It Takes a Village: Insights on Building a Successful Cyber Program
As security incidents accelerate in both frequency and severity, the transparency of the aftermath increases as well. Employees, Boards of Directors, and even the public are more aware of the potentially devastating nature of cyber attacks, and they want to know exactly what you're going to do about it. In this session, Phil Ferraro shares insights gleaned from almost two decades working in cyber security for enterprise companies and the federal government. He explores the critical lessons learned over the course of a remarkable career, including his tips on building a world-class global Cyber Security program.
The Riskiness of Risk Framework Selection
COBIT. OCTAVE. FAIR. ISO. NIST. AIE-IT. These are just six of the innumerable competing frameworks that have been developed in an attempt to manage the risk associated with Information Technologies.
Each of these frameworks has its own strengths and weaknesses, but none of them are applicable to all organizational levels of a typical governmental or commercial entity. In this presentation, Frederick Doyle reviews some of these common frameworks, compares their praxis and fidelity to risk theory, and assesses their relevance to the Executive, Strategic, Operational, and Tactical organizational levels.
Cybersecurity: Why We Can’t Get It Right
- The U.S. is losing the Cybersecurity battle - one-third of U.S. GDP every year
- One-third of attacks are successful (only the breaches we are aware of)
- $1 trillion industry 2017-2021 - Cybersecurity Ventures
- Our adversaries have the upper hand and are winning - but why?
- The “new” global competitive model changed long ago - we never caught on
- What every organization must do immediately to survive
The Hole in your Data Security Strategy
In today’s marketplace, IT leaders spend a significant amount of time and money ensuring that their company’s data is secure. Even so, breaches are commonplace. In 2015 alone, the Identity Theft Resource Center reported that in the U.S. there were 781 large-scale data breaches.
The biggest reason? Access to data in non-production test environments. Test data is necessary to support application development, quality assurance, and other mission-critical activities. If this data is not secured internally and from external partners, it poses a huge security and compliance risk, not to mention significant costs.
In this discussion we will outline the essential steps that corporations should include within their overall security strategy to ensure all data, structured and unstructured, is protected.
Looking For A Job In a “0% Unemployment” Industry
With cyber security having a reported unemployment rate of zero percent, one might assume it’s easy to find a dream job in our industry. That’s not the case: job seekers face tremendous struggles navigating the interviewing and hiring processes, and companies struggle finding candidates with skills who also fit their budgets.
How does one attract, hire and retain cyber security talent? How can someone find a position they want to stay in for more than 18 months? What is really going on in the cyber security staffing space? CyberSN CEO and Founder Deidre Diamond will answer these questions and more.
Privacy, Compliance and Cyber-Liability - How One Influences the Other
Every week news media posts information about a hacked company or one experiencing a ransomware event. In 2015, Intellectual Property Theft increased by 53%!
Jeanne Morain and Don Cox will partner to discuss this complex topic and how it impacts businesses.
Laws and regulations have been legislated throughout the world to protect the privacy of citizens' personally identifiable information. Jeanne Morain will discuss Compliance (Security/Business/Regulatory), Export Approvals, HIPAA, NIAP, PCI, SOX, Privacy Shield (formerly Safe Harbor) and other regulatory requirements related to Privacy.
From a cyber liability point of view, what is your company's exposure? What impacts the determination of liability? Don Cox will discuss industry cyber-related controls, employee / customer training, cyber protection solutions, and cyber staffing.
Insider Threats and the Dark Web
This talk provides an understanding of how malicious employees can use the dark web to sell and transfer sensitive corporate data and Intellectual Property.
This talk will offer an overview of terminology and concepts like Corporate Counterintelligence, dark web, insider threats, amount of intellectual property stolen each year, etc., and two vignettes on Insider Threat:
- Volunteer Insider Threat – describing the case of a disgruntled employee selling Intellectual Property on one of the Dark Web forums dedicated to such trade. I will discuss the type of IP stolen, the approximate value to the company and how the theft was discovered. I will also provide recommendations to prevent, deter, and identify potential malicious employees.
