Larry Clinton / Barry Foer, President / Director of Policy & Membership - PowerPoint PPT Presentation


SLIDE 1

Larry Clinton, President
lclinton@isalliance.org
703-907-7028 / 202-236-0001

Barry Foer, Director of Policy & Membership
bfoer@isalliance.org
703-907-7799

SLIDE 2

ISA Board of Directors

  • Ty Sagalow, Esq., Chairman: President Product Development, AIG
  • J. Michael Hickey, 1st Vice Chair: VP Government Affairs, Verizon
  • Dr. Sagar Vidyasagar, 2nd Vice Chair: Exec VP, Tata Consulting Services
  • Marc-Anthony Signorino, Treasurer: Director Technology Policy, National Association of Manufacturers
  • Tim McKnight, CSO, Northrop Grumman
  • Jeff Brown, CISO/Director IT Infrastructure, Raytheon
  • Eric Guerrino, SVP/CIO, Bank of New York
  • Ken Silva, Chief Technology Officer, VeriSign
  • Lawrence Dobranski, Chief Strategic Security, Nortel
  • Charles Croom, Vice President, Cyber Security Strategy, Lockheed Martin
  • Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
  • Joe Buonomo, CEO, DCR Software Inc.
SLIDE 3

Our Partners

SLIDE 4

The Web is Inherently Insecure---and getting more so

“The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue…. TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.”

Source: Hancock, Cutter Technology Journal 06

SLIDE 5

The Changing Threat: Faces of Attackers… Then

  • Chen-Ing Hau: CIH Virus
  • Joseph McElroy: Hacked US Dept of Energy
  • Jeffrey Lee Parson: Blaster-B Copycat

SLIDE 6

Faces of Attackers… Now

  • Andrew Schwarmkoff: Russian Mob Phisher
  • Jay Echouafni: Competitive DDoS
  • Jeremy Jaynes: $24M SPAM KING

SLIDE 7

The Changing Threat

  • Today, attackers perpetrate fraud, gather intelligence, or conduct blackmail
  • Vulnerabilities are in client-side applications: word processors, spreadsheets, printers, etc.
  • The problem is much more severe than the release of personal data: modern attackers are stealing source code and corporate intellectual property, and entire business operations systems are being vacuumed up and transplanted
  • Our physical security is reliant on our cyber security
SLIDE 8

Newer Threats

  • Designer malware: malware designed for a specific target or small set of targets
  • Spear Phishing: combines phishing and social engineering
  • Ransomware: malcode packs important files into an encrypted archive and deletes the originals, then a ransom is demanded
  • RootKits: shielding technology to make malcode invisible to the operating system

SLIDE 9

Characteristics of the New Attackers

  • Shift to profit motive
  • Zero day exploits
  • Increased investment and innovation in malcode
  • Increased use of stealth techniques

SLIDE 10

Digital Growth?

“Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company’s assumptions for growth.”

  • --Stanford University Study, July 2006

Sure

SLIDE 11

Digital Defense? Not so much…

  • Only 56% of respondents employ a security executive at the C-level---down 4% from the previous survey
  • Only 43% audit or monitor compliance with security policies (if they have them)
  • Just over half of companies (55%) use encryption
  • 1/3 of respondents don’t even use firewalls
  • Only 22% of companies keep an inventory of all outside parties’ use of their data

SLIDE 12

Digital Defense? Not so much…

  • 23% of CTOs did not know if cyber losses were covered by insurance.
  • 34% of CTOs thought cyber losses would be covered by insurance----and were wrong.
  • “The biggest network vulnerability in American corporations are extra connections added for senior executives without proper security.”
  • --Source: DHS Chief Economist Scott Borg

SLIDE 13

CSO Magazine Study 10/08: 7,000 companies world wide

  • Only 59% of respondents attest to even having an overall security policy
  • Nearly half of all respondents said they can’t identify the source of information security incidents they have suffered in the past year
  • Employees and former employees are the biggest source of security incidents, accounting for half of the ones we can trace
  • Only half of respondents provide employees with security awareness training

SLIDE 14

The Good News: We know (mostly) what to do

  • 2005 CIO/Pricewaterhouse study of 7,000 organizations world-wide found the 20% best practices group (although attacked more) suffered less downtime and less financial loss—none at times.
  • 2008 Verizon study of 500 forensic cases and thousands of data points found following best practices could stop 90% of breaches
  • CIA due diligence can stop 90% of attacks; implementation is the key.

