Ballroom Sunday 8:00 – 9:00 AM
Presenter: Shawn Henry, CrowdStrike Services
CrowdStrike engages in significant proactive and incident response operations across every major commercial sector and critical infrastructure, protecting organizations' and governments' sensitive data and networks around the world. Hear expert perspectives on the current state of cyber threats to critical and election infrastructure, and on what is being done about them.
Projects – From Design through Operation
Specifying Integrated Systems vs. Components
CSI MasterFormat as it relates to security (Div 08 and Div 28) is largely structured around components: cameras, readers, etc. Increasingly, however, systems are specified as a unified or integrated collection of sub-systems. There is some newer provision for this in Div. 28 (see 28 05 45, Systems Integration and Unified Systems) and added flexibility within the MasterFormat framework. Is this adequate, or should a rethinking of MasterFormat be considered? Hear from several consultants who are wrestling with this issue and from CSI with a broader construction industry perspective.
Scenario Based Testing/System Validation
Following a system installation, but prior to acceptance and sign-off, what is the most effective way to reasonably assure that the system works as intended? Is it through a checklist of functional criteria? Through an evaluation of pre-designed scenarios? Should 100% of devices be tested, or should random sampling be employed based on pre-determined criteria? When is it practical for Client operators to be involved? How might such testing/validation impact completion of the construction project? This session will discuss these issues and the approaches security consultants should take throughout the project to improve the end result and Client satisfaction, whether or not they are involved in the actual system commissioning.
Planning for the Operational Phase of the Life Cycle
Operational issues associated with achieving the risk-reducing goals of the original system procurement may be obscured because the Client is not a security expert. What is the consultant/integrator responsibility to the Client post-commissioning when the contractual agreements have been concluded, and who then owns security through a solution's retirement? Value-add services, extended warranties, all-inclusive support contracts, and upgrades are often overlooked or rejected, but would ultimately benefit the Client. Further, the Client's overall corporate structure, leadership, and personalities may impact such contracts. Is there a conceptual or organizational separation between devices and data, and, if so, who is responsible for each? What about network operation after installation? Is security notified and/or consulted when minor or major network outages are planned for maintenance and upgrades? As "trusted advisors" to the Client, consultants have the opportunity to both shape and meet Client expectations for reliable system operation, cementing relationships in the process.
Design-Build - Threat or Opportunity?
To what extent do an integrator's efforts to serve as both system designer and installer create a competitive threat to the security consultant? Can a proper design really be accomplished without an enlightened assessment of a facility's risk? Is security being compromised for the sake of cost? Or is there an opportunity for consultants and integrators to partner, so that a solid, risk-responsive design can be accomplished and installation by a known, competent integrator can be assured? If so, does an involved security consultant act as a voice for the Client, or will the operational requirements of the Client be sacrificed partially or completely to meet a construction cost goal? Hear both sides of this situation from a panel representing both designers and installers.
Approaches to Penetration Testing
Presenter: Michael Glasser, Glasser Security Consulting
Penetration Testing ("pen testing") is a set of security tests and evaluations that simulate attacks by a hacker or other malicious actor. It goes beyond vulnerability assessment, which is designed to find and document vulnerabilities that may be present in an organization's public or private network but is controlled so as not to interrupt normal business operations. Pen testing is usually conducted by an outside entity that simulates an attacker to see how far it can get into a system. In this session, you will learn about pen testing techniques and how to appropriately adjust the scale and scope of the pen test to accommodate various client situations and scenarios. Of particular note are "Red Team / Blue Team" exercises, which simulate attack (red team) and defense (blue team) scenarios to strengthen overall security.
Preserving the security of an identity has two objectives: (1) uniquely tying one's credentials to an individual to validate that they are who they say they are, and (2) maintaining the security of those credentials to prevent someone else from stealing them to access information or services tied to the credential holder. User names and passwords are no longer considered adequate. This session will review current and proposed techniques for providing more highly secured credentials. These will include FIDO ("Fast Identity Online"), PIV ("Personal Identity Verification") and CIV ("Commercial Identity Verification") smart cards, and mobile credentials.
CMMC - An Integrator Qualification with Teeth
The Department of Defense ("DoD") recently announced the development of the "Cybersecurity Maturity Model Certification" ("CMMC"), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base ("DIB"), particularly as it relates to controlled unclassified information ("CUI") within the supply chain. The CMMC is expected to designate maturity levels ranging from "Basic Cybersecurity Hygiene" to "Advanced." For a given CMMC level, the associated controls and processes, when implemented, are intended to reduce risk against a specific set of cyber threats. While initially targeted at DoD, this is expected to expand to the entire Federal Government and into critical infrastructure. Learn the importance and details of this program as it applies to integrator/contractor qualifications and the ability to work on specific types of projects.
Underlying Elements of Cyber Security Certification and Specifications
Most project specifications incorporating cyber security elements put the onus for implementing a cyber-secure system on the integrator. But what is reasonable to require of an integrator, and how can integrators be evaluated on their ability to perform what is expected of them? This is the premise behind SIA's forthcoming cyber security certification for integrator technicians. This session will consist of a discussion of the tasks and areas of competence that should underlie both this certification and specifications incorporating cybersecurity. Learn how this certification is planned to bring value to the end user, integrators, and manufacturers.
Questions or comments? Contact us at info@AttendConsult.com.
CONSULT is a security industry event sponsored by SecuritySpecifiers. SecuritySpecifiers is an online community and network of security professionals established to address the need for the physical security industry to more effectively engage with designers and consultants.