Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall
 

 

Episode #89 - The Cybersecurity Committee

The development of a cybersecurity committee will accelerate your company's alignment to a cybersecurity framework and compliance requirements. 

This week, the guys discuss why you may need a committee for your cybersecurity framework adoption, instead of leaving one person to lead the job. 

They also cover operational tempo with a 12-month calendar example to accelerate your progress and maintain compliance. 



Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Transcript


welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike ratando
zack fuller and laura chavez
hello and welcome to the cyber ants podcast
this is your co host
zack fuller
joined by mike ortondo and laro chavez
today we are talking about a couple different things
we'll talk about cybersecurity committee
what that is
what that looks like
why you should have it
and we'll also talk a little bit about
the operational tempo
you might want to look at throughout the year
when you're planning your year out
it's always good to start with a plan in mind
so we'll dive into that and more today
but first mike
you want to kick us off with the news
here's the news
this is from krebs
identity thieves bypassed experience security
to view credit reports
identity thieves have been exploiting
glaring week security weakness
in the website of experian
one of the big three consumer credit reporting bureaus
normally experience requires
that those seeking a copy of their credit report
successfully answer several multiple choice questions
about their financial history
but till the end of twenty twenty two
experience website allowed anyone to bypass
these questions
go straight to the consumers report
all that was needed was the person's name
address birthday
and social security number
so check that out
when you're doing your experian boost
these and that service that says
plug in for wordpress
you know what i mean
yeah exactly
a number of cloud apps delivering malware
nearly tripled in twenty twenty two
netscope reported january tenth at
more than four hundred distinct cloud applications
delivered malware in twenty twenty two
nearly triple the amount seen the year before
the researchers
also found that thirty percent of all cloud
malware downloads in twenty twenty two
originated from get
wait for it
microsoft onedrive
attackers are increasingly of using business
critical cloud apps to deliver malware
by bypassing inadequate security controls
said ray hands
a nice threat research director at netscope threat labs
that's why it's an imperative
more organizations expect all http and attps traffic
including traffic
for popular cloud apps
both company and personal
insists for malicious content
and that's important for those of you to say
well everything's a sas
that you know
we don't really need security controls
well actually kind of do
the strong pity
apt group targeted
android users
with a trojanized version of the telegram app
served through a website impersonating a video chat
service called shaggle
i'm gonna guess that most of you know it
guess by the name
what shaggle is about
video chat with random people online
instantly on shaggle
we connected a live cam to cam
chat with strangers
make it easier
than ever for you to meet new people online he said
researchers reported that strong pity apt
group targeted android users with a charge line
version of the telegram app
campaign has been active since november
twenty twenty one
threat actors
serve the voices app through website
impersonating a video chat service
the experts highlighted that the shadow service
is available only via web interface
and doesn't have a mobile app
copycat website
mimicking the shadow service
is used to distribute
strong pd's mobile
backdoor app
reads the report
the app is a modified
version of the open source telegram app
the html code of the fake site includes
was copied from the legitimate shadowcom
com site on november first
using a tool called ht track
while the domain was registered
on the same day
so if you're looking for some hot video chat
you might be getting the back door
i could be taken in a
variety yeah let's
let's move on
yeah nice payload
sir yes sir
dark nut markets
using custom android apps for fulfillment
it's not a good day for android
e karma's markets
offering a list of substances
digital copperband
fraudster tools
and other criminal wares
continued to thrive
many buyers and sellers of such goods and services
rely on darknet markets
but no market
lives forever
and whenever
a major player gets disrupted
user scatter
some flock to rival services
other start up
new options
underground
chatter intensifies
over how to better camouflage activities
using encrypted chat
apps or services
the better safeguard administrators and users
for law enforcement
multiple drug focused
darknet markets last year
began testing new strategies
only displaying iron for sale
to prevent be
vetted members
and providing them with
android apps
built using m
club engine
so far it's counted
seven drug shops
using this engine
they may all be working with the same developer
so long story short
they're using
custom apps now
researchers find security flaw
in json web
token library
used by twenty thousand projects
there's a new
high severity vulnerability
that has been found
in the popular
json web token
open source
javascript package
by exploring the flaw
an attacker
could perform
remote code execution
on a server
verifying was just
mostly crafted
json web token request
according to palo alto
so something to look into
i read that
