Challenges to Better Security in U.S. Elections: The Last Mile
- Barbara Dorcas Cox
- 6 years ago
Slide 1: Challenges to Better Security in U.S. Elections: The Last Mile
2017 State Certification Testing National Conference, Austin, TX, June 19, 2017
Merle King, Kennesaw State University
Brian Hancock, U.S. Election Assistance Commission
6/19/2017
Slide 2: Introduction
Election history is cumulative and repetitive: no issue ever goes away.
- 2000: Interpretation of voter intent and ballot design
- 2004: Emergence of DREs and concerns of vote tampering
- 2008: Voter ID
- 2012: Long lines
- 2016: Cybersecurity
A quick web search of the strings "cybersecurity" + "elections" returns over 12 million hits. Pages, videos, and blogs will be there in 2020 and beyond for rediscovery, recirculation, and interpretation by partisans, activists, and commercial interests.
Slide 3: Challenges to Better Security in Elections
Cybersecurity concerns will stalk future elections and campaigns and become part of the fact and fiction of election lore. It will also become integral to election clean-up legislation and preparation.
State level:
- Statute, rule revision
- Contracts
- Policies and procedures
Local level:
- Review policies and procedures for securing systems
- Double down on what they know how to do, can afford to do, and have time to do
Slide 4: Challenges to Better Security in Elections
Federal level:
- Changing roles for Federal agencies like DHS and EAC
Creating effective, uniform, and scalable policies at federal and state levels is not easy, but perhaps doable. Securing the last mile, the domain of the local election official, may be our greatest challenge. This last mile leads from state systems to thousands of election offices scattered throughout the U.S. Security is not new to local election officials, but cybersecurity is.
Slide 5: Challenges to Better Security in Elections
LEOs are still transitioning from a focus on paper-based and physical security practices to cyber-based ones:
- Locks to login access
- Seals to encryption
- Paper logs to digital logs
- Manual audits to computerized audits
Designing better cybersecurity policies for election offices begins by better understanding what makes the last mile distinctive. Securing the elections' last mile will not be easy, cheap, or fast.
Slide 6: The Last Mile - 1. Election Administration is Distributed and Heterogeneous
- One federal certification authority/standards
- Two VSTLs
- Seven voting system vendors
- Fifty-five SVRS
- Hundreds of election system and service vendors
- Thousands of counties
- Ten thousand election jurisdictions
- Hundreds of thousands of poll workers and volunteers
Systems, policies, resources, and skill sets are not uniform.
Slide 7: The Last Mile - 2. A Chain is as Strong as its Weakest Link
- Over 600K bridges in the U.S. If maintenance is only done where it is best afforded, then our highway infrastructure and functionality is compromised.
- Securing login and credential access in large, technologically sophisticated counties may not improve the overall security of our systems.
- Cybersecurity election vulnerabilities may be concentrated in medium to smaller counties.
- Many elections are determined by a small number of votes.
Slide 8: The Last Mile - 3. Follow the Law - and the Law Requires Accessibility
- Election officials are trained to follow vetted rules and procedures, not improvise.
- Legal accessibility: Rehabilitation Act, ADA, HAVA
- Political accessibility: access to polling locations, services, the ballot
- Last-minute introduction and implementation of cybersecurity procedures is problematic at best, impossible in many cases.
- Election technologies may be locked down months in advance of an election.
- Training scope, topics, and recipients are dictated by code, rule, and practice.
Slide 9: The Last Mile - 4. Static Testing in a Dynamic World
- Testing of voting and election systems makes assumptions about the static nature of risks.
- A long history of human-generated errors is anticipated and mitigated: tabulation, capturing voter intent.
- L&A (logic and accuracy) testing is formulaic.
- Acceptance testing will mirror the strengths and weaknesses of certification testing.
Slide 10: The Last Mile - 5. LEOs are IT Managers, But are They Cyber Warriors?
- LEOs are managing extensive technology portfolios but are dependent upon county IT resources, vendors, and state-level support.
- Cyber Warrior: an IT professional engaged in the infiltration or sabotage of IS, or the defense of IS against outside attack.
- Cyber Warriors typically have substantial academic preparation and persistent professional development activities.
- Salaries in the low $100K vs. the low $30K for election officials.
- The same workstation used to validate and update SVRS records doubles as an Amazon.com shopping portal and a gallery of grandchildren photos on Facebook.
Slide 11: The Last Mile - 6. Legacy Systems are Secure Against Legacy Threats
- Voting systems perform legacy functions: vote capture and tabulation.
