What you gonna do when they come for you?

October 23rd, 2019

Tennessee Pollution Prevention Webinar

Being Proactive rather than Reactive for CyberSecurity in the Manufacturing Industry

Ben Bolton

Energy Programs Administrator for TDEC’s Office of Energy Programs

Ben manages activities related to energy security planning, preparedness, and response, as well as the energy-water nexus. He currently serves as Co-Chair of the National Association of State Energy Officials’ Energy Security Committee and represents Tennessee on FEMA’s Mitigation Framework Leadership Group. Prior to joining the State, he was an environmental scientist providing technical support to public and private sector clients. He holds a B.S. in Biology and a B.A. in English from Birmingham-Southern College.

James Cotter

Special Agent, Cyber Operations Program Manager at the Tennessee Department of Safety and Homeland Security (TDSHS).

Special Agent Cotter joined TDSHS in 2008 and was promoted in 2012 to Supervisory Intelligence Officer and Co-Director of the Tennessee Fusion Center. He is a graduate of the Naval Post Graduate School Fusion Center Leaders Program, the Southeastern Command and Leadership Academy, and holds a B.S. in Criminal Justice. Special Agent Cotter is a veteran of the U.S. Marine Corps.

Changing How We View Cybersecurity

WE DON’T HAVE A CHOICE TO DIGITALLY TRANSFORM
THE CHOICE IS HOW WELL WE DO IT.
Erik Qualman

Cybersecurity is our shared responsibility – everyone is part of the security team.

Areas of Change

• Focus on prevention then mitigation
• Organizational priority
• Culture of security
• Mobile workforce
• Minimize internal threats
  ▫ Educate, Empower, Enforce

• Cyber issues are not theoretical – they are real!
  ▫ Cyber affects us all professionally and personally
  ▫ Interconnectivity – Vulnerability – Liability
    – Vehicles, Medical Devices, Appliances, Sensors, etc.
  ▫ Internet of Things (IoT)

Threat Landscape

• Hacktivists – Manipulate cyberspace to achieve political goals and/or social change
• Criminal – Makes up the bulk of threat activity, up to $1 trillion globally
  ▫ Phishing, 3rd party hosting, fraud, money laundering – ebooks
• Insiders/Users – Both malicious and unintentional; possibly biggest threat
  ▫ National Insider Threat Task Force – The insider threat is a dynamic problem set, requiring resilient and adaptable programs to address an evolving threat landscape, advances in technology, and organizational change.
• Espionage/Spies – 2nd oldest profession known to man (friends and foes)
• Nation State Actors/Militaries – Espionage v. Warfare; very ambiguous and complex; requires highly adaptive and innovative approaches to maneuver and transition in this spectrum; world events
• Terrorists – Receives a lot of attention, but not quite there yet
• Natural, Accidental and Failure – Mother Nature & Manmade Events

Items of Interest

• The most popular cyberattack methods according to a study by Positive Technologies for 2018.
• Malware - Common malware infection methods were compromising servers and workstations by accessing a targeted system using vulnerabilities, social engineering, or bruteforced passwords, planting malicious software on victims' devices via infected websites, and sending malicious attachments or links by email.
• Social engineering: Cybercriminals continue to develop new methods to manipulate users into believing a message, link, or attachment is from a trusted source, and then infecting targeted systems with malware, stealing money, or accessing confidential information. (Social Media and Deep Fake)
• Hacking: Hacking is exploiting vulnerabilities in software and hardware. Hackers currently cause the most damage to governments, banks, and cryptocurrency platforms.

Items of Interest

• Credential compromise: Usernames and Passwords

• A recent report by WhiteHat Security indicates that 85% of mobile apps violate recognized security standards. Tested 15,000 apps and 85% contained at least one common security vulnerability that can be exploited. Takeaway – be mindful of what you are allowed to download on your devices, what kind of data the apps share, and restrict what apps can access on your devices.

• Most Prevalent Phishing Subject Lines - Assist Urgently, Invoice, Bank of or New Notification, Verify Your Account, Copy or Document Copy, Action Required: Pay your seller account balance, AMAZON: Your Order no #812-4623 might ARRIVED. ***Be mindful of Current Events***

Some Do’s

• DO – Perform updates or use site for downloads if unsure
• DO – Passwords (complex – more than 8)
  ▫ 80% of all confirmed breaches had weak, default, or stolen PWs*
• DO – The principle of least privilege – only what is necessary
• DO – Completely disconnect from networks/Apps/clear caches
• DO – Monitor logs (incoming and outgoing)
• DO – Minimize footprint, do not link accounts – SM especially
  ▫ 43% of breaches started on social media*
• DO – Check yourself https://haveibeenpwned.com/ and Shodan for devices https://www.shodan.io/
• DO – Join information and intelligence sharing networks
• DO – Think like a hacker or use/hire/train one

* Verizon 2018 Data Breach Report

Some Don’ts

• DON’T – Open E-Mail from unknown senders – use preview option – review before opening attachments – beware macros
• DON’T – Use free or unsecured WiFi – use VPN or Cellular
• DON’T – Share credentials or use on multiple platforms
• If it seems too good to be true, it probably is!! Don’t be afraid to question.

Cybersecurity is our shared responsibility

Question and report

Nothing is too outlandish to attempt

THANK YOU

James Cotter TN Department of Safety & Homeland Security

[email protected]

Questions?

October 23rd, 2019

Tennessee Pollution Prevention Webinar

Eric Brown

Assistant Director, Cybersecurity Education, Research, and Outreach Center, Tennessee Tech University

Eric currently serves as Assistant Director for the Cybersecurity Education, Research and Outreach Center at Tennessee Tech University. Among other duties, Eric leads the cyber risk assessment program conducted in cooperation with the Tennessee 3-Star Industrial Assessment Center at Tennessee Tech University. CEROC focuses on extra-curricular training opportunities in cybersecurity, research across multiple cyber domains, and outreach to K20 students and stakeholders with an overarching goal of workforce pipeline development.

https://www.tntech.edu/ceroc / @TNTechCEROC / [email protected]

“What ya gonna do when they come for you?”
Being Proactive Rather than Reactive for CyberSecurity in the Manufacturing Industry

CEROC Quick Facts

● Founded in January 2016
● NSA/DHS designated Center of Academic Excellence in Cyber Defense Education (1 of 200+) https://www.caecommunity.org/content/cae-institution-map
● First and Largest CyberCorps SFS Program in the State of Tennessee (1 of 70) https://www.cybersecuritymastersdegree.org/cybercorps/ - Community College Pathway (1 of 10 in nation)
● Only Cybersecurity Scholarship Program (CySP, formerly DoD IASP) in the State of Tennessee
● Only NSA GenCyber Program in Tennessee
● Partner
  ■ Tennessee 3-Star Industrial Assessment Center providing cyber risk assessment services for power assessment clients
  ■ Academic Alliance Partner with DHS in the STOP. THINK. CONNECT! Initiative
● Founder of the Women in Cybersecurity

CEROC at a Glance

● Only Program in Tennessee to Offer CyberSecurity Specialization at the Bachelor, Masters and Ph.D. levels
● K12 Outreach Events supporting cybersecurity awareness and competition opportunities
● Only NSA-Designated Center of Academic Excellence in Cyber Defense Education Four-Year Program in Tennessee
● Only DoD Cyber Scholarship Program in Tennessee
● Active Cybersecurity Club with 3 skill training groups in offense, defense, and CTF
● First and Largest CyberCorps SFS Scholarship Program in Tennessee
● Research areas in cyber physical systems, smart grid, vehicular networks, formal methods, graph-based anomalies, risk assessment
● Only GenCyber Student summer Program in Tennessee
● Central Region Host of Collegiate Penetration Testing Competition

National Cybersecurity Awareness Month (NCSAM) 2019

Held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. More information can be found at https://niccs.us-cert.gov/national-cybersecurity-awareness-month-2019. This year’s message is “Own IT. Secure IT. Protect IT.”

Background Information for Today’s Talk

The following information is provided by the 2019 Data Breach Investigations Report from Verizon (https://enterprise.verizon.com/resources/reports/dbir/). Consider the following.

Manufacturing Notes from the 2019 Verizon Report

2019 Verizon Report: “Manufacturing has been experiencing an increase in financially motivated breaches in the past couple of years, but espionage is still a strong motivator. Most breaches involve phishing and the use of stolen credentials.”

• 352 incidents, 87 with confirmed data disclosures

• Web Applications, Privilege Misuse, and Cyber-Espionage represent 71% of the breaches

• Threats came from external (75%), internal (20%), multiple parties (6%), and partners (1%)

• The attacks were influenced by financial (68%), espionage (27%), grudges (3%), and fun (2%) motives.

• The data compromised in these attacks included credentials (49%), internal (41%), and secrets (36%).

Common Cyber Attacks on Manufacturing

Acknowledging that cyber attacks are possible is the very first step towards dealing with the issue. There are some small companies that still believe that they are not susceptible to attack because “we are just a little company in a rural area… nobody even knows that we are here.” If you are plugged in, they know you are there!

Phishing
• Strange file attachments
• Sense of urgency in message / immediate demand
• Threat of negative outcome if no action taken
• Bad grammar / spelling
• Oddly formed email address or reply to address

Supply Chain Attacks
• Weak credentials to external supply systems
• Strange redirects to unknown sites
• Increase in pop-ups
• Ransomware threats / messages / false preventatives
• Software freezes or crashes

Malware
• Can be introduced via phishing
• Can be introduced via “free” USB sticks
• Can be contracted and propagated by “out of maintenance” systems
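Several of the phishing warning signs listed on this slide (urgent subject line, odd reply-to address, strange attachment) can be checked mechanically when a reported message is triaged. The following is an added example, not part of the original presentation; the function names, the attachment-extension list and both sample messages are constructed for illustration.

```python
"""Header triage for the phishing warning signs on the slide (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Phrases taken from the "Most Prevalent Phishing Subject Lines" slide.
URGENT_SUBJECTS = ("assist urgently", "invoice", "new notification",
                   "verify your account", "document copy", "action required")
# Assumption: extensions treated as "strange file attachments"; tune per site.
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".vbs", ".docm", ".xlsm", ".iso")

# Constructed sample messages (reserved .example domains, no real senders).
SAMPLE_PHISH = """\
From: "Accounts Payable" <ap@supplier.example>
Reply-To: ap@supplier-payments.example
To: clerk@plant.example
Subject: Action Required: Invoice 4471 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Pay today to avoid suspension of your account.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
SAMPLE_BENIGN = """\
From: Maintenance <maint@plant.example>
To: clerk@plant.example
Subject: Line 3 downtime schedule

Planned downtime is Saturday 06:00.
"""


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the warning signs found in one message, in a fixed order."""
    msg = message_from_string(raw_message)
    findings = []

    # Sense of urgency / immediate demand in the subject line.
    subject = (msg.get("Subject") or "").lower()
    if any(phrase in subject for phrase in URGENT_SUBJECTS):
        findings.append("urgent-subject")

    # Replies routed to a different domain than the visible sender.
    # Legitimate bulk mail can also do this, so treat it as a signal only.
    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != sender_domain(msg.get("From")):
        findings.append("reply-to-mismatch")

    # Attachments whose type can carry macros or executable content.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment:" + name)
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw))
```

A message with no findings is not thereby safe; the checks only rank reported mail for a human reviewer.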

Ransomware

● Ransomware is a very hot industry, making billions of dollars for its perpetrators.
● Notice that the manufacturing sector was the second largest affected sector in early 2019.
● Two choices: pay up or restore data (some victims have said enough is enough and did not pay)
● Further ransomware guidance can be found at https://www.us-cert.gov/Ransomware

https://blog.trendmicro.com/wp-content/uploads/2019/07/Capture.png

The Sky is NOT Falling!

The sky is not falling! All businesses throughout the ages have had to deal with very large problems with the potential to interrupt business process and subsequent income. In each circumstance, the business owner took small, reasonable steps to mitigate the issue. Consider the stage coaches of the Old West; one additional driver with shotgun talents could curb some theft threats. Here are some steps!

Simple Steps to Improving Cyber Positioning

● Provide cybersecurity awareness training for ALL EMPLOYEES and their families. The training should address current issues such as phishing and social engineering. Cyber safety at home translates to cyber safety at work. Think that this is not true? How many smartphones enter your workplace everyday?
● Make plans (and actually practice their implementation)
  ○ Business Continuity Plan
  ○ Disaster Recovery Plan
  ○ Incident Response Plan
  ○ Internal Bug Bounty Plan/Program

Simple Steps to Improving Cyber Positioning

● Review Key Business Procedures
  ○ Employee Onboarding, Offboarding, and Transition Procedures (nerdy version: identification, authentication, authorization)
  ○ Position-appropriate Technology Training
  ○ IT and Electronic Device Procurement Procedures
  ○ Technology Deployment Procedures
  ○ IT Lifecycle Procedures
  ○ System Image (software and firmware) and Software Package Management
  ○ Information Lifecycle Management (archive, backup, restore, and even destroy)

Rule of 3’s – If you perform an activity three or more times the exact same way, create a reproducible, automated process and document it!

The Value and Gamification of Risk Assessments

● Never under-estimate the value of a third-party assessment of your infrastructure and processes. Such assessments can provide valuable insights to hidden issues as well as provide a complementary assessment to other certification processes.
● Include the C-level members in the process and resulting report. Make them partners and not adversaries. Make sure an IT person sits at the C-level meetings.
● If the talent pool is available (internally or externally), create red teams (penetration test) to internally evaluate vulnerabilities. Create blue teams (protection test) to increase defensive capacities using red team input.

NIST Resources for Manufacturing Sector

● NISTIR 8183 – Cybersecurity Framework Manufacturing Profile https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8183.pdf
● NISTIR 8183A – CFMP Low Impact Level Example Implementations Guide
  ○ Volume 1 – General Implementation Guidance https://csrc.nist.gov/publications/detail/nistir/8183a/vol-1/final
  ○ Volume 2 – Process-based Manufacturing System Use Case https://csrc.nist.gov/publications/detail/nistir/8183a/vol-2/final
  ○ Volume 3 – Discrete-based Manufacturing System Use Case https://csrc.nist.gov/publications/detail/nistir/8183a/vol-3/final

NIST Resources for Manufacturing Sector

● NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
● NIST SP 800-53A Rev. 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final
● NIST SP 800-171 Rev. 2 & SP 800-171B Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets https://www.nist.gov/news-events/news/2019/06/protecting-controlled-unclassified-information-comment-draft-nist-sp-800

Contact Us

Dr. Ambareen Siraj, Director [email protected]
Mr. Eric L. Brown, Assistant Director [email protected]
Staff https://www.tntech.edu/ceroc/people/

Contact Us

1020 Stadium Dr, PRSC 414
Cookeville, TN 38505
Email: [email protected]
Phone: (931) 372-3519
Website: https://www.tntech.edu/ceroc
Facebook: https://www.facebook.com/tntechceroc
Twitter: @tntechceroc
LinkedIn: https://www.linkedin.com/company/tntechceroc

Questions?

October 23rd, 2019

Tennessee Pollution Prevention Webinar