Tuesday, September 13, 2016

Review: Tarleton School of Criminology Cybersecurity 2016 Summit

Today, I attended the Tarleton School of Criminology Cybersecurity 2016 Summit held at the George W. Bush Presidential Library. I have to say that it was extremely well done. The various speakers brought forth an upbeat, hopeful message about the future of cybersecurity. With presentations from former military, law enforcement, lawyers, professors, and consultants, it was packed full of useful information.



One of the nice little nuggets I ran across was the concept of the "kill chain" presented by Col Jeff Schilling (ret). Naturally, this came from one of the former military presenters. A quick Google and the meaning behind it was clear, and the extension to the field of cybersecurity could be easily extrapolated. Essentially, the kill chain is all the steps necessary to successfully eliminate a target. As it relates to cybersecurity, it would simply be all the steps necessary to compromise a target (read: data). Remove any step in the kill chain and the objective of compromise cannot be completed. Now, here's the kicker. As security professionals, you can attack the kill chain at each and every stage OR you can focus your efforts on a single stage. Basically, this was the argument made today. The point is not to ignore all the other stages. Patching is still important. So is user education. But focus on the data. Focus on the prize.



The thought process behind this is that if we spread our focus across all steps in the kill chain, it divides our focus and we become less effective. As long as we do not lose sight of our most valuable asset, we can focus our efforts where we can be most efficient and effective.



We also had presentations from the Secret Service as well as the FBI (no photos or names please).



Our keynote during lunch was Mr. Brian Sartin, Managing Director of Verizon RISK Services, speaking on Verizon's 2016 data breach report. No surprises here. Same thing as last year. Threats continue to grow, particularly as they relate to nation-state hacking/espionage.



Then we had Candy Heath, AUSA and Lead Cyber Attorney for the United States Northern District of Texas, confirm some of the keynote speaker's findings that the vast majority of those compromised don't know it. Rather, once a perpetrator is taken into custody and their systems are evaluated, numerous targets (sometimes dozens to hundreds) are discovered. This explains why it takes so long for organizations to discover that a breach has occurred. They are not discovering the breach. Others are... usually about 9 months after the breach originates.



Then a panel discussion over the state of educating security professionals and meeting the needs of employers occurred. The consensus was that we have a lot of work to do. Security professionals are very mobile. They can afford to be. They have highly sought-after skills and few competitors. Depending on the presenter, there is a roughly 200,000 person shortage in this country. And, they predicted the problem would get worse. They also recognized that even within the general field of security there are specializations, and that sometimes an organization has security specialists, just not the specific ones it needs.



Shawn Tuma, another attorney, spoke about representing organizations that were the target of cyber attacks and noted the importance of simply having procedures in place and following them. Failure to protect data in and of itself is not the problem. But, failing to take reasonable precautions and not following established procedures opens up an organization to liability.



The second-to-last speaker was Chuck Easttom, computer scientist and author. He teaches, consults, testifies (prosecution and defense), etc. Bright guy. Would love to take some of his classes. He outlined an incident response template. The big takeaway from that was about verifying the credentials of the forensic expert. By that, he meant actually verify. Do not just take their word for it. Make sure they do the work and/or that they supervise those who do.



Lastly, Randell Casey, retired from the Army, gave a great presentation. The takeaway there was "where are your electricians?" His point was that at the turn of the century in 1900, electricity was new. The government and large organizations had electricians on staff. When they needed new lines or a problem fixed, they just got their electricians to do it. Today, we simply expect to be able to flip a switch and for everything to work. If we need an electrician, we outsource it. His point was that security is moving in that direction. As things become more virtualized, more cloud-based, organizations should shift to what they do best and leave the commoditization of infrastructure and security to professionals. But, he also restated the issue regarding the limited number of professionals on the market. His point here was that as the government continues to develop and employ many of those with these specialties, and as organizations start to wake up and truly understand how widespread this issue truly is, the shortage today could grow substantially before market forces can begin to correct the situation.



Now, I do not know if this was a one-off event. I hope not. It was extremely well done. All the speakers were top notch from beginning to end. It has me rethinking our CIS programs at Tarleton to see how we might be able to collaborate with the CJ folks in order to generate some synergies. This was exciting, cool stuff.


