Online Business Security - Custom Corporate Cybersecurity

November 4, 2020

The Cyber Rants Podcast

Episode 5: Defining Proactive Security Posture

This Week, Zach, Lauro, and Mike discuss the steps needed to have online business security, and creating a proactive security posture, especially when creating a cybersecurity program for the first time. In addition, we also provide tips on how to create a custom corporate cybersecurity plan of action when implementing your cybersecurity program to make it the right fit for your company.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and

slightly embellished truths of corporate cyber security programs we're ranting we're raving

and we're telling you the stuff that nobody talks about and their fancy marketing materials all to

help you protect your company from cyber security criminals and now here are your hosts mike rotondo

zach fuller and lauro chavez welcome to the cyber ants podcast this is your co-host zach fuller

joined by mike rotondo and lauro chavez and today we are going to kick it off like we usually do

with cyber security news mike what's happening in the world of cyber security today oh there's

a lot going on right now and uh you know because it's been like 24 hours we you know we've gone

a whole 24 hours without another form of malware being coming out but here we have wellness which

is started in europe and is now moving to the us it's a standard mitigation for these but it's uh

we got a new one so look for that coming to you today uh there is a there is data out there

about this you just need to dig it up so um the next here we go from the next one hacker stole

government source code from sonar cube instances uh so the government once again is being hacked

uh through insecure technology uh mainly through sonar cube right now um they're working on locking

it down uh trick bot is back it's working through a linux variant now so your mac isn't safe your

linux box isn't safe but it's still wreaking havoc on microsoft um attacks on io up to one one-third

it's estimated up to one-third of infected devices now are iot devices um that's your phone and so on

um from another side it's not a low-tech it's that physical security is a lot of catching you have to

do right now there's some study into what about physical security um you know they're talking

about using the old-school ties old-school way of doing things and now they want to leverage

new things like biological or bio biometric data to manage physical security now

from the world of do do we really want to hear this the irs is exploring using hacking tools

because why not it's 20 20 and the irs might as well start hacking us right

there's a massive nitro breach that impacts microsoft google apple and more nitro is a

pdf format that these companies use it also hit chase there are a lot of data exposed and finally

because it hasn't happened soon enough i.e is dying the microsoft ie browser death march hastens

so they are starting to shut down i.e access all over the world which should be interesting for

companies that support large end user uh populations uh lauro i can both think of a company

that used to or several companies that used to be dependent on uh end users for most of their web

traffic and uh getting those forcing those guys to the correct browser was always difficult and

so one more thing the remote workers are ignoring training to open suspicious emails between 35

and 47 percent of all end users are just randomly opening suspicious emails because they're curious

which is not a good thing so um we'll leave it on that high note so lauro nah thanks mike uh

interesting stuff so you know the biometric thing is is kind of interesting because i

always picture the you ever seen the movie GATTACA um it's a it's a yeah yeah you're right where you

know he goes in and he's gotta you gotta give a blood sample to even get in the building right it

checks your dna on the spot before it even allows you into the academy and that's every day right

you just go through a turn style and you drop a blood and checks you out and you move forward

so the level of hacking and forgery that had to occur has just always been that's a really

cool movie if any of you haven't seen that yet GATTACA check that out um all right so

internet explorer is going away huh well you know they're getting rid of flash too so i say

it's a good weekstart hack and crap software uh speaking of crap software no offense but

oracle is on the list of vulnerabilities this week my gosh i mean i they've got probably 15 or so

critical and high vulnerabilities and then another probably 20 or 30 mediums so if you run an oracle

in any capacity it doesn't matter what version it is looking at those look at those updates there's

a lot of remote code execution and uh other types of other types of dubious activities that can

happen if if you're running oracle um especially if you've got it exposed to your uh your perimeter

in the in the iot uh red hats on the news uh this week for vulnerabilities uh there's a flash plug

again for red hat which i think is funny anyways but uh yeah so before before the end of it all

