2015 Cyber-security Summit Atlanta

IMG_5067

On July 15, 2015, the US Chamber of Commerce (https://www.uschamber.com) partnered with the Georgia Chamber of Commerce (https://www.gachamber.com), the Georgia Institute of Technology (http://www.gatech.edu), and the Technology Association of Georgia (http://www.tagonline.org), to present the Atlanta Cyber-security Summit (https://www.uschamber.com/event/georgia-2015-cybersecurity-summit).

The event is part of a nationwide tour stopping at various cities throughout the US to promote awareness and preparedness of companies regarding cyber-security risks and threats, as well as resources and strategies to prevent, manage, and recover from them. The half-day event included various speakers from local and national FBI, Secret Service, Department of Homeland Security, NIST, US Army Cyber Protection Brigade, and corporate representatives. Their presentations were full of valuable information – some new and some as refreshers, but all good components of a business cyber security toolkit.

I have put down some highlights and thoughts below, as well as some of the resource URL’s that they shared with us. What are you doing from a business standpoint on the issue of cyber-security? Do you even know where to start? One myth that we should do away with right now is that size does not matter in this arena in terms of being a target – it matters in terms of the resources we have to protect our data and mitigate incidents. But it is not futile. As a business professional you do need to think about how to incorporate some security controls in your operations. Although the message was clear from this event that our adversaries (i.e. hackers, etc.) have their own rules that they play by and will not give up the attacks, it is also clear that there are resources and help out there from the US government, military and private sectors. So read a bit, check them out, and let us know if you have any questions.

Ann M Beauchesne, Senior Vice President of the US Chamber of Commerce began her discussion with a poignant statement “The Internet is infested” and “90% of all cyber attacks are done to private companies.” She added that the focus is now on health records – “that when stolen are worth their weight in gold.”   This was a recurring theme – the records do not weigh physically but they weigh heavily with value. Another recurring message throughout the day was the increased use of social media and social networking tools by cyber-terrorists to get their messages out, recruit new jihadists, and create a cyber-jihad army. One tool spotlighted for them – YouTube.

Ann was followed by Tino Mantella, CEO of the Technology Association of Georgia. Tino indicated that in Georgia alone the cyber-security industry consists of more than 10,000 jobs and has raised $4.7 billion in revenue. His emphasis was that cyber-security is a “growing national security challenge.” Tino introduced Jim Kerr, General Counsel of Southern Company (http://www.southerncompany.com), who spoke about how the electricity industry is approaching the cyber-security threat with cooperation and collaboration. Jim talked about how vital energy was for the “health and happiness” of people and so their systems must be reliable and resilient. The challenge of cyber-security is that “we do not necessarily see them coming” and in essence “we are under attack every day – millions of times a day – in fact, people are in our systems as I speak today.” He emphasized the importance of government and industry communication and collaboration. This message was also reiterated a number of times.

Next on the agenda was Adam Sedgewick, Senior IT Policy Advisor, for The National Institute of Standards and Technology (http://www.nist.gov). Adams spoke about the NIST Cyber-Security Framework (http://www.nist.gov/cyberframework/), describing its components and its usefulness for business of all sizes, but especially small-to-midsize businesses, to ensure cyber-security in their companies. The five main concepts include: identify, protect, detect, respond, and resolve. Adam ended with a brief statement of how the US is now introducing this framework internationally (EU, Japan, etc.) to begin the conversation of worldwide standards.

One of the main objectives of these summits is to introduce local businesses to local law enforcement who can assist them should they experience an incident. Murang Pak and Michael Anaya represented Georgia FBI (https://www.fbi.gov/atlanta), and Alan Davis represented Georgia Secret Service (http://www.secretservice.gov/ectf_atlanta.shtml). An important point brought up by Agent Anaya was the fact that “hacking” technology has progressed so much that you know have “unsophisticated hackers using tools developed by very sophisticated actors.” These actors could be criminals, nation states, individuals, etc. The agents agreed on that information sharing is so important when it comes to cyber-attacks since by reviewing and analyzing the data they can “identify a migration of threats from one company to another” and can warn the company to prevent the attack from happening or from causing extensive damage and/or loss.

