PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS



Similar documents
Defending Against Data Beaches: Internal Controls for Cybersecurity

Cybersecurity Report on Small Business: Study Shows Gap between Needs and Actions

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs

U. S. Attorney Office Northern District of Texas March 2013

Incentives for Improving Cybersecurity in the Private Sector: A Cost-Benefit Perspective

How To Understand And Understand Risk Management

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Security Practices for Online Collaboration and Social Media

US House Energy and Commerce Committee. Commerce, Manufacturing, and Trade Subcommittee

Data Management & Protection: Common Definitions

DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS?

Managing Security and Privacy Risk in Healthcare Applications

OCIE Technology Controls Program

The FBI and the Internet

Office of Emergency Communications (OEC) Mobile Applications for Public Safety (MAPS)

TUSKEGEE CYBER SECURITY PATH FORWARD

I N T E L L I G E N C E A S S E S S M E N T

Cybersecurity for the C-Level

Cybersecurity: What CFO s Need to Know

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media

National Cyber Security Strategies: United States

ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY

Cyber Security. John Leek Chief Strategist

CYBERSPACE SECURITY CONTINUUM

Actions and Recommendations (A/R) Summary

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

The Information Security Problem

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

4 Ways an Information Security Analyst Improves Business Productivity

2012 Bit9 Cyber Security Research Report

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

How are we keeping Hackers away from our UCD networks and computer systems?

INFORMATION SECURITY FOR YOUR AGENCY

CYBER SECURITY GUIDANCE

Cybersecurity. Are you prepared?

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

OCR LEVEL 3 CAMBRIDGE TECHNICAL

University System of Maryland University of Maryland, College Park Division of Information Technology

DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?

The Impact of Cybercrime on Business

Small Business Cybersecurity Dos and Don ts. Helping Businesses Grow and Succeed For Over 30 Years. September 25, 2015 Dover Downs

2012 Endpoint Security Best Practices Survey

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

White Paper on Financial Industry Regulatory Climate

Executive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6

Cyber Risks and Insurance Solutions Malaysia, November 2013

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

Cybersecurity and the Threat to Your Company

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

NATIONAL CYBER SECURITY AWARENESS MONTH

Cybersecurity Primer

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

THE WHITE HOUSE Office of the Press Secretary

Information Security Awareness Training and Phishing

Data Breach Response Planning: Laying the Right Foundation

Advanced Cyber Threats in State and Local Government

OCIE CYBERSECURITY INITIATIVE

SMALL BUSINESS PRESENTATION

INVESTING IN CYBERSECURITY:

Network Security Policy

PACB One-Day Cybersecurity Workshop

Cybersecurity Global status update. Dr. Hamadoun I. Touré Secretary-General, ITU

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

CYBER SECURITY INFORMATION SHARING & COLLABORATION

ITAR Compliance Best Practices Guide

DeltaV System Cyber-Security

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

Top tips for improved network security

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

September 20, 2013 Senior IT Examiner Gene Lilienthal

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Middle Class Economics: Cybersecurity Updated August 7, 2015

Nuclear Security Requires Cyber Security

What is Management Responsible For?

Presented By: Corporate Security Information Security Treasury Management

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

US-CERT Overview & Cyber Threats

Data Security. The dominant business communication tool

Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3

Data Security Incident Response Plan. [Insert Organization Name]

Category: Title of Nomination. Project Manager: Job Title: Agency: Department: Address: City: State:

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Cybercrime in the Automotive Industry How to improve your business cyber security

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

A Small Business Approach to Big Business Cyber Security. Brent Bettis, CISSP 23 September, 2014

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW TECHNOLOGY AND TELECOM COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

IIABSC Spring Conference

PROPOSED INTERPRETIVE NOTICE

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014

CHIS, Inc. Privacy General Guidelines

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

WRITTEN TESTIMONY BEFORE THE HEARING ON PROTECTING PERSONAL CONSUMER INFORMATION FROM CYBER ATTACKS AND DATA BREACHES MARCH 26, :30 PM

State of Security Survey GLOBAL FINDINGS

2014: A Year of Mega Breaches

A Systems Engineering Approach to Developing Cyber Security Professionals

Transcription:

