Thank You To Our Sponsors
|
|
- Beryl Fleming
- 8 years ago
- Views:
Transcription
1
2 Thank You To Our Sponsors
3 Thank You To Our Sponsors
4 Thank You To Our Sponsors
5 Cybersecurity Panel Managing Risk in the Aerospace and Defense Industry Peter S. Chiou Principal Strategist and Business Development Manager for Azure DoD, Microsoft Isaac Potoczny-Jones Research Lead, Computer Security, Galois Special Agent Joshua Michaels FBI, Cyber Task Force
6 Aerospace & Defense Symposium Josh Michaels Special Agent Bomb Technician Cyber Task Force FBI Seattle Division
7 6/2/2015 UNCLASSIFIED
8 Cyber as an FBI Priority To protect the United States against: Terrorist attack Foreign intelligence operations and espionage Cyber-based attacks and high technology crimes Unique role as the only US agency with the authority to investigate both criminal and national security cyber security threats. 6/2/2015 UNCLASSIFIED
9 FBI Geography
10 Focus of Cyber Program Criminal and National Security Computer/Network Intrusions Botnets, Malware, Spear-phising, Viruses, Trojans, Spyware, Ransomware, Worms Differentiate intrusion from cyber enabled crimes Innocent Images National Initiative Intellectual Property Rights Internet Fraud Identify Theft 6/2/2015 UNCLASSIFIED
11 The Cyber Threats Landscape Cyber Threats Hacktivist Criminal Espionage Terrorist Warfare Computer network exploitation or attack to advance a political or social cause Financiallymotivated criminal enterprises conducting computer intrusions Nation-state actors conducting computer intrusions to illegally obtain information Use of computer network attack by terrorist groups to harm the U.S. critical infrastructure Nation-state actors using computer network operations to commit sabotage or disrupt critical systems Criminal National Security 6/2/2015 UNCLASSIFIED
12 Intended Targets Government Cleared Defense Contractors Universities High Tech/Research Financial Sector Natural resources Retail Litigation/Negotiation 6/2/2015 UNCLASSIFIED
13 Investigative Challenges Investigation vs. Mitigation Victim Incident Response Capabilities Volatility of Digital Evidence Volume of Digital Evidence Velocity of Legal Process Reliable cyber attack attribution Actors are usually overseas 6/2/2015 UNCLASSIFIED
14 attacker Web Proxies Onion Routers Botnets Compromised hosts VPS services Foreign ISPs Encryption ` 6/2/2015 UNCLASSIFIED victim
15 Biggest Security Risk? Personnel Opening an unexpected attachment or link from a colleague Using personal Web for work Posting job details on social networking sites New personal gadgets on the corp network 6/2/2015 UNCLASSIFIED
16 6/2/2015 Personal computer use habits: Don t use Administrative User Account When Internet surfing or checking s Always virus scan attachments Don t update software at untrusted wi-fi networks Social Media site habits: Be selective with what you share with whom Frequently review privacy settings International Travel habits: Don t take your phone or laptop UNCLASSIFIED
17 Private Sector Partnerships & Resources InfraGard ( Domestic Security Alliance Council ( National Cyber-Forensics Training Alliance ( Cyber Initiative and Resource Fusion Unit Information Sharing Analysis Centers ( Internet Crime Complaint Center ( 6/2/2015 UNCLASSIFIED
18 Questions? Josh Michaels Special Agent Bomb Technician Seattle FBI Cyber Task Force (206) /2/2015 UNCLASSIFIED
19 Computer Science R&D and Cybersecurity Consulting Leaders in high assurance research and development Creating trustworthiness in critical systems Solving your hardest computer science problems Galois [gal-wah] Named after French mathematician Évariste Galois
20 Galois, Inc. Overview Outline Problems: Why the government is so involved in cybersecurity Challenges: Interests and needs sometimes conflict Policy: The government is making policy on cybersecurity every day And it s impacting you! Page Galois, Inc
