Executive (dis)Orders: Cognitive and Systemic Risk in the Boardroom with SecurityScorecard

Captions
hello and welcome to today's special webinar event on executive disorders cognitive and systemic risk in the boardroom today's webinar is sponsored by security scorecard and produced by actual tech media my name is scott becker i'm from actual tech media and i'm excited to be your moderator for this special event now before we get to today's great content there are a few things you should know about this webinar first off we want this to be a very educational event for you so we encourage any and all questions in the questions box in our webinar control panel not only will we have team members responding to questions during the live event but we'll also have a dedicated q a session at the end of the presentation where we'll discuss in greater detail some of the top questions that you ask second in the handouts section of your webinar control panel you'll find that we're offering a few resources those include a link to the gorilla guide book club where you can get access to actual tech media's great printed resources on technology topics we also have a link to the atm events center where you can find more fantastic events like this one third at the end of this webinar event we'll be awarding a 300 amazon gift card to one lucky attendee on the live event so if you're watching this webinar on demand i'm sorry but the drawing has already occurred and if you are the winner you can choose to keep the card for yourself handy in this holiday season or you can also choose to donate the value of that gift card to one of our selected charities thanks to generous prize winners on previous actual tech media events thousands of dollars have been donated to charity so thank you in advance if you make that choice today the official terms and conditions of today's prize drawing can be found in your handouts section at the at the bottom there of the handout section and finally one of the best benefits of this event is the opportunity to ask a question of our expert presenter so to 
help encourage your question we have a special additional prize for you that's another amazon gift card this one for fifty dollars for the best question at the end of the event we'll look at all the questions pick out the very best one and contact that prize winner and with that let's get to today's fantastic content so it's my pleasure to introduce to you our presenter today mike wilkes he's chief information security officer at security scorecard so now i'm going to turn things over to mike hello good afternoon and welcome to my presentation on executive disorders cognitive and systemic risk in the boardroom my name is mike wilkes and i am the cso at security scorecard uh and you may notice that this headshot is a little bit out of date um i've got a little bit of gray hair since this was taken but i'm also not this guy either which is a oldify filter on the face app um but so i'm somewhere in between and uh let's see a little bit about myself so i have been doing this a long time i've been building infrastructure on the internet uh since before the world wide web was a protocol actually uh and uh i wrote a book for cisco press back in 2002 um i gave starbucks his first website back in 1998. 
i launched playstation.com for the sony ps2 back in uh and also uh put uh klm behind akamai when i lived and worked in europe uh i also launched blockbuster.com during the whole dot com rise and fall kind of the roaring 20s of my generation um after living and working in europe uh for many years building rabobank direct banks uh nuance and fall energy management systems i moved back to the us in 2013 and uh began running the chicago mercantile exchange enterprise server group with a quadrillion dollars in contracts traded back in 2014 uh but usually people are most interested in my work at marvel where i was the head of devops infosec and enterprise architecture and uh i like to joke that it was my job to keep iron man safe and lots of great stories to tell about my time there working with disney security officers from abc espn disney plus lucasfilm pixar after that i was the cso at ascap the american society of composers authors and publishers a small 1.2 billion dollar revenue or organization uh that gives money you know collects royalties for the writers of the songs that stitch together the fabric of our society so a really great member based and values driven organization there i'm an ascap member myself i play drums i'm a jazz musician and uh i was very happy to build and protect that infrastructure for example paul williams is the chairman of the board for ascap and he wrote uh the song uh the rainbow connection for the muppet movie so you can't imagine a more soft and um fuzzy you know uh clientele and then membership to protect uh about eight hundred thousand members of ascap but that takes me up to my current position at security scorecard where we're making the world a safer place and we're scanning the internet every day and giving security ratings i'll talk a little bit more about that in a moment but a little enough about me let's talk about the agenda for today i'd like to go through the definitions and dimensions of risk and also discuss um a couple 
of kinds of risks that i think aren't getting a lot of attention lately uh cognitive risk and systemic risk then i'll continue uh talking about how we solve some of these problems uh my section on this is the way a reference to the mandalorian and then conclude with a quick summary so definitions and dimensions of risk so this is your typical risk matrix people look at things as being on a one to five scale and they look at the risk as equal to probability of an event happening times the impact and for most cases you know five is bad uh although technically if you think of defcon defense condition readiness this is the uh you know reverse where defcon one is maximum alertness and defined five is normal or peacetime readiness but basically people look and analyze you know their risk across these two dimensions but before we go too far into that i want to talk about a couple other dimensions and measures of risk and before i can do that i wanted to throw out a definition of cyberspace a concept describing a widespread interconnected digital technology and so the term cyberspace first appeared in fiction in the 1980s in the work of cyberpunk author william gibson uh in his 1982 short story burning chrome and then later in his 1984 novel neuromancer in the next few years after that the world became or the word became prominently identified with online computer networks and i have a quote here gibson commented on the origin of the term in the 2000 documentary no maps for these territories and i quote all i knew about the word cyberspace when i coined it was that it seemed like an effective buzzword it seemed evocative and essentially meaningless it was suggestive of something but had no real semantic meaning even for me as i saw it emerge upon the page and so i like to break down this concept of cyberspace into three different dimensions myself instead of the typical you know physical and virtual or hardware and software i actually roll that up into just the physical 
dimension so in the case of the physical um you know you have some hard ram software why uh because uh you know software needs somewhere to run uh even virtual servers run on something physical at some point and uh i'm gonna break these down for a minute uh and just sort of explode them uh to make sure we have common definitions in use here an interesting way of describing though cyberspace is to ask the question where are you when you're on the phone shown here is a frame from a hyperbolic space tiled with dodecahedra from a 1990 film entitled not not which was from the university of minnesota talking about mathematics and not theory and so i often think of cyberspace as kind of being like hyperspace and hyperbolic space where you're flying around and if you find the video for this it's in my slides um it's quite the interesting video that talks about math and uh um lobochevskian and hyperbolic space uh but the next piece uh here physical this is basically the core technical infrastructure of all of our network hardware and software and this comprises you know things across land sea air and space and various exploits to the electromagnetic spectrum to enable the flow of information between producers consumers audiences and systems and cyberspace of course has a informational component and this is content uh or data at rest or in transit and in this case um this is generally referred to as information of course but uh in this case we're talking about machine readable content numbers text audio pictures video all of this and this is where your cyber persona actually resides digital representations of individuals or other entities that use cyberspace and have one or more identities that can be identified attributed and acted upon i know i have as a security officer i have a couple of um personas that i use for different subscriptions and access to different platforms then lastly this third piece of cyberspace's dimension is the cognitive this is the one that i think 
