
Okay, so, welcome. Good afternoon. Welcome to BSides Las Vegas. This is the I Am The Cavalry room. This talk is Target Rich, Cyber Poor, with Tom Millar and Don Benack. I have some housekeeping issues I want to go over really quickly. First, we want to thank our sponsors, especially the diamond sponsors, LastPass and Palo Alto Networks, and our gold sponsors, Amazon, Intel and Google, for their support, along with all of our other sponsors, donors and volunteers that make this event possible.

Cell phones: as we all know, please silence your cell phone so it's not disruptive to the presentation. These talks will be live streamed and recorded for YouTube, so please make sure you silence your cell phones. The mics: we are live streaming and recording, so at the point where there may be questions we would ask people to use the mic, which we can hand around. Also, speak into the mic; you might have to pull it close to you. Let's see, photo policy: I just want to remind everybody that BSides has a photo policy that strictly prohibits taking photos of anybody if you do not have their express permission to be in that photo. So if you're unsure about who is in your photo frame, please do not take that picture. These talks will be recorded and streamed, so if you want to recall information later you'll have the opportunity to do so. Masks: please keep your masks on at all times. Great, and with that I will turn it over to Josh Corman, who's going to say a couple of words, and then we'll kick it off.

Hello. Earlier I asked you guys all to applaud for a bunch of volunteers that tried to make the world a safer place during the pandemic. Two of the career civil servants that do it every day, not just as visiting people for a year or two, are going to be joining us on stage today: Tom Millar and Don Benack, great friends of the Cavalry movement before the pandemic and hopefully still after, and maybe now even members. But what I want to do is bridge that really bad news session that you were in, where stuff's on fire. We want to give you a tour de force through many of the existence proofs, because now people know these things are flammable. It's on John Oliver, you know, on HBO. My neighbors are now asking me about these attacks. But the really sobering and overwhelming part, including the public-private partnership with government agencies like CISA, is that the overwhelming majority of these targets are below the security poverty line. They're the target rich, cyber poor. So a lot of the platitudes and advice in these cyber security frameworks we give them are foreign to them. Eighty-five percent of the hospitals have a single security person, and if you listen to Michelle Hulko about our ball bearings, the most strategic weak link in the whole supply chain for most of our species had two IT people, no security talent, and at any minute could have had a denial of service attack that would have killed another couple hundred thousand Americans. So we tried to get CISA out of their comfort zone. We came up with a suite of pragmatic security suites. They're here to review this. Part of this is to educate you, but part of this is to ask and inspire you: what else can we do to meet people where they are when they have no
talent, no experience, but cyber-physical consequences that affect Maslow's hierarchy? So they have a short amount of time to show what they've been starting and what they've been doing that you can advocate for, but also try to take this as an inspiration of what more the Cavalry could do to help them help the cyber poor. Thanks.

All right, y'all hear me? Move this a little closer. Okay. So, yeah, I told Josh I would start off with a joke that he might enjoy. This joke does not represent the position of my agency or any other employer, although I can't remember an employer before this one; I've been at CISA way too long. So I was on Signal with Santa Claus the other night. I considered, you know, it's always good if you have a good idea to just go ahead and Signal Santa Claus, and maybe you'll get it for Christmas. And I asked him for a unicorn. He said, "I'm sorry, kiddo, we can't do that." So I asked him, I said, I would like the interagency to work together seamlessly to solve the cyber security crisis in American critical infrastructure. And he responded a few minutes later with, "What color unicorn would you like?" And it's a joke that works for everything, right? You can just put whatever in the middle and it works. So, always open with the joke and forget what the rest of your agenda was.

What we're going to do here: we're going to talk a little bit about how we knew how bad things were before the pandemic even started, give you a little bit of insight. Actually, I think these are 2019, so this is right after sort of the birth of CISA as an agency. These are results from 2019 vulnerability assessments that we performed at no cost for critical infrastructure organizations all across the country, including state, local, territorial, tribal and municipal governments. And we lined up all the different ways we knew how to... you know, without fail, when we do these assessments we find a way in, and without fail it's the same stuff over and over and over again. So we created this infographic, which I will now read every word of, to explain sort of what our findings were and how they were mapped to MITRE ATT&CK. This is obviously TLP:CLEAR, and you can now get it for free from somewhere on the CISA website. I'll hand you a business card and find it for you later; I'm not exactly sure what the search term is. But here are some links to also get you started.

