2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure...
-
Upload
isalliance -
Category
Documents
-
view
219 -
download
0
Transcript of 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure...
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
1/43
Larry Clinton
703-907-7028
202-236-0001
Barry FoerDirector of Policy & Membership
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
2/43
ISA Board of Directors
Ty Sagalow, Esq., ChairmanPresident Product Development, AIG
Dr. Sagar Vidyasagar, 2nd Vice Chair
Exec VP, Tata Consulting Services
J. Michael Hickey, 1st Vice ChairVP Government Affairs, Verizon
Marc-Anthony Signorino, TreasurerDirector Technology Policy, National
Association of Manufacturers
Tim McKnight, CSO, Northrop GrummanJeff Brown, CISO/Director IT Infrastructure, RaytheonEric Guerrino, SVP/CIO, Bank of New YorkKen Silva, Chief Technology Officer, VeriSignLawrence Dobranski, Chief Strategic Security, Nortel
Charles Croom, Vice President, Cyber Security Strategy, Lockheed MartinPradeep Khosla, Dean Carnegie Mellon School of Computer SciencesJoe Buonomo, CEO DCR Software Inc.
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
3/43
Our Partners
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
4/43
The Web is InherentlyInsecure---and getting more so
The problems we see in cyber security are about to get muchworse because we continue to deploy base technologies
that were developed 30 years ago when security was notan issue.TCP/IP was not designed to control power grids,
financial networks and critical infrastructure. It will be used
in future networks (particularly wireless) but it lacks thebasic security controls to properly protect the network.
Source: Hancock, Cutter Technology Journal 06
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
5/43
The Changing ThreatFaces of Attackers Then
Chen-Ing Hau
CIH Virus
Joseph McElroy
Hacked US Dept of Energy
Jeffrey Lee Parson
Blaster-B Copycat
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
6/43
Faces of Attackers Now
Andrew Schwarmkoff
Russian Mob Phisher
Jay Echouafni
Competitive DDoS
Jeremy Jaynes
$24M SPAM KING
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
7/43
The Changing Threat
Today, attackers perpetrate fraud, gather intelligence, or conductblackmail
Vulnerabilities are on client-side applications word, spreadsheets,printers, etc.
The problem is much more severe than the release of personaldata, modern attackers are stealing source code, corporate
intellectual property, entire business operations systems are being
vacuumed and transplanted
Our physical security is reliant on our cyber security
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
8/43
Newer Threats
Designer malware: Malware designed for a specific target or small setof targets
Spear Phishing: Combines Phishing and social engineering
Ransomware: Malcode packs important files into encrypted archive &deletes original then ransom is demanded
RootKits: shielding technology to make malcode invisible to the op
system
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
9/43
Characteristics of the New Attackers
Shift to profit motive
Zero day exploits
Increased investment and innovation
in malcode
Increased use of stealth techniques
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
10/43
Digital Growth?
Companies have built into their business models theefficiencies of digital technologies such as real time
tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital
lifestyle is already built into almost every companys
assumptions for growth.
---Stanford University Study, July 2006
Sure
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
11/43
Not so much
Only 56% of respondents employ a security executive atthe C-level---down 4% from the previous survey
Only 43% audit or monitor compliance with securitypolicies (if they have them)
Just over half of companies (55%) use encryption 1/3 of respondents dont even use firewalls Only 22% of companies keep an inventory of all outside
parties use of their data
Digital Defense?
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
12/43
Not so much
23% of CTOs did not know if cyber losses were covered by
insurance.34% of CTOs thought cyber losses would be covered by
insurance----and were wrong.
The biggest network vulnerability in American corporations
are extra connections added for senior executives withoutproper security.
---Source: DHS Chief Economist Scott Borg
Digital Defense?
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
13/43
CSO Magazine Study 10/087,000 companies world wide
Only 59% of respondents attest to even having an overall securitypolicy
Nearly half of all respondents said cant identify the source ofinformation security incidents they have suffered in the past year
Employees and former employees are the biggest source of securityincidents accounting for half of the ones we can trace
* Only half of respondents provide employees with security awareness
training
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
14/43
The Good News: We know(mostly) what to do
2005 CIO/Priceaterhouse study of 7,000organizations world-wide found 20% best
practices group (although attacked more) sufferedless downtime, less financial lossnone at times.
