File integrity checks (hashing) versus communications or data encryption

We have seen some really goofy cybersecurity insurance application questions. It is always best not to answer a question that is goofy, but instead to write an addendum that defines terms and explains the cybersecurity posture of the organization related to the topic. You need to try to figure out what the insurance company was trying to evaluate rather than just answering their questions, because their questions are frequently not suitable for yes/no answers.

Greg Cloon joins me to discuss this topic.

We also touch on when you would use file hash integrity checking, when to use disk encryption, and when to use encryption for communications.

Here's a link to IISCrypto.

https://www.nartac.com/Products/IISCrypto/

Signs of insufficient networking knowledge

Scenario 1

Phone VLAN on a switch and cross connected into a Firebox with desk phones, PCs, and printers in the environment

Questions we actually got:

On Monday, we send over the list of what switch ports are for printers, which are for PCs, and which are for desk phones. Technician says that two of the three phones are not working. We use our awesome switches to find out exactly where these other phones were plugged in. The phones were plugged into the wrong switch ports. Move desk phones, phones work.

Later, the technician runs a test for the VoIP service from a PC on the PC VLAN rather than from a PC connected to the phone VLAN, so the test for the VoIP service fails. Security zone profiles exist. It is not acceptable to have an allow-everything network security posture. The configurations needed to support desk phones are completely different from those required to support domain-joined Windows computer assets.

Some ITSPs have to pay for expensive add-ons like Auvik to try to compensate for the fact that they have inadequate switching equipment with inadequate design and a sprawl that they have to inventory and keep track of. TCO comes from how much time it takes to maintain, manage, troubleshoot, and handle adds/moves/deletes/upgrades. If I have to physically go to a site to chase some cabling, something is really wrong.

The technician in this scenario also could not believe we wanted two network cables between the switch and the core router. They are not the only one. I encountered this lack of vision or understanding in another client's IT director earlier in the year. If you don't know why you would have two network cables between a switch and a core router, go figure that out.

Scenario 2

Phone system with desk phones. Each desk phone has its own network cable, which is good. The phone subnet should be a separate VLAN, but the ITSP chose to separate the phones using physically separate switching equipment. That is something I would never do.

Commentary provided by ITSP:

"I don't like VLANs. I would rather set up a network with physical segmentation." This results in:

  • Loss of visibility
  • Loss of network resiliency
  • More expensive because you have more switches to babysit and troubleshoot
  • If you have 20 or 40 VLANs, does that mean you are going to have 20 or 40 physical switches?
  • If you don't have 20 VLANs, then what network security do you really have?
  • How do you present virtual servers on the proper microsegmented security zone when you cannot transmit tagged packets?

Let's just talk about the minimum VLANs that we typically see:

  • SwitchOOBM
  • ServerOOBM
  • SwitchMgmt
  • WAPMgmt
  • Phone
  • Surveillance
  • CorpWired
  • CorpWireless
  • GuestWireless
  • HVAC
  • ElecMon
  • Chromebooks
  • CaptivePortal
  • Tier0
  • DCs
  • AppGroup1
  • AppGroup2
  • DeprecatedApps
  • Printer
  • Storage
  • IAM
  • RMM

Clearly anything over two VLANs becomes ridiculous to do with physically separate switch equipment. The days of this paradigm or strategy are long gone, since cybersecurity compliance now requires microsegmentation. Network security strategies and technical controls are some of the most effective primary and compensating controls for the cybersecurity posture of all protected assets, regardless of type.

About Password Managers

More than 80% of breaches occur due to credential theft. All organizations have compliance requirements to have org-owned password management systems and MFA enforcement on accounts used by employees and contractors.

Some other needs which must be met are:

  • Compliance attestation documentation
  • Proper use of the best MFA method on a per resource basis
  • Aligning business continuity objectives with cybersecurity objectives
  • Developing procedures for staff on how to use the company password manager system properly
  • Aligning procedures with information security policy
  • Developing/enhancing information security policy
  • End user awareness training around credentials, MFA, password management
  • and more

I wrote a 16-page educational guide for clients to help them understand the complexities and challenges of password manager solutions and why this is not an easy button project. This podcast is a supplement to that whitepaper.

