Interactive Tabletop Exercise from the view of a CXO
Marty Gephart (a.k.a. GEP) - @mgep104 on Twitter
2 Background of the speaker
- In the IT industry since 1988
- Various industries
  - Defense
  - Transportation/Airline
  - Hospitality
  - Online Retail
  - Financial services
  - Healthcare/Digital Publishing
  - Healthcare/Payer
- Currently Enterprise Architect for a large health insurance company
- M. Gephart - Opinions are my own, and not that of my employer 8/28/2017
3 Why should you listen to this wing nut?
- Lived through multiple scenarios similar to what we will do today
  - Some as a software engineer on critical systems
  - Some as a mid-level manager on the BCP/Incident response team
  - Some as an executive
4 Recent events
- Sony
- Staples
- Home Depot
- Anthem
- Merck
5 Quick survey of the room
- What is your role in an event today?
- What do you think about during an event?
6 Traditional Tabletop at a small to mid-sized business
- BCP team, individual roles, or department heads
- Tactical – how to manage the event
- Does it include every executive, or do they send their designee?
7 For today – we are all on the dark side.
- We are all in executive leadership
- We will discuss the following
  - Role of each executive in an event
  - How can each CXO lead during an event
  - Everyone has a role to play
- I hope you take away from today the following:
  - Think about how the boots on the ground tech team can understand the executive perspective when framing status and actions
8 My thoughts on each CXO and their role
- CEO – outside communication, board communication, shareholders
- COO – Get the business operations running again, and understand before/during/after impact
- CFO – Financial impact, earnings per share impact, insurance, legal, human resources impacts
- CIO – Get the systems up and running again
- CMO (Marketing) – customer communications
- CISO – Lead the tactical event for the executive team. Post-event lessons learned/process change agent
9 Size matters
- Small, medium, large businesses
- The responses and roles are different!
10 Would you like to play a game?
11 RPG - teaching infosec using D and D
- From Black Hat 2016 – Tiphaine Romand-Latapie’s presentation
  https://www.blackhat.com/docs/us-16/materials/us-16-Romand-Latapie-Dungeons-Dragons-And-Security.pdf
- You need:
  - One meeting room and one paperboard / drawing board
  - 4 to 8 players
  - Energy
  - 90 to 120 minutes (more if you’re up to it)
  - No Dice / No Dragon
- You (The Security something):
  - Are the Game Master
  - Conduct the game during 30 to 45 minutes
  - Then explain the parallel between what happened in the game and the InfoSec world
12 Our game is a little different!
- Volunteers
  - One Black Hat to play the bad actor
  - 5-6 others: CEO, COO, CFO, CIO, CMO, (CISO – optional)
- We will go through Action/Reaction for each volunteer
  - You can only make one move at a time…
  - Attacker goes first
- Run for 15-20 mins
- Recap for round table discussion
13 Scenario 1 – SHTF day
- You have arrived to work at 8 am.
- At 8:05 am, 6 buildings, all PCs have a ransomware screen… precisely at 8:05 am
- No one can work.
14 Scenario 2 – The really angry ex
- 10 am on a Tuesday, CIO is informed that an employee sys admin with root level access has been terminated for cause
- When the employee received the notice of termination, they became belligerent, and were escorted from the building
- All IT access for that employee was revoked.
- Friday 5 pm, the CIO is informed that there are now active credentials for the terminated employee with “keys to the kingdom” access.
15 Scenario 3 (if we have time) – You found what!?!
- 3 pm on Wed, help desk has discovered questionable content on a finance employee’s laptop and informs supervisor
- Laws may have been broken
16 Scenario 4 (if we have time) – The data thief
- Friday, 5 pm. Key operations employee prints company secret formula and a full list of clients/prospects
- Employee writes and sends “I quit” email to their supervisor
- Leaves at 5:01 pm
17 Recap
- Thank you for coming!
- Was this useful?
- Hopefully you leave today with a new perspective
- Take your new perspective back to your BCP teams and discuss
- Send me feedback on how to make this better
  - @mgep104 on Twitter
  - Email: psudsp1@yahoo.com
18 Resources
- Teaching infosec with D n D
  - PowerPoint: https://www.blackhat.com/docs/us-16/materials/us-16-Romand-Latapie-Dungeons-Dragons-And-Security.pdf
  - White paper: https://www.blackhat.com/docs/us-16/materials/us-16-Romand-Latapie-Dungeons-Dragons-And-Security-wp.pdf
- Usenix presentation video: https://www.usenix.org/conference/srecon16/program/presentation/goldfuss
- FEMA ICS training: https://training.fema.gov/is/courseoverview.aspx?code=IS-100.b