
What’s the Latest in Cybersecurity? 8 Key Takeaways from The University of Miami’s First Annual Cybersecurity Conference


Written By

Michael Neher

Capsicum was proud to sponsor and participate in the University of Miami’s first annual Cybersecurity Conference. The Inaugural Conference was part of the Miami Herbert Business School's 2019 Homecoming Reunion events and festivities.

The conference examined the emerging trends and technologies needed to drive innovation and success in the Cybersecurity space. Events included a variety of dynamic and engaging panel discussions, as well as an inspiring keynote by Manny Medina, CEO of Cyxtera Technologies. The conference allowed attendees direct access to experts fueling the intersection of Cybersecurity and Fintech, including speakers from the CIA, FBI, and major corporations, as well as Capsicum’s own CEO Sandy Goldstein, who offered practical insights into the steps companies can take to ensure the integrity of data.

Read on to learn about 8 key Cybersecurity themes that were repeated throughout the conference!

1. How do you educate your CEO on the value of security?

In a modern organization, strengthening data protection across the enterprise requires the informed support of the leadership team. But how can security professionals communicate the need for security investment to the C-suite? Many panelists concluded that security professionals must speak in terms decision-makers understand; in other words, it is about the business' bottom line.

While a CEO might not follow abstract cyber threats (DDoS, phishing, etc.), they will likely understand risk management and the threat of monetizable damage to operations and reputation. Security professionals need to position themselves as advocates protecting the longevity of the business, the product, and the enterprise. Open a conversation with the board, and involve decision-makers in the strategy, successes, and challenges inherent in building a cybersecurity plan.

2. What are the essential responsibilities of the modern Chief Security Officer (CSO)?

The panelists offered their views on the most essential steps a security officer can take to secure data. Kevin Gowen, Chief Security Officer of Synovus, highlighted the foremost need to protect user data: understand where critical assets are, know who is responsible for security in the organization, teach people what to pay attention to and what the likely threats are, and know the maturity of your security program. Scott Croskey, Global Chief Security Officer at Cipher, emphasized the need to understand your third-party relationships and realize how much data third parties can access.

Juan Gomez-Sanchez, Chief Security Officer at Lennar Corporation, highlighted the importance of basic systems hygiene such as patching, access control, server access, and change management. He also emphasized "defense in depth": multiple layers of defense across an organization's people, processes, and technology. In sum, there is no one thing that solves all cyber concerns, so modern security officers need to employ a combination of strategies that fit the organization's risk tolerance.

3. How Do Cybersecurity Experts Approach and Scrutinize the Litany of Tech Solutions Available In The Market?

With a vast market of technology products available, how can one separate utility from hype? At its most basic level, any tech product an organization implements must accomplish two concrete outcomes: (1) reduce risk and (2) be cost-effective. That said, most panelists agreed that no one size fits all. Instead, companies should be strategic, choose the right technology solution for a given problem, and verify that it addresses the issue adequately. By taking a more focused approach to technology products, you can minimize the cost invested in them and maximize the value and utility gained.

4. Red Team v. Blue Team: Are Independent Hacking Assessments Mandatory Today?

With disparate standards for cybersecurity across industries, organizations, and entities, resting on the laurels of your cybersecurity strategy is simply not enough anymore. To get an accurate picture of the effectiveness of your organization's security policies and procedures, you must test the waters. Regularly bringing in an independent third party, with both technical and functional staff, gives your organization a fresh perspective. To the panelists, independent hacking assessments have become mandatory.

The "Red Team" vs. "Blue Team" exercise has existed in the military and law enforcement for some time; in cybersecurity it means enlisting a white-hat hacker to test the resiliency of your organization's defenses. Organizations that skip this otherwise wait to find out about their weaknesses from an attacker, at the cost of brand damage and financial consequences.

5. Will Cybersecurity always be a catch-up game?

Cybersecurity has evolved on both the offensive and defensive sides, as have regulations. While law enforcement and regulatory agencies like the FBI and SEC strive to make sure private and business entities have the capabilities to protect themselves and their customers, they can only educate the public once they have identified and addressed a given threat. Considering this pattern, the panel was asked: "Will we always be one step behind bad actors in cyberspace?"

Most experts said yes. Although the general public is growing more aware of the risks associated with data breaches and compromised security, malicious actors are growing more sophisticated just as quickly. While it is not out of the question that defenders will one day outpace attackers, the current pattern shows no signs of letting up. Particularly with the forthcoming rollout of 5G and the additional attack surface that comes with it, the name of the game for the foreseeable future is upkeep and continuing diligence.

6. The Key to Understanding the Threat Landscape is to Understand that it is Constantly in Flux

Today's technology is driven by convenience, yet today's risk landscape is shaped by the reality that convenience and security do not always go hand in hand. Information technology (the application of computers to process, transmit, and store data, typically in a business or enterprise environment) and operational technology (hardware and software systems that monitor and control physical equipment and processes) are no longer distinct. IT is not isolated; it is interconnected.

With more devices becoming interconnected, the available attack surface is continually expanding. Basically, more data means more targets. On top of the expanding attack surface, it is getting easier and easier to be a cybercriminal. Law enforcement speakers pointed out that cybercriminals are collaborating, organizing, and communicating with increasing sophistication. Increasing connectivity has made "island hopping" through business or social networks that much easier, and phishing attacks are being socially engineered with remarkable detail and intelligence.

One speaker recounted how easy it was to access the contact lists, text-message threads, and call history of seven previous renters who had paired their cell phones with the speaker's rental car. Another speaker highlighted the ease of reaching a business's enterprise systems through an unpatched, network-integrated HVAC system. Internet-of-Things and other embedded devices are exposed as soon as they are connected to the internet, yet they are easily overlooked. It is important to patch IoT devices (once the patches have been tested and verified): HVAC, Nest, Ring, elevators, etc., covering the OT systems as well as the IT systems.

What is important for organizations to understand is whether this level of connectivity is necessary. Not every organization is fully cloud-based, for security reasons, and likewise organizations should not hastily embrace IoT unless operations require it. Forthcoming advanced technologies provide great convenience but also present unknown risks that we must be prepared to address; additional examples to consider are fintech, embedded medical devices and medical IoT devices, and wireless body area networks (a wireless network of wearable computing devices). While it is not plausible for every business, many organizations reduce this risk by locking down unnecessary technologies: no-USB policies, bans on cross-border communication, prohibiting bring-your-own-device, and eliminating other unnecessary technologies. Even then, these policies are not always followed and are difficult to enforce.

7. Employees Remain an Integral Part of Any Organization’s Cyber Strategy

“We have two Cybersecurity threats: our employees and then everyone else” – Don Cox – MBA, MSc ITM, CISM, PMP

Employees can be an organization's greatest defense against cyber threats or the first line of liability. Accordingly, it is remarkably important to ensure your employees are trained and comfortable with approaching the reality of cyber threats against your organization. Training your employees is protecting your organization from your employees.

People are still the easiest variable to exploit, so organized programs (such as a suspicious-email button) and awareness campaigns (education and faux-phishing tests) help employees stay cognizant and vigilant. Supplementary training for those who fail faux-phishing tests is highly recommended as well. One speaker suggested stressing the value of cybersecurity and its relationship to the longevity of the organization, and thus to the employee's own job. Another emphasized teaching employees how to protect their digital assets at home, which should translate into better behavior at work. As for technical solutions that supplement employee behavior, one speaker suggested user behavior analytics to identify and respond to abnormalities in employee device usage.
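As an added illustration of the behavior-analytics idea just mentioned (this is not code from the conference or from Capsicum), the following Python builds a per-user baseline of known devices and usual login hours from a constructed authentication log, then flags later events that fall outside it. The log format, user names, device IDs, and the cutoff date are all assumptions made for the example.

```python
"""Added example: a minimal user-behavior baseline over constructed auth logs.

Assumed log format (one event per line): timestamp,user,device_id,action
Events before CUTOFF build the baseline; events at or after CUTOFF are scored.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data for the example; not real logs.
SAMPLE_LOG = """\
2019-11-04T09:02:11,alice,laptop-0a1b,login
2019-11-05T08:55:40,alice,laptop-0a1b,login
2019-11-06T09:10:03,alice,laptop-0a1b,login
2019-11-07T09:01:27,alice,laptop-0a1b,login
2019-11-04T10:12:00,bob,desktop-77c,login
2019-11-05T10:05:19,bob,desktop-77c,login
2019-11-06T10:20:44,bob,desktop-77c,login
2019-11-08T03:14:09,alice,phone-9f3e,login
2019-11-08T10:02:00,bob,desktop-77c,login
2019-11-08T11:00:00,carol,tablet-12,login
"""

CUTOFF = datetime(2019, 11, 8)  # assumed boundary between baseline and scoring


def parse_log(text):
    """Parse the assumed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "action": action})
    return events


def build_baseline(events, cutoff):
    """Per user: the set of devices seen and the set of login hours seen before cutoff."""
    baseline = defaultdict(lambda: {"devices": set(), "hours": set()})
    for e in events:
        if e["ts"] < cutoff and e["action"] == "login":
            baseline[e["user"]]["devices"].add(e["device"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def detect_anomalies(events, baseline, cutoff, hour_slack=1):
    """Return (user, timestamp, reasons) for post-cutoff logins that deviate from the baseline.

    A user with no baseline at all is reported too: that is the failure mode
    where a brand-new or dormant account shows up and nothing can be compared.
    """
    findings = []
    for e in events:
        if e["ts"] < cutoff or e["action"] != "login":
            continue
        b = baseline.get(e["user"])  # .get() does not create a default entry
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e["device"] not in b["devices"]:
                reasons.append(f"unseen device {e['device']}")
            lo, hi = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
            if not lo <= e["ts"].hour <= hi:
                reasons.append(f"login hour {e['ts'].hour:02d} outside usual window {lo:02d}-{hi:02d}")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


def run_example():
    """Run the pipeline over the constructed log and return the findings."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, CUTOFF)
    return detect_anomalies(events, baseline, CUTOFF)


if __name__ == "__main__":
    for user, ts, reasons in run_example():
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

On the constructed data this reports alice's 03:14 login from a never-seen phone (two reasons at once) and carol's login with no baseline, while bob's routine 10:02 login passes. A four-day baseline is far too thin for production use; a real deployment needs a longer learning window, and the findings should feed a review queue rather than an automatic lockout, which is exactly the "too stringent and people bypass you" trade-off the panel warned about.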

Permissions, access, and other policies need to strike a delicate balance: if you are too stringent, people will bypass your security; if you are too lax, they will introduce threats. The key is to manage risk and use tools that let employees achieve their goals while involving and managing the human element.

Perhaps most importantly, employees need to feel they can discuss strange cyber-events without being blamed or getting fired. In sum, the best strategy is awareness and transparency, from both employee and employer.

8. Mergers & Acquisitions are a Vital Area in which Businesses Need to Exercise Safety and Security

Organizations poised for growth are an attractive target to malicious actors, and the numbers speak for themselves. This year, there were 49,000 merger & acquisition transactions worldwide; 83% of them ultimately failed. But even when these complicated and delicate deals are successful, 52% of successful mergers still have security issues following the merger. In some notable cases, targeted phishing campaigns began as soon as 30 minutes after a public announcement of a merger.

What can a party do to minimize this threat? At the outset, CISOs should have a seat at the M&A negotiation table, and cyber risk needs to be discussed as a key component of the merger. At some level, the security team should be engaged. Although executives may hide behind confidentiality, that is no reason to keep the security team out: they handle confidential material for a living, and the exercise is worthwhile for all involved.

The experts also suggested setting comprehensive pre-merger priorities for enterprise security: going back to basics with a focus on identity, privilege, access, and two-factor authentication; using the NIST framework; reducing the risk profile by having vendors audit and test your security; keeping well-configured backups in secure repositories; training employees; and making sure both parties to an M&A deal maintain a thorough asset inventory.

If you do not think cybersecurity is a key factor in an M&A deal, just ask Verizon, which closed its purchase of Yahoo at a discount of about $350 million (roughly 7% of the original price) following the disclosure of two breaches at Yahoo.

About Capsicum

With years of experience mitigating cyber-threats, including company insiders, misconfigurations, missing security updates, malware, and programming errors, Capsicum’s team knows how deeply a company suffers when an intruder exploits their network’s vulnerabilities. For companies seeking more robust security in their current network, our team members perform a thorough, top-down assessment to create a unique security profile for your company. 

Our Certified Ethical Hackers (CEH) and Computer Hacking Forensic Investigators (CHFI) provide risk assessment, penetration testing, code review, cloud security, threat hunting, and phishing attack simulation, creating a unique security profile for your company by flagging vulnerabilities, anticipating weaknesses within your technical infrastructure, and verifying that the policies, procedures, and controls you have in place are truly being enforced. These are just a few of the services our team of law enforcement and military-trained technology professionals can perform. If your business network has already been compromised, we use state-of-the-art forensic techniques to investigate all possible threats and respond to incidents quickly and effectively. We then work with you to set up world-class solutions that minimize your risk of future incidents.

If you have additional questions regarding any of our services, please do not hesitate to contact us either by phone or email.