Why the ship has sailed on BYOD

Physical threats to mobile phones, SIM hijacking, out of band SMS, and Yubikeys

How to analyze workloads and decide how they should be hosted

CISO, CTO, CIO, what's the difference?

Zero trust fundamentals

FTC SafeguardsRule, IRS requirements, and tax preparers

Methods to prevent business email compromise

Tech E&O and cyber insurance with Joe Brunsman

Tech E&O and Cyber insurance with:

Joe Brunsman of The Brunsgroup – Expert on Tech E&O and Cyber Insurance

YouTube channel – Joseph Brunsman

https://www.youtube.com/@JosephBrunsman

https://www.thebrunsgroup.com/

Damage Control book

https://www.thebrunsgroup.com/book2

Tech E&O and cyber

MSP should have a tech E&O policy. They cover different things. What types of third-party claims will they cover? A guy on the Que recently said that he did not think that E&O was required because his customers have never asked for it. You must have a TECH E&O policy.

What is the biggest thing that you need to pay attention into the E&O policy?

Look at the definition of technology services in the policy. Everything past that point, it does not matter if the definition of technology services is correct.

Avoid the named peril policy. An all risks policy is better. These are becoming harder to come by.

Named peril:  Technology services means:   there is a list

You have to prove to the insurance company that what you did falls within that definition.

What do you need to look for? “Including but not limited to”  contra proferentem = ambiguity is held against the draftsman. The onus is on the insurance company to prove that what you did was not covered under the definition.

How much coverage in the policy should they have?

How much cyber insurance do you need? Here are the variables that I think about. – See Youtube video

Brokers – There is no legal requirement that they understand or read the insurance policies.

Average IQ of an insurance broker is 104. They do not understand what they are selling. The onus is on the business owner to ask and to get the right things.

What is your major loss event? What are we worried about? Is that even possible to insure for those issues?

Step 1: Stop relying on the insurance broker.

Step 2: Fellow decision-makers in the business, what are you worried about? Talk to the broker about that. Then the broker finds “these are the options in the cyberinsurance market that address those concerns”.

Joe: Huge proponent of defense in depth over cyber insurance. Rank order the biggest bang for the buck. Felicia has been talking about that for years and is doing a webinar on 2/9/2023 on that very topic.

Insights from plaintiff’s attorney

Joe had a great convo with a plaintiff’s attorney and got his opinion on risk management.

Risk discovery question: What is the one thing that sinks the ship in the lawsuit?

There is an internal email. You knew you were supposed to do this. But they said it was too expensive. They were not going to do that. They understood the risk and just accepted it.

What could the business do in order to circumvent that email being a death blow in the lawsuit?

Plan of implementation.

No business has unlimited resources. No business is perfectly secure. You sit down the with business owners and MSP. We need to work on a plan to better your security. You don’t have unlimited money. I am a business owner too. You need a roadmap. Everyone signs off on it. We were trying, we were getting there.

Felicia: Wow this is astonishing because this is what we have been doing with clients for 20 years. It is the type of thing that a CISO knows how to do, but few others know how to do well.

Life hack tip from Joe:

Convo with the average business owner:

Obviously you are really good at what you do. You have built this business. Build a relationship with them. The MSP is not the subject matter expert on the client’s industry. Fluff their feathers. Transition that. I asked you a bunch of questions, thank you for hearing me. Now we are going to go through this. Can we just do the same thing in reverse? If you do not understand this yet, let me know and let’s break it down.

Joe and Felicia agree:

One way or another, those controls will be implemented. Read any breach notification letter. Magically we found more money to invest in cybersecurity.

Either work on your information security program monthly at a pace that your budget can absorb, or that decision of timing and magnitude will be taken away from you.

Dark web monitoring and avoiding FUD decisions

Kathy Durfee – CEO & Founder of Tech House joined Felicia to discuss dark web breach monitoring

Scenario: FUD report from a competitor

Perceived: Multiple users in their environment were breached. Perceived proof was report with the listing of the users and the passwords and columns that the customers did not know what that data was.

Good: Customer told their current IT service provider about the report.

FUD – Fear, Uncertainty, and Doubt – is, in the wrong hands, a powerful tool to drive snap decisions within a company. However, it is not a viable or valid sales tactic: for all it could potentially do well, causing unnecessary stress and suffering is what it does best. Speaking with Kathy Durfee, CEO and Founder of TechHouse, a managed services and solutions provider based in Florida, we walk through a recent case of FUD with a customer of hers that received a worrisome report from a potential competitor. During our chat, we covered:

  • The key aspects of FUD (and how it does not work)
  • What the Dark Web is, and the logistics of monitoring and combating it
  • Leadership training and best practices for helping a team best meet their security and regulation requirements
  • Identifying the key differences between commodified and relational partnerships, especially in the technological sphere
  • Shared responsibility between MSPs, their customers, and those customers’ clients

Where does dark web monitoring and dark web data risk reside on the continuum of risk? How best to mitigate?

What really is the risk and the mitigation?

Put the efforts into prevention.

Put the individual in the driver’s seat of managing the risk that is best managed by them by putting the right tools in their hands.

Resources

https://haveibeenpwned.com/

Perception of the proper allocation of the budget

Businesses must make time for training.

ITSP must include in service catalog what the client is getting in terms of services.

  • What do we need to do? Cross reference on tools that accomplish outcomes and cover risk mitigation and ensure that the client understands what those are.

Training is how you squeeze the juice out of the orange. Without it you may not get all the juice out of the orange or get any juice out of it at all.

Common business objections to allocating time for training

Payroll costs, but avoiding training is not legally defensible anymore.

Policies

The IT Service provider CANNOT alone write policies for you, and they CANNOT approve and enforce your organizational policies.

Four pillars

  • Policies
  • Technical controls implemented
  • Automation of technical controls
  • Reported to the business – It’s YOUR report, your organization.
    Shared responsibility – some months the CFO does it, some months the CEO does it.
    Set a schedule and do it. 3 weeks any habit; trainer or partner

Do you look at your P&L and balance sheet every month? You should be understanding the reports from IT.

An interesting lawyer opinion on the topic:

https://abovethelaw.com/2023/01/dark-web-monitoring-for-law-firms-is-it-worthwhile/

The relationship between proper data handling and real risk reduction

Those who listened to the November 19th, 2022 podcast I did with breach attorney Spencer Pollock know that he stated that 90% of the breaches he was involved in over the prior 12-month period would have been non-reportable had the data been properly encrypted.

https://qpcsecurity.podbean.com/e/what-you-must-do-in-order-to-prepare-for-a-breach/

(Review link above for attestation and regulatory enforcement proof.)

I have three major points for you in this show.

  • You need an IRP
  • You need a CvCISO
  • And you need to understand how data is being handled in your organization

Let’s first talk about CvCISO

Help you understand why you need a CvCISO working with you on a regular basis because even if you are a really large organization, the probability that all of your processes are clean, secured, compliant, and all your end user training is effective, well that probability is not high.

https://qpcsecurity.podbean.com/e/understanding-vciso-services-and-why-you-need-them/

Incident response plan

Virtually every organization is now required to have a written incident response plan. These are some examples of people that must be specifically listed in the IRP. What does your organization do when they don’t have these people as full-time internal staff? You need a CvCISO.

People you are required to name explicitly as part of your incident response plan:

  • IT technical staff
  • Incident response manager (this better be a CvCISO or a certified incident response company)
  • IT director
  • CIO
  • Stakeholders such as board of directors and heads of business units
  • Finance director
  • Communications manager – this is either your internal PR person, your internal corporate counsel, or your breach attorney
  • Legal representative – either your internal corporate counsel or breach attorney
  • Human resource manager

Types of data

Let’s talk about some real-world examples of data insecurity. Let’s start by establishing what some categories of data are. PII, PHI, PCI data.

PHI is personal health information so think of that as drug screening results as well as medical records. So it’s not just healthcare organizations that have it. Anyone who does drug screening will have PHI.

PII is personally identifiable information such as your name, contact information, social security number, I-9 information, a copy of your passport or driver’s license, and non-public photos of you. This is also your direct deposit bank information. I would also include your salary at your job is PII. It is certainly non‑public. So who has that kind of information on you? Well anyone who does HR recruiting or has employees is typically going to have this kind of data.

