Cyber Security Radio Interview

When or how did you get into cyber security?

Hi this is William ABC president of Covenant business Concepts sitting in once again for John Harmon he’s out there in the world somewhere making extraordinary things happen for good people helping us build businesses build Bridges right and build revenue it’s even better so we have we just finished speaking with Michelle Walker Davis and now we get to get into Tony’s business now I’m Tony is the owner and director of cybersecurity Consulting Ops is that correct Tony and you are a career entrepreneur that is correct you only been have you ever worked for Comcast from 1996 until 2013 and then I’m working Cisco and that’s how you perfect your craft and now year I install a DVR camera system and the one they ever try to you know see what was going on at home and I was able to see it did some research and found out I and what the heck is the time they you know when you have a camera inside your home or inside your business listing carports to be able to be no change my ports to the port that they wanted to be to be able to watch her what I was doing so they were watching your home watching what I type in my computer until so absolutely staying a lot more about networking understand how the landscape you know was with you getting something like this to work so I can I work for Comcast as I said before from 1996 until 2013 I was able to build a lab wherever I went in Comcast was able to make my own lab and I gave me great experience in terms of what it takes to setup networks and understand how device talk to each other video camera on her laptop and I was in a teacher about that but there’s ever a good reason to do that right now because if I had access to your Network he can do anything you want to do if you don’t have the correct segmentation and protection it doesn’t take much because they have the program and then they have the dumb one.

Where can I purchase the program so you don’t have to be a genius to operate the Network?

And I would work, but anything that’s smart and what are these allow them to get to your devices without you knowing it. Hackers are malicious and intent on getting the government to get to your telephone report 2018 data breach investigation report. We’ll talk about the information skipped when you tell us what’s happening in Palmer Spring biting me here. I appreciate it. I think they think the organization is doing a great job and just got involved,d and I’m Blown Away in terms of all the opportunities. That’s provided and I just wanted to bring you thinking about too much I’m yours too much probably make maybe seven or eight what is in college for criminal justice and enjoyed in the excellent School cuz you got your body I said nobody would have two girls and two boys allowed everyone attended Syracuse University good so how do you tell us a little bit how you recently got involved they came from a pain point and I really believe that it’s worse than when you have your own business you serve best out of your points of Brokenness absolutely out of there and not wanting this to happen to anyone else but what’s the goal of cyber security Consulting bring awareness to customers $150 to his mind you know something from his credit card so what do you think about it and they’re linked in your home for example if I didn’t realize that I could not look at my camera and then did some investigation was my identity precisely what happened they’re connected with something called an IP address so everyone is a name and so you know they call the internet and if you had Tobin the internet’s and are you saying you had your camera on or that you like and on Google.

A hacker can steal information without touching your computers.

on Google and open so the way things work if you have a system here in this system so you have to open a door to that route that you have set up in this building stays open is a router dependent you don’t have to help you from a hacker because you know I can come into your network and never touch your computer but I’m still able to get information that you can hire that supposed to keep you off the black web dark web or whatever is on the dark web so that’s after the fact what is your take on social media social media to ask I know we talked about Facebook and Target I told I don’t know exactly the root cause I buy Facebook hack but I can tell you what happened with Target hack was they had a vendor who I was coming back and forth on the network off Target and somehow no one checked to see if he was Secure so the hackers with friends and if you have a doctor’s office and you allow your cousin to come in and you don’t know if that accountant is coming from and whether or not is a secure place or if they’re secure you are allowing someone to come into your network that makes the information and so you have to be done in this is something that we try to teach people is that this is very, and in a lot of people get a company that has been no sew the difference between Haiti and cybersecurity is that there’s something but we do prices together right that’s what I T guy would only do not there are vulnerable the government release thousands of every day on software the IT guy never look at that that’s what they do inside to see if you wanted to hire you answer okay you know what I’ve got some weird stuff that’s happening on my laptop is running slow can you what’s the basic Services you can provide them we’re going to go to break first but I want to give you two opportunities to tell people how to reach you and then the specific services that you provide and then we’re going to come back and talk about a little bit more so we can be reached at +88-858-895-9951 or email us at support at CSCO – i t., let me repeat it again so please call us at 888-588-9951 and email us at support at CSCO dash.com what are the top three things you can do for people off the bat I’m reaching out to you that they should be thinking about in terms of hiring you why should they hire the first thing I would do for them is still in from the outside what the heck is actually see it on their system so we will be able to tell you I know you not going to have me because we have to cry because we’ve been that protect them and then so we’re going to go to work in one minute what do you want to hear about Michelle I wanted to know if it’s a one-on-one relationship or do you go into companies we going to companies okay so not so much private people residence done private people and then we can talk about that but private people is a little bit different is the same strategy where you actually you know check whether or not they’re vulnerable and help them to become the tomb was coming breech sectors right and some data around that and then get into a little bit more about your business your audience right we’ll be back in a moment  get over here and give you a hug like hot is that they noticed unusual activity on my debit card I can respond right now be a text then to call me and help me get things back on track plus I can swing by my bank and get a temporary card issue right away oh that’s Wells Fargo calling to follow up but I put a word in for you at the shop activity alert you and help you handle it so you can keep your life moving forward suspicious card activity alerts security convenience together Wells Fargo together we’ll go far Wells Fargo Bank NA member FDIC.

