Cybersecurity Steps - How to Prepare for a Cyber Attack

October 21, 2020

The Cyber Rants Podcast

Episode 3 - Building a Security-Conscious Culture

This week - The guys discuss how to build a Security-Conscious Culture in your organization, along with some of the successes and failures that occur in the process. The team also talks about the cybersecurity steps necessary in how to prepare for a cyber-attack. In addition, they talk steps to implement your security program, beginning with leadership support. Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting raving and telling you

the stuff that nobody talks about on their fancy website and trade show giveaways all to help you

protect your company from cyber criminals and now here's your hosts michael rotondo zach fuller and

lauro chavez hello and welcome to the cyber ants podcast this is your co-host zach fuller joined

by mike rotondo and lauro chavez and uh have a good show playing for you today we are going to

follow our normal format mike you want to kick us off with the headlines what's going on in cyber

security today yeah here's just uh the top 10 headlines that i was able to pull out of the news

this week one of them is that ransomware is increasing exponentially uh there's an article out

called ransomware 2020 attack trends affecting organizations worldwide um there's now up to

the point that one in three uh cyber security incidences are basically ransomware so it's just

increasing exponentially one of the other issues which are headlines which i saw which is very

interesting was that you want to stop cyber crimes tearing through your network first check your

privileges analysis has been done that that over 50 percent of the people with elevated privileges

don't need them so we need to refine and we look at who you're giving access to and why one of the

interesting things that's racking up is bluetooth security weaknesses are piling up while patching

remains problematic as we all have smartphones bluetooth is becoming more and more prevalent

in out in the wild and the attacks are becoming more and more probably relevant um

dovetailing into want to stop cyber crimes through your network tearing through your

network um there's an article that says a fifth of all privileged users don't need elevated access

that's just another reinforcement of the fact that you need to refine your users

and and validate that they need the access they have um discouraging one very discouraging

one is the price of stolen remote logging passwords is dropping and that's a bad sign

uh what that basically means is they're just they're out there and they're easy to get

um another good one from microsoft over 61 of exchange servers are vulnerable to CVE 2020-068

attack so that's uh if you go to microsoft exchange server check that CDE out there's

a new ransomware out there called mount locker ransomware and they're demanding multi-million

dollar ransoms they're they're targeting high-profile fortune 100 500 type companies

another disconcerting thing is that new research finds bugs in every anti-malware product tested

so i think you're safe with anti-malware then you're not um there's also an android camera bug

under the microscope which is basically allows remote remote users so you to take over the

camera and even more good news if you're running hp device manager anyone on your network can

get admin on your server apparently some developer trying to make things easy for you

created a weak password and user account that easily is hackable so that's the top 10

headlines in the news today or this week

so anyway lauro cam oh it doesn't surprise me about the anti-malware stuff though there's

it's just all just always something so something for this week for your sev5s these are critical

critical patches that you you just really need to stop what you're doing and so there are four of

them for this week and they're all cisco related so if you're running cisco you got jabber there's

there's there's a command injection for that uh if you're running v manager there's a command

injection for that um if you're running the sd-wan solution there's arbitrary file overwrite and then

there's just kind of a general solution multiple vulnerabilities as they call it right and step

5's that essentially are vulnerabilities that have command injection capabilities so those four check

those four out if you're running cisco um get get that stuff patched uh no microsoft i'm just

getting shocked it's been week two no microsoft that's okay that's a record it's a record

well great you know diving into today's show it will really dovetail in the last week we talked

about building a security conscious culture and and where some of the successes of failures are

seen in that process and so this time we're um uh pulling straight from some information

in cyber rants the book um about the steps to implement your cyber security program and um

like we mentioned last week the biggest failure is is to is to not make a decision to actually

build a formalized cybersecurity program and those are by far the majority of the companies that get

the uh get to become victims of cyber attack those ones that haven't made that decision uh but let's

say you've made the decision um you probably already have if you're listening to this you're

interested in this this stuff you're probably moving forward or already even have a formalized

security program that you're looking to make better um so diving right into it you know i mean

