TechBirmingham Blog

Archive for March, 2016

ACN Conference Ready to Launch

On April 5th the first annual Alabama Cyber Now conference will be held at Regions Field to “Bring Cybersecurity to the Forefront of Business.” The concept for ACN came about over a year ago when three technology/cybersecurity professionals – me, Heather McCalley, and Jennifer Skjellum – brainstormed the idea during a security panel presentation at Alabama Power Headquarters. During the past year or so, we continued to foster this idea with our respective organizations, Central Alabama Information Systems Security Association, Birmingham Infragard Members Alliance, and TechBirmingham, to make ACN a reality and, as of today, we have over 200 attendees registered for the conference.

ACN is patterned after a similar event whose origins go back about 10 years. The North Alabama ISSA Chapter, where I served as President, sponsored an Information Security Seminar in Huntsville, a half-day meeting. That event has continued for 9 consecutive years and has grown in attendance from around 50 at the first one to over 950 last year at the Von Braun Civic Center spanning 2 days. Similarly, the North Alabama ISSA Chapter joined with Cyber Huntsville a few years ago, gaining a strong interest from the Defense Industrial Base (private contractors) supporting the US Army and NASA at Redstone Arsenal.

The conference committee has put together 19 sessions in three tracks with two keynote speakers (Brian Krebs and Josh Goldfarb) which we feel will appeal to both cybersecurity practitioners and professionals, C-level executives, and other business leaders. There will also be an exhibit hall showcasing the technologies available from over 30 vendors. An exciting day is awaiting all who attend. As conference chair, I look forward to meeting everyone who attends, attending several track sessions, talking to all the vendors, and hearing the latest in cybersecurity from our keynote speakers. Please plan to attend Alabama Cyber Now as I am convinced that you will learn much throughout the day.

See you on April 5th.

Dr. Joseph W. Popinski

Alabama Cyber Now Conference Chairman

CISSP CPP CFE CISM

ISSA Fellow

Have you registered for the conference? Click HERE to join up on April 5.


A Cyber Field Report from SecurIT360


As we approach the Alabama Cyber NOW Conference on April 5th, we will highlight some of the companies and individuals making this event possible. We recently caught up with David Forrestall with SecurIT360, a Platinum sponsor of ACN. David provided us with a Cyber Field Report leading up to the conference.

 

We all need information to make decisions and to build plans to protect ourselves and the people we serve.  This information includes strategies, risks, threats, vulnerabilities, actors, technologies, etc.  Alabama Cyber Now (ACN) is a few weeks away and is a great forum to continue the discussion so that you are informed and can sleep better at night.  We have served clients all over the U.S. for the past seven years performing audits, penetration tests, risk assessments, and security-program development.  During this time, we have seen a persistent theme: people get lost in the details.  We all know that security is not “set-it-and-forget-it.”  So, what is the plan?

Cyber Action Plan

Focus on the basics first, it is a Process not a Product

There is no silver bullet, and advertisers are investing millions of dollars to convince you to buy their widget that will handle all of your security needs.  But guess what?  Even security products have vulnerabilities that hackers take advantage of.  To be clear:  You need quality security products to keep yourself safe.  They are required to add layers of security, but it is the process around these that keeps you secure.  They must be updated and maintained.  If you do not check on their performance, you have no idea of whether they are still functioning properly. 

Basic Blocking and Tackling

Studies show that over 90% of breaches happen because something simple was missed.  So, before you run out and invest in new security solutions, it is important to make sure the basics are covered by solid products and the processes supporting them.  Making sure these basics are covered reduces much of your risk:

Security patching for all hardware/software – This is where many of your vulnerabilities lie.  The desktops are a place to start, but don’t forget the applications.  All applications (office, Adobe, Java, browsers, etc.) need to be up to date.  Switches, routers, firewalls, and infrastructure systems need updates too.  You need to independently check to make sure that this is happening.

Endpoint protection – Antivirus/Malware solutions – Make sure these are working.  Pull a report and do an inventory of systems.  Not the most glamorous thing in the world, but simple and effective.

