Watch podcast interview now with Khai Waterman and the HALOCK Radio host Terry Kurzynski.

TRANSCRIPT

With Khai Waterman.
Khai, you’ve been gracious enough to allow this one to be recorded.

I’ve been doing these Security Briefings for the last four years.
And I have a lot of folks say, what happens in the briefings?
Can you tell me about it before they wanna really sign up for one?

So it’s great for you to have this one recorded so we can send this out to other folks.

They can see kinda behind the scenes what actually happens on the security briefings.

But in general, you know, what’s going on in the industry with breaches, changes in, you know, litigation or regulations out there, you know, big breaches, insights, new technologies.

You know, that’s what we’re gonna go over.

In fact, you and I have known each other since the nineties, going back to when you were director of IT initially. But now, in the last few roles, you’ve been CISO.

So it’s been, I’m gonna guess, twenty six plus years, going on twenty seven, that we’ve actually known each other and worked together.

Right?

Yeah. It’s, it’s been a while. Pre-kids. Definitely.

But yet, never a briefing. Right?

So I thought, well, okay. Let’s just do two on one here.

So maybe this is a good time for us to get together and go for this.

So let’s start out. I’m gonna share a screen here. And since you actually never experienced this either, I got the short form and long form.

The short form is stuff that’s kinda changing daily with, you know, kind of intel.

So this is on a PowerPoint, and I send this all out to folks after we do the briefings as well.

So let’s just jump right into it.

Are there any hot topics, by the way, things that you’re working on in the industry that you think are hot topics that, you know, you wanna make sure we’re covering?

Yeah.

You know, there’s a lot of awareness in almost every industry, regarding, you know, breaches.

And this is great information, but there have been several situations where CISOs have been targeted directly due to their company’s lack of security.

So if there’s, you know, any additional information that CISOs really need to arm themselves with to ensure that, you know, they have proper insurance coverage, etcetera, that would be extremely helpful.

Alright. Making a point of that one. I hadn’t heard of that aspect of it, but, it makes sense.

So, but just to start out, a lot of people have board meetings and they have a lot of data they need to try to pull together to present to the board.

So one of the things I have here is any information I’m supplying, you’re free to reuse. I usually cite the source of the information that I’m gathering unless it’s our own intel.

So in this case, this came from Harvard Business Review: twenty percent increase in data breaches from 2022 to 2023, twice as many victims, ransomware activity, as we saw, a big increase, seventy seven percent.

On the next slide, you’ll see what the actual extortion payments increased by. Eighty percent of the breaches involve some sort of cloud storage.

This will be a little bit of a theme today for the briefing.

Most of those are dealing with cloud misconfigurations.

You know, we talked about this before, a little bit of the toxic combinations: exposing assets that weren’t supposed to be publicly accessible, not changing the default passwords, not putting MFA in place.

You know, they’re just these toxic combinations allow for threat actors to get in on cloud environments that can quickly be spun up and spun down.

Right?

You know, I wonder if it would make sense to, you know, have an organization similar to OWASP where they release the top ten cloud misconfigurations every year.

I guarantee you, they wouldn’t change that much. And the simple fact that eighty percent of these breaches are due to that, we could minimize or mitigate.

Let me tell you what we’re working on for the briefing.

So this is coming up in the next quarter’s briefing. We are working on compiling the last hundred plus, maybe even thousand pen tests that we performed. And I don’t know what the title is gonna be called, but it’s like the top ten things you can do to stop hackers in their tracks.

So lessons learned from the field, from our hackers, how are we getting in. You can guess what the number one is, but it’s patching, mobile, you know, where the patch has been out for over a year.

That’s number one.

Like, that’s still the number one thing that people can do because it’s almost half the breaches right now.

That’s crazy. With that.

So cloud security is gonna be a theme today.

Also, ninety eight percent of organizations have a relationship with a vendor that was breached. Namely, everyone has worked with someone that’s been breached over the last two years.

So that kinda puts in the mind vendor risk management. It’s another theme today.

Ransomware extortion payments. So I mentioned they went up. Well, they went up almost double. So 2022, the extortion payments were five sixty seven. They hit one point one billion last year.

