CISO Tradecraft®

G Mark Hardy & Ross Young
Aug 27, 2021 • 31min

#44 - Intro to Docker Containers and Kubernetes (K8s)

Containers are a lightweight technology that lets an application be deployed to a number of different host operating systems without any modification to its code: the container carries its own userland, so the host only needs a compatible kernel.  As a result, we've been seeing a big increase in the use of Docker, Kubernetes, and other container tools in enterprises.  In this episode, we cover the fundamentals of containers, Docker, and orchestration tools such as Kubernetes, give you the knowledge to understand this environment, and maybe even tempt you to create your own container to test your skill.

Major links referenced in the show:
- Container Architecture (Link)
- Kubernetes Diagrams (Link)
- Kubernetes Glossary (Link)
- Kubernetes Primer (Link)

Special thanks to our podcast sponsor, CyberGRX.
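The security question a CISO should ask about any container workload is whether it runs with least privilege inside the orchestrator. The following is an added illustration written for this summary, not code from the episode or from the linked primers: it audits a Kubernetes Pod spec for the securityContext settings that matter most, with a constructed weak manifest beside its hardened form. Manifests are held as Python dicts (the JSON form of the YAML you would apply with kubectl) so the check runs offline without PyYAML; the image names and host flags are made up for the example.

```python
"""Audit Kubernetes Pod specs for least-privilege container settings.
Added illustration for this episode summary; not code from the podcast.
Both manifests below are constructed samples, not real workloads."""
import json

# Constructed sample: a typical "it works on my laptop" pod spec.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,                      # shares the node's network namespace
        "containers": [{
            "name": "web",
            "image": "example/web:latest",        # mutable tag, not a digest
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same workload with a least-privilege security context.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "example/web@sha256:" + "0" * 64,   # placeholder digest
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(pod):
    """Return a list of findings; an empty list means every check passed.
    Each check reads a real field of the Kubernetes PodSpec / SecurityContext API."""
    findings = []
    spec = pod.get("spec", {})
    for host_flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_flag):
            findings.append(f"pod: {host_flag} is enabled (shares a host namespace)")
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"{name}: image not pinned by digest ({image})")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true (full host device access)")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not set to true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem not set to true")
        dropped = sc.get("capabilities", {}).get("drop", [])
        if "ALL" not in dropped:
            findings.append(f"{name}: capabilities.drop does not include ALL")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], json.dumps(audit_pod(pod), indent=2))
```

The same checks are what an admission controller (for example a Pod Security Admission policy at the "restricted" level) enforces cluster-wide; running them in CI against manifests catches the weak spec before it ever reaches the cluster.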
Aug 20, 2021 • 45min

#43 - Cyber Deception (with Kevin Fiscus)

Join CISO Tradecraft for a fascinating discussion on how to build cyber traps for the bad guys that really work.  By creating a deceptive environment that booby-traps your networks with fake services, enticing resources, and make-believe traffic, we can build a high-fidelity, low-noise intrusion sensor: no legitimate user would ever touch these, so any interaction with them is worth investigating.  Improve your SOC efficiency by actively engaging with intruders rather than sifting through false positives.  There's a lot to learn here, and Kevin Fiscus offers a promise of more to come.

By listening to this episode you will learn:
- What is cyber deception?
- What problem does cyber deception solve?
- How do cyber deception technologies work?
- Why is deception more effective than other detection and response technologies?

If you would like to learn more about cyber deception, be sure to check out these great resources:
- Kevin's YouTube channel, Take Back the Advantage (Link)
- The MITRE Engage Matrix (Link)
- SANS SEC550 (Link)

Special thanks to our podcast sponsor, CyberGRX.
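The "no legitimate user would ever try these" property is what makes deception detections cheap to write. As an added illustration for this summary (not code from the episode or from Kevin Fiscus), the block below treats two kinds of deception artifact as alert sources: honeytoken accounts that exist only to be stolen, and decoy listeners that serve nothing real. Any authentication with a honeytoken account, or any connection to a decoy address and port, becomes an alert with no further tuning. The account names, decoy addresses and log lines are constructed samples in a simplified key=value syslog style; a real deployment would feed the same logic from the SIEM.

```python
"""Turn deception artifacts into a low-noise detection: any use of a honeytoken
account or any connection to a decoy service is an alert by definition.
Added illustration, not code from the episode.  All names and logs are constructed."""
import re
from dataclasses import dataclass

# Constructed honeytokens: accounts that exist only to be stolen, and decoy
# listeners (address, port) that answer but serve nothing legitimate.
HONEY_ACCOUNTS = {"svc_backup_admin", "finance_share"}
DECOY_SERVICES = {("10.0.5.20", 445), ("10.0.5.20", 3389), ("10.0.5.21", 1433)}

# Constructed sample logs in a simplified key=value form.
SAMPLE_LOGS = """\
2021-08-20T10:01:02Z auth host=app01 user=jsmith result=success src=10.0.1.15
2021-08-20T10:02:11Z auth host=dc01 user=svc_backup_admin result=failure src=10.0.1.77
2021-08-20T10:02:15Z conn src=10.0.1.77 dst=10.0.5.20 dport=445 proto=tcp
2021-08-20T10:03:40Z conn src=10.0.1.15 dst=10.0.2.10 dport=443 proto=tcp
2021-08-20T10:04:02Z conn src=10.0.1.77 dst=10.0.5.21 dport=1433 proto=tcp
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str


def detect(log_text):
    """Return one Alert per log line that touches a deception artifact.
    There is no scoring or threshold: the artifacts have no legitimate use."""
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m["user"] in HONEY_ACCOUNTS:
            # Even a failed login is a signal: someone is holding a stolen credential.
            alerts.append(Alert(m["ts"], m["src"],
                                f"honeytoken account {m['user']} used ({m['result']})"))
            continue
        m = CONN_RE.match(line)
        if m and (m["dst"], int(m["dport"])) in DECOY_SERVICES:
            alerts.append(Alert(m["ts"], m["src"],
                                f"connection to decoy service {m['dst']}:{m['dport']}"))
    return alerts


def suspicious_sources(alerts):
    """Group alerts by source address so the SOC opens one case per intruder host."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, []).append(a.reason)
    return by_src


if __name__ == "__main__":
    for src, reasons in suspicious_sources(detect(SAMPLE_LOGS)).items():
        print(src, *reasons, sep="\n  ")
```

On the constructed input only one host trips the traps, and it does so three times across two artifact types, which is exactly the sequence (credential reuse, then lateral scanning) a real intruder produces and a legitimate user never does.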
Aug 13, 2021 • 52min

#42 - Third Party Risk Management (with Scott Fairbrother)

Special thanks to our podcast sponsor, CyberGRX.

On today's episode, we bring in Scott Fairbrother to help tackle key questions in Third Party Risk Management:
- How do you identify which vendors pose the highest risk to your business?
- How do you see which of a vendor's security controls protect against threats?
- How do you validate their risk profiles by scanning, dark web monitoring or other techniques to correlate what attackers are seeing and acting upon?
- Do you understand how to improve risk mitigation in your third-party ecosystem?

Also please subscribe to the CISO Tradecraft LinkedIn page to get more relevant content.
Aug 6, 2021 • 41min

#41 - Got any Threat Intelligence?

Cyber Threat Intelligence is an important part of an effective CISO arsenal, but many security leaders don’t fully understand how to optimize it for their benefit.  In this show, we examine why cyber threat intelligence is vital to fielding an effective defense, discuss the intelligence cycle, examine the four types of threat intelligence, and feature a special guest, Landon Winkelvoss of https://nisos.com, who has spent a career mastering this topic and shares a number of important insights you won’t want to miss.
Aug 1, 2021 • 44min

#40 - Risky Business

In this episode, we take a deep dive into that four-letter word RISK. Risk is measurable uncertainty. As a component of Governance, Risk, and Compliance (GRC), risk management is an important part of a security leader's responsibility. Risk assessment is conducted for a number of reasons, and measuring risk is an important component of effectively overseeing our IT investments. We'll look at NIST and ISO standards for risk, and define the different types of risk assessments. And, because there is risk inherent in many endeavors, this episode will be continued in a part 2, because we didn't allow for the risk of running over with this much great information.
Jul 23, 2021 • 30min

#39 - Stressed Out? Find your Ikigai and 6 Invaluable Factors

Being a CISO has been described as the "toughest job in the world."  It comes with a lot of stress, which can lead to early burnout as well as a number of health and relationship problems.  Well, we're going to tackle this elephant in the room and investigate some of the sources of stress and ways we can deal with it.  88% of CISOs report being "moderately or tremendously stressed."  We discuss eight everyday situations that can cause CISO stress, and then explore the way of Ikigai, Japanese for "reason for being."  The intersection of what you love, what you are good at, what the world needs, and what you can be paid for represents this ideal state.  Mihaly Csikszentmihalyi describes the related experience of "flow," when work comes seemingly effortlessly because we are in alignment with our actions.  We'll also explore Dave Crenshaw's factors to being invaluable, which can help us better meet the demands of our job by being the best possible fit.  Tune in and gain some ideas on how to help yourself, and your staff, deal with stress.

References:
- CISO Tradecraft By Topic on GitHub
- Csikszentmihalyi
- Ikigai
- Invaluable: The Secret to Becoming Irreplaceable
- The Six Invaluable Factors by David Crenshaw
Jul 18, 2021 • 31min

#38 - CMMC and Me

This episode of CISO Tradecraft discusses CMMC.  The Cybersecurity Maturity Model Certification (CMMC) is the US government's response to the massive amounts of defense-related information compromised over the years from contractors and third parties.  The program will be mandatory for all defense contractors by 2025, and has the potential to expand to the entire Federal government, affecting every entity that sells to Uncle Sam.  CMMC has five levels of progressively more rigorous certification with up to 171 controls based on acquisition regulations, NIST standards, and Federal information processing standards.  In addition, there will be an entire ecosystem of trainers, consultants, assessors, and the organizations that support them.  We'll cover those in enough detail so that you can decide if expanding your career skill set into CMMC might make sense.
Jul 9, 2021 • 43min

#37 - Cyber Security Laws & Regulations

On this episode of CISO Tradecraft, you will hear about the most prominent cyber security laws and regulations:

The Health Insurance Portability and Accountability Act (HIPAA) requires the security and privacy of personal health information through:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

The Sarbanes-Oxley Act (SOX) is designed to provide transparency on anything that could cause material impact to the financials of a company:
- Cyber Risk Assessment
- Identify Disclosure Controls and Policies
- Implement Cyber Security Controls Using a Reliable Framework (NIST CSF / ISO 27001)
- Monitor and Test SOX Controls

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect Personally Identifiable Information (PII).

The Federal Information Security Management Act (FISMA) requires executive agencies in the federal government to address cyber security concerns:
- Plan for security
- Assign responsibility
- Periodically review security controls on systems
- Authorize systems to operate

The Payment Card Industry Data Security Standard (PCI DSS) is a framework required to protect payment card information.

The General Data Protection Regulation (GDPR) is the data compliance and privacy law for individuals in the European Union:
- Consent
- Data Minimization
- Individual Rights

The California Consumer Privacy Act (CCPA) is the data compliance and privacy law for California residents.  This law provides Californians the right to know what data is collected or sold, the right to access that data, the ability to request its deletion, and the ability to opt out of it being collected or sold.

The Cybersecurity Maturity Model Certification (CMMC) combines various cybersecurity standards and best practices and maps these controls and processes across maturity levels for Department of Defense contractors.
Jul 3, 2021 • 44min

#36 - IPv6 Your Competitive Advantage (with Joe Klein)

This episode of CISO Tradecraft is all about IPv6, featuring Joe Klein.  IPv6 is becoming the dominant protocol on the Internet, and CISOs should understand the implications of how their enterprise is potentially vulnerable to attacks that may come from that vector, as well as be aware of defenses that may originate from an effective IPv6 deployment.  This broadcast will cover the business cases for IPv6, the technical differences between IPv4 and IPv6, and the security implications of implementing this protocol correctly and incorrectly.
Jun 25, 2021 • 41min

#35 - Setting Up an Application Security Program

On this episode of CISO Tradecraft, you can learn how to build an Application Security program.

Start with key questions for:
- Security
- IT Operations
- Application Development/Engineering groups

Identify key activities:
- Asset discovery
- Asset risk prioritization
- Mapping assets against compliance requirements
- Setting up a communications plan

Perform application security testing activities:
- SAST
- DAST
- Vulnerability scanners
- Software Composition Analysis
- Secrets scanning
- Cloud security scanning

Measure and improve your current vulnerability posture through metrics:
- The number of vulnerabilities present in an application
- The time to fix vulnerabilities
- The remediation rate of vulnerabilities
- The time vulnerabilities remain open
- Defect density (number of vulnerabilities per server)

We also recommend reading the Microsoft Security Development Lifecycle practices (Link).  For more great ideas on setting up an application security program, please read this amazing guide from WhiteHat Security (Link).  If you would like to improve cloud security scanning by automating Infrastructure as Code checks, then please check out Indeni CloudRail (Link).
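The metrics above are only useful if they are computed the same way every month from the scanners' own findings. As an added illustration for this summary (not code from the episode, from Microsoft's SDL or from the WhiteHat guide), the block below computes each listed metric from a set of findings, plus one check a practitioner usually adds alongside them: which findings have breached a remediation SLA. The findings, the severity SLA table, the server counts and the "as of" date are constructed assumptions; in practice the records would be exported from SAST, DAST and SCA tools.

```python
"""Compute application-security posture metrics from scanner findings.
Added illustration, not code from the episode or the linked guides.
Findings, SLA table, server counts and report date are constructed samples."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    app: str
    severity: str               # "critical", "high", "medium" or "low"
    opened: date
    closed: Optional[date] = None   # None means still open


# Assumed "as of" date for the report.
TODAY = date(2021, 7, 1)

# Constructed sample findings across two applications.
FINDINGS = [
    Finding("payments", "critical", date(2021, 5, 1), date(2021, 5, 8)),
    Finding("payments", "high", date(2021, 5, 10), date(2021, 6, 20)),
    Finding("payments", "medium", date(2021, 6, 1)),
    Finding("portal", "high", date(2021, 4, 15), date(2021, 4, 25)),
    Finding("portal", "low", date(2021, 6, 10)),
    Finding("portal", "low", date(2021, 6, 25)),
]

# Assumed remediation SLA in days by severity; a common policy shape, not a standard.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def open_count(findings, app=None):
    """Number of vulnerabilities currently present (optionally for one application)."""
    return sum(1 for f in findings
               if f.closed is None and (app is None or f.app == app))


def mean_time_to_fix(findings):
    """Average days from discovery to closure over fixed findings."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed]
    return sum(durations) / len(durations) if durations else 0.0


def remediation_rate(findings):
    """Fraction of all findings that have been closed."""
    return sum(1 for f in findings if f.closed) / len(findings) if findings else 0.0


def mean_age_open(findings, today=TODAY):
    """Average days that still-open findings have remained open."""
    ages = [(today - f.opened).days for f in findings if f.closed is None]
    return sum(ages) / len(ages) if ages else 0.0


def sla_breaches(findings, today=TODAY):
    """Findings that exceeded their SLA, whether closed late or still open past it."""
    breached = []
    for f in findings:
        end = f.closed or today
        if (end - f.opened).days > SLA_DAYS[f.severity]:
            breached.append(f)
    return breached


def defect_density(findings, server_counts):
    """Open vulnerabilities per server for each application.
    server_counts maps app -> number of servers it runs on (constructed here)."""
    return {app: open_count(findings, app) / n for app, n in server_counts.items()}


if __name__ == "__main__":
    servers = {"payments": 4, "portal": 10}   # constructed asset inventory
    print("open:", open_count(FINDINGS))
    print("mean time to fix (days):", round(mean_time_to_fix(FINDINGS), 1))
    print("remediation rate:", remediation_rate(FINDINGS))
    print("mean age of open findings (days):", mean_age_open(FINDINGS))
    print("SLA breaches:", [(f.app, f.severity) for f in sla_breaches(FINDINGS)])
    print("defect density per server:", defect_density(FINDINGS, servers))
```

Trending these values per application over successive reports is what turns scanner output into the "measure and improve" loop the episode describes; the SLA breach list is the one that most directly drives conversations with engineering leads.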
