CISO Tradecraft®

G Mark Hardy & Ross Young
Apr 18, 2022 • 43min

#74 - Pass the Passwords

On this episode of CISO Tradecraft, we focus on password security and how it's evolving. Tune in to learn about:
- Why we need passwords
- Ways consumers log in and authenticate
- How bad actors attack passwords
- How long it takes to break passwords
- Different types of MFA
- The future of passwords with conditional access policies

References:
https://danielmiessler.com/blog/not-all-mfa-is-equal-and-the-differences-matter-a-lot/
https://www.hivesystems.io/blog/are-your-passwords-in-the-green?utm_source=tabletext
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps
https://en.wikipedia.org/wiki/RockYou
https://cisotradecraft.podbean.com/e/ciso-tradecraft-active-directory-is-active-with-attacks/
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
Apr 11, 2022 • 47min

#73 - Wonderful Winn Schwartau

Winn Schwartau is a well-recognized icon in the cybersecurity community and a dear friend of over 25 years. Always one to stir the pot and offer radical ideas (many of which come true), he joins us to discuss Hacker Jeopardy, INFOWARCON, his books "Pearl Harbor Dot Com" and "Time-Based Security", and his magnum opus "Analog Security." We speculate on the future of our industry with respect to quantum and probabilistic computing, and after hanging up his pen, it looks like he's doing a Tom Brady and writing one more amazing book. **Warning: Adult Language** Winn's Website Link
Apr 4, 2022 • 48min

#72 - Logging In with SIEMs (with Anton Chuvakin)

On this episode of CISO Tradecraft, Anton Chuvakin talks about logging, Security Information & Event Management (SIEM) tooling, and cloud security. Anton shares fantastic points of view on:
- How moving to the cloud is like moving to a space station (13:44)
- How you may be one IAM mistake away from a breach (20:05)
- How a SIEM is a logging-based approach, whereas EDRs require agents at endpoints. This becomes really interesting when cloud solutions don't have an endpoint to install an agent on (26:53)
- Why you don't want an on-premises SIEM (32:35)
- The 3 AM Test: should you wake someone up for this alert at 3 AM? (39:24)
Mar 28, 2022 • 54min

#71 - Lessons Learned as a CISO (with Gary Hayslip)

On this special episode of CISO Tradecraft, we have Gary Hayslip talk about his lessons learned being a CISO. He shares various tips and tricks he has used to work effectively as a CISO across multiple companies. Everything from fish tacos and beer to how to look at an opportunity when your boss has no clue about cyber frameworks. There's lots of great information to digest.

Additionally, Gary has co-authored a number of amazing books on cyber security that we strongly recommend reading. You can find them here on Gary's Amazon page.
Mar 21, 2022 • 16min

#70 - Partnership is Key

On this episode of CISO Tradecraft you can learn how to build relationships of trust with other executives by demonstrating executive skill and cyber security expertise. You can learn what to say to each of the following executives to build common ground and meaningful work:
- CFO
- Legal
- Marketing
- Business Units
- CEO
- CIO
- HR

Note: Robin Dreeke mentions 5 keys to building goals:
1. Learn about their priorities, goals, and objectives.
2. Place theirs ahead of yours.
3. Allow them to talk; suspend your own need to talk.
4. Seek their thoughts and opinions. Ego suspension!!!
5. Validate them unconditionally and non-judgmentally for who they are as a human being.

During this week's Monday Morning Email, CISO Tradecraft answers the question of how to craft a winning resume to land your first CISO role.
Mar 14, 2022 • 25min

#69 - Aligning Security Initiatives with Business Objectives

On this episode of CISO Tradecraft, we talk about how cyber can help the four key business objectives identified by InfoTech:
1. Profit generation: the revenue generated from a business capability with a product that is enabled with modern technologies.
2. Cost reduction: the cost reduction when performing business capabilities with a product that is enabled with modern technologies.
3. Service enablement: the productivity and efficiency gains of internal business operations from products and capabilities enhanced with modern technologies.
4. Customer and market reach: the improved reach and insights of the business in existing or new markets.

