Fasoo and the New Jersey Technology Council sponsored “Closing the Threat Gap: Executive Perspectives on the Cybersecurity Landscape” at the Stevens Institute of Technology in Hoboken, New Jersey on October 26, 2016. The event featured cyber security leaders discussing the effects of internal and external threats to businesses. There was a great turnout with some existing Fasoo customers, executives, attorneys, risk officers, CISOs, IT and security professionals from numerous organizations in the greater NY area. Common feedback from the event was an appreciation for understanding the larger cyber security landscape and how everything from drones to DDoS attacks can affect their companies and personal lives.
Dr. Larry Ponemon, Chairman of the Ponemon Institute, was the first keynote speaker. He talked about the increased threat landscape and how trusted insiders are fast becoming one of the main threats to organizations. Citing the recent study “Risky Business: How Company Insiders Put High Value Information at Risk”, he emphasized how ill-prepared many companies are to detect and prevent data breaches from trusted insiders, with over 70 percent of companies not confident they can manage and control employee access to confidential files. Dr. Ponemon also talked about results from “The Rise of Nation State Attacks”, citing organizations’ lack of readiness to respond to nation state attacks due to uncertainty as to what a nation state attack is and how to identify the key characteristics, methods and motives of these attacks.
Mark Lobel, US and Global TICE Cybersecurity Leader at PwC, focused his keynote on results of the recent PwC “Global State of Information Security Survey 2017”. Mark mentioned that spending on security is increasing in most organizations and many are realizing that they have to concede the perimeter. With increasing threats and the landscape constantly shifting to include IoT devices and greater mobility of the workforce, the need for better threat intelligence, monitoring and protection of high value assets is greater than ever. We still need perimeter security, but companies need to focus on preventing the exfiltration of sensitive information by either hackers or insiders through sophisticated means. Mark used the analogy of cyber security being like a game of chess with the kings removed. You can never win, and it’s a constant battle to keep ahead of the exploits and vulnerabilities.
A panel discussion moderated by Dr. Paul Rohmeyer, Associate Professor of Information Security Management and Risk Assessment at Stevens, covered recent cyber security events and some major trends going forward. The panel consisted of Mark Lobel, Dr. Larry Ponemon, Michael Frank, President at Secure Business Strategies, and Mike Miracle, an executive at BlackRidge Technology. There was a lively discussion of the recent DDoS attack that crippled major websites, like Netflix and Twitter. This led to audience interaction as the panel and audience members discussed who is responsible for the security of a product. Should the manufacturer build security into the product, or is it the responsibility of the organization implementing the product to ensure that the network and access to the product and its data are secure? Or, in the case of DDoS, is it up to the telecoms to block that traffic?
In the case of IoT devices, like those used for the DDoS attack, the consensus was that the manufacturer needs to build security in, but in many cases there are no standards or certifications available to ensure security. One panelist mentioned wanting something similar to the Underwriters Labs (UL) mark to ensure safety and security. There were discussions about the increasing sophistication of attacks from hackers and how best to prevent attackers from taking down your systems or, more commonly, stop someone from stealing your most sensitive information. It is most important to secure the data itself so that if it gets into the wrong hands, it is still protected.
There was one question from the audience about legal responsibility when organizations share information on attacks with the goal of improving their security. The guidelines for what to share and how are still being developed and debated. Numerous Information Sharing and Analysis Organizations (ISAOs) do exist, but the sharing of attack and vulnerability information is still a work in progress. It may make sense technically to share, but if you are sharing sensitive data with a competitor that might potentially use it against you, you are less likely to share it.
There was also a lot of discussion on how process and policy need to go hand in hand with technology. While the goal is to simplify security so that the user is unaware of it, the reality is that policy and process are needed to guide technology. I can have the best technology, but if it’s not used properly and people ignore security basics, they will ultimately get in trouble. Organizations need a combination of good policy, process and technology. While the goal is to improve our machine learning capabilities to take the human out of the cyber security decision tree, people are still at the heart of both the problem and the solution.