
MAR-APR 2019 Cybersecurity Edition

VOLUME 17 • NUMBER 2

Serving as the bridge since 1997…

Industry • Academic • Government

CIO Council • CEO Council • Cybersecurity • Data Analytics Infrastructure/Cloud • Municipality IT • Women 4 Technology

Technology… the foundation and future of every business. technologyfirst.org


LEADERSHIP

The Responsibility of Everyday Cybersecurity

By: Tim Ewart, Former Technical Director-Air, Space, and Cyberspace HQ Materiel Command, WPAFB

Cybersecurity is a common word in today’s vocabulary. It seems you can’t go a day without hearing about some sort of data breach. While vulnerabilities exploited at the Office of Personnel Management, Target, Blue Cross and Blue Shield grabbed people’s attention, the problem is still rampant today. Everybody has information needing protection. It could be health records, financial information, intellectual property or a Facebook account. Everyone has a responsibility to practice cybersecurity.

Protecting your sensitive information seems a daunting task. It is not easy creating an impenetrable fortress against every threat, every hour of every day. There always seems to be an unseen foe able to find our weakest link. We improve our defenses. Our foe finds a different exploit. It seems like an endless cycle. The challenge is recognizing the need to balance protection and accessibility. The conundrum is allowing the flow of information to appropriate individuals, while denying access to unauthorized people. Provide too much access and information ends up in the wrong hands. Provide too much protection and you create a self-denial of service. The difficulty is finding the sweet spot and staying there.

Allow me to try an analogy. What precautions do you take to prevent catching the flu each winter? How do you protect yourself from this virus? Do you get a flu shot? The health care and insurance industries have made it easily accessible to most people. Are you afraid you will be under the weather for a few days after the shot? Getting the flu shot does not guarantee you will avoid the flu. Medical professionals claim the flu shot helps prevent contracting the disease. Yet, we must get the flu shot annually because the virus strain changes each year. What other precautions do you take? Do you have a layered defense against the flu? Frequent hand washing is another recommendation from medical professionals. Limiting your exposure to sick people is yet another positive step toward flu avoidance. Yet, none of this guarantees you will not get the flu. I don’t know the success rate of living in a plastic bubble to protect yourself. However, my guess is it will prevent you catching the flu and dampen your social interactions.

My point is this: cybersecurity requires constant attention, due diligence and a layered defense. Performing all the right actions provides the best protection, but adversaries can still penetrate our fortresses. We all know the appropriate precautions to take: keeping up with patches, performing system backups, limiting access and ensuring those with access are who they say they are. These methods are tried and true. These techniques provide the necessary protection and maintain the appropriate accessibility to provide the needed service.

Use the 16th Annual Ohio Information Security Conference as an opportunity to get your annual cybersecurity flu shot. Think of it as your chance to learn the latest protection techniques. This is your opportunity to build your layered defenses. Together, our community can protect our vital information. Together we can build our impenetrable fortress.

CONTENTS

The Responsibility of Everyday Cybersecurity
OISC19 Keynote Speakers
Meeting the Cybersecurity Challenge
UPCOMING EVENTS
Company Email vs Personal Email – A Necessary Separation
Understanding the Cybersecurity Threat
IT Leader Spotlight
OISC 2019 Breakout Sessions
Are Information Security Management Systems Helpful?
What to Look For in a Cyber Insurance Policy
Matrix and Emotet: What You Need to Know About These Two Types of Cyber Attacks
Board Members
Board of Directors
2019 Events

Technology First | MAR-APR 2019


16TH ANNUAL OISC

OISC 2019 Keynote Speakers
16th Annual Ohio Information Security Conference
March 13, 2019 | Sinclair College Ponitz Center, Dayton, OH

BREAKFAST KEYNOTE: US Secret Service Threat Overview and what that means for Ohio
Presented by: Kevin Dye, Resident Agent in Charge – United States Secret Service/Dayton

Kevin is the manager of the Southern District of Ohio Financial and Electronic Crimes Task Force. The Task Force is responsible for criminal investigations of electronic and financial crimes from Columbus, Ohio to Northern Kentucky and partners with hundreds of task force members from numerous federal, state and local law enforcement agencies. He returned to Ohio in May 2016 from Washington DC where he was assigned as a supervisor and Spokesperson for the Secret Service in the Office of Government and Public Affairs. He is an Adjunct Professor at the University of Dayton and he has been previously assigned to the London Police Department, New Scotland Yard and the Romanian National Police Force as a liaison expert for the Secret Service in computer forensics and computer security. A former member of the Presidential Protective Division from 2005 – 2010, he returned to investigative duties and was promoted in 2013.

LUNCH KEYNOTE: The Internet of Invisible Things
Presented by: Bryan K. Fite, Global Account CISO, BT

A committed security practitioner and entrepreneur, Bryan is currently an Account Chief Information Security Officer (CISO) at BT. Having spent over 25 years in mission-critical environments, Bryan is uniquely qualified to advise organizations on what works and what doesn’t. Bryan has worked with organizations in every major vertical throughout the world and has established himself as a trusted advisor.



ACADEMIA

Meeting the Cybersecurity Challenge

Cedarville University

The cyber threat may be the scariest of all the threats faced by organizations today. It is unmistakably real, constantly looming, and potentially even existential. What is it about cyberspace that makes it so risk-laden? Part of the answer is that cyberspace is very different from physical space, and unfortunately, most of the differences encourage criminal activity to run amok.

One critical difference is that cyberspace is distanceless, meaning that everybody is within instant reach of everything and everybody else. In physical space, the laws of physics graciously limit the number of malicious people capable of harming someone, but in cyberspace, every bad actor is an imminent threat to every single online enterprise.

Also, cyberspace is a digital world, making it easy to duplicate (i.e., steal), destroy, and manipulate the assets of cyberspace (i.e., data). For example, in the analog world creating a perfect forgery or impersonating somebody requires sophistication, but in cyberspace these things are trivial. Cryptography is the best defense against most of these types of attacks, but it is not as pervasive as it needs to be, and even in places where it is found, it is frequently used or implemented imperfectly.

Cyberspace is also dynamic. Not only do computers frequently come online, go offline, and change locations, but their users also vary – especially when their security has been compromised. Because of its constant fluctuations, determining who did what when in cyberspace is often an intractable problem.

