
Okay, so welcome, good afternoon, welcome to BSides Las Vegas. This is the I Am The Cavalry room. This talk is "Target Rich, Cyber Poor" with Tom Millar and Don Benack. So I have some housekeeping issues I want to go over really quickly. First, we want to thank our sponsors, especially the diamond sponsors, LastPass and Palo Alto Networks, and our gold sponsors, Amazon, Intel and Google, for their support, along with all of our other sponsors, donors and volunteers that make this event possible. Cell phones: as we all know, please silence your cell phone so it's not disruptive to the presentation. These talks will be live streamed and recorded for YouTube, so please make sure you silence your cell phones. The mics: we are live streaming and recording, so at the point where there may be questions, we would ask people to use the mic, which we can hand around. Also, speak into the mic; you might have to pull it close to you. Let's see, photo policy. I just want to remind everybody that BSides has a photo policy that strictly prohibits taking photos of anybody if you do not have their express permission to be in that photo, so if you're unsure about who is in your photo frame, please do not take that picture. These talks will be recorded and streamed, so if you want to recall information later, you'll have the opportunity to do so. Masks: please keep your masks on at all times. Great, and with that I will turn it over to Josh Corman, who's going to say a couple of words, and then we'll kick it off.

Hello. Earlier I asked you guys to all applaud for a bunch of volunteers that tried to make the world a safer place during the pandemic. Two of the career civil servants that do it every day, not just as visiting people for a year or two, are going to be joining us on stage today: Tom Millar and Don Benack, great friends of the Cavalry movement before the pandemic, and hopefully still after, and maybe now even members. But what I want to do is bridge that really bad news session that you're in, where stuff's on fire. We want to give you a tour de force through many of the existence proofs, because now people know these things are flammable. It's on John Oliver, you know, on HBO; my neighbors are now asking me about these attacks. But the really sobering and overwhelming part, including the public-private partnership with government agencies like CISA, is that the overwhelming majority of these targets are below the security poverty line. They're the target rich, cyber poor. So a lot of the platitudes, advice and cyber security frameworks we give them are foreign to them. Eighty-five percent of the hospitals have a single security person, and if you listened to Michelle Holko about our ball bearings, the most strategic weak link in the whole supply chain for most of our species had two IT people, no security talent, and at any minute could have had a denial of service attack that would have killed another couple hundred thousand Americans. So we tried to get CISA out of their comfort zone. We came up with a suite of pragmatic security suites. They're here to review this. Part of this is to educate you, but part of this is to ask and inspire you: what else can we do to meet people where they are, when they have no talent, no experience, but cyber-physical consequences that affect Maslow's hierarchy? So they have a short amount of time to show what they've been starting and what they've been doing that you can advocate for, but also try to take this as an inspiration of what more the Cavalry could do to help them help the cyber poor. Thanks.

All right, y'all hear me? Move this a little closer. Okay. So, yeah, I told Josh I would start off with a joke that he might enjoy. This joke does not represent the position of my agency or any other employer, although I can't remember an employer before this one; I've been in CISA way too long. So I was on Signal with Santa Claus the other night. I considered, you know, it's always good if you have a good idea to just go ahead and Signal Santa Claus, and maybe you'll get it for Christmas. And I asked him for a unicorn. He said, "I'm sorry, kiddo, we can't do that." So I asked him, I said I would like the interagency to work together seamlessly to solve the cyber security crisis in American critical infrastructure, and he responded a few minutes later with, "What color unicorn would you like?" Hey, and it's a joke that works for everything, right? You can just put whatever in the middle of it and it works. So, always open with the joke and forget what the rest of your agenda was.

What we're going to do here: we're going to talk a little bit about how we knew how bad things were before the pandemic even started, give you a little bit of insight into... actually, I think these are 2019, so this is right after sort of the birth of CISA as an agency. These are results from 2019 vulnerability assessments that we performed at no cost for critical infrastructure organizations all across the country, including state, local, territorial, tribal and municipal governments. And we lined up all the different ways we knew how to... you know, without fail, when we do these assessments, we find a way in. Without fail, it's the same stuff over and over and over again. So we created this infographic, which I will now read every word of, to explain sort of, you know, what our findings were and how they were mapped to MITRE ATT&CK. And this is something, obviously TLP:CLEAR, that you can now get for free from somewhere on the CISA website, and, you know, I'll hand you a business card and find it for you later; I'm not exactly sure what the search term is. But here are some links to also get you started. And I want to, by the way, we had the joke earlier, the classic Ronald Reagan line of "I'm from the government and I'm here to help," and why those are terrifying words. I want to tweak that: it's "from the government, help yourself," because that's what this... I mean, when people ask me about our services, our resources and the tools that CISA offers to help critical infrastructure, but really anybody, because guess what? If you are an SMB in the United States, you are probably involved in some delivery of a national critical function. This has generally been my understanding of things, the more and more I've learned about how our economy works and how our way of life is thought of. And so these are great places to start looking at exactly what we've made available. When people ask me about them and they ask, you know, like, "Oh, are these available? You know, what's the cost?" I'm like, guess what, you already paid for it. Thank you for your contribution to the United States Treasury. And so, yeah, these are great links to just get you started.

