Round Table Archives - Fortify Experts

CISO Forum Summary – The Viability of Passwordless Authentication

CISO Forum Summary: The Viability of Passwordless Authentication

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics. Recently, we discussed the viability of passwordless authentication.

The desire is high to achieve Passwordless Authentication, but there appear to be very few Passwordless solutions that achieve the level of security required for the broad needs of a large enterprise.

Our discussion revolved around password best practices and what technologies are available to reduce the burden of managing and securing passwords.

Initial Questions to Consider:

Would Passwordless Authentication (PA) increase security across the enterprise?
How much will implementing PA cost the firm?
What price will users be willing to pay for the convenience of PA (giving access to biometrics, using an app, or company-issued phones, USB security devices, etc.)?
What legacy applications will be a barrier to implementing PA?
Is the goal is to be Passwordless across the end user workstations & devices or across the entire enterprise?

What is Password Integrity:

NIST standard recommendation is now to make passwords at least 12 characters, but they can be less complex making it easier to remember.
Using passphrases such as “Thi$_i$_a_L0ng_Pa$$word” could significantly increase security.
Many people are using “Lost my password” to log in each time. One firm, with many hourly workers, had to ramp up staff to assist with all the password change requests. For them, this is an administrative nightmare and the desire to use a biometric (i.e. fingerprint) instead of a password is very high.
One leader said, “We all are experiencing password & MFA overload.”
One firm provides “LastPass” to all employees and their families, so they will utilize good password hygiene in personal accounts. This leads to better password hygiene at work.
This same firm also provide Password Vaulting though Thycotic (now Delinea)
They also enacted that if an employee fails a phishing test, they must change their passwords. This “Punishment” fits the ‘crime’ and is a natural consequence of their actions.
One firm eliminated password security questions for their MFA into HR Systems. Instead, employees must use an app or VPN to get access to HR systems.
One firm has gone to 16-character passwords, but they only expire once a year. Admin PW’s still expire every 90 days and Contractors also expire every 90 days.

Biometrics:

Microsoft has been able to get 85% of their campus to Zero Trust and much of that is Passwordless using biometrics.
Biometrics could solve so much of the password reset issues.
Some firms like Wells Fargo are using Voice printing to authenticate. But it was recommended that you don’t manage the crown jewel with that.
Voice was said to be one of the weaker biometrics. Face and fingerprints are better.

Multi-Factor Authentication (MFA):

While MFA is more secure, it can be breached. If an email breach occurs, a SIM card is swapped, or a cell phone is left behind, MFA codes can be stolen, passwords can be reset, and access to systems can be compromised.
Smishing (SMiSing) is making MFA less secure
However, MFA is still recommended for all public facing apps.

Challenges to Implementing MFA

A lot of legacy systems are still in place which inhibit a single sign-on MFA from being implemented.
Each different division, acquisition or subsidiary has different ways of doing things making a universal MFA impractical.
We should be cautious of using too much Push MFA because people are getting MFA fatigue.

Zero-Trust

To achieve true zero trust, MFA needs to be redefined. It is more than just sending a code to your phone. Zero Trust MFA evaluates 3 factors:
1. What you know – i.e. password
2. What you have – i.e. personal device, authenticator, or a UBT
3. What you are. – i.e. biometrics
However, “what you are” is morphing – what you do is what you are. Some firms are analyzing your patterns to validate you. (i.e. keystrokes, habits, voice print, etc.) not just body parts.

Could a Personal Mobile Device be used for Passwordless Authentication?

An Apple Watch can unlock your MAC workstation.
Microsoft Hello for facial recognition has been mildly successful, but there are issues with having a good enough camera, or masks.
It would require Microsoft and Apple to work together to build a holistic solution. That’s a real challenge.
It seems like there is an opportunity to create an App which leverages a phone capability and tie it to a single sign-on solution to unlock enterprise applications.

Unhappy Path:

Much of the focus is on the users “happy path” – when they have all they need to log in (device, PW, biometrics, etc.)
The real thing that needs to be evaluated is the Unhappy Path (when the user doesn’t have one of those). Then what happens and how does one validate to get in?

Security on OT Systems:

More focus needs to be put on the securing of OT systems where you may have 10+ people all interacting with the same terminals. Facial recognition may not be an option in a chemical plant if they have a serious incident.
Maybe combining plant badging in/out, smart camera systems, proximity badges and storing this data in a block chain to evaluate multiple attributes to better validate if the right people have access.
OT systems ‘should’ be air gapped but often they are not.
One question was asked: “Is the biggest challenge using Passwordless Authentication on OT systems or is it at the app level where the masses are accessing thousands of applications?

YubiKey Authentication:

YubiKey’s are typically Impractical at scale. There are no doubts about the security of the product. The problem is the management of these in a remote work environment. SecureID was the predecessor of the technology. It is also difficult to manage in smaller organizations.
How about Bring Your Own YubiKey? It was said to be not practical for larger corporation. These should be Corporate assigned only.
Do YubiKey’s expire? Depends on how they are set up.
YubiKey’s would be good as a 3^rd or 4^th Not as a single sign-on or even a 2^nd factor.

Challenges of YubiKey’s:

YubiKey’s can be stolen.
YubiKey trojans – Someone could switch out one embedded with ransomware on someone’s desk.
Laptops have limited # of USB ports. Also, newer laptops may only have USB-C instead of USB-A.
Logistical problems of getting YubiKey’s into employee’s hands if they are remote.
When someone leaves the company, it become a challenge to shut all the access down. It’s just one more thing to disable especially if the process is not automated.

Other Emerging Technologies:

Typing DNA (https://www.typingdna.com/) is analyzing keyboard cadence to identify you.
Bind ID (https://www.transmitsecurity.com/passwordless) – Uses an app to enable facial recognition or a fingerprint scan to enter customer facing apps.
Human (https://www.humansecurity.com/) – Separates botnets from humans
Deduce (https://www.deduce.com/) – Builds up a personal identity profile to authenticate you.
Delina https://delinea.com/) – Privileged Access Management

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to improve your password authentication activities.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST-based security assessments.

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

CISO Forum Summary – Establishing a Baseline in your Security Program

CISO Forum Summary – Establishing a Baseline in your Security Program

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics. Recently, we discussed how these successful security leaders have been able to create higher-performing security teams. Here is a summary of their top tips or suggestions on how to create a baseline to move your program forward.

Frameworks for establishing a baseline in your program:

Leaders should establish a baseline on a Risk Management Framework (RMF) like NIST Controls.

- NIST has 260 controls for their top level which is required by the DoD or other Federal Agencies.
- NIST has also established a Cybersecurity Framework for those industries who fall under Critical Infrastructure, those NIST guidelines only have 160 of the 260 controls.
- Therefore, if NIST is the RMF for Critical Infrastructure, then those 100 controls NOT implemented could be attack vectors.

Another framework is FFIEC which is designed for the financial industry. While it’s not 100% cyber focused, it has many cyber controls built into it.
There are several other more proprietary Frameworks such as HI-TRUST which is designed for the Health Care industry and based on NIST but also adds a layer of HIPAA controls on top of it.