2008 Verizon study 500 forensic cases andthousands of data points found following best
practices could stop 90% of breaches CIA due diligence can stop 90% of attacks,
implementation is the key.
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
15/43
How do we really protectourselves?
1. Adopt an enterprise wide, risk managementapproach
2.
Since this is an enterprise wide problem, youhave to get all the critical silos at the table
3. Determine who really is involved (other than IT)4. Determine what you are going to answer5. THEN decide what to do (software? training?
contracts w/affiliates? Insurance? outreach?)
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
16/43
Legal/Regulatory Issues
Have cyber liabilities been analyzed? What regulations apply to lines of business? Exposed to class action/shareholder suits? Is org protected from business interruptions? Org protected from fed/state govt. investigations?
What jurisdictions does date move through? What is in our contracts? What does our privacy policy say?
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
17/43
Compliance/Regulatory
Have an inventory of what regs apply to us? Know what reg data is and where its located? Valid reasons for keeping this data? What have we done to protect the data? Incident response program/notification program?
What is impact of possible data loss? Procedures in place for tracking compliance? How are we tracking vendors procedures?
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
18/43
External Rel & Comm.
Analyzed impact of events on reputation/stakeholders/customers etc?
Plan for communicating with stakeholders? Identified resources/budget needed for plan? Clear roles and responsibilities for comm? Thought through segmenting messages for different
stakeholders?
Legal requirements for notification? Tested it?
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
19/43
Risk transfer
What is exposure (brand/confidence/physicalloss?how do we measure?
Are you already covered? D&O? Do we need to bring in expertise? Who? Is insurance available? What is the ROI for insurance and other risk
transfer approaches?
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
20/43
09 Securing the VOIPPlatform
VOIP is the paradigm case for corporate economicsovercoming security concerns
Platform itself not a profitable as products sold to use it ISA/NIST program to use SCAP (Security Content
Automation Protocol) and National Vulnerability Database
to create a free customizable framework.
Companies can build products on the more secure platform(ones that participate get to know the standards first)
Better security and better markets
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
21/43
09 Securing the Global ITSupply Chain
IT supply chain is inherently global This immutable reality brings new risks
If not addressed Congress will do it for us,probably through protectionism
07-08 ISA/CMU/industry 3-phase program tocreate a framework that takes into account market,
business and policy reality
New phase to begin first quarter 09
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
22/43
What to Tell PresidentObama?
1. We need to increase our emphasis andinvestment on cyber security
2. Cyber Security must be recognized as criticalinfrastructure maintenance
3. Cyber Security is not a IT problem.4. Cyber security is a enterprise wide risk
management problem
5. Government and Industry need new relationship
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
23/43
Obama: Inconvenient truths
1. All security is reliant on cyber systems
2. Cyber systems are inherently in the private sectorshands
3. US cannot tackle the cyber security issues
unilaterally
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
24/43
Cyber Social Contract
Similar to the agreement that led to public utilityinfrastructure dissemination in 20th century
Infrastructure development through marketincentives
Consumer protection through regulation Gov role to motivate is more creativeharder Industry role is to develop practices and standards
and implement them
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
25/43
Member Communications Loop
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
26/43
Content Sources
Critical Infrastructure Partnership Advisory Council (CIPAC) Cross-Sector Cyber Security Working Group (CSCSWG) Daily Open Source Infrastructure Report Homeland Security Information Network (HSIN) United States Computer Emergency Readiness Team (US-
CERT)
National Infrastructure Partnership Plan (NIPP) Partnership for Critical Infrastructure Security (PCIS) Protective Programs and Research and Development
(PPRD)
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
27/43
Content Sources