- Recruited Insider Threat – this will detail the case of an insider threat who was recruited by someone outside the company to provide sensitive data. This type of interaction often uses Peer-to-Peer communication platforms, which can make the communications and data transfer difficult to trace. I will describe the scenario and offer recommendations to identify external recruitment of employees, explain how P2P communications can be monitored, and highlight the importance of restricting access to sensitive data within a corporate network.
Privacy in the Internet of Things: Protection Today & Expectations for the Future
The world is growing ever more connected, but as this trend expands from our laptops and smartphones to our stores, cars, homes, even bodies, businesses will not be able to use existing templates for addressing (or not addressing) privacy.
As customer data becomes your core asset, what do your customers expect from you? What does this mean for companies leveraging sensors and connected products?
This talk explores implications for privacy that impact both consumers and businesses in the Internet of Things. In this presentation, you will learn:
- Drivers and differentiators for why the Internet of Things transforms traditional notions of privacy
- Risks, rewards, challenges, and opportunities for addressing privacy head-on
Role of Vulnerability Assessments and Penetration Testing in Today's Cybersecurity Environment
Vulnerability management, together with penetration testing (a key component of any good vulnerability management program), forms the foundation of an effective cybersecurity program. These are also among the most misunderstood elements of such programs. Mary Siero discusses why running a vulnerability scan and conducting penetration testing are not, by themselves, enough for a comprehensive and meaningful vulnerability management program.
"Legally Strengthening" Your Company For the Eventual Cybercrime Attacks
This talk will examine the emerging and growing body of Federal and State laws protective of corporate assets subject to cyberattack. The sources of such laws are many, from intellectual property to tort to privacy laws. Given the newness and complexity of the known and foreseeable threats, attention will be paid to the application of new federal statutes and new case interpretations and how to position to best take advantage of both.
In this session, we present findings from a long-term security research study in healthcare, in which we discovered that adversaries can deploy cyber-attacks that result in harm or fatality to patients. Over the course of 24 months, we investigated 12 hospitals, 2 healthcare data facilities, 2 medical devices and a host of supporting applications and technologies. Our focus was to (a) determine the feasibility of attacks against patient health, (b) determine the contextual issues from both technical and business perspectives, and (c) articulate the solution.
We discovered that the healthcare industry is pursuing the wrong security mission, with an almost exclusive focus on protecting patient data, yet almost no consideration of protecting patient health. We identified a number of security vulnerabilities which, if exploited, would result in patient harm or fatality. We also identified a very wide range of business and industry shortcomings, which lead to the introduction of such security vulnerabilities. Notably, we also published a blueprint, which is an actionable, step-by-step guide to help a healthcare organization of any size migrate to a more robust defense posture.
The presentation will resonate with the audience by exploring issues from their perspective (i.e., that of healthcare business executives and IT managers responsible for protecting digital assets, including patient health and patient records). The content of this talk is calibrated to a high level, intended to be easily digested by an executive audience.
This session provides a high level analysis of what we did, what we discovered, and what we recommend. The source study data can be found here: https://www.securityevaluators.com/hospitalhack/
Operational – Threat Driven Security Program
Unfortunately, many security programs today are driven by compliance. Monitoring is a rote process driven by unknown vendor content, and success is measured as an increase in malware detection. This talk will discuss how a program driven by threat intelligence, an understanding of both what is detected and the health and well-being of the network, can drive both a stronger defensive posture and inform a compliance program. Using a data-driven approach, we will discuss how to detect, remediate and report on a system where metrics are less about the number of malware incidents detected and more about time to remediate.
The Matrix as metaphor for Security Frameworks
The universe of cyber security is vast, and ever expanding. Every dimension, every plane, and every vector is in play. Tracking all the relevant objects, the millions of pertinent bits of security information cannot possibly be collected and analyzed in any meaningful way without automation. The management of cyber security controls is a herculean journey requiring persistence, deep insight and infinite diligence. It requires machines … and it requires a Matrix, a governance matrix… a framework that enables an organized approach to maintaining control.
This session will explore the governance of security controls with an emphasis on leveraging frameworks and employing disciplined methodology to free organizations from the overwhelming chaos of controls required to protect the typical information age enterprise.