The Myth of Cloud Insecurity

October 31st, 2017 | Posted by Alexa Magdalenski in Capital Cybersecurity Summit | Cloud | Guest Blogs - (Comments Off)

Telos Corporation CEO and Chairman of the Board John Wood addresses cloud security in his new guest blog. Wood will be moderating the State of Cloud Security and Compliance panel at the Capital Cybersecurity Summit on Nov. 14-15 at The Ritz-Carlton, Tysons Corner.


It’s not exactly clear when the term “cloud” was first used to describe shared pools of configurable IT resources. However, it’s safe to say that it started creeping into our lexicon less than ten years ago.

Back then, the official definition of cloud was even less clear than it is today. Regardless of what the cloud actually was, this mysterious cloud entity was widely assumed to be unsafe.

That said, even from the beginning, I saw that the cloud offered many security advantages, especially to smaller companies that couldn’t afford to make infrastructure investments and hire many highly-skilled staff to manage complex IT systems in their own on-premises data centers. Still, doubts about cloud security swirled.

But in 2014, a crazy thing happened. Defying conventional wisdom, the CIA, arguably the most security conscious organization in the world, announced their plan to work with Amazon Web Services (AWS) to adopt commercial cloud services. Shortly thereafter, C2S was born.

Even though countless other agencies had already adopted the cloud by 2014, the CIA and C2S gave the cloud instant credibility. They made federal agencies and highly regulated commercial organizations realize that if cloud technology is good enough and secure enough for the CIA, then it must be secure enough for them. Granted, C2S is an isolated environment, but it was noteworthy that the CIA made the often-trumpeted “cloud first” policy a reality.

AWS recognized early on that security was important to ensure continued, widespread adoption of cloud services. For this purpose they introduced a shared responsibility model to help explain the security benefits you derive simply by hosting your workloads within AWS. Under this model, the customer is responsible for security in the cloud, and AWS is responsible for security of the cloud.

Not only does this shared responsibility model help address a number of security questions, especially in the areas of infrastructure and physical security, it also helps clients demonstrate compliance requirements more quickly and efficiently, because they can inherit results directly from AWS.

AWS certainly isn’t the only cloud service provider (CSP) in the game – Azure and Google also understand how important the message of cloud security and compliance is to drive further cloud adoption.

Despite all of this, organizations must understand the potential security pitfalls of cloud adoption. It’s essential to know where your cloud service provider’s responsibility stops and customer responsibility starts. There have been a number of recent breaches resulting from unsecured cloud-based database deployments. Customers need to understand, and take seriously, their responsibility for protecting their systems, their applications and their data.

The cloud has come a long way over the last ten years. Much progress has been made to enhance security and promote these security and compliance benefits. However, there is still work to be done to address lingering security concerns, questions and perceptions to help drive even broader adoption of cloud services.

If you’d like to hear what CSPs have to say about the myth of cloud insecurity, join me on Wednesday, November 15 at NVTC’s Capital Cybersecurity Summit. I will be moderating a panel that will discuss the current state of cloud security and compliance, featuring prominent voices from the big three cloud providers: Google, Microsoft and AWS. I hope to see you there!


National security is now the number one security concern for Americans, according to the recently-released global 2017 Unisys Security Index, replacing financial security as the top fear from the 2014 survey. Americans’ concerns about internet security, specifically viruses and hacking, rose most dramatically over the last three years, coming in as the number two security concern in this year’s index.

In a world more interconnected by technology than ever, the cyber threat landscape has never been more daunting. Alarmingly, one in three website visitors last year were attack bots and over 94 percent of 100,000 websites analyzed over a 90-day survey period experienced at least one bot attack, according to Imperva’s Bot Traffic Report 2016. Companies and agencies at the frontline of protecting the country and consumers from cyber-attack face countless challenges beyond the cybersecurity threats themselves.


NVTC 2017 Cybersecurity SitRep

NVTC’s newest infographic provides an updated look into NVTC members’ cybersecurity hiring and resource allocation trends while reiterating the key takeaway of last year’s cyber infographic: The human element exposes us to the greatest cyber risk, from cyber talent to employee training to insider threats.

Acquiring top cyber talent remains a priority to NVTC members, with 50 percent reporting they will hire cyber professionals over the next 12 months, a five percent decrease from last year. Employee training is the single greatest focus for our members with 50 percent reporting it as their greatest cyber resource allocation, while 42 percent are targeting a technical solution first. The human element – both human error and insider threats – was acknowledged as the greatest cyber threat facing the country today.

