Episode #86 - The Hard Truth About What You Can't Outsource

Sorry to say it, but nobody else can secure your organization from the outside. The reality is, every company has a significant amount of work that must be done internally (by real humans) to build an effective cybersecurity and compliance program. Be wise when looking at tools and services implying that they'll take care of your cybersecurity for you. This week, the guys discuss the hands-on internal requirements every company should consider when preparing to build a cybersecurity program for the first time. 

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines

Wipers Are Widening: Here’s Why That Matters (Hint: It’s a Bad Thing)
This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom
The Largest Mobile Malware Marketplace Identified by Resecurity in the Dark Web
Rackspace Hosted Exchange Service Outage Caused by Security Incident
FFT and Ransomware Represent Over Half of Cyber Insurance Claims in 2022
NETGEAR Router Vulnerability Allowed Access to Restricted Services
Android Security Update Fixes More Than 80 Security Vulnerabilities, Including Four Critical
Sophos Fixed a Critical Flaw in Its Sophos Firewall Version 19.5
For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers
Programming Languages: How Google Is Using Rust to Reduce Memory Safety Vulnerabilities in Android
Hackers Use New, Fake Crypto App to Breach Networks, Steal Cryptocurrency
New Magecart Campaign Said to Target at Least 44 E-commerce Sites
'Black Proxies' Enable Threat Actors to Conduct Malicious Activity
Sneaky Hackers Reverse Defense Mitigations When Detected
Christmas Warning: Threat Actors Impersonate Your Favorite Brands to Attack, Finds CSC

Transcript


welcome to the Cyber Rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here are your hosts
Mike Rotondo
Zach Fuller and Lauro Chavez
hello and welcome to the Cyber Rants podcast
this is your co host
Zach Fuller
joined by Mike Rotondo and Lauro Chavez
today we have an extra special topic
because every topic is extra special
when you're listening to the Cyber Rants podcast
today we are talking about
what you need to do internally
to really implement a strong cyber security program
regardless of the help you have
these things can't be done in a vacuum right
so organizations need to understand
what needs to be in place within the company
in order to be effective
so we'll dive into that today
after Mike gives us the news
and we have a little visit to Lauro's Corner
Mike welcome and good day to the news
wipers are widening
here's why that matters
wiperware aka wiper
is a term associated with malware
that purposely erases hard drive content
first surfacing in 2012 as the Shamoon malware
that was deployed against Saudi energy companies
wiperware use has exploded in 2022
in the first half of the year
researchers
saw a rising trend of wiper malware being deployed
in parallel with the Russia Ukraine war
however
those wipers haven't stayed in one place
they're emerging globally
which underscores the fact
that cyber crime knows no borders
it's not just the numbers that are growing
we're also seeing a rise in variety and sophistication
these wiper varieties
are also increasingly targeting critical infrastructure
since Feb 2022
at least 24 countries
and some critical infrastructure networks
have been affected by wiperware
and they're just bad
so they may actually ask you for Ransom
and then just wipe you anyway
so here's another issue on wiper
where this badly made ransomware
can't decrypt your files
even if you pay the Ransom
victims of a recently uncovered form of ransomware
are being warned not to pay the ransom demand
simply because
the ransomware isn't able to decrypt the files
it just destroys them instead
Cryptonite ransomware
which is coded in Python
first appeared in October 2022
as part of a free download
open source toolkit
available to anyone with the skills
required to deploy it
in attacks against Microsoft Windows systems
with phishing attacks
believed to be the most common means of delivery
the analysis of Cryptonite
by cybersecurity researchers at Fortinet
has found that the ransomware only
has bare bones functionality
and doesn't offer a means of decrypting files at all
even if a Ransom payment is made
and said Cryptonite effectively acts as wiper malware
destroying the encrypted files
leaving no way to retrieve the data
so rather than being an intentionally endless
act of destruction by design
researchers suggest that the reason Cryptonite
does this is because
the ransomware has been poorly put together
basic design
in what's described as lack of quality assurance
means the ransomware doesn't work correctly
because of a flaw in the way it's been
put together
means if Cryptonite crashes or is closed
that leaves no way to recover
the encrypted files
so even cybercriminals have QA issues
largest mobile malware marketplace
identified by Resecurity
in the dark web