By the way, we had the joke earlier, the classic Ronald Reagan line of "I'm from the government and I'm here to help," and why those are terrifying words. I want to tweak that: it's "from the government, help yourself," because that's what this is. I mean, when people ask me about our services, our resources and the tools that CISA offers to help critical infrastructure, but really anybody, because guess what, if you are an SMB in the United States you are probably involved in some delivery of a national critical function. This has generally been my understanding of things, the more and more I've learned about how our economy works and how our way of life is thought of. And so these are great places to start looking at exactly what we've made available. When people ask me about them, and they ask, "Oh, are these available? What's the cost?", I'm like, guess what, you already paid for it. Thank you for your contribution to the United States Treasury. So, yeah, these are great links to just get you started.

Now what I'm going to do is give you an example of the spiel I've been using specifically to cover down on health care delivery organizations. And I know, a spiel, like, what is he doing up there? You're not supposed to do this at these types of things. But I do want to talk about these, because of all the problems we've been talking about today, these are the ways we're trying to approach that and tackle it at scale, in a scalable fashion. One of the big challenges we've discovered is that the stuff that sort of scaled when we were focused primarily on the federal constituency, that's the federal civilian executive branch, which for a long time was sort of our core audience for a lot of stuff we did: when we expand that to critical infrastructure and we start talking about numbers in the mid-four figures just for hospitals and hospital networks alone, and then we look at all the other critical infrastructure sectors, those approaches that work for 125 agencies across the government don't work at that scale, obviously.

So let's talk about... did I move back? Okay, all right. Okay, I have to be like a podcaster, don't I? Okay. Nobody can see my face on the camera, but they can hear me, so that's fine. I asked for a pop star mic and they didn't have one. So, our cyber hygiene services. You know what, I'm not going to read this whole thing, because I know this by memory, and I hate when people read slides to other people; it's the worst. But let me start with the simplest
thing that you can probably take advantage of right now, that I think is a tremendous value that CISA offers, and it's not on the slide: the Known Exploited Vulnerabilities catalog. Who here has already heard of the KEV catalog? That's outstanding. Okay, do you know where to go to get updates whenever we put new stuff in the KEV catalog? All right, that is the National Cyber Awareness System. So, granted, you will probably get a slight uptick in email volume when you sign up for the National Cyber Awareness System, but I tell you, it's absolutely worth the bother. I personally... I mean, I work for CISA; I still subscribe to NCAS, as we call it, at my personal account, just so I know when, for example, there are new Apple iOS updates that I really need to tell my family about, anything like that. And also, whenever the KEV catalog gets updated, it comes out and is announced on the National Cyber Awareness System. It's really easy to sign up for. The only thing that I think is perhaps a possible UX design challenge is, if you go look for the National Cyber Awareness System on the cisa.gov site, you'll find the page that describes all the things that it can do for you, and at the bottom of the page is where you sign up to subscribe, which, I'm like, I might have put that on the top. But anyway, a little editorializing for everybody who's watching this from my own agency and wondering how we can improve the web page.

There's also a free, open source tool to do your own self-assessments, which I don't think a lot of people know about. I mean, we're pretty proud of our download numbers, but at the same time, again, when I look at the scale of what critical infrastructure is and the number of people we could be reaching, I wonder if we're not hitting the target: the Cyber Security Evaluation Tool, or CSET. If you've got the time to go online and do one of those goofy personality quizzes, you've got the time to go download CSET. It's on GitHub; CISA's own GitHub site has CSET on there. It's a standalone application; you run it. And here's the best part for a lot of folks: we don't see any of that data unless you make it available to us. You can keep the data on your own, do your assessment; we don't have to learn anything from it per se. We'd like to, but it's your information. And it gives you sort of pathways to improving your cyber security posture. It also has modules for all sorts of different standards, and it has a ransomware readiness assessment. Any of this stuff that you can use to support your customers, or whoever, you know, if you volunteer for someone like the organizations we've been talking about today, any of that, I think, is possibly an appropriate application of this tool.