CYBERSECURITY PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS by Dr. Lawrence A. Gordon (Lgordon@rhsmith.umd.edu) EY Professor of Managerial Accounting and Information Assurance Affiliate Professor in University of Maryland Institute for Advanced Computer Studies Robert H. Smith School of Business, University of Maryland, College Park, MD The cyber threat is one of the most serious economic and national security challenges we face as a nation and America's economic prosperity in the 21st century will depend on cybersecurity (from: Foreign Policy, the White House, President Barack Obama, see: http://www.whitehouse.gov/issues/foreign-policy/cybersecurity, italics added) April 11, 2014 1

FRAMEWORK FOR VIEWING CYBERSECURITY Hackers Sources of Threats Terrorists Cyber Criminals Insiders Nation States CYBERSECURITY * Key Disciplines Impacting Cybersecurity Attributes of Cyberspace & Computer Networks *Cybersecurity = Protection of information transmitted via computer networks, including the Internet. Cybersecurity objectives are: (1) to protect the confidentiality of private information, (2) assure the availability of information to authorized users on a timely basis, and (3) protect the integrity (i.e., accuracy, reliability and validity) of information (Gordon, L. A. and M. P. Loeb, MANAGING CYBERSECURITY REOURCES: A Cost-Benefit Analysis, McGraw-Hill, Inc., 2006, p. 10). Authentication and nonrepudiation are considered subsets of availability. 2

EXAMPLES OF CYBERSECURITY TACTICS USED BY SOURCES OF THREATS 1. Malware Attacks (i.e., malicious software, that includes viruses, worms, spyware, etc.) 2. Spear Phishing (message that appears to be coming from a known firm or friend, trying to get unauthorized access to confidential information) 3. Social Engineering (tricking people into revealing confidential information, such as a password) 4. Hijacking Domain Name System-DNS is like an Internet phone book changing the comp. hostname into an IP address (i.e., numerical label) 5. Theft of Intellectual Data or Property 6. Theft of Desktop & Laptop Computers 7. Theft of Mobile Devices 3

SECURITY PROCESSES TO PREVENT AND DETECT CYBERSECURITY BREACHES 1. Annual cybersecurity training for employees 2. Anti-malware systems for prevention and detection 3. Network segmentation with use of firewalls 4. Encryption Techniques 5. Behavioral network analysis and monitoring 6. Access controls (e.g., 2-factor authentication for remote access) 7. Tokenization to protect information stored in system 8. Intrusion detection systems Above processes were all in place at Neiman Marcus prior to security breach, as noted by Michael Kingston, firm s Senior VP & CIO (see: http://www.c-span.org/video/?317614-1/houseenergy) 4

QUESTIONS for John Mulligan (TARGET S EXECUTIVE VP & CFO) & Michael Kingston (Neiman Marcus Senior VP & CIO) at CONGRESSIONAL TESTIMONY (2/5/14) 1. How Much Does Your Company Invest in Cybersecurity? Answer: Hundreds of Millions and Tens of Millions over past several years. Comment: No discussion on how these amounts were determined. 2. How Much Did the Recent Cybersecurity Breach Cost the Company? Answer: Too early to tell. Comment: Full economic cost of a breach needs to consider implicit, as well as explicit, private costs and externalities. 3. What Security Processes Were in Place Prior to Recent Security Breach? See previous slide. Comment: 100% security is not possible. 4. How much Information Sharing of Cybersecurity Issues Takes Place in Industry? Answer: Some, but no ISAC for Retail Industry. Comment: There should be an ISAC for the Retail Industry. 5

MARYLAND s PRIORITIES AND RECOMMENDATIONS (see: CYBERMARYLAND at: http://www.choosemaryland.org/aboutdbed/documents/finalcyberreport.pdf) Priority I: Support the Creation and Growth of Innovative Cyber Security Technologies Priority II: Develop a Maryland Pipeline for New Cyber Security Talent and Workforce Development Priority III: Advance Cyber Security Policies to Position Maryland for Enhanced National Leadership Priority IV: Ensure the Sustained Growth and Future Competitiveness of Maryland s Cyber Security Industry 6