Lastly, cyberspace is dark, and darkness is a friend of evildoers. Light is the great antiseptic to wrongdoing of any kind, but it is difficult to gain visibility into the complex and invisible world of cyberspace. Many criminal activities go undetected for months, and it is possible for cyber criminals to remain anonymous even after suspicious activity is identified. Cyber criminals often feel like they are acting with impunity, and in many cases, they probably are.

In summary, cyberspace as a medium is biased. It is the embodiment of a dangerous combination of temptation, opportunity, and plausible deniability (if not outright anonymity). But cyberspace is also the enabler of extraordinary modern conveniences, and it will only continue to intersect more of everyone’s everyday lives. These two facts, cyberspace’s malicious bent and society’s increasing dependence upon it, make cybersecurity, which seeks to protect the rights of individuals and organizations in cyberspace, a noble challenge.

Colleges and universities around the country are creating cybersecurity programs to help meet this challenge. In a nutshell, these programs teach the good guys what the bad guys already know. Cyber students are taught technical knowledge and skills, adversarial thinking, and the tricks of the hacking trade. This is essential for helping to level the cyber battlefield. But this type of education, especially when it is combined with the privileged access grads will require, is also a cause for concern. Will the good guys not also face temptations and moral ambiguity in this maliciously-bent world? Can they be trusted to make the right choices every time even when nobody will probably ever know the difference?

For this reason, the best cyber higher ed programs will stress character development alongside the hard skills they teach. The most prized cyber defenders and cyber operators will have the integrity to match their technical expertise. Cybersecurity education programs must embrace this reality in order to ensure they are contributing to the solution and not to the problem. Someone in the past has said that a person’s character is who they are when nobody is looking; today it may be better said that a person’s character is who they are in cyberspace.

Author Bio

Seth Hamman is the Director of the Center for the Advancement of Cybersecurity at Cedarville University. He is also an Associate Professor of Computer Science in the School of Engineering and Computer Science. He earned his B.A. degree in Religion from Duke University, his M.S. degree in Computer Science from Yale University, and his Ph.D. degree in Computer Science from the Air Force Institute of Technology. His research interests include helping to shape the growing field of cybersecurity education. Seth can be reached at sethhamman@cedarville.edu.

Founded in 1887 and located near Wright-Patterson Air Force Base in Ohio, Cedarville University is an accredited private Christian college with an undergraduate enrollment of over 3,700 students. Cedarville’s cyber program is one of only twenty in the nation designated as a Center of Academic Excellence in Cyber Operations by the National Security Agency. For more information, please visit www.cedarville.edu/cybercenter.


UPCOMING EVENTS

CIO Council (IT Leaders) Meeting
Friday, March 29, 2019 | 11:30am – 1:00pm
John R. Jurgensen Company, 11641 Mosteller Rd, Cincinnati, OH 45241

Data Analytics Special Interest Group Meeting
Friday, April 5, 2019 | 8:30am – 10:00am
Business Solutions Center, 1435 Cincinnati St, Ste 300, Dayton, OH 45417

Infrastructure/Cloud Special Interest Group Meeting
Friday, April 5, 2019 | 11:30am – 1:00pm
Business Solutions Center, 1435 Cincinnati St, Ste 300, Dayton, OH 45417

Tech Thursday – After hours Networking
Thursday, April 11, 2019 | 5:00pm – 7:00pm
Local Brewery TBD | Sponsoring Partner: TEKsystems

Mark your calendars for the Leadership Awards! Technology First’s annual night of celebration!
Wednesday, May 1, 2019 | 4:00pm – 6:00pm
The Dayton Club | 40 N. Main St, Dayton, OH 45423

EVENT HIGHLIGHT:

Tech Forum – OPEN to ALL!
Kroger; a Tech Company that sells Food
Facilitated by: Ryan Kean, VP, Technical Strategy and Architecture, The Kroger Co.
Thursday, April 18, 2019 | 11:30am – 1:00pm
Business Solutions Center, 1435 Cincinnati St, Ste 300, Dayton, OH 45417

Ryan Kean has served in a variety of technology roles for the past 20 years. In his current role, Ryan is the Vice President of Digital Technology for The Kroger Co., based in Cincinnati. His responsibilities include leading the Enterprise Architecture, Cloud Services, Performance Engineering, Data Strategy, PMO, User Experience, and Quality Assurance teams. Ryan recently concluded multi-year assignments leading the rollout of an enterprise item master data management program as well as the development of a strategic technology portfolio management process.


Montgomery County’s Project Hire program can help your business recoup the costs of training new employees. The program offers up to 50 percent reimbursement of an employee’s regular wages for up to six months, allowing you to train new workers with fewer costs. Project Hire has helped dozens of companies in Montgomery County build their workforce, allowing businesses to focus on training new employees without the cost of downtime. One of those companies is Bitec Division of Sample Machining. “Project Hire has been very easy to work with for both the employer and the employee,” said Vera Tangeman, Human Resource Manager at Bitec. “I would advise any business that is looking for employees to utilize Project Hire.” Montgomery County is committed to supporting our businesses and investing in our workforce. Through Project Hire, the county is working toward both of those goals. And with a dedicated staff, companies working with Project Hire have someone to guide them through every step of the application and training process. The funds available through Project Hire make the hiring and training process easier and cost-efficient. “Our employees have benefited from Project Hire in terms of training,” Tangeman said. “We work with the training program to help our employees grow, which in turn helps our company to grow.” Any company interested in reimbursement for training new employees can contact Simone Stone at (937) 225-5433 or stones@mcohio.org.



CYBERSECURITY

Company Email vs Personal Email – A Necessary Separation

By: Paul Comfort, Lead Engineer, Chi Corporation

As administrators, we sometimes must deal with as many user issues as we do technology issues. One of those issues is email. We may have employed great spam and phishing solutions, yet the users still receive that occasional email that makes it through our filters and causes issues.

Surely you have heard the story of the employee who bought a stack of iTunes gift cards for the "CEO" and sent the codes to the phisher. Despite our best protections, people are always going to find a way to get through. Much of our exposure at work could be limited if the users would take a little more care with their email addresses. One of the best things you can do to minimize the amount of exposure your company gets is to require that employees use their company email address for company business only.