Resecurity
has identified a new
underground marketplace in the dark web
oriented towards mobile malware developers
and operators
InTheBox is what it's called
the Dark Web marketplace
is leveraged by cybercriminals to attack over 300
financial institutions
payment system
social media
and online retailers
in 43 countries
InTheBox has been available
for cybercriminals in the Tor network
from at least the start of may 2022
however since then
it's transformed
from a cybercriminal service
operating privately
into the largest marketplace known today
for a large number of unique tools
and web injects
offered for sale
such malicious scenarios
are purposely developed by cybercriminals
and used for online banking
theft and financial fraud
web injects are integrated into mobile malware to
intercept banking credentials
payment system
social media
and email provider credentials
but it doesn't end there
these malicious tools are
also used to collect other sensitive
information
such as credit cards
address details
phone and PII
the trend comes from the man in the browser attacks
and web injects designed for
traditional PC
based malware; criminals
have now successfully applied the same approach
to mobile devices
so be careful what you do on your phone
a Rackspace hosted exchange service outage
caused by security incident
for those of you who believe that cloud
computing is bulletproof
here's some proof it ain't
cloud computing company
Rackspace
suffered a security breach
that has resulted in a still
as of 12/5 ongoing outage
of their hosted exchange environment
now in order to best protect the environment
this will continue
to be an extended
outage of Hosted Exchange
the company
said on Sunday
the connectivity issues
for Rackspace Hosted
Exchange customers
mostly small to medium sized businesses
started on Friday
December second
with users experiencing
errors when
accessing Outlook
Web App and syncing their email clients
what caused the incident
is unknown right now
but security
researcher Kevin Beaumont
has noticed
that a few days ago
the Shodan search engine
was showing
Rackspace Exchange clusters
running an exchange version
from August 2022
which means
they did not have the patches
for the ProxyNotShell
vulnerabilities
this is a danger
with outsourcing anything
because you don't have control over it
so be careful
when you're making that decision
to move to the cloud
FFT and ransomware
represent over half of cyber
insurance claims of 2022
FFT is fraudulent
funds transfer
and ransomware were
the biggest drivers
of financial
loss from cyber crime in 2022
accounting for more than 50%
of insurance claims
according to figures
from Corvus
the insurance
company found that
FFT and ransomware
are the 2 most consistent tactics
of choice for threat actors
with FFT representing 28% of cyber claims
and ransomware 23%
in its all time figures
however the
average FFT claim
is considerably lower than ransomware
which is 90,000
versus 256,000
for ransomware
additionally
overall time
ransomware claims
are 3 times higher than that of FFT
this is because
FFT incidents
do not typically
involve costly
data restoration
system recovery
business interruption
or breach response efforts
that are required
following ransomware attacks
I think IBM
estimates it takes 4 times
the cost to
remediate a breach
as it does prevent it
the CISO
at Corvus Insurance
told Infosecurity
that the cyber insurance
industry must
avoid tunnel vision
on ransomware
as if it's the sole threat to
organizations
while the cost
of ransomware claims
are 3 times
that of fraudulent funds transfer
the higher frequency
of other attacks
like business
email compromise
BECs and FFT
could deliver
death by 1000 cuts
the prevalence of FFT
in which social
engineering techniques are used to trick employees
or vendors into
transferring funds
to the wrong accounts
highlights the growing effectiveness of BEC scams
the report found that FFT
represents 70% of all BEC
related claims
and BEC made up
45% of all claims
in H1 2022
you know how
you beat some of that
training training
training all right
so there's a couple
critical highlights
there's an Android
security fix
that has 80
security vulnerabilities in it
Sophos fixed
a critical flaw
in their firewall
so patch
cyber attackers are using
popular EDR tools
to turn them
turning them into
destructive
data wipers
that's always
good to know
and lastly there's
a Christmas
warning threat actors
are impersonating
your favorite brands
to attack finds CSC
that's including Amazon
Walmart McDonald's
all of them
out there Starbucks
so with that
let's go to
Lauro's Corner
where we can
learn about
cybersecurity
and perhaps
to love our fellow man
a little more
that was that was
beautiful welcome
thank you Mike
for the introduction
welcome to my
my small yet
very fashionable
corner here
at Silent Sector
and you know what
I want to do
the intent of
the corner here
is to help us
all be better
with cyber security
sorry it's hard