if that's something you use
and lastly data backup
is no longer just about
operational fallback
data backup
has traditionally
been an operational domain of it
while security teams
have been responsible
for threats to data
from attacks
these attacks have been
become more sophisticated
backups have come under threat
and vendors
have had to incorporate
new features
into their software
address attacks
and protect data
some of these
new features
are called continuous
data production
a data protection method
that backs up information
as it changes
without schedules
the zero test framework
air gapping
dr orchestration
it's facilitated dr testing
threat prevention
and detection
all the other cloud
so you enabling
cobranetti's
officer sixty
five docker
and cloud to cloud
copying data
from cloud to cloud
we had a podcast with mr
backup and i
highly recommend
you go back and
listen to it
but it was probably what
ten or fifteen ago
there's more
more fallout
from the rack space
ransomware attack
cisco won't fix
router flaws
even though a poc
exploit is available
there's some other
cooingers related
security projects
to watch in
twenty twenty three
and zoom addressed
for high security
vulnerabilities
impacting its
popular video
conferencing
software zoom rooms
those are just some headlines
that we have
from the week
ending in one
thirteen twenty
twenty three
and with that
we can move on to
laurel's corner
where we can learn
to love laugh
and be better
to cyber security
people laurel
thank you mike
that was always
so so lovely
getting getting
intro by you
sir thank you
well welcome
everybody to
episode two of
twenty twenty three
and again today
i have four
helpful tips
to help you
with your critical data
and i think
this is a great
follow on conversation
to two of the articles
that mike just
talked about
that cybercriminals are
car getting
her backup data
for organizations
because they know
that that's kind of
the fail safe
as if something happens
we can always
roll back to
the previous
hour two hours
three hours
and really not
have a problem
so i've got
four things for you
to think about
today number one
don't trust
your technology
now this is for
all of us out here
not just the
corporations
that have millions of dollars
to throw into
santa rays and
things like that
where they can
back up the data
or cheeky services
this is for me
you aunt gemama
that's probably
a bad thing to say
joe take that out
this is for
me you aunt
auntie lynette
uncle jim grandpa
laro whatever
it doesn't matter
make sure that
this data you know
stays with somebody
that you care about
so number one
don't trust your tech
everything's
consumable today
our laptops
are getting
you know replaced
and thrown away
they're easy to break
if you trust your tech
and you trust your data
on your check
you could be
making a fatal mistake
so whether it's
your phone or
your onedrive
for microsoft
or maybe your apple
icloud drive
that's not secured
if attackers
or something
bad happens
and you can't
get to that data
all those pictures
of little timmy
will be lost forever
so in order to keep
that brings me to
point number two
point number one
don't trust your check
point number two
get a usb drive
while all the
cloud services
out there are
really cool and um
very clever
and very useful
i'd say a wise man
once told me
if you don't
hold your data
you don't own your data
so that goes
doubly for us
because if you
something happens
and you have
to be a hobo
for two years
and you can't
afford a new
apple laptop
to log into
your icloud
to get your
photos of timmy
what happens after
four hundred
and fifty days
when apple says
this account
doesn't look like
it's used anymore
let's go ahead
and delete it
to save space
on our giant
cloud drive
so don't trust
the cloud with
your critical data
you want to have
something localized
that you can
put your hands
on in worse
case scenario
anybody can go
and borrow a laptop
from grandma
or uncle willie
in order to
install your
thumb drive
so that you can see
pictures of
timmy again
okay so let's
not lose sight
of what's important here
now number one
don't trust your tech
number two get you
a thumb drive
or a removable hard drive
or something
that you can
keep with your hands
that has all
of your beautiful
wonderful pictures
of timmy now
number three
is have a backup schedule
for that said drive
that drive is useless
if you don't
keep it up to date
think a worst
case scenario
timmy spills
orange juice
all over your
laptop frying
pretty much
everything that
you just bought
on the new apple m
two including
all the pictures
of timmy that
have been taken
in the last
three months
because it's been
three months
since you've updated
said removable
hard drive so
make yourself a schedule
at least once a month
or every other week
think big organizations
are doing these
incremental backups
usually daily
to stay on top
of their changes
so if you set
something for
once a week
you probably
won't be in a
bad shape if
worst case scenario
happens with
your onedrive
or your personal
compute device
whether it's
a phone or tablet
or a laptop
so that brings me to
number four
just to sign up
one don't trust
your your tech
it is consumable
to have a usb drive
that you can use
to keep your data
of timmy secure
and close at hand
number three
have a backup
schedule to
keep your data
rotating on that
as changes occur
and number four
share this with
somebody you love
or someone close
to you because
as mike said
lara's corners
all about making us
all better together
so thank you
mike thank you
and i think
what we need
to do is put
a little timmy
on a leash or
jack him with some
riddle and so