There's usually only one argument for using company email for your personal email: it is convenient. That is a weak argument considering the significant consequences it could cause. If you use your company's email for personal use, consider the following:

1. Your personal email is archived per the company's standards. This could be potentially forever and subject to eDiscovery searches and disclosures. If you don't want your personal email to end up in a court filing, don't use the company's email.

2. Your personal email should be private. Corporate email is not private. Administrators and other company officials must have access to your unencrypted email in order to provide necessary services.

3. It increases the amount of SPAM the company receives. By posting or registering with your company email address in forums and services, it gets on more and more lists, and becomes involved in more breaches. Verified corporate email addresses are valuable to people doing spear phishing and blind marketing (also known as unsolicited commercial email).

4. It increases attacks against the company and can lead to successful attacks. When a forum or online service is compromised, user and password combinations found are used against other services. If a compromised user has a corporate email address, they'll immediately start trying that same password and derivatives against your corporate email account and other corporate assets. Password reuse is a big problem.

5. It increases the amount of email the company must save. This increase in cost to the business can be significant. Storage costs are one thing, but backup costs, DR, archiving, eDiscovery searches, email migrations, and other efforts made harder by storing non-business email can significantly balloon the costs to the business.

6. Your email and your intellectual property are not your own. Read your company policies. You will likely find that anything created, stored, or processed on company equipment is owned by the company. This means that the idea you had for a startup that you emailed to a friend can be taken and used by the business whose email you used.

7. Job searching may be monitored. Some businesses pay attention to emails from job boards. If you don't want your boss to know you are hunting, use a different email address. Even if you are not job hunting, you may get these emails and cause concerns. When you do change companies, you have a lot of people to notify about your new email address, and you may lose emails sent to your old address.

8. Your email is only as safe as the company hosting it. If you are let go or the company goes out of business, your email may be gone forever. If the company has any IT infrastructure failures or breaches, your email may be lost or exposed to unknown hackers.

9. When you leave the company, even if you manage to take a copy of your personal email with you, a copy remains behind. It is common practice in many businesses to archive that email and make it available to your replacement(s). Deleting your email and emptying your trash is not enough since many businesses have backups or archiving that you can't delete. Many businesses consider the email you accumulate to be an asset and will recover it if you delete it upon leaving.

10. Corporate Email is often monitored for terms of use abuses including pornography, hate speech, and criminal activity. If you've been on the internet, you know that these things sometimes get emailed to you without your consent. You do not want to have to defend yourself if you happen to get on a particularly bad list.

11. It gives you much-needed downtime. You need to be able to separate work from the rest of your life when you are on vacation, holidays, or even when you are trying to go to sleep at night. Regardless of your involvement in your work around the clock, your email in two buckets gives you the opportunity to decide when to take a break from work. It is a vital component of a work-life balance.

There are things businesses can do to facilitate this policy change and mitigate against employees who will not change. These include:

1. Make and publish a policy that clearly defines how corporate email is to be used. Enough said.

2. Allow access to email providers through your corporate web filter. There is a philosophy that says if you allow this your employees will waste too much time doing personal email. You, as an administrator, should always champion the idea that personnel problems should not be solved with technical solutions. If an employee is spending too much time checking their email instead of working, blocking their email won't suddenly make them a star employee. They will just find something else besides work to occupy their time. Personnel productivity problems should be solved with management and HR, not IT.

3. Enable credential reuse blocking. If your firewall (Palo Alto for example) provides this ability, it can prevent the reuse of your main credential on third-party sites, although it cannot stop every abuse.

4. Extreme measures. After employing the above, you may have to actively block emails from domains that are clearly not related to your business.

5. Create additional email addresses. In some cases, it might be required for an employee to have a corporate email address that is given to a questionable site. Consider creating an additional email address or alias for those people so that messages received on that alias are clearly different.

Chi Corporation is a leading networking, data security, storage, and virtualization integration solution provider. For more information visit www.ChiCorporation.com



CYBERSECURITY

Understanding the Cybersecurity Threat

By: RSM

The age of big data translates to even bigger risk for businesses of all sizes, but middle market companies are particularly vulnerable. While widely reported hacks of large corporations such as Equifax and Uber made headlines in 2017, lesser known was the multitude of breaches into midsize businesses, which are increasingly landing in the crosshairs of cybercriminals. Compared to just three years ago, significantly more middle market companies (13 percent versus 5 percent) contend they experienced data breaches, according to the RSM US Middle Market Business Index. Bigger middle market businesses, with enough scale to attract cybercriminals but typically lacking the defensive resources of their large-cap rivals, have become attractive targets, according to the data from the responses of some 400 middle market executives. From ransomware attacks and identity theft to intellectual property risks and privacy concerns associated with the increased use of digital currency, the security of electronic information is set to remain among the biggest challenges facing companies in the 21st century. There are few signs of crime abatement in the ever-changing cyber landscape. Nearly 50 percent of midsize companies expect they will face unauthorized users attempting to breach their data or systems this year, according to the executives surveyed.

Moreover, despite incidents of rising cybercrime, just half of the businesses surveyed carry cyber insurance policies to protect against internet-based risk. Our study shows that many of those policies may fall short of comprehensive coverage. Meanwhile, the C-level executives we surveyed may be overly confident in their firms’ internal abilities to thwart an attack. Some 93 percent of respondents were confident in their organizations’ ability to safeguard customer data. The reality—based on actual incident reports—is proving that confidence may be misguided. While smaller companies were hardest hit last year, midsize companies with annual revenues of $50 million to $300 million accounted for a fifth of cyber incidents, according to NetDiligence®, which produces a yearly report, sponsored by RSM, that tracks cybercrime. Those companies with higher levels of income suffered significantly fewer incidents. Cybercrime behaves much like a mutable disease, continually evolving, pushing new boundaries, finding vulnerabilities and subsequently exploiting weaknesses. We have developed this report to shed light on some of the important trends related to cyber incidents in the middle market, and the steps that midsize companies can take to mitigate ongoing risk. To learn more, please visit www.rsmus.com/cybersecurityreport



IT LEADER SPOTLIGHT

Chief Information Security Officers

Christopher Kuhl
CISO/Cybersecurity (5 months)
Dayton Children's Hospital

Tell us about your career path. I entered the field of computers in a nontraditional way. After trying my hand in graphic arts installation, I took the recommendation of a friend to look into computers. I grabbed the Yellow Pages and started making calls. I landed a low paying internship with a small family business in Omaha, Nebraska. I started out building and re-building computers and broken laptops. I really enjoyed the challenges, and things just clicked. I moved from that first company to new opportunities in Nebraska and beyond. I continued to challenge myself with new certifications and technology, as well as earning my Master’s in Information Assurance. Each of those steps accompanied a new technical position from DBA to Engineer to Architect to CISO.