I encourage small businesses to use a PEO and not store any of this data themselves. They should outsource that entirely. Some HR management firms have areas in their SaaS platform that their customers (your employer) can upload documents to and store them securely and NOT on the employer’s environment anywhere.

PCI is payment card information. If an organization processes credit cards in any way outside of a contained e-commerce and merchant processing platform, then they probably have PCI data that is on a system they control. Many retailers just use SaaS apps that directly integrate with merchant processing to avoid any storage or holding of PCI data. You should expect that larger organizations are retaining your credit card information.

Applicant tracking and employee onboarding systems

The security of these systems is only as good as the security of the company that is using them, their processes, how they handle the data throughout the flow, and how documents you complete for them are disposed of if they were submitted in paper format.

Good process

As you interact with the recruiter or prospective employer, all of the data goes directly into an applicant tracking system that is SaaS by the applicant themselves. The only thing that may be emailed would be a resume. Any assessment results or applicant data is all direct input into the ATS. The ATS is SaaS cloud hosted with a very secure company and all accounts which access the data are on a need to know, RBAC approach with MFA enforcement.

  • WOTC information is all submitted by you directly into the WOTC company website
  • All of your PII would be submitted by you directly into the HR enrollment/payroll system without intervention from anyone else. No one else needs to handle your data.
  • The data you submit is only being submitted to a high security SaaS HR management/payroll platform.
  • Your employer never needs to download and retain any of that information because it is stored in the HR management system. Nor did your employer ever need to have a copy of the information you submitted because you submitted it yourself. So you know it is not in their email or on their servers anywhere. They also did not print it and then not shred it.

Bad process

You are an applicant and the company you are applying to has you fill out paper forms. You do and then they scan those forms with a scanner and send those files somewhere. Let’s say they are scanned to an insecure location on the internal network. Then someone retrieves the scanned images of the paper you filled out and emails them to a distribution list.

So let’s go over what is in the scanned PDF file that got emailed to an internal company distribution list.

  • Direct deposit information – full banking account and routing number
  • Full name and address
  • I-9 verification which includes social security number, driver’s license number, and birth certificate
  • W-4 which contains PII and SSN again
  • Copies of your signature
  • Date of birth
  • Your offer letter including salary and benefits

Concerns

What happened to the physical paper copies of the forms you completed? Were these shredded same day?

Was the information in the email distribution list forwarded to anyone who did not have a complete need to know?

Was the information forwarded to a party external to the company?

Document management platforms

Premise databases often have a lack of encryption

Lack of data encrypted at rest and quite possibly the data is not encrypted in transit. If the system that the data is stored inside of is a premise-based thick client application such as an application that has SQL server as the back end, it is not likely that those communications between the thick client and the database server are encrypted in transit. The SQL server most assuredly is not encrypted because very few applications support SQL database encryption and even fewer IT people know how to set it up.

I have seen document management platforms with 500,000 records in them containing some of the most sensitive PII and this data was not only housed on servers that were unpatchable and fully deprecated, but the data being transmitted to/from the server was not encrypted, nor was the data in the database encrypted at rest.

If you put a dollar figure to the cost of a breach and it is associated with the number of unique records that contain reportable information, the cost of that old, insecure server just went through the roof.

Even if you say $1/record, that is $500k. Wowzers! And it’s not likely that was the only server compromised in the breach.

What data is stored in people’s emails when a company does not have solid policies, end user training, and technical enforcements to prevent the data from being improperly stored?

Implications of poor design on security - an example

Google and how they do their technology

Things that make security hard.

This is not an exhaustive list of the implications of poor design on security. Covering that topic adequately would likely rival the size of War and Peace. This is a discussion of a tangible example to convey understanding of how technology selection directly correlates to an organizations’ ability to secure or secure their overall environment. In order to accommodate something poorly designed, larger than necessary holes through security may need to be carved. Please get your CISO and security architect to perform a risk assessment technology BEFORE procurement.

Recent security news alerts discussed again why advertisements must be blocked. Google’s own ad network has been used for hosting and serving malware to victims.

Google and their netblocks

Their guidance to you is to whitelist their entire network blocks which is beyond insane. Just like the insanity of whitelisting *.windows.net which is what is advocated by some SaaS providers who host their resources on Azure.

Azure hosted customer resources are on windows.net. That means that a hacker can dial up a hosted VM and that’s on a windows.net FQDN and IP space.

You cannot just whitelist all of Azure either.

https://ipinfo.io/AS15169

Beware that software companies will put out idiotic statements in their support documentation that tell IT professionals to “open ports [range of ports] to all IP addresses contained in the IP blocks listed in Googles ASN.

Let’s be clear. Those are IP addresses not just for Google’s company internal resources. That is customer hosted resources that they don’t control, manage, or secure the content. So the Google netblocks represent 73.5 million domains.

There is NO legal defensibility in creating a hole that massive through any security system. Yet this is likely what 99% of IT professionals are doing because they are not network security architects. Business decision-makers must understand that there is a lot of bad advice that comes out of even major companies as it relates to information security risk management. They put out insane statements such as whitelisting the IP space representing 73.5 million domains.

Even if you look up a separate Google ASN, it is still 18,933,082 domains. That is clearly a massive amount more than just the small amount of resources that you legitimately need to access for something like Google reCAPTCHA to work. But because of the way that Google has designed their infrastructure, your ability to have network security is hampered.

https://chronicler.tech/firewall-considerations-for-google-recaptcha/

Autoblocking and DNS latency.

One of the major problems with using anything on Google’s infrastructure is that their entire system was never designed for compatibility with selective controls.

It was not mail.google.com. It was google.com/mail.

It was not drive.google.com, it was really google.com/drive. The real infrastructure was hosted as a subdomain of Google.

And then so many web developers have made google analytics a mandatory component of how their website infrastructure works that you have to allow it. It just allows google to be a data vampire.

Microsoft in contrast

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

There is a strong tendency to among IT support personnel to engage in over-troubleshooting. They follow software vendor’s recommendations and end up driving holes the size of North America through your security configuration. Please ensure that the personnel who are managing network security for your organization are actually qualified to do it.

Understanding vCISO services and why you need them

Recent question I got:

What are the major changes that you have seen from security auditors in recent years and/or where do you see the audit process heading?

Quick response:

For the sake of a high level, automation is and will continue to be used. The size of the IT service provider is NOT a conveyance of their capabilities or capacity.

Many 60 person MSPs are grossly incompetent. Some small teams of about 8 people are exceptionally skilled.

C-suite needs to drive it from the end in mind. The end is compliance attestation. Back into it from there and ONLY use a team which also has the technical capabilities to perform the remediations.

Do not use vCISO services from one company and remediation services from another. You get too many cooks in the kitchen and a disjointed and more expensive outcome will be the likely result.

The insurance companies are pushing the cost of the audit on the insured or applicant. This will involve eating tools and processes that connect with their assessment process.

Hence why it is crucial to work with a company like mine that has these workflows. Most don’t.

In this podcast, I provide an overview of the role of executives, managers, internal IT, and the CISO in business risk management. Until all parties understand that this is not information security risk or cybersecurity risk, it is business risk that they are responsible for managing, then it is not likely the situation will improve.

In order for business risk managers to make good risk decisions, they first have to engage and be involved. They cannot put their head in the sand and believe that "It's an IT problem." No it's not an IT problem. When the HVAC system is open for hacking to everyone on the planet because the facilities director refuses to collaborate with IT security to come up with a solution to maintain business functionality while managing risk, that is a business risk issue.

If the facilities director REALLY believes that it is an IT problem, then IT needs to be provided the authority to rectify the issues. And when the facilities director's access is interrupted, then they will be forced to engage and collaborate at that time. But executive management needs to have the intestinal fortitude to enforce policy. The policy that IT does have that authority and no IT will not be retaliated against. That is one approach. The other approach is that the facilities director needs to acknowledge that THEY are responsible for business risk management of the HVAC system. So if the facilities director wants the right to complain when their access is revoked, then they cannot abdicate their responsibility and accountability for the security of the HVAC system.

What you must do in order to prepare for a breach

Breach attorney, Spencer Pollock joins Felicia for a vigorous discussion of what you must do in order to be prepared for an incident or breach. Learn from the breach attorney perspective.

Spencer is with the well-known firm McDonald Hopkins.