See the following supporting podcasts for additional information.

https://qpcsecurity.podbean.com/e/requirements-for-premise-hosted-assets-cybersecurity-bcdr-and-more/

https://qpcsecurity.podbean.com/e/how-to-achieve-compliance-for-privileged-account-management/

https://qpcsecurity.podbean.com/e/avoid-cybersecurity-insurance-fraud/

Requirements for premise hosted assets; cybersecurity, BCDR, and more

You should not put things in the cloud unless you can secure them there at least as well as a highly competent professional would have if they had that asset on premise.

Cloud hosted assets have additional risks.

  • Counterparty risk
  • Additional outage and accessibility risk
  • You have less control
  • You have less security over the human or governmental access to your content
  • Zero 4th Amendment protections over that data. It's fully subject to FISA searches that the provider is required to never tell you about.

Also, do NOT get sucked into the scam that hosting servers in the cloud is more secure than hosting them on premise, or somehow more cost effective. That is sheer lunacy.

SaaS can be more cost effective and more secure. Look at Office 365 as an example. That is clearly more secure, more cost effective, and more valuable than a premise Exchange server. Salesforce could be better for you than running your own CRM, but then you are also fully exposed to their policies, which could rip the rug out from under one of your most business-critical systems.

There is no one right answer 100% of the time. Context and artistry of security strategy are exceedingly important.

This show is about these things as well as what you must have in place to have premise hosted secure assets. I describe a Tier0 asset scenario in specific and what can easily undermine it.


Premise hosted password managers

It is worth noting that extremely high-functionality privileged access management and identity management systems are available in a premise hosted format with a perpetual licensing model and very low annual software maintenance fees. These systems are exceptionally valuable to IT management functions and IT departments, and QPC has extensive experience with these platforms.

However, most organizations, even those with full-time IT departments, will not meet the requirements for self-hosting. Why? For a self-hosted password management system to be successful, it relies upon many factors which must be in place and be fully executed with extremely high levels of skill and security. This level of skill is beyond the technical skill level of nearly all IT departments of companies with fewer than 5000 employees.

If the requirements are not fully met continually for the life of the platform, the platform and its contents are likely to be compromised. A compromise could consist of the exfiltration of the entire password vault database, which would be catastrophic to the organization.

Baseline requirements for premise password managers

  • Extremely tight network layer security rules and management for supply chain risk
  • Ability to do offline upgrades for all software and systems involved
  • Extremely adept underlying server, network, power infrastructure management
  • Rapid patch management within 48 hours or less
  • Always on scanning for vulnerability assessment backed by active monitoring and remediation
  • Active monitoring
  • Multiple first line backups per day with multiple encrypted offsite backups per day
  • Two physically disparate sites with significant server, network, power infrastructure with automatic backup generator service and redundant internet
  • Proficiency at managing SQL server replication over WAN links in an active/active SQL server configuration
  • Proficiency at maintaining active/active application server configurations and automatic failover network configurations
  • Absolute rigorous discipline to adhere to documented standards for vault creation, password management system administration, application updates, database system updates, OS updates, third party app updates, network layer security management across the entire internal and site-to-site connected networks
    Any laxity in the discipline of the IT personnel managing the system will cause it to fail to deliver the security profile required for critical assets.
  • Minimum of two servers involved with the addition of more servers if internet facing roles such as mobile access are desired
  • IT personnel’s ability to implement and maintain complex privileged access management systems
  • Regular security compliance and audit report reviews. This will require a CISO and/or compliance officer with significant technical skill.

Resources for job candidates in cybersecurity - What you need to do to be employable

Networking

  • Network layer security appliances
    • I recommend WatchGuard Fireboxes where you use the Firebox as the core router. It must have a full Total Security Suite active subscription with fully updated Fireware or you won’t be able to learn.
    • LAG a trunk between the Firebox and the switch
    • Must use a unit with an active subscription
  • Layer 3 network switches
    • Must be able to LAG and VLAN at a minimum
    • Recommend Extreme EXOS X440 G2 PoE switches. 12p, 24p, etc. But you must get modern firmware on the switch.
      These can be procured online used via eBay and other sources.
  • Enterprise grade wireless access point
    • At least two wireless SSIDs on different VLANs, supply chain risk management configuration on the management interface
    • Depending on the WAP model, it may be possible to use an older WAP that has no cloud controller. It may be configurable as the local controller. Cloud controller is acceptable also as long as you do supply chain risk management network configuration.