SLIDE 15

How do we really protect ourselves?

  • 1. Adopt an enterprise wide, risk management approach
  • 2. Since this is an enterprise wide problem, you have to get all the critical “silos” at the table
  • 3. Determine who really is involved (other than IT)
  • 4. Determine what you are going to answer
  • 5. THEN decide what to do (software? training? contracts w/affiliates? Insurance? outreach?)

SLIDE 16

Legal/Regulatory Issues

  • Have cyber liabilities been analyzed?
  • What regulations apply to lines of business?
  • Exposed to class action/shareholder suits?
  • Is org protected from business interruptions?
  • Org protected from fed/state govt. investigations?
  • What jurisdictions does data move through?
  • What is in our contracts?
  • What does our privacy policy say?
SLIDE 17

Compliance/Regulatory

  • Have an inventory of what regs apply to us?
  • Know what regulated data is and where it’s located?
  • Valid reasons for keeping this data?
  • What have we done to protect the data?
  • Incident response program/notification program?
  • What is the impact of possible data loss?
  • Procedures in place for tracking compliance?
  • How are we tracking vendors’ procedures?
SLIDE 18

External Rel & Comm.

  • Analyzed impact of events on reputation/stakeholders/customers etc?
  • Plan for communicating with stakeholders?
  • Identified resources/budget needed for plan?
  • Clear roles and responsibilities for comm?
  • Thought through segmenting messages for different stakeholders?
  • Legal requirements for notification? Tested it?
SLIDE 19

Risk transfer

  • What is the exposure (brand/confidence/physical loss)? How do we measure it?
  • Are you already covered? D&O?
  • Do we need to bring in expertise? Who?
  • Is insurance available?
  • What is the ROI for insurance and other risk transfer approaches?

SLIDE 20

09 Securing the VOIP Platform

  • VOIP is the paradigm case for corporate economics overcoming security concerns
  • Platform itself not as profitable as products sold to use it
  • ISA/NIST program to use SCAP (Security Content Automation Protocol) and the National Vulnerability Database to create a free customizable framework
  • Companies can build products on the more secure platform (ones that participate get to know the standards first)
  • Better security and better markets
SLIDE 21

09 Securing the Global IT Supply Chain

  • IT supply chain is inherently global
  • This immutable reality brings new risks
  • If not addressed Congress will do it for us, probably through protectionism
  • 07-08 ISA/CMU/industry 3-phase program to create a framework that takes into account market, business and policy reality
  • New phase to begin first quarter 09
SLIDE 22

What to Tell President Obama?

  • 1. We need to increase our emphasis and investment on cyber security
  • 2. Cyber Security must be recognized as critical infrastructure maintenance
  • 3. Cyber Security is not an “IT” problem.
  • 4. Cyber security is an enterprise wide risk management problem
  • 5. Government and Industry need a new relationship
SLIDE 23

Obama: Inconvenient truths

  • 1. All security is reliant on cyber systems
  • 2. Cyber systems are inherently in the private sector’s hands
  • 3. US cannot tackle the cyber security issues unilaterally

SLIDE 24

Cyber Social Contract

  • Similar to the agreement that led to public utility infrastructure dissemination in 20th century
  • Infrastructure development through market incentives
  • Consumer protection through regulation
  • Gov role to motivate is more creative—harder
  • Industry role is to develop practices and standards and implement them

SLIDE 25

Member Communications Loop

SLIDE 26

Content Sources

  • Critical Infrastructure Partnership Advisory Council (CIPAC)
  • Cross-Sector Cyber Security Working Group (CSCSWG)
  • Daily Open Source Infrastructure Report
  • Homeland Security Information Network (HSIN)
  • United States Computer Emergency Readiness Team (US-CERT)
  • National Infrastructure Partnership Plan (NIPP)
  • Partnership for Critical Infrastructure Security (PCIS)
  • Protective Programs and Research and Development (PPRD)

