CISO Tradecraft®

When you first start a cybersecurity job, or hire someone into a cybersecurity job, there is a window of opportunity to see things with a new perspective.  In this episode, we’re privileged to share ideas with Rebecca Mossman, a successful cybersecurity leader who has led successfully a number of teams in her career.  We’ll examine relationships, stakeholders, setting priorities, communication, and knowing when to call something “done” and move on to the next task.

A Border Gateway Protocol (BGP) misconfiguration is what took out Facebook on 4 October.  Most IT folks don't understand how BGP works.  This episode helps you gain a better understanding of the protocol that creates routing tables to move information from one end of the Internet to the other.  We'll explain how Autonomous Systems (AS) share BGP route information, what should happen when things go right, and then examine what likely went wrong at Facebook and how you might be able to prepare for potential problems in advance before they occur.

This is a special treat.  On this episode of CISO Tradecraft you can hear Mark D. Rasch, JD, discuss legal and security topics that he's encountered in his more than 30 years of experience in cybersecurity law.  We look into ransomware, reportable breaches, the appropriateness (or lack thereof) of certain legal statues, and finish with some actionable advice for CISOs and security leaders that you really need to hear.

We've all suffered through horrible meetings that felt like a total waste of time.  As a security leader, you'll be convening your fair share of meetings with your staff.  Don't be "that boss" who can't run an effective meeting.  This episode shows ways you can ensure your meetings are both efficient and effective, result in actionable tasking, and keep people coming back for more because you showed respect for their time and their ideas.  And we even practice what we preach -- this episode ends early.
 
Harvard Meeting Cost Calculator Link
OSS Simple Sabotage Manual Link

In our 31 July 2021 Episode 42, Risky Business, we covered the basics of risk and risk assessment. This part 2 episode gets into the practical application of risk management using the FAIR model, or Factor Analysis of Information Risk. We explain key risk terminology and walk through examples of how to express risk using this model, as well as creating a meaningful way to explain to executives that is actionable.
 
Risk Matrix Example: Link
One Page FAIR Model: Link
Measuring & Managing Information Risk: Link
FAIR Wiki: Link

Have you ever faced a crisis?  How well did you do?  You should always want to improve your skills in case another happens.  On the 20th anniversary of 9/11, G. Mark Hardy shares some of his experiences as the on-scene commander for the military first responders at the World Trade Center, and expands that into a set of skills and attributes that you can cultivate to become a more effective crisis response leader in your role as a cybersecurity professional.
 
References:
5 Leadership Skills Link
How to Combat a Crisis Link
Manage a Crisis Link
Lessons in Crisis Leadership Link
Creative Leadership Guidebook Link
Financial Interest in Situations Link
G Mark Hardy Ground Zero Video 1 of 2 Link
G Mark Hardy Ground Zero Video 2 of 2 Link

Traditional risk models focus on calculating loss frequency and magnitude, but don't go far enough in terms of modeling the most important assets in our organization, known as "crown jewels." This episode of CISO Tradecraft is a fascinating interview with the CEO and founder of a startup focusing on crown jewel analysis -- Roselle Safran. We'll look into how making this a part of your portfolio helps put the "C" in CISO by showing your understanding of the business in which you work. We'll also extend our discussion to challenges faced by women in cybersecurity, and encouragement for women (and others) to enter our exciting profession.

Containers are a lightweight technology that allows applications to deploy to a number of different host Operating Systems without having to make any modifications at all to the code.  As a result, we're been seeing a big increase in the use of Docker, Kubernetes, and other tools deployed by enterprises.  In this episode, we'll cover the fundamentals of containers, Docker, orchestration tools such as Kubernetes, and provide you with knowledge to understand this environment, and maybe even tempt you to create your own container to test your skill.
Major links referenced in the show
Container Architecture Link
Kubernetes Diagrams Link
Kubernetes Glossary Link
Kubernetes Primer Link
Special Thanks to our podcast Sponsor, CyberGRX