There's also... I'm going to let Don cover this in greater detail. We have representatives. We're not just a Washington, DC agency; we have representatives in all 50 states and six territories, covering the entire United States. We have a cyber security advisor in Alaska, so we've got it covered down. And I think we are up to, specifically the state cyber security advisors, the last time I checked we had 40 out of 50 hired, and that was progressing very well for us. So those are where you can get a lot of other different types of assessments, from people who actually will come and visit you in your own operating environment.

And, did I do it again? Oh, 10 minutes. Okay, and I really wanted to have a discussion. So here's some stuff: cyber hygiene services. One thing real quick: these are no-cost assessment services. They are utilized by... there are a variety of things; I will let you look it up in your own time. A bunch of this stuff, I just want to encourage you to take a look at cisa.gov, search around for some of these key terms, and find out what the services are and if they're a good fit. And, yeah, the cyber hygiene services are a great way to start. If you know an organization, for example, that has an asset management problem, they just don't even know what they have, using cyber hygiene services is a great way to get started, just like finding out at least what's the internet-facing stuff, along with the Stuff Off Search toolkit, which gives you a way to find the things that were already on Censys and Shodan that maybe you didn't know were internet facing and discoverable. And that gives you a great start, I believe, in at least solving part of the asset management challenge we know so many of these organizations are facing.

With that, I want to turn it over to more of a discussion, and a little bit of Q&A, but mostly I would love to hear your ideas for what else we could be doing, especially to help SMBs and the critical national infrastructure that you all have experience with, and also let Don talk for a minute. A minute? That's outstanding.

Closer? Okay. So I've spent the last 15 years in government developing services to help organizations manage their risk,
from the cyber hygiene suite, which is ostensibly focused on attack surface management, identification of exposed web applications, system vulnerabilities, pen testing services being available to all. And the real question is, what do we do next? Because we have things that worked great federally, and they were kind of bespoke, kind of like Bentleys. We had some services that are kind of like bicycles; they were great for the masses. So on that spectrum of bikes to Bentleys, where, you know, we can use the bikes and they should be public goods, what can I do to help, or what can we do to help develop services that the field forces can deliver, that CISA can deliver from headquarters, that help the masses understand the scope, the magnitude of the risk? What's missing from our current suite of cyber hygiene services? And then, for the more bespoke sets, where we operationally engage with known nodes, vital junctures around critical infrastructure, what are kind of the more bespoke services that would help when there's our eye on that? And that's two different muscle movements: one available to the masses, one available to a smaller set of very focused, important organizations. And I'm looking for ideas from you. What could we do that we're not doing? I don't want to just tell you my ideas; I just want to listen to yours. So that was why I tried to stay silent for a change. Anybody who's ever done a meeting with me knows I talk too much.

So a third muscle movement is also the tide that lifts all ships option, and that's... my friend Allen is wearing the shirt representative of his major effort in that realm, the software bill of materials. Yay. And I want to bring up, like, an example of the bad practices, because I know Josh is probably going to have words with me if I don't bring up the bad practices. There's only three bad practices that we published on the CISA website. They're really simple, and I think they're non-controversial, until I talk to somebody who actually works in healthcare. But the first one is: don't use end-of-life, don't use unsupported stuff. The second one is: don't use stuff with known default, fixed passwords. And the third one is: don't use single-factor authentication for remote or administrative access. And again, all of these are non-controversial, right? But we provided them to give people ammunition to start winning arguments. It's like, hey, these are the CISA bad practices; we shouldn't be doing this. And the bad practices were always supposed to be a living document. They were always supposed to provide, you know, a dialogue space where we could talk to experts like yourselves: what else should be in that list of bad practices, or what else should we be looking out for? Again, another place where your ideas would be absolutely welcome. We also find those on our GitHub site. We'd love... public, actual Q&A time. Sorry. You're fine.
Well, it would be nice to have something like your cyber resilience graphic novel series. I'd love to see something that's effectively like Captain Planet, right? Like, that made environmental awareness a huge thing for me when I was a kid. It'd be nice if we had something that taught children about cyber security, MDM, like, something that made it more accessible, entertaining. That would be really nice. The second thing is, maybe impossible, but a tiger team of sorts. I forget which presenter was talking about it, maybe it was Bryce, how the entities that are large enough to ask for your services are not necessarily the ones that need them, right? The small entities don't have cyber security. They might have IT people, so they really need someone who's a sysadmin, net admin, Exchange admin, someone who knows security practices, to come in, assess their environment and clean things up, because they don't have the ability to even do that.