for me to say
with a straight face
we're still
working on the name
Lauro's Corner
so love your
feedback on
any of that
okay today the topic
I really want to
drive home for the listeners
is multi factor
authentication
on this you know
you get enough of this at work
I'm not talking about
your business accounts
that's driven by policy
I'm talking
about all your
personal accounts
grandma's Facebook
account um your
your you know
maybe neighbors
kids families
TikToks and
other types
of accounts
make accounts
all the stuff
that you need
to run your
digital life
those accounts
multi factor
authentication
is important
because it requires
you to have
a second thing
that you know or have
in order to
demonstrate
that you are
who you say
you are okay
now there's
a lot of options
for this out there
I think the
most common
and this is what I
want to try to
focus on today
is not using
SMS text codes
as your form
of multi factor
authentication
your second factor
as you're putting
your password in
and you're pressing
your little
button that says
send it to my
phone and then
you're taking
the text code
from your phone
and putting that back
into your app
and you're authenticating
okay that's bad
for a couple of reasons
and I'm gonna tell
you why here
in a minute
but what the
better option
is I'm gonna
start with this
is using a one
time PIN app
or an authenticator app
so instead of using
those SMS codes
which can be
intercepted
and cloned and
we'll talk about that
in just a second
I'll give you 2 examples
real world examples
what you want to do
instead is get
if you're using Google
Google has an
authenticator app
and you can use
Google Authenticator app
for lots of
other things
like your bank
even if you're doing
something online
auctions eBay
they'll all allow
you to use a
one time PIN
authenticator
app whether
it's Google's
authenticator
if you're a
Microsoft 365 user
Microsoft
has an authenticator
that you can
use as well
so you know
I always like to
tell people
hey whatever
your major email is
go with their
authenticator
you can use it
for the email
and then you can
tie your bank
and your Facebook
and your Instagram
and your TikTok
and all of your online
brokerage sites
that you have
into this one time
PIN code so
what that does
is it makes
somebody have to
have actual
physical access
of your phone
in order for
them to gain
access to your
accounts right
that one time
PIN is an app
that sits on
your phone so
it can't be stolen
off of your phone
they have to
steal your phone
which means
I have to shake you up
and if you're
somebody like
Mike Rotondo that's
not gonna be
an easy thing to do
so it'd be a lot
easier to try
to catch Mike
using an SMS code
for things so
let's talk about
some examples
here about why
this is a bad idea
and the first
one I want to
talk about is
some stolen
crypto now at
Silent Sector
we are blessed
I guess and
cursed to be
privy to a lot
of incidents
that happen
out there in
the business world
especially where
it centers around
technology and
things like
fraud and theft
and especially
theft of crypto
so we we unfortunately
we had we didn't
have a lot of
interface in
this but but
essentially
what happened
is that there was
an investment firm
that was handling
crypto as part
of their portfolio
the crypto wallets
were being held
online and I know
all the toddlers
out there are
screeching right now
it's okay this is
new ball stuff
this happens
right if you're
not familiar
with crypto
you think an
online bank um
like Coinbase
or something
of the equivalent
is good enough
to hold your coin
well there was
about $700,000
US dollars in Bitcoin
sitting in this
online account
that was all tied
multi factor
back to the
human's phone
somebody found
out that this
this individual was
was holding
all of this crypto
and targeted
them by cloning
the SIM card
in their phone
they then went
to the crypto
exchange and
initiated a
password reset
where that reset
went to 2 phones
at one time
because the
SIM's cloned now
so the SMS code
went to the
banker's phone
and he was like
well that's weird
I just got a text
for a password reset
I wonder what
that's about
and the time
it took him to
think those things
the cybercriminal
already had
logged into
the bank account
with that code
and changed
the passwords
and emptied
the crypto wallet
this all transpired
in about a minute and 1/2
by the time
that we were
involved it was
far too late
for us to do
anything other
than involve
the authorities
at that point
so with monetary
and financials
it's super important
to make sure
that that multi
factor is there
in a one time PIN app
Symantec has one
Google Microsoft
the second one
let me give you
is for all of you
out there who
are fathers
and husbands
and there was a
woman who had
was going to
college and
she had someone
in one of her
classes that
was kind of
stalking her
there was a
kind of situation
where this individual
worked at one
of these break
fixed places
where they fix
iPhone screens