- Innovation has not, and for the most part cannot, directly touch these core functions.
- Cybersecurity is a goal with moving targets and moving methods to hit those targets.
- Testing methods must reflect the dynamic environment dictated by cyber threats.
- Voting systems are resistant to the kinds of updates that define modern technology maintenance.
Slide 12: The Last Mile - 7. There is No Downtime to Reconfigure Systems
- Elections are continuous, with overlapping start and stop points.
- Many states have published election calendars but then augment them with specials.
- An election is typically a 120-day event (90 days prior and 30 days post).
- There is no convenient downtime where systems can be pulled, updated, tested, and returned to service.
Slide 13: The Last Mile - 8. Elections are Vendor Supported in Profound Ways
- The involvement of vendors in elections is deep and varied: they manufacture systems, hardware and software; provide support (prepare elections, L&A, conduct elections, print ballots, mail ballots); perform audits; support SVRS.
- The LEO is often a manager of a portfolio of vendor contracts.
- Vendors have built their service and QA models around the needs and resources of their customers, not around more abstract goals of cybersecurity. Focus is on affordable, predictable service with attention to the needs of the LEO, including confidentiality.
- These vendors work at election speed.
- They may not have cybersecurity DNA.
Slide 14: The Last Mile - 9. Elections Move at Their Own Speed
- The election calendar is established by law.
- They start as glaciers and end as raging rivers.
- Once they begin, short of a court order, they will proceed.
- Hardening a component, once an election begins, may not be legally permissible or operationally feasible.
- There is never a good time to address election issues: you are either too early or too late.
Slide 15: The Last Mile - 10. Elections Focus on Detection and Correction Controls, Not Preventative Controls
- Preventative controls, methods of preventing anomalies from occurring, can be expensive and require predictive knowledge. This is why your workstation malware protection 1) costs money, and 2) is updated frequently.
- LEOs have traditionally relied upon paired detective and corrective controls, things like broken seals: identify that an anomaly has occurred, isolate the anomaly from the election, and correct with after-event mitigation.
Slide 16: Implications for Testing - 1. Election Administration is Distributed and Heterogeneous
Testing is as well:
- Federal certification testing to the VVSG.
- State testing to specific requirements.
- Local acceptance testing for RFP and jurisdictional specs.
- Pre- and post-election L&A.
Slide 17: Implications for Testing - 2. A Chain is as Strong as its Weakest Link
- Benefits of the EAC program may be most profound in smaller counties.
- EAC certified systems give LEOs in the Last Mile a minimum floor and confidence that these systems have been carefully reviewed.
- They also provide confidence in some form of oversight and accountability for the vendor/manufacturer.
- The Last Mile may be the most useful focus of EAC work in Managing Election Technology, checklists, etc.
Slide 18: Implications for Testing - 3. Follow the Law - and the Law Requires Accessibility
- EAC has a long history of close cooperation with the accessibility community.
- Accessibility has been the greatest area of improvement in each and every iteration of the VVSG.
- We are striving to achieve this level of cooperation and trust in the security community.
Slide 19: Implications for Testing - 4. Static Testing in a Dynamic World
- It remains to be seen how emerging cybersecurity threats will impact the EAC testing program.
- In order to counter constantly emerging (and, perhaps, unimagined) threats, our program needs to become even more flexible yet increase rigor to some degree.
- Prioritize testing.
- Move towards increasing use of some form of penetration testing.
- We need to develop an even stronger partnership with State and local election officials.
- Use this conference as a springboard?
Slide 20: Implications for Testing - 5. LEOs are IT Managers, but are They Cyber Warriors?
- There will always be limitations to what conformance testing will provide from a cybersecurity standpoint.
- Because most LEOs are not cyber warriors, we will need a strong and reliable connection between the last mile and those who are cyber warriors.
- EAC must cultivate Federal relationships and partnerships with the goals of voicing the opinions and needs of election officials up to DHS/FBI/NIST and keeping open a line of communication on clear and actionable information from those agencies down to the people who can use it.
Slide 21: Implications for Testing - 6. Legacy Systems are Secure Against Legacy Threats
- At some point, legacy systems will need to be replaced.
- The interval between new and obsolete systems will likely narrow even more in the coming years.
- Sufficient new funding is unlikely.
- The challenge then is how to make legacy systems future proof. Several possibilities:
- New functionally based standards with flexible and updatable requirements and test assertions.
- CDF (Common Data Format) and interoperability to provide additional new options in security and other areas.
- Other ideas?
- Future proofing may be difficult in the extreme, but replacing systems is as well.
