I'm Steve Friedman, I'm president of Pace University. For those of you who are not from Pace, welcome to Pace, and welcome to the third meeting of our annual symposium on cybercrime. Pace is a center of discussion and debate on the most important public policy issues of our time, and certainly few issues in this fast-changing world are as important as cybercrime, cyberwarfare, and cybersecurity. The costs of cyberattacks are huge, the threats to our critical infrastructure in government security seemed very real and to some of us appalling, and it's extremely difficult for even well read general public, which I put myself in that category, to have any real sense of the adequacy of our country's defensive and offensive tools to deal with this battle that takes place in the ether. We simply don't know how well prepared we are, and the lines between cybercrime and cyberwarfare become increasingly blurred with newspaper reports that governments are sponsoring private intrusions. The FBI said cybercrime is the number one threat to our nation's security, the New York Times had a headline the other day that said President Obama has confounded by cybercrime and cyber warfare, and I thought, well, he and I are in the same boat, and that is why discussions like this are so critically important. I'd like to thank the Association of Chartered Certified Accountants for
co-sponsoring this important event and raising the visibility of this important issue. We don't discuss it enough, and the uncertainty and lack of confidence that secrecy engenders transforms the impact of this kind of crime into a kind of terror. Higher education plays an important role in cybersecurity. At Pace that work is more than just the right thing to do: we sit blocks from some of the most critical financial and communications companies in our country, and when they are attacked or crippled the whole country is crippled. At Pace we work hard to stay on the cutting edge of cybersecurity innovation; we're very proud of the faculty members and the students who work in this area. The National Security Agency and the Department of Homeland Security designated Pace a National Centre of Academic Excellence in Information Assurance Education fifteen years ago, and we're very proud of that rare designation and we retained it today. The National Science Foundation just a few weeks ago awarded a two and a half million dollar grant to Pace, following a previous one million dollar grant, that will support our work and our students who study and research in this area for a number of years. Firms and government agencies recruit our Seidenberg computer scientists and analysts; our alumni work at the CIA, the FBI, Manhattan District Attorney's Office; our students intern at the Department of Homeland Security, so we're in this with both feet. We've watched the number of undergraduate and graduate students in the Seidenberg School in New York City increase every year for the past few years; the number of graduate students in the masters of science program doubled in a single year this year. This year there are simply not enough qualified cyber experts to fill the need. This year's conference highlights innovations in the world of cybersecurity with a focus on new technologies. We're very fortunate to
have an interesting and highly expert and experienced panel of experts; I know this is going to be a fascinating discussion. It's now my pleasure to introduce Mr Warner Johnson, the CEO of ACCA USA. Mr Johnson's an accomplished marketing and public affairs professional; he identifies critical issues, he engages the right strategic partners and creates opportunities for people to talk about the most important issues. Pace is grateful to have partners like Mr Johnson and ACCA, and we're delighted that all of you are here. Thank you very much. Please join me in welcoming Mr Johnson. [applause]

Thank you so much. Well, good morning. Good morning. [laughter] I was looking around the crowd and what I really love is, you know, we had such a good mix of obvious some professionals wearing business suits and ties who are probably heading to their jobs right after this, and a number of students who are wearing t-shirts and shorts and I'm assuming hopefully going back to bed, but either way we very much thank you and welcome you all for being here at our third annual cybercrime symposium. We have a great number of panelists, we have some fantastic reputations and some real specific ideas and expertise on ways to contribute to this issue, and we have a fantastic moderator who I will be introducing shortly. I'd like to thank Pace University for supporting us at this event. I'd also specifically, besides President Friedman, I'd also like to thank the Seideberg School of Computer Science and Information Systems, almost got it, pretty close, right? And I'd also like to thank the Lubin School of Business; both of these schools in Pace overall have been great partners to ACCA and great contributors to this issue. ACCA, many of you probably, unless you have attended this event in the past or some of our other thought leadership events in New York, ACCA is a global body for financial professionals and accountants. We have members in a hundred and eighty countries, we have national offices in ninety three. My team, who are seated throughout the audience, including Ruth Vassault who really took the lead on today's event, we run the US operations here in New York. We not only support our members throughout the United States but we also work to further the industry of finance and accounting professionals. Cybercrime has always been a real issue of considerable interest to our members around the world and it's only our apropos that when we selected Pace to partner with we chose Pace who originally started on hatten as the school of accountancy but also so close to the financial sector and where these issues really have such a big impact.
We've also worked with one of our panelists, Dr Jonathan Hill, who we'll introduce formally later on, a survey of which he will discuss later today, which is a real wake up call on these issues. My hope is that by shedding light on this ever increasing criminal scourge we can contribute to the dialogue as our government leaders and business industries strive to implement stronger controls and improve our security. As you listen today I encourage you, and when I say I also mean the people who wrote this speech, encourage you to use the hashtag cybercrime 2015 to continue this conversation on Twitter, which is not only being followed by the people in the audience but also by hundreds of thousands of our members throughout the world. I'd also be remiss if I didn't thank Pace for an earlier collaboration that we made together this year. Beginning this year, students at the Lubin School of Business can actually work towards their ACCA qualification while attending school at Lubin. This is really phenomenal for us and historical for our organization, as this is the first American university that we partner with, and it really opens the doors to some of our hundreds of thousands of students around the world who are interested in studying here in the US. I now would like to take the opportunity to introduce our moderator, one of the first faces that I'm assuming you all see when you turn on New York One every morning, and if you don't turn on New York One I highly recommend it. Annika Pergament is the senior business anchor for New York One News and Time Warner Cable's other news channels around the United States. In her role Annika leads the business news coverage from the New York Stock Exchange. She has also worked in other news roles with WCBS-TV here in New York, Court TV and truTV, but many of you will also recognise her from her reoccurring roles as a news anchor on HBO's acclaimed 'The Sopranos' and cameos in Wall Street: Money Never Sleeps, Non-Stop, Jack Ryan: Shadow Recruit and most recently Mr Robot, and if you haven't seen Mr Robot, I think it's on USA, I believe? [crowd shouts out] I wish there was a device that we could pull out of our pocket. OK, find it. It's honestly a phenomenal show and it's actually, I'm going to use the term apropos again today, if I use it another time I own the term, it's very apropos because it's about cyberhacking, so let me, please join me in applauding and welcoming Annika to the podium where she will begin today's program. Oh no, I'm sorry, thank you, she will stay seated. Alright, thank you very much.

