CISO Tradecraft®

This episode of CISO Tradecraft discusses CMMC.  The Cybersecurity Maturity Model Certification (CMMC), is the US government response to the massive amounts of defense-related information compromised over the years from contractors and third parties.  The program will be mandatory for all defense contractors by 2025, and has the potential to expand to the entire Federal government, affecting every entity that sells to Uncle Sam.  CMMC has five levels of progressively more rigorous certification with up to 171 controls based on acquisition regulations, NIST standards, and Federal information processing standards. In addition, there will be an entire ecosystem of trainers, consultants, assessors, and the organizations that support them.  We'll cover those in enough detail so that you can decide if expanding your career skill set into CMMC might make sense.

On this episode of CISO Tradecraft, you will hear about the most prominent Cyber Security Laws and Regulations: The Health Insurance Portability and Accountability Act (HIPAA) advocates the security and privacy of personal health information Administrative Safeguards Physical Safeguards Technical Safeguards The Sarbanes-Oxley Act (SOX) is designed to provide transparency on anything that could cause material impact to the financials of a company Cyber Risk Assessment Identify Disclosure Controls and Policies Implementing Cyber Security Controls Using a Reliable Framework (NIST CSF / ISO 27001) Monitor and Test SOX Controls The Gramm Leach Bliley Act (GLBA) requires Financial Institutions to protect Personally Identifiable Information (PII)  The Federal Information Security Management Act (FISMA) requires executive agencies in the federal government to address cyber security concerns Plan for security Assign responsibility Periodically review security controls on systems Authorize systems to Operate The Payment Card Industry Data Security Standards (PCI-DSS) is a framework required to protect payment card information The General Data Protection Regulation (GDPR) - Data Compliance and Privacy law for European citizens Consent Data Minimization Individual Rights The California Consumer Protection Act (CCPA) - Data Compliance and Privacy law for California residents.  This law provides Californians the right to know what data is collected or sold, the right to access data, the ability to request its deletion, and the ability to opt out of it being collected or sold. The Cybersecurity Maturity Model Certification (CMMC)- combines various cybersecurity standards and best practices and maps these controls and processes across maturity levels for Department of Defense contractors.

This episode of CISO Tradecraft is all about IPv6, featuring Joe Klein.  IPv6 is becoming the dominant protocol on the Internet, and CISOs should understand the implications of how their enterprise is potentially vulnerable to attacks that may come from that vector, as well as be aware of defenses that may originate from an effective IPv6 deployment.  This broadcast will cover the business cases for IPv6, the technical differences between IPv4 and IPv6, and the security implications of implementing this protocol correctly and incorrectly.

On this episode of CISO Tradecraft, you can learn how to build an Application Security program.  Start with Key Questions for Security IT Operations Application Development/Engineering Groups Identify Key Activities Asset Discovery Asset Risk Prioritization Mapping Assets Against Compliance Requirements Setting up a Communications Plan Perform Application Security Testing Activities SAST DAST Vulnerability Scanners Software Composition Analysis Secrets Scanning Cloud Security Scanning Measure and Improve Current Vulnerability Posture through metrics The number of vulnerabilities present in an application The time to fix vulnerabilities The remediation rate of vulnerabilities The time vulnerabilities remain open Defect Density - number of vulnerabilities per server We also recommend reading the Microsoft Security Developer Life Cycle Practices Link For more great ideas on setting up an application security program please read this amazing guide from WhiteHat Security Link If you would like to improve cloud security scanning by automating Infrastructure as Code checks, then please check out Indeni CloudRail Link

What is measured gets done.  However before you measure you need to think about how best to measure.  On this episode of CISO Tradecraft, we provide you new insights into optimizing metrics that matter.   What is a Metric? Metrics drive outcomes.  Before picking a metric consider the following: What data is required? What stories can it tell? What questions does it invite? How sustainable is it? When you report metrics highlight three things: Status or Measure- Where is your company right now? Trends- What direction is your company headed? Goals- A description of where your company wants to be Goals or Metrics should be SMART: Specific, Measurable, Achievable, Realistic, and Time-based For a helpful list of metrics that you might consider please check out the following list from Security Scorecard Link Thank you again to our sponsor CyberArk, please check out their CISO Reports.

