Reducing Your Cybersecurity Risk
A (slightly) Behavioral and Technical Overview for Business Leaders
About the Author – Mike Ahern
Director, Corporate and Professional Education
Worcester Polytechnic Institute
Leads the development of WPI’s Corporate and Professional Graduate Education Programs in: Cybersecurity; Electrical and Computer Engineering and Power Systems
Previous Experience:
– Vice-President, Northeast Utilities (responsibilities included: Distribution
Engineering; Training; Planning, Performance and Analysis)
– Member, Executive Compliance and Internal Controls Committee
– Member, Executive Steering Committee for Cyber Security
– Director, Transmission Operations and Planning
– Director, Distribution Engineering
– Director, Nuclear Oversight, Millstone Nuclear Power Station
B.S. from Worcester Polytechnic Institute
M.S. and M.B.A. from Rensselaer Polytechnic Institute
Professional Engineer - Connecticut
NERC Certified System Operator - Transmission (2005 to 2010)
About WPI
• Fully accredited, non-profit, top quartile national university (U.S. News and World Report ranking)
• Founded in 1865 to teach both “Theory and Practice”
• Strong Computer Science, Engineering and Business Schools
• DHS/NSA Designated Center of Excellence in Information Security Research
Cybersecurity Risk Reduction
Outline:
• The Growing Menace
• How Do Business Leaders Reduce the Risk?
• Where Do We Start?
• What Else?
• Covering All the Bases
• Questions and Answers
The Growing Menace
We’ve been seeing news articles about the threat of hackers for quite a while
JPMorgan and other banks struck by cyberattack – Nicole Perlroth, Wednesday, 27 Aug 2014 | New York Times
U.S. notified 3,000 companies in 2013 about cyberattacks – By Ellen Nakashima, March 24, 2014, The Washington Post
DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says – By Lisa Daniel, March 27, 2012, American Forces Press Service, DoD News
The Growing Menace
Remember Target?
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It – By Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, BloombergBusinessweek, 3/13/14
Target’s Story . . . Continued
Cyber attack takes toll on Target – By Elizabeth Paton in New York, Financial Times, 8/20/14
• Cyber attack cost Target $148M
• To win back sales, Target took another $234M charge for discounting
• The new CEO was announced on 8/1/14
• The new CEO lowered the annual earnings forecast by ~15%
Cybersecurity Risk Reduction
With cybersecurity attacks and threats growing . . .
How do business leaders reduce the risk to their organization?
Let’s start by understanding attackers’ motives and methods . . .
Attacker Motives
Source: http://www.slideshare.net/NortonSecuredUK/cybercrime-attack-of-the-cyber-spies
Attacker Methods
The Most Recent Verizon Data Breach Investigations Report* gives us some
insights into methods attackers use
Top “attack vectors”:
1. Behavioral – 80%+ of the attackers are external people, but insiders can cause extensive damage
2. Behavioral – Phishing in 2/3 of attacks, used all by itself in 20% of attacks
3. Technical – 80% of attacks use malware, almost always exploiting known vulnerabilities
*http://www.verizonenterprise.com/DBIR/2015/
Cybersecurity Risk Reduction – Where to Start
How do business leaders reduce the risk to their organization?
Start with Behaviors!
Training for basic cyber defense
- For all your people – how to be “human firewalls”
- For IT people – use trained, certified cybersecurity professionals
- For HR people – do we check backgrounds? Do we promptly revoke access when people leave?
- For Leadership – who has what access? How often is this reviewed?
Education to understand the evolving threats
- Better educate your cyber workforce to prevent, detect and effectively respond to cyber intrusions
What Else?
Install the Software Patches to remove known vulnerabilities
Use Anti-virus to protect against known malware
Require two-factor authentication for financial transactions and sensitive data downloads
Supplement Perimeter Defense with Intrusion Detection
- Use your people as a “sensor network” to detect and report phishing attacks
- Do your people know to report unexplained failed login attempts?
- Ask IT people how they detect intruders, including how often system administrative logs are checked
- Does your organization share threat intelligence?
Develop, Train, Practice and Execute Incident Response Plans
- Business continuity plans should include a “loss of IT” scenario
What Else?
Questions from Board Members*
• Are profit-generating assets adequately secured?
• How well-protected is high-value information?
• Is the organization’s cybersecurity strategy aligned with its business objectives?
• How is the effectiveness of the cybersecurity program measured?
• Is the organization spending appropriately on security priorities?
• Would the organization be able to detect a breach?
• Does the cybersecurity area have access to adequate resources?
• How does the organization’s security program compare to that of its peers?
* https://securityintelligence.com/what-cybersecurity-questions-are-boards-asking-cisos/
Added Question: What are the industry-specific compliance requirements?
Covering All The Bases
The US National Cybersecurity Workforce Framework*
* http://csrc.nist.gov/nice/framework/
The U.S. National Initiative for Cybersecurity Education (NICE) issued the National Cybersecurity Workforce Framework (“the Framework”)
– Developed with more than 20 Federal departments and agencies and numerous national organizations from within academia and general industry.
– The categories, serving as an overarching structure for the Framework, group related specialty areas together.
– Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided.
You can use the Framework to make sure your organization is “covering all the bases”
US National Cybersecurity Workforce Framework
Covers All the Bases
Framework Category – Specialty Areas Include:
Securely Provision
• Systems Security Architecture
• Software Assurance and Security Engineering
• Secure Acquisition
• Test and Evaluation
• Systems Development
Operate and Maintain
• System Administration
• Systems Security Analysis
• Network Services
Protect and Defend
• Computer Network Defense Analysis
• Incident Response
• Vulnerability Assessment and Management
Investigate
• Digital Forensics
• Cyber Investigation
Collect and Operate (Federal Government Role)
• Collection Operations
• Cyber Operations and Planning
Analyze (Federal Government Role)
• All Source Intelligence
• Exploitation Analysis / Targets / Threat Analysis
Oversight and Development
• Legal Advice and Advocacy
• Strategic Planning and Policy Development
• Training, Education and Awareness
• Security Program Management
• Knowledge Management
http://csrc.nist.gov/nice/framework/national_cybersecurity_workforce_framework_03_2013_version1_0_interactive.pdf
Draft Version 2.0: http://niccs.us-cert.gov/sites/default/files/documents/files/DraftNationalCybersecurityWorkforceFrameworkV2.xlsx
Risk Reduction Action Plan
Threat – Actions – Measures
Insider
  Actions:
  • Background Checks
  • Training – Everyone, IT, HR, Leadership
  • Remove Access Promptly
  Measures: Regular Exception Reports
External Hacker
  Actions:
  • Patches to Keep Software Updated
  • Anti-Virus for Known Malware
  • Limited Administrative Rights
  • Two-factor Authentication
  Measures: Regular Time Delay Reports and Rights Reviews
Successful Intrusion
  Actions:
  • Certified IT Professionals
  • Access Log Reviews
  • Intrusion Detection Software
  • Exfiltration Software
  • “White-listing” for Control Systems
  Measures: Frequent (Daily?) Results Reports
Successful Attack
  Actions:
  • “Loss of IT” Business Continuity Exercises
  • Engage/Develop Forensic Capability
  Measures: Exercise Frequency and Results
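The measures in the action plan (exception reports, time-delay reports, access log reviews) and the "What Else?" questions about failed logins and prompt access revocation can be produced from data the organization already has. The following is an added example, not from the original deck: a small Python exception report over a constructed HR roster and constructed login-log lines; the roster fields and the "timestamp user result" log format are assumptions.

```python
from collections import Counter
from datetime import date, datetime

# Constructed sample HR roster (an assumption, not data from the deck):
# when each person left and when IT revoked the account (None = still active).
ROSTER = {
    "jdoe":   {"left": date(2016, 3, 1), "revoked": date(2016, 3, 1)},
    "asmith": {"left": date(2016, 3, 2), "revoked": date(2016, 3, 9)},
    "bwong":  {"left": date(2016, 3, 4), "revoked": None},
    "ckhan":  {"left": None, "revoked": None},
}

# Constructed login-log lines in an assumed "timestamp user result" format.
LOG_LINES = """\
2016-03-03T08:15:00 ckhan success
2016-03-03T08:16:10 asmith success
2016-03-05T22:01:00 bwong success
2016-03-06T01:00:00 ckhan failure
2016-03-06T01:00:05 ckhan failure
2016-03-06T01:00:09 ckhan failure
2016-03-06T01:00:14 ckhan failure
2016-03-06T09:30:00 ckhan success
"""

# Date the report is run; accounts not yet revoked are measured up to this day.
AS_OF = date(2016, 3, 10)


def parse_log(text):
    """Turn log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def logins_after_departure(events, roster):
    """Insider measure: successful logins by accounts whose owner already left."""
    hits = []
    for ts, user, result in events:
        left = roster.get(user, {}).get("left")
        if result == "success" and left is not None and ts.date() > left:
            hits.append((user, ts.date()))
    return hits


def revocation_delays(roster, as_of):
    """Time-delay report: days between departure and revocation.
    Accounts not yet revoked are counted up to as_of, so the gap keeps growing."""
    delays = {}
    for user, rec in roster.items():
        if rec["left"] is not None:
            end = rec["revoked"] or as_of
            delays[user] = (end - rec["left"]).days
    return delays


def failed_login_bursts(events, threshold=3):
    """Access-log review: (user, day) pairs with at least `threshold` failures."""
    counts = Counter((user, ts.date())
                     for ts, user, result in events if result == "failure")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    print("logins after departure:", logins_after_departure(events, ROSTER))
    print("revocation delay (days):", revocation_delays(ROSTER, AS_OF))
    print("failed-login bursts:", failed_login_bursts(events))
```

Each section of the report maps to a row of the plan: departed-but-active accounts and revocation delays feed the insider and rights reviews, and the failed-login bursts are what the "report unexplained failed login attempts" conversation with staff should surface.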
Cybersecurity Webinar Series
Free, 1 Hour Webinar:
Reducing the Risk of a Cyber Attack on Utilities
Thursday, March 17, 2016 / 2pm-3pm (ET)
Free, 1 Hour Webinar:
Cyber Hygiene: Stay Clean at Work and at Home!
Thursday, March 24, 2016 / 10am-11am (ET)
Thank you
Mike Ahern
Director, Corporate and Professional Education
508-831-6563
mfahern@wpi.edu
What do you think?
Your feedback is welcome!
What to Look for in a University Partner – Accreditations
• Computer Science
• Engineering
• Business
• Whole University
What to Look For - Strong Capability in Cyber Security
For example, at WPI:
• NSA/DHS Designated Center of Excellence
• Core Faculty Performing Current Research
  • Trusted Computing Platforms
  • Algorithms & Architectures for Cryptography
  • Security of Interoperable Wireless Medical Devices
  • Analysis of Access-Control and Firewall Policies
  • Wireless Network Security
  • Cyber-Physical System Security
• Adjunct Faculty are Current Practitioners, Vetted by the Appropriate Department Faculty both for Knowledge and Capability to Teach
What to Look For – Program Tailored to Your Needs
The National Framework Covers the Entire Workforce with Generic Categories
To Maximize Your Benefit for an Education Investment:
• Your Program Should be Tailored to Include Your Organization’s Specific Requirements
• Your Program Should Teach the Roles Your Students Will Perform
• Your Program Should be Convenient for Your Students
What to Look For – Program Tailored to Your Needs
For example, here is WPI’s Process:
POWER TRANSMISSION EDUCATIONAL INITIATIVE – CYBERSECURITY FOR COMPUTER SCIENTISTS
Overall Goal: Build capability to Prevent, Detect and Effectively Respond to cyber attacks
Learning Objectives Include:
• General Understanding of Cybersecurity
• Specific Knowledge of Power Industry Requirements – NERC Critical Infrastructure Protection (CIP) Standards
• Ability to Write and Test to Assure Secure Code (e.g. “All Commands are Authenticated and Authorized”)
• Operations Risk Management – Avoiding Social Media Phishing Attacks by Managing Human Behavior
• Supply Chain Risk Management to Avoid Embedded Malware
• Ability to Detect Cyber Intrusions and Immediately Respond to Incidents
• Ability to Investigate, Identify Attacker(s) and Build a Legal Case Against Them
• Ability to Effectively Communicate Risks and Countermeasures
• Ability to Integrate all of the Elements to Deliver a Secure Computer Network with Information Assurance
Example of Program Tailoring:
Cybersecurity Graduate Program for Computer Scientists
• CS 525S – Computer and Network Security
• OIE 541 – Operations Risk Management
• CS 525# – Special Topics: Digital Forensics
• CS 557 – Software Security Design and Analysis
• CS 525# – Special Topics: Intrusion Detection
• CS 571 – Case Studies in Computer Security
The Courses Were Customized for the Power Industry
Computer and Network Security – Includes CIP Standards
Operations Risk Management – Focus on Social Media Phishing Risks and includes risk from Embedded Malware
Case Studies in Computer Security – Examples from the Power Industry
National Cybersecurity Workforce Framework – Compared to WPI’s Customized Graduate Program
Framework Category – WPI’s Current Cyber for Computer Scientists Program:
Securely Provision – 1. Computer and Network Security; 2. Software Security Design and Analysis
Operate and Maintain – Computer and Network Security
Protect and Defend – Intruder Detection
Investigate – Digital Forensics
Collect and Operate – Not in Program (Government Role)
Analyze – Not in Program (Government Role)
Oversight and Development – 1. Operations Risk Management; 2. Case Studies in Computer Security
WPI’s Program Addresses All the Relevant Categories
