WELCOME TO THE 21ST ANNUAL DEFENSE SECURITY SERVICE

JULY 21, 2017

ALEXANDRIA, VIRGINIA

Partnering with Industry to Protect National Security



Social Media

@DSSPublicAffair

@TheCDSE

Like us on Facebook at DSS.stakeholders

Setting the Stage

Mr. Fred Gortler III, DSS

Agenda (AM)

8:00 AM – 8:10 AM  Administrative Notes
    Mr. Jeff Cavano, DSS

8:10 AM – 8:40 AM  Setting the Stage
    Mr. Fred Gortler III, DSS

8:40 AM – 9:15 AM  Keynote: DSS in Transition
    Mr. Dan Payne, DSS Director

9:15 AM – 10:00 AM  Applied Case Study
    Mr. Gus Greene, DSS
    Mr. Andrew Winters, DSS
    Mr. Brian Prioletti, Industry

10:00 AM – 10:15 AM  Break
    Refreshments in the lobby

10:15 AM – 11:45 AM  Sharpening OD/PH Roles Roundtable Discussion
    Mr. Chris Griner, Industry
    The Honorable Dov Zakheim, Industry
    Ms. Giovanna Cinelli, Industry
    Mr. David Langstaff, Industry
    Mr. Frank Finelli, Industry
    Moderator: Ms. Nicoletta Giordani, DSS

11:45 AM – 1:00 PM  Lunch
    Cafeteria/Local Area (pay as you go)

Agenda (PM)

1:00 PM – 2:15 PM  FSO and OD/PH Panel: GSC Cooperation, Best Practices and Challenges
    The Honorable Dean Popps, Industry
    Lt. Gen. William Donahue, USAF (Ret.), Industry
    Mr. Richard Ray, Industry
    Mr. Alexander Layser, DSS
    Mr. William Cooper, DSS
    Moderator: Ms. Allyson Renzella, DSS

2:00 PM – 3:00 PM  Supply Chain Threat Challenges
    Mr. William Stephens, DSS

3:00 PM – 3:15 PM  Break
    Refreshments in the lobby

3:15 PM – 3:45 PM  Insider Threat Best Practices Panel
    Mr. Phil Robinson, Industry
    Mr. Thomas Langer, Industry
    Mr. JC Dodson, Industry
    Mr. Booker Bland, DSS
    Mr. Keith Minard, DSS

3:45 PM – 4:15 PM  Addressing the Cyber Threat: An OD’s Perspective on What can be Done in the Board Room
    Mr. Robert Reynolds, Industry

4:15 PM – 4:30 PM  Summary/Closing
    Mr. James Kren, DSS Deputy Director

DSS in Transition

Mr. Daniel Payne, DSS Director


New DSS Methodology

Applied Case Study

Mr. Gus Greene, DSS

Mr. Andrew Winters, DSS

Mr. Brian Prioletti, Industry


New DSS Methodology

Sharpening OD/PH Roles Roundtable Discussion

Mr. Chris Griner, Industry

The Honorable Dov Zakheim, Industry

Ms. Giovanna Cinelli, Industry

Mr. David Langstaff, Industry

Mr. Frank Finelli, Industry

Moderator: Ms. Nicoletta Giordani, DSS

OD/PH Panel: GSC Cooperation, Best Practices and Challenges

The Honorable Dean Popps, Industry

Lt. Gen. William Donahue, USAF (Ret.), Industry

Mr. Richard Ray, Industry

Mr. Alex Layser, DSS

Mr. Will Cooper, DSS

Moderator: Ms. Allyson Renzella, DSS

Supply Chain Threat Challenges

Mr. William Stephens, DSS

We Are In A Fight

The Prize: Technology in the National Industrial Security Program

The Front Line: Your Firms

Disposition: Our adversaries have the initiative

Our Adversaries Have The Initiative

i.e., WE ARE LOSING!

What Can You Do?

• Know the threats and vulnerabilities reported by your firm, how they relate to the larger threat picture and ensure your firm moves to mitigate
• Your reporting has been stronger than ever, but…
• Embrace CI & Security as a Business Discriminator
• Best Practices
  • Ensure a skilled professional is leading your CI & Security effort
  • Have them report directly to the CEO
  • Commit to a robust insider threat capability
  • Commit to a continuous monitoring of your supply chain
    • Do you know…?

