Over my 13 years working with enterprises at Gartner, I noticed that the companies with the fewest security incidents were rarely the ones with the biggest budgets. Almost invariably, the common denominator was the quality of their information security team, and in particular some person or small group of people that took the initiative to get something done that would improve security rather than look for reasons why it would be too hard.
So, here at SANS Alan Paller and I decided to query the security community to find people who made a difference in security in 2013. We received a long list of nominations and narrowed it down to 12 winners and one honorable mention. It is a mix of individuals, groups and one government agency - very few of whom have been in the headlines this year, but all of them have done the real work of helping change conditions in ways that quantifiably increased security.
The awards will be presented today at the SANS Cyber Defense Initiative conference in Washington DC. Congratulations to all the winners!
SANS 2013 "People Who Made A Difference in Cybersecurity" Award Winners
1. Maj. TJ O'Connor, West Point:
Challenge: The military services are the front line in defense of the nation, but because the cyber domain is relatively new, effective cybersecurity doctrine is scarce and there is a severe shortage of military officers with the combination of deep technical skills and strategic thinking needed to lead cyber planning and operations.
The award-winning initiative:
Maj. O'Connor built a cyber capability in his team that set the standard for his entire organization. He used the existing information assurance (IA) roles to build the team, and then provided training that gave them a capability far beyond that of a normal IA team. He created one of the first Cyber Guardian teams and showed other organizations how to do it. He has become the go-to advisor to senior leaders who need help thinking about the skills needed for world-class cybersecurity teams. Maj. O'Connor is a leader in other ways as well. While teaching cyber exploitation classes at the U.S. Military Academy, he was accepted into the SANS graduate degree program, where he performed research in cooperation with Microsoft engineers on advanced persistent threats and developed an enterprise-class tool capable of detecting and terminating the attacks. During his final year of studies for the SANS master's degree, TJ wrote and published a book (Violent Python) so popular that it is already in its third print run.
2. Todd Boudreau/SigCoE
Challenge: Meeting the nation's requirement for military personnel with advanced cyber skills for offense and defense
Award-winning program: Developing the U.S. Army Cyber Warrior
Beginning in late 2007, CW5 Todd Boudreau of the Office of the Chief of Signal began redesigning the Army Signal warrant officer structure to enable the establishment of four new key cyber roles: the Army's Expert Cyberspace Content Technician (255A), the Army's Expert Cyberspace Network Management Technician (255N), the Army's Expert Cyberspace Defense Technician (255S), and the Army's Senior Cyberspace Network Operations Technician (255Z). Since then, the Army has graduated over 100 Warrant Officers through an advanced training project to develop people to fill those roles. Today the people developed by the program are seen as Army Cyber Warriors and the gold standard for Army Cyber personnel.
3. Lawrence Wilson, CISO University of Massachusetts
Challenge: Larry Wilson was brought on to lead the UMASS Information Security program after UMASS experienced a breach that exposed the personal information of a large number of users. He found that resources were overly focused on meeting process audit compliance demands, causing data protection to be under-emphasized.
Award-winning program: Larry focused on using the Critical Security Controls as the "inner core" security controls to protect "Critical Information Assets." Management and administrative security controls are based on ISO 27002, while technical security controls are based on the SANS 20 Critical Security Controls. The ISO and SANS controls are documented in the University Written Information Security Plan (WISP). This has allowed UMASS to increase the level of security controls that actively mitigate advanced threats, resulting in both fewer incidents and faster response to the incidents that do occur.
4. The Global Industrial Cyber Security Professional (GICSP) Team - Tyler Williams, Auke Huistra, Markus Brandle, Graham Speake, Doug Wylie, Michael Chipley and Tim Conway
Challenge: Control system engineers manage a large part of the world's critical infrastructure: power and oil and gas systems. A second group, IT security professionals, is often given responsibility for protecting those systems. Sadly, the two groups have different jargon, different criteria for success, even different objectives. They rarely find it easy or comfortable to cooperate. As a result, a little-known fact is that the vast majority of security projects designed to protect critical control systems are NEVER completed.