21 ritical Galois, Inc. Overview Infrastructure is Vulnerable Chris Roberts has been working on The FBI says he sent airplane hacking commands to a plane for years. in flight via entertainment system. Supposedly his commands caused the plane to fly sideways. The security community doesn t believe him. Boeing says it s not possible. But no one is sure! Page Galois, Inc
22 No Serious Critical Infrastructure Galois, Inc. Overview Attacks Yet What s the formula for a serious attack? Motivation + Skill > Barrier to entry + Risk There s no money in it State-level / organized crime Systems are unusual Kinetic response Page Galois, Inc
23 orth Galois, Inc. Korea Overview took out Sony Pictures We know because we saw them do it. Motivation + Skill > Barrier to entry + Risk Politically Motivated Statelevel attack Plain old Windows Economic Sanctions Page Galois, Inc
24 If it hasn t happened, why are we Galois, Inc. Overview worried? Incidents can be dangerous Russia is accused of blowing up an oil pipeline in 2008 Cybersecurity hurts the economy The recent cyber attack cost Target $148 Million IP is stolen by industrial espionage Unit from Chinese People's Liberation Army (PLA) Incidents can have political / national security consequences Whitehouse and State Department hack Incidents can be embarrassing Iran shut down a US casino because of its owners political views Page Galois, Inc
25 Users Free sites, apps, content Personal info kept confidential Limited financial risk Tension: Privacy vs. Profit Personal info: Marketing Tension: Regulation vs. Mediocre security: Costs Growth Limit liability: Risk Hide attacks: Brand Industry Protected from cyber attack, terrorists and illegal surveillance Access to legal security technology Industry held accountable Tension: Security vs. Surveillance Protect users with crypto Resist regulation: Costs Maintain access to PII Protect users from attackers Protect national security Legal framework for intercept Reelection Government Protect industry with law (e.g. CFAA, CISA) Protect users with regulation (e.g. HIPAA) Encryption challenges Backdoors for lawful intercept Protect national security interests User PII Botnets Intellectual property Identity theft Financial theft Other nations interests Espionage Cyber war Attackers
26 Federal Galois, Inc. Overview Cybersecurity Priorities Administration Priorities Protecting critical infrastructure and federal networks Solving strategic long-term problems around workforce DoD Strategy Build and maintain forces for cybersecurity operations Defend the homeland from cyber attack and deter threats Page Galois, Inc
27 Galois, Inc. Overview Cybersecurity Bills COICA (2010) - Combating Online Infringement and Counterfeits Act PIPA ( ) - PROTECT IP Act SECURE-IT (2012) - Strengthening and Enhancing Cybersecurity SOPA ( ) - Stop Online Piracy Act Big protests CISPA ( ) - Cyber Intelligence Sharing and Protection Act CISA (2014) - Cybersecurity Information Sharing Act Page Galois, Inc
28 Cybersecurity Bills: Types of Galois, Inc. Overview legislation Requirements to secure critical infrastructure Optional cyber threat information sharing Government -> Companies Companies -> Government Immunity for companies sharing information Limiting surveillance / hacking tools (CFAA, Wassenaar) Surveillance laws PATRIOT Act Requirements to inform customers of attacks Mandatory backdoors in consumer products Increased penalties for hacking Increased anti-piracy / intellectual property laws Page Galois, Inc
29 Cybersecurity Galois, Inc. Overview Bills: Crystal Ball Increased requirements to secure critical infrastructure Why? An administration priority; it s already required for contractors Optional cyber threat information sharing with limited immunity Why? Congress has been trying to pass this for years Limiting export and sale of 0-Days and Intrusion Software Why? Draft rules already passed PATRIOT Act bulk data collection will expire May 31 Why? They ve started to shut it down Page Galois, Inc