Questions?

Insider Threat Best Practices Panel

Mr. Phil Robinson, Industry

Mr. Thomas Langer, Industry

Mr. JC Dodson, Industry

Mr. Booker Bland, DSS

Mr. Keith Minard, DSS

Addressing the Cyber Threat: An OD’s Perspective on What can be Done in the Board Room

Mr. Robert Reynolds, Industry

Managing Company Cyber Security

Some thoughts

Threat, Vulnerability, Impact, Risk (TVIR)

• Threat to networks:
  • Nation-state driven (purchase criminal gang support)
  • Persistent, deep bench
  • But not unlimited (we all have budgets, need to show results)
  • So far, little in the way of sophisticated attacks (zero day; specific code)
  • Attacks based on simple techniques, hinging on our exploitable weaknesses for success
    • Phishing malware; weak or no passwords; vendor network access; connected home computers; company laptops overseas, etc.
• Vulnerabilities: see above

Threat, Vulnerability, Impact, Risk (Continued)

Impact

• To determine the level of protection needed, look at what there is to lose of value to customer, company
• Company proprietary data of great interest
• Company personnel info (SSN, level of clearance, wage garnishments, etc.)
• RFPs, Proposals on sensitive work
• What data would the customer hate to lose
• Ship drawings; communications frequencies, usage, etc.; ITAR; FOUO
• Risk: How weak are cyber protections against standard cyber techniques, and what is the impact of losing the data under company protection

Thanks, but I knew that… Now what?

• Steps the GSC, Board can take to reduce risk
• Company to complete risk assessment, assign a score
• Be prepared for “everything’s great”
• Focus only on protecting the border, or also on detecting and stopping intrusions?
• Probe risk score by:
  • Identifying the company in-house or external cyber expertise; how strong, how is it used? IA, patching, software upgrades, network analysis; employee training; penetration testing; data analytics
  • Reviewing policies/procedures on phishing, laptops; employee training
  • Comparing risk to resources expended
• Does company currently comply with DFAR, FAR, NIST requirements?

If risk viewed as too great, after review…

• Develop a plan to decrease risk, with a way to measure improvement, keep focus on issue
• Plan needs to include assumption that intruder gets in the network
• Detect, mitigate damage, remove from network
• Some thoughts follow on ideas to determine and reduce the risk, presented in order of increasing complexity, cost and resource needs

Additional questions to ask

• Is the company using at least 2-factor authentication and strong passwords?
• Consider removing unneeded data (closed contracts, ship drawings, ITAR, old government data, etc.) from the network to archives, thinning out what would be available to a cyber attack.
• Consider encrypting at rest the data on the network that is deemed sensitive to the company or the government customer. (Personnel information, major bid efforts, active ITAR, etc.)
• Consider changing file names on the network that help target information of interest to the hacker, who needs ways to identify info of value for exfiltration ("F-22" becomes "Project Blue")
  • Over the top: put in a host of encrypted useless files with very attractive names.
• Give discussion of network security a regularly scheduled timeslot at the quarterly GSC meeting.
• Does the company have or need a specific budget for network security?
• Do procedures exist to limit vendor and other outside access to the network, and to remove that access when no longer needed? Are vendors evaluated for their own robustness in cyber?

Additional questions to ask

• Does security training incorporate on a real-time basis actual phishing and other attacks on the network, to highlight the issue for the first line of defense: our employees?
• Is VPN required for all employees signing in remotely?
• What are company policies on traveling overseas with a company laptop? Encryption of data? One-time use of a laptop cleaned upon return?
• Does the threat/vulnerability of the network, combined with the sensitivity of client data, warrant a company CISO position?
• Does the company cyber protection plan only focus on preventing a breach (protecting the front door), or does it also include an approach to quickly detecting and blocking exfiltration of data?
• What devices are used for these purposes, and are they sufficient?
• Does the company periodically conduct an independent evaluation of the network, using outside experts?
• Is there sufficient risk to warrant the creation of a security operations center or network operations center, collecting real-time data on attacks, breaches, etc.? If the company has such, is there a clear and defined method to analyze the data and respond?

Summary/Closing

Mr. James Kren, DSS Deputy Director
