cybersecurity is risk management - the channel company · 2017. 8. 14. · cybersecurity is risk...

Cybersecurity is Risk Management MICHAEL A. ECHOLS CEO International Association of Certified ISAOs & Max Cybersecurity LLC



Clear and Present Danger

• Cyber attacks and security breaches are increasing in frequency and sophistication, with discovery after the fact, if at all.
• Targeting of organizations and individuals with malware and anonymization techniques that can evade current controls.
• Current perimeter-intrusion detection, signature-based malware, and anti-virus solutions are providing little defense and are rapidly becoming obsolete—Use encryption technology to avoid detection.
• Criminals are leveraging innovation and moving at a pace that security vendors cannot possibly match.


“It's one of the most serious economic and national security challenges we face as a nation. Foreign governments, criminals, and hackers probe America’s computer networks every single day.”

President Obama also noted that protecting the nation’s critical infrastructure is essential to public health and safety, stating that,

“Neither government, nor the private sector can defend the nation alone. It’s going to have to be a shared mission — government and industry working hand in hand, as partners.”

President Barack Obama:

National Security Issue


Concerns for Control Systems

Testimony to House Select Intelligence Committee –

“There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability to enter industrial control systems and to shut down [and] forestall our ability to operate our basic infrastructure.”

“All of that leads me to believe it is only a matter of the ‘when,’ not the ‘if’ that we are going to see something dramatic.”

NSA Director, Michael Rogers


A Hub of Information Sharing


Trusted Relationships


Modern security challenges are too complex for any single organization, sector, or nation to confront alone.

To enable greater information sharing and develop a common understanding of malicious activity and mitigation options, we must build and leverage partnerships across:

• Federal, state, local, tribal, and territorial governments

• Private sector

• Academia

• International community

• OUR WORK FORCE


The Path Forward

Future

▪ Baked in security = fewer vulnerabilities
▪ Near real-time response with more automated defenses
▪ Many attacks, but less impact
▪ Information sharing and increasingly collaborative defenses
▪ Consistent security practices
▪ Unauthorized activity quickly identified
▪ Ability to learn and adapt defenses in near-real time

Today

▪ Many unknown vulnerabilities
▪ Incidents spread at network speed and defenses are manual
▪ Many attacks are undetected
▪ Independently defended systems
▪ Inconsistent security policies
▪ Users do not follow best practices
▪ Attacks increasing in number and virulence


Current Trend: Bulk PII Theft

Between July 2014 and March 2016, US-CERT received numerous reports of incidents from across the U.S. Government and private sector involving the theft of large amounts of PII.

• Analysis from US-CERT and federal law enforcement partners indicates that PII was the primary target in intrusions
• Groups responsible for the intrusions are leveraging a diverse selection of tools and techniques, including stolen credentials from previous intrusions


Bulk PII Theft

Healthcare

• Anthem (loss of customer data, up to 80M records)
• Premera (loss of customer data, up to 11M records)
• Community Health Services (loss of patient data, up to 4.5M records)

Business

• Sony Pictures (loss of corporate and customer data, up to 1M records)

U.S. Government

• IRS (loss of taxpayer data, up to 100K records)
• OPM (loss of personnel data, up to 25M records)

Bulk PII theft from major U.S. organizations dominated headlines


Bulk PII Theft

Other Cyber Incidents

• AshleyMadison.com, up to 37M users’ personal data exposed

• Uber, up to 50K driver data accessed

• Twitch.tv, possible unauthorized access to 10M user accounts

• mSpy, up to 400K personal data leaked


Verizon DBIR

Culture Shift


“It is therefore up to security professionals to help their executives become more cybersecurity literate and thereby assist in framing security considerations as an integral part of any risk/opportunity discussion, as well as a wider enterprise risk management strategy.”

What are the expectations for cyber literacy?

Culture of Cybersecurity


SMB ANALYSIS

Review of Scalable and Affordable Solutions

• SMBs continue to manage their enterprise-wide technologies without adequate cyber security solutions or technical support.
• A potential reason for this SMB apathy is a lack of understanding about their cyber risk exposure and the negative business consequences that result from a major data breach.

• Reputational Loss
• Loss of Proprietary Data
• Loss of Intellectual Property
• Identity Theft


The net force on an object is equal to the mass of the object multiplied by the acceleration of the object.

FORCE


Cybersecurity


Top Cyber Threat Attack Vectors

• Spear Phishing / Watering Hole
  – Organization email, personal webmail
• Web Browsers
  – Vulnerability exploitation (Adobe, Flash, Java)
  – Application patching
• Web Servers
  – Application and system patching
• Remote Access
  – Single factor (password-based)


Incident Response

Since announcing their findings in June 2016, CrowdStrike’s Washington, D.C. office has been bustling with business; the number of its million-dollar contracts quintupled from a year ago.

In May 2017, the company became a startup “unicorn,” valued at more than $1 billion after raising $100 million led by return investor Accel Partners.

CROWDSTRIKE

Led the Response to the DNC Hack


WHO IS MANAGING THE BUILD?


Disruptors

Quantum Computing can – in theory – defeat all modern encryption, from secure banking transactions to confidential correspondence to, yes, Blockchain.

Breach Reporting – there are different reporting requirements in 47 different states.

Regulation – Sectors such as Financial and Energy are leading the way with regulation, but healthcare is not far behind.

Workforce – We need a new approach to development and assignment of available resources to support cybersecurity requirements.


Analytics is defined as the scientific process of transforming data into insight for making better decisions.

Data Analytics is critical to meeting the challenge our adversary is launching. We must, however, make the data come to life to take advantage of it.

ANALYTICS


Cyber Education

The Nation’s One Stop Shop for Cybersecurity Careers & Studies!

Resources for everyone – employees, employers, students, educators, parents, policy makers

✓ 5,000+ visitors per month
✓ 1,500+ training courses mapped to the National Cybersecurity Workforce Framework
✓ 100+ links to cybersecurity resources
✓ 15+ tools for managers
✓ 10+ monthly events
✓ 10+ links to customized job searches

www.niccs.us-cert.gov

National Initiative for Cybersecurity Careers and Studies (NICCS)


The mission of NICE is to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development

NIST

http://csrc.nist.gov/nice/


QUESTIONS

Michael Echols International Association of Certified ISAOs

www.certifiedisao.org

[email protected]@maxcybersecurity.com

Connect on LinkedIn