Thank you so much Warner, [applause] thank you Warner and thank you President Friedman, and also I want to thank Pace University and the Seidenberg School for hosting today's event in the third annual, as we've just heard, cyber summit, and just to for the third time repeated
it couldn't be a more apropos topic, so this is, we hope to have some very interesting and lively discussion coming up. The Department of Justice call cybercrime one of the greatest threats to our country; it's a threat to our national security, to our economic prosperity and also, as we learn every day in the news, to our individual safety. The threat is growing, cyber criminals attacking at a faster pace than many companies can keep up with and even our government can defend itself against. We've all read the headlines recently: there's Sony, Target, Home Depot, Blue Cross, Blue Shield, the government's Office of Personnel Management, Ashley Madison more recently, and the CIA website and then even the White House. So when I was researching this massive increase in cyberattacks, I don't know if any of you watch the Game of Thrones, but I just had this sense of the white walkers coming in and coming in and coming in, and it's the same sort of feeling that you get the more you learn about the threats that we're facing. Just consider some of the following. Energy company BP says that it gets hit with 50,000 attempts at cyber intrusion every single day. The Pentagon reports getting ten million attempts a day, and I know it's just the morning, but if you want to lose sleep tonight you can think about this one: hackers try to gain access to the National Nuclear Security Administration, that is the agency charged with protecting our stockpile of nuclear weapons, ten million times every single day of the year. Experts estimate that the US networks face hundreds of millions of hacks and attempted hacks every day. The motivation behind those attacks tend to fall into three categories: there's cybercrime, there's hacktivism and there's cyber espionage. So just last week James Clapper, the Director of National Intelligence, testified before Congress that China and Russia, and we've heard this before, they carry out the most advanced cyber attacks, they have the capability to do that on an advanced level, but this is another thing that he warned, that Iran and North Korea are also capable of launching serious cyber attacks despite having much less sophisticated technology. I'm just going to read to you a quote from him and his testimony, here's what he said: "We foresee an ongoing series of low to moderate level cyberattacks from a variety of sources over time which will impose cumulative costs on US economic competitiveness and national security". So that leaves us with a question: what can be done, how can individuals, how can governments and how can companies defend themselves against cyber attacks? Can technological advances help in that defense or will the cybercriminals, as they have done, continue to find new ways to attack? Can laws be passed? Is that a help or is that just a patchwork approach? These are just a few of the questions that our panel of experts will attempt to address and answer for you this morning, and as I introduce each panel member and going down the line, I'll follow up with a question and then go to the next member and then we'll open it up for a discussion. I have several questions and then, as you see the microphone there, we're gonna invite you in the audience to come up and ask any questions that you may have specifically, and I'm going to start with our first
panelist Dr Hill, Dr Johnson Hill. He's joining us today, he is the interim dean of Pace's Seidenberg School of Computer Science and Information Systems. In this role he oversees an active research group and a number of interdisciplinary educational initiatives. Dr Hill combines twenty years in higher education with managerial experience at consumer facing internet ventures including travelocity.com. His higher education experience includes 15 years on the faculty of the City University of New York, where he developed successful educational programs and technology and entrepreneurship. In addition to his teaching responsibilities at Pace, Dr Hill oversees the work of the Seidenberg Creative Labs research group, which provide security and software development consulting to both non-profit as well as to corporate partners. He also coordinates corporate partnerships with major tech companies including Microsoft, Verizon, HP and Apple. His research interests include technology entrepreneurship as well as web development in cybersecurity, and over the last few months he's conducted new research at the behest of ACCA to better understand the scale of awareness and efforts among ACCA members and member companies, a new survey that's being released here today. So Doctor Hill, we want to start with that survey because there are a number of new findings, so why don't you tell us, sir, the standouts of that report.

Well, it is a zombie movie, Annika. I think for the financial professionals and students here who are aspiring to go into cyber security work you can't be anything other than truly alarmed. What we've found in our survey of ACCA members in the United States and Europe and the Middle East is that there is a fairly wide gap between practice and what the corporate and industrial regulations like COBIT 5 say, and I think that gap is what we refer to sometimes as the human factor, where
there are a lot of weaknesses between following corporate policies for cyber security and information protection and the actual reality, and the technology is fuel on the fire in the sense that even for financial professionals who are charged with protecting our most important personal information there's still this drive for expediency: you've got to respond to that email, you've got to get to the boss, if you are standing in the airport in Beijing you have to respond to that email, you've got to finish that report. There are vulnerabilities in the hardware, in the personal smartphones and tablets and laptop computers that we carry, so the hardware vulnerabilities are very profound. There are vulnerabilities in the software and in the connectivity, in the wifi, and so despite best intentions that expediency is driving folks to perhaps not be as safe and protective as they might be, knowing that there are bad folks out there trying to suck down your information, tap into your wifi and so on. So that's a huge concern. You know, nobody takes this more seriously than financial professionals, because again they are entrusted with this information, and we're at a point now where, with those huge break-ins that are so prevalent in the media, barely a day goes by that we don't learn of a Fortune 500 company or government agency that has had some kind of a cyber break-in. State legislators for example are, you know, they're driven to find someone to hold accountable and they're looking at those very same financial professionals, so there is a great deal of concern and there is this wide gap between policy and practice that is driven by the technology, and that's what we need to find solutions to, and it's what we're doing here at Pace University at the Seidenberg School. We've got very active research between our accounting department and our information systems department, for example, trying to find ways that allow financial professionals to leverage technology but do it in better, safer ways that create fewer vulnerabilities and fewer opportunities for government regulators to say 'gotcha'.

OK, Dr Hill, thank you, we're going to come back to you for more on that thought in just a second. I want to introduce our second panelist now, Dr Timothy, sorry, Colonel Timothy Lunderman. Colonel Lunderman is the National Guard Bureau J 36 cyber division lead; his responsibilities include initiating force structure and advising national, federal, state and local, international and private industry leaders on the capabilities, authorities, legislative responses and building force capacity in the National Guard for cyberwarfare. Colonel Lunderman, first of all tell us how
you got involved in this realm and how you see cyber defense evolving.