is not like i said paid attention to enough and i want to spend a little time talking with you about today cognitive dimension is our knowledge our values our beliefs you know concepts intentions and perceptions of individuals and groups and so these are the actors you know these actors are the creators and users of the content that moves through the physical layer and this dimension it provides the societal cultural religious and historical contexts that influence the perceptions of those producing the content and those consuming it so in this case governments criminals activists hackers we all think perceive visualize understand and decide within this dimension all right so now that i've gone through some of the dimensions i wanted to talk about uh first part second party third party and end party uh we often talk about uh third-party risk but we don't um often define what's first party or second party uh so i wanted to go four dimensions here for each of these so in first party you have self-attestation you know what your infrastructure is presumably because you have direct control over it you have complete internal awareness and trust is manifested through control because it's your infrastructure and the domain of management is enterprise risk management so in this case um this is your typical you know uh you know first-person um you know uh data center that you operate yourself for example uh or or lease out to a third party uh in this case um second party risk is your customers um people that are consuming your products you know potentially on the internet or or in real life and in this case some customer attestation is is holding sway and you the customers have firsthand but only partial awareness of your platform and of your infrastructure uh they're they're putting things into a shopping cart they're there looking at error messages potentially when things don't go well on a transaction for example trust is exhibited through familiarity and brand loyalty 
and contract contractual risk management is is how we manage risk there's terms and conditions of course on our sales products and the return of them and things like that now third party this has been pretty much the sweet spot of people understanding risk for the last year and a half with some of the um compromises that took place like solarwinds and the backdoor you know attack of cassaya and colonial pipeline being hacked people realize now that the third party risk is significant because it can have really big impacts um on the rest of the supply chain in third party we operate under external attestation so often when we do a pen test for example we go to a third party and ask them to pen test us why because we don't want to be biased about what we're testing or what we're not testing and so a third party is considered impartial we have definitely an incomplete awareness of what's running on our third-party stacks and their infrastructure and trust of course is exhibited through impartiality meaning we have um assessors and auditors that perform third party assessments for us all the time this is of course the sweet spot of what we call vendor risk management vrm or third-party risk analysis and uh of course your third parties have providers as well and that's what we call uh fourth party or nth party risk in this case um you have peer attestation uh that's going on things like crowdsource you know and yelp reviews and other types of information you know better business bureau that help us understand the reputations of these fourth parties you have very minimal awareness what that application stack is and trust is essentially exhibited through proxy you're trusting that fourth party or nth party because the third party selected them the one that you're using your content having a contract with and then lastly this is what i call ecosystem risk management where you have the entire universe of um supply chain uh not just one degree upstream provider and one 
degree downstream you know consumer a supply chain is not made up of three nodes it's made up of the entire chain and so we need to think about the health of the entire ecosystem of supply chain risk and not just one or two nodes on that link some of those dimensions that i mentioned attestation awareness and trust if colonial pipeline for example had performed a self-assessment back in 2020 you know what might have changed with that breach i would say probably nothing we need tools that can validate these assertions of compliance um colonial pipeline we said yeah we have all of the controls in place that we believe we need to have in place uh but it turns out of course they didn't because they were compromised um and it caused a really big impact uh to the entire eastern seaboard in the energy sector for several weeks um and people lost their lives because of some of the impacts and fear that was caused for uh hoarding of fuel and driving around with um a swimming pool in the back of your truck full of gas what else awareness who can afford to scan and monitor all of your vendor apis all of their websites all of their ssl certificates and all of their services um no one can and that's why it's useful to have a company like security scorecard that can scan all of the internet for you uh and sort of outsource that awareness aspect and then trust if zero trust architecture means always you know never trust always verify then for what values of always are practical uh do we simply insert three factor authentication four-factor authentication add infinitum it feels like uh inflation right some like those razer blade commercials where they have you know five blade razors now that's really not the way to get a handle on trust we need better tools for this and then lastly management of course when the um when the ever given uh that 2000 teu super tanker launched itself sideways in the suez canal in march for six days how many markets were affected uh supply chain like i 
said is not just about first degree neighbors in the upstream and downstream relationships of goods and services it needs to be about the entire ecosystem so how do we make things more resilient and fault-tolerant for the entire ecosystem well we need to think about some of the risks that we're stuck with and i wanted to focus on cognitive risk so what are the things that we're stuck with today some of the risks that we don't really try to address because they feel too deep seated or they feel insurmountable or maybe they just feel improbable and so i think perhaps the biggest risk right now is a lack of cyber risk understanding at the executive level the space shuttle challenger for example the disaster in 1986 that was a result of cognitive risk there was a culture of launch is a go and that managed to keep engineers who knew that o-rings were subject to cold temperatures overnight the previous night uh from stopping the launch and management failed not for a lack of knowledge or technique or control of the systems engineering but they failed for a belief and some engineers uh bob ebeling for example was one of the five booster rocket engineers and he tried to bring this fact up light to light prior to launch but the cognitive risk uh was was prevalent and uh they did not stop it so let's dive into some different types of cognitive risk and in this case i've got a few examples to share confirmation bias and data prevention bias in budgets too big to fail and tired old concepts so let's take a look at some of these so confirmation bias is a phenomena where analysts basically seek out and assign more weight to evidence that confirms their hypothesis and they ignore evidence that could refute it analysts of course display this when they gather or they remember information selectively or when they interpret it in a biased way and they also tend to interpret ambiguous evidence as supporting their existing position this results in statistical errors that can turn into 