30 ontractor Security Requirements Galois, Inc. Overview Based on NIST Safeguarding Of Unclassified Controlled Technical Information It s a relatively new contracting rule that will be in most contracts Report cybersecurity incidents within 72 hours Assist the DoD in damage control New cybersecurity requirements Applies to anyone with technical information with this label: Distribution authorized to U.S. Government Agencies and their contractors... Other requests for this document shall be referred to Page Galois, Inc
31 ontractor Galois, Inc. Overview Security Requirements AC-2 ACCOUNT MANAGEMENT AC-3 (4) DISCRETIONARY ACCESS CONTROL AC-4 INFORMATION FLOW ENFORCEMENT AC-6 LEAST PRIVILEGE AC-7 UNSUCCESSFUL LOGON ATTEMPTS AC-11 (1) PATTERN-HIDING DISPLAYS AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION AC-18 (1) AUTHENTICATION AND ENCRYPTION AC-19 ACCESS CONTROL FOR MOBILE DEVICES AC-20 (1) LIMITS ON AUTHORIZED USE AC-20 (2) PORTABLE STORAGE DEVICES AC-22 PUBLICLY ACCESSIBLE CONTENT AT-2 SECURITY AWARENESS TRAINING AU-2 AUDIT EVENTS AU-3 CONTENT OF AUDIT RECORDS AU-6 (1) PROCESS INTEGRATION AU-7 AUDIT REDUCTION AND REPORT GENERATION AU-8 TIME STAMPS AU-9 PROTECTION OF AUDIT INFORMATION CM-2 BASELINE CONFIGURATION CM-6 CONFIGURATION SETTINGS CM-7 LEAST FUNCTIONALITY CM-8 INFORMATION SYSTEM COMPONENT INVENTORY CP-9 INFORMATION SYSTEM BACKUP IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) IA-4 IDENTIFIER MANAGEMENT IA-5 (1) PASSWORD-BASED AUTHENTICATION IR-2 INCIDENT RESPONSE TRAINING IR-4 INCIDENT HANDLING IR-5 INCIDENT MONITORING IR-6 INCIDENT REPORTING MA-4 (6) CRYPTOGRAPHIC PROTECTION MA-5 MAINTENANCE PERSONNEL MA-6 TIMELY MAINTENANCE MP-4 MEDIA STORAGE MP-6 MEDIA SANITIZATION PE-2 PHYSICAL ACCESS AUTHORIZATIONS PE-3 PHYSICAL ACCESS CONTROL PE-5 ACCESS CONTROL FOR OUTPUT DEVICES PM-10 SECURITY AUTHORIZATION PROCESS RA-5 VULNERABILITY SCANNING SC-2 APPLICATION PARTITIONING SC-4 INFORMATION IN SHARED RESOURCES SC-7 BOUNDARY PROTEC SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION SC-13 CRYPTOGRAPHIC PROTECTION SC-15 COLLABORATIVE COMPUTING DEVICES SC-28 PROTECTION OF INFORMATION AT REST SI-2 FLAW REMEDIATION SI-3 MALICIOUS CODE PROTECTION SI-4 INFORMATION SYSTEM MONITORING Page Galois, Inc
32 Example: AC-6: Principle of Least Galois, Inc. Overview Privilege Only authorized accesses for users which are necessary to accomplish assigned tasks. I call it the Need to Know rule Page Galois, Inc
33 IST Galois, Inc. Risk Overview Management in Practice It s required across the federal government Categorize: Determine the level of Impact Low, Medium, High Select security controls: From NIST New rules basically create a minimum standards Implement security controls: According to the plan Assess security controls: Are they sufficient? Authorize information system: Take accountability Monitor security controls: Adjust accordingly Page Galois, Inc
34 Galois, Inc. Overview What You Can Do Prepare for coming legislation with a good security plan Incident response plans, disclosure policies, threat sharing plans Implement Controlled Unclassified Technical Information rules These are now required for contractors Go beyond these to use the NIST Security Frameworks: Framework for Improving Critical Infrastructure Cybersecurity Risk Management Framework Use these to develop your plans so you re in alignment Page Galois, Inc
35 Galois, Inc. Overview Opportunities Obama s 2016 budget has $16 Billion for defensive cybersecurity 10% increase over 2015 $5.5 Billion of that is DoD Align with Federal priorities Protect your parts of Federal networks and data Align with DoD priorities Help the DoD maintain dominance in the cyber domain Build cybersecurity into your products as a differentiator Not an afterthought Page Galois, Inc
36 Galois, Inc. Overview Thank you! Isaac Potoczny-Jones Page Galois, Inc
How to get from laws to technical requirements
How to get from laws to technical requirements And how the OPM hack relates technology, policy, and law June 30, 2015 Isaac Potoczny-Jones ijones@galois.com www.galois.com Galois, Inc. Overview Outline!
