What you gonna do when they come for you? Being Proactive rather - - PowerPoint PPT Presentation


Tennessee Pollution Prevention Webinar. What you gonna do when they come for you? Being Proactive rather than Reactive for CyberSecurity in the Manufacturing Industry. October 23rd, 2019. Ben Bolton Energy Programs Administrator for TDECs


SLIDE 1

What you gonna do when they come for you?

October 23rd, 2019

Tennessee Pollution Prevention Webinar

Being Proactive rather than Reactive for CyberSecurity in the Manufacturing Industry

SLIDE 2

Ben Bolton

Ben manages activities related to energy security planning, preparedness, and response, as well as the energy-water nexus. He currently serves as Co-Chair of the National Association of State Energy Officials’ Energy Security Committee and represents Tennessee on FEMA’s Mitigation Framework Leadership Group. Prior to joining the State, he was an environmental scientist providing technical support to public and private sector clients. He holds a B.S. in Biology and a B.A. in English from Birmingham-Southern College.

Energy Programs Administrator for TDEC’s Office of Energy Programs

SLIDE 3

James Cotter

Special Agent Cotter joined TDSHS in 2008 and was promoted in 2012 to Supervisory Intelligence Officer and Co-Director of the Tennessee Fusion Center. He is a graduate of the Naval Post Graduate School Fusion Center Leaders Program, the Southeastern Command and Leadership Academy, and holds a B.S. in Criminal Justice. Special Agent Cotter is a veteran of the U.S. Marine Corps.

Special Agent, Cyber Operations Program Manager at the Tennessee Department of Safety and Homeland Security (TDSHS).

SLIDE 4

Changing How We View Cybersecurity

SLIDE 5

WE DON’T HAVE A CHOICE TO DIGITALLY TRANSFORM. THE CHOICE IS HOW WELL WE DO IT.

Erik Qualman

SLIDE 6

Cybersecurity is our shared responsibility – everyone is part of the security team.

SLIDE 7

Areas of Change

  • Focus on prevention then mitigation
  • Organizational priority
  • Culture of security
  • Mobile workforce
  • Minimize internal threats

▫ Educate, Empower, Enforce

SLIDE 9

  • Cyber issues are not theoretical – they are real!
    ▫ Cyber affects us all professionally and personally
    ▫ Interconnectivity – Vulnerability – Liability
      – Vehicles, Medical Devices, Appliances, Sensors, etc.
    ▫ Internet of Things (IoT)

SLIDE 11

Threat Landscape

  • Hacktivists – Manipulate cyberspace to achieve political goals and/or social change
  • Criminal – Makes up the bulk of threat activity, up to $1 trillion globally
    ▫ Phishing, 3rd party hosting, fraud, money laundering – ebooks
  • Insiders/Users – Both malicious and unintentional; possibly biggest threat
    ▫ National Insider Threat Task Force – The insider threat is a dynamic problem set, requiring resilient and adaptable programs to address an evolving threat landscape, advances in technology, and organizational change.
  • Espionage/Spies – 2nd oldest profession known to man (friends and foes)
  • Nation State Actors/Militaries – Espionage v. Warfare; very ambiguous and complex; requires highly adaptive and innovative approaches to maneuver and transition in this spectrum; world events
  • Terrorists – Receives a lot of attention, but not quite there yet
  • Natural, Accidental and Failure – Mother Nature & Manmade Events

SLIDE 12

Items of Interest

  • The most popular cyberattack methods according to a study by Positive Technologies for 2018.
  • Malware: Common malware infection methods were compromising servers and workstations by accessing a targeted system using vulnerabilities, social engineering, or brute-forced passwords, planting malicious software on victims' devices via infected websites, and sending malicious attachments or links by email.
  • Social engineering: Cybercriminals continue to develop new methods to manipulate users into believing a message, link, or attachment is from a trusted source, and then infecting targeted systems with malware, stealing money, or accessing confidential information. (Social Media and Deep Fake)
  • Hacking: Hacking is exploiting vulnerabilities in software and hardware. Hackers currently cause the most damage to governments, banks, and cryptocurrency platforms.

SLIDE 13

Items of Interest

  • Credential compromise: Usernames and Passwords
  • A recent report by WhiteHat Security indicates that 85% of mobile apps violate recognized security standards. Tested 15,000 apps and 85% contained at least one common security vulnerability that can be exploited. Takeaway – be mindful of what you are allowed to download on your devices, what kind of data the apps share, and restrict what apps can access on your devices.
  • Most Prevalent Phishing Subject Lines - Assist Urgently, Invoice, Bank of or New Notification, Verify Your Account, Copy or Document Copy, Action Required: Pay your seller account balance, AMAZON: Your Order no #812-4623 might ARRIVED. ***Be mindful of Current Events***

SLIDE 18

Some Do’s

  • DO - Perform updates or use site for downloads if unsure
  • DO - Passwords (complex – more than 8)
    ▫ 80% of all confirmed breaches had weak, default, or stolen PWs*
  • DO – The principle of least privilege – only what is necessary
  • DO – Completely disconnect from networks/Apps/clear caches
  • DO – Monitor logs (incoming and outgoing)
  • DO - Minimize footprint, do not link accounts – SM especially
    ▫ 43% of breaches started on social media*
  • DO – Check yourself https://haveibeenpwned.com/ and Shodan for devices https://www.shodan.io/
  • DO – Join information and intelligence sharing networks
  • DO – Think like a hacker or use/hire/train one

* Verizon 2018 Data Breach Report

SLIDE 19

Some Don’ts

  • DON’T - Open E-Mail from unknown senders – use preview option – review before opening attachments – beware macros
  • DON’T – Use free or unsecured WiFi – use VPN or Cellular
  • DON’T – Share credentials or use on multiple platforms
  • If it seems too good to be true, it probably is!! Don’t be afraid to question.

SLIDE 20

Cybersecurity is our shared responsibility

Question and report

Nothing is too outlandish to attempt

SLIDE 21

THANK YOU

SLIDE 22

James Cotter
TN Department of Safety & Homeland Security
James.cotter@tn.gov

SLIDE 23

Questions?

October 23rd, 2019

Tennessee Pollution Prevention Webinar

SLIDE 24

Eric Brown

Eric currently serves as Assistant Director for the Cybersecurity Education, Research and Outreach Center at Tennessee Tech University. Among other duties, Eric leads the cyber risk assessment program conducted in cooperation with the Tennessee 3-Star Industrial Assessment Center at Tennessee Tech University. CEROC focuses on extra-curricular training opportunities in cybersecurity, research across multiple cyber domains, and outreach to K20 students and stakeholders with an overarching goal of workforce pipeline development.

Assistant Director Cybersecurity Education, Research, and Outreach Center Tennessee Tech University

SLIDE 25

https://www.tntech.edu/ceroc / @TNTechCEROC / ceroc@tntech.edu

“What ya gonna do when they come for you?” Being Proactive Rather than Reactive for CyberSecurity in the Manufacturing Industry

SLIDE 26

CEROC Quick Facts

  • Founded in January 2016
  • NSA/DHS designated Center of Academic Excellence in Cyber Defense Education (1 of 200+) https://www.caecommunity.org/content/cae-institution-map
  • First and Largest CyberCorps SFS Program in the State of Tennessee (1 of 70) https://www.cybersecuritymastersdegree.org/cybercorps/ - Community College Pathway (1 of 10 in nation)
  • Only Cybersecurity Scholarship Program (CySP, formerly DoD IASP) in the State of Tennessee
  • Only NSA GenCyber Program in Tennessee
  • Partner
    ■ Tennessee 3-Star Industrial Assessment Center providing cyber risk assessment services for power assessment clients
    ■ Academic Alliance Partner with DHS in the STOP. THINK. CONNECT! Initiative
  • Founder of the Women in Cybersecurity

SLIDE 27

CEROC at a Glance

  • Only Program in Tennessee to Offer CyberSecurity Specialization at the Bachelor, Masters and Ph.D. levels
  • K12 Outreach Events supporting cybersecurity awareness and competition opportunities
  • Only NSA-Designated Center of Academic Excellence in Cyber Defense Education Four-Year Program in Tennessee
  • Only DoD Cyber Scholarship Program in Tennessee
  • Active Cybersecurity Club with 3 skill training groups in offense, defense, and CTF
  • First and Largest CyberCorps SFS Scholarship Program in Tennessee
  • Research areas in cyber physical systems, smart grid, vehicular networks, formal methods, graph-based anomalies, risk assessment
  • Only GenCyber Student summer Program in Tennessee
  • Central Region Host of Collegiate Penetration Testing Competition

SLIDE 28

National Cybersecurity Awareness Month (NCSAM) 2019

Held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. More information can be found at https://niccs.us-cert.gov/national-cybersecurity-awareness-month-2019. This year’s message is “Own IT. Secure IT. Protect IT.”

SLIDE 29

Background Information for Today’s Talk

The following information is provided by the 2019 Data Breach Investigations Report from Verizon (https://enterprise.verizon.com/resources/reports/dbir/). Consider the following.

SLIDE 30

Manufacturing Notes from the 2019 Verizon Report

2019 Verizon Report: “Manufacturing has been experiencing an increase in financially motivated breaches in the past couple of years, but espionage is still a strong motivator. Most breaches involve phishing and the use of stolen credentials.”

  • 352 incidents, 87 with confirmed data disclosures
  • Web Applications, Privilege Misuse, and Cyber-Espionage represent 71% of the breaches
  • Threats came from external (75%), internal (20%), multiple parties (6%), and partners (1%)
  • The attacks were influenced by financial (68%), espionage (27%), grudges (3%), and fun (2%) motives.
  • The data compromised in these attacks included credentials (49%), internal (41%), and secrets (36%).

SLIDE 31

Common Cyber Attacks on Manufacturing

Acknowledging that cyber attacks are possible is the very first step toward dealing with the issue. There are some small companies that still believe that they are not susceptible to attack because “we are just a little company in a rural area… nobody even knows that we are here.” If you are plugged in, they know you are there!

Phishing

  • Strange file attachments
  • Sense of urgency in message / immediate demand
  • Threat of negative outcome if no action is taken
  • Bad grammar / spelling
  • Oddly formed email address or reply-to address

Supply Chain Attacks

  • Weak credentials to external supply systems
  • Strange redirects to unknown sites
  • Increase in pop-ups
  • Ransomware threats / messages / false preventatives
  • Software freezes or crashes

Malware

  • Can be introduced via phishing
  • Can be introduced via “free” USB sticks
  • Can be contracted and propagated by “out of maintenance” systems
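The phishing indicators listed on this slide can be checked mechanically as a mail-triage aid. The sketch below is an added example, not part of the original presentation; the cue lists, the attachment policy, the function names and both sample messages are assumptions constructed for illustration, and the grammar/spelling indicator is not covered.

```python
from email import message_from_string
from email.utils import parseaddr

# Subject cues drawn from the phishing subject lines listed earlier in the deck.
SUBJECT_CUES = ("urgent", "invoice", "verify your account", "action required")
# Assumed wording for the "threat of negative outcome" indicator.
THREAT_CUES = ("suspended", "locked", "terminated", "legal action")
# Assumed site policy for "strange" attachments, macro-enabled Office files included.
RISKY_EXT = (".exe", ".js", ".scr", ".vbs", ".iso", ".hta", ".docm", ".xlsm")

def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw_message):
    """Return the slide indicators that a raw RFC 5322 message trips."""
    msg = message_from_string(raw_message)
    hits = []
    subject = (msg.get("Subject") or "").lower()
    if any(cue in subject for cue in SUBJECT_CUES):
        hits.append("urgent-subject")
    reply_dom = domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != domain(msg.get("From")):
        hits.append("reply-to-mismatch")
    body = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):  # also catches double extensions
            hits.append("risky-attachment:" + name)
        elif not name and part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    if any(cue in " ".join(body).lower() for cue in THREAT_CUES):
        hits.append("threat-of-consequence")
    return hits

# Constructed sample messages (not real traffic).
PHISH = """From: "Accounts Payable" <ap@supplier.example>
Reply-To: billing@supp1ier-pay.example
Subject: Action Required: Invoice overdue
Content-Type: multipart/mixed; boundary="b1"

--b1

Pay today or your account will be suspended.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--"""
BENIGN = """From: Maintenance <maint@plant.example>
Subject: Line 3 downtime schedule

Planned downtime is Thursday 06:00-08:00."""
```

A message that trips several indicators at once is a candidate for quarantine and user reporting; a single hit such as the word "invoice" is common in legitimate mail and should only raise the score.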

SLIDE 32

Ransomware

  • Ransomware is a very hot industry, making billions of dollars for its perpetrators.
  • Notice that the manufacturing sector was the second largest affected sector in early 2019.
  • Two choices: pay up or restore data (some victims have said enough is enough and did not pay)
  • Further ransomware guidance can be found at https://www.us-cert.gov/Ransomware

https://blog.trendmicro.com/wp-content/uploads/2019/07/Capture.png

SLIDE 33

The Sky is NOT Falling!

The sky is not falling! All businesses throughout the ages have had to deal with very large problems with the potential to interrupt business process and subsequent income. In each circumstance, the business owner took small, reasonable steps to mitigate the issue. Consider the stage coaches of the Old West; one additional driver with shotgun talents could curb some theft threats. Here are some steps!

SLIDE 34

Simple Steps to Improving Cyber Positioning

  • Provide cybersecurity awareness training for ALL EMPLOYEES and their families. The training should address current issues such as phishing and social engineering. Cyber safety at home translates to cyber safety at work. Think that this is not true? How many smartphones enter your workplace every day?
  • Make plans (and actually practice their implementation)
    ○ Business Continuity Plan
    ○ Disaster Recovery Plan
    ○ Incident Response Plan
    ○ Internal Bug Bounty Plan/Program

SLIDE 35

Simple Steps to Improving Cyber Positioning

  • Review Key Business Procedures
    ○ Employee Onboarding, Offboarding, and Transition Procedures (nerdy version: identification, authentication, authorization)
    ○ Position-appropriate Technology Training
    ○ IT and Electronic Device Procurement Procedures
    ○ Technology Deployment Procedures
    ○ IT Lifecycle Procedures
    ○ System Image (software and firmware) and Software Package Management
    ○ Information Lifecycle Management (archive, backup, restore, and even destroy)

Rule of 3’s – If you perform an activity three or more times the exact same way, create a reproducible, automated process and document it!

SLIDE 36

The Value and Gamification of Risk Assessments

  • Never under-estimate the value of a third-party assessment of your infrastructure and processes. Such assessments can provide valuable insights to hidden issues as well as provide a complementary assessment to other certification processes.
  • Include the C-level members in the process and resulting report. Make them partners and not adversaries. Make sure an IT person sits at the C-level meetings.
  • If the talent pool is available (internally or externally), create red teams (penetration test) to internally evaluate vulnerabilities. Create blue teams (protection test) to increase defensive capacities using red team input.

SLIDE 37

NIST Resources for Manufacturing Sector

  • NISTIR 8183 – Cybersecurity Framework Manufacturing Profile https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8183.pdf
  • NISTIR 8183A – CFMP Low Impact Level Example Implementations Guide
    ○ Volume 1 – General Implementation Guidance - https://csrc.nist.gov/publications/detail/nistir/8183a/vol-1/final
    ○ Volume 2 – Process-based Manufacturing System Use Case https://csrc.nist.gov/publications/detail/nistir/8183a/vol-2/final
    ○ Volume 3 – Discrete-based Manufacturing System Use Case https://csrc.nist.gov/publications/detail/nistir/8183a/vol-3/final

SLIDE 38

NIST Resources for Manufacturing Sector

  • NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
  • NIST SP 800-53A Rev. 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final
  • NIST SP 800-171 Rev. 2 & SP 800-171B Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets https://www.nist.gov/news-events/news/2019/06/protecting-controlled-unclassified-information-comment-draft-nist-sp-800

SLIDE 39

Contact Us

  • Dr. Ambareen Siraj, Director, asiraj@tntech.edu
  • Mr. Eric L. Brown, Assistant Director, elbrown@tntech.edu
  • Staff: https://www.tntech.edu/ceroc/people/

SLIDE 40

Contact Us

1020 Stadium Dr, PRSC 414
Cookeville, TN 38505
Email: ceroc@tntech.edu
Phone: (931) 372-3519
Website: https://www.tntech.edu/ceroc
Facebook: https://www.facebook.com/tntechceroc
Twitter: @tntechceroc
LinkedIn: https://www.linkedin.com/company/tntechceroc

SLIDE 41

Questions?

October 23rd, 2019

Tennessee Pollution Prevention Webinar