
Keynote - Andrew Buschbom - CISA

BSides Albuquerque | 26:01 | Published 2024-08

Okay, so I'd like to take this moment to introduce our first keynote speaker, Andrew Buschbom. Andrew currently serves as the state cyber security coordinator for CISA. Please welcome Andrew.

Thank you. Yeah, Andy Buschbom. I guess my official title is a cyber security state coordinator for CISA. I talked to a few people this morning. I used to say it's "cisa"; it's "sisa." If you want to go look, CISA has a pretty funny YouTube channel, "How do you say CISA," and it has a little dictionary excerpt; you click on it and it says "sisa, sisa, seriously, sisa." But there's a lot of funny videos there, plus a lot of good content. So I've been in this role a

little over a year now. I came to the first BSides. It's awesome to see everybody here develop those connections, those relationships. I've met a few of you in the past, a few of you today; I hope you come find me after this. So how many people are familiar with CISA? All right, so quite a few. So CISA's mission, right, uh, Mark spoke to it a little bit. There's, you, I like listening to Mark talk; he'll, uh, provide some random statistics. I've heard him talk a few times. Albuquerque, 33 largest, 33rd largest city, didn't know that. Fifth largest state, didn't know that. But only, what, 2 million people, very rural. So there's a lot of challenges. There is a

librarian out there that's running cyber security, is a CIO, trying to do everything, and CISA came about to try to help those people. Not try, to actually help those people. Uh, Mark mentioned a lot of things I want to talk about: tabletops, assessments, knowing what you have. Uh, so CISA's mission is to lead the national effort to understand and manage cyber and physical security, you know, manage that risk to critical infrastructure, and that's to create secure and resilient infrastructure for the American people. And, you know, first I have to know where those people are, how they exist. So I think it's awesome we have this BSides conference to develop those connections, those relationships, make people aware

of what services CISA has. So I get to travel a lot around New Mexico. I am dedicated to New Mexico. Uh, I have a colleague that helps support southern New Mexico, Felix. But, um, I was at a conference in Orlando, the MS-ISAC conference. How many people are familiar with MS-ISAC? Less than CISA. So not everybody can qualify, but the Multi-State Information Sharing and Analysis Center, funded by CISA, and the EI-ISAC, the election. But in Orlando I got asked how did I get into cyber security. I grew up in Iowa on a farm. I didn't live in town; town was 900 people. I graduated with 23 people. Not a ton of cyber security going

on. So 1995, I saw the movie Hackers. How many people have seen Hackers? All right, this is more than in Orlando at the MS-ISAC. I was very disappointed when no one had seen Angelina Jolie's best movie. I recommend you all go check out Hackers. Now, Hackers had a tech consultant, Emmanuel Goldstein, pen name; I think his real name is Eric something with a C. But anybody familiar with Emmanuel Goldstein from any book? What book? 1984. I guess I'm here for the federal government; that's kind of an anti-authoritarian book, don't know if I should bring that up. But Emmanuel Goldstein helped with Hackers. So I, you know, I looked into that. Had dial-up internet,

getting that 24.4 kilobits. Found out about 2600, Hacker Quarterly, or what is it, The Quarterly? Yeah. How many people familiar with 2600, ever about that? All right. Reading that, learning more. So I'm 18, 19, I find out about the HOPE conference, H2K2. So this was 2002, so 22 years ago and some change, I went to my first cyber security conference, uh, in Manhattan, just after 9/11 happened. Kind of a weird time; the threat landscape is changing. I walked around New York just nine months after that occurred. But going to that conference, making those connections as an 18, 19-year-old kid, seeing all the lock picking, learning all the information, that cemented what I wanted to do, and that was being in cyber

security. Go back: I went to community college and I find out about the CyberCorps Scholarship for Service. So I was able to get my master's degree paid for by the federal government, which, uh, University of New Mexico also has this program. I recommend you check it out. Uh, they'll pay for three or four semesters; you get your tuition covered, you get, um, a little spending money so that you can just focus on cyber security. You get an internship out of it, and I had a cyber security job right out of college. I ended up working for the Federal Reserve doing incident response. I really recommend anybody who's looking into continuing their education for cyber

security check out University of New Mexico Scholarship for Service. Fantastic, fantastic program. So, got to check my notes here; my laptop was working so well this morning. Uh, so, you know, I pursued the cyber security. The threat landscape was changing as 9/11 occurred. Things got locked down more. First responders all of a sudden were in charge of being preventative; they had to not just respond to incidents, they were kind of looked at on helping people be prepared, preventative. Uh, this led to the creation of fusion centers, 2003, 2004. Anybody familiar with the fusion centers? A little bit. So, um, they're in all states, and that's a way for federal agencies to interact with state, local