Award-winning program: The Global Industrial Cyber Security Professional Certification Program
This global team includes highly respected control system engineers with cybersecurity knowledge and IT security professionals with deep control systems expertise. People from oil & gas, from electric power, from control systems vendors, and from IT security companies joined together in this project. The combined team developed a body of knowledge that bridges the control systems and IT security communities. They went on to develop a GIAC examination that allows people from both groups to prove (to themselves, their bosses, and people from the other community) that they have the expertise about security threats, techniques, tools and constraints that demonstrates they can be trusted to be part of teams securing industrial control systems. Major oil & gas companies, power companies, and control system manufacturers are establishing the GICSP as the minimum standard of knowledge for their employees and their suppliers working on control systems security - whether they are control systems engineers or IT security people. The trust that the GICSP engenders is the catalyst that is enabling progress in control systems cybersecurity to gain momentum around the world.
5. Melanie Woodruff, Experian
Challenge: The vast majority of successful cyber attacks exploit errors made by programmers. Colleges don't teach secure coding, and many books on programming include sample code that contains common security flaws. In other words, most programmers have no way to learn how to write "defensible code," and as a result they put their companies' users and customers at risk.
The award-winning project: SecureCORE
Over five years ago, Experian began an initiative to integrate application security testing into the development process of all of its applications, worldwide. Melanie leads the program, called SecureCORE, and has grown it to cover all Experian-developed products, whether developed for internal use or for a third party. Her program has educated 3,000 developers across the enterprise and has increased both the number of developers participating in the program and the number of applications scanned year over year.
6. Jack Nichelson of Graftech, honorable mention
Challenge: Dealing with large numbers of hard-to-block Java-based malware infections
The award-winning project: Virtualizing Java
By leveraging Microsoft App-V, Graftech was able to virtualize Java for accessing Java content and thereby remove Java from 90% of its workstations. For the remaining 10% of workstations that still needed Java to run locally, they ensured that Java was disabled in the main browser. The result: the malware infection rate fell by 60% and the number of systems that required re-imaging fell by 80%.
7. Erica Borggren - Director of the Illinois Department of Veterans' Affairs
Challenge: The United States has a shortage of security people with advanced skills in forensics and vulnerability analysis and other very technical skills. At the same time, nearly one million military men and women will be entering the civilian work force over the coming months at a time when well-paying jobs are scarce. Many of these men and women have technical skills and other characteristics that make them potentially eligible to take on the mission-critical roles in cybersecurity. However there has been no easy way for veterans to test their aptitude and develop the technical skills that prepare them for the advanced roles where pay is high and the need is great.
The Award-Winning Project: The State of Illinois' veterans' recruitment program for the 2013 Cyber Aces competition
Erica Borggren, in her role as Director of the Illinois Department of Veterans' Affairs, has shown the entire nation how to find cyber talent among returning veterans. She has long been a model of tireless leadership in expanding career training work with veterans in Illinois. But in 2013, she led Illinois to recruit veterans as more than 35% (358 of 1,001) of its participants in the nation's most respected cybersecurity skills evaluation and development program - Cyber Aces. Thanks to Erica, tremendous progress was made in figuring out what works and what doesn't work with this constituency - information that will substantially increase the number of veterans engaged first in Cyber Aces and ultimately in careers in cybersecurity.
8. Jonathan Trull, CISO - State of Colorado
Challenge: State IT security organizations have substantial responsibility - for the security of law enforcement, taxation, health and multiple other elements of government - but they rarely have enough resources to make a difference in the effective security of those agencies.
The award-winning project: Colorado's Top Four Security Controls Implementation
Jonathan Trull had been Colorado's state auditor responsible for IT audits for a decade when the Governor asked him to take over as Chief Information Security Officer for the state in 2012. As an auditor he knew where the problems lay. His first step was to demonstrate just how vulnerable state agencies were - a task he completed quickly using an outside penetration testing team. The evidence he developed in that test helped him gain legislative and administrative support for an expanded cybersecurity program. He pulled together a cross-industry team and put together the "Secure Colorado" plan, which focused on the Critical Security Controls and some early quick wins to drive measurable improvements in the security of the State of Colorado's information systems. His initial changes reduced the number of successful attacks by 75%.
9-11. The next three awards are all related to a common challenge: finding a way for the United States and other nations to identify cybersecurity talent and to develop that talent into world-class technical cybersecurity professionals. The Department of Homeland Security's Task Force on CyberSkills documented the failure of current education programs to deliver deep technical talent. The DHS Deputy Secretary summed up the problem saying "we have too many frequent flyers and not enough pilots." These three award winners made a difference and are continuing to make a difference in solving that problem.