you know i don't know if that's a
i know the leashes
i don't know if they allow that anymore
that was a big thing in the two thousands you know
yeah no i see kids running around with that
that now and it's on a backpack
so if it's tied to a backpack
then it's not a leash directly tied to the
the kids so that's
i still see that training about
i remember sitting on a resort in san diego
smoking a cigar and some kid
little kid runs up to me and he's like bat mama
mama the bad man smoking a cigar
and i'm like you're on a leash go away
mike always loves the kids
i just think it's funny that you say that
and then you play santa claus at the jcpenney
at christmas you know
of course man that
in the dollar store
in the dollar store
actually pretty soon
there's not gonna be any more jc pitney
or macy's for that matter
i think we're seeing the end of the mall
and know at least
at least mike still has a job
when the world is secure
and cyber security professionals are no longer needed
so exactly that's
you know we should aspire to that
but we shall
well outstanding
you know let's
let's take a quick commercial break
we'll be right back and actually get into
the meat of our discussion and see where it goes
we'll be right back
want even more cyber rants
be sure to subscribe to the cyber rants podcast
get your copy of our best selling book
cyber rants
on amazon today
this podcast is brought to you by silent sector
the firm dedicated to building world class
cyber security programs for bidmarket
and immersion companies across the us
silent sector also provides industry
leading penetration tests and cyber risk assessments
visit silent sector com and contact us today
and we're back with the cyber rants podcast
second episode of the year
and we are talking about a topic
that is important for a lot of organizations
but a lot of organizations don't know they need it
until they start following
industry recognized standards and frameworks
and going after things like sock two audits
and that is the concept of the cybersecurity committee
and i know what you're thinking
if you represent a company that's like twenty people
thinking well
i'm the only person doing tech
why would we have a committee
but hear us out
why don't we start off with that question
in fact anybody need a committee
why do you need a committee
even if even
even for small
small businesses out there
because i think we've
we've learned the hard way
and some companies are probably still learning
through that method of difficulty
that putting all of the
empowerment and leadership
of cyber security and data risk level decisions
into the hands of one person can be dangerous
i think that that's one of the issues
and i think the other one is in order to get buy in
even on a twenty person company
you're gonna need more than one person
and generally
that person's gonna be whoever owns the company
or whoever has the authority to say yeah
this is what we have to do
because i can't tell you how many times we go
into companies
and it's like
well we've done this all you know
and they're growing
and they're like
well this is the way we've always done it
and it's like
well i ain't gonna wait
it's not gonna work going forward
so you need to get buy in from all the stakeholders
and that should be your committee
we used to have wooden wheels as a society too
and you know
someone at that time thought that was the best idea
to roll with on the oregon trail
you know what i mean so bugging
yeah loading please
but you're right
and you know to my point absolute power
you know corrupts absolutely
and so there i think you're right mike
it's it's good for two reasons to
to not only have that buy in
but also so that you have a very even
i guess a very evenly set participation
of the ownership and oversight of data
risking our organization
and it's not just in the hands of one person
that might cover something up
to you know
cover up a mistake or something like that well yeah
because you don't want one person to go all off the
off the rails
and a hundred percent security
we get an air gap
you can't look at anything
blah blah blah
but we're gonna be secure
suppose you have to you know
have to have someone that tempers that and says
you know no
we have to have functionality
and we have to have usability
so you need to have that
that check and balance to have
you know just some kind of way of ensuring there's a
there's a median that you can walk as opposed to
you know going too far one way or too far the other
you know i might give it
had it is like
yes please please
oh it's gonna
i was just gonna go into add for
think about the cya effect as well
which of course stands for cover your assets right
if something were to occur
if a breach were to occur
and you're in court and they say well you know
who was in charge of your cybersecurity program
and you say oh well bill was
it was bill's fault
right that's
that's gonna be pretty negligent for the company
it's like well
what do you mean you didn't have the executive team
is somebody from the executive team involved
you didn't get any kind of
inside or recommendations from your
maybe your general counsel or outside council exactly
you need to have multiple people involved
these types of things
because one person scapegoat
that doesn't really fly anymore right
they're gonna
they're gonna hold a lot more people accountable
in the event of a breach and a loss of it
think of it as like a risk
republic right
for your organization
like before palpatine took over
you know like what it
what it should
what it should have been
and i guess that's a good analogy for why you want to
bring members of
