WELCOME TO THE 21 ST ANNUAL DEFENSE SECURITY SERVICE JULY 21, 2017 ALEXANDRIA, VIRGINIA. Partnering with Industry to Protect National Security

Transcription

1 WELCOME TO THE 21 ST ANNUAL DEFENSE SECURITY SERVICE JULY 21, 2017 ALEXANDRIA, VIRGINIA

2 Like us on Facebook at DSS.stakeholders

3 Setting the Stage Mr. Fred Gortler III, DSS

4 Agenda (AM) 8:00 AM 8:10 AM Administrative Notes Mr. Jeff Cavano, DSS 8:10 AM 8:40 AM Setting the Stage Mr. Fred Gortler III, DSS 8:40 AM 9:15 AM Keynote: DSS in Transition Mr. Dan Payne, DSS Director 9:15 AM 10:00 AM Applied Case Study Mr. Gus Greene, DSS Mr. Andrew Winters, DSS Mr. Brian Prioletti, Industry 10:00 AM 10:15 AM Break Refreshments in the lobby 10:15 AM 11:45 AM Sharpening OD/PH Roles Roundtable Discussion Mr. Chris Griner, Industry The Honorable Dov Zakheim, Industry Ms. Giovanna Cinelli, Industry Mr. David Langstaff, industry Mr. Frank Finelli, Industry Moderator: Ms. Nicoletta Giordani, DSS 11:45 AM 1:00 PM Lunch Cafeteria/Local Area (pay as you go)

5 Agenda (PM) 1:00 PM 2:15 PM FSO and OD/PH Panel: GSC Cooperation, Best Practices and Challenges The Honorable Dean Popps, Industry Lt. Gen. William Donahue, USAF (Ret.), Industry Mr. Richard Ray, Industry Mr. Alexander Layser, DSS Mr. William Cooper, DSS Moderator: Ms. Allyson Renzella, DSS 2:00 PM 3:00 PM Supply Chain Threat Challenges Mr. William Stephens, DSS 3:00 PM 3:15 PM Break Refreshments in the lobby 3:15 PM 3:45 PM Insider Threat Best Practices Panel Mr. Phil Robinson, Industry Mr. Thomas Langer, Industry Mr. JC Dodson, Industry Mr. Booker Bland, DSS Mr. Keith Minard, DSS 3:45 PM 4:15 PM Addressing the Cyber Threat: An OD s Perspective on What can be Done in the Board Room Mr. Robert Reynolds, Industry 4:15 PM 4:30 PM Summary/Closing Mr. James Kren, DSS Deputy Director

6 DSS in Transition Mr. Daniel Payne, DSS Director

7 New DSS Methodology

8 Applied Case Study Mr. Gus Greene, DSS Mr. Andrew Winters, DSS Mr. Brian Prioletti, Industry

9 New DSS Methodology

10 Sharpening OD/PH Roles Roundtable Discussion Mr. Chris Griner, Industry The Honorable Dov Zakheim, Industry Ms. Giovanna Cinelli, Industry Mr. David Langstaff, Industry Mr. Frank Finelli, Industry Moderator: Ms. Nicoletta Giordani, DSS

11 OD/PH Panel: GSC Cooperation, Best Practices and Challenges The Honorable Dean Popps, Industry Lt. Gen. William Donahue, USAF (Ret.), Industry Mr. Richard Ray, Industry Mr. Alex Layser, DSS Mr. Will Cooper, DSS Moderator: Ms. Allyson Renzella, DSS

12 Supply Chain Threat Challenges Mr. William Stephens, DSS

13 We Are In A Fight The Prize: Technology in the National Industrial Security Program The Front Line: Your Firms Disposition: Our adversaries have the initiative

14 Our Adversaries Have The Initiative i.e., WE ARE LOSING!

15 What Can You Do? Know the threats and vulnerabilities reported by your firm, how they relate to the larger threat picture and ensure your firm moves to mitigate Your reporting has been stronger than ever, but Embrace CI & Security as a Business Discriminator Best Practices Ensure a skilled professional is leading your CI & Security effort Have them report directly to the CEO Commit to a robust insider threat capability Commit to a continuous monitoring of your supply chain Do you know?