Cybersecurity Talent Gap Continues to Widen in 2017

Organizations are experiencing tremendous difficulties filling cybersecurity positions and retaining skilled talent in these positions. By 2022, it is predicted there will be a shortfall of 1.8 million cybersecurity professionals in the U.S. In Greater Washington alone, there are over 44,000 open cybersecurity positions.

The 50 percent of NVTC members reporting cyber hiring needs are in stiff competition to attract the cyber talent with the experience, skills and certifications they require to be competitive in today’s marketplace. Local tech employers are looking for creative ways to engage new talent pools to fill their cyber workforces, using models such as NVTC’s own Tech Talent Employer Collective, which uses the U.S. Chamber of Commerce Foundation’s Talent Pipeline Management methodology to put employers into the driver’s seat, setting the workforce development requirements around shared employer needs.

Cybersecurity Venture Funding In the Region Remains Steady

While it is unlikely we will again see cyber ventures play such an outsized role in venture funding as they did in 2015, when 46 percent of all funding went to cybersecurity services and products, a steady stream of cyber venture funding continues in Greater Washington, with $210 million collected in calendar year 2016 and $173.2 million from Q4 2016 through Q3 2017.

This support network, including incubators and innovators from MACH37 to In-Q-Tel to CYBERCOM at Ft. Meade, enables a community with innovation capacity and the agility to rapidly evolve to meet the ever-growing cyber threat.

Evolving Cyber Threat Vectors

Internet crimes reported to the FBI’s Internet Crime Complaint Center (IC3) in 2016 represented more than $1.3 billion in losses. Those nearly 300,000 reported crimes are only estimated to be 15 percent of all internet crimes that took place. This year’s numbers so far show that things continue to rise – distributed denial of service (DDoS) attacks alone showed a 380 percent increase in Q1 2017 over Q1 2016.

Even with the rise of more sophisticated bot attacks and ransomware, 63 percent of NVTC members rank the human element as the cyber threat requiring their greatest focus. A recent study on email threats estimates that one in four emails appearing to come from a dot-gov domain is a phishing attempt and three out of four organizations reported being the victim of a phishing attack in 2016.

The threat landscape seems even more ominous when you add in the increasing sophistication of the methods used in spear phishing, a more targeted attack that often spoofs more realistic identities known to the victim; the days of being asked to help move royal gold reserves out of Africa are being replaced by seemingly innocuous requests from “Randy in accounting” to take a look at an attached spreadsheet. Despite this increasing threat, progress is being made through awareness and training programs teaching how to stay secure and safe in the current environment, an approach being adopted by all industry sectors, not just IT.

Community Threats Need a Community Response

We are lucky to reside in the nation’s cyber capital, where the resources and environment support cyber innovation and where the nation’s most qualified cyber workforce lives and works. Perhaps Greater Washington’s biggest advantage in cybersecurity is the collaboration happening in the region. Each day stakeholders from the private, public, incubator and academic communities come together to work on the biggest cyber threats.

To deepen cyber collaboration in the region, NVTC will be hosting the second annual Capital Cybersecurity Summit on November 14-15, 2017 at The Ritz-Carlton, Tysons Corner. At the Summit, the nation’s cyber leaders will share their unique insights and best practices into topics such as attracting top cyber talent, cloud security, cyber risk management, strengthening cybersecurity through public-private partnerships and more. Attendees will have unmatched networking opportunities to discuss their latest innovations and the cyber challenges they face. Get the latest Summit agenda here.

View NVTC’s 2017 cybersecurity infographic at www.NVTC.org/2017CybersecurityInfographic


How will modernizing Virginia’s power grid be essential for a stronger, smarter and greener energy future? Virginia Secretary of Technology Karen Jackson and Dominion Energy Vice President Technical Solutions Kevin Curtis provide their expert insights on the topic in a new webinar sponsored by the NVTC Data Center and Cloud Infrastructure Committee. Get a recap below.


On October 25, NVTC members had the opportunity to participate in a webinar sponsored by NVTC’s Data Center and Cloud Infrastructure Committee where they heard from Virginia Secretary of Technology Karen Jackson and Dominion Energy Vice President Technical Solutions Kevin Curtis as they discussed the smart energy grid and steps needed to prepare for Virginia’s high-tech economy, future growth and business, and consumer expectations.