critical members of your organization
into this cyber security council
now there may be a lead or a speaker
or someone who you know
has to manage the schedule of when everybody meets
and sometimes the meeting minutes
and those types of things
but the ownership of data risk belongs to
everybody who works there
and everybody who's a
who's a leader
most definitely
so let's probably talk about
who should be included in said cyber security council
i would always want mike and laurel
in my cyber security council
i'll tell you that
that's a good choice if you're
if we're on the field and we can get chosen
i think we do participate in some of our clients
but i think number one you want to have
you know aside from whoever
whoever is having to carry the bag of
cyber security and data risk for the organization
you want to have at least legal representation right
you'll want somebody from the legal team
if you don't have that then hr
who would you pick mike
for your cyber security council teams
i'll pull hr over
yeah you would go illegal
i have very little use for hr
but that's another story
but no they have to be involved in the council
because a lot of things like background checks that are
you know part of
part of being compliant with a framework
making sure that new employees that are on board
are going through security awareness training
things like that
there there are
unfortunately
contracts that have language in them that dictate about
bring your own device and
and the cliches of
working with the organization's technology
and being compliant with the handbook
and so hr well
you'll take illegal
that's fine
so we'll pull hr
so now you if you
if you can you should have
you know yourself
who's been in charge
and then pull it hr
and then and cfo
your books absolutely
the money absolutely yeah
and then you really want to have your business owner
whoever whatever widget you sell
or whatever service you provide
whoever is in charge of that income generation stream
needs to buy in as well
simply because they can push back and say hey
i'm your rockstar
you don't have a company without me
i'm not doing that
you need to get them bought in
especially in a small company
absolutely so all of your
your critical
i'd say all your
you know sea level leadership
whether it's over marketing or over sales
or over human resources or legal or finances
you're gonna want to bring them in onto that
cyber security council team
and then i'm gonna also
i'm gonna pull in on my team
whoever's in charge of technology
so if you're an individual
and your labeled compliance or governance
make sure you pull in your it leadership
and if the it leader usually has a one or two
right hand individuals that work closely with them
if they don't have the band with
you can pull in one of them as well
an architect or an engineer
but you'll want to have somebody technical on the team
representing
because they're going to be directly impacted
by a lot of what's happening at this level
by having to go and make those changes
in the technologies
or configure the technologies to meet
or reduce that risk
that's being identified at the council level
i think you want to define a team racy to
you know responsible
accountable
consulted and informed
so like your marketing team would be more informed
maybe consulted
but they're not responsible or accountable
you know it's
your responsible parties are gonna be your hr
legal team and your technology team
so those are gonna be your
you know your main
your main team
so you know
and then you're gonna have
you know accountable for that
it's gonna be them and you know and so on
but yeah define a racy and decide who's
because you don't need everybody at every meeting
we've all been in those meetings
we've got you know three hundred people in a meeting
exaggerating obviously
but you know
only five of people really need to be there you know
i can think back to one of my last corporate gigs where
you know we have to have a security guy
in a meeting
and i'd wind up with thirty eight out
thirty eight hours of meetings in a forty hour week
and it's just like
just because we needed a security guy on the phone
just in case and
are we talking about that one playlist yes we are
you know if i
if i owned that place in hell
i'd live in hell and rent that place out
you know what i mean yeah
well well what
what about what about
what are your thoughts on having
in house people versus third parties
so especially for mid market or emerging companies
maybe don't have all these resources internally
what are your thoughts on bringing in their contractors
or it companies
whatever that might be versus
good question
keeping it in
in within the walls
good question
i think i should bring in sound sector
there's that
is that a shameless plug
of course it was plug
it was a scruffy shameless plug to apparently okay
no i so we we work with several clients
that have third party vendors
that manage things like their website or you know
some of the web application
you know front that
that's being provided by the business
those if those third parties are
you know i don't want to quote a pci term here
but if they can directly impact the security
of a technology or a dataset that you own
then they should be involved in the council
and like mike said
everybody might not
be required to be there every time you meet
but as part of the meeting notes
in the agenda and the racy
they should certainly be included frequently
because they
you know as
as web administrators or database administrators
they're going to be
directly involved in some of the risks
they're identified as
as part of this
you know this council
