CISO Tradecraft®

Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2025, National Security Corporation. All Rights Reserved

Episodes

#26 - Blockchain for CISOs

Friday Apr 23, 2021

On this episode of CISO Tradecraft we dive into the world of blockchain. As a CISO you may be expected to explain to executives what the technology does and possibly how it works. Here's your briefing to make you successful. We'll cover:
History of money and birth of bitcoin
Why blockchain uniquely solves an age-old trust problem
Potential business uses of blockchain technology
Smart contracts and why they work
Blockchain variants such as private and permissioned
https://www.cisotradecraft.com

Friday Apr 16, 2021

This episode of CISO Tradecraft continues the Ransomware discussion. Do you slay the dragon (avoid the ransom) or save the princess (recover your files)?
Talking points include:
Background on Ransomware
What if we choose to pay a ransom?
Is the Ransomware on the sanctions list?
Negotiation/Payments
Involving Law Enforcement
Involving Legal Counsel
Dealing with Cryptocurrencies

Thursday Apr 08, 2021

Would you like to know more about Ransomware?  On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide an in-depth discussion on Ransomware.  Key discussions include:
What is ransomware?
Why does it work?
Ransomware Types (Client-Side, Server-Side, & Hybrid)
How each of these enters a target environment
Ransomware Incidents
The Economics of Ransomware
How is Ransomware Evolving?
Why Ransomware continues to work :(
Ethical Issues to consider before paying
Ransomware Defenses
Please subscribe to the CISO Tradecraft LinkedIn Group to get even more great content
CISA Ransomware Guide Link

Friday Apr 02, 2021

If there's one place that knows how Advanced Persistent Threat (APT) actors work, it's the National Security Agency (NSA).  On this episode of CISO Tradecraft G Mark Hardy and Ross Young discuss NSA's Top Ten Cybersecurity Mitigation Strategies and how to use them to secure your company.
Since the mitigation strategies are ranked by effectiveness against known APT tactics, they can be used to set the priorities for organizations to minimize mission impact from cyber attacks.
Update and Upgrade Software Immediately
Defend Privileges and Accounts
Enforce Signed Software Execution Policies
Exercise a System Recovery Plan
Actively Manage Systems & Configurations
Continuously Hunt for Network Intrusions
Leverage Modern Hardware Security Features
Segregate Networks using Application-Aware Defenses
Integrate Threat Reputation Services
Transition to Multi-Factor Authentication
Link to NSA's Material

Friday Mar 26, 2021

Would you like to know the best practices in modern software development?  On this episode G Mark Hardy and Ross Young overview the 12 Factor App and its best practices:
Codebase: One codebase tracked in revision control with many deploys.
Dependencies: Explicitly declare and isolate dependencies.
Config: Store configurations in the environment.
Backing Services: Treat backing services as attached resources.
Build, Release, Run: Strictly separate build and run stages.
Processes: Execute the app as one or more stateless processes.
Port Binding: Export services via port binding.
Concurrency: Scale out via the process model.
Disposability: Maximize robustness with fast startups and graceful shutdowns.
Dev/Prod parity: Keep development, staging, and production as similar as possible.
Logs: Treat logs as event streams.
Admin Processes: Run admin/management tasks as one-off processes.
This episode of CISO Tradecraft also discusses important software development concepts such as Extreme Programming, Lean Product Development, and User Centered Design methodologies. To learn more about these concepts, please look at the Pivotal Process.