information. They collect information, they disseminate information, and, uh, that's also led to the MS-ISAC creation in 2003, because people realized they need that local information. New Mexico, definitely different than California, right? Different threats occur here, there's different situations. I should mention CISA is also physical too, so the wildfires that were going on, CISA was helping to support those, look at the broader picture, share information through the fusion center. New Mexico's fusion center is up in Santa Fe. But that's where these conferences help to meet you. There's no, CISA is a voluntary organization, sorry about my PO Ming skills, um, there's no requirement to report. But if you can reach out to me and let me know what you're seeing, if

you suffer an incident, I'm able to share that information with others, correlate data, maybe provide some assistance to you. Uh, we can discuss the different, Traffic Light Protocol is what I use, different ways to share information. Let me check my notes again. So we got the fusion center, the multi-state information. If you are a state, local, territorial, or tribal, highly recommend you sign up to MS-ISAC. They can do incident response; you're going to get threat information. Uh, it's a two-way street with CISA. Uh, CISA funds MS-ISAC; there's a cooperative agreement, so they share information with CISA, we share information with them. CISA tries to operate on left of boom, right, before things go bad. We want to work with you

to be preventative. As Mark mentioned, do tabletops; there's different assessments we could do. There's a limited ability to help when something happens, which I feel bad when I talk to people and they've already been hit, the compromise has occurred, ransomware. Um, it's difficult. MS-ISAC does have some ability to help support that response. But as we've seen today with, uh, CrowdStrike, everything has become interconnected. Uh, cyber security is really not a technology issue anymore; it's everybody's problem. Flights are delayed, health care, uh, what else? Anybody know what else is affected by this? What's that? 911? 911, yeah. That's something that happened a few weeks ago too, speaking of interconnectedness. Um, uh, was April, I

think, April 16th, 911 went down in Texas, North Dakota, maybe Nevada, one other state. They said that that was a street light install hit fiber and took out 911 in four different states. I don't know. But we are living in a very connected environment. Things that were never expected to be connected are now connected: operational technology, water plants, wastewater technology, the Internet of Things. Um, just everything is so connected now and intertwined. That's why you need to know your dependencies, and those are things CISA can help with. We do have assessments, External Dependency Management: are you aware of what you rely on? Do you know your critical assets? If something like today occurred, say

you're a hospital, healthcare, what do you have to bring up immediately to continue, uh, what I want to say, life-saving operations? There's things that are, it's not just someone can't work; people's lives are relying on this. Um, and that's really what CISA was about, or created for: to help people be resilient, be ready to respond if something occurs, and not just a cyber attack, if something like the CrowdStrike situation occurs. Also, MS-ISAC, EI-ISAC, I had to, this was a rough sell this morning: CISA funds full CrowdStrike for election infrastructure. So I had a question about elections, what can you do to help; I had to say CrowdStrike. I do

think CrowdStrike is a fantastic product. Things happen; you know, it's unfortunate. So the threat landscape continues to change. I'd say in the last 5 years, more critical infrastructure getting hit. Foreign nations are looking to undermine the US, cause disinformation, sow mistrust. Um, really, the threat landscape has changed, and threat actors, more so nation-states. Like when I went to that first security conference in 2002, I'd go to DEF CON after that, they played Spot the Fed, right, you find who the fed is. Now I'm here, I'm a fed speaking. I feel like that's helped, we've grown. Um, I'm not here to look for, like, some kid just messing around, learning, right? This is to protect America against

nation-states, uh, to help secure those critical things that we all rely on: electricity, water, infrastructure, manufacturing. Uh, CISA's priority this year is elections; that's the number one priority. K through 12, health care, and water/wastewater are behind that. So there's a lot of additional services that CISA provides that you can get, and if you're not critical infrastructure or key resources, go to cisa.gov. Everything there is free. Like 98% of what I do you can find on that website. There's some comparative data, there's some other things that I can offer you can do, but really they put out a ton of products. I would check out CSET, a cyber security evaluation tool. Go through,

there's all sorts of assessments you can go through. It links to the NIST Cybersecurity Framework, the MITRE ATT&CK framework, provides you recommendations, things you can implement to help solve any, or bring up the security posture. CISA puts out tons of information, articles, um, even like houses of worship, that's another big thing, SWAT. You know, CISA deals with that physical, um, aspect along with cyber; I just want to make sure everybody is aware of that. And these are tools that are already federally funded and, uh, I recommend you definitely, definitely use. So again, I mentioned we want to operate left of boom. A lot of what I do is go out, meet people, do assessments. I