Absolutely. First I'd like to start off and say it's pretty humbling to be on a panel such as with these esteemed colleagues. As the president said, all of us on the panel are interesting and experts, and I'm the interesting one and these are the experts on the outside of that, but I've been doing cyber before cyber was cool. Back in 1989 I started off as a programmer, and you might wonder why someone in a military uniform would come to someone in cybercrime. I'm here to tell you that I have been on both sides of the fence: I've worked with Larkin Morinez, a programming networker, and then I've come back in the National Guard to start work with state, local, territorial government. There is a period in time where we have the best technology that's out there, and I'll take you back to 2007 when I was in Iraq flying F16s, bear with me a little bit for the story because it's going to have, well, I'll show you the relevance here shortly. The F16's a great airplane; it uses a targeting pod, and the targeting pod, it senses changes in heat, and that changes in heat can see things like tanks and people and things that are on the ground. My mission that day, to fly, you know, this multi-million dollar airplane, was to protect soldiers that were going from point A to point B, and what they were doing is giving supply routes from point A to point B to make sure that the port operating bases have water, food etc. The targeting pod was great technology and what my job was to do is to look for the improvised explosive devices that are buried into the ground that were targeting the convoys that would go out there, so basically the terrorists, or whoever, the bad, the folks who wanted to do us bad will, would bury these devices and then as vehicles would go over them they would blow up, and you've probably seen that on the TV. I did everything that I possibly could to take the technology that I was given, which was the best technology for F16s that could be given at the time, and my crosshairs, as I was looking up and down the road for the explosive devices, the only way that you would see that explosive device is if you recently dug up the dirt, meaning that the temperature below the surface would be cooler than a temperature of the surface and that would show that on a targeting pod. Well, this IED had been buried obviously hours beforehand and I had no idea that it was there, so my crosshairs were on their third vehicle of the convoy that I was supposed to be protecting, and that vehicle blew up and killed some soldiers. That, the good and the bad of that is that the people who were injured flew into the base that I was in in Iraq, and I went next day to get to that person and look at them in the eye and say, hey, you know, where you on the ground, I'm sorry that that happened, and the soldier looked at me and he goes, how come you didn't protect me? Right, so there is a case where we have a great technology that's out there, the best that is given to the military, and yet we still couldn't do it because it was misapplied. And I wanna go on Dr Hill's comment a little bit, is to say that, you know, when you look at cybersecurity and especially the criminal element that is there, and that's kind of what we're talking about today and cybercrime, it's a whole of government approach. The thing that's in common with everybody in a whole of nation approach is that the IT technologies, the government uses IT,
it's the first time that we in the military acquire things that are primarily built in the civilian sector and then used by the military. Usually we will fund research and planes and tanks and guns and then that gets spun off in the civilian sector, but now we're using the leaders of civilian sector to build this technology and then use it by the military. This is the comment process an approach that's to all of us that are out there, and there is no golden gem, and the more you get involved in cybersecurity you realise that it's not the technology that's going to save us, there is, it's a triad, and maybe you've seen the triad before, but as people, as processes and technology, as Dr Hill alluded to it. You could have the best technology that's out there, but if you have someone who is more prone to spear phishing, or, you know, there's Kevin Mitnick's book that's out there, Ghost in the Wire, puts a great explanation of how he got into a computing area, into a network, by walking into the receptionist and saying 'hey, you know what, I was trying to print my resume, I'm here for an interview, can you take my thumb drive and print out my resume'; as soon as they put that thumb drive in, it downloads his access and then he goes. So it doesn't matter what technologies and firewalls and what that you have up, and we'll get into a little bit more on that later, but it is a triad of things that are working through there, so it's the human element, it also is the processes in which you put place in front of your companies, and then the technology underpins all of that. So thank you.

OK, thank you Colonel Lunderman. Our next panelist I want to introduce is Emily Mossburg. She leads the resilient portion of Deloitte and Touche's cyber risks services portfolio, including the technic, logical and organisational aspects of technology resilience, cyber incident response and post incident crisis management for rapid recovery of operations, valuation and reputation. She has served a range of clients in the areas of technology risk management, data protection, data breach management,
technology resilience, and most recently she is focused on financial services as well as the federal sectors. Miss Mossburg, in a recent Deloitte posting on the Wall Street Journal CFO Journal, experts recommended that a number of steps that CIO should take to improve executive leadership's interest in and oversight of cyber risk; one of those steps was to simulate a cyber incident. Talk a little bit about why that's so important.

Absolutely. First I'd like to say thank you so much for the opportunity to be here. There's a tough act to follow with these two, but I'm going to do my best and talk a little bit about cyber simulation and why it's so important. Annika, you did a great job in talking about the fact that it's not necessarily if you're going to be attacked or if you're going to have a cyber incident, it's when, and in many cases the most important thing that you can do is to be prepared for that incident. And being prepared means a range of things: it means having the appropriate governance and roles and responsibilities in place to understand who's going to be on point for what decisions and what actions when an incident occurs; it means having the detailed processes and plans in place that talk about what's going to happen, again who's going to be responsible, and it's not just a technology response plan that you need to have. The technical component is how the adversary gets into your environment, but the impact is an impact to an enterprise's business and in many cases their mission, and that means that you need to have risk management, legal, regulatory, business operations and a host of others from across the enterprise engaged in your incident response plan. And one of the most important things as you're developing this plan is testing it, making sure that you understand what really is going to happen in the face of an incident and testing out: is it going to occur, are you going to take the actions that your plan says that you're going to take, are you going to be ready when the time comes. And we're seeing more and more in corporate America today that going through that simulation, going through that testing, is what's getting them ready for when they actually have an incident. It's allowing them to understand the holes that they have in their plan, it's allowing them to understand ways in which maybe they're vulnerable or that they may be threatened that they currently don't think about and haven't contemplated in their plans, and it allows them to not be in the midst of the fire trying to decide what they're going to do, because they've been there before, they've tested it out during those simulations.
It brings Sony to mind a little bit, doesn't it. Thank you so much Emily. Our final panelist who I want to introduce you to is retired Lieutenant Colonel David Holla. Mr Holla serves as the director of operations for the Electricity Sector Information Sharing and Analysis Centre. In this capacity he provides cyber and physical threat information to the more than 4,500 entities that generate, transmit and distribute the bulk of the power system throughout North America. He recently completed a three-year military assignment at US Cyber Command as the command's exercise division chief, most notably developing the whole of nation's Cyber Guard exercise that incorporates private, state and federal cyber incident response to a large-scale cyber attack against critical infrastructure. Mr Holla, at last year's ACCA Pace cyber summit, one panelist predicted a horizon populated by a number of infrastructure cyber breaches including our transportation as well as our energy networks. Tell us how vulnerable these systems are.

That's a fairly loaded question, so let me break it down into smaller parts. The bottom line is, are we vulnerable? Yes, we're all vulnerable. One of the things that the Information Sharing and Analysis Centre talk about is, you know, when it comes to critical infrastructure we all have our enterprise network that we're operating on; the financial sector, transportation sector, it's their business network and they're all the same: they all use Windows, they all have Windows servers, Linux servers, web servers, database servers, they're all the same. The configurations might be different but we use all the same equipment on it, and the bottom line is a vulnerability to one is a vulnerability to all, so a zero day against a certain Windows server, it doesn't matter what sector you're going to, its availability against it. The other part of that is then you start looking at the control system networks; that can be a little bit different, but a lot of the control system networks are also very similar. For example, there's a utility on the west coast that uses a single PLC to control the water treatment side as well as the power generation. These are the same PLCs that are used in manufacturing, they're also used in natural gas, so once you get into that control system network that's where you can do a little bit more damage, and the reason is because, you know, so we have two examples of actual destructive attacks: we have Stuxnet with the centrifuges, and then we have the German steel mill that was attacked near the German release was pretty much saying that they were very knowledgeable about the systems and were able to cause some destructive damage to the furnace there; there is capability. So when we look at how, how vulnerable are we? Are we
vulnerable? Yes. Part of the how depends upon what the attacker's intent is. Is he trying to go in there and just exfiltrate information, take things out of your network, or is actually trying to go in there and do destruction; so Sony is a great example of destruction against an enterprise network. Vulnerability, as we just talked about, with Colonel Lunderman just talked about, with people, technology and processes. When it comes to technology, humans throughout our revolution, when it comes to technology we've always found ways around technology, so we can have the greatest technology but humans will always find a way around it. Okay, so he had some really good technology there in the desert but it doesn't necessarily incorporate everything and there's ways around it. And then it comes to people. So we mentioned earlier about the Target incident: Target actually got some notification that there was something potentially going on, people didn't take action. Alright, when you look at the time to discovery of a cyber incident, you know, it's now going down from 240 days to getting a little bit sooner, but a lot of times you really don't notice it. So when you talk to control systems, how vulnerable we are, OK, it's either going to look like a cyberattack, operating system not found, or it's going to look like a maintenance failure, and then it's, you start figuring it out. So in part of the whole of nation we do this Cyber Guard; if I somehow was able to do a cyberattack against a dam and caused the floodgates open, that's not your emergency; it's the loss of life, the destruction downrange, that's your emergency, and in 24 to 48 hours when they start looking into it they find out there's a cyber component to it. So, you know, sometimes you don't know why until you have to dig deeper into it, and a lot of times if you have some of those failures, if it's just, you know, 'oh hey, my PLC just failed', what are they going to do? They're going to pull out that PLC, they'll put a new one in there and then they're back up in operation and you don't know that you had a cyber attack, so that's a little bit of a challenge when it comes to the how.