Policies
preparation
incident response plan
tabletop exercises
must get breach attorney involved before there is an incident
determine your team in advance
What's new?

regulatory enforcement
multi-state class action lawsuits
attorney generals getting together to class action effort
Regulators DIG

They want to see your policies.
You must demonstrate your administrative, physical, and technical controls.
Attestation proof of state is mandatory
You better be able to enable your breach attorney to tell a legally defensible story.

How many data breaches could have been avoided by properly encrypting the data? - 90%

Information Security, Cybersecurity, and Everyone’s Responsibility

What is information security versus cybersecurity?

What are policies and why do we care?

Isn't that IT's problem?

Examples to learn from

Ripping apart cybersecurity insurance

Special guest:

Vince Gremillion – President and Founder of Restech: CISSP, CvCISO, GCIH

Overview

Travelers policy – requires MFA on switches. They require you comply with the intent of that.

Recent Cowbell application did not require MFA!

What is required is contingent upon the coverage you are asking for.

Some suggestions:

  • Never fill out an app for a client, not even partially
  • MSP comms to a client should be in a document in a detailed format and it should be digitally signed and locked for editing through that digital signature. I use Adobe EchoSign for that.
  • I address everything in a CRAQ format and then include for the client a spreadsheet which is a cross reference. I will never answer any of those questions on the application directly because I can tear holes in every single one of those questions.
  • I reject many of those cybersecurity insurance application questions as yes or no. Yes/No just does not fit.
  • All the insurance carriers and underwriters have accepted my method which I fine to be the only defensible approach since yes/no is inadequate and does not protect the insured/applicant or their MSP.

Future strategy

This is exactly why we need CISO platforms which have automatic data ingestion and transmission of the data to insurance carriers in standardize pre-scored format.

Check out this podcast on the topic: https://qpcsecurity.podbean.com/e/ciso-workflows/

Business owners: You own the risk, you decide what to do with that. If you did not vet the MSP or the vendor or their stack, that is ultimately your risk problem.

HUB International as a broker specifically tried to suggest to one of our clients that the MSP should be filling out the cybersecurity insurance application. I found working with HUB International to be very difficult. Marsh McLennan Agency https://www.marshmma.com/ was very good to work with, but they cater only to larger employers.

Gem from Vince: Compliance as a threat
If law firm A can no longer do business with customer B because they don’t have compliance, that is a threat.

CISO Workflows

Frank Raimondi, VP of Channel Development at IGI Cyber Labs

IGI CyberLabs has a product called Nodeware which does continuous vulnerability assessment.

PenLogic – regular penetration test – once a quarter deep dive heavy one and a monthly light test.

CEO buyer’s journey

Security velocity

Risk scoring is part of security velocity

Improve your cyber-hygiene – all small businesses

Security 101 is inventory 101

Cysurance – warranty and liability company

It’s good that insurance companies are trying to be more objective about the real risk metrics. Get the scoring and get the data about how risky they are. This feeds into the evaluation data which is used for underwriting.

FTC Safeguards policy impact

Operational security issues – MSPs that post all their personnel information publicly.

The impact of customer contracts and compliance. Squeeze between cost and staying in business in terms of insurance and customer contract requirements.

Business Email Compromise

Ken Dwight is “The Virus Doctor” – Business consultant and advisor to IT service providers and internal IT at many businesses who have come to him for his training, has his own direct clients. Ken conducts a monthly community meetings for alumni. He provides a list of curated items of current interest for discussion and resources, and has a featured topic which often includes another speaker to provide breadth of perspective. He has been doing this community service for 83 months!

I asked Ken to cover with me some topics that from his perspective don’t get talked about enough.

Business Email Compromise

Also known as CEO fraud. Impersonating a CEO for purposes of wire fraud. We are focused on the technological solutions. There is no technological solution for eliminating BEC.

CEOs must be part of the solution.

Example: Subcontractor to Airbus. Used to dealing with multi-million-dollar wire transfers.

BEC is a large Fortune 500 issue, it scales down to one user environments.

Title companies are a big target.

Retention policies and standards for WHERE to store what kinds of data to make sure that email is not a file server thereby increasing the risk of what data is compromised as part of BEC.

Perfect example of the beginning of an incident response plan or a tabletop exercise. Orgs must define the cost of compromise. That plan needs to be in place long before. It makes a recovery so much more straightforward.

Attackers analyze their victims in tiers. Potential victims $10 - $50mm revenue organizations. Reputational damage, but not big enough to have an adequate cybersecurity budget.

ShadowIT is a problem, which is why you must address it with a CFO-enforced procurement policy.

Proactive management of M365 tenant security configuration is so critical

The security of your tenant is not included in the fee for biz premium or the overall licensing.

How much activity there is, changes, products, services, vendors. Ideal stack, layers, point solutions within that. Revisit that in a period of time like a year.

This is a nice resource for M365 security and BEC.

https://www.blumira.com/office-365-security-issues

Direct advice from Ken

One topic I believe falls directly into this category is the issue of Business Email Compromise, as opposed to actual malware / hacking / ransomware attacks. As you know, the losses to BEC still represent a greater dollar value than ransomware, according to the FBI statistics. But BEC isn’t even a technology problem, it’s pure social engineering – and no additional layers of hardware or software “solutions” will prevent it or reduce the cost to its victims. In my opinion, that’s why you hear so little on the subject from the cybersecurity vendors.

Another topic I find interesting, but haven’t really heard any vendors or industry pundits talk about, is the whole new ecosystem and infrastructure produced by modern threat actors. The whole business model of these sophisticated criminals has created occupations, titles, and job descriptions that didn’t exist a few years ago. Some of these are a result of the specialization, compartmentalization, and outsourcing by these organizations; here are a few that come to mind:

  • Breach attorney
  • Ransomware Negotiator
  • Initial Access Broker
  • Cloud Access Security Broker
  • Multiple “As-a-Service” offerings:
  • Ransomware as a Service
  • Phishing as a Service
  • C2 as a Service

Another area that is mentioned fairly frequently, but typically fueled by more heat than light – and raised as a point of frustration by MSPs and IT Solution Providers in general – is the users who still believe they don’t have to worry about cybersecurity, hackers, malware, or ransomware, because they “don’t have anything the criminals would want,” or words to that effect. I believe those users need to comprehend how real and serious the threats are to their business.

By defining the multiple tiers of threat actors, the threat vectors they may employ, their potential victims, the assets owned and managed by those victims, and the attacker’s strategy for monetizing those assets, I believe it becomes obvious that every organization and every individual is the intended target of some subset of those threat actors.

Visit this resource for help making argumentation. Ken is working on some additional materials for end user cybersecurity awareness training.

https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/

Vulnerability management with Felicia and Dan - Part 2

This episode of Breakfast Bytes is Part 2 of a series where Felicia King and Dan Moyer of QPC Security continue their conversation on Vulnerability Management. Listen to Part 1 at https://qpcsecurity.podbean.com/e/vulnerability-management-part-1/.

In today’s episode, Felicia and Dan discuss vulnerability management workflows, supply chain risk management, starting with security on the front end rather than retrofitting, and proper patch management.

Workflow management

01:10 CISO-related (Chief Information Security Officer) workflows are at the core of what is today’s necessity, and we will only see it become more mandatory within the next couple of years. Organizations that do not have vulnerability management workflows in place in a comprehensive way are going to find they have too much technical debt, deferred maintenance, or deferred security to be able to dig themselves out. This won’t be from a lack of money either, but a lack of manpower and time in the day to rectify the issue.

Supply chain risk management

02:43 SaaS vendors have vulnerabilities and very few of them have in their contracts your rights and their obligations. What kind of questions should you be asking your SaaS vendors that in many cases you are responsible for as an organization? Here are just a few:

  • Do they have continuous vulnerability management scanning going on with regards to their SaaS platform?
  • How are they classifying vulnerabilities?
  • How quickly are they going to resolve vulnerabilities?
  • How are they communicating these issues to you?
  • Do they use API security scanning?
  • How do they adhere to OWASP API standards and best practices?
  • What are they doing for you in terms of supply chain risk management or software bill of materials?

Your organization’s CISO or vCISO should be in your court getting answers to these questions if they are not being addressed by your SaaS vendor or addressed in your contract. Having a proactive, highly functional, highly communicative, and open, honest working relationship with your CISO will ensure you have the protections your organization needs.

Proper patch management

04:51 Let's walk through an example of patch management in an environment with Hyper-V hosts, Dell PowerEdge server, domain controllers, business critical SQL servers with essential business applications, virtual machines, remote sites, on-site and offsite backups, hardware at different speeds, and then all these third-party software on these workloads – how do you patch all these things?

