CISO Tradecraft

Welcome to CISO Tradecraft. A podcast designed to take you through the adventure of becoming a Chief Information Security Officer (CISO) and learning about cyber security. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.

Listen on:

  • Apple Podcasts
  • Google Podcasts
  • Podbean App
  • Spotify
  • Amazon Music
  • Pandora
  • TuneIn + Alexa
  • iHeartRadio
  • PlayerFM
  • Listen Notes
  • Samsung
  • Podchaser


2 days ago

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we are going to discuss how nation state conflict and sponsored cyberattacks can affect us as non-combatants, and what we should be doing about it.  Even if you don't have operations in a war zone, remember cyber has a global reach, so don't think that just because you may be half a world away from the battlefield that someone is not going to reach out and touch you in a bad way.  So, listen for what I think will be a fascinating episode, and please do us a small favor and give us a "like" or a 5-star review on your favorite podcast platform -- those ratings really help us reach our peers.  It only takes a click -- thank you for helping out our security leadership community. I'm not going to get into any geopolitics here; I'm going to try to ensure that this episode remains useful for quite some time.  However, since the conflict in Ukraine has been ongoing for over two hundred days, I will draw examples from that. The ancient Chinese military strategist Sun Tzu wrote: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.  If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.  If you know neither the enemy nor yourself, you will succumb in every battle.” That's a little more detailed than the classic Greek aphorism, "know thyself," but the intent is the same even today.  Let me add one more quote and we'll get into the material.  Over 20 years ago, when he was Secretary of Defense, Donald Rumsfeld said: "As we know, there are known knowns; there are things we know we know.  We also know there are known unknowns; that is to say we know there are some things we do not know.  But there are also unknown unknowns—the ones we don't know we don't know.  And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones. So, knowledge seems extremely important throughout the ages.  Modern governments know that, and as a result all have their own intelligence agencies.  Let's look at an example.  If we go to the CIA's website, we will see the fourfold mission of the Central Intelligence Agency: Collecting foreign intelligence that matters Producing objective all-source analysis Conducting effective covert action as directed by the President Safeguarding the secrets that help keep our nation safe. Why do we mention this?  Most governments around the world have similar Nation State objectives and mission statements.  Additionally, it’s particularly important to understand what is wanted by "state actors" (note, I'll use that term for government and contract intelligence agents.). What are typical goals for State Actors?  Let's look at a couple: Goal 1: Steal targeting data to enable future operations.  Data such as cell phone records, banking statements or emails allow countries to better target individuals and companies when they know that identifying information.  Additionally, targeting data allows Nation state organizations to understand how individuals are connected.  This can be key when we are looking for key influencers for targets of interest.  All targeting data should not be considered equal.  Generally, Banking and Telecom Data are considered the best for collecting so be mindful if that is the type of company that you protect.  State Actors target these organizations because of two factors:The Importance of the Data is the first factor.  If one party sends a second party an email, that means there is a basic level of connection.  However, it’s not automatically a strong connection since we all receive emails from spammers.  If one party calls someone and talks for 10 minutes to them on a phone call, that generally means a closer connection than an email.  Finally, if one party sends money to another party that either means a really strong connection exists, or someone just got scammed. The Accuracy of the Data is the second factor.  Many folks sign up for social media accounts with throw away credentials (i.e., fake names and phone numbers).  Others use temporary emails to attend conferences, so they don’t get marketing spam when they get home.  However, because of Anti Money Laundering (or AML) laws, people generally provide legitimate data to financial services firms.  If they don’t, then they risk not being able to take the money out of a bank -- which would be a big problem. A second goal in addition to collecting targeting data, is that State Actors are interested in collecting Foreign Intelligence.  Foreign Intelligence which drives policy-making decisions is very impactful.  Remember, stealing secrets that no one cares about is generally just a waste of government tax dollars.  If governments collect foreign intelligence on sanctioned activity, then they can inform policy makers on the effectiveness of current sanctions, which is highly useful.  By reporting sanctioned activity, the government can know when current sanctions are being violated and when to update current sanctions.  This can result in enabling new intelligence collection objectives.  Examples of this include:A country may sanction a foreign air carrier that changes ownership or goes out of business.  In that case, sanctions may be added against different airlines.  This occurred when the US sanctioned Mahan Air, an Iran’s airline.  Currently the US enforces sanctions on more than half of Iran's civilian airlines. A country may place sanctions on a foreign bank to limit its ability to trade in certain countries or currencies.  However, if sanctioned banks circumvent controls by trading with smaller banks which are not sanctioned, then current sanctions are likely ineffective.  Examples of sanctioning bank activity by the US against Russia during the current war with Ukraine include:On February 27th sanctions were placed against Russian Banks using the SWIFT international payment systems On February 28th, the Russian Central Bank was sanctioned On March 24th, the Russian Bank Sberbank CEO was sanctioned On April 5th, the US IRS suspended information exchanges with the Russian tax authorities to hamper Moscow’s ability to collect taxes. On April 6th, the US sanctioned additional Russian banks. These sanctions didn't just start with the onset of hostilities on 24 February 2022.  They date back to Russia's invasion of Crimea.  It's just that the US has turned up the volume this time. If sanctions are placed against a country’s nuclear energy practices, then knowing what companies are selling or trading goods into the sanctioned country becomes important.  Collecting information from transportation companies that identify goods being imported and exported into the country can also identify sanction effectiveness. A third goal or activity taken by State Actors is covert action.  Covert Action is generally intended to cause harm to another state without attribution.  However, anonymity is often hard to maintain.If we look at Russia in its previous history with Ukraine, we have seen the use of cyber attacks as a form of covert action.  The devastating NotPetya malware (which has been generally accredited to Russia) was launched as a supply chain attack.  Russian agents compromised the software update mechanism of Ukrainian accounting software M.E. Doc, which was used by nearly 400,000 clients to manage financial documents and file tax returns.  This update did much more than the intended choking off of Ukrainian government tax revenue -- Maersk shipping estimates a loss of $300 million.  FedEx around $400 million.  The total global damage to companies is estimated at around $10 billion. The use of cyberattacks hasn’t been limited to just Russia.  Another example is Stuxnet.  This covert action attack against Iranian nuclear facilities that destroyed nearly one thousand centrifuges is generally attributed to the U.S. and Israel. Changing topics a little bit, we can think of the story of two people encountering a bear. Two friends are in the woods, having a picnic.  They spot a bear running at them.  One friend gets up and starts running away from the bear.  The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching.  “Are you crazy?” the first friend shouts, looking over his shoulder as the bear closes in on his friend.  “You can’t outrun a bear!”  “I don’t have to outrun the bear,” said the second friend.  “I only have to outrun you.” So how can we physically outrun the Cyber Bear? We need to anticipate where the Bear is likely to be encountered.  Just as national park signs warn tourists of animals, there’s intelligence information that can inform the general public.  If you are looking for physical safety intelligence you might consider:The US Department of State Bureau of Consular Affairs.  The State Department hosts a travel advisory list.  This list allows anyone to know if a country has issues such as Covid Outbreaks, Civil Unrest, Kidnappings, Violent Crime, and other issues that would complicate having an office for most businesses. Another example is the CIA World Factbook.  The World Factbook provides basic intelligence on the history, people, government, economy, energy, geography, environment, communications, transportation, military, terrorism, and transnational issues for 266 world entities. Additionally you might also consider data sources from the World Health Organization and The World Bank If we believe that one of our remote offices is now at risk, then we need to establish a good communications plan.  Good communications plans generally require at least four forms of communication.  The acronym PACE or Primary, Alternate, Contingency, and Emergency is often usedPrimary Communication: We will first try to email folks in the office. Alternate Communication: If we are unable to communicate via email, then we will try calling their work phones. Contingency Communication: If we are unable to reach individuals via their work phones, then we will send a Text message to their personal cell phones. Emergency Communication: If we are unable to reach them by texting their personal devices, then we will send an email to their personal emails and next of kin. Additionally, we might purchase satellite phones for a country manager.  Satellite phones can be generally purchased for under $1,000 and can be used with commercial satellite service providers such as Inmarsat, Globalstar, and Thuraya.  One popular plan is Inmarsat’s BGAN.  BGAN can usually be obtained from resellers for about $100 per month with text messaging costing about fifty cents each and calls costing about $1.50 per minute.  This usually translates to a yearly cost of $1,500-2K per device.  Is $2K worth the price of communicating to save lives in a high-risk country during high political turmoil?  Let your company decide.  Note a great time to bring this up may be during use-or-lose money discussions at the end of the year. We should also consider preparing egress locations.  For example, before a fire drill most companies plan a meetup location outside of their building so they can perform a headcount.  This location such as a vacant parking lot across the street allows teams to identify missing personnel which can later be communicated to emergency personnel.  If your company has offices in thirty-five countries, you should think about the same thing, but not assembling across the street but across the border.  Have you identified an egress office for each overseas country?  If you had operations in Ukraine, then you might have chosen a neighboring country such as Poland, Romania, or Hungary to facilitate departures.  When things started going bad, that office could begin creating support networks to find local housing for your corporate refugees.  Additionally, finding job opportunities for family members can also be extremely helpful when language is a barrier in new countries. If we anticipate the Bear is going to attack our company digitally, then we should also look for the warning signs.  Good examples of this include following threat intelligence information from: Your local ISAC organization.  ISAC or Information Sharing Analysis Centers are great communities where you can see if your vertical sector is coming under attack and share your experiences/threats.  The National Council of ISACs lists twenty-five different members across a wide range of industries.  An example is the Financial Services ISAC or FS-ISAC which has a daily and weekly feed where subscribers can find situational reports on cyber threats from State Actors and criminal groups. InfraGard™ is a partnership between the Federal Bureau of Investigation and members of the private sector for the protection of US Critical Infrastructure.  Note you generally need to be a US citizen without a criminal history to join AlienVault offers a Threat Intelligence Community called Open Threat Exchange which grants users free access to over nineteen million threat indicators.  Note AlienVault currently hosts over 100,000 global participants, so it’s a great place to connect with fellow professionals. The Cybersecurity & Infrastructure Security Agency or CISA also routinely issues cybersecurity advisories to stop harmful malware, ransomware, and nation state attacks.  Helpful pages on their websites include the following:Shields Up which provides updates on cyber threats, guidance for organizations, recommendations for corporate Leaders and CEOs, ransomware responses, free tooling, and steps that you can take to protect your families. There’s even a Shields Technical Guidance page with more detailed recommendations. CISA routinely puts out Alerts which identify threat actor tactics and techniques.  For example, Alert AA22-011A identifies how to understand and mitigate Russian State Sponsored Cyber Threats to US Critical Infrastructure.  This alert tells you what CVEs the Russian government is using as well as the documented TTPs which map to the MITRE ATT&CK™ Framework.  Note if you want to see more on the MITRE ATT&CK mapped to various intrusion groups we recommend going to slant groups. CISA also has notifications that organizations can sign up for to receive timely information on security issues, vulnerabilities, and high impact activity. Another page to note on CISA’s website is US Cert.  Here you can report cyber incidents, report phishing, report malware, report vulnerabilities, share indicators, or contact US Cert.  One helpful page to consider is the Cyber Resilience Review Assessment.  Most organizations have an IT Control to conduct yearly risk assessments, and this can help identify weaknesses in your controls. Now that we have seen a bear in the woods, what can we do to put running shoes on to run faster than our peers?  If we look at the CISA Shield Technical Guidance Page we can find shields up recommendations such as remediating vulnerabilities, enforcing MFA, running antivirus, enabling strong spam filters to prevent phishing attacks, disabling ports and protocols that are not essential, and strengthening controls for cloud services.  Let’s look at this in more detail to properly fasten our running shoes. If we are going to remediate vulnerabilities let’s focus on the highest priority.  I would argue those are high/critical vulnerabilities with known exploits being used in the wild.  You can go to CISA’s Known Exploited Vulnerabilities Catalog page for a detailed list.  Each time a new vulnerability gets added, run a vulnerability scan on your environment to prioritize patching. Next is Multi Factor Authentication (MFA).  Routinely we see organizations require MFA access to websites and use Single Sign On.  This is great -- please don’t stop doing this.  However, we would also recommend MFA enhancements in two ways.  One, are you using MFA on RDP/SSH logins by administrators?  If not, then please enable immediately.  You never know when one developer will get phished, and the attacker can pull his SSH keys.  Having MFA means even when those keys are lost, bad actor propagation can be minimized.  Another enhancement is to increase the security within your MFA functionality.  For example, if you use Microsoft Authenticator today try changing from a 6 digit rotating pin to using security features such as number matching that displays the location of their IP Address.  You can also look at GPS conditional policies to block all access from countries in which you don’t have a presence. Running antivirus is another important safeguard.  Here’s the kicker -- do you actually know what percentage of your endpoints are running AV and EDR agents?  Do you have coverage on both your Windows and Linux Server environments?  Of the agents running, what portion have signatures updates that are not current?  How about more than 30 days old.  We find a lot of companies just check the box saying they have antivirus, but if you look behind the scenes you can see that antivirus isn’t as effective as you think when it’s turned off or outdated. Enabling Strong Spam Filters is another forgotten exercise.  Yes, companies buy solutions like Proofpoint to secure email, but there’s more that can be done.  One example is implementing DMARC to properly authenticate and block spoofed emails.  It’s the standard now and prevents brand impersonation.  Also please consider restricting email domains.  You can do this at the very top.  Today, the vast majority of legitimate correspondents still utilize one of the original seven top-level domains:  .com, .org, .net, .edu, .mil, .gov, and .int, as well as two-letter country code top-level domains (called ccTLDs).  However, you should look carefully at your business correspondence to determine if communicating with all 1,487 top-level domains is really necessary.  Let’s say your business is located entirely in the UK.  Do you really want to allow emails from Country codes such as .RU, .CN, and others?  Do you do business with .hair, or .lifestyle, or .xxx?  If you don’t have a business reason for conducting commerce with these TLDs, block them and minimize both spam and harmful attacks.  It won’t stop bad actors from using Gmail to send phishing attacks, but you might be surprised at just how much restricting TLDs in your email can help.  Note that you have to be careful not to create a self-inflicted denial of service, so make sure that emails from suspect TLDs get evaluated before deletion. Disabling Ports and Protocols is key since you don’t want bad actors having easy targets.  One thing to consider is using Amazon Inspector.  Amazon Inspector has rules in the network reachability package to analyze your network configurations to find security vulnerabilities in your EC2 Instances.  This can highlight and provide guidance about restricting access that is not secure such as network configurations that allow for potentially malicious access such as mismanaged security groups, Access Control Lists, Internet Gateways, etc. Strengthening Cloud Security- We won’t go into this topic too much as you could spend a whole talk on strengthening cloud security.  Companies should consider purchasing a cloud security solution like Wiz, Orca, or Prisma for help in this regard.  One tip we don’t see often is using geo-fencing and IP allow-lists.  For example, one new feature that AWS recently created is to enable Web Application Firewall protections for Amazon Cognito.  This makes it easier to protect user pools and hosted UIs from common web exploits. Once we notice there’s likely been a bear attack on our peers or our infrastructure, we should report it.  This can be done by reporting incidents to local governments such as CISA or a local FBI field office, paid sharing organizations such as ISAC, or free communities such as AlienVault OTX. Let's walk through a notional example of what we might encounter as collateral damage in a cyberwar.  However, to keeps this out of current geopolitics, we'll use the fictitious countries Blue and Orange. Imagine that you work at the Acme Widget Corporation which is a Fortune 500 company with a global presence.  Because Acme manufactures large scale widgets in their factory in the nation of Orange, they are also sold to the local Orange economy.  Unfortunately for Acme, Orange has just invaded their neighboring country Blue.  Given that Orange is viewed as the aggressor, various countries have imposed sanctions against Orange.  Not wanting to attract the attention of the Orange military or the U.S. Treasury department, your company produces an idea that might just be crazy enough to work.  Your company is going to form a new company within Orange that is not affiliated with the parent company for the entirety of the war.  This means that the parent company won’t provide services to the Orange company.  Additionally, since there is no affiliation between the companies then the legal department advises that there will not be sanction evasion activity which could put the company at risk.  There’s just one problem.  Your company has to evict the newly created Orange company (Acme Orange LLC) from its network and ensure it has the critical IT services to enable its success. So where do we start?  Let’s consider a few things.  First, what is the lifeblood of a company?  Every company really needs laptops and Collaboration Software like Office 365 or GSuite.  So, if we have five hundred people in the new Acme Orange company, that's five hundred new laptops and a new server that will host Microsoft Exchange, a NAS drive, and other critical Microsoft on premises services. Active Directory: Once you obtain the server, you realize a few things.  Previous Acme admin credentials were used to troubleshoot desktops in the Orange environment.  Since exposed passwords are always a bad thing, you get your first incident to refresh all passwords that may have been exposed.  Also, you ensure a new Active Directory server is created for your Orange environment.  This should leverage best practices such as MFA since Orange Companies will likely come under attack. Let’s talk about other things that companies need to survive: Customer relations management (CRM) services like Salesforce Accounting and Bookkeeping applications such as QuickBooks Payment Software such as PayPal or Stripe File Storage such as Google Drive or Drop Box Video Conferencing like Zoom Customer Service Software like Zendesk Contract Management software like DocuSign HR Software like Bamboo or My Workday Antivirus & EDR software Standing up a new company’s IT infrastructure in a month is never a trivial task.  However, if ACME Orange is able to survive for 2-3 years it can then return to the parent company after the sanctions are lifted. Let’s look at some discussion topics. What IT services will be the hardest to transfer? Can new IT equipment for Acme Orange be procured in a month during a time of conflict? Which services are likely to only have a SaaS offering and not enable on premises during times of conflicts? Could your company actually close a procurement request in a one-month timeline? If we believe we can transfer IT services and get the office up and running, we might look at our cyber team's role in providing recommendations to a new office that will be able to survive a time of turmoil. All laptops shall have Antivirus and EDR enabled from Microsoft. Since the Acme Orange office is isolated from the rest of the world, all firewalls will block IP traffic not originating from Orange. SSO and MFA will be required on all logins Backups will be routinely required. Note if you are really looking for effective strategies to mitigate cyber security incidents, we highly recommend the Australian Essential Eight.  We have a link in our show notes if you want more details. Additionally, the ACME Orange IT department will need to create its own Incident Response Plan (IRP).  One really good guide for building Cyber Incident Response Playbooks comes from the American Public Power Association.  (I'll put the link in our show notes.)  The IRP recommends creating incident templates that can be used for common attacks such as: Denial of Service (DoS) Malware Web Application Attack (SQL Injection, XSS, Directory Traversal, …) Cyber-Physical Attack Phishing Man in the middle attack Zero Day Exploit This Incident Response Template can identify helpful information such as Detection: Record how the attack was identified Reporting: Provide a list of POCs and contact information for the IT help desk to contact during an event Triage: List the activities that need to be performed during Incident Response.  Typically, teams follow the PICERL model.  (Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned) Classification: Depending on the severity level of the event, identify additional actions that need to occur Communications: Identify how to notify local law enforcement, regulatory agencies, and insurance carriers during material cyber incidents.  Additionally describe the process on how communications will be relayed to customers, employees, media, and state/local leaders. As you can see, there is much that would have to be done in response to a nation state aggression or regional conflict that would likely fall in your lap.  If you didn't think about it before, you now have plenty of material to work with.  Figure out your own unique requirements, do some tabletop exercises where you identify your most relevant Orange and Blue future conflict, and practice, practice, practice.  We learned from COVID that companies that were well prepared with a disaster response plan rebranded as a pandemic response plan fared much better in the early weeks of the 2020 lockdown.  I know my office transitioned to remote work for over sixty consecutive weeks without any serious IT issues because we had a written plan and had practiced it.  Here's another one for you to add to your arsenal.  Take the time and be prepared -- you'll be a hero "when the bubble goes up."  (There -- you've learned an obscure term that nearly absent from a Google search but well-known in the Navy and the Marine Corps.) Okay, that's it for today's episode on Outrunning the Bear.  Let's recap: Know yourself Know what foreign adversaries want Know what information, processes, or people you need to protect Know the goals of state actors:steal targeting data collect foreign intelligence covert action Know how to establish a good communications plan (PACE)Primary Alternate Contingency Emergency Know how to get out of Dodge Know where to find private and government threat intelligence Know your quick wins for protectionremediate vulnerabilities implement MFA everywhere run current antivirus enable strong spam filters restrict top level domains disable vulnerable or unused ports and protocols strengthen cloud security Know how to partition your business logically to isolate your IT environments in the event of a sudden requirement. Thanks again for listening to CISO Tradecraft.  Please remember to like us on your favorite podcast provider and tell your peers about us.  Don't forget to follow us on LinkedIn too -- you can find our regular stream of low-noise, high-value postings.  This is your host G. Mark Hardy, and until next time, stay safe. References 