let's switch gears a little bit here
so we get our
we got a team together
hold on a second
i want to add one thing okay
you can have a third party involved
but you always want to have someone internal
that knows what
you know is responsible for the security so
and then they should be in some way versed in it
security because you really don't want
some fast talking security consultant
come in there and say yeah
we got to make sure the flux capacitors secure
otherwise companies going to hell
and i'm gonna need
twenty five thousand dollars to do it
and you don't know anything about security
you're gonna be like
okay let's let
we don't want to break preacher flux capacitor
so you know
we have to be careful with that kind of stuff
so you're gonna say
just hear the cloud and you're good to go
exactly yeah
if you let your flux capacitor go and it comes back
then you were meant to have it
there you go
very well the excellent point
well we have this
security committee together
then what happens is they just basically meet
every quarter for beers at the local bar
what are they doing
well if you don't have a
kegerator underneath your conference room table
then are you even working
really yeah
you know or you know
good scotch in the cabinet
with some nice crystal glasses
possibly from dillard's
before they close
you can get them on sale now i hear
well i think a good question
you should probably make a
so i think i'll preface my response with the fact that
these initiatives are
are forever machines
and i think a lot of our listeners
and i know that everybody hears me say that
like once you open a framework
a compliance initiative
it's a forever machine
you don't you can't
you don't get to stop being compliant with pci dss
unless you get out of the credit card
processing game altogether
like it's not even a part of your business anymore
cause you're taking
you know dirt as income as an example
so you don't get to stop that
just because you become compliant in year one
year two year three year four
now you're required to do this every year
for as long as your business is in existence
so think about that
these are forever machines
so you better get a handle on
getting used to having to do these things every year
and so mike and i know that most companies
like the first
for pci there was an interesting statistic
that most companies who passed in year one
failed in year two and year three
because they get complacent
there's a huge rush to work and get all the stuff done
and once it's done
everybody takes this big breath
and goes on vacation for a year
and then what happens in eleven months
is you're getting audited again
for the same stuff you just passed
and you're having to again rush through all this
so tempoing it out over the twelve months
or you know
even even sooner or longer
depending on how your
your compliance and audit initiatives are being set out
i know that there are some companies
that only want to do this every two or three years
which i think is
silly and irresponsible
but we've heard that from the mouths of
quote unquote
professionals
which is kind of a shocking thing
anyways make cyclical activities
that you know
are gonna reoccur
as part of this compliance initiative
it doesn't matter if it's hipper
pci or nist or cis
they're all gonna have
things that you need to demonstrate
as a technology
and as a document set and as
as human employees
that are being met
demonstrate that you are compliant with you know
the number of given controls
in the compliance framework
so ten pointing that out throughout the year
making it easier to palate
so that you're not
drinking by a fire hose
or as i say
boiling the ocean
you know eating all the cats at once
now you're just making up making up sayings
i don't think that's a thing
i don't think that's a thing
i saw mike's cat run out of the room
oh did you yeah i did
not not right now
it was earlier
the cat i see now is only in my head it's
i got you know what i mean
so i don't know
should we talk about january
you want me to just you know
you want to throw out some yeah
let's give an example of what your
annual activities might look like if you were to
if you were to build a calendar
put a fancy picture on each
each month what would that picture show people doing
dancing drinking beer
probably swimming someplace
i meant i meant like in terms of cyber security but
oh yeah that's another another
that's another
that's another calendar
sorry i thought
i thought we were talking about fun here
maybe beautiful nature pictures
things like that
but no in terms of cyber security
once a month
what would your prescribed method be
or what would an example be
i should say that a company might follow
in order to make this
something that stays top of mind throughout the year
gets done and passes the audits
cool so we'll play a little game
i'll start with january
and then mike can do february
and then we'll go back and forth
so in january
you should review your previous year
key takeaways
stuff that came out of the last audit from last year
um any any work remaining after everybody
just takes off for three weeks in december
and leaves all the pen test work to somebody else
making sure that all of your risk register items
that were on the risk register last year
are still being moved forward into the next year
along with those two things
think you know
making sure that you have the tempo
and cyber security meetings for the month of january
to make these things happen
right so again
like mike said
not everybody needs to be in these meetings
but you can have these meetings
to look at the previous takeaways
and use them to review and update or enhance
