Thursday, November 3, 2016

Review: ISSA 2016 International Conference

As a new ISSA member as of late last year, I attended my first ISSA conference, conveniently located (for me) in Dallas, Texas. Being used to academic conferences myself, I was not quite sure what to expect. I knew it was going to be more practitioner based, and practitioner based it was...largely from a fairly managerial perspective. So, that was in my favor. Here's a recap of the sessions I attended.

For me, the first day was the weaker of the two days, but the first session of the day was the strongest. It was titled "Architecting Your Cyber-security Organization For Big Data, Mobile, Cloud, and Digital Innovation" by Mr. David Foote. He discussed the importance of aligning business and security objectives and that part of making sure that happens is having CISOs report to Boards of Directors rather than to CIOs. He argued that part of what makes managing so difficult is churn within the field. This is a result, he argued, of being spread too thin and of burnout, as experienced cyber-security specialists are constantly having to re-tune because of disruptive technologies such as Cloud, Big Data, IoT, etc. According to his research, cyber-security jobs require more certifications than other IT jobs, and there are roughly only 1000 top level security experts compared to a need for 10,000 to 30,000. This brought him to the point that we are in deep need of "people architecture", an alignment of people, programs, practices, and technology. The benefit is an optimization of assets, improved decision making, minimizing unwanted circumstances, etc. Finally, Mr. Foote discussed the need for consistent job titles and skills across organizations and industries. The lack of such a consistent job definition makes it hard to compare, for example, a system administrator for one organization to a system administrator for another organization. Mr. Foote did an excellent job presenting and I would highly recommend attending other presentations he puts on.

The second session I attended was not quite as good, but I did still come away with some good content. It was titled "Improving Incident Response Plan With Advanced Exercises" by Chris Evans. He stressed the need for "pre-incident" training in order to develop muscle memory. The goal is to stretch beyond just compliance. He described several ways of doing this: workshops, table top exercises, games, simulations, drills, and full scale exercises, from least to most complex, with the more complex yielding more tangible benefits but requiring more investment of time, resources, and expertise. The first step is to develop the objectives so that the people that need to participate can be identified. The key takeaway was that we need to evaluate > test > assess > drill.

The third session on day one was titled "Cyber Law Update". The presenter struggled on this one. She was neither a technical person nor a manager of technical people. She was, I believe, an insurance person. She found herself being corrected several times by the audience. Nevertheless, there was some good content to come out of the presentation. One of the key points was regarding the establishment of FTC authority as it relates to cyber-security breaches. She discussed LabMD, which was held liable not for the breach but rather for the failure to take "reasonable" security measures. Another valuable contribution from this presentation was that the inability to show injury is what stops most lawsuits against companies from being successful. Emotional distress does not count. You must show some sort of physical injury. If you cannot show what or how much you lost, you have no case.

The fourth session of the day was titled "Posture Makes Perfect: Cyber Residual Risk Scoring". This one was interesting. The presenter was a little unclear in terms of specifics on his scoring model, but the general idea was a calculation that gave you a residual which represented risk. He briefly mentioned threat maps and displayed one by Kaspersky and mentioned the Norse Map. I have seen these before but never spent much time looking at them. Having said that, in looking through my notes for this blog post, I Googled them and ran across a site that lists both of these as well as several others. These are pretty slick and can be interesting and compelling when trying to discuss how pervasive security issues are. He also referenced the over-referenced (his words) Sun Tzu quote about know your enemy, know yourself, ... While he made the argument, through the process he was advocating, that you could know your enemy, he started off stating that given the complex threat environment, you could not know your enemy. This seemed more realistic to me. There are nation states, organized crime, hacktivists, cyber criminals, etc. This makes it seemingly impossible to know your enemy with certainty, at least without a delay to properly investigate. There are just too many possibilities. But, it does suggest that we need to develop methods to more quickly identify these sources so that we can more adequately combat threats. He finished up talking about there being lots of standards and lots of certifications that demonstrate or express proficiency as it relates to assessing, developing, and implementing security in organizations. Despite all of this, breaches continue to occur. Touché!

There was a fifth session for the day, but I had to leave. Day two was really pretty solid. All the sessions were quite good, I would say. For my first session on day two, I attended "Advances in Security Risk Assessments". Presented by Mr. Doug Landoll, he started with an Einstein quote: "We cannot solve our problems with the same thinking we used when we created them." He talked about how the threat calculation, whichever one you use, needs some sort of data. You can get that data from many different places. This may be as simple as a survey: "Do you have a firewall in place?" ... He stated that CISOs are in high demand and that if you examine job requirements on job posting sites, the requirements can all be boiled down to "reducing risk." In order to determine risk, the process for determining a risk score is important. You have to examine controls that are in place. For example, what is the hiring process like? You need to establish physical and logical boundaries to your assessment. You also need to apply a legitimate framework. In his opinion, some "frameworks" are not frameworks but are really just a collection of a few best practices (e.g. SOX, HIPAA, PCI, etc.). Legitimate frameworks include COBIT, NIST, ISO 27001, Cyber-Security Framework, FISMA, etc. With a framework identified, you need to have it mapped (hopefully it is already mapped by a good source) to a standard such as PCI. His point here was that standards and regulations are not frameworks. He then pointed to an article he published on LinkedIn. For assessment, he mentioned RIIOT: review documents, inspect, interview, and observe. Combine multiple approaches. To do good assessment, you need objectivity, expertise, and quality data. Finally, he plugged another person's book on quantitative assessment (Doug Hubbard). Follow this presenter on LinkedIn.

The second presentation on day two was titled "Culture Changes, Communicating Cyber Risk in Business Terms." One of the panelists stated that technology was similar to dog years, referring to the speed of change. The concept of nation states launching cyber attacks is recent. Attack surfaces have mushroomed. It was also pointed out that the boundary of the enterprise is becoming harder to define as we rely more on BYOD devices, cloud services, etc. When asked about some of the recent drivers of culture change, the data breach at the Office of Personnel Management was brought up, as was the Mirai DDoS attack and Dewall. The interesting thing about this last one was they were held responsible, not for a data breach, but rather for claiming through advertising that their systems were more secure than they actually were. Another example of driving a culture of change was ransomware and the interaction between victims and hackers. The panel concluded by discussing some of the existing standards (NIST, ISO 27005, etc.) and the focus on IT security risk, and that we need to refocus on enterprise risk instead. I read into this an alignment of security and business objectives.

The third session I attended for the day was titled "Stepwise Security - A Planned Path to Reducing Risk" by Wade Tongen. He described the "de-perimeterization" of organizations and how that makes securing them difficult. Per the 2016 Verizon Data Breach Report, 63% of breaches occur as a result of weak, default, or stolen passwords. He mentioned the need for identity assurance because users have multiple identities (e.g. personal, professional, privileged, non-privileged). There is a need for consolidated identities. Fragmented identities result in sticky notes, use of the same password for multiple systems, spreadsheets, etc. Use multifactor authentication EVERYWHERE. Organizations need role based provisioning so that applications, services, licenses, etc. are all associated with a role, so that when that role changes, access changes accordingly. Finally, the speed with which we can identify perpetrators maximizes the chance of being able to do something about it. He used a convenience store robbery as an example. If it is robbed and you can give the police an accurate description quickly, they are more likely to be able to do something about it than if you can't provide them with evidence (such as video surveillance) for several days.
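To make the role based provisioning idea from that session concrete, here is a small added illustration of my own (it is not code from the talk or from any product the speaker mentioned). Entitlements are derived from roles rather than granted one by one, so a role change produces an explicit set of grants and revokes, and access that no current role justifies shows up as drift. The role names, the entitlement catalogue, and the users are constructed sample data.

```python
"""Role based provisioning: entitlements follow the role, not the person.

Added example, not from the conference talk. ROLE_ENTITLEMENTS and the
users below are constructed sample data, not a real catalogue.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical catalogue: each role implies a fixed set of entitlements.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "employee": {"email", "hr-portal"},
    "developer": {"git", "ci", "staging-ssh"},
    "sysadmin": {"prod-ssh", "vault-admin"},
    "contractor": {"email", "git"},
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)
    # What the account can actually do right now (as provisioned in systems).
    provisioned: set[str] = field(default_factory=set)


def entitlements_for(roles: set[str]) -> set[str]:
    """Union of the entitlements implied by a set of roles.

    An unknown role is an error rather than silently granting nothing, so a
    typo in a role name cannot quietly leave someone over- or under-provisioned.
    """
    wanted: set[str] = set()
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            raise KeyError(f"unknown role {role!r}")
        wanted |= ROLE_ENTITLEMENTS[role]
    return wanted


def reconcile(user: User) -> tuple[set[str], set[str]]:
    """Return (grants, revokes) that bring provisioned access in line with roles."""
    wanted = entitlements_for(user.roles)
    grants = wanted - user.provisioned
    revokes = user.provisioned - wanted
    return grants, revokes


def apply_role_change(user: User, new_roles: set[str]) -> tuple[set[str], set[str]]:
    """Change a user's roles and apply the resulting grants and revokes.

    Because access is recomputed from the roles, leaving a role revokes
    everything that only that role justified; nothing is carried over.
    """
    user.roles = set(new_roles)
    grants, revokes = reconcile(user)
    user.provisioned |= grants
    user.provisioned -= revokes
    return grants, revokes


def orphaned_access(users: list[User]) -> dict[str, set[str]]:
    """Access each user holds that no current role explains (drift to clean up)."""
    drift = {}
    for user in users:
        extra = user.provisioned - entitlements_for(user.roles)
        if extra:
            drift[user.name] = extra
    return drift


if __name__ == "__main__":
    alice = User("alice")
    print(apply_role_change(alice, {"employee", "developer"}))
    # Alice moves from development to operations: dev access is revoked.
    print(apply_role_change(alice, {"employee", "sysadmin"}))
    # Bob was granted prod-ssh by hand; his contractor role does not justify it.
    bob = User("bob", {"contractor"}, {"email", "git", "prod-ssh"})
    print(orphaned_access([alice, bob]))
```

The point of `orphaned_access` is the audit step: if provisioning is really role driven, that report should be empty, and every non-empty entry is either a role model that is missing an entitlement or a hand grant that should be revoked.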

The final session I attended on day two was on Mr. Robot and whether or not it was an accurate depiction of a hacker's perspective. It was a panel session, and the consensus was that it was. I left this session as I did not really see much value in the discussion. Overall, it was a good experience. It was new to me. As I mentioned, I am used to academic conferences. But, this was a nice conference to attend; one that I can do some further research about some of these concepts and take back and use in my classes.

#BCIS5304 #BCIS3347 #ISSEConf
