CISO Tradecraft®

In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management. Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/ Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207 Chapters 00:00 Introduction 00:56 Understanding Vulnerability Management 02:15 How Bad Actors Exploit Vulnerabilities 04:26 Building a Comprehensive Vulnerability Management Program 08:10 Prioritizing and Remediation of Vulnerabilities 13:09 Optimizing the Patching Process 15:28 Measuring and Improving Vulnerability Management Effectiveness 18:28 Gamifying Vulnerability Management for Better Results 20:38 Securing Executive Buy-In for Enhanced Security 21:15 Conclusion and Further Resources

This episode of CISO Tradecraft, hosted by G Mark Hardy, delves into the concept, significance, and implementation of tabletop exercises in improving organizational security posture. Tabletop exercises are described as invaluable, informal training sessions that simulate hypothetical situations allowing teams to discuss and plan responses, thereby refining incident response plans and protocols. The podcast covers the advantages of conducting these exercises, highlighting their cost-effectiveness and the crucial role they play in crisis preparation and response. It also discusses various aspects of preparing for and executing a successful tabletop exercise, including setting objectives, selecting participants, creating scenarios, and the importance of a follow-up. Additionally, the episode touches on compliance aspects related to SOC 2 and the use of tabletop exercises to expose and address potential organizational weaknesses. The overall message underscores the importance of these exercises in preparing cybersecurity teams for real-world incidents. Outline & References: https://docs.google.com/document/d/13Qj4MOjPxWz9mhQCDQNBtoQwrXdTeIEf Transcripts: https://docs.google.com/document/d/1yfmZALQfkhQCMfp9ao3151P9L2XcEXFm/ Chapters 00:00 Introduction 00:47 The Importance of Tabletop Exercises 01:53 The Benefits of Tabletop Exercises 03:06 How to Implement Tabletop Exercises 05:30 The Role of Tabletop Exercises in Compliance 08:24 The Participants in Tabletop Exercises 09:25 The Preparation for Tabletop Exercises 16:57 The Execution of Tabletop Exercises 21:58 Understanding Roles and Responsibilities in an Exercise 22:17 The Importance of a Hot Wash Up 23:36 Creating an After Action Report (AAR) 24:06 Implementing an Action Plan 24:34 Example Scenario: Network Administrator's Mistake 25:08 Formulating Targeted Questions for the Scenario 26:36 The Role of Innovation in Tabletop Exercises 27:11 The Connection Between Tabletop Exercises and Compliance 29:18 12 Key Steps to a Successful Exercise 30:43 The Importance of Realistic Scenarios 34:05 The Role of Communication in Crisis Management 37:33 The Impact of Cyber Attacks on Operations 39:57 The Importance of Tabletop Exercises and How to Get Started

In this episode of CISO Tradecraft, host G Mark Hardy converses with Cassie Crossley, author of the book on software supply chain security. Hardy explores the importance of cybersecurity, the structure of software supply chains, and the potential risks they pose. Crossley shares her expert insights on different software source codes and the intricacies of secure development life cycle. She highlights the significance of Software Bill of Materials (SBOM) and the challenges in maintaining the integrity of software products. The discussion also covers the concept of counterfeits in the software world, stressing the need for continuous monitoring and a holistic approach towards cybersecurity. Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2 Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9 Chapters 00:00 Introduction 01:44 Discussion on Software Supply Chain Security 02:33 Insights into Secure Development Life Cycle 03:20 Understanding the Importance of Supplier Landscape 05:09 The Role of Security in Software Supply Chain 07:29 The Impact of Vulnerabilities in Software Supply Chain 09:06 The Importance of Secure Software Development Life Cycle 14:13 The Role of Frameworks and Standards in Software Supply Chain Security 17:39 Understanding the Importance of Business Continuity Plan 20:53 The Importance of Security in Agile Development 24:01 Understanding OWASP and Secure Coding 24:20 The Importance of API Security 24:50 The Concept of Shift Left in Software Development 25:20 The Role of Culture in Software Development 25:52 Exploring Different Source Code Types 26:19 The Rise of Low Code, No Code Platforms 28:53 The Potential Risks of Generative AI Source Code 34:24 Understanding Software Bill of Materials (SBOM) 41:07 The Challenge of Spotting Counterfeit Software 41:36 The Importance of Integrity Checks in Software Development 45:45 Closing Thoughts and the Importance of Cybersecurity Awareness