Why don't we just go through, I just want to ask each of you: we talk about these massive cyber incidents that we've had lately and obviously there are lessons to be learned of how to manage them, how not to manage them. What have been some of the big lessons learned from these incidents, what have the companies done right, what have they done wrong in terms of managing an attack once it happens?

I think in following on Dave's comments there's got to be a total attitude change in the way we approach these problems. We know that if the government sector, the business sector, the education sector, any technology system here is attractive to
an attacker, and increasingly those are very very sophisticated military, quasi-military entities that are doing that both for theft and for just pure destruction. We teach our students here, Seidenberg School at Pace University has a very robust cybersecurity program, and we are taking these computer scientists, software engineers, and we tell our computer science kid they've got a problem, they get excited, right, and we teach them to be problem solvers, and our students go out into these positions and all of a sudden they're in a corporate situation where you're not allowed to have a problem, and if there is a problem you have to be really careful about who you bring that problem to, and so I think that we see in these incidents, and the results of the survey are very very clear. We know there's an issue in the financial side. These amazingly talented accountants and financial services professionals are not only good at that part of their job, they're also really strong IT people, but we can in so many cases admit there's a problem, we have to be very careful about how we report it, and I think we need to get some of that problem solving thinking, which is why we educate students and why we do corporate training, we've got to change that so that that whole process of education, protection, reaction and resilience is inculcating a new culture of saying there are serious vulnerabilities, we're never gonna be able to patch them all, and we need to change the way we report it up and down the structure so that we can solve the problem better and faster.

I would offer everything that Dr Hill has said and I'm going to phrase it just a little bit differently. From a military background, you know, when we go out and do things we generally don't focus on what we do right, we focus on what we do wrong. When you're flying airplanes and throwing yourself at the ground, or when you're working in space, right now we're working computers in the cyber security, we're always look focusing on the failures on the part of that is you become somewhat immune and the idea is thick skinned, and I
would offer that companies today when you look at information technology people at least with a company that i've talked with and worked for united airlines lockheed-martin type of corporation insurance etc they are very intolerant of when an itvi hate the server went down down and then all of a sudden everybody's on the back of the ig professional this there right away to the server go down that failure really has to be looked at as a what is the process is employees who do we have the right people there and the right technology to be able to move that around and not be afraid of the failure because once you are not afraid of
failure you then can experiment and look at different things that can really push the edge of the envelopes as was said by the panelists already have you tested your backup plan like to go if your data was crushed lake in the target machine did you test your backup plan to go step back a couple hours and put them back into their well we can't do that cuz we're too busy we'll we're gonna lose it or something of that nature that's a very important piece of the puzzle to do which will make you more resilient at the end and clearly that will that will be part of it as it comes in from there so and the other second effort which again
underlying comment and it is the main reason kinda way becomes my main effort is to share the information just as it is to say that failed it's also very important to share the technical information with other people without a doubt when people come after the security of the nation they come after the banks they come after the hospitals they come after the schools they come after the death comes before they roll into the national security interests that is the same threat because it's dave said it's the same technology that's behind it with its a linux server whatever in the ability to share that information and and we as a government have to do a better job working on
legislation change that by sharing information will protect you and your stockholders within your company we very very serious and we're working really hard to try to get to that level i think when you think about lessons learned as it relates to that of incidents there's a number of different dimensions that you can think through you know what did we learn about how to better secure an enterprise organizations so that they were left vulnerable to attack how do you have better monitoring processes technologies solutions in place so that you're earlier identifying the issue and getting in front of that issue before it become massive or
rushing to the enterprise how do you respond you know what are the lessons learned as it relates to the response and then lastly the recovery what are the lessons learned around recovery when you think about the secure front and how an organization better secure their enterprises i think that the mentality shift that has been talked about this panel is very important and i think that we're in a very interesting place in the evolution of information security and cyber security for many years it's been used as an iit issue an issue that a technologist were left to fix and all they understood was we need to make our
networks and i and our environment less vulnerable without a clear understanding of what they were protecting or why they're protecting it and i think that you're seeing a shift right now in terms of what the role of an information security officer is and there's much more focused today on well what would they want from my organization anyways how would they come after it and how would that impact my business and those are the questions that are being asked now and are being put into the plan around securing an organization and helping to drive more risk focused information security plan and program from a monitoring
perspective this is a space that has been evolving for the last 10 years in terms of tools available to identify network pattern to be able to correlate or fuse events across a network or quite frankly across the internet to understand what the trends and patterns are i think that again the glue that's missing is understanding when you when you know technically what's occurring what does that mean to my environment and how quickly do i need to be able to respond impacting a server that is a test server that somewhere you know when the back closet that really doesn't have any implication to profits and financial
transactions or is that some of my poor financial transactions servers and the fact that there i'm seeing abnormal traffic there i need to move very quickly and rapidly from a response perspective i think one of the biggest lessons learned especially coming out of what we've seen very recently is the fact that business continuity and disaster recovery plans are great they may not always work in the case of destructive malware the original and the backup may all be gone and when you pull the plug from the internet and you have to rebuild from scratch you need to be able to think quickly on your feet and you probably need to already have a backup to your backup i think we're
starting to learn that the plans that we put in place looked really good on paper but when the rubber meets the road and you got destructive malware that's proliferating across the network and taking taking out not just you know your course this time as i thought all of the backups you're in a very interesting position and so i think that what we're starting to see is a lot more movement to cloud providers as it relates to emergency plans how can i technology very quickly to be able to rebuild systems very quickly so that i can keep the lights on and keep my business going those are some of the real hard lessons learned i think that have come out of
some of the things that have happened in the last year did you get your chance to get back on some of that are working the quantification of cyber risk that's one of the really tough one because it kinda like trying to put some numbers behind it so that he could with the return on investment is that because a lot of times we have low risk high impact high risk low impact or try to figure out where to put our money because we don't have unlimited resources going back to the people though one of the things we look at is if we don't share we're just this little island trying to defend ourselves hey when it comes to cyber security professionals uit professionals where is their main job get everything
to work everything to talk together so the business process in action and then cybersecurity you look at it from a different perspective you know what are all the things that can go wrong with our own abilities so for example when it looks to firewalls uit usually on the inside the idealist the firewall says ok enable enable by exception so all traffic going in and out of it and then would enable the stuff we don't want the dod looks at it is deny all enable only those processes that need it so you have a little bit of a cyber security perspective they're looking at it from that perspective but again that collaboration and sharing he there are things that can happen over here that
might impact the guy every year but you're not talking about you can't learn part of that collaboration environment does two things for you 1 accelerates learning ok which is a process greece's experience was the commodity by that information sharing by people talking about it you know who would have thought that you can go in and you can go into someone's building automated system ok get access to the facilities and start changing the temperature in your server room and take you up doing it that way it's possible to get people talking about all the time right now because as we get more and more technology-focused we want efficiencies