Review all accounts and passwords regularly – I don’t have to hack if I can just log in.  You should also limit privileged accounts and prevent the use of shared accounts.

Constantly inventory devices on your network – If you don’t know what is on the network, how do you know whether it is allowed or protected?

Encrypt all portable devices – Smartphones, tablets, laptops, USB drives: anything that may carry sensitive data, which can easily “walk off”.

Provide security training for users and IT staff – Your users are the target and need to make well informed decisions.  As for IT, yes they are smart, but typical IT training does not always include security processes (there is that word again…).  And what IT folks hear most is faster, cheaper, and more reliable.  Oh, and by the way, can you make it secure too?

Review firewall, remote access/VPN, and wireless solutions regularly.  Another way to get in…

Implement a proactive monitoring/logging/alerting solution – There are millions of events produced in your network each day.  They need to be collected and analyzed.  There are many options available that will alert you when something bad is happening, so that you can react. 

Check your email gateway (Spam filter).  Make sure it has virus and malware capability.  Email is one of the most common attack vectors.  Most of you should have this, but you need to double-check that this is in place and functioning.

Additional basic perimeter protections.  Make sure that your firewall has IDS/IPS capabilities – not all do.  Internet content filtering software also keeps users from going to dangerous websites.  Some firewalls include both of these features, but they may require additional licensing or products AND you need to make sure they are updated and functioning properly.  You need to ask if you are not sure.

What do leaders need to do?

Leaders do not need to become experts or spend millions on cyber security to protect their organizations and customers.  BUT, you do need to know enough to oversee and carry on the conversation. 

Where to start:

Educate yourself – The buck stops with you.  When something happens, answers will be demanded.  Get in the conversation and ask questions of those that you trust to handle cyber security for you. 

Measure your status – Measure against accepted standards.  This is more than asking your IT guys to check the firewall.  Standards are multi-dimensional, covering all areas.  CIP, NIST, or ISO 27000 are solid standards to compare yourself to – AFTER you have covered the basics.

Develop a plan to close holes – There is no such thing as 100% security, which always leaves room for improvement.  The gaps should be ranked by risk and prioritized.  Regular meetings and documented progress against risks will show the level of commitment to security.

Develop a security program – The rapid pace of change does not allow you to set-it-and-forget-it.  Policies need to be written and responsibilities assigned.  The program will require monitoring and regular reporting.

A Note to the CFO:  You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

About our perspective – SecurIT360 is a knowledge-based, cyber-only firm that also represents various industries concerned with protecting sensitive information, including Financial, Healthcare, Utilities, Legal, Education, and IT Services.  Our recommendations come from working experience with many solutions.  We are independent; a vendor agnostic and a client advocate.  We do not “sell” or broker hardware, software, or a particular vendor.  Ours is a process, not a product.  Yes, you need products, but it is the process and people around those products that keeps the firm secure.


Cool Space: ITAC Solutions

ITAC Solutions is a recruiting company, initially focused on IT and Accounting professionals (hence the name “ITAC”). Today, their business includes temporary and contract staffing, contract-to-hire and direct hire recruiting for companies throughout the country.


An interview with Jason Asbury of Warren Averett Technology Group


As we approach the Alabama Cyber NOW Conference on April 5th, we will highlight some of the companies and individuals making this event possible. We recently caught up with Jason Asbury, President of Warren Averett Technology Group, the Diamond sponsor of ACN. Jason will be speaking at ACN and agreed to a Q&A highlighting some of his upcoming talk.

Hi Jason! Let’s jump right in – what can a business do to reduce the likelihood of cyber-attack?

Asbury: The notion of reducing the likelihood of an attack is somewhat futile. Any organization with access to the Internet is subject to attack. The key is to be prepared when the attacks occur. Proper planning, controls, monitoring, alerting and overall management of IT security is absolutely necessary in order to turn attacks into failed attempts.

What are the key ingredients for a cyber-security strategy? 