flawed intelligence and of course it's not just analysts that exhibit this behavior the definition of a term and the creation of a board subcommittee or the omission of a word from a document these can also convey confirmation bias the may 12th executive order on cyber security i might point out does not contain the word resilience in its 8 000 plus words and so the locus of debate is defined by our choice of words and our selection of data sets and our understanding of risk [Music] prevention bias so this is a tendency in cyber security to focus on preventative measures at the expense of detection and response um due in part to beliefs and feelings rather than facts uh it could just be that we've all internalized the mean that an ounce of prevention is worth a pound of cure but a recent review of it and ot standards regulations and best practices by dragos.com clearly demonstrates that we have managed to codify prevention bias they calculated that 75 of controls across various frameworks are focused on prevention leaving only 25 percent for detection response and recovery now benjamin franklin coined this timeless phrase in 1736 in order to remind the citizens of philadelphia to remain vigilant about fire awareness and prevention but i don't think it was meant to keep them from knowing how to detect a fire and how to quickly put it out too big to fail in this case the cognitive risk is is related to a theory in banking that asserts that certain corporations are so large that their failure would be disastrous to the greater economic system and that they therefore need to be supported by governments when they face potential failure with bailouts uh even the mighty and super scaled amazon web services have demonstrated that they too are not too big to fail a november 2020 outage for example and you can choose from several was eventually attributed to a fleet of front-end servers all reaching their default max threads limit for linux a good number of companies 
realized just what the phrase concentration risk means when thinking about how dependent so many businesses were on the u.s east region when i went down or at least when a lot of the infrastructure in u.s east went down so shown here are randolph and mortimer duke the main antagonist characters from the 1983 film trading places which are stereotypes of course of white male boards of directors and some of the cognitive risk that might be engendered in the institutions themselves these days and then tired old concepts was one other piece i wanted to share these are terms that are normalized on the technical level but they're oppressive on a societal level such as whitelist blacklist master and slave man in the middle why are all attackers men right women can be attackers as well so these are seemingly entrenched technical terminology but it's relatively recent and they can be replaced uh with alternative metaphors that are more accurate that are clearer that are less distracting and that do not offend their readers or imply power relationships that reinforce stereotypes and and cultural limitations so shown here is a reminder uh that blue for boys and pink for girls was not always the gender norm michael wore pink and wendy wore blue when j m berry wrote peter pan uh so we should be using these other terms instead uh allow list block list primary replica and on path attack and so these are just helpful ways for us to get around some of the cognitive risks that have emerged in the technology sector next up i wanted to talk a little bit about systemic risk systemic risk is an emergent property of complex systems the systemic risk it actually emerges from no one specific component of a system but rather is an unpredictable aggregate risk factor that's fluid and evolving so how can we address the uncertainty of increasingly complex systems which we do not fully understand shown here is a satellite image from a 2003 northeastern power blackout the blackout's proximate 
cause was a software bug an alarm system at the control room of first energy in akron ohio uh it rendered the operators unaware of the need to redistribute load after some transmission lines drooped into foliage and caught fire uh what would have been a manageable local blackout cascaded into the collapse of much of the northeastern regional electricity distribution system uh let's see oh this is my favorite quote i love to mention uh heraclitus this ancient greek philosopher and historian he once said something along the lines of you can never step into the same river twice and this is not ai or machine learning hype right this is like og infosec uh and the river analogy i think works really well for infosec some folks they want to sit in an inner tube with a six pack of beer and float lazily along a whiny oxbow of the river of digital transformation others of course strap on a helmet and head straight for the class five rapids in order to get to the next stretch of their digital journey so what are we actually doing when we're engineering systems in 2001 are we actually building them or engineering and designing them or are they actually assembled without an intelligent design inspired by fashion and technology hype cycles solutions looking for problems essentially i think that security chaos engineering is a healthy and emerging process and approach to thinking about ever-increasing complexity and thoughtful experimentation and i think that's the key to finding new ways forward we need to be able to embrace failure and not fear it and so if you've heard of the chaos monkey or the simian army that netflix had this is the same thinking and is evolving from that systems engineering in 2021 is messy uh it's like spumoni ice cream you know mashed together bits of pistachio vanilla chocolate and strawberry and these systems are less engineered these days than kind of assembled quasi-organically by gluing together various components that we want to have involved in the 
platform uh shown here is a dependency chart uh the runtime graph for mozilla firefox as an example of that uh next up uh what creates this complexity uh the engender systemic risk there's four parameters numerosity non-linearity connectivity and adaptation and so let's see fulcrums fulcrum sometimes exist in complex systems which can pivot the system based on elements which occupy a critical path in some flows whether that's data power communication or influence and something that might be referred to as action at a distance uh shown here is an artist's visualization of quantum entanglement perhaps the best modern example of a complex system of interaction once described by albert einstein as spooky action at a distance all right so numerocity numerosity is many parts and elements uh and it's not just a jar of marbles right they need to be multiple types of elements with relations and connections and here i talk about having a system that is a part of an ecosystem and an ecosystem is part of a biosphere but what is the infosec equivalent of the biosphere shown here is a spiral honeycomb made by bees uh 31 species of tetra canula bees in oceania these bees are often differentiated by the pattern of hives that they create and research researchers suggest that the details of individual worker bees might be genetically encoded to create the complex structure that each species is best at in terms of non-linearity this is multi-level elementary interactions that create feedback loops and the possibility of what are called phase transitions triggered by sensitivity to initial conditions uh for example like a coral reef collapse or a market crash shown here is a picture of the fire coral on the left and a bleached fire coral on the right australia's great barrier reef has lost about half of its corals in the last few years chaos theory tells us that some elements express sensitivity to initial conditions like salt values in crypto or sources of entropy and random number 
