Tuesday, December 29, 2020

Cyber Security ROI for the CEO - Part One - The Roadmap Dilemma

"...life's little dilemma - understanding too late that it is far better to experience a short period of rejection, than a lifetime of regret...".

What we will discuss in this section:

  • Before you can have a workable roadmap, you must know where you are
  • How to accurately define the current state
  • Where do you want to be, really....the "desired end state"
  • How will you measure success...are you being honest?
  • How will you call the ball between IT and Cyber Security (yes, they will disagree)
  • What is your business's appetite for change?
  • Call to Action - Your CEO action plan

Setting the stage

It's an inconvenient truth that business leaders are demanding; it's in their nature, and that's a good thing. The problems start when business leaders assume that the things that motivate the Sales Department should also motivate the Cyber Security Department.

Every good Leader needs a roadmap that is understandable by mere mortals. Nothing beats a great strategy, and a roadmap is a strategic document. Problems begin when you inherit someone else's dream (a.k.a. roadmap), when you are unsure about what actually constitutes a useful roadmap, or when you assume that the business is in alignment with your roadmap.

Before you can have a workable roadmap, you must know where you are

So, let's discuss what constitutes a useful and strategic Cyber Security Roadmap...

Everything we do in the business world revolves around "...the business state model...". There are three "states" in the business state model: (1.) everything that has happened in the past; (2.) everything that is happening now; and (3.) everything that will happen in the future. Your roadmap must take these three states into account.

How to accurately define the current state

The Roadmap and "everything that has happened in the past": This is where we are "now". Things that happened in the past (we're going to use the People, Process and Technology approach) allow us to understand the "services" [Think ITIL service catalog] that the Cyber Security Teams are delivering now to the business. 

This is a good start. A better start, however, is to discuss with your business stakeholders / customers what "services" they REQUIRE from the Cyber Security organization in order to deliver capabilities, products and services back to the business and its customers.

This is the backbone of gaining agreement on "how success is measured" by your business stakeholders and will enhance your understanding of the current state. 

Your business stakeholders should be able to tell you what they need from you. It will probably be messy (chances are no one from Cyber Security has ever asked them before). You should be able to take the business stakeholders' "desirements" and map them to the capabilities of your tools - People, Process and Technology - because these are your tools. A thorough analysis of this will drive a capabilities/services gap analysis.

Where do you want to be, really....the "desired end state"

Once you have discussed business "desirements" with your stakeholders, you have an outline of the "business requirements". Now you, as the knowledgeable professional, need to identify the hidden dependency relationships between the "desirements" and the capabilities of your tools (People, Process and Technologies [PP&T]), and identify the gaps that will inhibit service delivery in the near and long term.

This "gap analysis", when completed, should be discussed frankly with the CEO and CFO (chances are that you will need additional PP&T). Each "gap" should be aligned with a business-driven service delivery requirement and the name of a business stakeholder, reporting to the CEO, who requires that cyber security service to deliver critical capabilities in support of strategic business goals. Expect the CEO and CFO to say, "...show me...".

The "desired end state" is that state where three things must happen:

  1. Cyber Security and IT service delivery are completely aligned with the business, with zero negative business outcomes in the delivery model.
  2. Cyber Security and IT service delivery capacity planning is proactively discussed with your business stakeholders to the point that service delivery is ready BEFORE business growth milestones need that capacity. Think of this as "just in time" service delivery.
  3. A note of caution - If your tools (People, Process and Technology) are too lean, your ability to increase service delivery at the optimal tempo to support business success will inevitably compromise business product delivery to meet expanding business opportunity. Your PP&T should be at a 75% utilization rate during times of expected business expansion AND you should have a plan to reduce costs [PP&T] during times of business contraction.

If you cannot deliver business critical Cyber Security Services in this manner, you will, in essence, become a net inhibitor of business success. Needless to say, this is not good.

How will you measure success...are you being honest?

Here is the uncomfortable reality. Your success or failure will be measured (as it should be) by your business stakeholders.

For this reason, it is essential that before you begin work on delivering what is in your "roadmap" that you and your business stakeholders completely agree on how success is measured.

I use the term "completely agree" because we humans are social creatures: we will say one thing in public and another in private. Make sure that you are meeting early and often with each stakeholder one on one, and listen carefully to what they are telling you that they require. Do not be shocked if the term "require" comes out as "want" in the Board Room.

Successfully Managing Change

This is where your "steering committee" comes into play (a critical component of your successful roadmap). The goal of the steering committee is to channel the public and private expectations of your stakeholders into a public forum: to drive agreement on "how success is measured", to agree on the roadmap, to approve funding, to discuss, understand and mitigate risks, to own the human impacts of change within your organization that successful delivery of the roadmap will inevitably cause, and to support strategic investment when IT and Cyber Security disagree on service delivery.

Last but not least is your empathy. 

As a Cyber Security Leader, you must begin, now, to mentally align yourself with understanding and internalizing the fact that your business stakeholders will define the corporate appetite for risk and that this will, on occasion, run counter to what you think is best for the business.

This is inevitable, get used to it. Remember, it's not personal, it's just business.

CALL TO ACTION:

  1. What "services" are business critical for your Cyber Security Organization to deliver to your business stakeholders?
  2. Are your Cyber Security "tools" [ People, Process + Technology] available in adequate quantity to deliver in the short term as well as "surge" to deliver in support of planned business growth?
  3. Are you confident that your Cyber Security & IT Leaders understand what is "business critical" and that they are managing People, Process and Technologies in ways that completely support that criticality?
  4. Are your Cyber Security and IT tools aligned with your risk, compliance and audit requirements? Are "artifacts" generated without labor dollars to the greatest extent possible?
  5. Is your Executive Team in alignment as to their role in Corporate Change Management? You might want to look for a local PROSCI change management consultant to minimize and mitigate the human impacts of change.

Global Leaders in Change Management Success

Copyright © 2020 by "the Secret CISO"

All Rights Reserved.

Cyber Security ROI for the CEO - Introduction

Glad you stopped by. In doing so, you are separating yourself from the herd, in a good way. You are here because you have questions, questions people have given you answers to, but in your mind those answers are just not adding up.

You are in good company and you are not alone.

In this series of related articles, we will provide you, the business decision maker, with knowledge that will allow you to make better informed business decisions about your past, present and future Cyber Security spending, the risks to your company based on past decisions (People, Process and Technology), and some recommendations on a smooth, least disruptive path forward.

What you choose to do with the answers to those questions is up to you....

Before we get started, ask yourself this question: "...do I want my business to be safe or strong?..."

OK...Let's get started...

Part One: The Roadmap Dilemma

Part Two: Risk Management

Part Three: Ransomware Prevention

Part Four: Compliance and Audit

Part Five: Cloud "stuff"

Part Six: People, Process and Technology

Part Seven: Incident Response Realities

This list may expand as we move through the topics above, so stay tuned and enjoy the ride!

This series of articles is brought to you by 180AConsulting, a boutique Cyber Security consulting firm. You can reach us, if you wish, via

Robert@180AConsulting.com

Friday, December 25, 2020

...the "Island of Authentication" Concept...

..."Islands of Authentication"... or "IoA". I've used this term for so long that I assumed it must be part of the lexicon and the concept well understood...and I am mistaken.

No one understands what I mean when I use this term, so I am claiming this term for "180A Consulting" and the "Secret CISO".  Take that!  Bembridge Scholars!

But...what you ask... are "Islands of Authentication" [IoA]? 

IoA are technologies or software applications that are so critical, so capable or so high risk that the risk of integrating them into your centralized authentication capabilities / technologies is unacceptable; they keep their own, separate authentication.

# # # # #

Microsoft's Active Directory technology is a great boon to both Cyber Security and Convenience, however, it comes with risks that their marketing department would rather not talk about.

The internet is rife with stories about security problems with the "windows operating system", and make no mistake, Active Directory is a part of the Windows Operating System's DNA - you cannot remove it without crippling the operating system.

Don't believe me? Take a look here: https://adsecurity.org/

This website is a rabbit hole the Cyber Security student could fall down and never emerge from. If you are a Cyber Security newbie and you can muddle through this website, you will come out the other end a changed person.

# # # # #

Think about this...Ransomware.

Did your heart kind of skip a beat?  Mine too...  

Star Lord said it best...

# # # # #  Disclaimer - the following is not FUD (fear, uncertainty and doubt), ask around...the following scenario is DRAMATICALLY simplified  # # # # #

A timely example of why Islands of Authentication are "business critical".

SUNDAY:  Your sysadmin "Sam" goes home over a long holiday weekend, gets bored, surfs some porn and downloads some bittorrents. Since Sam is a knowledgeable and lazy professional, his/her laptop account is a "local admin". The malware that came with the porn download (let's call it TINKERBELL) and is now sniffing around his/her laptop is therefore also a "local admin".

MONDAY - 08:59:  Sam walks into the office, plugs into your Corporate network and the malware (TINKERBELL) begins exploring your business network...

Next, Sam switches to his/her "elevated privilege" account "Sam-ADMIN" (catchy...who would want to crack that account...am I right?) and logs into your "backup" software system using Microsoft Active Directory.

MONDAY - 9:00 A.M.:  Now Tinkerbell "owns" your backups for all of your critical corporate systems, AND, since your backup software knows where your disaster recovery site is, Tinkerbell now knows too.

MONDAY - 9:02 A.M.:  Tinkerbell goes to work. Tinkerbell phones home for an encryption key to lock you out of your Disaster Recovery Site and the backup data at your DR site. Since you're using a SIEM and not a SOAR, your pricey SIEM will send you a report in a week about Tinkerbell phoning home for tools to destroy your business. Silly Wabbit!  Tinkerbell has also been busy...

MONDAY - 9:03 A.M.:  Tinkerbell used the "Sam-ADMIN" account to take control of your Microsoft Active Directory servers AND your AZURE Cloud infrastructure. Your IT staff is beginning to notice that something is amiss; however, your super duper SIEM hasn't reported anything, so no one is worrying (you never configured your SIEM to perform "real time alerting" because, "...that's hard..."), but that's not all!

MONDAY - 9:04 A.M.:  Tinkerbell is getting ready to change the passwords on all of your "human-name-ADMIN" Microsoft Active Directory accounts (I mean, really? Adding ADMIN to the USERID? Could you make it any easier? I guess you could just post the USERIDs and PASSWORDS on REDDIT, but I digress...). Someone should have told you about the concept of the Privileged Access Workstation, but that's a topic for another episode...

MONDAY - 9:05 A.M.:  Tinkerbell strikes.  

  • Your DR site backup copies are now encrypted - you can no longer use them to recover your business...
  • Your routers and WAN routers are down (Tinkerbell used your RADIUS integration into Microsoft Active Directory to "own" your CISCO network too, clever girl!)
  • Your AZURE Cloud systems now belong to Tinkerbell (you synchronized your on-premises AD to AZURE for the sake of "convenience").
  • Your HR systems now belong to Tinkerbell
  • Your FINANCE systems now belong to Tinkerbell (where did all the money go?)
  • Your SALES FORCE systems now belong to Tinkerbell (your "cloud single sign on" system was using the Sam-ADMIN account...oops!).
  • Your VPN concentrators now belong to Tinkerbell 
  • Your VOIP Telephone Systems now belong to Tinkerbell  
  • Your public websites have been defaced, telling EVERYONE about Tinkerbell's takeover of your business!
  • Your business partners have received an email from Tinkerbell announcing the takeover
  • Your employees have received a courteous text message announcing the takeover and the terms of the Ransomware Attack

And...since all your systems are integrated into Microsoft Active Directory there is NOTHING that you can do, you cannot even log into any of your systems.  Tinkerbell is the new CEO.
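To make the concept concrete, here is an added example (not code from the original post) that models the scenario's trust relationships as a graph and compares how far a single compromised AD identity reaches with and without Islands of Authentication; every system name and classification below is constructed.

```python
"""Blast-radius model for the "Islands of Authentication" (IoA) concept.

Added example, not code from the original post. Every name below is a
constructed stand-in for the scenario's systems. An edge A -> B means
"control of A yields control of B", e.g. an AD-integrated backup server,
RADIUS pointed at AD, or on-prem AD synchronised to the cloud directory.
"""
from collections import deque

# Constructed trust edges for the "everything integrated into AD" design.
CONVENIENCE_DESIGN = {
    "corp-ad": ["backup-server", "radius", "azure-ad", "hr", "finance", "cloud-sso"],
    "backup-server": ["dr-site"],          # backup software knows the DR site
    "radius": ["routers", "vpn", "voip"],  # network gear authenticates via RADIUS
    "azure-ad": ["azure-cloud"],           # on-prem AD synchronised to Azure
    "cloud-sso": ["salesforce"],           # cloud SSO tied to the same identity
}

# Systems whose loss stops the business (constructed classification).
CRITICAL = {"backup-server", "dr-site", "routers", "vpn", "finance", "azure-cloud"}


def blast_radius(trusts, compromised):
    """Return every system reachable from one compromised node (BFS)."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for child in trusts.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    seen.discard(compromised)
    return seen


def make_islands(trusts, islands):
    """Cut the listed systems out of centralized authentication.

    An island keeps its own outbound dependencies but no longer trusts any
    other source, so no inbound edge (and no central identity) reaches it.
    """
    return {src: [dst for dst in dsts if dst not in islands]
            for src, dsts in trusts.items()}


def exposed_critical(trusts, compromised, critical=CRITICAL):
    """Critical systems a single compromised identity source can reach."""
    return sorted(blast_radius(trusts, compromised) & critical)


if __name__ == "__main__":
    print("AD compromised, convenience design:",
          exposed_critical(CONVENIENCE_DESIGN, "corp-ad"))
    ioa = make_islands(CONVENIENCE_DESIGN, {"backup-server", "dr-site", "radius"})
    print("AD compromised, with islands:     ",
          exposed_critical(ioa, "corp-ad"))
```

The "show me" answer for the CEO is the first list: with backups, the DR site and RADIUS carved out as islands, the same AD compromise no longer reaches them, which is exactly the case the scenario makes.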

# # # # #

You get the idea...

In this day and age, convenience is one of the primary enemies of your Business - as far as Cyber Security, Risk and Compliance are concerned, not to mention the safety and security of your Intellectual Property and Trade Secrets...

# # # # #  Disclaimer - the preceding is not FUD (fear, uncertainty and doubt), ask around...the preceding scenario is DRAMATICALLY simplified  # # # # #

Talk to your CIO and your CISO, if they are "leveraging convenience", maybe you need a second opinion?

Give us a call here at the home of the Secret CISO....we can give you a trusted second opinion...

...human error's impact on Cyber Security...

Human error's causes and impacts as they relate to Cyber Security and your business. Pro Tip:  if you can automate it, and it makes financial sense based on risk, then do so.

One of my personal favorite topics.

Excellent, well written, thought provoking research. There is a vendor data collection hurdle, but it's worth the effort.

A great, timely read and a great way to exercise your brain on a day.

Research Paper Link

Wednesday, December 23, 2020

...will your Cyber Security tools lead to your compromise...?

The "dark side" utility of the Cyber Security Tools you own.

Tools vs. Concepts...it's a conundrum. You purchase a Cyber Security tool [hopefully] understanding full well the value proposition from a risk mitigation perspective, AND, before implementation, you fully understand how to best configure it to deny your attackers the inherent "dark side" utility of that very same tool.

Of course we do! We're professionals!

With the normal holiday slowdown, now would be a great time to have a look at all of your shiny Cyber Security Tools, ensure that you fully understand their "dark side utility", and confirm that you have implementation mitigations in place to deny that utility to any attacker.

Have a look at my series here [or on LinkedIn], "The Year of Anti-Ransomware", for some tips, or feel free to reach out directly via "the_Secret_CISO@Protonmail.com"

Shout out to John Lambert for the graphic and the timely reminder.

Saturday, December 12, 2020

...if you own a SIEM, there is only one thing that actually matters...

Your SIEM is good for one thing and one thing only: REAL TIME ALERTING. If you are wasting time, labor dollars, etc. on historical reporting from your SIEM, you need to fire yourself, right now!

Want the biggest bang for your Cyber Security investment dollars? Give a listen to the King of the SIEM Value Proposition, Randy Franklin in his upcoming webinar...

Relevant, awesome SIEM training

Randy is the real deal, a true Thought Leader

Your business decision makers and Board will thank you for the reduction in your Risk Profile!

Friday, December 11, 2020

new OWASP Web Security Testing Guide - FREE


What are your risks and exposure on your public web points of presence and APIs?

Value added network payment gateways?

If you don't know, are not sure or your team is not tracking these, now would be a great time to begin.

The folks over at OWASP released this week an update to their Web Security Testing Guide. This is the platinum plated, gold standard for web application security.

If you're already using this toolset, great! If not, now would be a good time to have a look at adopting it.

Updated OWASP Web Testing Guide

The bigger they are, the harder they fall....

Never, ever, rest on your laurels....the work required to stay on top is WORK, it never stops...

Well, there goes the neighborhood. Even the great Cyber Security Companies make mistakes.

FireEye, certainly a Tier One Cyber Security Tools provider, announced that its intellectual property has been stolen by a Nation State Actor.

To their credit, FireEye is making available, free of charge, their "...counter measures tools..." to allow you to detect an offensive attack that is using these stolen tools against your business.

Today would be a good day to task some internal resources with a proactive and in-depth risk assessment of your potential vulnerabilities.

Original Press Release