Virtualized switches and net sec appliances don’t work for learning.

Set up OOBM VLANs.

Lock it down. Hardcore microsegmentation, hardcore packet inspection. Massive supply chain risk management strategies at the network layer. Challenge yourself to always make it more locked down.

If you want to learn networking, I do not suggest Cisco's training material at all. HP FlexNetwork training is quite good in terms of teaching you the fundamentals that you need to know. Then, from a network security standpoint, you need to learn and master network layer security appliances. I can only recommend WatchGuard and Fortinet. Everything else has problems that I won't waste time explaining here.

Servers

Dell PowerEdge servers can be purchased from outlet.dell.com very inexpensively. Get something you can run at least the hypervisor and a couple of VMs on. It must have at least iDRAC Enterprise.

Knowledge of Hyper-V, managing VMs, hypervisors, and sophisticated patching is mandatory.

Office 365 / Microsoft 365

You should run your own tenant and learn how to use this technology if you want to be employable.

Domain/DNS

You must understand domain and DNS hosting and DNS records especially for all services hosted through Office 365.

NAS

A TFTP server is mandatory for working with switching equipment for configuration backups, restores, and firmware upgrades. Running TFTP on a Windows or Linux desktop OS is very problematic. A Synology NAS has TFTP capabilities as well as a ton of other features. The NAS has Active Backup and Hyper Backup, which could be used to back up the VMs in your lab and your Office 365 tenant.

BCDR skills are mandatory.

I see no better way to learn BCDR other than by doing it. Do not shortcut the size of the hard drives you put in the NAS. It's not worth it. You need lots of space to be able to fully utilize the NAS as your learning zone.

Minimum NAS is DS218. https://www.synology.com/en-us/products/DS218

Suggest Seagate IronWolf Pro drives. Must use NAS rated hard drives.

Priority recommendation

  1. NAS
  2. Domain/DNS/Office 365 tenant
  3. Network layer security appliance
  4. Layer 3 switch
  5. PowerEdge server

Learning resources

TryHackMe

https://www.ultimatewindowssecurity.com/webinars/default.aspx

You must learn Tiered access control. MUST. And you must know how to implement it.

https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=3695

Learn privileged access management

Privileged admin workstations

https://docs.microsoft.com/en-us/security/compass/privileged-access-devices

https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

BHIS webinars and training

https://www.blackhillsinfosec.com/blog/

KnowBe4 excellent webinars and ebooks

https://www.knowbe4.com/webinar-library

How to achieve compliance for privileged account management

Cybersecurity insurance requires MFA for all internal and external administrative access. How do you accomplish this?

Examples of things you might access:

  • switches
  • firewalls
  • servers
  • printers
  • workstations
  • DNS hosting
  • website hosting
  • cloud management portals
  • NAS
  • BCDR appliances

There are many ways to solve this problem, and they are too long to post about here, so that is what this podcast is about.

  • Passwordstate remote integrated proxy authentication
  • tiered access control
  • compensating controls as an alternate for MFA
  • access portals with MFA
  • privileged admin workstations
  • account logon restrictions
  • hardened network access control restrictions (microsegmentation strategies)
  • more

https://www.clickstudios.com.au/remotesitelocations/default.aspx

API Security and external vulnerability scanning

API Security is going to be the thing you need to be paying attention to in the next two years.

Partner with an information security officer like QPC Security to get an internal and external vulnerability scanning plan in place for your organization. Much of vulnerability management is not possible to do with tools. It takes experience and expertise that comes from 29 years of hard work.

