+ All Categories
  • @ApartmentWire#OPTECH17


    Cybersecurity Town Hall

    FacilitatorThomas Dryden

    Chief Information Security Officer Berkadia

  • @ApartmentWire#OPTECH17

    Download the Conference App on your smartphone or tablet!

    Highlights Include:• Access vital conference information 24 hours/day – Agenda,

    Speaker Bios, Exhibitor List, Exhibit Hall Floor Plan, Attendee List & more.

    • Schedule meetings with attendees• Share comments & photos in the Activity Feed• Find Places to Eat and Things to Do in Dallas

    To Download the App: Search for “NMHC Meetings” in your app store. Download the NMHC Meetings app, then select OPTECH Conference & Exposition.

  • @ApartmentWire#OPTECH17

    Audience Poll #1

    • How would you rate your current cybersecurity defenses?– Excellent– Very Good– Good– Fair – Poor

  • @ApartmentWire#OPTECH17

    Audience Poll #2

    • How likely is it that confidential information has been divulged or stolen from your company by criminals or criminal organizations or by current or former employees?– Very Likely– Likely – Possibly – Not Likely

  • @ApartmentWire#OPTECH17

    Audience Poll #3

    • Do you (or a consultant) engage in social engineering (testing people to divulge confidential information) and conduct cybersecurity training with company employees?– Yes– No– I Don’t Know

  • @ApartmentWire#OPTECH17

    Audience Poll #4

    • How much have you increased your cybersecurity expenses in the last year?– We haven’t increased our expenses– 1-10%– 10-25%– 25-50%– More than 50%

  • @ApartmentWire#OPTECH17

    Audience Poll #5

    • Have you added staff dedicated specifically to cybersecurity?– Yes– No

  • @ApartmentWire#OPTECH17

    Audience Poll #6

    • Do you have an incident response plan that includes cybersecurity?– Yes– No– I Don’t Know

  • Framework for Improving Critical Infrastructure Cybersecurity

    OPTECH 2017October 25th, 2017

    [email protected]

    mailto:[email protected]

  • Cybersecurity Framework CharterImproving U.S. Critical Infrastructure Cybersecurity

    February 12, 2013

    “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that

    encourages efficiency, innovation, and economic prosperity while promoting

    safety, security, business confidentiality, privacy, and civil


    Executive Order 136362

    December 18, 2014Amends the National Institute of Standards and

    Technology Act (15 U.S.C. 272(c)) to say:

    “…on an ongoing basis, facilitate and support the development of a

    voluntary, consensus-based, industry-led set of standards,

    guidelines, best practices, methodologies, procedures, and

    processes to cost-effectively reduce cyber risks to critical infrastructure”

    Cybersecurity Enhancement Act of 2014 (P.L. 113-274)

  • 3

    Development of the Framework

    Engage the Framework


    Collect, Categorize, and

    Post RFI Responses

    Analyze RFI Responses

    Identify Framework Elements

    Prepare and Publish


    EO 13636 Issued – February 12, 2013 NIST Issues RFI – February 26, 20131st Framework Workshop – April 03, 2013

    Completed – April 08, 2013Identify Common Practices/Themes – May 15, 2013

    2nd Framework Workshop at CMU – May 2013Draft Outline of Preliminary Framework – June 2013

    3rd Workshop at UCSD – July 20134th Workshop at UT Dallas – Sept 2013

    5th Workshop at NC State – Nov 2013Published Framework – Feb 2014

    Ongoing Engagement:

    Open public comment and review encouraged

    and promoted throughout the

    process…and to this day

  • Key AttributesIt’s voluntary• Is meant to be customized.It’s a framework, not a prescriptive standard• Provides a common language and systematic methodology

    for managing cyber risk. • Does not tell an organization how much cyber risk is tolerable,

    nor provide “the one and only” formula for cybersecurity.It’s a living document• Enable best practices to become standard practices for


    • Evolves faster than regulation and legislation• Can be updated as stakeholders learn from implementation• Can be updated as technology and threats changes. 4

  • Cybersecurity Framework Components

    Describes how cybersecurity risk is managed by an organization

    and degree the risk management practices exhibit key characteristics

    Aligns industry standards and best practices to the Framework Core in an implementationscenario

    Supports prioritizationand measurementwhile factoring inbusiness needs

    Cybersecurity activities and informative

    references, organized around particular


    Enables communication of cyber risk across

    an organization

    Framework Core

    Framework Implementation


    Framework Profile


  • Implementation Tiers


    1 2 3 4Partial Risk

    InformedRepeatable Adaptive

    Risk Management


    The functionality and repeatability of cybersecurity risk management

    Integrated Risk Management


    The extent to which cybersecurity is considered in broader risk management decisions

    External Participation

    The degree to which the organization benefits my sharing or receiving information from outside parties


  • Intel Adaptation of Implementation Tiers


    1 2 3 4Partial Risk

    InformedRepeatable Adaptive

    People Whether people have assigned roles, regular training, take initiative by becoming champions, etc.