don't want to just leave you with an assessment and a report. I would like to develop that relationship; maybe every couple months we meet up, we prioritize what you need to do. Can do tabletop exercises; we can tailor those so those are specific to your environment, you know, use threats maybe you've seen. Uh, Mark mentioned it's good not to just have IT in the room: have legal, have HR, have your public outreach officer. What are you going to do when an incident occurs? How do you get information out to the public to make sure they're not freaking out? How do you report potential PII loss, PHI loss? How do you communicate if an incident occurs

and your infrastructure is compromised, you can no longer use your email? You have out-of-band communications? This is a lot of what I speak to people about, try to make sure they're prepared. Again, if, I don't want to meet you when an incident occurs; that's not a cool time to be introduced. Uh, one other thing CISA does is pre-ransomware notifications. This came about March of last year. So I will call people and say, hey, we had a third-party source report to CISA that maybe your credentials are exposed on the dark web, or we're seeing C2 traffic; I suggest you look into this. Sometimes that's a weird way to meet people, cold call: hey,

I'm from the government, you're compromised. Hey, why are you in my environment? No, I'm not. And there are certain things I can't share. I was pretty sure, is there, is Gary here? Pretty sure Gary wanted to fight me in the parking lot when I called him to tell him some information. Uh, but we got through it. It took 30 minutes to provide that information, whereas if I had that relationship established beforehand, that would have went a lot smoother. So I don't really, how long did I talk? Anybody know? We're ahead of schedule. You keep with, I'm out of ideas. 30, questions about CISA? So you mention, yes sir. Water/wastewater, my wife

don't. Hello. So I was, what's your name? My name is Josh van, I'm speaking later, and I wanted to kind of speak towards, like, the two things that surprised me while we were talking. One was that c control was in, is that nationwide, fora on that a little bit. And then the second one was really around the future plans for public services, right? Like, it's critical infrastructure, but it's one of the oldest infrastructures in America next to, so the technology and the approaches they use for their architecture is very arcane. Can you talk to, kind of like, how youy to help that? So for the arcane, are you talking about, like, on the OT side? Okay. I got to ask

hard questions. No, so, all right. I'm the cyber security state coordinator here for New Mexico. Every state has a cyber security state coordinator along with a cyber security adviser. So K through 12, yeah, any school in the US, territory, Puerto Rico, they have a cyber security adviser, they have a physical security adviser they can reach out to, get anything at no cost. Um, along with being a priority sector, they, free pen testing, we do external pen testing. It's a week long. There is a queue, so, like, I would have to put a package together for school here in Albuquerque. Uh, it'd be a pretty easy sell as they're a priority. Often schools also limited resources,

right, budget constraint, people constraint. So remote pen tests; there's also a remote vulnerability assessment, is called, which is a one-week remote pen test, then CISA will fly in on site and spend a week on your network going through, provide you a report at the end of it, a debrief. They'll keep checking with you; your cyber security advisor or myself, um, we'll keep following up to help you improve. External vulnerability scanning, CISA provides that at no cost, and web app scanning, so you can sign up. Web app scanning does limit to 10 URLs or 15, depending on where you are in critical infrastructure. Anything else you want to, K through 12, I could? Okay. So OT, little

bit more challenging, right? Maybe never expected to be connected to the internet. Security is not a priority, right? Operating, protecting people, making sure safety, I guess, at the end of it is a priority. Uh, CISA has a VADR; it's called Validated Architecture Design, or Design Review, Validated Architecture Design Review. And it says it's for OT and IT, but it mainly comes out of the OT environment. So if you have the ability to capture packets, you have a logical network diagram, you're in the water/wastewater, or really a lot of OT is going to be critical infrastructure, you can reach out to CISA, have their team review your packet captures, your network diagrams. Then they will fly in

and spend a day or two on site providing recommendations on what you should do, how you should segment it, what are maybe some better ways to configure that environment. But it is, I have no easy answer for the aging infrastructure, the outdated products. A lot of what I see in New Mexico when I see compromises is end-of-life hardware, end-of-support hardware, not patching. 99% of the time I see compromise, it's not some advanced technique; it's that there was a missing patch, you didn't know you had that asset. Um, one thing, it's not specific to OT: CISA is trying to lead Secure by Design. So there's a big push to, those products should come secure by default.

