

CISO Tradecraft®
Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership.
© Copyright 2025, National Security Corporation. All Rights Reserved
Episodes

Mar 11, 2024 • 42min
#172 - Table Top Exercises
Explore the significance of tabletop exercises in bolstering cybersecurity preparedness. These informal training sessions simulate real-world scenarios, allowing teams to refine their incident response plans through collaborative discussions. Discover the cost-effective benefits and compliance aspects, particularly related to SOC 2. Learn how to effectively prepare and execute these exercises by setting clear objectives, choosing the right participants, and conducting valuable follow-ups. Ultimately, it’s all about enhancing your organization’s readiness for potential cyber incidents.

Mar 4, 2024 • 47min
#171 - Navigating Software Supply Chain Security (with Cassie Crossley)
In this episode of CISO Tradecraft, host G Mark Hardy talks with Cassie Crossley, author of the book Software Supply Chain Security. Hardy explores the structure of software supply chains and the risks they carry for the organizations that depend on them. Crossley shares her insights on the different kinds of source code that enter a product (including low-code/no-code platforms and generative AI output) and on the secure development life cycle. She highlights the value of a Software Bill of Materials (SBOM) and the challenges of maintaining the integrity of software products. The discussion also covers counterfeit software and how to spot it, stressing the need for continuous monitoring and a holistic approach to cybersecurity.
Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2
Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9
Chapters
00:00 Introduction
01:44 Discussion on Software Supply Chain Security
02:33 Insights into Secure Development Life Cycle
03:20 Understanding the Importance of Supplier Landscape
05:09 The Role of Security in Software Supply Chain
07:29 The Impact of Vulnerabilities in Software Supply Chain
09:06 The Importance of Secure Software Development Life Cycle
14:13 The Role of Frameworks and Standards in Software Supply Chain Security
17:39 Understanding the Importance of Business Continuity Plan
20:53 The Importance of Security in Agile Development
24:01 Understanding OWASP and Secure Coding
24:20 The Importance of API Security
24:50 The Concept of Shift Left in Software Development
25:20 The Role of Culture in Software Development
25:52 Exploring Different Source Code Types
26:19 The Rise of Low Code, No Code Platforms
28:53 The Potential Risks of Generative AI Source Code
34:24 Understanding Software Bill of Materials (SBOM)
41:07 The Challenge of Spotting Counterfeit Software
41:36 The Importance of Integrity Checks in Software Development
45:45 Closing Thoughts and the Importance of Cybersecurity Awareness

Feb 26, 2024 • 47min
#170 - Responsibility, Accountability, and Authority
In this episode of CISO Tradecraft, host G Mark Hardy examines the concepts of responsibility, accountability, and authority. These matter in any leadership position, but they apply with particular force to cybersecurity. He stresses that the three must be kept in balance, because a mismatch leaves the CISO as a scapegoat, a position many CISOs know well. Drawing on his military and cybersecurity experience, he explains how responsibility, accountability, and authority can be aligned so that duties can actually be carried out. He also relates these concepts to the different forms of power: positional, coercive, expert, informational, reward, referent, and connection. Finally, he acknowledges the bind of CISOs who are held accountable but lack the authority or resources to do their jobs, and offers suggestions for the cultural changes an organization needs to close that gap.
Transcripts: https://docs.google.com/document/d/1S8JIRztM6iaZonGv0qhtWY4vDyBfGhs-/
Chapters
00:00 Introduction
00:22 Understanding Responsibility, Accountability, and Authority
01:20 The Role of Leadership in Cybersecurity
02:47 Exploring the Concepts of Responsibility, Authority, and Accountability
03:08 Applying Responsibility, Authority, and Accountability to the CISO Role
04:20 The Interplay of Responsibility, Authority, and Accountability
11:57 Understanding Power and Its Forms
12:43 The Impact of Power on Leadership and Influence
24:04 The Role of Connection Power in Today's Digital Age
24:40 Understanding Different Sources of Power
25:13 The Power of Networking and Connections
26:49 The Challenges of Being a CISO
29:19 Understanding the Value of Your Role
33:56 The Importance of Expert Power
37:46 The Consequences of Ignoring Maintenance
43:40 Aligning Responsibility, Accountability, and Authority
44:39 The Importance of Legal Protections for CISOs
45:30 Wrapping Up: Balancing Responsibility, Authority, and Accountability

Feb 19, 2024 • 33min
#169 - MFA Mishaps
In this episode of CISO Tradecraft, host G Mark Hardy discusses ways Multi-Factor Authentication (MFA) deployments go wrong and how attackers exploit them. The scenarios include over-privileged test servers, MFA bypass via malicious apps and phishing (including reverse-proxy phishing that relays the victim's session), violation of the Illinois Biometric Information Privacy Act (BIPA) by collecting biometric data without proper consent, and possible future legal restrictions on biometric data. G Mark stresses that MFA only delivers its security benefit when implemented correctly, and that organizations can fail at this by overlooking non-technical issues such as legal consent for biometric data collection.
Transcripts: https://docs.google.com/document/d/1FPCFlFRV1S_5eaFmjp5ByU-FCAzg_1kO
References:
Evil Proxy Attack- https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web
Microsoft Attack - https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/amp/
Illinois Biometric Law - https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994
Chapters
00:00 Introduction
00:43 Understanding Multi Factor Authentication
01:05 Exploring Different Levels of Authentication
03:30 The Risks of Multi Factor Authentication
03:51 The Importance of Password Management
04:27 Exploring the Use of Trusted Platform Module for Authentication
06:17 Understanding the Difference Between TPM and HSM
09:00 The Challenges of Implementing MFA in Enterprises
11:25 Exploring Real-World MFA Mishaps
15:30 The Risks of Overprivileged Test Systems
17:16 The Importance of Monitoring Non-Production Environments
19:02 Understanding Consent Phishing Scams
30:37 The Legal Implications of Biometric Data Collection
32:24 Conclusion and Final Thoughts