and so are building automation systems are open to the internet now so that contractors can look at it you think we talked about it he will target and some of the other places third party vendors you can have the best security in your business but you're only as good as the people you allow access to your network and people that don't necessarily see how that happens and then we talked about it exercises and we was talking about that exercises as not to have a successful exercise as far as everything was fine the dod perspective and everything is in even with our critics will talk about you train to failure because that's when
you start having those failures you start learning in mostar lessons he started asking questions so what if this happens what if this happens so we're about to go into our our third grade x for the north american electric reliability corporation we have the last 12 years ago we had over 2,200 participants with utilities all over this year regis planners alone they have a lot of in the participants yet we have over 1,100 planners throughout north america planning for their utilities and also the states and the federal government participate in this in its me a combination of physical and cyber attacks against the grid and it will be
brought to the point of failure so now we're trying to work with each other trying to figure out how to bring the group back up in a faster period time you know because obviously you don't wanna be without power for months or weeks you know we need to go to reduce this down and so we start testing some of those failure points and seeing where we can learn from it you know we won't know until really happened so the time to change the time to train for emergency is not when you have the emergency so i'm saying is you like for example talk about active shooters you want to train for an active shooter when you have an active shooter that you want at least have some type of policy in
september practicing and that goes back to release in the physical side fired ok we start this training back in schools and elementary schools who go through parliament fire alarm goes off we go through the fire drill so people are you so that when you get up to the the adulthood we see that well now we have to look at it from the cyber site where we say and noticing it especially as things get better because as adversaries are trying to get a little bit more a clever look at some of our defense is looking for indicators of compromise well actually exercise can get in and out and now we're going to keep ability
to remove any of those indicators behind so lets you catch them in the act you don't even know they were there so from from the financial side ways that work because i'm your intellectual property you pull out your system and you don't even know are you noticing any sort of common thread weak spots among companies a specific area of vulnerability that you often notice that they could right off the bat of a more secure system yes so the fbi says that eighty percent of all cyber attacks are using to three-year-old vulnerabilities that have been notified k the center for internet security says it's actually 85% so the one thing you could do to try to defend against everything it has nothing but
the one most important thing to do is if you could patch every single system into every single patch knows the focus on everything it's gotta be a hundred percent but if you could do a hundred percent patching of all the systems connected to your network when it happens you'll reduce your attack surface by 85% and that gives your people the ability the upper hand to start looking for those the things that are happening right away i mean i would say that's the number one priority right there and that's the best way to put your resources in there i see emily nodding her head to ya know i would agree that that's the number one
priority i think that if i would think what's next i would focus on training and awareness i think that every single large noon attack that happened in the recent past has had some element of social engineering your phishing what have you and so there is again we've all said there's that people think that people weakness that exists and i think that many organizations are focused on continuing to try to educate but i think that that's the other space that we can get people more intelligent on is how could they potentially be a victim how could they potentially be targeted and what are the types of things they should
be looking for and when that happens who is it that they contact what are the steps that they take before they click the link before they answer the question over the phone or whatever it might be like to take you down to pass one with a little story how would you feel you know maybe right here in the front row how would you feel if i walked in your house right my grubby little hands touch your director in the door handle my dirty feet walk across your floors i put my rear end right behind your computer i pull out the keyboard i leave all my you know fingerprints all over your keyboard i turn your computer on some drive-in i take everything off your hard drive
put out i'm driving don't really just right thing i we've all that there i put my thumb drive out and i clean up all my way back out of the room until i'm out of your house that has some reaction i hope to some people in the physical realm that yes i came in and invaded your space realizing that this happens everyday people may not come into your house but the coming through the white and they're taking the data out of your computer and taking it forward why hasn't the american public in the world population really had the same reaction as you would if they physically came in your house really didn't destroy anything but just took the data to move on and that's really comes into changing
that people thought process as it continues to move forward rate making sure that people understand that this is a horrible thing and you can't just rely on eid professional the technology piece to that to save it the second piece that irappers that we need to focus away from here by defending everything you defend nothing here to fit everything and i know that financial sector is leading the effort to be quite honest and i really applaud the effort for what it's worth is to focus on who is a threat to you so focused on why would someone come after me right is pretty easy as it was said in opening comments when you're a federal government you have the big
countries that come after the federal government but if i'm a specific company what company do what threat actor what threat vector would then come after you and then you look at their capability and intent what is the capability of that threat actor in it what is intended predator they might have huge capability but no intent to maybe another country where they might have a huge intent but no capability in the perfect example that like the isis the cybercrime thing is is is very very important that we get our heads around this as not only nation but world because the cybercrime element is funding these other organizations that affect our national security so all the information a lot of money that's
being funneled out through the credit card fraud and other excuse me fraud that's out there is funding things like comeback to international scrutiny so that's why the whole of national draft those three very very insightful comments you've got the information technology people you've got the information systems key porn you've got these financial services people and accountants who are well-educated well-trained and very well aware of responsibility huge responsibility which is that much greater because of the prevalence of the attacks and the certain knowledge that everybody big and small is vulnerable and under attack but you've got these other people coming
into the conversation those three professional groups overlap they know each other they were roughly speak the same language but you've got these intruders who are coming into the party those three professional groups are used to the occasional visits from the corporate government affairs folks and legal counsel coming in pat on the head and say we understand what you're saying and then we'll see you again in six months but you've got legislative action again looking to hold my actual professionals accountable if there is some kind of threat that only increases the pressure and it's in some ways another distraction so you've got
this 360 degrees of awareness that you gotta have because you've got these bad actors trying to get into your systems and you've got these external forces wanting to know what you're doing to protect those systems and you can't be everywhere you can't answer every question and you can catch every single vulnerability all the time so we need that new thinking and we need those processes that emily and her colleagues put into place to try to make it possible to survive professionally and personally and under this kind of scrutiny and pressure and david you brought up the third party vendor situation with target but that's a big issue that a lot of companies face in
terms of hiring vendors to even enter their i t systems are there specific thing for companies should be doing in terms of their relationship with the vendors how should they be scrutinized vendors with it they need to know what what can't they sort of subcontract out at end and how should they be managing this industry's financial services especially how you manage interact with your third parties particularly around cyber risk and cybersecurity it is regulated and so there are you know fairly specific programs that talked about how you need to prioritize your third party vendors in terms of there's five the type of business that they do
for you the volume of data that you share with them the type of data that is and then based upon that prioritisation how you should be basically managing them in terms of their alignment with your cyber risk and cybersecurity program and posture and so in many cases this means organizations doing on-site assessment for their third parties one of my client is a large financial services institution and one of the the large projects that we do for them is that third-party assessment work and so they have thousands of third-party vendors and we work with them on an ongoing basis through that prioritization again
through a business lines of what are they doing for you what type of data do they have how critical is that data to you and your organization and then we go on site and we basically are on site at one of their third party vendors every day in the year conducting almost 500 distinct cessna on-site assessments each year and i think that one of the things that the industry quite frankly is struggling with is how do you keep that up how do you continue to have that level of rigor and that level of investment across your third party and there's been various different industry groups where they've looked at