generation and so i just point out that one plus one in some cases is not equal to two one plus one could be zero in the case of canceling inverse sound waves or one plus one can be equal to three uh in the case of synergy where the uh sum is greater than the sorry the whole is greater than the sum of the parts next up connectivity connectivity and the density of connections uh where the emerging properties have more to do with the connections than with the properties of the elements themselves so not all measures of connectivity depend on a pure density or strength of these connections there's also an important network graph concept dealing with the strength of weak connections which helps define your position in the non-nuclear space of the internet shown here is a visualization of the email inboxes that were collected as part of the enron investigation along with the links between those people [Music] and lastly adaptation adaptation and degrees of autonomy of the member elements of a complex system so it's um if only simple rules and logic gates are in operation then the system isn't going to be categorized as complex and is it true this is a question that i have yet to answer is it true that high levels of diversity in a complex system like tidal pools in the sea of cortez do they equate to resilience and good health of a complex system there are likely some complex systems that have low diversity but i'll need to find some examples shown here is an excavation of a giant anthill where they filled all of the passageways with concrete and this is a complex and adaptive system built naturally and then lastly uh on this topic i wanted to point out some sort of my big exemplar for 2021 of systemic risk ercot uh the electricity reliability council of texas uh this was a potential black start event back in february when a cold storm a winter storm snap came into town and and all of texas you know was just a few minutes away from being back into the stone ages with 
the entire electrical grid um powered down and offline this was a potential what's called a black start event something teams trained for but have never actually experienced and i don't make to make fun of texas and this systemic risk of cascading failure and this massive drop in capacity and generation and imbalancing of the system but the board did discuss the storm for only 40 seconds prior to the to the arrival in their meeting and uh this could have been you know like months long of blackout it wouldn't have just been you know rolling blackouts it would have been the entire grid in all of texas with no electricity for several months uh and i said before don't get me wrong here this this event is in all of our futures given the current state of dependencies on critical infrastructure that's barely held together with duct tape and bailing wire i've built critical infrastructure and i know that it is held together with duct tape and bailing wire um so lastly uh what do we do about all this risk and so i want to talk about some solutions this is the way uh we need to mitigate cognitive risk by working to unbias ourselves we need to address systemic risk by embracing failure and by running experiments uh general techniques to unbiased um create awareness standardize decision processes improve fact presentation increase the accountability of people and involvement and decisions for cognitive risk against confirmation bias well we need to walk up to the data and ask it questions you also need to be prepared to listen to the data and to hear what it wants to tell you combating prevention bias you know it means allocating more time and budget for detection and response tools and not just prevention or sorry yeah for detection and response tools and not just prevention tools and controls uh so identify your concentration risks by thinking about those too big to fail components on your platform and introduce supply chain resilience by having multiple vendors that can 
provide the same service and then lastly for those old tired tropes just drop them embrace new terminology in your documentation in your word choice and in your names for things let's see the next piece i wanted to share is a little bit about a diagram uh that talks about pacing layers from stuart brand's book the clock of the long now which was written in 1999 and in in it he observes that the pace is faster at the edge and slower at the center or the bottom of this diagram and it's fairly easy to replace fashion in this diagram with the word technology and then throw in some forms you know for technology like javascript python o camel functional programming things like that or perl over the last few years and so the fashion is going to always be squiggly moving lines but we really need to focus on what we're doing to improve the governance you know and that's moving at a slower pace a different cadence and these things take time of course to influence and to improve uh the other thing i wanted to mention is the executive order i translated two sections of the executive order from may 12th from the white house section 2c is roughly translated section 1 log your section two make your searchable section three monitor your and section four of that section uh share your in stack sticks and taxi format which are standard formats for threat intelligence and event sharing and then section two f of the executive order roughly translated means number one disclose when happens two close copy sissa when happens and three escalate serious as appropriate and so the executive order essentially admonishes critical infrastructure to do the basic things that we all should have been doing all along and of course now we really mean it because there's an executive order uh but don't get me wrong here as well the ot and industrial control system folks they've been asking for this kind of stuff for years and i know firsthand you know that this stuff is very fragile and critical uh and 
and can fall over and so we have to be careful uh to understand that um this executive order and this guidance on this governance level is meant to try to do the basics and to do them well uh to patch your servers to monitor them to have log files when people got hit with solar winds uh they didn't mean some of the companies didn't even have log files to determine whether they were still compromised by the russians with the back door that had been injected into it by apt 29 next resilience of course this is a term that i said was missing in a lot of the government's guidance that's coming out and i want to focus on what is resilience resilience is sometimes referred to as an object's ability to return to its normal shape after being subjected to force or extreme conditions but this particular expression of the term that actually originates in an engineering use of the word with things like tensile strength and ductile properties but it was also introduced as a word resilience in ecology and psychology where the concept is much less concerned with returning to a former state than it is with adapting and coping with extreme conditions and forces and so in this case i think there's three elements associated with resilience that we need to focus on robustness adaptability and transformation transformability uh and of course one can infer a degree of diversity as bringing with it some additional resilience as well think of the potato famine in ireland for example and so do we want to have a digital potato famine right where some malware goes crazy has a bug in it and it bricks all of our ot devices and all of our iphones and android phones because someone didn't do proper qa on on their malware uh i think such an event may be coming and then lastly a sense of time scale has to be included what is resilience within minutes might not appear to last you know for decades and vice versa and if we don't agree on the time scale for defining what is resilience then we might see 
the forest fires as catastrophes and not part of a larger cycle of life, death and rebirth. Could the internet be made more resilient by a massive depopulation event, like I was talking about with the digital equivalent of the potato famine?

