CISO Tradecraft®

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job? Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/ Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/ Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS Chapters 00:00 Introduction 06:02 The 4 Questions that allow you to measure twice cut once 09:29 How Data Flow Diagrams help teams 16:04 It's more than just looking at threats 19:23 Chasing the most fluid thing or the most worrisome thing 22:00 All models are wrong and some are useful 26:25 Actionable Remediation 31:05 LLMs and Threat Models

There's a lot of new cyber attacks occurring and today we are going to talk about them in more detail.  Many bad actors are using SMS spoofing and Social Engineering to get in.  Listen in an learn about how those attacks played out against the casino industry. You don't want to miss when we share what you can do to stop them.  Pro-tip: Good MFA is your friend.  Use it everywhere you can including on your employees and customers during phone calls.   Big Thanks to our Sponsor Risk3Sixty - https://risk3sixty.com/whitepaper/ Mandiant Post - https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware Rachel Tobac Post - https://www.linkedin.com/feed/update/urn:li:activity:7108040643905474562  Transcripts: https://docs.google.com/document/d/186g8y_8wMcBPwdaiFjduhRiXC88ice0T/ Chapters 00:00 Introduction 01:06 Improving the Attacker Odds at the Casino 04:09 SEC 8-K filings 13:28 MGM Timeline of attack 16:55 What can we do against these attacks? 22:51 Upgrading your MFA 24:16 Custom Authentication Strength 27:11 New Social Engineering Attacks 32:31 OKTA attacks

Have you ever thought about what does it mean to say there has been a material incident? How is materiality determined? What is the history of how that term has been defined by U.S. Regulators. Listen to today's show and increase your CISO Tradecraft Big Thanks to our Sponsors Risk3Sixty - https://risk3sixty.com/whitepaper/ CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at www.cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach! Transcripts https://docs.google.com/document/d/1h7IBZI27ZOg4nxec2fCBmrX0c-0O15Zr  Link to FAIR-MAM https://www.fairinstitute.org/resources/fair-mam Chapters 00:00 Introduction 02:16 What is the concept of material? 07:08 Investors increasingly seek information 11:21 Title 17 of the US Code Part 242 17:38 Backup and Recovery that is Resilient and Geographically Diverse 22:10 The New SEC requirements 26:38 Reporting Cyber Incidents 31:40 FAIR-MAM

On this episode we overview the CIS Document titled, "The Cost of Cyber Defense". https://www.cisecurity.org/insights/white-papers/the-cost-of-cyber-defense-cis-controls-ig1 Big Thanks to our Sponsors Risk3Sixty - https://risk3sixty.com/whitepaper/ CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach! Transcripts https://docs.google.com/document/d/1TAltDwJxQg9MqVRNCCgwIJa1a3WKpep5---WVOUsdLE/  Chapters 00:00 Introduction 01:30 What are the CIS Critical Security Controls? 03:00 How have the CIS Critical Security Controls evolved over time? 05:30 What are the benefits of implementing the CIS Critical Security Controls? 07:30 The three crucial questions for implementing the CIS Critical Security Controls 10:30 How to prioritize the CIS Critical Security Controls 12:30 What are Implementation Groups? 13:37 Enterprise Profiles 14:00 Why are Implementation Groups important? 15:30 How to choose the right Implementation Group for your organization 19:46 Cost Breakdown 23:16 Thoughts on the CIS Study

In this episode of CISO Tradecraft, we delve into the evolving landscape of cybersecurity regulations. From data incident notifications to required contract language, we uncover common trends and compliance challenges. Learn how to prepare, adapt, and network within your industry to stay ahead. Tune in for insights and tips! Thanks again to our Sponsors for supporting this episode: Risk3Sixty: Check out Risk3Sixty's weekly thought leadership webinars and downloadable resources at https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise! References AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/ Secure Controls Framework: https://securecontrolsframework.com/scf-download/ Transcripts https://docs.google.com/document/d/1RplLpZCMw8foLu9oqkZs1_A2aIbYk1Xo/ Chapters 00:00 Introduction 04:28 Meeting Cybersecurity Controls and Understanding Applicable Regulations 11:28 Ensuring Compliance with Laws and Regulations 15:42 Handling Regulatory Change: Mapping Controls & Tracking Requirements 22:02 Navigating Regulatory Changes and Ensuring Compliance

Here's a nice overview of cybersecurity on passwords, authentication, rainbow tables, and password managers. Enjoy the show and check out our other podcasts. Special Thanks to our Sponsors: Risk3Sixty: Being able to clearly articulate your vision for your security program to the board and other executives within your firm is critical to obtaining the buy in you need for your program's success. Risk3Sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise! Transcripts: https://docs.google.com/document/d/1BD6LnITOpq6wrM2CsJzCHefN0Dw4hFp9  Chapters 00:00 Introduction 02:02 Evaluating Password Management Solutions and Design-Making Approaches 05:36 Password Security and Authentication Methods 27:25 Background Sanitization, Password Storage, and Login Screen Risks 28:52 The Importance of Commercial Password Managers and Security Threats 31:27 Considerations for Choosing a Password Manager

