BSidesNYC 2018 - 01 Opening Remarks

weren't for the women's March we'd have a lot more women and the field needs more I'm Richard lovely I'm a professor here at John Jay and people ask me how long have you been here and I say too long I was the I have the distinction of being the co-founder and long time director of the digital forensics program here and believe it or not John Jay was the first in the United States to have a degree granting graduate program in computer forensics um it's hard to imagine because we're not we're really not known for technical stuff but I do recommend our program to you the new director is a fellow named Doug salane he'd be happy to hear from

you if you have younger people who are interested in the field certainly have them look us up we have a actually an interesting bridge program for people who don't have a technical background who'd aspire to get into the field we call it cybridge and we provide a crash training in computer science because we are a computer science based program and that's kind of an oddity because I'm a sociologist and what does that say well it says that when we first started this program actually it was founded at the behest of a suggestion from the electronic crime task force leader uh after 9 11 who said that we needed to be involved in in this business and he and the college

recognized that cyber stuff is only half technical the real conundrum is is either social organizational or cultural and I want you to remember that we have a lot of good technical uh sessions here but there's a lot of other stuff that is dealing with human aspects of cyber security um my earliest involvement in this field was uh way back in the Vietnam era I was a fixed siphany repairman and I had the opportunity to work on the first integrated circuit cryptography machines they were the machines that were on the USS Pueblo when the North Koreans captured it those of you who aren't history Buffs that happened quite some time ago and a guy named Commander

Bucher was court-martialed as a result of that the machines on that vote had on top of them incendiary devices which were supposed to be ignited to melt the machine at that time the cryptography was controlled by IBM cards which it would have to be carriered around the world so they would have matching cards and Alice and Bob had to be in two different places at the same at the same time and they did it by by the cards the North Koreans and of course then the Russians and the the Chinese got the whole thing they captured the machines they captured the cards they captured the whole thing why human error human error didn't matter how slick the technology was human error

Trump's sex stuff all the time so just keep that in mind one of the Hallmarks of our program is that we call ourselves a hybrid program we integrate the soft side of cyber security and forensics with with the hard technical stuff and that that's the message I have for you that's what we can deliver and I recommend our program to you if for uh if you have internship possibilities with at your place of employment think of us uh and think of us for hiring graduates anyway I want to welcome you on the behalf of John Jay uh City University of New York and the digital forensics and cyber security program which we call d4cs here at the college a

lot of good stuff I want to share with you uh actually another kind of human aspect the password for your guest email or Wi-Fi is CUNY CUNY lowercase I had tried to get a special password for the conference it didn't work every student at John Jay knows that password because when they they can't get on the student they go to The Faculty or whatever so that CUNY CUNY lowercase again to remind you six four elevators are down the hallway up there the moot court is a place where we can set it up as a courtroom to have mood Courts for student purposes it should be lots of good fun up there lunches is just up

above two levels the food and coffee is up there in a place called Hound Square the nickname of John Jay's teams are the Greyhounds so I welcome you enjoy the conference uh I'm a guy with a sports jacket I'll probably take it off sooner or later I wanted to make sure you knew I was faculty and not not one of you guys um but anyway welcome to John Jay and have a great time partner yeah I haven't worn them out yet but so actually this is only two years old I have one in my office that's actually 30 years old so anyway welcome and joy let the wild rumpus start

all right next up from the New York City cyber command is uh key Essence um she is going to talk a little bit about what's going on uh with the city of New York uh and what they're doing uh in terms of cyber security

uh good morning so packed house this is great um so like Brad just mentioned my name is kiasis Phillips I am the deputy CEO of direct management for the New York City cyber command and I realized that might be the first time many of you have heard of it but I felt as though it was very apropos to be here at b-sides NYC and amongst many of you who are probably residents or at least frequent the largest and arguably greatest city in America to really talk about what New York City cyber command is we refer to ourselves as nyc3 uh who we are how we came about and what we're looking to do so NYC 3 was born out of the in

executive order some by signed by Mayor de Blasio July of 2017. and with that it has given us the charge to be in charge of all things cyber-related uh Citywide and that's a pretty arduous feat and that's pretty much anything from data security to setting policies and uh what that pretty much means to us at a high level is that we are in charge of over a hundred agencies and Offices here in New York City and that equates to about 8.4 million residents critical infrastructure and city services now if you're anything like me um I took advantage or at least took um or didn't really recognize what that meant until I joined the city so I'm

sure a lot of you kind of take for granted all of the infrastructure that we have and services that we have at our disposal here in New York city so for example within uh NYC 3 we are in charge of all the agencies from anywhere from Human Resources to critical infrastructure so when we're looking at an attack when I came into this role I kind of just started looking at the threat landscape and risk profile very differently so if we're Whenever there is you know an adversary that breaches a network you know you always want to kind of assess that system and see what's the criticality so for us if it's it's not just about uh is was there data stolen

or you know is this pii that was released or anything exfiltrated from the system but it's more about uh how critical is this service and what is the impact if the services is uh has to be taken offline et cetera and what does what does that mean for the citizens of this fine City so some of the things that I think about from a human services perspective is if there is an attack and let's say a service has to be taken offline and that service provides welfare benefits to a single mom let's say and she can't provide or she won't get her benefits to be able to get a formula for her newborn baby and

flipping that all the way on his head looking at critical infrastructure we have some of the greatest water ever you know there was even a New York Times article talking about how New York City is bolstering the operation of its flow of water to New York City because we don't have to use a bunch of filtration plants Etc but we take that for granted like when I travel to other places I don't even drink the tap water but if our systems are let's say our our IC Systems or our OC systems were compromised you know what does that mean for the operating the dams here in New York City or the flow of that water from

from upstate or how much fluoride gets put into that water a lot of that stuff we take for granted uh so those are two of the things that really stick out to me when I think about the threat landscape and the risk profile of New York City so how is NYC 3 doing to combat all of that for one we are moving away from much of a Federated and decentralized network to giving ourselves the ability to have full visibility and control of all of the agencies across the city and then also we are building somewhat of a responder environment that pretty much removes us or separates us from the networks for which we protect within

that that environment we're enabling ourselves to be able to amass a large set of data data Lake and and to be able to do predictive analysis on that data and then also just put ourselves in a position where we're able to do Advanced analytics etc for the cities before before the agencies of the city um going forward I would just like to leave you with two calls of action so one obviously our mission part of our mission is to prevent detect and respond so if any of you are interested in bringing your fine skills to New York City um you know talk to me afterwards we're going to be hiring for roles and Cloud engineering as we're moving to the cloud

security operations instant response phone phone management pen testing Etc so and even from from the softer side from a policy standpoint governance compliance auditing Etc and then also my second call to action is we can't do much of this alone so Partnerships are very important to us so if you find that your organization your company Etc and you have some Synergy with hours we're definitely looking to establish strong Partnerships so if there is any Synergy definitely talk to us afterwards and then lastly we will be publishing a website at nyc.gov cyber it's not up yet but it will become to a screen near you very soon so look out for more information there about what we're doing some

exciting things that we have in a pipeline how we're kind of being very actually not kind of but very Innovative in this space very non-conventional and untraditional for local government basically pushing a lot of boundaries and changing the culture of local government here in New York City and we are looking to be an industry leader within local government so other cities we can give other cities a blueprint to stand up more cyber security operations within their cities so thank you and I'll leave you to more interesting talks questions all right thank you Essence um I was just thinking like you know I'm a conference organizer because I'm running around with a roll of tape in my

hand