And then, let's see, summary. How do we address that last quartile of risk? Because essentially that's what we're in the business of doing as security professionals. The first quartile is pretty easy to knock out. The second and third quartile, you know what it is, and you know if you spend the money you'll get it. But it's that fourth quartile, that last quartile of risk, that is such a multi-dimensional problem, and it keeps morphing and changing. Like Heraclitus's river, it's a constantly changing threat landscape and we have to be really on our toes. And so to address these, and to mitigate some of these low-probability but highly impactful events, such as remote monitoring tools installing back doors, remote monitoring tools like Kaseya that are distributing ransomware, we need to teach ourselves how to ask the right questions and to question the boardroom asks. These are likely going to be difficult conversations, and no easy answers, I'm afraid, but to not address them would likely obviate some of the potential paths to their resolution. So we need to ensure that risk is identified and discussed at the executive level, that we understand cognitive bias and systemic risk, and that we talk about these things and come up with ways to address it.

And so I'd like to finish with a couple of clever quotes. This is from Greg Wood, the SVP of technology and risk management at Walt Disney. When I was at Marvel I worked closely with my peers in Disney. In the background here you can see Steamboat Willie, who's not Mickey Mouse; Steamboat Willie is set to enter the public domain in 2024.
The difference between him and Mickey Mouse is that Mickey Mouse has white gloves and Steamboat Willie has black hands. But anyway, these are some of the things that we have to worry about in the future: ambiguity, scarcity and a lack of planning. And then lastly: talking to the board and to executives is the easy part; adding value to their thinking is what I believe is hard. And so what value can infosec add to the board's thinking about risk? Hopefully it's much more than just "make sure we don't get hacked." And so here's a QR code if you're interested in a copy of my presentation. I'm happy to take questions now, and after we've finished I'll send you a copy of it, because it's got some links and references to some of the things I talked about during the presentation. And with that, I wish you a good afternoon and look forward to answering your questions.