Join CISO Tradecraft for a fascinating discussion on how to build cyber traps for the bad guys that really work.  By creating a deceptive environment that "booby-trap" your networks with fake services, enticing resources, and make-believe traffic, we can create a high-fidelity, low-noise intrusion sensor system -- no legitimate user would ever try these.  Improve your SOC efficiency by actively engaging with intruders rather than sifting through false positives.  There's a lot to learn here, and Kevin Fiscus offers a promise of more to come.  By listening to this episode you will learn:
What is cyber deception?
What problem does cyber deception solve?
How do cyber deception technologies work?
Why is deception more effective than other detection and response technologies?
If you would like to learn more about Cyber Deception, then be sure to check out these great resources:
Kevin’s YouTube channel, Take Back the Advantage Link
The Mitre Engage Matrix Link
SANS SEC 550 Link
Special Thanks to our podcast Sponsor, CyberGRX

Special Thanks to our podcast Sponsor, CyberGRX
On today’s episode, we bring in Scott Fairbrother to help tackle key questions with Third Party Risk Management:
How do you identify which vendors pose the highest risk to your business?
How do you see which vendor’s security controls protect against threats? 
How do you validate their risk profiles by scanning, dark web monitoring or other techniques to correlate what attackers are seeing and acting upon?
Do you have an understanding of how to improve risk mitigation in your third-party ecosystem?
Also please subscribe to to the CISO Tradecraft LinkedIn Page to get more relevant content

Cyber Threat Intelligence is an important part of an effective CISO arsenal, but many security leaders don’t fully understand how to optimize it for their benefit.  In this show, we examine why cyber threat intelligence is vital to fielding an effective defense, discuss the intelligence cycle, examine the four types of threat intelligence, and feature a special guest, Landon Winkelvoss of https://nisos.com, who has spent a career mastering this topic and shares a number of important insights you won’t want to miss.

In this episode, we take a deep dive into that four-letter word RISK. Risk is measurable uncertainty. As a component of Governance, Risk, and Compliance (GRC), risk management is an important part of a security leader's responsibility. Risk assessment is conducted for a number of reasons, and measuring risk is an important component of effectively overseeing our IT investments. We'll look at NIST and ISO standards for risk, and define the different types of risk assessments. And, because there is risk inherent in many endeavors, this episode will be continued in a part 2, because we didn't allow for the risk of running over with this much great information.

Being a CISO has been described as the "toughest job in the world."  It comes with a lot of stress, which can lead to early burnout as well as a number of health and relationship problems.  Well, we're going to tackle this elephant in the room and investigate some of the sources of stress and ways we can deal with it.
 
88% of CISOS report being "moderately or tremendously stressed"   We discuss eight everyday situations that can cause CISO stress, and then explore the way of Ikigai, Japanese for "reason for being."  The intersection of what you love, what you are good at, what the world needs, and what you can be paid for represents this ideal state.  Mihaly Csikszentmihalyi describes this as "flow," when work comes seemingly effortlessly because we are in alignment with our actions.  We'll also explore Dave Crenshaw's factors to being invaluable, which can help us better meet the demands of our job by being the best possible fit.
 
Tune in and gain some ideas on how to help yourself. and your staff, deal with stress.
 
CISO Tradecraft By Topic on GitHub 
Csikszentmihalyi
Ikigai
Invaluable: The Secret to Becoming Irreplaceable
The Six Invaluable Factors by David Crenshaw

This episode of CISO Tradecraft discusses CMMC.  The Cybersecurity Maturity Model Certification (CMMC), is the US government response to the massive amounts of defense-related information compromised over the years from contractors and third parties.  The program will be mandatory for all defense contractors by 2025, and has the potential to expand to the entire Federal government, affecting every entity that sells to Uncle Sam.  CMMC has five levels of progressively more rigorous certification with up to 171 controls based on acquisition regulations, NIST standards, and Federal information processing standards. In addition, there will be an entire ecosystem of trainers, consultants, assessors, and the organizations that support them.  We'll cover those in enough detail so that you can decide if expanding your career skill set into CMMC might make sense.