Software Assurance Working Group DHS Business Opportunities Newsletter Cyber Security Monitor Joint Homeland Security Notes (HSN) Critical Infrastructure Information Notice (CIIN) National Telecommunications and Information Administration (NTIA)
Economic Security Work Group (ESWG)
InfraGard Information Technology Sector Coordinating Council (IT-SCC) Critical Functions and Information Sharing (CFIS) Group Plans Working Group Communications Sector Coordinating Council Carnegie Mellon University CyLab (CMU) ISAlliance
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
28/43
Content Examples
DHS Business Opportunities Newsletter
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
29/43
Content Examples
Critical Infrastructure Information NoticeHomeland Security Note
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
30/43
Content Examples
IT-SCC Calendar
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
31/43
Content Examples
DHS Daily Open Source Infrastructure Report
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
32/43
Content Channels
World Wide WebGovDelivery Digital SubscriptionManagement
Excel Electronic Mail MergeOutlook Distribution Lists& Outlook Calendar Invitations
US-CERT Portal Secure CommunicationDirect MailOutlook EmailTelephone
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
33/43
ISAlliance Web Site
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
34/43
ISAlliance Web Site
Member/Prospect ExamplesCalendar of EventsISAlliance NewsProject Information & UpdatesPublic GovDelivery SubscriptionCommon Sense GuidesISAlliance Services
Member Only ExamplesCalendar of EventsMissed It ArchivesComplete GovDelivery SubscriptionSelf Assessment ToolsPapers & ReportsDetailed Project Information &Updates
Enterprise Integration PerspectivesCMU Webinar Archive
Used primarily to generate prospective member interest in ISAlliance and
provide members with information and archives that generate interaction,
integration and reinforce the value of membership.
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
35/43
GovDeliveryDigital Subscription Management
Total Subscription Items hosted byGovDelivery: 47
Average item subscriptions persubscriber: 9
Total Subscribers: 4021New Subscribers 2008: 714 (+ 17%)Total bulletins sent 2008: 364,977Total hits to RSS feeds 2008: 23,783
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
36/43
Examples
Notice for the Private Sector Preparedness Accreditation and Certification ProgramBiometric IdentificationSmall Business IssuesUS-CERT AlertsMeeting Notices & RemindersISAlliance Calendar of EventsISAlliance Daily BriefAccess ControlTechnical, Operations, Public Policy and/or Legal Perspective - All of Above
Used for delivery of targeted messages to broad groups
with interest in specific subject matter.
GovDeliveryDigital Subscription Management
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
37/43
Outlook Distribution Lists & Calendar Invitations
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
38/43
Used to organize work groups involved in
specific projects.
ExamplesWhite House Cyber Security InitiativeIT Sector Risk AssessmentSecuring the IT Supply Chain in the Age of GlobalizationDeveloping Automated VoIP and Converged Network SecurityThe Financial Impact of Cyber Risk
Outlook Distribution Lists & Calendar Invitations
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
39/43
US-CERT Portal SecureCommunications
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
40/43
US-CERT Portal SecureCommunications
Used by members and allies for secure messaging,
often between groups, subgroups and various sector
coordinating councils, ISACs & organizations.
ExamplesSoftware AssuranceCross Sector Cyber Security Work GroupDefense Security Information ExchangeWhite House Cyber Security InitiativeAeroSpace Industries Association
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
41/43
Closing the Loop
Gathering, processing and distributing informationcontent to the right people at the right time is an
important part of what ISAlliance does.
It is often equally important that ISAlliance gather,process and aggregate private sector perspectives
for delivery BACK to appropriate public agencies.
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
42/43
Closing the Loop
Example:
1. White House Cyber Security Initiative Announced2.
ISAlliance Notifies Membership and calls for input usingGovDelivery System
3. ISAlliance forms a work group4. ISAlliance serves as an intermediary communicating
information in both directions using Outlook & the CERTPortal
5. The public sector, members and ISAlliance all benefit
-
7/31/2019 2009 01 08 Barry Foer and Larry Clinton ISA Comprehensive Overview for Critical Infrastructure Partnership Advisory Council CIPAC Presentation
43/43
Larry Clinton
703-907-7028202-236-0001
Barry FoerDirector of Policy & Membership
703-907-7799