What’s the best career advice you ever received? The best advice I ever received was to always “focus on the why”. The project or assignment is always changing but staying focused on “why” it matters keeps the true goal in perspective. It is the “why” that inspires and attracts others to make the organization better. When you get a group of people together that all believe in the “why”, you go from being a group of individuals working together to becoming a team that is dedicated, motivated and can be innovative to overcome any obstacle.

What roles or skills are you finding (or anticipate to be) the most difficult to fill? The two skills that are the most difficult to find are critical thinking and communication. Team members with the ability to look at a problem in front of them, understand the potential impact and perform root cause analysis will save the organization from unnecessary downtime and cost. The problem could be technical, such as a server or application unexpectedly going down, a skills gap analysis of your team/department, or employee satisfaction for an organization. The skills required for critical thinking are crucial to the employee, team and organizational success. I believe they should be included in either higher education curriculums or as mandatory employee education offerings at the organization. Good communication skills are just as difficult to find. Communication isn’t just being able to talk to your teammates, but also being able to translate technical needs for business or financial understanding. Now that Sr. leadership and Boards are taking an interest in cybersecurity with how we can help not only protect data, but also protect financial vitality of the organization or patient safety in healthcare, we are being asked to present at those levels more and more. Through good communication skills, we can demonstrate risks to the organization and how they will impact reputation, finance, patient safety, or compliance. We can also demonstrate the need for funding to support our claims, through return on investment of training classes, new technology, or additional staffing.

Dan O'Callaghan
CISO
Sinclair College

What was your first job? When I was 11, I delivered newspapers in Chelsea, MA. It was a walking route with lots of multi-family tenement units and many stairs.

Did you always want to work in IT? I adopted IT as an end-user looking to improve efficiency. I was Enlisted in the USAF as a Surgical Tech after High School. While stationed at Wright-Patt, a contractor was engaged to “computerize surgical logistics”. I volunteered as a liaison and was appointed “Terminal Area Security Officer” (mainframe environment). For the next 20 years, I had multiple duty assignments. Some of my duties included working on computer-security related operations and systems management.

What’s the best career advice you ever received? Never stop learning and working to improve. Early in my military career, a supervisor advised that upon every new assignment, take time to really learn the job, look for areas that need improvement, then gain the expertise required and drive implementation of the needed fix. The “dot-com boom” era drove my interest in what is now called cybersecurity. One of the things that initially attracted me to Sinclair College is its motto—“Find the need and endeavor to meet it”. It really is a core philosophy.

What advice would you give to aspiring IT leaders? Never forget that technology is at its core a service. Without end-users, there is no need. This especially pertains to cybersecurity—the security controls have to be effectively balanced between requirements of the business and the nature of the data/infrastructure requiring protection.



Wednesday, March 13, 2019 – Breakout Sessions Sinclair College Ponitz Center – Dayton, OH “Building a Comprehensive Security Plan on a Shoe-String Budget” Bryan Hogan, Afidence

“Let’s fix this – Leveraging CIS’ Critical Security Controls Metrics to Improve Security” Andy Gill, Western Southern

Everybody wants an extensive cybersecurity plan, but many assume it’s not possible on a limited budget. In this session, you will learn the strategies to building a comprehensive cybersecurity plan using free and/or low-cost solutions that almost any organization can afford.

What are the CSCs? - their Origins/history. How do the "Top 20" decompose into more granular controls? Current version (7) controls. Measures and Metrics and how you might apply them to your environment - how to measure and data sources.

“Building Security to be more than a house of cards” Dan Wilkins, CareSource Many security programs are built without consideration for user abrasion, which leads to unintended consequences. Security controls and training need to be built around user behavior so that they do not fail us when a user clicks a phish. How does our password policy affect our users’ password choices, and how can we improve and test how those consequences play out for our organizations? Password-less seemingly is becoming a buzzword. We will explore different options for going beyond passwords, and how to improve our detection and response capabilities so that we can grow as an industry.

“Managing Third Party Risk” Kevin Carpenter, RSM It has become increasingly common to engage with multiple third parties in today's changing IT landscape. And given the concern around the privacy and security of data that might be shared as part of these relationships, it is more important than ever to ensure your organization is properly prepared for protecting its assets. This presentation will explore topics that include regulatory concerns, contracting, regular compliance checkups, and best practices and solutions required for a robust third party management program.

“Creating a Security Conscious Culture” Mike Brooks, SEEPEX Are employees your greatest security threat? Discover how a local manufacturer has created a security conscious culture to mitigate the never-ending barrage of malware, phishing, and ransomware that attempt to exploit your employees. Learn how to turn your largest security weakness into your greatest asset with little to no financial spend. Join Mike Brooks, IT Manager of SEEPEX Inc., to learn about his journey and the tools used in this culture transformation.

“Data Privacy – Attaining and Maintaining Compliance” Bill Kilgallon, Kroger A proposed set of real world “Minimum Viable Product” requirements for the California Consumer Privacy Act (CCPA) and EU General Data Protection Regulation (GDPR) laws, with a discussion on how the two regulatory schemes compare.

“Improving Risk Management Decision Making” Apolonio Garcia, HealthGuard Effective risk management is largely dependent on an individual's or organization's ability to do three things: 1) identify and understand risk, 2) make rational decisions, and 3) execute those decisions. While this may seem fairly simple, history is filled with individuals and organizations that failed, at great cost, at one or more of these three areas. This talk will explore some of the common risk management decision making pitfalls individuals and organizations face, and provide suggestions on what attendees can do to avoid them.