POWERING MARYLAND FORWARD: USM's 2020 Plan for More Degrees, A Stronger Innovation Economy*, A Higher Quality of Life (http://www.usmd.edu/10yrplan/) 1. Helping Maryland achieve its goal of 55-percent college degree completion ; 2. Advancing Maryland's competitiveness in the innovation economy by building on existing levels of research funding and more successfully translating that research in economic activity. The plan calls for the creation of 325 new companies, five internationally recognized research centers of excellence by 2020, and a culture of innovation and entrepreneurship throughout the USM; 3. Transforming the academic model with course redesign strategies that help students understand material, complete their degrees, and become better-qualified for the workforce; 4. Identifying new ways to build on more than $200 million in direct cost savings already achieved through USM's existing efficiency efforts, pledges, & federated capital campaign, ; 5. Achieving and sustaining national eminence through the quality of USM's programs, people, and facilities. *An Innovation Economy focuses on Knowledge, technology, entrepreneurship, and innovation (http://en.wikipedia.org/wiki/innovation_economics). 7

ACTIONS USM s Board of Regents Could Take to Facilitate Maryland Being Viewed as the Epicenter of the Cybersecurity Industry 1. Establish USM CYBERSECURITY EDUCATION AND RESEARCH PROJECT (USM CER Project). Goals of USM CER Project: (a) encourage innovative interdisciplinary, and inter-institutional, cybersecurity education and research programs at USM, emphasizing partnerships among businesses, government agencies, and academia, (b) facilitate the transfer and commercialization of USM cybersecurity research, (c) identify best cybersecurity programs and encourage the adoption of similar programs throughout USM, (d) establish semester long cybersecurity executive-in-residence, and cybersecurity faculty-in-residence, programs among USM institutions and major corporations/government institutions. 2. Establish A CYBERSECURITY BUSINESS CLINIC (see Clinics at Law & Medical Schools) to: (a) provide services to facilitate growth of small and medium size cybersecurity businesses in MD (including assistance with business plan, obtaining venture capital, legal issues, technical issues, etc.), (b) assist MD organizations with decisions regarding the cost-benefit aspects of cybersecurity investments, (c) assist MD organizations with cybersecurity risk management. 8

CYBERSECURITY ECONOMICS (Questions Underlying Gordon/Loeb Research) 1. What is the economic impact of cybersecurity breaches on firms? 2. How much should a corporation invest in cybersecurity activities & how should it be allocated? 3. What economic incentives/regulations are required to encourage firms to invest in cybersecurity and to share cybersecurity related information? 4. What Is the best way to conduct Cybersecurity Risk Management? 5. What are the effects of the Sarbanes-Oxley Act of 2002, and the 2011 SEC s Disclosure Guidance on Cybersecurity Risks and Cyber Incidents, on the cybersecurity activities of corporations? 6. How can we develop a vibrant cybersecurity insurance market? 7. What is the economic process for cybersecurity technology transfer and commercialization? 9

APPENDIX: NATIONAL STRATEGY FOR COMBATING THREATS NATIONAL STRATEGY FOR HOMELAND SECURITY (see: http://www.dhs.gov/xlibrary/assets/nat_strat_homelandsecurity_2007.pdf) 1. Prevent and Disrupt Terrorist Attacks 2. Protect the American People, Critical Infrastructure, and Key Resources (see President Obama s February 12, 2013, Executive Order 13636) 3. Respond to and Recover from Incidents 4. Ensuring Long-Term Success U.S. International Strategy for Cybersecurity (May 2011, https://www.enisa.europa.eu/activities/resilience-and-ciip/national-cyber-security-strategies-ncsss/international_strategy_for_cyberspace_us.pdf) Policy Priorities 1. Economy: Promoting International Standards and Innovative, Open Markets 2. Protecting our Networks: Enhancing Security, Reliability and Resiliency 3. Law Enforcement: Extending Collaboration and the Rule of Law 4. Military: Preparing for 21st Century Security Challenges 5. Internet Governance: Promoting Effective and Inclusive Structures International Development: Building Capacity, Security, and Prosperity 6. International Development: Building Capacity, Security, and Prosperity 7. Internet Freedom: Supporting Fundamental Freedoms and Privacy 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information