I like both those ideas, and we have a number of staff in the field. Again, I'm looking for ideas for the field forces, so this is great. There's actually over 130 of them, and I think another 40 or 50 that we're hiring. So we have a lot of regional forces spread across all 50 states, and, you know, right now it's green; it's a blank slate. Sky's the limit on what we can do and think about doing with them.
Thank you, gentlemen. Thank you for having this open forum. I work specifically with a lot of SMBs in digital forensics and incident response. Uniformly, small and medium enterprises, non-technical decision makers, think that information security is an IT problem, and they look to their IT people, who may be great at setting up printers or putting workstations together, you know, the break/fix IT outsource people, and then information security and incident response gets dumped on them, and they are out of their element. And broadening the understanding among SMBs that information security and incident response are different disciplines than their IT guy: they don't know that at all.

To follow on that, it seems like resources that help educate these SMB executives that it's a risk management decision and assessment for operating their business: it affects the bottom line, it affects the future viability of the business. And just keep bringing it to them, so maybe a quarterly report that says, hey, here's what went on last quarter, in the language of SMBs, speaking to the concerns that really hit them, and here's some free resources for understanding risk management, or some really easy-to-use online tools to get started with this risk management, because they're not trained in that. They don't really know how to run it, but it's got to be good if they had some resources to help them grow there.

Yeah, and I think you're going to see a lot over the next year from CISA, if I'm successful and others are, engaging at the C-suite and above, so board members, CEOs, CIOs, CFOs. We want to change it from a narrative around information security, cyber security, into business continuity, business resilience. So we'll be doing a lot there. That's not going to help with direct services to help the cyber poor, but it's going to help get, I think, the right buy-in.

Yep. So I'm 100% going to echo what this gentleman just said. Your target audience, it sounds like, needs to come from the top down as well as the bottom up. I think the bottom up gets it; the top down doesn't necessarily understand all the complexities. So if there's... it's always going to sound really bad, dumbing it down to the level that somebody can look at and go, "I don't get the technical, but I now have a better understanding of the risk, the money, and I have a better understanding of what the environment looks like." They speak a different language.

Well, and I think there's a thread I want to pull on between what you said and what you brought up as well. I think one problem is that at some point, you know, there was a time when IT was a way to be competitive: you would invest in IT, and that would make you more competitive than the guy down the street. Then at some point in our history it became purely a cost center in the way that they look at it, and that means, you know, all these investments we're talking about and risk management get lost, because we're not having that conversation. We're just talking about it as a cost center, and all these problems are IT related, therefore... you get the picture. And we need to have, you know, like, no, this is basically just like insurance or anything else, where you would invest to make sure that your business stays
afloat down the line.

So you've mentioned that you have a variety of different services that are available, and, you know, once again, organizations can go ahead and run them locally, choose to either share or not share the results. Question for you: your first slide that you had when we all came in here essentially had your common vulnerabilities and the MITRE ATT&CK framework. Have you looked at potentially going ahead and building essentially an integration between that and your various different services, so that, you know, if you're supporting a Joe Blow IT-focused CISO who really, you know, is focused on compliance whack-a-mole and that's about it when it comes down to it, you can go ahead and have one of these services run and then put it into that framework to go ahead and basically benchmark that organization's capabilities against various different threat actors, so that you can profile this, right? Because a threat profile to a small business that's doing software development versus a healthcare business versus a FedCiv organization: they have very different threat profiles. And in the grand scheme of things, you know, it's part of an education factor for the senior decision makers to actually understand what's important and, you know, what are their crown jewels, and ultimately what could be the actual impacts if they had a breach, or if they actually found out they had a breach.

So, yes, we're definitely headed in that direction. I will spill a little bit of tea and reveal that one of the challenges is Conway's law related. The people that are, like, super good at understanding and doing the threat stuff are not in the same org chart bubble as me and Allen, for example. So it's like the proactive, preventative-focused folks are not always having the most... we could be having more conversations with all of our threat folks, and that's probably true almost everywhere.

I think that there's not a hammer, right? Like, I worked for the state, the great state, and there was a hammer there with the State Auditor's Office; there was a hammer there with the Legislative Budget Board. I think with the municipalities and the SMBs, unless you tie it to money... and we gave a ton of money out during the pandemic. Like, I almost felt like there should be a bar before more free stuff's given, because otherwise they just take it and they don't do anything with it, if that makes any sense.