Monday Sep 26, 2022

Special Thanks to our podcast sponsor, NowSecure.  On this episode, Brian Reed (Chief Mobility Officer at NowSecure) stops in to provide a world class education on Mobile Application Security.  It's incredible to think that 70% of internet traffic is coming over mobile devices.  Most of this traffic occurs via mobile applications so we need to understand mobile application security testing, before attackers show us how important it is. This episode will help you understand: What should you be doing to secure your mobile applications? Why managing a mobile device doesn't secure your application layer? How should you vet your mobile applications according to recommendations from OWASP References: NowSecure Academy provides free mobile application security training and certificate programs- Mobile app growth trends and security issues in the news-  Snapshot of the current risk profile for mobile apps in your industry- App Defense Alliance  Google Play Data Safety-   OWASP CycloneDX-  OWASP MASVS- 

Monday Sep 19, 2022

Ahoy! and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we’re going to -- talk like a pirate.  ARRR As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. On today’s episode we are going to talk about the 9 Cs of Cyber Security.  Note these are not the 9 Seas that you might find today, the 19th of September, which happens to be the 20th annual International Talk like a Pirate Day.  They are the nine words that begin with the letter C (but not the letter ARRR): Controls, Compliance, Continuity, Coverage, Complexity, Competency, Communication, Convenience, Consistency. Please note that this talk is inspired by an article by Mark Wojtasiak from Vectra, but we have modified the content to be more aligned with our thoughts at CISO Tradecraft. Now before we go into the 9 Cs, it’s important to understand that the 9 Cs represent three equal groups of three.  Be sure to look at the show notes which will link to our CISO Tradecraft website that shows a 9-box picture which should make this easier to understand.  But if you're listening, imagine a three-by-three grid where each row corresponds to a different stakeholder.  Each stakeholder is going to be concerned with different things, and by identifying three important priorities for each, we have our grid.  Make sense?  Okay, let's dig in. The first row in our grid is the focus of Executive Leaders. First, this group of executives such as the CEO, CIO, and CISO ensure that the IT controls and objectives are working as desired.  Next, these executives want attestations and audits to ensure that compliance is being achieved and the organization is not just paying lip service to those requirements.  Thirdly, they also want business continuity.  IT systems must be constantly available despite attacks from ransomware, hardware failures, and power outages. The second row in our grid is the focus of Software Development shops. This group consists of Architects, Developers, Engineers, and Administrators.  First, they need to ensure they understand the Coverage of their IT systems in asset inventories -- can we account for all hardware and software.  Next, developers should be concerned with how Complexity in their environment can reduce security, as these tend to work at cross-purposes.  Lastly, developers care about Competency of their teams to build software correctly; that competency is a key predictor of the end quality of what is ultimately produced. The third and final row in our grid is the focus of Security Operations Centers. This group consists of Incident Handlers and Responders, Threat Intelligence Teams, and Business Information System Officers commonly known as BISOs.  They need to provide clear communication that informs others what they need to do, they need processes and tools that enable convenience so as to reduce friction.  Finally, they need to be consistent.  No one wants a fire department that only shows up 25% of the time. So now that we have a high-level overview of the 9 C’s let’s start going into detail on each one of them.  We'll start with the focus of executive leaders.  Again, that is controls, compliance, and continuity. Controls- According to James Hall's book on Accounting Information Systems[i], General Computer Controls are "specific activities performed by persons or systems designed to ensure that business objectives are met." Three common control frameworks that we see inside of organizations today are COBIT, COSO, and ITIL. COBIT®, which stands for The Control Objectives for Information Technology was built by the IT Governance Institute and the Information Systems Audit and Controls Organization, better known as ISACA®.  COBIT® is primarily focused on IT compliance, audit issues, and IT service, which should not be a surprise given its roots from ISACA® which is an Audit and Controls organization.  Overall, COBIT® 2019, the latest version, is based on the following six principles[ii] (note that the prior version, COBIT® 5[iii], had five): Provide stakeholder value Holistic approach Dynamic governance system Governance distinct from management Tailored to enterprise needs End-to-end governance system COSO  stands for The Committee of Sponsoring Organizations of the Treadway Commission.  Their latest version is the 2017 Enterprise Risk Management - Integrated Framework, which is designed to address "enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.[iv]"  COSO states that internal controls are a PROCESS, effected by leadership, to provide reasonable assurance with respect to effectiveness, reliability, and compliance[v].  The framework consists of five interrelated principles[vi]: Governance and culture Strategy and objective-setting Performance Review and revision, and Information, communication, and reporting To support these principles, COSO defines internal controls as consisting of five interrelated components: Control environments, Risk Assessments, Control Activities, Information and Communication, and Monitoring Activities. The third framework is ITIL®, which stands for Information Technology Infrastructure Library. First published in 1989 (the latest update is 2019/2020), ITIL® is managed and maintained by AXELOS, a joint venture between the Government of the United Kingdom and PeopleCert, which acquired AXELOS in 2021. According to their website[vii], "ITIL 4 is an adaptable framework for managing services within the digital era.  Through our best practice modules, ITIL 4 helps to optimize digital technologies to co-create value with consumers, drive business strategy, and embrace digital transformation." (Talk about buzzword compliance).  ITIL® 4 focuses on process and service management through service strategy, service design, service transition, service operation, and continual service improvement.  What is interesting is that there is no third-party assessment of ITIL® compliance in an organization, only individual certification. At the end of the day an organization needs to pick one of these popular control frameworks and show controls are being followed.  This isn’t just a best practice; it’s also required by Sarbanes Oxley.  SOX has two sections that require control attestations that impact cyber.  Section 302 requires corporate management, executives, and financial officers to perform quarterly assessments which: Evaluate the effectiveness of disclosure controls, Evaluate changes in internal controls over financial reporting, Disclose all known control deficiencies and weaknesses, and Disclose acts of fraud. Since financial services run on IT applications, cybersecurity is generally in scope for showing weaknesses and deficiencies.  SOX Section 404 requires an annual assessment by both management and independent auditors.  This requires organizations to: Evaluate design and operating effectiveness of internal controls over financial reporting, Disclose all known controls and significant deficiencies, and disclose acts of fraud. Once we understand the requirements for controls, we need to be Compliant. Compliance is the second C we are discussing today.  Remember the CFO and CEO need to produce annual and quarterly reports to regulators such as the SEC.  So, if you as a CISO can help them obtain a clean bill of health or fix previous audit findings, you help the business. A useful tool to consult in terms of compliance is a concept from the Institute of Internal Auditors known as the three lines model or three lines of defense[viii].  This model has as a foundation six principles: Governance Governing body roles Management and first- and second-line roles Third line roles Third line independence, and Creating and protecting value The first line of defense is the business and process owners who maintain internal controls.  You can think of a software developer who should write secure software because there is an IT Control that says so.  That developer is expected to run application security scans and vulnerability scans to find bugs in their code.  They are also expected to fix these issues before releasing to production.  The second line of defense are elements of an organization that focus on risk management and compliance.  Your cyber team is a perfect example of this.  If the developer doesn’t fix the application vulnerabilities before sending code to production, then the company is at risk.  Cyber teams generally track and report vulnerability findings to the business units to ensure better compliance with IT controls. Finally, the third line of defense is internal audit.  Internal audit might assess an IT control on secure software development and say we have an issue.  The developers push out bad code with vulnerabilities.  Cyber tells the developers to fix, yet we are observing trends that the total vulnerabilities are only increasing.  This systemic risk is problematic, and we recommend management comply with the IT controls by making immediate fixes to this risky situation. Now, other than the observation that the ultimate line of defense (internal auditors) is defined by the Institute of Internal Auditors (no conflict of interest there), note that internal auditors can report directly to the board.  Developers and CISOs typically cannot.  One of the most powerful weapons in an auditor's toolbox is the "finding."  The U.S. Code defines what represents a finding[ix] in the context of federal awards, to include: Significant deficiencies and material weaknesses in internal control and significant instances of abuse Material noncompliance with the provisions of Federal statutes or regulations Known questioned costs, specifically identified by the auditor, greater than $25,000 for a type of compliance requirement Internal auditors have both a mandate from and access to the board to ensure that the organization meets compliance requirements.  So, if you've been unsuccessful in getting funding for what you consider a critical security asset, maybe, just maybe, you casually point that out to the auditors so that it ends up in a finding.  After all, findings get funded.  Don't get caught, though, or you'll have some explaining to do to your boss who previously turned you down. Management cares a lot about Continuity. Remember, if the business is down, then it’s not making money, and it's probably losing money by the hour.  If the business isn’t making money, then they can’t pay for the cyber department.  So, among your goals as a cyber executive is to ensure the continuity of revenue-generation services.  To start, you must identify what those activities are and find ways to protect the services by reducing the likelihood of vulnerabilities found in those systems.  You also need to ensure regular backup activities are occurring, disaster recovery exercises are performed, Business Continuity Plans are tested, and tabletops are executed.  Each of these activities has the potential to identify gaps which cause harm to the continuity that executives care about. How do you identify revenue-generating elements of the business?  Ask.  But do your homework first.  If you're a publicly traded company, the annual report will often break out lines of business showing profit and loss for each.  Even if it's losing money today, it still may be vital to the organization.  Think, ahem, about your department -- you're probably not making a profit for the company in the security suite, but your services are definitely important.  Look at the IT systems that support each line of business and assess their criticality to the success of that business component.  In today's digitized workplace, the answer will almost always be "yes," but since you don't have unlimited resources, you need to rack and stack what has to be protected first.  A Business Impact Analysis, or BIA, involves meeting with key executives throughout the organization, assessing the importance and value of IT-supported business processes, ranking them in the order in which they need to be assured, and then acting on that knowledge.  [I thought we had done an episode on BIA, but I checked back and couldn’t find one.  So, expect to learn more about that in a future episode.] Backups and disaster recovery exercises are a must in today's world of ransomware and surprise risks, but make sure that you're not just hand-waving and assuming that what you think is working really is working.  Do what I call "core sampling" -- get with your team and dig way down until you reach some individual file from a particular date or can observe all logs collected for some arbitrary 5-minute period.  It's not that that information is critical in and of itself, but your team's ability to get to that information quickly and accurately should increase your confidence that they could do the same thing when a true outage occurs. Lastly, tabletop exercises are a great way to ensure that your team (as well as others from around the organization, up to and including senior leadership) know what to do when certain circumstances occur.  The advantage of tabletops is that they don't require much time and effort from the participants to go through emergency response procedures.  The disadvantage of tabletops is that you risk groupthink when everyone thinks someone else took care of that "assumed" item.  Companies have been caught flat-footed when the emergency diesel generator doesn't kick in because no one in the tabletop tests ever thought to check it for fuel, and the tank was empty.  Things change, and there's nothing like a full-scale test where people have to physically go to or do the things they would in a true emergency.  That's a reason why kids in school don't discuss what to do in a fire drill, they actually do what needs to be done -- get out of the building.  Be careful here you don't have a paper tiger for a continuity plan -- it's too late when things start to come apart to realize you hadn't truly done your homework. Those are the three Cs for executives -- controls, compliance, and continuity.  Now let's move on to developers. If you remember, the three Cs for developers are coverage, complexity, and competency. Developers need to care about Coverage. When we talk about coverage, we want to ensure that we know everything that is in our environment.  