Cyber Security for Board of Directors and Senior Management

Presentation transcript:

Cyber Security for Board of Directors and Senior Management Peter O’Dell Author: Cyber 24-7: Risks, Leadership, Sharing

Introduction – Pete O’Dell
- Author: Cyber 24-7: Risks, Leadership and Sharing, sound advice for boards, the C-Suite, and non-technical executives
- Background: technology and manufacturing; CIO, COO, CEO, board member, entrepreneur, consultant
- www.swanisland.net – TIES, Azure-based situational awareness/cyber-intelligence capability, Microsoft CityNext; Fellow: National Cybersecurity Institute

Today’s Cyber Situation
Victims of our own success. Opportunity expands the attack surface:
- Clouds linked to legacy systems
- Internet of Things (IoT) means more entry points
- Bring Your Own Device (BYOD)
We’re not doing all we can:
- Boards and C-Suite largely delegating or ignoring
- Poor information sharing even at basic levels, not real-time
- Eliminating/upgrading legacy systems
- “Tone at the Top” by the board and C-Suite
- Government – no legislation since 2002, poor grades

Carnegie Mellon CYLAB Research 2012

Cyber is not a Normal Risk!
Cyber defies conventional metrics:
- Non-quantifiable
- Non-predictable
- Global, not local
- Can put the entire organization at complete risk
Examples of normal risks:
- Weather – business interruption
- Employee and customer lawsuits
- Theft of a trailer full of cell phones

Simple Risk Metaphors
Medieval fire:
- Concentrated buildings with legacy materials
- No automated controls, manual watch/warning
- Interconnections allowed rapid spread
- Malicious or inadvertent spark had the same impact
Wolves, elk, and buffalo – Yellowstone:
- Buffalo communicate threat information and circle the herd
- Elk scatter – every elk for itself
- Who would you eat if you were a wolf?
Titanic and Costa Concordia:
- Huge, valuable assets
- Known threat and risk picture
- Total, preventable loss

Cyber Pressure at All Levels
Board, management:
- Are we safe? Are we prepared? Can we count on our people? Can we afford it? What is our strategy?
- I don’t understand! I don’t want liability! We can’t stop! We don’t like bad news!
CIO, CISO, IT team:
- Rogue IT projects
- SaaS bought with a credit card
- BYOD
- USB sticks
- Data everywhere
- Budget constraints
- Legacy systems
- New demands – cloud and IoT
- Nobody likes to deliver bad news

Cyber Dialogue – Techspeak
- “The APT slipped through the DMZ and the IDS missed it”
- “CERT, part of DHS NCCIC, released some IOCs using STIX and TAXII”
- “Stuxnet was delivered by USB into an ICS utilizing Siemens PLCs”
Is your management going to understand this? Understandable dialogue is critical.

Board &amp; C-Suite Preparation/Proactive Efforts
- Set the “Tone at the Top”
- Set the organizational priorities
- Consider a technical board member, committee creation, and outside expertise
- Hire and validate the right people and partners
- Detailed risk, resilience, and plan review
- Exercise the full response plan across the enterprise
- Work with all levels of the organization

People – Critical at All Levels
- Industry shortage means marginal employees, turnover, and rapid obsolescence
- Validate through outside expertise
- Finding, training, retaining, and motivating
- Standing guard 24/7 is difficult and boring
- Trusted people can turn malicious for outside reasons
- 360-degree communications for team success
- Entire organization – this is not just an IT issue

What can IT pros do to work with the board and C-Suite?
- Communicate in clear, concise, non-technical terms
- Write it down!
- Analyze impact on the entire organization
- Suggest proactive measures
- Identify threat-reduction areas – e.g. elimination of legacy technology
- Involve and train the entire organization on defense
- Design cross-organizational incident response

Planning and Prevention
- 1735: “An ounce of prevention is worth a pound of cure” – common sense applies
- Cyber hygiene – attending to the basics
- SANS Top 20 Controls – excellent
- “Defense in Depth” and “Kill Chain” efforts
- Prioritized approach – Tower of London
- Outside validation – avoid a myopic view
- Strategic budgeting – pay now or pay later
- Continual reassessment/examination
- Push the attackers to someone else

Partners – Who will stand with you?
- Proactive effort: the worst time to engage is in the middle of a crisis
- Reality: you can’t staff to an unknown level or timeframe – outside services are vital
- Great partners will help with prevention and preparation plus incident response
- Broad set of offerings – choose carefully
- Exercise and integrate ahead of time
- Set service level agreements/expectations

Enterprise ready to respond?

Breached – now what?
- Preparation will be reflected in the response
- Immediate actions
- Mobilizing outside partners
- Ramping incident response
- Cross-organizational involvement
- Documenting throughout
- Disclosures and insurance claims
- Reset to normal operations
- Post-incident analysis

Sharing – underutilized defense
- US-CERT and other governments are trying
- Classified programs – unknown quality, but worth pursuing for large organizations
- ISACs – Information Sharing and Analysis Centers – sector specific
- Fusion Centers – some are trying cyber
- GRN – Global Risk Network – NYU hosted
- Worth the effort – share the risk

Scared of Sharing?

Sharing – Standards
- DHS: TAXII and STIX
- RSA/IETF: MILE and IODEF
- Mandiant (FireEye): OpenIOC
Issues:
- Maturity model
- Volume of use important
- Real-time
- Machine to machine (M2M)
- Market adoption/incorporation

Highly Leveraged Areas
- Authentication
- BYOD – bring your own device
- Encryption
- Cloud
- ICS – industrial control systems
- Payment collection systems

Promising efforts
- European-format credit cards (chip vs. stripe)
- M2M sharing of threat indicators – OpenIOC
- Serious global sharing initiative – likely private-sector based
- Better software creation and testing
- International law enforcement improvements
- Cloud – good security implications
- IoT – devices will help detect attacks
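What the “Sharing – Standards” slide’s machine-to-machine (M2M) and real-time issues and the “M2M sharing of threat indicators” item above come down to in practice is a consumer that can take a shared feed and apply it to local telemetry without a human in the loop. The following is an added example written for this transcript; it is not code from the talk, the book, or any of the standards bodies named. It assumes the indicators arrive as a STIX 2.1 JSON bundle (STIX 2, the JSON successor to the STIX 1.x XML that was current when this talk was given), read from a file rather than a live TAXII server; that only single-comparison patterns are evaluated; and that endpoint logs are key=value lines. The bundle, the object-path-to-log-field mapping, and the log lines are all constructed here. It shows the two checks that separate a usable M2M feed from noise: an indicator outside its validity window must not alert, and a pattern the consumer cannot evaluate is refused rather than guessed at.

```python
# Minimal machine-to-machine consumer for shared STIX 2.1 indicators. Added example
# for this transcript (not the talk's or the book's code); bundle and logs are constructed.
import json
import re
from datetime import datetime


def _stix_indicator(n, name, pattern, valid_from, valid_until=None):
    obj = {"type": "indicator", "spec_version": "2.1", "name": name,
           "id": f"indicator--5b2c7d7e-0000-4000-8000-00000000000{n}",
           "created": "2015-09-01T00:00:00.000Z", "modified": "2015-09-01T00:00:00.000Z",
           "pattern_type": "stix", "pattern": pattern, "valid_from": valid_from}
    if valid_until:
        obj["valid_until"] = valid_until
    return obj


# Constructed bundle shaped like a TAXII 2.1 collection response; IDs and dates are made up.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--5b2c7d7e-0000-4000-8000-000000000001",
    "objects": [
        _stix_indicator(3, "C2 server", "[ipv4-addr:value = '198.51.100.23']",
                        "2015-09-01T00:00:00Z"),
        _stix_indicator(4, "Staging domain (expired)",
                        "[domain-name:value = 'update.example.invalid']",
                        "2015-08-01T00:00:00Z", "2015-08-15T00:00:00Z"),
        _stix_indicator(5, "Dropper hash", "[file:hashes.'SHA-256' = 'e3b0c44298fc1c"
                        "149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
                        "2015-09-01T00:00:00Z"),
        _stix_indicator(6, "Compound pattern", "[ipv4-addr:value = '203.0.113.9' AND "
                        "network-traffic:dst_port = 4444]", "2015-09-01T00:00:00Z"),
    ],
})

# Constructed endpoint log: UTC timestamp, then key=value pairs; '-' means absent.
SAMPLE_LOG = """\
2015-09-03T10:01:02Z host=ws17 dst_ip=198.51.100.23 dns_query=- sha256=-
2015-09-03T10:05:44Z host=ws17 dst_ip=10.0.0.5 dns_query=update.example.invalid sha256=-
2015-09-03T11:12:09Z host=srv02 dst_ip=10.0.0.9 dns_query=- sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
2015-09-03T11:30:00Z host=ws21 dst_ip=203.0.113.9 dns_query=- sha256=-
"""

# Only "one object path equals a quoted string" is evaluated; anything else (AND/OR,
# ranges, other operators) is refused rather than guessed at.
SIMPLE_PATTERN = re.compile(
    r"^\[\s*(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'\s*\]$")

FIELD_FOR_PATH = {  # local choice of which log field each supported path is compared to
    "ipv4-addr:value": "dst_ip", "domain-name:value": "dns_query",
    "file:hashes.'SHA-256'": "sha256"}


def parse_time(text):
    """STIX and the log both use 'Z' UTC timestamps; return tz-aware datetimes."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_bundle(text):
    """Return (usable indicators, ids of indicators refused as unsupported)."""
    usable, skipped = [], []
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # identities, relationships, non-STIX patterns, ...
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if not m or m["path"] not in FIELD_FOR_PATH:
            skipped.append(obj["id"])
            continue
        until = parse_time(obj["valid_until"]) if "valid_until" in obj else None
        usable.append({"id": obj["id"], "name": obj["name"], "value": m["value"],
                       "field": FIELD_FOR_PATH[m["path"]], "valid_until": until,
                       "valid_from": parse_time(obj["valid_from"])})
    return usable, skipped


def parse_log_line(line):
    ts, *pairs = line.split()
    record = {"ts": parse_time(ts)}
    record.update(pair.partition("=")[::2] for pair in pairs)
    return record


def match(indicators, records):
    """Hits where a record field equals an indicator that was valid at that instant."""
    hits = []
    for rec in records:
        for ind in indicators:
            if rec["ts"] < ind["valid_from"] or (
                    ind["valid_until"] is not None and rec["ts"] >= ind["valid_until"]):
                continue  # outside the validity window: a stale IOC must not alert
            observed = rec.get(ind["field"], "-")
            # Domain names and hex digests compare case-insensitively; IPs are unaffected.
            if observed != "-" and observed.lower() == ind["value"].lower():
                hits.append({"ts": rec["ts"].isoformat(), "host": rec.get("host"),
                             "indicator": ind["id"], "name": ind["name"],
                             "field": ind["field"], "value": observed})
    return hits


if __name__ == "__main__":
    inds, refused = parse_bundle(SAMPLE_BUNDLE)
    for h in match(inds, [parse_log_line(l) for l in SAMPLE_LOG.splitlines()]):
        print(f"{h['ts']} {h['host']} {h['field']}={h['value']} -> {h['name']}")
    print("refused unsupported indicators:", refused)
```

Run as a script, it reports two hits (the C2 address on ws17 and the dropper hash on srv02, the latter despite the log storing the digest in upper case), no hit for the expired staging domain even though ws17 resolved it, and one refused indicator whose compound pattern this consumer does not implement. Refusing and logging unsupported patterns is deliberate: silently dropping them is how a feed looks “integrated” while covering far less than the sharing partner believes.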

Conclusions for the C-Suite
- Board responsibility to lead continuously
- Growing threats, no easy fixes or panaceas
- Shortage of talented defenders – choose wisely
- People, partners, planning, prevention critical
- Continual learning and adapting required
- Far bigger than just the IT organization
- Recommended: National Association of Corporate Directors (www.nacdonline.com)

Book – Available Now!
Cyber 24/7: Risks, Leadership and Sharing: Sound advice for board members, the C-Suite and non-technical executives
- Kindle and softcover
- Easy to read
- Comprehensive look at issues

Pete O’Dell peterlodell@gmail.com Questions?

Thoughts How many people keep all their money at home? How many of your organizations keep all your data on site? How many or

Audience Polling
- Know of a major breach?
- Think they are secure?
- Discussions with the board?
- Sharing today?
- Utilizing ISACs?
- CERT alerts?
- Software all up to date?
- Background checks?
- Outside validation?
- Full exercises?
- Strong plan?