Challenges with Establishing a Baseline

NIST is more of a guideline instead of a black and white – do this or that. Therefore, it allows room for interpretation and could lead to disagreements on its application or implementation.
Some try to box answers into Yes, No or Does not Apply which may not work as well in a large enterprise since one area or business unit may implement that control well while a different unit may not. Therefore, there may need to be more depth to answers.
Self-assessments can be skewed and do not carry much weight.
Managing all of the framework controls data (i.e. status, maturity, documentation, procedures, exceptions, etc.) is a major challenge. Most of the leaders were managing this in spreadsheets.

Assessing a Baseline on Employees:

Since 80-90% of all attacks come through email, using a Phishing tool (i.e. KnowBe4 or PhishMe) to assess cyber awareness is highly effective. One CISO lowered his phishing rates from 22% down to 1% in one year.
Employee Awareness if often just benchmarked on phishing success. However, with today’s remote workforce, it requires a much larger scope. Employees need to be trained on data security. Exfiltration thorough Dropbox, and other shadow IT, BYOD acceptable uses, personal email accessibility on corporate devices, home network and wifi settings, USB use, ability to print, connecting to public WIFI, etc.
Employee cyber safety knowledge needs to be holistically assessed and measured to know where the training requirements need to be focused.

“Security is everyone’s responsibility, but not everyone knows their responsibility.”

Development Staff – To raise the secure coding awareness of developers, one CISO creates competitions between development groups to find vulnerabilities in each other’s code then rewards the team with the most secure code. This teaches both teams what to look for and how to code more securely.
Tech Staff – One CISO creates Capture the Flag events for all tech staff – Infrastructure, Privileged Access team, QA, Developers – anyone can participate. Teaches them how to break code, how to secure code and even identifies potential security team new hires.

Assessing a Baseline for Vendors:

It is typically a painful experience to vet out vendors to validate their maturity.
Need to know:
1. Who filled out the form
2. Who’s ultimately responsible for the program
3. Their contact information to validate answers and listen for competency.
4. A good competency measurement is whether they conduct regular Internal & external vulnerability tests.

Tools & Technology that Help:

https://csf.tools/ is the NIST Cybersecurity Framework (CST) tool.
Diligence (acquired Steel & Galvanize) – Integrated GRC SaaS solution
Privva (acquired by Entreda) – Integrated GRC solution for regulated industries
SecurityStudio – NIST CSF maturity assessment tool which simplifies an assessment across NIST CSF, HIPAA, & CMMC. Also automates the assessing of security maturity for Employee and Vendors.
Riskrecon – Vendor risk assessment tool.

Other Best Practices:

Think about each control with the following levels of maturity:
1. Documented
2. Implemented
3. Practiced
4. Measured
5. Optimized
Assessments should be done by 3^rd parties to create an objective lens.
1. Partner with audit. Point them to the problem areas to create visibility which can then be used to gain support.
2. Be consistent. Every 12 month to 24 months with the same vendor to track improvements and gaps.
Track who owns the controls and who is responsible for them for being implemented fully. If someone leaves, the ownership needs to transferred.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to improve your Red Teaming activities.

About Tim Howard

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

CISO Forum Summary – Establishing Meaningful Metrics in your Security Program

CISO Forum Summary – Establishing Meaningful Metrics in your Security Program

Below are perspectives from 18 Security Leaders who provided input on the following questions:

What metric has helped drive your program forward the most?

Understanding the Audience: The metric that has helped drive his program the most is understanding the audience and getting the metrics they want. Thinks that is one of the critical differentiators so that both parties will speak the same language and are on the same page.
MTTD (Mean time to Detect) & MTTR (Mean Time to Resolve/Respond): The ones that he has always gone back to are MTTD (Mean time to Detect) & MTTR (Mean Time to Resolve/Respond). This is useful in the operational realm because it shows your responsivity and how quickly you can get back up. Another metric is your level of preparedness and patchwork for your vulnerabilities. These aren’t the metrics and the measures that go with them; it is more the ability to tell the story and how it will impact others. These metrics will mean different things to others in the company, and that is why it is helpful to understand what story you are trying to tell.
Impact Analysis: The metric that has helped him the most is a quality metric which is an impact analysis that he does after every widespread cyber-attack that comes to the news. He looks at the impact of that attack and analyzes that attack for different companies and his own. If that attack did not affect his organization the same way it did others, he will examine what works for him and see the differences between the other companies and vice versa. This has been good for showing how his program works for people on his board.
Risk-Based Metrics: The metrics that work best with her programs are risk-based Metrics. Metrics that share the risks exceeding the agreed mitigation timeframe with the enterprise. Also, extending chances that the owner’s request since extensions are always requested is mitigation of a problem that has not been resolved. Another metric is the measurement of risks they are being accepted. These are usually of value to executives by bringing these to the surface to be discussed.
Readiness Metrics: The metric that has worked for him is reviewing all of the big hacks and presenting them to the executive committees, explaining what has happened, and showing their readiness for that to potentially happen at his organization. It feels like we get too technical with terms that many people, especially executives, do not understand, and he feels it is best to keep things as simple as possible for people to all understand.
NIST CSF Maturity Score: The metric that has worked best for him is reporting his company’s maturity score, as measured by the NIST cybersecurity framework. He knows it is subjective but used his proper funding to hire a third party to analyze the maturity score.
Tracking Against a Baseline: You’ve got a board or an executive leadership team that only thinks of risk after getting a poor or fair assessment. Establishing a baseline foundation and starting tracking against it has been effective for him over the years.
NIST maturity assessment: He completed a NIST maturity assessment which has given him leverage to talk to the board about focusing on tracking metrics that focus on vulnerabilities and patchwork. His company bought Tenable and scans their devices every week, showing that things were old and needed to be patched. His goal is to get where he can detect in 1 minute, contain in 10 minutes, and recover fully in 60 minutes.
Measuring against a Framework: He found a lot of success by starting with the simple things that people can wrap their arms around, such as project status. NCSF (NIST Cybersecurity Framework) is always at the top of the list of customers he has worked with. They are working with key stakeholders and internal auditors to define agreed-upon attributes that encompass a maturity level capability, which allows the maturity level to be their own.
TOP 4 Metrics: 4 metrics have helped him along the way, one being visible grading systems available on the internet (BitSight, Recon, etc.) because it shows what the world thinks when they look at his company. The other three are % of completed commitments planned, the % of the operationalized controls, and the maturity of those implemented controls.
Qualitative Metrics: His new company focuses on the qualitative side and operates in a no-blame culture.
IAM Metrics: Use metrics around identity and access management. Who has access to customer data is getting a lot of attention from the executives.
Top 10 Most Asked Questions: Building a program from the ground up, they went straight to the business. From there, they would take the top 10 most asked questions from prospective clients and compare them to their existing controls environment and map them out to missed opportunities/missed revenue. This is what he dubbed the Security Blitz and has helped gain executive support and drive a lot of change.
Question Provoking Metrics: Impactful metrics are taking credit for success and showing where the achievements are. Metrics should drive more questions for the executives, especially before asking for more resources.
Connecting to Organizational Strategy: The metrics that have helped him are the ones that are related to risk. It was understanding the risks related to the IT environment and the risk posed to the business environment. The key to his success is aligning the metrics that he is presenting to the overall strategic plan for the organization and making that connection solid.
Financial Impact Metrics: The metric that got the most attention from his board and President was when they reported the number of records they have and the potential financial impact of the organization if those records were breached. This helps the conversations start moving forward so that they can get additional resources going.
Gamification Scoring Metrics: We are hiring analysts who have a technical background but who also have a gaming background because they are competitive. They do gamification of the SOC internal by finding remediating against the metrics they have. By having a points system that will be rewarded each month. So, keeping them motivated and gamification are helpful for his team.
Business Aligned Outcome-Driven Metrics: By getting with the business leaders we have them identify what value they see in their investment for security. We also have them define an acceptable baseline. We developed Protection Level Agreements to help businesses understand the value we are giving to them. We developed metrics to give regular status updates on those business objectives.