Five hundred and thirty eight new variants. It works. It pays. Here’s a full report on it.
Like, link is right there.

We have another federal bill for privacy. So the American Privacy Rights Act of 2024, this was just published two weeks ago. It’s not law, but the summary of the bill is here. The full bill is here, but these are just some of the points from it. And I wanted to point out this one, which is, you know, our whole duty of care theme.

Covered entities and service providers must assess vulnerabilities and mitigate reasonably foreseeable risk to consumer data. So hopefully, everyone has a good risk assessment in place to be able to do that one.

But, so that’s out there.

AT&T was in the news a couple of weeks ago. This was really from an old breach though, in 2019. Now the reason why I’m posting this one is because they originally denied this in 2021 when this breach became publicly notified. They said, no.

It’s not us.

But then, TechCrunch did some research and said, no. I think it really is. So about two, three weeks ago, they actually had to formally announce, yes. Seventy three million records were breached, social security numbers (SSN), birth dates, passcodes.

And so if you wanna know whether you’ve been pwned, you can obviously go there and figure that out. But they’ll also cover some of your, identity theft cost and things like that.

Moving on.

So you saw Microsoft, you know, they had the China situation last summer, but since fall and this year, it’s been all about Russian hackers.

Right? And it’s that same group.
Right?

So Midnight Blizzard, Cozy Bear, Nobelium, APT29, they all go by the same name. But this started out as a password spray, and you know what that is.

It’s one password that you use on all the accounts. And if you don’t get it that way, you don’t trip the password lockout, right, for that one account. And then the next day Right. They’ll try another password on all the accounts.

Well, so they started that in November. They got a hit January twenty fourth. So it took a few months. They had to be patient. It was one of those legacy Microsoft accounts that did not have MFA in place. That was enough to get in and then escalate privileges into the corporate environment.

You know, how they did that is not really known yet, but they created a malicious OAuth application, created a new user in that corporate environment, and granted access to that OAuth application. And then that legacy OAuth app was granted access into their corporate emails, and this is where the biggest no-no was.

Right?

There was sensitive information being shared in those emails from Microsoft execs and corporate folks at Microsoft with clients, passwords and such. So now, in the last few weeks, you saw DHS tell the federal agencies to change passwords, because they use a lot of Microsoft Azure and things like that, because they believe that these passwords were compromised or that, you know, they were targeted specifically in this.

But even commercial customers, you know, should be changing their passwords in there. So that’s Microsoft. Any thoughts on that one? Any questions?

You know, it’s almost funny, if not sad, that, you know, Microsoft can be in the middle of this when they really have the tools and Yeah. Solutions not to be.

You know, it’s kinda disappointing, actually.

Comes down to a little bit of corporate culture, you know, and I think that it kinda started with, you know, Ballmer, you know, when they went over to China. And I think that there’s a little bit too much of this, let’s open up things to the global market, but the global markets wanna steal our stuff.

I mean, that’s what we gotta be mindful of.

So, moving on, health care. And I don’t think you’ve had any health care in your background, but we’ve got some stats on that. That obviously was a big target for hackers, especially for ransomware, over the last few years.

These are some of the big breaches. I got links there to the HIPAA Journal on that one. But we were talking about this a little bit before we started, this Change Healthcare one where, you know, Change Healthcare was pushed into making the payment, the twenty two million dollar ransom payment.

But then the ransomware as a service (RaaS) guys, this particular one, BlackCat, the ALPHV guys, decided not to pay the threat actor that got in initially, who was supposed to share in the, you know, the prize money.

So the threat actor said, I’m keeping it, and they’re trying to do a second form of extortion now on Change Healthcare. So that’s an interesting twist on things that, the ransomware as a service not paying out could actually maybe implode the whole ransomware as a service a little bit if these guys are not actually gonna pay out.

Some of the predictions from HALOCK: the rise of governance. And you were steeped in this stuff with publicly traded companies. But with the SEC cybersecurity rule now requiring organizations to demonstrate how they’re governing, how the board is involved in making cyber decisions, how executive management is determining threats, how they’re bringing those down to an acceptable level. That is predicting for us the rise of governance. Also, you have the govern function now in NIST 2.0. We see all the regulations like PCI, even with more targeted risk analysis (TRA). So one of our predictions is the rise of governance.