And lastly, Will Hurd was the only congressman that I know that would come out and talk about cyber security, and he left because of his issues with the former president. There's nobody there now that I know of, right? And even at the state level there's, like, one guy, and he admittedly says, "The only reason I'm the cyber security guy is because I worked at RadioShack in the '80s," right? Who are our elected officials that we could, you know, lobby, if you will, by writing to them and getting more involved?

Okay, I think we are out of formal time, but because we have a break, please keep this conversation going. And while they can't speak on behalf of their agency about legislation and whatnot, I can tell you that I've been telling the Senate that these freely available services should probably be on the short list, that if you want to claim safe harbor you probably should have been doing these things. So you could do the similar thing. So please help them, please advocate. And the last one, all nudged, and someone brought it up: very few people know about these free services. So I would encourage a budget for adoption and awareness that is sector specific to these target rich, cyber poor across the 16 critical infrastructure sectors. Just remember, they're not free; they are no cost, prepaid.
So when I hear safe harbor, it harkens back to the PCI DSS days, where they came in and said, hey, you know, you don't have to comply, but if something happens you're completely out of luck. And so complying brought you some of that peace of mind. Which brings me to my next question: has thought been put into play regarding creation or expansion of business cases that can be handed to the IT department, who's going, "I don't know this stuff, and I know I don't know, so let me take this and I can pass this up; I don't have to develop it"? I mean, we see it for conferences, where a conference says, here's your business case for you; you only have to create it, hand it to your boss and say, where's my money to go learn, which gives me this value. If the fed gov provided something like that, it empowers those individuals that know they don't know, which is the first step, and to be able to not have to spend their valuable time trying to figure out how to write this proposal in such a way that an executive might be interested. And then doing it at some level of a cyber security maturity model, I mean, it's a little advanced, but saying, like, hey, you know, mom-and-pop SMB versus next, you know, one, two, three, four; you know, by the time you get to four, I don't need it. But just a thought.

Yeah, I really like this idea. It kind of takes and turns the bad practices on their head. The bad practices are ammunition to start having difficult conversations about, let's get all of you, like, we've got to figure out how we're going to plan to rip and replace the end-of-life stuff, for one example. But to provide that more detailed business case, then, rather than just being able to point to a page and say it's on the bad practices list, we could say, and here's the document, you know, more or less the boilerplate language to carry that forward.

And one of the accompanying documents to the bad practices, which preceded the bad practices, is the CISA Cyber Essentials. And the Cyber Essentials, the genesis for them, came from multiple years. We looked across five years of data: every incident reported to US-CERT, to the NCCIC, to DHS over five years; every assessment we did over five years, which was thousands, we do about 500 a year; every bit of data we had from our public cyber hygiene services, which is about 4,000 customers getting continuous, ongoing attack surface management type services. Looking across all that data, doing reverse mapping of root causes, what was successful, what was the root cause of incidents, what was always successful for the assessment teams, mapping that to the MITRE ATT&CK framework, then looking for corresponding controls and percolating out kind of a heat map of the top Cyber Essential controls that would mitigate most of that risk: that's what's embodied in the Cyber Essentials. So when you're buying into those, when we say at CISA these are the essential practices, and it's only about 10 to 15, I can't remember. We did it in response to ransomware, so it started a couple years ago. Turns out, the general case for ransomware, there was one additional capability to make it general to everything that wasn't ransomware as well. So ransomware, an attack is an attack at this point, and those practices embody the most important things you can do cost effectively to buy down risk. There's a couple "do immediately, run, don't stop, do not pass Go, collect $200" type things, and that's, you know, protective DNS, multi-factor authentication, turn on auto updates. So there are a couple really simple things you can do as an organization that buy down a tremendous amount of risk. And continuous backups to cloud, you know, with rollback capability.