That includes having a complete and up-to-date asset inventory, knowing our processes are free from security oversight, as well as ensuring that our security controls are deployed across all of our potential attack surfaces.  "We've got your covered" is usually considered reassuring -- it's a statement that someone has thought of what needs to be protected. Specifically, our technical team members are the only ones who can generally tell if the IT asset inventory is correct.  They are the ones who run the tools, update the agents (assuming we're not agentless), and push the reporting.  If the scanning tools we use are missing hardware or software, then those gaps represent potential landing zones for enemy forces.  The Center for Internet Security's Critical Controls start with these two imperatives.  Essentially, if you don't know what you have, how can you secure it? Knowing our processes is key.  For developers today, it's much more likely that they're using a DevOps continuous integration / continuous delivery, or CI/CD process, rather than the classic waterfall methodology.  Agile is often an important part of what we do, and that continuous feedback loop between developer and customer helps to ensure that we cover requirements correctly (while being careful to avoid scope creep.)  Throughout our development cycle, there are numerous places where security belongs -- the art we call DevSecOps.  By putting all of our security processes into version control -- essentially automating the work and moving away from paper-based processes, we create a toolchain that automates our security functionality from pre-commit to commit to acceptance to production to operations.  Doing this right ensures that security in our development environment is covered. Beyond just the development pipeline, we need to cover our production environment.  Now that we've identified all hardware and software and secured our development pipeline, we need to ensure that our security tools are deployed effectively throughout the enterprise to provide protective coverage.  We may know how many servers we have, but if we don't scan continuously to ensure that the defenses are running and up to date, we are effectively outsourcing that work to bad actors, who fundamentally charge higher billing rates than developers when they take down critical systems via ransomware. In his book Data and Goliath, Bruce Schnier wrote, "Complexity is the worst enemy of security, and our systems are getting more complex all the time.[x]" Complexity is inversely correlated to security. If there are two hundred settings that you need to configure properly to make containers secure, that’s a big deal.  It becomes a bigger deal when the team only understands how to apply 150 of those settings.  Essentially, your company is left with fifty opportunities for misconfiguration to be abused by bad actors.  Therefore, when possible, focus your understanding on how to minimize complexity.  For example, instead of running your own containers on premises with Kubernetes, try using Amazon Elastic Container Services.  There’s a significant amount of configuration complexity decrease.  In addition, using cloud-based services give us a lot of capabilities -- elastic scaling, load balancers, multiple regions and availability zones, and even resistance to DDoS attacks.  That’s a lot of overhead to ensure in a high-availability application running on servers in your data center.  Consider using AWS lambda where all of that is already handled as a service for our company.  Remember that complexity makes security more difficult and generally increases the costs of maintenance.  So only increase complexity when the business benefit exceeds the costs. From a business connectivity perspective, consider the complexity of relationships.  Many years ago, data centers were self-contained with 3270 green screens (or punched card readers if you go back far enough) as input and fan-fold line printer generated paper as output.  Essentially, the only connection that mattered was reliable electrical power. Today, we have to be aware of what's going on in our industry, our customers, our suppliers, consumers, service providers, and if we have them, joint ventures or partners.[xi]  This complex web of competing demands stretches our existing strategies, and sometimes rends holes in our coverage.  I would add to that awareness, complexity in our workforce.  How did COVID-19 affect your coverage of endpoints, for example?  Most work-from-home arrangements lost the benefit of the protection of the enterprise security bubble, with firewalls, scanners, and closely-manage endpoints.  Just issuing a VPN credential to a developer working from home doesn't do much when junior sits down at mom's computer to play some online game and downloads who-knows-what.  Consider standardizing your endpoints for manageability -- remove the complexity.  When I was in the Navy, we had exactly two endpoint configurations from which to choose, even though the Navy-Marine Corps Intranet, or NMCI, was the largest intranet in the world at the time.  Although frustrating when you have to explain to the admiral why his staff can't get fancier computers, the offsetting benefit is that when an emergency patch has to get pushed, you know it's going to "take" everywhere. Number six is Competency -- another crucial skill for developers. If your organization doesn’t have competent developers, then more vulnerabilities are going to emerge.  So how do most other industries show competencies?  They use a licensure and certification process.  For example, teenagers in the United States must obtain a driver’s license before they are legally approved to drive on their own.  Nearly all of us have been through the process -- get a manual when you get a learner's permit, go to a driving school to learn the basics, practice with your terrified parents, and after you reach the minimum age, try not to terrify the DMV employee in the passenger seat.  In the UK, the Driver and Vehicle Standards Agency recommends a minimum of 47 hours of lessons before taking the driving test, which still has only a 52% pass rate on the first attempt[xii]. Now ask yourself, is developing and deploying apps riskier than driving a car?  If so, consider creating a Developer Driver’s License exam that identifies when developers are competent before your company gives them the SSH keys to your servers.  Before your new developer sits for the exam you also need to provide the training that identifies the Rules of the Road.  For example, ask: When a new application is purchased, what processes should be followed? When are third party vendor assessments needed?  How does one document applications into asset inventory systems and Configuration Management Databases? If you can build the Driver’s Education Training equivalent for developer and measure competency via an exam, you can reduce the risk that comes from bad development and create a sense of accomplishment among your team. So, to summarize so far, for executives we have controls, compliance, and continuity, and for developers we have coverage, complexity, and competency.  It's now time to move to the last three for our security operations center:  clarity, context, and community. The seventh C is Communication. Let’s learn from a couple quotes on effective communication. Peter Drucker said, “The most important thing in communication is hearing what isn’t said.”  When you share an idea do you look at the person you are informing to see if they understand the idea?  What body language are you seeing?  Are they bored and not facing you, are they engaged and leaning in and paying close attention, or are they closed off with arms crossed?  We've probably all heard the term "active listening."  If you want to ensure the other party understands what you're saying (or if you're trying to show them you understand what they are saying), ask the listener to repeat back in their own words what the speaker has just said.  You'd be amazed how few people are needed to play the game of "telegraph" and distort a message to the point it is no longer recognizable. George Bernard Shaw said, “The single biggest problem in communication is the illusion that it has taken place.”  When you present a technical topic on a new risk to executives, ask questions to ensure they understand what you just shared.  If you don't do so, how do you know when you might be overwhelming them with information that goes right over their heads.  There's always the danger that someone will not want to look stupid and will just nod along like a bobblehead pretending to understand something about which they have absolutely no clue.  Richard Feynman had said, "If you can't explain it to a six-year-old, you don't understand it yourself."  Well, let me offer G Mark's corollary to that quote:  "If you can't explain it to a six-year-old, you can't explain it to your board."  And sometimes the big boss.  And sometimes your manager.  And sometimes your co-worker.  Ask for feedback; make sure the message is understood. Earl Wilson said, “Science may never come up with a better office communication system than the coffee break.”  When you want to launch a really important initiative that needs group buy-in, did you first have one-on-ones to solicit feedback?  Did you have an ear at the water cooler to understand when people say yes but really mean no?  Do you know how to connect with people so you can ask for a favor when you really don’t have the resources necessary to make something happen?  Unless you are in the military, you can't issue lawful orders to your subordinates and demand that they carry them out.  You have to structure your communication in such a way that expectations are made clear, but also have to allow for some push-back, depending on the maturity of the relationship you've developed with your team.  [War story:  Just this past week, Apple upgraded to iOS 16.  We use iPhones exclusively as corporate-issued handsets, so I sent a single sentence message to my senior IT team member:  "Please prepare and send an email to all who have an iPhone with steps on how to update the OS soonest.  Thank you."  To me, that seemed like clear communication.  The next day I get a response, "People are slowly updating to 16.0 on their own and as the phone prompts them."  After a second request where I point out "slowly" has not been our strategy for responding to exploitable security vulnerabilities, I get a long explanation of how Apple upgrades work, how he's never been questioned in his long career -- essentially the person spent five times as much time explaining why he will NOT do the task rather than just doing it.  And today 80% of the devices are still not updated.  At times like this I'm reminded of Strother Martin in Cool Hand Luke:  "What we have here is failure to communicate."  So, my lesson for everyone is even though you think your communications are crystal clear, they may not be perceived as such.] Our last quote is from Walt Disney who said, “Of all our inventions for mass communication, pictures still speak the most universally understood language.”  If you believe that pictures are more effective than words, think about how you can create the best pictures in your emails and slide decks to communicate effectively.  I remember a British officer who had visited the Pentagon years ago who commented, "PowerPoint is the language of the US military."  I think he's right, at least in that context.  Ask yourself, are pictures part of your language? Convenience is our eighth C that we are going to talk about. How do we make something convenient?  We do it by automating the routine and removing the time wasters.  In terms of a SOC, we see technology in this space emerging with the use of Security Orchestration, Automation, and Response, or SOAR technologies.  Convenience can come in a lot of ways.  Have we created helpful playbooks that identify a process to follow?  If so, we can save time during a crisis when we don’t have a minute to spare.  Have we created simple processes that work via forms versus emails?  It’s a lot easier to track how many forms have been submitted and filter on field data versus aggregating unstructured emails.  One thing you might consider as a way to improve convenience are Chatbots.  What if someone could ask a Chatbot a Frequently Asked Question and get a quick, automated, and accurate response?  That convenience helps people, and it saves the SOC time.  If you go that route, as new questions get asked, do you have a way to rank them by frequency and add them as new logic to the chatbot?  If you do, your chatbot gets more useful and provides even greater convenience to the workforce.  How great would it be to hear your colleagues saying it was so convenient to report an incident and see that it was handled in such a timely manner.  Find ways to build that experience and you will become the partner the business wants. Last, but not least, is the 9th C of Consistency. Want to know how to create an audit finding?  Try not being consistent.  Auditors hate that and love to point out inconsistencies in systems.  I’m sure there are auditors right now listening to this podcast smiling with joy saying, "yup, that’s me."  Want to know how to pass every audit standard?  Try passing the CARE Standard for cyber security.  CARE is a Gartner acronym that means Consistent, Adequate, Reasonable and Effective.  Auditors look at the Consistency of controls by performing tests to determine if the control is working the same way over time across the organization.  Auditors also look for Adequacy to determine if you have satisfactory controls in line with business needs.  Auditors ensure that your practices are Reasonable by identifying if there exist appropriate, fair, and moderate controls.  Finally, auditors look at Effectiveness to ensure the controls are producing the desired or intended outcomes.  So, in a nutshell, show Auditors that you CARE about cyber security. Okay, let's review.  Our nine Cs are for executives, developers, and SOC teams.  Executives should master controls, compliance, and continuity; developers should master coverage, complexity, and competency; and SOC teams should focus on clarity, communications, and consistency.  If you paid careful attention, I think you would find lessons for security leaders in all nine boxes across the model.  Essentially, don't conclude because boxes four through nine are not for executives that you don't need to master them -- all of this is important to being successful in your security leadership career. Well thanks again for listening to the CISO Tradecraft podcast as we discussed the 9 C’s.  And for International Talk Like a Pirate Day, I do have a rrr-request:  if you like our show, please take a few seconds to rate us five stars on your favorite podcast provider.  Another CISO pointed out to me this past week that we came up first on Spotify when searching for C-I-S-O, and that's because those rankings are crowd-sourced.  It's a great way to say thank you for the time and effort we put into our show, and I thank you in advance.  This is your host G. Marrrrk Hardy, and please remember to stay safe out there as you continually practice your CISO Trrrradecraft. References   [i] Hall, James A. (1996).  Accounting Information Systems.  Cengage Learning, 754 [ii] [iii] [iv] [v] [vi] [vii] [viii] [ix] [x] [xi] [xii]