Cyber Security Consulting Manager

 an hour and we’re here in the studio with Tony Richard owner and director of cyber security Consulting out he’s been telling us some amazing information about how we can protect ourselves from hackers what about the two most common breach sectors right and then I think you will also sharing something about how long it takes them and is real quick because a lot of people you know they don’t really know how serious this is so the mean time to identify if your back is 197 days I just want you to think about that for a minute right so think about it on the things that can happen 197 days before college right to the top of level privilege and then get all the information that they need because what they can do on your network virus protection are not what they have it or not and take all the information that they need email to my wife call my wife name and I am I knew that my wife was on the internet person and I realized something is wrong and then every time I try to go to a website somewhere else okay is what’s the effect your system into their destination you’re giving it to it willingly so what happens once you say you want to go to Google go to Google and then but then you see all these pop-ups are you going to a network that they want you to go to I was able to realize something is wrong at a time to actually show me that they were going that that was breached now every device that’s connected to the internet especially Unix or even Windows they have a login system when I say l o g g i n g which is actually touching your system logs to a file and I saw that the IP address that was actually on my system was from Ukraine if you got hacked from somebody in Ukrainian someone in your great really about that we didn’t know much know much about how much would that cost for each cost today if it’s a big company they have read according to this is the IBM data breach report that is Verizon is about 3.6 million dollars 3.6 million dollar off of $500,000 let me share something with you first before you do that is it the clown about the cloud right into Cloud the problem is once you install a router something in our minds tell us that the route is going to be good for the rest of our lives matter is that router firmware need to be updated okay I’m part of the antique cybersecurity cell and different things from the government will there be high all Knight security and it was something that came out about reboot their routers because you know if you need a reboot your router something could happen to you if you get hacked so most consumers are not aware of these alerts Super 8 in Norma see when in reality there from where may be out of date so nine times out of ten your firmware without a date on your router because you never updated it and so how often should I be updating my router and that’s where we come in because don’t know about the alert but our software updater software that is the standard & R Us in terms of all the information and we are able to scan and actually tell you if they’re on a date because we’re honest we believe that the best job that we can do for you I will best cyber security company in the United States we have a partner with Cisco with partner with some important protection endpoint protection companies and we’re just honest people we’re not hear the money is good but at the same time we want to help people helping people is more important to us my target audience would be based on the two most brief sector and everyday eye doctor office get free okay because if you look at the hotel’s 38 right so they have you give me look at how many incidents right and the bridge the bridge is pretty high for the incident did 750 + 536 actually breach they tried 750 times and then they succeeded 536 people don’t understand is that because it’s a long as you can keep that social security number and they’re not using it but then you’re good for 18 years so the professional sector did they are doing really well 542 bridges that is correct why are they so good at protecting their stuff and they’re in a state of disbelief right because the lights and there soon that the it guys taking care of them we had a doctor that we scanned and we scanner system we saw that a router was extremely vulnerable and she called her it guy that she said and I said well I’m not a cyber security guy be honest but most customers believe that I T and cyber-security the same statistics out there you realize that there’s more to cybersecurity that would protect them and I was thinking probably Professional Services don’t have the extent of data unless you want to steal information like confidentiality stuff other than that health records with where you would want to Target public Wi-Fi is because I acted can get into that system the system until the system that information and steal your information so you shouldn’t use public should never use public or private is Network because if you infect the phone while it’s in the private domain I have a bad habit of bad habit but my grandkids does my phone say download these games and they can definitely that’s a stick where someone downloaded a program they called his side load so that person and what’s a VPN virtual private network has so many bad habits and it’s amazing what can be done so in terms of where you want to grow your business right cyber security consulting jobs what do you want to come was just an organization with the next 5 years and helping medical providers for that right lights and if you look at the rate of breeches something needs to be done and you know what’s going on and when they get to be 18 years old that could you not have bad credit and that’s something that I don’t like but let’s go back to firestick think should I get rid of my firestick no thanks just put it on a separate network from you private Network put it on a separate network that you have your regular Wi-Fi and you’re doing business pleasure speaking with you is the owner and director of cybersecurity Consulting Ops how can people get in touch with you. You can call us at 888-588-9951 or email us at support.com. Thank you so much, honey it’s been a pleasure. Thank you for all the incredible work you do and Michelle The Incredible work that you do I want to remind everyone that this is the empowerment hours sitting in for John Harmon, and please, if you can, make sure that you attend their events, the State of black New Jersey to 2019 on April 10th

 

The Internet And Cyber Security
The past, present, and future of the internet, network security.