On this episode of CISO Tradecraft, you can learn the 10 steps to Incident Response Planning: Establish a Cyber Incident Response Team Develop a 24/7 Contact list for Response Personnel Compile Key Documentation of Business-Critical Networks and Systems Identify Response Partners and Establish Mutual Assistance Agreements Develop Technical Response Procedures for Incident Handling that your team can follow: External Media - An alert identifies someone plugged in a removable USB or external device  Attrition - An alert identifies brute force techniques to compromise systems, networks, or applications.  (Examples Attackers trying thousands of passwords on login pages) Web - A Web Application Firewall alert shows attacks carried out against your website or web-based application Email - A user reports phishing attacks with a malicious link or attachment Impersonation - An attack that inserts malicious processes into something benign (example Rogue Access Point found on company property) Improper Usage - Attack stemming from user violation of the IT policies.  (Example employee installs file sharing software on a company laptop)  Physical Loss- Loss or theft of a physical device (Example employee loses their luggage containing a company laptop) Classify the Severity of the Cyber Incident Develop Strategic Communication Procedures Develop Legal Response Procedures Obtain CEO or Senior Executive Buy-In and Sign-off Exercise the Plan, Train Staff, and Update the Plan Regularly To learn more about Incident Response Planning, CISO Tradecraft recommends reading this helpful document from the American Public Power Association If you would like to automate security reviews of infrastructure-as-code, then please check out Indeni CloudRail Link

Special Thanks to our podcast Sponsor, CyberArk.   Experienced CISOs know that it's not a matter of if, but when.  Incidents happen, and there is an established response strategy nicknamed PICERL that works:  (P)reparation  (I)dentification  (C)ontainment  (E)radication  (R)ecovery  (L)essons Learned If we "shift left" with our incident planning, we can minimize our organizational risk -- thorough preparation, including establishing an environment of least privilege, significantly increases the challenge for an attacker, buys us time to identify early, and limits the damage potential from an incident.   This episode features Bryan Murphy, the Incident Response team leader at CyberArk.  His insights from managing dozens of responses are invaluable, and they are now yours through this special episode

On this episode of CISO Tradecraft, you can learn about the new Executive Order on Improving the Nation's Cyber Security.  The episode provides a brief background on three security incidents which have influenced the Biden administration: SolarWinds Microsoft Exchange Servers Colonial Pipeline Attack The episode then overviews the various sections of the new Executive Order: Policy Removing Barriers to Sharing Threat Information Modernizing Federal Government Cybersecurity Enhancing Software Supply Chain Security Establish a Cyber Safety Review Board Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks Improving the Federal Government’s Investigative and Remediation Capabilities National Security Systems Thanks to CyberArk for sponsoring this episode.  Please check out CyberArk's new conference

This episode is sponsored by Indeni.   On this episode of CISO Tradecraft, G Mark Hardy discusses with Yoni Leitersdorf (CEO and CISO of Indeni) the risks which can occur in a cloud environment after it has been provisioned. Essentially it's quite common for organizations to change their cloud environment from what was declared in a Terraform or Cloud Formation Script.  These unapproved cloud changes or Cloud Drift often create harmful misconfigurations and have the potential to create data loss events. The podcast discusses the pros and cons of two key approaches to solve the Cloud Drift problem: Static Security Testing in a build pipeline Runtime Inventory Approaches  The podcast features Yoni Leitersdorf.  Yoni founded a company (Indeni) to address Cloud Drift and discusses the business point of view of why this is a critical concern for the business.  If you would like to learn more about what Yoni is working on please check out Indeni   Yoni Leitersdorf can also be found on: LinkedIn Twitter

Identity is the New Perimeter.  On this episode of CISO Tradecraft you will increase your understanding of Identity and Access Management.  Key topics include: Audit Trail Authentication Authorization Identity Compromise Least Privilege Microsegmentation Multi Factor Authentication (MFA) Privileged Access/Account Management (PAM) Role Based Access Control (RBAC) Single Sign On (SSO)