Monday Sep 12, 2022

Special Thanks to our podcast Sponsor, Varonis.  Please check out Varonis's Webpage to learn more about their custom data security solutions and ransomware protection software.  On this episode Brian Vecci (Field CTO of Varonis) stops by CISO Tradecraft to discuss all things Data Security.  He highlights the top 3 things every CISO needs to balance with regards to data security (Productivity, Convenience, and Security).  He also discusses the most important security questions we need to understand: What is Data Security and how does it fit into Data Protection? How do we understand where our company’s data resides? How do we know if our data is exposed? How do we reduce the risk of data exposure without harming the business? Enjoy the show and please share it with others.  Also don't forget to follow the LinkedIn CISO Tradecraft Page to get more great content.  

Monday Sep 05, 2022

Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper.  As always, please follow us on LinkedIn, and subscribe if you have not already done so. Shigeo Shingo, who lived from 1909-1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen.  He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority." Satya Nadella, the CEO of Microsoft, stated that, “Every company is a software company.  You have to start thinking and operating like a digital company.  It’s no longer just about procuring one solution and deploying one solution… It’s really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence.” The first time I heard this I didn’t really fully understand it.  But after reflection it makes a ton of sense.  For example, let’s say your company couldn’t send email.  How much would that hurt the business?  What if your company couldn’t use Salesforce to look up customer information?  How might that impact future sales?  What if your core financial systems had database integrity issues?  Any of these examples would greatly impact most businesses.  So, getting high-quality software applications that enable the business is a huge win. If every company is a software or digital company, then the CISO has a rare opportunity.  That is, we can create one of the largest competitive advantages for our businesses. What if we could create an organization that builds software cheaper, faster, and better than all of our competitors? Sounds good right?  That is the focus of today’s show, and we are going to teach you how to excel in creating a world class organization through a focused program in Secure Software Development.  Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that?  Let's start at the back and work our way forward. We can make our software development costs cheaper by increasing productivity from developers. We can make our software development practices faster by increasing convenience and reducing waste. We can make our software better by increasing security. Let’s first look at increasing productivity.  To increase productivity, we need to under    stand the Resistance Pyramid.  If you know how to change people and the culture within an organization, then you can significantly increase your productivity.  However, people and culture are difficult to change, and different people require different management approaches. At the bottom of the pyramid are people who are unknowing.  These individuals Don’t know what to do.  You can think of the interns in your company.  They just got to your company, but don't understand what practices and processes to follow.  If you want to change the interns, then you need to communicate what is best practice and what is expected from their performance.  Utilize an inquiry approach to decrease fear of not knowing, for example, "do you know to whom I should speak about such-and-such?" or "do you know how we do such-and-such here?"  An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directional manner. The middle part of the pyramid is people who believe they are unable to adapt to change.  These are individuals that don’t know how to do the task at hand.  Here, communications are important, but also skills training.  Compare your team members here to an unskilled labor force -- they're willing to work but need an education to move forward.  If you give them that, then the unskilled can become skilled. However, if you never invest in them, then you will not increase your company’s productivity and lowers your costs. At the Top of the resistance pyramid are the people who are unwilling.  These individuals Don’t Want to Change.  We might call these folks the curmudgeons that say we tried it before, and it doesn’t work.  Or I’m too old to learn that.  If you want to change these individuals and the culture of an organization, then you need to create motivation. As leaders, our focus to stimulate change will be to focus on communicating, educating, and motivating.  The first thing that we need to communicate is the Why.  Why is Secure Software Development important?  The answer is money.  There are a variety of studies that have found that when software vulnerabilities get detected in the early development processes, they are cheaper than later in the production phases.  Research from the Ponemon Institute in 2017 found that the average cost to address a defect in the development phase was $80, in the build phase was $240, in the QA/Test Phase was $960, and in the Production phase was $7,600.  Think of that difference.  $80 is about 1% of $7,600.  So if a developer finds bugs in the development code then they don’t just save their time, they save the time of second developer who doesn’t have to do a failed code review, they save the time of an infrastructure engineer who has to put the failed code on a server, they save the time of another tester who has to create regression tests which fail, they save the time of a wasted change approval board on a failed release, and they save the customer representatives time who will respond to customers when the software is detected as having issues.  As you see there’s a lot of time to be saved by increasing productivity, as well as a 99% cost savings for what has to be done anyway.  Saving their own time is something that will directly appeal to every development team member. To do this we need to do something called Shift Left Testing.  The term shift left refers to finding vulnerabilities earlier in development.  To properly shift left we need to create two secure software development programs. The first program needs to focus on is the processes that an organization needs to follow to build software the right way.  This is something you have to build in house.  For example, think about how you want software to create a network diagram that architects can look at in your organization.  Think about the proper way to register an application into a Configuration Management Database so that there is a POC who can answer questions when an application is down.  Think about how a developer needs to get a DNS entry created for new websites.  Think about how someone needs to get a website into the various security scanning tools that your organization requires (SAST, DAST, Vuln Management, Container Scanning, etc.)  Think about how developers should retire servers at the end of life.  These practices are unique to your company.  They may require a help desk ticket to make something happen or if you don't have a ticketing system, an email.  We need to document all of these into one place where they can be communicated to the staff members who will be following the processes.  Then our employee has a checklist of activities they can follow.  Remember if it’s not in the checklist, then it won’t get done.  If it doesn’t get done, then bad security outcomes are more likely happen.  So, work with your architects and security gurus to document all of the required practices for Secure Software Development in your company.  You can place this knowledge into a Wikipedia article, a SharePoint site, a Confluence Page, or some kind of website.  Make sure to communicate this frequently.  For example, have the CIO or CISO share it at the IT All Hands meeting.  Send it out in monthly newsletters.  Refer to it in security discussions and architecture review boards.  The more it’s communicated the more unknowing employees will hear about it and change their behavior. The second program that you should consider building is a secure code training platform.  You can think of things such as Secure Code Warrior, HackEDU (now known as Security Journey), or Checkmarx Code Bashing.  These secure code training solutions are usually bought by organizations instead of being created in-house.  They teach developers how to write more secure code.  For example, "How do I write JavaScript code that validates user input, sanitizes database queries, and avoids risky program calls that could create vulnerabilities in an application?"  If developers gain an education in secure programming, then they are less likely to introduce vulnerabilities into their code.  Make these types of training programs available to every developer in your company. Lastly, we need to find a way to motivate the curmudgeons.  One way to do that is the following:Let’s say you pick one secure coding platform and create an initial launch.  The first two hundred people in the organization that pass the secure developer training get a one-time bonus of $200.  This perk might get a lot of people interested in the platform.  You might even get 10-20% of your organization taking the training in the first quarter of the program.  The second quarter your organization announces that during performance reviews anyone who passed the secure software training will be viewed more favorable than their peers.  Guess what?  You will see more and more people taking the training class.  Perhaps you see that 50% of your developer population becomes certified.  Then the following year you say since so many developers are now certified, to achieve the rank of Senior Developer within the organization, it is now expected to pass this training.  It becomes something HR folks look for during promotion panels.  This gradual approach to move the ball in training can work and has been proven to increase the secure developer knowledgebase. Here's a pro tip:  Be sure to create some kind of badges or digital certificates that employees can share.  You might even hand out stickers upon completion that developers can proudly place on their laptops.  Simple things like this can increase visibility.  They can also motivate people you didn't think would change. Now that we have increased productivity from the two development programs (building software the right way and a secure code training platform), it’s time to increase convenience and reduce waste.  Do you know what developers hate?  Well, other than last-minute change requests.  They hate inefficiencies.  Imagine if you get a vulnerability that says you have a bug on line 242 in your code.  So you go to the code, and find there really isn’t a bug, it's just a false positive in the tool.  This false bug detection really, well, bugs developers.  So, when your organization picks a new SAST, DAST, or IAST tool, be sure to test the true and false positive rates of the tool.  One way to do this is to run the tools you are considering against the OWASP Benchmark.  (We have a link to the OWASP Benchmark in our show notes.)  The OWASP Benchmark allows companies to test tools against a deliberately vulnerable website with vulnerable code.  In reality, testing tools find both good code and bad code.  These results should be compared against the ground truth data to determine how many true/false positives were found.  For example, if the tool you choose has a 90% True Positive Rate and a 90% False Positive Rate then that means the tool pretty much reports everything is vulnerable.  This means valuable developer time is wasted and they will hate the tool despite its value.  If the tool has a 50% True Positive Rate and a 50% False positive rate, then the tool is essentially reporting randomly.  Once again, this results in lost developer confidence in the tool.  You really want tools that have high True Positive Rates and low False Positive Rates.  Optimize accordingly. Another developer inefficiency is the amount of tools developers need to leverage.  If a developer has to log into multiple tools such as Checkmarx for SAST findings, Qualys for Vulnerability Management findings, Web Inspect for DAST findings, Prisma for Container Findings, Truffle Hog for Secrets scanning, it becomes a burden.  If ten systems require two minutes of logging in and setup each that's twenty minutes of unproductive time.  Multiply that time the number of developers in your organization and you can see just how much time is lost by your team just to get setup to perform security checks.  Let's provide convenience and make development faster.  We can do that by centralizing the security scanning results into one tool.  We recommend putting all the security findings into a Source Code Repository such as GitHub  or GitLab.  This allows a developer to log into GitHub every day and see code scanning vulnerabilities, dependency vulnerabilities, and secret findings in one place.  This means that they are more likely to make those fixes since they actually see them.  You can provide this type of view to developers by buying tools such as GitHub Advanced Security.  Now this won’t provide all of your security tools in one place by itself.  You still might need to show container or cloud findings which are not in GitHub Advanced Security.  But this is where you can leverage your Source Code Repository’s native CI/CD tooling.  GitHub has Actions and GitLab has Runners.  With this CI/CD function developers don’t need to go to Jenkins and other security tools.  They can use a GitHub Actions to integrate Container and Cloud findings from a tool like Prisma.  This means that developers have even fewer tools from CI/CD perspectives as well less logging into security tools.  Therefore, convenience improves.  Now look at it from a longer perspective.  If we get all of our developers integrating with these tools in one place, then we can look in our GitHub repositories to determine what vulnerabilities a new software release will introduce.  This could be reviewed at Change Approval Board.  You could also fast track developer who are coding securely.  If a developer has zero findings observed in GitHub, then that code can be auto approved for the Change Approval.  However, if you have high/critical findings then you need manager approvals first.  These approvals can be codified using GitHub code scanning, which has subsumed the tool Looks Good To Me (LGTM), which stopped accepting new user sign-ups last week (31 August 2022).  This process can be streamlined into DevSecOps pipelines that improve speed and convenience when folks can skip change approval meetings. Another key way we can make software faster is by performing value stream mapping exercises.  Here’s an example of how that reduces waste.  Let’s say from the time Nessus finds a vulnerability there’s actually fifteen steps that need to occur within an organization to fix the vulnerability.  For example, the vulnerability needs to be assigned to the right team, the team needs to look at the vulnerability to confirm it’s a legitimate finding, a patch needs to be available, a patch needs to be tested, a change window needs to be available, etc.  Each of these fifteen steps take time and often require different handoffs between teams.  These activities often mean that things sit in queues.  This can result in waste and inefficiencies.  Have your team meet with the various stakeholders and identify two time durations.  One is the best-case time for how long something should go through in an optimal process.  The second is the average time it takes things to go through in the current process.  At the end of it you might see that the optimal case is that it takes twenty days to complete the fifteen activities whereas the average case takes ninety days.  This insight can show you where you are inefficient.  You can identify ways to speed up from ninety to twenty days.  If you can do this faster, then developer time is gained.  Now, developers don’t have to wait for things to happen.  Making it convenient and less wasteful through value stream mapping exercises allows your teams to deploy faster, patch faster, and perform faster. OK last but not least is making software better by increasing security.   At the end of the day, there are many software activities that we do which provide zero value to the business.  For example, patching operating systems on servers does not increase sales.  What makes the sales team sell more products?  The answer is more features on a website such as product recommendations, more analysis of the data to better target consumers, and more recommendations from the reporting to identify better widgets to sell.  Now, I know you are thinking, did CISO Tradecraft just say to not patch your operating systems?  No, we did not.  We are saying patching operating systems is not a value-add exercise.  Here’s what we do recommend.  Ask every development team to identify what ike patching.  Systems that have a plethora of maintenance activities are wasteful and should be shortlisted for replacement.  You know the ones: solutions still running via on-premises VMWare software, software needing monthly java patching, and software if the wind blows the wrong way you have an unknown error.  These systems are ripe for replacement.  It can also be a compelling sell to executives.  For example, imagine going to the CIO and CEO of Acme corporation.  You highlight the Acme app is run by a staff of ten developers which fully loaded cost us about $250K each.  Therefore, developing, debugging, and maintaining that app costs our organization roughly $2,500,000 in developer time alone plus hosting fees.  You have analyzed this application and found that roughly 80% of the time, or $2,000,000, is spent on maintenance activities such as patching. You believe if the team were to rewrite the application in a modern programming language using a serverless technology approach the team could lower maintenance activities from 80% to 30%.  This means that the maintenance costs would decrease from $2 million to $750K each year.  Therefore, you can build a financial case that leadership fund a $1.25 million initiative to rewrite the application in a more supportable language and environment, which will pay for itself at the end of the second year.  No, I didn't get my math wrong -- don't forget that you're still paying the old costs while developing the new system.) Now if you just did a lift and shift to AWS and ran the servers on EC-2 or ECS, then you still have to patch the instance operating systems, middle ware, and software -- all of which is a non-value add.  This means that you won’t reduce the maintenance activities from 80% to 30%.  Don't waste developer time on these expensive transition activities; you're not going to come out ahead.  Now let’s instead look at how to make that maintenance go away by switching to a serverless approach.  Imagine if the organization rewrote the VMware application to run on either: A third party hosted SaaS platform such as Salesforce or Office 365 or A serverless AWS application consisting of Amazon S3 buckets to handle front-end code, an Amazon API Gateway to make REST API calls to endpoints, AWS Lambda to run code to retrieve information from a Database, and Dynamo DB to store data by the application This new software shift to a serverless architecture means you no longer have to worry about patching operating systems or middleware.  It also means developers don’t spend time fixing misconfigurations and vulnerabilities at the operating system or middleware level.  This means you made the software more secure and gave the developers more time to write new software features which can impact the business profitability.  This serverless approach truly is better and more secure.  There’s a great story from Capital One you can look up in our show notes that discusses how they moved from EC-2 Servers to Lambda for their Credit Offers Application Interface.  The executive summary states that the switch to serverless resulted in 70% performance gains, 90% cost savings, and increased team velocity by 30% since time was not spent patching, fixing, and taking care of servers.  Capital One uses this newfound developer time to innovate, create, and expand on business requirements.  So, if you want to make cheaper, faster, and better software, then focus on reducing maintenance activities that don’t add value to the business. Let's recap.  World class CISOs create a world class software development organization.  They do this by focusing on cheaper, faster, and better software. To perform this function CISOs increase productivity from developers by creating documentation that teaches developers how to build software the right way as well as creating a training program that promotes secure coding practices.  World Class CISOs increase the convenience to developers by bringing high-confidence vulnerability lists to developers which means time savings in not weeding out false positives.  Developers live in Source Code Repositories such as GitHub or GitLab, not the ten different software security tools that security organizations police.  World Class CISOs remove waste by performing value stream exercises to lean out processes and make it easier for developers to be more efficient.  Finally, World Class CISOs make software better by changing the legacy architecture with expensive maintenance activities to something that is a winnable game.  These CISOs partner with the business to focus on finding systems that when re-architected to become serverless increase performance gains, promote cost savings, and increase developer velocity. We appreciate your time listening to today’s episode.  If this sparks a new idea in your head. please write it down, share it on LinkedIn and tag CISO Tradecraft in the comment.  We would love to see how you are taking these cyber lessons into your organization to make better software for all of us. Thanks again for listening to CISO Tradecraft.  This is G. Mark Hardy, and until next time, stay safe out there. References  Galpin, T.J. (1996).  The Human Side of Change: A Practical Guide to Organization Redesign.  Jossey-Bass  Ponemon Institute and IBM. (2017) The State of Vulnerability Management in the Cloud and On-Premises 