06:11 It is exceptionally important to note that some patches will step on or over each other, be required to be put in place and rebooted first, and then other patches applied on top of it. The time it takes to patch a server can be exacerbated by trying to accomplish, say, five patches in one changewindow rather than one patch/reboot followed by another one patch/reboot, and so on.

07:48 Watching the servers reboot is an important piece to verify the workload comes back up reiterating the point made in Part 1 of this series that adequate patch management of an entire server for $50/month cannot be done.

Domain controllers

09:19 There tends to be multiple domain controllers or, in the case of just one, it has been designed so that it can reboot whenever it needs to allow for patching. The domain controller is the brain of everything, and since it can reboot whenever needed to apply patches, it can facilitate that while staying available when everything else comes back up.

Typically we will start with domain controllers as the first thing patched and verified. Now if there are multiple, and depending on how critical the environment is, a rolling out patch might be done so that these secondary domain controllers or ones that are not on the best hardware are patched and then they sit for a period.

Backup plans and backstops

11:29 Part of that patching methodology is your backup plans and backstops – having the tools and everything else in place to uninstall a patch if needed. When we set up our servers, we always have Command Prompt and PowerShell already queued up on those devices when we log in. Then we have the availability of pre-planned scripts that we can adjust as we go but most importantly, all the tools are there and available.

Importance of roles on servers

12:25 Part of your ability to have resiliency in the environment is the ability to reboot whenever you need, because you have redundancy and resiliency. Because it is a single role server, it gives you that agility to be able to resolve and prevent issues.

Therefore, workload design is the name of the game. Whatever you think that cost is of that additional virtual machine, that is nothing compared to the problems that you cannot solve because you tried to shove a bunch of stuff together in workloads that did not meet because they were mismatched workloads.

Many patch managers are not comprehensive and there is a lack of consistency in of what is getting patched on a well-designed domain controller versus a third-party party application server.

Physical servers

16:09 Watching a virtual machine reboot while maintaining efficiency and not biting off more than one can chew is crucial, but we are also finding is increasingly important to watch the physical servers and that can only be possible with the right hardware.

How are you auditing and confirming that patches are being applied and which ones have not? At QPC Security, we bring all the virtual machines down and reboot the host as a prerequisite for patching because it gives you a clean slate to start your patches. Then we will use the patching methodology to push specific patches down to it. We use our patching piece to push specific ones because not everything is needed for hosts and other pieces that we have identified will cause an issue, is a multi-patch, or a multi-patch/multi-reboot process.

Taking one step at a time, pull it down, apply patches, make sure everything is happy coming up. Go through that entire process again. While we are connected to iDRAC, we watch the server, reboot, apply patches, come back up, make sure all the VM's are checking in properly, we are making sure everything is available, then they go through that process two to three times. It depends on how many patches are available and what things got pushed out.

Everything has patches

20:39 If you have a hypervisor that is not giving you patches; you should not be using them. Likewise, if there is no product improvement then there is no security management from that vendor. There is no easy button or a set it and forget it.

21:42 When IT is not confident in how a process is going to work, they do not want to touch it and that is exactly where a vulnerability arises. Say a consultant installs Cisco, but without a brand expert or budget in place keep the consultant to maintain it, it remains unpatched and therefore vulnerable. That is precisely why organizations need to have a business continuity and disaster recovery (BCDR) plan in place and a procurement policy that drives effective vulnerability management.

Incremental patching

25:26 When people are too afraid to patch the hardware, it does not get patch which accumulates over time in terms of technical debt and the technical issues it accumulates. Attempting to patch too many patches at once or jump too many versions results in the reboot cycle of death or a very time-consuming reboot because you are not running a vetted, tested, and supported configuration. The more time and versions you allow to pass between patches, the more divergent from manufacturer’s tested config those updates become.

Buying the right hardware to begin with saves you money down the line

33:20 A crucial piece to vulnerability management in your workstations is BIOS, drivers, firmware. If you buy the right hardware to begin with that has the automation engine built into it and when you deploy it you are configuring it accordingly, it becomes far less expensive than paying a human being to manually babysit your vulnerability management.

Not all workloads are created equal

34:59 A word of caution when an IT service provider quotes patch management for your organization. When it comes to patching business line apps that need high uptimes because it costs a business thousands of dollars per hour to be down, what patches does the ITSP apply and with what preparation for back out plan?

In many cases, an ITSP is giving a client the perception of patch management, certainly not vulnerability management, but in reality they are simply doing a Windows update and only some third-party patching, which might only be five third party applications. At QPC Security, our catalog of patches of over 9500 software titles that we are patching and there is no automation. Visit https://www.ivanti.com/partners/ivanti-software-catalog to learn more about the normalization of software titles.

Cybersecurity insurance applications require continuous vulnerability assessment and vulnerability management. However, most IT service providers do not offer comprehensive patch management. Their vulnerability management claims are grossly misrepresented to the point of malfeasance.

Vendor documentation & software bill of materials

37:43 You cannot keep your head in the sand – all these things must be considered when receiving a quote from an IT service provider.

In cases when the software vendor is not offering competent documentation, your organization must rely on the legwork of your IT service provider to offer timely patches at opportune times. Do not forget that many ITSPs will charge you to run patches on the weekend or evenings when there will be minimal impact to your business.

"Titrics"

43:02 Your ITSP should have vetted and tested procedures and protocols for implementing patches, yet all too many do not. So many times, we see the priority of IT companies are how quickly they can close a ticket and rely on the software companies to do it for them. This focus on first-call closures and ticket metrics (termed here as “titrics”) is grossly underserving their clients and their clients’ organizations. Proper documentation allows for better time management and to offer effective support to best serve the needs of the clients without requiring the assistance of the third-party software vendor.

47:05 Gaps in change management, change control, and documentation for server workloads arise when an ITSP is focused on ticket-based productivity rather than quality of service. The original scope of the project by the ITSP requires evaluation from someone who can accurately evaluate the needs of the client’s organization. When the bid is too low, the needs of the client are not going to be met, the work will not be completed, and the organization is left vulnerable.

50:03 Unfortunately, an incompetent ITSP will leave out what services they had to cut out on the race to the bottom of the pricing model and that leaves it up to you, as the business owner, to be aware of your organization’s cybersecurity insurance policy requirements and how they are being fulfilled.

Questions? Reach out to us

QPC Security proudly serves businesses with virtual CISO services for our clients. If you are interested in learning more about how QPC Security can serve the needs of your organization please visit https://www.qpcsecurity.com/ or call one of our experts directly on (262) 553-6510.

Stay up to date on the most recent episode of Breakfast Bytes by following the podcast on Podbean at https://qpcsecurity.podbean.com/.

Vulnerability management that every business decision maker needs to know about

Felicia King and Dan Moyer of QPC Security talk about vulnerability management, patch management and all the things that business owners are generally not understanding adequately. As a result of that, you're being underserved, misled, and in some cases were lied to and ripped off.

Ultimately, many business owners are refusing to pay for what they need for adequate risk management because they don't understand what they need. In today's episode Felicia and Dan fill that gap.

Announced on October 6, 2021, the US Department of Justice Civil Cyber-Fraud Initiative is applying the false claims act to those who:

  • fail to follow required cybersecurity standards
  • knowingly provide deficient cybersecurity products or services
  • misrepresent their cybersecurity practices or protocols
  • violate obligations to monitor and report cybersecurity incidents and breaches

Just let that sink in for a second. So, is your IT service provider really meeting that standard? I sincerely doubt it.

01:23 The difference between vulnerability management and patch management

Holistic vulnerability management includes, but is certainly not limited to:

  • Software bill of materials analysis
  • Supply chain risk management
  • Third-party risk management
  • End-of-life software
  • Asset inventory up to date
  • Lifecycle management
  • Continuous vulnerability assessment
  • Frequency penetration tests
  • Tabletop exercises
  • Procurement policy

04:38 Cybersecurity insurance applications aren’t asking JUST about patch management

  1. When did you have your last penetration test?
  2. Do you have continuous vulnerability assessment in place?
  3. How long are you going to go without having the patches applied in the environment?
  4. If you think adequate patch management can be done for $50/mo/server, you are hallucinating.

So, what’s included in patch and vulnerability management?

