CISO Tradecraft®

G Mark Hardy & Ross Young
Nov 14, 2022 • 45min

#104 - Breach and Attack Simulation (with Dave Klein)

Special thanks to our podcast sponsor, Cymulate.

On this episode, Dave Klein stops by to discuss the three digital challenges that organizations face:
- Cyber threats evolve on a daily basis, and this constant threat to our environment appears to be only accelerating.
- The level of vulnerabilities today is 30x what it was 10 years ago. We have more IT infrastructure, complexity, and developers in our current environment.
- In the pursuit of digital innovation, we are changing our IT infrastructure by the hour. For example, Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.

Breach and Attack Simulation tooling addresses these three digital challenges by focusing on breach and attack simulation, vulnerability prioritization, and threat exposure management. This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized.

Key benefits of adopting Breach and Attack Simulation software include:
- Managing organizational cyber-risk end to end
- Rationalizing security spend
- Prioritizing mitigations based on validated risks
- Protecting against the latest threats in near real-time
- Preventing environmental drift

Welcome back, listeners, and thank you for continuing your education in CISO Tradecraft. Today we are excited to share with you a great episode focused on Breach and Attack Simulation software. To begin we will provide a solid background on Breach and Attack Simulation, then we are going to bring on our special guest Dave Klein, who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation software.

Starting from the beginning: what is Breach and Attack Simulation software, and why is it needed? At the end of the day most companies are not on an island. They need to connect to clients, partners, and vendors. They need the ability for employees to visit websites. They need to host public-facing websites to sell products and services. Each of these activities results in the creation of organizational assets, such as IT equipment with internet connectivity. Now internet connectivity isn't a bad thing. Remember, internet connectivity allows companies to generate income, which allows the organization to exist. This income goes to funding expenses like the cyber organization, so that is a good thing.

If bad actors with the intent and capability to cause your company harm can find your company's internet-connected assets that have vulnerabilities, then you have a risk to your organization. So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk. Now sometimes you will hear the term Cyber Asset Attack Surface Management (CAASM). It's also commonly referred to as continuous threat exposure management. Essentially these two categories of tools are the latest evolution of vulnerability management tooling, with the additional benefit of ingesting data from multiple sources. They are designed to address key questions such as:
- How do we get an inventory of what we have?
- How do we know our vulnerabilities?
- How do we know which vulnerabilities might be exploited by threat actors?

Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software. Note Breach and Attack Simulation software overlaps with
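The Infrastructure as Code point above is where a CISO can get ahead of the problem: the same pipeline that lets one misconfiguration ship to a thousand accounts can also refuse it before it is applied. Below is an added example, not code from the episode or from Cymulate, of a small policy check that reads the JSON a `terraform show -json tfplan` command emits and fails the build when a plan would open an administrative port to the internet or relax an S3 public-access block. The plan it runs against is constructed for the example and its resource names are made up; the list of administrative ports and the choice of the two AWS resource types are assumptions for the example, not anything the episode specifies.

```python
"""Pre-apply policy check over a Terraform plan (added example).

Reads the JSON that `terraform show -json tfplan` emits and flags two
misconfigurations that IaC happily replicates at scale:
  * aws_security_group ingress rules exposing admin ports to the internet
  * aws_s3_bucket_public_access_block resources with any setting left off
Only `resource_changes[*].type`, `.address` and `.change` are used.
The SAMPLE_PLAN below is constructed for this example; the names are made up.
"""
import json
import sys

# Assumption for this example: ports that must never be world-reachable.
ADMIN_PORTS = {22, 3389, 3306, 5432}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACCESS_KEYS = ("block_public_acls", "block_public_policy",
                      "ignore_public_acls", "restrict_public_buckets")


def rule_is_world_open(rule):
    """True if a security-group ingress rule admits the whole internet
    to an admin port (or, with protocol -1, to every port)."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & WORLD_CIDRS:
        return False
    if str(rule.get("protocol")) == "-1":      # all traffic, ports ignored
        return True
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 65535))
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def check_plan(plan):
    """Return (resource address, finding) tuples for resources the plan
    would create or update; deletions cannot introduce a misconfiguration."""
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "create" not in actions and "update" not in actions:
            continue
        after = rc.get("change", {}).get("after") or {}
        address = rc.get("address", "?")
        if rc.get("type") == "aws_security_group":
            for rule in after.get("ingress") or []:
                if rule_is_world_open(rule):
                    findings.append((address, "ingress %s-%s (%s) open to the internet"
                                     % (rule.get("from_port"), rule.get("to_port"),
                                        rule.get("protocol"))))
        elif rc.get("type") == "aws_s3_bucket_public_access_block":
            for key in PUBLIC_ACCESS_KEYS:
                if after.get(key) is not True:
                    findings.append((address, "%s is not true" % key))
    return findings


# Constructed plan in the shape of `terraform show -json` output.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]}]}}},
        {"address": "aws_s3_bucket_public_access_block.logs",
         "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["update"], "after": {
             "block_public_acls": False, "block_public_policy": True,
             "ignore_public_acls": True, "restrict_public_buckets": True}}},
        {"address": "aws_security_group.old", "type": "aws_security_group",
         "change": {"actions": ["delete"], "after": None}},
    ],
}


def main(argv):
    """Check a plan file given on the command line, else the sample plan.
    A non-zero exit status is what makes this a gate in a CI pipeline."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = check_plan(plan)
    for address, message in findings:
        print("FAIL %s: %s" % (address, message))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two constructed findings (the bastion group's port 22 rule and the logs bucket's disabled `block_public_acls`); the HTTPS rule on the web group and the deleted group are deliberately left alone, since a check that fires on every world-reachable port is one developers learn to ignore.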
Nov 7, 2022 • 45min

#103 - Listening to the Wise (with Bill Cheswick)

Have you ever met someone so interesting that you just sat and gave them your full attention? On this episode of CISO Tradecraft, we have Bill Cheswick come on the show. Bill talks about his 50 years in computing: working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses. He also co-authored the first book on Internet security. So listen in and enjoy.

Also special thanks to our sponsor, Obsidian Security. You can learn more about them at: https://www.obsidiansecurity.com/sspm/
Oct 31, 2022 • 39min

#102 - Mentorship, Sponsorship, and A Message to Garcia

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is about how to better mentor your people (and in doing so, improve yourself as well). Mentoring is an important part of being a leader, and I would venture that most listeners have achieved their current level of success with the insights of a mentor, along with a lot of hard work. Today we're going to give you a template for creating a personal development plan you can use with your team. I also want to introduce you to a booklet that I keep on my desk. It was written in 1899. Do you have any idea what it might be? Well, keep listening and you'll find out, and you may end up getting yourself a copy of your own.

Let's take a moment to hear from today's sponsor, Obsidian Security.

Career success rarely happens independently -- it usually involves multiple milestones, promotions, and sometimes moves. But success shouldn't be a secret. As Tony Robbins said, "success leaves clues." One of the best ways to achieve personal or professional success, or indeed help others do the same, is through mentoring and sponsorship. But the right person rarely shows up at our doorstep offering us the key to the future -- we have to go out and make that relationship happen. Today we're going to talk about mentors, protégés, sponsors, and that little booklet that has a repeatable secret for success.

Definitions

Let's start with what a mentor is. The dictionary definition is "an experienced and trusted adviser." My definition is that it's a person with more experience and WISDOM who is willing to provide guidance to someone else -- a protégé. Notice I didn't say anything about careers -- you can have a spiritual mentor, an academic mentor, and if you're a new grandparent you want to pass along some tips to help raise your grandkids. You may also hear the term "mentee" instead of protégé -- I see that used from time to time, but it makes me think of those big slow sea creatures that keep getting run over by speedboats.

Mentor

Let's talk about the who, what, when, why, and how of being a mentor. The WHO part is someone with experience and wisdom willing to share insights. Insights about WHAT, at least as far as we're concerned today, is usually career-related -- what jobs or assignments may be best, what personal characteristics are important, whom you should meet and why. The WHEN portion of mentoring is usually a condition of the type of relationship. A traditional one-on-one mentor relationship may be established formally or informally. We established a program at work where those willing to offer advice could volunteer as a mentor and those seeking advice could request the assistance of a mentor. I was asked by our most senior technical security expert if I would serve as his mentor -- an assignment which I was pleased to accept, and we held mentoring sessions quarterly. Of course, we worked together more frequently than that, but those sessions were specifically about what he could learn from me as a mentor, and what I could do to structure his experiences to help with his personal and career growth. [Irish whiskey story]

The WHY can be either because there is a mentorship program at your organization (and if there isn't one, do your homework and consider proposing one) or because someone reached out and requested assistance. Mentoring is not like doing the dishes, where anyone can do a competent job. It requires empathy, communication skills, wisdom, and time commitment. I'm at the point in my life and career where I actively try to help others who are not as old as I am. Many times, that's appreciated, but some people seem to pref
Oct 24, 2022 • 40min

#101 - SaaS Security Posture Management (with Ben Johnson)

Special thanks to our podcast sponsor, Obsidian Security.

We are really excited to share today's show on SaaS Security Posture Management. Please note we have Ben Johnson stopping by the show, so please stick around and enjoy.

First let's go back to the basics. Today most companies have already begun their journey to the cloud. If you are in the midst of a cloud transformation, you should ask yourself three important questions:
- How many clouds are we in?
- What data are we sending to the cloud to help the business?
- How do we know the cloud environments we are using are properly configured?

Let's walk through each of these questions to understand the cyber risks we need to communicate to the business, and then focus on one cloud type that might be forecasting a major event.

First let's look at the first question: how many clouds are we in? It's pretty common to find organizations still hosting data in on-premises data centers. This data is also likely backed up to a second location just in case a disaster event occurs and knocks out the main location. For example, if you live in Florida you can expect a hurricane. When this happens you might expect the data center to lose power and internet connectivity. Therefore it's smart to have a backup location somewhere else that would be unlikely to be impacted by the same regional event. We can think of our primary data center and our backup data center as an on-premises cloud. That is the first cloud we encounter.

The second cloud we are likely to encounter is external. Most organizations have made the shift to using cloud computing service providers such as Amazon Web Services, Azure, Google Cloud Platform, or Alibaba. Each of these cloud providers has a multitude of offerings designed to help organizations reduce the need to host IT services on premises.

Now if you are using both on-premises and a cloud computing provider such as AWS, congratulations: you are in what is known as a hybrid cloud environment. If you use multiple cloud computing providers such as AWS and Azure, then you are in a multi-cloud environment. Notice the difference between the terms: hybrid cloud means you host on premises and use an external cloud provider, whereas multi-cloud means you use multiple external cloud providers. If you are using a common cloud platform like AWS, Azure, or GCP, then you can look into a Gartner Magic Quadrant category known as Cloud Workload Protection Platforms. Here you might encounter vendors like Palo Alto Prisma Cloud, Wiz, or Orca, who will provide you with recommendations for your cloud configuration settings.

So let's say your organization uses on premises and AWS but not Azure or GCP. Does that mean you only have two clouds? Probably not. You see, there's one more type of cloud-hosted service that you need to understand how to defend. The most common cloud model organizations leverage is Software as a Service, commonly known as SaaS. Frankly we don't hear SaaS security being discussed much, which is why we are doing a deep dive on its security in this episode. We think there's a real danger of SaaS clouds turning from a nice cloud that gently cools down a hot summer day into a severe weather storm that can cause an event. So let's look at SaaS security in more depth.

SaaS refers to cloud-hosted solutions whereby vendors maintain most everything. They run the application, they host the data, they host runtime environments, middleware, operating systems, virtualization technologies, servers, storage, and networking. It can be a huge win to run SaaS soluti
Oct 17, 2022 • 33min

#100 - 7 Ways CISOs Setup for Success

References:
https://github.com/cisotradecraft/Podcast
https://cisotradecraft.podbean.com/e/84-gaining-trust-with-robin-dreeke/
https://www.youtube.com/shorts/vSART2mutwc
https://www.peopleformula.com/selfmastery
https://cisotradecraft.podbean.com/e/ciso-tradecraft-roses-buds-thorns/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-how-to-compare-software/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-shall-we-play-a-game/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-aligning-security-initiatives-with-business-objectives/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-promotion-through-politics/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-presentation-skills/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-avoiding-death-by-powerpoint/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-partnership-is-key/

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is something special for us and, we hope, for you as well. It's hard to believe, but CISO Tradecraft has been producing episodes for about two years now. This is our 100th episode! We've covered quite a bit of ground over that time, and we thought we would do a little reflection on our previous episodes and highlight seven differentiators that set world-class CISOs apart from others. So, stick around and learn these seven tips that will enable you to enhance your CISO Tradecraft and help you have a more successful career.

The first tip we want you to understand is that you must always help others to understand your viewpoints through Connection. Now there is one thing to note: the way you connect depends on the size of the audience. We observe that there are usually three different audience sizes that you will connect with: individuals (1:1), small teams (between 2 and 20), and large groups (more than 20).

With individuals it's all about building the one-on-one connection. An example of folks who excel at building connections are spies. Spies have a mission to build connections with others and recruit them to share important information. Now if you go back to Episode #84, we brought Robin Dreeke on the show to talk about building relationships of trust. Robin was a long-time FBI agent who excelled in recruiting and turning Russian spies. In the episode, Robin talked about the key to building relationships of trust. He mentioned four key recommendations:
- Seek the thoughts and opinions of others;
- Talk in terms of priorities, pain poi
Oct 10, 2022 • 38min

#99 - Cyberwar and the Law of Armed Conflict (with Larry Dietz)

We bring you another episode from Naas, Ireland today, speaking about cyberwar and the law of armed conflict with Larry Dietz, a retired US Army Colonel and practicing attorney. This is a follow-up to Episode 98. We cover the Tallinn Manual, discover a surprise resource on cyber conflict hosted by the Red Cross, examine what critical infrastructure might be a legitimate target, and discuss the importance for CISOs of establishing relationships with law enforcement before things go bad.

References:
https://ccdcoe.org/research/tallinn-manual/
https://www.icrc.org/en/war-and-law/conduct-hostilities/cyber-warfare
https://www.cisa.gov/critical-infrastructure-sectors
https://www.secretservice.gov/contact/ectf-fctf
https://psyopregiment.blogspot.com/
Oct 3, 2022 • 33min

#98 - Outrunning the Bear

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we are going to discuss how nation-state conflict and sponsored cyberattacks can affect us as non-combatants, and what we should be doing about it. Even if you don't have operations in a war zone, remember cyber has a global reach, so don't think that just because you may be half a world away from the battlefield that someone is not going to reach out and touch you in a bad way. So, listen for what I think will be a fascinating episode, and please do us a small favor and give us a "like" or a 5-star review on your favorite podcast platform -- those ratings really help us reach our peers. It only takes a click -- thank you for helping out our security leadership community.

I'm not going to get into any geopolitics here; I'm going to try to ensure that this episode remains useful for quite some time. However, since the conflict in Ukraine has been ongoing for over two hundred days, I will draw examples from that.

The ancient Chinese military strategist Sun Tzu wrote: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” That's a little more detailed than the classic Greek aphorism, "know thyself," but the intent is the same even today. Let me add one more quote and we'll get into the material. Over 20 years ago, when he was Secretary of Defense, Donald Rumsfeld said: "As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones."

So, knowledge seems extremely important throughout the ages. Modern governments know that, and as a result all have their own intelligence agencies. Let's look at an example. If we go to the CIA's website, we will see the fourfold mission of the Central Intelligence Agency:
- Collecting foreign intelligence that matters
- Producing objective all-source analysis
- Conducting effective covert action as directed by the President
- Safeguarding the secrets that help keep our nation safe

Why do we mention this? Most governments around the world have similar nation-state objectives and mission statements. Additionally, it's particularly important to understand what is wanted by "state actors" (note, I'll use that term for government and contract intelligence agents). What are typical goals for state actors? Let's look at a couple.

Goal 1: Steal targeting data to enable future operations. Data such as cell phone records, banking statements, or emails allow countries to better target individuals and companies when they know that identifying information. Additionally, targeting data allows nation-state organizations to understand how individuals are connected. This can be key when we are looking for key influencers for targets of interest. Not all targeting data should be considered equal. Generally, banking and telecom data are considered the best for collecting, so be mindful if that is the type of company that you protect. State actors target these organizations because of two factors. The importance of the data is the first factor. If one party sends a second party an email, that means there is a basic level
Sep 26, 2022 • 44min

#97 - Mobile Application Security (with Brian Reed)

Special thanks to our podcast sponsor, NowSecure.

On this episode, Brian Reed (Chief Mobility Officer at NowSecure) stops in to provide a world-class education on mobile application security. It's incredible to think that 70% of internet traffic is coming over mobile devices. Most of this traffic occurs via mobile applications, so we need to understand mobile application security testing before attackers show us how important it is.

This episode will help you understand:
- What you should be doing to secure your mobile applications
- Why managing a mobile device doesn't secure your application layer
- How you should vet your mobile applications according to recommendations from OWASP

References:
- NowSecure Academy provides free mobile application security training and certificate programs: https://academy.nowsecure.com/
- Mobile app growth trends and security issues in the news: https://www.nowsecure.com/mobile-app-breach-news/
- Snapshot of the current risk profile for mobile apps in your industry: https://mobilerisktracker.nowsecure.com/
- App Defense Alliance: https://appdefensealliance.dev/
- Google Play Data Safety: https://blog.google/products/google-play/data-safety/
- OWASP CycloneDX: https://owasp.org/www-project-cyclonedx/
- OWASP MASVS: https://github.com/OWASP/owasp-masvs
Sep 19, 2022 • 31min

#96 - The 9 Cs of Cyber

Ahoy, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to -- talk like a pirate. ARRR. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

On today's episode we are going to talk about the 9 Cs of Cyber Security. Note these are not the 9 Seas that you might find today, the 19th of September, which happens to be the 20th annual International Talk Like a Pirate Day. They are the nine words that begin with the letter C (but not the letter ARRR): Controls, Compliance, Continuity, Coverage, Complexity, Competency, Communication, Convenience, Consistency. Please note that this talk is inspired by an article by Mark Wojtasiak from Vectra, but we have modified the content to be more aligned with our thoughts at CISO Tradecraft.

Now before we go into the 9 Cs, it's important to understand that the 9 Cs represent three equal groups of three. Be sure to look at the show notes, which will link to our CISO Tradecraft website that shows a 9-box picture which should make this easier to understand. But if you're listening, imagine a three-by-three grid where each row corresponds to a different stakeholder. Each stakeholder is going to be concerned with different things, and by identifying three important priorities for each, we have our grid. Make sense? Okay, let's dig in.

The first row in our grid is the focus of Executive Leaders. First, this group of executives, such as the CEO, CIO, and CISO, ensures that the IT controls and objectives are working as desired. Next, these executives want attestations and audits to ensure that compliance is being achieved and the organization is not just paying lip service to those requirements. Thirdly, they also want business continuity. IT systems must be constantly available despite attacks from ransomware, hardware failures, and power outages.

The second row in our grid is the focus of Software Development shops. This group consists of Architects, Developers, Engineers, and Administrators. First, they need to ensure they understand the Coverage of their IT systems in asset inventories -- can we account for all hardware and software? Next, developers should be concerned with how Complexity in their environment can reduce security, as these tend to work at cross-purposes. Lastly, developers care about the Competency of their teams to build software correctly; that competency is a key predictor of the end quality of what is ultimately produced.

The third and final row in our grid is the focus of Security Operations Centers. This group consists of Incident Handlers and Responders, Threat Intelligence Teams, and Business Information Security Officers, commonly known as BISOs. They need to provide clear Communication that informs others what they need to do, they need processes and tools that enable Convenience so as to reduce friction, and finally, they need to be Consistent. No one wants a fire department that only shows up 25% of the time.

So now that we have a high-level overview of the 9 Cs, let's start going into detail on each one of them. We'll start with the focus of executive leaders. Again, that is controls, compliance, and continuity.

Controls - According to James Hall's book on Accounting Information Systems, General Computer Controls are "specific activities performed by per
undefined
Sep 12, 2022 • 46min

#95 - Got any Data Security (with Brian Vecci)

Special thanks to our podcast sponsor, Varonis. Please check out Varonis's webpage to learn more about their custom data security solutions and ransomware protection software.

On this episode Brian Vecci (Field CTO of Varonis) stops by CISO Tradecraft to discuss all things data security. He highlights the top three things every CISO needs to balance with regards to data security: productivity, convenience, and security. He also discusses the most important security questions we need to understand:
- What is data security and how does it fit into data protection?
- How do we understand where our company's data resides?
- How do we know if our data is exposed?
- How do we reduce the risk of data exposure without harming the business?

Enjoy the show and please share it with others. Also don't forget to follow the LinkedIn CISO Tradecraft page to get more great content.