Cyber Security and Privacy Event Recap
By: Terry Dear, Program Chair for WITI OC and VP of Software Development for BMS, Inc.
In recognition that October is National Cyber Security Month, WITI Orange County hosted a 'Cyber Security and Privacy' event on October 20, 2016. We were honored to have Haiyan Song, Senior Vice President for Splunk's Security Markets, and Sheryl A. Hanchar, Vice President and CISO for HireRight, as panelists. Moderating this event was Lenka Vanek, Senior Director of SW Development for Dell. We knew the evening was going to be impactful with these high-powered women. Haiyan was recently recognized as one of National Diversity Council's 50 Most Powerful Women in Technology 2016. Sheryl started hacking at 8 years old and got kicked out of college when she publicly distributed PII (name, address) of every student at her college. Note: Sheryl did go on to join the US Navy and then graduate school.
A special callout and thank you to our premier sponsor, Splunk (https://www.splunk.com/), known as the 'google' for IT Operations turning machine data into insights; and sponsor Cyphort (https://www.cyphort.com/), a startup company offering an adaptive detection fabric closing the network security gap. Both companies provide tools used for monitoring and analyzing the cyber security space.
If you are looking for a career opportunity, now is the time to join the cyber security team. It is a growth area for Corporate America as the number of experienced cyber security personnel is limited. You do not have to be an extreme coder to be part of the cyber security team. When you think security, you think about physical security (guns, large physical bodies, etc.). Cyber security is not that. It is about risk management, regulatory compliance, and securing the crown jewels (in this case, data). Women are actually better suited for the security team as they are better at pattern recognition and finding the anomalies, spotting potential penetration breaches before they occur. They also like to document
Unfortunately, Security = COST while Hackers = PROFIT. Corporations must identify the crown jewels and build the appropriate controls around that which is important. Sheryl stated: 'It is not rocket science. Just put in enough trip wires.' Busting hackers does not have to break your budget. Constantly review and test new tools with Proof of Concepts. The security market has several startup companies introducing better mousetraps. Hackers do not sit idle. Need to get funding? Consider the 'loss of potential revenue' angle, as customers now look to cyber security for credibility and confidence in doing business over the Internet. Statistically, one big company gets hacked every week. If your company gets hacked, will your customers continue to do business with you? When you do get hacked, it is about survivability. Counterintuitively, segregate crown jewels and break up losses. Consider planting a 'honey pot': a fake folder containing perceived valuable information like SSNs. Hide the real data in another folder (e.g. recipes). Don't forget to monitor the honey pot.
Did you know that hackers have personalities? They are not all the same. China is slow and methodical. They gather intellectual information and go through stages before moving forward. They are considered to be nation-sponsored. Russia, on the other hand, is completely focused on the theft of financial resources. There is no shame and no laws. It is completely acceptable to be a hacker. Amateurs attack systems. Professionals attack people. The best defense is to look at anomalies. Don't drown focusing on the alerts. Detect and remediate. Look at user behavior patterns. Why is Mary Jane's account accessing a computer she normally does not access?
To tackle hackers, it takes a village. It is not a one-man job, nor a job for one corporation. There is no single solution. We need to create industry sharing spaces and cyber security frameworks for defense, health services, financial services, etc. Defense is definitely ahead of everyone else: the large defense corporations (e.g. Boeing, Lockheed Martin, etc.) developed an industry sharing portal.
Privacy? What is that? For Millennials raised during the Facebook rise, it is nonexistent. Our behavior is the product for all the free software apps that we use. Did you know that there are two Sheryl Hanchars in the world? One is a CISO. The other is a drug addict. Which one are you talking to? Haiyan grew up in China, where everything is monitored and you assumed no privacy. With today's mentality, be mindful of what you share. Your name and address are public information, but you do not have to post everything about yourself. All system interfaces should have multi-factor authentication.
The interaction between the audience and panelists was quite engaging. We talked about politics, emails, European laws, stolen SSNs, DEFCON for kids, the real estate (and mortgage) industry needing to get its security act together, surviving the Sony fallout, nuclear program, and colleges informing parents not to google their freshman child's roommates. You had to be there.
Signing off, Mission Impossible 1966 style: "As always, should you or any of your WITI Force be caught attending, the Secretary will disavow any knowledge of your actions. This recap will self-destruct in five seconds. Good luck, Jane".