16 Questions?

17 Insider Threat Best Practices Panel Mr. Phil Robinson, Industry Mr. Thomas Langer, Industry Mr. JC Dodson, Industry Mr. Booker Bland, DSS Mr. Keith Minard, DSS

18 Addressing the Cyber Threat: An OD s Perspective on What can be Done in the Board Room Mr. Robert Reynolds, Industry

19 Managing Company Cyber Security Some thoughts

20 Threat, Vulnerability, Impact, Risk (TVIR) Threat to networks: Nation-state driven (purchase criminal gang support) Persistent, deep bench But not unlimited (we all have budgets, need to show results) So far, little in the way of sophisticated attacks (zero day; specific code) Attacks based on simple techniques, hinging on our exploitable weaknesses for success Phishing malware; weak or no passwords; vendor network access; connected home computers; company laptops overseas, etc. Vulnerabilities: see above

21 Threat, Vulnerability, Impact, Risk (Continued) Impact To determine the level of protection needed, look at what there is to lose of value to customer, company Company proprietary data of great interest Company personnel info (SSN, level of clearance, wage garnishments, etc.) RFPs, Proposals on sensitive work What data would the customer hate to lose Ship drawings; communications frequencies, usage, etc.; ITAR; FOUO Risk: How weak are cyber protections against standard cyber techniques, and what is the impact of losing the data under company protection

22 Thanks, but I knew that Now what? Steps the GSC, Board can take to reduce risk Company to complete risk assessment, assign a score Be prepared for everything s great Focus only on protecting the border, or also on detecting and stopping intrusions? Probe risk score by: Identifying the company in-house or external cyber expertise; how strong, how is it used? IA, patching, software upgrades, network analysis; employee training; penetration testing; data analytics Reviewing policies/procedures on phishing, laptops; employee training Comparing risk to resources expended Does company currently comply with DFAR, FAR, NIST requirements?

23 If risk viewed as too great, after review Develop a plan to decrease risk, with a way to measure improvement, keep focus on issue Plan needs to include assumption that intruder gets in the network Detect, mitigate damage, remove from network Follows some thoughts on ideas to determine and reduce the risk, presented with increasing complexity, cost and resource needs

24 Additional questions to ask Is the company using at least 2-factor authentication and strong passwords? Consider removing unneeded data (closed contracts, ships drawings, ITAR, old government data, etc.) from the network to archives, thinning out what would be available to a cyber attack. Consider encrypting-at-rest data on the network that is deemed sensitive to the company or the government customer. (Personnel information, major bid efforts, active ITAR, etc.) Consider changing file names on the network that help target information of interest to the hacker, who needs ways to identify info of value for exfiltration ("F-22" becomes "Project Blue") Over the top: put in a host of encrypted useless files with very attractive names. Give discussion of network security a regularly scheduled timeslot at the quarterly GSC meeting. Does the company have or need a specific budget for network security? Do procedures exist to limit vendor and other outside access to the network, and to remove that access when no longer needed? Are vendors evaluated for their own robustness in cyber?

25 Additional questions to ask Does security training incorporate on a real-time basis actual phishing and other attacks on the network, to highlight the issue for the first line of defense-our employees? Is VPN required for all employees signing in remotely? What are company policies on traveling overseas with a company laptop? Encryption of data? Onetime use of a laptop cleaned upon return? Does the threat/vulnerability of the network, combined with the sensitivity of client data warrant a company CISO position? Does the company cyber protection plan only focus on preventing a breach (protecting the front door), or does it also include an approach to quickly detecting and blocking exfiltration of data? What devices are used for these purposes, and are they sufficient? Does the company periodically conduct an independent evaluation of the network, using outside experts? Is there sufficient risk to warrant the creation of a security operations center or network operations center, collecting real-time data on attacks, breaches, etc. If the company has such, is there a clear and defined method to analyze the data and respond?

26 Summary/Closing Mr. James Kren, DSS Deputy Director