What technologies are used to help drive better metrics?

Solutions like RiskLens or SecurityStudio bring a lot of visibility to risk managers presenting on that front. In enterprise environments, Looker and PowerBI take data out of they’re data dumping lake to help make sense of all of it and eventually dashboard it.
One leader just relies on their ticketing system. They put a lot of effort into getting everybody in the university to use it. This helped his university understand where the issues are coming from and where they need to put their resources. The ticketing system is probably their most significant resource in gaining metrics for their ticketing system.
API Connections to a cloud-based tool for our compliance. For their SOC, it has API connections in all the various devices that they feed data so that it knows based on the controls what the evidence should be, and it pulls it monthly.

What are the most useless metrics to track?

Number of phishing emails! Rather have the number that did not get clicked.
Billions of attacks on the firewall.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to improve your Red Teaming activities.

About Tim Howard

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

CISO Forum Summary – Best Practices for Managing a Hybrid Security Team

CISO Executive Forum Summary – Best Practices for Managing a Hybrid Security Team

Challenges with Hybrid/Remote Teams:

One CISO said remote or hybrid teams raise the following questions:
- Are your systems architected correctly to handle a large number of remote people?
- How do you prevent your remoteness from setting you up for failure?
One CISO rolled out a hybrid option 2 years ago. It has been challenging meshing all of the teams together. He believes that the infrastructure team is critical for all of it to work properly.
He said language, communication, and time zones all play a factor in how successful a hybrid security team can be.
Another CISO of 6,000 employees, allows each director the flexibility to choose how hybrid they want to be with their teams.
One CISO said they had initial difficulty while transitioning to remote work because they didn’t have all the controls at home that they had in the office.
Remote workers pose a schedule coordination issue which gets very frustrating with the hybrid systems.
One leader said her goal was not to make remote workers feel like 3rd Class citizens.

WFH and/or BYOD Policies:

She initiated a Work-from-Home policy that would allow people to have 1 or 2 days to work from home. Her company already had a hybrid foundation in place, especially since they have been doing it off and on for about two years now.
One CISO did not have a Work-from-Home policy, but her company has a Bring Your Own Device (BYOD) policy to help them know what kind of devices they can or cannot use for work.
Another leader did have a Work-from-Home policy before the pandemic however, many positions would still need to come into the office because they were accustomed to their desktops, and during the pandemic, it was a rush to get laptops that were unfortunately backlogged. So they had to temporarily implement a BYOD policy where they had to implement some safeguards.
A Work-from-Home policy should also provide guidelines around an Acceptable Use Policy for security measures.

Suggestions:

Establish specific work-from-home days because it would be better to align teams to be in the office on the same days.
Tell employees they cannot print certain documents at home with important information on them.

Connectivity and Bandwidth Challenges:

People believed that their ISP was delivering a certain level of service, but with all of the kids being home, it caused all ISPs to provide terrible service to people who thought it was good.
One CISO sent documents titled “Helpful Hints” to help employees who have kids at home to help employees understand the demands of streaming services and bandwidth issues that could impact their work. Although HR didn’t like it, the goal was to help moderate the bandwidth of individual households.
One other suggestion was to advise people to get 5G internet through a cellular system that would allow them to use a directional antenna that points at one of the towers which will enable them to have better service even with a slow ISP.
When some people working from home connected via ethernet, it made them have a public IP address. The security team had to help employees figure out how to remove it from public view.
One leader said going remote impacted him negatively because he lives in Idaho, and Fiber optics cables are not everywhere. It went from only 20-25 people on a VPN to over 5,000. People were having problems, which impacted what they could do and how well they could get it done. More solutions are finally coming online for the more rural areas.

Hiring Hybrid & Remote Talent

A survey said that 80% of people said that if their employer were to force them to return to the office, they would find a job elsewhere. This will become an issue that many companies will have to deal with in the future.
When hiring people have them submit a screenshot of a speed test to make sure they have fast internet. The speed test has become a requirement for employment, and if their internet is not up to speed, they will not be hired. It has been helpful to have this guideline when recruiting new employees because they can know what to expect before they even interview for this position. With the guidelines, they can upgrade their bandwidth or find a way to increase their internet speed to be up to par with the standards of the policy.
Remote roles have allowed one CISO to finally recruit outside of his small town in Idaho because not many want to live there.
However, this has a negative impact as well, because many people in remote areas are also finding better remote jobs elsewhere.
One CISO said remote hiring has been a multiplier because they have so many locations in the US. Complete remote work has freed them up to hiring people where they are located, which has helped them hire many more employees and aren’t limited to just location.
Creating a hybrid culture needs to be high on the list of importance because, the cost of turnover is enormous, and the best people are getting picked off is also a considerable cost.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to improve your Red Teaming activities.

About Tim Howard

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

CISO Forum Summary – Best Practices for Red Teaming

CISO Forum Summary – Best Practices for Red Teaming

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics. Recently, we discussed how these successful security leaders have been able to improve their security programs through the use of red teams. Here is a summary of their top tips or suggestions on how to select and create better red teaming engagements.

Selecting a Red Team:

Here are some perspectives on how to select a red team.

One CISO said his current employer (large health care), outsources pen testing to the big consulting firms which he believes do not have the right people. He feels small boutiques are the way to go with 20 people or less. They usually have come out of the industry and are diverse and have specialists.
He says to get on the phone and talk to the companies to see what they know and based on his experience he could decipher the best one to choose. The key is asking the right questions to determine who the best pen-testing companies are.
One leader said he picks a different vendor every year to show the executive board how they compare to their peers. After 3 years of annual tests, they could anticipate what they were going to find because they kept running into systemic issues that come up mostly with change management and third-party risk.
One CISO prefers small pen testing companies over large ones because they usually have a more mapped-out plan for diverse attacks and do not try to sell them services afterward. Also, as soon as the small companies get bought, he usually drops them.
Another CISO said he would not use the same red team twice in one year because they would do their attack the same way and he needed a variety of attacks.

Scoping/Contracting a Red Team:

Here are some perspectives on how to scope out and contract a red team engagement.

