We are experiencing unprecedented exponential change. In 2013, approximately 3 billion people were connected to the internet. By 2025, ideally 7 billion people will be connected to the internet. Changes on this scale will dramatically impact how people will interact and thrive in the global digital economy. Organizations need to be more resilient in the face of all the challenges that will continue to grow. Positive #ChangeAgents are needed across organizations, sectors, and communities to help make this happen, will you answer the call?
This session will provide a rapid overview of existing and emergent challenges for all organizations regarding cyber-resiliency, and then look towards the future regarding what challenges organizations will confront with resiliency given the rise of machine learning, quantum computing, and unintended misuses of systems to spread misinformation or confusion. Cyber-resiliency is more than just cybersecurity. While it does include the usual “organizational hygiene” steps such as prevention, early detection, and rapid mitigation – resiliency also includes other organizational activities focused on adapting quickly and overcoming unforeseen events. The pace of unprecedented exponential changes require us all to be positive leaders in this important area. This session will emphasize and empower all participants to be positive #ChangeAgents within their organizations, sectors, and communities.
Automating Google Workspace (GWS) & more with Apps Script
David Bray - Why Cyber-Resiliency Matters: Unprecedented Exponential Changes
1. A Positive #ChangeAgent’s
Guide to
Improving Cyber-Resiliency in
Our Exponential Times
dr. david a. bray, changeagents@peoplecentered.net
executive director, people-centered internet
2.
3. Where We Are:
(1) Positive #ChangeAgents Need Flak Jackets
(2) Cyber-Resiliency & Our Exponential Era
(3) Three Cyber-Resiliency Axioms for Any Leader
(4) Cyber-Resiliency 101 & 201
(5) Light & Dark Sides of Exponential Trends
(6) Cyber-Resiliency 301 & 401
(7) Rapid “Graduate Course” on Coming Trends
(8) Why This All Matters
4. #ChangeAgents = Leaders who
“illuminate the way” and manage friction
of stepping outside the status quo
10. next 7 years (2018-2025)
will see more change
than the last 20 years combined
exponential tends of current technologies
+ internet of everything + machine learning
+ longer-term advances in quantum
11. The #Exponential Storm
2013: 7B network devices
4 billion TB of digital data on the planet
~3B (out of 7.1B) people online
12. The #Exponential Storm
2013: 7B network devices
4 billion TB of digital data on the planet
~3B (out of 7.1B) people online
2025: 100B+ network devices
200+ billion TB of digital data on the planet
plus ~7B (out of 8B) people online
13. If We Put the 232 (~4.3 billion) Numbers
Addressable by IPv4 into a Beach Ball
14. The 2128 (~340 followed by 36 zeros) Numbers
Addressable by IPv6 Equal the Volume of our Sun
16. Where We Are:
(1) Positive #ChangeAgents Need Flak Jackets
(2) Cyber-Resiliency & Our Exponential Era
(3) Three Cyber-Resiliency Axioms for Any Leader
(4) Cyber-Resiliency 101 & 201
(5) Light & Dark Sides of Exponential Trends
(6) Cyber-Resiliency 301 & 401
(7) Rapid “Graduate Course” on Coming Trends
(8) Why This All Matters
17. Cyber-Resiliency Axiom #1:
Leadership vs. Management
if all you do is only manage expectations,
you will fall behind in a changing world
à need #ChangeAgents to go beyond “status quo”
18. Cyber-Resiliency Axiom #2: The Current TCP/IP Stack
is Easier to Exploit vs. Harder to Defend
right now it much easier to launch cyber exploits than
prevent them à computer scientists & engineers know
this, yet most lawyers & policymakers don’t
19. Cyber-Resiliency Axiom #3: The Moment Resiliency &
Security are Jobs of Only One Division, You’ve Lost
greatest risks for exploits span how your organization
operates, including what people are:
(1) to do, (2) not to do, (3) not to forget to do
20. Cyber-Resiliency is More than Just Cybersecurity
It’s Risk Management
no one would claim they’d never get sick, so to
nothing ever 100% secure – we can strive for:
(1) prevention, (2) early detection, (3) rapid mitigation
21. Cyber-Resiliency is More than Just Cybersecurity
It’s Risk Management
1500s = physical parameter defense is outdated
2010 = digital parameter defense is outdated
22. Improving Cyber-Resiliency 101:
Good “Organizational Hygiene” Fundamentals
follow the Australian Signals Directorate’s “Top 8”
= solid foundation for a rapidly changing world
+ if you want extra credit, can do the SANS 20
85% of Incidents Occur
When Someone Does
Not Do One of “Top 8”
23. Cyber-Resiliency 101: Australian Signals Directorate’s
1st Part of the “Top 8” Prevent Malware Infections
1. Application Whitelisting 2. Patch Applications
3. Disable untrusted macros 4. Harden user apps
24. Cyber-Resiliency 101: Australian Signals Directorate’s
2nd Part of the “Top 8” Limit Extent of Any Incident
5. Reduce Admin Privileges 6. Patch Op. Systems
7. Use Multi-Factor Logons 8. Backup Vital Data Daily
25.