So I wanted to ask you when you first started the project to think about the communications that they’re really have become the internet what were your goals what were you are hoping to achieve at that point it demonstrated the utility and effectiveness of packet switching in a heterogeneous environment where multiple computers with different operating systems were able to communicate over a homogeneous Network the Internet Was A Step Beyond that to include heterogeneous packet switching networks radio base satellite-based optical fiber baseball that came later and so on then the question was can we build this arbitrarily large network of networks linking a whole bunch of heterogeneous systems together and so that was our initial objective we knew this was going to be useful for command-and-control and so we incorporated into our thinking they need for mobile operation for voice and video and for security so that was all part of the general framework in which this development took place today well one argument is yes because we were worried about the address space for one thing and we did a calculation and we came to the conclusion in 1973 that we needed 4.3 billion terminations on this network now for a small-scale experiment with only three or four networks at that time that was a pretty ambitious goal but we wanted this to be expandable when you would had to operate on a global scale because the military has to operate on a global scale security what kinds of conversations occurred at that time we’re going to have to secure the communications and to and because we’re going to be going through a variety of network some of which might not be internally secured it also and doing cryptos important the ability to Route traffic arbitrarily through networks that might not be secured this important so we knew all of that and when we have this other problem which is Packet crypto didn’t exist at the time wine and Krypton was coming but packet crypto where you have to essentially decrypt things out of order was a new thing and that caused all kinds of artwork that happen we had a whole program for developing packet cryptography so that was all part of our model the other part of the model thought was that every device that was on the internet would have to defend itself we didn’t have any notion to Perimeter we didn’t really have a notion of firewall every device was out on its own that meant that if it receive traffic and had to design am I going to respond to this or not and so we had to have an occasion is part of a notion in the design of the system seventies about the breath in the scale with the architecture in the design and people to be able to work on it where do you see Innovation today what where do you see not just the internet going but where do you see Innovations going that said having an effect on the Internet is an example in the case of Internet one thing we very carefully thought our way through is it the Internet Protocol layer has the characteristic did the package don’t know how they’re being carried that was an important ignorance and they don’t know what they’re carrying buy postcards if they were transported and they don’t know what is ignorance turns out to be the key to Innovation as new transmission technology came along the packets could be carrying on anything so an optical fiber became, just put the packet switching system on top of that similarly when people had new ideas for applications all they had to do was to put them on the net we didn’t change the network cuz all the network middle is it switching packets around containing old paint content so that in ignites opportunity for Innovation but there’s more to it than that especially if you go out into the private sector Innovation generally requires taking risk that could be a startup which is risky or I could be an established company trying something out there might not work unless you have an environment where you’re permitted to dry things out and fail you have a no likelihood of true Innovation so Innovation is happening all around the world the internet. Stewart in part because of its architecture but it requires I would say a business out of tube of willingness to take risks that’s why he is so because the Venture Capital guys are willing to take risks and they know that some painting percent of their Investments make failed so that’s part of the story you have to let people try stuff out and the higher they shoot the better they may not get to that Target but you know who wants to 10% increase when you can probably get 50-60 10x the great platform of the internet to build on and has kind of that creative tool that that allows you to think out where do you see things going but with one thing we can see his new platforms keep coming along let’s take mobiles and example develop the handheld Mobile in 1973 until 1983 ironically that’s exactly the decade when Bob, and I started the internet and I got turned on in January of 83 but those two technologies didn’t quite join each other until 2007 when Steve Jobs came along with the iPhone and caught everybody’s attention to things happen they are both of these Technologies instead of having to be in a fix location you could be anywhere and the second thing is that the mobile had access to all the computing power and content to the Internet so these two things are mutually reinforcing Wells worked this in it in a way similar to the way the Internet Protocol layer does this API in this application programming interface in the mobile means if you’re writing an application you don’t actually have to know how the heart works all you have to know is if you meet this interface then your application should work it sends and receives data from the house up to the Internet so this platform like in this layer in the protocols induces a great deal of creativity World Wide Web being a perfect example of that the internet is this platform World Wide Web is some more layers of protocol for HDTV HDMI also on people have been building all kinds of applications on top of that infrastructure and so you can see this repeat over and over again of invention where new platforms come on inviting people to try out new applications security check so it’s not just security when you think about the devices that were using it when we hear this phrase internet-of-things appliances at the house in the office in the car or the week Arie on our persons are even in our person so let’s imagine all these appliances everywhere. Where we want them to be a reliable be safe 3 secure for interoperability yes I’m resilient all of those things so this really talking about software reliability and resilience and safety and everything else is what animates all of these devices is software the hardware is there a soft word but it’s the animation part that’s important and that’s the thing which is the most troubling because in the 70 years or so where we have been programming we haven’t figured out how to write software that doesn’t have bugs we don’t even have environment through software creation we make mistakes so that’s the most serious concern I have Securities part of that because bugs get exploited and Nova System gets penetrated and some bad thing happens that’s insecure but there’s more to it than just security it’s the only other reliability some things that we should worry about so we should be really concerned about this because our world is going to be filled with software running all the time how do we Ford to continue to play whack-a-mole with vulnerability so how do we create an environment where we do have quality in software that that that’s a requirement in expectation happened in finding ways to fix in a third one is trying to deal with the fact that software even when it works correctly it may not work all the time now there is situations where the software didn’t know what to encounter is a state that it wasn’t expecting you could call that a bug but the idea here is that we need resilience in these systems we need backup we need the ability of the system to operate even when things are broken you almost want something kind of sitting on your shoulder watching while you’re writing the code saying excuse me you just created a buffer overflow there or you might want to be able to say it truly environment that’s supporting her software where can you find any places where I’ve used a very already been accepted otherwise I’m getting random value and branching off into cyberspace somewhere give advice Fitness field I would want kids to understand as early as possible is that when they’re trying to design software they have to cover all the cases that they can possibly think of that might need that that’s offering might be confronted by what that means is deliberate attack which by the way we didn’t pay a lot of attention to in the original internet design we’re all a bunch of Engineers and we expected to get there are bad guys out there that want to interfere with the system they wanted to harm you or for somebody else do we have to think I went through all of that so these kids down to know how to write software which means I have to learn how to break down problems in and solve neon smaller pieces and then put the pieces back together in an architecture that works but we also have to expect them to deliberately ask themselves How would attack the system how would I destroy its Integrity how would I interfere with this operation and some people don’t agree with me but I think kids should learn how to write malware write it not just to study it but actually how to write a nation experience what the bad guy does in order to interfere with secure operation at or safe operation and until you have thought your way through how you would attack the system you don’t really understand how you’re going to defend it and so some people say while you’re creating a bunch of hackers in my reaction to that is no one creating a bunch of people who know how hackers work and so that’s part of the story I think if we want software in the future to be more reliable than it is today in the networking space for a. Of time we actually used Hardware as part of the security infrastructure and then we started got distracted into the software space and focused mostly on software and its resilience the thing is that we can use Hardware to reinforce software security and I like this a lot I like the idea of the boot phase checking the checks own or are you know the digital signature to make sure that the software you’re about to boot up is in fact Allied or at least somebody thinks exactly so there’s a there’s a partnership that we should be explaining which I think we have not exploited much and that is an area with working at attention so now it’s cool to try to answer your other classes coming in this face I think they were friends that we can identify and they’re pretty obvious one of them is increasing amounts of Radio based communication devices that are scattered around an aardvark blues radio rather than wires up for many of their applications the second one is speed we’re seeing increasing amounts of Gatorade whether it’s optical fiber or higher frequencies and things that everything in the radio space is an increased attention to cohabitation in common bands at this is a good thing because it allows us to make better use of the radio resources but it also puts challenges in front of us because there’s potential for interference so we have to be smart about how we modulate the signal or maybe even dynamically do that so those Trends are very clear the other one which is pretty obvious is the population of sensors and controls systems that will be part of our daily lives whether it’s in the very virtual environment where you have intelligent assistance that respond to voice commands help put this on the calendar make a reservation than to go to San Francisco and having the system actually behave properly all the way down to the things that are security systems in the house and I’ll do the same thing whether the windows are open or closed the story of controlling the environment all of those things are going to be part of our world and we need people who live in that world to appreciate first that we don’t know how to guarantee everything so you should anticipate things might not work and second we have to help people understand how to make it work better than giving this the potential complexity of interaction among these devices they never met each other until you pulled him into your house another thing which I worry about in this physical space is scaling and imagine just to make this feeling sort of attitude you know it engineering degree to do that during school and then you move and you move into a house that has another hundred devices in it then you bring your other gadgets with you and suddenly you’re confronted with getting all that stuff to configure it properly you don’t want to spend the entire week typing IPv6 addresses into some control program you don’t want the fifteen-year-old next door to notice you’re in configuration mode and grab control over your entertainment system you don’t want to accidentally grabbed control over your neighbors systems as well this is this configuration and management thing is really top and finally think about devices are going to be installed 4 years maybe water heaters and other major appliances you don’t swap those out at the same rate we swap out Mobile’s what that means is that if the software is animating then has a bug and it needs to be fixed how do we make sure that a we know about that being we get the right update into that piece of equipment how does he put them know that it’s a valid update not a bad guy trying to say so all that stuff adds up to this is hard and that’s why we need folks like you and your team to make sure that we got it did not exactly right at least more right.