Okay, great stuff, Mike. I always love a good William Gibson reference, let alone a pair of them, and your translation of that recent executive order was priceless. But are you ready for some questions?

Yeah, thanks. It was a little tongue-in-cheek, but at the end of the day, making those executive orders more approachable I think is definitely a good task to set one's mind to.

Absolutely. So this was a great overview of big issues, and we have a lot of questions that have come in about some of those, but for anyone in our audience who isn't already familiar with SecurityScorecard, I just wonder if you can give us some background on what SecurityScorecard does and how it helps with some of these issues.

Sure. So like I mentioned at the beginning, SecurityScorecard is in the business of identifying risk and helping people mitigate risk. So we're a proactive solution; we're sort of what's described as a "left of boom" technology, boom being of course when the caca hits the fan. And so we scan all of IPv4 every day and we find 30 to 40 billion vulnerabilities every week
and we map those to scorecards. So we currently have about 12 million scorecards, which is a letter grade, A through F, and if you have an A that means your security posture, from our scanning at least, is good. And we calibrate that grading and that algorithm of determining who gets a D, or how many vulnerabilities we see every month, and so we're constantly tuning and refining it based on breach events and based on associated findings and vulnerabilities that are exposed. And so this is zero touch, no agent installed; you just log into the platform, which you can access for free, sign in and look at your own scorecard, and we show you all of the details that we can see about you. And there's a real good discovery function here: you find things that are lost or forgotten, rogue infrastructure that was provisioned with a credit card by a marketing person on Amazon that you didn't even know was a part of your attack surface. We also operate a top-five sinkhole gathering signals intelligence from malware, and so we get about 700 million of those events coming in per day. And so if we see active indicators of compromise coming from your network, from your network IP address ranges, we map that in as a pretty serious finding. And so a company that has a D or an F is going to be 7.7 times more likely to be breached than a company that maintains an A score, and we help people figure out how to get to an A. We explain exactly how to remediate some of the findings. One of the most common ones, for example, is just the lack of HSTS headers, which is a way to pin all of your transactions to SSL or TLS and to make sure that it's always encrypted, and you'd be surprised at the number of companies that don't think that that's a necessary mitigation that they have to apply. But a man-in-the-middle attacker, or as I like to better call it these days, an on-path attacker, is very easy to
inject into an HTTP-only login flow. And so we just need to do the basics, and SecurityScorecard helps people do that.

Okay, great, thanks for that explanation. So the first question here comes from Gilbert, and he's asking: how can we overcome the quantifiability conundrum? So, for example, we place higher value on the things we can measure regardless of how much actual risk they pose. Any thoughts on that?

Yeah, no, that's definitely a bias that we need to pay attention to. The unquantifiable risk is going to be, I don't know, you might think of it as like the boogie man. In this case we're thinking oftentimes about outliers, actually, on the risk pyramid. Think of like a zero-day. A lot of times we pay more attention to a zero-day vulnerability than we do to regular, mundane vulnerabilities, and that's a shame, because unless there's exploit code, that zero-day is just a shiny thing, and yes, we do actually chase after shiny things sometimes in infosec, and that's a problem that we need to identify and try to get around. Quantifying cyber risk is itself difficult, and that's the whole reason SecurityScorecard exists: that we can make some sort of measure, an outside-in, objective and impartial understanding of what is your attack surface and what are your vulnerabilities, all the things that the bad guys can see during a reconnaissance phase before trying to attack you, and help you mitigate that risk. And so if we do pay attention to the things that are quantifiable, at least we can move on to worrying about the luxury of zero-day vulnerabilities that have no exploit code, because we've shored up the basics: we've done proper DNS, we have SPF records in our DNS to avoid business email compromise and spoofing, we've avoided putting Remote Desktop Protocol, RDP port 3389, accidentally exposed to the internet without multi-factor auth. These are
the kinds of things that lead to breaches, and we've seen them with SolarWinds or with Kaseya: we see their score declining over a period of months and then there's a breach event, and so that's just a validation, I think, of our business model to share this information with people. And of course you can learn about your third-party risk by looking at the scorecard of any of the ones that we've generated, and if that company that you want to know something about is not in our platform, it only takes about 15 minutes for us to build a provisional score. And so it's really helpful to understand your attack surface, because the bad guys go after the weakest link, and you yourself may not be the weakest link; it's going to be one of your third parties, one of your suppliers.

Okay. And on that question of the ratings, there's a question from Bradford: does SecurityScorecard provide the security portion of a risk assessment, or is it a full-blown risk assessment?

Well, I would think that a good risk assessment is going to include a view of the inside out as well, somebody that's going to ask you what are your controls for identity and access management, do you have a password vault, things like that, and we can't really discover this by just scanning IPv4 space. We can see evidence that you have a WAF, a web application firewall, and we will give positive signals for that, as well as maybe a vulnerability disclosure program if you work with HackerOne, which is one of our partners. I just did a webinar recently with Alex Rice, their CTO and founder, and it's great to have them as a partner, because we have a marketplace integration that shows whether there's a HackerOne vulnerability disclosure report for that third party, and anyone that has a VDP, a vulnerability disclosure program, is taking seriously their security risk and their posture, and maybe even having a bug bounty program. And
so the more that we are transparent about our approach, I think, the more we can trust or distrust some of the vendor selections that we make.

Okay. Michael was picking up on the TOC references that you made, to things like man-in-the-middle attacks, and you suggested some workarounds for this, but he's asking: what's the best way to counter TOC in the boardroom? TOC, yeah, I think that was your reference for terms like terms of concern, I think it was.

Yeah. Well, get yourself a copy editor and copywriter who can clean up your language and find those outdated references. GitHub has been doing it right: they've changed the defaults from master/slave to replica and primary. And so I think that would oftentimes find root, at least at the executive or C-suite level, in talking about a diversity and inclusion initiative. And so if you don't have sort of a chief diversity officer that's trying to make sure that you have the best talent, and that you don't just have a board of directors full of white males trying to preserve the profits like Randolph and Mortimer Duke in Trading Places, that's definitely governance evolution, and that takes time. So you can't just attack it head-on and say, oh yeah, we want to have 50 women on the board, and our executive diversity and inclusion report is showing that we only have 30 percent female, let alone people of color, in positions of authority and management. And so I think that's the kind of thing that has to be done bit by bit, unfortunately. You can't really smash the hierarchy and expect what remains to become automatically inclusive, diverse, and have proper equity and representation. So I would say that if you are going to have that conversation, go the angle of HR: talk about the ability to hire the
best talent. If you have nothing but plain old vanilla leadership, as opposed to chocolate or strawberry or pistachio leadership, you actually have a competition deficit if you don't have a diverse management team. So I think that's one way to tackle it.