Friday Mar 19, 2021

This special episode features Mark Egan (former CIO of Symantec as well as VMware). Mark discusses what he looks for during interviews with CISOs, what executives need to demonstrate during their first 90 days to be successful, and how he helps the next generation of cyber professionals at Merritt College.
Three Questions to ask during any interview:
What do you like best about this role?
What are the most challenging pieces of this role?
What does success look like for this role one year into the future?
Five Step Plan for New CISOs:
Start with an assessment of the current “As-Is” IT architecture
Perform a Business Requirements Analysis (what are the strategic objectives, tactical issues, and business environment?).
Design the Future "To Be" IT architecture (application architecture, organization architecture, network architecture, infrastructure architecture).
Gap Analysis = (Future - Present). This is the most important step, as you need to determine a good list of alternatives for management. Talk to consultants and peers in other companies to see how you can come up with a wide range of solutions.
Options to Bridge the Gaps = (Cost, Time, & Business Environment). Present management with alternative approaches for transforming the organization. Remember to speak in business terms and specify ways that align with business objectives. In cyber terms this might be ensuring financially significant applications don't suffer operational disruption, protecting revenue and brand by securing internet-facing applications, meeting compliance and regulatory concerns, etc.
Merritt College Overview Link
Volunteer to Help Merritt College Link
Contact Merritt College Link
Mark Egan LinkedIn Profile Link

#20 - Zero Trust

Friday Mar 12, 2021

Would you actually like to learn about what Zero Trust is without a bunch of marketing jargon?  On this week's episode G Mark Hardy and Ross Young provide a thoughtful discussion on Zero Trust from NIST and Microsoft:
Microsoft's Zero Trust Principles
Verify Explicitly
Use Least Privileged Access
Assume Breach
NIST 800-207 Seven Tenets of Zero Trust
All data sources and computing services are considered resources
All communication is secured regardless of network location
Access to individual enterprise resources is granted on a per-session basis
Access to resources is determined by dynamic policy
The enterprise monitors and measures the integrity and security posture of all owned and associated assets
All resource authentication and authorization are dynamic and strictly enforced before access is allowed
The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communication and uses it to improve its security posture
Six Foundational Elements of Zero Trust
Identities
Devices
Applications
Data
Infrastructure
Networks

#19 - Team Building

Friday Mar 05, 2021

Every leader needs to know how to lead and manage a team.  On this episode G Mark Hardy and Ross Young share tradecraft on team building.
Pitfalls of team building, such as becoming the hero
Organizational Maturity Models (Levels 1-5)
Tuckman Teaming Model (Forming, Storming, Norming, and Performing)
Leadership Styles (Telling, Selling, Participating, & Delegating)
Aligning your Team and Regaining former employees

#18 - Executive Presence

Friday Feb 26, 2021

Having the ability to inspire confidence is crucial to lead others and allows you the opportunity to gain access to executive roles.  On this episode G Mark Hardy and Ross Young discuss executive presence:
What is it
Why you need it
How to get it
We will discuss Gerry Valentine's 7 key steps to building your executive presence:
Have a vision, and articulate it well
Understand how others experience you
Build your communication skills
Become an excellent listener
Cultivate your network and build political savvy
Learn to operate effectively under stress
Make sure your appearance isn't a distraction

#17 - Global War on Email

Friday Feb 19, 2021

If you use email, this episode is for you. Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education).
These three tools all involve placing simple entries in your DNS records. To work effectively, the recipient's mail system also needs to check those entries. They are:
SPF = Sender Policy Framework; designates that only mail from the listed IP address(es) or mail server(s) is valid. For example: v=spf1 include:spf.protection.outlook.com
DKIM = DomainKeys Identified Mail; advertises a public key that can be used to validate that mail was signed with the corresponding private key. For example: v=DKIM1; k=rsa; p=0123456789ABCDEF…
DMARC = Domain-based Message Authentication, Reporting, and Conformance; establishes the policy for what a recipient should do when a message fails the SPF/DKIM checks. For example: v=DMARC1; p=quarantine
Check your settings at MXToolbox
Learn DMARC Link
Implementing these protections requires a small amount of work but can yield outsized benefits. In addition to allowing recipients of your mail to validate SPF, DKIM, and DMARC, ensure your incoming mail is checked for conformance as well, labeling, quarantining, or rejecting any that fail.
Lastly, blocking top-level domains (TLDs) with which you do not do business can significantly improve your security by short-circuiting many ransomware, command-and-control, and malware URLs that will be unable to resolve through your DNS.  Get the latest list from IANA
Great Background Reading from Australian Signals Directorate Link
Email Authenticity 101 Link