NIST Framework For Improving Critical Infrastructure

Today we’re going to be talking about nist framework for improving critical infrastructure cybersecurity which just had its 5th anniversary in February we’re going to look back at the previous five years and how the framework has evolved since its launch or else going to talk about what’s in store was coming next our panelists are going to share their experience experiences how they’ve supported the communities use of the cybersecurity framework and discuss the updated framework roadmap that was posted just yesterday we’re also going to be accepting questions from two different ways one way is through Twitter using the hash tag cyber framework during the webcast and also we’re going to be using these slide app to receive questions and there’s information on how to do that on the event page you likely just clicked on a note that the traditional 5th anniversary gift is wood so we can accept donations here in this but please think about that as your framing your questions and with that I’m going to turn it over to Kevin can you give us the history in the development of the cybersecurity framework what really were the roots of this effort you’re happy to thanks Adam and thanks everybody for joining us today so yeah we started this journey just a little bit over 6 years ago when we as a community came together prompted by an executive order year 13636 to do a few things one was to develop a voluntary approach based on existing standards guides and practices for organizations to better identify access managed and communicate cyber security risks in the context of their missions in their business objectives and end came together we did through a series of public workshops and in a variety of other engagements. It’s really helped to develop the framework an issue version 1.0 in February of 2014 at the same time in February 2014 we issued a companion road map that identified high priority areas for development alignment in collaboration and as those road map areas matured I would consider them for time or Fuller treatment if you will into future revisions of the cybersecurity framework so since that time we’ve continued the extensive collaborations learning and improving all along the way learning from your experiences as users and implementers if you will of the cybersecurity framework in from our own experiences and engagements as well we’ve done that through annual workshops periodic request for information more formal a comment request and other industry-sponsored and hosted meetings and events and certainly we’ve learned that say perhaps most through your implementation experiences you know how have you used the framework in ways that are meaningful to your organization that align with your Mission in your business objectives what are the value propositions of the framework and how those help you to achieve results that have been beneficial to your organization your sector and increasingly the nation and those experiences are very helpful in informing our decisions in terms of he know what are the next steps of resources valuable resources that would provide even greater value to raising awareness of the framework and really encouraging it to you soon in new and different ways all of those experiences and inputs that we received throughout the process from you and based on your experience has really helped us to make a decision just a couple years ago to initiate a process to update the framework so going from version.

Framework and the Broader Cybersecurity

1. Oh, initiating a process going to take inventory of how the framework and the broader cybersecurity space have all evolved, and an indication was that it was time to revisit and update the framework going to do a refresh of that so much like everything we do it in this Tuesday a very open and transparent inclusive process very clever to process Wii released version 1.1 of the cybersecurity framework I just a little bit over a year ago today in April 2018. I’m so happy that it’s a birthday for us. We got you accepted, so what if we give it a bit of flavor on some of the significant updates included in version 1.1? Again, I informed those that the evolution of the framework or after the first several years of its existence based on your experiences and as the Of the Sharpshooter framework was intended to refine to clarify and enhance version 1. O Incorporated a lot of the comments received on draft versions of version 1.1 that were all very informative. It was intended to be implemented by first-time and current framework users so that it could be helpful, not just for folks already familiar with and using one. Oh that’s undoubtedly those newcomers to the community that could pick up 1.1 and begin to implement it was something that we felt very strong and we heard very loudly from the community make sure this is compatible with version 1.2 so that was always a very explicit objective in a critical design criteria for us so there are a few things that that were maybe some of the more significant comments so that we received in ways that we address those within version 1.1 clarified use of the term terms like compliant compliance if you sounds like that can be confusing and can mean many different things to many other individuals and organizations and certainly in a different context to in terms of a framework stakeholders so we had to Clarity around that that concept of compliance really that the framework has utility as a structure and as a language for helping organizations to organize and express compliance within their own cyber security requirements we did a new section on self-assessment certainly measurement has always been a topic coming from no standing from the original executive order 13636 n throughout all of our workshops and engagements that the notion of measurement of cybersecurity is it something that came up quite frequently in the context of the framework we really focus that and got a lot of feedback from the community on self-assessment using the framework and again self assessing in the context of your own organization helping you to understand this as your cybersecurity risk in aligning news to your Mission and business objective so self-assessment critically important we expanded explanations of the framework in areas such as identity and access management in supply chain risk management.