It is critical to define the rules of engagement for a pen test.
Have a detailed attack plan that is memorialized because in you can’t have systems going down.
Evaluate the company’s Modus operandi for each attack vector to monitor if there is any recourse or downtime as a result of their activities. That way you will know what they are doing if something goes wrong – then it’s on them.
The scoping exercise is the most critical, and figuring out where each vendor’s strengths and weaknesses are very critical.
One CISO said the philosophy at his company was to sit down and see what was important to test that they had not looked at before. They would target where the business is trying to grow because this is where the investments are in the business. They figured that where it is new, that is what they would target for pen testing.
Another CISO says, he does pen testing every 2 years, uses both small/large third-party vendors to keep things diverse, and tries to focus on key business risk areas

Why you SHOULD NOT do Red Teaming:

One leader explicitly forbade red teaming and hunting internally. Here’s why:
- Not allowed because it was a luxury, they could not afford from a resource’s perspective.
- His team focused on automation containment in SOAR.
- They don’t go hunting for needles in the haystack. Instead, automate the needles that we know we need to find.
- However, they did conduct annual pen-testing.
Another leader said they are going with attack surface profiling and attack surface management instead of red teaming.
- They wanted to see how to get real-time visibility of the business surface/internet facing to see where there might be vulnerably based on the attack tools that everyone uses
- Red teaming is “sexy” but has very low ROI
- He feels you do not need to spend money on an internal pen-testing team, and most external teams are just a compliance check box.
- He says, the only thing red teaming adds value in is application pen-testing.

Why you SHOULD use Red Teaming:

To prove to customers that they are serious about security and having a third-party pen test is collateral that they can waive to prospective clients to reduce sales friction around being a secure company.
Red-Teaming is proactive instead of reactive.
Pen-testing forces groups to be more diligent in administration, policies, procedures, coding, clean-up, and maintenance.

Simulation instead of Red Teaming?

One recommendation is to start moving away from traditional pen testing and Red Teaming, and get involved in cyber test ranges and attack modeling and simulation (i.e SafeBreach, Verodin, AttackIQ, Cymulate, etc.), so you can remain prepared. Although the simulation is not as good as pen-testing, it is getting close. The industry needs to support these vendors to help mature the attack modeling simulation space.

Different Approaches:

One CISO is using O365 hunting to show that he is continuously pen-testing and continuously mitigating attacks.
Consider using indicative compromise, which is a pen test that checks the pen tester’s ability to get through indicators of compromise.
Another CISO said he leveraged red teaming on accounts payable to justify red teaming tactics. They would work with him and do both a social/cyber-attack with the red team and identify risks. The rule of thumb with this tactic is that no one could get in trouble because this was a tool for training. Through this tactic, he was able to avoid ROI issues while still spending 2 million on red teaming.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to improve your Red Teaming activities.

About Tim Howard

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

CISO Forum Summary – IAM Best Practices

CISO EXECUTIVE FORUM SUMMARY: IAM BEST PRACTICES

Every month, Fortify Experts holds CISO Executive Forums discussing the latest trends and topics. Recently, we discussed how these successful security leaders have been able to create higher-performing security teams. Here is a summary of their top tips or suggestions on establishing best practices around Identity Access Management (IAM).

HERE ARE THE BIGGEST IAM CHALLENGES FACING LEADERS:

The biggest challenge right now is during a merger how to bring those two worlds together from an IAM perspective (process, policy, procedure, etc.) because they are so different (one immature and one mature).
Biggest challenge is getting our business processes organized and making sure they find a technology solution that can implement IAM
Culturally getting folks to buy into IAM which will help them be more efficient with onboarding/offboarding and provisioning.
Biggest challenge is that there are many processes that people have had to create for not having a centralized Identity management system.
Biggest Issue is getting the right integrations done, all within a timely manner.
Not having an automated system in place
Having a lot of manual processes and scripting processes that need to be integrated into Workday.
The biggest challenge is that there is no IAM strategy in the company and not knowing what the company wants and where they want to go.
Struggling to define what IAM means, the strategy to define it, plus selling the idea of IAM internally.
Not having a universal plan to maturing IAM processes and integration.

WHERE CAN WE MAKE THE BIGGEST IAM IMPACT THE FASTEST?

Getting to a point that LDAP is your friend. Moving to single sign-on (SSO) will make the biggest impact because then you can control who gets access to what, from where, for how long, to what access level, and even when they get access.
Need to have tools in your toolbox to move from on-Prem to the cloud to keep SSO intact.
One leader concluded that he will never get to single sign-on so he devised a group that would be an on-prem managed group and kept them in they’re own connection. He put out models for people to go to if you wanted to use a cloud service so they would have a specific model to refer to. If they want to connect to a certain model, they did not have access to, then they would need to sign a waiver with the cyberteam. This helped mature the business units and started seeing the value in productivity which helped get the single sign-on to work in other areas
One leader can identity who the people are, but is struggling getting people in the door provisioning, deprovisioning and keeping up with the access. Wants to find the right solution to identity and access management, because he has so many people in different departments having access to the company’s information.
One leader said they need to build the IAM foundation so users can see the benefit of the single sign-on and multifactor.

EXPERIENCE WITH ONBOARDING/OFFBOARDING PROCESS:

Need to establish an authoritative record source, (i.e. Workday?) and if so, HR must be timely in termination and creating accounts.
Using HR as the starting point of the onboarding process and then using automation from there has helped.
When HR is not the source, issues tend to arise.
Cross boarding has also been an issue when they are making a transition in the company. One leaders explained how they addressed it: If there is a change/move in position within the company, allow them to make that change from role A to role B, and then manually go back in add the access to their old positions and have an expiration date for the permissions to have access to their old work. This wasn’t the greatest because it was manual, but it did work for them.
There should be a technology to enable the process of the cross boarding easier
Establishing a user data store could be useful in mitigating these issues

IS THE GOAL OF IAM TO GET TO ZERO-TRUST AND IS THAT A COMMON GOAL?

One leader was curious how zero-trust plays into reducing the risk and improving the overall security posture. Plus, will zero-trust eliminate a perimeter so does that mean that we are losing all the things we are putting so much time and effort into because zero-trust architecture is coming down the pipe. No, we need to do IAM correctly.
This is still a role-based access and starts at the point of hire, and then it changes dynamically as they change their role, and that will set up zero-trust very well.
Without IAM you’re not going to get into Zero-trust.
One CISO, only made process when he trained the IT community and IT engineers on their security controls/IT controls in their circle of influence. Also having a CFO that understands that they need to do something and holds the focus of the strategy that they have put together.
Role definition, securing documents, and provisioning of these roles is essential to the enterprise IAM model.

Tools and how they how helped but has also exposed lack of skill in other areas:

SailPoint has been the main tool of most of the leaders but other options that other have tried is Microsoft Identity Manager and OKTA, but you need to find the right partner to helping with IAM especially with Microsoft’s limited staff.
Finding good partner is difficult and takes time to find. There are not many competitors to SailPoint
SailPoint & Octa have overlapping features and it can be challenging to figure out what software does what properly, such as Octa for Authenticating, and maybe only SailPoint for account provisioning, but it is still a work in process.
Orchestration is the end goal. Strata Identity does orchestration across points on cloud and on- prem with OCTA and other vendors. That is where things are headed.
However, if your processes are not well-defined and you are not doing your basic block and tackling (role definition, provisioning, etc.) on the forefront, these tools will just expose how bad things are currently in a company.
IAM needs to be a full-time project for a team to work on, not a part-time team.
Your organization needs to be able to point to your IAM owner, otherwise, it becomes an issue.
Awareness and education outside of IT, including HR & Executives, is key to a successful IAM implementation.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice to on how to better prepare against the threat of ransomware.