The webinar, which was moderated by RagingWire Data Centers Vice President Data Center Operations Phillip Sandino, focused on the changing expectations Virginia businesses and consumers have around energy and new infrastructure and the ongoing efforts to maintain reliability, address resiliency, protect physical and cybersecurity, and integrate more renewable resources.

The speakers discussed how modernizing the power grid will be essential for a stronger, smarter and greener energy future. Kevin Curtis shared Dominion Energy’s perspective on grid modernization and the need to integrate renewables and distributed energy resources, help customers optimize energy use and save money, improve resiliency and reliability, and strengthen physical and cybersecurity. He observed that Dominion Energy has significantly grown its renewable energy generation in Virginia, with solar in particular growing from 1.18 MW in operation at the beginning of 2015 to 744 MW in operation or under development as of August 2017, with plans to add at least 5,200 MW of solar over the next two decades.

Secretary Jackson discussed the reliance many new technologies and applications will have on the smart energy grid, including applications to support Internet of Things (IoT), smart cities, and autonomous vehicles. She observed that service demand patterns are changing from Virginia businesses and consumers with increased emphasis on higher capacity, increased reliability and more security for power and the grid. The session also featured Q&A between the webinar participants and presenters.

Replay the full webinar here or below:

View slides from the webinar or below:



Fortalice Solutions President and CEO and Dark Cubed Co-Founder Theresa Payton sheds light on the gender gap in cybersecurity and discusses ways to engage more women in cyber careers. Fortalice Solutions Chief Information Security Officer Ken Bailey will be speaking on the Life of a Hack: A Business Survival Guide panel at the second annual Capital Cybersecurity Summit on Nov. 14-15, 2017 in Tysons Corner.


What image flashes in your mind when you hear the word “cybersecurity?” Is it a room filled with happy, diverse, productive people making a difference in the world around them? Sadly no. More than likely, it’s a guy hunched over his computer wearing a dark hoodie with some ones and zeros floating above his head. Or maybe it’s a cold room in a basement filled with rows and rows of computer servers. If you’re a woman looking at the next 30-40 years of your life, would you pick a career that looks so ominous? Probably not.

Optics is one of the biggest hurdles we face as cybersecurity professionals and the hurdle is even greater for women in security. Generally speaking, women are more drawn to careers where they can use their intellectual, emotional and interpersonal skills and cybersecurity does a terrible job promoting itself in those areas. What if I told you that cyber can be an extremely emotionally charged field? Yes, it’s logical and yes, it’s technical – but the beauty is that we use those skills in conjunction with softer skills to truly help people.

In my daily life as CEO of Fortalice Solutions, I work directly with the government, corporations and people to protect what’s most important to them, including intellectual property, financial assets and healthcare information. And perhaps the most rewarding of all, I work frequently with law enforcement to use innovative technology to combat human trafficking and childhood sexual exploitation. We need to demystify cybersecurity and talk plainly about how our field helps people, in real tangible ways.

For example, I’ve often said that security is inherently flawed because it is not designed for the human psyche. Today security is not only an afterthought, security designs have zero empathy for the human. Do you know any non-technical professionals that profess a deep fondness for strong passwords? You don’t. Passwords are designed for the technology and we ask the human to conform. According to cybersecurity best practices, people will share and forget passwords and they will do unsafe things to get their jobs done, such as use free, unsecure Wi-Fi. Haven’t you? Women’s natural intuition and emotional intelligence to see themselves in someone else’s shoes is exactly what we need to combat this problem!

In order to be more inclusive of women in cybersecurity, at least three things need to happen.

First, hiring managers need to expand their criteria and qualifications. Many hiring managers are leaving women and minority candidates on the sidelines by chasing the same resumes, the same degrees and the same alphabet soup of certifications in future employees. While this might be one indicator of a successful hire it is not the only indicator. The best cybersecurity professionals are insatiable learners and highly skilled problem solvers who think about the user while never underestimating the adversary. Take a chance on a different degree and background and invest in cross training. Some of my best cybersecurity team members started out in a different field and are now some of the best, most well rounded cybersecurity professionals we have on the front lines of fighting cybercrime.