26. Improving Cyber-Resiliency 201:
A Choice of Two Paths
the blue pill: document 100+ compliance security
checks – yet still get undone by a new zero-day
or novel social engineering exploit
27. the blue pill: document 100+ compliance security
as cyber tools
improve at bottom
of Open Systems
Interconnection OSI
Model, exploits are
moving up layers
28. the blue pill: document 100+ compliance security
as cyber tools
improve at bottom
of Open Systems
Interconnection OSI
Model, exploits are
moving up layers
29. Improving Cyber-Resiliency 201:
A Choice of Two Paths
the red pill: change the game, strengthen controls
around (1) digital identities, (2) vital data, and
(3) processes tying data access to digital identities
30. Improving Cyber-Resiliency 201:
A Choice of Two Paths
the red pill: change the game, strengthen controls
avoid system-wide
data access rights,
don’t become a
tempting one-stop
“databank”
31. digital identity controls
w/ single sign-on =
view behaviors across
systems, time,
& geography
data access controls
w/ granular access =
limit view or edit
rights to specific
digital identities
perform immutable audits of access tied to identity
monitor for intrusion or insider threat behaviors &
establish “patterns of life” intervene if non-normal
33. Where We Are:
(1) Positive #ChangeAgents Need Flak Jackets
(2) Cyber-Resiliency & Our Exponential Era
(3) Three Cyber-Resiliency Axioms for Any Leader
(4) Cyber-Resiliency 101 & 201
(5) Light & Dark Sides of Exponential Trends
(6) Cyber-Resiliency 301 & 401
(7) Rapid “Graduate Course” on Coming Trends
(8) Why This All Matters
34. Confront An Average Internet Minute:
Light Side
204,000,000+ emails sent globally
4,000,000+ Google search queries
2,460,000+ pieces of Facebook content shared
72+ hours of new YouTube video uploaded
48,000+ iOS apps downloaded
_____________________________________________
stats will grow exponentially in the years ahead
35. Confront An Average Internet Minute:
Dark Side
McAfee: 200+ new threat vectors/minute
FireEye: new malware every 3 mins
DOE/NNSA: receives 6,940+ attacks/min
DoD: 85% of emails received = spam
and receives 13,800+ nefarious emails/minute
_____________________________________________
stats will grow exponentially in the years ahead
36.
37.
38. Improving Cyber-Resiliency 301:
Simplify, Automate, Verify!
(1) get off legacy IT and focus on doing your own IT
only when you must
(2) automate wherever you can
(3) regularity re-verify whatever you trust
39. Improving Cyber-Resiliency 301:
Simplify, Automate, Verify!
(1) get off legacy IT and focus on doing your own IT
only when you must à embrace Software as a Service
simplify, simplify, simplify what you must maintain
40. Improving Cyber-Resiliency 301:
Simplify, Automate, Verify!
(2) automate wherever you can à automate any
required patching, image rebuilds, and monitoring of
identity access & data flow behavioral patterns
Stop Manually Patching
Wherever Possible!
41. Improving Cyber-Resiliency 301:
Simplify, Automate, Verify!