Feb 12, 2024 • 47min
#168 - Cybersecurity First Principles (with Rick Howard)
Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire, discusses cybersecurity first principles and the importance of understanding materiality and time-bound risk assessment. He also highlights the value of Fermi estimates and Bayes' theorem for risk calculation. Rick and the host reflect on their experiences during 9/11, and Rick introduces his book, 'Cybersecurity First Principles'.

Feb 5, 2024 • 45min
#167 - Cybersecurity Apprenticeships (with Craig Barber)
In this episode of CISO Tradecraft, host G Mark Hardy is joined by guest Craig Barber, the Chief Information Security Officer at SugarCRM. They discuss the increasingly critical topic of cybersecurity apprenticeships and Craig shares his personal journey from technical network engineer to CISO. They delve into the benefits of apprenticeships for both the individual and the organization, drawing parallels with guilds and trade schools of the past and incorporating real-world examples. They also look at the potential challenges and pitfalls of such programs, providing insights for organizations considering creating an apprenticeship scheme. Lastly, they examine the key attributes of successful apprentices and how these contribute to building stronger, more diverse cybersecurity teams.
Craig Barber's Profile: https://www.linkedin.com/in/craig-barber/
Transcripts: https://docs.google.com/document/d/1J8nrhYCMBSmc0kLBasskBoY2RLIwR7Vb
Chapters
00:00 Introduction
00:23 Understanding Cybersecurity Apprenticeships
02:43 The Role of Mentorship in Cybersecurity
04:09 The Benefits of Cybersecurity Apprenticeships
07:17 The Evolution of Apprenticeships in the Tech Industry
10:00 The Value of Apprenticeships in Building Loyalty
11:08 The Difference Between Internships and Apprenticeships
15:32 The Role of Apprenticeships in Addressing the Skills Shortage
19:15 The Challenges of Implementing Apprenticeships
26:28 The Future of Cybersecurity Apprenticeships
44:32 Conclusion: The Value of Cybersecurity Apprenticeships

Jan 29, 2024 • 39min
#166 - Cyber Acronyms You Should Know
Learn about the newly proposed cybersecurity acronym 'Cyber UPDATE', why acronyms from different eras still matter, the STRIDE, DREAD, PICERL, and MITRE models, cloud computing and the DIE triad, reducing data loss with an ephemeral approach, the challenges of the RSA algorithm, and the effectiveness of multi-factor authentication in preventing unauthorized logins.

Jan 22, 2024 • 45min
#165 - Modernizing Our SOC Ingest (with JP Bourget)
JP Bourget, a security data pipeline and SOC ingest expert, discusses the benefits of modernizing SOC ingest, vendor policies impacting data accessibility, cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures.

Jan 15, 2024 • 29min
#164 - The 7 Lies in Cyber
Debunking common lies in the cybersecurity industry, including inaccurate inventory and risk assessments, the misconception of shifting left in DevSecOps, the limitations of certifications and reports of cyber incidents, and the accuracy of application security tools. The podcast also explores the truth about cybersecurity as a cost center and offers guidance on enhancing cybersecurity measures.

Jan 8, 2024 • 23min
#163 - Operational Resilience
Join G Mark Hardy in this episode of the CISO Tradecraft podcast as he explains how cybersecurity protects revenue. He acknowledges that most organizations see cybersecurity as a cost center, but argues that it can become a protector of business profits. The Operational Resilience Framework (ORF) Version 2 from the Global Resilience Federation is discussed in depth. Hardy outlines the seven ORF steps to operational resilience, including adopting industry-recognized frameworks, understanding the organization's role in its ecosystem, defining minimum viable service levels, and more.
Link to the ORF - https://www.grf.org/orf
Transcripts - https://docs.google.com/document/d/1ckYj-UKDa-wlOVbalWvXOdEO4OYgjO0i
Chapters
00:12 Introduction
01:47 Introduction to Operational Resilience Framework
02:38 Understanding Resilience and Antifragility
03:32 Common Cybersecurity Attacks and How to Anticipate Them
06:22 Building Resilience in Cybersecurity
09:43 Operational Resilience Framework: Steps and Principles
17:50 Preserving Datasets and Implementing Recovery Processes
20:18 Evaluating and Testing Your Disaster Recovery Plan
21:11 Recap of Operational Resilience Framework Steps
22:04 CISO Tradecraft Services and Closing Remarks