Okay. And I should mention Gilbert wrote in that he loved the Trading Places reference, so well done on the presentation there. The next one comes from Paul. Paul's saying this presentation covered a lot of important cognitive distortions and biases; are there other concepts that should face close scrutiny due to risks and ethics, discrimination, etc.?

Oh yeah, there's plenty more that can be discussed. Think about algorithmic applications of AI. I don't really think AI exists, but machine learning, for example. When I was at Disney I definitely advocated for the creation of an ethics committee that was the intersection of legal and the engineering team, talking about: is there ethical bias, is there bias in these algorithms, can you have what's called an ethics audit or an AI bias audit? And these things will come eventually, whether self-inflicted, self-applied, or regulatory. I know New York, for example, is working on legislation to make sure that if you're doing housing and human services and someone's bringing in a machine learning algorithm to figure out where to send caseworkers because of domestic disturbances that are called in, there's a huge bias built into those algorithms. Why? Because the training data is biased. And even just applying for a credit card: I don't know if people remember the furor that went up around Goldman Sachs's credit card with Apple, that two people would apply for the same credit card, a husband and a wife, the husband would be approved, the wife would be denied, and yet they're both high-income earners, they both have advanced education, advanced degrees, secondary education, and
it's because the actuarial tables on banking go back many, many years, back to the beginning of finance, and women weren't allowed in many countries to actually have a bank account in their own name until like the 60s and 70s. And so there's just a bias in the data, and so we have to do some resets, and we have to tackle some of these other ethical issues around technology in terms of bias and self-fulfilling prophecies, saying all these kinds of people are criminals, all these kinds of people are bad security risks, don't give them a job, don't give them a line of credit or a bank account. And so I think that's part of it. NYU has something called the Alliance for Public Interest Technology that I've been involved with. I'm an adjunct professor at NYU teaching cybersecurity, and I've gotten involved in some of these alliances as well to try to figure out how do we come up with ethical algorithms and not just go with algorithms that are generating more ad revenue for Facebook and Google.

Yeah, really interesting stuff. This next question comes from Shelby: with the way IT and security has evolved over the years, where do you see the SMB and education markets over the next few years in regards to risk?

Oh, the education space is all risk and no joy. I ran the streets for NYU, and NYU's rival is Columbia, and so as long as NYU is better than Columbia we're good, but they both have like low scores. Why? Because lots of professors think that they're system administrators, and universities typically have really large digital footprints, meaning they have lots of IP space, and someone will just stand up a MySQL database and make it open to the internet. And intellectual property theft is a big risk for a lot of these universities, including NYU, and these professors just saying, oh, share and share alike, information wants to be free. A lot of them are maybe tree-hugging
hippies from California that want to, you know, have a... and that's true in some regards. I love the fact that you can have open data and you can share information and you can grow and learn and have the wisdom of the crowds, but in many cases the security postures are horrible, and they only have like three people to manage the security for the entire university, and you're talking billions of dollars of endowment at risk, and PII. And so I think that these kinds of tools, for non-profits, SMB and education, and of course medical. Medical can't even upgrade some of their appliances off of Windows XP, because the vendor doesn't support it; they haven't tested it on Windows 7 or Windows 10. And so you have all risk and no joy, as I call it. But I do like to try to help and to give. I include some SecurityScorecard lectures in my discussions about information security management, and help people understand how to quantify the risk and use the best open source tools you can find, partnerships between academia and the public sector and private sector, and just help raise the water, right? All boats rise with the rising tide if we get more people involved in infosec, and from more diverse backgrounds. That's why I teach, essentially: not because I get well paid to teach, but because I want to give back and to bring more people into the space, because I think we're about 2 million shy of a full team globally in the infosec world. And so there's plenty of room for many people to transition into this space and to learn how to use technology to make our identities and our economy and our society more resilient to the attacks that are being levied against it.

Really interesting answers on the education side. Another part of that question was SMB. Is there an SMB play for SecurityScorecard? Do small businesses benefit from using the technology?

Definitely,
because they have to pay zero dollars in order to see their risk. All they have to do is have a domain name, log in with that domain name, sign up for your instant scorecard at instant.securityscorecard.com, and you get to see everything we know about you. We want to share this information. We believe, of course, you'll eventually want to buy a subscription to have slots that are continuously monitoring those of your vendors and your core data, tier-one kind of providers, so that you have your finger on the pulse of their attack posture and surface as well. But it's free for everyone, and so if we had 500,000 customers using freemium, that would not be a bad thing. We want our people to consume this product; that's why we don't charge for your own scorecard.

Yeah, and I think you've hit on the next one. I had two more questions here from the audience about SecurityScorecard specifically. One was: if the information is free, how do they make money? I think you've just covered that, but do you want to say anything else about it, as far as the value of freemium versus some of the value you get once you start paying for that?