The other is SIM swapping attacks. Turns out banks are really, really bad at identity and proving out identities and getting that right. So the threat actors are like, we’ll just bypass the companies. We’ll just go where the money is, and it’s at the banks. They’ll impersonate the CFO. They’ll do a SIM swap, and they’ll transfer money. The key thing I found out about is that’s not covered by the bank. That’s not covered by FDIC. You’re just out. And so you get to you know, as a corporation, you’ll have to make sure that you have good cyber insurance for ecrimes or financial inducement instructions, which I’ll cover in just a second.

Increased cloud security attacks, Nth party attacks. We saw the big MOVEit one. That was over a hundred million in extortion. And the people injured from that weren’t even doing business with MOVEit, you know, Progress, I should say, right, which owns the MOVEit software.

It’s a supply chain issue, which it turns out thirty eight percent of all the breaches are not even from your vendor, but somewhere down the supply chain that will impact you. So we think that’s gonna continue to increase. Increased ransomware attacks, why they pay, and then frictionless authentication.

To me, this is an interesting one. You remember back in the nineties, Khai, we would tell people, you can’t write down your password on a sticky note.

Right?

And then, I don’t know if it was about four years ago or so, five years ago, somewhere the malware was being injected into the browsers and the plugins, and the threat actors were able to harvest passwords from the browser.

On average, thirty six passwords harvested from the browsers. So we said Yep. You know, don’t save them in the browsers.

That’s not a good idea either.

Well, then we see now, in the last, what, eighteen months, two years, password manager vaults are targeted. So what are we gonna do?

Have the users have these thirty to forty passwords that they have to rotate every ninety days and they can’t keep anywhere?

So what’s crazy about that is, I believe Verizon came out with this statistic, but the average user has more than a hundred online accounts.

So that’s crazy.

You know, you can essentially deduce that since, you know, less than thirty percent of users actually have a password manager or use a password manager, that there’s a lot of reuse going on Right.

Or some level of, you know, abbreviated passwords. So credential stuffing. You know, hack a site over here, reuse those over here, and they’ll get a hit.

Right?

Yeah.

So we believe that the rise of frictionless authentication, especially now with Windows Hello and passkeys, YubiKeys, you know, Google Titan, all these things are contributing to, we wanna reduce the friction.

We’re not necessarily, I think, gonna go purely passwordless, but reducing that friction so we don’t have to rotate passwords as often.

So the next series here just hits on cloud security. I’m just trying to make the point, you know, this is the Department of Defense (DoD), Mercedes-Benz. They had their GitHub instance exposed for over four months. That’s a Microsoft asset. Right?

Unmonitored, unrestricted access to their entire code base. We don’t know where this is gonna end up yet, but I’m sure the threat actors are planning their next move right now. EquiLend, we saw that this disrupted all kinds of transactions, including trying to close on a house at the end of January if you were trying to do that.

Cloudflare.

So this stemmed from that October fourteenth Okta breach, one of the Okta breaches. And CrowdStrike did identify it by November twenty fourth. Cloudflare was publicly not happy with CrowdStrike for taking ten days to notify it and see it and stop it. But the threat actors got into the AWS environment, including the Jira and Confluence environments. So, again, going after source code. Right?

This one just happened recently. So CISA published their initial rulemaking on April fourth for that Cyber Incident Reporting for Critical Infrastructure Act, which Biden signed in 2022. It was supposed to start moving in 2024. So now the rulemaking is finally happening to put together the structure around it. We expect that the rules will be published in 2025. It’s open for public comment right now, actually, until June third. So if you’re part of critical infrastructure, this is a big deal. Enforcement will be 2026. There are exclusions for small businesses, and they now have defined what “substantial attack” means in the rulemaking. So you can click here to check on the rules. I did put that in here too, just to list off what “substantial” means, because that was a part of what the rulemaking identified.

Have you been a part of any critical infrastructure over the years? I think you have. Right?

Yes. I have.

Ivanti Connect Secure, they have their challenges. This is an acquisition of Pulse Secure. We’ve been advising folks probably to migrate off of that, and many have and are in the process of doing so. Citrix, please, is still giving some organizations some issues.