and phone screens
so he deliberately
knocked her phone
off the table
and broke the
screen so that
he could make
an excuse to
fix the phone
while he was
fixing the phone
which she agreed
to for free
of course he
cloned the SIM card
so now this
individual has
got a secondary phone
with a cloned
SIM and he's
seeing everything
that this girl
this woman is doing
in her life
all the text
messages to family
all the stuff
that she's sending
so she gets a
new admirer
and you know
they're starting into
this kind of
boyfriend girlfriend
relationship
and there's some
indecent pics
that are sent
well this guy
receives these
images to his
cloned phone
that he's sneakily
creepily doing
this right and
he loses his mind
so in class
he freaks out on the
on the woman
and she calls
the authorities
they you know
he says things
that leads her
to believe that
he knows way
too much about
what's going on
there has to
be something
going on here
so the authorities
get involved
they confiscate
the phone they
find out that
he does have
a secondary
phone with her
SIM is cloned
right so now
that's another
good example
of you know
something that
could just happen
to any one of us
out there just
going about
our daily lives
just trying to
be you know
be good humans
and do the best
that we have
with our with our
digital assets
so keep in mind
that you might
not be looking
for trouble
and trouble
will just happen
upon you the
best thing is
to just avoid
trouble at all
and trouble
in this case
comes in the
form of an SMS
code to your
phone for a
second factor
authentication
so please stop
that and try to
get everybody
that you love
especially yourself
using a one
time PIN app
like Google
Authenticator
or Microsoft
Authenticator
or Symantec
VIP or RSA or
anyone that's out
there really
is going to
be hundreds
and hundreds
of times more
beneficial in
risk reduction
over the use
of your SMS
text code that
you have today
and that's probably enough
in Lauro's Corner it's
getting small
in here I'm
getting a little
claustrophobic
Zach tell me
we got a good
topic to pull
us out of the
the area out
of the corner
into the main room
well you know what
we do have a
good topic and
we're gonna
dive right into that
after a quick
commercial break
want even more
Cyber Rants
be sure to subscribe
to the Cyber
Rants podcast
get your copy
of our best
selling books
Cyber Rants
on Amazon today
this podcast
is brought to you by
Silent Sector
the firm dedicated
to building
world class
cybersecurity
programs for
mid-market and
emerging companies
across the US
Silent Sector
also provides
industry leading
penetration tests
and cyber risk
assessments
visit
SilentSector.com and
contact us today
and we're back
with the Cyber
Rants podcast
today we are
talking about
what organizations need to
do internally
in order to
be effective
with implementing
a cyber risk
management program
we're talking
about policies
and procedures
implementing
and controls
for the organization that
I'm sorry to say
but nobody can do
for you from
the outside
despite there
being a lot
of marketing
hype in our
industry about
cybersecurity
done for you
and we'll take care
of everything
sorry to say
unfortunately
that's not how
it works there
is work that
you will have
to do within
your team so
we're going
to talk about
how to structure
that diving in
want to talk about
maybe you guys
could share
a couple of
you know real world
examples or
things that
you've come
across with
organizations that get held up
implementing certain policies within their company
you know slow to make decisions
or just struggling to
define any type of hierarchy for making those decisions
do you have any examples
off top of your head you could share about that
well policy paralysis
is always a big thing that happens
anytime you start working on a security framework
you look at the set of 20 policies
that need to be written
and processes that need to be written
and all of a sudden
you know your hands freezing
you're like
I don't understand
this is overwhelming
the problem is
is that you can't use policies out of the box
and we run across as
it's not just one
you know client
it's most many
not most many clients will run in this
where you know
they have a policy set
that was prepared by someone else
that they really had no input into
and you know
we start reviewing those things
for the security framework and
it's not really accurate
there's nothing there that they use
they they they don't understand
all the policies and procedures in them
so that happens
and then you don't have the file structure
or the organizational structure
in place in a lot of ways that
will allow you to create effective policies
so that that is a very
very real thing
you really just need to knuckle down and say all right
start with a low hanging fruit
like password or acceptable use
or something that you have
that you've already got in place
that can be augmented to fit the security framework
like NIST CSF
so yeah it's a very common problem