#16 - The Essential Eight

Friday Feb 12, 2021

The Australian Cyber Security Centre (ACSC) believes that not all cyber security controls are created equal. They have assessed various strategies to mitigate cyber security incidents and determined that eight essential cyber security controls safeguard an organization more than any others. These controls, commonly known as "The Essential Eight", are highly recommended.
Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Patch applications (e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers). Patch/mitigate computers with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest version of applications.
Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Strategies to mitigate cyber incidents Link
Strategies to mitigate cyber incidents poster Link
Essential Eight Maturity Model Link

#15 - IT Governance

Friday Feb 05, 2021

As a CISO, one of the key functions you will be responsible for is IT Governance.  On this episode we discuss what the intent is for a wide variety of cybersecurity documentation that you can leverage, influence, and enforce. 
Examples include:
Policies
Control Objectives
Standards
Guidelines
Controls
Procedures
...
Helpful visual from ComplianceForge which shows how various documentation standards can be integrated Link

Friday Jan 29, 2021

At some point in time, a CISO will need to purchase new security technology. Whether it's antivirus, firewalls, or SIEMs, you need to understand how to choose a product that will benefit your organization for years to come. This podcast discusses 5 different techniques that CISOs can apply to help with product selection.
Perform Market Research to learn the players
Gartner Magic Quadrant
Forrester Wave
Leverage Vendor Comparison Tools to spot the features
Mitre ATT&CK Evaluation
AV-Comparatives
MoSCoW Method (Must Have, Should Have, Could Have, & Will not Have)
Pugh Matrix
Use Predictive Analysis tools to see the trends
Google Trends
OpenHub.Net
Stack Overflow
DB-Engines
Apply Problem Framing to understand the limitations and politics 
Define the Problem: List the current problem you are facing.
State the Intended Objective: Identify the goal the organization is trying to achieve, so that there is consensus on when the original problem has been solved.
Understand the Status Quo: If you take no action, does the current problem get worse, get better, or remain the same?
List any Implied Solutions: List early solutions that appear to address the initial problem. These solutions will likely come from your direct boss, who has a certain way of doing things.
Identify the Gap: The gap is roughly the difference between the intended objective and the status quo. Essentially this is the opportunity cost your organization must weigh when comparing this against other problems in the organization.
Identify the Trap: For each of the implied solutions, imagine how you might build the product or service as directed and still not solve the intended objective.
Explore Alternatives: Are there other solutions that avoid the traps or gaps and address the problem that have not been previously evaluated?
Execute an Analytical Hierarchy Process (AHP) to remove bias
AHP is a structured process that helps remove politics or bias from decision-making. It relies on creating relative weights among decision criteria, and possibly decomposing those into sub-criteria, resulting in a weighted formula for all inputs. Those become the equation that is used to evaluate alternatives; each alternative is scored on its sub-criteria, then summed up by relative weight, resulting in a relative scoring based on numeric analysis. For example, selecting a new product might involve evaluating three major criteria: cost, functionality, and maintenance. These are ranked pairwise on a relative scale of 1x-9x. For this example, cost is twice as important as maintenance; functionality is twice as important as maintenance; cost is equally important to functionality. From that comes a 40% - 40% - 20% ranking (all must sum to 100%). Next, sub-criteria may be identified and weighted, e.g., initial cost is 1/3 the importance of ongoing cost. Thus, the 40% global weighting for cost would consist of a local weighting of 1 part initial cost [25%] to 3 parts ongoing cost [75%] (1:3 ratio). So, initial cost becomes 25% of the 40% for total cost = 10% of the overall decision, and ongoing cost becomes 75% of the 40% for total cost = 30% of the overall decision. This may be repeated for other criteria at as many levels deep as desired, resulting in an overall weighting of input criteria based on simple pairwise comparisons. Each candidate choice is now scored for each criterion on a selected scale (e.g., Option A scores 4 of 10 for initial cost, Option B scores 8 of 10 for initial cost), and the weighted products are summed for a final score.
References for Analytic Hierarchy Process (AHP):
Everyman's link
Shorter explanation link (pitches productized version)
Online calculator link
Expensive eBook
Not-so-expensive reference

#13 - Executive Competencies

Friday Jan 22, 2021

Have you ever wanted to become an executive, but didn’t know what skills to focus on?  On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide guidance from the Office of Personnel Management (Chief Human Resources Agency and personnel policy manager for the US government).  The podcast discusses the 6 Fundamental Competencies and the 5 Executive Core Qualifications required by all federal executives.
 
