The 21st Annual New York State Cyber Security Conference
On June 5th, 2018, I was fortunate enough to attend day one of the annual New York State Cyber Security Conference. The conference was held in the Convention Hall and Meeting Rooms at the Empire State Plaza in Albany, New York. Day two was held on the 6th of June, with a third day on June 7th set for hands-on training for those who wished to get more in depth on the topics covered during the first two days.
Each day offered four time slots, for a total of eight possible sessions to attend over the two days. The conference’s sessions were separated into seven distinct categories on day one, and eight categories on day two. The only repeat was the Annual Symposium on Information Assurance, or ASIA,¹ which was held concurrently within the overall conference. On the agenda for day one, we had sessions covering: Supply Chain Strategy, Securing our Digital Wallet, Controls and Frameworks, Managing Artificial Intelligence, Security Evolution, and Identity and Access Management. Day two’s sessions continued with: Case Studies, Legal, Threat Landscape, Risk and Resiliency, Cyber Defense Tactics, Internet of Things, and Security Testing.²
During his opening address, New York State’s Chief Information Officer Robert H. Samson, better known simply as Bob, stated that New York is, “a recognized leader in the field of cybersecurity.” He brought along his favorite example, the transistor, and offered many opportunities to increase the attendees’ cybersecurity awareness. He outlined in general terms the content that would be covered through the individual sessions, workshops, and trainings.
The aim of the conference, as Bob said, is “to empower state and local governments, academia, organizations and citizens to take better control of their digital security,” and it was very well planned for its 21st consecutive year. He also laid out the current vision of New York State’s consolidation projects,³ in which I play a personal role as one of the newest members of the state’s Data Center Networks team.
After the opening address, the keynote speech was given by retired Air Force Brigadier General Steven J. Spano. From his position as President and Chief Operations Officer of the Center for Internet Security, he outlined the development of the current state of the United States’ Cyber Command. Mr. Spano detailed his integral role in rolling out the Federal government’s enhanced voice-over-IP phone system just before ending his tenure with the Air Force. He praised New York’s Governor, Andrew Cuomo, and Mr. Samson for adopting a centralized approach to providing information technology services. He also lauded the state’s new Chief Information Security Officer, Deborah A. Snyder, for her office’s excellent approach to a unified cybersecurity infrastructure.⁴
Mr. Spano went on to dole out some harsh critiques of the nation’s decentralized model, which he described as operating four distinct service cyber commands: Army Cyber Command, Fleet Cyber Command (Tenth Fleet), Air Forces Cyber (Twenty-Fourth Air Force), and Marine Corps Forces Cyberspace Command.⁵ He contrasted his view of these disparate institutions, rather sharply, with New York State’s unified and centralized model, which I note as still very much under construction.
At the close of Mr. Spano’s remarks, breakfast was served, and the attendees went their separate ways to learn about threats, vulnerabilities and defenses, both new and old. Vendors were on hand to assist the participants in learning about new cybersecurity products, as well as to take advantage of on-site training opportunities. The conference offered a little something for everyone: end-users, information technology professionals, government employees, and proprietors of businesses of all sizes.
My graduate major in cybersecurity at the SUNY Polytechnic Institute⁶ influenced my workshop schedule heavily, leading me to attend alternating sessions on Security Evolution, and Controls and Frameworks. My first session, in Meeting Room 5 on Security Evolution, was directed by Michael Corby, of M Corby & Associates, Inc.,⁷ and was aptly titled, Where Have We Been - Where Are We Going? It was an excellent way to kick off the day, talking about the ways in which the definition of security has changed over the last four decades or so.
The term cybersecurity is possibly the newest concept itself: the field was called computer security back in the late seventies, and progressed through information security and systems security before arriving at its current iteration. Mr. Corby further outlined the addition of business continuity and disaster recovery, and how data loss prevention, privacy and information protection all fit rather comfortably under the umbrella of modern day cybersecurity strategy.
Through generalized examples and a myriad of ever-changing compliance regulations and security models, Mr. Corby detailed New York State’s and the nation’s current paths. Both paths were astutely merged in his speech, as he led us through the steps to make both the private and public sectors more effective and receptive to new cultural and performance-based expectations.
The second session of my day was held in the same room, this time led by Christina D’Antonio of GreyCastle Security.⁸ The change in tone from the previous session was welcome, as Ms. D’Antonio’s affect was very energizing. Her mood was captivating, and visibly engaged the entire room as she launched into her presentation, Classified or Just Classy? - Kicking Assets with Data Classification.
