Hi Everyone,
As a follow-up to our May 28, 2015 meeting, we would like to extend a special thank you to our keynote speaker, Matt Chung, Managing Director and Chief Information Officer of Technology & Information Risk at Morgan Stanley, who provided his view on the current state of cybersecurity. Thanks very much to Julia Poepping, Director for Information Security, Compliance and Operational Excellence, for sharing her experience in creating the proper cybersecurity processes at Axiall Corporation. Thanks again to Damian Schwartz of the United States Secret Service, manager of the Electronic Crimes Task Force, who shared his insights and identified current vulnerability trends. Last but not least, thanks very much to Reuven Aronashvili, CEO of Prosecs, who flew in from Israel and gave the audience a view of financial hacking from the perspective of the criminal.
Special thanks to MSD Capital for hosting our event and for all their ongoing support.
The following companies were registered for the May 2015 meeting:
MSD Capital, Morgan Stanley, Axiall, United States Secret Service, Prosecs LTD., Moore Capital Management, AEGIS, Promontory Financial Group, MSCI, SBLI USA Mutual Life Insurance, Thomson Reuters, McCann-Erickson Advertising, JP Morgan Chase and Co., NYSE Euronext, Broadridge Financial Solutions, Inc., Richard Bernstein Advisors LLC, Merck, Equinox, HSBC, Moody’s, Apollo Global Management LLC, Wiley & Sons, BHI USA Bank Hapoalim, Pentegra Retirement Services, Standard & Poor’s, World Education Services, Inc., iQ Venture Advisors, L.P., St. John’s University, Intercept Pharmaceuticals Inc., Kita Capital Management, LLC, Contrarian Capital, Imagineer Technology Group, Tannenbaum, Helpern, Syracuse & Hirsch, Fir Tree Partners, Viking Global Investors LP, Societe Generale, Kokino LLC, Flushing Bank, Weight Watchers, Warby Parker, MBIA, Financial Guaranty Insurance Company, Remedy Health Media, Fair American Insurance and Reinsurance Company, HazelTree, New York City Police Department, Long Island Jewish Hospital and GoodEarth Products, LLC.
Meeting Summary:
Matthew Chung: Morgan Stanley
Matt started his talk by explaining that the cyber landscape has everyone’s attention and is worsening, with events more in the public eye and in the news on a regular basis. These events erode consumer confidence and make regulators nervous.
He continued by categorizing for us the four main types of Bad Actors who perpetrate these breaches: Fraudsters, Hackers, Nation-state (e.g. China, Russia, Eastern European countries) and Nation-stateless. This fourth group is very hard to defend against because they are motivated by their opinions and are often boundary-less. The top three targeted industries are 1) Aerospace 2) Energy 3) Finance. The most common approach for the initial breach is phishing, which infects a computer to gain a foothold. Once in, the Bad Actor sits, watches and waits, elevating privileges and moving through the network to reach what they are looking for.
Here are some good cybersecurity practices to prevent them from getting data out, minimize the damage they can do, and catch them quickly:
- Practice good hygiene – patch your stuff, harden your system, retire your old systems
- Implement a data leakage program so you can monitor and prevent exfiltration of data
- Threat intelligence – subscribe to the feeds that are important to your industry, share information within your industry, spot the trends and anomalies early
- Create connections with the US Government – they can help, if you have the relationships in place it is very useful and expedient for faster response and recovery
- Practice and assess – how you react is key, prepare and be ready
- Apply Big Data Analytics – assume you have been breached and hunt for the bad guys; analyze behavior in peer groups, because the bad guys will be using your users’ IDs. Organizations often protect the perimeter and don’t watch what is happening inside closely enough, and insiders can do a lot of damage
- Focus on recovery – disaster recovery concepts are key
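One concrete form of the “analyze behavior in peer groups” practice above (and of the “Peer account analysis” tip later in this note), written here as an added example; it is not code from the talk, from Morgan Stanley, or from any speaker. The log lines, the department groupings, the 07:00-19:00 business-day window and the z-score threshold of 3 are all constructed assumptions. The idea is that a compromised or malicious account is judged against the people who do the same job, not against a global average: after-hours logons are routine for engineers who kick off builds at night but abnormal for a finance user, and the same behaviour is flagged in one group and ignored in the other.

```python
"""Peer-group behavioral analysis over authentication logs.

Added example (not from the talk): flags users whose activity deviates from
their peer group. Features per user are the number of distinct hosts touched
and the number of after-hours logons. Each user is scored against the rest of
the peer group (leave-one-out), so an outlier cannot drag the baseline toward
himself.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real data): timestamp,user,dept,host,action
SAMPLE_LOG = """\
2015-05-28T09:12:00,alice,finance,fin-ws-01,logon
2015-05-28T09:30:00,bob,finance,fin-ws-02,logon
2015-05-28T10:05:00,carol,finance,fin-ws-03,logon
2015-05-28T11:40:00,dave,finance,fin-ws-04,logon
2015-05-28T09:50:00,erin,finance,fin-ws-05,logon
2015-05-28T13:00:00,alice,finance,fin-ws-01,logon
2015-05-28T14:15:00,bob,finance,fin-share-01,logon
2015-05-28T15:00:00,carol,finance,fin-ws-03,logon
2015-05-28T23:10:00,dave,finance,fin-ws-04,logon
2015-05-28T23:20:00,dave,finance,fin-share-01,logon
2015-05-28T23:35:00,dave,finance,hr-db-01,logon
2015-05-28T23:50:00,dave,finance,eng-build-01,logon
2015-05-29T00:05:00,dave,finance,dc-01,logon
2015-05-29T00:30:00,dave,finance,backup-01,logon
2015-05-28T08:00:00,frank,engineering,eng-ws-01,logon
2015-05-28T08:30:00,grace,engineering,eng-ws-02,logon
2015-05-28T21:00:00,frank,engineering,eng-build-01,logon
2015-05-28T22:00:00,grace,engineering,eng-build-01,logon
2015-05-28T09:00:00,heidi,engineering,eng-ws-03,logon
2015-05-28T22:30:00,heidi,engineering,eng-build-01,logon
"""

AFTER_HOURS_START, AFTER_HOURS_END = 19, 7  # assumption: business day is 07:00-19:00
Z_THRESHOLD = 3.0                           # assumption: flag beyond 3 peer std devs


def parse_log(text):
    """Parse CSV lines into (timestamp, user, dept, host, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, dept, host, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, dept, host, action))
    return events


def user_features(events):
    """Return {user: {"dept": str, "hosts": int, "after_hours": int}}."""
    hosts, after_hours, dept_of = defaultdict(set), defaultdict(int), {}
    for ts, user, dept, host, action in events:
        if action != "logon":
            continue
        dept_of[user] = dept
        hosts[user].add(host)
        if ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END:
            after_hours[user] += 1
    return {u: {"dept": dept_of[u], "hosts": len(hosts[u]),
                "after_hours": after_hours[u]} for u in dept_of}


def peer_zscore(value, peer_values):
    """Z-score of value against its peers (the user's own value excluded).

    A peer group with zero spread is a strong baseline: matching it scores 0,
    any deviation from it is treated as an extreme outlier (inf)."""
    if not peer_values:
        return 0.0
    mu, sigma = mean(peer_values), pstdev(peer_values)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def find_outliers(features, threshold=Z_THRESHOLD):
    """Return {user: {feature: z}} for every feature above threshold."""
    by_dept = defaultdict(list)
    for user, f in features.items():
        by_dept[f["dept"]].append(user)
    flagged = {}
    for user, f in features.items():
        peers = [p for p in by_dept[f["dept"]] if p != user]
        for feat in ("hosts", "after_hours"):
            z = peer_zscore(f[feat], [features[p][feat] for p in peers])
            if z > threshold:
                flagged.setdefault(user, {})[feat] = z
    return flagged


if __name__ == "__main__":
    for user, feats in find_outliers(user_features(parse_log(SAMPLE_LOG))).items():
        print(user, {k: round(v, 1) for k, v in feats.items()})
```

On the constructed data only dave is flagged: six distinct hosts (including an HR database, a domain controller and a backup server) against finance peers who touch one or two, and six after-hours logons where no finance peer has any. The engineers’ late-night build-server logons are identical within their own group and score zero. In a real deployment the features would be richer (bytes transferred, privilege use, source network) and the peer grouping would come from the HR or directory system rather than a column in the log, but the leave-one-out comparison against peers is the point the talk was making.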
Julia Poepping: Axiall Corporation
Julia gave the group a walk-through of her experience of building a cyber security program from the ground up. She was charged with “doing something” about security after two large chemical groups merged. She formed a cross-functional executive steering committee to support her efforts. They assessed security program maturity following the ISO 27000 framework. In the chemical industry safety is paramount and security goes hand in hand. Her team built a 24-month road map, got board approval and followed the roadmap to build the security program with skilled practitioners, policies, procedures and best practices to improve program maturity.
Her key areas of risk-based focus for the business were 1) Data and information classification 2) Segregating the Industrial Control and business networks 3) 24×7 log monitoring and analysis. Her most important learning and advice is that having all the tools is not enough; they must be used and working properly. Follow your roadmap and attend to the details.
Damian Schwartz: U.S. Secret Service
Damian works cases involving identity theft, bank fraud and network intrusions. The task force he manages takes a three-pronged approach to building awareness and prevention: the Secret Service works with 1) Law Enforcement Agencies 2) Academia 3) Private Sector (partners). He explained how the Service has been changing the way it works with companies, because companies have been stonewalling investigations and being uncooperative. In the past, the Service operated by seizing everything and performing “Dead Box Forensics.” Today they work collaboratively with corporate IT, often letting the company’s technology people make the forensic copies that will later be used for the analysis. This approach of taking “live” images and narrowing the forensics to what is deemed critical and relevant speeds the process without disrupting business continuity.
There was some discussion of new rules being considered that would help companies and the government work together without fear of penalty (e.g. Safe Harbor laws). These rules would help companies be more forthcoming with information and protect them in their relationships with clients. Several examples were given of companies that get breached and do not see it for 30, 60, even 90 days. Damian stated that some companies try to be compliant and have the right tools in place, but don’t ensure that the tools are kept current, used properly, or even monitored after the initial setup. Lastly, Damian described the challenges of international breaches, where the Secret Service is in the difficult position of trying to obtain cooperation from foreign governments. What is considered illegal in one country may be legal in another.
Reuven Aronashvili: Prosecs, LTD.
Rubi works for companies around the world as a consultant on cybersecurity issues. He shared with the group one particular assignment his firm was given by the CEO and CIO of a global bank. The assignment was to act like a criminal team and “electronically break” into the bank. Only the two executives knew about the assignment; the security staff was not alerted to the breach attempt.
Rubi explained the steps his team took over the first couple of days to research the target. They quickly found their first way into the bank through a test server, followed by entry into a production server, and lastly an unprotected legacy server that was no longer being patched because of its age. From there they extracted the first set of usernames and passwords.
His account of their progress into the bank was incredible. Within a few days they were able to access anything and everything they wanted, including all ATMs, all security systems, all teller stations, all video cameras, all VoIP telephones and all cameras in video conference rooms. They even followed the electronic path out to a subsidiary of the bank and breached that company, later notifying it of its insufficient security.
Overall, it was an amazing journey for the bank to learn that with only 20 days’ work these “criminals” could have dispensed cash, wired money and recorded phone calls and meetings without the security team noticing. It was quite a shock. The bank put in place a 3 to 5 year plan to fix the issues, requiring 4 Program Managers and 126 Project Managers.
Final Observations:
It is hard to describe an amazing event with standing room only. The evening was so incredible that we have been receiving multitudes of emails with additional thoughts, tips, and comments.
Tips to share:
- Practice Good Hygiene
  - Retire old systems and keep everything patched
- Threat Intelligence
  - Be proactive
  - Subscribe to security intelligence feeds
  - Share information with peers
  - Connect with government agencies
- Practice & Assess
- Apply Big Data Analytics
  - Peer account analysis
  - Hunt for internal threats
- Plan
  - Plan for recovery, prepare for a breach
  - Containment and isolation
  - Segment the network
  - Bare metal recovery
  - Protect key infrastructure
  - Get entitlements correct
Note: To request contact information for any of the speakers, please feel free to send us an email.
Thanks again to all those who traveled from all corners of the U.S. and abroad to join us at this meeting. Your participation was absolutely amazing. To all of our incredible speakers, thanks for creating an exceptional evening to remember. Wishing you all a wonderful and enjoyable summer! Looking forward to seeing you all at our Fall event!
-Malka
Malka Treuhaft
Executive Director East Coast CIO Forum &
President
Truision Inc.
646.942.2625 (office)
917.589.1069 (mobile)
718.375.1529 (fax)
www.truision.com
Matthew Chung’s Bio
Matthew Chung is the Managing Director and Chief Information Officer of Technology & Information Risk. Mr. Chung joined Morgan Stanley in August 2014. He has held several senior roles across technology and operations, with over 25 years of experience in the global financial services industry. Prior to joining the Firm, Mr. Chung served as Group Chief Information Security Officer & Global Head of Governance, Risk & Control for Operations and Technology at Barclays Bank from August 2007 to August 2014. He also held several other senior roles at Barclays, including Chief Operating Officer of EMEA, Chief Architect Officer and Chief Data Officer for the Retail and Business Bank, and was based in the London headquarters of Barclays Bank. Mr. Chung has worked for several large international firms including Citibank, Nomura Securities International, Societe Generale, Credit Suisse, and Moody’s Investor Services. Matt graduated from Stevens Institute of Technology with a degree in Electrical Engineering.
Julia Poepping’s Bio
Julia Poepping is Axiall’s Director for Information Security, Compliance and Operational Excellence. She is responsible for building the cybersecurity program and for establishing the policies, procedures and controls compliance framework for Axiall, a Georgia-based chemical company. Axiall was founded in January 2013 with the merger of Georgia Gulf Chemical and PPG Industries’ former chlor-alkali chemicals business. Prior to her role with Axiall, Julia led the IT function for two business units and a corporate supply chain function at PPG. She managed IT purchasing at PPG, as well as demand/supply planning and customer service. She started her career as a programmer analyst, which speaks to her love of problem-solving. Julia believes in giving back: she has been a guest panelist at the Executive Women’s Council of Pittsburgh, and a guest lecturer at Carnegie Mellon University’s Heinz School of Public Policy and for the Robert Morris University Information Society. Julia received a BBA in Management Information Systems from the University of Wisconsin-Madison and an MBA from the University of Pittsburgh’s Katz Graduate School of Business.
Damian Schwartz’s Bio
Damian Schwartz is an accomplished law enforcement professional with over 24 years of experience at the United States Secret Service. He is a senior member of the Secret Service and has managed the Electronic Crimes Task Force for 10 years, contributing leadership, technical and investigative skills to the field of cybersecurity. Damian is a leader in detection, investigations, prevention, training and creating the standards used in the industry. He has a proven track record of developing and managing a team of highly skilled agents working at the intersection of technology and law enforcement. He has collaborated with U.S. and foreign law enforcement agencies in the field and developed the standards used for the forensic collection and reporting of digital evidence for the Electronic Crimes Task Force. Damian has prepared and delivered briefings to management and the private sector on current digital threat assessments, current vulnerabilities, fraud schemes and emerging cybersecurity trends.
Reuven Aronashvili’s Bio
Reuven is the Founder and CEO of Prosecs. Prosecs LTD is the powerful combination of government-level security experts forged together while serving in a top secret Israeli army unit entrusted with the Israeli cyber defense realm. While serving in the Israeli army, the team encountered cyber threats ranging from amateurs and script kiddies through expert hackers and government-level attackers. As such, the team has developed a combination of hands-on experience in both offensive and defensive attack methods, developing unique attack vectors and discovering numerous zero-day vulnerabilities in widely deployed commercial products. In addition, the Prosecs team developed unique methodologies based on their diverse experience in real-time crisis management, security assessments, penetration testing, architecture, design and code reviews.
Reuven earned his B.Sc. and M.Sc. in computer science and math at Tel Aviv University, graduating with honors. He acquired his professional skills and deep passion as a security expert during his 7 years of military service in the Israel Defense Forces Infosec unit. Later, Reuven joined the business sector and designed and developed quality security solutions, mainly for large-scale global concerns. Over the years he has conducted over a hundred penetration tests and security assessments, developing an in-depth understanding of clients’ needs. Reuven was certified by the US Department of Homeland Security as an international industrial control systems cybersecurity expert.