so I like that policy paralysis man
I'm gonna start using that
that's not only do I dig the alliteration
but man that's
that's certainly applicable
and I think what I'll add
you know I agree
I think many
many of the clients
and many the organizations suffer from this
what I think is important to understand is
and I think a lot of the reasons
why they get that paralysis piece
is that once they write this down into corporate law
that's exactly what it becomes
right now they've created a policy
they've created a group
an empowered group right
we like to use a cyber security council instead of like
a CISO or a risk officer
but they empower a group of individuals
and once the policies are solidified in PDF form
that's how you have to
that's the rule book that you've now made
and so the term that I always tell
clients going into this work
this documentation exercise
is that you gotta be careful
because we all choose the size of the stick
to which we beat ourselves with in policy right
yeah especially if you're gonna be audited
like SOC 2 or PCI or something like that
yeah yeah you have to have it yeah
well you know
I tell people in my SOC 2 prep training
and you know
and anything else it's like
don't put in a policy if you're not going to do it
and if you're not
if you're gonna put in a policy
you better be able to prove you do it
so yeah that's the
I think the 3 fundamentals that are important here
for maybe some of the listeners to realize
is that policies
the foundation right
you have to have that
it sets an action and gives
the manifestation of the risk management pieces
in your organization
so you have to have the policies
lots of organizations will probably have the technology
and the process in place
and don't have the documentation
you got to have it all
and the assessor's responsibility
is to look in 3 places to ascertain
if a control exists in the framework or not
okay so it doesn't matter if it's PCI or NIST or SOC 2
they're gonna say
show me the
I'm gonna talk to a person
they're gonna review the people
they're gonna interview you to ask you
how do you create a new user account
they're going to review the documentation
to make sure that what you articulated to them
is reflected in the document
and then they're going to want to review
the technical control
right the actual technology
show me the last 2 tickets for users created
to demonstrate that your user creation
follows the process that your admin told me
and that your document says
and now I'm trying to determine if the 3 of them
3 amigos all maintain the same story together
and that's how your auditor
your assessor
is going to determine
whether or not you have a control in place or not
so you have to have all of those 3 places
all tied together
and I think that's probably the biggest thing missing
I think from the awareness
and we always try to you know
bring that up front
but that policy paralysis
I love that
that starts to happen right when they realize that
as soon as we finalize these things
and there's like
we have all these documents
and soon as we file these things
this becomes real
it's real now
yeah and you know
from a SOC 2 perspective
they're gonna take 20% of those changes
and then they're gonna evaluate
maybe another 20% inside of that
from the interview
so if you are from the
from the evidence
so if you've got 100 tickets
they're gonna take 20 and then they're gonna look at 5
as far as their evidence
so keep that in mind
I think what's important to know is that a third party
can't tailor the documents for you
nor can they accept them into corporate law
right corporate policy
as 3rd parties or contractors
you have to have a business employee that's a leader
or it's been assigned the responsibility
to accept these policies into the business practice
it cannot be done by a third party
yeah so to answer that question specifically
can't think of a client that I have worked with
that doesn't have some form of that issue
where they don't have a structure in place
they can't accept the policy
they're paralyzed
by looking at them and they just
so whole thing I mean
we have to change the names to protect the guilty right
so better not
better to not speak at all and just say Yep
that happens
yeah that's my
that's my take on that
or are you guys done with your dance is that us
we were dancing in my corner
Lauro's Corner's
got a disco ball if you didn't know
but let's oh
yeah can we
can we step back a little bit for those people
that haven't gone through policy implementation before
we can't do that
there's good luck to you
no we're not going forward
only forward
Godspeed yeah
well let's take
can you just take a specific policy
and I'm gonna pick it for you
so you don't even have to pick it but walk
walk the millions of listeners through the process
start to finish
of designing that policy
and then getting it put into that corporate law
and even enforcement if you would
can I go ahead and pick a policy