05:34 Patch management

Patches are the building blocks that are improving the software that lives on the hardware. Without software, you can't interact with the piece of hardware unless it's purely mechanical, and even then there's still improvements of usage.

How do you manage and protect those tools of your business from threat factors?

09:20 Third-party patches & vulnerabilities

IT service provider proposals are telling business owners that they can patch their servers and their endpoints and automate Windows updates and some third-party patches. What are those third party applications? What about all your custom business line applications? Do you actually want your critical SQL server to have its SQL instance updated using automation? How much money does it cost you if that workload is down?

10:27 Asset management

Do you know what you have in your environment? Do you have accurate asset management and vulnerability assessments? Simply stated:

“You can’t secure what you don’t have an accurate inventory for.”

It is a regulatory requirement and cybersecurity insurance requirement to adequately document and understand software dependencies in your environment. That requires a proper inventory of your hardware, software, and subcomponents of the software. This is frequently referred to as SBOM - software bill of materials. And if you think your software vendor is going to provide that information, please go ask them for that information. You will probably get a blank stare. IS security engineers can figure it out on their own.

18:48 Implementing proper procurement policies

Does your procurement policy support your vulnerability management strategy? Does your software acquisition and implementation policy (if you even have one) support your cybersecurity insurance and regulatory requirements?

When business decision makers put pressure on an IT service provider or internal IT to implement new software without proper security protocols, vetting, and process documentation, vulnerabilities are nearly always introduced into your environment. Sometimes that comes directly from their insecure software. Sometimes it comes from the tools and connectivity they use to remote into your systems or things like API connectors that your IT is supposed to just blindly trust the software vendor to secure their software with zero validation or proof. A proper CISO on your team or through your ITSP will be able to directly vet the vendor and software itself.

You are required by cybersecurity insurance and Federal regulatory guidance to do so. It is also in your business's best interest to do so.

Be very careful looking for just certifications for someone who says they are a CISO. The majority of CISOs do not have technical chops. They are often compliance managers that cannot do the technical work. Those people have limited usefulness and will not be able to

All of the vCISOs at QPC are hardcore technical because we understand the essential nature of that skillset being a mandatory requirement to deliver effective CISO services.

20:24 Privileged access management and privileged password management

How do you know who has access to remote access to your systems? How many people will have access to your systems? Today, there are many IT service providers who are not disclosing their outsourced Helpdesks that are giving full administrative-level access to a customer’s back end to all those workers at the virtual live Helpdesk. Most ITSPs also fail to disclose the totality of the quantity of people that will end up with admin access to some or all of your systems.

Ask yourself. If you have 25 office personnel, why would it take 30 remote people to have admin access to your systems in order to provide competent support? Do you think it is actually possible to have a high security environment and magically keep 30 people fully up-to-speed on the exact correct configurations required in your environment and what the interaction effects are? It's not possible and will never happen.

24:27 A procurement policy can keep a business' IT costs stable

The number one thing that business owners complain about is the cost of maintenance. With a procurement policy in place and by working with their IT service provider and procuring anything that they do not have a full understanding of the total cost of ownership for – costs can be managed.

Does your procurement policy support your business strategy and needs?

34:22 Understanding the cost and time of device and software procurement

There's also a lot of other risks that the vast majority people don't think about; they tend to only think about the budgetary risk. However, getting the strategic input from a CISO or CIO to develop an understanding of the minimum pricing floor and how that affects the total cost of ownership, can save a business not only money but time.

SaaS can get you closer to a flat-rate cost but you may have inherited additional risk and vulnerabilities, depending on how the new technology interconnects with your systems. Additional risk factors are:

  • counterparty risk
  • structural increase in cost of doing business risk
  • accessibility risk (redundant access is then required and cannot be fully mitigated)
  • external software vendor attack vector risk that cannot be mitigated through Layer3 ACLs
  • takedown/contract risk

37:33 Cloud vs on-prem security

It's still a fallacy that having your systems in the cloud is better and cheaper, incorrectly thinking they can have as good security in the cloud as they can on premise. Going to SaaS can provide a lower and more predictable TCO if the counterparty risk you accept is worth it. But picking up your servers and hosting them on someone else's infrastructure will never be less expensive. IaaS cost savings are a fallacy for the majority of businesses. The exception being massive companies with heavy DevOps needs for spinning up and down workloads quickly. Most of those items are being migrated to Kubernetes and OpenShift.

46:48 IT/IS is not a utility

The electricity company, the water utility, garbage pickup, fire and safety, ISP – they are monopolies and uni-taskers. Whereas IT is far more complex. People tend to think that if it’s a utility, therefore it’s a commodity, and if it’s a commodity it doesn’t matter which service provider I choose.

Business decision makers are trying to manage budget risk without understanding their requirements. They also want to have budgetary control while abdicating their involvement upon outsourcing their IT to an ITSP.

An IT service provider can be a partner to success and can help businesses develop better business strategies IF there is regular and open communication.

This is part 1 of a 2-part series on vulnerability management. To learn more, visit us at qpcsecurity.com 

This is another resource for vulnerability management information.

https://land.fortmesa.com/vulnerability-management-101

File integrity checks (hashing) versus communications or data encryption

We have seen some really goofy cybersecurity insurance application questions. It is always best to not answer a question that is goofy, but instead to write an addendum that defines terms and explains the cybersecurity posture of an organization related to the topic. You need to try to figure what the insurance company was trying to evaluate rather than just answering their questions because their questions are frequently not suitable for yes/no answers.

Greg Cloon joins me to discuss this topic.

We also touch on when you would use file hash integrity checking, when to use disk encryption, and when to use encryption for communications.

Here's a link to IISCrypto.

https://www.nartac.com/Products/IISCrypto/

Signs of insufficient networking knowledge

Scenario 1

Phone VLAN on a switch and cross connected into a Firebox with desk phones, PCs, and printers in the environment

Questions we actually got:

On Monday, we send over the list of what switch ports are for printers, which are for PCs, and which are for desk phones. Technician says that two of the three phones are not working. We use our awesome switches to find out exactly where these other phones were plugged in. The phones were plugged into the wrong switch ports. Move desk phones, phones work.

Then later, the technician runs a test for the VOIP service from a PC on the PC VLAN not from a PC connected to the phone VLAN. So the test for the VOIP service fails. Security zone profiles exist. It is not acceptable to have an allow everything network security posture. Configures needed to support desk phones are completely different from those that are required to support domain joined Windows computer assets.

Some ITSPs have to pay for expensive add-ons like Auvik to try to compensate for the fact that they have inadequate switching equipment with inadequate design and a sprawl that they have to inventory and keep track of. TCO comes from how much time it takes to maintain, manage, adds/moves/deletes/upgrades, troubleshoot. If I have to physically go to a site to chase some cabling, something is really wrong.

The technician in this scenario also could not believe we wanted two network cables between the switch and core router. They are not the only one. I encountered this lack of vision of understanding in another client IT director earlier in the year. If you don't know why you would have two network cables between a switch and a core router, go figure that out.

Scenario 1

Phone system with desk phones. Each desk phone has its own network cable, which is good. Phone subnet should be a separate VLAN, but the choice is made by ITSP to separate the phones using physically separate switching equipment. That is something I would never do.

Commentary provided by ITSP:

I don’t like VLANs. I would rather setup a network with physical segmentation. Results in:

  • Loss of visibility
  • Loss of network resiliency
  • More expensive because you have more switches to babysit and troubleshoot
  • So if you have 20 or 40 VLANs, so does that mean you are going to have 20 or 40 physical switches?
  • If you don’t have 20 VLANs then what network security do you really have?
  • How do you present virtual servers on the proper microsegmented security zone when you cannot transmit tagged packets?

Let’s just talk minimum VLANs that we typically see here:

  • SwitchOOBM
  • ServerOOBM
  • SwitchMgmt
  • WAPMgmt
  • Phone
  • Surveillance
  • CorpWired
  • CorpWireless
  • GuestWireless
  • HVAC
  • ElecMon
  • Chromebooks
  • CaptivePortal
  • Tier0
  • DCs
  • AppGroup1
  • AppGroup2
  • DeprecatedApps
  • Printer
  • Storage
  • IAM
  • RMM

Clearly anything over two becomes ridiculous to do with physically separate switch equipment. The days of this paradigm or strategy are long gone since cybersecurity compliance is requiring microsegmentation. And network security strategies and technical controls are some of the most effective primary and compensating controls for cybersecurity posture for all the protected assets regardless of type.