More informationKeynote: FBI Wednesday, February 4 noon 1:10 p.m.
Keynote: FBI Wednesday, February 4 noon 1:10 p.m. Speaker: Leo Taddeo Special Agent in Change, Cyber/Special Operations Division Federal Bureau of Investigation Biography: Leo Taddeo Leo Taddeo is the
More informationCTR System Report - 2008 FISMA
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationSecurity and Privacy Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems JOINT TASK FORCE TRANSFORMATION INITIATIVE This document contains excerpts from NIST Special Publication
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationWorking with the FBI
Working with the FBI WMACCA Data Privacy & Security Conference September 17, 2014 Individuals Organized Crime Syndicates Hacktivist Groups Nation States Nation-States Individuals Industry Law Enforcement
More informationNIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich
NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationSTATEMENT OF JOSEPH M. DEMAREST, JR. ASSISTANT DIRECTOR CYBER DIVISION FEDERAL BUREAU OF INVESTIGATION
STATEMENT OF JOSEPH M. DEMAREST, JR. ASSISTANT DIRECTOR CYBER DIVISION FEDERAL BUREAU OF INVESTIGATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM COMMITTEE ON JUDICIARY UNITED STATES SENATE ENTITLED:
More informationDiscussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The
More informationThe FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED
The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop
More informationU. S. Attorney Office Northern District of Texas March 2013
U. S. Attorney Office Northern District of Texas March 2013 What Is Cybercrime? Hacking DDOS attacks Domain name hijacking Malware Other computer related offenses, i.e. computer and internet used to facilitate
More informationCyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties
Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties Pamela Passman President and CEO Center for Responsible Enterprise And Trade (CREATe.org)
More informationMiddle Class Economics: Cybersecurity Updated August 7, 2015
Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest
More informationCOORDINATION DRAFT. FISCAM to NIST Special Publication 800-53 Revision 4. Title / Description (Critical Element)
FISCAM FISCAM 3.1 Security (SM) Critical Element SM-1: Establish a SM-1.1.1 The security management program is adequately An agency/entitywide security management program has been developed, An agency/entitywide
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationStatement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives
Statement for the Record Richard Bejtlich Chief Security Strategist FireEye, Inc. Before the U.S. House of Representatives Committee on Energy and Commerce Subcommittee on Oversight and Investigations
More informationTHE WHITE HOUSE Office of the Press Secretary
FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly
More informationSCAC Annual Conference. Cybersecurity Demystified
SCAC Annual Conference Cybersecurity Demystified Me Thomas Scott SC Deputy Chief Information Security Officer PMP, CISSP, CISA, GSLC, FEMA COOP Practitioner Tscott@admin.sc.gov 803-896-6395 What is Cyber
More informationMicrosoft s cybersecurity commitment
Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade
More informationWho s Doing the Hacking?
Who s Doing the Hacking? 1 HACKTIVISTS Although the term hacktivist refers to cyber attacks conducted in the name of political activism, this segment of the cyber threat spectrum covers everything from
More informationSymptoms of a Data Breach in Your Business
Cyber Security: What you need to know to protect your business February 2014 Presented by: Jon Zayicek Vice President Sera-Brynn Topics: The landscape is changing What are the threats? How to protect your
More informationCYBER SECURITY INFORMATION SHARING & COLLABORATION
Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationMyths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA)
Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA) MYTH: The cyber threat is being exaggerated. FACT: Cyber attacks are a huge threat to American lives, national security,
More informationThe Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.