A great API scanner: https://www.wallarm.com/

RMM security topics/tactics

Either fund your IT security or decide to go out of business

Companies have some hard decisions to make. They are either going to continue to be in business and allocate budget to correcting gaps, or they are going to go out of business because they will find themselves uninsurable or unable to come up with the funds to rectify all their security gaps in the required allotted time.

Reviewing your last cybersecurity insurance application

My latest offer is to review your last completed cybersecurity insurance application. The offer is only open to business owners directly or the executive management team of an organization who would be a good fit to be a client of ours.

https://qpcsecurity.com

The truth about smart cities.

https://www.theguardian.com/cities/2014/dec/17/truth-smart-city-destroy-democracy-urban-thinkers-buzzphrase

There is an updated FAQ for the CAN-SPAM Act.

https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business

Working with a Breach Coach/Attorney - A Primer

Cyberlaw podcast

  • What needs to be pre-documented for the breach attorney to be effective? And in what format?
  • What to do to protect yourself from outrageous fees?
  • What to do in order to get proper service from a breach attorney?
  • What are the advantages of having a pre-established relationship with a breach attorney?
  • What positive outcomes arise from having pre-breach meetings with a breach attorney?

3/24/2022

Spencer Pollock – Cybersecurity breach attorney

Felicia King – QPC Security, Security Architect and Information Security Officer

What needs to be pre-documented for the breach attorney to be effective?

Cybersecurity posture of the organization.

Compliance/legal and technical/security

Security: identify the gaps and procedures

And in what format?

Data is everywhere.

Clients that have an IRP, a data map, and a list.

Customers and data breach classification, impact / no impact

What to do to protect yourself from outrageous fees?

The more times you have to engage a breach coach in advance, the better off you are.

The more time you bake people into your team, the less time is spent on the phone when an issue occurs. This means it is less expensive and your organizational response is faster.

This is why it is critical to get the breach attorney written into the policy.

When to get the breach attorney written into the policy?

Business owner needs to be driving the breach attorney selection during the insurance application period.

Insurance policy, Beazley example. You should do a retainer with them.

Retainer: you get the benefit of a cell phone number and a breach line.

Preparation meetings are going to be paid out of pocket. Pre-breach work is a separate engagement, and it will usually be a lower fee.

Avoiding real estate theft, deed theft, and related scams

Check out dark patterns for scam awareness.

https://www.darkpatterns.org/

  • Avoid the new movers mailing list
  • Avoid putting real estate in your personal name
  • Use a service like Abine DeleteMe
  • Get a PO Box and stop having snail mail delivered as much as possible
  • Subscribe to paperless billing as much as possible
  • Harden your digital life
  • Get off social media and stop sharing your life in public digital media
  • Be aware of deed fraud and how to verify that no one has stolen your deed.
  • Be aware of how foreclosure rescue scams are perpetrated.
  • and more!

Attestation, scoring, evaluation, and business process in achieving improved cybersecurity posture and compliance

Joy Beland joins Felicia to discuss:

  • What Edwards Performance Solutions is doing in the CMMC training space
  • Joy's team created the CMMC assessor textbook
  • Many orgs have cybersecurity insurance enforcement for the first time ever
  • Joy's extremely wise metaphor and perspective on cybersecurity insurance (15 mins)
  • Transfer of risk and economic destruction
  • DMARC, DKIM, SPF tuning
  • What tools exist to help the SMB market with attestation, and establishing patterns of due care and due diligence?
  • IS policies and processes are required as part of the proof mechanism
  • Mechanisms to actually evaluate risk so that business leaders can make effective decisions
  • Control planes for infrastructure

Joy's sage advice: "Know what the crown jewels are."

Learn to identify wasteful practices with Gemba walks.

https://www.creativesafetysupply.com/content/PPC/gemba/index.html

CMMC 2.0 scoping analysis

https://www.linkedin.com/feed/update/urn:li:activity:6889627454466469888/

Future Feed for CMMC orgs

https://futurefeed.co/

https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/

Special guest:

Joy Beland, a CMMC Provisional Assessor and CMMC Provisional Instructor, who works with Edwards Performance Solutions as a Senior Cybersecurity Consultant. Joy owned an MSP for twenty-one years in Los Angeles. She has a CISM and Security+ certification.

