It was apropos that Ray Yepes, newly appointed CISO for the State of Colorado, opened the 2022 SecureWorld Denver conference on October 6th. His morning keynote was all about cooperation—the state cooperating with municipalities and counties; working side-by-side with federal agencies; and involving law enforcement agencies from all levels when it comes to cybersecurity. And don't forget the private sector.
"When 911 happened, the federal government realized one thing—and we have folks from the Secret Service and FBI here today who can tell you this—the federal government realized we need a better way to share information among us," said Yepes, who was appointed CISO of the Centennial State in April 2022. "And they also realized we need to invest in threat intelligence. The federal government invested billions of dollars doing just that. So we have that whole-of-nation model. We can just copy that model, replicate it, and do it for the state."
And so Yepes, in his short time in his role, has led a whole-of-state approach to cybersecurity in Colorado (the title of his keynote) with "no government left behind."
Yepes' approach has been refreshing, and surprising, to many of the smaller agencies throughout Colorado whom he and his team have reached out to offering help—including helping a Colorado county identify and recover from a recent cyberattack.
His keynote set the tone for the day, with cybersecurity professionals and solution vendors rubbing elbows and sharing knowledge at the 10th annual SecureWorld Denver conference at The Cable Center on the campus of Denver University.
A few panel discussions featured speakers from vendors competing in similar spaces, but the goal was clear: let's work together to help each other thwart the bad actors.
Ray Yepes, CISO for the State of Colorado, presents the opening keynote.
Takeaways and quotes from the day's presentations
Karen Worstell, CEO and Founder of W Risk Group LLC, an author, and proponent of "not putting steel doors on grass shacks," spoke on "Was Mudge Right? Exploring Moral Injury in Cybersecurity." She talked about Peter Zatko, better known as "Mudge," who was terminated by Twitter as its head of security after he blew the whistle on what he saw as "extreme, egregious deficiencies" in the company's handling of user information and spam bots.
Mudge felt it was his duty to act on his values, his personal values, and not kowtow to the whims of Twitter leadership.
"I always tell my team, I said I need you to take a stance; don't just change with the wind, but take a stand," Worstell said. "But before you do that, make absolutely certain you know what you are standing on. What are the things you are willing to fall on your sword for? It's okay to fall on your sword. But you've got to know you're doing it for the right thing. And that's what protects us from having, essentially, the outcome of a moral injury."
Karen Worstell, W Risk Group LLC
Down the hall, Brenden Smith, CISO at FirstBank, presented "Revisiting Deception Systems: Enterprise Use Cases." He spoke about protecting vulnerabilities that might not be top of mind, such as chat systems like Slack or Teams, or sensitive commands that not everyone uses.
"Sensitive commands is interesting to me," Smith said. "Basically, they (bad actors) are starting to offer the ability to turn operating system commands into deception systems. So you can do things like take who I am or someone else running that in your environment… you can trigger that as a deception system, right? So that's a case where you're going to have to evaluate that in your own enterprise. You have to make a decision about which commands are ones that we allow you to try, which are the ones that nobody should ever run, and we want to be alerted when that's the case.
"They make a compelling argument here. I think ransomware, they see attackers running a series of very predictable commands. Again, it's taking attacker behavior and turning it into a defense for us."
At the bank, for instance, no teller should ever be running commands that could be compromised.
Donald Ikhtiari, Principal Security Architect at Insight, spoke on "Building an Effective Vulnerability Management Strategy and Program." Sticking to the day's theme of cooperation, he said communication is critical—between all partners, vendors, and internal and external teams.
"You have maybe European requirements that are out there if you're a global organization; you have your U.S., you might have Canadian requirements, state requirements," Ikhtiari said. "Make sure everybody knows where they stand. What's important to them? Make sure that's part of your dashboards as well."
"You want to make sure you're not only looking at say Microsoft patching across your organization; you want to make sure you're looking holistically. It could be your IT systems, your operation technology, your IoT, your industrial control systems, or SCADA environments."
For public utilities and/or healthcare systems, the last thing anyone wants is a life-critical system failure because of a security vulnerability, he added.
Dr. Jacob Rubin is the former CISO at Red Robin who has joined EVOTEK as an executive advisor. He joined Danielle Good from partner company Thales to present on "A CISO Perspective: Discover, Protect, and Control Your Organization's Most Critical Assets."
Taking healthcare as a use case, Rubin said healthcare data for about 300 million Americans is encrypted and riding on the back of a Thales protection plan.