goes away go ahead and patch your uh your red hat for the flash uh so that you know your users can

check that out for the final month uh and then uh cisco xr uh the the discovery protocol format

string vulnerability is is out there and so you can kind of um you can you can cork

that that protocol string and send it back and it ends up bad so if you're running cisco xr

go ahead and check that update as well and of course mozilla firefox lots of stuff going on

with mozilla so if you're running mozilla browser go ahead and go ahead and uh and update that and

while you're at it go ahead and install uninstall internet explorer and see everybody at the time

that's it for me should have had uh internet explorer uninstalled years ago i think in my

in my humble opinion but uh for those people who are just joining us for the first time

or haven't listened in for a couple episodes we have been doing a series uh that's that's

actually information from the book cyber rants but we took a chapter out of it called eight

steps to implementing your cyber security program and so this is really designed for those business

leaders that have that burden of responsibility to build or implement a cyber security program

for their organization but haven't done it before we're doing this for the first time it

may we don't even have a background in it so we first talked about obtaining leadership support

and uh then we talked about understanding your current risks and vulnerabilities as they stand

today it's really the first two steps and so the next step is really just to define a path

to a proactive security posture right so you really need a a written documented roadmap

a plan of action to to get this done right and and that's the thing about cyber security right

it's not it's not um you know a magic solution that people just come up with it's it's um really

there are a lot of industry standards except the best practices a lot of good information out there

so it's not about reinventing the wheel or just having you know some smart technical

person just kind of make things up as they go right it's a very very methodical process um so

we'll dive into a little bit about that today building a plan of action a road map forward

mike or lauro any comments any any best practices you'd recommend right off the bat yeah get get

good at writing and smooching smooching the the tail coats of your bosses because

this is well it sounds simple and it's really easy to build a road map or a gantt chart or however

you choose to to display your information and needs right on how you're going to

obtain this proactive posture because where we're at right is you got leadership support all right

the bosses are like yeah we need cyber security of course and you get the risk assessments done

and now you know where all the holes in the house are and so now you're going to write

that that proactive plan that's going to get you to that secure computing model that you want to

be at right to a place that again there's no magic there's no magic recipe it's it's per organization

and per the amount of risk that every organization is willing to accept or not accept so you're going

to find that you're going to kind of find that that apex in your own home and you're going to

you're going to try to make that your goal and so in this piece of it where you're you're building

out you're you've got the risk assessment findings and they found all kinds of stuff and you know you

need people you know you need process you know you need documentation there's going to be tools that

you're going to need to buy uh probably if you don't have them already or you're maybe gonna need

to source some um um some you know free software that's out there that might suit your purposes or

try to structure something in-house with some maybe resources that are that are crafty with

excel spreadsheets and sharepoint sites so um but but this is really where i think

the when i when i told you to get your to put your lipstick or your chapstick on whichever you prefer

is that you're gonna have this this whole chart laid out and you're gonna need to then take it

to budget right mike i mean that's kind of the next step right once you have the whole plan

it's like okay we gotta do these three things if we're not gonna you know the three of us can't do

this in the next it'll take us five years to do this so we're gonna if we want to do it next year

we're gonna need these sort of these certain things these certain technologies

these practices in place and that's all going to be stuff you're going to be taking back to

that board meeting and saying i need money right exactly and i'm sorry i'm still reeling that from

the fact that zach said we're not magic because i think we are so yeah i thought so too like how are

you gonna insult your teammates like that exactly i mean just watch risk disappear that's magical

no hard work for you man trying to be humble you know i mean i mean i don't wanna i wanna let

people know that that really is our secret sauce is magic so apologize for that but now that it's