On this episode of CISO Tradecraft, you will hear about the most prominent Cyber Security Laws and Regulations:
The Health Insurance Portability and Accountability Act (HIPAA) advocates the security and privacy of personal health information
Administrative Safeguards
Physical Safeguards
Technical Safeguards
The Sarbanes-Oxley Act (SOX) is designed to provide transparency on anything that could cause material impact to the financials of a company
Cyber Risk Assessment
Identify Disclosure Controls and Policies
Implementing Cyber Security Controls Using a Reliable Framework (NIST CSF / ISO 27001)
Monitor and Test SOX Controls
The Gramm Leach Bliley Act (GLBA) requires Financial Institutions to protect Personally Identifiable Information (PII) 
The Federal Information Security Management Act (FISMA) requires executive agencies in the federal government to address cyber security concerns
Plan for security
Assign responsibility
Periodically review security controls on systems
Authorize systems to Operate
The Payment Card Industry Data Security Standards (PCI-DSS) is a framework required to protect payment card information
The General Data Protection Regulation (GDPR) - Data Compliance and Privacy law for European citizens
Consent
Data Minimization
Individual Rights
The California Consumer Protection Act (CCPA) - Data Compliance and Privacy law for California residents.  This law provides Californians the right to know what data is collected or sold, the right to access data, the ability to request its deletion, and the ability to opt out of it being collected or sold.
The Cybersecurity Maturity Model Certification (CMMC)- combines various cybersecurity standards and best practices and maps these controls and processes across maturity levels for Department of Defense contractors.

This episode of CISO Tradecraft is all about IPv6, featuring Joe Klein.  IPv6 is becoming the dominant protocol on the Internet, and CISOs should understand the implications of how their enterprise is potentially vulnerable to attacks that may come from that vector, as well as be aware of defenses that may originate from an effective IPv6 deployment.  This broadcast will cover the business cases for IPv6, the technical differences between IPv4 and IPv6, and the security implications of implementing this protocol correctly and incorrectly.

On this episode of CISO Tradecraft, you can learn how to build an Application Security program.
 Start with Key Questions for
Security
IT Operations
Application Development/Engineering Groups
Identify Key Activities
Asset Discovery
Asset Risk Prioritization
Mapping Assets Against Compliance Requirements
Setting up a Communications Plan
Perform Application Security Testing Activities
SAST
DAST
Vulnerability Scanners
Software Composition Analysis
Secrets Scanning
Cloud Security Scanning
Measure and Improve Current Vulnerability Posture through metrics
The number of vulnerabilities present in an application
The time to fix vulnerabilities
The remediation rate of vulnerabilities
The time vulnerabilities remain open
Defect Density - number of vulnerabilities per server
We also recommend reading the Microsoft Security Developer Life Cycle Practices Link
For more great ideas on setting up an application security program please read this amazing guide from WhiteHat Security Link
If you would like to improve cloud security scanning by automating Infrastructure as Code checks, then please check out Indeni CloudRail Link

What is measured gets done.  However before you measure you need to think about how best to measure.  On this episode of CISO Tradecraft, we provide you new insights into optimizing metrics that matter.  
What is a Metric?
Metrics drive outcomes.  Before picking a metric consider the following:
What data is required?
What stories can it tell?
What questions does it invite?
How sustainable is it?
When you report metrics highlight three things:
Status or Measure- Where is your company right now?
Trends- What direction is your company headed?
Goals- A description of where your company wants to be
Goals or Metrics should be SMART:
Specific, Measurable, Achievable, Realistic, and Time-based
For a helpful list of metrics that you might consider please check out the following list from Security Scorecard Link
Thank you again to our sponsor CyberArk, please check out their CISO Reports.

On this episode of CISO Tradecraft, you can learn the 10 steps to Incident Response Planning:
Establish a Cyber Incident Response Team
Develop a 24/7 Contact list for Response Personnel
Compile Key Documentation of Business-Critical Networks and Systems
Identify Response Partners and Establish Mutual Assistance Agreements
Develop Technical Response Procedures for Incident Handling that your team can follow:
External Media - An alert identifies someone plugged in a removable USB or external device 
Attrition - An alert identifies brute force techniques to compromise systems, networks, or applications.  (Examples Attackers trying thousands of passwords on login pages)
Web - A Web Application Firewall alert shows attacks carried out against your website or web-based application
Email - A user reports phishing attacks with a malicious link or attachment
Impersonation - An attack that inserts malicious processes into something benign (example Rogue Access Point found on company property)
Improper Usage - Attack stemming from user violation of the IT policies.  (Example employee installs file sharing software on a company laptop) 
Physical Loss- Loss or theft of a physical device (Example employee loses their luggage containing a company laptop)
Classify the Severity of the Cyber Incident
Develop Strategic Communication Procedures
Develop Legal Response Procedures
Obtain CEO or Senior Executive Buy-In and Sign-off
Exercise the Plan, Train Staff, and Update the Plan Regularly
To learn more about Incident Response Planning, CISO Tradecraft recommends reading this helpful document from the American Public Power Association
If you would like to automate security reviews of infrastructure-as-code, then please check out Indeni CloudRail Link