In this episode of CISO Tradecraft, the host, G Mark Hardy, delves into the concepts of responsibility, accountability, and authority. These are considered critical domains in any leadership position but are also specifically applicable in the field of cybersecurity. The host emphasizes the need for a perfect balance between these areas to avoid putting one in a scapegoat position, which is often common for CISOs. Drawing on his military and cybersecurity experiences, he provides insights into how responsibility, accountability, and authority can be perfectly aligned for the efficient execution of duties. He also addresses how these concepts intertwine with various forms of power - positional, coercive, expert, informational, reward, referent, and connection. The host further empathizes with CISOs often put in tricky situations where they are held accountable but lack the authority or resources to execute their roles effectively and provides suggestions for culture change within organizations to overcome these challenges. Transcripts: https://docs.google.com/document/d/1S8JIRztM6iaZonGv0qhtWY4vDyBfGhs-/ Chapters 00:00 Introduction 00:22 Understanding Responsibility, Accountability, and Authority 01:20 The Role of Leadership in Cybersecurity 02:47 Exploring the Concepts of Responsibility, Authority, and Accountability 03:08 Applying Responsibility, Authority, and Accountability to the CISO Role 04:20 The Interplay of Responsibility, Authority, and Accountability 11:57 Understanding Power and Its Forms 12:43 The Impact of Power on Leadership and Influence 24:04 The Role of Connection Power in Today's Digital Age 24:40 Understanding Different Sources of Power 25:13 The Power of Networking and Connections 26:49 The Challenges of Being a CISO 29:19 Understanding the Value of Your Role 33:56 The Importance of Expert Power 37:46 The Consequences of Ignoring Maintenance 43:40 Aligning Responsibility, Accountability, and Authority 44:39 The Importance of Legal Protections for CISOs 45:30 Wrapping Up: Balancing Responsibility, Authority, and Accountability

In this episode of CISO Tradecraft, host G Mark Hardy discusses various mishaps that can occur with Multi-Factor Authentication (MFA) and how these can be exploited by attackers. The talk covers several scenarios such as the misuse of test servers, bypassing of MFA via malicious apps and phishing scams, violation of the Illinois Biometric Information Protection Act by using biometric data without proper consent, and potential future legal restrictions on biometric data usage. G Mark also highlights the significance of correct implementation of MFA to ensure optimum organizational security and how companies can fail to achieve this due to overlooking non-technical issues like legal consent for biometric data collection. Transcripts: https://docs.google.com/document/d/1FPCFlFRV1S_5eaFmjp5ByU-FCAzg_1kO References: Evil Proxy Attack- https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web Microsoft Attack - https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/amp/ Illinois Biometric Law - https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994 Chapters 00:00 Introduction 00:43 Understanding Multi Factor Authentication 01:05 Exploring Different Levels of Authentication 03:30 The Risks of Multi Factor Authentication 03:51 The Importance of Password Management 04:27 Exploring the Use of Trusted Platform Module for Authentication 06:17 Understanding the Difference Between TPM and HSM 09:00 The Challenges of Implementing MFA in Enterprises 11:25 Exploring Real-World MFA Mishaps 15:30 The Risks of Overprivileged Test Systems 17:16 The Importance of Monitoring Non-Production Environments 19:02 Understanding Consent Phishing Scams 30:37 The Legal Implications of Biometric Data Collection 32:24 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire. Rick shares his insights on first principles in cybersecurity, discussing how these form the foundations of any cybersecurity strategy. He emphasizes the importance of understanding materiality and integrating the concept of time bound risk assessment to achieve a resilient cybersecurity environment. The episode also delves into the value of Fermi estimates and Bayes algorithm for risk calculation. Amid humor and personal anecdotes, Rick and Mark also reflect on their experiences during 9/11. Rick introduces his book, 'Cybersecurity First Principles', elucidating the rationale behind its conception. Link to the Cybersecurity First Principles Book: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/B0CBVSX2H2/?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2&linkId=1b3010fb678a109743f1fb564eb6d0fc&camp=1789&creative=9325 Transcripts: https://docs.google.com/document/d/1y8JPSzpmqDMd-1PZ-MWSqOuxgFTDVvre Chapters 00:00 Introduction 02:00 Guest's Career Journey and Achievements 08:49 Discussion on Cybersecurity First Principles 15:27 Understanding Materiality in Cybersecurity 21:56 The Gap Between Security Teams and Business Leaders 22:21 The Importance of Speaking the Language of Business 23:03 The Art of the Elevator Pitch 24:04 The Impact of Cybersecurity on Business Value 25:10 The Importance of a Clear Cybersecurity Strategy 26:04 The Value of Business Fluency in Cybersecurity 27:44 The Role of Risk Calculation in Cybersecurity 29:41 The Power of Estimation in Risk Management 30:33 The Importance of Understanding Business Imperatives 41:25 The Role of Culture and Risk Appetite in Cybersecurity 45:39 The First Principle of Cybersecurity