the risk register that's currently running
all right then
you know in february
you're gonna want to start updating
your cybersecurity library
the policy libraries
you're gonna start your ir and dr
tabletop exercises
and again you're gonna have your
monthly cybersecurity council meeting
you know those are important things
to keep the momentum going because you don't wanna
you don't wanna let that go
um and you know
in january you've just gotten that brand new budget
so now is the time really to start planning
and like little said
in january that's where you got to look at last year
where what would we miss
what did we need to get done
let's start doing it
so i put yeah in place
don't forget february's coming up too so
yeah we're almost
we're almost in february
so if you finish your january stuff
if you have a spouse or significant other
valentine's day don't forget that
that's bad that's bad
yeah yeah and if you got married in february it's
you just have to deal with it
yeah and the super bowl with february it is yo
so what happens in march
what happens in march
march madness
march madness
march madness
and if you're doing cyber security exercises
and maybe in march
you should think about doing the administrator acts
us audit it's gonna be required
probably by any framework you choose
making sure that all of the administrators
who have administrative privileges to global admin
things like your microsoft three sixty five online or
or your google corporate online or dropbox github
things like that
as well as the administrators that are
that might be localized to your internal business
you want to start doing an audit on that access
making sure that you've got
no changes or changes are noted
and that you can demonstrate the change control piece
that shows that anybody who was require that access
was granted it through that specific process
and then you should probably also check out the
the inventory of your critical software
and your hardware assets
so an asset inventory audit
making sure that
all the new assets have been tagged properly
according to your process
making sure that
whatever you're using for an acid inventory
whether it's a vulnerability scanner
or something like salesforce
that it's accurate and it's up to date
and that you've got all your business critical software
accounted for
and ready to demonstrate that you do have it
when month eleven comes around
then of course you're still gonna have council meetings
right i mean
that should be happening at least every other week
if not weekly throughout
throughout the month
yeah and you want
you know maybe save the big ones for quarterly
so maybe march is a big quarterly one
where all the stakeholders are there
yeah and then you go back to the
you know the accountable teams
where you know
when you're reviewing technology
like in april
you're gonna audit your vulnerability technology
internally and externally
you really probably just need
your technical team there for that
you don't need
you know hr and legal
and the financial guys and all that kind of stuff
you just need you tech team for something like that
so it's a good thing
three april
yeah i think one thing that we need to bring up to
is this can be translated to is like the
if we're doing a twelve month
you know audit
or a twelve month you know
nist assessment or something of that nature
upon completion of you know
the twelve month project plan for a nist assessment
for example
at the end of that month
and that twelfth month you should
you can use these steps as well
it doesn't have to necessarily be january
but you know
january is just a good marker that we all have to face
so yeah yeah
no good point mike
and in some organizations
even some that we work with they
they consider january february
march like q two
which is interesting
they've got it kind of
well they're on the fiscal year so it ends
not september thirtieth
gotcha okay
just a technical guy i don't
i don't get all that stuff but
i can tell you what you should probably be doing in may
um if you're following these cyclical activities
and that would be getting your pen test scheduled
um knowing that there is a growing number of
organizations that are required to comply
and part of that compliance is going to be
trying to schedule your annual pin test
if you're still doing it only annually
some organizations are doing it daily
or even continuous pin testing
with some of the newer products
that are out there that they
if you've got
hundreds of millions of dollars in your pocket
that you can throw at this problem
but if you're using third parties
or you're using even internal resources
make sure that you start getting your pen test
for the year scheduled
and defining that scope of
what's going to be
in the scope of that pen test for this year
if you're going to do internal external
you're going to actually use authentication this time
with some of your apps
or even if you're going to do
any kind of physical intrusion testing
or pits as part of this
to include wireless penetration testing
whatever compliance framework that you're working with
is going to have
maybe some specifics around what type of pit
test you should get
and then looking at last year
last year's pen test
if you had one last year
what was scoped
and should that scope change
and then really
you should probably
go back at this point
right after
like mike said
and you might want to roll this back a month
but when you have the big
anytime you have the big quarterly meeting
and you bring everybody in the hrs
and you know
the financed individuals
and stuff like that
and you're kind of out of your
