Post on 11-Aug-2020
Cyber 24/7: Risks, Leadership, Sharing
Pete O'Dell
Pete.odell@SwanIsland.net
202-460-9207
Introduction: Pete O'Dell
• Author: Cyber 24-7: Risks, Leadership, Sharing: Sound advice for Boards, the C-Suite, and non-technical executives (+2 other books)
• Background: Technology, manufacturing, services, CIO, COO, CEO, board member, entrepreneur, consultant, author, veteran, poor golfer, avid fly fisherman
• www.swanislandnetworks.com – TX360 cyber/physical situational intelligence service (Founder/Board)
• Fellow: National Cybersecurity Institute
A stranger will soon enter your network
Organizations face diverse risks…
[Figure: risk landscape] Social media, civil unrest, terrorism, travel disruption & delays, natural disasters, severe weather, hazardous materials, disease, cyber threats, supply chain disruption, blackouts, crime
Source: Chertoff Group
Setting the Cyber Stage
• Victims of our own success; spectacular attacks in the news
• New business opportunities expand the attack surface: clouds, IoE (Internet of Everything), bring your own device (BYOD), M&A, SmartGrid
• We're not doing all we can:
 o Boards and C-Suite are not leading and aligning strategy and resources enough
 o Poor info sharing even at basic levels, not real-time
 o "Tone at the Top" by the board and C-Suite – cyber awareness
 o Government – fragmented efforts, confusing rules, poor grades
 o International law enforcement challenges – jurisdictions/extradition
How did we become so vulnerable?
Highly complicated, and that is just the IT portion!
• Computing – 1950s to present – revolutionary, world changing
• Internet and WWW have connected almost everything
• Moore's law and price/performance – what's in your pocket?
• Multiple generations of solutions by different groups/vendors
• IT priesthood – little governance/certification, talent trap
• Competitive pressure has often trumped security
• Result: delicate, vulnerable, unique IT infrastructures that will not be healed by a new gadget
The IT/CIO Revolving Door
"Cyberspace is a single point of failure and we've hooked everything up to it!"
- Jeff Gaynor
[Figure: revolving door of IT/CIO staff]
Cyber is not a Normal Risk!
• Cyber defies conventional risk metrics:
 o Non-quantifiable & non-predictable: not the 100-year flood
 o Global, not local: traditional physical separation less effective
 o Puts the entire organization at risk
 o Multi-faceted and multiple types of attackers
 o You may be under attack while you are analyzing
• Examples:
 o Payment breach (Target): immediate impact on all
 o IP theft (DoD contractors): 20-year impact
 o DDoS: immediate business degradation
Today’s Cyber Context
Good News
• World paying attention
• Boards at least discussing
• Vendors – solutions/tools
• Investment – R&D/Solutions
• Info sharing value/discussion
• Cloud – excellent promise
• Insurance options emerging
Bad news
• Same attacks happening
• Attacks increasing
• More sophisticated attackers
• New threats emerging daily
• Shortage of great people
• Bad guys share methods
• Growth areas expand risks
• Threats trump forward progress
Board & C-Suite Prep/Proactive Efforts
• Set the “Tone at the Top” – live it and enforce it (leadership)
• Align all internal/external resources with defined priorities
• Hire and validate great people and partners
• Validate strategy/team using hard-core outsiders
• Detailed risk, resilience and plan reviews
• Understand executive-specific vulnerabilities
• Technical board member or committee
• Exercise full response plan across the enterprise – GridEx?
“By the time you hear the thunder, it’s too late to build the ark”
- Unknown
Competing pressures
Board/Management:
• Are we safe?
• Are we prepared?
• Can we count on our people?
• What is our strategy?
• We can't afford it!
• I don't understand!
• We can't stop!
• We don't like bad news!
CIO/CISO/IT Team:
• Rogue IT projects
• SaaS bought with a credit card
• BYOD, USB sticks
• Data everywhere
• Budget constraints
• Legacy systems
• New demands: cloud & IoT
• Nobody likes to deliver bad news!
Cyber-Resilience
“There are two kinds of people in America today: those who have experienced a cyber attack and know it, and those who have experienced a cyber attack and don't know it.”
- Industry Pundits - about 27 variations
“It takes a licking and keeps on ticking”– TIMEX Commercial
Cyber Resilience: 24/7 Continuous Effort
Resilience: One Continuity Factor
Continuous cycle: proactive protection measures → cyber intelligence → response plan & exercises → breach response → lessons learned
• Bigger than your organization
• Understanding interdependencies critical
• Proactive planning – avoid crisis introductions
• Cross-organizational information sharing (cross-silo as well)
• SURGE capabilities
• We're stronger together than separate
People: Critical at all Levels
• Entire organization focus – this is not just an IT issue!
• IT & cyber industry shortage means marginal execs and employees, turnover, and rapid obsolescence
• Train the entire organization
• Finding, training, retaining and motivating – hard but worth it
• Validate through vetted outside expertise
• Trusted people can turn malicious for outside reasons
• Board/Exec knowledge is critical
Cyber Partners: who will stand with you?
• Proactive effort required: worst time to engage is in the middle of a crisis
• Embrace reality: you can't staff to an unknown level or timeframe – outside services vital
• Teaming: great partners will help on prevention and preparation plus incident response surge
• Broad set of offerings available – choose carefully
• Set and enforce service level agreements
• Exercise and integrate ahead of time
SURGE! (prepared and unprepared)
How do you handle SURGE operations?
• Realities: budgets are tight – threats are numerous – change is constant
• How to multiply your response resources?
 o Work more hours (that always works!)
 o Repurpose internal assets (planned)
 o Contract in advance (proactive)
 o Supply chain partners?
 o Public/private support?
 o Proactive mutual assistance!
Cyber Resilience
• "Take a licking and keep on ticking"
• Human-centric – no magic solution
• CSIRP – Cyber Security Incident Response Plan
• Demands:
 o Planning & preparedness
 o Agility and adaptability
 o Creativity
 o Cross-organization and external – partners, customers
Barriers to Resilience
• Silos, rice bowls, internal fragmentation
• Lack of broad-based personnel/leadership
• Budgets – the smallest things not done can wreak havoc
• Other priorities
• Disbelief in investment – "we'll be okay"
• Preparedness is deemed boring work by most
5 Resilience Efforts
• Apply common sense to preparation
• Plan/prepare to be attacked/breached
• Identify your response partners ahead of time
• Exercise tirelessly and fix identified issues (GridEx III?)
• Study others where possible and make adjustments
Resilience Planning – A Cross-Organizational Effort
Cyber Situational Intelligence
• Many breaches use already-known exploits!
• Advance notice is critical – real-time monitoring 24/7
• Many sources available – government, industry, non-profits, media, vendors, internal tools, employees
• Blend open source, proprietary and internal sources to create a customized threat intelligence picture
• Alerts and alarms to multiple levels in the organization – more than IT
• Finding out after the attack that the intelligence was available is painful
• Combining with physical threat monitoring is a good use of resources
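The blending-and-alerting idea above, as an added Python example that is not code from the talk or from the TX360 service: it folds two constructed advisory feeds (standing in for an open-source list and a vendor bulletin) together, correlates them with a constructed internal inventory and an internal monitoring alert, and routes each finding to an executive, IT, or watch tier. Every CVE identifier, product, host and date is made up for illustration, and the tier rules are an assumed escalation policy, not one the slides prescribe. The `intel_lead_days` field is the point of the "painful" bullet: how long a warning sat in the feeds before our own tools saw activity.

```python
"""Blend several threat-intelligence sources into one prioritized picture
and route alerts by tier. Illustrative only: feeds, CVE ids, products,
hosts and dates below are constructed, not real advisories."""
from collections import defaultdict
from datetime import date

# Constructed "open source" feed (e.g. a public known-exploited list).
OPEN_SOURCE_FEED = [
    {"id": "CVE-0000-1111", "product": "acme-vpn", "published": "2020-07-01",
     "exploited_in_wild": True, "cvss": 9.8},
    {"id": "CVE-0000-2222", "product": "widget-cms", "published": "2020-07-20",
     "exploited_in_wild": False, "cvss": 7.5},
]
# Constructed vendor feed; overlaps on one CVE with a later, harsher rating.
VENDOR_FEED = [
    {"id": "CVE-0000-2222", "product": "widget-cms", "published": "2020-07-25",
     "exploited_in_wild": True, "cvss": 8.1},
    {"id": "CVE-0000-3333", "product": "legacy-erp", "published": "2020-08-01",
     "exploited_in_wild": False, "cvss": 5.3},
]
# Constructed internal inventory: what we actually run, and who owns it.
INVENTORY = [
    {"host": "vpn-gw-1", "product": "acme-vpn", "internet_facing": True, "owner": "network"},
    {"host": "web-3", "product": "widget-cms", "internet_facing": True, "owner": "marketing"},
    {"host": "intranet-cms", "product": "widget-cms", "internet_facing": False, "owner": "hr"},
    {"host": "erp-db", "product": "legacy-erp", "internet_facing": False, "owner": "finance"},
]
# Constructed alert from our own monitoring (an IDS hit tagged with a CVE).
INTERNAL_ALERTS = [
    {"host": "web-3", "cve": "CVE-0000-2222", "observed": "2020-08-05"},
]


def merge_feeds(*feeds):
    """One record per CVE: highest CVSS seen, earliest publication date,
    exploited flag set if any source says so."""
    merged = {}
    for feed in feeds:
        for e in feed:
            cur = merged.setdefault(e["id"], {
                "id": e["id"], "product": e["product"], "published": e["published"],
                "exploited_in_wild": False, "cvss": 0.0})
            cur["cvss"] = max(cur["cvss"], e["cvss"])
            cur["published"] = min(cur["published"], e["published"])  # ISO dates sort as text
            cur["exploited_in_wild"] = cur["exploited_in_wild"] or e["exploited_in_wild"]
    return merged


def build_picture(feeds, inventory, internal_alerts):
    """Correlate merged intel with inventory and internal alerts; one finding per exposed host."""
    merged = merge_feeds(*feeds)
    seen = {(a["host"], a["cve"]): a["observed"] for a in internal_alerts}
    findings = []
    for asset in inventory:
        for v in merged.values():
            if v["product"] != asset["product"]:
                continue
            observed = seen.get((asset["host"], v["id"]))
            lead = None
            if observed:  # days the warning was available before we saw activity
                lead = (date.fromisoformat(observed) - date.fromisoformat(v["published"])).days
            findings.append({
                "host": asset["host"], "owner": asset["owner"], "cve": v["id"],
                "cvss": v["cvss"], "exploited_in_wild": v["exploited_in_wild"],
                "internet_facing": asset["internet_facing"],
                "attack_observed": observed is not None, "intel_lead_days": lead,
            })
    return findings


def tier(f):
    """Assumed escalation policy: who needs to hear about this finding."""
    if f["attack_observed"] or (f["exploited_in_wild"] and f["internet_facing"]):
        return "exec"   # board/C-suite briefing: active or imminent
    if f["cvss"] >= 7.0:
        return "it"     # IT/CISO queue: patch on a deadline
    return "watch"      # tracked, reviewed on a cadence


def route(findings):
    """Group findings by tier, most severe first within each tier."""
    routed = defaultdict(list)
    for f in sorted(findings, key=lambda f: (-f["cvss"], f["host"])):
        routed[tier(f)].append(f)
    return dict(routed)


if __name__ == "__main__":
    picture = build_picture([OPEN_SOURCE_FEED, VENDOR_FEED], INVENTORY, INTERNAL_ALERTS)
    for t, items in route(picture).items():
        for f in items:
            print(f"[{t}] {f['host']} ({f['owner']}): {f['cve']} cvss={f['cvss']} "
                  f"lead_days={f['intel_lead_days']}")
```

In a real deployment the feed lists would be replaced by parsers for the actual sources and the inventory by the CMDB or scanner export; the correlation and routing logic is the part that turns raw feeds into a picture someone outside IT can act on.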
Example: Cyber Intelligence
Cloud-based resiliency systems
• "All-hazards" high-assurance system to help proactively and during response/recovery
• Cloud-based, redundant during a prolonged outage
• Cross-organizational – link in established & new partners
• Scalable during a major training cycle or incident
• Combine many different information elements that can be distributed in multiple ways
• Proven solutions which can be rapidly deployed
Future Directions & Wrap-up
The future is here now!
• Unprecedented adoption of new technology
• Connectivity expanding everywhere
• Costs dropping, capabilities rising
• Disruptive business models (Uber, AirBnB)
• Worldwide Silicon Valley emulation – US and international
The future is accelerating!
• IoT: sensors, collectors and adjusters
• Drones and robots
• Driverless cars and trucks
• Advanced batteries (resilience!)
• Virtual and augmented reality
• Big data and predictive analytics
• Cloud as primary and redundant platform
Internet of Things/Everything/Systems
• Smaller and more numerous (billions of) devices
• Autonomous operation, both active and passive
• Sensors, collectors, adjusters, aggregators
• Collected data can be multi-purpose, cross-organizational
• Many policy and governance issues still unsolved
• Some think IoE will have a bigger impact than today's internet
• Security concerns abound – opportunity brings risk
IoT Cyber Implications
• "Internet of Systems" is a more inclusive term for security
• Massive, worldwide impact over the next 30+ years
• Sensor cost differential and communications will be key drivers
• Power, health, transportation, manufacturing, maintenance, security
• Integrated, multi-point data flows are a risk/opportunity
• Car attacks – 50+ computers in a modern vehicle
• IoT is both a security problem and a security opportunity
Public/Private Efforts
• Many public/private sharing efforts have been created
• Some have good reputations: FS-ISAC, SANS
• Option to pool resources at low cost
• Some are more narrowly focused – regional or industry
• Not a panacea, but an excellent tool when used
NYC’s Metropolitan Resilience Network
• Public/Private Initiative – “All Hazards”
• NYU/INTERCEP, Championed by PANYNJ
• Assist business, government and other stakeholders
• Real time communications and collaborative platform
• Regional Common Operating Picture
• High value information sharing/best practices
• Info on request – something to monitor
Wrapping up
Personal concerns/opinions
• Electrical grid: regional outage for months
• Data integrity: massive change attack to disrupt systems
• Firmware or silicon-based exploits
• Large-scale ransomware encryption attacks
• GPS: high use, high vulnerability
• Control devices: pacemakers, transportation
• Will it take a "Cyber Pearl Harbor" to get urgency accelerated?
In Review…
• Corporate leadership responsibility to drive alignment
• Growing threats, no easy fixes or silver bullet for years
• Shortage of talented defenders, but no shortage of stuff to buy
• People, partners, planning, prevention, response critical
• Continual learning and adapting a necessity
• All-hands issue versus just the IT organization
• Civilization will prevail, but will require global effort
• Push government to help in the right ways
Excellent Resources
• SANS Institute: www.sans.org
• Ponemon Institute: www.ponemon.org
• Cisco 2015 Annual Security Report: www.cisco.com
• PwC: www.pwc.com (Cybermetrics Sep 2015 report)
• OWASP: www.owasp.org
• World Economic Forum: www.weforum.org
• www.informationisbeautiful.com (cyber)
Thank You! Questions?
• Complimentary e-book: peterlodell@gmail.com
• Ask me about integrated situational intelligence – www.swanislandnetworks.com
Questions
• Assessments?
• Multi-factor auth?
• Enforced password changes?
• Tone at the top or IT for awareness?
• Phishing training?
• Continuous background checks?
• Separation of duties?
• Outside audits/penetration testing?
• Aligned BC/IR/Cyber/Physical?
• Situational intelligence – how are you doing?
• Who are you most concerned about from outside?
• Is the government helping?
• Shared accounts?
• Default passwords?
• Rogue IT?
• Info sharing?
• ISAC good?
• Trusted sharing?