The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. 1 Calling All CEOs Are You Ready to Defend the Battlefield of the 21st Century? It is not the norm for corporations to be
More informationThe FBI and the Internet
The FBI and the Internet Special Agent Robert Flaim Federal Bureau of Investigation Presentation Goals To give you a better understanding of: The FBI Cyber Division, its priorities, and its mission The
More informationJanuary IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director
January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security
More informationCMS POLICY FOR THE INFORMATION SECURITY PROGRAM
Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS POLICY FOR THE INFORMATION SECURITY PROGRAM FINAL Version 4.0 August 31, 2010 Document Number: CMS-CIO-POL-SEC02-04.0
More information10 Smart Ideas for. Keeping Data Safe. From Hackers
0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000
More informationPRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS
CYBERSECURITY PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS by Dr. Lawrence A. Gordon (Lgordon@rhsmith.umd.edu) EY Professor of Managerial Accounting and Information Assurance Affiliate
More informationI ve been breached! Now what?
I ve been breached! Now what? THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationIT ASSET MANAGEMENT Securing Assets for the Financial Services Sector
IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationAn Overview of Large US Military Cybersecurity Organizations
An Overview of Large US Military Cybersecurity Organizations Colonel Bruce D. Caulkins, Ph.D. Chief, Cyber Strategy, Plans, Policy, and Exercises Division United States Pacific Command 2 Agenda United
More informationAdvanced & Persistent Threat Analysis - I
Advanced & Persistent Threat Analysis - I Burak Ekici ekcburak@hotmail.com Department of Computer Engineering, Yaşar University, Turkey. April 21, 2012 Burak Ekici (Dept. of Comp. Eng.) Advanced & Persistent
More information2012 Bit9 Cyber Security Research Report
2012 Bit9 Cyber Security Research Report Table of Contents Executive Summary Survey Participants Conclusion Appendix 3 4 10 11 Executive Summary According to the results of a recent survey conducted by
More informationWhat is Management Responsible For?
What is Management Responsible For? Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf & Company, P.C Regional
More informationUsing the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6
to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized
More informationCybersecurity Primer
Cybersecurity Primer August 15, 2014 National Journal Presentation Credits Producer: David Stauffer Director: Jessica Guzik Cybersecurity: Key Terms Cybersecurity Information security applied to computers
More informationCONTINUOUS MONITORING
CONTINUOUS MONITORING Monitoring Strategy Part 2 of 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring (CM) and how
More informationGet Confidence in Mission Security with IV&V Information Assurance
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationPROMOTION // TECHNOLOGY. The Economics Of Cyber Security
PROMOTION // TECHNOLOGY The Economics Of Cyber Security Written by Peter Mills Malicious cyber activity, from hacking and identity fraud to intellectual property theft, is a growing problem within the
More informationSystem Security Engineering and Program Protection Integration into SE
System Security Engineering and Program Protection Integration into SE Melinda Reed Deputy Director for Program Protection Office of the Deputy Assistant Secretary of Defense for Systems Engineering 17
More informationHow To Protect Your Data From Theft
Understanding the Effectiveness of a Data Protection Program IIA: Almost Free Seminar 21 June 2011 Agenda Data protection overview Case studies Ernst & Young s point of view Understanding the effectiveness
More informationInformation Security Addressing Your Advanced Threats
Information Security Addressing Your Advanced Threats Where We are Going Information Security Landscape The Threats You Face How To Protect Yourself This Will Not Be Boring What Is Information Security?
More informationFISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationSecurity Compliance In a Post-ACA World
1 Security Compliance In a Post-ACA World Security Compliance in a Post-ACA World Discussion of building a security compliance framework as part of an ACA Health Insurance Exchange implementation. Further
More informationCybersecurity Global status update. Dr. Hamadoun I. Touré Secretary-General, ITU
Cybersecurity Global status update Dr. Hamadoun I. Touré Secretary-General, ITU Cybercrime takes a toll on the global economy - Online fraud, identity theft, and lost intellectual property; - On governments,
More informationPresented By: Corporate Security Information Security Treasury Management
Presented By: Corporate Security Information Security Treasury Management Is Your Business Prepared for a Cyber Incident? It s not a matter of if, it s a matter of when Cyber Attacks are on the Rise; Physical
More informationCybersecurity Awareness. Part 1
Part 1 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat
More information資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系
資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 Outline Infosec, COMPUSEC, COMSEC, and Network Security Why do we need Infosec and COMSEC? Security
More informationCyber Security. John Leek Chief Strategist
Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity
More informationInformation Security Policy
Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current
More informationIdentifying Cyber Risks and How they Impact Your Business
10 December, 2014 Identifying Cyber Risks and How they Impact Your Business David Bateman, Partner, K&L Gates, Seattle Sasi-Kanth Mallela, Special Counsel, K&L Gates, London Copyright 2013 by K&L Gates
More informationJOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015
JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement
More informationHow are we keeping Hackers away from our UCD networks and computer systems?