the first step um of course once decisions made is really got to have leadership support across

the board and we're not just talking about the the tech leadership either or the risk management

leadership right it's it's everybody it's it's a board of the board of directors your ceo cfo

ceo everybody in the organization but also at a management level um mike or lauro have you do you

have any good examples you want to share of just leadership successes or failures from what you've

seen out there in various size organizations do you want to go first mike oh no go ahead

well i can i can certainly talk about a we can talk about a failure uh real quick i've got some

success i mean you know i guess we can we can really kind of troll this on with a bunch of

different stories from both categories but i'll talk about a significant failure um you know

so so here here's the thing is that you know like you stated zach you know it's important

to have everybody's everybody at the top of the business support and so there's an organization

i was serving and we had we had a budget for cyber security and uh we were going to implement

a remote VPN solution and we were going to do the basically the deploy the model where

you don't have the dual honey meaning that if you're if you're logged in from home

you're getting forced through the company's architecture and out to the internet where

we had a web filter right so we had a bunch of things blocked well this was you know the it the

VP of it's idea and um you know we thought it you know check some blocks on you know the NIST

worksheet right where we're kind of looking at this you know from a from a compliance perspective

anyway well the board of directors didn't didn't really know about this they had no idea and the

moment that we turned it live they were just extremely angry about the whole situation

and there was not really any amount of explaining that could be done and so what would it have

happened we had to take the solution out or tune it down and um what ended up happening is that we

we were forcing pretty much everybody that didn't have a choice right all the employees through the

solution and all the executives had you know kind of a a contingency around it

so you know we we had an open hole at the time you know and this is this is years ago right we had

we we had this kind of now we've got this hole right because in spear fishing and well fishing

you know those are the those the individuals you're going to try to go for are the are the

heads of the organization and so um at that time you know we we still understood it as a

you know bad thing but you know it was you know again i think if it would have been publicized a

little better and maybe campaigned i guess in the organization a little better we wouldn't have had

such a abrupt failure at the end um but you know to i guess that's one example i'm sure mike maybe

you can can add to that well you know just double failing on that such as the nature of the beast of

our business right since we're doing consulting a lot of times we come in two instances where there

is a failure right and all of a sudden leadership or management or somebody's decided that they want

to fix it so we see the aftermath we're brought in we come in and we fix it and

i think that's really their our model is to come in and do that augment that solution um

you know i've seen um successful small companies that we've helped that you know we've come in

and we've brought in um you know security programs that have allowed companies to

expand get large deals and then eventually get acquired um and then i've also seen actually you

know most of the failings i see are in larger companies although i mean i could think of one

off the top of my head that it was a software company that really just wanted to check boxes

and refused to put more money into it than they needed to refuse to fix things just wanted us to

kind of roll over and play dead and check their box and we refused to do that so um and that was

from the owner of the company on down it was bc owned company and they just wanted someone to

you know check the box and we don't do that um so though and then i think that company's now out of

business we wound up firing them so i mean there's leadership's buy-in is critical to actual security

and listening to the security professionals is also critical um and that's where the disconnect

is i think a lot of times but you know we're starting to see people that are

more into it more willing and that's the people that are engaging silent sectors so

that's a good thing yeah it's really it's really interesting to see the dynamic you know they're

you can kind of tell um among when you're talking with leadership of an organization whether they're

whether they have a long-term outlook or whether they're looking to just you know raise a bunch

of capital and flip the company sell it off right because the ones with the long-term outlook they

look at security a lot differently and in general this is not not always you know but but in general

it seems like you can tell just by the uh level of consideration they put in their security program

i can give a an example of a of a client it's a fairly sizable healthcare company and i think

they've done a tremendous job the company has a great culture overall and their approach to

building a security program a few years back was um probably over over five years now actually but

was to basically um promote from within and they had one individual on the i.t team that kind of

became the the champion of this uh cyber security program and then grew his team from other people

within the organization and actually separated out that security department into a a whole different

chain of command if you will under a chief risk officer um so it no longer fell under