Technology First | MAR-APR 2019

“The Path to InfoSec Maturity” Jerod Brennen, One Identity “Are we secure?” It’s the most dreaded question that information security and risk management professionals need to answer. Compliance is a useful starting point, but the number of “compliant” organizations who still suffered a data breach is proof positive that compliance simply isn’t enough. That’s where maturity models come into play. In this presentation, I’ll show you how to apply a capability maturity model (CMM) to your identity and access management (IAM) program, using that model to assess where you are today. I’ll also share tools and techniques you can use to accelerate improvements to your program.

“Secure Business Case Management for Supply Chain” Eric Van Hoose, Van Hoose Associates | Dejay Hayn, Universal Technology Corporation Van Hoose Associates (VHA) is working with AFRL and their local supply chain to provide a cyber secure cloud-based solution for doing business with AFRL and their contractors. This is being provided by the government to also help contractors to comply with the DoD cybersecurity contract requirements from a government approved cloud service provider per the DoD Federal Acquisition Regulations (DFAR).

“Securing the Mobile Cloud” Leo Cronin, Cincinnati Bell/CBTS The way we work is changing and future virtual workforces may predominantly work in the mobile cloud. This session will discuss security implications for emerging mobility and cloud technologies and services, focusing on malware, data security and compliance. 10 “essentials” for securing the mobile cloud will be discussed.


Wednesday, March 13, 2019 – Breakout Sessions (continued)

“Trusting Machine Learning and Artificial Intelligence in Security” Darren Kall, Sophos Increasingly complex threat landscapes, growing numbers of networks and endpoints, and the shortage of skilled security professionals contribute to the rising investment in ML/AI. More people with less training must protect their environments in an increasingly complex world. We must gracefully augment human capabilities to detect patterns and respond faster to limit threats. This talk will explore the human trust and confidence aspects of ML/AI in security. Are you confident that ML/AI accurately detect threats? How much do you trust ML/AI to act without human involvement?

“An origin-based, fine-grained and user-centric policy enforcement framework for Hybrid mobile applications” Rakesh S V Reddy, University of Dayton | Dr. Phu H. Phung, University of Dayton We have developed a hybrid mobile security framework that allows the developers to define fine-grained policies to control access to the device resources. The policies are injected into the app and can be customized by the end-users through a graphic interface. This enforcement mechanism provides user capability to control the resource access based on the context to prevent privacy breaches or resource abuses. This highly extensible framework is evaluated with various attack scenarios.

“DLP Demystified” Micah Brown, American Modern Insurance Data breaches have become a common fixture of our daily lives. Executives are paying closer attention to their organization’s security posture and funding projects aggressively. Often these projects involve a rollout of flashy new technology and / or devices. These solutions are sold, marketed, and deployed as silver bullet solutions. Technologies such as DLP are open sandbox tools that allow a company to build policies around how data can be stored, processed, and transmitted. It is very easy for a company solely focused on standing up a DLP environment and not provide value to the business

“Pixel Tracking: How it’s used and abused” Barry Kimball, Contractor An intro to what a pixel is and ways it’s used on the web. Pixel tracking from its origins to today’s Facebook pixel. A review of ways it’s being abused and its modern impact on modern tech of cloud and AI. Some things you can do to reduce being tracked in today’s web.

“The OWASP Top 10 & AppSec Primer” Matt Scheurer, First Financial Bank Are your web applications, web sites, and web servers secure? How do you know, and who makes that determination? We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).

“Beyond the classroom – What are the newest and most compelling higher education cybersecurity outreach and engagement practices going on in the community and with industry partners?” Bob Mills & Mark Reith, AFIT Center for Cyberspace Research | Rusty Baldwin, University of Dayton | Vance Saunders, Wright State University This panel of higher education experts will share some of the best practices and most promising initiatives that have been launched with industry and community partners. Examples of applied research, industry-academia partnerships and compelling initiatives that have strengthened our regional and national outreach efforts will be shared. This panel session will focus on leading practices and lessons learned for optimal industry-higher education strategic partnerships.

“Cyber Ranges: Platforms for Education, Workforce and Economic Development in the 21st century” Dr. Richard Harknett, University of Cincinnati | W. David Salisbury, University of Dayton | Thomas Skill, University of Dayton This panel will look at two highly strategic approaches to the implementation and use of cyber ranges as national models for advancing cybersecurity education and industry workforce readiness. Senior faculty leaders from the University of Cincinnati and the University of Dayton will share their progress on establishing and executing two distinctly different approaches to the cyber range challenge. Colleagues from UC will provide insights into the “State of Ohio Cyber Range” project and colleagues from UD will expand on their work in hosting the “Dayton Regional Cyber Range.”

“Regional Higher Education’s Innovative approaches to teaching and training the next generation of cybersecurity professionals” Dr. Seth Hamman, Cedarville University | Danis Heighton, Clark State | Kyle Jones, Sinclair College | Dr. James Robinson, University of Dayton This panel of higher education cybersecurity faculty and academic IT leaders from across the region will share their latest efforts to introduce new and innovative cybersecurity educational tools and techniques, experiential learning exercises and creative practices for accelerating workforce development and student success. Our academic experts will share their latest examples of successful engagements with student learning and demonstrate how these innovative practices will strengthen our region's competitiveness and enhance the cybersecurity workforce.

“Sticker Heist – A Cybersecurity Student Challenge” Mike Libassi, Sinclair College A demonstration and explanation of a physical and cyber challenge for students developed by Professor Libassi for the Sinclair Hacking Team. This presentation and demonstration will review the LinkedIn article on the design and challenge of the sticker heist (http://www.linkedin.com/pulse/sinclair-college-hacking-team-sticker-heist-prof-mikelibassi-sc-d/). The review and demonstration will hopefully generate other teaching professors to create such challenges for their students.


CYBERSECURITY

Are Information Security Management Systems Helpful?

By: Marc Abel, Wakefield Cybersecurity

The lingo of standards organizations is magnetic, but claims that mastering today’s fashionable standards—ISO 27001, PCI DSS, NIST SP 800-53, and many more—leads to secure information systems should be weighed with skepticism. In some respects, we see more illusion than substance. Consider hiring, for instance. “You say you’re familiar with 800-53? Great! You must be an information security expert!”

