@ApartmentWire #OPTECH17 Cybersecurity Town Hall. Facilitator: Thomas Dryden, Chief Information Security Officer, Berkadia

Cybersecurity Town Hall - National Multifamily Housing Council


  • Cybersecurity Town Hall

    Facilitator: Thomas Dryden

    Chief Information Security Officer, Berkadia

  • Download the Conference App on your smartphone or tablet!

    Highlights Include:
    • Access vital conference information 24 hours/day: Agenda, Speaker Bios, Exhibitor List, Exhibit Hall Floor Plan, Attendee List & more.
    • Schedule meetings with attendees
    • Share comments & photos in the Activity Feed
    • Find Places to Eat and Things to Do in Dallas

    To Download the App: Search for “NMHC Meetings” in your app store. Download the NMHC Meetings app, then select OPTECH Conference & Exposition.

  • Audience Poll #1

    • How would you rate your current cybersecurity defenses?
      – Excellent
      – Very Good
      – Good
      – Fair
      – Poor

  • Audience Poll #2

    • How likely is it that confidential information has been divulged or stolen from your company by criminals or criminal organizations or by current or former employees?
      – Very Likely
      – Likely
      – Possibly
      – Not Likely

  • Audience Poll #3

    • Do you (or a consultant) engage in social engineering (testing people to divulge confidential information) and conduct cybersecurity training with company employees?
      – Yes
      – No
      – I Don’t Know

  • Audience Poll #4

    • How much have you increased your cybersecurity expenses in the last year?
      – We haven’t increased our expenses
      – 1-10%
      – 10-25%
      – 25-50%
      – More than 50%

  • Audience Poll #5

    • Have you added staff dedicated specifically to cybersecurity?
      – Yes
      – No

  • Audience Poll #6

    • Do you have an incident response plan that includes cybersecurity?
      – Yes
      – No
      – I Don’t Know

  • Framework for Improving Critical Infrastructure Cybersecurity

    OPTECH 2017, October 25th, 2017

    [email protected]

  • Cybersecurity Framework Charter: Improving U.S. Critical Infrastructure Cybersecurity

    February 12, 2013

    “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

    Executive Order 13636

    December 18, 2014

    Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say:

    “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”

    Cybersecurity Enhancement Act of 2014 (P.L. 113-274)

  • Development of the Framework

    Process:
    • Engage the Framework Stakeholders
    • Collect, Categorize, and Post RFI Responses
    • Analyze RFI Responses
    • Identify Framework Elements
    • Prepare and Publish Framework

    Timeline:
    • EO 13636 Issued – February 12, 2013
    • NIST Issues RFI – February 26, 2013
    • 1st Framework Workshop – April 03, 2013
    • Completed – April 08, 2013
    • Identify Common Practices/Themes – May 15, 2013
    • 2nd Framework Workshop at CMU – May 2013
    • Draft Outline of Preliminary Framework – June 2013
    • 3rd Workshop at UCSD – July 2013
    • 4th Workshop at UT Dallas – Sept 2013
    • 5th Workshop at NC State – Nov 2013
    • Published Framework – Feb 2014

    Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process…and to this day

  • Key Attributes

    It’s voluntary
    • Is meant to be customized.

    It’s a framework, not a prescriptive standard
    • Provides a common language and systematic methodology for managing cyber risk.
    • Does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity.

    It’s a living document
    • Enables best practices to become standard practices for everyone
    • Evolves faster than regulation and legislation
    • Can be updated as stakeholders learn from implementation
    • Can be updated as technology and threats change.

  • Cybersecurity Framework Components

    Framework Core
    • Cybersecurity activities and informative references, organized around particular outcomes
    • Enables communication of cyber risk across an organization

    Framework Implementation Tiers
    • Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics

    Framework Profile
    • Aligns industry standards and best practices to the Framework Core in an implementation scenario
    • Supports prioritization and measurement while factoring in business needs

  • Implementation Tiers

    Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive

    Risk Management Process: The functionality and repeatability of cybersecurity risk management

    Integrated Risk Management Program: The extent to which cybersecurity is considered in broader risk management decisions

    External Participation: The degree to which the organization benefits by sharing or receiving information from outside parties

  • Intel Adaptation of Implementation Tiers

    Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive

    People: Whether people have assigned roles, regular training, take initiative by becoming champions, etc.

    Process: NIST Risk Management Process + NIST Integrated Risk Management Program

    Technology: Whether tools are implemented, maintained, evolved, provide effectiveness metrics, etc.

    Ecosystem: NIST External Participation + Whether the organization understands its role in the ecosystem, including external dependencies with partners

  • Core: A Catalog of Cybersecurity Outcomes

    Function
    • Identify: What processes and assets need protection?
    • Protect: What safeguards are available?
    • Detect: What techniques can identify incidents?
    • Respond: What techniques can contain impacts of incidents?
    • Recover: What techniques can restore capabilities?

    The Functions are:
    • Understandable by everyone
    • Applicable to any type of risk management
    • Defining of the entire breadth of cybersecurity
    • Spanning both prevention and reaction

  • Core: A Catalog of Cybersecurity Outcomes

    Function and Category

    Identify: What processes and assets need protection?
      Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy

    Protect: What safeguards are available?
      Access Control; Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology

    Detect: What techniques can identify incidents?
      Anomalies and Events; Security Continuous Monitoring; Detection Processes

    Respond: What techniques can contain impacts of incidents?
      Response Planning; Communications; Analysis; Mitigation; Improvements

    Recover: What techniques can restore capabilities?
      Recovery Planning; Improvements; Communications

  • A Common Language: Foundational for Integrated Teams

    The five Function identifiers (ID, PR, DE, RS, RC) give a shared vocabulary to:
    • Cybersecurity Professionals (highly technical and specialized language)
    • Senior Executives
    • IT, Contracts, Marketing, Business Professionals

  • Core – Example: Cybersecurity Framework Component

    Function: Identify

    Category: Business Environment

    Subcategory: ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated

    Informative References:
    • COBIT 5 APO02.01, APO02.06, APO03.01
    • ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
    • NIST SP 800-53 Rev. 4 PM-11, SA-14


  • Profile: Customizing Cybersecurity Framework

    Functions: Identify, Protect, Detect, Respond, Recover

    Ways to think about a Profile:
    • A customization of the Core for a given sector, subsector, or organization
    • A fusion of business/mission logic and cybersecurity outcomes
    • An alignment of cybersecurity requirements with operational methodologies
    • A basis for assessment and expressing target state
    • A decision support tool for cybersecurity risk management

  • Cybersecurity Program Objectives: Three Things All Cybersecurity Programs Must Do

    • Support Mission/Business Objectives
    • Fulfill Cybersecurity Requirements
    • Manage Vulnerability and Threat Associated with the Technical Environment

  • Profile Foundational Information: A Profile Can be Created from Three Types of Information

    1. Cybersecurity Requirements: Legislation, Regulation, Internal & External Policy

    2. Technical Environment: Threats, Vulnerabilities

    3. Business Objectives: Objective 1, Objective 2, Objective 3

    (Diagram also shows: Subcategories 1, 2, … 98; Operating Methodologies: Controls Catalogs, Technical Guidance)

  • Framework Seven Step Process: Gap Analysis Using Framework Profiles

    • Step 1: Prioritize and Scope
    • Step 2: Orient
    • Step 3: Create a Current Profile
    • Step 4: Conduct a Risk Assessment
    • Step 5: Create a Target Profile
    • Step 6: Determine, Analyze, and Prioritize Gaps
    • Step 7: Implementation Action Plan

  • Resource and Budget Decisioning: What Can You Do with a CSF Profile

    Sub-category | Priority | Gaps   | Budget | Year 1 / Year 2 Activities
    1            | moderate | small  | $$$    | X
    2            | high     | large  | $$     | X
    3            | moderate | medium | $      | X
    …            | …        | …      | …      | …
    98           | moderate | none   | $$     | reassess

    Profiles compared: As-Is, Year 1 To-Be, Year 2 To-Be

    …and supports on-going operational decisions too

  • Supporting Risk Management with Framework

  • Next Steps: Framework Update

    Key features of this second draft will include:
    • Update to the measurement section to refine and summarize self-assessment concepts (Section 4)
    • Integration of the proposed Cyber Supply Chain Risk Management Implementation Tier language into some combination of the other three Implementation Tier properties
    • Refinement and clarification within Communicating Cybersecurity Requirements with Stakeholders (Section 3.3)
    • Removal of U.S. federal government applicability statements (Section 3.7)
    • An additional subcategory in the PR - Access Control category to address authentication

  • Next Steps: Program Focus

    • Federal agencies
    • Small- and Medium-sized Businesses (SMBs)
    • International organizations, including:
      • Companies with presence or business outside the U.S.
      • Other governments
      • International organizations
    • Regulators at federal and state levels

  • Next Steps: Stakeholder Recommended Actions

    Stakeholders should consider activities to:
    • Customize Framework for your sector or community
    • Publish a sector or community Profile or relevant “crosswalk”
    • Advocate for the Framework throughout your sector or community, with related sectors and communities.
    • Publish “summaries of use” or case studies of your Framework implementation.
    • Submit a paper during the NIST call for abstracts
    • Share your Framework resources with NIST at [email protected].

  • Resources: Where to Learn More and Stay Current

    The National Institute of Standards and Technology Web site is available at http://www.nist.gov

    NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/

    The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework

    NISTIR 7621-r1 Small Business Information Security: The Fundamentals, http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

    For additional Framework info and help: [email protected]

  • PHISHIN’


  • JetBlues

    We sent a phish that coincided with the timeframe when many people were making flight arrangements to attend the annual Windsor Operations conference. This is a classic phishing strategy: send a topical note and hope the recipient lets their guard down enough to have them open it.

    What the email would have looked like in the email program:

  • Campaign Results: Of 334 sent:

    • 84 (25%) looked at it in their native inbox (not the preview pane)
    • 16 (5%) clicked on the image
    • 5 (1%) clicked on the image more than once

    What the image would have looked like if you clicked on it:

  • Sample phish text

    Johnny Walker 1/13/16

    Happy 2016!!! Thanks to Lincoln Property Company Rent Aliens became the fastest growing Internet Listing Service (ILS) company in the United States in 2015!!!

    To show our gratitude to Lincoln, we are so excited to offer the first 15 people that sign up 2 Justin Bieber concert tickets for the SOLD OUT SHOW on April 10 at the American Airlines Center in Dallas.

    The first 15 people that sign up will get the tickets but we also have a Grand Prize drawing for 2 tickets near the front row in section 14 at the AAC. So even if you don't win the first 15 sets of tickets you are eligible for the Grand Prize drawing on Jan. 29.

    Click HERE to sign up for a chance to win tickets. We will call winners today so be close to your phone! If you don’t win we’ll email you with a list of the winners but remember you are still entered in the Grand Prize contest.

    Good luck!
    Johnny Walker
    President – Rent Aliens


  • Other Phishable Trouble Topics

    • Banking
    • Dropbox limits
    • Email Full
    • “from the Boss”
    • Sporting Events
    • Holidays
    • Current event-related
    • Fake urgency

    Sample sports-related phish: 32% open, 8% clickthru

  • Sample phish: Urgent - Suspicious Login Identified on your Yardi Account

    Cyber Security

    The Yardi Cyber Security team has identified a suspicious login using your login credentials. We need to validate your account has not been compromised; click here to verify your identity.

    Thank You.

    The Yardi Cyber Security Team



  • How to Educate Repeat Offenders

    • Teachable Moment at the time of phishing error
    • Keep detailed statistics and report to supervisor if the person:
      • Clicks on two in a row
      • Falls for a “special phish”
    • Send them a personal note with a one page refresher
    • Personal call from the Boss
    • Termination

  • How to Educate Repeat Offenders

    One page refresher (graphic courtesy of https://www.knowbe4.com/what-is-social-engineering/)

  • Securing and Protecting Your Users

    1.8 Million links and attachments blocked YTD

    (Diagram labels: Successful Login, Enter Code, IT Systems)


  • THE RANSOMWARE THREAT

    Kirk Downey, Managing Partner

  • Brief history of ransomware

    First one: AIDS Trojan

    Biggest one to date: CryptoLocker, spread via Zeus bot-net

    JavaScript only: RAA and Locky JS, difficult to detect by Antivirus

    WannaCry, Petya/NotPetya: based on stolen NSA tools

    Emerging trends, 2017 & beyond:
    • Doxware: pay us or we’ll expose all your private data
    • Ransomware accomplice: you don’t have to pay us if you help spread malware

    Source: “The History of Ransomware”, Ryan Francis, CSO Magazine, July 2016

  • Ransomware: what does it do?

    • Usually launched through phishing email.
    • User clicks on an email file attachment or link to malicious Web site.
    • A dropper either installs the malware directly or downloads it from an external site and installs.
    • Obfuscation (hiding the contents) & polymorphism (changing how it looks each time it infects) make it hard to spot by antivirus.
    • Once installed, it begins encrypting (scrambling contents of) your data files.

    (Diagram labels: Spearphishing email, Internet, Command & Control Server)

  • What ransomware does

    • Encrypts files with these extensions: .doc, .xls, .rtf, .pdf, .jpg, .mdb, .png, .csv, .zip, .rar
    • Skips directories with the following: Windows, RECYCLER, Program Files, Program Files (x86), Recycle.Bin, APPDATA, ProgramData, Microsoft
      Why? So that it doesn’t encrypt itself!
    • Encrypted files have new file extension, such as “.encrypted” or “.locked”
    • Demands a payment in some form of cryptocurrency (e.g., Bitcoin) to get decryption key.
      Why? Anonymous and untraceable payments.
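The behaviour on this slide is also a detection opportunity: a burst of data files with the listed extensions being renamed to “.encrypted” or “.locked”, outside the directories ransomware skips, is a strong signal to alert on. The following is an added example (not from the slides or the speaker); the audit-event tuple format and the sample events are constructed for it.

```python
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions the slide says ransomware targets, and the tell-tale new extensions.
TARGET_EXTS = {".doc", ".xls", ".rtf", ".pdf", ".jpg", ".mdb", ".png", ".csv", ".zip", ".rar"}
RANSOM_EXTS = {".encrypted", ".locked"}
# Directories the slide says ransomware skips (so it does not encrypt itself);
# renames there do not fit the pattern and would only add noise.
SKIPPED_DIRS = {"windows", "recycler", "program files", "program files (x86)",
                "recycle.bin", "appdata", "programdata", "microsoft"}


def in_skipped_dir(path: str) -> bool:
    """True if any directory component of the path is one of the skipped names."""
    dirs = {p.lower() for p in PureWindowsPath(path).parts[:-1]}
    return bool(dirs & SKIPPED_DIRS)


def is_suspicious_rename(old: str, new: str) -> bool:
    """A targeted data file gaining a ransom extension, either appended
    (report.xls -> report.xls.locked) or replacing the original (report.xls -> report.locked)."""
    old_p, new_p = PureWindowsPath(old), PureWindowsPath(new)
    if in_skipped_dir(old) or old_p.suffix.lower() not in TARGET_EXTS:
        return False
    if new_p.suffix.lower() not in RANSOM_EXTS:
        return False
    new_stem = new_p.stem.lower()
    return new_stem in (old_p.name.lower(), old_p.stem.lower())


def detect_mass_encryption(events, threshold=10, window=timedelta(seconds=60)):
    """events: (iso_timestamp, op, old_path, new_path) tuples, e.g. from a file-audit feed.
    Returns one (first_ts, last_ts, count) alert per burst of >= threshold suspicious
    renames inside the sliding window."""
    alerts, recent = [], deque()
    for ts, op, old, new in sorted(events, key=lambda e: e[0]):
        if op != "RENAME" or not is_suspicious_rename(old, new):
            continue
        t = datetime.fromisoformat(ts)
        recent.append(t)
        while t - recent[0] > window:          # drop renames older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0].isoformat(), t.isoformat(), len(recent)))
            recent.clear()                     # one alert per burst, then re-arm
    return alerts


# Constructed sample audit records: one rename inside a skipped directory, one plain
# write, then twelve user documents renamed to .encrypted within twelve seconds.
SAMPLE_EVENTS = [
    ("2017-10-25T14:30:00", "RENAME", r"C:\Windows\System32\x.dll", r"C:\Windows\System32\x.dll.locked"),
    ("2017-10-25T14:30:01", "WRITE", r"C:\Users\jdoe\Documents\notes.txt", ""),
] + [
    (f"2017-10-25T14:30:{i:02d}", "RENAME", rf"C:\Users\jdoe\Documents\report{i}.xls",
     rf"C:\Users\jdoe\Documents\report{i}.xls.encrypted")
    for i in range(2, 14)
]

if __name__ == "__main__":
    for first, last, n in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT: {n} files renamed to ransom extensions between {first} and {last}")
```

The threshold and window are tuning knobs: a user renaming a handful of files is normal, a dozen within a minute is not.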

  • Other bad stuff ransomware does

    Ever seen a Windows Blue Screen of Death? Windows tries to address this by creating volume snapshots to allow you to restore back to a certain point before the crash occurred.

    Some modern malware tries to stop or delete the Windows built-in backup service called Volume Snapshot Service (VSS). This makes it more difficult to revert to a “clean” (or pre-infected) version.

    Also, some malware installs a keystroke logger or other surveillance software to steal sensitive data.

  • Countermeasures, part 1

    • Backup regularly and keep a recent backup copy off-line and off-site
      i.e., not co-located in the server room!
    • Backups must go back further than six months
      “Sleeper” ransomware can stay dormant for months
    • Test full backup restores
      You never know if your backups are any good if you don’t attempt to restore them.
    • Encrypt your backups
      Take a lesson from the TriCare/SAIC stolen backup tape case - it resulted in a $4.9 Billion lawsuit!

  • Countermeasures, part 2

    • Continuous surveillance with Security Information and Event Management (SIEM)
      Looks for malicious behavior both at the host & network level.
      Needs to be watched/babysat 24/7 by trained analysts (consider outsourced SOC services).
    • Train your people not to be phishing victims
      Continuous phishing training reduces click-through rate from 25% down to 1%.
