Tangible Announcements

Arlington, VA, October 14, 2015: Tangible Security supported President Obama’s National Cyber Security Awareness Month at the Pentagon, providing tips, trends, and anecdotes to military and civilian personnel. Many Pentagon cybersecurity personnel also engaged us in protracted discussions on many of the hottest cyber issues of the day.

Tangible Security provided participants valuable information on cybersecurity myths that pertain to their everyday experiences. Over a third of the participants acknowledged that they learned a new, compelling point justifying user cyber awareness. It stems from the fact that no budget is large enough to fund the mitigation of all possible cyber risks. Thus, each user must help contribute to the overall cybersecurity of their respective organizations.

The handout provided to participants of the Pentagon’s Cyber Awareness Day is also available to view.



Many participants were unaware of the cybersecurity contributions that Tangible Security has made to the Defense and Intelligence communities. Yet they all log on to Windows workstations and other assets via their Common Access Card (CAC), a PKI-based smart card. Many other participants visit other Department of Defense facilities where they can immediately use local workstations. All they need to do is insert their CAC and type their PIN. Within seconds, a local, temporary Windows user account is created for them. This enables them to be productive immediately, without having to fill out forms or wait for local personnel to provide them with credentials or equipment. Only the most senior Pentagon personnel seemed to know who helped make all of this possible for the millions of DoD users every day. That changed for many participants, who learned that none of that would be so without Tangible Security.

Tangible Security personnel and cybersecurity experts at the event discussed the necessity of, and practical considerations for, achieving ever higher levels of security maturity and cyber readiness. A consensus rapidly formed regarding cyber readiness. First, it requires organizations to regularly conduct ‘war games’ that enable personnel to practice the execution of their respective:
  • Policies
  • Processes
  • Procedures
  • Tool usage.
This must all be done in the context of relevant use-case scenarios. Second, and this point is new to many, readiness would benefit from systematically measuring the time that role-specific user actions take within relevant use-case scenarios in:
  • Detecting
  • Analyzing
  • Containing
  • Remediating.
For example, enterprise intruders typically move laterally within an enterprise via pass-the-hash attacks. How long does it take your organization to:
  • Detect unauthorized hash usage
  • Identify the endpoints compromised and the other account hashes exposed
  • Capture audit data to assess the intruder’s activities
  • Identify all resources the stolen hash(es) is authorized to access
  • Contain the intruder
  • Remediate the breach
Such metrics, within a standard framework, would theoretically enable executives to gauge their organization’s readiness relative to peers. Third, all data sharing and information reporting must NOT aid attackers.

No single cyber awareness event can transform an organization’s cyber readiness from one level to a higher one. However, a steady progression of events such as these can substantially improve the overall cybersecurity posture by effecting change in its users, all of whom are ultimately a critical part of successfully defending vital cyber assets.