Fundamental Competencies:
Interpersonal Skills
Oral Communication
Integrity/Honesty
Written Communication
Continual Learning
Public Service Motivation
Executive Core Qualifications
Leading Change
Leading People
Results Driven
Business Acumen
Building Coalitions
https://www.opm.gov/policy-data-oversight/senior-executive-service/executive-core-qualifications/#url=Overview
 

Friday Jan 15, 2021

Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security. 
The three ways of DevOps consist of:
The First Way: Principles of Flow
The Second Way: Principles of Feedback
The Third Way: Principles of Continuous Learning
If you would like to learn more about the three ways of DevOps, G Mark Hardy and Ross Young invite you to read The Phoenix Project by Gene Kim.
https://www.amazon.com/Phoenix-Project-DevOps-Helping-Business/dp/0988262592

#11 - Cryptography

Friday Jan 08, 2021

Most organizations generate revenue by hosting online transactions.  Cryptography is a key enabler to securing online transactions in untrusted spaces.  Therefore it's important for CISOs to understand how it works.  This episode discusses the fundamentals of cryptography:
What are the requirements for cryptography?
How long has cryptography been around?
Are there differences between legacy and modern cryptography?
Differences between symmetric and asymmetric encryption
Common use of encryption at rest
Encryption in transit

#10 - Securing the Cloud

Friday Jan 01, 2021

Understanding how to secure the cloud is a crucial piece of tradecraft that every CISO needs to master. This episode provides an in-depth discussion of AWS's 7 design principles for securing the cloud:
Implement a strong identity foundation
Enable traceability
Apply security at all layers
Automate security best practices
Protect data in transit and at rest
Keep people away from data
Prepare for security events
Please note the AWS Well-Architected Framework Security Design Principles can be found here: https://wa.aws.amazon.com/wat.pillar.security.en.html
Chapters
00:00 Introduction
02:33 Seven design principles for securing the cloud
04:17 Multi Factor Authentication (MFA)
05:59 How to prevent password guessing attacks on the cloud
08:19 How to limit access to your applications
11:05 How to enable traceability in your environment
13:15 The importance of cloud infrastructure
14:47 How to monitor security in the cloud
17:09 How to automate monitoring, alerting, and auditing
19:09 Configuring a strong identity foundation
20:52 How to have an effective real time view of what your developers have produced
22:48 How to automate your security best practices
26:42 How to protect your data in the cloud
28:36 How to limit access to your data
31:36 How to scan your APIs to protect your data
33:41 The importance of permissions in a data science environment
36:06 The importance of identity in cloud computing
41:30 Review of the 7 design principles for securing the cloud

Friday Dec 25, 2020

Have you ever wanted to learn the basic fundamentals of the cloud? This podcast provides a 50,000-foot view of the cloud. Specific discussions include:
What is the cloud?
What types of clouds are there and what are the differences?
What is the term shared responsibility model and what does that mean for securing the cloud?
Chapters
00:00 Introduction
02:10 The Basics of Cloud Computing
06:20 Cloud Computing and Infrastructure as a Service Model
10:17 The different levels of responsibility in an Elastic Compute Cloud Environment
13:18 How to host a server in the cloud
15:33 The differences between IaaS, PaaS, and SaaS
17:30 The consequences of committing to the cloud
19:15 The rise of AWS locations
21:21 The politics of Cloud Provider Infrastructure
24:15 The benefits of the cloud
26:30 AWS's shared responsibility model
30:43 The impediments to a high level of security in the cloud
34:46 How to sleep soundly with your data in the cloud
37:18 How to run a hybrid cloud
39:46 The challenges of hybrid clouds
43:03 Seven design principles for securing the cloud