(3) regularity re-verify whatever you trust à are
humans, systems, and automated monitors operating
as intended? use independent testing to confirm
Verify What You
(Have To) Trust
42. Improving Cyber-Resiliency 401:
Assume You Cannot Trust Even Your Hardware
Meltdown = attacker "melts" security boundaries
normally enforced by hardware
can gain access to data that program
shouldn't normally be able to see,
including Admin-only data
43. Improving Cyber-Resiliency 401:
Assume You Cannot Trust Even Your Hardware
Spectre = attacker make a program reveal data
that should have been kept secret
exploits "speculative execution" branches
multiple variations & trickier to patch;
will be haunting us for some time
44. Improving Cyber-Resiliency 401:
Embrace the Exponential Future
Be Nimble! (Because the Attackers Will Be Too)
present a changing “attack surface”,
use ambiguity to your advantage à make it hard to
recon your digital enterprise
45. Improving Cyber-Resiliency 401:
Embrace the Exponential Future
Attackers Not Just Taking Data, Now Destroying Data
orgs need to bounce back much faster than before
from a destructive event à entire org needs to plan +
deploy IT + train everyone with this in mind
47. Where We Are:
(1) Positive #ChangeAgents Need Flak Jackets
(2) Cyber-Resiliency & Our Exponential Era
(3) Three Cyber-Resiliency Axioms for Any Leader
(4) Cyber-Resiliency 101 & 201
(5) Light & Dark Sides of Exponential Trends
(6) Cyber-Resiliency 301 & 401
(7) Rapid “Graduate Course” on Coming Trends
(8) Why This All Matters
48. Rapid “Graduate Course” on Coming Trends
(1) Machine-Learning & AI Challenges
smart algorithms can be fooled with noise added
50. Rapid “Graduate Course” on Coming Trends
(2) Broader Definition of “Cybersecurity”
organizations could do everything right regarding
digital security and still loose trust overall
52. Rapid “Graduate Course” on Coming Trends
(3) Internet of Everything = Looming Train wreck?
the IoE could amplify potential “attack surface”
with billions of devices that are never patched
53. Rapid “Graduate Course” on Coming Trends
(3) Internet of Everything = Looming Train wreck?
the IoE could be billions of devices easy to turn
into digital zombies à who will notify individuals if
their refrigerator or thermostat is compromised?
54. Rapid “Graduate Course” on Coming Trends
(4) Potential Quantum Advances in a Decade
quantum computing allows accelerated factorization
of encryption keys à orgs with sensitive data may
want to consider quantum-resistant algorithms now?
55. Rapid “Graduate Course” on Coming Trends
(4) Potential Quantum Advances in a Decade
quantum entanglement, if achieved over distances,
allows “spooky actions at a distance” for unique
secure communications properties
56. Rapid “Graduate Course” on Coming Trends
(5) Boards Start to Require Deep Cyber Expertise?
presently, most board members not expected to go
deep on cyber-resiliency in the same way they would
on a profit and loss sheet à orgs not served well
57. Rapid “Graduate Course” on Coming Trends
(5) Boards Start to Require Deep Cyber Expertise?
boards and other oversight mechanisms better
served if members expected to be able
to go deep on cyber-resiliency
58. Rapid “Graduate Course” on Coming Trends
(6) General Data Protection Regulation In Europe
goes into effect in May 2018, has requirements for
data breach notification and penalties for all firms
processing EU data
59. Rapid “Graduate Course” on Coming Trends
(6) General Data Protection Regulation In Europe
GDPR also has impacts for individual consent
for sharing any personally identifiable information,
including IP addresses .
60. Rapid “Graduate Course” on Coming Trends
(7) New Forms of Organizing to Address Resiliency
growing interest to develop new approaches to
decentralized data to allow individual’s to choose
with whom (and when) they share personal data
61. Rapid “Graduate Course” on Coming Trends
(7) New Forms of Organizing to Address Resiliency
potential need to develop cyber epidemiology
preventive and response approaches to “infection
control” across herds of digital devices
62. Carl Sagan in 1994:
Look again at that dot.
That's here. That's home.
63. That's us.
On it everyone you love,
everyone you know –
Everyone you ever heard of, every human being
who ever was, lived out their lives.
64. To me, it underscores
our responsibility to deal
more kindly with one another –
And to preserve and cherish the pale blue dot,
the only home we've ever known.