Slide 22: Implications for Testing - 7. There is No Downtime to Reconfigure Systems
- How do we balance the need for almost constant system modifications with the election calendar?
- Faster modification testing process at both the Federal and State level.
- Define/expand the use of de minimis review of engineering change orders (including software?).
- Provide for an emergency certification process if you do not already have one.
Slide 23: Implications for Testing - 8. Elections are Vendor Supported in Profound Ways
- Nowhere is this more true than in the last mile.
- Few if any current vendors have deep cybersecurity in their DNA.
- Treat all new vendors with care, but welcome new players who may have an incentive to break into the marketplace by providing excellent service at a reasonable cost.
- The best defense against being taken advantage of is knowledge: research new companies, call fellow election officials, and ask for their company Quality Manual (are they accredited to any international standards, such as ISO?).
Slide 24: Implications for Testing - 9. Elections Move at Their Own Speed
- Which moves faster, the elections glacier or cyber-criminals?
- While there is never a great time to.
- Hard questions will be asked from multiple areas unless an attempt is made to address issues.
- Luckily, in many instances, procedural mitigations may be enough, at least temporarily, to continue moving along with the glacier in a responsible manner.
Slide 25: Implications for Testing - 10. Elections Focus on Detection and Correction Controls, Not Preventative Controls
- Preventative controls should be included where possible, but traditional detection may be the best we can hope for in the near future.
- Let other professionals worry about what they (hopefully) do best: let DHS provide information and resources where they can; let the FBI catch the criminals.
- Keep running great elections.
Slide 26: Future Efforts
The highly distributed nature of elections and voting system deployment makes hacking voting systems difficult; it also does not prevent erosion of public confidence in systems and outcomes. The battle to secure systems is being fought on several levels:
- Technological: working with vendors to build better, more secure, more auditable systems.
- Operational: working with states and counties to improve awareness and training of the work force in order to establish a baseline of security.
- Communication: sharing usable information in a timely fashion to prepare election officials and communicate risks to the public and to campaigns.
- Social and psychological: maintaining confidence in systems and processes will maintain confidence in outcomes. Transparency of process.
- Cyber defense: coordinated efforts between states, vendors, and DHS to prevent and detect intrusion and have rapid incident response.
Slide 27: Future Efforts
- Given our new reality, is there a need to reevaluate the election system risk profile?
- The NIST Cybersecurity Framework could provide an outline for risk assessment and mitigation. It allows IT operators to raise risks and possible mitigations to executive decision makers so they can make risk choices. Some states are concerned that it could be used as a leverage point for additional regulation from the federal government.
- Election officials are natural risk managers but may need assistance in determining the new risk environment.
- State testing officials may be best positioned to identify and communicate the new risk environment.
- The human element still remains the biggest risk in the process.
Slide 28: Conclusions and Next Steps
- Training of election officials at all levels, especially locals: principles of IT, cybersecurity.
- Improve the design, implementation, and maintenance of election technologies with attention to security and cybersecurity.
- Make risk-based decisions based on new risk analysis of election systems.
- Leverage vendor QA processes to better ensure the security of their systems and incident response processes.
- Better coordination of local, state, and federal efforts, including improving the timeliness and distribution of intelligence to election officials.
- Build securable systems that integrate procedures.
Slide 29: Questions and Comments?
More informationMachine-Powered Learning for People-Centered Security
White paper Machine-Powered Learning for People-Centered Security Protecting Email with the Proofpoint Stateful Composite Scoring Service www.proofpoint.com INTRODUCTION: OUTGUNNED AND OVERWHELMED Today
More informationNATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium
NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,
More informationEEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,
EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, 2008 www.morganlewis.com Overview Reliability Standards Enforcement Framework Critical Infrastructure Protection (CIP)
More informationFeatured Articles II Security Research and Development Research and Development of Advanced Security Technology
364 Hitachi Review Vol. 65 (2016), No. 8 Featured Articles II Security Research and Development Research and Development of Advanced Security Technology Tadashi Kaji, Ph.D. OVERVIEW: The damage done by
More informationKaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity
Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services
More informationISAO SO Product Outline
Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing
More informationJune 2 nd, 2016 Security Awareness
June 2 nd, 2016 Security Awareness Security is the degree of resistance to, or protection from, harm. if security breaks down, technology breaks down Protecting People, Property and Business Assets Goal
More informationCyber Security Strategy
Cyber Security Strategy Committee for Home Affairs Introduction Cyber security describes the technology, processes and safeguards that are used to protect our networks, computers, programs and data from
More informationYou will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent.
