LESSONS MY TEAM HAS LEARNED FROM THE LOG4J EXPLOIT

Categories: Cyber Security, Risk Management

The recent Log4J exploit seems to have taken many companies by surprise. The team at Cyber Self-Defense, LLC has heard many horror stories about it, and we have heard that companies were not prepared for it.

For years, I have been preaching that cybersecurity is cybersecurity (it is the same, for the most part, for all companies) and that a properly built cybersecurity program should allow you to run your business as usual. While I will be the first to tell you there is no such thing as perfect cybersecurity and that a determined hacker can get in, I will also tell you that you can make it very difficult and quickly detect their presence once they do get in. Building a strategy to enable the business’ success through a risk-based and strategic process is the only effective way to know that your company is investing the right resources.

What is Log4j? Log4j is an Apache logging utility used to record events and configure various features. It was created for many practical purposes and has been built into many Apache-based systems. Unfortunately, criminals are always looking for code (software) flaws that can be exploited, leading to a system or data breach. In this case, some Log4j instances have flaws that can be exploited to leak data and allow remote code execution; essentially, hackers can gain access to systems and/or data. The first fix is to determine whether any of your internal or external systems (don’t forget shadow IT: external systems or solutions that are not known to IT and IT Security, or are minimally understood) are vulnerable, test whether they can be patched, and patch them. If they cannot be patched, mitigate the risk through other techniques.
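Finding every copy of the library is the hard part of the "determine if you are vulnerable" step, especially inside application bundles that nobody remembers deploying. The following Python script is an added example, not code from Cyber Self-Defense or from the Log4j project. It assumes that Maven-built jars carry a pom.properties file at META-INF/maven/org.apache.logging.log4j/log4j-core/, and it recurses into nested archives (wars, ears, fat jars). It only reports locations and versions; deciding which versions need patching is left to the vendor advisory and your patching policy.

```python
"""Added example: inventory log4j-core jars under a directory tree, including jars nested in
wars/ears/fat jars, so their versions can be compared against the vendor advisory."""
import io
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Assumption: Maven-built library jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}


def version_from_pom_properties(text: str) -> Optional[str]:
    """Pull the version= entry out of a Java properties file."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def _scan_archive(archive: zipfile.ZipFile, label: str, findings: List[Tuple[str, str]]) -> None:
    names = archive.namelist()
    if POM_PROPERTIES in names:
        text = archive.read(POM_PROPERTIES).decode("utf-8", "replace")
        findings.append((label, version_from_pom_properties(text) or "unknown"))
    # Shadow IT often hides inside application bundles: recurse into nested archives
    # (WEB-INF/lib/*.jar, shaded or fat jars, zipped deployments).
    for name in names:
        if Path(name).suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(io.BytesIO(archive.read(name))) as inner:
                    _scan_archive(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def inventory_log4j(root: Path) -> List[Tuple[str, str]]:
    """Return sorted (location, version) pairs for every log4j-core found under root.
    Locations inside nested archives use outer!inner notation."""
    findings: List[Tuple[str, str]] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as archive:
                    _scan_archive(archive, path.relative_to(root).as_posix(), findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings)


def _make_jar(entries: dict) -> bytes:
    """Build an in-memory zip/jar from {entry_name: content} (str or bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> List[Tuple[str, str]]:
    """Build constructed sample archives in a temp dir and inventory them.
    The jars and version strings are made up for the demonstration."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(
            _make_jar({POM_PROPERTIES: "version=2.14.1\ngroupId=org.apache.logging.log4j\n"}))
        # A log4j-core jar buried inside a web application archive.
        nested = _make_jar({POM_PROPERTIES: "version=2.3\n"})
        (root / "app.war").write_bytes(_make_jar({"WEB-INF/lib/log4j-core-2.3.jar": nested}))
        # An unrelated jar that must not be reported.
        (root / "other.jar").write_bytes(_make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}))
        return inventory_log4j(root)


if __name__ == "__main__":
    for location, version in demo():
        print(f"{version:>10}  {location}")
```

Run it against a real deployment root instead of the temp directory, and feed the output into the vulnerability management process described further down: the point is that the scan covers all systems, not just the ones IT already knows about.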

Having said all of this, I think we need to talk about the main problem: companies tend to build checkbox-based cybersecurity programs. For instance, a company might download a policy from the internet, perform a find and replace, and then tell the security auditor they have a policy. Unfortunately, they might not have appropriately deployed the policy. We have seen such situations lead to data breaches. A company might have a policy requiring its staff to patch all systems within ten days after testing. They fail if they don’t patch the systems strategically and per the policy. Furthermore, if they don’t test for vulnerabilities regularly, they also fail.

We need to build comprehensive cybersecurity programs based on the business’ needs. Here are my takeaways for what went wrong with companies who were victims of Log4J:

1. The companies we have talked to did not have an enterprise-wide, risk-based, strategic, and fully-implemented program. Many of them had checkbox security.

a. Along these lines, they did not have leaders who understood both the administrative and the technical aspects of cybersecurity. Many fall under IT leadership, where it is challenging to balance security needs with the need for computing assets that are easy to configure and deploy.

b. They lacked FULL executive buy-in and support.

c. Communications up and down the chain of command were lacking.

d. The companies did not have accountable cybersecurity professionals thinking about the business, not just cybersecurity. The business must strike a balance between having a solid technologist, a person with real-world cybersecurity experience (NOTE: cybersecurity and IT are NOT the same thing), and a person who understands the business needs to lead the program. I could spend hours on this part of the discussion; you need a balanced leader, not an IT or IT Security analyst.

2. Many did not have a risk management program that was comprehensive and effective. The company often had a document or program that was too high-level and could not drive the security efforts, so no return on investment could be calculated.

3. Training for all staff should be done in a manner that shows that the company is engaged in the cybersecurity process. Haphazard “check the box training” does not help, nor does “one size fits all” training. If the training is not important to you, it will not be important to your employees.

a. Secure code training is not widely enforced or included in the creation of code and the integration of libraries.

b. System or job role-specific training is not occurring or not comprehensive enough.

c. Training must reach ALL STAFF, including your executives and the Board of Directors.

4. Rigorous code testing. In our world today, code is developed very rapidly, and quality testing of the code package is not done widely enough.

5. Vendor management:

a. We need specific contract language that requires the vendor to provide:

i. Rapid response to issues.
ii. Strong SLAs for security.
iii. Fast communication.
iv. Regulatory requirements.
v. Anything else you require to ensure a solid partnership between the two companies. Again, this could be an article in and of itself; we spend large amounts of time with our customers ensuring that this is covered.

b. Vendor vetting processes:

i. Many IT Departments had no clue that Log4J was a risk; they did not know that they had shadow IT.
ii. Controls to prevent shadow IT. There must be a method of bringing vendors in, while ensuring that they have been thoroughly vetted and meet all of the organization’s needs, not just the department bringing the vendor in.

6. Technologies and processes (in no particular order; your risk assessment should drive the correct order). The following controls should be considered (note this is not meant to be an all-inclusive list, it is intended to push you back to your risk assessment and policies and see if they are appropriately guiding you):

a. DNS firewalls to filter out malicious domains.

b. Web Application Firewalls to detect and prevent inappropriate traffic.

c. Multifactor authentication makes it more challenging to gain access to systems and data.

d. SIEM and SIEM-like tools should be available, properly configured, and tuned to prevent alert fatigue.

e. Complete endpoint protection. Our network boundaries are everywhere; we need all systems to speak for themselves.

f. PROPER and strategic vulnerability MANAGEMENT:

i. Patching should be prioritized.
ii. All systems should be in scope (including external systems).

g. VPN and other remote access tools that validate the system meets the minimum requirements.

h. Encryption of data at rest and in transit.

i. Data leakage protection/prevention.

j. Network segmentation, based on need:

i. No system should talk to another one unless it is appropriate and reasonable.
ii. Corporations should consider blocking traffic from outside their operating areas. This should be planned for and strategically deployed.

k. Least privilege should be enforced:

i. Users SHOULD NOT be local admins.
ii. Administrators should NEVER log in with administrative credentials. They should log in as a normal user and elevate.
iii. Privileged Access Management and Identity Management solutions should be employed.

7. Internal audit processes.

8. Incident Response PROGRAMS.

a. You should have a comprehensive incident response program that contains playbooks and guides your team. I see many IRPs that let you check the box saying you have a plan but cannot be used during an incident.

b. You should train your team!

c. You should equip your team!

d. You should ensure that you conduct drills, tabletop exercises, etc., to practice.

9. Business Continuity planning and management.

As a busy executive or business leader, you need to know that your program is running effectively and that your team is making risk-based decisions. You need to know that the program is built around the needs of the organization. You also need to know that the program is built correctly, so that knee-jerk reactions are not the standard and pre-incident preparedness is the norm. Let us know if we can help you gain a solid understanding of your program!

Cyber Self-Defense is a premier cybersecurity organization that is focused on the success of our customers. Our approach is different from most companies as we have been in many of your roles and understand how to achieve success with limited resources and the need to allow the company to operate at a profit. If you have questions about anything related to cybersecurity or want some help getting on track, give us a call or send us an email. We’re passionate about what we do and are always happy to help!

Happy New Year! More CMMC News!

Categories: Cyber Security, Risk Management

December was a great month for us here at Cyber Self-Defense. As always, we had some amazing opportunities to work with a number of the best customers in the world on some exciting projects. OUR CUSTOMERS ARE THE REASON WE EXIST!

Our CEO, Michael Meline, was selected as one of the first 100 Provisional Assessors for the CMMC (Cybersecurity Maturity Model Certification) program and became a CMMC Registered Practitioner. Toward the end of the month, Nelson Wenner became a CMMC Registered Practitioner. Congratulations Nelson! The Registered Practitioner course is a difficult but very rewarding course.

Cyber Self-Defense became one of 224 companies in the world authorized to help companies prepare for CMMC with our certification as a “Registered Provider Organization”. Cyber Self-Defense also became one of 18 companies in the world authorized to conduct provisional Assessments.
Here are our badges/certifications related to the CMMC:

You can go here to see our status and validate our certifications: https://portal.cmmcab.org/marketplace/

Moving forward, we hope to help answer some of the questions people and companies have about the requirements of CMMC. Please contact us for a non-sales presentation of the CMMC process. Please do not wait until it is too late to become ready; the CMMC is here, and it is NOW!

Here are some links that will help you if you are contracting with the DoD:
https://www.acq.osd.mil/cmmc/updates.html
https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

SolarWinds Orion Data Breach

Categories: Cyber Security, Risk Management

Hello everyone. As many of you know, SolarWinds just suffered a significant data breach. Our CEO, Mike Meline, spent quite a bit of this week researching the compromise and has gathered some details to aid you in your response. We, at Cyber Self-Defense, will continue to monitor and update you.

There is some information available on the breach that shows that in March (or perhaps before), a nation state injected a trojanized DLL, SolarWinds.Orion.Core.BusinessLayer.dll (with a file hash of [b91ce2fa41029f6955bff20079468448]), into the update CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp. After a dormant period (which seems to differ for each compromised system, but is around two weeks), the trojan attempts to resolve a subdomain of avsvmcloud.com (I placed a generic link of google.com into the previously listed link, to prevent someone from accidentally clicking on it and going to the website). The ensuing DNS response points the compromised system to a command and control network.

a. Identification of vulnerability
i. This affects “SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1.”
1. Known affected products: Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1, including:
a. Application Centric Monitor (ACM)
b. Database Performance Analyzer Integration Module (DPAIM)
c. Enterprise Operations Console (EOC)
d. High Availability (HA)
e. IP Address Manager (IPAM)
f. Log Analyzer (LA)
g. Network Automation Manager (NAM)
h. Network Configuration Manager (NCM)
i. Network Operations Manager (NOM)
j. Network Performance Monitor (NPM)
k. NetFlow Traffic Analyzer (NTA)
l. Server & Application Monitor (SAM)
m. Server Configuration Monitor (SCM)
n. Storage Resource Monitor (SRM)
o. User Device Tracker (UDT)
p. Virtualization Manager (VMAN)
q. VoIP & Network Quality Manager (VNQM)
r. Web Performance Monitor (WPM)
2. I recommend that you determine if you have SolarWinds.Orion.Core.BusinessLayer.dll
a. with a file hash of [b91ce2fa41029f6955bff20079468448];
b. [C:\WINDOWS\SysWOW64\netsetupsvc.dll] (unknown hash)
c. If you have Tenable Nessus installed, you can use plugin 62117 to detect SolarWinds Orion and plugin 144198 to detect the specific version believed to have been affected.
b. Actions to take
i. There is an update that should be applied, which came out yesterday and one that will come out today. See https://www.solarwinds.com/securityadvisory
ii. It is recommended that, if you have these products, you:
1. Review logs to ensure that there are no indicators of compromise.
iii. Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1.
1. Analyze for new user or service accounts, privileged or otherwise. (from https://cyber.dhs.gov/ed/21-01/)
2. Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of hosts (e.g., SolarWinds systems) have had connections. (from https://cyber.dhs.gov/ed/21-01/)
iv. Block all traffic to and from any devices that have SolarWinds installed.
v. Monitor traffic.
c. For more information:
i. Please review the SolarWinds advisory at https://www.solarwinds.com/securityadvisory
ii. See the guidance provided by DHS at https://cyber.dhs.gov/ed/21-01/
d. Assistance
i. We do have Tenable Nessus and forensic tools and can run tests for you; please let us know if you need help or further guidance.
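The two checks that do not need a Nessus licence are the ones in items 2 and iii above: look for the named DLLs and compare the hash, and search DNS logs for lookups under the command and control domain. The Python below is an added example written for this post, not code from Cyber Self-Defense, SolarWinds or DHS. It takes the hash, DLL names and domain from the advisory text above, treats the 32-hex-character hash as MD5, and assumes a BIND-style query log format (the regular expression is the assumption; adapt it to your resolver's format). The sample log lines and DLL contents are constructed so the script runs offline.

```python
"""Added example: hunt for the SUNBURST indicators listed above (file hash, DLL names,
C2 domain) across a directory tree and a DNS query log. Defensive triage only."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the advisory text above. The DLL hash is 32 hex characters,
# so it is treated as an MD5 digest.
KNOWN_BAD_DLL_HASHES = {"b91ce2fa41029f6955bff20079468448"}
SUSPECT_DLL_NAMES = {"solarwinds.orion.core.businesslayer.dll", "netsetupsvc.dll"}
C2_DOMAIN = "avsvmcloud.com"

# Assumed BIND-style query log line, e.g.
#   client @0x7f1 10.0.0.5#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)
DNS_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+.*?query: (?P<qname>\S+) IN"
)


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_bad_hash(md5_hex: str) -> bool:
    """Case-insensitive match against the published hash."""
    return md5_hex.strip().lower() in KNOWN_BAD_DLL_HASHES


def triage_dlls(root: Path) -> List[Dict[str, object]]:
    """Report every DLL under root whose name matches the advisory, with its hash and verdict.
    A name match with an unknown hash still deserves a look: netsetupsvc.dll has no published hash."""
    findings: List[Dict[str, object]] = []
    for path in root.rglob("*"):
        if path.is_file() and path.name.lower() in SUSPECT_DLL_NAMES:
            digest = md5_of_file(path)
            findings.append({"path": str(path), "md5": digest, "known_bad": is_known_bad_hash(digest)})
    return findings


def is_c2_lookup(qname: str) -> bool:
    """True for the C2 domain itself or any subdomain. A bare suffix test would also match
    unrelated names such as notavsvmcloud.com, so the separating dot is required."""
    name = qname.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (source_ip, queried_name) for each query that falls under the C2 domain."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        match = DNS_QUERY_RE.search(line)
        if match and is_c2_lookup(match.group("qname")):
            hits.append((match.group("src"), match.group("qname")))
    return hits


def demo() -> Dict[str, object]:
    """Run both checks against constructed sample data (not real artefacts) and return the results."""
    sample_dns_log = [  # constructed log lines
        "client @0x7f1 10.0.0.5#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)",
        "client @0x7f2 10.0.0.8#41877 (host1.avsvmcloud.com): query: host1.avsvmcloud.com IN A +E(0)K (10.0.0.1)",
        "client @0x7f3 10.0.0.9#53012 (notavsvmcloud.com): query: notavsvmcloud.com IN A +E(0)K (10.0.0.1)",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed placeholder content; the real trojanized DLL is not reproduced here.
        (root / "SolarWinds.Orion.Core.BusinessLayer.dll").write_bytes(b"constructed placeholder bytes")
        (root / "unrelated.dll").write_bytes(b"not of interest")
        dll_findings = triage_dlls(root)
    return {"dns_hits": scan_dns_log(sample_dns_log), "dll_findings": dll_findings}


if __name__ == "__main__":
    print(demo())
```

A DLL whose name matches but whose hash does not is reported as `known_bad: False`, not as clean; the advisory gives no hash for netsetupsvc.dll, so that file should be reviewed rather than dismissed. The DNS hit list shows which internal hosts asked about the domain, which is exactly the "small number of hosts" pattern the DHS guidance tells you to look for.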

If you have any questions or would like to discuss this further, don’t hesitate to reach out to us. Stay safe!

UPDATE: Cybersecurity Maturity Model Certification

Categories: Cyber Security, Risk Management

We have all been hearing about Cybersecurity Maturity Model Certification (CMMC).  Cyber Self-Defense has been posting quite a bit about this program as we want you to be well-informed.  As we begin preparations for 2021, I thought I would write another article that answers two of the questions we are asked by everyone who calls us; and we have been receiving plenty of questions.

The first question I receive most often is, “Do I have to be compliant with CMMC?”  My initial response is that as business leaders, it is our responsibility to protect our company and customers.  Cybersecurity is another business risk that MUST be addressed.  This theory does not take into account whether or not you have a legal requirement to do so, so let me dig in some more. A NON-CMMC question I receive often is, “What standard for cybersecurity should I follow?”  My answers vary, based on the needs of the company.  Having looked at many companies, I think a middle of the road approach is the CMMC.  This standard is laser focused and one that allows for certification, without the heavy overhead required by many of the standards.  It is well mapped out and provides a realistic approach to cybersecurity, while being adaptable to the needs of the organization.

Let’s now discuss the “legal” stuff.  I am not an attorney, nor do I play one on television.  What I keep hearing is that the Department of Defense has the ability to hold companies accountable for three times the cost of the contract plus penalties per claim in accordance with the False Claims Act.  If you are currently doing business with the DOD, you are already accountable for compliance.  If you plan on doing business with the DOD, you will (eventually) have to achieve compliance.  In addition, your employees have an incentive to report your non-compliance; they receive between 15% and 30% of any award under the False Claims Act.  I have read that the Department of Justice obtained over $3 billion in settlements and judgments in the fiscal year ending September 30, 2019.  Based on this, I recommend the certification.

Another question/statement we receive is something to the effect of “I am going to wait and see if the DOD will enforce it; I don’t have to be compliant right now, do I?”  On November 23rd, 2020, I received a communication from Idaho PTAC that stated, “Idaho’s PTAC has been made aware of a fast-approaching deadline for prime and sub-contractors working with the Department of Defense (DoD). All contractors must complete and submit a NIST SP 800-171 cyber self-assessment to the DoD Supplier Performance Risk System (SPRS) through their approved vendor, Project Spectrum, in compliance with CMMC requirements. The deadline for this self-assessment is Monday, November 30, 2020. Those who do not complete and submit this initial self-assessment are at risk of losing their contracts with the DoD.”  In every circle I belong to, I am hearing that this WILL be enforced.  If you wait until the last minute, you will not make it!!!  The CMMC is based on maturity, so if you think you will be able to put a plan together at the last minute and pass the certification, you are incorrect!!!  This program is designed to ensure that you are mature, not that you threw something up overnight.

As this is a program that we care about and REALLY want to help you with, please reach out to us for answers to your questions.  We have put together a PowerPoint with key information and this is a free service we offer, to help you with your decision as to whether you should prepare for the certification. Just give us a call at (866) 292-3796 to start the conversation!

COVID-19 Has Created Cybersecurity Issues for My Company; HELP!!

Categories: CISO/Management, Cyber Security, Defensive Tactics, Risk Management

Cybersecurity is always a balancing act.  Good security personnel find ways in which to implement security controls that enable business users and the business.  Good Security leaders make decisions based on quality risk management techniques, ensuring that costs are managed.  What happens when we identify risk that cannot be appropriately mitigated?

With COVID-19, our world has changed, and we have been forced to make decisions.  I have heard from security professionals who say that they are ready to quit their jobs because COVID-19 has opened up a world of insecurity and that “the execs don’t care”.  I submit to you that the executive teams DO care, these professionals simply have not presented the information in a manner that allows for an appropriate decision.

This article is not designed to have people migrate from any specific device or to create a stir in the Android community; it is about finding ways to balance risk.  The Android platform is a great example.

Before I get into the risk management part, let’s use an example that you are likely facing:

Some years back, we (the company I worked for and myself) implemented a Mobile Device Management (MDM) solution.  We then allowed select users (a small test group) to connect their (company owned) devices to segregated parts of the network.  My SIEM quickly lit up, telling me that many (almost all) of the Androids were compromised and communicating with nefarious servers.  I also began to receive complaints from end users that ranged from data being overwritten, to their phones not ringing, after the MDM encrypted the company data on the phones.  Needless to say, we began to investigate and identify problems.  We had to conduct a large amount of research and ultimately concluded that we could not use the MDM solution if our users could not receive great service.  We also could not allow these devices to connect to our network as the data we were accountable for would be placed at risk.

We discovered that applications (apps) riddled with malware were being downloaded from the app store.  We also found that the devices were almost all different, with different parts, different versions of Android, and a variety of problems.  Here is an example story about hacked apps: https://www.forbes.com/sites/kateoflahertyuk/2019/10/30/new-google-android-threat-malicious-app-installed-by-40-million-play-store-users/#759b0b50511e

This morning, I read a Wired article about Qualcomm releasing a fix that will affect around 90% of US users’ Android devices.  The article presents the idea that “A BILLION OR more Android devices are vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported this week.”  The article can be found here: https://www.wired.com/story/over-a-billion-android-devices-are-at-risk-of-data-theft/

Risk Management

In this situation, we have some choices that MUST be made:

  1. We can ignore the issue, citing the fact that users have to be able to perform their jobs.
  2. We can ban the devices.
  3. We can add compensating controls (which must be tested and validated).
  4. We can limit the user experience and lock the devices down.
  5. We can elevate our concerns to management and ask for guidance.

What is the correct answer?  Often, we make assumptions about what other people think that are wrong.  Those Cybersecurity people who are ready to quit can breathe a sigh of relief; so can your executives!

As we deal with this situation, or any other situation, it is critical that we follow basic risk management techniques because the answer is going to depend upon the company, culture, type of data, and a variety of other factors.

As security professionals, we have an obligation to ensure that the company is successful and that the business is enabled through the use of cybersecurity.  With COVID-19, this becomes a widespread concern.  I hear this from customers and other decision makers daily.  They ask me about how they should build secure home environments as their users are working from home.  My answer is ALWAYS, “Consult your risk assessment!”  If your risk assessment does not help you with an answer, I would recommend that you conduct a more mature risk assessment.

Proper risk management begins with discussions about the definitions of risk; each company is different.  This flows into a process of understanding the risk tolerance of the organization.  We then look at the business and determine the risks (this is a lengthy process that should be pages, not lines).  We identify the likelihood and criticality of the risk being realized (I like to score the areas of Compliance Risk, Confidentiality Risk, Integrity Risk, Availability Risk, AND Company Image Risk).  We then calculate the effectiveness of the controls we have in place that mitigate the risk to determine the residual risk.

Here is where it gets fun.  We now must put together a comprehensive plan to address the risks.  This should include multiple options for treating the risk, including the acceptance of risk.  As security professionals, we are accountable to treat the risks we identify when they are within our ability to treat them.  When they fall outside of our reach, we escalate them to management; not with a story of how we will be hacked, but with a discussion about the true concerns surrounding the risk.  We then allow them to make an informed decision.  We document their decision and move on; readdressing the risk when changes occur or upon agreed upon intervals.  This is a cyclical process that must be done anytime something changes and at least annually.

When this process is followed, your risk assessment will guide you.  Security practitioners will be relieved to know that they are not accountable with risk outside their control and executives will know that the security program is not just a money pit, it is a tool for the successful enablement of the business.

NIST 800-171 is being enforced!

Categories: CISO-as-a-Service, CISO/Management, Cyber Security, Risk Management

In October 2017 I wrote how the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 required contractors to implement NIST Special Publication 800-171 by December 31, 2017 regarding data protections and safeguards around Controlled Unclassified Information (CUI).

Similar to the first implementation of the Healthcare HIPAA regulations, we did not see an immediate attempt to audit and enforce the requirements of the mandate.  I stated then that failure to follow the requirements would result in breach of contract with the government (Department of Defense).  After the publication of NIST 800-171, there were many questions around what constituted CUI. Furthermore, if you read the language in government contracts, you will see how ambiguous the definitions of data protection requirements really are.  We’ve discovered that most contracts do not always follow the requirements of the rule; see 252.204-7012 (a):

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Many prime contractors have told us that they are waiting to see what enforcement steps will be implemented and/or until the regulations are fully ratified (the latest version, as of today’s date, can be found at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final, and Revision 2 will be published soon).  These “wait and see” companies felt their partial implementation of the regulation was “good enough.”  We have pushed existing and prospective customers on the fact that there are many risks beyond simply the contractual requirements to achieve compliance, and that doing so early on could save them headaches, costs, fines, etc. in the long term.  At Cyber Self-Defense, we’ve responded to many actual data breaches across many industries which were highly preventable, and we continue to encourage customers to become compliant as soon as possible.  We encourage our customers to get ahead of the curve and develop a risk-based cybersecurity program for the sake of enabling the business’ success, noting that compliance becomes easier and less expensive when done according to the needs of the business and implemented in a manner that is compliant with regulations and contractual requirements.

Well my friends, this discussion has just turned another corner!

In January of this year, the Under Secretary of Defense, Ellen M. Lord, sent a memorandum to a large number of organizations directing them to enforce the provisions of the contracts.  (Found here: https://www.acq.osd.mil/dpap/pdi/cyber/docs/USA000140-19%20TAB%20A%20USD(AS)%20Signed%20Memo.pdf)

Lord asks these agencies to begin auditing for compliance with the requirements.  Specifically:

To effectively implement the cybersecurity requirements addressed in DFARS Clause 252.204-7012 and NIST SP 800-171, I have asked the Director, Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:

  • Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
  • Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

To ensure that a similar approach may be taken at companies for which DCMA does not administer contracts (such as the Secretary of the Navy’s ship building contracts), we will work with representatives of those communities to implement a similar solution.

So, what does this all mean?  We believe this will be similar to what happened with the implementation and enforcement of the HIPAA regulations.  Companies will wait for enforcement to begin, and there will be a mad rush to become compliant.  In the meantime, these companies will be the targets of cybercriminals, they will be the new “low hanging fruit,” and ultimately suffer the negative impact of a breach compounded by the heavy fines or contract cancellations.  We encourage you, if you are not following a cyber security plan which truly enables the business, to prioritize building a comprehensive program.  EVERYONE is an unfortunate target of criminals!

Please don’t delay. The longer you wait the greater the risk of non-compliance becomes. Let us help you solve the mystery of cybersecurity by assessing your current state program and designing and implementing compliance and data protection. Contact us today!

Cybersecurity Leadership (CISO): A Modern Approach to Cybersecurity

Categories: CISO-as-a-Service, CISO/Management, Cyber Crime, Cyber Security, Defensive Tactics, Risk Management

Businesses have a corporate responsibility to secure their own information and the information they have been entrusted with. Many companies believe that this is expensive, not their responsibility, etc. They also assume (usually incorrectly) that the IT department is handling cybersecurity. Most companies lack the talent necessary to build a security program that is cost-effective, enables the business for success, and has the necessary depth. When the Cyber Self-Defense team speaks with companies, they tell us they do not know where to begin. Our answer to this issue is always the same: start by hiring the right talent to make you successful. CISO-as-a-Service® might be your answer!

Talent

At Cyber Self Defense, we often hear that cybersecurity talent is becoming harder and harder to come by. With the increasing level and complexity of cyber attacks, companies are looking for cybersecurity teams to help them to build their programs, yet job requisitions remain unfilled.

Trends

This is what we know:

  • Cybersecurity professionals are demanding more money.
  • Companies are creating positions that are vague, all-encompassing, and that fail to help them to build a comprehensive cybersecurity program.
  • Companies are electing to hire junior professionals who are unqualified to lead the program; with no strategic or leadership experience.
  • Companies are compromising on experience, qualifications, and other critical knowledge factors, just to get someone in the role.
  • Companies are over-spending on technology because they do not have the strategic outlook and risk-based approach which is so critical to any cybersecurity program.
  • Audit pleasing: many companies build their cybersecurity programs to please auditors; they fail to see the need for true security. They also fail to see that a properly built program can be done at about the same cost as a program meant only to “check the box”.
  • Companies add technologies that are just sitting in the racks; we have seen situations where systems are installed with less than 10% of the features configured and used. Please see my article on “Blinky Light Syndrome”.

Common fears of hiring a CISO-as-a-Service®

1. Is the CISO-as-a-Service® a group of professional consultants who have no real-world experience?

  • The one thing we hear from our customers, when wanting to hire a CISO-as-a-Service®, is that they tend to get “professional consultants”. It is important to hire companies who hire individuals with real leadership-level experience building cyber security programs while employed by the company.
  • Professional consultants are great, but unless they have the practical experience of managing a program for an organization, they will struggle to find the correct balance between security and operations. They will also struggle with the political aspects of building a program.
  • Any leader can tell you that there is a huge gap between the professional consultant and someone with full-time experience.
  • You should interview YOUR CISO and determine if he/she has the requisite knowledge and skills to make you successful. We enjoy having people interview us, as they would an internal employee. We would be glad to provide you with a resume of your CISO to show their qualifications.

2. Is there a conflict of interest when a company comes in as a CISO and then sells us their other products and other non-related services?

  • It can be a conflict of interest if your CISO-as-a-Service® professional is a part of a large firm that sells products and other services; occasionally, they tend to push you to purchase their products, meaning the CISO might not have your best interest at heart. Instead of being fully invested in ensuring a purpose-fit program for the company, he/she might be forced to push products and services.

3. How can a part-time company build a program faster and cheaper than our internal employee?

  • A CISO-as-a-Service® professional hits the ground running with the tools, tricks of the trade, and other pieces of information that can make a huge difference in the overall successful delivery.
  • We have discovered that, as a third party, our professional opinions are more likely to be considered. Many times, an internal person must deal with too many internal politics.
  • With a professional company, you do get the collective knowledge of the team. This benefit is critical to your success.

4. I am the acting CISO or want that job; I am the CIO and do not want to look bad; or I have other fears that this company will displace me, my team, or others and/or damage my reputation.

  • As a consultant with experience performing in this capacity, it is our job to make you successful, based on your definition of success. Your CISO should ensure that your company is highly successful in all aspects of the process.
  • It is also our responsibility, as it would be for a full-time CISO, to ensure that we mentor staff and prepare them to take over for us.
  • We should be a core part of the TEAM that is designed to enable the company to succeed.

5. Is a CISO-as-a-Service® just going to come in, drop templates on my desk and have me implement them?

  • No, unless they don’t want to succeed! This person should be YOUR CISO and perform in the SAME capacity, just on a part-time basis.
  • Any templates or other tools that are brought in should be used as a starting point, above ground level, to allow a faster (controlled) implementation. No template is one-size-fits-all; it must be molded to your company. It must have an implementation strategy. It must be your company’s established program, implemented through a formal process that follows your company’s normal flows.

Conclusion

A responsible company knows that to run their company correctly, they must have the correct leadership! Most companies would never ask a corporate attorney to lead the IT department. At the same time, most companies would never place a paralegal into the corporate counsel position.

We believe that the same is true for companies who make the Chief Information Officer (CIO) in direct charge of cybersecurity. Most Chief Information Officers (CIOs) will tell you that they are not comfortable managing cyber security and IT at the same time; these can be conflicting. We’ve also found that companies who place a Security Analyst into the position of strategically building a cybersecurity program will fail to recognize a comprehensive, risk-based, and cost-effective solution that truly enables the business to succeed. Hire the right person for the job and you will reap the rewards of your decision.

We look forward to your feedback on our website: www.cyberselfdefense.org

CISO-as-a-Service®

Cyber Self-Defense was built as a result of a growing demand in the marketplace seeking out knowledge, expertise, and leadership in cybersecurity and risk management. Our clients wanted us to bring in our templates, processes, experiences, and our collective knowledge and put it to work for them. They wanted people who had built programs organically, from the ground up. They wanted people who were known for enabling the business through cybersecurity efforts, not people who shut the business down with high costs and inappropriate rules. This is how we grew into a full-time business which has positively and directly contributed to the success of our clients.

Cyber Self-Defense has years of experience in reducing your cybersecurity risk and we would love to work with you on all your cyber risk needs. We make cybersecurity attainable for all organizations, without inhibiting your ability to work and make a profit. Cyber Self-Defense can be reached at: (866) CYBER-96 or on our website: www.cyberselfdefense.org

Blinky Light Syndrome

By CISO/Management, Cyber Crime, Cyber Security, Defensive Tactics, Risk Management, Tutorials

Far too often, I meet companies who are excited when I arrive. They pull me into their data center and show me their new KYZ 5000 and go on to explain that it has ended all of their cyber security concerns. I review the device and find out that it is plugged in and has a flashing light somewhere in the front and that is the end of the story. Other times, I go to a site and find that the company has just purchased an ABC 1000; plugged it in, turned it on, and perhaps even configured it.

In both cases, I tend to ask what problem(s) the piece of equipment is solving. Most of the time, I hear a story like: “Mike, you don’t understand, Joe down the street just bought one and it has solved all of his problems!”

Unfortunately, I find that these are simply impulse buys or, worse, auditor pleasers. When we actually take a look, they are not working the way the purchasing company believes they are working. I frequently ask the company’s representative how this purchase has helped to lower the company’s risk. They usually give me a blank stare and ask what I mean. I usually ask to see the company’s risk assessment. The person then goes into panic mode and begins a hunt for the risk assessment. After finding the risk assessment (and knocking a year’s worth of dust buildup off), I ask how the purchase has reduced the risks listed in the assessment.

Risk Assessment

It is usually at this point that I must explain that the risk assessment is designed to help organizations manage their security spend, the effects of security on the end user, and the true need for security. After reviewing the risk assessment together, we usually agree that had the organization used the assessment as it was intended, the same spend would have reduced risk a great deal more than the purchase of the equipment; perhaps the piece of equipment reduced the risk by 0.5%, whereas spending the money wisely would have reduced risk by 30%.

Cybersecurity experts MUST be risk managers. They MUST ensure that the security program is being managed to enable the success of the business. When we do not use our risk assessment to perform our duties, we run the risk of overspending, overprotecting, or simply wasting time, money, and resources. It is also crucial for us to understand that our roles require that we understand all methods of treating risk. Many in our community believe that we must throw technology at everything and that it will solve all. Even the vendors (at least the honest ones) will tell you that their technology is one part of an overall strategy.

Many would agree that their technology must be fully implemented from a technology configuration, policy, procedure, and corporate strategy standpoint; having the equipment plugged in, whether configured or not, is only one piece. On that same note, the technology MUST work in harmony with all other security strategies. I have yet to find a tool that will solve all information security problems; as cybersecurity experts we must layer our approach to cybersecurity. Our approach MUST include training, risk management, policy, procedure, company buy-in, and technology. Note that technology is last; without the first pieces, you have Blinky Light Syndrome (BLS).

Blinky Light Syndrome (BLS) describes a device that is plugged in, turned on, but not doing what the owner thinks it is doing or what the owner wants it to do. It can be used to describe either of the scenarios I covered at the beginning of this article.

Conclusion

In conclusion, a risk assessment is not just used once a year to show auditors that you have it. It is a tool that takes on a living role in your success as a cybersecurity expert. It grows with you as you add new processes or technologies, or as the business changes. As your company divests, the risk assessment should be consulted and adjusted to reflect the changes. When you purchase new security tools, your risk assessment should aid you in determining exactly how the solution will need to be set up and configured. At Cyber Self-Defense, we make it our business to help your organization steer clear of Blinky Light Syndrome and equip you to truly be secure!


Your Board May Need a Cybersecurity Expert

By Cyber Security, Risk Management

The Cybersecurity Act of 2017, introduced in March and sponsored by three bipartisan senators, applies pressure to organizations by requiring disclosure of cybersecurity expertise serving on the board of directors. The legislation, if enacted, would enforce this disclosure first for public companies, but it sends a clear message that information security and cyber risk management is a much needed, but lacking, skill for global commerce.