About Tim Howard

In addition, he has a passion for helping CISO’s develop Higher Performing Teams through coaching, by creating interactive CISO Forums and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

CISO Forum Summary – Measuring Success Through Metrics

CISO Forum Summary – Measuring Success Through Metrics

Purpose of Metrics

As a CISO, “You want to be able to tell a story, so what story are you telling.” The key question is, “How are you using those metrics?”

You should be asking, “What is my priority here?” every time you develop a metric. This is the question that every business person and every executive is always asking as they are allocating resources.

Board wants to know, “Are we investing in the right security capabilities to protect our assets?”
CFO wants to know, “How do we show value while managing costs?”
CEO wants to know, “What are the risks of a financial loss if we don’t take action?”

Metrics:

provide the platform for creating the story that you need to tell, and you need to be able to carry around with you on a day-to-day basis
are the containers that carry all of that detail which are important to our jobs.
build confidence within the executive team that your security and compliance program is actually working.
help you stay more strategic and less reactive.
provide a view into what has to be done going forward.
Are key performance & key risk indicators that help us justify our existence to senior execs.

KEY POINT: Metrics can change based on the behavior that needs to change. Larger vs. Smaller companies, regulated vs. non-regulated, immature vs. mature, technology vs non-tech dependent, all play into which metrics boil up to be critical to measure. There is no one size or one set of metrics that fits all.

CIA TRIAD:

The CIA Triad can be used as a foundation for Metrics: https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA#:

Confidentiality
- Confidentiality limits access to information and is more important from a regulatory or compliance point of view (progress of GDPR, servers not on 2FA, unprotected PII data repositories)
Integrity:
- Integrity is the assurance that the information is trustworthy and accurate unauthorized access is not allowed (related to patching)
Availability
- Availability is more important in operations because you care about the volume of applications you’re processing and the throughput how quickly they are able to be addressed and circulated (impacted by ransomware,
- Day-to-day business is going to care about the flow so maybe like what controls are around availability of data to make sure that it’s unencumbered and what security measures ensure that availability.

KEY POINT: In the CIA Triad, availability is probably the highest most scrutinized piece to keep data flowing, followed by integrity of data from an operational standpoint. There’s an assumption that privacy that’s probably going to help drive confidentiality.

Most Useless Metrics:

A lot of Metrics create a “So What?” Here are some of metrics that leaders have been asked to provide but can have little actionable value:

Number of malicious or phishing emails that come in (spam)
Total number of unpatched vulnerabilities
Number of attacks thwarted
# of dropped packets on the firewall
Ranked Vulnerabilities when there is no business context to know the actual risk.
# of actions items required to get a system compliant
# of systems that are compliant

KEY POINT: Instead just posting up metrics when asked, focus on high value metrics. Those are the ones that lead to a decision point and drive change.

IT Operational Metrics:

Operational metrics are useless without the business context behind them.

Phishing Training (often provided by the Phishing tool):

# of people positively report a Phish without interacting with it
# who failed by clicking
# of people who did nothing with it (i.e. Apathy score) – most concerning?

Cloud:

With the migration to the cloud, measuring the CIA metrics in your DevOps chain becomes much more complicated and difficult to monitor.
Companies that don’t do DevSecOps management well in the future are going to lose ground very quickly in agile environments.
DevOps & Security Ops should partner to defining how they can work together more efficiently.

Track Ugly Metrics:

You need to be ready to track some ugly metrics right now like:
- How many how many applications aren’t passing vulnerability scans?
- How many applications aren’t being screened for security criteria?
- When they’re screened, how many of them have vulnerabilities and how many of them don’t?
- How many emergency changes occurred where DevOps didn’t do their security checks or made changes outside of the process.
- How many critical servers with a high vulnerability remain unpatched.

Use the CVSS scores to classify and highlight the % of exploitable or highly exploitable vulnerabilities that exist.

KEY POINT: Measuring the Ugly Metrics in DevOps helps teams focus on the stuff that really matters and less on the stuff that doesn’t and moves a really unstable state towards a stable state.

Other Operational Metrics:

Measuring % of devices which were N vs. N-1 (i.e. Within a standard or compliance vs. a variant of the standard or out of compliance.)
Patching performance metrics against defined risk categories or vulnerabilities that have been identified over time (i.e. 6 months).
# of people who didn’t have multi-factor authentication turned on

Business Operational Metrics

It takes time to strategically think about these metrics to ask “how can I identify and track what’s important to the business.
Define business success factors such as what is needed to ensure Productivity, prevent Revenue loss, Protect Market Share and reputation, etc.
What levers can the security team pull to give the business a strategic advantage or to take risks off the table. The determine if they are worth investing in?
Define what Risks could take the company off of our mission over the next 18 to 24 months?
Develop a data management committee – Include a leader from each business unit to discuss what they care about. Side benefit is that the data management committee is also involved in the board meeting as provides positive feedback because they were involved in the process of establishing what was important to them.

KEY POINT: Push to hire a cyber expert on the Board to help sell the importance.

KEY POINT: Only track 3 to 4 things that are the most important to the business. More than 5 is too much.

Mike Davis shared his detailed report on NIST based Cybersecurity Metrics. You can download, use and modify this document: (Scanned Safe) – NIST Scorecard https://fortifyexperts.com/wp-content/uploads/2021/04/CISO-Scorecard-_-Security-Metrics-Approach-Mke-Davis.docx

Risk Metrics:

Measuring how many administrators and privileged access management did not meet policy by introducing accountability for role based access.
Defining what metrics were acceptable, unacceptable, and what risks we were willing to accept.
Measuring compliance and internal audit risks can have value in the right context. Especially, if they are identifying potential operational risks.

KEY POINT: Aligning your operational metrics to NIST categories can be valuable because it allows the operational metrics to translate easier to your risk metrics.

KEY POINT: Move towards a risk-based vulnerability model from a “critical” model.

3rd Party Metrics

What metrics can be measured to understand the supply chain especially in the delivery of software in the cloud?
How do you measure Trust in your Supply Chain? Can you build in metrics to understand their risks?
Measure and track 3^rd parties that are critical to the business success, plus track their supply chain as well.

Benchmarking Metrics:

Answers, “How are we doing compared to others within the sector?”
We never want to be caught behind where the industry is going. We don’t want to look incompetent against our peers.
Financial Cybersecurity Profile (FSP) https://fsscc.org/ – Annual evaluation to know how you compare to others. Regulators want to understand if you understand where you stand and where you need to focus attention.