Integrated IT risk management - part 2

Identity theft via insecure credit APIs

Assessments and Integrated IT Risk Management - Part 1

  • Problems with and limitations in many assessments
  • Many assessment report results from automated tools can be incomplete, incorrect, or pretzel talk
  • What realistic expectations should you have from a paid and unpaid assessment
  • There are certain security baselines simply so your organization can be insurable.
  • There are certain security baselines in order for your organization to be serviceable by an IT service provider.
  • Small organizations can easily find themselves spending $50,000 that they don't have in order to recover from a cybersecurity event.
  • It's not just about money. Are you sure that you can get access to all the personnel in order to get your organization back up and running in the designated time?
  • You need to mitigate risk proactively in order to make sure the cybersecurity event never happens.
  • Do not evaluate your risk based upon what you think the value of your data is. Evaluate your risk based upon whether or not you want to stay in business.

Technical Debt - a whole new perspective

Cyber Matt Lee joins Felicia on Breakfast Bytes to talk about massive issues with technical debt.

Matt is Senior Director of Security and Compliance at Pax8.

You have to start with the right definitions. It's not patch management, it is vulnerability management. You have to ZOOM in. Is your TPM up to date? Is your firmware up to date? Drivers, configurations, removing unpatchable software. Are you still susceptible to Spectre and Meltdown? What about SMB1, PowerShell 2.0, LLMNR, etc.? "That doesn't have a patch, and you have to get rid of it."

Where there is technical debt in a software code base, on a 5-year journey you need to move to different software, because the software vendors are literally incapable of updating the code base of their software. They are not actually doing the work to update the software. Their paradigms for the software development lifecycle and codebase are crippling their ability to correct issues.

Matt recommends finding SaaS platforms that suck over premise applications that suck because at least you are in the shared responsibility model.

Modern DevSecOps practices are what is needed. You can build software that has a good paradigm.

We still acknowledge that there are issues with resources in the cloud as well, unless an organization is willing to accept the risk to data sovereignty and the third-party risk of being disconnected from their services and data. Being disconnected from your data or from your application because the SaaS vendor disagrees with your business model, even though what you are doing is legal, needs to be regulated out of existence. SaaS vendors are playing God.

And some things are just not cost effective in the cloud or are financially unobtainable in a SaaS format. Are you comfortable with the government accessing your data through backdoors? This is a very personal decision to each organization and individual.

15:30 mins - Matt talks about paradigm challenges that impede the ability to ever create bug-free software. True SaaS should be able to iterate an outcome regardless of the hardware and OS that is accessing the system, so the software vendor does not have to plan for all the variables in their testing. This allows them to have a CI/CD development pipeline for their software.

Get to the nugget of what is required. An information security officer can get to what is really the intent of what the compliance requirements are asking for and translate that into what is required to fulfill that and protect the organization. Interpretation is required because too frequently the questions asked or requirements specified are not as specific or accurate as what is required.

26 mins - Vendor software development and vulnerability disclosure programs. The vendors need to tie revenue lost to the vulnerabilities. Software vendors are often set up for failure. Monolithic apps start at the top and run to the bottom of the code. Better models are where apps have microservices, and each microservice can be corrected individually without a massive ordeal. A different software codebase paradigm allows sprint teams to correct software bugs more easily.

28 mins – There is no real effective possible way for many of these software vendors to fix their apps.

30 mins - It is on the C-suite and the board to fix this. You are either going to die at the hands of threat actors in an escalating war that we cannot win, or you are going to start having practices that understand that this is a football game. There is no one right way to run a football play, but you cannot play with 9 players. You have no defensibility in your actions if you put only 9 players on the field when 11 are required. There are requirements and boundaries to any strategy or solution. If you don't do the things you need to do, you don't have defensibility.

If you are already fighting with all this massive technical debt, you are not going to ever win.

Go to tryhackme.com and find out how easy the threat actor side of this is.

Avoid cybersecurity insurance fraud

How to avoid cybersecurity insurance fraud. If this happens to you, your claim will be denied and you will likely be uninsurable in the future including by other insurance providers.