i.t but having come from i.t um they you know they understood the inner workings within the

organization they were able to work complementary very very well i put together a five-year road map

and grew the company and the internal security team still continues to expand and um

because it's under uh the chief risk officer who actually reports directly to the board um rather

than the CEO um i think that's an excellent way to go especially with a healthcare organization

um holding you know millions and millions of patient records and such um i i think that's a

model that a lot of organizations could follow uh regardless of their industry so long as they have

a few in-house resources that they could you know they could could take on that type

of role and that level of thinking to build something new um in the organization and for

smaller companies it can't can't really do that that's you know that's why companies like ours

exist of course come in and help support that and build that out yeah no good good point zach and

they did and and that healthcare client has done a really really good job and we have another client

um you know i was kind of given a personal experience because i i don't have a lot of

bad to talk about some of the clients that we've had um but we've got another small SaaS that

uh deals in the the licensing and marketing space and they um they they really you

know their leadership saw right away that they needed to to have an edge over their

competition and they had you know again they had all that the pretty the pretty app they had the

great website they had good office space the one thing they were really missing was that that cyber

security piece and again it you know it it all kind of starts with a security questionnaire at

some point right that's i think that's really kind of the snowball effect right that that

initial ball that we roll over the cliff but they've just done an outstanding job themselves

over the past six or seven years that we've been with them to um you know to continually push that

to push that that that that measurable goal forward for cyber security and then also to

set themselves apart from pretty much everybody in there you know that would be their competition

in their in their marketing space um and they're leading that they're leading that space i think

and getting more clients and maintaining the really really really large clients that

they currently have today because of that it's interesting you bring that up because um that yeah

i call it the cyber security growth ceiling it's when b2b technology companies are trying to land

contracts they they're growing they're doing well you know they're getting they're getting

revenue in the door getting some basic clients and then they start trying to land

large enterprise contracts companies that are much larger than themselves and those security

questionnaires come down and when they don't have that formalized security program in place they

kind of hit this this growth ceiling and um a lot of times in the b2b tech space that's when leaders

finally decide to come together and say okay now we realize we have to do this not because it's

you know risk management but because it's hindering our revenue generation

and that that changes the conversation completely right so if you can show

how in your organization how cyber security relates to revenue generation client retention

profitability that's going to get a tremendous amount of hold a tremendous amount of weight

whereas if you're only having the risk management conversation um there's a lot of unknowns there

there's a lot of misunderstanding um especially people that are not technical they don't really

think through the ramifications of a breach uh day in and day out like we do so um yeah at excellent

point um it's a it's an awesome i also think they don't understand how it's monetized right i mean

cost of a breach varies from you know forty dollars per incident or forty dollars per person

per record loss to you know IBM estimates the millions of dollars per breach because they they

look at the oh we lost data well then they also have to look at the remediation costs the changes

the architecture changes the insurance everything else and a lot of people in the larger companies

that we've spoken to are like oh our stock will just dip for a month and then we'll be back

that's the wrong perspective they have to understand the whole holistic perspective

and it's talking about the the smaller b to b type things i mean that's why we started

keystone audit to do sock too audits because we see that trend with these smaller companies that

are trying to land that bigger fish like you were talking about their growth their growth ceiling

that need the sock to audit now and that's why we've got keystone audit and that's one

of the things that we're seeing as well right absolutely you know the other thing is when

you're when you're talking about breaches so you have the you need if you really want to get cyber

security ramped up in your organization talk to the leadership about the benefits and the

the business development capabilities especially if you're serving you know if you're if you're

filling out those security questionnaires and you're serving clients that are concerned with

your your security um the other side of that is is don't ever bring them like the the average um cost

of a data breach right because i always compare it to um it's kind of like buying a house right if

you when you're buying a house you don't look at the average cost of a house in the united states

because that's that's meaningless to you right you look at what um you know what it costs in a

specific um city specific neighborhood certain characteristics square footage and finishes in

the in the property and all that um there are a lot of considerations so if you can you know take