Join us at the heart of Hacker Summer Camp for insights into the cybersecurity world! Discover the art of asking powerful questions that can change your career and impact others. Learn how CISOs assess cyber solutions and how startups can win their attention. Uncover the secrets of building connections and value through meaningful inquiries. Don't miss this episode featuring expert advice on navigating the cybersecurity landscape. Special Thanks to our Sponsors: The Chertoff Group: https://www.chertoffgroup.com CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, and zero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us! Transcripts: https://docs.google.com/document/d/1qf9kH9a5rPlK8zaOWXGAp0-E6p7PNNuT/ Chapters 00:00 Introduction 01:49 How to Get More Sales at Blackhat 05:57 How to Differentiate Yourself From the Competition 10:05 How to Solve a Priority Problem 16:07 How to Achieve Bigger Goals Through Accelerating Teamwork 18:13 How to Find a CISO Job 20:30 How to follow a Rich Dad's Advice 22:59 How to Create an Opportunity Not Just for Yourself, but for Others 24:18 How to Create Value for Others 26:20 How to Provide Value to Others 28:21 The Power of Open-Ended Questions as a CISO 32:33 How to Ask Powerful Questions

On this episode, David London and Adam Isles from the Chertoff Group stop by to discuss emerging risk topics such as AI, Supply Chain Attacks, and the new SEC regulations. Stick around and learn the tradecraft to better protect your company. Special Thanks to our Sponsors: The Chertoff Group: https://www.chertoffgroup.com.Note you can read more about their thoughts on AI here: https://www.chertoffgroup.com/managing-ai-risks/ Prelude: https://www.preludesecurity.com/ CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, and zero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us! Transcripts: https://docs.google.com/document/d/1tW0kOYCURXgRF-z7UqeQGga0zAkwGuZ9/ Chapters 00:00 Introduction 02:33 The SEC's Final Rule on Cybersecurity Disclosure 05:29 What is a Material Incident? 07:13 The Commission's Final Rule on Board Engagement in Cybersecurity Risk 10:03 The Four Day Rule for Incident Reporting 12:46 The Implications of the New Role of the CISO 15:46 The Ticking Clock on Disclosure 18:31 SolarWinds and the Software Chain Security Exposure 19:53 The Role of the Software Bill of Materials (SBOM) in the Software Supply Chain Security Challenges 21:29 The Rise of the SBOM 23:16 The Rise of Expectations in the U.S. Government 25:02 The Future of Software Security 27:22 The Progress of the CMMC Program 29:59 The SEC Disclosure Requirements: What to Expect From Your Board 31:57 How to Reduce Complexity in Your Software Develop

Don't let Bobby the Intern cause havoc in your network. On this episode of CISO Tradecraft, G Mark Hardy discusses the importance of training new hires in cybersecurity to create a strong security culture within an organization. The focus is on shaping employees' behavior and beliefs to enhance the overall cybersecurity posture. Special Thanks to our Two Sponsors: 1) The Chertoff Group: www.chertoffgroup.com 2) Prelude: https://www.preludesecurity.com/  Transcripts: https://docs.google.com/document/d/1Z4ftmqZdUMkxD6ATRRLp0EmO_DVluQ4n Chapters 00:00 Introduction 03:57 How to Build a Security Culture 07:19 The Importance of a Good Username and Password 11:24 How to Use MFA to Protect Your Brand 12:50 How to Teach Your Employees About Phishing 17:07 How to Deal with External Email Addresses 20:30 How to Avoid a Business Email Compromise 22:42 How to Protect Your Website from Attackers 24:40 How to Secure Your Applications 26:46 The Importance of Threat Modeling 30:48 QR Codes and How to Use Them Effectively 32:34 Delaying Desktop Patches 34:36 How to Teach Your New Hires About Security 36:30 How to Orient Your New Employees

On this episode we bring on CIA Veteran James "Jim" Lawler to discuss how spies are recruited, how individuals are turned, and what makes them vulnerable to being turned. Learn what managers and executives can and should know about their people to help them better understand who's at risk and the types of programs that executives can put into place to stop insider threats. Special Thanks to our Two Sponsors: 1) Prelude: https://www.preludesecurity.com/ 2) Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. Learn more at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser Be sure to read Jim's books 1) Living Lies: A Novel of the Iranian Nuclear Weapons Program https://amzn.to/3Y5x2Sc 2) In the Twinkling of an Eye: A Novel of Biological Terror and Espionage https://amzn.to/43EkvpE  Chapters 00:00 Introduction 02:24 The Importance of Recruiting Insiders 08:06 How to Be a Successful Case Officer 11:09 The Importance of Identifying Vulnerabilities in Insider Threats 14:00 The Cockamamie Recruitment Pitch Scheme 18:50 The Importance of Rationality in Espionage 21:10 The Complex Motivations for Espionage 23:49 The Key to Stress in a Target Life 27:34 The Importance of Listening to Your People 30:02 How to Be a Good Leader 35:02 The Metaphysics of Recruitment 37:31 How to Firewall a Threat to Your Organization 41:00 Living Lies 44:49 How to Be a Better Writer 49:31 How to Be a Better Threat Manager