The document summarizes a presentation given by William H. Miller Jr. on enterprise security from a C-level perspective to the Information Systems Security Association Space Coast Florida Chapter. Some key points discussed include the inevitability of cyber attacks, the need for public-private partnerships in cybersecurity, guidelines for effective security policies, and components of a comprehensive security framework for organizations.

1. “ Enterprise Security from a C-Level Perspective” Information Systems Security Association (ISSA) Space Coast Florida Chapter William H. Miller, Jr. Industry IT Executive & Independent Consultant Hosted at Florida Institute of Technology December, 2010 Feb 11, 2011

2. We are in the Right Profession Today! An engineer dies and reports to the pearly gates. St. Peter checks his dossier and says, " Ah, you're an engineer -- you're in the wrong place." So, the engineer reports to the gates of hell and is let in. Pretty soon, the engineer gets dissatisfied with the level of comfort in hell, and starts designing and building improvements. After awhile, they've got air conditioning and flush toilets and escalators, and the engineer is a pretty popular guy. One day, God calls Satan up on the telephone and says with a sneer, " So, how's it going down there in hell? " Satan replies, " Hey, things are going great. We've got air conditioning and flush toilets and escalators, and there's no telling what this engineer is going to come up with next." God replies, " What??? You've got an engineer? That's a mistake -- he should never have gotten down there; send him up here." Satan says, " No way. I like having an engineer on the staff, and I'm keeping him ." God says, " Send him back up here or I'll sue ."

3. We are in the Right Profession Today! Satan laughs uproariously and answers, "Yeah, right. And just where are YOU going to get a lawyer?"

4. Headlines ………….. Former Intelligence Chief Says A Cyber Attack Is Inevitable By Brian Wingfield, Business in the Beltway, November 23, 2010 “ Admiral J. Michael McConnell, the former Director of National Intelligence now at Booz Allen Hamilton was interviewed recently by Forbes. He indicated that a cyber attack is inevitable. When he was asked, "Are we at a greater disadvantage than any of our adversaries?" He answered, “Yes, and there’s a very simple reason: We’re more vulnerable because we’re more dependent [on technology].“ Mr. McConnell said change will only come about through dialogue otherwise it will happen after a catastrophe. Mr. McConnell noted that intellectual capital is also at risk, not just information and money.” New Cybersecurity Center planned for Univ. of MD From Baltimore Examiner on line, October 20, 2010 “ The University of Maryland is launching a new cybersecurity initiative that aims to stimulate public-private partnerships and address national vulnerabilities, including those facing industry. The idea is to help "connect the dots" in the region's fast growing federal and private cyber sector. The focal point of the initiative, the new Maryland Cybersecurity Center (MC-squared, or MC2), will adopt a holistic approach to cybersecurity education, research and technology development, stressing comprehensive, interdisciplinary solutions. First pan-European cyber security simulation From European Commission - Joint Research Centre, April 11, 2010 “ Europe's cyber security experts are putting their skills to the test today in the first ever pan-European exercise. In "Cyber Europe 2010", experts will try counter simulated attempts by hackers to paralyse critical online services in several EU Member States. The event is organised by EU Member States with support from the European Network Security Agency (ENISA) and the JRC's Institute for the Protection and Security of the Citizen (IPSC). Feb 11, 2011

5. Cyber Threat Status: “Red” Feb 11, 2011 Offshore resources are likely targeting your company IP today Origins of cyber attacks vary greatly (from crime syndicates, to national interest groups, to foreign agencies, to foreign military) Adversary’s objective is to short-cut R&D dollars and time Data exfiltration is rarely intended to be highly visible Barriers to entry for our adversaries are extremely low Public is vaguely aware but largely ignorant of realities Attacks come in “gradations of sophistication” Cyber threats are of great concern to informed company management

6. Who’s Concerned Today? Government Agencies Government Contractors & Aerospace Chemical Industry/Oil & Gas Banking and Investment Houses High Tech, IP-Generating Firms Healthcare Concerns Network Carriers Emerging eBusiness Enterprises Transportation Power Generation and Distribution Other Forms of Utilities

7. DoD DIB – Government Organized Feb 11, 2011 DoD DIB = U.S. Department of Defense, Defense Industrial Base; Critical Infrastructure Protection Comprised of largest U.S. Defense contracting firms today “ Contractual Arrangement” with the Federal Government Focus on “ sensitive but unclassified ” data Both Classified & Unclassified components of the program Focused on sharing of critical information to thwart global threats U.S. National Interest is at stake CIOs and CEOs involved with Armed Forces and National Intelligence Practices may lead to additional Federal Acquisition Guidelines Some structural changes in core information flow are being suggested Committees formed to divide into manageable working groups Challenges: International firms participating Smaller company engagement Motivate vs. Legislate