And now what I'm going to do is give you an example of the spiel I've been using specifically to cover down on health care delivery organizations. And I know, spiel, like, what is he doing up there? You're not supposed to do this at these types of things. But I do want to talk about these, because of all the problems we've been talking about today, these are the ways we're trying to approach that and tackle it at scale, in a scalable fashion. One of the big challenges we've discovered is that the stuff that sort of scaled when we were focused primarily on the federal constituency, that's the federal civilian executive branch, which for a long time was sort of our core audience for a lot of stuff we did, when we expand that to critical infrastructure and we start talking about numbers in, you know, the mid-four figures just for hospitals and hospital networks alone, and then we look at all the other critical infrastructure sectors, those approaches that work for 125 agencies across the government don't work at that scale, obviously. So let's talk about... did I move back? Okay, all right. Okay, I have to be like a podcaster, don't I? Okay. Nobody can see my face on the camera, but they can hear me, so that's fine. Somebody get... I asked for a pop-star mic and they didn't have one.

So, our cyber hygiene services. You know what, I'm not gonna read this whole thing, because I know this by memory, and I hate when people read slides to other people; it's the worst. But let me start with the simplest thing that you can probably take advantage of right now, that I think is a tremendous value that CISA offers, and it's not on the slide: the Known Exploited Vulnerabilities catalog. Who here has already heard of the KEV catalog? That's outstanding, okay. Do you know where to go to get updates whenever we put new stuff in the KEV catalog? All right, that is the National Cyber Awareness System. So whenever we... so, granted, you will probably get a slight uptick in email volume when you sign up for the National Cyber Awareness System, but I tell you, it's absolutely worth the bother. I personally have been... I mean, I work for CISA, I still subscribe to NCAS, as we call it, at my personal account, just so I know when, you know, like, when there's new Apple iOS updates that I really need to tell my family about, for example, anything like that. And also, whenever the KEV catalog gets updated, it comes out and is announced on the National Cyber Awareness System. It's really easy to sign up for. The only thing that I think is perhaps a possible UX design challenge is, if you go look for the National Cyber Awareness System on the cisa.gov site, you'll find the page that describes all the things that it can do for you; at the bottom of the page is where you sign up to subscribe, which, I'm like, I might have put that on the top. But anyway, a little editorializing for everybody who's watching this from my own agency and wondering how we can improve the web page.

There's also a free open source tool to do your own self-assessments, which I don't think a lot of people know about. I mean, we're pretty proud of our download numbers, but at the same time, when I again look at the scale of what critical infrastructure is and the number of people we could be reaching, I wonder if we're not hitting the target. The Cyber Security Evaluation Tool, or CSET. And this is... if you've got the time to go online and do one of those goofy personality quizzes, you've got the time to go download CSET. It's on GitHub; so CISA's own GitHub site has CSET on there. It's a standalone application. You run it, and here's the best part for a lot of folks: we don't see any of that data unless you make it available to us. You can keep the data on your own, do your assessment; we don't have to learn anything from it per se. We'd like to, but it's your information. And it gives you sort of pathways to improving your cyber security posture. It also has modules for all sorts of different standards, and it has a ransomware readiness assessment. Any of this stuff that you can use to support your customers, or whoever, you know, if you volunteer for someone like the organizations we've been talking about today, any of that I think is possibly an appropriate application of this tool.

There's also... I'm gonna let Don cover this in greater detail. We have representatives; we're not just a Washington, DC agency. We have representatives in all 50 states and six territories, covering the entire United States. We have a cyber security advisor in Alaska, so we've got it covered down. And I think we are up to, specifically the state cyber security advisors, the last time I checked we had 40 out of 50 hired, and that was progressing very well for us. So those are where you can get a lot of other different types of assessments, from people who actually will come and visit you in your own operating environment. And... did I do it again? Oh, 10 minutes, okay. And I really wanted to have a discussion, so here's some stuff. Cyber hygiene services. One thing real quick: these are no cost assessment services. They are utilized by... there are a variety of things; I will let you look it up in your own time. A bunch of this stuff is... I just want to encourage you to take a look at cisa.gov, search around for some of these key terms, and find out what the services are and if they're a good fit. And, yeah, the cyber hygiene services are a great way to start. If you know an organization, for example, that has an asset management problem, they just don't even know what they have, using cyber hygiene services is a great way to get started, just like finding out at least what's the internet-facing stuff, along with the Stuff Off Search toolkit, which gives you a way to find the things that were already on Censys and Shodan that maybe you didn't know were internet-facing and discoverable. And that gives you a great start, I believe, in at least solving part of the asset management challenge we know so many of these organizations are facing. With that, I want to turn it over to more of a discussion and a little bit of Q&A, but mostly I would love to hear your ideas for what else we could be doing, especially to help SMBs and critical... like the critical national infrastructure that you all have experience with. And also let Don talk for a minute.