Sony Games, someone tried to extort them for two million, the Rhysida gang. It’s the Insomniac division, the gaming division of Sony. They did not pay it, so they dumped all the IP onto the Internet. So that’s what happened with that one. One point six terabytes of secrets of how the games turn out, and code.

US officials have seized a bunch of sites and about thirteen hundred people have been able to decrypt their ransomware attacks over the last eighteen months, so that’s some good news. China can. They’ve been stealing our IP for over twenty years, but now they set up shop on all of our critical infrastructure, water systems, transportation, gas, etcetera.

So this is an escalation. I just wanna make sure we’re letting people know. I’m actually speaking in front of the municipalities next week around the country, trying to give them some advice on how to secure our water systems.

Some of the mergers and acquisitions happening in the space. You’ve been part of many acquisitions and mergers (M&As) over the years, so you know what that’s like. More than a hundred and fifty. Microsoft was targeted pretty heavily there at Microsoft 365. And so I always ask people what their, you know, Microsoft licensing is if they’re a Microsoft shop. And if they’re on E3,

I’m always suggesting to get to something like an E5 so that they can do things like device registration and conditional access, and also to make sure that they have some good DNS filtering in place.

Question for you.

How are you handling remote workers, right, with DNS filtering? Are you backhauling them? Are you going through a SaaS? What’s your answer for DNS filtering for remote workers?

It really depends on the situation and sometimes geographical locations. You know, essentially, the short answer, or cheap, not necessarily from a financial impact standpoint, is, you know, force all remote users to have a standard endpoint and, you know, VPN back into central locations and, you know, receive DNS that way. If you’re at an organization where that isn’t necessarily the case, you know, there’s several services out there to help with that process. But you’re still dependent on the end user and the formal training for that end user to ensure that they don’t Yeah. You know, make it easy or open something up, by mistake or on purpose.

You have to simultaneously lock down their systems so they don’t have admin rights to add their own apps to those systems too? Otherwise, they’re just gonna bypass everything you just put in place.

Right?

Absolutely. They are.

And if you’re forced to allow, you know, bring your own device, you’re limited. It’s really tough, from a perspective.

Yeah. I see a lot.

So do you think a lot of organizations are struggling with this? You know, you’ve been to a bunch. You know, is this something that most organizations have their grip on, or is this still an open issue?

Well, I mean, I’ve, you know, I’ve also been

yes.

I believe it is an open issue for organizations within a specific financial threshold. Organizations that can, you know, deal with, say, VDI or some level, you know, of VPN connection where they’re forcing the end device, you know, to go through a specific control check or specific controls, they can bypass or prevent, you know, mitigate, that type of decision making by the end user.

But organizations that can’t, they suffer through that, and it’s very difficult for them to mitigate.

Yeah. I do think this is a problem.

The next few here, really, there are some Asian banking apps that are allowing, you know, threat actors to deplete the bank accounts, and that’s both through Android and iPhone. We haven’t yet seen it come over to America, but we think it’s coming.

This is just Absolutely. Including crypto.

In fact, I think you were over in Asia recently. So are there any updates on these apps that you can give me?

So I can tell you people were freaking out just recently when several crypto drainers were making huge headlines over there. People were being sent links. If you clicked on the links, you got drained, and they followed very similar financial banking, you know, applications. They made themselves look official. They mirrored, copied almost identical to every pixel of, you know, popular apps, including, you know, major banking chains, as well as crypto wallets.

And so it’s a major problem, and we can definitely see that happening, you know, progressing in this direction very easily. They’re gonna follow the money.

That’s Yeah.

To me, I thought it was like a test bed. You know?

Let’s get all the kinks worked out over there, and then now let’s go to Europe and the US.
Right?

I absolutely agree. That happens all the time.

Asia Pac gets targeted.

Next thing you know, they start targeting the specific industries that worked well for them.

Yeah.

Well, we have jobs for a while, I guess.

So in the industry, I’ve been doing this thing the last couple months, the five things you can do to survive a breach, and one of them is taking a look at your cyber insurance policy. So I’ve done a lot of review of cyber insurance policies. And one of the things that we’ve noted is that the retentions, which are known as the deductible, have increased four hundred percent over the last few years.