8. Security Policy Guidelines Cyberspace has a completely different physics than any other domain . It is impossible to "take and hold" cyberspace. Cyberspace is a dynamical system that runs at super human speed. A good offense is NOT a good defense. Instead, a good defense is the ONLY defense . Throwing a better, more accurate rock in a glass house is still throwing a rock. Our systems are so permeated with problems that even an untrained child can exploit them. Divide and conquer will not work . Civilian, government, and military systems are so deeply entangled that they cannot be separated and protected distinctly. The nature of the entanglement is the people who interact with the systems. Cyber crime and cyber espionage are more important than cyber war . The (very) bad news is that shiny new cyber weaponry will be repurposed for crime and spycraft — reason enough to take pause before charging ahead with offense. The good news is that fixing the broken stuff will help simultaneously combat crime, war, and espionage. Public/private partnerships pander politically but they do no real good. As it turns out, security is not a game of ops centers, information sharing, and reacting when the broken stuff is exploited. Instead, it is about building our systems to be secure, resilient, survivable. No security is perfect and problems will happen . Even if a large portion of taxpayer money and collective know-how is dedicated to the task of building better, more secure systems, mistakes will still be made and systems will still be attacked and compromised. Cyber security policy must be built on the assumption that risk cannot be completely avoided, meaning that systems must continue to function even in sub-optimal conditions. If it sounds like BS or magic, it's probably not true. Article By Gary McGraw and Ivan Arce , Nov 24, 2010 – “Software [In]security: Cyber Warmongering and Influence Peddling”

9. Some Thoughts on Cyber “Good Guys and Bad Guys” Don’t confuse National Interest with Corporate Objectives Suppliers to the U.S. DoD are global today and have very complex entity structures and ownership models Our adversaries may have drastically different “value systems” and are not necessarily bad guys by the traditional definition Cyber theft is less of an issue of ethics, and more a matter of law and governmental preservation Offensive and Defensive Cyber Capabilities often grow in the same garden …………….

10. What are Some of Our Key Security Framework Components? Comprehensive Security Architecture Security Staffing Plan Incident Response Plans & Ready Teams Self Assessment Models Secure NOC & 7/24 ‘Eyes on Target’ Appropriate Budgeting Models Industry Partnering Agreements Meaningful Metrics and KPI’s Management Communications Plan “ Best Practices ” Communiqués to Employees Prioritized Strategy for Incremental Tool Investments Software Application Code Reviews

11. From the SANS Web Site ……. Application Vulnerabilities Exceed OS Vulnerabilities During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs. The most "popular" applications for exploitation tend to change over time since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted. (2009 Data) Figure 1: Number of Vulnerabilities in Network, OS and Applications

12. Security Investment Evolution Measurement processes emerge Reactive Undefined policies, procedures Informal policies, procedures SOX – Initial control structure Enterprise control framework Continuous process improvements 2000 2004 2009 Compliance Proactive Optimized 2010 2012 Security Advisory Group Virus Script Kiddies Insider Threat APTs Nation State Attacks True Cyber Warfare Security Investment $ZM $YM $XM New threats may require additional Investments? 2015 2014

13. Security Tools are Expensive and Burdensome …. DLP/DLM IPS/IDS Vulnerability Assessment/Pen Testing SEIM ( Security Event Information Management) Two Factor Authentication Web Application Scanners Patching Capabilities, Ad-Nauseam SOC Capability … . and only represent part of the solution today

14. Ten Outcomes That Keep CIOs Up At Night Threat of notifications by external customers due to breach Regulatory notifications to external customers due to breach Company embarrassment if confidential data becomes highly visible Loss of company-critical Intellectual Property (loss of competitive advantage via copying of ‘false’ products) Disruption to the business when widespread affects are apparent to the employee base Additional focus from Auditors based upon disclosures Executive management frustration over disruptions Threat to U.S. National Interests Loss if IT organizational credibility SOX Reporting concerns

15. Some Environmental Challenges in Cyber Space in 2010 Lack of “Security Pros” to address the national need Wireless, handheld device variants and networks Dramatic emergence of Cloud Computing Offshore design & CM relationships continue to expand Dichotomy between Federal and Commercial companies Security scales downward poorly to small companies Recent WikiLeaks and the national mindset on data protection vs. openness Zero-Day Vulnerability challenges Healthcare Online – EPR/EMR Migration from HW to SW More Web Apps …..

