Supply Chain and Cyber Security


Presentation Transcript


  1. Supply Chain and Cyber Security. January 30th, 2018. Presented by Richard Bergs.

  2. Cyber Security: Small Businesses, you are NOT SAFE. Image courtesy of: https://www.quadmetrics.com/blog/posts/small-business-cybersecurity

  3. Cyber Security: Small Businesses, you are NOT SAFE. Symantec (most commonly known as the maker of the Norton brand of security software) and BigCommerce, an e-commerce platform, have attempted to quantify the costs of such crime. Based on their data, the cost of a data breach to an online retailer is roughly $172 per impacted record. Given figures like that, it is no surprise that 60% of small businesses are reported to close within six months of a cyber attack. Read more: https://digital.com/blog/small-business-statistics/#ixzz4wYjVxSgB

  4. Cyber Security Reality Interestingly, when it comes to the phishing attacks that so often start a major targeted incursion, Mandiant found that the vast majority (78%) were IT or security related. That is, the messages were spoofed to appear as if they came from the victim company’s IT department or AV vendor. Data courtesy of: https://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/

  5. Cyber Security Reality. The world is watching. Websites, videos and posts are being scoured for information every day. Something you may think is safe to show, say a military activity, will be pieced together by others if a picture or video of it exists. Stuxnet, one of the most infamous control system attacks, was reportedly informed in part by Iranian national TV coverage of the Natanz facility, which showed details of the centrifuge control systems.

  6. Hackerpocalypse

  7. Which is bigger: China's cyber warriors or the U.S. Marine Corps? "State-sponsored cyber espionage is ubiquitous, with more than 100 countries actively hacking the systems of other countries and businesses. China alone has developed an army of 180,000 cyber spies and warriors." (Goodman, 2015, p. 31). U.S. Marine Corps, end of FY 2018: authorized end strength of 185,000 active personnel (end strength from Heritage.org at https://www.heritage.org/military-strength/assessment-us-military-power/us-marine-corps). China could have nearly as many cyber warriors as the U.S. Marine Corps has active-duty personnel. Reference: Goodman, M. (2015). Future Crimes: Everything Is Connected, Everyone Is Vulnerable, and What We Can Do About It. Doubleday. ISBN: 978-0-53900-5.

  8. What is all the Fuss About? Notice any similarities? A criminal complaint filed in 2014 and subsequent indictments filed in Los Angeles charged Su, a China-based businessman in the aviation and aerospace fields, for his role in a criminal conspiracy to steal military technical data, including data relating to the C-17 strategic transport aircraft and certain fighter jets produced for the U.S. military. The stolen plans came from a small manufacturer in the supply chain, not from the prime contractor. NIST SP 800-171 and the DFARS changes were the U.S. response.

  9. DFARS Sections of Interest • PGI 204.7303-3 specifies cyber incident and compromise reporting • PGI 204.7303-4 specifies the DoD damage assessment activities • 252.204-7008 specifies compliance with the safeguarding covered defense information controls • 252.204-7012 covers safeguarding covered defense information and cyber incident reporting

  10. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. When Contractors are faced with implementing multiple versions of the clause, Contracting Officers may work with Contractors, upon mutual agreement, to implement the latest version of the clause.

  11. CTI Definition. "Controlled Technical Information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code." (NARA, 2017)

  12. NOT Just DoD • Automotive was the first big industry to go public with a plan • More complex than DoD • Not implemented yet…

  13. NIST 800-171 • 14 families • 110 controls • THERE IS NO CERTIFICATION! • If a vendor offers one, RUN! • Compliance is based on self-assessment • Be honest

  14. What DoD is looking for, generally • Gap analysis: how are you doing against the 110 controls? • Free tools are available (CSET) • IT vendors will offer this: buyer beware • Plan of Action and Milestones (POA&M): what is the plan to close the gap? • Incident Response Plan: when things go wrong, what do you do? • System Security Plan: how are things secured, including physically? • Treat these documents as national secrets; together they are a how-to guide for compromising you! • There are other parts to this, but the above are key. TMAC can help with all of the above.

  15. NIST 800-171 'Lite': the NIST Cybersecurity Framework • Identify: who / what / where • Protect: firewalls, patches • Detect: anti-virus / anti-malware software • Respond: think fire drill • Recover: have backups and use them • Search for NIST IR 7621 for a small-business guide

  16. Wrap-up • NIST IR 7621 is a good place to start • Much of the Cybersecurity Framework maps into NIST 800-171 • You may want to do this for home as well as work • NIST 800-171 is as painful as you make it • It sets a destination; how you get there is up to you • DoD has started audits and will only do more • Don't be caught unprepared • Remember, TMAC is here to help!

  17. Richard Bergs • Richard.Bergs@TMAC.org • (214) 577-8737 • www.TMACdfw.org