A concern I have with all of these specifications is they approach cybersecurity from a top-down perspective. They define security from ISO 27000 or Title 44 of the U.S. Code or similar, and they invoke a system of management control abstractions, treating information systems like a collection of opaque boxes that needn’t be looked inside. All that is required of management is to support these boxes with infrastructure that will ensure their “availability,” “integrity,” and “confidentiality.” That infrastructure, of course, is the domain of the “information security management system professionals” that everyone looks to hire because ISO 27000 says it’s their role.

The Ohio General Assembly just amended the law to favor companies who take this top-down view of information security by giving them safe harbor against tort claims when their information security management systems screw up. The same bill loosens regulations on casinos, raising more than a shadow over the sobriety of the entire rulemaking. Unfortunately, expert testimony opposing Senate Bill 220 was dominated by law firms. Computer scientists who would have critical insight to contribute don’t tend to follow legislative proceedings.

One weakness with top-down approaches to information security management is that cybersecurity is not a peripheral. I can’t take a collection of haphazardly implemented, foolishly chosen components, slap a security module on as an afterthought, and ship an ethical outcome. One of the S.B. 220 proponents wrote tellingly, “the technology we use daily is vulnerable and can be hacked.” Please bear with me while I ask a question from the bottom: Who authorized vulnerable technology for daily use to begin with?

It’s my position that cybersecurity is the discipline of scaling automation responsibly. The people we need to make information systems secure are those who create their components in the finest detail, the people who talk directly to users, determine requirements, and deliver the simplest practical solutions. By “simplest practical solutions,” I don’t mean quickest to implement, easiest to purchase, or requiring the least training. For me, “simplest” taps approaches that are most subject to human control, most comprehensible by a single person, easiest to support with in-house personnel, best suited for security audits, least expensive to extend and maintain, require the fewest upgrades, minimize opportunity for defects, and have the longest service life. These attributes which promote information security are hard to procure within the opaque components that vendors routinely offer, but straightforward to implement when qualified personnel can start from ground zero.

The need is for brilliant implementers with domain-specific knowledge of computer science and engineering, not necessarily people whose resume mentions NIST SP 800-53, or even persons familiar with a particular product line or programming language. We need a best-of-planet workforce who will scale our automation responsibly and protect against unanticipated threats, instead of the mere avoidance of anticipated threats that Governor Kasich just signed into law.

The ISO 9000 series of quality assurance management standards has done marvels for improving numerical outcomes of product quality, but the methodology does not transfer easily to information security. Two cars can have the same design, but have differences in quality because they were manufactured differently. Quality for the better car didn’t necessarily involve any design changes. Cybersecurity is different, because security improvements entail radical design changes. This means that information security professionals need domain-specific knowledge and direct responsibility over every technical detail of a system. It doesn’t help to know only the high-altitude abstractions of any information security management system, or even know them all thoroughly.

Marc Abel is a life member of Caltech Alumni Association and the owner of Wakefield Cybersecurity in Bellbrook.


CYBER POLICY

What to Look For in a Cyber Insurance Policy

By: Brian Mahon, Avatar Brokers

Cyber insurance varies greatly from insurance company to insurance company. There is no standard language or set of coverages. Some policies have worldwide coverage and some are country specific; some coverages are within limits and some are outside limits; some policies are admitted and some are non-admitted. It truly takes an expert to read and interpret a cyber policy. Here is what your policy should include at a minimum.

1st Party Coverage

1st party is financial loss coverage due to a data breach for the insured. This is for items that directly affect the insured’s business. There are numerous coverages:

1. Computer Forensics – coverage for a computer forensics expert to come investigate a data breach.
2. Reputation Harm – coverage for a public relations firm to restore your brand name from negative effects a data breach may have on your company.
3. Notification Costs – coverage for call center or notification services to notify those affected by a data breach.
4. Credit Monitoring – coverage for credit monitoring services to scan for “bad actors” attempting to open new or use existing credit lines for those affected by a breach.
5. Costs to Defend Claims – coverage for litigation costs associated with legal proceedings following a data breach.
6. Fines and Penalties – coverage to reimburse the company for fines or penalties due to a data breach.
7. Business Interruption – coverage for downtime and the additional cost to get computer systems back up and running after a breach.
8. Replacing electronic data – coverage to replace electronic data.

1st Party Questions to Consider

Does the insured have a say in the choice of legal counsel? Can the insured use whatever breach services providers they want, or must the insurance company’s pre-selected service provider panel be used? Some policies will consider the insured’s preference for the appointment of counsel, but the insurance company still has the final say. Some policies state the insured shall not formally appoint counsel without approval from the insurance company. This may be a sticking point if an insured is keen on using their own legal counsel, breach coach, PR firm, etc. Cyber policies may offer lower limits of coverage for “non-panel” service providers.

Are the above 1st party coverages within policy limits or outside? Essentially, if you have a $1M aggregate policy, does every single 1st party coverage fall within this $1M bucket, or do some coverages have their own $1M limit bucket? It would be advantageous to either have a higher aggregate or a separate limit on items like Business Interruption and Defense costs.

Is the policy written on an admitted or non-admitted basis? Admitted insurance policies are insurance policies written by an admitted insurance company. An admitted insurance company pays the proper taxes, fees, and paperwork to achieve admitted status, in exchange for being backed by a state guarantee fund. If the insurance company becomes insolvent and an insured has a claim, the claim will still be paid by the guarantee fund. A non-admitted carrier/policy has no such guarantee. It is wise to check the AM Best rating and admitted status of the insurance company writing your insurance policy here: http://www.ambest.com/ratings/guide.pdf

3rd Party Coverage

3rd party is financial loss coverage from a data breach for the benefit of others. It could be your customers, partners, suppliers, vendors, etc. It includes three separate coverages:

Privacy Liability – Covers expenses the insured becomes legally obligated to pay due to failure to protect the following classes of information:
PHI (Personal Health Information), i.e. health records
PII (Personally Identifiable Information), i.e. Social Security #, address information, etc.
PFI (Personal Financial Information), i.e. bank account #s, credit card numbers, etc.

