WELCOME TO THE 21ST ANNUAL
DEFENSE SECURITY SERVICE
JULY 21, 2017
ALEXANDRIA, VIRGINIA
Partnering with Industry to Protect National Security
Social Media
@DSSPublicAffair
@TheCDSE
Like us on Facebook at DSS.stakeholders
Setting the Stage
Mr. Fred Gortler III, DSS
Agenda (AM)
8:00 AM – 8:10 AM: Administrative Notes (Mr. Jeff Cavano, DSS)
8:10 AM – 8:40 AM: Setting the Stage (Mr. Fred Gortler III, DSS)
8:40 AM – 9:15 AM: Keynote: DSS in Transition (Mr. Dan Payne, DSS Director)
9:15 AM – 10:00 AM: Applied Case Study (Mr. Gus Greene, DSS; Mr. Andrew Winters, DSS; Mr. Brian Prioletti, Industry)
10:00 AM – 10:15 AM: Break (Refreshments in the lobby)
10:15 AM – 11:45 AM: Sharpening OD/PH Roles Roundtable Discussion (Mr. Chris Griner, Industry; The Honorable Dov Zakheim, Industry; Ms. Giovanna Cinelli, Industry; Mr. David Langstaff, Industry; Mr. Frank Finelli, Industry; Moderator: Ms. Nicoletta Giordani, DSS)
11:45 AM – 1:00 PM: Lunch (Cafeteria/Local Area, pay as you go)
Agenda (PM)
1:00 PM – 2:15 PM: FSO and OD/PH Panel: GSC Cooperation, Best Practices and Challenges (The Honorable Dean Popps, Industry; Lt. Gen. William Donahue, USAF (Ret.), Industry; Mr. Richard Ray, Industry; Mr. Alexander Layser, DSS; Mr. William Cooper, DSS; Moderator: Ms. Allyson Renzella, DSS)
2:00 PM – 3:00 PM: Supply Chain Threat Challenges (Mr. William Stephens, DSS)
3:00 PM – 3:15 PM: Break (Refreshments in the lobby)
3:15 PM – 3:45 PM: Insider Threat Best Practices Panel (Mr. Phil Robinson, Industry; Mr. Thomas Langer, Industry; Mr. JC Dodson, Industry; Mr. Booker Bland, DSS; Mr. Keith Minard, DSS)
3:45 PM – 4:15 PM: Addressing the Cyber Threat: An OD’s Perspective on What Can Be Done in the Board Room (Mr. Robert Reynolds, Industry)
4:15 PM – 4:30 PM: Summary/Closing (Mr. James Kren, DSS Deputy Director)
DSS in Transition
Mr. Daniel Payne, DSS Director
New DSS Methodology
Applied Case Study
Mr. Gus Greene, DSS
Mr. Andrew Winters, DSS
Mr. Brian Prioletti, Industry
New DSS Methodology
Sharpening OD/PH Roles Roundtable Discussion
Mr. Chris Griner, Industry
The Honorable Dov Zakheim, Industry
Ms. Giovanna Cinelli, Industry
Mr. David Langstaff, Industry
Mr. Frank Finelli, Industry
Moderator: Ms. Nicoletta Giordani, DSS
OD/PH Panel: GSC Cooperation, Best Practices and Challenges
The Honorable Dean Popps, Industry
Lt. Gen. William Donahue, USAF (Ret.), Industry
Mr. Richard Ray, Industry
Mr. Alex Layser, DSS
Mr. Will Cooper, DSS
Moderator: Ms. Allyson Renzella, DSS
Supply Chain Threat Challenges
Mr. William Stephens, DSS
The Prize: Technology in the National Industrial Security Program
The Front Line: Your Firms
Disposition: Our adversaries have the initiative
We Are In A Fight
Our Adversaries Have The Initiative
i.e., WE ARE LOSING!
What Can You Do?
• Know the threats and vulnerabilities reported by your firm, how they relate to the larger threat picture, and ensure your firm moves to mitigate
• Your reporting has been stronger than ever, but…
• Embrace CI & Security as a Business Discriminator
• Best Practices
  • Ensure a skilled professional is leading your CI & Security effort
  • Have them report directly to the CEO
  • Commit to a robust insider threat capability
  • Commit to continuous monitoring of your supply chain
• Do you know…?