    Process NIST Risk Management Process +NIST Integrated Risk Management Program

    Technology Whether tools are implemented, maintained, evolved, provide effectiveness metrics, etc.

    Ecosystem NIST External Participation +Whether the organization understands its role in the ecosystem, including external dependencies with partners


  • CoreA Catalog of Cybersecurity Outcomes


    What processes and assets need protection?

    Identify• Understandable by

    everyone• Applies to any type of risk

    management• Defines the entire breadth

    of cybersecurity• Spans both prevention and


    What safeguards are available? Protect

    What techniques can identify incidents? Detect

    What techniques can contain impacts of


    What techniques can restore capabilities? Recover


  • CoreA Catalog of Cybersecurity Outcomes

    Function Category

    What processes and assets need protection?


    Asset ManagementBusiness EnvironmentGovernanceRisk AssessmentRisk Management Strategy

    What safeguards are available? Protect

    Access ControlAwareness and TrainingData SecurityInformation Protection Processes & ProceduresMaintenanceProtective Technology

    What techniques can identify incidents? Detect

    Anomalies and EventsSecurity Continuous MonitoringDetection Processes

    What techniques can contain impacts of


    Response PlanningCommunicationsAnalysisMitigationImprovements

    What techniques can restore capabilities? Recover

    Recovery PlanningImprovementsCommunications 9

  • A Common LanguageFoundational for Integrated Teams





    Highly technical and specialized language


    IT, Contracts, Marketing,


  • Core – ExampleCybersecurity Framework Component


    Function Category Subcategory Informative Reference

    Identify Business Environment

    ID.BE-3: Priorities for organizational

    mission, objectives, and activities are established and communicated

    COBIT 5 APO02.01, APO02.06, APO03.01ISA 62443-2-1:2009, SP 800-53 Rev. 4 PM-11, SA-14


  • 12

    Core – ExampleCybersecurity Framework Component

    Function SubcategoryCategory Informative Reference

  • ProfileCustomizing Cybersecurity Framework







    Ways to think about a Profile:• A customization of the Core for a

    given sector, subsector, or organization

    • A fusion of business/mission logic and cybersecurity outcomes

    • An alignment of cybersecurity requirements with operational methodologies

    • A basis for assessment and expressing target state• A decision support tool for cybersecurity risk


  • Cybersecurity Program ObjectivesThree Things All Cybersecurity Programs Must Do

    • Support Mission/Business Objectives

    • Fulfill Cybersecurity Requirements

    • Manage Vulnerability and Threat Associated with the Technical Environment


  • Profile Foundational InformationA Profile Can be Created from Three Types of Information





    Internal & External Policy

    Technical Environment



    2 3

    Business Objectives

    Objective 1Objective 2Objective 3


    Controls CatalogsTechnical Guidance

  • Framework Seven Step ProcessGap Analysis Using Framework Profiles

    • Step 1: Prioritize and Scope• Step 2: Orient• Step 3: Create a Current Profile• Step 4: Conduct a Risk Assessment• Step 5: Create a Target Profile• Step 6: Determine, Analyze, and Prioritize Gaps• Step 7: Implementation Action Plan


  • Resource and Budget DecisioningWhat Can You Do with a CSF Profile


    Sub-category Priority Gaps Budget

    Year 1 Activities

    Year 2 Activities

    1 moderate small $$$ X2 high large $$ X3 moderate medium $ X… … … …98 moderate none $$ reassess

    As-Is Year 1To-Be

    Year 2To-Be

    …and supports on-going operational decisions too

  • Supporting Risk Management with Framework


  • Next StepsFramework Update

    Key features of this second draft will include:• Update to the measurement section to refine and summarize

    self-assessment concepts (Section 4)• Integration of the proposed Cyber Supply Chain Risk

    Management Implementation Tier language into some combination of the other three Implementation Tier properties

    • Refinement and clarification within Communicating Cybersecurity Requirements with Stakeholders (Section 3.3)

    • Removal of U.S. federal government applicability statements (Section 3.7)

    • An additional subcategory in the PR - Access Control subcategory to address authentication


  • Next StepsProgram Focus

    • Federal agencies

    • Small- and Medium- sized Businesses (SMBs)

