InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!
In case you missed it: Paul’s Security Weekly’s new streaming time is Wednesday nights from 6pm-9pm ET & Enterprise Security Weekly’s new streaming time is Thursday afternoons from 3pm-4:30pm ET. You can view our live stream schedule at any time at https://securityweekly.com/live!
Identity services such as Active Directory are almost always abused by the attacker after the initial endpoint is compromised: stolen or forged credentials are what turn one foothold into privilege escalation and lateral movement across the domain. This is an area that lacks critical focus from defenders for a myriad of reasons. The discussion will cover how this attitude can and should change.
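As an added example (not from the segment and not Attivo Networks' code), here is a small Python detection run over constructed Windows Security event 4624 records. It flags a user account that performs network logons (logon type 3, the type SMB, RPC and WinRM lateral movement produces) to several distinct hosts within a short window, one of the simplest post-compromise signals an identity-focused defender can look for. The field names, thresholds and sample events are constructed for illustration; a real pipeline would read them from Windows Event Forwarding or a SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, shaped like the fields parsed from Windows Security event 4624
# (successful logon). logon_type 3 = network logon; type 2 = interactive console logon.
SAMPLE_EVENTS = [
    # j.doe: ordinary user, two logons to one file server during the day
    {"time": "2021-10-12T09:00:05", "event_id": 4624, "logon_type": 3, "account": "j.doe", "src_ip": "10.1.5.23", "host": "FS01"},
    {"time": "2021-10-12T13:42:10", "event_id": 4624, "logon_type": 3, "account": "j.doe", "src_ip": "10.1.5.23", "host": "FS01"},
    # svc-backup: scheduled job touching three servers an hour apart (normal at default thresholds)
    {"time": "2021-10-12T02:00:00", "event_id": 4624, "logon_type": 3, "account": "svc-backup", "src_ip": "10.1.9.4", "host": "FS01"},
    {"time": "2021-10-12T03:00:00", "event_id": 4624, "logon_type": 3, "account": "svc-backup", "src_ip": "10.1.9.4", "host": "SQL01"},
    {"time": "2021-10-12T04:00:00", "event_id": 4624, "logon_type": 3, "account": "svc-backup", "src_ip": "10.1.9.4", "host": "WEB01"},
    # DC01$: machine account fanning out quickly (replication / policy noise), excluded below
    {"time": "2021-10-12T10:15:00", "event_id": 4624, "logon_type": 3, "account": "DC01$", "src_ip": "10.1.0.10", "host": "WS01"},
    {"time": "2021-10-12T10:15:02", "event_id": 4624, "logon_type": 3, "account": "DC01$", "src_ip": "10.1.0.10", "host": "WS02"},
    {"time": "2021-10-12T10:15:03", "event_id": 4624, "logon_type": 3, "account": "DC01$", "src_ip": "10.1.0.10", "host": "WS03"},
    {"time": "2021-10-12T10:15:05", "event_id": 4624, "logon_type": 3, "account": "DC01$", "src_ip": "10.1.0.10", "host": "WS04"},
    # m.smith: compromised account, one source address hitting five hosts in four minutes
    {"time": "2021-10-12T11:05:01", "event_id": 4624, "logon_type": 3, "account": "m.smith", "src_ip": "10.1.5.77", "host": "WS01"},
    {"time": "2021-10-12T11:05:30", "event_id": 4624, "logon_type": 3, "account": "m.smith", "src_ip": "10.1.5.77", "host": "WS02"},
    {"time": "2021-10-12T11:06:12", "event_id": 4624, "logon_type": 3, "account": "m.smith", "src_ip": "10.1.5.77", "host": "WS03"},
    {"time": "2021-10-12T11:07:45", "event_id": 4624, "logon_type": 3, "account": "m.smith", "src_ip": "10.1.5.77", "host": "WS04"},
    {"time": "2021-10-12T11:09:02", "event_id": 4624, "logon_type": 3, "account": "m.smith", "src_ip": "10.1.5.77", "host": "DC01"},
    # interactive logon: not a network logon, so not counted
    {"time": "2021-10-12T11:10:00", "event_id": 4624, "logon_type": 2, "account": "m.smith", "src_ip": "-", "host": "WS05"},
]


def lateral_movement_candidates(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {account: finding} for accounts with network logons to >= min_hosts distinct
    hosts inside any sliding window of the given length. Thresholds are illustrative."""
    per_account = defaultdict(list)
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue
        if e["account"].endswith("$"):
            # Machine accounts fan out legitimately (DCs, management servers); review them separately
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["host"], e["src_ip"]))

    findings = {}
    for account, logons in per_account.items():
        logons.sort()
        for i, (t_end, _, _) in enumerate(logons):
            in_window = [l for l in logons[: i + 1] if l[0] >= t_end - window]
            hosts = sorted({h for _, h, _ in in_window})
            # keep the widest qualifying window seen for this account
            if len(hosts) >= min_hosts and len(hosts) > len(findings.get(account, {}).get("hosts", [])):
                findings[account] = {
                    "hosts": hosts,
                    "sources": sorted({s for _, _, s in in_window}),
                    "first": in_window[0][0].isoformat(),
                    "last": t_end.isoformat(),
                }
    return findings


if __name__ == "__main__":
    for account, f in lateral_movement_candidates(SAMPLE_EVENTS).items():
        print(f"{account}: {len(f['hosts'])} hosts from {f['sources']} between {f['first']} and {f['last']}")
```

The machine-account exclusion and the window/host thresholds are the knobs a practitioner tunes per environment; loosening them (a three-hour window, three hosts) also surfaces the backup service account, which is why findings should carry the source address and host list rather than just an alert.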
Tony Cole is a cyber expert with over thirty-five years of experience as a strategist, risk expert, advisor, and board member. Today, he’s the CTO at Attivo Networks, the global leader in identity detection and response, providing an innovative defense for protection against identity compromise, privilege escalation, and lateral movement attacks.
Prior to joining Attivo Networks, Mr. Cole held executive positions at FireEye, McAfee and Symantec. He’s retired from the U.S. Army, where he worked in intelligence, communications, and cryptography around the world including building out the Network Security Services at the Pentagon. Mr. Cole served previously on numerous boards and government committees including (ISC)² Board of Directors as Treasurer and Chair of Audit and Risk, the NASA Advisory Council under appointment by the NASA Administrator, and the FCC CSRIC (Communications Security, Reliability, and Interoperability Council). Today he serves on the Gula Tech Foundation Grant Advisory Board helping the Foundation give back to the community and drive a more diverse cyber workforce.
CISO at Qualys
Chief Operating Officer at Envision Technologies
Executive Director at CyberRisk Alliance
2. 4 Attributes of a Great Leader & 5 Myths About Management & Cybersecurity – 03:30 PM-04:00 PM
Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista! Keynotes from Alyssa Miller, John Strand, Lesley Carhart, Dave Kennedy, & Maril Vernon! Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!
In the Leadership and Communications section, The Gardener: Four Attributes Of A Great Leader, Unpacking 5 Myths About Management, 5 Cybersecurity Myths That Make You More Vulnerable to Attacks, and more!
The Gardener: Four Attributes Of A Great Leader –
1. They Know
2. They Feel
3. They Protect
4. They Celebrate
Unpacking 5 Myths About Management – In science the key question is “Is it true?” In management the key question is “Does it work?” But context is critical: Just because an idea works in a particular case does not mean it is a universal truth.
If you set a stretch goal, make sure that the organization has some stretch in it, or it will break.
To execute a strategy, you need a dashboard covering a wide range of performance indicators. If you treat those indicators as your strategic goals, be very sure that what you are asking for is what you want, because it is what you will get.
Your business needs a value proposition for employees as much as it needs one for customers. In developing one, think hard about what “talent” means for you and do not forget that the real challenge is building an organization that enables average people to deliver an above-average performance.
Develop good leaders, but do not neglect the skills of management, for no-one can perform if they do not have the right resources in the right place at the right time.
Reduce bureaucracy to a minimum, but make sure you have enough structure to distribute decision rights in a rational way and enough process to enable people to know how the organization will work. To deal with external unpredictability, you need internal predictability.
Ambitions, targets, talent, leadership, and culture are all important. But in each case, make sure that you’re using them rather than letting them use you.
The State of the CISO – There are three actions that CISOs must take to gain the credibility and confidence of their peers and stakeholders. The study confirms that if these actions are not taken in today’s cyber world, it’s an uphill battle:
1. Develop and manage key stakeholders.
2. Understand the business.
3. Be able to demonstrate value.
When estimating potential risks, we often rely on our intuitive sense of danger. We tend to be too optimistic or overconfident. We might also be subject to confirmation bias or have a false sense of control that could skew our perspective.
Although our brains are not necessarily optimized to assess the risk of cybersecurity incidents, we can do a couple of things to improve our chances. First, cybersecurity could learn from its older sister, physical security, as Matt Blaze suggested in an iconic paper published in 2004. The fundamental idea of the paper is that almost all systems can be broken given enough time.
5 Cybersecurity Myths That Make You More Vulnerable to Attacks –
1. Attackers Stand to Gain Nothing From Hacking My System
2. Using a Great Security Solution Is Enough
3. Implementing Cybersecurity Is Too Expensive
4. Cyber Threats Are Only External
5. I’m Safe Because I Have a Security Expert on My Team
5 IT risk assessment frameworks compared – Formal risk assessment methodologies can help take guesswork out of evaluating IT risks if applied appropriately. Here is real-world feedback on using COBIT, OCTAVE, FAIR, NIST RMF, and TARA.
The Risk Management Framework (RMF) from the National Institute of Standards and Technology (NIST) provides a comprehensive, repeatable, and measurable seven-step process organizations can use to manage information security and privacy risk. It links to a suite of NIST standards and guidelines to support the implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), developed by the CERT Division of Carnegie Mellon University’s Software Engineering Institute, is a framework for identifying and managing information security risks. It defines a comprehensive evaluation method that allows organizations to identify the information assets that are important to their goals, the threats to those assets, and the vulnerabilities that might expose those assets to the threats.
Control Objectives for Information and related Technology (COBIT), from ISACA, is a framework for IT management and governance. It is designed to be business focused and defines a set of generic processes for the management of IT. Each process is defined together with process inputs and outputs, key activities, objectives, performance measures and an elementary maturity model.
Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cybersecurity vulnerabilities and deploy countermeasures to mitigate them, according to MITRE, a not-for-profit organization that works on research and development in technology domains including cybersecurity.
Factor Analysis of Information Risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. Developed by Jack Jones, former CISO of Nationwide Mutual Insurance, the framework is mainly concerned with establishing defensible probabilities for the frequency and magnitude of loss events: risk is decomposed into loss event frequency (itself threat event frequency times the probability that a threat event becomes a loss) and loss magnitude, each estimated as a calibrated range rather than a single guess.
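As an added worked example (not from the CSO article and not the FAIR Institute’s own tooling), here is a minimal FAIR-style Monte Carlo in Python. It uses FAIR’s top-level decomposition, loss event frequency = threat event frequency × vulnerability and risk = LEF × loss magnitude, turns calibrated min / most-likely / max ranges into distributions, and reports annual-loss percentiles instead of a single number. The scenario values, the PERT choice and the thresholds are constructed assumptions for illustration, not calibrated estimates.

```python
import math
import random
from statistics import mean


def pert(rng, low, mode, high, lam=4.0):
    """Sample a modified-PERT distribution (a Beta rescaled to [low, high]).
    A common way to turn calibrated min / most-likely / max estimates into a distribution."""
    if high <= low:
        return low
    a = 1.0 + lam * (mode - low) / (high - low)
    b = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def loss_event_frequency(tef, vulnerability):
    """FAIR: LEF = Threat Event Frequency x Vulnerability (P(a threat event becomes a loss event))."""
    return tef * vulnerability


def annualized_loss_expectancy(tef, vulnerability, loss_magnitude):
    """Single-point FAIR estimate: LEF x Loss Magnitude. A sanity check on the simulation's mean."""
    return loss_event_frequency(tef, vulnerability) * loss_magnitude


def simulate(scenario, trials=10_000, seed=1):
    """Monte Carlo over the calibrated ranges. Returns annual-loss percentiles, the mean,
    and the probability of at least one loss event in a year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        tef = pert(rng, *scenario["tef"])
        vuln = pert(rng, *scenario["vulnerability"])
        events = poisson(rng, loss_event_frequency(tef, vuln))
        # each loss event draws its own magnitude; a year's loss is the sum
        losses.append(sum(pert(rng, *scenario["loss_magnitude"]) for _ in range(events)))
    losses.sort()

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "mean": mean(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


# Constructed scenario (illustrative numbers, not calibrated data): phishing-driven credential
# theft against an internal application. Each tuple is (min, most likely, max).
SCENARIO = {
    "tef": (2, 6, 15),                            # threat events per year
    "vulnerability": (0.05, 0.15, 0.40),          # P(threat event becomes a loss event)
    "loss_magnitude": (20_000, 80_000, 400_000),  # loss per event, USD
}

if __name__ == "__main__":
    print("point estimate ALE:", annualized_loss_expectancy(6, 0.15, 80_000))
    print(simulate(SCENARIO))
```

The useful output is the spread, not the mean: a p90 several times the p50 tells a CISO how fat the tail is, which is what a stakeholder weighing a control’s cost actually needs and what a single “high / medium / low” rating hides.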