Date post: 19-Jul-2020
Page 1: Virginia Manufacturers Association 2019 Cybersecurity Trends and Ethics

Dr. Allen Harper, Executive Director, Center for Cyber Excellence
Page 2: Introduction – Dr. Allen Harper

• Dr. Allen Harper, CISSP, PCI QSA, Liberty University
• Previously: EVP and Chief Hacker, Tangible Security
• PhD IT/SEC - dissertation dealt with security of the Internet of Things (IoT)
• Retired Marine Officer (2007), IT Officer and CISO MNF-W (Iraq), OIF (2007)
• 30 years of seasoned experience in both public and private sectors
• Public speaker, teacher, author, mentor of countless security professionals
• Quoted in notable magazines and featured on federal news radio (2015)
• Published author of 6 best-selling security books, including:
  • Gray Hat Hacking, the Ethical Hacker's Handbook, 5th Edition (May 2018)
  • Security Information Event Management (SIEM), only published book on SIEM

Page 3: Threats are Evolving (Then - 1983)

Page 4: Threats are Evolving (Now - 2018)

Page 5: Cybersecurity Threat Landscape

(Figure: threat landscape chart, cost scale $ to $$$$)

https://www.slideshare.net/craigmcgill/the-july-2017-cybersecurity-risk-landscape

Page 6: Some “things” You Should Worry About

http://www.iotmakers.org/articles/roadmap_on_iot_technologies_evolution_3.png

Page 7: Internet of things…to be hacked

Source: https://www.ottosolutions.sg/single-post/2017/10/06/TRUST-US-YOU-NEED-A-BUILDING-MANAGEMENT-SYSTEM

Page 8: Risk Specific to Manufacturing

• Safety (do you trust your robots?)
• Worker’s Comp (due to cyber incident)
• Loss of Production (for a day, for a week, for a month)
• Product Recalls
• Supply Chain Risk (do you trust your suppliers?)
• Intellectual Property Theft
  • Can you compete with someone/another country if they steal your IP?
  • What about Employee NDAs and Former Employees using IP…
• Manpower Shortfalls, staggering…we will come back to that

Page 9: Shodan Fun…or not!

Pages 10–17: Shodan Fun…or not! (continued)
Page 18: http://iotscanner.bullguard.com

Page 19: Common Attack Scenarios

• Remote attack, through firewall
• Insider attack, intentional or not
• Vendor attack (You)

Page 20: Remote Attack

• Social engineering – phishing/phone/USB
• Shodan scan – Google for hackers
• Vulnerability scan – check locks/windows
• Open firewall – it only takes one port!
• Vulnerable device (software) – weakness
• Foothold in network
• Expansion → theft → damage → loss

Page 21: Insider Threat

• Rogue employee, disgruntled
• Unknowing user, surfing web – downloads malware
• Unknowing user, opens and clicks on phishing email
• Outsider is now inside network…Twix
• Lack of proper network segmentation
• Sensitive information found
• Critical assets discovered and stolen
• Expansion → theft → damage → loss

Page 22: Vendor Attack (You)

• Why go through the front door when the back door is open?
• Target stores hacked Nov–Dec 2013
• Not a direct hack, a social engineering hack
• 18 months prior, mechanical service contractor hacked (Fazio Mechanical)
• Email phishing attack (accounts for 70–90% of breaches)
• Found back door into Target – Invoicing System…
• Target had weak password policies across company
• Expansion → theft → damage → loss

Page 23: Deloitte Study: Cyber Risk in Manufacturing (1 of 2)

https://www2.deloitte.com/us/en/pages/manufacturing/articles/cyber-risk-in-advanced-manufacturing.html

Page 24: Deloitte Study: Cyber Risk in Manufacturing (2 of 2)

https://www2.deloitte.com/us/en/pages/manufacturing/articles/cyber-risk-in-advanced-manufacturing.html

Page 25: 10 Questions CEOs Should Be Asking

1. How do we demonstrate due diligence, ownership, and effective management of cyber risk? Are risk maps developed to show the current risk profile, as well as timely identification of emerging risks we should get ahead of?

2. Do we have the right leadership and organizational talent? Beyond enterprise systems, who is leading key cyber initiatives related to ICS and connected products?

3. Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?

4. Are we focused on, and investing in, the right things? And, if so, how do we evaluate and measure the results of our decisions?

5. How do our cyber risk program and capabilities align to industry standards and peer organizations?

https://www2.deloitte.com/us/en/pages/manufacturing/articles/cyber-risk-in-advanced-manufacturing.html

Page 26: 10 Questions CEOs Should Be Asking

6. How do our awareness programs create a cyber-focused mindset and cyber-conscious culture organization-wide? Are awareness programs tailored to address special considerations for high-risk employee groups handling sensitive intellectual property, ICS, or connected products?

7. What have we done to protect the organization against third-party cyber risks?

8. Can we rapidly contain damages and mobilize response resources when a cyber incident occurs? How is our cyber incident response plan tailored to address the unique risks in ICS and connected products?

9. How do we evaluate the effectiveness of our organization’s cyber risk program?

10. Are we a strong and secure link in the highly connected ecosystems in which we operate?

Page 27: Be a Hard Target

Page 28: Be a Hard Target Tips: From Deloitte

1. Set the Tone from the Top (CISO can’t do it all)
2. Assess Risk Broadly (IT/OT/ICS/Cyber Manpower)
3. Socialize the Risk Profile (share with leadership and board)
4. Build in Security (15 times cheaper to bake it in than to bolt it on)
5. Remember, Data is an Asset (perhaps your most valuable)
6. Assess 3rd Party Risk (supply chain security)
7. Be Vigilant with Monitoring (be proactive, not reactive)
8. Always be Prepared (Incident Response Drills, PR Statement)
9. Clarify Organizational Responsibilities (prior to breach)
10. Drive Increased Awareness (self phishing test, weekly)

https://www2.deloitte.com/us/en/pages/manufacturing/articles/cyber-risk-in-advanced-manufacturing.html

Page 29: Closing Thoughts: There is a Shortage of Cyber Experts

Page 30: Liberty University Cybersecurity Programs: liberty.edu/cyber

• Currently 301 thousand open Cybersecurity jobs [1] (expecting 2 million by 2019) [2]
• 5 of 6 Cyber job postings require a degree
• One of the highest paying jobs in the Information Technology (IT) field
• There are 3 types of Cyber jobs: GRC, technology, development
• Liberty’s Cyber programs prepare for all 3 types of Cyber jobs (differentiator)
• Liberty graduates are prepared to meet today’s Cyber challenges (IS/IT degrees) and those of tomorrow (CS degree)
• The first year is mostly the same in all 3 degree paths, so the path may be changed up to the second year!

(Figure: Security Jobs diagram – GRC, Technology, Development)

Cyber Job Types | Job Examples | Undergraduate Cyber Degrees | Graduate Cyber Degrees
GRC | Governance, Risk Management, and Compliance (GRC), Security Manager | B.S. Information Systems (IS) with Information Assurance Cognate | M.S. IS with Information Assurance Cognate
Technology | Security Analyst, Penetration Tester, Security Engineer, Threat Hunter | B.S. Information Technology (IT) with Data Networking and Security Cognate | M.S. IT with Network Design and Security Cognate
Development | Software Security Engineer, Reverse Engineer, Malware Specialist | B.S. Computer Science (CS) with Cyber Security Cognate | M.S. Cyber Security

1. http://cyberseek.org/heatmap.html
2. https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/#1ce24faf5163

Page 31: Questions?