Other Benchmarking Tools:

ISO – ISF & NIST
CMMC
BitSight
SecurityScore Card
Cyber resilience review: https://us-cert.cisa.gov/resources/assessments
FFIEC

KEY POINT: SecurityStudio – Combines CMMC, NIST CSF, PCI into one simple assessment, plus has automated 3^rd Party Assessment Tool and a free Employee Assessment and training tool – Request Demo via Fortify Experts

Metrics Reporting Tools:

Excel – is the most popular because of the flexibility but very difficult because you almost have to really be a master at excel and a very manual process.
Phishing Tools provide some metrics
Ask your MSSP to provide metrics for executive reporting
SolarWinds (https://www.solarwinds.com/)
RiskLens (https://www.risklens.com/)
Archer as a data repository but too complex and not a good analytics tool.
OnSpring – GRC Tool (https://onspring.com/)
Or created your own data repository and use a BI tool.

ADDITIONAL RESOURCES:

NACD report – Getting the Right Cybersecurity Metrics and Reports for Your Board: https://blog.nacdonline.org/posts/getting-the-right-cybersecurity-metrics-and-reports-for-your-board) provides some good best practices for generating board focused cybersecurity metrics.
Common Vulnerability Scoring System, CVSS Version 3.1 Release https://www.first.org/cvss/specification-document
Dr. Hayden’s Book, IT Security Metrics (https://www.amazon.com/Security-Metrics-Practical-Framework-Protecting/dp/0071713409)
ISO/IEC 27004:2016, Second Edition: Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation – https://www.amazon.com/ISO-IEC-27004-Information-measurement/dp/9267109707/
How to Measure Anything in Cybersecurity Risk, Douglas Hubbard
Webinar: https://hubbardresearch.com/shop/webinar-measure-anything-cybersecurity-risk/
Book: https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292/
Presentation: http://www.hubbardresearch.com/wp-content/uploads/2014/01/TAC-How-To-Measure-Anything1.pdf
FAIR (Factor Analysis of Information Risk) Institute: https://www.fairinstitute.org/

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice to on how to improve your security program.

About Tim Howard

In addition, he has a passion for helping CISO’s develop Higher Performing Teams through coaching, by creating interactive CISO Forums and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

CISO Forum Summary – Implementing Zero Trust

CISO Forum Summary – Implementing Zero Trust

Since the SolarWinds breach was discovered in December 2020, the security industry has been hyper-focused on how much exposure an organization may have – even when there is perceived to have a trusted and secure relationship.

“Are we trusting our vendors too much?”

The question being asked is, “Are we trusting our vendors too much?” One CISO said, “Vendors want us to accept them as blind trust.“ If SolarWinds was using a Zero Trust model with Multi-Factor Authentication (MFA) or another authentication method, they would not have likely been breached.

In our CISO Forum, we discussed how security programs need to thoroughly evaluate their 3rd party vendors through better assessments and more robust contracts. One recommendation was to ensure the vendor agreements have policies that bind them with indemnification clauses and hold them accountable to protect your data. If there are financial consequences, they will be more motivated to provide you with a secure environment.

So who can you trust? The answer is quickly moving toward – No one. No 3rd party, no person, no machine, no connection, and no application. Hence, the reason Zero Trust is now the newest security buzzword.

In February 2021, the NSA published a succinct paper called Embracing A Zero Trust Model which defines Zero Trust as:

Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries.

It is a data-centric security model that allows the concept of least privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.

“Zero trust is a state of mind.”

Zero Trust is not just another security technique or tool. “Zero trust is a state of mind.”
You have to completely change the way you think about access.
Another leader said it is more about, “Who you are and how you are, not what you do.” There will be plenty to do after everyone is on-board with this new mindset.
“Don’t trust anybody, treat everybody as the enemy.” another leader described it.
“Trust nothing – everything is hostile. Treat everything as if you are on a Starbucks network.”

Traditionally, data centers were protected, walled off mainframes, and those accessing the data were within the walls of the same building or at least on a dedicated secure connection to the mainframe.

Now, we are moving critical and confidential data out of those buildings as fast as we can to the cloud which is owned by someone else. However, many businesses still have the old mindset that their traditional identity and role-based access management should still be adequate.

“We have always done it that way” is no longer a valid argument when you move to the cloud and now you are exposing your source code, build pipeline, critical customer data, and much more. Development teams who have worked behind the firewall and have always assumed they were protected will now have their code exposed to the best hackers in the world.

Zero Trust must be designed into everything …

Zero Trust must be designed into everything and may not even be achievable for many firms. It really needs to be designed holistically to evaluate the entire enterprise application architecture, the identity access systems, and all the assets.

A risk framework should be used to understand where the highest risks are and where the initial focus and investment should take place. For most organizations, this is a true paradigm shift that impacts their entire approach if it is done correctly.

In planning for Zero Trust, leaders need to project three years out to predict where Zero Trust needs to be then. It is a long initiative, that frankly, many CISOs won’t be around to see the full lifecycle of the implementation.

The NSA recommends a Zero Trust Mindset should take into consideration:

Coordinated and aggressive system monitoring, system management, and defensive operations capabilities.
Assuming all requests for critical resources and all network traffic may be malicious.
Assuming all devices and infrastructure may be compromised.
Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations.

Several leaders described executive resistance to supporting another large security initiative. However, leaders said developing organizational awareness and educating executives was critical to gaining support. The NSA Zero Trust Model may help evangelize this as they strongly recommend Zero Trust be considered for all critical networks.

5 Step Model for how to get to Zero Trust:

Establish trust in user identities and permissions and reconcile those
Evaluate the trustworthiness of the device
Enforce access policies on devices
Enable secure connections (MFA) to applications
Once the above are in place, look for anomalies

In the design phase, it was recommended to use a tool like Ardoq (a Visio alternative) for Enterprise Architecture (EA) to map all asset inventory, communication ports, and access points to thoroughly understand those interrelationships.

With an EA map, the security team can begin working with the business teams to understand and define:

How much can be restricted?
What is the least amount of access required?
What will be the process for temporarily expanding access?
What criteria will be used to validate access?

Design Advice from leaders:

Must prioritize and get small wins to show progress to maintain executive support.
Find ways to make it easier on the user. A suggestion offered was to go back to Certification-based authentication where you identify and match both the machine certification and the user.
Risk Tier all applications. You have to know what you need to trust. Move toward software-defined perimeter. Can’t access servers unless every connection & MAC address is validated.
Eliminate VPNs and use MFA.
Containerize applications, Use Software Defined Networks, & Device Trust.
Move away from Passwords as they are flawed.
Validate credentials by using a jump server with MFA then, track IP, ISP, and MAC addresses to ensure all are recognized. If not, all exception messages are sent to a 24-hour monitored SOC and must be approved if location, device or user is not recognized.
Build in Adaptive MFA, Factor Resequencing, Impossible Travel & Unknown location, and use SOAR to reset accounts when an anomaly comes up.
One firm built its own SOAR platform to save costs and has a goal of achieving 80% automation.

Advice on Vendor Selection:

Achieving a robust Zero Trust program will require the use of multiple technologies. Here are some words of advice from leaders when evaluating and selecting Zero Trust vendors.

Zero Trust enabling cloud tools are coming online rapidly, therefore, it may not be best to sign long-term contracts even if they offer deep discounts. Technology is changing too rapidly.
It is better to go with a single 80% solution, than trying to boil the ocean with many different tools to get to a 100% solution. Also, don’t be afraid to throw solutions out of the boat if they are no longer delivering value.
Develop a formal RFP process for adding tools. Define the necessary functionality then bring in all the stakeholders into the buying process. This will slow the propagation of tools and provide a better ROI for evaluation later.