Enterprise risk management

I’m really the broader Enterprise risk management Arena as well and certainly other refinements if you will and in and tweaks to update and reflect and evolution of informative references in the framework core that fit the category and subcategory levels can one of the other things that we we’ve had over the last several years that we’ve really focused on trying to have that we’ve been very pleased with a diverse use of the cybersecurity framework from the community and then we start to build an amplifier awareness of the body of resources better industry developed or organization developed that can help organizations use the cybersecurity framework and more meaningful ways and one such a resource that we have me try to highlight because it we find a lot of excitement in it is this Visa success stories that we post where we provide at working with individual organizations or sectors features of an organization or sectors use of the framework the different approaches and the benefits to their use what are the results of the achieved lessons learned another next steps and new opportunities that they see based on their use of the framework we certainly encourage folks to check out the success stories and other resources that bail bond the framework website and consider sharing a success story of your own we’re happy to engage with you on that the final piece to segue into the next part of our conversation is that as a dimension yesterday we issued the companion roadmap version 1.12 framework version 1.1 and if you recall from kind of our discussions at workshops really version one that it was a roadmap several years ago the roadmap is intended to identify key areas of development alignment in collaboration that as they evolve will I be considered for greater inclusion and in help to improve future versions of the cybersecurity framework they can we just released update final version 1.1 of the cyber security framework Road thanks Kevin and I hope those out there thinking of questions for a panelist but I have a few and store here so now we just heard from Kevin about the background of the overall cybersecurity effort we heard about the changes in the last year to 1.1 and heard a little bit about the roadmap can you can you talk a bit more about the roadmap that was released yesterday I was his efforts were to branching out and one of the things we’re doing to support use of the cybersecurity framework sure so good afternoon everybody thank you for joining us on our webinar Mister all throughout this framework has been defined in a couple of different places starting in the initial executive order than carrying on through some more policy and legal developments as it’s gone on and as our role has continued and working with industry in development of the framework we have worked with you collaboratively on identifying to areas that Kevin mentioned Gap areas and roadmap areas things for which we think are important enough that they should somehow be included or referenced somewhere in the framework either in the court sell for in a informative reference depending on the specific item but perhaps the area is not yet developed enough to have a reference which is understood actionable specific or acceptable so that it could be included and be something that could be considered useful immediately to our communities so as we work together both receiving your feedback and your implementations hearing you’re not just success stories that Kevin talked about but also some of the challenge areas looking at some of the profile implementations for your different sectors your different business Mission areas your different contexts and then hosting and meeting together at workshops and conferences we’ve gathered and identified some of these areas together Kevin mentioned that the one. One roadmap was published was that today Kevin yesterday that was published publicly on the website yesterday so I’m sure you’ve all had time to read it in depth but take a look at it give us your feedback to ensure that we’ve got those areas correct that these are areas that are important to you and priority for your mission space that needs to get flushed out and that these are the areas of concern that we have heard correctly in the government side is part of these policy changes initially the cybersecurity framework was intended and designed for use by the US critical infrastructure and there’s been a focus initially and we heard this and some of our first Workshop six years ago was the haug this could be applied into some of the operational technology spaces that those critical infrastructures operate one of the things we’ve learned over time is in the utility of the framework is that is useful not just for OT or Industrial Systems but also for it and information systems as well and so what we’re doing and across the government is expanding its use from critical infrastructure from operational technology from industrial control technology into information and information systems and one of the things of utility that we’ve learned from our customers is the effectiveness of the framework and communicating especially in communicating to leadership to the business side of operations and of what we trust me I’ve called the c-suite of folks and so as we look internally to our government risk management implementations one of those potential tier levels on how we Implement our risk management process inside in our guides that we want to look at how we take how we express our risk to our c-suite in the government and put that in context of the framework as well so we were using one of the best lesson learned and most utility areas of the framework and expressing risk what are the things that I’m going to highlight a couple areas than in the also the road map that were concerned with looking at some research standards are in the specific Workshop areas in order to flush some of these out we’re always interested in confidence mechanisms Kevin talked about self assessments these are generally internal to your organization understanding what your current profile is but there’s also sometimes need to express to your suppliers or to your vendors in a more stringent matter than a self-assessment exactly what you are doing so how can we leverage some of these other assessment and conformance mechanisms either ISO 27001 quality management qms implementations that come with a 2nd or 3rd party tested for conformance either at the program and organization level we’re even some down to the specific implementation and development how can align and leverage those within the framework to gain better confidence and what we’re doing and how we express that to our partners we’re always interested in supply chain risk management from the technical aspects of it in order to control both product development and product delivery as well as how you manage your overall supply chain ecosystem it’s a big topic we often talked past each other when we talk about supply chain risk so some of this has to do with just normalizing on what we mean when we say specific things about supply chain and supply chain risk we’re very interested in and more I research development and standards and identity is a great joke right now that says we’re at the point we are we are verifying to robots that we are not a robot before we’re allowed to access surround systems this is the current state board and right now as more devices and The Internet of Things comes online and more connectivity becomes the norm we are going to need better and more stringent mechanisms not just for identity of people but identity of things as our ecosystems grow in this is a right place for research and development that were looking for better implementation to help our customers as well and then reference techniques we’re getting more standardized on how we accept some of your Imports so that we can ensure that they are proper correct and that you of help to similar customer so you submit to us a profile today cabin published a document on this is how you do it this is how you submit a profile to us this is how you nominate a reference for a for inclusion in the court to us so that there is a clear transparent traceable and understood method to do this but also to ensure that were capturing the ones that you’re using the ones that you’re using and that are effective and then coming back to some of the original asp we will really also want to hear about your operational technology and your industrial control technology methods in those informative references as well so that were covering the entire gamut of critical infrastructure and it so I think those are kind of my highlights okay great and definitely a lot to pull from for future discussions Amy do you want to take a minute and just discuss the international use of the framework I mean that’s something that came up in the early days of the cybersecurity framework development as other countries and international business really pined for something that would transcend borders so I’m your you work closely with our office International academic Affairs on these topics can you give us sort of an overview on sort of what we’re seeing in the International Space two things were doing in the things that are also just happening out there overseas and how that contributes to better and further use of the cybersecurity framework yes thank you Adam good afternoon everyone thanks again for taking the time to join us a little bit over a international aspects which is what I’ve been primarily helping and supporting with the cybersecurity framework talk a little bit about light International alignment and impacts are still an important part of the roadmap you decide to continue our focus on International since the framework itself is not a US Centric document and doesn’t fact reference Global standards and lot of the cyber security risks that the framework outcomes see to address our challenges that people face all over the world and while there are a lot of different approaches out there it can be a little bit challenging when there are several different and unique approaches out there so a lot of our Focus has been on engaging with the International Community especially since a lot of critical infrastructure is connected and again we’re facing a lot of the same challenges and seeking to try to have more alignment where possible and continue dating the cybersecurity framework to ensure that the line with current and future planned.

