Business Security Weekly Episode #240 – November 15, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Protecting Identity Services – 03:00 PM-03:30 PM

Sponsored By

Visit https://securityweekly.com/attivonetworks for more information!

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • In case you missed it: Paul’s Security Weekly’s new streaming time is Wednesday nights from 6pm-9pm ET & Enterprise Security Weekly’s new streaming time is Thursday afternoons from 3pm-4:30pm ET. You can view our live stream schedule at any time at https://securityweekly.com/live!

Description

Identity services such as Active Directory are an area that attackers almost always use after the initial endpoint is compromised, yet one that defenders neglect for a myriad of reasons. The discussion will cover how this attitude can and should change.

This segment is sponsored by Attivo Networks. Visit https://securityweekly.com/attivonetworks to learn more about them!

Guest(s)

Tony Cole – CTO at Attivo Networks

@NoHackn

Tony Cole is a cyber expert with over thirty-five years of experience as a strategist, risk expert, advisor, and board member. Today, he’s the CTO at Attivo Networks, the global leader in identity detection and response, providing an innovative defense for protection against identity compromise, privilege escalation, and lateral movement attacks.
Prior to joining Attivo Networks, Mr. Cole held executive positions at FireEye, McAfee and Symantec. He’s retired from the U.S. Army, where he worked in intelligence, communications, and cryptography around the world including building out the Network Security Services at the Pentagon. Mr. Cole served previously on numerous boards and government committees including (ISC)² Board of Directors as Treasurer and Chair of Audit and Risk, the NASA Advisory Council under appointment by the NASA Administrator, and the FCC CSRIC (Communications Security, Reliability, and Interoperability Council). Today he serves on the Gula Tech Foundation Grant Advisory Board helping the Foundation give back to the community and drive a more diverse cyber workforce.

Hosts

Ben Carr

CISO at Qualys

Jason Albuquerque

@Jay_Albuquerque

Chief Operating Officer at Envision Technologies

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

2. 4 Attributes of a Great Leader & 5 Myths About Management & Cybersecurity – 03:30 PM-04:00 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista! Keynotes from Alyssa Miller, John Strand, Lesley Carhart, Dave Kennedy, & Maril Vernon! Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

  • Join us for our next live webcast on December 2nd to see what’s under the XDR hood. Visit https://securityweekly.com/webcasts to save your seat! Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand

Description

In the Leadership and Communications section, The Gardener: Four Attributes Of A Great Leader, Unpacking 5 Myths About Management, 5 Cybersecurity Myths That Make You More Vulnerable to Attacks, and more!

Hosts

Ben Carr

CISO at Qualys

Jason Albuquerque

@Jay_Albuquerque

Chief Operating Officer at Envision Technologies

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

  1. The Gardener: Four Attributes Of A Great Leader – If the best leaders are like gardeners, what characteristics can we learn from the green thumbs around us that we can translate into the workplace to see our employees bloom?

    1. They Know
    2. They Feel
    3. They Protect
    4. They Celebrate

  2. Unpacking 5 Myths About Management – In science the key question is “Is it true?” In management the key question is “Does it work?” But context is critical: Just because an idea works in a particular case does not mean it is a universal truth.

    If you set a stretch goal, make sure that the organization has some stretch in it, or it will break. To execute a strategy, you need a dashboard covering a wide range of performance indicators. If you treat those indicators as your strategic goals, be very sure that what you are asking for is what you want, because it is what you will get. Your business needs a value proposition for employees as much as it needs one for customers. In developing one, think hard about what “talent” means for you and do not forget that the real challenge is building an organization that enables average people to deliver an above-average performance. Develop good leaders, but do not neglect the skills of management, for no one can perform if they do not have the right resources in the right place at the right time. Reduce bureaucracy to a minimum, but make sure you have enough structure to distribute decision rights in a rational way and enough process to enable people to know how the organization will work. To deal with external unpredictability, you need internal predictability.

    Ambitions, targets, talent, leadership, and culture are all important. But in each case, make sure that you’re using them rather than letting them use you.

  3. The State of the CISO – There are three actions that CISOs must take to gain the credibility and confidence of their peers and stakeholders. The study confirms that if these actions are not taken in today’s cyber world, it’s an uphill battle:

    1. Develop and manage key stakeholders.
    2. Understand the business.
    3. Be able to demonstrate value.

  4. Zoom CISO’s Lessons in Scaling With Simplicity – A simple security strategy is standardization augmented by innovation. Here’s what that looks like:

    1. Consistency with industry best practices
    2. Standardized design processes
    3. A real-time feedback loop
    4. Persistent employee education

  5. Why are people so bad at risk assessment? Blame the brain – Stakeholders and CISOs tend to have different perspectives on estimating the risk of a potential cybersecurity incident. Understanding the psychological aspects can help bridge the gap.

    When estimating potential risks, we often rely on our intuitive sense of danger. We tend to be too optimistic or overconfident. We might also be subject to confirmation bias or have a false sense of control that could skew our perspective.

    Although our brains are not necessarily optimized to assess the risk of cybersecurity incidents, we can do a couple of things to improve our chances. First, cybersecurity could learn from its older sister, physical security, as Matt Blaze suggested in an iconic paper published in 2004. The fundamental idea of the paper is that almost all systems can be broken given enough time.

  6. 5 Cybersecurity Myths That Make You More Vulnerable to Attacks – A lot of conflicting information exists about cybersecurity. So, what shouldn’t you believe?

    1. Attackers Stand to Gain Nothing From Hacking My System
    2. Using a Great Security Solution Is Enough
    3. Implementing Cybersecurity Is Too Expensive
    4. Cyber Threats Are Only External
    5. I’m Safe Because I Have a Security Expert on My Team

  7. 5 IT risk assessment frameworks compared – Formal risk assessment methodologies can help take guesswork out of evaluating IT risks if applied appropriately. Here is real-world feedback on using COBIT, OCTAVE, FAIR, NIST RMF, and TARA.

    The Risk Management Framework (RMF) from the National Institute of Standards and Technology (NIST) provides a comprehensive, repeatable, and measurable seven-step process organizations can use to manage information security and privacy risk. It links to a suite of NIST standards and guidelines to support the implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).

    The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), developed by the Computer Emergency Readiness Team (CERT) at Carnegie Mellon University, is a framework for identifying and managing information security risks. It defines a comprehensive evaluation method that allows organizations to identify the information assets that are important to their goals, the threats to those assets, and the vulnerabilities that might expose those assets to the threats.

    Control Objectives for Information and related Technology (COBIT), from ISACA, is a framework for IT management and governance. It is designed to be business focused and defines a set of generic processes for the management of IT. Each process is defined together with process inputs and outputs, key activities, objectives, performance measures and an elementary maturity model.

    Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cybersecurity vulnerabilities and deploy countermeasures to mitigate them, according to MITRE, a not-for-profit organization that works on research and development in technology domains including cybersecurity.

    Factor Analysis of Information Risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. Developed by Jack Jones, former CISO of Nationwide Mutual Insurance, the framework is mainly concerned with establishing accurate probabilities for the frequency and magnitude of data loss events.