40 hours but it really takes us two minutes to write the spell and yeah yeah just keep depositing

my golden green gods that's all i asked exactly because team might write a policy set in five

minutes flat start to finish from scratch go into a trance scotch and do trans and it's all good

your keyboard was so hot after that i couldn't even touch it with my fingers like remember we

were remember zach we were roasting sausages over his keyboard after that five minute document it's

crazy well yeah mike let out the secret now it's scotch it's gotta be a good scotch too

to be exact that's the same thing batman uses to keep him in a good mood so anyway one of

one of the key things to defining the path of proactive posture which is going to you know

branch outside of security is it is also you need a business impact analysis which is going to

require conversations with all the stakeholders in your security posture which is basically everybody

right so it's from sales to accounting to you know what else you have marketing

communications and and you know even the physical building staff when people weren't working remote

because you got to understand what needs to be protected what needs to be spun up first what

needs to be you know what is what are in fact the key pieces it's uh to make your company run it's

not necessarily email it's not necessarily your website their backend systems that are maybe far

more critical so you need to understand what to protect first and that's where the business

impact analysis comes in and that's one of the things that we need to do um as far as you know

establishing those for establishing your baseline it gives you a good place to start so i guess the

the thing here is that security is a holistic whole company thing it is not solely based the

security team is the driver of it um actually top management is the driver but security team is the

the people on the ground driving it from that point forward once they have their marching

orders but the whole company owns it um and what i think with a lot of things is forgot it's not the

cesar that owns it it's the ceo and the board that owns the risk so that's where that needs to be um

that's where the effort and the pressure needs to come from so do the business

impact analysis and then you'll be able to define a plan and then you'll be able to go from there

and you'll be able to be able to track you know your trajectory as you go forward you know you'll

be able to say this is gone this is gone this is this is better this is worse and so on so i

think that yeah but but well i mean i agree with you man but i mean they're still going to have

to ask for stuff at this stage oh no no i'm not saying that but you gotta have the bia in place

first oh you gotta have bia oh yeah absolutely not certainly not um disagreeing there yeah no

you certainly need to have your bia you need to have your road map you need to have a gantt chart

or whatever right when you right you know your little hot little hand down the hall we have slaps

and and that's probably what what's a good segue for um for step four which is build

alliances across business units because it could be the middleware team that kai bashes your whole

your whole security endeavor right yeah one of the key things too is that you need a solid

project manager running the thing running the show and that's a lot of time that's forgotten

um you need an overall project manager program manager whatever you want to call them

to run this show um as far as making sure milestones are hit but yeah building the

alliance's piece that is the next it's all these are kind of like you know step three a and three

b rather than three and four i mean to be honest with you the way i see it yeah you almost want

to do them in parallel because you know having that having those parallel departments kind of

on your team for the changes that you're trying to make because you know let's just get real here

okay you know cyber security um professionals are often called cyber cops right i mean we

you know coming to make changes and it admins don't like us because now they can't log in with

their admin accounts and use it all day long and you know little changes that that are cultural

really but you know kind of impact everybody's experience and the holistic culture at work

and and so the more that you can massage that message into your your parallel departments that

you need right i mean you need them on your side um the better off you're going to be when you go

to the board with a plan and ask for money because there might be some places that you can even

toss tools as an example or toss works though you know we were talking about the middleware

team kybosh in your whole your whole endeavor right so you can have this big goal of making all

these changes having the secure computing model put in at your company and you go about i guess

i don't want to call it campaigning but i mean it really is it's going to be an internal campaign

and if you miss certain parties and they feel left out they're going to douse you with red paint

or whatever color they're choosing and that's ultimately end up uh not in your favor and so

you know there might be cases where if you can make you know good parlay with these organizations

then then you can say hey look in this middleware region we want to we know that you're using you

know tool a and right now you don't have the security modules purchased for tool a

we would like to see you do that we're willing to you know pay part of it from our budget

and we'll also monitor and help you configure it but we just need you to be on our team when

we go and ask these questions right because we're going to need money we need to add you need you to

add that to your budget for requests for the next quarter um would you say that's kind of accurate

mike yeah no no and i and then you know if you can come to them with a list of tools do an inventory