#8 - Crucial Conversations

Friday Dec 18, 2020

CISOs often encounter situations where everyone has a different opinion, the decision is high stakes, and emotions are running high. These situations create crucial conversation opportunities where a CISO needs to be effective. This podcast discusses how to turn disagreement into dialogue, surface any subject, and make it safe to discuss. Please listen as G Mark Hardy and Ross Young discuss the 8-step process from the book "Crucial Conversations."
Get Unstuck
Start With Heart
Master My Stories
State My Path
Learn To Look
Make It Safe
Explore Others' Path
Move To Action
We recommend you visit the following Crucial Conversations Website to learn more https://www.vitalsmarts.com/crucial-conversations-training/
The Crucial Conversation Book can be found on Amazon https://www.amazon.com/dp/0071771328/ref=cm_sw_em_r_mt_dp_0Cj3FbY9KA429
Chapters
00:00 Introduction
02:13 How to have crucial conversations
06:14 How to make better decisions
09:54 The dangers of talking about business
14:26 The importance of clarifying what you really want
17:51 The importance of mutual respect
25:18 How to achieve a shared goal
29:11 How to partner together to stop terrorism
33:13 How to create a mutual purpose
37:08 How to speak your mind in a safe environment
40:52 The importance of being vulnerable
51:56 The importance of listening to people
54:56 How to be a successful CISO

#7 - DevOps

Friday Dec 11, 2020

On this Episode we will explore DevOps as a topic and discuss why you need to care as a CISO.  Key discussions include:
What are the key principles behind DevOps?
What benefits does security see from DevOps?
What is a CI/CD pipeline?
What are common types of DevOps tools that I need to understand as a CISO?
Where does DevSecOps fit in?
What are 4 types of Application Security Testing tools we see in DevOps Pipelines?
What are 3 common ways to make DevOps / DevSecOps go viral in any organization?
Chapters
00:00 Introduction
04:56 DevOps - What are your thoughts?
08:57 Microsoft Super Patch Tuesday
13:03 DevOps - What's it all about?
14:22 What is CALMS (Culture, Automation, Lean, Measuring, & Sharing)
26:32 CI/CD
32:12 Containers & DevOps
33:45 Where does security fit in?
36:26 Application Security Testing
41:54 DevOps & DevSecOps - What are the tools?

#6 - Change Management

Friday Dec 04, 2020

If you want to make an impact as a leader, then you need to understand how to lead change. This episode overviews Dr. John Kotter's 8-step process for accelerating change.
Create a sense of urgency
Build a guiding coalition
Form a strategic vision and initiatives
Enlist a volunteer army
Enable action by removing barriers
Generate short-term wins
Sustain acceleration
Institute change
We highly recommend you read Kotter's ebook to learn more:
https://www.kotterinc.com/8-steps-process-for-leading-change/
Chapters
00:00 Introduction
04:25 Are you creating change without urgency?
07:16 How can we drive security into the mobile app experience?
10:55 How to build a guiding coalition to transform the organization
13:49 The one trick I've learned from public speaking
16:15 What's the 3rd step in creating a strategic vision and initiatives
19:12 A great strategic vision drives direction
20:50 How to accelerate the change in your organization
24:31 Creating partnerships to transform security
28:04 Identifying the barriers that are creating problems in your organization
33:01 How to document short term wins
36:13 The next step is sustained acceleration
39:28 How to anchor change in corporate culture
45:02 Leadership and management from a leadership perspective

#5 - Cyber Frameworks

Friday Nov 27, 2020

Cyber Frameworks help CISOs build, measure, and execute top-notch information security programs. This podcast overviews the differences between Cyber Control Frameworks (CIS Controls & NIST 800-53), Program Frameworks (ISO 27001 & NIST CSF), and Risk Frameworks (FAIR, ISO 27005, & NIST 800-39) as well as provides useful tips on how to implement them.
Chapters
00:00 Introductions
03:29 Creating a Framework for Cyber Security Programs
06:48 What are the Most Important Controls
11:08 Having an Inventory of Your Network Assets
14:01 Patch Tuesday and Remediation
18:20 Penetration Testing - The Last of the 20 SANS Controls
20:58 What's the NIST Cyber Security Framework
29:17 The Evolution of Security Controls
35:03 ISO 27000 Series Gap Analysis
40:03 Cyber is in the Business of Revenue Protection
44:53 The Risk Matrix - Likelihood and Impact
49:32 Risk Management & Continuous Vulnerability Management
51:41 Your four options? (Accept, Mitigate, Avoid, or Assign)