when we come up with a framework and assessment framework that we can all agree with and then we can all have won a second of that vendor and we'll all be satisfied in terms of their level of controls but as you can imagine with organizations that are that big and with such stringent focus from a regulatory perspective and such in some cases different risk profiles as it relates to different vendors it hasn't gotten there yet but i do think that it's something that if we are going to continue to have that level of rigor we've got to find a way in order to manage and monitor those third parties in a more efficient and effective manner
one of the really concerning things that came out of the survey that we did with the sec a membership is that fully fifty percent of the respondents said that they only rely on outside consultants on a series of three bases after there's been an incident so it's almost we had we had an attack we had an incident we gotta bring in a consultant to go through a process in check the box so it's reactive rather than preparedness and you know that's that's pretty clear be closing the barn door after the horses of 10 situation that we should all know better than that part of that process needs to be get those folks in early if you use of
military terms to this this thing we talked about key terrain like so what is the key terrain of the business is it the email server you know you might be attached to your email server and that's how you communicate to the world but if the email server goes down is that really gonna affect your business at the end of the day that's where you can look at that kinda prioritize where you go into i have a deep appreciation for companies that are struggling experiencing different in the boardroom when how much money do i spend and help where do i spend it at because i talk to people like cisco in the people who are actually writing the router and they say that if i put security in my router my
router might be two cents more than my competitor and at that point i'm because routers and switches are viewed as a commodity that puts me out of the market share that isn't profitable so it's a very robust discussion to work with colleagues like the folks on the stage to be able to understand what is the risk but what is the key terrain and how to protect it at the end of the day the other thing that goes back to that is part of the contract with third-party vendors so for example there is a utility out in the midwest ahead and turban install and in order to have the warranty and went to contracting and they basically the company said we need 24 7 access to the system and oh by the
way what it didn't say was they were gonna the installer was gonna put an antivirus on there but there's nowhere in the contract that is said who is responsible for updating the antivirus signatures so you know two years of the day that the contract expired you know the company went ahead and just erased the antivirus on their put their own antivirus system on there and immediately found a virus inside a german fortunately the virus did not do anything to that particular environment but it goes back to show you how another company looked at it differently they
had some smart people from the itn cybersecurity side this will give you 24 7 access however you have to call us first and we will give you a one-time vpn in the network and it lasted one hour if you need more than that let us know ok so just that technique right in their shutdown that vendor for only up her time so whenever you need it will go ahead and give it to you call us up and we'll go set it up but you know it's just not automatically just can't get into my network anytime you want to and that tightens security that way but that beat that just goes back to when it comes to the contracting if you don't have the subject matter experts
walking the process of the whole way that we can get some process part of a triangle ever talk about people processes technology one other thing that i would add to that is the concept of data minimization because i think that's another thing that organizations particularly around third parties are very focused on because in many cases they may have had a contractor relationship for five years and years and this third party has been doing whatever processing servicing for them and they've sent the same file same data and the same fields for that entire time and in many cases organizations are now starting to look at it and say well do we really need to send that entire
file do you really need to know social security number or could i give you a tokenized social security number or can i give you another identifier that it will allow you to process and the same way but you wouldn't have as much sensitive information of mine in like my clients and customers coming over and so i think that's another component of how you continue to manage and rein in the vendors as well as your own environment quite frankly is looking at the data that you have and figuring out you know more is not necessarily better anymore how can i minimize the amount of data that i have particularly the sensitive data that i have and how sharon that's very interesting because that's one of
the biggest problem electrical sector is people don't want to share their information like what you mean i don't want your personal information i just want to know what you find in your network you know what was the malware was the hash signature that went with it ok what directory did you find it in keep all your personal data don't share that with me this is the specifics i need and i think people get mixed up in that understanding of what did you want to be shared if you don't get the requirements out there then people say oh i can sure that that's no big deal nothing about my business processes or anything out there and and that's what
that's what the conversation needs to happen talking about information sharing how much of a problem is that how much more do companies need to be sharing their information and sort of presenting paradox for them because the more they share the more they feel they're risking putting themselves out there so how is how important is that it should that be something that is really focused on getting started mandated what what is the solution the best answer to that so this is kind of like the root of kind of everything that i've been working for the past seems like 10 years now there's the carrot and stick approach you could
regulate it right and as soon as they say regulated business owners walk out the back of the door we don't want a more regulation i totally get that or you can create the carrot that's out there there are organizations that are out there right now and i will mention a cse the security center in boston and what this was was a group in boston that kind of sit down together and said hey you know what we all share the same technology we're all have the same something in common the commonality of that is the boston area companies and you can look it up like boston fidelity and mit boston university mitre is involved with that
things of that nature and what they do every tuesday is is just like they was saying they take away the you know the financial aspects are you know whatever their personal information in a really get down to the root cause of the technology what is the threat vector that you're seeing this week and it's the ideal professionals that sit down and play and there is a place big companies i think her fifty don't quote me on this but it doesn't it's midsized 30,000 if you smoke up maybe it's only a couple thousand dollars but if you don't participate in cyber tuesdays you're asked to leave and what that does is it built a level of trust in and amongst that group that here to share the sun
same company that is able to then do that now they have claimed 15 saves meaning that somebody maybe somebody hit elodie minor was saved or vice versa under that and that really is kind of the model why because it gets government out of your business and government doesn't want to be in the cyber security business we are because we need to continue to share what we continue to do that gets a privately owned and ensuring that type of information across in a few moments we're gonna start taking some questions from you in the audience i want to invite anybody who has a question for one of our panelists to make your way up to the microphone and as you do i i have
a question is a little bit of gear shift but it's more of a consumer question which is we we've been hearing a lot lately about the internet of things about nast your home and the samsung tvs that can hear what you're talking about how how big of a risk is this to the public in our testing wearables are incredibly vulnerable know they have been built again like so many technologies for openness or access working with multiple access points so they have been built for expediency they have built for security and while i don't think anyone is worried about these hackers finding out the ingredients in their refrigerator on a given morning you know health data
personal financial data and lots and lots of things are vulnerable to those wearable and another example is been proven that these new computer-controlled automobiles systems are vulnerable to hackers and that puts folks who are in the limelight like television celebrated television reporters at additional risk and also in terms of what can the public then be doing to protect themselves because it's not really possible to live off line but you know we hear these stories of people's accounts being held ransom for example how much are you seeing that are there any measures that people can be taking on a direct basis to protect themselves as as consumers but they're
not doing the regular see people not doing well for example right now in my wallet i have in i have an rfid resistant well my credit cards because someone can walk right by you with an rfid reader and pick up all the data so just as a little simple i carry that around it with my credit card just the limit that they have to really really close and then worry about them in my pocket so same thing can happen there but the point is let's go back to facebook especially you students ok anything you post on the internet ok it's not like me taking a photo of myself heading to emily so they know