what i'd say
the core council group
of just your technical domain
that might be also
a good time to throw in the risk register again
and say hey
this is what we've got on the risk register right now
did anybody have any updates or heartaches
these are the exceptions we have in place
and these is when the exceptions expired
and what we're gonna need your signature again mr
cfo or that sort of thing
so i think those are good
initiatives for
for may while keeping those
those council meetings
moving as well
yeah i think the risk register entries need to be audit
every ninety
on two hundred and twenty days and
and that risk needs to be updated
and they should never go past twelve months
without justification for making
making it so um
this is my opinion on that um
and as far as penn tesco
it's nice to i
you know i think what we need to emphasize to
is that it's an unleashed
an annual pen test
but every time
if you're a software company
every time you have a major release
you should be getting a pen test
every time you're changing infrastructure in a
in a significant way
should have a penthouse
and and those are
those are things that you need to
you need to keep in mind
it's not just an annual check the box thing
so good point
pci is gonna tell you you have to ever
every time you significant change anything
yeah yeah exactly
um so um something to be concerned about and
and it's just good practice
but i you know i've seen so many people that manage by
well compliances
i only have to do this
well that's fine
but you really need to do x y and z on top of that
because best practice
and the cybersecurity
world we live in changes so rapidly that
you know if you're running static from last year
you could be left behind so
yeah or breached really which is the
the bigger threat
things yeah
things changed fast right
you don't stop to you know smell the flower sometimes
that you know it might go past you
so yeah i think those
those pen tests after significant changes
are something that you should do always
but that can get caught
you know that can be not cost effective too
boat ferris bueller
life comes actually pretty fast
you saw where i was going with that didn't you oh yeah
watch that after this
throw it on the tube
we're getting into summer here
what happens in june
we can audio change management policies
you're gonna order your ir
you're gonna continue doing your
you know your cadence for your tabletop exercises
and then you know again
if you're gonna hold to the quarterly big meeting
this is when you're gonna have your quarterly big
cyber security meeting your
your council meeting um
and then the other thing is
you need to make sure that they understand
the stakeholders are going to start to wane
especially those non technical ones
in their interest
but you have to emphasize
and that's what you need top down direction for
is to make sure that they're there
or at least have a delegate there so
yeah and in july here in arizona when it's
you know a hundred and fifteen degrees outside
and your car's door handles
a hundred and fifty three degrees outside that's
that's like a hundred and five degrees celsius for
anyways for those
it's what it feels like anyway so i think
i don't think it's the conversion
no no i know i'm not
no it's not
no it's not
it feels like a hundred degrees celsius which is like
it's pretty
and it's pretty hot
yeah but you know
while it's hot outside in july
i think it's a good idea for everybody here
to start auditing your vendor management processes
and making sure that
any vendors that you have that are critical vendors
that you've sent them the security questionnaire
or to be at least gone and pull their soft to type two
certificate down from their website
or you've at least
you know stated in your vendor management log
that you've reached out on this date
and you still haven't heard anything back
and you probably don't expect to for a million years
because microsoft doesn't respond to anybody's security
requirement matrix
so i wouldn't worry about it
continue to have those security council meetings
you know throughout that
to get that vendor management
that vendor management audit piece done
so that you
you have that
it'll probably take all month
depending on how many vendors you have
it was actually one of the headlines that i didn't
i didn't talk about
but it was one of the things that actually
vendor management is becoming one of the key
and most critical pieces in healthcare hacks
which is the number one target right now
so definitely audit your vendors
it's critical
so in august
we want to make sure security activity
security awareness training is continuing to go
make sure everybody is compliant with that
make sure you're kicking off your fishing campaigns
and changing those around
so you're you know
staying seasonal and you
and staying up with the trends that are going on
you know cause over christmas
it was free gift cards and paypal issues
and amazon and walmart issues
and you know
coming in the spring
it's gonna be vacation getaways and holiday deals
and hope hotel deals next
so you need to keep up with the cycles that they go
and they they
they run marketing campaigns
just like you know
any online retailer or any
you know man
you know anybody selling something runs an online
advertising campaign so
just keep that in mind
you're always gonna have that meeting and then you know
we're gonna go back to risk registers and
and you know in august people are gonna be losing focus
people are taking a lot of time off
so make sure your core team is up and energized
maybe have a team event
yeah go to you know