#4 - Asset Management

Friday Nov 20, 2020

If you want to assess your current level of security, then you should start with an asset management program. Asset management provides the basic building blocks that enable vulnerability management and remediation programs.
This podcast provides key lessons learned on what is required for effective asset management, as well as discussing how asset management evolves with the cloud. Listeners will also learn important steps to take to create a world-class asset management program.
Chapters
00:00 Introduction
02:00 The SANS Top 20 Controls
06:04 What if I don't have an Agent on my Endpoint?
09:08 Cloud Native CMDB Systems
11:35 Shadow IT in the Cloud
14:12 Software Bill of Materials for your Applications
19:33 What's the problem with older versions of software?
22:02 Is there a Vulnerability in Windows 10?
24:34 The Criticality of the Enterprise Patch Cycle
28:43 How do we have a Good Inventory?
31:34 Continuity of Operations & Disaster Recovery
33:17 Is your Asset Inventory Complete?
35:17 Is Asset Management Key for your Organization?

#3 - How to Read Your Boss

Friday Nov 13, 2020

The ability to persuade others is a core tradecraft for every CISO.  This podcast discusses the most common styles of executive decision making (Charismatics, Thinkers, Skeptics, Followers, and Controllers).  After listening to this podcast, you will understand how to more effectively tailor your message to best influence each style of executive. 
If you would like to learn more about this topic, we strongly recommend you read the Harvard Business Review article, “Change the Way You Persuade”, by Gary A. Williams and Robert B. Miller
https://hbr.org/2002/05/change-the-way-you-persuade
Chapters
00:00 Introductions
03:04 How to Persuade a Charismatic Leader
06:49 How do you use Visual Aids to Help Thinkers
10:39 What approaches do you take with Skeptics?
15:47 How do we overcome Skeptics?
17:24 Are Followers Leaders?
20:58 Can we do a Pilot Program?
22:59 Strategic Tools to be more Successful in your Career
24:47 Do you have any experiences with Controllers?
28:03 How to use your Egos and their Past Experiences to your Advantage
31:06 The Pointy Haired Boss
36:35 How to Adapt a Leader's Style

Friday Nov 06, 2020

To become an effective CISO you need influence skills.  On this episode we explore Robert Cialdini's book, "Influence" and discuss the psychology of persuasion.  We will explore 6 key areas of influence:
Liking: If people like you (because they sense that you like them, or because of things you have in common) they're more apt to say yes to you.
Reciprocity: People tend to return favors. If you help people, they'll help you. If you behave in a certain way (cooperatively, for example), they'll respond in kind.
Social Proof: People will do things that they see other people doing, especially if those people seem similar to them.
Commitment and Consistency: People want to be consistent, or at least to appear to be. If they make a public, voluntary commitment, they'll try to follow through.
Authority: People defer to experts and to those in positions of authority (and typically underestimate their tendency to do so).
Scarcity: People value things more if they perceive them to be scarce.
If you would like to learn more on this topic, then we recommend you read Cialdini's work:
Website https://www.influenceatwork.com/principles-of-persuasion/
Book https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
Chapters
00:00 Introduction
03:21 The Principles of Persuasion
05:27 How to be a Great Speaker and Get People to Like You
09:01 How to Win Friends and Influence People
13:45 How does a Mint Influence your Tipping?
15:04 Doing a Favor for Someone is a Good Thing
17:29 The Concept of Social Proof is Security
21:34 How to Defend against Audits
26:15 Getting Small Commitments Out of People Early On
29:20 The Importance of Consistency in Influencing
34:12 The Six Principles of Persuasion
38:57 Is there a Scarcity of Time?
43:13 The Six Cialdini Factors Recap