Second, an April 2013 survey of Women in Technology, found that 45% of respondents noted a “lack of female role models or [the encouragement to pursue a degree in a technology-related field].” It’s been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem – we don’t have enough women in cyber because there aren’t enough women role models in cyber. While connecting with other women has had its challenges, there are wonderful women in cyber today… look at KT McFarland, Deputy National Security Advisor and Ambassador to Singapore, and Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel. They are rock stars.

I’ve been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be greater than that of women starting their careers. This brings me to my third point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED talks, and even YouTube. You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack. There are some excellent security frameworks and guidance available for free online such as the NIST framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts. In this field, be a constant student of your profession.

It’s true there is a shortage of women in cybersecurity but there is not a lack of talented and strong women in this world. Cybersecurity requires a general shakeup and perhaps women are the ones to do it. I’m grateful that I can talk about my industry and I hope more women join this exciting field… and they can even wear their favorite hoodie.


Hear why modern-day supply chain risk management requires a new architectural paradigm shift in NVTC’s latest Capital Cybersecurity Summit guest blog by Strategic Cyber Ventures CEO Tom Kellermann. Kellermann will be moderating the What Keeps CISOs Up At Night? panel at the second annual Capital Cybersecurity Summit on Nov. 14-15.


2017 has been a reality check for corporations. The reality is that cyberspace has become a free-fire zone with a multiplicity of actors who are determined to wreak havoc. The dark side of globalization resides in cyberspace. Corporations are regularly under siege from a multiplicity of threat actors. The cyber arms bazaar that flourishes around the world has allowed criminals and nations to wage long-term campaigns against corporations and government agencies. These cybercriminals stalk businesses and consumers from the fog of the Dark Web. Evidence suggests that the Dark Web has become an economy of scale wherein the cyber-crime syndicates have begun to target the interdependencies of our networks. 2017 has ushered in a foreboding era of digital colonization of American cyberspace.

As the cybercriminal community burrows into our networks, we must appreciate that after the initial theft of data they tend to hibernate. This hibernation allows for secondary schemes of monetization. Some of these criminal endeavors include reverse business email compromise against your customers and/or selective watering hole attacks. Cybercriminals realize that there is implicit trust in your brand; trust that can and will be exploited. The modus operandi of cybercriminals has been modernized, and thus we should allow their offense to inform our defense.

In 2017, CSOs must enhance the scope and diligence of their supply chain security assessment. First, security strategies must encompass more than technology vendors. Law firms and marketing firms should be included in all annual security assessments. Second, any merger or acquisition must include a compromise assessment. Such a compromise assessment should include a penetration test from within your network to the outside world. Finally, service level agreements (SLAs) must be modernized to mitigate the cyber threats of 2017; therefore the rigor of the security controls required must encompass elements of intrusion suppression like the proactive use of deception grids and adaptive authentication.

Managing cyber exposures to your supply chain is a function of conducting business in 2017. Beyond mere compliance with existing standards corporations must protect their brand before it is hijacked. Supply chain risk management requires an architectural paradigm shift to intrusion suppression. Modernizing defense in depth will allow an organization to thwart the burgeoning digital invasion of their network. It is imperative that we reevaluate vendor relationships and institute increased safeguards and oversight as information supply chain risk is here to stay. Cybersecurity investment begets brand protection which in turn mitigates third-party risk. Those companies who embrace brand protection as a function of comparative advantage will be better prepared to combat the inevitable attacks that will occur, and will become the titans of industry.


Your company has just encountered a data breach. Now what? In NVTC’s guest blog, Veronica Jackson, associate at Miles & Stockbridge, provides immediate steps a company should take upon discovery of a data breach. Jackson will be participating on the Life of a Hack: A Business Survival Guide panel at the Capital Cybersecurity Summit on Nov. 14-15, 2017.


In the wake of the latest massive data breach, this one involving Equifax, more and more companies are likely wondering what they should do in the event that they are faced with a data breach that exposes the personal data of their employees or customers. Data security incidents involve complex legal issues that must be navigated carefully to reduce the risk of improper (or unnecessary) breach notification, attention from state and federal regulators, and potential class actions related to the exposure of personal information. There are several key steps a company should take upon discovery of a data breach. While these steps are numbered, many of them must happen both immediately and simultaneously.