Now, okay, insurance is going up, retentions are going up, but what I’ve noticed is that the sublimits for these things have not been going up at the same pace. So, generally, there’s a policy, but then there are some sublimits for some carve-outs of specific things. But the very things that you want cyber insurance for, extortion payments, funds transfer fraud, social engineering, fraudulent inducement instructions of your people or your financial institutions, ecrimes, these are the very things where sometimes the sublimits are less than the retention. So you actually, in effect, don’t have insurance. So this is a real problem that I don’t think a lot of people understand they even have, or they may not even have these components in their cyber insurance.

So that example I gave about, you know, your banking example too, that stuff’s not covered. You know, you’re just out if you don’t have these sorts of protections. The second thing I usually talk about is incident response readiness (IRR). The ability for an organization to actually identify that they have an issue. Right? The monitoring, the alerting. Are they logging correctly to know where the threat actor is actually touching, what systems, what records?

So I roll this all into an incident response readiness program and making sure that the runbooks are current, that their management is involved. So I think this is a really important aspect too of surviving a breach, is incident response readiness.

I totally agree.

Some of the larger issues, say, like alert fatigue. There are, you know, tons of IT slash security departments out there that just stop and start ignoring alerts because, you know, that’s all they get. It just keeps filling up their inboxes. They create rules. It goes straight into trash cans.

And you really do a disservice to your company when that starts taking place. So if you’re not on top of that, your incident response plan (IRP) is going to be the next step that really needs to be mature. So, you know, it really starts with ensuring that your team has all the necessary tools to mitigate in the first place.

Speaking of incident response, you know, that cybersecurity rule gives a four day notice.

Right? You have to, for any material breach, you got the four days.

So I’m just making sure people know about that. But most publicly traded companies are very informed on the SEC cybersecurity rule at this point. These are some lessons learned I put together with my team over the last, you know, few months. But tabletop exercises, you should be performing them. Usually, cyber insurance requires that you’re performing them, but you should include management so that they’re involved in these things to make those big decisions.

Right? Do we pay? Do we not pay? Right?

Usually, because this comes down to a ransomware thing.

The VERIS Community Database (VCDB). So this is pumped out by Verizon. This is different than the Verizon report, which is coming out in early May, which is their breach report of things they investigate. This is the publicly known, publicly notified breaches.

The names of the companies are known. But I’m suggesting that organizations take a look at that once a year to see what’s trending in their industry for breaches so that they can create a runbook or protect themselves against the next thing that’s affecting their peers.

Leaders need to lead.
A lot of times, the tech person’s on scene. They’re doing all the technical, like, oh, I think we have a problem. When it’s known that there’s a cyber incident, we should make sure we’re triggering the, you know, the incident response plan, and the leader of that incident response team needs to take control. Test your managed security service providers (MSSPs). Now this has been a big one over the last two years. So everyone’s outsourced. They have an MSP monitoring the SOC or the endpoint or some sort of MDR. I always ask, well, how do you know it’s working? And, you know, lately, a lot more people are saying, well, we’re doing our assumed breach or adversarial simulation.

Good job, because that’s the next step up from a basic pen test, is to see, you know, are your security solutions and security providers, monitored management providers, actually going to do what they’re supposed to do when the threat actors run into the organization?

So I love that one. You have a comment on that one? Looks like you wanna say something.

I love that as well. You know, long gone are the days that you come, wash your hands because you hired an MSSP, and walk away.

You just can’t do that anymore. You have to stay on top of them. And, you know Keep them on as well.

Stranded hand yeah.

It goes hand in hand with alert fatigue too.
Because if they’re not doing their job and all they’re doing is acting like call centers, that means your team isn’t getting the benefit of that MSS fee.

Yeah.

And the people are paying tens of thousands of dollars per month for that.
You have a plan. Follow it. You don’t wanna go rogue.

This is a big one.

Test your cybersecurity insurance hotline. So I ran into a couple of issues where clients had a ransomware attack. Backups are locked up. They have a note. Pay seven hundred fifty thousand dollars, you know, to get the decryption key. Well, they call. It’s Friday. It’s six o’clock. Right? So not unlike right now, and insurance doesn’t call them back till midday Monday. Well, how are you gonna incorporate that into your planning?