What tools are advancing Zero Trust?

Here are solutions that were mentioned in our CISO Forum as ones to consider when planning and evaluating Zero Trust technologies.

OKTA – Identity and access management
FireEye’s Cloud Visery – Anomaly detection & Incident Response
CloudKnox.io – Automated Permissions Management
Tetration – Micro-segmentation and cloud workload protection
Citrix ADC (NetScaler) – Application delivery and load balancing
Varonis – User rights management
Cyphre – Encryption in motion & rest
Microsoft Azure Application Proxy
Palo Alto’s Prisma – Cloud Native Security Platform (CNSP)
ManageEngine – Manage all user’s permissions, updates, and records past activities.
Palo Alto – AlgoSec – Enterprise Firewall Policy management
Cisco’s SecureX – Orchestration & threat response.

Conclusion:

Deploying a Zero Trust framework is not easy. While it may not seem as difficult to achieve with new cloud-based applications, it can be a huge challenge when you consider the entire enterprise including all data, legacy applications, vendors, users, and devices.

Focusing on education, using a risk-based methodical approach, and showing wins along the way will increase the level of support and success for achieving Zero-Trust within your organization.

One leader proclaimed, “This just shows we will never be done with security.”

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice to on how to improve your security program.

About Tim Howard

In addition, he has a passion for helping CISO’s develop Higher Performing Teams through coaching, by creating interactive CISO Forums and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

Defeating Ransomware: The Heroic Role of a CISO

CISO Forum Summary – Is there a Silver Bullet to Thwart Ransomware?

CISO FORUM SUMMARY: Is there a Silver Bullet to Thwart Ransomware?

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics. Recently, we discussed how these successful security leaders have been able to create higher-performing security programs. Here is a summary of their top tips or suggestions on how to thwart ransomware.

CISO Executive Round Table Forums

15 years ago ransomware was not on at the organizational level that it is today, but now ransomware is more than just advanced malware, it is now threat actors going in and gaining command and control inside networks for the sake of a big payday.

One CISO recently had 22 of its partners hit by ransomware in a single year.

That raised these questions:

- Do they have accounts in our system?
- Do they have connections into our systems?
- What data do they have?
- Can they get information out of us as a result?
- Did we find out on the news or did they inform us? etc.

Their focus is now to bring consistency to their visibility, tooling, and entering the response process. His concern is that outside entities will be targeted to specifically reach into other targets like us.

Being a large company leaves them vulnerable to attacks. He said, “You may have intelligence analysts who track and keep a record of internal events, but outside of the corporate infrastructure, the gates are not being watched as closely. Relying on subsidiaries to do that may need to be addressed.”

Lessons Learned:

One CISO was hired after a ransomware attack. The company that hired him had the tools for ransomware, but no strategy for dealing with the problem. The effects of the attacks were a lot of downtime and production slowed down, but there was not any data extortion for either one of the attacks he experienced. However, he gained a lot of knowledge through the process:

Lessons Learned:

If you do not practice response and restore, you don’t know how long it may take to get things back up and running, even with backups and a robust response process.
Develop a ransomware risk assessor tool that looks at the critical items (about 20-25 things) to rank and prioritize risks
Plan for the worst, then develop a mitigation strategy.
Verify backups can securely restore
Implement phishing training by educating users
Optimize incident response by containing the issue before it gets out of hand.
Incident response efficiency is of the most important things to practice.
Every year they do a technical exercise for ransomware involving the executives to provide awareness and exposure.

What is the legality of paying the ransomware?

One CISO said they struggled to decide on whether they should pay off ransomware and possibly go into the territory of money laundering. One consulting firm CISO said they have tried tackling this fear with their customers, plus, have had to coach them after they paid it.

To pay or not to pay…

Paying the ransomware is a business decision, and now there are negotiators that do this for a living. If you find the right people, they would be the best to handle the legality of this issue.
While paying for the ransomware may not be recommended or even legal in some cases, who is going to cover the cost or losses during the drop in production? So the decision becomes, which is more prudent?
One CISO offered up that these threat actors are extracting data, deleting your backup data, and leaving you with no choice other than to pay.
People need to realize that ransomware operations are running well-resourced, for-profit businesses.
We need to think holistically about how to handle ransomware and not myopically because it should not always be seen that paying the ransom is a bad idea, even with all the risk that comes along with it.

What has been the most effective thing you have done to reduce ransomware exposure?

All agreed that email phishing is the biggest vector by far.

One CISO said, “Train and make it painful to fail a phishing test.”
- 1^st offense – Require additional training and a test,
- 2^nd offense – Cut off access, and then go to their boss for them to address.
- if an employee has failed phishing training twice, it is a training issue on the supervisor’s side and not the employee
- They are strict at his company with the 3 strikes rule, but they also provide positive reinforcement to celebrate those who have been following the right steps in preventing attacks.
- Highlight different parts of the company that is progressing and those that may be failing.
Another CISO said, that’s effective, but the downside is the staff becomes too paranoid with emailing and sending things to IT to be assessed maybe too often. Therefore, they use more of the ‘carrot’ instead of the stick by providing recognition to employees for reporting and by not falling victim to phishing tests.
A third CISO felt the right solution was a combination of both positive and negative reinforcement.

What about Cyber Insurance?

The requirement in getting cyber insurance has been “ratcheting up” a lot and is changing in real-time.
A lot of insurance providers are saying businesses need to team up with an authorized coach/incident manager before they can get insurance. The coach/incident manager will coordinate different monetary/cryptocurrency exchanges on your behalf.
The cost of insurance has gone up, the coverage has gone down, and the exclusions have also gone up as well. Therefore, you need to read the details and have it reviewed by an attorney.

What are ways technology has helped recover from ransomware attacks?

It’s less about technology and more about your process in the visibility of your security operations. Technology only supports the process. The important thing is comprehensiveness in management. This CISO was very big on optimizing the technical controls. His suggestions include:

Verify what you have in technical controls in place (e.g. Umbrella/Cisco, Zscaler, Mimecast, etc.) and make sure they are optimized.
Develop a quick incident response. It should be minutes instead of days or weeks to identify and contain.
Secure your backups.
Explore Next-gen user behavior analytics software such as Forcepoint. It is an agent-based software, which sits on the server and looks at file activity to flag or disrupt malicious activity. It causes a hit on the CPU side, but there has been a success in the use of that software.

CAUTION: New Threat Vector:

Cybercriminals are getting smarter. They don’t start with a malicious attachment or link because they know they likely won’t get past the email gateway. Instead, they look for any way to get a person engaged, then send a link or an attachment to escalate it.

Other Resources:

Ransomware Best Practices by Mike Davis https://www.linkedin.com/posts/activity-6823355202691850240-beak
31 Ransomware Statistics https://https://www.blumira.com/ransomware-statistics/

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice to on how to better prepare against the threat of ransomware.