pick it I'm gonna take that as a yes
I'm gonna go with the bring your own device policy
because that has a lot of craziness around it
so let me know your thoughts end to end
so this is a
that's a dangerous policy for a couple of reasons
because if you're
if you're going down a NIST or a more government driven
framework they're going to be very concerned
about mobile devices and having CUI
or highly confidential learning of
type of classified and managed data on those phones
everybody typically brings their own device
you all bring your phone to work
most all of us have our work email added to our phone
it's our personal phone
but we've gone into the local mail client
or downloaded something
and we've signed up with our employee email
that's the problem
and that's specifically one of the areas
that the Mobile Device Management policy
or the Bring Your Own Device policy rather addresses
it's like any other document
you're gonna have a background
you're gonna scope
you're gonna have limitations
and you're gonna have the meat of the policy
but it's difficult for organizations to adopt this
because again
now they're getting into a place
where they're realizing that maybe
I should be issuing my own mobile phones to my employees
if they're not doing that already
and if they
once they issue the device
now they have to worry about
well what if the device is stolen
can we redact information on that mobile phone
if it's a victim to a thievery
or gets lost
hopefully it gets dropped
in the ocean
they wouldn't have to worry about it anymore
but if it is taken in a manner that
somebody might be able to get that data off
that is a big question that comes up
in this bring your own device policy
because it's a matter of
should we allow you to bring your own phone
and if the answer is yes
what controls do we need to have in place
to mitigate the risk
for you being a human and making a mistake on a phone
on a piece of technology that we
as a business don't own
but you're using it to interface with our business
so I think there's a lot of
it's a good one Zach
because there's a lot of back and forth
on this policy
and lots of organizations
because the moment that you enact it
now you've got to figure out how to solve
these problems that it specifically addresses
well you have legal questions that come into place too
do I have the right to demand that you install MDM
that you install certain
preventative measures on that device
do I legally have the right to
some of the MDM tools
especially older ones
when you hit wipe the email
you would break the phone
and that's someone's personal device
it's happening
what do you
yeah what do you do when you have contractors
working for you that have the same access
are you going to provide a contractor a device
and then allow them you know
with the hope that they don't disappear with it
I mean what what
what are you going to do
so for the BYOD
for a contractor
you've got to have some kind of
mobile device management
and then you know
we deal with a fact of
you know say
take regulated data like HIPAA
you know you don't want HIPAA data on that device
and it's fine
you know we don't
they don't have access
any HIPAA applications
what really
do they get attachments in their email
do they get email
it's got HIPAA data in it
possibly you know
so that's a concern
but then you can get back to the nuts and bolts
piece of all right look
these are the 3 levels of iPhone we cover
we support the 12
the 13 and the 14
if you don't have that then we
we don't have
you can't use our applications on your phone
or the Android
or whatever
but you know
it must be patched
and it must be supported
and it must be you know
kept up to date
and you have to allow us to install
X y and Z um
so that's why I
BYOD
gets really sticky
I mean I get
its cost effective from the beginning and if
if you're a smaller company
but you know
as you get bigger
you really want to consider
providing phones for work
and of course
then the employees gonna be like
well I don't want to carry 2 phones
well and then you have to decide
on what you're gonna allow them to do
and not do on the work phone
can they take personal email
can they play doodle jump
can they do Facebook
you know what
you know is it candy crushable
you know what
what are we gonna do with the BYOD
you know so those restrictions
but those are the same restrictions
you're gonna put on some of the laptop you know
you know so it is a sticky
sticky thing that takes a lot of thought
and it sounds easier than it is
so does you know so
but you have to work through that and you have to
and the other thing that involves outside it
you got to talk to HR
you talk to legal
you got to talk to accounting
and you got to figure out
you know all the
all those ramifications before you can write the policy
but once you've written that policy
then you got to get some kind of
acceptance or request part process involved
you know all your inevitably going to have