there's only one out there you know i post something on the internet it's gonna hang around for a long time and depending on where you post it you may not even known that data so things that you do in the worst part is for students is understanding that guess what ten years from now anything you share ten years ago i come back and haunt you so you know that little party you had to get super drunk people who are taking pictures of you know when you're running for us senator yeah so that's because the stuff on the internet doesn't go away it's some of the stuff is everlasting so if you wouldn't do it in your own home you may know what to do about their own by the
way in your own home if you have that laptop context of the internet you get that little camera up there that's fallible and one of the cheapest thing to do there take a little piece of paper piece of paper just covered up because your computer you don't worry about being seen in your underwear in like that so part of this is just some is this new technology helps taking the proper precautions internet things you don't have to connect see your if you have it is capable you don't have selected connected so you have to go back to really it's all tied together i think so it's not just your personal and how you view but also puts it in your professional life and it really gets
into the privacy versus security me i have a $2 1 1921 and they view privacy much differently than i do you privacy especially when it comes out here and it still is it really important to be able to have these wearable that are out there or it's really important that i have to do my banking open wifi comment at the airport right i mean those are some things that you just need to continually be thinking about for example you know and i think everybody does now but not too long ago people were afraid to put passwords on their wifi accounts are theirs wardriving you know it's somewhat have gone by the past but wardriving is where a child pornographer would come outside your
house looking for open wifi and they would download all the child pornography the fbi's monitoring that by next you get a knock on the door and you're arrested as a child pornographer you didn't do that obviously the person who is there but then undo that the public persona so it's really smart and cautious and you know even at home is your ios on your phone up to date and it's kind of a colleague said before is your routers and switches that the date is the firmware update you know all of those types of things clearly play in it i think so you know just because someone online and she was surveyor wants to give you a free t-shirt if you answer these questions i mean i think you need
to think pretty carefully about what you're willing to answer and how much information you're willing to give about yourself understanding that on the back and it's not just connected to a database associated with that survey by itself in many cases there are ways in which they're compiling massive the truth about individual you know it's not necessarily with criminal intent in mind it's in many cases because they want to be able to better target consumers better market to you but at the end of the day that sure exists and that data is vulnerable and there are others that will have access to that data and we'll find a way to find
and to get access to it and then i think the other pieces being vigilant about your own your own account and being vigilant about your own credit making sure that you are constantly watching you know how i got him something in the mail doesn't look quite right i've never shocked you know hole but now i'm starting to get things from kohls in the mail it looks like maybe there's an account in my name associated and just be vigilant about those types of things i think often that's where you find that something has gone awry do we have any questions this has been a fantastic thing that i i've actually got a question if i was fifty years younger
it seems to me that i should learn about this cyber problem and become a cyber hacker because it it it seems like the cyber hackers on the winning side and i could make a huge so my question is what is happening to me as a young person in jail or otherwise cents a minute for behaving badly relative to the problem so one of the most difficult problems that face if you were ever exploded in the technology rain is attribution trying to find a hacker that has bounced all over the world and figure out exactly who that person is and then generate that extradition rights to bring them back is an
extraordinarily difficult problem that that is something that we struggle with every day and the federal government side and i'm sure that you and civilian sector are dealing with us also so the idea there is you know do we send people to jail or not and you use the stick approach or do you rise to the level of the sets and and that's kind of the effort is to you cost them meaning that to be that higher person and you know truth be told in the world there are truly only about maybe a hundred to two hundred really really talented people that can get into any system the problem is that all the systems is report about are patched to the level that they're actually don't
have to be very sophisticated at the end of the day and and when a company companies in general what i've read in no means an expert on this but would go if i only give them five thousand dollars that is acceptable risk without broadcasting then sharing that information together it goes back to the common core value of this is why we need to work together both from the federal government to the state government to local government and into business and industry and also across the country the world understand information sharing piece today very basic dangers you're not too old with your experience your knowledge of people and processes and a little bit of acca expedited training
you could contribute very much to do with this conversation peace treaty poor this stage or what allows me to sleep a little bit night all of our top top level dave that their careers in the military and they could have made buckets and buckets of money in the corporate sector and they've chosen to serve our country in wonderful ways and emily is on the corporate side but she has a real sense of mission to what she does and she's working with companies that have my in your financial and healthcare information she could do other things and for more compensation but she's doing what she believes we
have lots and lots of students the technology sector in this city in this country in the world and we have dozens of students who have been funded scholarships by the government they could pronounce those and go to work for one of the big companies and jaw-dropping salaries but they are choosing to go into government service for this very reason we are we're at a pearl harbor right now in terms of our cyber vulnerability that is changing because of the work that these folks are doing and because of the work that our faculties doing with these really committed very bright young people who are we're we're going to change this situation together all of us as we
increase our technology or technology is is basically something to help us facilitate doing things more efficiently expand our communication and as we embrace these things you know what has happened is it's great it's you know we can talk and as a forward we didn't really think about you know how do we keep ourselves safe so for example you know you learn pretty good about you know when you have kids you know looking around making sure you're aware of your surroundings don't talk to strangers carry-over in the in the cyber world where technology world yet we just embraced rangers we tell pretty much anything and so some of those things that we wouldn't do
do in the physical world we're willing to do in the cyber world and as technology has jumped up now returning to utep back to the world of people in taking take advantage of each other we wouldn't have any of these issues but we don't live in a perfect world and as we just we're trying to play catch up on the defensive side are looking at that i mean it's just amazing i mean how many people in the audience have an iphone probably most of us and the iphones only been up for seven years and it's like ubiquitous society now it gives you a pretty good idea of where we've been living at the iphone at seven years ago people were close with one real quick comment and that is that the
cybersecurity be and the careers and cybersecurity are you know skyrocketing in the opportunity is there for individuals whether it's on the federal side the commercial side are there and some pretty exciting things maybe not quite the salary of the the hacker but with some pretty interesting compensation so i would i would hope that those individuals that were interested in learning more about cybersecurity and hacking would would come to the to the white hacking five worst of the dark side of you to get them i think you have to be here and not on the stage this time don't have to wear a suit today with innovation and since last year
progressing and what we're trying to to to ask people to go through risk management process now for ten twenty twenty-five years and it just doesn't work people and they don't go to work so i think that we have to take into account with people maybe innovation as well as a little bit from natural evolution and just say ok we are working and you know what you said this people need to be smarter is maybe people just don't and we can tell them is 20 times do the same thing today and they just don't do it so maybe instead of trying to to continue doing that we should make out systems more foolproof if you would like for example is who he is not on facebook once or twice or three times a
day do things that bring why don't we have in our offices two systems where people can switch where you have an open system where people can do and then only for the small things that you want to be a different system that always always used the same old the same same change things it's the same like having apple tree with all the same kind of disease you know all deputies will die at one point why do we do it by don't know if he's like and a heck our millions and millions in the daytime so that people can just like a ship you know you build 12 portions and maybe so i think we try to do think natural way so i would accept that people and
