CISO Tradecraft®
Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2024, National Security Corporation. All Rights Reserved
Episodes
Saturday Jul 03, 2021
This episode of CISO Tradecraft is all about IPv6, featuring Joe Klein. IPv6 is becoming the dominant protocol on the Internet, and CISOs should understand the implications of how their enterprise is potentially vulnerable to attacks that may come from that vector, as well as be aware of defenses that may originate from an effective IPv6 deployment. This broadcast will cover the business cases for IPv6, the technical differences between IPv4 and IPv6, and the security implications of implementing this protocol correctly and incorrectly.
Friday Jun 25, 2021
On this episode of CISO Tradecraft, you can learn how to build an Application Security program.
Start with Key Questions for
Security
IT Operations
Application Development/Engineering Groups
Identify Key Activities
Asset Discovery
Asset Risk Prioritization
Mapping Assets Against Compliance Requirements
Setting up a Communications Plan
Perform Application Security Testing Activities
SAST
DAST
Vulnerability Scanners
Software Composition Analysis
Secrets Scanning
Cloud Security Scanning
Measure and Improve Current Vulnerability Posture through metrics
The number of vulnerabilities present in an application
The time to fix vulnerabilities
The remediation rate of vulnerabilities
The time vulnerabilities remain open
Defect Density - number of vulnerabilities per server
We also recommend reading the Microsoft Security Developer Life Cycle Practices Link
For more great ideas on setting up an application security program please read this amazing guide from WhiteHat Security Link
If you would like to improve cloud security scanning by automating Infrastructure as Code checks, then please check out Indeni CloudRail Link
Friday Jun 18, 2021
What is measured gets done. However, before you measure, you need to think about how best to measure. On this episode of CISO Tradecraft, we provide you with new insights into optimizing the metrics that matter.
What is a Metric?
Metrics drive outcomes. Before picking a metric consider the following:
What data is required?
What stories can it tell?
What questions does it invite?
How sustainable is it?
When you report metrics highlight three things:
Status or Measure - Where is your company right now?
Trends - What direction is your company headed?
Goals - A description of where your company wants to be
Goals or Metrics should be SMART:
Specific, Measurable, Achievable, Realistic, and Time-based
For a helpful list of metrics that you might consider please check out the following list from Security Scorecard Link
Thank you again to our sponsor CyberArk, please check out their CISO Reports.
Friday Jun 11, 2021
On this episode of CISO Tradecraft, you can learn the 10 steps to Incident Response Planning:
Establish a Cyber Incident Response Team
Develop a 24/7 Contact list for Response Personnel
Compile Key Documentation of Business-Critical Networks and Systems
Identify Response Partners and Establish Mutual Assistance Agreements
Develop Technical Response Procedures for Incident Handling that your team can follow:
External Media - An alert identifies someone plugged in a removable USB or external device
Attrition - An alert identifies brute force techniques used to compromise systems, networks, or applications. (Example: attackers trying thousands of passwords on login pages)
Web - A Web Application Firewall alert shows attacks carried out against your website or web-based application
Email - A user reports phishing attacks with a malicious link or attachment
Impersonation - An attack that inserts malicious processes into something benign (Example: a rogue access point found on company property)
Improper Usage - An attack stemming from a user's violation of IT policies. (Example: an employee installs file sharing software on a company laptop)
Physical Loss - Loss or theft of a physical device (Example: an employee loses their luggage containing a company laptop)
Classify the Severity of the Cyber Incident
Develop Strategic Communication Procedures
Develop Legal Response Procedures
Obtain CEO or Senior Executive Buy-In and Sign-off
Exercise the Plan, Train Staff, and Update the Plan Regularly
To learn more about Incident Response Planning, CISO Tradecraft recommends reading this helpful document from the American Public Power Association
If you would like to automate security reviews of infrastructure-as-code, then please check out Indeni CloudRail Link
Friday Jun 04, 2021
Special Thanks to our podcast Sponsor, CyberArk.
Experienced CISOs know that it's not a matter of if, but when. Incidents happen, and there is an established response strategy nicknamed PICERL that works:
(P)reparation
(I)dentification
(C)ontainment
(E)radication
(R)ecovery
(L)essons Learned
If we "shift left" with our incident planning, we can minimize our organizational risk -- thorough preparation, including establishing an environment of least privilege, significantly increases the challenge for an attacker, buys us time to identify early, and limits the damage potential from an incident.
This episode features Bryan Murphy, the Incident Response team leader at CyberArk. His insights from managing dozens of responses are invaluable, and they are now yours through this special episode.
Friday May 28, 2021
On this episode of CISO Tradecraft, you can learn about the new Executive Order on Improving the Nation's Cyber Security. The episode provides a brief background on three security incidents which have influenced the Biden administration:
SolarWinds
Microsoft Exchange Servers
Colonial Pipeline Attack
The episode then overviews the various sections of the new Executive Order:
Policy
Removing Barriers to Sharing Threat Information
Modernizing Federal Government Cybersecurity
Enhancing Software Supply Chain Security
Establish a Cyber Safety Review Board
Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Improving the Federal Government’s Investigative and Remediation Capabilities
National Security Systems
Thanks to CyberArk for sponsoring this episode. Please check out CyberArk's new conference.
Friday May 21, 2021
This episode is sponsored by Indeni.
On this episode of CISO Tradecraft, G Mark Hardy discusses with Yoni Leitersdorf (CEO and CISO of Indeni) the risks which can occur in a cloud environment after it has been provisioned. It is quite common for organizations to change their cloud environment away from what was declared in a Terraform or CloudFormation script. These unapproved cloud changes, known as Cloud Drift, often create harmful misconfigurations and have the potential to cause data loss events.
The podcast discusses the pros and cons of two key approaches to solve the Cloud Drift problem:
Static Security Testing in a build pipeline
Runtime Inventory Approaches
The podcast features Yoni Leitersdorf. Yoni founded a company (Indeni) to address Cloud Drift and discusses the business point of view of why this is a critical concern for the business. If you would like to learn more about what Yoni is working on please check out Indeni
Yoni Leitersdorf can also be found on: LinkedIn
Twitter
Friday May 14, 2021
Identity is the New Perimeter. On this episode of CISO Tradecraft you will increase your understanding of Identity and Access Management. Key topics include:
Audit Trail
Authentication
Authorization
Identity Compromise
Least Privilege
Microsegmentation
Multi Factor Authentication (MFA)
Privileged Access/Account Management (PAM)
Role Based Access Control (RBAC)
Single Sign On (SSO)
Saturday May 08, 2021
Have you ever heard a vendor claim that their software has features such as Artificial Intelligence (AI) or Machine Learning (ML)? What does that mean? On this episode we answer those questions so you know when vendors are full of it.
Common reasons to use Artificial Intelligence
Types of Artificial Intelligence
What Machine Learning is
How Machine Learning works
How to select the right algorithm
References
How to Select Machine Learning Algorithms
ML Algorithm Cheat Sheet
63 Machine Learning Algorithms
Saturday May 01, 2021
Today, CISO Tradecraft hosts a 5 minute discussion to talk about reflection. The concept is Roses, Buds, and Thorns. It’s an exercise designed to identify opportunities to make positive change.
Roses - What's working
Buds - What are new ideas
Thorns - What do we need to stop
If you would like to learn more please check out the article from MITRE
We would love to hear your feedback here.
Thank you, CISO Tradecraft
Friday Apr 23, 2021
On this episode of CISO Tradecraft we dive into the world of blockchain. As a CISO you may be expected to explain to executives what the technology does and possibly how it works. Here's your briefing to make you successful. We'll cover:
History of money and birth of bitcoin
Why blockchain uniquely solves an age-old trust problem
Potential business uses of blockchain technology
Smart contracts and why they work
Blockchain variants such as private and permissioned
https://www.cisotradecraft.com
Friday Apr 16, 2021
This episode of CISO Tradecraft continues the Ransomware discussion. Do you slay the dragon (avoid the ransom) or save the princess (recover your files)?
Talking points include:
Background on Ransomware
What if we choose to pay a ransom?
Is the Ransomware on the sanctions list?
Negotiation/Payments
Involving Law Enforcement
Involving Legal Counsel
Dealing with Cryptocurrencies
Thursday Apr 08, 2021
Would you like to know more about Ransomware? On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide an in-depth discussion on Ransomware. Key discussions include:
What is ransomware?
Why does it work?
Ransomware Types (Client-Side, Server-Side, & Hybrid)
How each of these enter a target environment
Ransomware Incidents
The Economics of Ransomware
How is Ransomware Evolving?
Why Ransomware continues to work :(
Ethical Issues to consider before paying
Ransomware Defenses
Please subscribe to the CISO Tradecraft LinkedIn Group to get even more great content.
CISA Ransomware Guide Link
Friday Apr 02, 2021
If there's one place that knows how Advanced Persistent Threat (APT) actors work, it's the National Security Agency (NSA). On this episode of CISO Tradecraft G Mark Hardy and Ross Young discuss NSA's Top Ten Cybersecurity Mitigation Strategies and how to use them to secure your company.
Since the mitigation strategies are ranked by effectiveness against known APT tactics, they can be used to set the priorities for organizations to minimize mission impact from cyber attacks.
Update and Upgrade Software Immediately
Defend Privileges and Accounts
Enforce Signed Software Execution Policies
Exercise a System Recovery Plan
Actively Manage Systems & Configurations
Continuously Hunt for Network Intrusions
Leverage Modern Hardware Security Features
Segregate Networks using Application-Aware Defenses
Integrate Threat Reputation Services
Transition to Multi-Factor Authentication
Link to NSA's Material
Friday Mar 26, 2021
Would you like to know the best practices in modern software development? On this episode G Mark Hardy and Ross Young overview the 12 Factor App and its best practices:
Codebase: One codebase tracked in revision control with many deploys.
Dependencies: Explicitly declare and isolate dependencies.
Config: Store configurations in the environment.
Backing Services: Treat backing services as attached resources.
Build, Release, Run: Strictly separate build and run stages.
Processes: Execute the app as one or more stateless processes.
Port Binding: Export services via port binding.
Concurrency: Scale out via the process model.
Disposability: Maximize robustness with fast startups and graceful shutdowns.
Dev/Prod parity: Keep development, staging, and production as similar as possible.
Logs: Treat logs as event streams.
Admin Processes: Run admin/management tasks as one-off processes.
This episode of CISO Tradecraft also discusses important software development concepts such as Extreme Programming, Lean Product Development, and User Centered Design methodologies. To learn more about these important concepts please look at the Pivotal Process.
Friday Mar 19, 2021
This special episode features Mark Egan (former CIO of Symantec as well as VMware). Mark discusses what he looks for during interviews with CISOs, what executives need to demonstrate during their first 90 days to be successful, and how he helps the next generation of cyber professionals at Merritt College.
Three Questions to ask during any interview:
What do you like best about this role?
What are the most challenging pieces of this role?
What does success look like for this role one year into the future?
Five Step Plan for New CISOs:
Start with an assessment of the current “As-Is” IT architecture
Perform Business Requirements Analysis (What are the strategic objectives, tactical issues, and business environment).
Design of the Future “To Be” IT architecture (application architecture, organization architecture, network architecture, infrastructure architecture)
Gap Analysis = (Future - Present). This is the most important step as you need to determine a good list of alternatives for management. Talk to consultants and peers in other companies to see how you can come up with a wide range of solutions.
Options to Bridge the Gaps = (Cost, Time, & Business Environment). Present management with alternative approaches for transforming the organization. Remember to speak in business terms and specify ways that align with business objectives. In terms of cyber, this might be ensuring financially significant applications don't suffer operational disruption, protecting revenue and brand by securing internet facing applications, meeting compliance and regulatory concerns, etc.
Merritt College Overview Link
Volunteer to Help Merritt College Link
Contact Merritt College Link
Mark Egan LinkedIn Profile Link
Friday Mar 12, 2021
Would you actually like to learn about what Zero Trust is without a bunch of marketing jargon? On this week's episode G Mark Hardy and Ross Young provide a thoughtful discussion on Zero Trust from NIST and Microsoft:
Microsoft's Zero Trust Principles
Verify Explicitly
Use Least Privileged Access
Assume Breach
NIST 800-207 Seven Tenets of Zero Trust
All data sources and computing services are considered resources
All communication is secured regardless of network location
Access to individual enterprise resources is granted on a per-session basis
Access to resources is determined by dynamic policy
The enterprise monitors and measures the integrity and security posture of all owned and associated assets
All resource authentication and authorization are dynamic and strictly enforced before access is allowed
The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communication and uses it to improve its security posture
Six Foundational Elements of Zero Trust
Identities
Devices
Applications
Data
Infrastructure
Networks
Friday Mar 05, 2021
Every leader needs to know how to lead and manage a team. On this episode G Mark Hardy and Ross Young share tradecraft on team building.
Pitfalls of team building, such as trying to be the hero
Organizational Maturity Models (Levels 1-5)
Tuckman Teaming Model (Forming, Storming, Norming, and Performing)
Leadership Styles (Telling, Selling, Participating, & Delegating)
Aligning your Team and Regaining former employees
Friday Feb 26, 2021
Having the ability to inspire confidence is crucial to lead others and allows you the opportunity to gain access to executive roles. On this episode G Mark Hardy and Ross Young discuss executive presence:
What is it
Why you need it
How to get it
We will discuss Gerry Valentine's 7 key steps to building your executive presence:
Have a vision, and articulate it well
Understand how others experience you
Build your communication skills
Become an excellent listener
Cultivate your network and build political savvy
Learn to operate effectively under stress
Make sure your appearance isn't a distraction
Friday Feb 19, 2021
If you use email, this episode is for you. Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education).
These three tools all involve placing simple entries in your DNS records. To work effectively, the recipient also needs to be checking those entries. They are:
SPF = Sender Policy Framework; designates which IP address(es) or mail server(s) are valid senders for your domain. For example: v=spf1 include:spf.protection.outlook.com
DKIM = DomainKeys Identified Mail; advertises a public key that recipients can use to validate that mail was signed with the corresponding private key. For example: v=DKIM1; k=rsa; p=0123456789ABCDEF…
DMARC = Domain-based Message Authentication, Reporting, and Conformance; establishes the policy of what a recipient should do when a message fails the SPF or DKIM check. For example: v=DMARC1; p=quarantine
Check your settings at MXToolbox
Learn DMARC Link
Implementing these protections requires a small amount of work but can yield outsized benefits. In addition to allowing recipients of your mail to validate SPF, DKIM, and DMARC, ensure your incoming mail is checked for conformance as well, labeling, quarantining, or rejecting any that fail.
Lastly, blocking top-level domains (TLDs) with which you do not do business can significantly improve your security by short-circuiting many ransomware, command-and-control, and malware URLs, which will be unable to resolve through your DNS. Get the latest list from IANA.
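As an added example (not code from the episode or its references), the following Python parses the three record types described above, flags the settings that leave a domain weakly protected, and shows the receiver-side DMARC decision for a single message. The records are constructed samples rather than live DNS lookups, the DKIM key is a truncated placeholder, and the disposition logic ignores the pct= tag and subdomain policies for brevity.

```python
# Constructed sample records (not live DNS lookups), keyed by the DNS name they
# would be published at. The DKIM public key is a truncated placeholder.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
}


def parse_tags(record):
    """Split 'tag=value; tag=value' text (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_spf(record):
    """Return the sender mechanisms and the qualifier on the closing 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            # '-all' = fail, '~all' = softfail, '?all' = neutral, bare or '+all' = pass
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def audit_records(spf, dkim, dmarc):
    """Return findings for settings that leave the domain weakly protected."""
    findings = []
    s = parse_spf(spf)
    if s["all"] is None:
        findings.append("SPF: no 'all' term, so unlisted senders get a neutral result")
    elif s["all"] == "+":
        findings.append("SPF: '+all' authorises every host on the internet")
    d = parse_tags(dkim)
    if d.get("v") != "DKIM1" or not d.get("p"):
        findings.append("DKIM: no public key (p=), so signatures cannot be verified")
    m = parse_tags(dmarc)
    if m.get("v") != "DMARC1" or "p" not in m:
        findings.append("DMARC: missing v=DMARC1 or p= tag, so receivers ignore it")
    elif m["p"] == "none":
        findings.append("DMARC: p=none only monitors; failing mail is still delivered")
    if "rua" not in m:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def dmarc_disposition(dmarc, spf_pass, dkim_pass):
    """Receiver decision for one message: deliver if either aligned check
    (SPF or DKIM, aligned with the From: domain) passes, else apply p=."""
    policy = parse_tags(dmarc).get("p", "none")
    if spf_pass or dkim_pass:
        return "deliver"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS["example.com"],
                                 SAMPLE_RECORDS["selector1._domainkey.example.com"],
                                 SAMPLE_RECORDS["_dmarc.example.com"]):
        print(finding)
    # A message failing both checks under p=quarantine lands in spam/quarantine
    print(dmarc_disposition(SAMPLE_RECORDS["_dmarc.example.com"], False, False))
```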
Great Background Reading from Australian Signals Directorate Link
Email Authenticity 101 Link
Friday Feb 12, 2021
The Australian Cyber Security Centre (ACSC) believes that not all cyber security controls are created equal. They have assessed various strategies to mitigate cyber security incidents and determined that eight essential controls safeguard an organization more than any other. These controls, commonly known as "The Essential Eight", are highly recommended.
Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Patch applications (e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers). Patch/mitigate computers with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest version of applications.
Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Strategies to mitigate cyber incidents Link
Strategies to mitigate cyber incidents poster Link
Essential Eight Maturity Model Link
Friday Feb 05, 2021
As a CISO, one of the key functions you will be responsible for is IT Governance. On this episode we discuss what the intent is for a wide variety of cybersecurity documentation that you can leverage, influence, and enforce.
Examples include:
Policies
Control Objectives
Standards
Guidelines
Controls
Procedures
...
Helpful visual from ComplianceForge which shows how various documentation standards can be integrated Link
Friday Jan 29, 2021
At some point in time, a CISO will need to purchase new security technology. Whether it's antivirus, firewalls, or SIEMs, you need to understand how to choose a product that will benefit your organization for years to come. This podcast discusses 5 different techniques that CISOs can apply to help with product selection.
Perform Market Research to learn the players
Gartner Magic Quadrant
Forrester Wave
Leverage Vendor Comparison Tools to spot the features
Mitre ATT&CK Evaluation
AV-Comparatives
MoSCoW Method (Must Have, Should Have, Could Have, & Will not Have)
Pugh Matrix
Use Predictive Analysis tools to see the trends
Google Trends
OpenHub.Net
Stack Overflow
DB-Engines
Apply Problem Framing to understand the limitations and politics
Define the Problem: List the current problem you are facing.
State the Intended Objective: Identify the goal the organization is trying to achieve so that there is consensus on when the original problem has been solved.
Understand the Status Quo: If you take no action, does the current problem get worse, get better, or remain the same?
List any Implied Solutions: List early solutions that appear to address the initial problem. These solutions will likely come from your direct boss, who has a certain way of doing things.
Identify the Gap - The gap is roughly the difference between the intended objective and the status quo. Essentially this is the opportunity cost your organization must weigh when comparing this against other problems in the organization.
Identify the Trap - For each of the implied solutions, imagine how you might build the product or service as directed and still not achieve the intended objective.
Explore Alternatives - Are there other solutions that avoid the traps or gaps of the problem and have not been previously evaluated?
Execute an Analytical Hierarchy Process (AHP) to remove bias
AHP is a structured process that helps remove politics or bias from decision-making. It relies on creating relative weights among decision criteria, and possibly decomposing those into sub-criteria, resulting in a weighted formula for all inputs. Those become the equation that is used to evaluate alternatives; each alternative is scored on its sub-criteria and then summed up by relative weight, resulting in a relative scoring based on numeric analysis. For example, selecting a new product might involve evaluating three major criteria: cost, functionality, and maintenance. These are ranked pairwise on a relative scale of 1x-9x. For this example, cost is twice as important as maintenance; functionality is twice as important as maintenance; cost is equally important to functionality. From that comes a 40% - 40% - 20% ranking (all must sum to 100%). Next, sub-criteria may be identified and weighted, e.g., initial cost is 1/3 the importance of ongoing cost. Thus, the 40% global weighting for cost would consist of a local weighting of 1 part initial cost [25%] to 3 parts ongoing cost [75%] (1:3 ratio). So, initial cost becomes 25% of the 40% for total cost = 10% of the overall decision, and ongoing cost becomes 75% of the 40% for total cost = 30% of the overall decision. This may be repeated for other criteria at as many levels deep as desired, resulting in an overall weighting of input criteria based on simple pairwise comparisons. Each candidate choice is then scored for each criterion on a selected scale (e.g., Option A scores 4 of 10 for initial cost, Option B scores 8 of 10 for initial cost), and the weighted products are summed for a final score.
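As an added example (not code from the episode or its references), the AHP calculation above carried through in Python: it derives the 40/40/20 criterion weights and the 25/75 cost split from the pairwise judgements, multiplies them into global weights, scores two candidate products, and adds Saaty's consistency ratio so you can tell when a set of pairwise judgements contradicts itself. The geometric-mean priority method and the consistency check are standard AHP steps the notes do not mention; all scores other than Option A's 4/10 initial cost are constructed.

```python
import math

# Saaty's random consistency index by matrix size, used for the consistency ratio.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}


def pairwise_matrix(names, judgements):
    """Build the reciprocal comparison matrix from one-sided judgements.

    judgements maps (a, b) -> how many times more important a is than b on the
    1-9 scale; the reverse cell is filled with 1/ratio and unstated pairs are 1."""
    index = {name: i for i, name in enumerate(names)}
    matrix = [[1.0] * len(names) for _ in names]
    for (a, b), ratio in judgements.items():
        matrix[index[a]][index[b]] = float(ratio)
        matrix[index[b]][index[a]] = 1.0 / ratio
    return matrix


def priorities(matrix):
    """Priority weights via the row geometric mean, normalised to sum to 1."""
    n = len(matrix)
    gmeans = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gmeans)
    return [g / total for g in gmeans]


def consistency_ratio(matrix):
    """CR = ((lambda_max - n) / (n - 1)) / RI; above 0.10 the judgements conflict."""
    n = len(matrix)
    if n < 3:
        return 0.0
    w = priorities(matrix)
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]


def global_weights(criteria, judgements, sub_criteria):
    """Multiply each criterion's weight by its sub-criteria's local weights.

    sub_criteria maps criterion -> (sub names, sub judgements); a criterion
    without sub-criteria keeps its top-level weight under its own name."""
    top = dict(zip(criteria, priorities(pairwise_matrix(criteria, judgements))))
    weights = {}
    for crit, weight in top.items():
        if crit in sub_criteria:
            names, subj = sub_criteria[crit]
            for name, local in zip(names, priorities(pairwise_matrix(names, subj))):
                weights[name] = weight * local
        else:
            weights[crit] = weight
    return weights


def score_alternatives(weights, scores):
    """scores maps option -> {criterion: score}; returns the weighted sum per option."""
    return {opt: sum(weights[c] * s for c, s in sc.items()) for opt, sc in scores.items()}


# The episode's example: cost and functionality each twice as important as
# maintenance, cost equal to functionality; initial cost 1/3 of ongoing cost.
CRITERIA = ["cost", "functionality", "maintenance"]
JUDGEMENTS = {("cost", "functionality"): 1, ("cost", "maintenance"): 2,
              ("functionality", "maintenance"): 2}
SUB_CRITERIA = {"cost": (["initial cost", "ongoing cost"],
                         {("ongoing cost", "initial cost"): 3})}
# Constructed 0-10 scores; only Option A's 4/10 initial cost comes from the notes.
SCORES = {
    "Option A": {"initial cost": 4, "ongoing cost": 7, "functionality": 9, "maintenance": 5},
    "Option B": {"initial cost": 8, "ongoing cost": 5, "functionality": 6, "maintenance": 8},
}

if __name__ == "__main__":
    weights = global_weights(CRITERIA, JUDGEMENTS, SUB_CRITERIA)
    print({k: round(v, 3) for k, v in weights.items()})  # initial 0.1, ongoing 0.3, 0.4, 0.2
    print(score_alternatives(weights, SCORES))            # Option A 7.1, Option B 6.3
    print(round(consistency_ratio(pairwise_matrix(CRITERIA, JUDGEMENTS)), 3))  # 0.0
```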
References for Analytic Hierarchy Process (AHP):
Everyman's link
Shorter explanation link (pitches productized version)
Online calculator link
Expensive eBook
Not-so-expensive reference
Friday Jan 22, 2021
Have you ever wanted to become an executive, but didn’t know what skills to focus on? On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide guidance from the Office of Personnel Management (Chief Human Resources Agency and personnel policy manager for the US government). The podcast discusses the 6 Fundamental Competencies and the 5 Executive Core Qualifications required by all federal executives.
Fundamental Competencies:
Interpersonal Skills
Oral Communication
Integrity/Honesty
Written Communication
Continual Learning
Public Service Motivation
Executive Core Qualifications:
Leading Change
Leading People
Results Driven
Business Acumen
Building Coalitions
https://www.opm.gov/policy-data-oversight/senior-executive-service/executive-core-qualifications/#url=Overview
Friday Jan 15, 2021
Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security.
The three ways of DevOps consist of:
The First Way: Principles of Flow
The Second Way: Principles of Feedback
The Third Way: Principles of Continuous Learning
If you would like to learn more about the three ways of DevOps, G Mark Hardy and Ross Young invite you to read The Phoenix Project by Gene Kim.
https://www.amazon.com/Phoenix-Project-DevOps-Helping-Business/dp/0988262592