top golf or dave and busters or chuck e
cheese some place
i thought you're gonna see that
practice the trust fall you know
so booker cruise
yeah that's a good one
well if you can book a cruise through september
you can do the vulnerability technology audit
that you should
that you had to do previously
you should probably be doing that again
at least twice a year
auditing the vulnerability management technologies
that you're using
to make sure that there's been no changes
and you're still getting good metrics
or keeper for metrics out of that
demonstrating all the good activities
you'll need to show for your audit
at the end of the year
and then mike
what'll we do in september then i guess
that was what do we do in august i mean october
no i mean in june
what are we doing in june i don't even remember
all right so something about losing focus
yeah it towards the end of the year
everybody's got that budget to burn right so
and no one ever gets in trouble
for scheduling a pen test
or getting a security assessment
or something of that nature
so what we see in the trend
set dollars
yeah so the trend that we always see is
just gets really busy
and people start borrowing dollars
on security assessments
with grandiose plans
and we're gonna have everything fixed
by the end of the year
and you know the
really the time that you should be doing this is
june or may
and getting that stuff kicked off and then
so that gives you
actual time through the end of the year
but you know
burn that budget now you know
get the assessments get the pen task get the
you know those sort of things that you need done
not just to burn the budget
but that need to be done annually anyway and
you know football season is going so we got that
that's true
hockey season starts
well that framework re certification
that they'll begins
probably gonna take two months
like october through november
if you're doing pci or sock to type two
if you're doing field work during that time
or even if you're doing
you know any of the nist or cis stuff
give yourself
you know six to eight weeks
to go back and recertify through that framework
and then and then by december
you should you know
be doing your final tabletop
incident response exercise of the year
and getting that letter
pestation that says that you are
compliant with said framework
yeah and it's all good
sector on it
it's worth a lot of here
yeah um yeah
so you know
one thing is
we have a lot of companies are like oh yeah
we do this all internally
you know what
you do need an external
it's great that you do internal
internal risk assessments
great that you do internal
you know compliance assessments
framework assessments
you do occasionally need
a third party to come in and look at it
because you know
it's just like developers writing code
we don't want them testing their own code
so we don't want your teams
unless you're big enough
to have your own compliance department
or internal audit department
um you know
assessing frameworks and that sort of thing
you need to
make sure that somebody else is looking at your work
so checks and balances
yep well outstanding
that sounds like a good year to me
i mean you get all that done
you have a methodical approach
you feel good at the end of the year
like yes we accomplish something
versus jumping through hoops
and scrambling for
did scrambling
and get everything done so that's
i like that
i like that framework
i like that methodology
you guys are smart
well if it's like
you've done this before
i think the listeners are smart
because they'll go back and fast forward
throw a rhetoric
and roll with a pin
right down these
these monthly activities
got them down
super heroes
you know what i mean
outstanding
hey any final words of wisdom
snarky remarks before we jump off
i think i'm snarked out for the morning
at least until you know
a lot of snark
yeah a snark
i'll just say remember these are forever machines
these compliance initiatives
so create you a cyclical activities matrix you
you know things are gonna have to be done every year
don't wait till you're five to go
okay i realized like every time it rains
i got to mow the grass so get it
you can stop when you're dead
all right yeah that's
yeah that's when you get to rest
yeah my grave
my gravestones gonna say don't worry i'm fine
well that's encouraging
yeah well good stuff here
i hope everybody listening enjoyed the podcast
hope this gives you some direction and guidance
on how to piece these things out throughout the year
make sure if you haven't already
put together that cybersecurity committee
first thing do that
go do that today you get it
you could get it done today if you really want
maybe it might be just
it is a friday
but you know point
just point your finger
but like you want to be on my team
and that they say yeah that
you don't have to tell them what kind of team it is
just you know
there you go
there you go
yeah there's gonna be pizza right
it's gonna be pizza
yeah of course
sweets they're gonna jump all over that so
well good stuff
get those things done
go out there
make it a great year
we hope you enjoyed the cyber ants podcast
be sure to subscribe
share with your friends
get this information out there
so that we can make the world a more
secure place together
so reach out again
cyberands podcast com
you can submit your questions requests
topic ideas
same thing on our linkedin post and all that good stuff
but have a great rest of your day
and we'll see you on the next episode
pick up your copy of the cyber ants
book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at silentsector com
join us next time
for another edition of the cyber rants podcast