Cybersecurity Leader of the Week, Chuck Brooks, General Dynamics Mission Systems
Chuck Brooks is the Principal Market Growth Strategist – Cybersecurity and Emerging Technologies for General Dynamics Mission Systems. Chuck is also an Adjunct Faculty member at Georgetown University in their Applied Intelligence Program. LinkedIn named Chuck “a Top Tech Person To Follow,” and he has been widely published on cybersecurity and emerging technology topics in FORBES, Huffington Post, InformationWeek, MIT Sloan Blog, Computerworld, Federal Times, Homeland Security Today (Visiting Editor), and many other publications. Chuck helped “stand up” the Office of Legislative Affairs at the US Department of Homeland Security and served as the first Director of Legislative Affairs at the DHS Science & Technology Directorate. He has an MA in International Relations from the University of Chicago and a BA in Political Science from DePauw University.
Are There Any Common Traits to What Makes a Successful Security Program? For Example, Incorporating the Three-Pronged Approach of People, Processes and Technology?
A security strategy to meet these growing cyber-threat challenges needs to be both comprehensive and adaptive. It involves people, processes, and technologies. Defined by the most basic elements in informed risk management, cybersecurity is composed of:
- Layered vigilance (intelligence, surveillance);
- Readiness (operational capabilities, visual command center, interdiction technologies);
- Resilience (coordinated response, mitigation and recovery).
The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency. These guidelines are represented in the U.S. government’s National Institute of Standards and Technology (NIST) mantra for industry: “Identify, Protect, Detect, Respond, Recover”.
Specifically, there are a variety of steps involving people, processes, and technologies that can make a security program successful. Recently, the #CyberAvengers, a not-for-profit organization (of which I am a member along with cyber experts Paul Ferrillo, Kenneth Holley, George Platsis, Shawn Tuma, George Thomas, and Christophe Veltsos), published a basic cyber-hygiene formula that provides a good nine-point checklist for cyber protection that any company can follow:
1) Update and patch your networks, operating system and devices promptly. “Critical” is “critical” for a reason. Do it within 72 hours of release.
2) Train your employees on how to detect spear and whale-phishing attempts and what best social media practices are. Quarterly training can reduce the risk by up to 90 percent in most cases.
3) Use multifactor authentication. We have effectively reached the age of password uselessness due to our poor habits. Passwords slow down bad guys who do not know what they are doing. Biometric solutions are great, but proceed with caution if you go this route because you now have data management and privacy concerns that must be addressed.
4) Back up regularly (daily if feasible). Where possible, use the “1, 2, 3” backup rule: 1. a segmented backup on-site; 2. one off-site; and 3. one in the cloud. No need to pay the ransom if you have a clean backup ready to be uploaded to your system.
5) Be cautious with older systems. Yes, older systems can be repaired. However, the upfront capital cost is not always affordable. The critical issue arises when support (patches) for these systems stops. If these systems are past their “patch life” they become tempting targets for hackers.
6) Follow-on to the last point, sometimes the best answer is the cloud. Cloud service providers have state of the art hardware and software and cloud migrations have become easier, especially over the last two years. The cloud is not a savior—it comes with other issues, such as needing to learn what your obligations and responsibilities are, ensuring you have robust agreements with your vendors, and knowing what third-party sources will have access to your information.
7) Know how your intrusion detection and prevention system works. Is it signature-based? Perhaps it is behavioral-based? Maybe it is both? New cyber threats require new tools. This is where machine learning, cognitive computing, AI, automation, and orchestration all come into play (but only when done in tandem with all other techniques discussed here). Internet data traffic has reached the stage where humans aren’t able to do this on their own.
8) Consider a Managed Service Provider (MSP) or a Managed Security Service Provider (MSSP). Cybersecurity is not everybody’s strength, but one ransomware attack could be crushing. There are options out there to help you. Sure, it costs money, but you are buying peace of mind. Do your homework and find the right solution for you.
9) Do you drive your car without insurance? Cyber insurance is not mandatory yet, but it may be in the future. Chances are if you are doing a lot of what is suggested here, premium payments will be at the lower end.
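Point 1 above sets a concrete service-level target: critical patches applied within 72 hours of release. The following is an added example, not code from the interview or from the #CyberAvengers checklist, showing how that target can be checked mechanically against a patch inventory. The inventory records, their `EXAMPLE-` identifiers and the timestamps are all constructed for illustration; a real deployment would feed the function from a vulnerability scanner or configuration-management export instead.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample patch inventory (not real advisories). Each record holds the
# patch identifier, vendor severity, the vendor release time and the time the patch
# was applied on the estate, or None if it is still pending.
SAMPLE_INVENTORY = [
    {"id": "EXAMPLE-0001", "severity": "critical",
     "released": "2018-03-01T10:00:00Z", "applied": "2018-03-02T09:00:00Z"},
    {"id": "EXAMPLE-0002", "severity": "critical",
     "released": "2018-03-01T10:00:00Z", "applied": None},
    {"id": "EXAMPLE-0003", "severity": "critical",
     "released": "2018-03-05T08:00:00Z", "applied": "2018-03-09T08:00:00Z"},
    {"id": "EXAMPLE-0004", "severity": "important",
     "released": "2018-02-01T00:00:00Z", "applied": None},
    {"id": "EXAMPLE-0005", "severity": "critical",
     "released": "2018-03-06T12:00:00Z", "applied": None},
]

# The 72-hour window from the checklist; applied to "critical" patches only.
CRITICAL_SLA = timedelta(hours=72)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(record, now, sla=CRITICAL_SLA):
    """Return one of: compliant, overdue, pending, out_of_scope.

    - compliant:    critical patch applied within the SLA window
    - overdue:      critical patch applied late, or still pending past the deadline
    - pending:      critical patch not yet applied but the deadline has not passed
    - out_of_scope: non-critical patch; the 72-hour rule does not apply to it
    """
    if record["severity"].lower() != "critical":
        return "out_of_scope"
    deadline = parse_ts(record["released"]) + sla
    if record["applied"] is not None:
        return "compliant" if parse_ts(record["applied"]) <= deadline else "overdue"
    return "overdue" if now > deadline else "pending"


def sla_report(inventory, now_iso, sla=CRITICAL_SLA):
    """Group patch ids by SLA status, preserving inventory order within each group."""
    now = parse_ts(now_iso)
    report = {"compliant": [], "overdue": [], "pending": [], "out_of_scope": []}
    for record in inventory:
        report[classify(record, now, sla)].append(record["id"])
    return report


if __name__ == "__main__":
    # Evaluate the constructed inventory as of a fixed point in time so the
    # result is reproducible; a real run would use datetime.now(timezone.utc).
    for status, ids in sla_report(SAMPLE_INVENTORY, "2018-03-07T12:00:00Z").items():
        print(f"{status:13s} {', '.join(ids) or '-'}")
```

The report deliberately counts a patch applied after the deadline as overdue even though it is now installed: the checklist's point is the time to remediation, and a late fix is the signal a security leader wants to see in the trend line, not a tidy "all patched" status.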
A successful cybersecurity program will also require integration of emerging technologies for identity management, authentication, horizon monitoring, malware mitigation, resilience, and forensics. Automation and artificial intelligence are already impacting the capabilities in those areas.
Cybersecurity capabilities in information sharing, hardware, software, encryption, analytics, training and protocols, must keep pace to protect and preempt the increasingly sophisticated threats in both the public and private sectors.
What Advice Do You Have For Security Leaders?
My advice to security leaders is that cybersecurity is a team sport and everyone needs to be involved. It starts with basic cyber-hygiene and defining the threats for employees. It needs to be systematic and repeatedly offered with reminders and encouragement. This communication process suggestion applies to all industries, especially the financial industry, which is constantly targeted by hackers.
Because of the fact that employees are continually facing a growing amount of sophisticated phishing, ransomware, and DDoS attacks, security leaders must serve as the outer perimeter to monitor and prevent attacks in addition to the cyber-hygiene role.
Assessing vulnerabilities in data protection for any industry requires a working operational cybersecurity framework. For example, my basic list would include:
- Are the latest security patches applied on the operating systems and software?
- Have the servers been monitored and checked and confirmed to be free of malware?
- Do the firm’s firewalls block everything not specifically necessary for business?
- Is anti-virus software loaded and active on all systems?
- Is all sensitive data identified, encrypted and stored securely?
- Is a Virtual Private Network (VPN) used for general browsing on employee laptops and smartphones?
- Are servers and sensitive computer data kept in secure locked areas?
- Are WiFi access-points configured securely?
- Are employees required to learn and adhere to cyber-hygiene policies to prevent social engineering and phishing attacks?
- Is there a clearly written and enforced cyber security framework in place?
- Is there an incident response plan in place?
Of course that list can be expanded and customized. But having a strategic plan in place to deter, protect against, and mitigate cyber-threats is the best advice I can offer to other security professionals. And that plan should also include incident response and communications protocols if a breach occurs.
What Are the Biggest Challenges We Face in the Year Ahead?
2017 was the worst year on record for breaches. In 2017, globally there were a total of 5,207 breaches and 7.89 billion information records compromised. Unfortunately, 2018 is following the same trends. The challenges have not diminished.
We live in a world of algorithms; 1’s and 0’s. Our digital world is ripe for access and compromise by those who want to do harm from just a laptop and server. A myriad of recent breaches have demonstrated that as consumers we are becoming more and more dependent upon digital commerce. Our banking accounts, credit cards, and financial daily activities are interconnected. We are all increasingly vulnerable to hackers, phishers, and malware proliferating across all commercial verticals.
Ransomware has become a serious threat and challenge. In 2017, ransomware became a preferred method of cyber-attack for hackers. This is because many networks (especially hospitals, utilities, universities, and small businesses) are comprised of different systems and devices and often lack the patching and updating necessary to thwart attacks. The recent WannaCry and Petya attacks were certainly wake-up calls to the disruptive implications of ransomware.
We can expect to see more such attacks because of the ease of infection and because the vulnerabilities in networks still remain. Also, the availability for hackers to be paid via cryptocurrencies makes ransomware more criminally viable.
Ransomware is not a new threat, it has been around for at least 15 years, but it has become a trending one. Experts estimate that there are now 124 separate families of ransomware and hackers have become very adept at hiding malicious code. Success for hackers does not always depend on using the newest and most sophisticated malware. It is relatively easy for a hacker to do. In most cases, they rely on the most opportune target of vulnerability, especially with the ease of online attacks.
Perhaps even more ominous are Distributed Denial of Service (DDoS) attacks. TechTarget provides a succinct definition: a distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.
The connectivity of the Internet of Things (IoT) and its billions of connected devices is conducive for DDoS activities. A Gartner report predicts more than 20 billion connected things to the internet by 2020 that can be hacked or compromised. Clearly, it is almost an insurmountable task to monitor and protect IoT.
In 2016, DDoS attacks were launched against a Domain Name System (DNS) provider called Dyn. The attack directed a variety of IoT-connected devices to overload and take out internet platforms and services. It is an increasingly difficult challenge to keep up with the increasing sophistication of socially engineered threats and threat actors.
McKinsey & Company and the World Economic Forum published a joint paper a couple of years back projecting that ineffective cybersecurity will result in a cost to the global economy of three trillion dollars by 2020. That estimate may be even greater now that IoT has expanded so rapidly along with the attack surfaces constituted by so many billions of connected devices to the internet.
Consider the dire and eye-opening facts: hackers attack every 39 seconds, and around one billion accounts and records were compromised worldwide last year. There are estimates that global cybercrime damage costs will reach $6 trillion annually by 2021. Cybercrime is growing exponentially and so are the risks.
What Are Key Strategies Toward Addressing The Insider Threat?
The cyber insider threat is one of the most difficult challenges for companies, organizations, and countries. It is often difficult to discover, defend against and remediate because such threats can involve a combination of human behavioral elements and hardware and software technologies. Many of the threat actors are tech-savvy and are becoming increasingly sophisticated in their methods of infiltration.
For Chief Information Security Officers (CISOs), defending against insider threats is one of their biggest challenges. In fact, according to a SANS 2015 Survey on Insider Threats, 74% of CISOs expressed concern about employees stealing sensitive company information. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all cyber-attacks were carried out by insiders. A Verizon 2016 DBIR Report disclosed that 77 percent of internal breaches were deemed to be by employees, 11 percent by external actors only, 3 percent were from partners and 8 percent involved some kind of internal-external collusion, which makes them hard to categorize. And according to Accenture HfS Research, 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months.
Negligent behavior is often the result of lack of security awareness due to poor security protocols and updates of patches, and especially compliance, and training, but anyone can be a victim of a spoof or phishing attack. Accidental insider threats can result from a multitude of causes including inadvertent disclosure of sensitive information, lost records, or a portable memory device. Also, employees who bring their own devices (BYOD) to work increase the risk of accidental cross pollination to company networks of malware and viruses from their smartphones.
Insider threats can impact a company’s operational capabilities, cause significant financial damages, and harm a reputation. While there are no complete total solutions to eliminating vulnerabilities from insider threats, risk management is a prudent mechanism to reduce the likelihood of breaches. Risk management should determine how authorized access is maintained and monitored.
Comprehensive risk management should include cyber-hygiene best practices: education/training, use policies and permissions, configuring network access, device management, application controls, and regular network audits. Also, encryption tools, new network mapping, automated rapid detection technologies and behavioral analytic software tools have been developed that help mitigate the insider threat landscape of morphing digital and physical threats.
How Can CISOs, CIOs and the C-Suite Work Together?
A key for cybersecurity is creating a collaborative landscape for all parties involved in combating threats and responding to incidents. That includes CISOs, CIOs and the C-Suite.
Often CISOs and CIOs do not speak the same language and the focus of their serious IT concerns often differs. This can be ameliorated by establishing a shared framework between the C-Suite and the IT professionals of operations that includes means for communication and most importantly, a shared strategy. Collaboration is king.
A strategy plan that evolves from that framework should directly name the decision-makers and spell out responsibilities. A primary goal is for the CTO, CIO and SMEs to educate the Board and present the values and potential costs of such IT operational components so they develop a deeper understanding and align all business elements, including marketing and sales, with cybersecurity. It is best if the plan is calibrated by outside SMEs, the CTO, and CIO for specific cybersecurity requirements.
Developing an understanding and creating an effective cybersecurity operational strategy really depends on a Yin/Yang formula; you need the technical people who understand the street-view challenges of industry from an engineering perspective, and you need the executives who run P & L to facilitate the operations and go-to-market efforts and to sign off on a clearly defined plan. The themes of the framework should include protecting data, corporate IP, and establishing governance.
A successful collaborative strategy requires stepping up situational awareness, information sharing, and especially resilience. In C-Suite terms, what is the price tag for staying in business? In IT terms this may include operational components of encryption, biometrics, smarter analytics, automated network security, informed risk management software, cyber certifications and training, network monitoring, and incorporating NextGen layered hardware/software technologies for enterprise network, payload, and endpoint security. Also, access and identity management of connected devices need to be strengthened and enforced through new protocols and processes.
Also, it is imperative that any strategy and plan include working mechanisms for operational incident response, gap analysis, resilience, and audits. Cybersecurity is integral to brand reputation; no matter what, breaches will happen, and how quickly and effectively a company responds will have consequences for the bottom line and for shareholders.
How Has Industry Cooperation Made an Impact on Cybersecurity?
There are three key areas in which industry partnering has reaped innovation and cybersecurity benefits:
1) open collaboration and information sharing of threats;
2) best practices/lessons learned (gap analysis);
3) accessing research development (“R & D”) and innovation. Industry has focused on those three areas to identify products and product paths, evaluate technology gaps, and help design scalable architectures that will lead to more efficiencies and positive changes.
The financial industry has been at the forefront of strengthening industry cooperation through open collaboration, best practices, and shared research and development. As a result, the industry has accelerated innovation and helped meet the challenges we all face as citizens/consumers in this evolving technological era.
In macro terms, open collaboration and information-sharing among industry stakeholders has simplified operations and helped reduce duplicative IT portfolios, administrative complexity, and technological redundancy.
A continued industry partnership involving information-sharing and risk-sharing will exponentially benefit innovation in many key areas including homeland/national security, health and human services, energy, public safety and transportation. Such information sharing will become even more of an imperative as connectivity in industry grows with the emergence of the Internet of Things.
The growing complexity and magnitude of cyber-threats has created an unprecedented level of transparent collaboration between private stakeholders. Cooperation in innovation has also enabled the application of expertise and planning to maximize and leverage capabilities to build faster, smarter, and better outcomes. And that cooperative trend needs to continue and be expanded.
In the future, industry and public/private sector cooperation should follow an impact framework that incorporates emerging technology areas, organization & policy priorities, and cybersecurity trends:
Emerging Technology Areas:
- Internet of Things (society on the verge of exponential interconnectivity)
- Artificial intelligence and Machine Learning
- Smart Cities
- Connected transportation
- Virtual and Augmented Reality
- Super Computing
- Quantum Computing and Encryption
- Big Data
Organization & Policy Priorities:
- Protecting critical infrastructure through technologies and Public/Private cooperation
- Better identity management via encryption and biometrics
- Automated network-security correcting systems (self-encrypting drives)
- Technologies for “real time” horizon scanning and monitoring of networks
- Diagnostics and forensics (network traffic analysis, payload analysis, and endpoint behavior analysis)
- Advanced defense for framework layers (network, payload, endpoint, firewalls, and anti-virus)
- Mobility and BYOD security
- Predictive and Forensic Analytics
- Informed risk management to mitigate cybersecurity threats
- Emergence of formalized Public/Private sector cybersecurity partnerships
- More information and threat sharing and collaboration between the public and private sectors
- Shared R & D cybersecurity spending
- Increased spending for cloud security computing
- Consolidation and protection of on premise data centers from cyber threats
- Expansion of hiring and training of cybersecurity workforce
- Tech foraging
It is a special honor for me to be selected as the Cybersecurity Leader of the Week. Cybersecurity is a critical path to mitigate the growing global threat of cyber-attacks that has targeted the financial services community. To stay safer, it requires strategic collaboration and open dialogue. I hope that sharing insights in this interview has helped serve in those areas. I want to convey my personal thanks and appreciation to Cyber Start Up Observatory for allowing me to provide my inputs to this important forum and for choosing me for the award.
Chuck Brooks Short Bio
Chuck Brooks is the Principal Market Growth Strategist — Cybersecurity and Emerging Technologies for General Dynamics Mission Systems. Chuck is also an Adjunct Faculty member at Georgetown University in their Applied Intelligence Program. LinkedIn named Chuck one of “The Top 5 Tech People to Follow on LinkedIn” out of their 550 million members. He has published more than 150 articles and blogs on cybersecurity and technology issues. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards. Chuck’s professional industry affiliations include being the Chairman of CompTIA’s New and Emerging Technology Committee, a member of the AFCEA Cybersecurity Committee, and a Technology Partner Advisor to the Bill and Melinda Gates Foundation. In government, Chuck served at the Department of Homeland Security (DHS) as the first Legislative Director of the Science & Technology Directorate. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill covering security and technology issues. In academia, he was an Adjunct Faculty Member at Johns Hopkins University, where he taught a graduate course on homeland security for two years. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague.
Please follow Chuck on LinkedIn: www.linkedin.com/in/chuckbrooks/ and on Twitter @ChuckDBrooks