Monday Aug 29, 2022

How do you become a Cyber Security Expert? Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert.  As always, please follow us on LinkedIn, and subscribe to our podcasts. As a security leader, part of your role is to develop your people.  That may not be written anywhere in your job description and will probably never be on a formal interview or evaluation, but after years of being entrusted with leadership positions, I have learned what differentiates true leaders from those who just accomplish a great deal is the making of the effort to develop your people. Now, you may have heard the phrase, "take care of your people," but I'll take issue with that.  I take care of my dog.  I take care of a family member who is sick, injured, or incapacitated.  Why?  Because they are not capable of performing all of life's requirements on their own.  For the most part, your people can do this.  If you are constantly doing things for people who could have otherwise done it themselves, you run the risk of creating learned helplessness syndrome.  People, and even animals, can become conditioned to not do what they otherwise could do out of a belief that someone else will do it for them.  I am NOT going to get political here, so don't worry about that.  Rather, I want to point out that effective leaders develop their people so that they may become independent actors and eventually become effective leaders themselves.  In my opinion, you should measure your success by the promotion rate of the people entrusted to you, not by your own personal career advancement or financial success. That brings me to the subject of today's podcast -- how do you counsel and mentor others on how to become a cyber security expert?  If you are listening to this podcast, there's a very good chance that you already are an expert in our field, but if not, keep listening and imagine that you are mentoring yourself, because these lessons can apply to you without having seek out a mentor.  Some people figure it out, and when asked their secret, they're like Bill Murray in the movie Stripes, "We trained ourselves, sir!"  But most of the time, career mastery involves learning from a number of others. Today on CISO Tradecraft we are going to analyze the question, " How do you become a Cyber Security Expert?"  I'm going to address this topic as if I were addressing someone in search of an answer.  Don't tune out early because you feel you've already accomplished this.  Keep listening so you can get a sense of what more you could be doing for your direct reports and any proteges you may have. Let’s start at the beginning.  Imagine being a high school kid with absolutely zero work experience (other than maybe a paper route -- do kids still do that?)  You see someone that tells you they have a cool job where they get paid to ethically hack into computers.  Later on, you meet a second person that says they make really good money stopping bad actors from breaking into banks.  Somehow these ideas stick into your brain, and you start to say to yourself, you know both of those jobs sound pretty cool.  You begin to see yourself having a career in Cyber Security.  You definitely prefer it to jobs that require a lot of manual labor and start at a low pay.  So, you start thinking, "how I can gain the skills necessary to land a dream job in cyber security that also pays well?" At CISO Tradecraft we believe that there are really four building blocks that create subject matter experts in most jobs.  The four building blocks are: Getting an education Getting certifications Getting relevant job experience, and Building your personal brand So, let’s explore these in detail. Number 1:  Getting an education.  When most people think about getting an education after high school, they usually talk about getting an associate's or a bachelor's degree.  If you were to look at most Chief Information Security Officers, you will see the majority of them earn a bachelor’s degree in Computer Science, an Information Systems or Technology degree from a college of business such as a BS in Management of Information Systems (MIS) or Computer Information Systems, or more recently a related discipline such as a degree in Cyber Security. An associate degree is a great start for many, particularly if you don't have the money to pay for a four-year university degree right out of high school.  Tuition and debt can rack up pretty quickly, leaving some students deeply in debt, and for some, that huge bill is a non-starter.  Fortunately, community colleges offer quality educational opportunities at very competitive rates relative to four-year degree institutions.  For example, Baltimore County Community College charges $122 per credit hour for in-county residents.  A couple of miles away, Johns Hopkins University charges $2,016 per credit hour.  Now, that's a HUGE difference -- over 16 times if you do the math.  Now, Hopkins does have some wonderful facilities and excellent faculty, but when it comes to first- and second-year undergraduate studies, is the quality and content of the education THAT different?  Well, that's up to you to decide. The important take-away is, no one should decide NOT to pursue a cybersecurity education because of lack of money.  You can get started at any age on an associate degree, and that may give you enough to go on to get your first job.  However, if you want to continue on to bachelor's degree, don't give up.  Later I'll explain about a program that has been around since 2000 and has provided over 3,300 students with scholarships AND job placement after graduation. Back to those going directly for a bachelor's degree.  Now, the good news is that your chosen profession is likely to pay quite well, so not only are you likely to be able to pay off the investment you make in your education, but it will return dividends many times that which you paid, for the rest of your career.  Think of financing a degree like financing a house.  In exchange for your monthly mortgage payment, you get to enjoy a roof over your head and anything else you do with your home.  As a cybersecurity professional, in exchange for your monthly student loan payment, you get to earn well-above average incomes relative to your non-security peers, and hopefully enjoy a rewarding career.  And, like the right house, the value of your career should increase over time making your investment in your own education one of your best performing assets. Does this mean that you 100% need a bachelor’s degree to get a job in cyber?  No, it does not.  There are plenty of cyber professionals that speak at Blackhat and DEF CON who have never obtained a college degree.  However, if ten applicants are going for an extremely competitive job and only seven of the ten applicants have a college degree in IT or Cyber, you shouldn’t be surprised when HR shortens the list of qualified applicants to only the top five applicants all having college degrees.  It may not be fair, but it’s common.  Plus, a U.S. Census Bureau study showed that folks who have a bachelor's degree make half a million dollars more over a career than those with an associate degree, and 1.6 times what a high school diploma holder may earn over a lifetime.  So, if you want more career opportunities and want to monetize your future, get past that HR checkbox that looks for a 4-year degree. Now, some people (usually those who don't want to do academic work) will say that a formal education isn't necessary for success.  After all, Bill Gates and Mark Zuckerberg were college dropouts, and they're both worth billions.  True, but that's a false argument that there's a cause-and-effect relationship there.  Both were undergraduates at Harvard University when they developed their business ideas.  So, if someone wants to assert a degree isn't necessary, counter with you'll agree once they are accepted into Harvard, and they produce a viable business plan as a teenager while attending classes. You see, completing four years of education in a field of study proves a few things.  I've interviewed candidates that said they took all of the computer science and cybersecurity courses they wanted and didn't feel a need to "waste time" with fuzzy studies such as history and English composition.  Okay, I'll accept that that person had a more focused education.  But consider the precedent here.  When a course looked uninteresting or difficult, that candidate just passed on the opportunity.  In the world of jobs and careers, there are going to be tasks that are uninteresting or difficult, and no one wants to do them, but they have to get done.  As a boss, do you want someone who has shown the pe  d completed it with an A (or maybe even a B), or do you want someone who passed when the going got a little rough?  The business world isn't academia where you're free to pick and choose whether to complete requirements.  Stuff has to get done, and someone who has a modified form of learned helplessness will most likely not follow through when that boring task comes due.   Remember I said I was going to tell you how to deal with the unfortunate situation where a prospective student doesn't have enough money to pay for college?  There are a couple of ways to meet that challenge.  It’s time to talk to your rich uncle about paying for college.  That uncle is Uncle Sam.  Uncle Sam can easily finance your college so you can earn your degrees in Cyber Security.  However, Uncle Sam will want you to work for the government in return for paying for your education.  Two example scholarships that you could look into are the Reserve Officer Training Corps (ROTC) and Scholarship for Service (SFS).  ROTC is an officer accession program offered at more than 1,700 colleges and universities   across the United States to prepare young adults to become officers in the U.S. Military.  For scholarship students, ROTC pays 100% of tuition, fees, books, and a modest stipend for living expenses.  A successful degree program can qualify an Army second lieutenant for a Military Occupation Specialty (or MOS) such as a 17A Cyber Operations Officer, a 17B Cyber and Electronic Warfare Officer, or a 17D Cyber Capabilities Development Officer, a great start to a cybersecurity career. For the Navy, a graduating Ensign may commission as an 1810 Cryptologic Warfare Officer, 1820 Information Professional Officer, 1830 Intelligence Officer, or an 1840 Cyber Warfare Engineer.  The Navy uses designators rather than MOS's to delineate career patterns.  These designators have changed significantly over the last dozen years and may continue to evolve.  The Marine Corps has a 1702 cyberspace officer MOS.  Note that the Navy and the Marine Corps share a commissioning source in NROTC (Navy ROTC), and unlike the Army that has over 1,000 schools that participate in AROTC and the Air Force that has 1,100 associated universities in 145 detachments, there are only 63 Navy ROTC units or consortiums, although cross-town affiliates include nearly one hundred more colleges and universities. There are a lot of details that pertain to ROTC, and if you're serious about entering upon a military officer career, it's well worth the time and effort to do your research.  Not all ROTC students receive a scholarship; some receive military instruction throughout their four years and are offered a commission upon graduation.  Three- and four-year scholarship students incur a military obligation at the beginning of sophomore year, two-year scholarship students at the beginning of junior year, and one-year scholarship students at the start of senior year.  The military obligation today is eight years, usually the first four of which are on active duty; the rest may be completed in the reserves.  If you flunk out of school, you are rewarded with an enlistment rather than a commission.  These numbers were different when I was in ROTC, and they may have changed since this podcast was recorded, so make sure you get the latest information to make an informed decision. What if you want to serve your country but you're not inclined to serve in the military, or have some medical condition that may keep you from vigorous physical activity, or had engaged in recreational chemical use or other youthful indiscretions that may have disqualified you from further ROTC consideration?  There is another program worth investigating.   The National Science Foundation provides educational grants through the Scholarship For Service program or SFS for short.  SFS is a government scholarship that will pay up to 3 years of costs for undergraduate and even graduate (MS or PhD) educational degree programs.  It's understood that government agencies do not have the flexibility to match private sector salaries in cyber security.  However, by offering scholarships up front, qualified professionals may choose to stay in government service; hence SFS continues as a sourcing engine for Federal employees.  Unlike ROTC, a participant in SFS will incur an obligation to work in a non-DoD branch of the Federal government for a duration equal to the number of years of scholarship provided. In addition to tuition and education-related fees, undergraduate scholarship recipients receive $25,000 in annual academic stipends, while graduate students receive $34,000 per year.  In addition, an additional $6,000 is provided for certifications, and even travel to the SFS Job Fair in Washington DC. That job fair is an interesting affair.  I was honored to be the keynote speaker at the SFS job fair back in 2008.  I saw entities and agencies of the Federal government that I didn't even know existed, but they all had a cybersecurity requirement, and they all were actively hiring.  SFS students qualify for "excepted service" appointments, which means they can be hired through an expedited process.  These have been virtual the last couple of years due to COVID-19 but expect in-person events to resume in the future. I wrote a recommendation for a young lady whom I've known since she was born (her mom is a childhood friend of mine), and as an electrical engineering student in her sophomore year, she was selected for a two-year SFS scholarship.  A good way to make mom and dad happy knowing they're not going to be working until 80 to pay off their kid's education bills. In exchange for a two-year scholarship, SFS will usually require a student to complete a summer internship between the first and second years of school and then work two years in a government agency after graduation.  