Following the break, the private sector panel was bright up including Matthew Eggers of the US Chamber of Commerce, Dr. Steve Cross, Executive Vice President for Research, Georgia Tech, Sean Franklin, Vice President of Cyber Intelligence for American Express (https://www.linkedin.com/pub/sean-franklin/49/76/695), and Jeff Schilling, Chief Security Office of Firehost (https://www.firehost.com).   Their discussion ended up focusing on specific threat trends and security concerns of the Internet of Things. Dr. Cross offered two great resources form Georgia Tech, their annual emerging threat report (https://www.gtisc.gatech.edu/pdf/Threats_Report_2015.pdf) and APIARY, an automated framework for malware analysis and threat intelligence (http://apiary.gtri.gatech.edu). Jeff talked about the consequence of not knowing your own system as one of the causes of cyber-security failures. “Know they self, know thy enemy” he quoted. “Do you know your own system – its vulnerabilities and its strengths?” Sean took a humorous approach to IoT “my refrigerator keeps threatening my toaster.” But his statement is funny because so many see the future truth in it. We know there are millions of devices connected to the Internet now, what happens when they start talking to each other and telling our secrets?

Before lunch Thad Odderstol, Director of Industry Engagement for the Department of Homeland Security offered a number of tools and resources for combating cyber-attacks (http://www.dhs.gov/topic/cybersecurity) and Col. Donald Bray talked about the Army Cyber Mission Force and the new Cyber Security Branch the Army is starting. Col. Bray also discussed briefly the Army training in cyber-security initiative from the Army Cyber Institute at West Point (http://www.usma.edu/acc/SitePages/Home.aspx), to the US Cyber Command (http://www.arcyber.army.mil) to be consolidated in Fort Gordon, Georgia.

The luncheon keynote brought us Mark Guiliano, Deputy Director of the FBI. He used the recent cyber-attack on SONY as an example of cooperation between government and corporate. He outlined the “dark net” that we are combating and the agility of our adversaries. He also emphasized the importance of information sharing and spoke about the Cyber-security Information Sharing Act (https://www.congress.gov/bill/114th-congress/senate-bill/754) and why the government having access to encryption keys is so important. “Our job is to keep Americans safe. We can’t do that efficiently and effectively if we do not know what is going on” since right now so many criminal actors use encrypted channels to communicate and organize attacks. The Act is still being debated in Congress.

The Summit ended with the presentation of Dr. Phyllis Schneck, Deputy Undersecretary for Cyber security, National Protection, & Programs Directorate of DHS (http://www.dhs.gov/person/phyllis-schneck-nppd). Her message was two-fold. DHS number one priority is building TRUST with the private sector, and one way they will do that is to BUY new technology from them.

This half-day was packed with information and expertise. But what does it all mean. Some skeptics would say this summit was part of an organized propaganda campaign for CISA and DHS – to “educate” the private sector about the need for giving government the keys to their data and to start building the “trust” Dr. Schneck spoke about. Perhaps. But they still offered a lot of good resources and tools for small and midsize businesses, who may not have a political agenda, but do have a bottom line to protect and grow.

Did you attend the Summit in Atlanta or in another city? Share you experience and/or thoughts in the comment box below. One thing is for sure – the conversation about cyber-security will continue.

 

ASIS, ISSA, and Athens: 2014 National Cyber-Security Awareness Month Recap

IMG_3871

As we delve into the security issues of protecting our identity online I got the feeling that October was having an identity crisis of its own – it is known as Anti-Bullying Month, Breast Cancer Awareness Month, and National Cyber-Security Awareness Month to begin with. But it is also Adopt a Shelter Dog Month, Apple Jack Month, Cookie Month, International Drum Month, National Diabetes Month, National Pizza Month, National Popcorn Popping Month, Seafood Month, and National Sarcastic Month, among others. Not sure how many of those you celebrated but here is my recap of some of the events I participated in for National Cyber-Security Awareness Month (#NCSAM).