Content Liability/Web Publishing Liability/Multimedia Liability – Provides “digital world” personal and advertising injury liability coverage. This includes infringement or violation of another’s copyright, title, slogan, trademark, trade name, trade dress, service mark, and service name. An example would be using unauthorized images or music on a website. This also provides coverage for defamation, libel, and slander, like negative comments posted on your website about a competitor’s product.

Third Party Security Breach Liability – Coverage for when the insured becomes responsible for a virus, security breach, transmittal of malicious code, etc. Essentially, since your system got hacked, the hacker was able to get access to your customers’, vendors’, partners’, or other third parties’ systems and it becomes your fault.

3rd Party Questions to Consider

Is there Coverage for Rogue Employees? A rogue employee may also be described as a disgruntled employee but is essentially an employee who is purposely causing a data breach or transmits malicious code to sabotage the company. Policy language can explicitly name rogue employees, be implied but not specifically mentioned, exclude coverage altogether, or add coverage via endorsement.

What is the Coverage Trigger?

Policies are written on one of the following coverage triggers: Occurrence, Claims Made, or Claims Made & Reported.

1. Occurrence Form
Definition: A policy covering claims that arise out of damage or injury that took place during the policy period, regardless of when claims are made.

2. Claims-made Policy
Definition: A policy providing coverage that is triggered when a claim is made against the insured during the policy period, regardless of when the wrongful act that gave rise to the claim took place.

3. Claims-made and Reported Policy
Definition: A type of claims-made policy in which a claim must be both made against the insured and reported to the insurer during the policy period for coverage to apply.

The above coverage trigger types are in order from most advantageous to least advantageous from an insured’s perspective.

Cyber insurance policies are typically written on claims-made or claims-made and reported forms. Claims-made is more advantageous from the insured’s perspective than claims-made and reported.

Coverage for Contractual Liability?

Good cyber insurance policies have coverage for contractually assumed liability. Often this is subject to a sub-limit and should be scrutinized when purchasing an insurance policy. Check that the limit is sufficient for specific contract requirements.

Cyber Crime Coverage

Cyber crime coverage is typically separate from 1st and 3rd party coverages, but not always. It typically covers claims for financial loss from the following:

Extortion/Ransom – A hacker is holding your business’s computer system hostage; everything is locked with a message that says pay 10 Bitcoins in 24 hours or the computer system will be destroyed. Cyber insurance can help pay to restore or replace a system held hostage.

Social Engineering/E-Mail Phishing – An e-mail that looks like it’s from the CFO with instructions to wire $50,000 to a bank account is sent to a new controller, and the controller wires the funds not knowing the CFO’s e-mail was really from a hacker. Cyber crime insurance can cover the loss resulting from this unintended parting of money/funds due to fraudulent instruction/impersonation.


CYBERSECURITY

Matrix and Emotet: What You Need to Know About These Two Types of Cyber Attacks

Secure Content Technologies

When people talk about cyber attacks, they’re often talking about widespread, common threats like phishing attacks deployed by low-skilled criminals. We’ve grown used to the idea of throngs of opportunistic cybercriminals sending out high-volume attacks, like email flooding, hoping that some might take root and score them a quick buck.

But as tools have been put in place to block those attacks, cybercriminals have evolved in turn. Targeted ransomware attacks are on the rise, with higher skilled cybercriminals carefully selecting targets to hack manually. And other malware attacks have grown more and more sophisticated, to keep evading security tools.

Recent threats like Matrix and Emotet demonstrate the various ways that cybercriminals have changed their tactics to stay effective and profitable in today’s marketplace. We’ll dig into what makes Matrix and Emotet unique and so dangerous, and what enterprises should be doing to protect against these and other similar threats.

Matrix: The Niche Targeted Ransomware

With many advanced cyber threats, usually “who you are” is what makes you a target. With targeted ransomware like Matrix, though, the “what” is what makes you a target. Cybercriminals are looking for a vulnerability – things like unpatched web servers or an exposed Remote Desktop Protocol (RDP) host – and if you have one, you’re a target. Targeted ransomware takes advantage of exposed or vulnerable hosts on the internet to manually, deliberately hack into a system and deliver ransomware. What sets targeted ransomware apart from other threats is that it’s manually implemented – there’s a human making decisions and adapting to roadblocks along the way. Attackers using Matrix, a niche targeted ransomware, are known to infiltrate a company’s network by brute forcing their way into exposed RDP hosts. Once inside the network, attackers will escalate their privileges to become an administrator or domain administrator, and use any number of techniques to deploy the ransomware, demanding ransoms around $3,500.

The unfortunate truth is that many organizations still permit Windows computers with weak passwords to be exposed to the internet, creating a massive opportunity for targeted ransomware groups to exploit. That’s how Matrix has been able to cause damage and mayhem recently – by attacking that low-hanging RDP fruit.

Emotet: The Shape-Shifter

Compared to Matrix, Emotet is more of the opportunistic type of threat we’re used to seeing. This network worm is typically sent out with a “spray and pray” mentality, where cybercriminals send out large volumes of attacks and hope to infect as many people as possible. That’s vastly different from the slow, deliberate, manual approach that targeted ransomware takes. Emotet is a great example of how a threat can evolve in order to stay relevant and maintain a revenue stream.

Since 2014, Emotet has evolved from primarily being a credential stealer and banking Trojan into a modular, polymorphic platform for distributing other kinds of malware. The worm has three main goals: spread onto as many machines as possible, send malicious emails to infect other organizations, and download a malware payload.

It’s also incredibly dangerous. The US Department of Homeland Security considers it one of the most costly and destructive threats to businesses today.

What makes Emotet so dangerous compared to many of the other opportunistic threats is its ability to change shape and spread without the aid of a user. That means that once it infects one computer in an organization, it can quickly spread across the entire network. And as it’s cleaned up, it has the ability to morph and re-infect the same machines. To make matters worse, Emotet often also tries to turn a malware infection into a data breach by stealing email addresses, web histories, or even usernames and passwords. And we’ve also seen targeted ransomware like BitPaymer use Emotet as a delivery mechanism.

How can enterprises defend themselves?