First, immediately contact your company’s incident response team pursuant to your Written Information Security Plan (or “WISP”). Second, contact law enforcement and any relevant insurance carriers to assist with coverage of costs for the data breach response effort and to prevent waiver of potential coverage for tardy notice. Third, quickly assess the scope of the breach (i.e., whether the breach is ongoing, whether data was acquired or simply accessed by the hacker, who suffered a breach of their personal information, and what type of information was exposed). Fourth, stop the breach, if possible, through remedial data security measures, possibly with the assistance of a forensic IT consultant to bolster your company’s security systems.

Organizations that have already suffered from a breach especially must consider what additional safeguards (including employee training) should be implemented to avoid another breach in the future. Fifth, analyze data breach compliance requirements by identifying the jurisdictions of residence for the affected population and assessing what notification requirements are triggered by each applicable statute.

Data breach compliance requirements also may be triggered by the regulatory framework covering the type of information that was exposed (e.g., HITECH and HIPAA compliance for personal health information). For affected persons residing in Maryland, for example, notification is not required if, after an investigation, the entity determines that personal information has not been or is not likely to be misused (documentation of that conclusion, however, must be retained by the entity for three years). In instances where notification is required, even for just one Maryland resident, notice must first be sent to the Maryland Attorney General’s data breach notification department. In the District of Columbia, on the other hand, there is no “likely harm” exception to notification, and notice to the Attorney General is not required. In instances where 1,000 or more residents are receiving notice at a single time, both Maryland and the District of Columbia require that notice be sent to all nationwide consumer reporting agencies regarding the timing, distribution and content of the notices.

Finally, prepare a data breach response plan that attempts to mitigate potential harm to the affected population and complies with applicable data breach statutes and regulations. Since the Supreme Court’s decision in Spokeo v. Robins attempted (but failed) to clarify the legal standard for what constitutes sufficient harm to a person affected in a data breach for legal standing purposes, a Circuit split has emerged. Because it remains unclear what level of risk of future harm or actual harm is required (short of actual identity theft), efforts to minimize the risk of identity theft and other subsequent harm, as well as providing free preventative services to affected people, are valuable tools that may provide a defense against subsequent litigation stemming from the data breach. Many organizations elect to provide an affected population with identity theft prevention services that monitor their credit and also aid them in any credit repair efforts they may need should they fall victim to identity theft. Many state attorneys general also look at whether an organization is providing such services to its residents when reviewing data breach response notifications.

This blog was written by Veronica Jackson at Miles & Stockbridge.


Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


On Sept. 27, the NVTC Tech Innovations Committee and the Embassy of Canada hosted an exciting evening which featured an engaging panel discussion on the latest tech platforms and what their future may look like. Attendees also enjoyed top networking in a beautiful setting at the Embassy after the panel.

Panelists included:

  • Carol Brock, Global Public Sector Strategist, OpenText
  • Juliane Gallina, Partner and Director, U.S. Federal Solutions, IBM Federal
  • Ashish Jaiman, Director, Civic Tech and Services, and AI Evangelist, Microsoft

GeoPay CEO and Tech Innovations Committee Chair Darren Feeley moderated the panel.


Thank you to the following event sponsors!

Location & Supporting Sponsor: Embassy of Canada
Networking Sponsor: Drinker Biddle & Reath LLP
Hospitality Sponsor: Verizon
Supporting Sponsors: Blackstone Counsel; Fairfax County EDA


Is your organization an NVTC member company dedicated to hiring and developing Veterans? If so, you’ll want to read on!

The NVTC Foundation and the NVTC Veterans Employment Initiative (VEI) are seeking nominations for its second annual VEI Veteran Service Award, which honors an NVTC member company that has demonstrated a superlative level of engagement with the VEI and support of the Veteran and military community.

The award will recognize an NVTC company that goes the extra mile to hire transitioning military members, Veterans and their spouses into their corporate workforce. The most qualified nominations will come from companies that have not only hired Veterans, but also actively participate in the programs and services of the VEI and other Veteran-focused philanthropic and volunteer endeavours.

Submit a nomination for the VEI Veteran Service Award by November 3! The VEI Veteran Service Award will be presented at NVTC’s annual TechCelebration Banquet on December 11 at The Ritz-Carlton, Tysons Corner.

For questions regarding the award, please contact VEI Executive Director Steve Jordon at 703-268-5145 or by email.

Congratulations to the MITRE Corporation, winner of the inaugural 2016 VEI Veteran Service Award!