Yeah. Let's say that you're a company like Intel or something and you want to have a vendor portfolio of like 40,000 vendors. That's where we get a larger subscription, an annual fee, from those customers. But also some of the ISACs, the information sharing and analysis communities, IT-ISAC for example: I sit in on those meetings every week and we're a member there, and we give a "self plus five" free subscription to ISAC members to help them, because they're doing the good work as well, meaning they're doing threat intelligence sharing. And we have a really powerful threat intelligence team that we grew out of some of the folks that were leaving places like McAfee, on its way to the floor unfortunately as a security company. Now I think McAfee
was merged with FireEye, was it? And so you could call it McAfee Eye. But anyway, Mandiant and FireEye kind of split, because they had an original shotgun kind of wedding that didn't really work out so well, and so now they're going back into product versus incident response and services. And so I think that the ability to have access to this information and to get threat intelligence... the way I look at it, our ratings platform is just basically scanning all the internet and consuming all the vulnerabilities that are publicly available and presenting them back, to the best of our knowledge, as to who owns that piece of risk, that particular finding. And that's not easy to do, because the internet, like Heraclitus's river, is a fast-moving place. The risk of one IP address today could be different tomorrow, especially in the cloud service providers. There are about 70 million IP addresses that are in the cloud service provider network ranges, and we scan those 12 times a day, because those are really swiftly moving areas of water, or areas of the internet. But yeah, it's important to understand how we can tackle this problem, how we can share this information, and our threat intelligence team then says: okay, of all the risks that we've identified, we can tell you which ones are actively being targeted by an APT in your industry or against you as an individual company. And so we're moving into the area of professional services now, to say, okay, this is my risk, so what do I fix next, or what's actively being probed and prodded by the bad guys? And that's where threat intelligence comes in, and so that's a nice combination, an additional offering that we have now.

Great. Hey, and the other SecurityScorecard-specific question that came in that I was hoping to get to was: am I able to permit SecurityScorecard through my firewall for additional findings and results? Are there benefits to giving SecurityScorecard any kind of permissions,
or is it really that the tool is designed for what people can see from outside, and then you use something else for internal assessments like that?

Yeah. For the longest time we really didn't want to get the inside-out perspective, because it can be really messy. There's already people in that space, right: Qualys, Rapid7, Tenable, and we have them as marketplace integrations. But we are working on what you would call a 360-degree view, so we do want to help people understand their inside-out risk as well, because we're really good at scanning and kind of coming up with an algorithm to judge the risk of certain CVEs, common vulnerability enumerations and exposures. And so it's important for us to grow that 360 perspective carefully, because we don't want to encroach on our marketplace partners' business, but we will be having things in the near future that help round out. I like to think of it in terms of necessary and sufficient: it's absolutely necessary to have an outside-in perspective like this, and again it's so easy to deploy because there's nothing to deploy; we're scanning the internet everywhere anyway, every day, so you don't have to install an agent or an appliance or anything. But we do want to take that telemetry that is available from those existing solutions that are doing authenticated scanning on the inside of your network. At the moment there's no solution for that other than to mirror our scores into your asset management system and talk about the public assets and the vulnerabilities that we can see, and then you look at the inside assets. But I suspect within the next six months or so we'll have some new product offerings that help make that even easier and take it to a new level, augmenting what you can learn not just from a Tenable or a Qualys or a Nessus, but from these other tools like security awareness and multi-factor
authentication. If somebody failed a phishing test, Cofense or KnowBe4, if somebody failed that phishing test that month, that's an extra risk indicator, right? And that's the human element. We're dealing right now with just the assets that are on the internet, the devices, but I can definitely see the value in having a more holistic approach and getting that 360-degree view that includes inside out as well.

Well, it looks like we're running out of time, but Mike, if somebody wants to get started with SecurityScorecard or find out more, any closing thoughts there?

Sure. Just browse to securityscorecard.com, or go straight to instant.securityscorecard.com, sign up for your free scorecard, and you get to see all of the details there. And then someone will of course want to reach out to you and say, are you liking what you see, do you want to understand more? We also do security assessments and frameworks, when we help people do the due diligence questionnaires. That's a product called Atlas that we're folding into the ratings platform that allows you to do event-based assessments. So rather than sending out a questionnaire once a year to your vendors, you can have an event like a breach, and it shows up on the scorecard and it automatically sends a questionnaire to them, so that way you can scale to, like I said, 20 to 40,000 vendors for some of our customers and not have a 300-person vendor risk management team. So that's definitely the best place to get started: instant.securityscorecard.com. Or email me and I'll help you get set up: mwilkes at securityscorecard.com, or .io, sorry, we use .io for our email.

Gotcha. All right, well, Mike, thanks very much. Really appreciate you being on, and such a thought-provoking presentation and a great discussion here in the Q&A. Thanks a lot.

Well, thanks a lot, Scott. I was happy to do it.

And before we wrap up, we do have one more piece of business: it's the 300 Amazon gift card prize
drawing, and the winner of that gift card is Tom Manzi from Massachusetts. So congratulations to Tom; we'll be in touch to get you your card. And with that, on behalf of the ActualTech Media team, I want to thank Mike again for putting together this presentation, and I'd also like to thank SecurityScorecard for making this event possible. And last but not least, I'd like to thank all of you for attending and for your questions. That concludes today's event. Have a great rest of your day.
Info
Channel: ActualTech Media
Id: HAx6b3sQsIo
Length: 58min 56sec (3536 seconds)
Published: Fri Dec 10 2021