In this episode of CISO Tradecraft, host G Mark Hardy is joined by guest Craig Barber, the Chief Information Security Officer at SugarCRM. They discuss the increasingly critical topic of cybersecurity apprenticeships and Craig shares his personal journey from technical network engineer to CISO. They delve into the benefits of apprenticeships for both the individual and the organization, drawing parallels with guilds and trade schools of the past and incorporating real-world examples. They also look at the potential challenges and pitfalls of such programs, providing insights for organizations considering creating an apprenticeship scheme. Lastly, they examine the key attributes of successful apprentices and how these contribute to building stronger, more diverse cybersecurity teams. Craig Barber's Profile: https://www.linkedin.com/in/craig-barber/ Transcripts https://docs.google.com/document/d/1J8nrhYCMBSmc0kLBasskBoY2RLIwR7Vb Chapters 00:00 Introduction 00:23 Understanding Cybersecurity Apprenticeships 02:43 The Role of Mentorship in Cybersecurity 04:09 The Benefits of Cybersecurity Apprenticeships 07:17 The Evolution of Apprenticeships in the Tech Industry 10:00 The Value of Apprenticeships in Building Loyalty 11:08 The Difference Between Internships and Apprenticeships 15:32 The Role of Apprenticeships in Addressing the Skills Shortage 19:15 The Challenges of Implementing Apprenticeships 26:28 The Future of Cybersecurity Apprenticeships 44:32 Conclusion: The Value of Cybersecurity Apprenticeships

This video introduces a newly proposed acronym in the world of cybersecurity known as the 'Cyber UPDATE'. The acronym breaks down into Unchanging, Perimeterizing, Distributing, Authenticating and Authorizing, Tracing, and Ephemeralizing. The video aims to explain each component of the acronym and its significance in enhancing cybersecurity.  References: https://www.watchguard.com/wgrd-news/blog/decrypting-cybersecurity-acronyms-0 https://computerhistory.org/profile/john-mccarthy/ https://owasp.org/www-community/Threat_Modeling_Process#stride https://attack.mitre.org/att&ck  https://d3fend.mitre.org/ https://fourcore.io/blogs/mitre-attack-mitre-defend-detection-engineering-threat-hunting   https://cars.mclaren.com/us-en/legacy/mclaren-p1-gtr https://csrc.nist.gov/glossary/term/confidentiality https://csrc.nist.gov/glossary/term/integrity https://csrc.nist.gov/glossary/term/availability https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services https://www.nytimes.com/2006/06/30/washington/va-laptop-is-recovered-its-data-intact.html https://cloudscaling.com/blog/cloud-computing/the-history-of-pets-vs-cattle/ https://apps.dtic.mil/sti/tr/pdf/ADA221814.pdf  Transcripts https://docs.google.com/document/d/16upm5bKTsIkDo3s-mvUMlgkX1uqUKnUH Chapters 00:00 Introduction 01:34 Cybersecurity Acronyms: Pre-1990s 02:26 STRIDE and DREAD Models 02:39 PICERL and MITRE Models 05:04 Defining Cybersecurity 07:52 CIA Triad and Its Importance 09:00 Confidentiality, Integrity, and Availability 11:52 The Parkerian Hexad 17:30 D.I.E. Triad Concept 24:28 Cybersecurity UPDATE 24:51 Unchanging 25:46 Perimeterizing 29:36 Distributing

In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and because their professional journeys. Tune in for valuable insights from top cybersecurity experts. Transcripts: https://docs.google.com/document/d/1evI2JTGg7S_Hjaf0sV-Nk_i0oiv8XNAr  Chapters 00:00 Introduction 00:50 Guest's Background and Journey 05:27 Discussion on Security Data Pipeline 07:19 Introduction to SOAR 08:01 Benefits and Challenges of SOAR 12:40 Guest's Current Work and Company 14:04 Security Data Pipeline Modernization 22:20 Discussion on Vendor Integration 29:09 Security Pipeline Approach and AI 38:03 Closing Thoughts and Future Directions

In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving onto other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures. CloudGoat EC2 SSRF- https://rhinosecuritylabs.com/cloud-security/cloudgoat-aws-scenario-ec2_ssrf/ OWASP Benchmark - https://owasp.org/www-project-benchmark/ Transcripts - https://docs.google.com/document/d/1yZZ4TLlC2sRfwPV7bQmar7LY4xk2HcIo Chapters 00:12 Introduction 00:56 The Lie of Accurate Inventory 05:29 The Lie of Accurate Risk Assessment 08:41 The Lie of Shifting Left in DevSecOps 13:45 The Lie of Certifications Ensuring Security 18:33 The Lie of Reporting Cyber Incidents in 72 Hours 20:44 The Lie of Accurate Application Security Tools 22:07 The Lie of Cybersecurity Not Being a Cost Center 24:44 Conclusion and Recap of Cybersecurity Lies