You don't want to have MFA, you have to turn it off. You don't want to have logging, you have to turn it off. Those organizations should have written secure code. It, the onus should not be put on you to apply band-aids every week; like, it should come, and now that's a difficult thing to do without regulation, right? This is a voluntary thing. Some people are getting on board; we'll see how that goes. That's just the early stages. Secure by Design CISA is pushing. The other big thing at CISA is AI and quantum computing. They're trying to get ahead of that, provide guidance, what's the best way to, kind of the Wild West out there right now with those

things coming. I don't know if that answered. Anybody

else?

So my question isn't anything like that. Um, so we have some students here today. Um, what advice would you have for them trying to break into the cyber security field?

Network. No, uh, really though, it is network; it is about who you know. I never wrote a resume until I came to New Mexico, and, uh, during the pandemic I had my own, I decided I wanted to be a blacksmith. I was done with computers, this was nonsense. Then the pandemic happened; I decided I really like computers and office jobs. So I ended up, I worked for the State of New Mexico; had to put a resume together to get that job. Networking, though. Reach out. Learning,

continuous learning; don't just learn during school. Um, just a thirst for knowledge. Again, the Scholarship for Service, the CyberCorps, was fantastic. Internships. I think really just being a nice person, helping, right? Develop those connections, help people out. New Mexico, right, fifth largest state, 2 million people, pretty rural; like, we all have to help each other out, share information. If there's something you're really good at, like, help another, you know, you have a sister agency, or you know somebody else out in another organization, or even ask me. Don't be worried about being, looking like a fool, right? Nobody knows everything. There's so much information out there, there's so many things you can know. Ask questions, be inquisitive, put

yourself out there, be uncomfortable, come stand up on stage and speak. That answer? We got two; we need a third question to close this out. Anywhere?

I got assistance now. Thanks, James. Good job, James.

This is actually just a quick plug for everybody who needs to network: if you aren't aware, Slack channel, chil SEC, look it up. It's all of the New Mexico cyber security professionals. Get in there if you're not already. I was just saying, there was a question.

Hello, Daniel Barac. I'm a cyber security engineer for a contractor for Space Force. I was just wondering if, uh, if you knew of any New Mexico companies that, that they can sis as a secure pledge yet, or if you're trying to push that out in you

I am not aware of anybody in New Mexico that is pledged to do that. I mean,

I bring it up, but I'm not pushing that as a priority. Uh, my role is, I tend to prioritize, I guess, even state agencies over some of the other sectors, some of that are more budget constrained. So a lot of that is more: let's do MFA, let's get those foundational practices in place, let's document policies. But it is a huge push by CISA as a whole, and I think that they're looking to get buy-in from the Microsofts and things like that and kind of start there. So we'll see how it goes. Have you heard of it before? Were you aware of Secure by Design?

Yeah, I heard of it. I looked at the pledge and

everything, and it seems like, you know, it's not, it's, so, um, I heard of the pledge before and I read it, and it seems like it's a very, um, flexible pledge, not just for major corporations but also for small, medium businesses as well, because, you know, everybody, you know, can be potentially hacked if they're connected, and these days everybody is, right?

All right, any other questions? I don't know if you're supposed to ask questions during keynote, but here we

are. Good. I think we might be coming to an end on that. So part of that Scholarship for Service program, I also had to take a leadership, they said when you ask questions you have to make it really uncomfortable after you ask the question, so let's see how this goes. Any

questions?

Andy, what's the coolest thing you've done at the

Coolest? That's a hard question. Chris has to come with him. Uh, drive around New Mexico is pretty cool; there's some rural spots. But I think right now, working with elections. Elections is a priority. I don't know, did anybody see the MIT article about election security in the states? New Mexico is number one. That's right, right? So that's a cool thing, working with the New Mexico Secretary of State; definitely security is on the radar. Uh, the end of this month, all of October, is going to be reaching out to all 33, see, 33, Albuquerque size, there's 33 counties, everything's connected, but, uh, this guy, like, what's

going on. So all the election, we're going to do tabletops, incident response tabletops, workshops. Just, I think the amount of people coming together in New Mexico to support elections, to be prepared, emergency management, local law enforcement, federal agencies, FBI, is just really impressive. And that, I think, for now, I'm a little over a year, I'm just off probation so I can't get fired, so I can say a lot of crazy things, but the elections was probably the coolest thing to do right now. I really like doing tabletops. I think it's really interesting to see how people respond to those scenarios, and it's interesting to realize when they notice there's some big gaps that they weren't prepared

for all right done once twice so thank you so much Andrew

than