    • International organizations, including: • Companies with presence or business outside the U.S.• Other governments• International organizations

    • Regulators at federal and state levels


  • Next StepsStakeholder Recommended ActionsStakeholders should consider activities to:• Customize Framework for your sector or community• Publish a sector or community Profile or relevant

    “crosswalk” • Advocate for the Framework throughout your sector

    or community, with related sectors and communities. • Publish “summaries of use” or case studies of your

    Framework implementation.• Submit a paper during the NIST call for abstracts• Share your Framework resources with NIST at

    [email protected].


    mailto:[email protected]

  • The National Institute of Standards and Technology Web site is available at http://www.nist.gov

    NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/

    The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework

    NISTIR 7621-r1 Small Business Information Security: The Fundamentalshttp://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

    For additional Framework info and help [email protected]

    ResourcesWhere to Learn More and Stay Current

    http://www.nist.govhttp://csrc.nist.gov/http://www.nist.gov/cyberframeworkhttp://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdfmailto:[email protected]

  • @ApartmentWire#OPTECH17



  • @ApartmentWire#OPTECH17

  • @ApartmentWire#OPTECH17

  • @ApartmentWire#OPTECH17

  • @ApartmentWire#OPTECH17

    JetBlues We sent a phish that coincided with the timeframe when many people were making flight arrangements to attend the annual Windsor Operations conference. This is a classic phishing strategy- send a topical note and hope the recipient lets their guard down enough to have them open it.

    What the email would have looked like in the email program:

  • @ApartmentWire#OPTECH17

    Campaign Results:Of 334 sent:

    84 (25%) looked at it in their native inbox (not the preview pane)

    16 (5%) clicked on the image

    5 (1%) clicked on the image more than once

    What the image would have looked like if you clicked on it:

  • @ApartmentWire#OPTECH17

    Johnny Walker 1/13/16

    Happy 2016!!! Thanks to Lincoln Property Company Rent Aliens became the fastest growing Internet Listing Service (ILS) company in the United States in 2015!!!

    To show our gratitude to Lincoln, we are so excited to offer the first 15 people that sign up 2 Justin Bieber concert tickets for the SOLD OUT SHOW on April 10 at the American Airlines Center in Dallas.

    The first 15 people that sign up will get the tickets but we also have a Grand Prize drawing for 2 tickets near the front row insection 14 at the AAC. So even if you don't win the first 15 sets of tickets you are eligible for the Grand Prize drawing on Jan. 29.

    Click HERE to sign up for a chance to win tickets. We will call winners today so be closeto your phone! If you don’t win we’ll email you with a list of the winners but rememberyou are still entered in the Grand Prize contest.

    Good luck!Johnny WalkerPresident – Rent Aliens

  • @ApartmentWire#OPTECH17

  • @ApartmentWire#OPTECH17

  • @ApartmentWire#OPTECH17

    Other PhishableTrouble Topics• Banking• Dropbox limits• Email Full• “from the Boss”

    • Sporting Events• Holidays• Current event-related• Fake urgency

    Sample sports- related phish, 32% open, 8% clickthru

  • @ApartmentWire#OPTECH17

    Urgent - Suspicious Login Identified on your Yardi Account

    Cyber Security

    The Yardi Cyber Security team has identified a suspicious login using your login credentials. We need to validate your account has not been compromised; click here to verify your identity.

    Thank You.

    The Yardi Cyber Security Team


  • @ApartmentWire#OPTECH17

  • @ApartmentWire#OPTECH17

  • @ApartmentWire#OPTECH17

    How to Educate Repeat Offenders

    • Teachable Moment at the time of phishing error• Keep detailed statistics and report to supervisor if the person:

    • Clicks on two in a row• Falls for a “special phish”

    • Send them a personal note with a one page refresher:

    • Personal call from the Boss• Termination

  • @ApartmentWire#OPTECH17

    Courtesy https://www.knowbe4.com/what-is-social-engineering/

    How to Educate Repeat Offenders

    One page refresher:

  • @ApartmentWire#OPTECH17

    Securing and Protecting Your Users

    1.8 Million linksand attachments

    blocked YTD



    SystemsEnter Code

  • @ApartmentWire#OPTECH17



    Kirk DowneyManaging Partner

  • Brief history of ransomware

    Source: “The History of Ransomware”,Ryan Francis, CSO Magazine, July 2016

    First one:

    AIDS Trojan

    Biggest one to date:

    CryptoLockerSpread via Zeus bot-net

    JavaScript only:

    RAA and Locky JSDifficult to detect by Antivirus

    WannaCry, Petya/NotPetya: based on stolen NSA tools

    Doxware: pay us or we’ll expose all your private data

    Ransomware accomplice: you don’t have to pay us if you help spread malware

    Emergingtrends:2017 &beyond

  • Ransomware: what does it do?• Usually launched through phishing email.