International standards

International standards we’ve been engaging with the International Community since the framer came out the cybersecurity & Hansen Act of 2014 gives us a mandate to continue conversations with International organizations and governments and we found a law that dialogue to be very helpful since specially since we were in Leesburg and one point one last year during some feedback and perspectives from those who views the framework abroad how they’ve been cemented it has been very useful for us as we see to create our own updates there as well and we definitely value having the chance to have those discussions when the framework first came out we did see some International using up take one example is Italy Lambert’s a lot of fat content of version one of the framework in their National cybersecurity strategy we also thought Israel take the framework translated into Hebrew and incorporate into their cyber-defense methodology which is also really good example of how the framework is so adapt one customizable that and that example we seen how is real as able to tailor some the language to be a little bit more sex also seen some uses of the framework in Uruguay who’s now actually on their fourth version of their cybersecurity framework and we’re also aware that Bermuda has a used it within their government and heavily encourages it for you Sam under industry as well and even seen an example in Canada for the Ontario energy for two uses of cybersecurity framework at the basis for self assessment in reporting requirements there electric organization another Stone Partners since the beginning has been Japan who translated the framework into Japanese and continues to collaborate with us and also wanted to take note as Kevin mention the success stories earlier we’re very happy to receive a success story from the Japanese cross-sector for him last fall they talked a little bit about how they were able to use the cybersecurity framework within their organization that consisted of a lot of businesses with operations inside and outside of Japan and the framework really help provide them a shared language for discussing cyber security issues and a way to come to a shared definition of what cyber security missions look like and the kind of skills that a cybersecurity Workforce would need in addition to these adaptations we’ve also had several direct translations of the cybersecurity framework in addition to the ones that I’ve named we also last fall released a Spanish translation of the framework which is telephone number to try to make it more accessible and easier to implement an Arabic translation has also been produced that we are linked to on our website and last fall we had some good engagement with Brazil that was organized by Iran Administration and we were joined by the US Chamber of Commerce who then kindly translated the framework into Portuguese and we just recently linked to that on our side as well it’s been very exciting to see these various adaptations and translations and definitely as we move forward we want to continue having these bilateral and multilateral discussions with International organizations and governments on their used to the framework and we also want to continue encouraging our own industry and their International engagement send course we also want to continue engaging in the standards development effort as well which is the last area that I wanted to highlight they said we are trying to ensure that the cybersecurity framework Alliance International standards and their kin efforts with an ISO and I see to map the different aspects of the cybersecurity framework to existing standards and the culmination of that wasn’t ISO IEC technical report 27103 which leverages a lot of content of the first version of the framework you’ll see the five functions and their some of the language the language from the categories and some of the ISO standards that are referenced in our informative references and several more there’s also current efforts underway to work in the open and transparent collaborative environment of Standards organizations working with our partners to the Delta Technical specification 27101 which also leverages language of the cybersecurity framework as part of guidance for developing cybersecurity framework so it’s our hope that through these efforts we can continue a caging within International Community and try to identify more these adaptations in these translations in continuing line the framework two International standards and of course we always welcome any feedback you might have on that we’re happy to have any type of discussions and see where the framework is being implemented around the world thank you thanks I mean that was a very thorough review and I hopefully if folks have questions about some the international aspects of this work please don’t hesitate to share them through Twitter or to the slider app we have a couple of questions already let’s start tackling them we have a question that asks what is the value of utilizing assessment tools like those resident on Federer amp to control access of artifacts associated with CSF assessment that you talked a little bit about confidence assessments mechanisms a means of achieving confidence do you want to talk a little bit about how you how you view that and I think with fedramp and we were talking about utilizing Cloud so if you want to dress that a little bit too I think that’d be helpful thanks sure so thanks for the questionAnonymousnymou,s anI are’m doing my best to answer it to make sure I understand correctly, so what’s the value are you lysing assessment tools like that resident on the Federal app to control access to artifacts associated with a CSF .