Right?

So I’m suggesting folks reach out, test this on a holiday or weekend, on a night, clock it, see how long it takes the crisis hotline to get enabled with you so they can walk you through this, and say, oh, it’s a part of a test. And then work that into your next tabletop exercise when someone says, yeah, call insurance. Great. We just did. They’re gonna call back in forty seven hours. Now what do we do?

Right?

Actually incorporate that whole thing into your planning. Include critical partners in the plan and readiness exercises. I think this is really key. If you’ve outsourced a lot of pieces of your organization that are critical, you gotta bring them into your plan for your IR plans and the exercises. Review the IR plans and readiness of your critical vendors.

Right?

That’s not something we normally do in a vendor risk management exercise, is to get deep into that. Usually you say, do you have a plan? Do you do exercises? I’m talking about a level deeper. If you’re breached, how do you know whether my data and my systems were impacted versus another client’s? Please walk me through how you would be able to differentiate that so that you have reasonable belief yes or reasonable belief no. And I think if you start drilling in from that perspective, we get a good idea whether these vendors actually can handle an incident if it comes in. That’s because fifty four percent of the breaches are from a vendor.

Right? They start somewhere in the supply chain. Fifty four percent of the breaches start with a third party. Thirty eight percent are an Nth party somewhere down the chain that eventually impacts you. Someone that you’re not managing the security of. So what does that mean we need to do? I’ve been advising that in vendor risk management, you need to include a strong assessment of your vendor’s risk management process to know that down the chain, at least two away, there’s strong security, at least at the, you know, fourth party.

Right? So that you actually know what’s going on there.

Have you seen this start to take hold? Have you seen this in any of your last organizations where you guys are starting to do that?

Only in one, and that’s due to a push because there was such a reliance on that firm I see. For all of these vendors. The view typically is that most of the VRM, vendor risk management, departments are understaffed. You know, they have one or two people, or even four or five for larger firms, and they’re so busy, you know, dealing with requests for information or reviewing potential new clients that they don’t have the time to go back and look at this. You know, there are a lot of automated tools now that help with this process, and that definitely will start kicking in and start being appreciated once, you know, larger firms start adopting, and then a down-chain reaction occurs and, you know, vendors start becoming more mature with their process.

Yeah.

I think this is a big one that’s hard for organizations to get control of, because it’s sort of out of their control. And that’s the other reason why the SEC, this is one of the other clauses in their cybersecurity rule: companies will need to disclose how they evaluate and manage risk posed by third parties such as service providers, technology providers and suppliers. So now they have to actually talk about how they’re, you know, managing those risks of their supply chain. Now when I do vendor risk management on behalf of a client, I wanna know that their vendor is considering harm to them. I kinda highlighted here the impacts and obligations owed to my client.

Are these vendors considering that? And what I like to see coming back is something like this, that they’re considering in their risk management program or risk assurance documentation, the obligations owed to clients for protecting personal information from potential harm and the overall public interest.

Right? This one will stand up. Right?

Because now I don’t necessarily need to know every single control if I know that their risk management process is considering harm to my client. Every new control that comes by is not necessarily as important as their ability to understand whether the client’s at risk and that they’re putting in and mitigating risk down to an acceptable level.

So those that can’t do that get these big fines and class actions against them. So these are the big ones last year. And it’s because these organizations, and you’ve been involved in sort of duty of care and, you know, the risk management and governance side for years.

I think you’re even either a current or former ISO 27001 implementer or auditor.

Right?

Yes.

It’s because these organizations did not consider these aspects.

Right?

They didn’t think through the likelihood of the potential harm to you and others. They did not think about the magnitude of that potential harm. In other words, was it an inconvenience, or was it identity theft, or was it death?

Right? You know?