You have to be working with an extremely operationally mature ITSP with ISOs on staff or you probably will not be able to navigate this complexity.

Why converged NOC and SOC are so critical to security efficacy

Joining Felicia is Rui Lopes, Senior Technical Evangelist at WatchGuard Technologies. Rui was with Panda Security prior to the WatchGuard acquisition and has spent many years merging the technical with customer enablement at a level rarely seen. His efforts at WatchGuard are projects, partner support, and overall customer enablement of using the endpoint protection technology effectively.

When I listened to an interview with Fortinet's CISO regarding converged NOC/SOC, I had to reach out to Rui to formalize several conversations we have had over the last year or more, because we both have seen the need for this strategy for a very long time.

At QPC, we have been doing converged NOC/SOC since around 2009.

Listen in to hear our breakdown about why this is such a critical strategy in today's threat landscape. Also, check out our article "Time For NOC/SOC Convergence" for more thoughts on this topic.

Act now so your emails will still be deliverable

NDAA 2021 legislation is forcing the closure of gaps in SPF, DKIM, and DMARC.

This stuff is really complicated. Get some seriously competent help. I don't think most ITSPs (IT service providers) have enough experience in managing this, especially in light of the inclusion of marketing automation platforms on root domains.

You cannot drive a hole through your email ingress filtering policies with a 20 lb sledgehammer in order to accommodate incompetently configured sender frameworks on behalf of your senders.

It's time to push back on their incompetence. Get your VISO involved and get policies in place, such as a policy that IT will not be asked to put holes in security in order to accommodate senders with bad email systems. Instead, letters will go to bad senders telling them to get their house in order.

You need to get your own house in order to make sure that your emails are deliverable. Cybersecurity insurance providers are assessing this information as part of your risk profile.

For more information, see "Email Deliverability - The Titanic Problem Headed Your Way".

Gaps in EDR/EPP paradigms and what to do about them

Excellent and invigorating discussion on the gaps in EDR/EPP and what to do about them with Maxime Lamothe-Brassard, founder of LimaCharlie.io and Refraction Point.

LimaCharlie

  • avoiding tool proliferation
  • avoiding the Jedi mind trick of EPP
  • identify gaps in a lot of EDR/EPPs
  • challenges with outsourced SOC
  • supply chain risk in toolset vendors
  • paradigms around security tools and training

Kaseya VSA breach analysis

Why the breach happened and what people could have done to prevent it.

What Kaseya could have done differently.

How to manage supply chain risk when your software vendor is not.

Smart vendors use the experts in their customer base.

People really need to have a major paradigm shift and look seriously at an RMM as being nearly the same as a nuclear launch code.

Parsing out the risk issues associated with cloud technologies

Improper use of cloud, and the problems caused by inadequate pre-planning and risk assessment before adopting cloud technologies.

Kim Nielsen, founder and President of Computer Technologies, Inc. cti-mi.com joins Felicia to discuss dangers and risk of improper use of cloud hosted technologies.

Business risk vs. security risk; you must have an exit plan. Dangers of subscriptions.

The REAL reason you cannot afford to have a cybersecurity incident

I have been thinking for months about the latest challenges faced by organizations with regards to the increased cybersecurity risks, what is at stake, how unprepared they are, and how the cyber insurance companies are responding to the changing landscape.

As I have had conversations with business decision makers, they often think that they have little at risk. Many businesses feel that they are not under much, if any, regulatory framework that requires them to take action. It seems that each week I see another cybersecurity insurance risk assessment questionnaire that nearly every organization will fail. Compliance frameworks are incomplete and horrifically confusing.

There is no compliance framework that will get you the fundamentals. There is no security control framework that tells you how to have effective network layer security. The gap between guidance and successful execution is wide.

It occurs to me that the only real defense for small and medium businesses is organizations like QPC, which have virtual information security officers and full remediation services on offer, backed by ongoing management. There are plenty of penetration testers or those that will sell you MDR services. Execution of fundamentals is where it is at. There is little value in pursuing the frameworks until you have addressed the fundamentals. After you have the fundamentals in place, then review your status against frameworks and you will probably find that many items have already been addressed.

