Reducing Your Cybersecurity Risk
A (slightly) Behavioral and Technical Overview for Business Leaders
About the Author - Mike Ahern
Director, Corporate and Professional Education, Worcester Polytechnic Institute
Leads the development of WPI’s Corporate and Professional Graduate Education Programs in: Cybersecurity; Electrical and Computer Engineering; and Power Systems
Previous Experience:
– Vice-President, Northeast Utilities (responsibilities included: Distribution Engineering; Training; Planning, Performance and Analysis)
– Member, Executive Compliance and Internal Controls Committee
– Member, Executive Steering Committee for Cyber Security
– Director, Transmission Operations and Planning
– Director, Distribution Engineering
– Director, Nuclear Oversight, Millstone Nuclear Power Station
B.S. from Worcester Polytechnic Institute
M.S. and M.B.A. from Rensselaer Polytechnic Institute
Professional Engineer - Connecticut
NERC Certified System Operator - Transmission (2005 to 2010)
About WPI
Fully accredited, non-profit, top quartile national university (U.S. News and World Report ranking)
Founded in 1865 to teach both “Theory and Practice”
Strong Computer Science, Engineering and Business Schools
DHS/NSA Designated Center of Excellence in Information Security Research
Cybersecurity Risk Reduction
Outline:
• The Growing Menace
• How Do Business Leaders Reduce the Risk?
• Where Do We Start?
• What Else?
• Covering All the Bases
• Questions and Answers
The Growing Menace
We’ve been seeing news articles about the threat of hackers for quite a while
JPMorgan and other banks struck by cyberattack – Nicole Perlroth, New York Times, Wednesday, 27 Aug 2014
U.S. notified 3,000 companies in 2013 about cyberattacks – By Ellen Nakashima, The Washington Post, March 24, 2014
DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says – By Lisa Daniel, American Forces Press Service, DoD News, March 27, 2012
The Growing Menace
Remember Target?
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It – By Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, Bloomberg Businessweek, 3/13/14
Target’s Story . . . Continued
Cyber attack takes toll on Target – By Elizabeth Paton in New York, Financial Times, 8/20/14
Cyber attack cost Target $148M
To win back sales, Target took another $234M charge for discounting
The new CEO was announced on 8/1/14
The new CEO lowered the annual earnings forecast by ~15%
Cybersecurity Risk Reduction
With cybersecurity attacks and threats growing . . .
How do business leaders reduce the risk to their organization?
Let’s start by understanding attackers’ motives and methods . . .
Attacker Motives
Source: http://www.slideshare.net/NortonSecuredUK/cybercrime-attack-of-the-cyber-spies
Attacker Methods
The Most Recent Verizon Data Breach Investigations Report* gives us some insights into methods attackers use
Top “attack vectors”:
1. Behavioral – More than 80% of attackers are external people, but insiders can cause extensive damage
2. Behavioral – Phishing is used in 2/3 of attacks, and by itself in 20% of attacks
3. Technical – 80% of attacks use malware; almost always exploiting known vulnerabilities
*http://www.verizonenterprise.com/DBIR/2015/
Cybersecurity Risk Reduction – Where to Start
How do business leaders reduce the risk to their organization?
Start with Behaviors!
Training for basic cyber defense
- For all your people - how to be “human firewalls”
- For IT people - use trained, certified cybersecurity professionals
- For HR people – do we check backgrounds? Do we promptly revoke access when people leave?
- For Leadership – who has what access? How often is this reviewed?
Education to understand the evolving threats
- Better educate your cyber workforce to prevent, detect and effectively respond to cyber intrusions
What Else?
Install the Software Patches to remove known vulnerabilities
Use Anti-virus to protect against known malware
Require two-factor authentication for financial transactions and sensitive data downloads
Supplement Perimeter Defense with Intrusion Detection
- Use your people as a “sensor network” to detect and report phishing attacks
- Do your people know to report unexplained failed login attempts?
- Ask IT people how they detect intruders including how often system administrative logs are checked
- Does your organization share threat intelligence?
Develop, Train, Practice and Execute Incident Response Plans
- Business continuity plans should include a “loss of IT” scenario
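The checklist above asks whether IT reviews administrative logs and whether failed login attempts get noticed. As an added illustration for this page (not code from the webinar or from WPI), the script below performs a simple access log review: it parses constructed sshd-style authentication lines, flags a run of failed passwords followed by a success from the same source, flags repeated failures with no success, and flags a successful login by an account that should already have been revoked (the “remove access promptly” check). The log format, the threshold of three failures and the list of departed accounts are assumptions chosen for the example.

```python
"""Access log review: an exception report for the checks business leaders ask IT about.

Added example for this page. The log format, alert threshold and departed-account
list are assumptions; the log lines are constructed, not captured from a real host.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an sshd-like format (not from any real system).
SAMPLE_LOG = """\
2016-03-01T08:01:10 sshd[201]: Failed password for jdoe from 10.0.0.5
2016-03-01T08:01:14 sshd[201]: Failed password for jdoe from 10.0.0.5
2016-03-01T08:01:19 sshd[201]: Failed password for jdoe from 10.0.0.5
2016-03-01T08:01:25 sshd[201]: Failed password for jdoe from 10.0.0.5
2016-03-01T08:01:31 sshd[201]: Accepted password for jdoe from 10.0.0.5
2016-03-01T09:15:02 sshd[202]: Accepted publickey for asmith from 10.0.0.7
2016-03-01T22:40:11 sshd[203]: Accepted password for bformer from 198.51.100.9
2016-03-01T22:41:00 sshd[204]: Failed password for root from 198.51.100.9
2016-03-01T22:41:06 sshd[204]: Failed password for root from 198.51.100.9
2016-03-01T22:41:13 sshd[204]: Failed password for root from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed policy inputs: accounts whose access should already have been revoked
# (the "Remove Access Promptly" measure) and the failure count that triggers a finding.
DEPARTED_ACCOUNTS = {"bformer"}
FAILURE_THRESHOLD = 3


def parse_log(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def review(events, departed=DEPARTED_ACCOUNTS, threshold=FAILURE_THRESHOLD):
    """Produce exception-report findings from parsed events.

    Each finding is a (kind, user, source) tuple:
      - "brute_force_then_success": >= threshold failures, then a success, same user/source
      - "departed_account_login": a successful login by an account that should be revoked
      - "repeated_failures": >= threshold failures with no later success
    """
    failures = defaultdict(int)  # (user, source) -> consecutive failure count
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        # A success: report it if it followed a run of failures, then reset the run.
        if failures[key] >= threshold:
            findings.append(("brute_force_then_success",) + key)
        failures[key] = 0
        if ev["user"] in departed:
            findings.append(("departed_account_login",) + key)
    # Runs of failures that never ended in a success are reported too.
    for key, count in failures.items():
        if count >= threshold:
            findings.append(("repeated_failures",) + key)
    return findings


if __name__ == "__main__":
    for kind, user, src in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:26s} user={user} source={src}")
```

Run daily against the previous day’s authentication log, the output is the kind of “exception report” the action plan later in this deck calls for: a short list a non-specialist can read, rather than raw log volume. The departed-account check only works if HR’s leaver list actually reaches the people who run the review, which is the point of asking the HR question above.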
What Else?
Questions from Board Members*
• Are profit-generating assets adequately secured?
• How well-protected is high-value information?
• Is the organization’s cybersecurity strategy aligned with its business objectives?
• How is the effectiveness of the cybersecurity program measured?
• Is the organization spending appropriately on security priorities?
• Would the organization be able to detect a breach?
• Does the cybersecurity area have access to adequate resources?
• How does the organization’s security program compare to that of its peers?
* https://securityintelligence.com/what-cybersecurity-questions-are-boards-asking-cisos/
Added Question: What are the industry-specific compliance requirements?
Covering All The Bases
The US National Cybersecurity Workforce Framework*
* http://csrc.nist.gov/nice/framework/
The U.S. National Initiative for Cybersecurity Education (NICE) issued the National Cybersecurity Workforce Framework (“the Framework”)
– Developed with more than 20 Federal departments and agencies and numerous national organizations from within academia and general industry.
– The categories, serving as an overarching structure for the Framework, group related specialty areas together.
– Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided.
You can use the Framework to make sure your organization is “covering all the bases”
US National Cybersecurity Workforce Framework Covers All the Bases
Framework Category – Specialty Areas Include:
Securely Provision – Systems Security Architecture; Software Assurance and Security Engineering; Secure Acquisition; Test and Evaluation; Systems Development
Operate and Maintain – System Administration; Systems Security Analysis; Network Services
Protect and Defend – Computer Network Defense Analysis; Incident Response; Vulnerability Assessment and Management
Investigate – Digital Forensics; Cyber Investigation
Collect and Operate (Federal Government Role) – Collection Operations; Cyber Operations and Planning
Analyze (Federal Government Role) – All Source Intelligence; Exploitation Analysis / Targets / Threat Analysis
Oversight and Development – Legal Advice and Advocacy; Strategic Planning and Policy Development; Training, Education and Awareness; Security Program Management; Knowledge Management
http://csrc.nist.gov/nice/framework/national_cybersecurity_workforce_framework_03_2013_version1_0_interactive.pdf
Draft Version 2.0: http://niccs.us-cert.gov/sites/default/files/documents/files/DraftNationalCybersecurityWorkforceFrameworkV2.xlsx
Risk Reduction Action Plan
Threat – Actions – Measures
Insider
- Actions: Background Checks; Training – Everyone, IT, HR, Leadership; Remove Access Promptly
- Measures: Regular Exception Reports
External Hacker
- Actions: Patches to Keep Software Updated; Anti-Virus for Known Malware; Limited Administrative Rights; Two-factor Authentication
- Measures: Regular Time Delay Reports and Rights Reviews
Successful Intrusion
- Actions: Certified IT Professionals; Access Log Reviews; Intrusion Detection Software; Exfiltration Software; “White-listing” for Control Systems
- Measures: Frequent (Daily?) Results Reports
Successful Attack
- Actions: “Loss of IT” Business Continuity Exercises; Engage/Develop Forensic Capability
- Measures: Exercise Frequency and Results
Free, 1 Hour Webinar:
Reducing the Risk of a Cyber Attack on Utilities
Thursday, March 17, 2016 / 2pm-3pm (ET)
Free, 1 Hour Webinar:
Cyber Hygiene: Stay Clean at Work and at Home!
Thursday, March 24, 2016 / 10am-11am (ET)
Cybersecurity Webinar Series
Thank you
Mike Ahern, Director, Corporate and Professional Education
[email protected]
What do you think?
Your feedback is welcome!
What to Look for in a University Partner - Accreditations
• Computer Science
• Engineering
• Business
• Whole University
What to Look For - Strong Capability in Cyber Security
For example, at WPI:
NSA/DHS Designated Center of Excellence
Core Faculty Performing Current Research
• Trusted Computing Platforms
• Algorithms & Architectures for Cryptography
• Security of Interoperable Wireless Medical Devices
• Analysis of Access-Control and Firewall Policies
• Wireless Network Security
• Cyber-Physical System Security
Adjunct Faculty are Current Practitioners, Vetted by the Appropriate Department Faculty both for Knowledge and Capability to Teach
What to Look For – Program Tailored to Your Needs
The National Framework Covers the Entire Workforce with Generic Categories
To Maximize Your Benefit for an Education Investment:
• Your Program Should be Tailored to Include Your Organization’s Specific Requirements
• Your Program Should Teach the Roles Your Students Will Perform
• Your Program Should be Convenient for Your Students
POWER TRANSMISSION EDUCATIONAL INITIATIVE – CYBERSECURITY FOR COMPUTER SCIENTISTS
Overall Goal: Build capability to Prevent, Detect and Effectively Respond to cyber attacks
Learning Objectives Include:
General Understanding of Cybersecurity
Specific Knowledge of Power Industry Requirements - NERC Critical Infrastructure Protection (CIP) Standards
Ability to Write and Test to Assure Secure Code (e.g. “All Commands are Authenticated and Authorized”)
Operations Risk Management – Avoiding Social Media Phishing Attacks by Managing Human Behavior
Supply Chain Risk Management to Avoid Embedded Malware
Ability to Detect Cyber Intrusions and Immediately Respond to Incidents
Ability to Investigate, Identify Attacker(s) and Build a Legal Case Against Them
Ability to Effectively Communicate Risks and Countermeasures
Ability to Integrate all of the Elements to Deliver a Secure Computer Network with Information Assurance
Example of Program Tailoring:
Cybersecurity Graduate Program for Computer Scientists
• CS 525S - Computer and Network Security
• OIE 541 - Operations Risk Management
• CS 525# - Special Topics: Digital Forensics
• CS 557 - Software Security Design and Analysis
• CS 525# - Special Topics: Intrusion Detection
• CS 571 - Case Studies in Computer Security
The Courses Were Customized for the Power Industry
Computer and Network Security – Includes CIP Standards
Operations Risk Management – Focus on Social Media Phishing Risks and includes risk from Embedded Malware
Case Studies in Computer Security – Examples from the Power Industry
National Cybersecurity Workforce Framework - Compared to WPI’s Customized Graduate Program
Framework Category – WPI’s Current Cyber for Computer Scientists Program
Securely Provision – 1. Computer and Network Security; 2. Software Security Design and Analysis
Operate and Maintain – Computer and Network Security
Protect and Defend – Intruder Detection
Investigate – Digital Forensics
Collect and Operate – Not in Program – Government Role
Analyze – Not in Program – Government Role
Oversight and Development – 1. Operations Risk Management; 2. Case Studies in Computer Security
WPI’s Program Addresses All the Relevant Categories