Webinar - Reducing Your Cybersecurity Risk

Reducing Your Cybersecurity Risk

A (slightly) Behavioral and Technical Overview for Business Leaders

About the Author – Mike Ahern

Director, Corporate and Professional Education, Worcester Polytechnic Institute

Leads the development of WPI’s Corporate and Professional Graduate Education Programs in: Cybersecurity; Electrical and Computer Engineering and Power Systems

Previous Experience:

– Vice-President, Northeast Utilities (responsibilities included: Distribution Engineering; Training; Planning, Performance and Analysis)

– Member, Executive Compliance and Internal Controls Committee

– Member, Executive Steering Committee for Cyber Security

– Director, Transmission Operations and Planning

– Director, Distribution Engineering

– Director, Nuclear Oversight, Millstone Nuclear Power Station

B.S. from Worcester Polytechnic Institute

M.S. and M.B.A. from Rensselaer Polytechnic Institute

Professional Engineer - Connecticut

NERC Certified System Operator - Transmission (2005 to 2010)

About WPI

Fully accredited, non-profit, top quartile national university (U.S. News and World Report ranking)

Founded in 1865 to teach both “Theory and Practice”

Strong Computer Science, Engineering and Business Schools

DHS/NSA Designated Center of Excellence in Information Security Research

Cybersecurity Risk Reduction

Outline:

• The Growing Menace

• How Do Business Leaders Reduce the Risk?

• Where Do We Start?

• What Else?

• Covering All the Bases

• Questions and Answers

The Growing Menace

We’ve been seeing news articles about the threat of hackers for quite a while

JPMorgan and other banks struck by cyberattack
By Nicole Perlroth, Wednesday, 27 Aug 2014, New York Times

U.S. notified 3,000 companies in 2013 about cyberattacks
By Ellen Nakashima, March 24, 2014, The Washington Post

DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says
By Lisa Daniel, March 27, 2012, American Forces Press Service, DoD News

The Growing Menace

Remember Target?

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
By Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, Bloomberg Businessweek, 3/13/14

Target’s Story . . . Continued

Cyber attack takes toll on Target
By Elizabeth Paton in New York, Financial Times, 8/20/14

Cyber attack cost Target $148M

To win back sales, Target took another $234M charge for discounting

The new CEO was announced on 8/1/14

The new CEO lowered the annual earnings forecast by ~15%

Cybersecurity Risk Reduction

With cybersecurity attacks and threats growing . . .

How do business leaders reduce the risk to their organization?

Let’s start by understanding attackers’ motives and methods . . .

Attacker Motives

Source: http://www.slideshare.net/NortonSecuredUK/cybercrime-attack-of-the-cyber-spies

Attacker Methods

The Most Recent Verizon Data Breach Investigations Report* gives us some insights into methods attackers use

Top “attack vectors”:

1. Behavioral – 80%+ of attackers are external people, but insiders can cause extensive damage

2. Behavioral – Phishing appears in 2/3 of attacks and is used all by itself in 20% of attacks

3. Technical – 80% of attacks use malware; almost always exploiting known vulnerabilities

*http://www.verizonenterprise.com/DBIR/2015/

Cybersecurity Risk Reduction – Where to Start

How do business leaders reduce the risk to their organization?

Start with Behaviors!

Training for basic cyber defense

- For all your people - how to be “human firewalls”

- For IT people - use trained, certified cybersecurity professionals

- For HR people – do we check backgrounds? Do we promptly revoke access when people leave?

- For Leadership – who has what access? How often is this reviewed?

Education to understand the evolving threats

- Better educate your cyber workforce to prevent, detect and effectively respond to cyber intrusions

What Else?

Install the Software Patches to remove known vulnerabilities

Use Anti-virus to protect against known malware

Require two-factor authentication for financial transactions and sensitive data downloads

Supplement Perimeter Defense with Intrusion Detection

- Use your people as a “sensor network” to detect and report phishing attacks

- Do your people know to report unexplained failed login attempts?

- Ask IT people how they detect intruders, including how often system administrative logs are checked

- Does your organization share threat intelligence?

Develop, Train, Practice and Execute Incident Response Plans

- Business continuity plans should include a “loss of IT” scenario

What Else?

Questions from Board Members*

• Are profit-generating assets adequately secured?

• How well-protected is high-value information?

• Is the organization’s cybersecurity strategy aligned with its business objectives?

• How is the effectiveness of the cybersecurity program measured?

• Is the organization spending appropriately on security priorities?

• Would the organization be able to detect a breach?

• Does the cybersecurity area have access to adequate resources?

• How does the organization’s security program compare to that of its peers?

* https://securityintelligence.com/what-cybersecurity-questions-are-boards-asking-cisos/

Added Question: What are the industry-specific compliance requirements?

Covering All The Bases

The US National Cybersecurity Workforce Framework*

* http://csrc.nist.gov/nice/framework/

The U.S. National Initiative for Cybersecurity Education (NICE) issued the National Cybersecurity Workforce Framework (“the Framework”)

– Developed with more than 20 Federal departments and agencies and numerous national organizations from within academia and general industry.

– The categories, serving as an overarching structure for the Framework, group related specialty areas together.

– Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided.

You can use the Framework to make sure your organization is “covering all the bases”

US National Cybersecurity Workforce Framework Covers All the Bases

Framework Category – Specialty Areas Include:

Securely Provision
– Systems Security Architecture
– Software Assurance and Security Engineering
– Secure Acquisition
– Test and Evaluation
– Systems Development

Operate and Maintain
– System Administration
– Systems Security Analysis
– Network Services

Protect and Defend
– Computer Network Defense Analysis
– Incident Response
– Vulnerability Assessment and Management

Investigate
– Digital Forensics
– Cyber Investigation

Collect and Operate (Federal Government Role)
– Collection Operations
– Cyber Operations and Planning

Analyze (Federal Government Role)
– All Source Intelligence
– Exploitation Analysis / Targets / Threat Analysis

Oversight and Development
– Legal Advice and Advocacy
– Strategic Planning and Policy Development
– Training, Education and Awareness
– Security Program Management
– Knowledge Management

http://csrc.nist.gov/nice/framework/national_cybersecurity_workforce_framework_03_2013_version1_0_interactive.pdf

Draft Version 2.0: http://niccs.us-cert.gov/sites/default/files/documents/files/DraftNationalCybersecurityWorkforceFrameworkV2.xlsx

Risk Reduction Action Plan

Threat / Actions / Measures

Threat: Insider
Actions:
– Background Checks
– Training – Everyone, IT, HR, Leadership
– Remove Access Promptly
Measures: Regular Exception Reports

Threat: External Hacker
Actions:
– Patches to Keep Software Updated
– Anti-Virus for Known Malware
– Limited Administrative Rights
– Two-factor Authentication
Measures: Regular Time Delay Reports and Rights Reviews

Threat: Successful Intrusion
Actions:
– Certified IT Professionals
– Access Log Reviews
– Intrusion Detection Software
– Exfiltration Software
– “White-listing” for Control Systems
Measures: Frequent (Daily?) Results Reports

Threat: Successful Attack
Actions:
– “Loss of IT” Business Continuity Exercises
– Engage/Develop Forensic Capability
Measures: Exercise Frequency and Results
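One way to produce the “Regular Exception Reports” and “Access Log Reviews” the action plan calls for: an added Python example (not from the webinar or WPI) that reviews constructed access-log lines for repeated failed logins and for logins by people whose HR last day has already passed, i.e. access that was not removed promptly. The key=value log format, the FAIL_THRESHOLD policy and the LEAVERS feed are assumptions.

```python
# Added example: a minimal exception report over access logs, covering two
# action-plan measures: repeated failed logins (Access Log Reviews) and logins
# after a person's last day (Remove Access Promptly). All data is constructed.
from collections import Counter
from datetime import date, datetime

FAIL_THRESHOLD = 5  # assumed policy: 5+ failures per user per day is an exception

# Constructed sample log lines in an assumed key=value format.
AUTH_LOG = """\
2016-03-10 08:02:11 host=fileserver user=jsmith result=FAIL src=10.0.5.21
2016-03-10 08:02:15 host=fileserver user=jsmith result=FAIL src=10.0.5.21
2016-03-10 08:02:19 host=fileserver user=jsmith result=FAIL src=10.0.5.21
2016-03-10 08:02:24 host=fileserver user=jsmith result=FAIL src=10.0.5.21
2016-03-10 08:02:30 host=fileserver user=jsmith result=FAIL src=10.0.5.21
2016-03-10 08:03:02 host=fileserver user=jsmith result=OK src=10.0.5.21
2016-03-10 09:15:44 host=payroll user=bjones result=OK src=203.0.113.7
2016-03-10 09:40:01 host=payroll user=mlee result=FAIL src=10.0.5.40
2016-03-10 09:40:20 host=payroll user=mlee result=OK src=10.0.5.40
"""

# Constructed HR feed: user -> last working day (access should end that day).
LEAVERS = {"bjones": date(2016, 3, 1)}


def parse_line(line):
    """Turn one log line into a dict of its key=value fields plus a datetime."""
    ts_date, ts_time, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(f"{ts_date} {ts_time}")
    return event


def exception_report(log_text, leavers, fail_threshold=FAIL_THRESHOLD):
    """Return {'repeated_failures': {(user, day): n}, 'departed_logins': [...]}."""
    failures = Counter()
    departed = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] == "FAIL":
            failures[(ev["user"], ev["ts"].date())] += 1
        elif ev["user"] in leavers and ev["ts"].date() > leavers[ev["user"]]:
            # Successful login after the last day: access was not revoked.
            departed.append((ev["user"], ev["host"], ev["ts"].isoformat(), ev["src"]))
    return {
        "repeated_failures": {k: n for k, n in failures.items() if n >= fail_threshold},
        "departed_logins": departed,
    }
```

With the sample data, jsmith's five failures on 2016-03-10 and bjones's payroll login nine days after leaving are the two exceptions reported; mlee's single failure stays below the threshold.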

Cybersecurity Webinar Series

Free, 1 Hour Webinar:

Reducing the Risk of a Cyber Attack on Utilities

Thursday, March 17, 2016 / 2pm-3pm (ET)

Free, 1 Hour Webinar:

Cyber Hygiene: Stay Clean at Work and at Home!

Thursday, March 24, 2016 / 10am-11am (ET)

Cybersecurity Webinar Series

Thank you

Mike Ahern
Director, Corporate and Professional Education
[email protected]

What do you think? Your feedback is welcome!

What to Look For - Strong Capability in Cyber Security

For example, at WPI:

NSA/DHS Designated Center of Excellence

Core Faculty Performing Current Research

• Trusted Computing Platforms

• Algorithms & Architectures for Cryptography

• Security of Interoperable Wireless Medical Devices

• Analysis of Access-Control and Firewall Policies

• Wireless Network Security

• Cyber-Physical System Security

Adjunct Faculty are Current Practitioners, Vetted by the Appropriate Department Faculty both for Knowledge and Capability to Teach

What to Look For – Program Tailored to Your Needs

The National Framework Covers the Entire Workforce with Generic Categories

To Maximize Your Benefit for an Education Investment:

• Your Program Should be Tailored to Include Your Organization’s Specific Requirements

• Your Program Should Teach the Roles Your Students Will Perform

• Your Program Should be Convenient for Your Students

What to Look For – Program Tailored to Your Needs

For example, here is WPI’s Process:

POWER TRANSMISSION EDUCATIONAL INITIATIVE – CYBERSECURITY FOR COMPUTER SCIENTISTS

Overall Goal: Build capability to Prevent, Detect and Effectively Respond to cyber attacks

Learning Objectives Include:

General Understanding of Cybersecurity

Specific Knowledge of Power Industry Requirements - NERC Critical Infrastructure Protection (CIP) Standards

Ability to Write and Test to Assure Secure Code (e.g. “All Commands are Authenticated and Authorized”)

Operations Risk Management – Avoiding Social Media Phishing Attacks by Managing Human Behavior

Supply Chain Risk Management to Avoid Embedded Malware

Ability to Detect Cyber Intrusions and Immediately Respond to Incidents

Ability to Investigate, Identify Attacker(s) and Build a Legal Case Against Them

Ability to Effectively Communicate Risks and Countermeasures

Ability to Integrate all of the Elements to Deliver a Secure Computer Network with Information Assurance

Example of Program Tailoring:

Cybersecurity Graduate Program for Computer Scientists

• CS 525S - Computer and Network Security

• OIE 541 - Operations Risk Management

• CS 525# - Special Topics: Digital Forensics

• CS 557 - Software Security Design and Analysis

• CS 525# - Special Topics: Intrusion Detection

• CS 571 - Case Studies in Computer Security

The Courses Were Customized for the Power Industry

Computer and Network Security – Includes CIP Standards

Operations Risk Management – Focus on Social Media Phishing Risks and includes risk from Embedded Malware

Case Studies in Computer Security – Examples from the Power Industry

National Cybersecurity Workforce Framework – Compared to WPI’s Customized Graduate Program

Framework Category / WPI’s Current Cyber for Computer Scientists Program

Securely Provision:
– Computer and Network Security
– Software Security Design and Analysis

Operate and Maintain: Computer and Network Security

Protect and Defend: Intruder Detection

Investigate: Digital Forensics

Collect and Operate: Not in Program – Government Role

Analyze: Not in Program – Government Role

Oversight and Development:
– Operations Risk Management
– Case Studies in Computer Security

WPI’s Program Addresses All the Relevant Categories