About Password Managers

More than 80% of breaches occur due to credential theft. All organizations have compliance requirements to have org-owned password management systems and MFA enforcement on accounts used by employees and contractors.

Some other needs which must be met are:

  • Compliance attestation documentation
  • Proper use of the best MFA method on a per resource basis
  • Aligning business continuity objectives with cybersecurity objectives
  • Developing procedures for staff on how to use the company password manager system properly
  • Aligning procedures with information security policy
  • Developing/enhancing information security policy
  • End user awareness training around credentials, MFA, password management
  • and more

I wrote a 16-page educational guide for clients to help them understand the complexities and challenges of password manager solutions and why this is not an easy button project. This podcast is a supplement to that whitepaper.

See the following supporting podcasts for additional information.

https://qpcsecurity.podbean.com/e/requirements-for-premise-hosted-assets-cybersecurity-bcdr-and-more/

https://qpcsecurity.podbean.com/e/how-to-achieve-compliance-for-privileged-account-management/

https://qpcsecurity.podbean.com/e/avoid-cybersecurity-insurance-fraud/

Requirements for premise hosted assets; cybersecurity, BCDR, and more

You should not put things in the cloud unless you can secure them there at least as good as a highly competent professional would have if they had that asset on premise.

Cloud hosted assets have additional risks.

  • Counterparty risk
  • Additional outage and accessibility risk
  • You have less control
  • You have less security over the human or governmental access to your content
  • Zero 4th Amendment protections over that data. It's fully subject to FISA searches that the provider is required to never tell you about.

Also do NOT get sucked into the scam that cloud hosting servers is more secure than if you did them on premise or somehow more cost effective. That is sheer lunacy.

SaaS can be more cost effective and more secure. Look at Office 365 as an example. That is clearly more secure, more cost effective, and more value than a premise Exchange server. SalesForce could be better for you than running your own CRM, but then you are also fully open to their crazy policies which could rip the rug out from under one of your most business critical systems.

There is no one right answer 100% of the time. Context and artistry of security strategy are exceedingly important.

This show is about these things as well as what you must have in place to have premise hosted secure assets. I describe a Tier0 asset scenario in specific and what can easily undermine it.

 

Premise hosted password managers

It is worth noting that extremely high functionality privileged access management and identity management systems are available in a premise hosted format which are a perpetual licensing model with very low annual software maintenance fees. These systems are exceptionally valuable to IT departments and QPC has extensive experience in these platforms. They are an exceptional value to IT management functions and IT departments.

However, most organizations, even those with full-time IT departments, will not meet the requirements for self-hosting. Why? In order for a self-hosted password management system to be successful, it relies upon many factors which must be in place and be fully executed with extremely high levels of skill and security. This level of skill is outside of the technical skill level of nearly all IT departments of companies with less than 5000 employees.

If the requirements are not fully met continually for the life of use of the platform, the platform and its contents are likely to be compromised. A compromise could consist of the data exfiltration of the entire password vault database which would be catastrophic to the organization.

Baseline requirements for premise password managers

  • Extremely tight supply chain risk network layer security rules and management
  • Ability to do offline upgrades for all software and systems involved
  • Extremely adept underlying server, network, power infrastructure management
  • Rapid patch management within 48 hours or less
  • Always on scanning for vulnerability assessment backed by active monitoring and remediation
  • Active monitoring
  • Multiple first line backups per day with multiple encrypted offsite backups per day
  • Two physically disparate sites with significant server, network, power infrastructure with automatic backup generator service and redundant internet
  • Proficiency at managing SQL server replication over WAN links in an active/active SQL server configuration
  • Proficiency at maintaining active/active application server configurations and automatic failover network configurations
  • Absolute rigorous discipline to adhere to documented standards for vault creation, password management system administration, application updates, database system updates, OS updates, third party app updates, network layer security management across the entire internal and site-to-site connected networks
    Any laxity in the discipline of the IT personnel managing the system will cause it to fail to deliver the security profile required for critical assets.
  • Minimum of two servers involved with the addition of more servers if internet facing roles such as mobile access are desired
  • IT personnel’s ability to implement and maintain complex privileged access management systems
  • Regular security compliance and audit report reviews. This will require a CISO and/or compliance officer with significant technical skill.

Resources for job candidates in cybersecurity - What you need to do to be employable

Networking

  • Network layer security appliances
    • I recommend WatchGuard Fireboxes where you use the Firebox as the core router. It must have a full Total Security Suite active subscription with fully updated Fireware or you won’t be able to learn.
    • LAG a trunk between the Firebox and the switch
    • Must use a unit with an active subscription
  • Layer 3 network switches
    • Must be able to LAG and VLAN at a minimum
    • Recommend Extreme EXOS X440 G2 PoE switches. 12p, 24p, etc. But you must get modern firmware on the switch.
      These can be procured online used via eBay and other sources.
  • Enterprise grade wireless access point
    • At least two wireless SSIDs on different VLANs, supply chain risk management configuration on the management interface
    • Depending on the WAP model, it may be possible to use an older WAP that has no cloud controller. It may be configurable as the local controller. Cloud controller is acceptable also as long as you do supply chain risk management network configuration.

Virtualized switches and net sec appliances don’t work for learning.

Setup OOBM VLANs.

Lock it down. Hardcore microsegmentation, hardcore packet inspection. Massive supply chain risk management strategies at the network layer. Challenge yourself to always make it more locked down.

If you want to learn networking, I do not suggest Cisco's training material at all. HP Flex Net training is quite good in terms of teaching you the fundamentals that you need to know. Then from a network security model, you need to learn and master network layer security appliances. I can only recommend WatchGuard and Fortinet. Everything else has problems which I won't waste time here on why.

Servers

Dell PowerEdge servers can be purchased from outlet.dell.com very inexpensively. Get something you can run at least the hypervisor and a couple VMs on. Must have at least iDrac Enterprise.

Knowledge of HyperV, managing VMs, hypervisors, and sophisticated patching is mandatory.

Office 365 / Microsoft 365

You should run your own tenant and learn how to use this technology if you want to be employable.

Domain/DNS

You must understand domain and DNS hosting and DNS records especially for all services hosted through Office 365.

NAS

TFTP server is mandatory for working with switching equipment for configuration backups, restores, firmware upgrades. Running TFTP on Windows or Linux desktop OS are very problematic. A Synology NAS has TFTP capabilities as well as a ton of other features. The NAS has ActiveBackup, HyperBackup and that could be used to back up the VMs in your lab and your Office 365 tenant.

BCDR skills are mandatory.

I see no better way to learn BCDR other than by doing it. Do not shortcut the size of the hard drives you put in the NAS. It's not worth it. You need lots of space to be able to fully utilize the NAS as your learning zone.

Minimum NAS is DS218. https://www.synology.com/en-us/products/DS218

Suggest Seagate IronWolf Pro drives. Must use NAS rated hard drives.

Priority recommendation

  1. NAS
  2. Domain/DNS/Office 365 tenant
  3. Network layer security appliance
  4. Layer 3 switch
  5. PowerEdge server

Learning resources

TryHackMe

https://www.ultimatewindowssecurity.com/webinars/default.aspx

You must learn Tiered access control. MUST. And you must know how to implement it.

https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=3695

Learn privileged access management

Privileged admin workstations

https://docs.microsoft.com/en-us/security/compass/privileged-access-devices

https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

BHIS webinars and training

https://www.blackhillsinfosec.com/blog/

KnowBe4 excellent webinars and ebooks

https://www.knowbe4.com/webinar-library

How to achieve compliance for privileged account management

Cybersecurity insurance requires MFA for all internal and external administrative access. How do you accomplish this?

Examples of things you might access:

  • switches
  • firewalls
  • servers
  • printers
  • workstations
  • DNS hosting
  • website hosting
  • cloud management portals
  • NAS
  • BCDR appliances

There are many ways to solve this problem and they are all too long to post about here, so this is what this podcast is about.

  • Passwordstate remote integrated proxy authentication
  • tiered access control
  • compensating controls as an alternate for MFA
  • access portals with MFA
  • privileged admin workstations
  • account logon restrictions
  • hardened network access control restrictions (microsegmentation strategies)
  • more

https://www.clickstudios.com.au/remotesitelocations/default.aspx

API Security and external vulnerability scanning

API Security is going to be the thing you need to be paying attention to in the next two years.