How are we keeping Hackers away from our UCD networks and computer systems? Cybercrime Sony's Hacking Scandal Could Cost The Company $100 Million - http://www.businessinsider.com/sonys-hacking-scandal-could-cost-the-company-100-million-2014-12
More informationDepartment of Computer & Information Sciences. INFO-450: Information Systems Security Syllabus
Department of Computer & Information Sciences INFO-450: Information Systems Security Syllabus Course Description This course provides a deep and comprehensive study of the security principles and practices
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationSMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015
SMB Data Breach Risk Management Best Practices By Mark Pribish February 19, 2015 Presentation Agenda About Mark Pribish Information Governance The Threat Landscape Data Breach Trends Legislative and Regulatory
More informationI N T E L L I G E N C E A S S E S S M E N T
I N T E L L I G E N C E A S S E S S M E N T (U//FOUO) Malicious Cyber Actors Target US Universities and Colleges 16 January 2015 Office of Intelligence and Analysis IA-0090-15 (U) Warning: This document
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationInformation Security for Managers
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
More informationCYBERSECURITY RISK MANAGEMENT
CYBERSECURITY RISK MANAGEMENT Evan Wolff Maida Lerner Peter Miller Kate Growley 233 Roadmap Cybersecurity Risk Overview Cybersecurity Trends Selected Cybersecurity Topics Critical Infrastructure DFARS
More informationTelemedicine HIPAA/HITECH Privacy and Security
Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least
More informationThe Information Security Problem
Chapter 10 Objectives Describe the major concepts and terminology of EC security. Understand phishing and its relationship to financial crimes. Describe the information assurance security principles. Identify
More informationAND RESPONSE. Continuity Insights Conference Chicago June 18-19, 2013. Unclassified
CYBER THREATS AND RESPONSE Continuity Insights Conference Chicago June 18-19, 2013 Unclassified OBJECTIVES Why it is important Threats, players, and response FBI s Next Generation Cyber Government and
More informationTHE CHANGING FACE OF IDENTITY THEFT THE CURRENT AND FUTURE LANDSCAPE
THE CHANGING FACE OF IDENTITY THEFT THE CURRENT AND FUTURE LANDSCAPE Identity is the unique set of characteristics that define an entity or individual. Identity theft is the unauthorized use of an individual
More informationSecurity and Privacy
Security and Privacy Matthew McCormack, CISSP, CSSLP CTO, Global Public Sector, RSA The Security Division of EMC 1 BILLIONS OF USERS MILLIONS/BILLIONS OF APPS 2010 Cloud Big Data Social Mobile Devices
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationThe Future of Data Breach Risk Management Response and Recovery. The Cybersecurity Forum April 14, 2016
The Future of Data Breach Risk Management Response and Recovery Increasing electronic product life and reliability The Cybersecurity Forum April 14, 2016 Today s Topics About Merchants Information Solutions,
More informationEnvironmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response
Date 06/10/10 Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response 1.0 PURPOSE Implementing Procedure APPROVED: (Signature on File) EMCBC Director ISSUED
More informationFERPA: Data & Transport Security Best Practices
FERPA: Data & Transport Security Best Practices April 2013 Mike Tassey Privacy Technical Assistance Center FERPA and Data Security Unlike HIPAA and other similar federal regulations, FERPA does not require
More informationCYBER SECURITY GUIDANCE
CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires
More informationFBI CHALLENGES IN A CYBER-BASED WORLD
FBI CHALLENGES IN A CYBER-BASED WORLD Federal Bureau of Investigation Assistant General Counsel Robert Bergida 202-651-3209 Overview Cyber Threats FBI Mission FBI Response Terrorism remains the FBI s top
More informationHow To Protect Your Data From Being Hacked
Cyber Division & Manufacturing Division Joint Working Group Cyber Security for the Advanced Manufacturing Enterprise Manufacturing Division Meeting June 4, 2014 Michael McGrath, ANSER michael.mcgrath@anser.org
