Learn about the alarming cyber risks faced by small businesses, the costs of data breaches, and the impact of cyber attacks on business sustainability. Dive into the realities and implications of cyber espionage, backed by real-world examples and statistics. Explore how regulations like NIST 800-171 and DFARS affect the supply chain. Discover essential controls, incident response plans, and security measures needed to protect your organization.
Supply Chain and Cyber Security January 30th, 2018 Presented by Richard Bergs
Cyber Security: Small Businesses, you are NOT SAFE Image courtesy of: https://www.quadmetrics.com/blog/posts/small-business-cybersecurity
Cyber Security: Small Businesses, you are NOT SAFE However, Symantec (best known as the maker of the Norton brand of security software) and BigCommerce, an e-commerce platform, have attempted to quantify the costs of such crime. Based on their data, the cost of a data breach to an online retailer is roughly $172 per impacted record. It is no surprise, then, that 60% of small businesses go out of business within six months of a cyber attack. Read more: https://digital.com/blog/small-business-statistics/#ixzz4wYjVxSgB
Cyber Security Reality Interestingly, when it comes to the phishing attacks that so often start a major targeted intrusion, Mandiant found that the vast majority (78%) were IT- or security-themed: the messages were spoofed to appear as if they came from the victim company's IT department or antivirus vendor. Data courtesy of: https://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/
Cyber Security Reality The world is watching. Websites, videos and posts are scoured for information every day. Something you may think is safe to show, say a military action, will be figured out if there is a picture or video of it. Stuxnet, one of the most infamous control-system viruses, was developed using details taken from Iranian national TV coverage.
Which is bigger: China's cyber warriors or the U.S. Marine Corps? "State-sponsored cyber espionage is ubiquitous, with more than 100 countries actively hacking the systems of other countries and businesses. China alone has developed an army of 180,000 cyber spies and warriors." (Goodman, 2015, p. 31) U.S. Marine Corps: authorized end strength of 185,000 active personnel at the end of FY 2018 (end strength from Heritage.org at https://www.heritage.org/military-strength/assessment-us-military-power/us-marine-corps). China could have more cyber warriors than the U.S. Marine Corps has active-duty personnel. Reference: Goodman, M. (2015). Future Crimes: Everything Is Connected, Everyone Is Vulnerable, and What We Can Do About It. Doubleday. ISBN: 978-0-53900-5.
What is all the Fuss About? Notice any similarities? A criminal complaint filed in 2014 and subsequent indictments filed in Los Angeles charged Su, a China-based businessman in the aviation and aerospace fields, for his role in a criminal conspiracy to steal military technical data, including data relating to the C-17 strategic transport aircraft and certain fighter jets produced for the U.S. military. These plans came from a small manufacturer in the supply chain. NIST 800-171 and the DFARS change were the U.S. response.
DFARS Sections of Interest • PGI 204.7303-3 specifies cyber incident and compromise reporting • PGI 204.7303-4 specifies the DoD damage assessment activities • 252.204-7008 specifies compliance with safeguarding covered defense information controls • 252.204-7012 covers safeguarding covered defense information and cyber incident reporting
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting When Contractors are faced with implementing multiple versions of the clause, Contracting Officers may work with Contractors, upon mutual agreement, to implement the latest version of the clause.
CTI Definition "Controlled Technical Information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code." (NARA, 2017)
NOT Just DoD • Automotive was the first big industry outside DoD to go public with a plan • More complex than DoD's • Not implemented yet…
NIST 800-171 • 14 Families • 110 Controls • THERE IS NO CERTIFICATION! • If a vendor offers one, RUN! • Compliance is based on self-assessment • Be honest
What DoD is looking for, generally • Gap Analysis – how are you doing against the 110 controls? • Free tools are available (CSET) • IT vendors will offer this – buyer beware • Plan of Action and Milestones (POA&M) – so, what is the plan to close the gap? • Incident Response Plan – when shtuff hits the fan, what do you do? • System Security Plan – how is each control implemented, including physical security? • Treat these documents as national secrets – together they are a how-to guide for compromising you! • There are other parts to this, but the above are key. TMAC can help with all of the above
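The gap analysis and POA&M on this slide are a repeatable procedure, so here is a small worked version of it. This is an added example, not code from the presentation or from TMAC: it holds a handful of the 110 controls (requirement text paraphrased from SP 800-171), scores each one by self-assessed status, and turns every shortfall into a POA&M entry. The statuses, evidence references, owners and milestone dates are constructed sample data; the rule that a control only counts as met when it is marked implemented AND points at evidence is this example's own choice, made in the spirit of "be honest" above.

```python
"""Self-assessment gap analysis with POA&M output for a NIST SP 800-171 subset.

Added example; not code from the presentation or TMAC. Requirement text is
paraphrased from SP 800-171; all statuses, evidence, owners and dates are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# The 14 control families of SP 800-171, keyed by the middle number of a
# 3.<family>.<control> identifier.
FAMILIES = {
    1: "Access Control", 2: "Awareness and Training", 3: "Audit and Accountability",
    4: "Configuration Management", 5: "Identification and Authentication",
    6: "Incident Response", 7: "Maintenance", 8: "Media Protection",
    9: "Personnel Security", 10: "Physical Protection", 11: "Risk Assessment",
    12: "Security Assessment", 13: "System and Communications Protection",
    14: "System and Information Integrity",
}

STATUSES = ("implemented", "partial", "not_implemented", "not_assessed")


@dataclass
class ControlAssessment:
    control_id: str         # e.g. "3.5.3"
    requirement: str        # paraphrased SP 800-171 requirement
    status: str             # one of STATUSES, as self-assessed
    evidence: str = ""      # where an assessor could verify the claim
    owner: str = ""         # who closes any gap
    milestone: str = "TBD"  # target date for closing the gap


@dataclass
class PoamEntry:
    control_id: str
    family: str
    weakness: str
    owner: str
    milestone: str


def family_of(control_id: str) -> str:
    """Map '3.12.4' to 'Security Assessment' via the family number."""
    parts = control_id.split(".")
    if len(parts) != 3 or parts[0] != "3":
        raise ValueError(f"not an SP 800-171 control id: {control_id!r}")
    return FAMILIES[int(parts[1])]


def weakness_of(a: ControlAssessment) -> str:
    """POA&M weakness text for a control, or '' if the control is met.

    Met means: status 'implemented' AND evidence recorded. An unassessed
    control is a gap, not a pass; 'we did not look' is not 'compliant'.
    """
    if a.status not in STATUSES:
        raise ValueError(f"{a.control_id}: unknown status {a.status!r}")
    if a.status == "implemented":
        return "" if a.evidence else "implemented but no evidence recorded"
    return {"partial": "partially implemented",
            "not_implemented": "not implemented",
            "not_assessed": "not assessed"}[a.status]


def gap_analysis(assessments):
    """Return (coverage, poam): coverage maps family -> (met, assessed);
    poam lists one PoamEntry per gap in control-id order."""
    coverage = defaultdict(lambda: [0, 0])
    poam = []
    for a in assessments:
        fam = family_of(a.control_id)
        coverage[fam][1] += 1
        weakness = weakness_of(a)
        if weakness:
            poam.append(PoamEntry(a.control_id, fam, weakness, a.owner, a.milestone))
        else:
            coverage[fam][0] += 1
    poam.sort(key=lambda e: tuple(int(x) for x in e.control_id.split(".")))
    return {fam: tuple(c) for fam, c in coverage.items()}, poam


# Constructed sample self-assessment (not a real organisation's data).
SAMPLE_ASSESSMENTS = [
    ControlAssessment("3.1.1", "Limit system access to authorized users, processes, devices",
                      "implemented", evidence="AD group export, Jan 2018", owner="IT"),
    ControlAssessment("3.5.3", "Multifactor authentication for privileged and network access",
                      "partial", owner="IT", milestone="2018-06-30"),
    ControlAssessment("3.6.1", "Establish an operational incident-handling capability",
                      "not_implemented", owner="Security lead", milestone="2018-04-30"),
    ControlAssessment("3.12.4", "Develop, document and periodically update system security plans",
                      "implemented", owner="Security lead"),  # claimed, no evidence
    ControlAssessment("3.14.1", "Identify, report and correct system flaws in a timely manner",
                      "not_assessed", owner="IT"),
]


if __name__ == "__main__":
    coverage, poam = gap_analysis(SAMPLE_ASSESSMENTS)
    for fam, (met, total) in sorted(coverage.items()):
        print(f"{fam:<40} {met}/{total}")
    print("POA&M:")
    for e in poam:
        print(f"  {e.control_id:<7} {e.weakness:<38} owner={e.owner} due={e.milestone}")
```

Running it on the sample data reports Access Control at 1/1 and the other four families at 0/1, and produces four POA&M entries: the partial MFA control, the missing incident-handling capability, the system security plan that is claimed but has no evidence behind it, and the flaw-remediation control nobody assessed. Extending the list to all 110 controls gives the gap analysis the slide asks for, and the POA&M rows are the plan to close it.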
NIST 800-171 ‘Lite’: the NIST Cybersecurity Framework • Identify – who / what / where • Protect – firewalls, patches • Detect – anti-malware software • Respond – think fire drill • Recover – have backups and use them • Search for NISTIR 7621 for a small-business guide
Wrap-up • NISTIR 7621 is a good place to start • Much of the framework maps into NIST 800-171 • May want to do this for home as well as work • NIST 800-171 is as painful as you make it • It really sets a destination; how you get there is up to you • DoD has started audits and will only do more • Don’t be caught unprepared • Remember, TMAC is here to help!
Richard Bergs • Richard.Bergs@TMAC.org • (214) 577-8737 • www.TMACdfw.org