It’s like, these are big deals to consider. Did you consider the safeguards to reduce the risk down to an acceptable level? Acceptable not just from the perspective of the organization, that they can afford a fine or a reputational hit, but acceptable to the person that’s gonna engage in your products or service.
Would that be deemed acceptable for them to engage in your services? And you need to consider that, because they don’t always have an opportunity to do a vendor risk assessment on you before they take out that checking account or before they get that, you know, that surgery scheduled. So it’s up to that organization to actually manage that duty of care for them, to bring that down to an acceptable level of risk. Do you have frameworks to consider whether it’s reasonable or burdensome?

And what was the relationship between the parties, and was it worth it? And one of the examples I like to give here, which is, you know, I was a former skydiver. I think you remember back in the day, I used to go skydiving quite a bit. But you show up to a drop zone, you gotta do the video, you got the training, you got this, you know, contract. Essentially, it’s an attorney liability letter, which is like, this is dangerous. You might get injured. You might die. You can’t sue us. Your family can’t sue us. You’re probably gonna die. You will die. Sign here. Right?

So that’s basically how these documents go. And so you’re like, you sign off. Why? Because okay. I get it. It’s really risky, but I like the benefit. And so that’s why you engage in it.

But we always don’t have that opportunity to understand really what the risks are that we’re being posed.

They’re not that obvious. Right?

So Right.

Organizations need to consider that harm for them. And when they don’t, they have these fines. That’s the whole reason why the SEC cybersecurity rule and the rise of governance has all come around. I got some of the links to it right here on the cybersecurity rule. Little bit on cybersecurity risk management.

Key point, I like to talk about this a lot.

Risk is not a maturity assessment. Now I’m stating this for all the big accounting firms out there that say they do risk assessments. It is not a maturity assessment. 3.2, you should get to a 3.4. That’s not a risk assessment. That is not going to cover, and be qualified as, a risk assessment. It’s a maturity model assessment. It is not a risk assessment.

Compliance assessments are not risk assessments.
A gap assessment is not a risk assessment.

Yet, I continuously see this as I do these briefings with clients.
They’re like, oh, so and so just did our risk assessment. I go, well, let’s talk about the results. What are you gonna do with that 3.2? How are you gonna decide where you’re gonna actually implement your controls? Where are you gonna allocate your limited funds to reduce risk of harm to the organization and to others, which is actually your duty of care? Your duty of care is not to get to a 3.4. Your duty of care is to keep shareholders, your clients, and the general public out of harm’s way that’s foreseeable. That’s actually what’s required. Nowhere on the face of the plan does it say to do a maturity model assessment and get to a 3.4, yet this is what’s happening.

Any experience with that? Have you ever had that request?
I wanna know what our maturity score is.

Yes.

At multiple organizations, and they were told in the past that, you know, a gap analysis was a risk assessment or a pen test was a risk assessment, and that’s what they presented to the board, unfortunately.

So yep.

And I just don’t it just keeps propagating.
I don’t know how, but it just keeps propagating.

And quite honestly, some of the board members are at fault too because maybe they grew up from some of these same firms, and now they’re board members. Now they’re asking for the same maturity assessment that they did twenty years ago because that’s all they know to ask.

I don’t know. I’m trying to figure out why it’s happening, but it’s not required by any law.
It’s not being required by any regulation. Yet it’s what they all keep asking for. I don’t understand. I think it’s knowledge gaps that keep, you know, being perpetual, because, you know, a C-suite individual understands it that way, retires, joins a board, and perpetuates that thought process down to people reporting to them.

So it’s, you know, a never ending cycle, unfortunately.
So we definitely have to break that cycle.

Yeah. To me, it’s just perplexing. It’s maddening.

So anyway, we describe what cybersecurity strategy is in here, what is governance, right, the right roles for the right people with the right responsibilities executing on that.

You can’t blame the help desk guy for the breach. Right?

That’s not appropriate in any breach.

The real issue is, see, no person should ever do that.

That’s just absolutely ridiculous.

But that’s what they do publicly.

They’ll throw them under the bus.

So the real issue I think that we’re trying to solve in governance is the fact that executives speak business speak. They speak legal speak.

Right? That’s very similar sort of language.

But yet the management executives, you know, a lot of times they’re presenting a pen test report or something very technical to a board member, and they’re like, what’s this? And so we really wanna make sure that we’re letting people know that there is a translator out there.

