Thursday, February 23, 2017

Cyber Security & Risk Mgmt Summit by Technology Executives Club

First time attending, and it was a good day's conference (liked the Lake Forest Grad. location): well represented by companies and leaders in the area, and a good handful of vendors too

Key cyber topics mentioned:
  • Top priorities: End users being phished and the aftermath, yes - Ransomware, Don't know what we don't know (visibility); and 3rd party (vendors requiring remote connection into the company and their ability to maintain appropriate security on their own end)
  • Vendor identified common thread/threats include: APT, Nation-state and of course phishing clicks
  • ISACA top 3 threats: Social Engineering 52%, Insider Threat 40% and Advanced Persistent Threat 39%
  • Action items: Look for anomalous, not just malicious
  • Talent gap another theme in the industry - since automation can only go so far
  • Incidents will happen, just don't let the same happen twice - investigate / learn from experience 
  • Risk management needs to be integrated, and Privacy is required but not necessarily the same agenda as Security
  • Remember security is behavior and economics
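The "look for anomalous, not just malicious" action item is easier to see in code than in a bullet. The block below is an added example, not something from the conference or its speakers: one constructed auth log is run through a known-indicator match and then through a per-user baseline comparison, and the second check flags a service account that no blocklist would ever catch. The log lines, the indicator list and the baseline counts are all constructed for the example.

```python
"""Added example (not from the conference notes): the same constructed auth log
run through (a) a known-malicious indicator match and (b) a per-user baseline
comparison, to show what "anomalous, not just malicious" adds in practice."""
import re
import statistics
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed line format: "<timestamp> auth user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed baseline (assumption): daily login counts per user over the prior week.
BASELINE: Dict[str, List[int]] = {
    "alice": [4, 5, 6, 5, 4, 5, 6],
    "bob": [2, 3, 2, 2, 3, 2, 3],
    "svc-backup": [1, 1, 1, 1, 1, 1, 1],
}

# Constructed indicator list; 203.0.113.0/24 is a documentation range, not a real IoC.
KNOWN_BAD_SOURCES: Set[str] = {"203.0.113.7"}

# Constructed log for one day.
LOG_LINES: List[str] = [
    "2017-02-23T08:01:12 auth user=alice src=10.0.0.5 result=ok",
    "2017-02-23T09:15:40 auth user=alice src=10.0.0.5 result=ok",
    "2017-02-23T11:02:03 auth user=alice src=10.0.0.5 result=ok",
    "2017-02-23T13:47:19 auth user=alice src=10.0.0.5 result=ok",
    "2017-02-23T16:30:55 auth user=alice src=10.0.0.5 result=ok",
    "2017-02-23T09:10:01 auth user=bob src=10.0.0.9 result=ok",
    "2017-02-23T09:41:33 auth user=bob src=10.0.0.9 result=ok",
    "2017-02-23T23:52:07 auth user=bob src=203.0.113.7 result=ok",
    "2017-02-23T12:00:00 auth user=mallory src=10.0.0.77 result=fail",
]
# A service account that normally logs in once a day logs in 40 times from its
# usual address: nothing on any blocklist, but far outside its own baseline.
LOG_LINES += [
    f"2017-02-23T03:{i:02d}:00 auth user=svc-backup src=10.0.0.20 result=ok"
    for i in range(40)
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_known_bad(lines: List[str], bad_sources: Set[str]) -> List[Dict[str, str]]:
    """Signature-style check: events whose source address is on the indicator list."""
    events = [e for e in map(parse_line, lines) if e]
    return [e for e in events if e["src"] in bad_sources]


def find_anomalous(
    lines: List[str], baseline: Dict[str, List[int]], z_threshold: float = 3.0
) -> Dict[str, Optional[float]]:
    """Baseline check: users whose login count today deviates from their own history.

    Returns {user: z_score}. z is None for a user with no baseline at all, who is
    reported because "never seen before" is itself anomalous. The standard deviation
    is floored at 1 event so a perfectly constant history still gives a finite score.
    """
    counts = Counter(e["user"] for e in map(parse_line, lines) if e)
    flagged: Dict[str, Optional[float]] = {}
    for user, count in counts.items():
        history = baseline.get(user)
        if not history:
            flagged[user] = None
            continue
        mean = statistics.mean(history)
        spread = max(statistics.pstdev(history), 1.0)
        z = (count - mean) / spread
        if abs(z) >= z_threshold:
            flagged[user] = z
    return flagged


if __name__ == "__main__":
    for e in find_known_bad(LOG_LINES, KNOWN_BAD_SOURCES):
        print(f"known-bad source: user={e['user']} src={e['src']} at {e['ts']}")
    for user, z in find_anomalous(LOG_LINES, BASELINE).items():
        print(f"anomalous: user={user} z={'no baseline' if z is None else round(z, 1)}")
```

The indicator match finds exactly one event (bob from the listed address); the baseline check finds the service account and the never-seen user, neither of which any signature could know about. In a real deployment the baseline would come from the SIEM's own history rather than a hard-coded dict, and the threshold would be tuned per account type.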

Wednesday, February 22, 2017

RSAC in a flash – quotes, opinions, trends from some of the presentations

No resounding theme this year (compared to last) outside of the words: Ransomware, DDoS, Machine Learning, and overuse of “pivot”
  • Security by obscurity is not security but a fallacy
  • PLCs lack programming interfaces for solid password authentication and overall security
  • Incident Response
    • Availability – does not mean a fire extinguisher everywhere
    • Budget – there will be unexpected cost
    • Collaborate – with all groups and roles, with frequency
    • Plan – for chaos
  • Pay ransom sometimes (70% do and 20% over $40K), when you don't have backup or can't recover timely
  • Security awareness strategy answers who, what and how – make it simple and don’t assume
  • Uptick in HealthCare attacks
  • Must lead without authority
  • Machine Learning is the wave but is enhanced with GPO to speed up reaction
  • 7 factors of organizational management
    • Gain command of the facts
    • Get the business to own risk
    • Embrace the change agent role
    • Run InfoSec like a business
    • Build a technical and business capable team
    • Communicate the value
    • Organize for success
  • CISO Impact Quotient equals a 5-7 year journey before trust and value are seen/woven into the organization
  • Building confidence is your first objective; and having a plan; as well as tying it back to the most critical business function
  • Driver for Maturity is from Compliance to Solution to Vulnerability to Threat modeling/detection focused
  • Change your habits and change your life
  • 3 critical skills for better decisions and greater influence
    • Self-awareness – clarity in thinking and feeling
    • Deep work – attention management vs. time management
    • Mindfulness and mentalizing
  • Mandatory data breach notification is no longer just an option, including notification within 72 hours to the Data Protection Agency
  • Burden of proof lies in the ability to prove (substance) unauthorized access/processing did NOT occur
  • EU personal data definition is any information related to an identified or identifiable natural person, so it differs from the US’s SSN and Driver’s License Number
  • EU fines are up to 4% of global turnover or €20,000,000
  • Practicing fire drills is necessary – hands on exercise to test incident handling
  • Variant of important trifecta is Speed, Security and Variability (aka cost)
  • MARCI chart plots risks along impact and vulnerability with speed of risk (aka velocity)
  • Diversity makes you smart; current role diversity is 31% Boomers, 38% Gen X and 46% Millennials
  • Cyber skills shortage continues to rise
  • 93% of organizations take just minutes to compromise (Synack)
  • Few Good Links

Tuesday, February 14, 2017

C-level Tenure

Study/Pic from the Wall Street Journal - IT Execs are younger and generally in role 1 year less than other Execs


Wednesday, February 8, 2017

Cloud storage dilemma in a Corporate setting - Top10

How much do you really know about the providers’ encryption key management, or the shared virtualized environment?

Would a 3-tiered model for cloud storage be applicable, e.g. Sanctioned, Tolerated and Unsanctioned, taking into account the following considerations (Top 10)?
  1. Policy driven - Acceptable Use, Data Classification and Retention
  2. Strong password 
  3. Multi-factor authentication
  4. MDM: Access via managed devices only and limit linked applications or unsupported software connection
  5. Granular file security including share provisioning
  6. Encryption at-rest, in transit
  7. Timely patching – full cycle, all devices
  8. Data Loss Prevention enabled
  9. Country location based storage
  10. Rich feature enabled e.g. user notification for login of new devices
What’s your flavor: SharePoint, Salesforce, Box, IDrive, OneDrive, GoogleDrive, DropBox, JustCloud, SugarSync, Prezi, Mega, Zippyshare, Carbonite, BackBlaze, CrashPlan, Mozy
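To make the 3-tier idea concrete, here is an added example (mine, not from the post) that turns the Top 10 into named controls and places a provider profile into Sanctioned, Tolerated or Unsanctioned. Which controls are mandatory versus merely desirable, which data classifications each tier may hold, and the three vendor profiles are all assumptions made for the example; the policy item (#1) is applied through the per-tier data classification table.

```python
"""Added example, not from the post: a small policy check that places a cloud
storage provider into the Sanctioned / Tolerated / Unsanctioned tier, using the
Top 10 considerations as named controls."""
from typing import Dict, List, Set, Tuple

# Controls in Top-10 order (item 1, policy, is applied via TIER_ALLOWED_DATA below).
CONTROLS: Tuple[str, ...] = (
    "strong_password",
    "mfa",
    "managed_devices_only",
    "granular_sharing",
    "encryption_at_rest",
    "encryption_in_transit",
    "timely_patching",
    "dlp",
    "country_location_storage",
    "new_device_login_notification",
)
# Assumption: these must hold for a provider to be usable at all.
MANDATORY: Set[str] = set(CONTROLS[:8])
# Assumption: these separate Sanctioned from Tolerated.
DESIRABLE: Set[str] = set(CONTROLS[8:])

# Assumption: the data classification each tier may hold (acceptable-use policy).
TIER_ALLOWED_DATA: Dict[str, Set[str]] = {
    "Sanctioned": {"public", "internal", "confidential"},
    "Tolerated": {"public", "internal"},
    "Unsanctioned": set(),
}


def assess(profile: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Return (tier, failed_controls) for a provider profile.

    A control missing from the profile counts as failed: unknown is treated as
    absent, never assumed present, so an incomplete questionnaire cannot pass.
    """
    failed = [c for c in CONTROLS if not profile.get(c, False)]
    if any(c in MANDATORY for c in failed):
        return "Unsanctioned", failed
    if failed:
        return "Tolerated", failed
    return "Sanctioned", failed


def may_store(profile: Dict[str, bool], classification: str) -> bool:
    """Acceptable-use check: may data of this classification go to this provider?"""
    tier, _ = assess(profile)
    return classification in TIER_ALLOWED_DATA[tier]


# Constructed vendor profiles; names are placeholders, not real providers.
VENDOR_A: Dict[str, bool] = {c: True for c in CONTROLS}
VENDOR_B: Dict[str, bool] = {**VENDOR_A, "country_location_storage": False}
VENDOR_C: Dict[str, bool] = {**VENDOR_A, "mfa": False, "dlp": False}

if __name__ == "__main__":
    for name, prof in (("vendor-A", VENDOR_A), ("vendor-B", VENDOR_B), ("vendor-C", VENDOR_C)):
        tier, failed = assess(prof)
        allowed = sorted(TIER_ALLOWED_DATA[tier])
        print(f"{name}: {tier}; failed={failed or 'none'}; may hold {allowed or 'nothing'}")
```

The fail-closed default on missing keys is the point worth keeping if this is reworked into a real vendor questionnaire: a provider that did not answer the MFA question should land in Unsanctioned until it does, not in Sanctioned by omission.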

Friday, February 3, 2017

Cisco 2017 Annual Cybersecurity Report

Why read when you can look at (lots of) pictures: the continuous evolution of cybercrime, with an expanding attack surface / threat landscape paralleling the increasing cost of a breach; so a holistic approach is necessary to address the necessary items with proper vigilance, to defend turf in a budget-challenged economy and a skill-set-challenged area