A minute, that's outstanding. Closer? Okay. So I've spent the last 15 years in government developing services to help organizations manage their risk, from the cyber hygiene suite, which is ostensibly focused on attack surface management, identification of exposed web applications, system vulnerabilities, pen testing services being available to all. And the real question is, what do we do next? Because we have things that worked great federally, and they were kind of bespoke, you know, kind of like Bentleys. We had some services that are kind of like bicycles; they were great for the masses. So on that spectrum of bikes to Bentleys, where, you know, we can use the bikes and they should be public goods, what can I do to help, or what can we do to help develop services that the field forces can deliver, that CISA can deliver from headquarters, that help the masses understand the scope, the magnitude of the risk? What's missing from our current suite of cyber hygiene services? And then for the more bespoke sets, where we operationally engage with known nodes, vital junctures around critical infrastructure, what are kind of the more bespoke services that would help when there's ROI on that? And that's two different muscle movements: one available to the masses, one available to a smaller set of very focused, important organizations. And I'm looking for ideas from you. What could we do that we're not doing? I don't want to just tell you my ideas; I just want to listen to yours. So that was why I tried to stay silent for a change. Anybody who's ever done a meeting with me knows I talk too much.

So a third muscle movement is also the tide that lifts all ships option, and that's... my friend Allan is wearing the shirt representative of his major effort in that realm, the software bill of materials. Yay. And I want to bring up, like, an example of the bad practices, because I know Josh is probably going to have words with me if I don't bring up the bad practices. There's only three bad practices that we published on the CISA website. They're really simple and I think they're non-controversial, until I talk to somebody who actually works in healthcare. But one of them, the first one, is don't use end of life, don't use unsupported stuff. The second one is don't use stuff with known default fixed passwords. And the third one is don't use single factor authentication for remote or administrative access. And again, all of these are non-controversial, right? But we provided them to give people ammunition to start winning arguments. It's like, "Hey, these are the CISA bad practices; we shouldn't be doing this."

And the bad practices were always supposed to be a living document. They were always supposed to provide, you know, a dialogue space where we could talk to experts like yourselves: what else should be in that list of bad practices, or what else should we be looking out for? Again, another place where your ideas would be absolutely welcome. We also find those on our GitHub site; we'd love public... actual Q&A time. Sorry. You're fine.

Well, it would be nice to have something like your cyber resilience graphic novel series. I'd love to see something that's effectively like Captain Planet, right? Like, that made environmental awareness a huge thing for me when I was a kid. It'd be nice if we had something that taught children about cyber security, like something that made it more accessible, entertaining; that would be really nice. The second thing is maybe impossible, but a tiger team of sorts. I forget which presenter was talking about it, maybe it was Bryce, how the entities that are large enough to ask for your services are not necessarily the ones that need them, right? The small entities don't have cyber security; they might have IT people. So they really need someone who's a sysadmin, net admin, Exchange admin, someone who knows security practices, to come in, assess their environment and clean things up, because they don't have the ability to even do that.

I like both those ideas, and we have a number of staff in the field. Again, I'm looking for ideas for the field forces, so this is great. There's actually over 130 of them, and I think another 40 or 50 that we're hiring. So we have a lot of regional forces spread across all 50 states, and, you know, right now it's green, it's a blank slate, sky's the limit on what we can do and think about doing with them.

Thank you, gentlemen. Thank you for having this open forum. I work specifically with a lot of SMBs in digital forensics and incident response. Uniformly, small and medium enterprises' non-technical decision makers think that information security is an IT problem, and they look to their IT people, who may be great at setting up printers or putting workstations together, you know, the break-fix IT outsource people, and then information security and incident response gets dumped on them and they are out of their element. And broadening the understanding among SMBs that information security, incident response, these are different disciplines than their IT guy; and they don't know that at all.

To follow on that, it seems like resources that help educate these SMB executives that it's a risk management decision and assessment for operating their business; it affects the bottom line, it affects the future viability of the business. And just keep bringing it to them, so maybe a quarterly report that says, hey, here's what went on last quarter, in the language of SMBs, speaking to the concerns that, you know, really hit them, and here's some free resources for understanding risk management, or some really easy to use online tools to get started with this risk management, because they're not trained in that. They don't really know how to run it, but it's got to be good if they had some resources to help them grow there.

Yeah, and I think you're going to see a lot over the next year from CISA, if I'm successful and others are, engaging at the C-suite and above, so board members, CEOs, CIOs, CFOs. We want to change it from a narrative around information security, cyber security, into business continuity, business resilience. So we'll be doing a lot there. That's not going to help with direct services to help the cyber poor, but it's going to help get, I think, the right buy-in.

Yep. So I'm 100% gonna echo what this gentleman just said. Your target audience, it sounds like it needs to come from the top down as well as the bottom up. I think the bottom up gets it; the top down doesn't necessarily understand all the complexities. So if there's... it's always gonna sound really bad, dumbing it down to the level that somebo