Importance of the approach

Besides the obvious goal of achieving Return On Security Investment (ROSI), it is important to be legally defensible, or risk facing the consequences. A focused, critical approach helps deliver value on the investment while creating safeguards in the form of tamper-proof evidence of the measures put in place.

Strategy

Keep it simple – use a framework (a risk assessment model) to assess, prioritize, and communicate an information security roadmap. Ask basic, but key, questions:

  • What is the current state?
  • What is the future state?
  • When will we get there?
  • How much will it cost?

What standard to use?

I recommend mastering the CIS Controls before spending time on other risk assessment frameworks. The road starts with writing the policy. The CIS Community Defense Model can be accessed at https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0. As per the Community Defense Model 2.0, the top 6 things you can do to get ROSI are:

  1. Establish and Maintain a Secure Configuration Process
  2. Establish an Access Granting Process
  3. Establish an Access Revoking Process
  4. Remediate Penetration Test Findings
  5. Define and Maintain Role-Based Access Control
  6. Manage Default Accounts on Enterprise Assets and Software

The bare minimum for Vulnerability Management

Vulnerability management is NOT patch management! It’s not about patches; it is about multi-layered vulnerability management. Are you doing at least these?

  • GPO central store
  • Software and asset reconciliation monthly
  • EOL/EOS removal
  • Continuous vulnerability assessment, internal and external
  • Assess CIS compliance gaps
  • iDRAC, BIOS, firmware, drivers, OMSA, DSU, DCU
  • Unique BIOS admin password
  • SQL
  • Full disk encryption
  • Websites
  • Business line apps - no patch automation
  • SSRS hardening
  • NTLM disable, LLMNR, samRPC
  • SMB version control
  • PowerShell upgrade
  • krbtgt roll
  • Tiered access control
  • PAWs and microsegmentation
  • PBX, cameras, door controllers, speakers, NAS
  • Hypervisor, backup software
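Several items on the checklist above (GPO central store, NTLM, LLMNR, SMB version control, PowerShell upgrade, krbtgt roll) can be checked in a single read-only audit. The following script is an added example, not code from the original page; it assumes an elevated PowerShell session on a domain-joined Windows host, and the 180-day krbtgt threshold is an assumed value, not a figure from the page.

```powershell
# Added example (not from the original page): read-only audit of a few
# "bare minimum" checklist items. Run elevated on a domain-joined host.
$findings = @()

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the policy is not set
}

# SMB version control: the SMBv1 server protocol should be off.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) { $findings += 'SMBv1 server protocol is enabled' }

# LLMNR: disabled when the DNSClient policy value EnableMulticast is 0.
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
if ($llmnr -ne 0) { $findings += 'LLMNR is not disabled by policy (EnableMulticast is not 0)' }

# NTLM: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
$lmLevel = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
if ($lmLevel -ne 5) { $findings += "LmCompatibilityLevel is '$lmLevel', expected 5" }

# PowerShell upgrade: flag the legacy v2 engine if it is still installed.
$psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
if ($psv2 -and $psv2.State -eq 'Enabled') { $findings += 'PowerShell v2 engine is still enabled' }

# GPO central store: PolicyDefinitions should exist under SYSVOL.
$domain = $env:USERDNSDOMAIN
if ($domain) {
    $store = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
    if (-not (Test-Path $store)) { $findings += "No GPO central store at $store" }
}

# krbtgt roll: 180 days is an assumed threshold, adjust to your own policy.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    if ($age.Days -gt 180) { $findings += "krbtgt password last set $($age.Days) days ago" }
}

if ($findings.Count -eq 0) { 'No findings for the checks above.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The registry values are only read, never written; each finding maps back to a checklist item so the output can be filed as evidence of the assessment.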

Check out this podcast, where Felicia King and Dan Moyer talk about vulnerability management, patch management, and all the things that business owners generally do not understand adequately:

https://qpcsecurity.podbean.com/e/vulnerability-management-part-1/

https://qpcsecurity.podbean.com/e/vulnerability-management-with-felicia-and-dan-part-2/

2024 Slides

10 InfoSec rabbit-approved Best Cyber Hygiene Practices

  1. Run continuous IT asset scans and monitor hardware and software
  2. Perform vulnerability scans every day, assess detected vulnerabilities, and remediate them
  3. Patch operating systems, out-of-date software, and critical vulnerabilities on time
  4. Ensure antivirus software is installed and updated regularly on all endpoints
  5. Impose strict password policies and prevent users from setting weak passwords
  6. Identify deviated system settings and harden endpoints to meet security compliance standards
  7. Evaluate system health, user login credentials, services, and processes regularly
  8. Analyze software usage, blacklist rogue assets, and manage license violations
  9. Block rogue applications and unwanted USB devices that pose security threats
  10. Detect and respond to indicators of attacks and compromise immediately

What are InfoSec rabbits?