About Tim Howard

In addition, he has a passion for helping CISO’s develop Higher Performing Teams through coaching, by creating interactive CISO Forums and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

CISO Forum Summary – 3rd Party Evaluation & Monitoring

CISO Forum Summary – 3rd Party Evaluation & Monitoring

Suggested Best Practices:

Risk Ranking and tiering vendors. Deﬁning the perceived risk factors for each vendor.
Deﬁne Critical Vendors – If a breach occurred with them, would it result in loss of PII or a signiﬁcant business interruption to your business?
Deﬁne the likelihood for a 3rd party breach that would impact your organization – Externally facing systems, user counts, system connectivity, etc.
Bring on other Business Units to evaluate 3rd party vendors such as Legal, Accounting, Sales, Marketing and Operations, etc. as all BU’s can introduce vendors who increase exposure risks.
Gaining eﬃciencies to evaluate vendors so that it is not just the top tier vendors. Some of the smaller vendors (mid to lower tier) might be opportunistic targets for hackers, therefore, gaining greater awareness with smaller vendors may identify where additional controls may be required for those vendors such as encryption, tokenization, etc.
Asking the vendor security team to ﬁll out assessments instead of the sales team.

Responding to 3rd party vendor requests:

In regulated industries like the Banking or Health Care industries, the approach 3rd party assessments diﬀerently because responses may be required by regulations.

One CISO recommend not to share:

Internal system level data (i.e. processes, settings, scans, potential ﬁndings, etc.) that is the footprint of your company and could lead to an opportunity for breach if it gets into the wrong hands.
Client or Personally identiﬁable information (PII) which is any data that could be used to identify a particular client or person.
Best to provide internally developed 3rd party assessment which has been screened for PII or conﬁdential corporate data.
If a party requests a deeper analysis than your standard report then, try to push back with a Statement of Work and fees to produce the customize report or data.
It is best to create a mutually trusted and sharing relationship with vendors, i.e. “Show me yours and I’ll show you mine.” The best relationships are give and take.

How do you manage and send out 3rd party assessments:

Tools to push out 3rd party assessments:

Out of the box 3rd Party Assessment Tools
Security Studio – My personal favorite – Easy for vendors to use so they actually complete it. Plus, they oﬀer many free personnel (www.s2me.io) and organization assessment tools.
Security Scorecard

Workﬂow / Survey Automation Tools to develop your own custom assessment tool:

Use a 3rd Party to evaluate 3rd Parties:

How much time do you want to spend evaluating systems of vendors? Therefore, the trend may be to use a 3rd party to evaluate your 3rd parties.
If a vendor has a Hi-Trust Certiﬁcation, some will use that report in lieu of an assessment.
A SOCII compliance can be used as an assessment if the ﬁndings are evaluated and acceptable.

3rd Party Evaluation Services:

Y3P – For ﬁnancial industry: Crowd sourced platform – Large overlap across banks, they provide a monitoring and validation service of ﬁnancial vendors.
Bitsight – Active 3rd party monitoring – Bitsight might be antagonistic because there are errors which need to be resolved.
iTrust – 3rd party assessment certiﬁcation.

Frequency of 3rd Party Reviews or triggers for new reviews:

At time of signing up a New Vendor or a Contract Renewal
Any major upgrade
When vendor in the news or pop up in a threat feed.
Per SOC II requirement and/or Regulatory requirements
Semiannually or Annually for new or mission critical vendors. Need to be more vigilant with newer partners.
Established trusted vendors could be less frequent
If a critical new vendor, conduct an onsite visit (if possible)

Impacted by SolarWinds?

Only one CISO out of 11 was impacted by the SolarWinds hack.
30% were using SolarWinds but those others were on diﬀerent versions.
Regulators asked about SolarWinds exposure through 3rd parties, so had to poll vendors to see if data was separated from any exposure they had..
If impacted, here are recommendations from CISA: See Appendix B for recommendations: https://www.cisa.gov/emergency-directive-21-01

How quickly do you implement upgrades and updates?

Who can you trust? Therefore, some leaders are dedicating an entire product team to evaluate solution tools to better understand any technology threats that might be introduced by updates or upgrades.
Is it time to move security programs from more of a traditional passive approach to a more cautious, threat-hunting approach?
Same leaders have all updates or upgrades to critical systems go to the lab and have tools run against them.(i.e. internal testing and sandboxing of patches, upgrades, etc.) This does result in longer lead times before it hits production. In some cases it could take 6 to 10 months before a major upgrade is validated before it goes into production.
Unless a patch is deemed critical, it would go through this process.
Move to a rigorous change management process using this ‘burn-in’ before applying new changes – even to a proven solution.
Move towards a “No Trust” environment.

Tools to help evaluate 3rd party web, software, patches, & upgrades:

Virus Total – Analyze so ware, upgrades, patches:
Manage Engine – Gets complete inventory, user activities, mandates reboots for updates.
AlgoSec – To manage ﬁrewall rules.
Medigate – To monitor medical devices.
Cy ware – Virtual Cyber Fusion Center
DarkTrace – AI cyber defense platform.
Vetra – AI-driven network detection and response
Trinity Cyber – Man-in-the-middle threat protection service

Involving Security in the vendor agreement process:

For all new vendor services involving tech, the cyber team should be involved in the contracting process to embed security clauses into the agreements.
If vendors are reluctant to fully disclose all their details, use contract language to cover liabilities
For critical vendors, build in performance and cyber SLA’s into contracts.
Contracts may be able to reduce Cyber insurance if the liability is transferred, however, evaluate business outage costs even if liability is transferred.
Start working on renewing contracts early with large critical vendors to allow a time to fully vet contracts. It may require hiring attorneys and contract negotiators to ensure the proper terms and SLA’s are built in.

What to do when a Vendor doesn’t pass an established level of scrutiny?

Establish a governance council who makes the ﬁnal business decision.
Security does not make the decision – just the review and recommend process.
Business must agree on the risk level and they decide if the risk is acceptable.
Track it & Document it.

Do you help raise the level of competency of vendors?

Share what is required, but do not coach them or prescribe a solution on how to remediate. If so, you would accept the liability.
A vendor need to right size a solution for their business not adopt your solution.

Upcoming Trends:

3rd party assessments are ﬁnally getting some executive exposure and support.
Leveraging Enterprise Risk to apply quantitative risk management models to quantify actual ﬁnancial impact. Some BU’s have very robust quantitative risk management numbers but need to do a better job on quantifying technology vendor risks.
More use of 3rd party ﬁrms to validate 3rd parties.
Bringing in a speciﬁc compliance person to handle vendor evaluation so the security team stays focused.
Build in-house capability to analyze all new technologies by upgrading the SOC with tier three threat hunters and AI tools to monitor all updates and systems.
Newer technologies coming online like internet connected AI, surgical robots, remote evaluation tools, will continue to provide new challenges for security departments.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice to on how to improve your security program.

About Tim Howard

In addition, he has a passion for helping CISO’s develop Higher Performing Teams through coaching, by creating interactive CISO Forums and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.

Invite Tim to connect: www.linkedin.com/in/timhoward

Employee Operating Manual

Company

Title

Fortune 500 Rank

Biographical Info

City

State

Employee Operating Manual

“Are we trusting our vendors too much?”

Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries.

“Zero trust is a state of mind.”

Zero Trust must be designed into everything …

One leader proclaimed, “This just shows we will never be done with security.”