Partner with an information security officer like QPC Security to get an internal and external vulnerability scanning plan in place for your organization. A lot of vulnerability management is not possible to do with tools. It takes experience and expertise that comes from 29 years of hard work.

A great API scanner https://www.wallarm.com/

RMM security topics/tactics

Either fund your IT security or decide to go out of business

Companies have some hard decisions to make. They are either going to continue to be in business and allocate budget to correcting gaps, or they are going to go out of business because they will find themselves uninsurable or unable to come up with the funds to rectify all their security gaps in the required allotted time.

Reviewing your last cybersecurity insurance application

My latest offer is to review your last completed cybersecurity insurance application. The offer is only open to business owners directly or the executive management team of an organization who would be a good fit to be a client of ours.

https://qpcsecurity.com

The truth about smart cities.

https://www.theguardian.com/cities/2014/dec/17/truth-smart-city-destroy-democracy-urban-thinkers-buzzphrase

There is an updated FAQ for the CAN-SPAM Act.

https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business

Working with a Breach Coach/Attorney - A Primer

Cyberlaw podcast

  • What needs to be pre-documented for the breach attorney to be effective? And in what format?
  • What to do to protect yourself from outrageous fees?
  • What to do in order to get proper service from a breach attorney?
  • What are the advantages of having a pre-established relationship with a breach attorney?
  • What positive outcomes arise from having pre-breach meetings with a breach attorney?

3/24/2022

Spencer Pollock – Cybersecurity breach attorney

Felicia King – QPC Security, Security Architect and Information Security Officer

What needs to be pre-documented for the breach attorney to be effective?

Cybersecurity posture of the organization.

Compliance/legal and the technical / security

Security: identify the gaps and procedures

And in what format?

Data is everywhere.

Clients that have an IRP, data map and have a list.

Customers and data breach classification, impact / no impact

What to do to protect yourself from outrageous fees?

The more times you have to engage a breach coach in advance, the better off you are.

The more time you bake people into your team, the less time is spent on the phone when an issue occurs. This means it is less expensive and your organizational response is faster.

This is why it is critical to get the breach attorney written into the policy.

When to get the breach attorney written into the policy?

Business owner needs to be driving the breach attorney selection during the insurance application period.

Insurance policy, Beazley example. You should do a retainer with them.

Retainer: You get the benefit of cell phone, breach line.

Preparation meetings are going to be paid out of pocket. Prebreach stuff is a separate engagement, and it will usually be a lower fee.

Avoiding real estate theft, deed theft, and related scams

Check out dark patterns for scam awareness.

https://www.darkpatterns.org/

  • Avoid the new movers mailing list
  • Avoid putting real estate in your personal name
  • Use a service like Abine DeleteMe
  • Get a PO Box and stop having snail mail delivered as much as possible
  • Subscribe to paperless billing as much as possible
  • Harden your digital life
  • Get off social media and stop sharing your life in public digital media
  • Be aware of deed fraud and how to verify that no one has stolen your deed.
  • Be aware of how foreclosure rescue scams are perpetrated.
  • and more!

Attestation, scoring, evaluation, and business process in achieving improved cybersecurity posture and compliance

Joy Beland joins Felicia to discuss:

  • What Edwards Performance Solutions is doing in the CMMC training space
  • Joy's team created the CMMC assessor textbook
  • Many orgs have cybersecurity insurance enforcement for the first time ever
  • Joy's extremely wise metaphor and perspective on cybersecurity insurance (15 mins)
  • Transfer of risk and economic destruction
  • DMARC, DKIM, SPF tuning
  • What tools exist to help the SMB market with attestation, and establishing patterns of due care and due diligence?
  • IS policies and processes are required as part of the proof mechanism
  • Mechanisms to actually evaluate risk so that business leaders can make effective decisions
  • Control planes for infrastructure

Joy's sage advice: "Know what the crown jewels are."

Learn to identify wasteful practices with Gemba walks.

https://www.creativesafetysupply.com/content/PPC/gemba/index.html

CMMC 2.0 scoping analysis

https://www.linkedin.com/feed/update/urn:li:activity:6889627454466469888/

Future Feed for CMMC orgs

https://futurefeed.co/

https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/

Special guest:

Joy Beland, a CMMC Provisional Assessor and CMMC Provisional Instructor, who works with Edwards Performance Solutions as a Senior Cybersecurity Consultant.  Joy owned an MSP for twenty-one years in Los Angeles.  She has a CISM and Security+ certification.

Integrated IT risk management - part 2

Identity theft via insecure credit APIs
Integrated IT risk management part 2

Assessments and Integrated IT Risk Management - Part 1

  • Problems with and limitations in many assessments
  • Many assessment report results from automated tools can be incomplete, incorrect, or pretzel talk
  • What realistic expectations should you have from a paid and unpaid assessment
  • There are certain security baselines simply so your organization can be insurable.
  • There are certain security baselines in order for your organization to be serviceable by an IT service provider.
  • Small organizations can easily find themselves spending $50,000 that they don't have in order to recover from a cybersecurity event.
  • It's not just about money. Are you sure that you can get access to all the personnel in order to get your organization back up and running in the designated time?
  • You need to mitigate risk proactively in order to make sure the cybersecurity event never happens.
  • Do not evaluate your risk based upon what you think the value of your data is. Evaluate your risk based upon whether or not you want to stay in business.

Technical Debt - a whole new perspective

Cyber Matt Lee joins Felicia on Breakfast Bytes to talk about massive issues with technical debt.

Senior Director of Security and Compliance at Pax8.

You have to start with the right definitions. It’s not patch management, it is vulnerability management. You have to ZOOM in. Is your TPM up to date? Is your firmware up to date? Drivers, configurations, remove unpatchable software. Are you still susceptible to spectre and meltdown? What about SMB1, PowerShell 2.0, LLMNR, etc.? “That doesn’t have a patch, and you have to get rid of it.”

Where there is technical debt with a software code base, on a 5-year journey, you need to move to different software because the software vendors are literally incapable of updating the code base of their software. They are not actually doing the work to update the software. Their paradigms for software development lifecycle and codebase are crippling them from being able to correct issues.

Matt recommends finding SaaS platforms that suck over premise applications that suck because at least you are in the shared responsibility model.

Modern dev sec op practices are what is needed. You can build software that has a good paradigm.

We still acknowledge that there are issues with resources in the cloud as well unless an organization is willing to accept the risk of data sovereignty and the third-party risk of being disconnected from their services and data. Being disconnected from your data or being disconnected from your application because the SaaS vendor disagrees with your business model even though what you are doing is legal, this needs to be regulated out of existence. SaaS vendors are playing God.

And some things are just not cost effective in the cloud or are financially unobtainable in a SaaS format. Are you comfortable with the government accessing your data through backdoors? This is a very personal decision to each organization and individual.

15:30 mins - Matt talks about paradigm challenges that impede the ability to ever create bug free software. True SaaS should be able to iterate an outcome regardless of the hardware and OS that is accessing the system, so the software vendor does not have to plan for all the variables in their testing. This allows them to have a CICD development pipeline for their software.

Get to the nugget of what is required. An information security officer can get to what is really the intent of what the compliance requirements are asking for and translate that into what is required to fulfill that and protect the organization. Interpretation is required because too frequently the questions asked or requirements specified are not as specific or accurate as what is required.

26 mins – Vendor software development and vulnerability disclosure programs. The vendors need to tie revenue lost to the vulnerabilities. Software vendors are often setup for failure. Monolithic apps start at the top and run to the bottom of the code. Better models are where apps have microservices and each microservice can be corrected individually without a massive ordeal. A different software codebase paradigm allows for sprint teams to correct software bugs easier.

28 mins – There is no real effective possible way for many of these software vendors to fix their apps.

30 mins - It is in the C-Suite and the board to fix this. You are either going to die at the hands of threat actors, in an escalating war that we cannot win. Or you are going to start having practices that understand that this is a football game. There is no one right way to run a football play, but you cannot play with 9 players. You have no defensibility in your actions if you put only 9 players on the field when 11 are required. There are requirements and boundaries to any strategy or solution. If you don’t do the things you need to do, you don’t have defensibility.

If you are already fighting with all this massive technical debt, you are not going to ever win.

Go to tryhackme.com and find out how easy the threat actor side of this is.

