CISO Tradecraft®

Having the ability to inspire confidence is crucial to lead others and allows you the opportunity to gain access to executive roles.  On this episode G Mark Hardy and Ross Young discuss executive presence: What is it Why you need it How to get it We will discuss Gerry Valentine's 7 Key Steps to building Your executive presence: Have a vision, and articulate it well Understand how others experience you Build your communication skills Become an excellent listener Cultivate your network and build political savvy Learn to operate effectively under stress Make sure your appearance isn't a distraction

If you use email, this episode is for you.  Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education.) These three tools all involve placing simple entries in your DNS records.  To work effectively, the recipient also needs to be checking entries.  They are: SPF = sender policy framework; designates only mail from designated IP address(es) or mail server(s) are valid.  For example:  v=spf1 include:spf.protection.outlook.com  DKIM = domain keys identified mail; advertises a public key that can be used to validate all mail sent was signed with corresponding private key.  For example:  v=DKIM1\; k=rsa\; 0123456789ABCDEF… DMARC = domain-based message authentication, reporting, and conformance; establishes policy of what recipient should do when message fails an SPF or DKIM check.  For example:  v=DMARC1; p='quarantine' Check your settings at MXToolbox Learn DMARC Link Implementing these protections require a small amount of work but can yield outsized benefits.  In addition to allowing recipients of your mail to validate SPF, DKIM, and DMARC, ensure your incoming mail is checked for conformance as well, labeling, quarantining, or rejecting any that fail. Lastly, blocking top-level domains (TLDs) with which you do not do business can significantly improve your security by short-circuiting many ransomware, command-and-control, and malware URLs that will be unable to resolve through your DNS.  Get the latest list from IANA Great Background Reading from Australian Signals Directorate Link Email Authenticity 101 Link

The Australian Cyber Security Center (ACSC) believes that not all cyber security controls are created equal.  The have assessed various strategies to mitigate cyber security incidents and determined there are eight essential cyber security controls which safeguard any organization more than another control. These controls are commonly known as, "The Essential Eight" are highly recommended. Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. Patch applications (e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers). Patch/mitigate computers with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest version of applications. Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions. Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository. Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. Strategies to mitigate cyber incidents Link Strategies to mitigate cyber incidents poster Link Essential Eight Maturity Model Link Link

As a CISO, one of the key functions you will be responsible for is IT Governance.  On this episode we discuss what the intent is for a wide variety of cybersecurity documentation that you can leverage, influence, and enforce.  Examples include: Policies Control Objectives Standards Guidelines Controls Procedures ... Helpful visual from ComplianceForge which shows how various documentation standards can be integrated Link

At some point in time, a CISO will need to purchase new security technology.  Whether it's antivirus, firewalls, or SIEMs you need to understand how to choose a product that will benefit your organization for years to come.  This podcast discusses 5 different techniques that CISOs can apply to help with product selection Perform Market Research to learn the players  Gartner Magic Quadrant Forrester Wave Leverage Vendor Comparison Tools to spot the features Mitre ATT&CK Evaluation AV-Comparatives MoSCoW Method (Must Have, Should Have, Could Have, & Will not Have) Pugh Matrix Use Predictive Analysis tools to see the trends Google Trends OpenHub.Net Stack Overflow DB-Engines Apply Problem Framing to understand the limitations and politics  Define the Problem: List the current problem you are facing. State the Intended Objective: Identify the goal an organization is trying to achieve so that a consensus can be made when the original problem has been solved Understand the Status Quo: If you take no action, does the current problem get worse, get better, or remain the same. List any Implied Solutions: List early solutions that appear to address the initial problem. Likely these solutions may come from your direct boss who has a certain way of doing things. Identify the Gap- The gap is roughly the difference between the intended objective and the status quo. Essentially this is the opportunity cost your organization must use when comparing this against other problems in the organization.  Identify the Trap- For each of the implied solutions imagine how you might build the product or service as directed and still not solve the intended objective. Explore Alternatives- Are there other solutions that avoid traps or gaps to address a problem that have not been previously evaluated? Execute an Analytical Hierarchy Process (AHP) to remove bias AHP is a structured process that helps remove politics or bias from decision-making.  It relies on creating relative weights among decision criteria, and possibly decomposing those into sub-criteria resulting in a weighted formula for all inputs.  Those become the equation that is used to evaluate alternatives; each alternative is scored on its sub-criteria then summed up by relative weight, resulting in a relative scoring based on numeric analysis.  For example, selecting a new product might involve evaluating three major criteria:  cost, functionality, and maintenance.  These are ranked pairwise on a relative scale of 1x-9x.  For this example, cost is twice as important as maintenance; functionality is twice as important as maintenance; cost is equally important to functionality.  From that comes a 40% - 40% - 20% ranking (all must sum to 100%).  Next, sub-criteria may be identified and weighted, e.g., initial cost is 1/3 the importance of ongoing cost.  Thus, the 40% global weighting for cost would consist of local weighting of 1 part initial cost [25%] to 3 parts ongoing cost [75%]