at some point someone circumvent that policy
so you know
then what are the repercussions of doing that right
yeah and the auditor's gonna ask you all of this stuff
too if you've got a BYOD policy
I mean honestly the right
I think part of the right solution Mike
would be to just issue devices and then your BYOD
policy just says we don't allow BYOD yeah
yeah but unfortunately that
you know they're small company
yeah yeah there's no money and phones are not
I mean gosh
phones are 13, 14 hundred bucks now
yeah and you're right
is it legally
I mean how do you
what are the legal ramifications of forcing
an individual to install a piece of software
that are for the work for your company
so there's like some weirdness right
and the truth of the matter is
is like you said
it's cost effective
but it's not
it's probably not the best way forward
for risk mitigation
the BYOD policy should be like
we do not allow anyone to bring your own devices
all the devices are issued by the organization
and have controls commensurate to prevent data loss
and data integrity situations
so if a laptop's stolen or lost
or phone stolen or lost
the data can be remotely wiped
without anybody having to worry
and your humans have signed usually some form of a
inventory like acceptance right
what's that call Mike
where they have to accept their
their items from the company and sign for them
oh tell me that
off the top of my head
I was thinking about the potential conspiracy theories
of the fact that now you can geo
track all your employees and know where they're at
as long as they have that phone
that's right
you find out where they shop
is that where they shop
where they shop
well I think it's real
but it could be extrapolated into a big
you know conspiracy
the business has got to try to protect its data
because the business is liable
for the mistakes that it makes
you know and so
classified message incidents
in the military and the Department of Defense
that's what they called CMIs
is exactly what I'm talking about
if you get an attachment with healthcare data in
and it's on your personal phone
that's a message incident
you've taken
a classified data set
that's recognized by the industry and the organization
and you put it on a phone
not classified
to handle that type of data
you know what I mean
no controls in place
there's an incident
that should actually go on an incident matrix report
and have a whole review by the council
to understand why
it's important
that you either make employees install software
if they're going to use their personal phone for email
or you just need to issue the phone right
venture capital
and just issue the phone
you know there you go
easiest thing to do
there we go
take just put it on
get us get a big credit card
and just max it out for
well I mean
just don't allow the remote functionality you know
yeah that too
and you say
you can't have your email on your phone
except for specific exceptions Yep
more than that device is provided
so you know
you've got 500 employees
you don't need to provide 500 phones
and maybe provide 40 phones
and everybody else can't have email on their phone
I was gonna say
I can't even tell you how much
how much PCI data was found on mobile phones
through attachments
from sales teacher
god's disgusting
well I'm sure
didn't mean to go down too far down the rabbit hole
on the BYOD specifically
but that gives you
gives the listeners an incredible idea
of what is actually involved
when you're implementing policy
and rightfully so
people get confused
people have trouble making these decisions
processes can be delayed
and so we see some organizations that are
extremely quick to make decisions
they have a good decision making process
they make it happen
they implement it they go
other organizations have no formalization and really
really struggle in this area
so think about that
BYOD is an interesting topic for sure
not to be confused with BYOB
which you should also have a bring your own beer policy
right no Bud Light
or Keystone
or anything allowed in the office
get something decent
but exactly
BYOD among many others
right we could get into a whole bunch
I mean I don't even
we don't have the time to dive into things
like the incident response right now
but that being said
that should give our listeners
a good idea of
the thought process that goes through this
is there a specific organizational structure
or specific systems that companies have internally
that you've seen are more effective than others
when it comes to writing and implementing policy
well I mean
if you have a GRC team then
you know that makes life easier
is that suicide
I mean it depends on the size of the company
to be honest with you
a lot of times these policies fall to IT
people that wouldn't necessarily own that policy
so you need to have a structure
you need to identify who's the process owner
and then who is and who is the policy owner
that is defined by the process so
or the policy