Regardless, I'm always on the hunt for ways to help the SMB organization leader. It occurs to me that no matter what data you think you have at risk or don't have at risk, there is one thing you have that is at risk. Listen to the show to find out the real reason you cannot afford to have a cybersecurity incident.

Why bidding out IT jobs often fails

Why many IT business decision makers make mistakes


Vehicles and privacy issues


Wireless security, wireless TCO, 3-2-1 backup strategy, MFA and IP access control strategies


What to do in the event of a cyber attack

I read an article authored by two IT people where the article provided what I felt was a bunch of misinformation about what to do in the event of a cyberattack.

I'm not disclosing here who the authors were or providing a link. Instead, I thought the best approach was to provide direct, actionable intel on what to do in the event of a cyberattack that counteracts the misinformation in the article.

PrintNightmare and business risk

What did you do about the PrintNightmare vulnerability? I describe what we did at QPC Security and for our clients. I also discuss how business owners and executive management can use IT steering committees to make sure that information technology decisions are being made properly and their risks are being mitigated. I often see poor, uninformed decisions being made that lead to massive adverse business financial impact that were completely avoidable by simply using a decision process that is not flawed.

Listen in to learn more about using good decision-making practices that will protect you from financial ruin.

We regularly save clients hundreds of thousands of dollars by simply having ongoing meetings and preventing missteps.

Gone are the days that executive management can delegate and abdicate. You must be involved, and you must get external advice.

Only large enterprises can afford industry connection subscriptions such as IANS. This resource is completely inaccessible to SMB. The annual subscription to something like that typically costs in excess of $40,000 per year, and you would then have to employ an extremely skilled internal information security officer to get any value out of the subscription at all. This is why those resources are financial unobtanium for SMB. It is critical that SMBs have relationships with managed security services providers who have a certified virtual information security officer to manage their account.

Additional resources: https://www.qpcsecurity.com/2021/07/18/think-you-could-have-prevented-the-impact-of-the-printnightmare-attack-think-again/

Tough talk about cybersecurity insurance and ransomware incidents

I discuss converting the hearsay from some reported incidents into tangible, actionable intelligence. A ransomware remediator initially reported some very high-level, unusable data. I pushed for more details, and got them, but immense questions remained.

I help you understand what you can do from a process and systems perspective in order to have provable, attestable, tamper-proof evidence of the status of your systems. I also include a list of questions for you to ask your cybersecurity insurance provider.

Exposed Colonial Pipeline

Barb Paluszkiewicz, Chief Executive Officer of CDN Technologies, and Felicia King of Quality Plus Consulting discuss the Colonial Pipeline cybersecurity incident.

  • What would you do if it happened to you?
  • Lessons learned
  • Great examples of how to avoid this happening to you

Felicia was a guest on Barb's KNOW Tech Talk podcast.

Privacy problems with IoT, wearables and Bluetooth

In this episode, I discuss:

  • Privacy problems with IoT and wearables
  • Bluetooth
  • Ransomware guidance from US Treasury

Hackers compiled data from a bunch of breaches and it's in a reusable script

This week I cover:

  • School cybersecurity attacks
  • Automated hack strategy

What is zero trust cybersecurity?

Assessing and understanding counterparty risk

The most secure helpdesk is the one that is not outsourced

Incident response and mitigating supply chain attacks

Patching strategy and lessons from the Exchange HAFNIUM attack

Exchange HAFNIUM attack

  • Pretty much every internet-accessible Exchange server on the planet that had no protections in front of it got hacked
  • Anything that does not have MFA protections in 2021 is going to be hacked, especially if it is accessible from the internet
  • Not having MDR and THIS with a zero trust posture is just not acceptable
    Yes, this increases the cost substantially, but what is your alternative?
  • It is possible to proxy the traffic ingressing to the Exchange server and inspect it for IPS signatures
    Fireboxes Detect HAFNIUM Attacks in the Wild | Secplicity - Security Simplified
  • It is also possible to put a web portal in front of the Exchange server that must be accessed with MFA before it is possible to use the services behind it.
    Reverse Proxy for the Access Portal (watchguard.com)