as?ssment so first part of the confidence mechanisms roadmap area if when you get a chance to look at it we talked about a couple of different more higher-level assessments that we see starting to emerge from the British standards Institute PSI which is based on the Cyber framework isaca the information system audit Control Association also building some framework focused assessment programs and then nests baldrige performance Excellence program that is provided a self-assessment tool the bottom line is that we use tools and most important reuse assessment results to the greatest extent possible one of those things is if the assessment results are mapped back up into the framework then you can reuse the results of that and how it’s expressing risk back into many other compliance requirements so that’s one of the great utilities of the framework if the question is about the value of the tool in a cloud environment to actually protect an asset such as a CSF assessment result or assessment artifact that’s a different question and then come back to almost the identify step and is that artifact important and if so how and what day does it contain and therefore take a look at in that cloud environment even a fedramp cloud environment is it appropriate to have it there or not so it’s almost two different answers nice thing about fedramp is it has a second or third party assessment of the controls expressed in 853 again math into the framework so that you can have a common understanding of the security being provided by that cloud security provider to you and then you can take a look at what on your side of the cloud what your responsibilities are and ensure that the two are kind of matching up for what your risk tolerance is our so it’s almost a 2 prong okay thanks Matt Kevin taking another question from slido will the CSF be updated again when nist 800-53 rev 5 is finalized, I guess I would take moderators prerogative and expand that question a little bit I’m I know today we were released to the cybersecurity framework online informative references document mr. 8204 which I think is really about informative references and how do we keep that as a living document so can you answer that specific question around red 5 and also just talked generally about the approaching the straight e204 and how it’s going to drive activities moving forward yeah happy to connection maybe I’ll start with the more General because that will lead into the specific answer again the notion of as folks that are familiar with the framework know to help organizations achieve the outcomes that are expressed in the categories and subcategories we have provided mappings in the framework Core 2 informative references existing standards and practices that that are intended to provide more detail to help guide organizations on their implementation journey to achieve those outcomes some of those are ISO standards ISO IEC standards cobit Miss and resources such as 800-53 rev 4 I do not Envision updating the cybersecurity framework to incorporate under 800-53 rev 5 when that goes final the process that will be using is to leverage the online informative reference approach where is we can using a very consistent repeatable methodology instantiate that mapping between rev-5 and the function categories and subcategories in the cybersecurity framework version 1.18 that mapping outside of the framework version 1.1 proper there’s a lot of benefits to that I think one of those is to overtime really help the Sharpshooter framework the basic framework or to be a little bit more stable and allow the informant of references that frequently change and an update certainly more frequently to kind of live outside the framework as additional resources that that agency agency is another organizations can point to in leverage I think the value of the informant of references approach online informative references at it is that standardized repeatable a kind of consistent methodology that cannot only going to Simply Express relationships between controls and other kind of reference documents to the categories and subcategories but really pretty providing this in a format that could also be machine-readable and ingestible indigestible if you will by manufacturers of tools that are providing different types of services to help organizations with their cybersecurity needs Thanksgiving been since I was listening to your response I think we can address this issue a question which is I will future versions of the CSF have mappings for gdpr I would take your answer to be no that is correct we don’t Envision we don’t plan to map gdpr to the cybersecurity framework but that does bring up another opportunity here like I would drop sharply framework we have initiated a process to develop a privacy framework and we envision the Privacy framework to be a voluntary framework I really an Enterprise risk management tool to help organizations understand manage and communicate privacy risks in the context of their missions and business objectives we initiated this process just a little bit over six months ago in October with a kickoff Workshop that end in Austin Texas and I we’ve had a request for information and got some outstanding feedback from the community had significant numbers of in meetings and engagements with folks throughout the last several months and will be convening the community again just in a couple short weeks three short weeks at Georgia Tech on May 13th and 14th to further refine and develop some of the draft materials related that will contribute to the ultimate privacy framework one. I don’t think we’ll be mapping GDPR into the Privacy framework. I think the Privacy outcomes that organizations May seek to achieve again align with their misery Mission. Business objectives can certainly be informative to achieving the relevant and appropriate requirements to be captured in GDPR or other compliance regimes that exist domestically and internationally. Thanks, Kevin and. Iw. In addition to the workshop in May, I was likely to have a series of additional events and other wand workshops, and interested webinar viewers should go to our website at this. Gov/privacy framework to review the material and look for future events. We have another question from a colleague from the south of France: how does one measure the ROI of playing the cybersecurity framework? Matthew wants to take that one another; it has come up a lot. I’ve tried it for the last five years and sought help from my panelist, so it’s a great question. Love from the south of France well hello from the central Maryland I guess so if you look into the document of the framework at that there’s a couple of different processes that that step folks through in the creation Ava security program one of the first two steps is to First create what we call them as is profile take a snapshot of what you are but you’re currently doing what’s your current state is in the context of cyber security this is part of the eye of the identify step the other areas and identify look at what are your assets what’s critically important to your business Mission functions and when you look at these two things your current as his profile what you’re actually doing in cybersecurity and what your critical business Mission functions then you get a good idea of what type of coverage you are providing to those critical business assets that’s where you start the ROI discussion are the important things in my business covered or are they not and so is as much an Roi discussion as it is a what do I put my next dollar to discussion this ensures and helps organizations and both focus and prioritization and there are limited both cybersecurity dollars as well as a expertise personal and time so you create that as his profile you ensure you understand what the critical things are to your business and then you take a look at that Gap space and then you start to prioritize now that prioritization could be different ways to do with the ROI you could transfer that risk through Insurance you could Outsource that wrist to suppliers or you can invest yourself in that risk to including those lifetime cost I’m trying to cover yourself but that Roi then gets looked at in the Gap space of your as is against the value of that asset and if you’re not covering that asset properly that’s when you have to make that Roi decision and am I investing and ensuring the continuation of my business properly throw it over to Mike Alex yeah I think it’s not mention the profile is probably the primary tool that organizations would use I’m really to customize at your organization’s need based on Horton and how that a line to a tear your business objectives in the framework is all about risk management helping organizations to manage risk I think another component of the framework that plays a role here is the implementation tears again implementation tears think of those as kind of a progressive set of characteristics that describe really how an organization approaches risk management not just from a cybersecurity perspective and also cyber security in the context of the larger Enterprise risk management discussion cybersecurity being interviewed and balance if he will alongside other types of wrist that your organization’s are managing Financial safety reputational etcetera when you think about the structure and kind of the principals are properties behind the tears there’s really this notion of kind of that a cost-benefit analysis that goes into determining what’s the most appropriate to your for your organization or for a specific business unit if you will within your organization as well a few things about the tears you know that while there are more tears come with increasing a degree of capability from Tier 1 out of partial risk management level two tier 4 at a much more adaptive level it’s not a race to the top not every organization or not every business unit if you will within an organization has to be at a tier 4 level or two may be appropriate for you and with an understanding that there are also risk consideration to her or resource considerations rather about going from a to Are you considering the characteristics of the properties of the tears to help determine what’s the right place what’s the right level are The Sweet Spot for my organization given my wrist Ok