The biggest benefit to the Scholarship for Service is you can work at a variety of places.  So, if your dream is to be a nation state hacker for the NSA, CIA, or the FBI then this offers a great chance of getting in.  These three-letter agencies heavily recruit from these programs.  As I mentioned, there are a lot of other agencies as well.  You could find work at the State Department, Department of Health and Human Services, the Department of Education, the Federal Reserve Board, and I think I remember the United States Agency for International Development (USAID).  Federal executive agencies, Congress, interstate agencies, and even state, local, or tribal governments can satisfy the service requirement.  So, you can get paid to go to college and have a rewarding job in the government that builds a nice background for your career. How would you put all this together?  I spent nine years as an advisor to the National CyberWatch Center.  Founded as CyberWatch I in 2005, it started as a Washington D.C. and Mid-Atlantic regional effort to increase the quantity and quality of the information assurance workforce.  In 2009, we received a National Science Foundation award and grants that allowed the program to go nationwide.  Today, over 370 colleges and universities are in the program.  So why the history lesson? What we did was align curriculum between two-year colleges and four-year universities, such that a student who took the designated courses in an associate degree program would have 100% of those credits transfer to the four-year university.  That is HUGE.  Without getting into the boring details, schools would certify to the Committee on National Security Systems (CNSS) (formerly known as the National Security Telecommunications and Information Systems Security Committee or NSTISSC) national training standard for INFOSEC professionals known as NSTISSI 4011.  Now with the help of an SFS scholarship, a student with little to no financial resources can earn an associate degree locally, proceed to a bachelor's degree from a respected university, have a guaranteed job coming out of school, and HAVE NO STUDENT DEBT.  Parents, are you listening carefully?  Successfully following that advice can save $100,000 and place your child on course for success. OK, so let’s fast forward 3 years and say that you are getting closer to finishing a degree in Cyber Security or Computer Science.  Is there anything else that you can do while performing a summer internship?    That brings us to our second building block.  Getting certifications.   Number Two:  Getting a Certification  Earning certifications are another key step to demonstrate that you have technical skills in cyber security.  Usually, technology changes rapidly.  That means that universities typically don’t provide specialized training in Windows 11, Oracle Databases, Amazon Web Services, or the latest programming language.  Thus, while you may come out of a computer science degree with knowledge on how to write C++ and JavaScript, there are a lot of skills that you often lack to be quite knowledgeable in the workforce.  Additionally, most colleges teach only the free version of software.  In class you don’t expect to learn how to deploy Antivirus software to thousands of endpoints from a vendor that would be in a Gartner Magic quadrant, yet that is exactly what you might encounter in the workplace.  So, let’s look at some certifications that can help you establish your expertise as a cyber professional.  We usually recommend entry level certifications from CompTIA as a great starting point.  CompTIA has some good certifications that can teach you the basics in technology.  For example: CompTIA A+ can teach you how to work an IT Help Desk.  CompTIA Network+ can teach you about troubleshooting, configuring, and managing networks CompTIA Linux+ can help you learn how to perform as a system administrator supporting Linux Systems CompTIA Server+ ensures you have the skills to work in data centers as well as on-premises or hybrid environments. Remember it’s really hard to protect a technology that you know nothing about so these are easy ways to get great experience in a technology.  If you want a certification such as these from CompTIA, we recommend going to a bookstore such as Amazon, buying the official study guidebook, and setting a goal to read every day.  Once you have read the official study guide go and buy a set of practice exam questions from a site like Whiz Labs or Udemy.  Note this usually retails for about $10.  So far this represents a total cost of about $50 ($40 dollars to buy a book and $10 to buy practice exams.)  For that small investment, you can gain the knowledge base to pass a certification.  You just need to pay for the exam and meet eligibility requirements. Now after you get a good grasp of important technologies such as Servers, Networks, and Operating Systems, we recommend adding several types of certifications to your resume.  The first is a certification in the Cloud.  One notable example of that is AWS Certified Solutions Architect - Associate.  Note you can find solution architect certifications from Azure and GCP, but AWS is the most popular cloud provider, so we recommend starting there.  Learning how the cloud works is extremely important.  Chances are you will be asked to defend it and you need to understand what an EC-2 server is, types of storage to make backups, and how to provide proper access control.  So, spend the time and get certified.  One course author who provides a great course is Adrian Cantrill.  You can find his course link for AWS Solutions Architect in our show notes or by visiting  The course costs $40 and has some of the best diagrams you will ever see in IT.  Once again go through a course like this and supplement with practice exam questions before going for the official certification. The last type of certifications we will mention is an entry cyber security certification.  We usually see college students pick up a Security+ or Certified Ethical Hacker as a foundation to establish their knowledge in cyber security.  Now the one thing that you really gain out of Security+ is a list of technical terms and concepts in cyber security.  You need to be able to understand the difference between Access Control, Authentication, and Authorization if you are to consult with a developer on what is needed before allowing access to a site.  These types of certifications will help you to speak fluently as a cyber professional.  That means you get more job offers, better opportunities, and interesting work.  It’s next to impossible to establish yourself as a cyber expert if you don’t even understand the technical jargon correctly. Number Three:  Getting Relevant Job Experience OK, so you have a college degree and an IT certification or two. What's next?  At this point in time, you are eligible for most entry level jobs.  So, let’s find interesting work in Cyber Security.  If you are looking for jobs in cyber security, there are two places we recommend.  The first is LinkedIn.  Almost all companies post there and there’s a wealth of opportunities.  Build out an interesting profile and look professional.  Then apply, apply, apply.  It will take a while to find the role you want.  Also post that you are looking for opportunities and need help finding your first role.  You will be surprised at how helpful the cyber community is.  Here's a pro tip:  add some hashtags with your post to increase its visibility. Another interesting place to consider is your local government.  The government spends a lot of time investing in their employees.  So go there, work a few years, and gain valuable experience.  You can start by going to your local government webpage such as USAJobs.Gov  and search for the Career Codes that map to cyber security.  For example, search using the keyword “2210” to find the job family of Information Technology Management where most cyber security opportunities can be found.  If you find that you get one of these government jobs, be sure to look into college repayment programs.  Most government jobs will help you pay off student loans, finance master's degrees in Cyber Security, or pay for your certifications.  It’s a great win-win to learn the trade. Once you get into an organization and begin working your first job out of college, you then generally get one big opportunity to set the direction of your career.  What type of cyber professional do you want to be?  Usually, we see most Cyber Careerists fall into one of three basic paths.   Offensive Security Defensive Security Security Auditing The reason these three are the most common is they have the largest amount of job opportunities.  So, from a pure numbers game it’s likely where you are to spend the bulk of your career.  Although we do recommend cross training.  Mike Miller who is the vCISO for Appalachia Technologies put out a great LinkedIn post on this where he goes into more detail.  Note we have a link to it in our show notes.  Here’s some of our own thoughts on these three common cyber pathways: Offensive Security is for those that like to find vulnerabilities in things before the bad guys do.  It’s fun to learn how to hack and take jobs in penetration testing and the red team.  Usually if you choose this career, you will spend time learning offensive tools like Nmap, Kali Linux, Metasploit, Burp Suite, and others.  You need to know how technology works, common flaws such as the OWASP Top Ten web application security risks, and how to find those vulnerabilities in technology.  Once you do, there's a lot of interesting work awaiting.  Note if these roles interest you then try to obtain the Offensive Security Certified Professional (OSCP) certification to gain relevant skill sets that you can use at work. Defensive Security is for the protectors.  These are the people who work in the Security Operations Center (SOC) or Incident Response Teams.  They look for anomalies, intrusions, and signals across the whole IT network.  If something is wrong, they need to find it and identify how to fix it.  Similar to Offensive Security professionals they need to understand technology, but they differ in the types of tools they need to look at.  You can find a defender looking at logs.  Logs can come from an Intrusion Detection System, a Firewall, a SIEM, Antivirus, Data Loss Prevention Tools, an EDR, and many other sources.  Defenders will become an expert in one of these tools that needs to be constantly monitored.  Note if you are interested in these types of opportunities look for cyber certifications such as the MITRE ATT&CK Defender (MAD) or SANS GIAC Certified Incident Handler GCIH to gain relevant expertise. Security Auditing is a third common discipline.  Usually reporting to the Governance, Risk, and Compliance organization, this role is usually the least technical.  This discipline is about understanding a relevant standard or regulation and making sure the organization follows the intent of the standard/regulation.  You will spend a lot of time learning the standards, policies, and best practices of an industry.  You will perform risk assessments and third-party reviews to understand how we certify as an industry.  If you would like to learn about the information systems auditing process, governance and management of IT systems, business processes such as Disaster Recovery and Business Continuity Management, and compliance activities, then we recommend obtaining the Certified Information Systems Auditor (CISA) certification from ISACA.   Ok, so you have a degree, you have certifications, you are in a promising job role, WHAT’s Next?  If you want to really become an expert, we recommend you focus on… Number Four: Building your personal brand.   Essentially find a way to give back to the industry by blogging, writing open-source software, creating a podcast, building cybersecurity tutorials, creating YouTube videos, or presenting a lecture topic to your local OWASP chapter on cyber security.  Every time you do you will get smarter on a subject.  Imagine spending three hours a week reading books in cyber security.  If you did that for ten years, think of how many books you could read and how much smarter you would become.  Now as you share that knowledge with others two things happen:   People begin to recognize you as an industry expert.  You will get invited to opportunities to connect with other smart people which allows you to become even smarter.  If you spend your time listening to smart people and reading their works, it rubs off.  You will absorb knowledge from them that will spark new ideas and increase your understanding The second thing is when you present your ideas to others you often get feedback.  Sometimes you learn that you are actually misunderstanding something.  Other times you get different viewpoints.  Yes, this works in the financial sector, but it doesn’t work in the government sector or in the university setting.  This feedback also helps you become smarter as you understand more angles of approaching a problem. Trust us, the greatest minds in cyber spend a lot of time researching, learning, and teaching others.  They all know G Mark's law, which I wrote nearly twenty years ago:  "Half of what you know about security will be obsolete in eighteen months." OK so let’s recap a bit.  If you want to become an expert in something, then you should do four things. 1) Get a college education so that you have the greatest amount of opportunities open to you, 2) get certifications to build up your technical knowledge base, 3) find relevant job experiences that allow you to grow your skill sets, and 4) finally share what you know and build your personal brand.  All of these make you smarter and will help you become a cyber expert.   Thanks again for listening to us at CISO Tradecraft.  We wish you the best on your journey as you Learn to Earn.  If you enjoyed the show, tell one person about it this week.  It could be your child, a friend looking to get into cyber security, or even a coworker.  We would love to help more people and we need your help to reach a larger audience.  This is your host, G. Mark Hardy, and thanks again for listening and stay safe out there. References:  