Asbury: Managing a cyber-security strategy begins with a risk analysis. In order to create and implement the proper strategy, risk must be clearly understood. Not all companies share the same risk. Secondly, all effective systems and strategies are governed by good policies. A thorough IT security policy is essential in managing risk. Security policies should not only create a framework for day-to-day management of risk, though. They should also identify and designate key roles within an organization. For instance, every business should have a security officer or manager as well as a risk officer or manager, and all organizations must plan for the worst. This means that an incident response plan is necessary and someone must be designated to manage the recovery steps taken after a breach has occurred. In my experience, most companies fail to implement a strong cyber-security plan because they don’t start with an analysis of risk paired with a solid IT security policy.

What type of third-party services and products can be used to help prevent a breach and keep sensitive information secure?

Asbury: There are a number of services that can assist in managing risk. We recommend that organizations consider third-party monitoring, logging and alerting services for critical systems and network entry points. The assurance of proper oversight relative to security is essential to preventing an incident. Another good outsourced service to consider is quarterly vulnerability scanning and annual penetration testing in order to regularly assess and remediate risk.

Should a company be concerned with its vendors relative to cyber security?

Asbury: Absolutely. A security plan is only as strong as its weakest component. As a business owner or risk manager, you must address security safeguards and loss prevention relative to vendors and business partners. The highly publicized Home Depot breach of 2014 was the result of weak controls around vendor access. We suggest the development of business associate agreements that clearly define requirements around access control and minimal acceptable levels of security from within the vendors’ IT systems.

How can I assess my company’s risk for a cyber-attack?

Asbury: The most effective process is to have a qualified IT security firm perform a thorough IT risk assessment. If your organization has identified a risk-management officer, that individual should be qualified to oversee this process. Relying on an IT manager to assess risk for a system he or she is responsible to maintain may not yield an unbiased report. Risk assessments should include a review of IT policies, network architecture, roles and security procedures, and physical and logical access controls.

Thanks for taking the time to chat, Jason! Click HERE to learn more about Warren Averett Technology Group.


New Tech Group Coming to Town

Guest post by Robert Schiefer, Software Architect at EBSCO


Planning is underway for a brand new technology meetup group in Birmingham. The Birmingham .NET Meetup is for .NET professionals and hobbyists looking to continuously improve their craft. They hope to cover a broad spectrum of topics, from C# language features to software delivery and everything in between.

Robb Schiefer and Blake Helms are co-organizers for the group, which has a tentative first meetup scheduled for May of 2016. Over 35 members have already signed up on their Meetup page with little to no advertising, so the group is poised to be heavily attended. When asked about the new group, Robb had the following comment:

“C#/.NET is one of the most popular programming languages in Birmingham with companies, both large and small, employing a large number of developers on the Microsoft stack. We hope to bring those developers together on a monthly basis to network, learn from each other and improve their skills so they can be more effective in the workplace.”

First released in 2002, the .NET framework is a mature platform that many companies rely on for the stability of their business. C# (the programming language most often associated with the .NET framework) is consistently listed in the top five most popular programming languages each year in most surveys. A Mashable article last year stated that in Alabama C# was the “most tweeted” and had “the most jobs and least competition” based on data from a common programmer Q&A website. So Birmingham and .NET seem like a great fit.

Each meetup event will allow time for networking, provide an informative talk by a knowledgeable presenter and, best of all, free food. The group is still trying to work out the details and asks any interested developers to fill out a quick survey to help in the planning process.


“User groups can be tricky to get right. You have to keep the content interesting and find a convenient time/location for the majority of attendees. We are really hoping the survey helps us meet the needs of our local .NET community,” Schiefer said.

The group is also still looking for corporate funding to help pay for the costs of running the group. The funds will primarily be used for food and giveaways at the events. If your company can help in this area, reach out to Robb or Blake for more information via their Meetup page.

User groups are a great way to engage in the developer community beyond your immediate work environment. If you manage developers, encourage them to find a user group and attend. If you are a developer, go share your experiences and learn from others at the next applicable user group event.