More informationThe Department of Homeland Security The Department of Justice
The Department of Homeland Security The Department of Justice to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information
More informationAgenda. Introduction to SCADA. Importance of SCADA security. Recommended steps
Agenda Introduction to SCADA Importance of SCADA security Recommended steps SCADA systems are usually highly complex and SCADA systems are used to control complex industries Yet.SCADA systems are actually
More informationFINAL // FOR OFFICIAL USE ONLY. William Noonan
FINAL // FOR OFFICIAL USE ONLY William Noonan Deputy Special Agent in Charge United States Secret Service Criminal Investigative Division Cyber Operations Branch Prepared Testimony Before the United States
More informationSample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat
Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health
More informationExecutive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6
Securing the State Of Michigan Information Technology Resources Table of Contents Executive Overview...4 Importance to Citizens, Businesses and Government...5 Emergency Management and Preparedness...6
More informationReducing Cyber Risk in Your Organization
Reducing Cyber Risk in Your Organization White Paper 2016 The First Step to Reducing Cyber Risk Understanding Your Cyber Assets With nearly 80,000 cyber security incidents worldwide in 2014 and more than
More informationCybersecurity Threats, Responses & Best Practices Claudia Rast Butzel Long rast@butzel.com Scott Bailey N1 Discovery scott.bailey@n1discovery.
Cybersecurity Threats, Responses & Best Practices Claudia Rast Butzel Long rast@butzel.com Scott Bailey N1 Discovery scott.bailey@n1discovery.com Stewart Nelson Kapnick Insurance Group Stewart.Nelson@kapnick.com
More informationOFFICE OF THE SECRETARY OF DEFENSE 1700 DEFENSE PENTAGON WASHINGTON, DC 20301-1700
OFFICE OF THE SECRETARY OF DEFENSE 1700 DEFENSE PENTAGON WASHINGTON, DC 20301-1700 OPERATIONAL TEST AND EVALUATION AUG 0 1 2014 MEMORANDUM FOR COMMANDER, ARMY TEST AND EVALUATION COMMAND COMMANDER, AIR
More informationActions and Recommendations (A/R) Summary
Actions and Recommendations (A/R) Summary Priority I: A National Cyberspace Security Response System A/R 1-1: DHS will create a single point-ofcontact for the federal government s interaction with industry
More informationTHE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY
THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY DISCLAIMER Views expressed in this presentation are not necessarily those of our respective Departments Any answers to questions are our own opinions
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More informationNSA Surveillance, National Security and Privacy
NSA Surveillance, National Security and Privacy Ir Roy Ko Former HKCERT Manager 20 August 2014 HKIE Veneree Club 1 Agenda Background Edward Snowden National Security Agency (NSA) What NSA has done PRISM
More informationPractical Steps To Securing Process Control Networks
Practical Steps To Securing Process Control Networks Villanova University Seminar Rich Mahler Director, Commercial Cyber Solutions Lockheed Martin Lockheed Martin Corporation 2014. All Rights Reserved.
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationInformation Security Law: Control of Digital Assets.
Brochure More information from http://www.researchandmarkets.com/reports/2128523/ Information Security Law: Control of Digital Assets. Description: For most organizations, an effective information security
More informationCybercrime: risks, penalties and prevention
Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,
More informationIT Security Management Risk Analysis and Controls
IT Security Management Risk Analysis and Controls Steven Gordon Document No: Revision 770 3 December 2013 1 Introduction This document summarises several steps of an IT security risk analysis and subsequent
More informationCapabilities for Cybersecurity Resilience
Capabilities for Cybersecurity Resilience In the Homeland Security Enterprise May 2012 DHS Cybersecurity Strategy A cyberspace that: Is Secure and Resilient Enables Innovation Protects Public Advances
More information