Monday Aug 22, 2022

Show Notes Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to offer tips and tools for briefing your executive leadership team, including the four major topics that you need to cover.  As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. Imagine you have been in your role as the Chief Information Security Officer for a while and it is now time to perform your annual brief to the Executive Leadership Team.  What should you talk about?  How do you give high level strategic presentations in a way that provides value to executives like the CEO, the CIO, the CFO, and the Chief Legal Officer? Story about Kim Jones at Vantiv – things have changed Let's first talk about how you make someone satisfied -- in this case your executives. Fredrick Herzberg (1923-2000) introduced Motivator-Hygiene theory, which was somewhat like Maslow's hierarchy of needs, but focused more on work, not life in general. What a hygiene factor basically means is people will be dissatisfied if something is NOT there but won't be motivated if that thing IS there, e.g., toilet paper in employee bathroom. Or, said more concisely, satisfaction and dissatisfaction are not opposites.  The opposite of Satisfaction is No Satisfaction.  The opposite of Dissatisfaction is No Dissatisfaction. According to Herzberg, the factors leading to job satisfaction are "separate and distinct from those that lead to job dissatisfaction." For example, if you have a hostile work environment, giving someone a promotion will not make him or her satisfied. So, what makes someone satisfied or dissatisfied? Factors for Satisfaction Achievement Recognition The work itself Responsibility Advancement Growth Factors for Dissatisfaction Company policies Supervision Relationship with supervisor and peers Work conditions Salary Status Security So, what will make a board member satisfied?  Today, cyber security IS a board-level concern.  In the past, IT really was only an issue if something didn't work right – a hygiene problem.  If we learn from Herzberg, we may not be able to make the board satisfied with the state of IT security, but we can try to ensure they are not dissatisfied.  Hopefully you now have context for what might otherwise be considered splitting hairs on terminology – essentially, we want our executive audience to not think negatively of your IT security program and how you lead it. Remember, boards of directors generally come from a non-IT backgrounds .  According to the 2021 U.S. Spencer Stuart Board Index, of the nearly 500 independent directors who joined S&P 500 boards in 2021, less than 4% have experience leading cybersecurity, IT, software engineering, or data analytics teams.  And that 4% is mostly confined to tech-centric companies or businesses facing regulatory scrutiny. So, there is essentially a mismatch between a board member's background and a CISO's background.  That extends to your choice of language and terminology as well.  Never go geeky with your executives – unless you have the rare situation where your entire leadership team are all IT savvy.  Otherwise, you will tune them out by talking about bits and bytes and packets and statistics. Instead, communicate by telling stories – show how other companies in similar industries have encountered security issues and what they did about them (either successfully or unsuccessfully).  Show how your cybersecurity initiatives and efforts reduce multiple forms of risk:  financial risk, reputational risk, regulatory risk, legal risk, operational risk, and strategic risk.  You can show that the threat landscape has changed – nation states and organized crime has supplanted lone hackers and disgruntled employees as the major threats  .  Regulatory environment changes such as the California Consumer Privacy Act (CCPA) and ultimately the follow-on legislation from 49 other states will impact strategic business planning.  Show your board how to avoid running afoul of these emerging requirements.  And, of course, there is the ever-present threat of ransomware, which has evolved from denial-of-access attacks to loss of customer and internal data confidentiality.  That threat requires top-level policy and response plans in advance of an incident -- it's too late to be making things up as you go along. Now, before we go into the Four Major Topics executives need to hear (after all, that's what I promised at the beginning of the show), let's ask, "Why are we briefing executives on our cyber program?"  Any company that is publicly traded falls under the scope of the Securities and Exchange Commission or SEC. The SEC has published Cybersecurity Guidance that offers suggestions for investment companies and investment advisors.  They recommend investment firms "create a strategy that is designed to prevent, detect, and respond to cybersecurity threats". The creation of a security strategy and education of employees on the strategy is at the core of what CISOs do.  So, a translation of the SEC's guidance is to hire a CISO, have that individual create and execute a cybersecurity strategy.  In fact, the SEC's quote above calls out three of the Five Functions of the NIST Cybersecurity Framework which are: (1) identify, (2) protect (prevent), (3) detect, (4) respond, and (5) recover. Our second question is, how often should we be updating the Executive leadership team?  Since the SEC requires companies to disclose risks in their 10-K statements on a yearly basis then you should be briefing cyber updates to the Executive Leadership team at least on an annual basis.  We recommend quarterly or semi-annual updates to give more touch points on important topics.  You can draw parallels to quarterly financial statements. Let's say the Risk Committee chaired by the CEO has agreed to hear the status of the Cyber Program twice a year.  What should we brief the executive leadership team? Let's look at what's required by law. The State of New York requires financial services organizations to follow New York Department of Financial Services (NYDFS) regulations.  Section 500.04 provides additional information about CISOs.  It states: Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, "Chief Information Security Officer" or "CISO"). The regulations also state: The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity's cybersecurity program. The CISO shall report on the Covered Entity's cybersecurity program and material cybersecurity risks. These types of requirements aren't confined to Wall Street.  The Bermuda Monetary Authority requires insurance companies to follow their Cyber Risk Management Code of Conduct.  It states that: The board of directors and senior management team must have oversight of cyber risks. The board of directors must approve a cyber risk policy document at least on an annual basis. So, both the State of New York and the Bermuda Monetary Authority want CISOs to provide risk management and perform at least yearly reporting on material cyber security risks.  Many more regulatory bodies do; these are just offered as examples. If you are going to function effectively as a leader, you should find some way to create a win-win from most any situation.  You likely have a regulatory requirement to brief your board or leadership on a periodic basis.  That's fine.  But have you ever asked yourself, what do I want in return? Hmm. What you want is for your board to set the security culture from the top.  Boards hold senior leadership (think C-level executives) accountable, and you want the board to ensure the CEO makes cybersecurity a priority for the organization.  ISO 27001 has a nice tool – the Information Security Management System (ISMS) Policy Statement – which is senior leadership's declaration of the importance of cybersecurity within the organization. One example I found is that of GS1 India, a standards organization that helps Indian industry align with global best practices.  Their ISMS Policy statement begins with: The Management of GS1 India recognizes the importance of developing and implementing an Information Security Management System (ISMS) and considers security of information and related assets as fundamental for the successful business operation. Therefore, GS1 India is committed towards securing the Confidentiality, Integrity, and availability of information for the day-to-day business and operations. If you can get a formal declaration of support from the top, your job is going to be a whole lot better.  Otherwise, you might just end up being the Chief Scapegoat Officer. Now let's define the four things that an executive leadership team should hear from their security leader that will convey the message that you have a handle on your scope of authority and are executing your responsibilities correctly.  Those four focuses are: Cyber Risks and Responses Cyber Metrics A Cyber Roadmap that Identifies High Profile Programs and Projects Cyber Maturity Assessment Let's dig in.  With respect to "cyber risks and responses," create a slide for executives that shows the top cyber risks.  Examples may include things like ransomware, business email compromise, phishing attacks, supply chain attacks, third party compromise, and data privacy issues. As a practical matter when briefing cyber risks, never just share a risk and walk away.  Executives hate that.  Be sure to talk about what you are doing as a CISO to mitigate this risk.  Usually in Risk Meetings executives look for a few things about any risk. What is it? What is the likelihood of it to occur? What is the impact if it does occur? What are we doing about it? How much does it cost to fix? However, this isn't a risk approval meeting where we need to go into that level of detail.  So, let's keep our cyber risk reporting at an executive level by identifying our top three to five material risks and showing our cyber responses to each risk. For example, if you believe phishing is your number one cyber risk, then highlight it and talk about how you have created a phishing education program that lowers click rates and increases phishing reporting to the Cyber Incident Response Team.  When phishing attacks are reported, your team has a Service Level Agreement (SLA) to respond to phishing reports within four hours to minimize any potential harm.  You can also highlight that your organization also has email protection tools in place such as Proofpoint that stopped thousands of phishing attacks during the last quarter. In summary you are acknowledging that your company has Cyber Risks which can harm the organization.  You are protecting the organization the best you can given the resources available to your team.  If someone doesn't like your four-hour SLA, then you might offer up that you could decrease the response time to a one-hour SLA if you had one additional headcount.  This creates a business decision to give you additional headcount, which is a great discussion to have. Once you have talked about the top three to five risks your organization faces, we recommend talking about key metrics to measure the Cyber Program.  You could call these the metrics that matter.  Essentially, they are tactical metrics that you measure month to month because they show risks that could result in major cyber-attacks.  Our favorite place for metrics that matter is the OWASP Threat and Safeguard Matrix or TaSM (pronounced like Tasmanian Devil).  Please note we have a link to it in our show notes.  Please, please, please read about the OWASP Threat and Safeguard Matrix.  It's a short five-minute read, and you will be glad that you did. What does the Threat and Safeguard Matrix teach us about cyber metrics?  It says all good metrics show a status, a trend, and a goal. Status shows where we are right now Trends show if the project, program, or company is getting better or worse Goals show the end state so we know when we are done and if we should be happy with our current progress The OWASP Threat and Safeguard Matrix then categorizes cyber metrics into four major areas:  technology, people, process, and environment. Technology-based metrics show things like how fast we are patching devices and how well are our servers and laptops configured.  Think about it, if you have servers that are internet-facing which are not patched then it's just a matter of time until bad actors will cause your company (and you) a really bad day.  This isn't something that you can wait on.  So, your organization needs to continually track progress and burn these numbers down as quickly as possible.  So, let's do something about it.  Start by looking at your company's security policy that defines the patch timelines for high and critical vulnerabilities.  It might say something such as we require critical vulnerabilities to be patched in 15 days and high vulnerabilities to be patched in 30 days.  From that security policy you create a Service Level Agreement for the IT department to meet.  So, you measure the percentage of your servers that have zero high and critical vulnerabilities greater than that 15 or 30-day window.  Yeah, it's going to look terrible in the beginning when your IT department shows that only 30% of its servers are patched according to the enterprise service level agreements.  But transparency brings reform.  When the CIO sees that these metrics are routinely being briefed to the CEO and executive leadership team, then things will change.  The CIO will say "not on my watch" and usually lead the IT team to make the changes needed to improve patching. Another metric category we see from the OWASP TaSM is People.  When we think about cyber threats to people we usually think about phishing.  So, during your monthly phishing exercises record your click rates and your reporting rates.  Since each phishing exercise is different you should benchmark your organization against other organizations who took the same phishing exercise.  You can say we had 5% click-through compared to our industry vertical that scored 7%.  If you are doing better than your peers, then you can show you are following best practices and meeting the legal term of due care.  These metrics might lower your cyber insurance costs.  These metrics could also be extremely helpful if your company were sued as a result of a data breach that begin with successful phishing attacks.  So, measure them each month and make good progress. The third metric category is Process-based metrics.  Here you can monitor things like your third-party risks by looking at your processes that track how many of your third parties pass a review, have active ISO 27001 or SOC 2 Type 2 reports, and have recently passed penetration tests.  Another process you might look at is what percentage of your critical applications performed adequately during both a Disaster Recovery exercise and a Business Continuity Plan exercise.  These metrics are helpful during Sarbanes-Oxley (SOX) attestations and other regulatory reviews. The fourth and last metric category defined by the OWASP TaSM is Environment-based metrics.  This refers to things outside of your organization that you don't control.  Even though you don't control them they can have a substantial impact on your organization.  You can think of countries passing new cyber or data privacy laws, regulators asking for new information and compliance activities, and malicious actors and fraudsters taking interest in your company all as examples of environment-based factors.  Please don't confuse environmental factors with saving the Earth.  This is not the context you are looking for.  Environment metrics could be used to show how many legitimate phishing attacks your organization stopped when someone reported a phishing attack, and the Incident Response Team confirmed it wasn't a false positive.  Note these are actual phishing attacks not phishing exercises.  This is an important metric because it shows that despite email protection tools in place, things got passed it.  If you notice a 500% increase in confirmed phishing attacks you might need to buy additional tooling to interdict them.  Another metric you might look at is how many reported help-desk tickets your organization responded to that were caused by a cyber incident.  These types of metrics can help inform management just how big the malicious attacker threat is and can be used by you to justify additional resources. Well, that's a good overview on Cyber Metrics that you can look at each month, but we still have two more categories to go over in our cyber update.  Remember if you want to learn more on cyber metrics, please look at the OWASP Threat and Safeguard Matrix. The third broad category of slides to include in your board deck is A Cyber Roadmap that Identifies High Profile Programs and Projects.  Executives want to see the big picture on how you are evolving the program.  So, show them a roadmap that says over the next three years here is the big picture. For example, in 2022 we are focusing on improving ransomware defenses by enhancing our backup and data recovery process.  We will also improve our ability to prevent malware execution in our environment by adding new Windows group policies. In 2023, we will shift our focus towards improving our website security.  We will be launching a bug bounty program that allows smart and ethical hackers to find vulnerabilities in our websites before malicious actors do.  We will be upgrading our Web Application Firewall after we finish our three-year contract with our current vendor.  We will also be adding a botnet protection tool to our internet-facing websites given the recent attacks we have been experiencing. In 2024, we will then shift our focus to improving our software development process.  We will be purchasing a tool to gamify secure software development amongst developers.  This should lower the cost of vulnerability management.  We will also be building custom courses in house that teach developers our company's requirements to build, test, and retire applications correctly. When you present this type of Cyber Roadmap you might show a single slide with a Gantt chart view of when high profile projects occur with the executive summary of the points previously mentioned. The last major category is a Cyber Maturity Assessment.  Essentially you want something that independently measures the effectiveness of the entire Cyber Program.  For example, many organizations use the NIST Cybersecurity Framework, ISO 27001, the FFIEC Cyber Assessment Tool, or HiTrust to benchmark their program.  Consider hiring an independent auditing company to measure your organization's security maturity.  You will get something that says here's the top fifteen domains of cyber security.  Today, on a scale of one to five, your organization measures between a two and four on most of the domains.  Most companies in your same industry benchmark are at a level three compliance so you are currently underperforming vs your peers in four domains.  You can take that independent assessment and say we really want to improve all level two scoring opportunities to be at least a three.  This can be something you show in a spider graph or radar chart.  You can show the top five activities needed to improve these measurements and provide timelines for when those will be fixed.  This shows the executive leadership team that security is never perfect, how you benchmark against your peers, and provides them with the same confidence that they would get from an audit to confirm you are working effectively. So, let's summarize. We talked about Herzberg's hygiene factors, things that aren't perceived as satisfactory when present but are dissatisfactory when absent.  Remember, satisfaction and dissatisfaction are not opposites.  The opposite of dissatisfaction is no dissatisfaction. That helps us understand that when briefing management, we will not be able to delight them with the overall state of our cybersecurity program, but we can cause them not to worry about it.  Focus on risk reduction, and how your program is helping your organization work toward that goal. We talked about why we need to brief management and how often.  Different regulations require executive teams to articulate a cybersecurity strategy and empower the appropriate individuals to execute it.  In addition, most rules require at least annual security briefings; you may want to strive for more frequent meetings to keep your leadership team well-informed. Your goal is to have your board set the security culture from the top and hold C-level executives accountable for funding and maintaining cybersecurity initiatives. We covered the four things you should include in your executive briefings:  cyber risks and responses, cyber metrics, a cyber roadmap that identifies high-profile programs and projects, and a cyber maturity assessment. By addressing risk in multiple forms, showing that you can measure and track your progress toward your security goals, that you have a solid plan for the next couple of years, and that you can demonstrate your maturity relative to peer companies, you will go a long way toward keeping your board happy, or more precisely, not unhappy. Lastly, don't forget to look up the OWASP TaSM model.  It's a really useful tool for mapping threat categories to the NIST cybersecurity framework and showing where you may have gaps in your program (represented by blank cells in the matrix.)  The link to that is in our show notes. Well, we hope that you have enjoyed today's episode on Updating the Executive Leadership team on the Cyber Program and we thank you again for listening to us at CISO Tradecraft.  Please leave us a review (hopefully five stars) if you enjoyed this podcast and share us with your peers on LinkedIn.  We would love to help others with their cyber tradecraft. Thanks again and until next time, stay safe.   References 