Have you ever wanted to become an executive, but didn’t know what skills to focus on?  On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide guidance from the Office of Personnel Management (Chief Human Resources Agency and personnel policy manager for the US government).  The podcast discusses the 6 Fundamental Competencies and the 5 Executive Core Qualifications required by all federal executives.   Fundamental Competencies: Interpersonal Skills Oral Communication Integrity/Honesty Written Communication Continual Learning Public Service Motivation Executive Core Qualifications Leading Change Leading People Results Driven Business Acumen Building Coalitions https://www.opm.gov/policy-data-oversight/senior-executive-service/executive-core-qualifications/#url=Overview  

Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security.  The three ways of DevOps consist of: The First Way: Principles of Flow The Second Way: Principles of Feedback The Third Way: Principles of Continuous Learning If you would like to learn more about the three ways of DevOps, G Mark Hardy and Ross Young invite you to read The Phoenix Project by Gene Kim https://www.amazon.com/Phoenix-Project-DevOps-Helping-Business/dp/0988262592

Most organizations generate revenue by hosting online transactions.  Cryptography is a key enabler to securing online transactions in untrusted spaces.  Therefore it's important for CISOs to understand how it works.  This episode discusses the fundamentals of cryptography: What are the requirements for cryptography? How long has cryptography been around? Are there differences between legacy and modern cryptography? Differences between symmetric and asymmetric encryption Common use of encryption at rest Encryption in transit

Understanding how to secure the cloud is a crucial piece of tradecraft that every CISO needs to understand.  This episode provides an in depth discussion of AWS's 7 design principles for securing the cloud: Implement a strong identity foundation Enable traceability Apply security at all layers Automate security best practices Protect data in transit and rest Keep people away from data Prepare for security events Please note the AWS Well-Architected Framework Security Design Principles can be found here: https://wa.aws.amazon.com/wat.pillar.security.en.html Chapters 00:00 Introduction 02:33 Seven design principles for securing the cloud 04:17 Multi Factor Authentication (MFA) 05:59 How to prevent password guessing attacks on the cloud 08:19 How to limit access to your applications 11:05 How to enable traceability in your environment 13:15 The importance of cloud infrastructure 14:47 How to monitor security in the cloud 17:09 How to automate monitoring, alerting, and auditing 19:09 Configuring a strong identity foundation 20:52 How to have an effective real time view of what your developers have produced 22:48 How to automate your security best practices 26:42 How to protect your data in the cloud 28:36 How to limit access to your data 31:36 How to scan your APIs to protect your data 33:41 The importance of permissions in a data science environment 36:06 The importance of identity in cloud computing 41:30 Review of the 7 design principles for securing the cloud

Have you ever wanted to learn the basic fundamentals of the cloud?  This podcast provides a 50,000 foot view of the cloud.  Specific discussions include: What is the cloud? What types of clouds are there and what are the differences? What is the term shared responsibility model and what does that mean for securing the cloud? Chapters 00:00 Introduction 02:10 The Basics of Cloud Computing 06:20 Cloud Computing and Infrastructure as a Service Model 10:17 The different levels of responsibility in an Elastic Compute Cloud Environment 13:18 How to host a server in the cloud 15:33 The differences between IaaS, PaaS, and SaaS 17:30 The consequences of committing to the cloud 19:15 The rise of AWS locations 21:21 The politics of Cloud Provider Infrastructure 24:15 The benefits of the cloud 26:30 AWS's share responsibility model 30:43 The impediments to a high level of security in the cloud 34:46 How to sleep soundly with your data n the cloud 37:18 How to run a hybrid cloud 39:46 The challenges of hybrid clouds 43:03 Seven design principles for securing the cloud