SLIDE 27

Content Sources

  • Software Assurance Working Group
  • DHS Business Opportunities Newsletter
  • Cyber Security Monitor
  • Joint Homeland Security Notes (HSN)
  • Critical Infrastructure Information Notice (CIIN)
  • National Telecommunications and Information Administration (NTIA) Economic Security Work Group (ESWG)
  • InfraGard
  • Information Technology Sector Coordinating Council (IT-SCC)
  • Critical Functions and Information Sharing (CFIS) Group
  • Plans Working Group
  • Communications Sector Coordinating Council
  • Carnegie Mellon University CyLab (CMU)
  • ISAlliance
SLIDE 28

Content Examples

DHS Business Opportunities Newsletter

SLIDE 29

Content Examples

Critical Infrastructure Information Notice Homeland Security Note

SLIDE 30

Content Examples

IT-SCC Calendar

SLIDE 31

Content Examples

DHS Daily Open Source Infrastructure Report

SLIDE 32

Content Channels

  • World Wide Web
  • GovDelivery Digital Subscription Management
  • Excel Electronic Mail Merge
  • Outlook Distribution Lists & Outlook Calendar Invitations
  • US-CERT Portal Secure Communication
  • Direct Mail
  • Outlook Email
  • Telephone
SLIDE 33

ISAlliance Web Site

SLIDE 34

ISAlliance Web Site

Member/Prospect Examples

  • Calendar of Events
  • ISAlliance News
  • Project Information & Updates
  • Public GovDelivery Subscription
  • Common Sense Guides
  • ISAlliance Services

Member Only Examples

  • Calendar of Events
  • “Missed It” Archives
  • Complete GovDelivery Subscription
  • Self Assessment Tools
  • Papers & Reports
  • Detailed Project Information & Updates
  • Enterprise Integration Perspectives
  • CMU Webinar Archive

Used primarily to generate prospective member interest in ISAlliance and provide members with information and archives that generate interaction, integration and reinforce the value of membership.

SLIDE 35

GovDelivery Digital Subscription Management

  • Total Subscription Items hosted by GovDelivery: 47
  • Average item subscriptions per subscriber: 9
  • Total Subscribers: 4021
  • New Subscribers 2008: 714 (+17%)
  • Total bulletins sent 2008: 364,977
  • Total hits to RSS feeds 2008: 23,783
SLIDE 36

GovDelivery Digital Subscription Management: Examples

  • Notice for the Private Sector Preparedness Accreditation and Certification Program
  • Biometric Identification
  • Small Business Issues
  • US-CERT Alerts
  • Meeting Notices & Reminders
  • ISAlliance Calendar of Events
  • ISAlliance Daily Brief
  • Access Control
  • Technical, Operations, Public Policy and/or Legal Perspective - All of Above

Used for delivery of targeted messages to broad groups with interest in specific subject matter.

SLIDE 37

Outlook Distribution Lists & Calendar Invitations

SLIDE 38

Outlook Distribution Lists & Calendar Invitations

Used to organize work groups involved in specific projects.

Examples

  • White House Cyber Security Initiative
  • IT Sector Risk Assessment
  • Securing the IT Supply Chain in the Age of Globalization
  • Developing Automated VoIP and Converged Network Security
  • The Financial Impact of Cyber Risk

SLIDE 39

US-CERT Portal Secure Communications

SLIDE 40

US-CERT Portal Secure Communications

Used by members and allies for secure messaging, often between groups, subgroups and various sector coordinating councils, ISACs & organizations.

Examples

  • Software Assurance
  • Cross Sector Cyber Security Work Group
  • Defense Security Information Exchange
  • White House Cyber Security Initiative
  • AeroSpace Industries Association
SLIDE 41

Closing the Loop

Gathering, processing and distributing information content to the right people at the right time is an important part of what ISAlliance does. It is often equally important that ISAlliance gather, process and aggregate private sector perspectives for delivery BACK to appropriate public agencies.

SLIDE 42

Closing the Loop

Example:

  • 1. White House Cyber Security Initiative announced
  • 2. ISAlliance notifies membership and calls for input using the GovDelivery system
  • 3. ISAlliance forms a work group
  • 4. ISAlliance serves as an intermediary, communicating information in both directions using Outlook & the CERT Portal
  • 5. The public sector, members and ISAlliance all benefit

SLIDE 43

Larry Clinton, President
lclinton@isalliance.org
703-907-7028 / 202-236-0001

Barry Foer, Director of Policy & Membership
bfoer@isalliance.org
703-907-7799