Questions?
Insider Threat
Best Practices Panel
Mr. Phil Robinson, Industry
Mr. Thomas Langer, Industry
Mr. JC Dodson, Industry
Mr. Booker Bland, DSS
Mr. Keith Minard, DSS
Addressing the Cyber Threat: An OD’s Perspective on What Can Be Done in the Board Room
Mr. Robert Reynolds, Industry
Managing Company Cyber Security
Some thoughts
Threat, Vulnerability, Impact, Risk (TVIR)
• Threat to networks:
  • Nation-state driven (purchase criminal gang support)
  • Persistent, deep bench
  • But not unlimited (we all have budgets, need to show results)
  • So far, little in the way of sophisticated attacks (zero day; specific code)
  • Attacks based on simple techniques, hinging on our exploitable weaknesses for success
    • Phishing malware; weak or no passwords; vendor network access; connected home computers; company laptops overseas, etc.
• Vulnerabilities: see above
Threat, Vulnerability, Impact, Risk (Continued)
• Impact: To determine the level of protection needed, look at what there is of value to lose, both to the customer and to the company
  • Company proprietary data of great interest
  • Company personnel info (SSN, level of clearance, wage garnishments, etc.)
  • RFPs, proposals on sensitive work
  • What data would the customer hate to lose
    • Ship drawings; communications frequencies, usage, etc.; ITAR; FOUO
• Risk: How weak are cyber protections against standard cyber techniques, and what is the impact of losing the data under company protection?
Thanks, but I knew that… Now what?
• Steps the GSC, Board can take to reduce risk
  • Company to complete risk assessment, assign a score
  • Be prepared for “everything’s great”
  • Focus only on protecting the border, or also on detecting and stopping intrusions?
  • Probe risk score by:
    • Identifying the company in-house or external cyber expertise; how strong is it, and how is it used? IA, patching, software upgrades, network analysis; employee training; penetration testing; data analytics
    • Reviewing policies/procedures on phishing, laptops; employee training
    • Comparing risk to resources expended
  • Does company currently comply with DFAR, FAR, NIST requirements?
If risk viewed as too great, after review…
• Develop a plan to decrease risk, with a way to measure improvement, and keep focus on the issue
• Plan needs to include the assumption that the intruder gets into the network
  • Detect, mitigate damage, remove from network
• Following are some thoughts on ideas to determine and reduce the risk, presented with increasing complexity, cost and resource needs
Additional questions to ask
• Is the company using at least 2-factor authentication and strong passwords?
• Consider removing unneeded data (closed contracts, ship drawings, ITAR, old government data, etc.) from the network to archives, thinning out what would be available to a cyber attack.
• Consider encrypting data at rest on the network that is deemed sensitive to the company or the government customer (personnel information, major bid efforts, active ITAR, etc.).
• Consider changing file names on the network that help target information of interest to the hacker, who needs ways to identify info of value for exfiltration ("F-22" becomes "Project Blue").
  • Over the top: put in a host of encrypted useless files with very attractive names.
• Give discussion of network security a regularly scheduled timeslot at the quarterly GSC meeting.
• Does the company have or need a specific budget for network security?
• Do procedures exist to limit vendor and other outside access to the network, and to remove that access when no longer needed? Are vendors evaluated for their own robustness in cyber?
Additional questions to ask (Continued)
• Does security training incorporate, on a real-time basis, actual phishing and other attacks on the network, to highlight the issue for the first line of defense, our employees?
• Is VPN required for all employees signing in remotely?
• What are company policies on traveling overseas with a company laptop? Encryption of data? One-time use of a laptop cleaned upon return?
• Does the threat/vulnerability of the network, combined with the sensitivity of client data, warrant a company CISO position?
• Does the company cyber protection plan only focus on preventing a breach (protecting the front door), or does it also include an approach to quickly detecting and blocking exfiltration of data?
  • What devices are used for these purposes, and are they sufficient?
• Does the company periodically conduct an independent evaluation of the network, using outside experts?
• Is there sufficient risk to warrant the creation of a security operations center or network operations center, collecting real-time data on attacks, breaches, etc.? If the company has such, is there a clear and defined method to analyze the data and respond?
Summary/Closing
Mr. James Kren, DSS Deputy Director