Sophisticated threats like Emotet and Matrix can be utterly devastating to infected organizations. Once a cybercriminal gains control over the network, there’s no limit to the damage they can inflict. The most important thing organizations can do to reduce the likelihood of becoming a target is build a strong security foundation to protect against all manner of attacks.

Think of it this way: Imagine a thief walking down the street at night in your neighborhood trying to open car doors. If a car door is locked, they’ll move on. But if they find one that’s unlocked, they’ll open the door and steal all the contents of the car. That’s what’s happening with these attacks. Enterprises need to be doing everything they can to lock the door, so to speak, and that starts with security fundamentals. Patch your systems, especially those exposed to the internet. Take RDP machines and put them behind a VPN with two-factor authentication.

Beyond that, make sure you’re using all the best security tools at your disposal, like exploit prevention tools that provide protection from endpoint to firewall. Innovative technology like deep learning can help protect against a polymorphic threat like Emotet, with the ability to recognize and block new variants.

Here’s the bottom line: If your enterprise is connected to the internet, the risks may be both broader and deeper than you realize. It’s time to invest in innovative security software that’s easy and intuitive to use.

For more information on Sophos security solutions, visit www.securecontenttechnologies.com; for Emotet, Matrix and other cyber threats, go to Sophos.com.




EVENT SPOTLIGHT


Thank you to our 2019 CIO Forecast Panelists for sharing great insights at our January Tech Forum! Pictured Above – Jeff Dice (Winsupply), Dr. Thomas Skill, (University of Dayton), Colonel Rico Johns (HQ Materiel Command WPAFB), Andy Lehman (Kettering Health Network), Moderator Kurtis Lindeman (RoundTower Technologies)


This year’s Digital Mixer was a great success! 172 students from 8 different colleges and universities came together for our annual hiring/networking mixer with area employers. This event focuses on building student-employer relationships and providing students with information about internship and full-time opportunities available to them.

Students left the Digital Mixer with confident smiles and employers left with stacks of resumes! Thank you University of Dayton, Wright State University, and Sinclair College for sponsoring the event.

The Women 4 Technology SIG kicked off the year with their annual Meaningful Mentoring event. Mentors were IT leaders from various backgrounds including infrastructure, cloud, security, analytics, operations, support, academia, and entrepreneurship. Thank you to our mentors and mentees!



TECHNOLOGY FIRST BOARD OF DIRECTORS

Marcia Albers Executive Director Technology First

Gary Ginter System Vice President, CIO Premier Health

Dave Mezera President DataYard

Diana Bolden Former CIO Teradata

Lisa Heckler VP, Information Security & Privacy CareSource

Paul Moorman Former IT Strategist ND Paper

Jim Bradley - CHAIR Vice President, IT Tecomet

Bryan J. Hogan President / CEO Afidence

Robin Poffenberger Systems Manager Washington Centerville Public Library

Gary Codeluppi Former Regional VP RDX Remote Dba Experts

John Huelsman Director of Business Support Solutions Hobart Service

Dr. Tonjia Coverdale Vice President for Information Technology and Chief Information Officer Central State University

Don Hopkins Interim Director, Adjunct Assistant Professor Wright State University

Timothy Ewart Former Cyberspace Operations Technical Director HQ Air Force Materiel Command WPAFB

Treg Gilstorf Chief Information Officer Yaskawa Motoman Robotics

Christopher Roe Vice President, Information Technology Services Speedway LLC

Thomas Skill Associate Provost & CIO University of Dayton

Andy Lehman CIO & Senior VP Kettering Health Network

Diana Tullio Principal, North America CC&C Americas

Scott McCollum Chief Information Officer Sinclair Community College

Jeff Van Fleet President Lighthouse Technologies

Monique McGlinch VP, Information Technology & Proj Mgt Office MidMark

Technology First would like to thank and recognize its Board of Directors. They provide input into the strategic direction of the organization and actively lead working committees that drive our programs and services.

Publisher: Technology First

Executive Director: Marcia Albers

Director, Member Services: Kaitlin Regan

Design & Production: Courtesy of Bitstorm Connect

Writers: Our mission is to support the growth of Greater Dayton’s information technology industry. Technology First provides a forum for educators, business, and technical professionals to communicate their expertise and lessons learned while working in the field. Please submit the article in Word, preferably with 500 to 700 words, with any graphics in pdf to malbers@technologyfirst.org. Please include your name, business organization, business address, phone number, fax number, e-mail address, and a brief description of any professional accomplishments. Please also include a digital photograph if available.

Subscriptions: Non-member business/home delivery of this publication is available at $25/year (6 issues). Mail name, address and check made payable to Technology First.

2019 Technology First; All rights reserved

www.technologyfirst.org

714 E. Monument Avenue; Suite 106 Dayton, OH 45402 p: 937.229.0054


714 E. Monument Ave., Suite 106 Dayton, OH 45402 937.229.0054 • TechnologyFirst.org

2019 EVENTS

CIO COUNCIL (Executive Leadership Only - 11:30-1pm)
January 17 - Tech Forum (Open Event)
February 21
March 29
April 18 - Tech Forum (Open Event)
May 16
June 14
July 18
August 16
September 12
October 10 - Tech Forum (Open Event)
December 5


DATA ANALYTICS (Open to ALL - 8:30-10am)
January 11, February 22, April 5, May 17, August 23, October 4, December 6

INFRASTRUCTURE/CLOUD (Open to ALL - 11:30-1pm)
January 11, February 22, April 5, May 17, August 23, October 4, December 6

CONFERENCES (Open to ALL)
OISC - March 13, 2019
Taste of IT - November 13, 2019

SPECIAL EVENTS (Open to ALL)
Digital Mixer - February 13, 2019
Leadership Awards - May 1, 2019

WOMEN 4 TECHNOLOGY (Open to ALL)
January 23, June 5, September 5

TECH THURSDAYS (Open to ALL - 5-7pm)
February 7, April 11, June 13, Sept 12, Oct/Nov - TBD

MUNICIPALITY IT
NEW! For Municipality Leaders 11:30-1pm
Feb/Mar - TBD
June - TBD
September - TBD
December - TBD

For Registration and Membership information, visit www.technologyfirst.org or call 937-229-0054

@technologyfirst