"That encryption is absolutely critical. I think anybody here will tell you, they want their data protected," Rubin said. "When I was doing this, I'd have a sense of purpose for what I was doing, knowing my records are in there, my family, my friends… you want to make sure those things are protected properly."
The complexities of healthcare systems—which can range from small mom-and-pop doctors' offices where mom is the receptionist to mega hospitals with tens if not hundreds of doctors and residents—are unreal. The same goes for government agencies, insurance companies, etc.
"From a criticality perspective, there's nothing that you do on a day-to-day basis that doesn't involve some measure of government infrastructure," he continued. "You wouldn't believe the number of services you consume on a daily basis that are sitting on the back of cyber trust software."
"Demystifying Zero Trust and Its Role in Cybersecurity" was the topic of the lunch keynote given by Chad Maskill, Cyber Hero at ThreatLocker. Through use cases, he spoke about the principle of "never trust, always verify."
Looking back at the early days of malware where the goal of the attacker was simply to make life a little more difficult and be an annoyance, "but it's all led now to where we are today… at one point, somebody got the bright idea of let's weaponize and monetize," Maskill said. "So now instead of fighting the kids in the basement, kids at their parents' house just making things to be annoying and making your life difficult, now we're actually fighting with legitimate damage."
"If you think about right around 2014 when the first bits of ransomware started dealing with harming sophisticated businesses, organized crime was determined to take down business information, hold data for ransom, and profit off of it."
And it has moved beyond just hurting businesses, it's about nation-states taking down infrastructure, he said.
"Zero Trust architecture allows users full access only to the bare minimum they need to perform their jobs. It makes sense, least privilege, right? Allow what you need and block everything else."
Applications are a serious vulnerability, Maskill said.
"Anytime you have an application that has access to everything that you have access to, it's the crux of what we're talking about. Zero Trust means not even trusting your applications anymore. Allow what you need and block everything else. From this point on in the presentation, you will hear me say this about 10 or 15 times because that is the crux of Zero Trust."
L-R: Toby Zimmerer, RSM US (moderator); Sean Leach, Fastly; Bill Jessen, Prophecy Americas, Inc.; Dwayne Collier, Open Systems; Derek Washburn, Illumio; and Brad Anderson, Critical Start.
An afternoon panel on "The Current Threat Landscape" featured representatives from Critical Start, Illumio, Open Systems, Prophecy Americas Inc., and Fastly, adeptly moderated by Toby Zimmerer, Director at RSM US LLP.
Critical Start's Brad Anderson said it is important to educate an enterprise's board and executive leadership team about the threat of breaches, and about the fact that one likely will happen.
"I would say assume a breach and try to be as proactive as possible," Anderson said. "And although we all know there's a million things to do every day in security, but just implement controls from that perspective, take a risk-based approach, secure your crown jewels, whatever those may be."
Sean Leach of Fastly said his company did a webinar earlier this year that talked about how the cybersecurity department is often called the "department of no," but in reality it is the department of "know." Leach said it's important to put the focus on enabling the business, not focusing on what not to do.
"How do I make the business move fast while making sure there's good guardrails, making things easy for the developers," Leach said. "That's something we've seen a ton of focus on lately. We call it 'paving the road,' providing environments that are secure by default so that your developers don't have to think so much about it." Help developers be mindful about security without making them worry and think about it all the time, he added.
The "Incident Response!" panel featured reps from three vendors—Expel, Red Canary, and RSM US LLP—moderated by Jay Wilson, CISO of Insurity. Continuing the day's theme, the panelists focused on the need for open communication and cooperation between agencies, teams, and systems.
A lot of the focus was on training so that when incidents do occur, teams, the business, and leadership all are ready and prepared to react.
"Generally, in industry speak, Red Team exercises are focused around penetration breach and those kinds of events," Dave Collins of RSM said. "And I think this goes back to something we were talking about earlier, which is how do we classify something as an incident? The other big thing we're facing in the industry right now is how we've talked about security events and security incidents."
"Back in my day, they were one of the things… now they have different meanings. An event is like the low-level thing; the incident is primarily focused around a breach or data loss. If you're doing a true Red Team test, you're wanting to know how your team is going to react. Are they seeing things in an environment you still have control over? Same thing with an unplanned tabletop; but it's a little bit larger scope because you're bringing in key players that will be involved in the decision making related to the event."
It's all about forcing people to think on their feet, Collins said.