Special Thanks to our podcast Sponsor, CyberArk.  
Experienced CISOs know that it's not a matter of if, but when.  Incidents happen, and there is an established response strategy nicknamed PICERL that works:
 (P)reparation
 (I)dentification
 (C)ontainment
 (E)radication
 (R)ecovery
 (L)essons Learned
If we "shift left" with our incident planning, we can minimize our organizational risk -- thorough preparation, including establishing an environment of least privilege, significantly increases the challenge for an attacker, buys us time to identify early, and limits the damage potential from an incident.
 
This episode features Bryan Murphy, the Incident Response team leader at CyberArk.  His insights from managing dozens of responses are invaluable, and they are now yours through this special episode

On this episode of CISO Tradecraft, you can learn about the new Executive Order on Improving the Nation's Cyber Security.  The episode provides a brief background on three security incidents which have influenced the Biden administration:
SolarWinds
Microsoft Exchange Servers
Colonial Pipeline Attack
The episode then overviews the various sections of the new Executive Order:
Policy
Removing Barriers to Sharing Threat Information
Modernizing Federal Government Cybersecurity
Enhancing Software Supply Chain Security
Establish a Cyber Safety Review Board
Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Improving the Federal Government’s Investigative and Remediation Capabilities
National Security Systems
Thanks to CyberArk for sponsoring this episode.  Please check out CyberArk's new conference

This episode is sponsored by Indeni.  
On this episode of CISO Tradecraft, G Mark Hardy discusses with Yoni Leitersdorf (CEO and CISO of Indeni) the risks which can occur in a cloud environment after it has been provisioned. Essentially it's quite common for organizations to change their cloud environment from what was declared in a Terraform or Cloud Formation Script.  These unapproved cloud changes or Cloud Drift often create harmful misconfigurations and have the potential to create data loss events.
The podcast discusses the pros and cons of two key approaches to solve the Cloud Drift problem:
Static Security Testing in a build pipeline
Runtime Inventory Approaches 
The podcast features Yoni Leitersdorf.  Yoni founded a company (Indeni) to address Cloud Drift and discusses the business point of view of why this is a critical concern for the business.  If you would like to learn more about what Yoni is working on please check out Indeni
 
Yoni Leitersdorf can also be found on:LinkedIn
Twitter

Identity is the New Perimeter.  On this episode of CISO Tradecraft you will increase your understanding of Identity and Access Management.  Key topics include:
Audit Trail
Authentication
Authorization
Identity Compromise
Least Privilege
Microsegmentation
Multi Factor Authentication (MFA)
Privileged Access/Account Management (PAM)
Role Based Access Control (RBAC)
Single Sign On (SSO)

Have you ever heard a vendor has software features such as Artificial Intelligence (AI) or Machine Learning (ML)?   What does that mean?  On this episode we answer those questions so you know when vendors are full of it. 
Common reasons to use Artificial Intelligence
Types of Artificial Intelligence
What Machine Learning is
How Machine Learning works
How to select the right algorithm
References
How to Select Machine Learning Algorithms
ML Algorithm Cheat Sheet
63 Machine Learning Algorithms

Today, CISO Tradecraft hosts a 5 minute discussion to talk about reflection.  The concept is Roses, Buds, and Thorns.  It’s an exercise designed to identify opportunities to make positive change.
Roses- What’s working
Buds - What are new ideas
Thorns- What do we need to stop
If you would like to learn more please check out the article from MITRE
We would love to hear your feedback here.
Thank you,CISO Tradecraft