/publications/19_1106_cisa_CISA_Cyber_Essentials_S508C_0.pdf
Service: In a December 12, 2019 blog on the CISA website Bradford
Willke wrote "CISA intends for this to be the first of many 'Cyber
Essentials' product releases. In the coming months, we will be
developing a toolkit that provides users with additional detail on
each Essential and links them to helpful resources for
implementation. We will also continue to engage with partner
organizations to get the word out about the 'Cyber Essentials' and
collaborate with us in developing the toolkit."

Source: The National League of Cities
"What Cities Should Know About Cybersecurity"
https://41g41s33vxdd2vc05w415sle-wpengine.netdna-ssl.com/wp-content/uploads/2019/10/NLC_CybersecurityReport.pdf
Service: The report is intended to be a guide to help local
governments understand their cybersecurity vulnerabilities and how
they can improve security practices.

Source: CIS
https://www.cisecurity.org/about-us/
https://www.cisa.gov/partnership-engagement-branch
Service: A nonprofit, member driven organization formed in 2000. Its
mission is to identify, develop, validate, promote, and sustain best
practice solutions for cyber defense. CIS operates the MS-ISAC
program which is designated by DHS as the cybersecurity Information
Sharing and Analysis Center (ISAC) for SLTT governments to share
information between government and industry.
Source: MS-ISAC
https://www.cisecurity.org/blog/cis-securesuite-membership-free-for-u-s-sltts-what-you-need-to-know/
Service: In 2018 MS-ISAC's CIS SecureSuite membership became free to
SLTT governments in the United States.

Source: MISAC
https://www.misac.org/
Service: Founded in 1980, MISAC is comprised of public agency
information technology professionals working throughout California.
On its website MISAC states it promotes the understanding and
strategic use of information technology within local government
agencies through sharing of best practices.
MISAC is a member based organization that serves as an advisor to the
League of California Cities. It does not have a relationship with
DHS.

Source: MISAC - Security Committee
https://www.misac.org/news/407088/MISACs-New-Security-Committee-Up-and-Running.htm
Service: Promotes three best practices that municipalities can
implement to stay on top of their organization's cybersecurity:
1. Cyber liability insurance
2. Cyber for Internet Security (CIS) Controls
3. Multi-State Information Sharing & Analysis Center (MS-ISAC)
membership. Joining MS-ISAC is free to municipal government IT
operations.

Source: Govlaunch
https://govlaunch.com/
Service: A national free, private platform for any verified employees
of local government to share details of their projects or
initiatives. It is a website where local governments can find out
what technology their peers are turning to and how they're using it.
Source: FedVTE
niccs.us-cert.gov/training/federal-virtual-training-environment-fedvte
Service: FedVTE is a free, online, on-demand cybersecurity training
system managed by DHS that is available to SLTT government personnel.
It contains more than 800 hours of training on topics such as ethical
hacking, surveillance, risk management and malware analysis.
Resource benefits include:
• Diverse courses - The program offers more than 300 demonstrations
and 3,000 related materials, including online lectures and hands-on
virtual labs.
• Certification offerings - Offerings include Network+, Security+,
Certified Information Systems Security Professional (CISSP), Windows
Operating System Security and Certified Ethical Hacker.
• Experienced instructors - All courses are taught by experienced
cybersecurity subject matter experts.

Source: CIS CyberMarket
https://www.cisecurity.org/services/cis-cybermarket/
Service: CIS's collaborative purchasing program that serves SLTT
organizations, not-for-profit entities, and public health and
education institutions to improve cybersecurity through
cost-effective group procurement. The objective of the CIS
CyberMarket is to combine the purchasing power of governmental and
nonprofit sectors to help participants improve their cybersecurity
environment at a lower cost than they would have been able to attain
on their own.
General Services Administration Allows SLTTs to purchase IT and
Cooperat ive Purchasing Program security products and serv ices offered
through GSA's negot iated contracts. The
https: LLwww .gsa.gov LtechnologyLtechno advantage for eli g i b le users of t he GSA
logy -products-servicesLit-security Cooperat ive Purchasing Program is that
https:LLwww.gsa.govLbuying -vendor services and products can be
sel Ii ngL purchasi ng -prog ra msLgsa -procured at the lowest possible price
schedulesLschedule -buyersLstate -and -with the assurance that contractors are
loca I-governmentsL cooperative -qua li fied to se l l to the federa l
purchasing government.
Source: FedRAMP Moderate
https://www.fedramp.gov/
https://cdt.ca.gov/wp-content/uploads/2019/01/2018-Annual-Report FINAL accessible.pdf, p. 12
https://cdt.ca.gov/wp-content/uploads/2019/09/TA 18-05.pdf
Service: A U.S. government program that establishes a standardized approach for validating that cloud services are secure. FedRAMP offers independent, third-party validation of a cloud provider's security posture and a standardized approach to security assessments, authorization and continuous monitoring for cloud products and services. It is administered by the states.
Available to all California cities and counties. This single state contract provides cloud services to government customers at discounted prices of up to 9.5%, with additional volume discounts available for select providers. Service providers include Amazon, Microsoft and IBM.
Source: California's Cybersecurity Task Force
https://www.caloes.ca.gov/cal-oes-divisions/cybersecurity-task-force/task-force-subcommittees
Service: While not currently providing direct cybersecurity support to California's cities, this task force may be a future resource.
Source: The National Science Foundation
https://www.sfs.opm.gov/
Service: Administers the Federal SFS program which is an effective recruiting tool for SLTTs. Upon graduation, scholarship recipients are required to work as cybersecurity professionals for a period equal to the length of their scholarship.
The CyberCorps scholarship assists in funding the typical costs incurred by full-time students while attending a participating institution, including tuition and education and related fees. The scholarships are funded through grants awarded by the National Science Foundation in partnership with DHS and the Federal Office of Personnel Management (OPM).
City hiring Managers and Human Resources Consultants interested in recruiting from the SFS program can gain access to this candidate pool by contacting the program office at sfs@opm.gov.
Appendix 03
City Budgets
City of Camarillo Adopted 2018-2020 [2 years] Budget
https://www.cityofcamarillo.org/Finance/Budget/City%20of%20Camarillo%202018%20-%202020%20Budget.pdf, p. 56
City of Fillmore, CA Adopted Operating Budget 2019-20
https://www.fillmoreca.com/home/showdocument?id=5431
City of Moorpark, CA Operating and Capital Improvement Projects Budget Fiscal Year 2019-2020
https://www.moorparkca.gov/DocumentCenter/View/9589/F-201920-Budget?bidId=, pp. 87-91
City of Ojai, CA Adopted Municipal Budget 2019-2020
https://ojaicity.org/the-adopted-municipal-budget-for-fiscal-year-2019-2020-now-online/, p. 35
City of Oxnard Adopted Budget Fiscal Year 2019-2020
https://www.oxnard.org/wp-content/uploads/2019/10/FINANCE ADOPTED Budget Book 19 20.pdf, pp. 152-155
City of Port Hueneme FY 2019-21 Operating Budget
https://www.ci.port-hueneme.ca.us/DocumentCenter/View/2953/Operating Budget-19-20-and-20-21?bidId=
City of Santa Paula 2019-2020 Fiscal Year Budget
https://spcity.org/209/Financial-Reports
City of Simi Valley FY2019-20 Adopted Budget
https://www.simivalley.org/home/showdocument?id=21214, pp. 97, 98
City of Thousand Oaks Adopted Operating Budget Fiscal Years 2019-2020 & 2020-2021
https://www.toaks.org/home/showdocument?id=22064
City of Ventura Adopted Budget
https://www.cityofventura.ca.gov/DocumentCenter/View/18416/FY-2019-20-Adopted-Budget?bidId=
Appendix 04
Federal Government
Cybersecurity Recommendations for SLTTs
• Implement an awareness and training program emphasizing awareness of the
threat of ransomware and how it is delivered. Because end users are targets,
employees and individuals should be aware of the threat of ransomware and
how it is delivered.
• Enable strong spam filters to prevent phishing emails from reaching the end
users and authenticate inbound email using technologies like Sender Policy
Framework (SPF), Domain Message Authentication Reporting and
Conformance (DMARC), and Domain Keys Identified Mail (DKIM) to prevent
email spoofing.
• Scan all incoming and outgoing emails to detect threats and filter executable
files from reaching end users.
• Configure firewalls to block access to known malicious IP addresses.
• Patch operating systems, software, and firmware on devices. Consider using a
centralized patch management system.
• Set anti-virus and anti-malware programs to conduct regular scans
automatically.
• Manage the use of privileged accounts based on the principle of least
privilege: no users should be assigned administrative access unless absolutely
needed; and those with a need for administrator accounts should only use
them when necessary.
• Configure access controls, including file, directory, and network share
permissions, with least privilege in mind. If a user only needs to read specific
files, the user should not have write access to those files, directories, or
shares.
• Disable macro scripts from office files transmitted via email. Consider using
Office Viewer software to open Microsoft Office files transmitted via email
instead of full office suite applications.
• Implement Software Restriction Policies (SRP) or other controls to prevent
programs from executing from common ransomware locations, such as
temporary folders supporting popular Internet browsers or
compression/decompression programs, including the AppData/LocalAppData
folder.
• Consider disabling Remote Desktop protocol (RDP) if it is not being used.
• Use application whitelisting, which only allows systems to execute programs
known and permitted by security policy.
• Execute operating system environments or specific programs in a virtualized
environment.
• Categorize data based on organizational value and implement physical and
logical separation of networks and data for different organizational units.
Source: CISA, "Ransomware, What It Is and What To Do About It"
https://www.us-cert.gov/sites/default/files/publications/Ransomware Executive One-Pager and Technical Document-FINAL.pdf
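The SPF and DMARC recommendation in the list above can be checked mechanically. The following Python sketch is an added example, not part of the Grand Jury report or the CISA document; it audits TXT record strings for settings that leave a domain open to spoofing, using constructed records for the placeholder domain example.gov.

```python
import re

SAMPLES = {  # constructed SPF/DMARC TXT records for example.gov, not real DNS data
    "weak": ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none"),
    "hardened": ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"),
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def audit_spf(txt):
    """Return findings for one SPF TXT record string."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    # The 'all' mechanism decides what happens to senders not listed earlier.
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    qualifier = (alls[-1][0] if alls[-1][0] in "+-~?" else "+") if alls else None
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("+all authorizes every host to send as this domain")
    elif qualifier in "?~":
        findings.append(f"{qualifier}all does not fail unlisted senders outright")
    # RFC 7208 allows at most 10 DNS-querying terms before SPF returns permerror.
    lookups = sum(re.split(r"[:=/]", t.lstrip("+-~?"))[0] in LOOKUP_TERMS for t in terms[1:])
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings

def audit_dmarc(txt):
    """Return findings for one DMARC TXT record (published at _dmarc.<domain>)."""
    tags = dict((k.strip().lower(), v.strip()) for k, v in
                (p.split("=", 1) for p in txt.split(";") if "=" in p))
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy, pct = tags.get("p", "").lower(), tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

if __name__ == "__main__":
    print({n: audit_spf(s) + audit_dmarc(d) for n, (s, d) in SAMPLES.items()})
```

An empty list from both functions means none of the checked weaknesses were found; DKIM is not covered here because verifying it requires a signed message and the published selector key.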
Appendix 05
State of the Art Platforms and Tools
Tool: Mobile Devices
Risks:
• Information breach from lost or stolen devices
• Unclear data ownership due to both personal and private usage of devices
• Additional endpoints to manage
Rewards:
• Increased accessibility to data anywhere and anytime
• Consistent methodologies of data collection

Tool: Cloud Computing
Risks:
• Compromised confidential data
• An unauthorized user obtaining information
• Insiders circumventing security and releasing private information
Rewards:
• Improved collaboration and continuity
• Increased accessibility to information and resources
• More opportunities for increased business agility

Tool: Big Data Initiatives
Risks:
• Volumes of data expose organizations to more risks and threats
• Challenging to stay ahead of attacks
• Harder for agencies to be proactive in spotting big data vulnerabilities
Rewards:
• Identifies relationships, patterns and threats traditionally not seen
• Real-time data can stop fraud and attacks faster than traditional data processing
• Big data can increase secure operations and meet compliance requirements
Source: Government Technology
https://media2.govtech.com/images/symantecinfographicnewfinalsmall.jpg