Monday Aug 15, 2022

On this episode you can hear the tale of three conferences.  Listen and learn about the history of BSides, Black Hat, and DEF CON.  Learn what makes these conferences special and enjoy some of the untold history of each conference.  

Monday Aug 08, 2022

A CISO’s Guide to Pentesting References    **************************** Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting.  As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.   Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand.   What is it Where are good places to order it What should I look for in a penetration testing provider What does a penetration testing provider need to provide What’s changing on this going forward First of all, let's talk about what a pentest is NOT.  It is not a simple vulnerability scan.  That's something you can do yourself with any number of publicly available tools.  However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest.  Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte?   Now let’s start with providing a definition of a penetration test.  According to Wikipedia a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system.  It’s really designed to show weaknesses in a system that can be exploited.  Let’s think of things we want to test.  It can be a website, an API, a mobile application, an endpoint, a firewall, etc.  There’s really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm.  You need to focus on high likelihood and impact because professional penetration tests are not cheap.  Usually, they will usually cost between $10,000-$30,000 but if you have a complex system, it’s not unheard of to go up to $100,000.  As a CISO you need to be able to defend this expenditure of resources.  So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significant Application or SOX applications once per year.   My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest.  Sometimes clients want just a vulnerability scan, or sometimes an external scan of vulnerabilities to identify risk, or sometimes a compromise assessment where a tester has access to a workstation and tries to work laterally, or sometimes a red team where a tester acts like a threat actor and tries to bypass controls, or a collaborative effort involving both red teams and blue teams to document gaps and to help defenders do their job better.  He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies."   Please do not confuse a penetration test with a Red Team exercise.  A red team exercise just wants to accomplish an objective like steal data from an application.  A penetration test wants to enumerate vulnerabilities in a scoped target system so the developer can patch and remediate.  It’s a subtle difference but consider that a red team only needs to find one vulnerability to declare success, whereas a penetration test keeps going to help identify potentially exploitable vulnerabilities.  Now, is a pentest about finding ALL vulnerabilities?  I would say no – there are vulnerabilities that might require a disproportionate amount of resources to exploit for little or no value – something with a CVSS score of 4.0 or the like.  Those can often be left unpatched without consequence – the cost of remediating may exceed the value of the risk avoided.  There really is a “good enough” standard of risk, and that is called “acceptable risk.”  So, when scoping a pentest or reviewing results, make sure that any findings are both relevant and make economic sense to remediate.   Let’s take the example that you want to perform a web application pentest on your public website so you can fix the vulnerabilities before the bad actors find them.  The first question you should consider is do you want an internal or an external penetration test.  Well, the classic answer of "it depends" is appropriate.  If this website is something of a service that you are selling to other companies, then chances are those companies are going to ask you for things like an ISO 27001 certification or SOC 2 Type 2 Report and both of those standards require, you guessed it, a penetration Test.  In this case your company would be expected to document a pentest performed by an external provider.  Now if your company has a website that is selling direct to a consumer, then chances are you don’t have the same level of requirement for an external pentest.  So, you may be able to just perform an internal penetration test performed by your company’s employees.   I'd be remiss if I didn't mention the Center for Internet Security Critical Controls, formerly know as the SANS Top 20.  The current version, eight, has 18 controls that are listed in order of importance, and they include pentesting.  What is the priority of pentesting, you may ask?  #18 of 18 -- dead last.  Now, that doesn't mean pentests are not valuable, or not useful, or even not important.  What it does mean is that pentests come at the end of building your security framework and implementing controls.  Starting with a pentest makes no sense IMHO, although compliance-oriented organizations probably do this more often than they should.  That approach makes the pen testers job one of filtering through noise -- there are probably a TON of vulnerabilities and weaknesses that should have been remediated in advance and could have been with very little effort.  Think of a pentest as a final exam if you will.  Otherwise, it's an expensive way to populate your security to-do list.   OK let’s say we want to have an external penetration test and we have the 10-30K on hand to pay an external vendor.  Remember this, a penetration test is only as good as the conductor of the penetration test.  Cyber is a very unregulated industry which means it can be tricky to know who is qualified.  Compare this to the medical industry.  If you go to a hospital, you will generally get referred to a Medical Doctor or Physician.  This is usually someone who has a degree such as a MD or DO which proves their competency.  They will also have a license from the state to practice medicine legally.  Contrast this to the cyber security industry.  There is no requirement for a degree to practice Cyber in the workforce.  Also, there is no license issued by the state to practice cyber or develop software applications.  Therefore, you need to look for relevant Cyber certifications to demonstrate competency to perform a Penetration Test.  There’s a number of penetration testing certifications such as the Certified Ethical Hacker or CEH, Global Information Assurance Certification or GIAC GPEN or GWAP, and the Offensive Security Certified Professional or OSCP.   We strongly recommend anyone performing an actual penetration test have an OSCP.  This certification is difficult to pass.  A cyber professional must be able to perform an actual penetration test and produce a detailed report to get the actual certification.  This is exactly what you want in a pentester, which is why we are big fans of this certification.  This certification is a lot more complicated than remembering a bunch of textbook answers and filling in a multiple-choice test.  Do yourself a favor and ask for individuals performing penetration tests at your company to possess this certification.  It may mean your penetration tests cost more, but it’s a really good way to set a bar of qualified folks who can perform quality penetration tests to secure your company.   Now you have money, and you know you want to look for penetration tests from companies that have skilled cyber professionals with years of experience and an OSCP.  What companies should you look at?  Usually, we see three types of penetration testing companies.  Companies that use their existing auditors to perform penetration tests – firms like KPMG, EY, PWC, or Deloitte (The Big 4 1/2).  This is expensive but it’s easy to get them approved since most large companies already have contracts with at least one of these companies.  The second type of company that we see are large penetration testing companies.  Companies like Bishop Fox, Black Hills Information Security, NCC Group, and TrustedSec, focus largely on penetration testing and don't extend into other areas like financial auditing.  They have at least 50+ penetration testers with experience from places like the CIA, NSA, and other large tech companies.  Note they are often highly acclaimed so there is often a waitlist of a few months before you can get added as a new client.  Finally, there are boutique shops that specialize in particular areas.  For example, you might want to hire a company that specializes in testing mobile applications, Salesforce environments, embedded devices, or APIs.  This is a more specialized skill and a bit harder to find so you have to find a relevant vendor.  Remember if someone can pass the OSCP it means they know how to test and usually have a background in Web Application Penetration testing.  Attacking a Web application means being an expert in using a tool like Burp Suite to look for OWASP Top 10 attacks like SQL injection or Cross Site Scripting.  This is a very different set of skills from someone who can hack a Vehicle Controller Area Network (CAN) bus or John Deere Tractor that requires reverse engineering and C++ coding.   Once you pick your vendor and successfully negotiate a master license agreement be sure to check that you are continuing to get the talent you expect.  It’s common for the first penetration test to have skilled testers but over time to have a vendor replace staff with cheaper labor who might not have the OSCP or same level of experience that you expect.  Don’t let this happen to your company and review the labor and contract requirements in a recurring fashion.   Alright, let’s imagine you have a highly skilled vendor who meets these requirements.  How should they perform a penetration test?  Well, if you are looking for a quality penetration testing guide, we recommend following the one used by Google.  Google, whose parent company is called Alphabet, has publicly shared their penetration testing guidelines and we have attached a link to it in our show notes.  It’s a great read so please take a look.  Now Google recommends that a good penetration test report should clearly follow an assessment methodology during the assessment.  Usually, penetration testers will follow an industry recognized standard like the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, the OWASP Firmware Security Testing Guide, the PCI DSS Penetration Testing Guide, The Penetration Testing Execution Standard, or the OSSTMM which stands for The Open Source Security Testing Methodology Manual.  These assessment methodologies can be used to show that extensive evaluation was done, and a multitude of steps/attacks were carried out.  They can also standardize the documentation of findings.  Here you will want a list showing risk severity level, impact from a business/technical perspective, clear concise steps to reproduce the finding, screenshots showing evidence of the finding, and recommendations on how to resolve the finding.  This will allow you to build a quality penetration test that you can reuse in an organization to improve your understanding of technical risks.     If I can get good penetration tests today, perhaps we should think about how penetration testing is changing in the future?  The answer is automation.  Now we have had automated vulnerability management tools for decades.  But please don’t think that running a Dynamic Application Security Testing Tool or DAST such as Web Inspect is the same thing as performing a full penetration test.  A penetration test usually takes about a month of work from a trained professional which is quite different from a 30-minute scan.  As a cyber industry we are starting to see innovative Penetration Testing companies build out Continuous and Automated Penetration Testing tooling.  Examples of this include Bishop Fox’s Cosmos, Pentera’s Automated Security Validation Platform, and Stage 2 Security Voodoo and Mage tooling.  Each of these companies are producing some really interesting tools and we think they will be a strong complement to penetration tests performed by actual teams.  This means that companies can perform more tests on more applications.  The other major advantage with these tools is repeatability.  Usually, a penetration test is a point in time assessment.  For example, once a year you schedule a penetration test on your application.  That means if a month later if you make changes, updates, or patches to your application then there can easily be new vulnerabilities introduced which were never assessed by your penetration test.  So having a continuous solution to identify common vulnerabilities is important because you always want to find your vulnerabilities first before bad actors.   Here’s one final tip.  Don’t rely on a single penetration testing company.  Remember we discussed that a penetration testing company is only as good as the tester and the toolbox.  So, try changing out the company who tests the same application each year.  For example, perhaps you have contracts with Bishop Fox, Stage 2 Security, and Black Hill Information Security where each company performs a number of penetration tests for your company each year.  You can alternate which company scans which application.  Therefore, have Bishop Fox perform a pentest of your public website in 2022, then Stage 2 Security test it in 2023, then Black Hills test it in 2024.  Every penetration tester looks for something different and they will bring different skills to the test.  If you leverage this methodology of changing penetration testing vendors each cycle, then you will get more findings which allows you to remediate and lower risk.  It allows you to know if a penetration testing vendor’s pricing is out of the norm.  You can cancel or renegotiate one contract if a penetration testing vendor wants to double their prices.  And watch the news -- even security companies have problems, and if a firm's best pentesters all leave to join a startup, that loss of talent may impact the quality of your report.   Thank you for listening to CISO Tradecraft, and we hope you have found this episode valuable in your security leadership journey.  As always, we encourage you to follow us on LinkedIn, and help us out by letting your podcast provider know you value this show.  This is your host, G. Mark Hardy, and until next time, stay safe.

Monday Aug 01, 2022

I've been a fan of Sean Heritage for years when I first discovered his blog, "Connecting the Dots."  Today I have the privilege to listen to his thoughts on cybersecurity careers in both the military and the "real world," how to prioritize your life, what careers goals you should (and should NOT) aim for, and the importance of great leadership.   Book reference: Connecting the Dots:  Deliberate Observations and Leadership Musings About Everyday Life

Copyright 2022 All rights reserved.

Podcast Powered By Podbean