From September 29 – October 2, ASIS International celebrated its 60th Annual Seminar and Exhibits Conference in Atlanta, Georgia (www.securityexpo.org). From the ASIS website: “ASIS International is the preeminent organization for security professionals, with more than 38,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests.” In addition, ASIS administers three internationally accredited certifications: the Certified Protection Professional (CPP), Professional Certified Investigator (PCI), and the Physical Security Professional (PSP). I was not able to take in any of the seminars but had time to browse in the exhibit hall(s) in between meetings. It seemed every security vendor was represented with displays, demos, literature, and give-a-ways, for those who like to collect security tech stress balls and pens. But among the throng there were some tidbits worth noting – I focused on the security publications and degree programs. As an author who has written about the security skills shortage, I am always on the lookout for how we are preparing the next generation of security professionals. A few that stood out for me were:

Next on my agenda was the Information Systems Security Association (ISSA) International Conference held at the Disney World Contemporary Resort in Florida from October 22 – 23. I was honored to be asked to be the inaugural ISSA Women in Security SIG breakfast keynote. The title of my presentation was “Women and the Future of Security Leadership” but it delved into a number of current, near and mid-term security challenges and how leadership can fill the gap. The handout is available below. Besides my presentation I was able to attend two others. Here are some highlights from each:

DGonzalez_ISSA_WIS_2014 copy

  • Raj Goel (http://www.rajgoel.com) gave a talk on “Panopticon” with a focus on the architecture of global surveillance. His basic premise is that of a cyber-civil rights activist. He believes any surveillance is suspect and did not hesitate to include Disney and the House of the Mouse as major culprits in league with the government and privacy saboteurs. He had some interesting examples of how far certain tactics can reach but we had a little disagreement about balancing irrational panic and dealing with real threats that an organization can do something about.
  • The other session I attended was the ISSA WIS Lightening Talks with Samantha Menke, Anne Rogers, and Amber Shroader. All three of these highly successful security professionals and leaders took turns discussing the current state of security concerns including mobile apps, digital forensics, the current threat-scape, the difference between fire inspectors and firemen, and growing concerns regarding the Internet of Things including what may happened when these devices begin to be connected to each other. They offered fascinating insights as well as thought-provoking questions. (http://www.issa.org/?page=sigs&terms=%22sig%22).

The last event was held at Athens Regional Library in Athens, Georgia, to celebrate National Cyber-Security Awareness Month (#NCSAM). I gave an author discussion regarding “online privacy, security and safety” on October 28. During the event a number of issues were explored with the participants:

  • The new world full of digital threats: breaches, hacks, social engineering and thefts, well as “Online Risks”: reputational, operational and legal plus “Consequences”: financial, penalties, loss of trust and loss of jobs.
  • Privacy defines as “a person’s right to control access to his or her personal information.” “If you put it out there on social media, consider it public.” Information collected is as much as you give them and consider about security of smart phones, tablets, cloud computing and passwords.
  • Identity theft, what to do if you are a victim of identity theft and gave resources including the Federal Trade Commission (FTC) website including consumer information. How to protect your online identity and cyber bullying.
  • Last, Cyber-bullying, the use of the Internet and related technologies, such as cell phones, to harm other people, in a deliberate, repeated and hostile manner. Tips were shared for victims of cyber bullying, both personal and in the workplace.

You can download the PowerPoint below.

AthensLibrary_OnlineSecurity_2014b

As you can see it was a busy month but there were tons of events focusing on cyber-security awareness. To learn more see: http://www.dhs.gov/national-cyber-security-awareness-month-2014. It is never too early to plan for NCSAM 2015 – contact us to organize an event in your area.