CISO Tradecraft®

Would you like to know more about Ransomware?  On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide an in-depth discussion on Ransomware.  Key discussions include: What is ransomware? Why does it work? Ransomware Types (Client-Side, Server-Side, & Hybrid) How each of these enter a target environment Ransomware Incidents The Economics of Ransomware How is Ransomware Evolving? Why Ransomware continues to work :( Ethical Issues to consider before paying Ransomware Defenses Please subscribe to the CISO Tradecraft LinkedIn Group to get even more great content CISA Ransomware Guide Link

If there's one place that knows how Advanced Persistent Threat (APT) actors work, it's the National Security Agency (NSA).  On this episode of CISO Tradecraft G Mark Hardy and Ross Young discuss NSA's Top Ten Cybersecurity Mitigation Strategies and how to use them to secure your company. Since the mitigation strategies are ranked by effectiveness against known APT tactics, they can be used to set the priorities for organizations to minimize mission impact from cyber attacks. Update and Upgrade Software Immediately Defend Privileges and Accounts Enforce Signed Software Execution Policies Exercise a System Recovery Plan Actively Manage Systems & Configurations Continuously Hunt for Network Intrusions Leverage Modern Hardware Security Features Segregate Networks using Application-Aware Defenses Integrate Threat Reputation Services Transition to Multi-Factor Authentication Link to NSA's Material

Would you like to know the best practices in modern software development?  On this episode G Mark Hardy and Ross Young overview the 12 Factor App and its best practices: Codebase: One codebase tracked in revision control with many deploys. Dependencies: Explicitly declare and isolate dependencies. Config: Store configurations in the environment. Backing Services: Treat backing services as attached resources Build, Release, Run: Strictly separate build and run stages  Processes: Execute the app as one or more stateless processes. Port Binding: Export services are via port binding. Concurrency: Scale out via the process model. Disposability: Maximize robustness with fast startups and graceful shutdowns. Dev/Prod parity: Keep development, staging, and production as similar as possible. Logs: Treat logs as event streams. Admin Processes: Run admin/management tasks as one-off processes. The episode of CISO Tradecraft discusses important software development concepts such as Extreme Programming, Lean Product Development, and User Centered Design Methodologies.  To learn more about these important concepts please look at the Pivotal Process

This special episode features Mark Egan (Former CIO of Symantec as well as VMWare).  Mark discusses what he looks for during interviews with CISOs, what executives need to demonstrate during their first 90 days to be successful, and how he helps the next generation of cyber professionals at Merritt College. Three Questions to ask during any interview: What do you like best about this role? What are the most challenging pieces of this role? What does success look like for this role one year into the future? Five Step Plan for New CISOs: Start with an assessment of the current “As-Is” IT architecture Perform Business Requirements Analysis (What are the strategic objectives, tactical issues, and business environment). Design of the Future “To Be” IT architecture (application architecture, organization architecture, network architecture, infrastructure architecture) Gap Analysis = (Future - Present).  This is the most important step as you need to determine a good list of alternatives for management.  Talk to consultants and peers in other companies to see how you can come up with a wide range of solutions. Options to Bridge the Gaps = (Cost, Time, & Business Environment).  Present management with alternative approaches for transforming the organization.  Remember speak in business terms and specify ways that align with business objectives.  In terms of cyber it might be Ensuring Financially Significant Applications don’t have operational disruption, ensuring revenue and brand protection by securing internet facing applications, meeting compliance and regulatory concerns, etc. Merritt College Overview Link Volunteer to Help Merritt College Link Contact Merritt College Link Mark Egan LinkedIn Profile Link

Would you actually like to learn about what Zero Trust is without a bunch of marketing jargon?  On this week's episode G Mark Hardy and Ross Young provide a thoughtful discussion on Zero Trust from NIST and Microsoft: Microsoft's Zero Trust Principles Verify Explicitly Use Least Privileged Access Assume Breach NIST 800-207 Seven Tenets of Zero Trust All data sources and computing services are considered resources All communication is secured regardless of network location Access to individual enterprise resources is granted on a per-session basis Access to resources is determined by dynamic policy The enterprise monitors and measures the integrity and security posture of all owned and associated assets All resource authentication and authorization are dynamic and strictly enforced before access is allowed The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communication and uses it to improve its security posture Six Foundational Elements of Zero Trust Identities Devices Applications Data Infrastructure Networks

Every leader needs to know how to lead and manage a team.  On this episode G Mark Hardy and Ross Young share tradecraft on team building. Pitfalls to team building with becoming a hero Organizational Maturity Models (Levels 1-5) Tuckman Teaming Model (Forming, Storming, Norming, and Performing) Leadership Styles (Telling, Selling, Participating, & Delegating) Aligning your Team and Regaining former employees

Having the ability to inspire confidence is crucial to lead others and allows you the opportunity to gain access to executive roles.  On this episode G Mark Hardy and Ross Young discuss executive presence: What is it Why you need it How to get it We will discuss Gerry Valentine's 7 Key Steps to building Your executive presence: Have a vision, and articulate it well Understand how others experience you Build your communication skills Become an excellent listener Cultivate your network and build political savvy Learn to operate effectively under stress Make sure your appearance isn't a distraction

If you use email, this episode is for you.  Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education.) These three tools all involve placing simple entries in your DNS records.  To work effectively, the recipient also needs to be checking entries.  They are: SPF = sender policy framework; designates only mail from designated IP address(es) or mail server(s) are valid.  For example:  v=spf1 include:spf.protection.outlook.com  DKIM = domain keys identified mail; advertises a public key that can be used to validate all mail sent was signed with corresponding private key.  For example:  v=DKIM1\; k=rsa\; 0123456789ABCDEF… DMARC = domain-based message authentication, reporting, and conformance; establishes policy of what recipient should do when message fails an SPF or DKIM check.  For example:  v=DMARC1; p='quarantine' Check your settings at MXToolbox Learn DMARC Link Implementing these protections require a small amount of work but can yield outsized benefits.  In addition to allowing recipients of your mail to validate SPF, DKIM, and DMARC, ensure your incoming mail is checked for conformance as well, labeling, quarantining, or rejecting any that fail. Lastly, blocking top-level domains (TLDs) with which you do not do business can significantly improve your security by short-circuiting many ransomware, command-and-control, and malware URLs that will be unable to resolve through your DNS.  Get the latest list from IANA Great Background Reading from Australian Signals Directorate Link Email Authenticity 101 Link

The Australian Cyber Security Center (ACSC) believes that not all cyber security controls are created equal.  The have assessed various strategies to mitigate cyber security incidents and determined there are eight essential cyber security controls which safeguard any organization more than another control. These controls are commonly known as, "The Essential Eight" are highly recommended. Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. Patch applications (e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers). Patch/mitigate computers with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest version of applications. Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions. Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository. Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. Strategies to mitigate cyber incidents Link Strategies to mitigate cyber incidents poster Link Essential Eight Maturity Model Link Link

As a CISO, one of the key functions you will be responsible for is IT Governance.  On this episode we discuss what the intent is for a wide variety of cybersecurity documentation that you can leverage, influence, and enforce.  Examples include: Policies Control Objectives Standards Guidelines Controls Procedures ... Helpful visual from ComplianceForge which shows how various documentation standards can be integrated Link