that same thought process bring the number to your organization and there's certain you know tools

and companies that can help you do this um we can we can certainly provide some guidance there but

um bring in bring a definitive number to your your leadership saying this is what it will cost us

in the event of a breach um and here's how it's broken out by you know and how we can

prevent each piece and what those prevention measures will cover in terms of dollars and cents

um essentially a financial risk analysis and uh that will certainly get their attention the more

you can customize anything to the organization for presentational leadership the more they will

um uh you know look at it and really put some some serious consideration uh into that

yeah uh exactly i can agree more and i think that that drops us right into um into the into the

second second portion of that chapter right where we're talking about understanding your current

risks and vulnerabilities you can't really go and provide that information to the board until you've

done that that kind of next part investigation now that you're the new sheriff you know you

were the troublemakers you know what what are the vulnerable technologies where the

the the sun setting technologies where the technologies at that you know haven't had SME

attention for for years or legacy apps things like that right that that that are going to potentially

cause problems um is right in line with with what you're talking about in the next thing we have

yeah yeah absolutely i mean that's that's one of those things where you can't

you can't know what direction to go until you know where you are right and so um like

we say in the book you know it's plausible that plausible deniability is not a not a solution

not an answer anymore right especially with executives being held liable for breaches so

you know the best thing an organization can do and what we do whenever we start working with

an organization to build out a security program it starts with a cyber risk assessment right we

need to understand the strengths and weaknesses and uh and be able to go from there so usually

and different organizations look at this differently but when we say cyber risk assessment

in that we're also including technical testing and penetration testing and scanning

to ensure that we're taking a technical view at the at the vulnerabilities and the risk

surfaces that that rise from those and not just a paper review right i mean pay-per-view of course

is important too so looking at all policies and procedures uh but the uh but you i think

you have to have the technical side it seems like a lot of organizations are are only doing

um documentation policy review and they're calling that cyber risk assessment you have any any

thoughts on that oh yeah we're seeing that because that can be presented to a lawyer and say oh look

we're doing all this and then what they don't have is the actual validation that's backed up

right that's actually backed up in practice that they're actually doing it that they've

actually ensured that it's actually functional working so yeah i mean we're seeing a lot of

that paper stuff and and i mean i can think of a client off the top of my head

that basically told us point blank he's like i don't want to want this done because i don't want

to know it and i don't want to be responsible for it so i mean it it is changing because of

the awareness that you were talking about zach but yeah but you see that quite a bit

yeah right that's that's that goes back to the plausible deniability right but now i mean we it's

our job of course in the security world to educate people that's that's not going to cut it and um

the the more you know the better but at least even if you haven't been able to fix everything right i

think when breaches occur nobody's expected to be perfect in terms of cyber security because

nobody is but if you can at least prove that you've been doing taking the right steps and

you know running industry best practices starting with your cyber risk assessments and penetration

testing activities at least um you know you then you can justify hey we you know these are risks we

made a business decision to cover down um on these vulnerabilities and remediate these issues because

to us they were the greatest concern at the time so we had you know we had to make an educated

guess people are going to give more weight to that than saying oh well we just didn't even know these

issues were there right so it's about having a plan of action milestones documenting that and um

continuing to keep it to keep it updated any other thoughts before we wrap up on uh today's show

no make sure that you're doing a uh doing a full cyber risk assessment looking at all the different

risk vectors of the business including the cyber wing and the financial wing

and if uh you're getting uh you're just getting a uh you know

a commoditized uh scan then uh you're not really getting a holistic view

well i know a lot of people are interested in in the finer points of cyber risk assessments

and penetration testing so we will certainly uh be covering that and in the future and the show

but for now we want to talk about implementing cyber security programs so just know that

getting complete leadership buy-in um is first thing that needs to happen and then from there

you have to understand what your risks are today how how things stand before you can

plot your route forward so we'll get into the next steps and future episodes here but to thank

you for joining us.

Episode 3 - Building a Security-Conscious Culture

Send Us Your Questions & Rants!

Categories

Archives

Transcript