Talk a little bit about noon I think we heard from Matt that definitely organizations outside of critical infrastructure using the cybersecurity framework already and you mentioned the bed about some of the success stories so if there are people that are watching this webcast now and they have a good success story to share they just want to talk with her peers about the cybersecurity framework how would you recommend that organizations that are using the framework share their experiences with nest thanks Adam Noah covered a couple of the tools are things that are available on our website of highlighted some of the success stories which you can find a link on there if you’re interested via template that’s there if there’s an experienced it want to share the composite PayPal with the framework of course have our cyber framer getting this talk of our email address which is probably the best way to directly reach out if you have a question I want to share something because that’s heavily monitored and going to be able to respond to you and put you in touch about the next steps about starting a conversation with other mechanisms are things this on the website things that are like this webcaster things you can participate in and read some of these questions and course we’re always happy to respond if any individuals or organizations out there want to talk and share their stories and we can try to identify appropriate places that we can’t I like that thank you I would make one edition to the question you know that the framework was actually in the context of National Security in critical infrastructure is also in the context of Economic Security in critical infrastructure in this being part of the Department of Commerce that that Economic Security angle or prioritization it is critically important so we’ve all talked a little bit of the wealth of information and resources that are out on our cybersecurity framework website we talked about success story for talked a lot about the international the translations and adaptations that there is a very comprehensive set up and growing by the way set of resources that have been produced by you by industry and government agencies as well not just at the federal level better but at state and local levels even internationally also got a really Community developed sector resources organization specific resources that are intended to help amplify awareness then provide maybe a starting point for your use of the as well so that organizations of any and all sizes across any and all sectors in the economy and domestically internationally can take advantage of the framework and use it in ways that are going to be providing the most the most meaningful value to your organization a dimension small businesses and that that’s if since day one of our at when we started this journey. To develop the framework it we weren’t just focusing on kind of the large multinational to the large critical infrastructure owners and operators are domestically but certainly that the midsize and small and small and medium businesses that that play such a critical role either as owner operators or as a parts of the supply chains of those owner-operators as well it certainly we’ve seen over the last several years that the framework has an increased usage or adoption of the framework has extended well beyond the critical infrastructure and organizations in all different sectors in and of all shapes and sizes just a few months ago we launched at Nesta what we refer to as our small business cybersecurity corner and it’s available on are on this site will make sure to have some links out there available for you to access if you’re not familiar with it already and this site is really intended to be kind of a  curation point or a repository of of relevant resources many of which are aligned to the cybersecurity framework that can be most useful to small businesses in any and all sectors there is a growing repository of these resources something developed by Nestor other government agencies we are going to receiving additional resources I candidate resources now that are applicable to small businesses and digestible by small businesses from nonprofits and even in some cases for profits and as we continue to receive those will amplify awareness of those by reflecting the knot on their site as well so we encourage you if you’re in search of resources like that please visit our site if you have resources and I bet you’d like to submit for consideration and posting please do that as well we’re here to receive thanks an end to that end we have a comment about the University of Chicago that’s listening and sharing that they’ve had great success and I think that is an example of the success stories that we we have up on our website so if you’re curious about how I University environment could use the cybersecurity framework it’s up there we have another question up which is cyber security is people process into schools and in that order is it unfair that nist CSF is strong on processing tools not as strong on people Kevin do you want to take that and you can’t just say yes it is unfair yes I will absolutely take that question thank you and the answer is sure so yes I’m sure these people process and Technology we’ve spent a lot of time under the processing technology side I think people are reflected in the cybersecurity framework they’re not necessarily as we as explicitly as they should be in the context of him some of the the categories and subcategories have people can be considered an asset to the organization and that’s really a risk management decision for organizations on how to best kind of incorporating make sure you have the right Workforce but but I think the point is that there’s more that we can do to kind of draw going to stop at the greater relationship in Fulton were the people side of things or as some of our colleagues here in this the end of the who we talked about the the what and the how of us are best rated perspective but really there’s a Hooter mention of who’s going to help you accomplish the weather in the house we’re fortunate in this to to be the lead for the national initiative. City education at nice as many of you may be familiar with and and part of our approach to nice really that the purpose of the knife program is to really help promote a robust cybersecurity Workforce the through cybersecurity education and Workforce Development approaches not just going to look in your government but certainly well beyond engaging with the with the broader at Community one of the resources that is tremendously valuable and increasing in it and attention and utilization is the nice cybersecurity Workforce framework that is a famous publication I believe it’s 800 – 181 believe that’s the case but we’ll obviously confirm that and that’s the way to kind of get an understanding of your Workforce your service pretty work for it’s what you have today and how a useful tool to help you understand what you made me eat what your future Workforce may need to look like we are actively Beijing these different framework teams under the broader nist umbrella to establish a much more clear and explicit relationship between these different types of Frameworks and by the way I mentioned earlier we were establishing a building a privacy framework and in that one will be part of this discussion as well so thank you for that question and more to come Thanksgiving isn’t mad I think you you had another way to answer that question on people processing technology went away in noticed that cybersecurity Workforce is specifically called out as an item that does need not just more emphasis but more references to for better inclusion in the framework so I would say it is fair your comment there’s also another way to look at it which is something that we haven’t necessarily addressed in the framework which is in controls of people as a Potential Threat or Threat Vector so understanding and identifying and managing The Insider threat Personnel wedding and clearance processes we certainly have identity and access control but there are other people issues not just technology issues in the protect areas that potentially you could be looking at a tab for a room more robust set should that fit either your threat model or your business Mission needs as well so that’s that’s another way to look at people issue as well it’s not just awareness education of your Workforce which is critical but it’s also the risk management of your Workforce both intentional and unintentional thanks Matt I’m going to take him back to a question was asked earlier about 853 red 5 and lift up a little bit and ask more generic question in executive order 13800 departments and agencies were directed to use the cybersecurity framework which obviously compliments the risk management framework in Thief is my sweet of Standards than this has worked on for a few decades at this point Matthew want to talk a little bit more about the work we’re doing on bringing the RMF in the CSF into alignment yeah certainly and here’s a case where we suffer from the ambiguity of the English language so we’re going to be using a lot of terms the same words but that might mean different things and this is where we sometimes get crosswise with ourselves the risk management framework is a process developed at Nest using a series of guidance in order to identify and create a initial set of 30 controls a baseline of controls for a system and then assess those controls and then monitor them to ensure that they are meeting or risk needs when we look at that in context of the framework it is one of the tear implementations in order to generate a security program if you will through the whole process of the risk management framework from 5199 categorization all the way around to 800-137 continuous monitoring it’s a tier 3 or potentially depending on how it’s implemented but two or a for implementation of a risk management program what we need to do here at Nest as we look at those individual pieces of guidance is to again take a look at how those right side of the framework those 800-53 controls are there an Express backup to RC sweet folks and for the risk management framework process inside the government in our corporate internal government corporate methods we have the authorization package which is how we express our risk to our c-suite officials ladies and gentlemen that might be it and warning warning this is for a course the Maryland area if your webcasting from not the Maryland area you’re probably fine downstairs thank you much sorry for the shortcut will make it up to you.