Duty of Care Risk, you know, six years ago came about to really be that universal translator so that the business and the legal side can translate to infosec.

Well, momentary pause. Okay.

So I had a hello.

Hello.

So CIS RAM is the only risk method on the planet based on duty of care out of the box. And I think this is important for folks to know that the other risk methods, especially these maturity models that we were just talking about, they don’t meet this bar of duty of care. You walk into a court defending yourself saying that you did a maturity model assessment or a gap assessment, you’re gonna be in trouble. So there’s some resources here. I give folks links to those. This is a sample Calculate Acceptable Risk Definition (CARD), how we think about how to prioritize risk. It’s just a lot of content. But good governance means you’re doing good risk management.

You’re able to communicate to the board, but yet down to the departments using the same risk, but in different terms.

Right? It’s communicated differently.

Again, all these risk methods can meet duty of care if they meet these three principles, and so I think that’s important. Did you consider the interest of all interested parties to the harm that you could cause? Did you reduce that down to an acceptable level? Did you consider the burden of the safeguards? Right? Are they more than the risk? Okay. Final point I wanna make in this briefing.

I wanna wrap it up.

I got a lot of attention on this one.

So we had a few clients breached in the last few months, and it all came down to a very similar issue.
The console was corrupted or the console would not authenticate to AD, but it came down to a backup issue. If you really think about it, backups have become the fail safe. And think about what’s broken in cybersecurity. The cyber team is over here, and the backups are kind of over here with the network ops or infrastructure guys.

And it you know, yes.

CIA, confidentiality, integrity, and availability, we’re supposed to be overseeing these backups, yet it’s a disparate group over there not run by cyber security, and yet the backups have become the most critical piece of the entire security architecture, and they’re not set up correctly.

Comment?

I agree with you one hundred percent.

You know, historically, security individuals, CISOs, have really not paid attention to that side of the fence, and it shows. I mean, multiple industries have tried to, you know, fight ransomware by restoring from backup only to realize that the threat actors had been in the environment long enough to take over those backups.

Yep.

Yep.

So with that, you’re right on point.

So not only do you need to separate and have a dedicated infrastructure for the actual backups, because my clients did that.

You know, it was in AWS. It’s in its own network.

But you also have to separate that dedicated management network of the console.

The console needs to be on its own network, logically or physically segregated. And here’s the key. Neither one of them can be joined to AD. Right? It can’t have a connected AD because if you have to authenticate your console to AD and AD is corrupted, the console’s not gonna authenticate. Also, big issue with the console.

What if it gets corrupted in some way? And if you kept all the backups only in the cloud, but you need a console to get to the cloud, you need immediate access to that console locally, close by, on a USB or some sort of image that you can immediately rebuild the console from and not have to try to authenticate to the cloud to get access to the backup of the console.

I know it sounds strange, but this has been done.

I don’t know why. 3-2-1.

To your point, one copy local, one not continuously accessible. We used to do this on tape. Now we do it in cloud.

Right?

One backup needs to be immutable. Right? Right?

Write once, read many, so not written over, so I know I can always get a good copy. That’s the immutable concept. We need to make sure we have that. The latest version of Veeam certainly has that built in. I’m not, you know, advertising Veeam, but it just happens to be one of them. MFA, obviously, everywhere you’re using your administrator rights and where your backups are located.

This is another one that stung people. Not having properly printed instructions for restoration. So that application or that system or that critical server, when it was originally built, had some changes made to it. They didn’t update the documentation on how to restore it. And now they have a real issue. Now they’re trying to restore it. But the nuances and special conditions were not redocumented and reprinted. They have no idea how to restore the system, or it takes weeks to restore it because they have to rebuild it instead of restore it.

So this is another key issue.

So I know we kinda went a little bit over.

I wanted to make sure just to give folks a sample, and to give you the first time we did a briefing. This is what I’ve been doing the last four years.

It’s great stuff.

I’m sad you kept it hidden from me. I didn’t hide it. I don’t know. We just didn’t connect up.

So, hey, Khai.

As usual, it’s great to see you again, and, I look forward to getting together with you, you know, soon.

So don’t be a stranger, and good luck.

Thank you. It’s been a pleasure. Thanks again, Terry.

Take care.