IDPS Effectiveness and Primary Takeaways You will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent. IDPS Effectiveness and Primary
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationCONE 2019 Project Proposal on Cybersecurity
CONE 2019 Project Proposal on Cybersecurity Project title: Comprehensive Cybersecurity Platform for Bangladesh and its Corporate Environments Sector or area: Cybersecurity for IT, Communications, Transportation,
More informationGDPR Update and ENISA guidelines
GDPR Update and ENISA guidelines 2016 [Type text] There are two topics that should be uppermost in every CISO's mind, how to address the growing demand for Unified Communications (UC) and how to ensure
More informationSecurity and resilience in Information Society: the European approach
Security and resilience in Information Society: the European approach Andrea Servida Deputy Head of Unit European Commission DG INFSO-A3 Andrea.servida@ec.europa.eu What s s ahead: mobile ubiquitous environments
More informationCritical Hygiene for Preventing Major Breaches
SESSION ID: CXO-F02 Critical Hygiene for Preventing Major Breaches Jonathan Trull Microsoft Enterprise Cybersecurity Group @jonathantrull Tony Sager Center for Internet Security @CISecurity Mark Simos
More informationRansomware A case study of the impact, recovery and remediation events
Ransomware A case study of the impact, recovery and remediation events Palindrome Technologies 100 Village Court Suite 102 Hazlet, NJ 07730 www.palindrometech.com Peter Thermos President & CTO Tel: (732)
More informationDepartment of Defense Cybersecurity Requirements: What Businesses Need to Know?
Department of Defense Cybersecurity Requirements: What Businesses Need to Know? Why is Cybersecurity important to the Department of Defense? Today, more than ever, the Department of Defense (DoD) relies
More informationIBM Security Services Overview
Services Overview Massimo Nardone Senior Lead IT Security Architect Global Technology Services, IBM Internet Security Systems massimo.nardone@fi.ibm.com THE VEHICLE THE SKILL THE SOLUTION Today s Business
More informationCyber Security Technologies
1 / Cyber Security Technologies International Seminar on Cyber Security: An Action to Establish the National Cyber Security Center Lisbon, 12 th September 2013 23 / Key highlights - Thales Group Thales
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationThe NIST Cybersecurity Framework
The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce
More informationA GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING
A GUIDE TO 12 CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING There is a major difference between perceived and actual security. Perceived security is what you believe to be in place at
More informationDHS Election Task Force Updates. Geoff Hale, Elections Task Force
1 DHS Election Task Force Updates Geoff Hale, Elections Task Force Geoffrey.Hale@hq.dhs.gov ETF Updates Where we ve made progress Services EI-ISAC/ National Cyber Situational Awareness Room What we ve
More informationDigital Health Cyber Security Centre
Digital Health Cyber Security Centre Current challenges Ransomware According to the ACSC Threat Report 2017, cybercrime is a prevalent threat for Australia. Distributed Denial of Service (DDoS) Targeting
More informationPreempting Cyber Fraud: SWIFT Threat Indicator Sharing Tool. Cyber Security 3.0 Better Together August 18, 2017
Preempting Cyber Fraud: SWIFT Threat Indicator Sharing Tool Cyber Security 3.0 Better Together August 18, 2017 Research Overview Problem Statement Research Goals & Methodology Defining Insider Cashout
More informationA Strategy for a secure Information Society Dialogue, Partnership and empowerment
A Strategy for a secure Information Society Dialogue, Partnership and empowerment Gerard.Galler@ec.europa.eu European Commission DG Information Society & Media Unit INFSO/A3: Internet; Network & Information
More informationCybersecurity: Incident Response Short
Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability
More informationThe Value of ANSI Accreditation. Top 10 Advantages. of accredited third-party conformity assessment
The Value of ANSI Accreditation Top 10 Advantages of accredited third-party conformity assessment The American National Standards Institute (ANSI) offers highly recognized accreditation programs globally
More informationGujarat Forensic Sciences University
Gujarat Forensic Sciences University Knowledge Wisdom Fulfilment Cyber Security Consulting Services Secure Software Engineering Infrastructure Security Digital Forensics SDLC Assurance Review & Threat
More informationCybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City
1 Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City The opinions expressed are those of the presenters and are not those of the Federal Reserve Banks, the
More informationCYBER SOLUTIONS & THREAT INTELLIGENCE
CYBER SOLUTIONS & THREAT INTELLIGENCE STRENGTHEN YOUR DEFENSE DarkTower is a global advisory firm focused on security for some of the world s leading organizations. Our security services, along with real-world
More information