Jason Miller, CSO of Paper Excellence, tackled an interesting topic in "Physical and Digital Cyber Defense: Building Culture and Collaboration." Known as the "other" security, physical security involves protection and mitigation and uses different tools to keep people safe.
When it comes to loss prevention, the old Paul Blart Mall Cop days are long gone.
"Now we're looking at loss prevention in a different way with these RFID tags and readers," Miller said. "So you've got a $5,000 piece of equipment that you need to keep track of. You can just stick one of those RFID tags and if it leaves through this port, which is the only way to get in or out of the place where it is being held, then you're going to know where it is."
Miller encouraged cybersecurity experts to be involved more closely with their physical security partners, especially when it comes to executive protection.
"There's tremendous nexus between physical and cyber for this functionality. There's social media monitoring of threats, personnel vulnerabilities, digital footprint, other risk. It's not all about big, beefy guys who can shoot and drive a car."
For executive protection, you want a security detail that flies under the radar and does not draw attention to themselves or the executive because they are 6-foot-10 and muscle-bound. The importance of protecting the top person in the company can't be overstated. To take down a company, attackers know they can start by tracking and harming a CEO, for instance.
According to Miller, a CEO who is single and goes out to bars and dates has a far different protection plan than a company leader with a family and teenagers who are on social media (and may alert bad actors to the location of their parent). Technical surveillance countermeasures are an important tool in the fight to keep executives safe.
The closing keynote panel discusses the Mountain West Cyber Fraud Task Force. L-R: Alex Wood, Uplight (moderator); Derek Booth, U.S. Secret Service; Suess Beyer, USSS; and Stephen Dougherty, USSS.
The closing keynote featured three United States Secret Service representatives, moderated by Alex Wood, CISO for Uplight and co-host of the Colorado = Security podcast. Cooperation continued as the thread to close the day, with the members talking about the Mountain West Cyber Fraud Task Force (Colorado and Wyoming) and showing a slide of all the law enforcement partners with whom they work across both states.
Derek Booth, Special Agent with the Secret Service, said they are delighted that Ray Yepes is the new CISO for Colorado and that Yepes has even offered them a full-time person from his office to work in the Denver Secret Service office.
"We're in the process of hiring that person, which we're very excited for, because that just expands our partnership," Booth said. "And don't forget our private partners. There are tons of them out there, and that's what we're all about."
Suess Beyer, a former Durango police officer who is now a Network Intrusion Forensic Analyst for the Secret Service, said training is super important. Their goal is to provide training through the National Computer Forensics Institute to agencies and even private enterprises who can't afford it. And that just adds to the networking and cooperation.
"Our job and my job, and the task force officers, are going to be able to respond out to these [incidents] quickly and efficiently to try to assist as best we can and be first on the scene," Beyer said.
From phishing emails to desktop compromises to software vulnerabilities, they are at the ready to respond—fast—and help. Anyone interested in learning more about the Mountain West Cyber Fraud Task Force can reach out to Booth at email@example.com.
More sessions with solid content
Other sessions throughout SecureWorld Denver included:
Robert Scott, Managing Partner at Scott & Scott, LLP, spoke on "Negotiating Data Processing Terms":
"I would say that in the limited instance where the customer has not identified that they're subject to certain regulations for the provider, such that the provider can enter an appropriate data processing agreement, then the customer is responsible for any regulatory issues that arise as a result of that," Scott said. "I wouldn't say that it gives the end-user no responsibility, but it does shift the responsibility to the end-user in the context of the situation where there's regulated data that's not identified and there's not a data process agreement entered into."
Mohamed Malki, Director of Enterprise Security Architecture, Colorado Governor's Office of IT, presented on "Planning, Conducting, and Reporting on Cloud Audit Engagements." This session immersed attendees in the new demand to conduct a comprehensive audit in the cloud. Using proven, engaging learning techniques, attendees left the session with a solid understanding of how to plan, conduct, and report on cloud audit engagements.
Mohamed Malki, Colorado Governor's Office of IT
Gregg Braunton, Insider Threat Operations in the banking industry, spoke on "Create a Purpose-Driven 'Cyber Tribe' to Improve Retention":
"If your team knows that you care, you're going to get a lot further down the road with them, and you're going to be able to get a lot more work and establish that longevity," Braunton said. "What's your sweat lodge is just a little play on the tribal thing, where it's like, where do you guys meet? How do you create that synergy in the team? Today, I have a team that is global, so we're not getting together for an in-person team-building event anytime soon. But we share pictures and videos and memes and things like that [through chat channels]."