of security tools first and say we don't need this we don't need this this hasn't been logged on in

three months but we're still paying for three years and we're still paying for it you come to

them and say look we can cut savings here we can create money budget here if you do this this and

this that helps your case too because uh you know we've both been in companies and where and i'm

sure many of the listeners have been in companies where you got more tools than you know to do with

and redundant oh yeah redundant and then tools that are only 10 or 15 or 20 deployed you know

that have other modules they provide free training and support and all this kind of stuff and

you know the the next management team or security team or you know whiz bang security guy comes and

said oh we have to have this tool and it never gets deployed properly nope it never gets deployed

properly never gets managed properly it never gets matured properly and now you just got another

sinkhole of money sitting there right it might as well it might as well be a

buzz will be like a you know an 85 fiat sit in the garage does a project you know right right

and you know nobody tells accountant to stop paying for the paying the bill the renewal so

wait a minute wait a minute but on all of these tool companies websites they promise the

tools answer all the problems and make companies secure are you telling me that's not true well

well it's true in the case of one particular product that i'm not going to say the name of

but it is artificially intelligence driven and the department of defense is made by a

wing of the department of defense and it was actually sent to the department of defense

for them to put it in and have this piece of artificial intelligence cyber security technology

go through their network what it does is it finds vulnerabilities and patches them for you it makes

the decisions for you to build a secure system right it's literally skynet on your network and so

it has two modes of operations like most intrusion detection mechanisms that people that technicians

would be familiar with today right they've got the the the detect only and they have the prevention

piece right where now we're stopping attacks right was do it too um they would never put

the ai it's been in it's been in the organization for six months they never turned it to auto mode

basically it was only in manual so it would find problems and report back to the team and what they

needed to do they never let it they never let it go patch itself so if the department of defense

is even trust the own technology that they've built for themselves then yeah i'm pretty sure

that nobody else in the market is going to be able to build a tool that anybody's going to trust you

need people you got to have human expertise right well and we don't need to usher in the era of sky

that any sooner than is going to happen right you know we don't need HAL from 2001 to space odyssey

you know i have this theory well no i don't know i mean i don't think the robotic age is going to be

all i mean have you seen what human hair does to your vacuum cleaner

can you imagine the robot army of the future like just in a big hairball yeah

because they killed like new york city or something you know what i mean and they

walk through and they're all just tied up in their own in their own destruction yeah so i'm

not too worried about it well i don't know man it didn't work out well in the movie aliens so

you know with the robot so who knows man that it'll be an interesting thing to say for certain

but you know you talk about bishop bishop was a nice guy uh and aliens yeah but not an alien oh

oh yeah that was the first uh that was the first day i know that guy well he had other

he was programmed with other um instructions right right that overrode his ability to be kind

of humans right he was supposed to keep that life for him right right and so the the the bishop and

aliens which i'm i think that's one of the better movies of the of the series um uh yeah certainly

he he helped save her at the ends so yeah um actually did yeah he came to get her when the you

know she's trying to kill a little queen anyways tangent sci-fi people apologies so i think we've

learned uh you know really really back to building alliances across business units teamwork makes the

dream work everybody should have that motivate motivational poster on their wall it'll make

all the difference i promise is that the one with the cats um it's well it uh i think it's the one

with the chain links i i don't i don't remember there's some there's so many of them

there's some really really great ones out there but um but yeah but if that doesn't work um you

know it gets down to a deeper uh a deeper question what's a corporate culture right is it a is it a

a me culture or is it or is it about the a team as a whole you know and more a selfless service

and that's that's a much deeper discussion than we have uh time for today but i'm sure we'll

we'll get more into that in future episodes but um but uh yeah great stuff today we um we'll be back

next week uh with some more information we will continue our series but for now have a

great week and we will connect again soon

Episode 5: Defining Proactive Security Posture

Send Us Your Questions & Rants!

Categories

Archives

Transcript