We also discuss Franklin Covey's 4 Disciplines of Execution (TM):
- Focus on the Wildly Important
- Act on the lead measures
- Keep a compelling scoreboard
- Create a cadence of accountability

References to the InfoTech and Franklin Covey material can be found here:
https://www.infotech.com/research/ss/build-a-business-aligned-it-strategy
https://www.franklincovey.com/the-4-disciplines/
Mar 7, 2022 • 1h 3min

#68 - Thought Provoking Discussions (with Richard Thieme)

Today we speak with Richard Thieme, a man with a reputation for stretching your mind with his insights, who has spoken at 25 consecutive DEFCONs as well as keynoted BlackHat 1 and 2. In a far-ranging discussion, we cover the concept of what it's like to be a heretic (hint: it's one step beyond being a visionary), the thought that the singularity has already arrived, Pierre Teilhard de Chardin's noosphere, disinformation and cyber war, ethical decision-making in automated systems, and why there is convincing evidence we are not alone in this universe.

References: https://thiemeworks.com/
Feb 28, 2022 • 30min

#67 - Knock, Knock? Who’s There and Whatcha Want?

On this episode of CISO Tradecraft we are going to talk about various access control and authentication technologies.

Access Control Methodologies:
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role Based Access Control (RBAC)
- Privileged Access Management (PAM)
- Rule Based Access Control
- Attribute Based Access Control (ABAC) or Policy Based Access Control (PBAC)

Authentication Types:
- Password-based authentication
- Certificate-based authentication
- Token-based authentication
- Biometric authentication
- Two-factor Authentication (2FA)
- Multi-Factor Authentication (MFA)
- Location-based authentication
- Computer recognition authentication
- Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)
- Single Sign On (SSO)
- Risk Based authentication

References:
https://riskbasedauthentication.org/
https://blog.identityautomation.com/what-is-risk-based-authentication-types-of-authentication-methods
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures
https://www.n-able.com/blog/network-authentication-methods
https://www.getgenea.com/blog/types-of-access-control/
https://www.twingate.com/blog/access-control-models/
https://csrc.nist.gov/glossary/term/authentication
https://csrc.nist.gov/glossary/term/authorization
https://www.techtarget.com/searchsecurity/definition/access-control
Feb 21, 2022 • 21min

#66 - Working On The Supply Chain Gang

On this episode of CISO Tradecraft, you can learn about supply chain vulnerabilities and the 6 important steps you can take to mitigate these attacks within your organization:
1. Centralize your software code repository
2. Centralize your artifact repository
3. Scan open source software for malware
4. Scan software for vulnerabilities and vendor support
5. Run a Web Application Firewall (WAF)
6. Run a Runtime Application Self Protection (RASP)

References:
https://owasp.org/www-project-threat-and-safeguard-matrix/
https://slsa.dev/
Feb 14, 2022 • 44min

#65 - Shall We Play A Game?

Gamification is a superpower that CISOs can use to change the culture of an organization. On this episode of CISO Tradecraft we discuss how to use gamification concepts as a CISO.

What's in a Game?
- Objective
- Rules
- Challenge/Competition
- Randomness or unpredictability
- Designed for fun and sometimes learning

What Makes a Game Fun?
- Challenge: requires a reasonable level of difficulty
- Fantasy: a compelling setting for game action; temporary suspension of reality
- Curiosity: random events so that play is not completely deterministic
- Control: learners are confronted with choices

What's in a Learning Game?
- Active participation
- Immediate feedback
- Dynamic interaction
- Competition
- Novelty
- Goal direction

5 Gamification Concepts
- Leaderboards
- Badges & Achievements
- Levels & Progression
- Unlockables
- Virtual Economy

4 Player Types
- Killers are players motivated by leaderboards and ranks. These players focus on winning and peer-to-peer competition. Their focus is on acting on other players.
- Achievers are players motivated by achievements and points. These players focus on achieving present goals quickly and completely. Their focus is on acting on the world.
- Socializers are players motivated by friends lists, chat, and news feeds. These players focus on socializing and developing a network of friends. Their focus is on interacting with players.
- Explorers are players motivated by hidden content and levels. These players focus on exploring and discovering the unknown. Their focus is on interacting with the world.

References:
https://www.chaostheorygames.com/blog/serious-games-guide-everything-you-need-to-know-in-2021
https://www.chaostheorygames.com/blog/what-is-gamification-2020-definition
https://directivecommunication.net/the-ultimate-guide-to-work-gamification/
https://yukaichou.com/gamificationnews/4-dominant-applications-of-gamification/
https://medium.com/@chow0531/actionable-gamification-fbe27f6cb2d6
https://www.capgemini.com/2020/06/gamification/
https://insights.lytho.com/translation-fails-advertising
http://timboileau.wordpress.com
https://www.amazon.com/dp/1451611064/?coliid=I2J1XHCOBD5476&colid=2CQEH5MGKB5YX&psc=1&ref_=lv_ov_lig_dp_it