Ms. D’Antonio displayed a laser-like focus on the topic of information classification, explaining that most organizations don’t engage in it, and thus don’t know which assets to prioritize or to protect. Her disdain for organizational spending, usually in the thousands of dollars, to protect otherwise replaceable information was obvious from the third or fourth slide in her presentation. She contrasted this against spending relatively minuscule amounts to protect invaluable data, which most companies seem to do as a regular course of business.
She clearly defined the processes of inventorying, labeling, and defining policies for handling of digital and physical assets according to their importance, replaceability, and sensitivity. She expounded on the benefits of data classification, highlighting practicality and institutional visibility as keys to success. Ms. D’Antonio also helped us through the esoteric process of classification, showing the room how the continuous cycle can save time and money. I learned a great deal from this session, especially as it plays into my enrollment in Information Assurance Fundamentals for the upcoming fall semester.
During the lunch break I visited two vendor booths, VMware and Splunk, both integral pieces of industry-standard software that are used in my position of Information Technology Specialist II with New York State’s Office of Information Technology Services. The vendors themselves were highly knowledgeable about our office’s use of their products, and sent me back with some nice under-fifteen-dollar schwag for my coworkers and me to enjoy without potentially violating ethics rules.
VMware, from a high-level perspective, is a server and workstation virtualization company.⁹ Their various software packages take large, powerful computers and divide them into smaller units suitable for individual user desktops and for dedicated services such as email and file sharing.
Splunk, on the other hand, is a monitoring and logging system that keeps track of almost any kind of networkable equipment, from switches and routers to servers and workstations.¹⁰ The team I work with uses Splunk to collect and monitor logs from New York State’s most important routers, switches, and firewalls. Other teams in the organization use it for keeping up with hardware and virtualized servers, even VMware.
Lunch, I must mention, consisted of visiting Bombers Burrito Bar in the Taste of the Plaza Food Court, on the Concourse level of the Empire State Plaza.¹¹ I hadn’t realized they had opened the new location in September of 2016,¹² and I was pleasantly surprised at my ability to grab a gigantic Red Stripe Jerk Pork Burrito during my brief foray outside the Conference Hall. I always give kudos to their quick service and delicious food.
For a change of scenery after lunch, the Controls and Frameworks session was held in Meeting Room 6, the largest of the available rooms. There, Colin Soutar and Kevin Heckel, both of Deloitte Touche Tohmatsu Limited,¹³ gave an in-depth presentation on Tailoring the Cybersecurity Framework for Government Agencies. Their focus throughout was on the adoption of the Cybersecurity Framework developed by the National Institute of Standards and Technology. The stated goal of the framework is to help “organizations to better understand and improve their management of cybersecurity risk.”¹⁴ The presenters’ focus was to express the importance of developing risk profiles to tailor the framework implementation to the needs and unique set of risks for client organizations.
Participants learned the structures that can be utilized in enabling cyber risk management, as well as the executive components required to help enact those structures. Often, they said, without backing from the highest level of executives, agencies and institutions will lack consistency and struggle to justify the decisions needed to carry out their missions. A constant through each of the sessions I attended was also the need to continuously verify and adjust the execution of organizational risk strategies. Therefore, as they explained, the biggest key to success is involving executives in the process to ensure the proper support, both financially and through management, in the prioritization of cyber risk efforts.
The final session of my visit took me back to Meeting Room 5 for Jeffrey Baez of Palo Alto Networks¹⁵ and his presentation, Making the Case - How to Overcome Cultural Barriers to Adopt a Cyber Prevention Strategy. Like Ms. D’Antonio, the previous presenter in room five, Mr. Baez was energetic and engaging. Palo Alto Networks provides key infrastructure to New York State through the offices where I work, and I was very interested to hear from him about overcoming known and unknown threats. His statement that the “challenge is closer to home than you think” was not lost on me or the rest of the audience, which was composed of various high-level individuals from within the same state government. Mr. Baez spoke of organizational culture, leadership, and approaches to implementation and strategy.
Palo Alto Networks’ products, as Mr. Baez explained, enable an organization to assess its current cybersecurity stance and implement a proactive strategy to protect its digital assets. He used real customer examples and relevant use cases to ‘make the case’ for his employer’s products. His efforts in convincing the room became even more evident after the conference when I realized my office was in the process of adopting their Internet filtering platform on a statewide basis. He left a very lasting impression on me by ending the day with a great question and answer portion, where we got to listen to questions from state executives from the Department of Health and the Department of Labor.
After such a full day of learning experiences, I must give major thanks to our hosts for doing such a spectacular job: the University at Albany’s School of Business, The New York State Forum, Inc., and of course my employer, the New York State Office of Information Technology Services.