    • User clicks on an email file attachment or link to malicious Web site.

    • A dropper either installs the malware directly or downloads it from an external site and installs.

    • Obfuscation (hiding the contents) & polymorphism (changing how it looks each time it infects) make it hard to spot by antivirus.

    • Once installed, it begins encrypting (scrambling contents of) your data files.

    Command &ControlServer



  • What ransomware does• Encrypts files with these extensions:

    .doc, .xls, .rtf, .pdf, .jpg,

    .mdb, .png, .csv, .zip, .rar

    • Skips directories with the following:Windows, RECYCLER, Program Files, Program Files (x86), Recycle.Bin, APPDATA, ProgramData, Microsoft

    Why? So that it doesn’t encrypt itself!

    • Encrypted files have new file extension, such as “.encrypted” or “.locked”

    • Demands a payment in some form of cryptocurrency (e.g., Bitcoin) to get decryption key.

    Why? Anonymous and untraceable payments.

  • Other bad stuff ransomware doesEver seen a Windows Blue Screen of Death?

    Windows tries to address this by creating volumesnapshots to allow you to restore back to a certain point before crash occurred.

    Some modern malware tries to stop or delete the Windows built-in backup service called Volume Snapshot Service (VSS)

    Makes it more difficult to revert to a ”clean” (or pre-infected) version.

    Also, some malware installs a keystroke logger or other surveillance software to steal sensitive data.

  • Countermeasures, part 1• Backup regularly and keep a recent backup copy

    off-line and off-site

    i.e., not co-located in the server room!

    • Backups must go back further than six months“Sleeper” ransomware can stay dormant for months

    • Test full backup restoresYou never know if your backups are any good if you don’t attempt to restore them.

    • Encrypt your backupsTake lesson from TriCare/SAIC stolen backup tape case - resulted in $4.9 Billion lawsuit!

  • • Continuous surveillance with Security Information and Event Management (SIEM)

    Looks for malicious behavior both at the host & network level.

    Needs to be watched/babysat 24/7 by trained analysts (consider outsourced SOC services).

    • Train your people not to be phishing victimsContinuous phishing training reduces click-through rate from 25% down to 1%.

    Countermeasures, part 2

    Wed 230-345 PM_Cybersecurity Town Hall_Dryden_MarinersCybersecurity Town Hall Download the Conference App on your smartphone or tablet!Audience Poll #1Audience Poll #2Audience Poll #3Audience Poll #4Audience Poll #5Audience Poll #6

    Wed 230-345 PM_Cybersecurity Town Hall_Fisher_MarinersSlide Number 1Cybersecurity Framework Charter�Improving U.S. Critical Infrastructure CybersecurityDevelopment of the FrameworkKey AttributesCybersecurity Framework ComponentsImplementation TiersIntel Adaptation of Implementation TiersCore�A Catalog of Cybersecurity OutcomesCore�A Catalog of Cybersecurity OutcomesA Common Language�Foundational for Integrated TeamsCore – Example�Cybersecurity Framework ComponentSlide Number 12Profile�Customizing Cybersecurity FrameworkCybersecurity Program Objectives�Three Things All Cybersecurity Programs Must DoProfile Foundational Information�A Profile Can be Created from Three Types of InformationFramework Seven Step Process�Gap Analysis Using Framework ProfilesResource and Budget Decisioning�What Can You Do with a CSF ProfileSupporting Risk Management with FrameworkNext Steps�Framework UpdateNext Steps�Program FocusNext Steps�Stakeholder Recommended ActionsResources�Where to Learn More and Stay Current

    Wed 230-345 PM_Cybersecurity Town Hall_Phishing_MarinersSlide Number 1Slide Number 2Slide Number 3Slide Number 4Slide Number 5�Campaign Results:� Of 334 sent:��84 (25%) looked at it in their native inbox (not the preview pane)��16 (5%) clicked on the image��5 (1%) clicked on the image more than once�Slide Number 7Slide Number 8Slide Number 9Slide Number 10Slide Number 11Slide Number 12Slide Number 13Slide Number 14Slide Number 15Securing and Protecting Your UsersSlide Number 17

    Wed 230-345_Cybersecurity Town Hall_ransomware_threat and best practicesTHE Ransomware THREATBrief history of ransomwareRansomware: what does it do?What ransomware doesOther bad stuff ransomware doesCountermeasures, part 1Slide Number 7

Top Related