see translate a little bit into maybe something that only city where she talked about it dedham medication right in terms of pushing that out maybe don't put everything out there that you need to do and what you do you just described at least the way i interpret it is really process mitigation rate is everybody really need to have access to everything do we really need to have the same systems in place that you can go access it for example in the military we have a secret level computer system that's others call the siprnet at one point in time if you got where had access to the siprnet you can go anywhere on the siprnet we found that probably wasn't
the best idea right because if you all you have to do is get access once and i have access to all and so that's more of a process now is dave said we go into more weightless thing to say hey you have to ask for permission to get to that you can also put it behind her to go if you're if you're gonna invest in your company and you are the i t professional sitting down there working with your cyber security expert in everything good in your comments on this to do we want to buy all of the same type of router or the same type of switch to avert diversify so that we didn't we create a larger surface area and more complex surface area i would also say to me there it sounds like
there's two pieces here there's what do we do about the legacy world that we created which in many cases and i think we've talked about this technology was built for efficiency for data sharing for you know quick innovation and propagation of ideas all very important and novel things but protection of data was sort of not in the equation it alright so to some degree now worked till continuing to figure out how we go back and reconcile some of what has already been built and already been designed and already out there in order to get those systems more secure than you got what we do forward and that around the fact that many of the things that we're all doing to innovate to
drive continued creativity and growth introduce new cyber risks and potential security issues and as we go forward i think now there's been a bit of that aha moment we can't continue to innovate without considering what the implications may be called the data that's included maybe use how can be used again how could be used in ways that we weren't considering i think that if you look at the entire innovation process and the system and product development lifecycle they're shifting and changing and thinking about security risk and thinking about data risks and thinking about you know how might this actually beaten again does is being considered in those life cycle and it's
changing to your point the way in which those products and solutions are being developed it in some cases creating alternative to going forward i think that we are starting to in bed that thought process in what we do there's just so much legacy data and legacy systems out there i mean in many cases the large enterprises as don't even know where all of their data is trying to go back into your point guard compartmentalize or you know break some of it up first they've gotta find it and then they have to figure out what which he said the vat data which data element
most important about and that quite frankly is a process that takes years for them to dig their way over the captaincy internationally and when you look at the people factor their cultural things there's certainly no surveys and differences between accounts in north america and europe in the middle east in the way that they work with these things and received the threat but wherever you are in the world the appetite for total information excesses limitless business business and our own psyches are completely expecting that we can get whatever we want when we need it that we can transfer or bank funds to our kids from the airport in below or wherever we are and that kind of 24 7 rapid access
and expectation that everything is gonna be there is what's driving those vulnerabilities with these patchwork systems that emily reference and that's that's our challenge and that's what folks in this room are working on it also argue that one of things is we use the people can relate that to keep it simple principle it's like it's cheap i can put it all together quickly and everyone has access that's great it's only in the heights as well as i made that wasn't good idea so when talk about business mergers and everything where the person i do they want to get as integrated as fast as possible they just connect systems and then they are going through later on we need to change some
of this everything but the other first priority is to get everyone talking and everything integrated right away without looking at all the risk if you look at it that way it takes more time it takes more men are social resources so i can utility side one of the things they talk about is you the big utilities they have a little bit of extra resources towards the smaller companies they say you know unless it's a regulatory requirement i can't go to the state regulators to have rate increases so that i can implement good ideas or best practices and so that's one of the challenges as well so it's a resource issue that people look at you know what's what's the fastest way to do
it especially those small business we're gonna do there's just let the whole thing together it was stalking because it's fast it's cheap and they can get sufficient for the process but as they grow changing the process play never work for me and i have now a broader copy of which is so sophisticated in its safety features that it no longer talks to my computer so i think our third party service provider and helps me to work around it by turning off my firewall things so you know we can make things safer than just working and people to handle things we have time for one more question from the audience there will be time to come up with a panelist afterward if if there's
anything that you to find breaking points in their systems in the past five years there have been ethical hackers such as yourself with white hat hacker and i just wanted to see what you thought about this because this is a big going on big deal you guys were recently talking about hacktivism earlier how some some actors have something political to say usually but i just wanted to see what you guys had to say personally really peaks my interest cause i'm doing a lot of research in this area myself as i have seen it and clearly would i have done is one is to be incessantly pessimistic everything
that i do i always look back and say hey i probably could have done that and how did i even get to where i am today i have no idea it is to be staged a moment to be any stage because you're always looking to say what can i do better what can i do think it's great books out there right how the great falls jim collins you know the first step is to richmond someone starts getting up there and say hey i'm good with that your first step of calling for greater charade that's on there and the second part is patiently relentless is what i would say is because you know when the people who are out there to do you harm they are patient they will work at their own pace they only need to find one way
in when if you are on a cybersecurity part you have to protect everything and that patient relentlessness is something that is needed you when you don't get frustrated at the end of the day you can work under pressure because you're gonna get pressure by your boss and other buses that are up there and still go hey i got this let's just continue to work it and not afraid to ask for help when you need it as it relates to ethical hacking and sort of the career path and opportunity there i mean i would say that right now there is tremendous opportunity for that type of a career i think that having the technical skills that as well as the
ability from a psychological standpoint to think like the attacker to things like the adversary and be able to come up with the thought patterns related to what the motivation might be and how you may actually then from a technical perspective move forward with an attack i think that's the kind of thing that is really needed and a skill set that is a lot of interest in the marketplace today that mapping of that psychological this is what the adversary of thinking these are the types of motivations they have these are the ways in which they make try to come out their particular organization based on what they the organization has a value to the organization and then being able to take
it beyond that to the attack that i would start trying that's what organizations need to then be able to defend themselves again beat the adversary in just a bit too big a previous question that was out there these attacks can be done by anybody right you could go to website and download a virus that can then the attacks you don't have to have a technical skills to do this i would say so the ethical hacking is brick finding vulnerabilities penetration testing your so we put together maybe you misapplied secure procedure for securing a lot of times you when you setup your web page in the deep ball he did disabled it so it's actually less i type in the right
out the they show that you have a web server up there is not complete so things like that that's cool hackers can find what isn't always taught in ethical hacking is the adversary mindset so for example in the west coast there is a municipal gas plant that provides the natural gas to fuel to start throwing the generators were the electrical plant and those are two separate entities so if i'm a real adversary looking at it whichever one of the weakest link is the the generating plant provide power to the natural gas so if i take out one i take out both and so coming from the
upstream i said maybe i don't necessarily have to go against you but you know if your organization so for example great one is government if you don't have water the water he showed up for several hours ok they let everyone go home official rules right so you know so i really want to disable government construction the power supply or the water going to that facility that's easier attack they're trying to going to go through the entire perimeter of their firewalls anything or maybe i can affect their power to the building and do it that way so it's beyond just the server side when you look at the adversary mindset as you bring that whole big picture to it each
of you on your way out to grab a copy of doctor report you'll find it out in the lobby and i want to just once again and also remind you that all four of you will be up here for a little bit answer any individual questions that you might have a need to get a chance to ask but i wanna just thank all of you once again dr. jonathan hill kernel ondemand thank you so much and we offer thank you for your really fast