9. Jeff Hanson - Damascus High School
Jeffrey Hanson has led the networking education program at Damascus High School for many years and, on his own, built a lab and taught himself cybersecurity. When the Governor of Maryland launched the first state cyber challenge, he assembled a group of students at Damascus, taught them what they needed to know, and encouraged them through the process. They won several of the top slots in the state - including state champion - and were celebrated by Governor O'Malley at a ceremony in his office. But that's not the reason for this award. Mr. Hanson generously invested time and expertise in improving the quizzes and tutorials that teach the foundation skills needed for mastery of technical cybersecurity. His guidance made the program, called "Cyber Foundations," substantially better and helped enable it to become the core of the new Cyber Aces Online program that seven governors launched this past fall, drawing 10,600 participants as potential future cyber technologists.
10. Mandy Galante
Mandy Galante is a high school teacher at Red Bank Regional High School in New Jersey. When Governor Christie decided New Jersey would be the first state to launch the Cyber Aces cybersecurity talent search and training program, Ms. Galante assembled her students and prepared them to win. Using the Cyber Foundations tutorials that Mr. Hanson helped perfect, and adding extensive hands-on exercises, she was able to help her students score higher than 98% of the 600 other contestants, despite the fact that those others were college students, college graduates, and even active professionals. She was an inspiration to her students not just because she was a good teacher, but because she participated equally with her students and was one of the 12 New Jersey winners accepted into the Cyber Aces Academy - the nation's most intense cybersecurity training program outside the military. Ms. Galante embodies the great truth of cybersecurity education - only people who know how to do cybersecurity are effective teachers - and I am confident that even when she holds a major role as a cybersecurity practitioner after completing the Cyber Aces Academy, she will still take on teaching responsibilities and be one of the nation's great teachers in cybersecurity.
11. Mike Qaissaunee - Brookdale Community College
Mike Qaissaunee leads the nation's first Cyber Aces Academy, which is allowing Ms. Galante and the other students to master the advanced skills needed for mission-critical roles in cybersecurity. Mike is an innovative and widely respected teacher, but he had no deep cybersecurity knowledge when the president of his college decided that Brookdale Community College would be the home of the nation's first Cyber Aces Academy. He stepped up. He developed the program, won National Science Foundation support, interviewed the eligible winners to see who would be successful, and chose the class. He is also taking the courses along with the Cyber Aces Academy students to give Brookdale the capacity to teach the courses in the future and expand Brookdale's leadership in cybersecurity education in New Jersey. He has even made progress in obtaining a separate building where Brookdale's cybersecurity programs can be housed. And he is the ambassador for the Cyber Aces Academy program, sharing the lessons he has learned to help other schools follow in Brookdale's footsteps.
12. Federal Trade Commission - Public Affairs contact Peter Kaplan
Challenge: The FTC is an independent federal agency with a unique dual mission to both protect consumers and promote competition. The FTC is responsible for protecting consumers by stopping unfair, deceptive or fraudulent practices in the marketplace, including privacy and security abuses. Identity theft has had a major impact on consumers and the FTC stepped up to that challenge.
Award Winning Effort: Regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and, in particular, on going after companies that don't protect their customers' information. The FTC doesn't seem to need new laws or more money; it just keeps fighting for consumers.
The most recent example was the FTC's enforcement action against TRENDnet. The FTC's complaint alleges that TRENDnet marketed its cameras for uses ranging from baby monitoring to home security and that TRENDnet told customers that its products were "secure." In fact, however, the devices were compromised by a hacker who posted links on the Internet to live feeds of over 700 cameras. Additionally, TRENDnet stored and transmitted user credentials in clear, unencrypted text.
Under the terms of its settlement with the FTC, TRENDnet is prohibited from misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or devices transmit. The company must also establish a comprehensive security program and notify customers about security issues with the cameras and must provide a software update to customers to address security issues.
13. DHS ICE Social Engineering Training Effort - Alex Ruiz, DHS
Challenge: Like most organizations, the Immigration and Customs Enforcement agency continued to see users impacted by social engineering attacks through targeted fraudulent emails, often called spear phishing. The challenge was to develop user awareness education and training that would cause real changes in behavior, leading to measurable increases in security.
Award-winning effort: Alex Ruiz led the Immigration and Customs Enforcement (ICE) Social Engineering Training (ISET) Program, which evaluates and improves the operational security posture of ICE personnel. The ISET evaluations help ICE understand its exposure to social engineering threat vectors by measuring ICE personnel's ability to identify a social engineering attack and to report the incident once it has been identified. The ISET team developed a multiphase approach to ensure awareness of social engineering and phishing, and of the importance of safeguarding Personally Identifiable Information (PII).