All right, to build on this one: this is an area where there will be constraints on what federal employees can say, especially when it's not a regulator of these sectors, and that has to fight Conway's law and other turf
wars with, like, Health and Human Services, or EPA, the Environmental Protection Agency, for water. So there's going to be some turf wars that, you know, our team focuses on the outcome of the mission instead of the org chart, but the natural muscle memory is going to be a little more territorial. So this is an area I think perhaps the Cavalry could do in the next phase, which is: could we start to write fit-for-purpose, sector-specific advice that isn't just "here's bad practices" across these sectors, but, yeah, you've got a bunch of unsupported and end-of-life devices in medical, and we know you can't replace them all; what do we do about it? Can we have a five-year plan, ten-year plan, prioritized list of how to identify and buy down risk for the most egregious ones, and even facilitate roundtables and critical conversations, maybe capture those, and then maybe have a document of "these are the things you're going to encounter when you try to do it; we've encountered them already; here's how we've overcome them." So I think there's going to be a certain amount we can ask of CISA, and we want to push them, and we want to push their sibling agencies to embrace them, and there's going to be a line they can't cross. And perhaps we could take it a little further if we get creative, and there's people in this room that work in each of those critical infrastructure sectors who might be able to take the pen and start drafting: here's the top three things wastewater should understand; here's the top three things hospitals should understand; here's the top three things... And as long as we keep knocking those lists down, we might actually get movement.

So there's a need for the smaller businesses to get help, right? And then there's a workforce problem, where the running joke is an entry-level job needs 20 years of prior experience, CISSP and about 40 certificates, right? So is there an appetite to build, like, a dating app, where, like, hey, these people need your services, and then, like, a volunteer corps, where, like, hey, look, I'm trying to get into it, or I have some free cycles, I'd be willing to help out, and do some matching there? Something like the Civil Air Patrol or Coast Guard Auxiliary, right?

It gets a little tricky for us to do something quite that specific: government endorsement and other legalities that we just can't cross into. But I think, I don't know, it's a big policy question. I would say right now there are interesting conversations that I think are being had around the idea of a civil cyber defense force. Thank you, because I read Lawfare, right? So, but there is the Joint Cyber Defense Collaborative that we're standing up, with a partnership with industry. There are shared services we're standing up to provide opportunities for at least government, state, local, tribal and federal, to buy shared services. I don't know to what extent we'll be able to one day offer that to critical infrastructure or not. But there's also a big narrative for small and medium businesses. You know, 99% of businesses in the US are small and medium, and the reality is, and this is kind of one of the ransomware talking points, if you're not resourced, maybe you shouldn't try to do it yourself, right? There's a push for "buy the commodity," because you can't compete with the budgets that federal agencies have, or the Fortune 500 have, or even the Fortune 1000. If you're small, your best bet may be to just outsource as much of this as you can to someone that is resourced to do it. And then at the CISA level it becomes more scalable for us to pitch in, because instead of targeting the storefront and trying to deliver services to all the storefronts out there, we go one level upstream to the service providers and make sure the service providers are squared away. This is kind of an epiphany I had dealing with HDOs. I was like, there's 6,000 of these; how am I going to reach them and let them know about all the stuff that I want to give them at no cost? And then I realized, you know, for some of these things, like electronic health record providers, there's really only two. So we go make sure they're squared away, and we've actually made a big difference in the real attack surface.

So the one idea that I had, responsive to your question, is, and maybe this is where we have an interdepartmental discussion of NIST and CISA, and using the NICE platform in education regarding cyber security, to try to work a whole-of-government approach for workforce development, and that, and smaller... not everything should be in the silo. We should try to figure out how to not be so siloed.

That gives me an opportunity to pitch my favorite program in the entire federal government, which is not really... which is kind of a CISA thing, but it's really a DHS, NSA, NIST and OPM thing, and NSF. So it's actually an interagency thing that's really working out. It's called Scholarship for Service. And if you've never heard of that, go to sfs.opm.gov, and share that with anybody who is entering or possibly considering a change of careers, or entering college for the first time, or trying to get a graduate degree and wants somebody to help pay for it. Basically what it is: we can put money down; we will put up, I think, up to two years' worth, meaning the individual, upon graduation and achieving satisfactory... all the things, will come and be eligible to get a fast track to a federal hire, for two years work as a federal employee, and then they are free to do whatever they need to do. But it's a great program, not only for bringing talent for us, which is where, you know, my altruism ends. You know, whatever; I just want smart, young... smart, hungry people. I shouldn't say young; it's all kinds of walks of life and ages. But SFS is not only good for that, but it also provides a great stream of people who are done with their federal time and leave to go and be amazing and great at their work wherever they go in the field. But, yeah, I love Scholarship for Service. It's awesome.