Avoid cybersecurity insurance fraud

How to avoid cybersecurity insurance fraud. If this happens to you, your claim will be denied and you will likely be uninsurable in the future including by other insurance providers.

You have to be working with an extremely operationally mature ITSP with ISOs on staff or you probably will not be able to navigate this complexity.

Why converged NOC and SOC are so critical to security efficacy

Joining Felicia is Rui Lopes, Senior Technical Evangelist at WatchGuard Technologies. Rui was with Panda Security prior to the WatchGuard acquisition and has spent many years merging the technical with customer enablement at a level rarely seen. His efforts at WatchGuard are projects, partner support, and overall customer enablement of using the endpoint protection technology effectively.

When I listened to an interview with Fortinet's CISO regarding converged NOC/SOC, I had to reach to Rui to formalize several conversations we have had over the last 1+ years because we both have seen the need for this strategy for a very long time.

At QPC, we have been doing converged NOC/SOC since around 2009.

Listen in to hear our breakdown about why this is such a critical strategy in today's threat landscape. Also, check out our article "Time For NOC/SOC Convergence" for more thoughts on this topic.

Act now so your emails will still be deliverable

NDAA 2021 legislation is forcing a gaps closure in SPF, DKIM, and DMARC.

This stuff is really complicated. Get some seriously competent help. I don't think most ITSPs (IT service providers) have enough experience in managing this especially in light of the inclusions of marketing automation platforms on root domains.

You cannot be driving a hole with a 20 lb sledgehammer through your email ingress filtration policies in order to accommodate for incompetently configured sender framework on behalf of your senders.

It's time to push back on their incompetence. Get your vCISO involved and get policies in place such as ones that IT will not be requested to put holes in security in order to accommodate senders with bad email systems. Instead, letters will go to bad senders to tell them to get their house in order.

You need to get your own house in order in order to make sure that your emails are deliverable. Cybersecurity insurance providers are assessing this information as part of your risk profile.

For more information: Email Deliverability- The Titanic Problem Headed Your Way

Gaps in EDR/EPP paradigms and what to do about them

Excellent and invigorating discussion on the gaps in EDR/EPP and what to do about them with Maxime Lamothe-Brassard, founder of LimaCharlie.io and Refraction Point.

LimaCharlie

  • avoiding tool proliferation
  • avoiding the jedi mind trick of EPP
  • identify gaps in a lot of EDR/EPPs
  • challenges with outsourced SOC
  • supply chain risk in toolset vendors
  • paradigms around security tools and training

Kaseya VSA breach analysis

Why the breach happened and what people could have done to prevent it.

What Kaseya could have done differently.

How to manage supply chain risk when your software vendor is not.

Smart vendors use the experts in their customer base.

People really need to have a major paradigm shift and look seriously at an RMM as being nearly the same as a nuclear launch code.

Parsing out the risk issues associated with cloud technologies

Improper use of cloud and the problems caused by improper pre-planning and risk assessment of improper use of cloud.

Kim Nielsen, founder and President of Computer Technologies, Inc. cti-mi.com joins Felicia to discuss dangers and risk of improper use of cloud hosted technologies.

Business risk vs security risk, must have an exit plan. Dangers of subscriptions.

The REAL reason you cannot afford to have a cybersecurity incident

I have been thinking for months about the latest challenges faced by organizations with regards to the increased cybersecurity risks, what is at stake, how unprepared they are, and how the cyber insurance companies are responding to the changing landscape.

As I have had conversations with business decisions makers, they often think that they have little to risk. Many businesses feel that they are not under much if any regulatory framework that requires them to take action. It seems that each week I see another cybersecurity insurance risk assessment questionnaire that nearly every organization will fail. Compliance frameworks are incomplete and horrifically confusing.

There is no compliance framework that will get you the fundamentals. There is no security control framework that tells you how to have effective network layer security. The gap between guidance and successful execution is wide.

It occurs to me that the only real defense for small and medium businesses are organizations like QPC which have virtual information security officers and full remediation services on offer backed by ongoing management. There are plenty of penetration testers or those that will sell you MDR services. Execution of fundamentals is where it is at. There is little value in pursuing the frameworks until you have addressed the fundamentals. After you have the fundamentals in place, then review your status against frameworks and you will probably find that many items have already been addressed.

Regardless, I'm always on the hunt for helping the SMB organization leader. It occurs to me that no matter what data you think you have a risk or don't at risk, there is one thing you don't have which is at risk. Listen to the show to find out the real reason you cannot afford to have a cybersecurity incident.

Why bidding out IT jobs often fails

Why many IT business decision makers make mistakes

Why bidding out IT jobs often fails

Vehicles and privacy issues

Vehicles and privacy issues

Wireless security, wireless TCO, 3-2-1 backup strategy, MFA and IP access control strategies

Wireless security, wireless TCO, 3-2-1 backup strategy, MFA and IP access control strategies

What to do in the event of a cyber attack

I read an article authored by two IT people where the article provided what I felt was a bunch of misinformation about what to do in the event of a cyberattack.

I'm not disclosing here who the authors were or providing a link. Instead I thought the best approach was to provide direct actionable intel on what to do in the event of a cyberattack that counteracts the misinformation in the article.

PrintNightmare and business risk

What did you do about the PrintNightmare vulnerability? I describe what we did at QPC Security and for our clients. I also discuss how business owners and executive management can use IT steering committees to make sure that information technology decisions are being made properly and their risks are being mitigated. I often see poor, uninformed decisions being made that lead to massive adverse business financial impact that were completely avoidable by simply using a decision process that is not flawed.

Listen in to learn more about using good decision-making practices that will protect you from financial ruin.

We regularly save clients hundreds of thousands of dollars by simply having ongoing meetings and preventing missteps.

Gone are the days that executive management can delegate and abdicate. You must be involved, and you must get external advice.

Only large enterprise can afford to have industry connection subscriptions such as IANS. This resource is completely inaccessible to SMB. The cost of the annual subscription to something like that is typically in excess of $40,000 per year, but you would then have to employ an extremely skilled internal information security officer to even be able to make use of any of the value of the subscription. This is why those resources are financial unobtanium for SMB. It is critical that SMB have relationships with managed security services providers who have a certified virtual information security officer to manage your account.

Additional resources: https://www.qpcsecurity.com/2021/07/18/think-you-could-have-prevented-the-impact-of-the-printnightmare-attack-think-again/

Tough talk about cybersecurity insurance and ransomware incidents

I discuss converting the hearsay from some reported incidents into tangible, actionable intelligence. A ransomware remediator initially reported some really high level unusable data. I pushed for more details, and got them, but immense questions remained.

I help you understand what you can do from a process and systems perspective in order to have provable, attestable, non-tamperable proof about the status of your systems. I also include a list of questions for you to ask your cybersecurity insurance provider.

Exposed Colonial Pipeline

Barb Paluszkiewicz Chief Executive Officer of CDN Technologies and Felicia King of Quality Plus Consulting discuss the Colonial pipeline cybersecurity incident.

  • What would you do if it happened to you?
  • Lessons learned
  • Great examples of how to avoid this happening to you

Felicia was a guest on Barb's KNOW Tech Talk podcast.

Privacy problems with IoT and wearables and bluetooth

In this episode, I discuss:

  • Privacy problems with IoT and wearables
  • Bluetooth
  • Ransomware guidance from US Treasury

Hackers compiled data from a bunch of breaches and it's in a reusable script

This week I cover:
  • School cybersecurity attacks
  • automated hack strategy

What is zero trust cybersecurity?

Assessing and understanding counterparty risk

The most secure helpdesk is the one that is not outsourced

Incident response and mitigating supply chain attacks

Patching strategy and lessons from the Exchange HAFNIUM attack

Exchange HAFNIUM attack

  • Pretty much every Exchange server on the planet got hacked that was internet accessible without protections in front of it
  • Anything that does not have MFA protections in 2021 is going to be hacked, especially if it is accessible from the internet
  • Not having MDR and THIS with zero trust posture is just not acceptable
    Yes this is increasing the cost substantially, but your alternative is what?
  • It is possible to proxy the traffic ingressing to the Exchange server and inspect that for IPS signatures
    Fireboxes Detect HAFNIUM Attacks in the Wild | Secplicity - Security Simplified
  • It is also possible to put a web portal in front of the Exchange server that is required to be accessed with MFA before it would be possible to use the services there.
    Reverse Proxy for the Access Portal (watchguard.com)