16. What Can, and What Can’t, a CIO or CISO Control in Regards to IT Security? Can Control: Existence of a working/adaptive security architecture Employment of knowledgeable personnel Minimally-acceptable set of deployed tools Rate of adoption of new IT operating environments Prioritized spend plan Comprehensive communications across the firm Atmosphere of vigilance amongst staff members Cannot Control: Vectors of attack utilized by adversaries Immediate susceptibility to the latest techniques and malware technologies Emergence of new and vulnerable IT industry operating environments Software “deficiencies” and gaps in vendor-supplied products Unethical behavior of disgruntled employees

17. A Litany of Tough Executive Management Questions Persist Has our firm ever lost data or IP due to successful cyber attacks? What should we be doing differently? How would we know for sure if we had been had ? Who should our firm partner with, and trust , to achieve the most survivable posture? What should we expect to measure to prove success ? What’s the right amount of money to spend on information security today at our company? What are we doing to ensure that our employees do not become a further source of the problem ? Can we guarantee that we are safe from major cyber compromises in the future? Ambiguity is not popular in the Executive Suite

18. Behavioral Drivers for the Executive Staff Maximize Shareholder Wealth Sustainable, Profitable Growth of the Firm Steady, Predictable Economic Results YOY Minimize Spending on G&A Maintain Positive Customer Relationships Close Compliance with BOD Directives Mitigate Various Forms of Risk - Mission of CEO, CFO, COO and Others -

19. These Objectives Translate to ……. Protecting the Brand at All Costs Careful Reinvestment in New Products and Services Penetrating New Markets (Adjacent & Geographic) Perspective that Overhead Costs are Evil Meet Minimum Standards for Compliance Ensure “No Surprises!” Note that Security “Issues” Rarely Come with a Perceived Upside in the C-Suite

20. Executive $$ Investment Priorities New Product Development/R&D Sales Force/Sales Channel Optimization Brand Image and Advertising Cost Reduction Techniques – Gross Margins and OpEx Customer Service & Satisfaction Pursuits Community Relations Compliance Initiatives Decreasing Appetite for Company Spend Security Sarbanes Oxley Business Resumption Planning ERM $$$ $$ S

21. C-Suite and Director Mindset There’s little to be gained by sharing information pertaining to company security challenges Learning of a breach via customer contact would not result in a good outcome Even an ERP eventually settles out, when is this deficiency “ going to be fixed ”? Why is this so difficult to address when we already spend so much money annually? Who do we need to bring in to help? Is the current team part of the solution or part of the problem?

22. Implications for the Security Professional Facts must be readily available to tell the real story Metrics to show progress must be institutionalized* Executive “upward communications” must be a priority Constant Pressure on CIO, CISO, and Chief of Security This is one of several current topics that will get Board-level visibility multiple times annually Warning : there may be some responsibilities that are “delegated downward” and there may be little real opportunity to discuss them openly * Offsets the inevitable ‘ difficult days’ In the C-Suite, Security Concerns = FUD

23. Important Cyber Security Discussion Questions How will smaller companies find and retain trained security personnel to protect the enterprise in the midst of extensive government hiring? How many cyber security tools can the average company afford to invest in, deploy, and subsequently manage? Can we successfully procure enterprise network protection (buy vs. build)? And then there’s the log data .......... how much is enough? As CIO’s/CISO’s, can we safely outsource applications and data from the Cloud? How can we be sure? How do we keep our Boards apprised of threat levels without panic? How do we effectively communicate with employees in this very noisy space? Feb 11, 2011

24. Debate Over “How Much Does This Really Matter”? Have the outcomes of offensive cyber attacks proven to be materially beneficial in times of conflict? Since it is impractical to assume all 8,000+ DoD suppliers will “ see the light ”, what is the grayscale for cyber competencies? Assessments of real effectiveness of espionage Access to information never guarantees tactical superiority (ex. Stuxnet) How will long term relations with China influence this equation? When is “ good enough ” truly good enough? Remember that we are considering non-classified information and the majority of exfiltrated info is metadata.

25. Some Additional Observations External Partners can, unwittingly, make you look bad: Vulnerability Assessments New Supplier Product Validations Agencies and Bureaus Relish the Finding of Weakness General Managers are familiar with “ Risk vs. Reward ” decisions, but security is hard to understand in this context In the Product Portfolio , some offerings succeed and some fail; security is measured by the weakest link Hiding vulnerabilities from the outside world is wise, but full disclosure is essential within the firm

26. And a Few Final Suggestions for Cyber Craftsmen Every technical advance in the war demands some accompanying good press Architecture Investment Education - Training - Awareness Communications Prompt Proactive - Dollars - People/Skills Infrastructure - Priorities - Comprehensive Measurements Consider as ‘ water in the bilge ’ – some minor leakage is OK Educate the workforce mercilessly Educate the senior leadership on how to think about this problem Utilize these threats to illustrate organizational competency

27. Relevant Quotations “ To err is human, but to really foul things up requires a computer.” Farmers' Almanac , 1978 “ Security is mostly a superstition. It does not exist in nature.... Life is either a daring adventure or nothing.” Helen Keller , The Open Door (1957) “ Better be despised for too anxious apprehensions, than ruined by too confident security .” Edmund Burke , Irish orator, philosopher, & politician (1729 - 1797)