This document provides an overview of reducing cybersecurity risks for business leaders. It discusses the growing threat of cyber attacks and how attackers' motives include espionage, financial gain, and disruption. The document recommends starting with behaviors to reduce risk, such as training employees and installing software patches. It also suggests implementing two-factor authentication, intrusion detection, and incident response plans. The document references frameworks for covering all cybersecurity specialties and provides examples of questions board members may ask about an organization's cybersecurity program.
2. About the Author - Mike Ahern
Director, Corporate and Professional Education
Worcester Polytechnic Institute
Leads the development of WPI’s Corporate and Professional Graduate Education Programs in: Cybersecurity; Electrical and Computer Engineering; and Power Systems
Previous Experience:
– Vice-President, Northeast Utilities (responsibilities included: Distribution Engineering; Training; Planning, Performance and Analysis)
– Member, Executive Compliance and Internal Controls Committee
– Member, Executive Steering Committee for Cyber Security
– Director, Transmission Operations and Planning
– Director, Distribution Engineering
– Director, Nuclear Oversight, Millstone Nuclear Power Station
B.S. from Worcester Polytechnic Institute
M.S. and M.B.A. from Rensselaer Polytechnic Institute
Professional Engineer - Connecticut
NERC Certified System Operator - Transmission (2005 to 2010)
3. About WPI
Fully accredited, non-profit, top-quartile national university (U.S. News and World Report ranking)
Founded in 1865 to teach both “Theory and Practice”
Strong Computer Science, Engineering and Business Schools
DHS/NSA Designated Center of Excellence in Information Security Research
4. Cybersecurity Risk Reduction
Outline:
• The Growing Menace
• How Do Business Leaders Reduce the Risk?
• Where Do We Start?
• What Else?
• Covering All the Bases
• Questions and Answers
5. The Growing Menace
We’ve been seeing news articles about the threat of hackers for quite a while:
- “JPMorgan and other banks struck by cyberattack” - Nicole Perlroth, New York Times, Wednesday, 27 Aug 2014
- “U.S. notified 3,000 companies in 2013 about cyberattacks” - Ellen Nakashima, The Washington Post, March 24, 2014
- “DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says” - Lisa Daniel, American Forces Press Service, DoD News, March 27, 2012
6. The Growing Menace
Remember Target?
“Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It” - Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, BloombergBusinessweek, 3/13/14
7. Target’s Story . . . Continued
“Cyber attack takes toll on Target” - Elizabeth Paton in New York, Financial Times, 8/20/14
Cyber attack cost Target $148M
To win back sales, Target took another $234M charge for discounting
The new CEO was announced on 8/1/14
The new CEO lowered the annual earnings forecast by ~15%
8. Cybersecurity Risk Reduction
With cybersecurity attacks and threats growing . . .
How do business leaders reduce the risk to their
organization?
Let’s start by understanding attackers’ motives and methods . . .
10. Attacker Methods
The most recent Verizon Data Breach Investigations Report* gives us some insights into the methods attackers use.
Top “attack vectors”:
1. Behavioral – 80%+ of attackers are external people, but insiders can cause extensive damage
2. Behavioral – Phishing appears in 2/3 of attacks and is used all by itself in 20% of attacks
3. Technical – 80% of attacks use malware, almost always exploiting known vulnerabilities (i.e. ones a patch already exists for)
*http://www.verizonenterprise.com/DBIR/2015/
11. Cybersecurity Risk Reduction – Where to Start
How do business leaders reduce the risk to their organization?
Start with Behaviors!
Training for basic cyber defense
- For all your people - how to be “human firewalls”
- For IT people - use trained, certified cybersecurity professionals
- For HR people - do we check backgrounds? Do we promptly revoke access when people leave?
- For Leadership - who has what access? How often is this reviewed?
Education to understand the evolving threats
- Better educate your cyber workforce to prevent, detect and effectively respond to cyber intrusions
12. What Else?
Install the software patches to remove known vulnerabilities
Use anti-virus to protect against known malware
Require two-factor authentication for financial transactions and sensitive data downloads
Supplement perimeter defense with intrusion detection
- Use your people as a “sensor network” to detect and report phishing attacks
- Do your people know to report unexplained failed login attempts (e.g. lockouts or “wrong password” notices for logins they did not make)?
- Ask IT people how they detect intruders, including how often system administrative logs are checked and what they look for when they check them
- Does your organization share threat intelligence?
Develop, train, practice and execute incident response plans
- Business continuity plans should include a “loss of IT” scenario
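The “failed login attempts” and “how often are administrative logs checked” questions above have a concrete answer: a scheduled script that turns raw authentication logs into an exception report. The following is an added example written for this page, not code from the original deck or from WPI; the sshd-style log lines, host names, IP addresses, the assumed log year, and the thresholds (5 failures in 300 seconds) are all constructed for illustration.

```python
"""Exception report over sshd-style authentication log lines.

Added example (not part of the original slide deck). SAMPLE_LOG, the
thresholds and the assumed year (syslog lines carry no year) are
constructed assumptions; a real job would read /var/log/auth.log or a
SIEM export instead of the string below.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a password-guessing burst from one source that ends in
# a successful login, followed by normal activity from another source.
SAMPLE_LOG = """\
Mar 17 09:01:02 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 17 09:01:04 srv1 sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 17 09:01:06 srv1 sshd[2105]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar 17 09:01:09 srv1 sshd[2107]: Failed password for jsmith from 203.0.113.7 port 51150 ssh2
Mar 17 09:01:15 srv1 sshd[2109]: Failed password for jsmith from 203.0.113.7 port 51160 ssh2
Mar 17 09:01:20 srv1 sshd[2111]: Accepted password for jsmith from 203.0.113.7 port 51171 ssh2
Mar 17 09:30:40 srv1 sshd[2201]: Failed password for jdoe from 198.51.100.22 port 40011 ssh2
Mar 17 09:31:02 srv1 sshd[2203]: Accepted publickey for jdoe from 198.51.100.22 port 40012 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2016):
    """Return (timestamp, result, user, source) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  7"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def exception_report(log_text, threshold=5, window_s=300):
    """Return findings as (rule, source, user, detail) tuples.

    Rule 1: a source accumulates >= threshold failures inside a sliding window.
    Rule 2: a source logs in successfully after >= 3 recent failures, which is
            the pattern a password-guessing attack leaves when it succeeds.
    """
    findings = []
    failures = defaultdict(list)  # source -> timestamps of failures inside the window
    already_flagged = set()
    for ts, result, user, src in sorted(parse(log_text)):
        # Drop failures that have aged out of the window before evaluating this event.
        failures[src] = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            failures[src].append(ts)
            if len(failures[src]) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                findings.append(("repeated_failures", src, user,
                                 f"{len(failures[src])} failures in {window_s}s"))
        elif len(failures[src]) >= 3:
            findings.append(("success_after_failures", src, user,
                             f"accepted after {len(failures[src])} failures"))
    return findings


if __name__ == "__main__":
    for rule, src, user, detail in exception_report(SAMPLE_LOG):
        print(f"{rule:24} {src:16} {user:10} {detail}")
```

The second rule is the one worth reporting up: a burst of failures is noise on any internet-facing host, but a success immediately after a burst from the same source is the event that should trigger the incident response plan. Running this on a schedule and reviewing a short report is a measurable answer to “how often are the logs checked.”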
13. What Else?
Questions from Board Members*
• Are profit-generating assets adequately secured?
• How well-protected is high-value information?
• Is the organization’s cybersecurity strategy aligned with its business objectives?
• How is the effectiveness of the cybersecurity program measured?
• Is the organization spending appropriately on security priorities?
• Would the organization be able to detect a breach?
• Does the cybersecurity area have access to adequate resources?
• How does the organization’s security program compare to that of its peers?
* https://securityintelligence.com/what-cybersecurity-questions-are-boards-asking-cisos/
Added Question: What are the industry-specific compliance requirements?
14. Covering All The Bases
The US National Cybersecurity Workforce Framework*
* http://csrc.nist.gov/nice/framework/
The U.S. National Initiative for Cybersecurity Education (NICE) issued the National Cybersecurity Workforce Framework (“the Framework”)
– Developed with more than 20 Federal departments and agencies and numerous national organizations from within academia and general industry.
– The categories, serving as an overarching structure for the Framework, group related specialty areas together.
– Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided.
You can use the Framework to make sure your organization is “covering all the bases”
15. US National Cybersecurity Workforce Framework Covers All the Bases
Framework Category - Specialty Areas Include:
Securely Provision
- Systems Security Architecture
- Software Assurance and Security Engineering
- Secure Acquisition
- Test and Evaluation
- Systems Development
Operate and Maintain
- System Administration
- Systems Security Analysis
- Network Services
Protect and Defend
- Computer Network Defense Analysis
- Incident Response
- Vulnerability Assessment and Management
Investigate
- Digital Forensics
- Cyber Investigation
Collect and Operate (Federal Government Role)
- Collection Operations
- Cyber Operations and Planning
Analyze (Federal Government Role)
- All Source Intelligence
- Exploitation Analysis / Targets / Threat Analysis
Oversight and Development
- Legal Advice and Advocacy
- Strategic Planning and Policy Development
- Training, Education and Awareness
- Security Program Management
- Knowledge Management
http://csrc.nist.gov/nice/framework/national_cybersecurity_workforce_framework_03_2013_version1_0_interactive.pdf
Draft Version 2.0: http://niccs.us-cert.gov/sites/default/files/documents/files/DraftNationalCybersecurityWorkforceFrameworkV2.xlsx
16. Risk Reduction Action Plan
Threat                 Actions                                          Measures
Insider                - Background Checks                              Regular Exception Reports
                       - Training - Everyone, IT, HR, Leadership
                       - Remove Access Promptly
External Hacker        - Patches to Keep Software Updated               Regular Time Delay Reports and Rights Reviews
                       - Anti-Virus for Known Malware
                       - Limited Administrative Rights
                       - Two-factor Authentication
Successful Intrusion   - Certified IT Professionals                     Frequent (Daily?) Results Reports
                       - Access Log Reviews
                       - Intrusion Detection Software
                       - Exfiltration Software
                       - “White-listing” for Control Systems
Successful Attack      - “Loss of IT” Business Continuity Exercises     Exercise Frequency and Results
                       - Engage/Develop Forensic Capability
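The “Remove Access Promptly”, “Limited Administrative Rights” and “Rights Reviews” rows of the plan all produce the same artifact: an exception report that compares what HR says about people with what the directory says about accounts. The following is an added example written for this page, not code from the original deck or from WPI; the HR roster, account export, approved-administrator list, review date, grace period and dormancy threshold are all constructed assumptions standing in for an HR system export and a directory (e.g. Active Directory) export.

```python
"""Access-review exception report over constructed HR and directory exports.

Added example (not part of the original slide deck). HR_ROSTER, ACCOUNTS,
APPROVED_ADMINS and REVIEW_DATE are constructed assumptions; a real review
pulls them from the HR system and the directory.
"""
from datetime import date

# Constructed HR export: employee id -> termination date (None = still employed).
HR_ROSTER = {
    "e100": None,                 # jsmith, active
    "e101": date(2016, 2, 26),    # jdoe, left 18 days before the review
    "e102": date(2016, 3, 14),    # rlee, left the day before the review
    "e103": None,                 # kchen, active
}

# Constructed directory export: (username, employee id, enabled, is_admin, last_login).
ACCOUNTS = [
    ("jsmith",     "e100", True, False, date(2016, 3, 15)),
    ("jdoe",       "e101", True, False, date(2016, 3, 10)),  # logged in after leaving
    ("rlee",       "e102", True, True,  date(2016, 3, 13)),
    ("kchen",      "e103", True, True,  date(2016, 3, 15)),
    ("svc_backup", None,   True, True,  date(2016, 3, 15)),  # no owner in HR
    ("tmp_vendor", "e999", True, False, date(2016, 1, 4)),   # unknown employee id
]

# Constructed: the only account leadership has approved for administrative rights.
APPROVED_ADMINS = {"kchen"}

REVIEW_DATE = date(2016, 3, 15)


def access_review(roster, accounts, approved_admins, today, grace_days=1, dormant_days=45):
    """Return (username, issue) findings for the four checks the action plan asks for.

    grace_days   - how long after termination an account may still be enabled
                   before it counts as "not removed promptly".
    dormant_days - accounts unused this long are candidates for removal.
    """
    findings = []
    for user, emp, enabled, is_admin, last_login in accounts:
        if emp is None or emp not in roster:
            # Every account must trace back to a current HR record; service and
            # vendor accounts need a named owner, not an empty field.
            findings.append((user, "no owner in HR"))
        else:
            term = roster[emp]
            if term is not None:
                if enabled and (today - term).days > grace_days:
                    findings.append((user, "still enabled after termination"))
                if last_login is not None and last_login > term:
                    # Use after the termination date is the finding that needs
                    # investigation, not just deprovisioning.
                    findings.append((user, "used after termination"))
        if is_admin and user not in approved_admins:
            findings.append((user, "admin rights not approved"))
        if last_login is not None and (today - last_login).days > dormant_days:
            findings.append((user, "dormant"))
    return findings


def by_user(findings):
    """Group findings per account so the report reads one line per user."""
    grouped = {}
    for user, issue in findings:
        grouped.setdefault(user, []).append(issue)
    return grouped


if __name__ == "__main__":
    for user, issues in by_user(access_review(HR_ROSTER, ACCOUNTS, APPROVED_ADMINS, REVIEW_DATE)).items():
        print(f"{user:12} {'; '.join(issues)}")
```

The grace period is the tunable that measures “promptly”: a one-day grace period means the review catches an account the morning after HR records a departure. The “used after termination” finding is deliberately separate from “still enabled”, because a login after the termination date is evidence of exactly the insider scenario in the first row of the plan and should go to incident response rather than to a deprovisioning queue.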
18. Cybersecurity Webinar Series
Free, 1 Hour Webinar: Reducing the Risk of a Cyber Attack on Utilities
Thursday, March 17, 2016 / 2pm-3pm (ET)
Free, 1 Hour Webinar: Cyber Hygiene: Stay Clean at Work and at Home!
Thursday, March 24, 2016 / 10am-11am (ET)
19. Thank you
Mike Ahern
Director, Corporate and Professional Education
508-831-6563
mfahern@wpi.edu
What do you think?
Your feedback is welcome!
20. What to Look for in a University Partner - Accreditations
- Computer Science
- Engineering
- Business
- Whole University
21. What to Look For - Strong Capability in Cyber Security
For example, at WPI:
NSA/DHS Designated Center of Excellence
Core Faculty Performing Current Research
• Trusted Computing Platforms
• Algorithms & Architectures for Cryptography
• Security of Interoperable Wireless Medical Devices
• Analysis of Access-Control and Firewall Policies
• Wireless Network Security
• Cyber-Physical System Security
Adjunct Faculty are Current Practitioners, Vetted by the Appropriate Department Faculty both for Knowledge and Capability to Teach
22. What to Look For – Program Tailored to Your Needs
The National Framework Covers the Entire Workforce with Generic Categories
To Maximize Your Benefit for an Education Investment:
• Your Program Should be Tailored to Include Your Organization’s Specific Requirements
• Your Program Should Teach the Roles Your Students Will Perform
• Your Program Should be Convenient for Your Students
23. What to Look For – Program Tailored to Your Needs
For example, here is WPI’s Process:
24. POWER TRANSMISSION EDUCATIONAL INITIATIVE – CYBERSECURITY FOR COMPUTER SCIENTISTS
Overall Goal: Build capability to Prevent, Detect and Effectively Respond to cyber attacks
Learning Objectives Include:
- General Understanding of Cybersecurity
- Specific Knowledge of Power Industry Requirements - NERC Critical Infrastructure Protection (CIP) Standards
- Ability to Write and Test to Assure Secure Code (e.g. “All Commands are Authenticated and Authorized”)
- Operations Risk Management – Avoiding Social Media Phishing Attacks by Managing Human Behavior
- Supply Chain Risk Management to Avoid Embedded Malware
- Ability to Detect Cyber Intrusions and Immediately Respond to Incidents
- Ability to Investigate, Identify Attacker(s) and Build a Legal Case Against Them
- Ability to Effectively Communicate Risks and Countermeasures
- Ability to Integrate all of the Elements to Deliver a Secure Computer Network with Information Assurance
Example of Program Tailoring:
25. Cybersecurity Graduate Program for Computer Scientists
• CS 525S - Computer and Network Security
• OIE 541 - Operations Risk Management
• CS 525# - Special Topics: Digital Forensics
• CS 557 - Software Security Design and Analysis
• CS 525# - Special Topics: Intrusion Detection
• CS 571 - Case Studies in Computer Security
26. The Courses Were Customized for the Power Industry
Computer and Network Security –
Includes CIP Standards
Operations Risk Management –
Focus on Social Media Phishing Risks and
includes risk from Embedded Malware
Case Studies in Computer Security –
Examples from the Power Industry
27. National Cybersecurity Workforce Framework - Compared to WPI’s Customized Graduate Program
Framework Category          WPI’s Current Cyber for Computer Scientists Program
Securely Provision          1. Computer and Network Security
                            2. Software Security Design and Analysis
Operate and Maintain        Computer and Network Security
Protect and Defend          Intrusion Detection
Investigate                 Digital Forensics
Collect and Operate         Not in Program - Government Role
Analyze                     Not in Program - Government Role
Oversight and Development   1. Operations Risk Management
                            2. Case Studies in Computer Security
WPI’s Program Addresses All the Relevant Categories