yeah anyway
so that ideally
you need at least one
one worker bee and one queen
for lack of a better way of putting it
so you need someone who can sign off of it
you need someone who can
you know but you need to define that clearly
and you need to have that defined
before you write the first policy
because otherwise you're just running in circles
that's our opinion
yeah yeah circumlocution certainly
can be an output of this document exercise
I think the other thing that's important probably
to point out here
is that these documents are living artifacts
they can be changed at any time
but they need to be changed
they can't just be sitting there
your auditor is going to say
show me your change table
and if you have a document listed as v2
they're gonna ask you where v1 is
trust me this just happened
so keep in mind that no audit is created equal
and all auditors are different
they're all gonna try to ascertain evidence
in their own way
that makes them feel comfortable
because they're putting their
their gusto on the line
to determine whether something exists or not
let me ask you a bunch of different questions
that you might have added another audit
but these policies have to be tailor fit to you
you have to
you know the way that we do it is
we have these exercises where we
we walk through every part of the document
and we add the language
with everybody there so
and we explain why it's necessary
why the scope of portion of the documents necessary
right I mean
that's a very important area
believe it or not
and then you know
because if you don't define the scope of the document
then it can apply to anything right
and then people are going to come in
and make a bunch of assumptions
so you have to be very concise
well yeah and the policies can be changed
but they cannot be ignored
that's one of the key pieces to correct
so that would happen
well you know
we've all dealt with smallers
never needs that
it like well
this is the way we've always done things
why we have to do it this way now
because we've been successful
and it's like
well that's
the next step in maturity
is codifying what you do
now we're not telling you
you can't do it the way you've done it before
but we're going to write it down
and that's how it's going to be now
we're also going to tell you if you're doing it wrong
you know and it creates additional risk
but the fact of the matter is
you have to document what you do
why you do it
how you do it
and then be able to provide other facts for doing so
and not you know and and
and one thing to keep in mind
especially for you HIPAA folks out there
you got to keep 6 years of those policies
you can't just keep the last version
there's 6 years you have to keep
so every time you update that thing over 6 years
you got to keep that from an archiving perspective
because you're liable for that
yeah well there has to be an exception process too
for every policy
I think probably the last thing too
there's always gonna be an exception process
for most every policy you have
because like Mike said
someone's not gonna be bound to policy
whether they're a leader in the organization
or executive or some special person that
believes they're above the policy
there's gonna have to be an exception process
so keep that in mind too
most of these documents
will have to have a process of exception right
and an effect for violating that process
yes some kind of consequence
I hate to end the fun
everybody loves policies
but we are coming up on time gentlemen
so policies thank you
such a buzzkill
I know I know
we were just getting into it and we could probably talk
time to work on things that BYOB policy I guess
exactly exactly
but for everybody listening
hope this helps you understand what goes into this
from a taking a real world example
talking through the thought process
and talking about the structure that's needed to be
that needs to be in place
in order to really implement these things
and be effective in doing so
so this stuff is important
we know everybody hates doing policy work
it's something that's kind of a necessary evil
a thorn in the side for a lot of organizations
I shouldn't say that
Mike and Lauro love policy work
but most people hate policies
totally with that
it's just the reality of the world we live in today
unfortunately
that's just
just how it has to be so
hope this helped you
thanks for listening to the Cyber Rants podcast
be sure that you reach out
let us know about future topics like the podcast
subscribe share
all those things that go on with podcasts
and that helps us get the word out
to the world people that need it
and helps us do our part to spread this information
and make the world a little bit more secure place
so have a great rest of your day
and we'll see you on the next episode
pick up your copy of the Cyber Rants
book on Amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at
silentsector.com
join us next time
for another edition of the Cyber Rants podcast